[Ndn-interest] Adding HMAC to available NDN signature types

Gene Tsudik gts at ics.uci.EDU
Tue Sep 23 09:04:33 PDT 2014


>>> The mechanism for key management should be designed, in order for HMAC
>>> signing to be useful.

Just as a word of caution, I hope that, instead of designing a homegrown
(and quite possibly insecure) NDN- or CCNx-specific key management approach,
people consult ample prior work that contains many such protocols, i.e.,
using public key-based authenticated key exchange/agreement to yield a
symmetric key.
(By "prior work" I don't just mean papers but also real deployed protocols.)

Cheers,
Gene


On Tue, Sep 23, 2014 at 8:47 AM, Junxiao Shi <shijunxiao at email.arizona.edu>
wrote:

> Dear folks
>
> It appears to me that HMAC, as a signing algorithm that requires a
> symmetric key, is suitable only for realtime applications with a small
> number of mutually trusted participants.
> The reasons are:
>
>    - Participants must be mutually trusted, because any participant who
>    wants to verify Data must know the symmetric key, and knowing the symmetric
>    key allows a participant to sign Data as well.
>    - Verifying old Data requires knowing the symmetric key. However, it's
>    impossible to establish mutual trust when the participant who generated the
>    Data is gone. Thus HMAC is suitable for realtime applications only, where
>    all participants are still alive.
>
>
> To use HMAC signing, we must first use existing pubkey signing methods to
> establish mutual trust between participants, and negotiate a symmetric key.
> This key should also be rotated periodically.
> The mechanism for key management should be designed, in order for HMAC
> signing to be useful.
>
> Yours, Junxiao
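The properties raised in the quoted message (any verifier can also sign, and old Data cannot be checked once its key is gone), together with key rotation, shown as an added example that is not part of the thread or of any NDN library. The dict standing in for a Data packet, the `GroupKeyring` class, the epoch used as key id and the `/example/...` names are assumptions for illustration; the key is generated locally where a deployment would take it from an authenticated key exchange.

```python
import hashlib
import hmac
import os

class GroupKeyring:
    """Symmetric keys that every group member holds, indexed by rotation epoch."""
    def __init__(self):
        self.keys, self.epoch = {}, 0
        self.rotate()

    def rotate(self):
        # Assumption: stands in for a key agreed through an authenticated key exchange.
        self.epoch += 1
        self.keys[self.epoch] = os.urandom(32)

    def retire(self, epoch):
        self.keys.pop(epoch, None)

def _tag(key, name, content, epoch):
    # Length-prefix each field so the name/content boundary cannot be shifted.
    parts = [name.encode(), content, str(epoch).encode()]
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def sign(ring, name, content):
    e = ring.epoch
    return {"name": name, "content": content, "epoch": e,
            "tag": _tag(ring.keys[e], name, content, e)}

def verify(ring, data):
    key = ring.keys.get(data["epoch"])
    if key is None:
        return "unknown-key"  # key rotated out, or never shared with this verifier
    good = _tag(key, data["name"], data["content"], data["epoch"])
    return "ok" if hmac.compare_digest(good, data["tag"]) else "bad-tag"

def demo():
    ring = GroupKeyring()  # the same key material sits with both alice and bob
    from_alice = sign(ring, "/example/chat/alice/1", b"hello")    # constructed Data
    from_bob = sign(ring, "/example/chat/alice/2", b"not alice")  # bob, under alice's prefix
    tampered = dict(from_alice, content=b"hellp")
    results = [verify(ring, from_alice), verify(ring, from_bob), verify(ring, tampered)]
    ring.rotate()
    ring.retire(1)  # old key discarded after rotation
    results.append(verify(ring, from_alice))  # old Data is no longer verifiable
    return results
```

The second `ok` is the point of the first bullet: the tag proves group membership, not which member produced the Data.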

