[Ndn-interest] Adding HMAC to available NDN signature types

Gene Tsudik gts at ics.uci.EDU
Tue Sep 23 09:04:33 PDT 2014

>>> The mechanism for key management should be designed, in order for HMAC
signing to be useful.

Just as a word of caution,
I hope that, instead of designing a homegrown (and quite possibly insecure)
NDN- or CCNx-specific
key management approach, people consult ample prior work that contains many
such protocols,
i.e.., using public key-based authenticated key exchange/agreement to yield
a symmetric key.
(By "prior work" I don't just mean papers but also real deployed protocols.)


On Tue, Sep 23, 2014 at 8:47 AM, Junxiao Shi <shijunxiao at email.arizona.edu>

> Dear folks
> It appears to me that HMAC, as a signing algorithm that requires a
> symmetric key, is suitable only for realtime applications with a small
> number of mutually trusted participants.
> The reasons are:
>    - Participants must be mutually trusted, because any participant who
>    wants to verify Data must know the symmetric key, and knowing the symmetric
>    key allows a participant to sign Data as well.
>    - Verifying old Data requires knowing the symmetric key. However, it's
>    impossible to establish mutual trust when the participant who generated the
>    Data is gone. Thus HMAC is suitable for realtime applications only, where
>    all participants are still alive.
> To use HMAC signing, we must first use existing pubkey signing methods to
> establish mutual trust between participants, and negotiate a symmetric key.
> This key should also be rotated periodically.
> The mechanism for key management should be designed, in order for HMAC
> signing to be useful.
> Yours, Junxiao
> _______________________________________________
> Ndn-interest mailing list
> Ndn-interest at lists.cs.ucla.edu
> http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/ndn-interest/attachments/20140923/2900e794/attachment.html>

More information about the Ndn-interest mailing list