[Ndn-interest] [Question] Where is the public key should be stored?

Marc.Mosko at parc.com Marc.Mosko at parc.com
Fri Apr 14 12:09:08 PDT 2017


In general there is not the same idea of TLS handshakes because the trust anchors for content would not be the same as the replica name hosting that content in cache.  NDN has several tech reports on different ways to encrypt data that you can find in their publications section.

In the CICN community, we’ve addressed this mainly two ways:

1) The publisher includes the public key in the first content chunk (or a named pointed to it).  If the content is encrypted for a particular recipient, then the publisher wraps a symmetric key in the first chunk then generates per-chunk session keys based on the symmetric key and the chunk number (i.e. the chunk number becomes part of the IV in the AES algorithm’s key derivation).  In CICN, we’ve favored encapsulation encryption (i.e. there’s an unencrypted outer name used for transport and an inner name part of the wrapped encrypted object) as that leaks the least amount of information.

2) When a replica name is known, for example the publisher lists that you can get the content from Comcast or Akamai, then the client can use a TLS like protocol to get session encryption to that replica.  See, for example, https://www.ietf.org/id/draft-wood-icnrg-ccnxkeyexchange-01.txt.  This form of opportunistic channel encryption does not replace the end-to-end manifest (or merkle hash tree) signing, but compliments it.  It also includes mechanisms where a user can authenticate to a publisher then get a re-direction token to continue a TLS-like session with a particular replica.


On Apr 14, 2017, at 11:55 AM, Pengyuan Zhou <zpymyyn at gmail.com<mailto:zpymyyn at gmail.com>> wrote:

Hi all,

According to my understanding, the KeyLocator has the storage location of the key.

My question is where normally should the key be stored, especially for secure transmission?

Since NDN is not end-to-end, there might not be thing like "TLS handshake”, or is there?

If not, then how does NDN realise the agreement of "Master Secret and Session key” (or sth. similar)?

Seems to me that all the key info including the KeyLocator are predefined before transmission, is that realistic?

There might be understanding, please correct me if so.


Pengyuan Zhou
University of Helsinki
Ndn-interest mailing list
Ndn-interest at lists.cs.ucla.edu<mailto:Ndn-interest at lists.cs.ucla.edu>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/ndn-interest/attachments/20170414/37790126/attachment.html>

More information about the Ndn-interest mailing list