[Nfd-dev] Try NDNCERT (based on Interest-Data exchange) and get an NDN certificate today

Junxiao Shi shijunxiao at email.arizona.edu
Wed Oct 24 14:27:24 PDT 2018


Hi Zhiyi


> Your mentioned attack scenario is valid and possible. Thank you for
> pointing that out!
> Given the ndncert protocol is for two ends only, I think we can add a
> Diffie-Hellman process in the NEW command and its reply.
>

I hope you are referring to ECDH, not classical Diffie-Hellman. Many IoT
devices have binary code size constraints. Since ECDSA must be supported, it
takes less binary code to add ECDH than to add classical DH.


> With the negotiated shared secret by DH, the requester and issuer can:
> 1. Use hmac to sign the request which is faster and fits IoT scenarios
>

This is false. With a low-cost crypto chip such as the ECC508 (less than $1), IoT
devices can easily access ECDH and ECDSA implemented in hardware.
Also, NDNCERT is not just for IoT.

> 2. Use key derived from the shared secret to AES encrypt the sensitive
> components and Data content (prevent Eve to see the PIN_E and all the other
> sensitive info)
>
Yes.


> On the other hand, I will update the email format to include the full
> certificate name and request id (each request instance has a unique ID)
>
Usability is a concern: the user is going to neglect the request ID. There are
two solutions:
First, digest of the public key can be represented as graphics (e.g. a cat
face with various colors and features). A client with GUI capability can
display the graphics, and the user can compare the graphics with one
generated by CA and embedded in the email.
Second, the PIN code can be prefixed by the request ID. The email says "PIN
code 777777-666666"; the client prompts "Enter PIN code: 777777-"; the user
types "666666".


> I have already taken the ndncert server offline. We will perform a major
> upgrade on the ndncert protocol and ndncert codebase.
>
When can we see a preview of the new protocol?

Yours, Junxiao
