-
Notifications
You must be signed in to change notification settings - Fork 13
NDNCERT Protocol 0.2
In Named Data Networking (NDN), to generate Data packets with legitimate names and verifiable signatures, an application (producer) needs to obtain a name and a certificate for that name. With trust anchors, an entity could apply for a certificate from a trusted certificate signer, which can be processed either manually or through automated means. NDN certificate management protocol (NDNCERT) enables automatic certificate management in NDN, including
- certificate application/issuance,
- certificate renewal
- certificate revocation
- identity verification for certificate management operations.
Furthermore, NDNCERT enables an entity to easily manage its sub-namespaces and their corresponding certificates, allowing a namespace owner to manage its owned devices and services in a clearer and more secure way.
For example, a entity who owns namespace /ucla/cs/zhiyi
can derive sub-namespace /ucla/cs/zhiyi/mobile-phone
to his phone and /ucla/cs/zhiyi/home
to his smart home controller.
Note that NDNCERT does not impose any specific trust model or trust anchors. While the primary use case of the developed protocol is to manage NDN testbed certificates, it can be used with any other set of global and local trust anchors.
This specification provides details and packet formats to request certificates, create certificates after one of the validation mechanism, and how the issued certificate is retrieved by the original requester.
In NDN any node can take a role of certificate issuer/signer, managing certificates in the designated namespace. There are mainly two kinds of an issuer:
- A self-signed local trust anchor for the namespace.
- A delegated certificate for the namespace.
The following diagram illustrates the main process for an issuer to perform new certificate issuance. There are mainly three processes in the certificate application.
-
PROBE
Interest for Sub Namespace AssignmentThe certificate requester first sends an interest called
PROBE
to ask for an available namespace from the issuer.PROBE
Interest can carry information that is used for the issuer to decide the namespace assignment. The issuer will reply an available namespace to certificate requester. -
NEW
Interest to Start a New Certificate ApplicationThe certificate requester first prepares a pair of asymmetric key (existing key pair or newly generated key pair) with the name obtained in the previous step and send a
NEW
interest to the issuer to start an application. When the issuer receives theNEW
Interest, the issuer will collect all available out-of-band or in-band identity verification methods (called challenge) according to its own policy and reply the challenge list and a unique application ID to the requester.Notice that the issuer will start keeping requester's application instance at this time point.
-
CHALLENGE
Interest to Select and Finish the ChallengeThe certificate requester then selects one challenge and send a
CHALLENGE
Interest to notice the issuer which challenge has been selected. After receiving the firstCHALLENGE
Interest, the issuer will perform the challenge for the requester.During the process or after finishing the selected challenge, the request would send more
CHALLENGE
Interests to pass the required information to the issuer and finish the identity verification. Once the challenge result is approved by the issuer, the issuer will sign the certificate. -
DOWNLOAD
Interest for New Certificate DownloadOnce certificate requester knows the certificate has been signed by the issuer. The requester can fetch the certificate using
DOWNLOAD
Interest.
certificate requester CA
| PROBE |
| --------------------------------> |
| |
| Get an available namespace
| Data |
| <-------------------------------- |
| |
Generate key pair |
Generate certificate request |
| NEW |
| --------------------------------> |
| |
| Prepare challenge list
| Generate request ID
| Data |
| <-------------------------------- |
| |
select challenge |
| CHALLENGE |
| --------------------------------> |
| |
| Perform Challenge
| |
Requester sends more CHALLENGE Interest to finish challenge if needed.
| |
| Check Challenge .....+
| | V
| | Verify result
| Data | V
| <-------------------------------- |<.... If valid, issue cert
| | Otherwise, return status
| DOWNLOAD |
| --------------------------------> |
| Data |
| <-------------------------------- |
Warm start means that the requester trusts the issuer in advance, which means the requester has already installed the issuer's certificate. The use case of warm start is mainly where the issuer is well-known, e.g., NDN Testbed Certificate Authority, UCLA Official Certificate Authority. In warm start scenarios, the challenge is usually single-direction: the challenge is used to verify a requester's identity or legality.
Cold start means that the requester does not have issuer's certificate pre-installed. The use case of cold start is when there is no way for the requester to trust the issuer, e.g., in Internet of Things (IoT) scenarios, when a new device is bought, the device does not have pre-defined knowledge of its future home system. In code start scenarios, the challenge is supposed to be double-direction: the challenge is for the requester to verify the issuer and at the same time, the issuer can verify requester's identity.
Name: /<CA-Prefix>/CA/_PROBE/[ApplicationParameter_Digest|INFO]
ApplicationParameters: JSON text
Signature: Not required
Must Be Fresh: True
JSON format: The format depends on the probe
of the configuration file.
As an example, if we have "probe":"email:full-name"
, then the JSON text carried in the PROBE
Interest will contains two attributes: email and full-name.
Name: Same as PROBE Interest Name
Content: JSON text
Signature: Signed by CA's identity key
JSON format:
- "name": assigned sub-namespace (appears when
PROBE
Interest carries Parameters). - "ca-config": ca configuration content (appears when
PROBE
Interest ends withCA/_PROBE/INFO
).
Data Verification Process
- The KeyLocator in Data Signature Info element must starts with the //KEY
- The signature value must be verified using the public key pre-installed (in warm start scenarios) or obtained in the
PROBE
Data content (in cold start scenarios).
Notice that in cold start scenarios, using the public key extracted from the
PROBE
Data content to verify thePROBE
Data signature does not provide any real authenticity and integrity until the requester and the issuer finish the challenge and successfully verify each other.
In the warm start scenario, the last name component is the digest value of Interest Parameters Field and the required information for sub-namespace assignment is placed into the Interest Parameters Field.
Notice that the required information is different from issuer to issuer, and for a requester to properly give the information, human interaction is usually needed.
For example, the command line user interface or graphical user interface can prompt please input your email address.
In cases where human interaction is impossible or hard, e.g., when a constrained IoT board is applying for a certificate, the sub-namespace assignment step can be omitted.
In a cold start scenario, given the requester has no idea how to perform the sub-namespace assignment, this step can be omitted.
One special case of PROBE
Interest is /<CA-prefix>/CA/_PROBE/INFO
(with no Interest Parameters Field).
With this special PROBE
Interest, a requester can fetch the information of the issuer, including the certificate, the requirement of certificate application, and so on.
This Interest is recommended if the requester has not talked with the issuer before.
Another special case of PROBE
Interest is /localhop/CA/_PROBE/INFO
(with no Interest Parameters Field).
This is used in the local area network, e.g., smart home WiFi network.
This Interest is supposed to be a broadcast Interest and this Interest can discover the available issuer(s) in the local network.
-
Issuer
/ndn/edu/ucla
requires user to use email address for sub-name assignment. Such requirement is enforced by having a"probe":"email"
in CA and Client's configuration files.Interest: Name: /ndn/edu/ucla/CA/_PROBE/9A39DC3... ApplicationParameters: { "email":"zhiyi@cs.ucla.edu" } Data: Name: /ndn/edu/ucla/CA/_PROBE/9A39DC3... Content: { "name": "/ndn/edu/ucla/zhiyi", "email": "zhiyi@cs.ucla.edu" } Signature
-
The requester sends
/ndn/_PROBE/INFO
Interest: Name: /ndn/CA/_PROBE/INFO Data: Name: /ndn/CA/_PROBE/INFO Content: { "ca-prefix": "/zhiyi-home/controller", "probe": "email", "certificate": "Bv0CJAcsCANuZG4IBXNpd..." } Signature
Name: /<CA-prefix>/CA/_NEW/[ApplicationParameters_Digest]
ApplicationParameters: JSON text
Signature: Signed by the private key associated with the public key in the cert
Must Be Fresh: True
JSON Format:
- "ecdh-pub": ECDH_Requester_PubKey: the requester's public key used for Elliptic-Curve Diffie-Hellman key agreement.
- "cert-request": Certificate Request (Self-signed Certificate).
- "probe-token": the
PROBE
Data packet replied in the previousPROBE
step. This field only appears whenprobe
is not empty in the configuration file. The token helps to ensure that a client has already performed thePROBE
step before theNEW
step, helping CA to determine whether a client actually uses the identity name, and whether the information provided in thePROBE
is actually used in later verifications (for example, the email address provided inPROBE
should be the same as the one used in Email challenge).
Interest Verification Process:
-
The Interest must be in the correct signed Interest format as defined in NDN Packet Format.
However, currently the format v0.3 is not fully supported by ndn-cxx. Therefore, the current implementation will follow the old format of signed Interest until format v0.3 is fully supported by ndn-cxx.
-
The signature value can be verified by the public key obtained in the certificate request.
-
The cert request must be a valid self-signed certificate
-
The probe token must be a valid Data packet signed by the CA.
Notice that using the public key extracted from Interest Parameters to verify the Interest signature does not provide any real authenticity and integrity until the requester finishes the challenge.
Name: Same as NEW Interest Name
Content: JSON text
Signature: Signed by CA's identity key
JSON format:
-
"ecdh-pub": ECDH_Issuer_PubKey: the issuer's public key used for Elliptic-Curve Diffie-Hellman key agreement. The value is supposed to be encoded into base64 format as specified in RFC 4648 section 3.1.
-
"salt": 64 bits or longer random number. The decimal string of this number in little endianness should be placed in the JSON text.
-
"request-id": Unique ID assignment for this request instance
-
"status": The application status code. The decimal string of the status number in little endianness should be placed in the JSON text.
- STATUS_BEFORE_CHALLENGE = 0,
- STATUS_CHALLENGE = 1,
- STATUS_PENDING = 2,
- STATUS_SUCCESS = 3,
- STATUS_FAILURE = 4,
- STATUS_NOT_STARTED = 5
-
"challenges": A challenge list from which the requester can select. The list is a JSON array object. The child attribute name is "challenge-id".
Data Verification Process
- The KeyLocator in Data Signature Info element must starts with the //KEY
- The signature value must be verified using the public key pre-installed (in warm start scenarios) or obtained in the
PROBE
Data content (in cold start scenarios).
In the NEW
Interest and Data exchange:
-
The requester and the issuer follow Elliptic-Curve Diffie-Hellman (ECDH) protocol and negotiate a shared secret key for future use.
-
The requester provides its self-signed certificate so that later if identity verification succeeds, the issuer can use issuer's key to sign the requester's public key and issue the certificate.
-
In the self-signed certificate, the requester can specify the validity period based on its needs; however, the validity period cannot exceed the maximum value pre-defined by the issuer. If exceeds, the issuer will modify the validity period to the maximum value. This enables requesters to get ephemeral certificates.
Regarding the public parameters used for ECDH process, there are two options:
-
Global default public parameters: Elliptic Curve NIST p-256 (providing 128 bits security)
-
Customized public parameters can be placed into issuer's configuration. The information is obtained by the issuer with
PROBE
Interest/<CA-Prefix>/CA/_PROBE/INFO
or/ndn/CA/_PROBE/INFO
if enabled. In cold start scenarios, the requester cannot verify the issuer's configuration, but this will not damage because when performing a double-direction challenge, if the issuer cannot prove its identity, the requester will abandon all the state related to this application.
The ECDH_Requester_PubKey
and the ECDH_Issuer_PubKey
are base64-encoded (as specified in RFC 4648 section 3.1) ECDH compressed public key bits.
The default length of ECDH public key bits is defined per the ECDH public parameters.
After ECDH process, both the requester and the issuer get a shared secret (256 bits using ECDH NIST p-256).
A Key Derivation Function (KDF) will be applied on the shared secret for better security.
In NDNCERT, the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) will be used to derive a 256-bit AES key from the shared secret from ECDH.
The HKDF function will be invoked on the shared secret and also a salt.
In HKDF, the salt value should be the "salt" value in the JSON text of the NEW
Data.
The info bytes used in HKDF is 0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,0xf8,0xf9
.
-
Example 1. If the configuration's "probe" is not empty. The
NEW
Interest must carry a probe token, which is literally thePROBE
Data packet.Interest: Name: /ndn/edu/ucla/CA/_NEW/06a49... ApplicationParameters: { "ecdh-pub": "9ik30...", "cert-request": "...", "probe-token": "..." } Signature Data: Name: /ndn/edu/ucla/CA/_NEW/06a49... Content: { "ecdh-pub": "07d60...", "request-id": "1209381203", "status": 1, "challenges": [ { "challenge-id": "PIN" }, { "challenge-id": "Email" }, { "challenge-id": "Shared-Secret" } ] } Signature
Name: /<CA-prefix>/CA/_CHALLENGE/[Request_ID]/[ApplicationParameters_Digest]
ApplicationParameters: AES-CBC(JSON text)
InterestSignatureValue: Signed by the private key paired with the public key in Certificate Request
Must Be Fresh: True
JSON Format:
- "selected-challenge": The challenge selected by the
CHALLENGE
Interest - other attributes specified by the implementation of the selected challenge
Interest Verification Process:
-
The JSON text encrypted with AES-CBC can be successfully decrypted using the shared secret obtained in the ECDH.
-
The Interest must be in the correct signed Interest format as defined in NDN Packet Format.
However, currently the format v0.3 is not fully supported by ndn-cxx. Therefore, the current implementation will follow the old format of signed Interest until format v0.3 is fully supported by ndn-cxx.
-
The signature value can be verified by the public key obtained in
NEW
Interest's Interest Parameters.
Name: Same as CHALLENGE Interest Name
Content: AES-CBC(JSON text)
Signature: Signed by CA's identity key
JSON format:
-
"status": The application status code. The decimal string of the status number in little endianness should be placed in the JSON text.
- STATUS_BEFORE_CHALLENGE = 0,
- STATUS_CHALLENGE = 1,
- STATUS_PENDING = 2,
- STATUS_SUCCESS = 3,
- STATUS_FAILURE = 4,
- STATUS_NOT_STARTED = 5
-
"challenge-status": The challenge status code, specified by the selected challenge implementation.
-
"remaining-tries": The remaining times that the requester can send a challenge Interest. The decimal string of the number in little endianness should be placed in the JSON text.
-
"remaining-time": The remaining time for the requester to finish the challenge. The decimal string of the number in little endianness should be placed in the JSON text.
Data Verification Process
- The JSON text encrypted with AES CBC can be successfully decrypted using the shared secret obtained in the ECDH.
- The KeyLocator in Data Signature Info element must starts with the
/<CA-Prefix>/KEY
- The signature value must be verified using the public key pre-installed (in warm start scenarios) or obtained in the
PROBE
Data content (in cold start scenarios).
-
Example 1. If the configuration's "probe" is not empty. The
NEW
Interest must carry a probe token, which is literally thePROBE
Data packet.Interest: Name: /ndn/edu/ucla/CA/_CHALLANEG/1209381203/4fe9... ApplicationParameters: AES-CBC-Encrypt { "selected-challenge": "email", "email": "zhiyi@cs.ucla.edu" } Signature Data: Name: /ndn/edu/ucla/CA/_CHALLANEG/1209381203/4fe9... Content: AES-CBC-Encrypt { "status": 1, "challenge-status": "need-code", "remaining-tries": 3, "remaining-time": 3600 } Signature
In CHALLENGE
Interest, the selected challenge name and the parameters provided by the requester will be encrypted with AES CBC.
In CHALLENGE
Data, the whole content will be encrypted with AES CBC.
The AES key is the shared secret negotiated from the ECDH in NEW
Interest and Data exchange.
After receiving the CHALLENGE
Interest packet for the first time, the issuer is supposed to perform the specified challenge to verify the requester's legality.
One or more CHALLENGE
Interest and Data exchange can be performed in order to finish the challenge.
Once the "status" JSON attribute is FINISHED
in the replied CHALLENGE
Data packet, the requester then knows the challenge result has been successfully approved.
After that, the requester can send DOWNLOAD
Interest to fetch the issued certificate back.
The remaining-tries
and remaining-time
attributes are used to ensure the freshness of the challenge.
The value of the two attributes is supposed to be defined by the specific challenge implementation.
Name: /<CA-prefix>/CA/_DOWNLOAD/[Request_ID]
Must Be Fresh: True
Name: Same as DOWNLOAD Interest Name
Content: Embedded issued certificate
Signature: Signed by CA's identity key
Data Verification Process
- The KeyLocator in Data Signature Info element of the encapsulated Certificate must starts with the
/<CA-Prefix>/KEY
- The signature value of the encapsulated Certificate must be verified using the public key pre-installed (in warm start scenarios) or obtained in the
PROBE
Data content (in cold start scenarios).
In the above mentioned NDNCERT cert application/issuance packet exchange process, the JSON texts used after the NEW
step are all encrypted with AES CBC.
NDNCERT takes a similar format used by Named-based Access Control (NAC) and Named-based Access Control with Attribute-based Encryption (NAC-ABE).
EncryptedPayload = ENCRYPTED_PAYLOAD_TYPE (T) length (L)
Bytes+ (V)
InitialVector = INITIAL_VECTOR_TYPE (T) length (L)
Bytes+ (V)
Type Number Assignment:
ENCRYPTED_PAYLOAD_TYPE 630
INITIAL_VECTOR_TYPE 632
The above two TLV blocks should be embedded into Interest Parameters element and the Data Content element when used.
TBD
In cases when a certificate owner
- no longer uses the certificate,
- wants to change the detail of its certificate,
- found its private key was compromised,
the certificate owner should use certificate revocation protocol to revoke its certificate from the certificate issuer,
In NDNCERT, a certificate owner can use REVOKE
Interest packet to revoke its certificate.
After receiving the REVOKE
Interest, the issuer of the certificate will perform a challenge on the certificate owner to ensure that the requester has the authority to revoke the certificate.
As shown in the figure, the certificate revocation protocol in NDNCERT is like:
-
REVOKE
Interest to Start a RevocationThe requester first sends an interest called
REVOKE
to inform the issuer which certificate to revoke. The issuer should then return a list of challenges that can be used to verify the requester. -
CHALLENGE
Interest to Select and Finish the ChallengeThe certificate requester then selects one challenge and send a
CHALLENGE
Interest to notice the issuer which challenge has been selected. After receiving the firstCHALLENGE
Interest, the issuer will perform the challenge for the requester.During the process or after finishing the selected challenge, the request would send more
CHALLENGE
Interests to pass the required information to the issuer and finish the identity verification. Once the challenge result is approved by the issuer, the issuer will revoke the certificate.
certificate requester CA
| REVOKE |
| --------------------------------> |
| |
| Prepare challenge list
| Generate request ID
| Data |
| <-------------------------------- |
| |
select challenge |
| CHALLENGE |
| --------------------------------> |
| |
| Perform Challenge
| |
Requester sends more CHALLENGE to finish challenge if needed.
| |
| Check Challenge .....+
| | V
| | Verify result
| Data | V
| <-------------------------------- |<... If valid, revoke cert
| | Otherwise, return status
Trusting signature signed by a revoked certificate will cause severe security problems. To prevent users from accepting revoked certificates, NDNCERT provides different methods of revocation status query for different scenarios.
This method does not require any certificate revocation operations nor certificate revocation status query. When issuing a certificate at the first place, the issuer should make the certificate validity period short enough so that even the private key is compromised, the damage of the certificate is limited.
This method requires certificate revocation operations.
When a certificate owner successfully revokes a certificate, the issuer will issue a certificate revocation announcement following the pre-defined naming convention in NDNCERT: the revocation announcement is a Data packet with Data name: /<NDN Certificate Name>/_REVOKE
.
By querying the announcement, a user can learn whether a certificate has been revoked or not.
With revocation announcement query, an issuer or the revocation requester should make the revocation announcement as available as possible. For example, the announcement can be replicated in many different repositories or stored in a distributed ledger system (e.g., a blockchain-based ledger).
This method does not require the issuer to be online when users want to check the revocation status but this method is considered to be best-effort only since this method subjects to the availability of the announcement Data.
This method mimics the OCSP Stapling extension of TLS Certificate Status Request and realizes the notion of stapling in a named-data style. This method requires the issuer or a separate process/thread to be online regularly (e.g., every one hour, every day, etc.) and issue the certificate status Data packet for all the unrevoked certificates. A certificate status Data serves as a guarantee that a certificate is still valid in the defined time period (e.g., from the current time to the next issuer's online time).
For a producer to offer better consumer experience, a producer can obtain the certificate status Data packets in advance and utilize certificate bundle to bundle the certificates and the certificate status together so that the consumer does not need to fetch the certificate status in real time at the cost of additional latency.
Name: /<CA-Prefix>/CA/_REVOKE/[ParametersSha256DigestComponent]
ApplicationParameters: JSON text
Signature: Not required
Must Be Fresh: True
JSON Format:
* "ecdh-pub": ECDH_Requester_PubKey: the requester's public key used for Elliptic-Curve Diffie-Hellman key agreement.
* "cert-revoke": The name of the certificate that is to be revoked.
Name: Same as REVOKE Interest Name
Content: JSON text
Signature: Signed by CA's identity key
JSON format:
-
"ecdh-pub": ECDH_Issuer_PubKey: the issuer's public key used for Elliptic-Curve Diffie-Hellman key agreement.
-
"salt": 64 bits or longer random number. The decimal string of this number in little endianness should be placed in the JSON text.
-
"request-id": Unique ID assignment for this request instance
-
"status": The application status code. The decimal string of the status number in little endianness should be placed in the JSON text.
- STATUS_BEFORE_CHALLENGE = 0,
- STATUS_CHALLENGE = 1,
- STATUS_PENDING = 2,
- STATUS_SUCCESS = 3,
- STATUS_FAILURE = 4,
- STATUS_NOT_STARTED = 5
-
"challenges": A challenge list from which the requester can select. The list is a JSON array object. The child attribute name is "challenge-id".
Data Verification Process
-
The KeyLocator in Data Signature Info element must starts with the //KEY
-
The signature value must be verified using the public key pre-installed.
Notice that there is no cold start scenarios in certificate revocation.
In the NEW
Interest and Data exchange:
- The requester and the issuer follow Elliptic-Curve Diffie-Hellman (ECDH) protocol and negotiate a shared secret key for future use.
Regarding the public parameters used for ECDH process, there are two options:
-
Global default public parameters: Elliptic Curve NIST p-256 (providing 128 bits security)
-
Customized public parameters can be placed into issuer's configuration. The information is obtained by the issuer with
PROBE
Interest/<CA-Prefix>/CA/_PROBE/INFO
or/ndn/CA/_PROBE/INFO
if enabled. In cold start scenarios, the requester cannot verify the issuer's configuration, but this will not damage because when performing a double-direction challenge, if the issuer cannot prove its identity, the requester will abandon all the state related to this application.
The ECDH_Requester_PubKey
and the ECDH_Issuer_PubKey
are base64-encoded (as specified in RFC 4648 section 3.1) ECDH compressed public key bits.
The default length of ECDH public key bits is defined per the ECDH public parameters.
After ECDH process, both the requester and the issuer get a shared secret (256 bits using ECDH NIST p-256).
A Key Derivation Function (KDF) will be applied to the shared secret for better security.
In NDNCERT, the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) will be used to derive a 256-bit AES key from the shared secret from ECDH.
The HKDF function will be invoked on the shared secret and also salt.
In HKDF, the salt value should be the "salt" value in the JSON text of the REVOKE
Data.
The info bytes used in HKDF is 0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,0xf8,0xf9
.
Name: /<Certificate-Name>/_REVOKE
Signature: Not required
Name: Same as REVOKE Interest Name
Content: JSON text
Signature: Signed by CA's identity key
JSON format:
- "revoke-time": The timestamp when the certificate is revoked.
Data Verification Process
- The KeyLocator in Data Signature Info element must be the same as the KeyLocator of the revoked Certificate.
- The signature value must be verified using the public key of the issuer.
Name: /<Certificate-Name>/STATUS
Signature: Not required
Name: Same as REVOKE Interest Name
Content: JSON text
Signature: Signed by CA's identity key
JSON format:
-
"cert-status": The status of the certificate
- 1: VALID
- 2: REVOKED
- 0: UNKNOWN
-
"issue-time": The timestamp when the status packet is generated.
-
"valid-before": The timestamp before which the status of the certificate will not be changed.
Data Verification Process
- The KeyLocator in Data Signature Info element must be the same as the KeyLocator of the revoked Certificate.
- The signature value must be verified using the public key of the issuer.