NAC Specification
=================

.. figure:: _static/nac-overview.png
   :alt: Overview of NAC entities
   :align: center

Terminology
-----------

11+-----------------+------------------------------------------------------------------------------------------+
12| Term | Description |
13+=================+==========================================================================================+
14| KEK | Key Encryption Key (RSA public key) |
15+-----------------+------------------------------------------------------------------------------------------+
16| KDK | Key Decryption Key (RSA private key) |
17+-----------------+------------------------------------------------------------------------------------------+
18| CK | Content Key (AES symmetric key) |
19+-----------------+------------------------------------------------------------------------------------------+
Alexander Afanasyev1a21e102018-06-13 20:33:21 -040020| CK data | Data packet carrying a KDK-encrypted CK as payload |
Alexander Afanasyev0db0feb2018-06-13 20:33:10 -040021+-----------------+------------------------------------------------------------------------------------------+
22| Access Manager | (Data Owner) Entity that control access to the data associated with the namespace |
23+-----------------+------------------------------------------------------------------------------------------+
24| Encryptor | (Producer) Entity that encrypts data based on namespace association |
25+-----------------+------------------------------------------------------------------------------------------+
26| Decryptor | (Consumer) Entity that decrypts data based on namespace association |
27+-----------------+------------------------------------------------------------------------------------------+
28
EncryptedContent
----------------

The ``EncryptedContent`` element contains the encrypted blob, an optional InitializationVector (for AES CBC
encryption), an optional EncryptedPayloadKey, and an optional Name element. Which of the optional elements
appear depends on what the element carries; the Access Manager, Encryptor and Decryptor sections below state
the rule for each use.

.. code-block:: abnf

   EncryptedContent = ENCRYPTED-CONTENT-TYPE TLV-LENGTH
                        EncryptedPayload
                        [InitializationVector]
                        [EncryptedPayloadKey]
                        [Name]

   EncryptedPayload = ENCRYPTED-PAYLOAD-TYPE TLV-LENGTH *OCTET
   InitializationVector = INITIALIZATION-VECTOR-TYPE TLV-LENGTH *OCTET
   EncryptedPayloadKey = ENCRYPTED-PAYLOAD-KEY-TYPE TLV-LENGTH *OCTET


Access Manager
--------------

.. figure:: _static/access-manager.png
   :alt: Access Manager
   :align: center

The Access Manager controls decryption policy by publishing granular per-namespace access policies in the form of a key pair: a key encryption key (KEK, the public key, published in plaintext) and a key decryption key (KDK, the private key, published encrypted for each authorized member).

The KEK is published as a single data packet with name ``/[access-namespace]/NAC/[dataset]/KEK/[key-id]``, in the following format:

.. code-block:: abnf

   Kek = DATA-TYPE TLV-LENGTH
           Name          ; /[access-namespace]/NAC/[dataset]/KEK/[key-id]
           MetaInfo      ; ContentType = KEY, FreshnessPeriod = 1 hour (default value)
           KekContent
           DataSignature

   KekContent = CONTENT-TYPE-TLV TLV-LENGTH
                  *OCTET      ; BER encoding of the public key /[access-namespace]/NAC/[dataset]/KEY/[key-id]


One copy of the KDK is published per authorized member, encrypted with that member's public key, under the naming convention ``/[access-namespace]/NAC/[dataset]/KDK/[key-id]/ENCRYPTED-BY/<authorized-member>/KEY/[member-key-id]``. Each KDK copy is published in the following format:

.. code-block:: abnf

   Kdk = DATA-TYPE TLV-LENGTH
           Name          ; /[access-namespace]/NAC/[dataset]/KDK/[key-id]/ENCRYPTED-BY/<authorized-member>/KEY/[member-key-id]
           MetaInfo      ; ContentType = BLOB, FreshnessPeriod = 1 hour (default value)
           KdkContent
           DataSignature

   KdkContent = CONTENT-TYPE-TLV TLV-LENGTH
                  EncryptedContent

Within the ``EncryptedContent`` element,

* ``EncryptedPayload`` contains a `SafeBag <https://named-data.net/doc/ndn-cxx/0.7.1/specs/safe-bag.html>`__ of the private key ``/[access-namespace]/NAC/[dataset]/KEY/[key-id]``
* ``EncryptedPayloadKey`` contains the SafeBag password, encrypted with the public key ``/<authorized-member>/KEY/[member-key-id]``
* ``InitializationVector`` and ``Name`` must be omitted

To use a KDK, a member first decrypts ``EncryptedPayloadKey`` with its own private key to recover the SafeBag password, then opens the SafeBag to obtain the KDK private key.

Encryptor
---------

.. figure:: _static/encryptor.png
   :alt: Encryptor
   :align: center

The Encryptor encrypts the requested content (a synchronous operation) and returns an ``EncryptedContent`` element with the following values:

::

   EncryptedPayload = AES CBC encrypted blob
   InitializationVector = Random initialization vector for AES CBC encryption
   EncryptedPayloadKey (not set)
   Name = Prefix of the ContentKey (CK) data packet /[ck-prefix]/CK/[ck-id]

During initialization or when requested by the application, the Encryptor (re-)generates a random key (the CK) for AES CBC encryption; a fresh random IV is drawn for every encryption performed under it.
The encrypted version of this key is published (an asynchronous operation, contingent on successful retrieval and validation of the KEK) as a data packet, following the naming convention ``/[ck-prefix]/CK/[ck-id]/ENCRYPTED-BY/[access-namespace]/NAC/[dataset]/KEK/[key-id]``. CK data is published in the following format:

.. code-block:: abnf

   CkData = DATA-TYPE TLV-LENGTH
              Name          ; /[ck-prefix]/CK/[ck-id]/ENCRYPTED-BY/[access-namespace]/NAC/[dataset]/KEK/[key-id]
              MetaInfo      ; ContentType = BLOB, FreshnessPeriod = 1 hour (default value)
              CkContent
              DataSignature

   CkContent = CONTENT-TYPE-TLV TLV-LENGTH
                 EncryptedContent

Within the ``EncryptedContent`` element,

* ``EncryptedPayload`` contains the content key (CK), encrypted with the public key ``/[access-namespace]/NAC/[dataset]/KEK/[key-id]``
* ``EncryptedPayloadKey``, ``InitializationVector``, and ``Name`` must be omitted
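
The following Python is added here as an example; it is not code from the NAC project or ndn-cxx. It encodes and parses ``EncryptedContent`` according to the ABNF in the EncryptedContent section, rejecting out-of-order, repeated and overlong elements, and then checks which optional elements are allowed for each of the three uses this page describes: the KDK payload (Access Manager section), the element the Encryptor returns, and CK data. The TLV-TYPE numbers 130, 132, 133 and 134 are taken from the assignment table at the end of this page; the Name (7) and GenericNameComponent (8) types are assumed from the NDN packet format, and the payload, IV and key bytes used in the test are constructed placeholders, not real ciphertext.

```python
"""Encode, decode and validate NAC EncryptedContent (added example, not project code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TLV-TYPE numbers from the NAC assignment table on this page.
ENCRYPTED_CONTENT, ENCRYPTED_PAYLOAD, INITIALIZATION_VECTOR, ENCRYPTED_PAYLOAD_KEY = 130, 132, 133, 134
# Assumed from the NDN packet format (not listed on this page).
NAME, GENERIC_NAME_COMPONENT = 7, 8
ELEMENT_ORDER = [ENCRYPTED_PAYLOAD, INITIALIZATION_VECTOR, ENCRYPTED_PAYLOAD_KEY, NAME]


def encode_varnum(n: int) -> bytes:
    # NDN VAR-NUMBER: one octet below 253, else a 0xFD/0xFE/0xFF marker plus 2/4/8 octets.
    if n < 0xFD:
        return bytes([n])
    width = 2 if n <= 0xFFFF else 4 if n <= 0xFFFFFFFF else 8
    return {2: b"\xfd", 4: b"\xfe", 8: b"\xff"}[width] + n.to_bytes(width, "big")


def decode_varnum(buf: bytes, pos: int) -> Tuple[int, int]:
    if pos >= len(buf):
        raise ValueError("truncated VAR-NUMBER")
    if buf[pos] < 0xFD:
        return buf[pos], pos + 1
    end = pos + 1 + {0xFD: 2, 0xFE: 4, 0xFF: 8}[buf[pos]]
    if end > len(buf):
        raise ValueError("truncated VAR-NUMBER")
    return int.from_bytes(buf[pos + 1:end], "big"), end


def tlv(t: int, v: bytes) -> bytes:
    return encode_varnum(t) + encode_varnum(len(v)) + v


def parse_tlvs(buf: bytes) -> List[Tuple[int, bytes]]:
    # Split into (type, value) pairs; a TLV-LENGTH that overruns the buffer is rejected.
    out, pos = [], 0
    while pos < len(buf):
        t, pos = decode_varnum(buf, pos)
        length, pos = decode_varnum(buf, pos)
        if pos + length > len(buf):
            raise ValueError("TLV-LENGTH exceeds the enclosing element")
        out.append((t, bytes(buf[pos:pos + length])))
        pos += length
    return out


def encode_name(uri: str) -> bytes:
    comps = [c for c in uri.split("/") if c]
    return tlv(NAME, b"".join(tlv(GENERIC_NAME_COMPONENT, c.encode()) for c in comps))


def decode_name(value: bytes) -> str:
    parts = parse_tlvs(value)
    if any(t != GENERIC_NAME_COMPONENT for t, _ in parts):
        raise ValueError("only GenericNameComponent is handled here")
    return "/" + "/".join(v.decode() for _, v in parts)


@dataclass
class EncryptedContent:
    payload: bytes
    iv: Optional[bytes] = None
    payload_key: Optional[bytes] = None
    name: Optional[str] = None

    def encode(self) -> bytes:
        body = tlv(ENCRYPTED_PAYLOAD, self.payload)
        body += tlv(INITIALIZATION_VECTOR, self.iv) if self.iv is not None else b""
        body += tlv(ENCRYPTED_PAYLOAD_KEY, self.payload_key) if self.payload_key is not None else b""
        body += encode_name(self.name) if self.name is not None else b""
        return tlv(ENCRYPTED_CONTENT, body)

    @classmethod
    def decode(cls, wire: bytes) -> "EncryptedContent":
        outer = parse_tlvs(wire)
        if len(outer) != 1 or outer[0][0] != ENCRYPTED_CONTENT:
            raise ValueError("expected exactly one EncryptedContent element")
        elems = parse_tlvs(outer[0][1])
        ranks = [ELEMENT_ORDER.index(t) if t in ELEMENT_ORDER else -1 for t, _ in elems]
        # The ABNF fixes the order and allows each element at most once; EncryptedPayload is mandatory.
        if not ranks or ranks[0] != 0 or -1 in ranks or ranks != sorted(set(ranks)):
            raise ValueError("missing, unknown, repeated or out-of-order element")
        d = dict(elems)
        return cls(d[ENCRYPTED_PAYLOAD], d.get(INITIALIZATION_VECTOR), d.get(ENCRYPTED_PAYLOAD_KEY),
                   decode_name(d[NAME]) if NAME in d else None)


# Which optional elements each use of EncryptedContent carries, per the spec text.
PROFILES = {
    "content": {"iv": True, "payload_key": False, "name": True},   # element returned by the Encryptor
    "ck": {"iv": False, "payload_key": False, "name": False},       # CK data payload
    "kdk": {"iv": False, "payload_key": True, "name": False},       # KDK copy for one member
}


def check_profile(ec: EncryptedContent, kind: str) -> EncryptedContent:
    for field, required in PROFILES[kind].items():
        if (getattr(ec, field) is not None) != required:
            raise ValueError(f"{kind}: {field} must be {'present' if required else 'omitted'}")
    if kind == "content":
        if len(ec.iv) != 16:  # AES block size; CBC needs a full-block IV
            raise ValueError("AES-CBC IV must be 16 octets")
        comps = ec.name.strip("/").split("/")
        if len(comps) < 3 or comps[-2] != "CK":
            raise ValueError("Name must have the form /[ck-prefix]/CK/[ck-id]")
    return ec
```

``check_profile`` is deliberately separate from ``decode``: the wire format is the same in all three cases, and only the context (what the element was retrieved as) says which optional elements are legitimate. A Decryptor that skips the profile check would, for example, accept a KDK packet carrying a ``Name`` element and could be steered toward a CK prefix the Access Manager never published.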


Decryptor
---------

.. figure:: _static/decryptor.png
   :alt: Decryptor
   :align: center

The Decryptor decrypts the supplied ``EncryptedContent`` element (an asynchronous operation, contingent on successful retrieval of the CK data and of the KDK, and on successful decryption of both). It fetches the CK data named by the ``Name`` element, reads from the CK data name which KEK was used, fetches the KDK copy encrypted for its own key, unwraps the KDK with its private key, recovers the CK with the KDK, and finally decrypts ``EncryptedPayload`` with the CK and the ``InitializationVector``.
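
As an added example (not the project's code), the following Python derives every name in the NAC chain from the conventions in the Access Manager, Encryptor and Decryptor sections, and validates a retrieved CK data name before trusting the KEK it points at. The names ``/example/acl``, ``/example/app`` and ``/example/bob`` and the key ids are assumed sample values. The KEK name is parsed from the tail of the CK data name, so an access namespace that itself contains ``NAC`` or ``KEK`` components does not shift the parse.

```python
"""NAC naming chain: derive and validate KEK, KDK and CK data names (added example, not project code)."""
from typing import Dict, List

ENCRYPTED_BY = "ENCRYPTED-BY"


def split(uri: str) -> List[str]:
    return [c for c in uri.split("/") if c]


def join(comps: List[str]) -> str:
    return "/" + "/".join(comps)


def kek_name(access_namespace: str, dataset: str, key_id: str) -> str:
    """Access Manager: name of the plaintext public key packet."""
    return join(split(access_namespace) + ["NAC", dataset, "KEK", key_id])


def kdk_name(kek: str, member: str, member_key_id: str) -> str:
    """Access Manager: name of the KDK copy encrypted for one authorized member's key."""
    c = split(kek)
    if len(c) < 5 or c[-4] != "NAC" or c[-2] != "KEK":
        raise ValueError("not a KEK name")
    return join(c[:-2] + ["KDK", c[-1], ENCRYPTED_BY] + split(member) + ["KEY", member_key_id])


def ck_data_name(ck_name: str, kek: str) -> str:
    """Encryptor: name of the CK data packet, which records which KEK encrypted the CK."""
    return join(split(ck_name) + [ENCRYPTED_BY] + split(kek))


def parse_ck_data_name(name: str, advertised_ck_name: str) -> Dict[str, str]:
    """Decryptor: check a retrieved CK data name against the Name element of the content
    and extract the KEK it was encrypted by. The KEK is read from the tail of the name, so
    an access namespace containing its own NAC/KEK components cannot shift the parse."""
    c, prefix = split(name), split(advertised_ck_name)
    if len(prefix) < 3 or prefix[-2] != "CK":
        raise ValueError("EncryptedContent Name must be /[ck-prefix]/CK/[ck-id]")
    if c[:len(prefix)] != prefix:
        raise ValueError("CK data name is not under the advertised CK name")
    rest = c[len(prefix):]
    if not rest or rest[0] != ENCRYPTED_BY:
        raise ValueError("missing ENCRYPTED-BY marker")
    kek = rest[1:]
    if len(kek) < 5 or kek[-4] != "NAC" or kek[-2] != "KEK":
        raise ValueError("ENCRYPTED-BY does not name a KEK")
    return {"ck_id": prefix[-1], "access_namespace": join(kek[:-4]),
            "dataset": kek[-3], "key_id": kek[-1], "kek": join(kek)}


def decryptor_fetch_plan(ec_name: str, ck_data: str, member: str, member_key_id: str) -> Dict[str, str]:
    """Every name the Decryptor touches, in the order it needs them:
    1. an Interest under ec_name retrieves the CK data; 2. its name yields the KEK;
    3. the KDK copy encrypted for this member's key; 4. the member's own key, whose
    private half decrypts EncryptedPayloadKey, then opens the SafeBag, then the CK."""
    info = parse_ck_data_name(ck_data, ec_name)
    return {
        "ck_interest": ec_name,
        "ck_data": ck_data,
        "kek": info["kek"],
        "kdk": kdk_name(info["kek"], member, member_key_id),
        "member_key": join(split(member) + ["KEY", member_key_id]),
    }
```

The prefix check in ``parse_ck_data_name`` matters because the Decryptor learns the KEK, and therefore which KDK to fetch, purely from the CK data name: a CK data packet that is not under the CK name advertised in ``EncryptedContent`` must be rejected before its ``ENCRYPTED-BY`` suffix is acted on.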

TLV-TYPE number assignments
---------------------------

+-----------------------+------------------+-----------------+
| Type                  | Assigned number  | Assigned number |
|                       | (decimal)        | (hexadecimal)   |
+=======================+==================+=================+
| EncryptedContent      | 130              | 0x82            |
+-----------------------+------------------+-----------------+
| EncryptedPayload      | 132              | 0x84            |
+-----------------------+------------------+-----------------+
| InitializationVector  | 133              | 0x85            |
+-----------------------+------------------+-----------------+
| EncryptedPayloadKey   | 134              | 0x86            |
+-----------------------+------------------+-----------------+