Gitiles
Code Review Sign In
gerrit.named-data.net / name-based-access-control / 44b0f8c4c3c7c9d766a7c92c30d646bf1eaf6e94 / . / docs / spec.rst
blob: 038c1411240b8f7f6a8327f7956727018963d149 [file] [log] [blame]
Alexander Afanasyev6e64ac92018-06-14 17:25:38 -0400[diff] [blame]1NAC Specification
2=================
3
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]4.. figure:: _static/nac-overview.png
5 :alt: Overview of NAC entities
6 :align: center
Alexander Afanasyev0db0feb2018-06-13 20:33:10 -0400[diff] [blame]7
8Terminology
9-----------
10
11+-----------------+------------------------------------------------------------------------------------------+
12| Term | Description |
13+=================+==========================================================================================+
14| KEK | Key Encryption Key (RSA public key) |
15+-----------------+------------------------------------------------------------------------------------------+
16| KDK | Key Decryption Key (RSA private key) |
17+-----------------+------------------------------------------------------------------------------------------+
18| CK | Content Key (AES symmetric key) |
19+-----------------+------------------------------------------------------------------------------------------+
Alexander Afanasyev1a21e102018-06-13 20:33:21 -0400[diff] [blame]20| CK data | Data packet carrying a KDK-encrypted CK as payload |
Alexander Afanasyev0db0feb2018-06-13 20:33:10 -0400[diff] [blame]21+-----------------+------------------------------------------------------------------------------------------+
22| Access Manager | (Data Owner) Entity that control access to the data associated with the namespace |
23+-----------------+------------------------------------------------------------------------------------------+
24| Encryptor | (Producer) Entity that encrypts data based on namespace association |
25+-----------------+------------------------------------------------------------------------------------------+
26| Decryptor | (Consumer) Entity that decrypts data based on namespace association |
27+-----------------+------------------------------------------------------------------------------------------+
28
29EncryptedContent
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]30----------------
Alexander Afanasyev0db0feb2018-06-13 20:33:10 -0400[diff] [blame]31
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]32The ``EncryptedContent`` element contains encrypted blob, optional Initialization Vector (for AES CBC encryption),
Alexander Afanasyev0db0feb2018-06-13 20:33:10 -0400[diff] [blame]33optional EncryptedPayloadKey, and Name elements.
34
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]35.. code-block:: abnf
Alexander Afanasyev0db0feb2018-06-13 20:33:10 -0400[diff] [blame]36
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]37 EncryptedContent = ENCRYPTED-CONTENT-TYPE TLV-LENGTH
38 EncryptedPayload
39 [InitializationVector]
40 [EncryptedPayloadKey]
41 [Name]
Alexander Afanasyev0db0feb2018-06-13 20:33:10 -0400[diff] [blame]42
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]43 EncryptedPayload = ENCRYPTED-PAYLOAD-TYPE TLV-LENGTH *OCTET
44 InitializationVector = INITIALIZATION-VECTOR-TYPE TLV-LENGTH *OCTET
45 EncryptedPayloadKey = ENCRYPTED-PAYLOAD-KEY-TYPE TLV-LENGTH *OCTET
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]46
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]47Access Manager
48--------------
49
50.. figure:: _static/access-manager.png
51 :alt: Access Manager
52 :align: center
53
Alexander Afanasyev1a21e102018-06-13 20:33:21 -0400[diff] [blame]54Access Manager controls decryption policy by publishing granular per-namespace access policies in the form of key encryption (KEK, plaintext public) and key decryption (KDK, encrypted private key) key pair.
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]55
56KEK is published as a single data packet with name ``/[access-namespace]/NAC/[dataset]/KEK/[key-id]``, following the following format:
57
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]58.. code-block:: abnf
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]59
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]60 Kek = DATA-TYPE TLV-LENGTH
Davide Pesavento3c7f6452021-10-02 04:06:26 -0400[diff] [blame]61 Name ; /[access-namespace]/NAC/[dataset]/KEK/[key-id]
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]62 MetaInfo ; ContentType = KEY, FreshnessPeriod = 1 hour default value
63 KekContent
64 DataSignature
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]65
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]66 KekContent = CONTENT-TYPE-TLV TLV-LENGTH
67 *OCTET ; = BER of public key /[access-namespace]/NAC/[dataset]/KEY/[key-id]
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]68
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]69Different versions of KDK are published, encrypted by the public key of the individual authorized member, following naming convention: ``/[access-namespace]/NAC/[dataset]/KDK/[key-id]/ENCRYPTED-BY/<authorized-member>/KEY/[member-key-id]``. KDK is published in the following format:
70
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]71.. code-block:: abnf
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]72
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]73 Kdk = DATA-TYPE TLV-LENGTH
Davide Pesavento3c7f6452021-10-02 04:06:26 -0400[diff] [blame]74 Name ; /[access-namespace]/NAC/[dataset]/KDK/[key-id]/ENCRYPTED-BY/<authorized-member>/KEY/[member-key-id]
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]75 MetaInfo ; ContentType = BLOB, FreshnessPeriod = 1 hour default value
76 KdkContent
77 DataSignature
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]78
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]79 KdkContent = CONTENT-TYPE-TLV TLV-LENGTH
80 EncryptedContent
81
82Within the ``EncryptedContent`` element,
83
Davide Pesavento135cd2d2023-01-19 19:06:08 -0500[diff] [blame]84* ``EncryptedPayload`` contains `SafeBag <https://docs.named-data.net/ndn-cxx/0.8.1/specs/safe-bag.html>`__ of private key ``/[access-namespace]/NAC/[dataset]/KEY/[key-id]``
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]85* ``EncryptedPayloadKey`` contains password for SafeBag, encrypted by public key ``/<authorized-member>/KEY/[member-key-id]``
86* ``InitializationVector`` and ``Name`` must be omitted
Alexander Afanasyev1a21e102018-06-13 20:33:21 -0400[diff] [blame]87
88Encryptor
89---------
90
91.. figure:: _static/encryptor.png
92 :alt: Encryptor
93 :align: center
94
95Encryptor encrypts (synchronous operation) the requested content and returns an ``EncryptedContent`` element with values:
96
97::
98
99 EncryptedPayload = AES CBC encrypted blob
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]100 InitializationVector = Random initial vector for AES CBC encryption
Davide Pesavento3c7f6452021-10-02 04:06:26 -0400[diff] [blame]101 EncryptedPayloadKey (not set)
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]102 Name = Prefix of ContentKey (CK) data packet /[ck-prefix]/CK/[ck-id]
Alexander Afanasyev1a21e102018-06-13 20:33:21 -0400[diff] [blame]103
104During initialization or when requested by the application, the Encryptor (re-)generates a random key for AES CBC encryption.
105The encrypted version of this key is published (asynchronous operation, contingent on successful retrieval and validation of KEK) as a data packet, following the naming convention: ``/[ck-prefix]/CK/[ck-id]/ENCRYPTED-BY/[access-namespace]/NAC/[dataset]/KEK/[key-id]``. CK data is published in the following format:
106
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]107.. code-block:: abnf
Alexander Afanasyev1a21e102018-06-13 20:33:21 -0400[diff] [blame]108
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]109 CkData = DATA-TYPE TLV-LENGTH
Davide Pesavento3c7f6452021-10-02 04:06:26 -0400[diff] [blame]110 Name ; /[ck-prefix]/CK/[ck-id]/ENCRYPTED-BY/[access-namespace]/NAC/[dataset]/KEK/[key-id]
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]111 MetaInfo ; ContentType = BLOB, FreshnessPeriod = 1 hour default value
112 CkContent
113 DataSignature
Alexander Afanasyev1a21e102018-06-13 20:33:21 -0400[diff] [blame]114
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]115 CkContent = CONTENT-TYPE-TLV TLV-LENGTH
116 EncryptedContent
117
118Within the ``EncryptedContent`` element,
119
120* ``EncryptedPayload`` contains ContentKey encrypted by public key ``/[access-namespace]/NAC/[dataset]/KEK/[key-id]``
121* ``EncryptedPayloadKey``, ``InitializationVector``, and ``Name`` must be omitted
122
Alexander Afanasyevff3ee9f2018-06-13 20:33:30 -0400[diff] [blame]123Decryptor
124---------
125
126.. figure:: _static/decryptor.png
127 :alt: Decryptor
128 :align: center
129
130Encryptor decrypts (asynchronous operation, contingent on successful retrieval of CK data, KDK, and decryption of both) the supplied ``EncryptedContent`` element.
Junxiao Shidddc19a2020-08-10 13:13:06 -0600[diff] [blame]131
132TLV-TYPE number assignments
133---------------------------
134
Davide Pesavento135cd2d2023-01-19 19:06:08 -0500[diff] [blame]135+----------------------------------------+------------------+------------------+
136| Type | Assigned number | Assigned number |
137| | (decimal) | (hexadecimal) |
138+========================================+==================+==================+
139| EncryptedContent | 130 | 0x82 |
140+----------------------------------------+------------------+------------------+
141| EncryptedPayload | 132 | 0x84 |
142+----------------------------------------+------------------+------------------+
143| InitializationVector | 133 | 0x85 |
144+----------------------------------------+------------------+------------------+
145| EncryptedPayloadKey | 134 | 0x86 |
146+----------------------------------------+------------------+------------------+