Gitiles
Code Review Sign In
gerrit.named-data.net / name-based-access-control / 6e90a0b9c67e1a5f9cdad8f053295b90f75212f1 / . / docs / spec.rst
blob: 2de5aa1a6d4af9d541076061fc9432035f2ff924 [file] [log] [blame]
Alexander Afanasyev6e64ac92018-06-14 17:25:38 -0400[diff] [blame]1NAC Specification
2=================
3
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]4.. figure:: _static/nac-overview.png
5 :alt: Overview of NAC entities
6 :align: center
Alexander Afanasyev0db0feb2018-06-13 20:33:10 -0400[diff] [blame]7
8Terminology
9-----------
10
11+-----------------+------------------------------------------------------------------------------------------+
12| Term | Description |
13+=================+==========================================================================================+
14| KEK | Key Encryption Key (RSA public key) |
15+-----------------+------------------------------------------------------------------------------------------+
16| KDK | Key Decryption Key (RSA private key) |
17+-----------------+------------------------------------------------------------------------------------------+
18| CK | Content Key (AES symmetric key) |
19+-----------------+------------------------------------------------------------------------------------------+
Alexander Afanasyev1a21e102018-06-13 20:33:21 -0400[diff] [blame]20| CK data | Data packet carrying a KDK-encrypted CK as payload |
Alexander Afanasyev0db0feb2018-06-13 20:33:10 -0400[diff] [blame]21+-----------------+------------------------------------------------------------------------------------------+
22| Access Manager | (Data Owner) Entity that control access to the data associated with the namespace |
23+-----------------+------------------------------------------------------------------------------------------+
24| Encryptor | (Producer) Entity that encrypts data based on namespace association |
25+-----------------+------------------------------------------------------------------------------------------+
26| Decryptor | (Consumer) Entity that decrypts data based on namespace association |
27+-----------------+------------------------------------------------------------------------------------------+
28
29EncryptedContent
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]30----------------
Alexander Afanasyev0db0feb2018-06-13 20:33:10 -0400[diff] [blame]31
32The ``EncryptedContent`` element contains encrypted blob, optional Initial Vector (for AES CBC encryption),
33optional EncryptedPayloadKey, and Name elements.
34
35::
36
37 EncryptedContent ::= ENCRYPTED-CONTENT-TYPE TLV-LENGTH
38 EncryptedPayload
Alexander Afanasyev1a21e102018-06-13 20:33:21 -0400[diff] [blame]39 InitializationVector?
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]40 EncryptedPayloadKey?
41 Name?
Alexander Afanasyev0db0feb2018-06-13 20:33:10 -0400[diff] [blame]42
Alexander Afanasyev0db0feb2018-06-13 20:33:10 -0400[diff] [blame]43 EncryptedPayload ::= ENCRYPTED-PAYLOAD-TYPE TLV-LENGTH(=N) BYTE{N}
Alexander Afanasyev1a21e102018-06-13 20:33:21 -0400[diff] [blame]44 InitializationVector ::= INITIALIZATION-VECTOR-TYPE TLV-LENGTH(=N) BYTE{N}
Alexander Afanasyev0db0feb2018-06-13 20:33:10 -0400[diff] [blame]45 EncryptedPayloadKey ::= ENCRYPTED-PAYLOAD-KEY-TYPE TLV-LENGTH(=N) BYTE{N}
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]46
47
48Access Manager
49--------------
50
51.. figure:: _static/access-manager.png
52 :alt: Access Manager
53 :align: center
54
Alexander Afanasyev1a21e102018-06-13 20:33:21 -0400[diff] [blame]55Access Manager controls decryption policy by publishing granular per-namespace access policies in the form of key encryption (KEK, plaintext public) and key decryption (KDK, encrypted private key) key pair.
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]56
57KEK is published as a single data packet with name ``/[access-namespace]/NAC/[dataset]/KEK/[key-id]``, following the following format:
58
59::
60
61 Kek ::= DATA-TYPE TLV-LENGTH
62 Name (= /[access-namespace]/NAC/[dataset]/KEK/[key-id])
Alexander Afanasyev1a21e102018-06-13 20:33:21 -0400[diff] [blame]63 MetaInfo (= .ContentType = KEY, .FreshnessPeriod = 1 hour default value)
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]64 KekContent
65 SignatureInfo
66 SignatureValue
67
68 KekContent ::= CONTENT-TYPE-TLV TLV-LENGTH
69 BYTE* (= BER of public key /[access-namespace]/NAC/[dataset]/KEY/[key-id])
70
71
72Different versions of KDK are published, encrypted by the public key of the individual authorized member, following naming convention: ``/[access-namespace]/NAC/[dataset]/KDK/[key-id]/ENCRYPTED-BY/<authorized-member>/KEY/[member-key-id]``. KDK is published in the following format:
73
74::
75
76 Kdk ::= DATA-TYPE TLV-LENGTH
77 Name (= /[access-namespace]/NAC/[dataset]/KDK/[key-id]/ENCRYPTED-BY/<authorized-member>/KEY/[member-key-id])
Alexander Afanasyev1a21e102018-06-13 20:33:21 -0400[diff] [blame]78 MetaInfo (= .ContentType = BLOB, .FreshnessPeriod = 1 hour default value)
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]79 KdkContent
80 SignatureInfo
81 SignatureValue
82
83 KdkContent ::= CONTENT-TYPE-TLV TLV-LENGTH
84 EncryptedContent (=
85 .EncryptedPayload = SafeBag with private key /[access-namespace]/NAC/[dataset]/KEY/[key-id]
86 .EncryptedPayloadKey = password for SafeBag, encrypted by public key /<authorized-member>/KEY/[member-key-id]
Alexander Afanasyev1a21e102018-06-13 20:33:21 -0400[diff] [blame]87 // .InitializationVector and .Name are not set
88 )
89
90Encryptor
91---------
92
93.. figure:: _static/encryptor.png
94 :alt: Encryptor
95 :align: center
96
97Encryptor encrypts (synchronous operation) the requested content and returns an ``EncryptedContent`` element with values:
98
99::
100
101 EncryptedPayload = AES CBC encrypted blob
102 InitializationVector = Random initial vector for AES CBC encryption
103 EncryptedPayloadKey (not set)
104 Name = Prefix of ContentKey (CK) data packet [ck-prefix]/CK/[ck-id]
105
106During initialization or when requested by the application, the Encryptor (re-)generates a random key for AES CBC encryption.
107The encrypted version of this key is published (asynchronous operation, contingent on successful retrieval and validation of KEK) as a data packet, following the naming convention: ``/[ck-prefix]/CK/[ck-id]/ENCRYPTED-BY/[access-namespace]/NAC/[dataset]/KEK/[key-id]``. CK data is published in the following format:
108
109::
110
111 CkData ::= DATA-TYPE TLV-LENGTH
112 Name (= /[ck-prefix]/CK/[ck-id]/ENCRYPTED-BY/[access-namespace]/NAC/[dataset]/KEK/[key-id])
113 MetaInfo (= .ContentType = BLOB, .FreshnessPeriod = 1 hour default value)
114 CkContent
115 SignatureInfo
116 SignatureValue
117
118 CkContent ::= CONTENT-TYPE-TLV TLV-LENGTH
119 EncryptedContent (=
120 .EncryptedPayload = ContentKey encrypted by public key /[access-namespace]/NAC/[dataset]/KEK/[key-id]
121 // .InitializationVector, .EncryptedPayloadKey, and .Name are not set
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400[diff] [blame]122 )
Alexander Afanasyevff3ee9f2018-06-13 20:33:30 -0400[diff] [blame]123
124Decryptor
125---------
126
127.. figure:: _static/decryptor.png
128 :alt: Decryptor
129 :align: center
130
131Encryptor decrypts (asynchronous operation, contingent on successful retrieval of CK data, KDK, and decryption of both) the supplied ``EncryptedContent`` element.