Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-cxx / 699725dae197531eec473e0a692b240503e7f1a0 / . / docs / tutorials / security-trust-schema.rst
blob: 7daeb3de5b1aa12276b71ee9ac653c34941ba4dc [file] [log] [blame]
Yingdi Yub56c54e2015-05-24 18:47:40 -0700[diff] [blame]1Trust Schema Specification
2==========================
3
4.. contents::
5
6Trust in NDN is based on name. A data packet is valid only if it is signed with a key whose
7name satisfies certain conditions (e.g., sharing the same prefix, containing certain name
8components, etc.). Such a relation between data name and key name defines a trust rule. Since
9keys are just another type of data, authenticating the signing key of a data packet is the same
10as authenticating a normal data packet. The trust model of an NDN application consists of a
11set of trust rules that associate data with keys, keys with their signing keys (including some
12pre-trusted keys).
13
14Trust schema is a description of a trust model, which can help automate data and interest
15packet signing and authentication. A trust schema describes the relationship between packet
16and its signing key in terms of name patterns. A trust schema interpreter with the ability to
17retrieve public keys (also called *authenticating* *interpreter*) can automatically validate
18packets according to the trust model. Similarly, a trust schema interpreter with the ability
19to access private keys (also called *signing* *interpreter*) can automatically sign packets
20according to the trust model. This specification defines a way to specify a trust model using
21the trust schema.
22
23A trust schema consists of three parts: a list of **rules**, one or more
24**anchor**, and a **crypto**:
25
26.. table::
27
28 +------------+------------------------------------------------------------------------+
29 | **rule** | Restriction on a packet name and its signing key name |
30 +------------+------------------------------------------------------------------------+
31 | **anchor** | A pre-authenticated public key (a data packet carrying the public key) |
32 +------------+------------------------------------------------------------------------+
33 | **crypto** | Cryptographic requirements on packet signature: which public key |
34 | | algorithm to use, which hashing algorithm to use, and what is the |
35 | | minimum required signature strength |
36 +------------+------------------------------------------------------------------------+
37
38.. note::
39 All values in trust schema definition must be quoted if they contain spaces.
40
41Here is an example of the schema configuration file:
42
43::
44
45 rule
46 {
47 id article
48 name (<>*)<blog><article><><><>
49 signer author($1)
50 }
51 rule
52 {
53 id author
54 name (<>*)<blog><author>[user]<KEY>[id]
55 signer admin($1)
56 }
57 rule
58 {
59 id admin
60 name (<>*)<blog><admin>[user]<KEY>[id]
61 signer admin($1)|root($1)
62 }
63 anchor
64 {
65 id root
66 name (<>*)<blog><KEY>[id]
67 file blog-root.cert
68 }
69 crypto
70 {
71 hash sha256
72 signing rsa|ecdsa
73 key-strength 112
74 }
75
76An authenticating interpreter that loads this trust schema can automatically
77validate blog articles, blog author keys, and blog admin keys. When an
78authenticating interpreter get an article data packet, the interpreter will
79find the first **rule** whose **name** matches the data name and check the
80data's KeyLocator against the **signer** in the rule. For example, if the
81article is signed by an author key which matches the signer **author**, the
82interpreter can fetch the key and validate the key using the author rule which
83corresponds to the matched signer. The authentication process can recursively
84develop until reaching an **anchor**. At this moment, the interpreter can
85trigger the signature verification along the reverse path until eventually
86authenticating article.
87
88Similarly, for packet signing, a signing interpreter that loads this trust
89schema can construct a chain of signing key to sign packet correctly, so that
90the packet can be authenticated by authenticating interpreter using the same
91trust schema.
92
93Rule
94----
95
96A rule has the following properties:
97
98- **id**: a unique identifier of the rule in the trust schema that can be used to
99 link rules as part of signer "function." The identifier must start with a
100 letter, and can only contain letters, digits, and underscores. The identifier
101 is case-sensitive.
102
103- **name**: name pattern of the packet in terms of :doc:`utils-ndn-regex`
104- **type** (optional): type of packet to match against the rule.
105
106 Possible values: **data** (default) and **interest**.
107
108- **signer**: one or more invocations of rules or trust anchors, separated by **|**.
109
110 Each invocation can take as an input name components that are either explicitly
111 specified or extracted from the packet name using regular expression sub-groups.
112
113 Output of each rule invocation is a name pattern from the corresponding rule or
114 trust anchor, specialized with the specified input parameters.
115
116Example::
117
118 rule
119 {
120 id article
121 name (<>*)<blog><article><><><>
122 signer author($1)
123 }
124
125
126A data/interest packet will be checked by a rule only if the packet **name**
127matches the rule's name property.
128
129For a packet that is matched by a rule, the packet's KeyLocator will be checked
130against the rule's **signer** property.
131
132The packet's KeyLocator must match a name pattern that is derived from at least
133one of the signers to be treated as a valid packet. Note that KeyLocator always
134points to a certificate, thus the "functions" in a signer must be data rules.
135
136.. note::
137 For interest packets, the name property only matches the name components that
138 exist before the packet is signed. In other words, if the signature signing
139 process add the signature info and signature value as name components, these
140 name components will not be matched by the pattern.
141
142.. note::
143 **ATTENTION: The order of rules MATTERS!** A packet will be check ONLY with
144 the first matched rule.
145
146
147Anchor
148------
149
150A trust schema must contain at least one **anchor** (a pre-authenticated key) and
151all authentication paths must end at an anchor. Each anchor must contain:
152
153- **id**: identifier for the anchor that can be used to link an anchor to a rule
154 as a signer "function". The identifier must start with a letter, and can only
155 contain letters, digits, and underscores. The identifier is case-sensitive.
156
157
158- **name**: name pattern of the packet in terms of :doc:`utils-ndn-regex`
159
160Since an anchor is pre-authenticated, it does not have the **signer** property,
161but instead the key directly. Therefore, anchor must specify exactly one of the
162following properties:
163
164- **file**: name of a file containing a base64 encoded pre-authenticated public key
165 certificate.
166
167or
168
169- **raw**: text string in base64 encoding, containing the raw bytes of a pre-authenticated
170 public key certificate.
171
172or
173
174- **dir**: name of directory under which each file contains a base64 encoded
175 pre-authenticated public key certificate.
176
177
178Examples::
179
180 anchor
181 {
182 id root
183 name (<>*)<blog><KEY>[id]
184 file blog-root.cert
185 }
186 anchor
187 {
188 id another-root
189 name <KEY>[id]
190 raw "Bv0DGwdG...amHFvHIMDw=="
191 }
192 anchor
193 {
194 id root
195 name (<>*)<blog><KEY>[id]
196 dir /etc/ndn/trust-anchors
197 }
198
199
200When **file** or **dir** is specified and the file(s) can change during the runtime,
201additional **refresh** property can be specified to define how often the
202pre-authenticated key should be refreshed in the trust model (Three units of time
203interval are supported: ``h`` for hour, ``m`` for minute, and ``s`` for second)::
204
205 anchor
206 {
207 id root
208 name (<>*)<blog><KEY>[id]
209 file blog-root.cert
210 refresh 1h ; refresh the key every hour, other units include
211 ; m (for minutes) and s (for seconds)
212 }
213
214There is another special anchor **any**. As long as such an anchor is defined
215in config file, any signature of any data and interest packet is considered valid::
216
217 anchor
218 {
219 any true
220 }
221
222.. note::
223
224 Use of ``any`` anchor is highly discouraged and should only be used to
225 temporarily disable packet validation (e.g., while debugging code).
226
227
228Crypto (Signature Requirements)
229-------------------------------
230
231**crypto** block defines the acceptable packet signature.
232**crypto** must contain three properties:
233
234- **hash**: one or more allowed hash algorithms, separated by **|**.
235
236 Possible values: **sha256**
237
238- **signing**: one or more allowed signing algorithms, separated by **|**
239
240 Possible values: **rsa** (RSA signature algorithm), **ecdsa** (ECDSA signature algorithm)
241
242- **key-strength**: minimum crypto strength of a key (in terms of symmetric key bits)
243
244 Recommended values by NIST (`details`_) and their equivalent RSA and ECDSA key sizes:
245
246 +---------------------------------------------+-------------------+----------------+
247 | Key Strength (in symmetric key bits) | RSA key bits | ECDSA key bits |
248 +=============================================+===================+================+
249 | 80 (very weak) | 1024 | 160 |
250 +---------------------------------------------+-------------------+----------------+
251 | 112 (recommended value) | 2048 | 224 |
252 +---------------------------------------------+-------------------+----------------+
253 | 128 | 3072 | 256 |
254 +---------------------------------------------+-------------------+----------------+
255 | 192 | 7680 | 384 |
256 +---------------------------------------------+-------------------+----------------+
257 | 256 (strong) | 15360 | 521 |
258 +---------------------------------------------+-------------------+----------------+
259
260.. todo: define key strengths for RSA 4096 (as it is a pretty commonly used value)
261
262.. _details: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
263
264..
265 Any
266 ---
267
268 There is another special optional property of trust schema **any**. As long as
269 such a property is specified with a value **true**, packet validation will be
270 turned off.
271
272 ::
273
274 any true
275
276 .. note::
277 **ATTENTION: This property is dangerous.** You should used it only when you
278 want to disable packet validation temporarily (e.g, debugging code, building
279 a demo).
280
281Examples
282--------
283
284Example Configuration For NLSR
285~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
286
287The trust model of NLSR is semi-hierarchical. An example certificate signing hierarchy is:
288
289::
290
291 root
292 |
293 +--------------+---------------+
294 site1 site2
295 | |
296 +---------+---------+ +
297 operator1 operator2 operator3
298 | | |
299 +-----+-----+ +----+-----+ +-----+-----+--------+
300 router1 router2 router3 router4 router5 router6 router7
301 | | | | | | |
302 + + + + + + +
303 NLSR NSLR NSLR NSLR NSLR NSLR NSLR
304
305However, entities name may not follow the signing hierarchy, for
306example:
307
308+------------+-------------------------------------------------------------------------------------+
309| Entity | Identity name and examples |
310+============+=====================================================================================+
311| root | ``/<network>`` |
312| | |
313| | Identity example: ``/ndn`` |
314| | |
315| | Certificate name example: ``/ndn/KEY/ksk-1/ID-CERT/%01`` |
316+------------+-------------------------------------------------------------------------------------+
317| site | ``/<network>/<site>`` |
318| | |
319| | Identity example: ``/ndn/edu/ucla`` |
320| | |
321| | Certificate name example: ``/ndn/edu/ucla/KEY/ksk-2/ID-CERT/%01`` |
322+------------+-------------------------------------------------------------------------------------+
323| operator | ``/<network>/<site>/%C1.O.N./<operator-id>`` |
324| | |
325| | Identity example: ``/ndn/edu/ucla/%C1.O.N./op1`` |
326| | |
327| | Certificate name example: ``/ndn/edu/ucla/%C1.O.N./op1/KEY/ksk-3/ID-CERT/%01`` |
328+------------+-------------------------------------------------------------------------------------+
329| router | ``/<network>/<site>/%C1.O.R./<router-id>`` |
330| | |
331| | Identity example: ``/ndn/edu/ucla/%C1.O.R./rt1`` |
332| | |
333| | Certificate name example: ``/ndn/edu/ucla/%C1.O.R./rt1/KEY/ksk-4/ID-CERT/%01`` |
334+------------+-------------------------------------------------------------------------------------+
335| NLSR | ``/<network>/<site>/%C1.O.R./<router-id>/NLSR`` |
336| | |
337| | Identity example: ``/ndn/edu/ucla/%C1.O.R./rt1/NLSR`` |
338| | |
339| | Certificate name example: ``/ndn/edu/ucla/%C1.O.R./rt1/NLSR/KEY/ksk-5/ID-CERT/%01`` |
340+------------+-------------------------------------------------------------------------------------+
341
342Assume that a typical NLSR data name is
343``/ndn/edu/ucla/%C1.O.R./rt1/NLSR/LSA/LSType.1/%01``. Then here is the trust schema:
344
345::
346
347 rule
348 {
349 id announce
350 name (<>)(<>*)<%C1.O.R.>(<>)<NLSR><LSA><LSType.1>[id]
351 signer nlsr($1,$2,$3)
352 }
353 rule
354 {
355 id nlsr
356 name (<>)(<>*)<%C1.O.R.>(<>)<NLSR><KEY>[id]<ID-CERT>[version]
357 signer router($1,$2,$3)
358 }
359 rule
360 {
361 id router
362 name (<>)(<>*)<%C1.O.R.>(<>)<KEY>[id]<ID-CERT>[version]
363 signer operator($1,$2)
364 }
365 rule
366 {
367 id operator
368 name (<>)(<>*)<%C1.O.N.>[user]<KEY>[id]<ID-CERT>[version]
369 signer site($1)
370 }
371 rule
372 {
373 id site
374 name (<>)(<>*)<KEY>[id]<ID-CERT>[version]
375 signer root($1)
376 }
377 anchor
378 {
379 id root
380 name (<>)<KEY>[id]<ID-CERT>[version]
381 file "testbed-trust-anchor.cert"
382 }
383 crypto
384 {
385 hash sha-256
386 signing rsa|ecdsa
387 key-strength 112
388 }
389
390Example Configuration For NFD RIB Management
391~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
392
393Assume `NFD RIB Management <http://redmine.named-data.net/projects/nfd/wiki/RibMgmt>`_
394allows any valid testbed certificate to register prefix, the configuration file could be
395written as:
396
397::
398
399 rule
400 {
401 id localhost-rib-command
402 type interest
403 name <localhost><nrd>[<register><unregister><advertise><withdraw>]<><prefix>(<>*)(<>)
404 signer key($1,$2)
405 }
406 rule
407 {
408 id key
409 name (<>*)(<>)<KEY>[id]<ID-CERT>[version]
410 signer key($1,null)|root()
411 }
412 trust-anchor
413 {
414 id root
415 name <KEY>[id]
416 raw "Bv0DGwdG...amHFvHIMDw=="
417 }
418 crypto
419 {
420 hash sha-256
421 signing rsa|ecdsa
422 key-strength 112
423 }