CertCoalesce: Efficient Certificate Pool for NDN-Based Systems
Sanjeev Kaushik Ramani and Alexander Afanasyev
Named Data Networking (NDN) relies on public key signing to ensure integrity and authenticity for all data packets fetched in the network. One of the considerations for reliability of such signing is limiting the scope (what the key can sign) and time (how long the key can sign) of the public keys and their certificates, usually referred to as the “least privilege principle.” Traditionally, public key certificates are issued for relatively long periods of time measured in months or years, which requires considerations for certificate revocation, e.g., when the private key is lost or compromised. However, if the validity periods can be reduced to days or hours, the complex (and sometimes semi-broken) revocation mechanisms can be completely eliminated. This poster proposes such a mechanism—CertCoalesce certificates—to efficiently manage virtually unlimited pools of short-term certificates with limited networking, storage, and computational overheads. Specifically, a single certificate request with a “primary” key can be used to bootstrap the process of creating an unlimited number of short-term certificates for derivative private/public keys. Moreover, such certificates can be issued asynchronously—periodically pre-provisioned or upon request with an Interest—and issuance of future certificates can be terminated when necessary. Finally, the CertCoalesce design, owing to the underlying elliptic curve cryptography, ensures that a compromised key from the pool of keys will not reveal information about other keys/certificates in the pool.
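To make the “primary key bootstraps a pool of derivative keys” idea concrete, here is an added Python sketch of one additive-tweak derivation on secp256k1; it is illustrative and not the construction from the paper, which the abstract does not spell out. It assumes a hypothetical HMAC-based per-certificate tweak t_i shared between the key owner and the issuer, and shows both the owner's derivation of (d_i, Q_i) from the primary private key and the issuer's derivation of the same Q_i from the primary public key alone.

```python
import hashlib
import hmac

# secp256k1 domain parameters (standard public constants), used only for illustration.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7 mod P; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # A + (-A) = infinity
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def tweak(seed, index):
    """Hypothetical per-certificate scalar t_i = HMAC-SHA256(seed, i) mod N.
    Caveat: anyone holding both d_i and t_i recovers d = d_i - t_i, so t_i must stay secret."""
    mac = hmac.new(seed, index.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % N

def derive_keypair(d, seed, index):
    """Owner side: derivative key i for primary private key d is d_i = d + t_i, Q_i = d_i*G."""
    d_i = (d + tweak(seed, index)) % N
    return d_i, ec_mul(d_i, G)

def derive_pubkey(Q, seed, index):
    """Issuer side: the same Q_i from the primary public key Q only, Q_i = Q + t_i*G.
    This is what lets certificates be pre-provisioned without the issuer ever seeing d."""
    return ec_add(Q, ec_mul(tweak(seed, index), G))
```

A leaked d_i without its t_i gives no information about d or any other d_j, which is the pool property the abstract describes; with t_i also leaked the whole pool falls, so the tweak distribution is the part a deployment must protect.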