SEANAC: Schema Enforced Automation of Name-based Access Control

Name-based Access Control (NAC) facilitates access control by utilizing NDN's data-centric security and naming convention. NAC design includes three agents: (a) Encryptors, (b) Decryptors, and (c) Access Manager. Encryptors encrypts the content (data) symmetrically using a Content Key (CK). This CK is later encrypted asymmetrically using a Key Encryption Key (KEK). A corresponding KDK is used to decrypt the CK first by the decryptor, and eventually decrypt the content using that CK. Note that, KDK is private and access manager will provide a KDK only to a certain entity if it has access to that data. Access manager is responsible for generating and managing both KEK and KDK. However, in NAC design, there is not any specific mention of how an access manager gets the knowledge of following two things: (a) which KEK will be used to encrypt which CK and (b) which users will have access to which KDK. On the implementation side, these two things are configured manually. However, is a system with a significant number of entities, manually configuring this would not be a feasible approach. Therefore, to automate this process, we have proposed SEANAC, which is a schema-enforced approach to automate the overall NAC process by addressing the two issues mentioned above. In this paper, we have described our design choices and implementation details of SEANAC. Besides, we have evaluated our approach by experimenting with an NDN-based application, Hydra; what are the access control requirements of Hydra, and how SEANAC can be used to fulfill those requirements and build an automated access control system.