Actions

History

Trust Model¶

Signing chain¶

Trust Model¶

trust anchor

Component identities¶

Root / Site CA¶

Identity: /ndn/md2k
Type: Self-signed root CA
Trust Anchor: md2k-trust-anchor.ndncert

All components ultimately chain to this root.Consumers load this file so they can trust any certificate issued under /ndn/md2k.

Identities Signed by the Root CA

The root /ndn/md2k signs:

/ndn/md2k/mguard/controller
/ndn/md2k/mguard/aa
/ndn/md2k/mguard/dd40c (producer)
All consumer identities (example: /ndn/md2k/adam)

Defines the trust boundary.

Controller (/ndn/md2k/mguard/controller)¶

Signs POLICYDATA.
Issues policy decisions (who can access what).
Does not decrypt or validate ABE content.

Attribute Authority (AA) (/ndn/md2k/mguard/aa)¶

Signs PUBPARAMS.
Generates and signs ** DKEYs** (consumer ABE private keys).
Only entity holding ABE master secret.

Producer (/ndn/md2k/mguard/dd40c)¶

Signs and serves stream certificates.

The producer identity /ndn/md2k/mguard/dd40c signs all stream identities:

/ndn/md2k/mguard/dd40c/phone/accelerometer
/ndn/md2k/mguard/dd40c/phone/gyroscope
/ndn/md2k/mguard/dd40c/phone/gps
/ndn/md2k/mguard/dd40c/phone/battery
/ndn/md2k/mguard/dd40c/data_analysis/gps_episodes_and_semantic_location

These stream identities are used to sign manifests, encrypted DATA, and CK packets.

Producer validates:

AA public parameters (/aa/PUBPARAMS)

Publishes:

Encrypted DATA (digest-signed for NAC-ABE)
CK Data (digest-signed)
MANIFESTS (RSA-signed)

Producer serves:

Producer certificate
All stream certificates

Stream Identities (/ndn/md2k/mguard/dd40c/phone/…)¶

Used to sign RSA-signed objects (manifest).
metadata, DATA, CK(handled by nac-abe)
Each stream has its own identity and cert.

Consumer (e.g./ndn/md2k/adam)¶

Consumer validates:

AA parameters (RSA)
DKEY segments (RSA)
Controller POLICYDATA (RSA)
Stream manifests (RSA)
CK packets (digest)
Encrypted data segments (digest)

All rules validated using the consumers trust schema.

Consumer decrypts:

Encrypted application DATA → extract CK name
Fetch CK → decrypt with DKEY
Decrypt DATA using CK

The consumer uses three rules:

AA public parameters and DKEY validation

/ndn/md2k/mguard/aa/* signed by AA (RSA), chaining to root.
Controller POLICYDATA replies

/ndn/md2k/mguard/controller/* signed by controller (RSA), chaining to root.
Stream and producer content

/ndn/md2k/mguard/dd40c/*

Allows:
- sha256 (digest) for encrypted DATA, CK, metadata
- rsa-sha256 for manifests, stream certs
  KeyLocator must be a prefix of the Data name.

All validations ultimately chain back to /ndn/md2k.

Files (4)

Updated by Suravi Regmi 20 days ago · 9 revisions

old_trust_shcema.png (58.9 KB) old_trust_shcema.png		Suravi Regmi, 11/21/2025 07:34 PM
trust_model.png (307 KB) trust_model.png		Suravi Regmi, 11/21/2025 08:27 PM
cert signing chain.png (22.9 KB) cert signing chain.png		Suravi Regmi, 11/25/2025 05:16 PM
Group 71.png (12 KB) Group 71.png		Suravi Regmi, 11/25/2025 05:17 PM

Project

General

Profile

mGuard

Wiki

Trust Model¶

Signing chain¶

Trust Model¶

Component identities¶

Root / Site CA¶

Controller (/ndn/md2k/mguard/controller)¶

Attribute Authority (AA) (/ndn/md2k/mguard/aa)¶

Producer (/ndn/md2k/mguard/dd40c)¶

Stream Identities (/ndn/md2k/mguard/dd40c/phone/…)¶

Consumer (e.g./ndn/md2k/adam)¶

Project

General

Profile

mGuard

Wiki

Trust Model¶

Signing chain¶

Trust Model¶

Component identities¶

Root / Site CA¶

Controller (/ndn/md2k/mguard/controller)​¶

Attribute Authority (AA) (/ndn/md2k/mguard/aa)​¶

Producer (/ndn/md2k/mguard/dd40c)​¶

Stream Identities (/ndn/md2k/mguard/dd40c/phone/…)​¶

Consumer (e.g./ndn/md2k/adam)​¶

Controller (/ndn/md2k/mguard/controller)¶

Attribute Authority (AA) (/ndn/md2k/mguard/aa)¶

Producer (/ndn/md2k/mguard/dd40c)¶

Stream Identities (/ndn/md2k/mguard/dd40c/phone/…)¶

Consumer (e.g./ndn/md2k/adam)¶