Security verification framework for NDN access control

Abstract

Named Data Networking (NDN) presents a promising alternative to TCP/IP, but its access control design poses challenges for cybersecurity. Addressing this, the paper introduces the Security Verification Framework for NDN Access Control (SVF-NDN). This framework employs formal analysis to assess access control schemes, evaluating their resilience against cyberattacks. SVF-NDN verifies five crucial security properties-deadlock freedom, data availability, key authentication, data leakage protection, and data access protection. Implemented using the PAT model checking tool, the framework focuses on a data encryption-based NDN access control. Uncovering vulnerabilities such as node key pair faking and data leakage, two enhancement methods are proposed and evaluated. Recognizing the potential compromise of Access Control Manager (ACM), an innovative solution is presented. Additionally, four algorithms streamline the automatic updating of formal models. Results indicate SVF-NDN’s efficacy in fortifying access control against cyber threats, offering valuable insights for bolstering NDN security.

Introduction

Named Data Networking (NDN)¹is one of the leading architectures in Information-Centric Networking (ICN) that aims to resolve the existing problems in TCP/IP Internet^2,3. Although TCP/IP-based network has shown great resilience over the years, it cannot support the newly evolving content distribution model successfully, as users gradually pay more attention to named content rather than its location. NDN emerges as one of the promising architectures in ICN, where each packet does not carry an IP address but a data name. When a data consumer needs data, it sends out an Interest packet with the required name of the data. According to the name, routers forward the packets over the network, and a Data packet with a matching name will be returned to the consumer when it is produced by some data producer. 

Although the architecture of NDN is different from traditional networks, it also faces cyberattacks. Access control is an important measure to protect network security. As a fundamental aspect of network security, it is strongly correlated with other security services such as authenticity, auditing, and authorizations⁴. Generally, the main purpose of access control is to regulate who can view or use resources in a computing environment. Traditional mechanisms of access control focus on the IP addresses of end hosts. Such host-centric access control models cannot be easily adapted into NDN. As Data packets are cached in the content store at NDN routers for effective data delivery, they may be obtained by the consumers without access rights.

Some solutions have been proposed for ICN architectures including NDN with several limits. Data encryption is a natural and intuitive approach to build access control. Chen et al.⁵ proposed an encryption and probability-based access model for NDN. The bloom-filter data structure applied in this model is suitable for video streaming services, but may reduce the efficiency in other scenarios. In Misra et al.⁶, contents are encrypted by a symmetric data key whose dissemination is supported by Broadcast Encryption (BE). However, BE is only suitable for the context where the number of users is limited. As the prototype of NDN, CCNx introduced a simple access control solution⁷, which allows the control of the rights of reading, writing, and management. Unfortunately, its lazy revocation produces a possible situation where a revoked entity reads protected content. To address these limits, Hamdane et al.⁸ introduced a new encryption-based NDN access control, which is also the research object of this paper.

At present, NDN access control design is still in the starting stage, and it faces a lack of systematic guidance and the ability to adjust for cyberattacks. Most of them lack the verification of the security properties related to attacks and need more flexible measures for different cyberattacks. As a method that can describe the system and its requirements formally, formal verification (e.g., model checking) is helpful to support verification of the security properties related to cyberattacks. Model checking helps to avoid manual testing and save time. At the same time, it supports the feature of giving counter-examples, which can effectively provide clues for the improvement of access controls to enhance their robustness to cyberattacks. Therefore, formal verification is very recommended for protecting NDN from cyberattacks.

As one of the most popular formal verification techniques, model checking is suitable for modeling access control schemes⁹. However, model-checking-based methods are still not widely used in this field. One reason is that it is very difficult for users to build a formal model directly from the access control. Although some researchers have conducted formal verification of their access control schemes^10,11, there is a lack of methods to support NDN access control. To solve this problem, it is demanded that the formal verification method should generate formal models from the NDN access control as automatically as possible.

Contributions

As discussed above, the motivation is to provide a security verification framework for NDN access control (SVF-NDN). Fig. 1shows the overall framework of SVF-NDN. It supports the CSP (Communicating Sequential Processes) modelling from the NDN access control⁸ and formalizing security properties into linear temporal logic (LTL) formulas, which are verified by model checker PAT (Process Analysis Toolkit). The properties include deadlock freedom, data availability, key authentication, data leakage prevention, and data access protection. SVF-NDN supports updating NDN access control based on verification results.

This paper extends the previous work published at ICFEM 2018¹². In¹², the NDN access control was modeled, and four properties (deadlock freedom, data availability, key authentication, and data leakage protection) were verified. Additionally, two model improvements were presented. Now, to provide a more comprehensive description of various scenarios, additional types of messages are introduced, and a new property, namely data access protection, is verified. In the first model improvement, compared to the approach presented in¹², additional modeling components for different entities and intruders have been incorporated. Furthermore, three new algorithms (Algorithm 1, Algorithm 2, and Algorithm 3) have been introduced to facilitate the updating of CSP models. In the second model improvement, compared to the one presented in¹², additional modeling components for different entities and intruders have been incorporated. Furthermore, a new algorithm (Algorithm 4) has been introduced. Algorithm 4 is introduced to support updating CSP overall models. Considering the situation when ACM is invaded, another new solution (an innovative method) is introduced, which is also modelled and verified.

Fig. 1

Overall framework of SFV-NDN.

Results

NDN access control

Hamdane et al.⁸ proposed an access control solution for NDN based on data encryption. Symmetric data key DK is used to encrypt the data produced by a writer. A pair of keys (\(\textit{NK}_{\textit{encryption}}\),\(\textit{NK}_{\textit{decryption}}\)) is specially used to encrypt DK. Similar to public and private keys, \(\textit{NK}_{\textit{encryption}}\) is used for encryption and \(\textit{NK}_{\textit{decryption}}\) does the decryption job. However, both of them are secret. There are three entities in this scheme. The establishment of this access control solution is mainly based on the entities as below:

• Readers and writers: They correspond to users with the read and write rights respectively. Readers want to read encrypted data. Writers are responsible for producing encrypted data.

• Access Control Manager (ACM): It is introduced to control the management of the access control policy.

• Network Nodes (NN): They guarantee content delivery to transit messages between entities and ACM.

Since read and write operations in closed environments are the most complex ones in⁸, they are chosen to be studied in this paper. The focus of this research is solely on the transmission of key information, including keys and data. Therefore, several operational steps, such as checking the naming convention and the writing privilege of the writer, among others, have been omitted. Fig. 3 illustrates simplified NDN access control with read and write operations. As NN is only responsible to transit message to ACM, \(\textit{Reader}_{i}\) and \(\textit{Writer}_{i}\) are communicating with ACM essentially.

• Read Operations: To reduce the size of the CSP models in SVF-NDN, commands and the information that the reader can get from the commands in original access control are abstracted into an Interest packet and a Data packet respectively. The Interest packet confirms whether the reader has the privilege to read and whether the namespace where the data name belongs owns the privilege to read (step a.0). The Data packet is used to inform the reader about the name of the node key and the data key (step a.0’). As a reader requests the desired content (step a.1), he gets the encrypted data (step a.2). He uses special commands to get the naming conventions, transmits a request for the data key DK (step a.3), and receives it encrypted by NK\({_{encryption}}\) (step a.4). He applies special commands to request the naming convention, and also retrieves the set of hash values of the public keys to confirm that he owns the read privilege. The reader sends the name of the node keys and the hash value of his public key to get these keys (step a.5). On receiving the response (step a.6), he can apply his public key to decrypt the received key(s). He uses NK\({_{decryption}}\) to decrypt the data key DK and decrypt the content with this key.

• Write Operations: Step b.0 and step b.0’ are presented similarly to step a.0 and step a.0’ for reducing the CSP models. If the writer has the privilege of writing, he can continue to send the request, otherwise, it will be rejected by ACM. To request the node keys, he sends the name of the node keys along with the hash value of his public key (step b.1). Upon receiving the response (step b.2), he decrypts the pair of keys. The writer then creates two packages. The first one contains the content encrypted by data key DK, which is generated by the writer randomly. The second one includes the decryption of this DK which is done by NK\({_{encryption}}\). After getting the permit for writing the namespace from ACM, he also receives Interest packets for the corresponding two packets (steps b.3 and b.5). The writer feeds back with the two packets. After receiving the messages (steps b.4 and b.6), the ACM saves them in the repository permanently.

Communicating sequential processes

As one of the most mature formal methods, Communicating Sequential Processes (CSP)^13,14is tailored for describing the interaction between concurrency systems by mathematical theories. Because of its well-known expressive ability, CSP has been widely used in many fields^15,16,17,18.

CSP processes are constituted by primitive processes and actions. The following syntax is used to define the processes in this paper, whereby \(\textit{P}\) and \(\textit{Q}\) represent processes, the alphabets \(\alpha (\textit{P})\) and \(\alpha (\textit{Q})\) mean the set of actions that the processes \(\textit{P}\) and \(\textit{Q}\) can take respectively. Hence, \(\textit{a}\) and \(\textit{b}\) denote the atomic actions, and \(\textit{c}\) stands for the name of a channel.

$$\begin{aligned} \textit{P,Q} {:}{:}=&{...} \mid \textit{SKIP} \mid \textit{a} \rightarrow \textit{P} \mid \textit{c?x} \rightarrow \textit{P} \mid \textit{c!e} \rightarrow \textit{P} \mid \textit{P;Q} \mid \\&\textit{P} \lhd \textit{B} \rhd \textit{Q} \mid \textit{P} \Box \textit{Q} \mid \textit{P}[[\textit{a}\leftarrow \textit{b}]] \mid \textit{P}[|\textit{c}|]\textit{Q} \end{aligned}$$

Here, \(\textit{SKIP}\) stands for a process that only terminates successfully. \(\textit{a}\rightarrow \textit{P}\) first performs action \(\textit{a}\), then behaves like \(\textit{P}\). \(\textit{c?x} \rightarrow \textit{P}\) receives a message by channel \(\textit{c}\) and assigns it to variable \(\textit{x}\), then does the subsequent behavior like \(\textit{P}\). \(\textit{c!e} \rightarrow \textit{P}\) sends a message \(\textit{e}\) through channel \(\textit{c}\), then performs \(\textit{P}\). \(\textit{P;Q}\) executes \(\textit{P}\) and \(\textit{Q}\) sequentially. \(\textit{P} \lhd \textit{B} \rhd \textit{Q}\) denotes if the condition \(\textit{B}\) is true, the process behaves like \(\textit{P}\), otherwise, like \(\textit{Q}\). \(\textit{P}\Box \textit{Q}\) acts like either \(\textit{P}\) or \(\textit{Q}\) and the environment decides the selection. \(\textit{P}[[\textit{a}\leftarrow \textit{b}]]\) changes event \(\textit{a}\) to event \(\textit{b}\). \(\textit{P}[|\textit{c}|]\textit{Q}\) indicates that \(\textit{P}\) and \(\textit{Q}\) execute the concurrent events on the set \(\textit{c}\) of channels.

Table 1 The relationship between involved constants and pre-defined sets.

Table 2 The relationship between involved variables and pre-defined sets.

Verification for properties of initial model for NDN access control

As a model checking tool, Process Analysis Toolkit (PAT)¹⁹is designed as an extensible and modularized framework based on CSP. Different model checking techniques are implemented in PAT, supporting many assertions, such as deadlock freeness and reachability²⁰. PAT has been applied in various places^20,21. With advanced optimization techniques implemented in PAT, it can achieve good performance. In this section, the five properties (deadlock freedom, data availability, key authentication, data leakage protection, and data access protection) are verified with the help of the model checker PAT.

To perform the verification, the formal models have been implemented in PAT. According to the verification results, the models is also improved twice for better safety performance. The datasets utilized in the verification process essentially originate from multiple CSP models constructed from the access control scheme. In this case study, the access control scheme being considered is NDN access control. Hence, the datasets correspond to the NDN access control scheme.

Properties

Five properties of the models are verified, including deadlock freedom, data availability, key authentication, data leakage protection, and data access protection. Some of them are described in Linear Temporal Logic (LTL) formula, which is commonly used to describe linear-time properties. Because the five properties will be verified for all the models in this paper, System() are used to represent the models. PAT supports the LTL formula by using the assertion \(\#\)assert P() |= F to check whether system P() satisfies the LTL formula F. In addition, PAT provides reachability checking with the keyword “reaches”.

Property 1: Deadlock Freedom

\(\#\)assert System() deadlockfree;

It must be guaranteed that the models should not run into a deadlock state. PAT owns a primitive to describe this situation.

Property 2: Data Availability

\(\#\)define Data_Acquisition_Success

data_acquisition_success==true;

\(\#\)assert System() reaches Data_Acquisition_Success;

This assertion is a reachability property, which means the model can reach a state at which the given condition is satisfied. The situation in which the data can be transmitted to the entity requiring it is described.

Property 3: Key Authentication

\(\#\)define NK_Faking_Success

nk_faking_success==true;

\(\#\)assert System() |= []!NK_Faking_Success;

Once the NK key pair is faked, other security issues may appear. So this assertion is used to check whether the NK key pair can be faked successfully, using the “always” operator [] in LTL.

Property 4: Data Leakage Prevention

\(\#\)define Data_Leakage_Success

data_leakage_success==true;

\(\#\)assert System() |= []!Data_Leakage_Success;

The security of data should be maintained, as the leakage of data will produce a bad effect. The assertion is built to check whether the data can be obtained by intruders.

Property 5: Data Access Protection

\(\#\)define Revoked_Entity_Denied_Success

((cuEn==reEn) &&(is_rejected==true))

\(\Vert\)((cuEn!=reEn) &&(is_rejected==false));

\(\#\)assert System() |= \([]<>\) Revoked_Entity_Denied_Success;

The variables reEn and cuEn represent the id of revoked entity and the current entity respectively. Using the “eventually” operator \(<>\) in LTL together with the “always” operator [], whether the system can always eventually reach one of the two states or not can be checked. One is the current entity is not revoked and its request is not rejected by ACM. The other is that the current entity is a revoked one, then its request is rejected by ACM. By utilizing the proposed algorithms, it is possible to determine whether the current entity has been revoked, and subsequently ascertain if their read or write request is rejected by the ACM.

In comparison to the previous verification¹², there have been some changes in the four properties being verified. Originally, there were three properties, but now the name of “Data Security” has been revised to the more appropriate “Data Leakage Prevention”, and a new property called “Data Access Protection” has been introduced. Meanwhile, only the CSP models involving Intruder modeling are kept to enhance simplicity. This means that all the models previously labeled with an “I” subscript in¹² have been modified to remove the subscript. For example, a model previously known as \(\textit{SystemR}_{I}\) is now referred to as SystemR. Furthermore, the incorporation of scenarios involving entity revocation has led to the inclusion of six new models, each denoted by a subscript “re”, such as \(\textit{SystemR}_{\textit{re}}\).

The verification results in Table 3 indicate that model SystemR, SystemW, \(\textit{SystemR}_{\textit{re}}\) and \(\textit{SystemW}_{\textit{re}}\) satisfy the property of deadlock freedom. This means that the four models will not run into a deadlock state.

Table 3 Verification Results of Models.

The verification results of data availability are valid for SystemR and SystemW. Thus, the models can assure that the entity owning privilege can require its desired data. The verification results of data availability for \(\textit{SystemR}_{\textit{re}}\) and \(\textit{SystemW}_{\textit{re}}\) are invalid. These illustrate that the entity can no longer access the data once it is revoked.

The verification results of key authentication for SystemR and SystemW are invalid, which indicates that the node key pair can be faked successfully by intruders. As \(\textit{SystemR}_{\textit{re}}\) and \(\textit{SystemW}_{\textit{re}}\) have no transmission of key information, the property of key authentication is satisfied for them. For the verification results of data leakage protection, SystemR is valid and SystemW is invalid, which means the intruder can get the data in the write operation. Because \(\textit{SystemR}_{\textit{re}}\) and \(\textit{SystemW}_{\textit{re}}\) have no transmission of a data packet, the property of data leakage prevention is valid for them. For data access protection, all of them are valid. It illustrates that the revoked entity has no privilege to access the data.

Verification results for the first improvement method of SFV-NDN

The verification results of the first model improvement are illustrated in Table 3. The six models with subscript Sig belong to the results of the first improvement. For \(\textit{SystemR}_{\textit{Sig}}\) and \(\textit{SystemW}_{\textit{Sig}}\), all the verification results of them are valid, which indicates the first improvement prevents the intruder to give the fake node key pair to the entity and get the data successfully. For \(\textit{SystemR}_{\textit{Sig}\_\textit{re}}\) and \(\textit{SystemW}_{\textit{Sig}\_\textit{re}}\), their verification results are all valid except for data availability. The results mean the revoked entity can no longer access the data. For key authentication, the invalid results of \(\textit{SystemR}_{\textit{Sig}\_\textit{C}}\) and \(\textit{SystemW}_{\textit{Sig}\_\textit{C}}\) indicate that the node key pair is risky of being faked when ACM’s public key known by the entity is faked by intruder’s public key. For data access protection, the invalid result of \(\textit{SystemW}_{\textit{Sig}\_\textit{C}}\) shows that data will be leaked when ACM’s public key known by the writer is faked by the intruder’s public key.

Verification results for the second improvement method of SFV-NDN

The verification results of the second model improvement are illustrated in Table 3. The six models subscripted by Dig belong to the results of the second improvement. Except for data availability of \(\textit{SystemR}_{\textit{Dig}\_\textit{re}}\) and \(\textit{SystemW}_{\textit{Dig}\_\textit{re}}\), the validation results for the six models are valid on all properties. The verification results for \(\textit{SystemR}_{\textit{Dig}\_\textit{re}}\) and \(\textit{SystemW}_{\textit{Dig}\_\textit{re}}\) means once the entity can no longer access the data if it is revoked. The verification results are all valid for \(\textit{SystemR}_{\textit{Dig}}\), \(\textit{SystemW}_{\textit{Dig}}\), \(\textit{SystemR}_{\textit{Dig}\_\textit{C}}\) and \(\textit{SystemW}_{\textit{Dig}\_\textit{C}}\), which indicates that the second improvement protects data from being leaked and the node key from being faked successfully. The second improvement method does ensure the security of keys and data even if the reader or writer is invaded. However, it is based on the premise that ACM is not invaded. Once ACM is invaded, data is at risk of being faked. Specifically, when ACM receives data from the writer, the data is replaced with fake data which will be sent to the reader. Thus, another approach to solving this problem is considered in the following.

Verification results for the innovative method of SFV-NDN

Table 4 Verification Results of Innovative Method.

Table 4 presents the verification results of the innovative method. As the new access control no longer uses node key pairs, it needs to verify the deadlock freedom, data availability, data leakage protection, and data access protection. The verification results of System_New_re show that the new access control can prevent the revoked entity from getting the data. All valid results of System_New indicate that the new access control can protect the data from being leaked.

In this study, SVF-NDN framework was employed to evaluate the security properties of NDN access control, encompassing several key aspects. Deadlock Freedom was confirmed across all models, including both baseline and improved versions, ensuring the system would not halt execution. For Data Availability, baseline models such as SystemR and SystemW guaranteed access for entities with proper privileges, but models with revoked entities, such as \(\textit{SystemR}_{\textit{re}}\), SystemW\(_{re}\), and System_New_re, failed to uphold this property, indicating successful restriction of data access for revoked entities. Regarding Key Authentication, baseline models (SystemR and SystemW) demonstrated vulnerability to intruder attacks capable of forging node key pairs, a problem resolved in enhanced models like \(\textit{SystemR}_{\textit{Sig}}\) and \(\textit{SystemW}_{\textit{Sig}}\). For Data Leakage Prevention, baseline models such as SystemW exhibited vulnerabilities during write operations, while improved models effectively prevented such leakage. System_New and System_New_re also successfully prevented data leakage, demonstrating robustness against intrusions. Lastly, all models satisfied Data Access Protection, affirming that revoked entities were denied data access as intended.

Discussion

The results of the SVF-NDN framework highlight its robustness in verifying and improving NDN access control against cyber threats, with several key observations and insights derived from the study. The first improvement method introduced digital signatures, successfully addressing key authentication and data leakage issues observed in the baseline models; however, it exhibited a vulnerability when the ACM’s public key was replaced by a forged key, potentially compromising system security. The second improvement method, by incorporating digital certificates, effectively resolved the issues from the first method, with verification results indicating that all security properties were satisfied even under scenarios involving intruders. The innovative method eliminated dependence on the ACM, offering a simpler and more robust access control solution for small networks. The access control scheme updated by the innovative method from SVF-NDN is suitable to be applied in a small network, as it can decrease the complexity of messages between entities and avoid the situation that ACM is invaded. However, its efficiency will be reduced when dealing with a large network. Because the data transfer in NDN is based on the data name, there will be a lot of broadcast forwarding to transfer the Interest packet to the writer. Although users may encounter the risk of ACM being compromised, it is more appropriate to use the access control obtained by the improvement methods on a large network.

Methodology

We propose a Security Verification Framework for NDN Access Control (SFV-NDN) for the NDN access control scheme, which is proposed by Hamdane et al⁸. SFV-NDN integrates an approach to building, verifying, and enhancing access control mechanisms within network environments through CSP models. This process not only focuses on formalizing and verifying security properties but also adapts to evolving threat landscapes. The framework is illustrated in Fig. 1.

1. 1.

   Build initial CSP models for access control: Initially, the access control requirements are captured in CSP models that define the system’s behavior. This involves modeling various roles, such as readers, writers, and intruders, and their interactions. The inclusion of persistent intruder scenarios is emphasized in the model, eliminating the need for additional subscripts (e.g., subscript I used in prior work). This simplification makes the models more general while still addressing potential attack vectors.

2. 2.

   Define properties by assertion: Critical security properties, such as deadlock freedom, data availability, key authentication, data leakage prevention, and data access protection, are formalized as assertions. These properties represent the essential security requirements of the system. They are expressed in a form suitable for formal verification using PAT, which can support LTL formulas.

3. 3.

   Verify models by properties: Once the CSP model and properties are defined, the verification process begins. The models are fed into the PAT tool to check whether the system satisfies the specified security properties. SFV-NDN can effectively verify the properties users are concerned about. If all properties are satisfied, the process ends; otherwise, further analysis is needed.

   1. 4(a).

      Obtain the counter example if the verification result is invalid: If the security property is not satisfied, the verification tool provides a counter-example. This counter-example highlights specific flaws in the model, helping locate the issues that prevent the system from fulfilling its security requirements.

   2. 4(b).

      Return result if the verification result is invalid: If the properties are satisfied, the verification result is returned, confirming that the current model meets the security requirements.

4. 4.

   Update CSP models using designed strategies by Algorithms 1–4: If the verification process uncovers issues, the CSP models are updated using a variety of strategies. SFV-NDN supports model updates based on analysis results, employing methods to enhance the system. Algorithms 1–4 provide an automated approach to refining the model, with multiple iterations of verification ensuring the system’s robustness against attacks.

5. 5.

   Update access control scheme: After updating the CSP models, the access control scheme itself is revised to reflect these improvements. The updated scheme is designed to ensure that critical security properties are maintained. By continuously refining the models and control schemes, the framework enhances system resilience against potential intrusions.

This framework allows for iterative improvements by combining formal verification techniques with model adaptation strategies. The primary objective of SVF-NDN is to verify security properties and identify potential vulnerabilities. To achieve this, our framework focuses on five key security properties: deadlock freedom, data availability, key authentication, data leakage prevention, and data access protection. These properties are formalized as LTL formulas and verified using the PAT.

The input to SVF-NDN consists of NDN access control schemes, modeled using CSP. These models are then verified against the specified security properties. If any property fails the verification, the PAT tool generates a counterexample, pinpointing the exact vulnerabilities in the model. The output includes either verification results or counterexamples, which help identify where the system fails to meet security requirements.

To address these vulnerabilities, we have developed four algorithms that automate the process of updating the CSP models. These algorithms iteratively refine the models based on the verification results, thereby strengthening the system against attacks. By focusing on persistent attack scenarios and incorporating multiple verification cycles, SVF-NDN ensures that access control mechanisms remain robust and that predefined security properties are protected. The relationships between different CSP models are illustrated in Fig. 2, and further details on specific model scenarios will be discussed in subsequent sections.

Fig. 2

Relationship between different CSP models.

Modeling entities in access control

In this section, the basic definitions of modeling are presented. The original CSP models which describe the access control formally are given. We will model entities and establish concurrent connections between entities.

Basic definitions of modeling

To model the behavior between the writers/readers and the ACM in Fig. 3, the fundamental information about sets, messages, and channels is needed.

Fig. 3

Simplified NDN access control with read and write operations.

The existence of six sets is assumed to be used in the models. Entity set represents entities including writers, readers, and ACM. Name set denotes NK names, Data names, and DK names. Key set is constituted by keys. NKey set is a subset of Key set including node key pairs and single node keys. Content set contains the content to be encrypted. Ack set consists of acknowledgments.The symbols and their meanings in the messages transmitted between entities, as well as their relationships with pre-defined sets, are illustrated in Table 1 and Table 2.

Interest and Data packets transmitted between entities and internal processing procedures of entities are two core elements of modeling. With the help of the previously defined sets, they are abstracted into different messages. Each message is tagged with one of the labels from the set {\(\textit{msg}_{\textit{int}}\), \(\textit{msg}_{\textit{dat}}\), \(\textit{msg}_{\textit{ack}}\), \(\textit{msg}_{\textit{pro}}\)}. These labels indicate the type of the current message, where \(\textit{msg}_{\textit{int}}\) corresponds to Interest packets, \(\textit{msg}_{\textit{dat}}\) corresponds to Data packets, \(\textit{msg}_{\textit{ack}}\) represents acknowledgment, and \(\textit{msg}_{\textit{pro}}\) denotes internal processing. In addition, the form E(k) and H(k) are used to represent the encryption and the hash of key k. At the same time, the keywords Name and Data are used in the messages to better distinguish between Interest packets and Data packets. Here four Boolean variables considering verification are defined. They are data_acquisition_success, nk_faking_success, data_leakage_success and is_rejected, which are initialized to false. When their values are true, these mean that data is obtained by the reader or ACM, the node key pair is faked, data is obtained by intruders and the revoked reader or writer is rejected by ACM respectively.

Fig. 4

Interprocess communication between processes in CSP models.

Reader modeling

We construct the processes that characterize the read and write operations, namely, processes SystemR and SystemW. Fig. 4 illustrates the interprocess communication between processes in SystemR and SystemW, representing the read and write operations with the participation of an intruder, respectively. Entities are represented by rectangles, where READER and WRITER, as indicated by their names, represent the reader and the writer, respectively. ACM_R and ACM_W symbolize the behavior of ACM when communicating with readers and writers. PROCESS denotes the internal processing procedure. In the presence of intruders, the INTRUDER process is created to simulate the behavior of intruders who eavesdrop on and modify messages. The arrowed connections between entities represent different channels.

Additionally, \(\textit{SystemR}_{\textit{re}}\) is akin to SystemR but involves a revoked reader. \(\textit{SystemW}_{\textit{re}}\) employs a revoked writer, with the remaining part identical to SystemW. Due to space limitations, modeling for readers is provided. An algorithm is designed to facilitate the generation of the models. Process \(\textit{READER}_{\textit{0}}\) is formalized to describe the behavior of a reader.

$$\begin{aligned} \textit{REA}&\textit{DER}_{0}(\textit{r},\textit{m},\textit{k},\textit{dn})=_{df}~\textit{ComRM}!\textit{msg}_{\textit{int}}.\textit{r}.\textit{m}.Name(\textit{dn}, \textit{H}(\textit{k}))\\&\rightarrow \left( \begin{array}{l} (\textit{ComRM}?\textit{msg}_{\textit{pro}}.\textit{reject}\rightarrow \textit{SKIP})\\ \Box \textit{READER}_{0}\_\textit{Sub}(\textit{r},\textit{m},\textit{k},\textit{dn})\end{array} \right) ;\textit{READER}_{0}(\textit{r},\textit{m},\textit{k},\textit{dn})\\ \textit{R}&\textit{EADER}_{0}\_\textit{Sub}(\textit{r},\textit{m},\textit{k},\textit{dn})=_{df}~\textit{ComRM}?\textit{msg}_{\textit{dat}}.\textit{m}.\textit{r}.Data(\textit{dkn},\textit{nkn})\\&\rightarrow \textit{ComRM}!\textit{msg}_{\textit{int}}.\textit{r}.\textit{m}.Name(\textit{dn})\rightarrow \textit{ComRM}?\textit{msg}_{\textit{dat}}.\textit{m}.\textit{r}.Data(\textit{E}(\textit{dk},\textit{data}))\rightarrow \\&\textit{ComRM}!\textit{msg}_{\textit{int}}.\textit{r}.\textit{m}.Name(\textit{dkn})\rightarrow \textit{ComRM}?\textit{msg}_{\textit{dat}}.\textit{m}.\textit{r}.Data(\textit{E}(\textit{nk}\_\textit{e},\textit{dk}'))\\&\rightarrow \textit{ComRM}!\textit{msg}_{\textit{int}}.\textit{r}.\textit{m}.Name(\textit{nkn},\textit{H}(\textit{k}))\rightarrow \\&\textit{ComRM}?\textit{msg}_{\textit{dat}}.\textit{m}.\textit{r}.Data(\textit{E}(\textit{k}',\textit{nk}\_\textit{d}))\rightarrow \textit{CheckNK}!\textit{msg}_{\textit{pro}}.\textit{E}(\textit{k}',\textit{nk}\_\textit{d}).\textit{k}^{{-1}}\rightarrow \textit{CheckNK}?\textit{msg}_{\textit{ack}}.\textit{ack}\rightarrow \\&\left( \begin{array}{l} (\textit{NKFakingSuccess}\{\textit{nk}\_\textit{faking}\_\textit{success}=\textit{true}\} \rightarrow \textit{SKIP})\\ \lhd (\textit{ack} == \textit{YES})\rhd (\textit{NKFakingError}\{\textit{nk}\_\textit{faking}\_\textit{success}=\textit{false}\} \rightarrow \textit{SKIP}) \end{array} \right) ;\\&\textit{GetData}!\textit{msg}_{\textit{pro}}.\textit{E}(\textit{dk},\textit{data}).\textit{E}(\textit{nk}\_\textit{e},\textit{dk}').\textit{nk}\_\textit{d}\rightarrow \\&\textit{GetData}?\textit{msg}_{\textit{ack}}.\textit{ack}'\rightarrow \left( \begin{array}{l} (\textit{DataAcquisitionSuccess}\{\textit{data}\_\textit{acquisition}\_\textit{success}=\textit{true}\} \rightarrow \textit{SKIP})\\ \lhd (\textit{ack}' == \textit{YES})\rhd (\textit{DataAcquisitionSuccess}\{\textit{data}\_\textit{acquisition}\_\textit{success}\\ =\textit{false}\}\rightarrow \textit{SKIP}) \end{array} \right) \end{aligned}$$

When the reader’s reading privilege is revoked, the reader will receive a reject message from ACM. If it owns reading privilege, then the corresponding read operations are performed. The first eight actions on channel ComRM correspond to steps a.0, a0’and a.1 - a.6 of \(\textit{Reader}_{i}\) in Fig.3 in order. By channel CheckNK, whether the value carried by nk_d is faked or not can be checked. Whether data is obtained successfully using channel GetData can be learned.

In order to permit the possibility of intruder action, the message on the ComRM channel is allowed to be intercepted or faked. This can be achieved through a process called renaming. Moreover, {|c|} represents the set of all communications over channel c. Algorithm 1 is designed to support this renaming process. Furthermore, by using this algorithm, the following process READER can be obtained:

$$\begin{aligned} \textit{READ}&\textit{ER}(\textit{r},\textit{m},\textit{k},\textit{dn})=_{df}~\\&\textit{READER}_{0}(\textit{r},\textit{m},\textit{k},\textit{dn})[[\textit{ComRM}?\{|\textit{ComRM}|\}\leftarrow \textit{ComRM}?\{|\textit{ComRM}|\},\\&\textit{ComRM}?\{|\textit{ComRM}|\}\leftarrow \textit{FakeRM1}?\{|\textit{ComRM}|\},\textit{ComRM}!\{|\textit{ComRM}|\}\\&\leftarrow \textit{ComRM}!\{|\textit{ComRM}|\},\textit{ComRM}!\{|\textit{ComRM}|\}\leftarrow \textit{FakeRM1}!\{|\textit{ComRM}|\}]] \end{aligned}$$

READER will perform either an action on channel ComRM or channel FakeRM1 whenever \(\textit{READER}_{0}\) performs a corresponding action on channel ComRM. Besides, READER and \(\textit{READER}_{0}\) perform the same action. The purpose of Algorithm 1 is to support channel renaming in the CSP model of an entity. By using this algorithm, the CSP definition of an entity can be mapped from one channel to another, enabling channel adjustments in different communication contexts. For example, in the instance shown in Fig. 5, Algorithm 1 is applied to rename channels between \(\textit{READER}_{0}\) and READER. Specifically, ComRM channel is renamed to FakeRM1, achieved through channel substitution in the CSP process definition. In this scenario, Algorithm 1 ensures that both channels remain usable, thereby maintaining system flexibility and functionality.

Fig. 5

Instance of Algorithms 1, 2, 3 and 4.

The first improvement method for the access control

To maintain key authentication and prevent data leakage in access control during cyberattacks, an approach similar to digital signature is proposed. The modifications in constructing novel CSP models while implementing this technique are explained. Due to space constraints, only the modeling for the reader and writer are provided. Algorithm 1 and Algorithm 2 are introduced for the facile creation of models. Lastly, the effectiveness of the novel CSP models is validated through a thorough verification process.

Overall modeling

In the first improvement method, the ACM creates a special pair of keys: public key \(\textit{K}_{M}\) and private key \(\textit{K}_{M}^{-1}\). Assuming that \(\textit{K}_{M}\) is known by readers and writers. When producing message a.6 and message b.2 in Fig. 3, ACM uses its private key \(\textit{K}_{M}^{-1}\) to encrypt (\(\textit{NK}_{\textit{encryption}}\),\(\textit{NK}_{\textit{decryption}}\)) and \(\textit{NK}_{\textit{decryption}}\) at first, like creating a digital signature. This happens before (\(\textit{NK}_{\textit{encryption}}\),\(\textit{NK}_{\textit{decryption}}\)) and \(\textit{NK}_{\textit{decryption}}\) are encrypted by the public key of readers and writers. When readers and writers receive these messages, they apply \(\textit{K}_{M}\) to decrypt the digital signature in them. If the operation is successful, it can be inferred that the message has been sent by the ACM.

Algorithm 1

Renaming channels in entity’s CSP model.

The read and write operations are re-modeled with the appearance of intruders. Updating SystemR and SystemW results in the generation of six updated CSP models in the first improvement. \(\textit{SystemR}_{\textit{Sig}}\) and \(\textit{SystemW}_{\textit{Sig}}\) represent the situation of applying the digital signature. \(\textit{SystemR}_{\textit{Sig}\_\textit{re}}\) and \(\textit{SystemW}_{\textit{Sig}\_\textit{re}}\) are the cases of using revoked entities. Due to space constraints, only the definitions of \(\textit{SystemR}_{\textit{Sig}}\) and \(\textit{SystemW}_{\textit{Sig}}\) are shown here. Algorithm 2 is designed to update CSP models for improvement, producing three updated models: \(\textit{S}_{\textit{Sig}}\), \(\textit{S}_{\textit{Sig}\_\textit{re}}\) and \(\textit{S}_{\textit{Sig}\_\textit{C}}\). In Fig. 5 for instance, the initial model S is defined as a combination of READER, PROCESS, and ACM_R processes connected by communication paths. After adding the Sig subscript and introducing \(\textit{K}_{M}\), the updated \(\textit{S}_{\textit{Sig}}\) is formed. Next, modifying R to R’ results in \(\textit{S}_{\textit{Sig}\_\textit{re}}\), representing a state change. Finally, replacing \(\textit{K}_{M}\) with \(\textit{K}_{I}\) generates \(\textit{S}_{\textit{Sig}\_\textit{C}}\), indicating an adjustment in the authentication parameter. These transformations illustrate how the model structure remains consistent while enabling functional extensions through parameter changes.

Algorithm 2

Updating CSP overall models in the first improvement.

Fig. 6

Corresponding changes in the NDN access control and CSP models for the read operation.

Reader and writer modeling

Fig. 6 depicts the modeling update for the reader. Specifically, \(\textit{READER}_{1}\) is derived from \(\textit{READER}_{0}\) through renaming, resulting in a structure similar to \(\textit{READER}_{0}\). Algorithm 3 facilitates the updating of \(\textit{READER}_{0}\) to \(\textit{READER}_{1}\), supporting the modification of actions in an entity’s CSP model. Algorithm 3 is designed to update actions within a CSP model by transforming a process \(\textit{E}_n\) into an updated version \(\textit{E}'_n\). The algorithm takes a list L containing triples of the original message, the updated message, and the associated communication channel. Using this information, it iteratively constructs the new process \(E'_d\), where each specified action is updated on its respective channel. The process ensures proper formatting and outputs the updated definition as a string. For example, in the instance shown in Fig. 5, the original process \(\textit{READER}_{0}\)(r,m,k,dn) is updated to \(\textit{READER}_{1}\)(r,m,k,dn). The updates include replacing \(\textit{msg}_{\textit{dat}}\).m.r.Data(E(k’,nk_d)) with \(\textit{msg}_{\textit{dat}}\).m.r.Data(E(k’, E(\(\textit{k}_{\textit{m}}^{{-1}}\),nk_d))) on the channel ComRM, and \(\textit{msg}_{\textit{pro}}\).E(k’,nk_d).\(\textit{k}^{{-1}}\) with \(\textit{msg}_{\textit{pro}}\).E(k’,E(\(\textit{k}_{\textit{m}}^{{-1}}\),nk_d)). \(\textit{k}^{{-1}}\).\(\textit{k}_{\textit{m}}\) on the channel CheckNK. The resulting definition of \(READER_1\) integrates these changes, reflecting the updated actions on the specified channels, demonstrating the algorithm’s capability to manage precise modifications in CSP processes.

The only distinction lies in the fact that \(\textit{READER}_{1}\) updates two actions on channel ComRM and channel CheckNK respectively. Simultaneously, in order to update the transmitted packet (a.6) in Fig. 6, the private key of ACM is employed to encrypt the node key first, followed by encryption using the reader’s public key. A similar modeling approach can be employed to derive \(\textit{ACM}\_\textit{R}_{1}\) based on ACM_\(\textit{R}_{0}\), as illustrated in Fig. 6.

Algorithm 3

Updating actions in entity’s CSP model.

Meanwhile, renaming is performed to simulate interception and forgery on channel ComRM. Consequently, \(\textit{READER}_{\textit{Sig}}\) can be generated by using READER as input for Algorithm 1. Whenever either an action on channel ComRM or channel FakeRM1 is done in \(\textit{READER}_{1}\), a corresponding action is done on channel ComRM in \(\textit{READER}_{\textit{Sig}}\). Except that, \(\textit{READER}_{\textit{Sig}}\) and \(\textit{READER}_{1}\) perform the same action.

Fig. 7

Corresponding changes in the NDN access control and CSP models for the write operation.

To update the transmitted packet (b.2) in Fig. 7, the process involves using the private key of ACM to encrypt the node key pair, followed by encryption using the writer’s public key. Employing a modeling approach similar to that of the reader, corresponding entities \(\textit{WRITER}_{1}\) and ACM_\(\textit{W}_{1}\) can be obtained, as depicted in Fig. 7.

The second improvement method for access control

According to the previous analysis, the first improvement method does effectively protect keys and data, but it is still weak in handling special cases when ACM’s public key known by the entity is faked by an intruder’s public key. Therefore, a second improvement is proposed to address this problem. This section focuses on presenting the updates made during the modeling process and verifying the security properties of the access control under the new solution. Meanwhile, Algorithm 4 is also given to support better model building.

Overall modeling

The second improvement is to update the previous method by adding digital certificates. Specifically, ACM provides its public key \(\textit{K}_{\textit{M}}\) to the certificate authority (CA). CA uses its private key \(\textit{K}_{A}^{-1}\) to encrypt \(\textit{K}_{M}\), which creates a digital certificate E((\(\textit{K}_{A}^{-1}\)),\(\textit{K}_{M}\)). After performing the same operations as those in the first model improvement, the digital certificate is added to the end of message a.6 and message b.2. Assuming that readers and writers know CA’s public key \(\textit{K}_{A}\), they will fetch the digital certificates at first when dealing with these two messages. Then they decrypt the digital certificates using \(\textit{K}_{A}\) to get \(\textit{K}_{\textit{M}}\), which will be compared with the public key of the ACM known by the reader/writer. If the two keys match, it can be concluded that the public key known by the reader/writer is the authentic key of the ACM. Otherwise, the key is deemed to be forged.

Except for adding CA’s public key \(\textit{K}_{\textit{A}}\) as a parameter, the six models here are almost having the same definitions as the six models in the first improvement method. \(\textit{SystemR}_{\textit{Dig}}\) and \(\textit{SystemW}_{\textit{Dig}}\) represent the situation of using the digital certificates. \(\textit{SystemR}_{\textit{Dig}\_\textit{re}}\) and \(\textit{SystemW}_{\textit{Dig}\_\textit{re}}\) indicate the cases of having revoked entities. \(\textit{SystemR}_{\textit{Dig}\_\textit{C}}\) and \(\textit{SystemW}_{\textit{Dig}\_\textit{C}}\) denote the public key of ACM known by the reader and writer are replaced by the public key of the intruder. They can be obtained conveniently by applying Algorithm 4.

Algorithm 4 focuses on the second improvement of CSP models, transforming \(\textit{S}_{\textit{Sig}}\) into three updated models: \(\textit{S}_{\textit{Dig}}\), \(\textit{S}_{\textit{Dig}\_\textit{re}}\) and \(\textit{S}_{\textit{Dig}\_\textit{C}}\). For example, in the instance shown in Fig. 5, Algorithm 4 generates \(S_{Dig}\) by renaming the processes and adding \(K_A\) to the parameters. The updated model \(S_{Dig\_re}\) modifies \(R\) to \(R'\), while \(S_{Dig\_C}\) replaces \(K_M\) with \(K_I\), reflecting a change in the cryptographic configuration. This step-by-step transformation illustrates the systematic enhancement of CSP models for more robust applications.

Algorithm 4

Updating CSP overall models in the second improvement.

Reader and writer modeling

To handle the transmitted packet (a.6) in Fig. 6, the second improvement involves adding a digital certificate to the packet. Consequently, \(\textit{READER}_\textit{2}\) is created through renaming from \(\textit{READER}_{1}\), shown in Fig. 6. Similarly, Algorithm 3 supports the construction of \(\textit{READER}_{2}\) based on \(\textit{READER}_{1}\). To simulate interception and forgery on channel ComRM, renaming is applied.

Utilizing Algorithm 1, it is possible to construct \(\textit{READER}_{\textit{Dig}}\) based on \(\textit{READER}_{2}\). Whenever \(\textit{READER}_{2}\) executes an action on channel ComRM, READER_Dig will perform either a corresponding action on channel ComRM or on channel FakeRM1. In addition to that, READER_Dig carries out the same action as \(\textit{READER}_{2}\).

To manage the transmitted packet (b.2) in Fig. 7, the second improvement entails incorporating a digital certificate into the packet. By employing a modeling approach similar to that of the reader, corresponding entities \(\textit{WRITER}_{2}\) and \(\textit{ACM}\_\textit{W}_{2}\) can be obtained, as depicted in Fig. 7.

The initial CSP model and all the CSP models involved in the improvement methods have been implemented in PAT. Please refer to the website(The full implementation of the improvement methods in PAT can be found at https://github.com/asunafy/SVF-NDN.) for full implementation.

The innovative method for the access control

The improvement method for NDN access control has been adopted, demonstrating promising performance in enhancing security when the ACM is secure. When the ACM is unsafe, the improvement method does not perform well. Therefore, in this section, a new access control method is introduced that does not rely on considering the ACM, presenting an innovative approach to access control. SFV-NDN is also applied to accomplish the update of the CSP models and the access control. The verification results of this method are illustrated and analyzed.

Fig. 8

New NDN access control with read and write operations.

Overall modeling

The new access control is shown in Fig.8. If a reader wants to subscribe to the data from a writer, he first applies special commands to request the naming convention and checks if he has the read privilege of the data (step c.1). Then the reader receives the name of the data key DK and the private key of the writer encrypted by his public key (step c.2). After receiving the data request (step c.3), the writer produces the data by encrypting its private key by the public key of the reader (step c.4). The reader requests for the data key (step c.5). The writer returns the data key DK encrypted by his public key (step c.6).

To specify the new access control, several new sets are defined. Entity’ set denotes writers and readers. Name’ set represents data names and data key names. Key’ set contains keys in the new access control. As a subset of Key’, PriKey set consists of private keys. The new access control also uses Content set and Ack set from the old access control. The elements of the new pre-defined sets are listed in Table 5.

Table 5 The new pre-defined sets in the new access control.

The tag set used in the old access control is inherited, and the messages are defined as follows.

$$\begin{aligned}&\textit{MSG}'_{\textit{int}}=~\{\textit{msg}_{\textit{int}}.\textit{a}.\textit{b}.Name(\textit{n}),\textit{msg}_{\textit{int}}.\textit{a}.\textit{b}.Name(\textit{n},\textit{H}(\textit{k}))~|~\textit{a},\textit{b}\in {\textbf {Entity}}',\textit{n}\in {\textbf {Name}}',\textit{k}\in {\textbf {Key}}'\}\\&\textit{MSG}'_{\textit{dat1}}=~\{\textit{msg}_{\textit{dat}}.\textit{a}.\textit{b}.Data(\textit{E}(\textit{k},\textit{c}))~|~\textit{a},\textit{b}\in {\textbf {Entity}}',\textit{k}\in {\textbf {Key}}',\textit{c}\in ({\textbf {Key}}'-{\textbf {PriKey}})\cup {\textbf {Content}}\}\\&\textit{MSG}'_{\textit{dat2}}=~\{\textit{msg}_{\textit{dat}}.\textit{a}.\textit{b}.Data(\textit{E}(\textit{k},\textit{c}))~|~\textit{a},\textit{b}\in {\textbf {Entity}}',\textit{n}\in {\textbf {Name}}',\textit{k}\in {\textbf {Key}}',\textit{c}\in {\textbf {PriKey}}\}\\&\textit{MSG}'_{\textit{ack}}=~\{\textit{msg}_{\textit{ack}}.\textit{x}~|~\textit{x}\in {\textbf {Ack}}\}\\&\textit{MSG}'_{\textit{pro}}=~\{\textit{msg}_{\textit{pro}}.\textit{E}(\textit{k}_{1},\textit{k}_{2}).\textit{E}(\textit{k}_{3},\textit{c}).\textit{E}(\textit{k}_{4},\textit{k}_{5}).\textit{k}_{6}~|~\textit{k}_{1},\textit{k}_{2},\textit{k}_{3},\textit{k}_{4},\textit{k}_{5},\textit{k}_{6}\in {\textbf {Key}}',\textit{c}\in {\textbf {Key}}'\cup {\textbf {Content}}\}\\&\textit{MSG}'_{\textit{out}}=~\textit{MSG}'_{\textit{int}}\cup \textit{MSG}'_{\textit{dat1}\cup \textit{dat2}}~~~~~\textit{MSG}'_{\textit{in}}=~\textit{MSG}'_{ack}\cup \textit{MSG}'_{\textit{pro}}\\&\textit{MSG}'=~\textit{MSG}'_{\textit{in}}\cup \textit{MSG}'_{\textit{out}} \end{aligned}$$

The declarations of channels are as below.

$$\begin{aligned}&{\textbf {Channel}}~\textit{ComRW}, \textit{FakeRW1}, \textit{FakeRW2}:\textit{MSG}'_{\textit{out}}\\&{\textbf {Channel}}~\textit{GetData}:\textit{MSG}'_{\textit{in}} \end{aligned}$$

The entire models are composed of the following modules as below.

$$\begin{aligned} \textit{System}\_\textit{New}=_{df}~&\textit{READ} \textit{ER}\_\textit{New}(\textit{R},\textit{W},\textit{K},\textit{ND})[|\textit{GetData}'|]\textit{PROCESS}\_\textit{New}\\&[|\textit{ComRW}|]\textit{WRITER}\_\textit{New}(\textit{W},\textit{R},\textit{NDK},\textit{ND},\textit{DK},\textit{DATA})\\&[|\textit{FakeRW1}, \textit{FakeRW2}|]\textit{INTRUDER}\_\textit{New}\\ \textit{System}\_\textit{New}\_\textit{re}=_{df}~&\textit{READ} \textit{ER}\_\textit{New}(\textit{R}',\textit{W},\textit{K},\textit{ND})[|\textit{GetData}'|]\textit{PROCESS}\_\textit{New}\\&[|\textit{ComRW}|]\textit{WRITER}\_\textit{New}(\textit{W},\textit{R}',\textit{NDK},\textit{ND},\textit{DK},\textit{DATA})\\&[|\textit{FakeRW1}, \textit{FakeRW2}|]\textit{INTRUDER}\_\textit{New} \end{aligned}$$

READER_New, WRITER_New and PROCESS_New represent the reader, writer, and the processing procedure in the new access control. INTRUDER_New stands for the intruder, especially for the new access control.

Reader and writer modeling

READER’ and WRITER’ simulate the operations of readers and writers in the new access control. There are six actions on channel ComRW corresponding to step c.1 - step c.6 in Fig.8. By utilizing the GetData channel, it can be determined whether the data is obtained successfully. WRITER’ also has six actions on channel ComRW which are related to step c.1 - step c.6 in Fig.8.

The definition of READER’ and WRITER’ are as below.

$$\begin{aligned} \textit{REA}&\textit{DER}'(\textit{r},\textit{w},\textit{k},\textit{dn})= _{df}\\&\textit{ComRW}!\textit{msg}_{\textit{int}}.\textit{r}.\textit{w}.Name(\textit{dn},\textit{H}(\textit{k}))\rightarrow \left( \begin{array}{l}(\textit{ComRW}?\textit{msg}_{\textit{pro}}.\textit{reject}\rightarrow \textit{SKIP})\\ \Box \textit{READER}'\_\textit{Sub}(\textit{r},\textit{w},\textit{k},\textit{dn})\end{array} \right) ;\\&\textit{READER}'(\textit{r},\textit{w},\textit{k},\textit{dn})\\ \textit{REA}&\textit{DER}'\_\textit{Sub}(\textit{r},\textit{w},\textit{k},\textit{dn})=_{df}~\\&\textit{ComRW}?\textit{msg}_{\textit{dat}}.\textit{w}.\textit{r}.Data(dkn, \textit{E}(\textit{k}',\textit{k1}^{{-1}}))\rightarrow \textit{ComRW}!\textit{msg}_{\textit{int}}.\textit{r}.\textit{w}.Name(\textit{dn})\rightarrow \\&\textit{ComRW}?\textit{msg}_{\textit{dat}}.\textit{w}.\textit{r}.Data(\textit{E}(\textit{dk},\textit{data}))\rightarrow \textit{ComRW}!\textit{msg}_{\textit{int}}.\textit{r}.\textit{w}.Name(\textit{dkn})\rightarrow \\&\textit{ComRW}?\textit{msg}_{\textit{dat}}.\textit{w}.\textit{r}.Data(\textit{E}(\textit{k2},\textit{dk}'))\rightarrow \textit{GetData}!\textit{msg}_{\textit{pro}}.\textit{E}(\textit{k}',\textit{k1}^{{-1}}).\textit{E}(\textit{dk},\textit{data}).\textit{E}(\textit{k2},\textit{dk}').\textit{k}^{{-1}}\rightarrow \\&\textit{GetData}?\textit{msg}_{\textit{ack}}.\textit{ack}\rightarrow \left( \begin{array}{l} (\textit{DataAcquisitionSuccess}\{\textit{d}=\textit{true}\} \rightarrow \textit{SKIP})\\ \lhd (\textit{ack} == \textit{YES})\rhd (\textit{DataAcquisitionError}\{\textit{d}=\textit{false}\} \rightarrow \textit{SKIP}) \end{array} \right) \end{aligned}$$

$$\begin{aligned} \textit{WRIT}&\textit{ER}'(\textit{w},\textit{r},\textit{k},\textit{dn},\textit{dkn},\textit{data},\textit{dk})=_{df}~\nonumber \\&\textit{ComRW}?\textit{msg}_{\textit{int}}.\textit{r}.\textit{w}.Name(\textit{dn},\textit{H}(\textit{k}'))\rightarrow \textit{CheckPrivilege}!\textit{msg}_{\textit{pro}}.\textit{r}\rightarrow \\&\textit{CheckPrivilege}?\textit{msg}_{\textit{ack}}.\textit{ack}\rightarrow \\&\left( \begin{array}{l} (\textit{RevokedEntityDeniedSuccess}\{\textit{is}\_\textit{rejected}=\textit{true}\}\rightarrow \textit{SKIP}\\ \lhd (\textit{ack} == \textit{YES})\rhd \\ (\textit{RevokedEntityDeniedSuccess}\{\textit{is}\_\textit{rejected}=\textit{false}\}\rightarrow \\ \textit{WRITER}'\_\textit{Sub}(\textit{w},\textit{r},\textit{k},\textit{dn},\textit{dkn},\textit{data},\textit{dk}) \end{array} \right) ;\\&\textit{WRITER}'(\textit{w},\textit{r},\textit{k},\textit{dn},\textit{dkn},\textit{data},\textit{dk})\\ \textit{WRIT}&\textit{ER}'\_\textit{Sub}(\textit{w},\textit{r},\textit{k},\textit{dn},\textit{dkn},\textit{data},\textit{dk})=_{df}~\\&\textit{ComRW}!\textit{msg}_{\textit{dat}}.\textit{w}.\textit{r}.Data(dkn, \textit{E}(\textit{k}',\textit{k}^{{-1}}))\rightarrow \textit{ComRW}?\textit{msg}_{\textit{int}}.\textit{r}.\textit{w}.Name(\textit{dn})\rightarrow \\&\textit{ComRW}!\textit{msg}_{\textit{dat}}.\textit{w}.\textit{r}.Data(\textit{E}(\textit{dk},\textit{data}))\rightarrow \textit{ComRW}?\textit{msg}_{\textit{int}}.\textit{r}.\textit{w}.Name(\textit{dkn})\rightarrow \\&\textit{ComRW}!\textit{msg}_{\textit{dat}}.\textit{w}.\textit{r}.Data(\textit{E}(\textit{k},\textit{dk}))\rightarrow \textit{SKIP} \end{aligned}$$

If the reader’s reading right is revoked, the writer will reject the request. Otherwise, the corresponding operations are performed. For READER’ and WRITER’, the six actions on channel ComRW correspond to step c.1 - c.6 in Fig.8 in order. The six actions of READER’ and WRITER’ on channel ComRW correspond to each other. Reader’ first sends the Interest packet including the data name and the public key hash value. Then WRITER’ returns the Data packet with the data key name and its private key encrypted with the reader’s public key. READER’ also sends the data’s name to Writer’, and then gets the Data packet including the encrypted data. Finally, READER’ transmits the DK’s name to Writer’, and WRITER’ feeds back with the Data packet carrying encrypted data key.

To simulate the actions of intruders, renaming is employed to simulate the interception and forgery of messages on the ComRW channel. READER_New and WRITER_New are built from Algorithm 1 as below.

$$\begin{aligned} \textit{READ}&\textit{ER}\_\textit{New}(\textit{r},\textit{w},\textit{k},\textit{nr},\textit{dn})= _{df} \\&\textit{READER}'(\textit{r},\textit{w},\textit{k},\textit{nr},\textit{dn})\\&[[\textit{ComRW}?\{|\textit{ComRW}|\}\leftarrow \textit{ComRW}?\{|\textit{ComRW}|\},\textit{ComRW}?\{|\textit{ComRW}|\}\leftarrow \textit{FakeRW1}?\{|\textit{ComRW}|\},\\&\textit{ComRW}!\{|\textit{ComRW}|\}\leftarrow \textit{ComRW}!\{|\textit{ComRW}|\},\textit{ComRW}!\{|\textit{ComRW}|\}\leftarrow \textit{FakeRW1}!\{|\textit{ComRW}|\}]]\\ \textit{WRIT}&\textit{ER}\_\textit{New}(\textit{w},\textit{m},\textit{k},\textit{dn},\textit{dkn},\textit{data},\textit{dk})=_{df}\\&\textit{WRITER}'(\textit{w},\textit{m},\textit{k},\textit{dn},\textit{dkn},\textit{data},\textit{dk})\\&[[\textit{ComRW}?\{|\textit{ComRW}|\}\leftarrow \textit{ComRW}?\{|\textit{ComRW}|\},\textit{ComRW}?\{|\textit{ComRW}|\}\leftarrow \textit{FakeRW2}?\{|\textit{ComRW}|\},\\&\textit{ComRW}!\{|\textit{ComRW}|\}\leftarrow \textit{ComRW}!\{|\textit{ComRW}|\},\textit{ComRW}!\{|\textit{ComRW}|\}\leftarrow \textit{FakeRW2}!\{|\textit{ComRW}|\}]] \end{aligned}$$

Whenever either an action on channel ComRW or channel FakeRW1 is done in READER’, a corresponding action is done on channel ComRW in READER_New. Except that, READER_New and READER’ perform the same action. WRITER_New performs the corresponding action which is done on channel ComRW, whenever WRITER’ does either an action on channel ComRW or channel FakeRW2.

PROCESS and intruder modeling

PROCESS_New describes the processing procedure for the new access control, which is used to decrypt messages. It decrypts messages to check if the data is acquired correctly.

$$\begin{aligned} \textit{PROC}&\textit{ESS}\_\textit{New}()=_{df}~\\&(\textit{GetData}?\textit{msg}_{\textit{pro}}.\textit{E}(\textit{k}',\textit{k1}^{{-1}}).\textit{E}(\textit{dk},\textit{data}).\textit{E}(\textit{k2},\textit{dk}').\textit{k}^{{-1}}\\&\rightarrow \left( \begin{array}{l} (\textit{GetData}!\textit{msg}_{\textit{ack}}.\textit{YES} \rightarrow \textit{SKIP})\\ \lhd ((\textit{k}' == \textit{k}) \& \& (\textit{k1} == \textit{k2}) \& \& (\textit{dk} == \textit{dk}'))\rhd \\ (\textit{GetData}!\textit{msg}_{\textit{ack}}.\textit{NO} \rightarrow \textit{SKIP}) \end{array} \right) \Box \textit{CHECKP}());\textit{PROCESS}() \end{aligned}$$

The set of facts that intruders might learn in the new access control is defined as Fact’.

$$\begin{aligned} \textit{Fact}'=_{df}~&\{\textit{R},\textit{W}\}\cup \{\textit{DKN},\textit{DN}\}\cup \textit{MSG}'_{\textit{out}}\cup \{\textit{K},\textit{K}^{{-1}},\textit{DK}\}\\&\cup \{\textit{E}(\textit{key},\textit{content})~|~\textit{key}\in \{\textit{K},\textit{DK}\},\textit{content}\in \{\textit{Data},\textit{DK},\textit{K}^{{-1}}\}\} \end{aligned}$$

All the messages transmitted between entities can be intercepted by the intruder. It supports facts deduced from its known facts and messages faking to disturb normal communication between entities. The formalization of is INTRUDER_New as below.

$$\begin{aligned} \textit{INTU}&\textit{DER}'(\textit{F})=_{df}\\&\Box \Box _{\textit{m}\in \textit{MSG}'_{\textit{out}}} \textit{FakeRW1}?\textit{m}\rightarrow \textit{FakeRW2}!\textit{m}\rightarrow \textit{INTRUDER}'(\textit{F}\cup \textit{Info}(\textit{m}))\\&\Box \Box _{\textit{m}\in \textit{MSG}'_{\textit{dat2}}} \textit{FakeRW2}?\textit{m}\rightarrow \textit{FakeRW1}!\textit{m}[[\textit{k}^{-1}\leftarrow \textit{K}_{{I}^{-1}}]]\rightarrow \textit{INTRUDER}'(\textit{F}\cup \textit{Info}(\textit{m}))\\&\Box \Box _{\textit{m}\in (\textit{MSG}'_{\textit{out}}\backslash \textit{MSG}'_{\textit{dat2}})} \textit{FakeRW2}?\textit{m}\rightarrow \textit{FakeRW1}!\textit{m}\rightarrow \textit{INTRUDER}'(\textit{F}\cup \textit{Info}(\textit{m}))\\&\Box \Box _{\textit{f}\in \textit{Fact}',\textit{f}\notin \textit{F},\textit{F}\mapsto \textit{f}} \textit{Initialization}\{\textit{l}=\textit{false}\}\rightarrow \textit{Deduce}.\textit{f}.\textit{F}\rightarrow \\&~~~\left( \begin{array}{l} (\textit{DataLeakageSuccess}\{\textit{l}=\textit{true}\} \rightarrow \textit{INTRUDER}'(\textit{F}\cup \{\textit{f}\}))\\ \lhd (\textit{f} == \textit{Data})\rhd (\textit{DataLeakageError}\{\textit{l}=\textit{false}\} \rightarrow \\ \textit{INTRUDER}'(\textit{F}\cup \{\textit{f}\})) \end{array} \right) \\ \textit{INTU}&\textit{DER}\_\textit{New}=_{df} \textit{INTRUDER}'(\textit{IK}')~~~~~\textit{IK}' =_{df}\{\textit{R},\textit{W},\textit{K},\textit{K}_{I},\textit{K}_{{I}^{-1}}\} \end{aligned}$$

Please refer to the website(The full implementation of the innovative methods in PAT can be found in https://github.com/asunafy/SVF-NDN.) for full implementation of the innovative method.

Related work

There are several researches on formal methods for cyberattacks. Bernardeschi et al.²³ introduced a framework integrating formal verification and network simulation to evaluate attacks on wireless sensor networks. This approach is effective in simulating attack scenarios and verifying system robustness but is primarily designed for specific industrial domains, limiting its generalizability to other network architectures. Hóu et al.²⁴ combined digital twins and runtime verification to protect satellites systems from cyberattacks. However, its reliance on runtime data makes it less suitable for preemptive and formal security verification in broader contexts. Poorhadi et al.²⁵ presented a formal approach to evaluate the cyberattacks on the European rail traffic management system with Event-B. Yet, it lacks scalability for large-scale distributed networks. Sakata et al.²⁶ formalized the fallback control of the industrial control systems in UPPAAL and analyzed whether the supervisor can give incident response during cyberattacks. While it is adept at ensuring incident response mechanisms, it focuses on predefined scenarios and does not address adaptive attack patterns. Most of the above approaches excel in specific industrial applications but fall short in addressing cyberattacks in more dynamic and distributed network environments such as access control in NDN.

Formal methods have been widely applied in the aspect of access controls. Wu et al.²⁷ formalized the Role-Compatibility Model and proved that if a resource is protected in a policy, then no existing sequence of events would compromise security. This method is robust in ensuring policy compliance but is limited by its static nature, making it less effective in adapting to dynamic policy changes. Hu et al.²⁸ defined a standardized structure for mandatory access control (MAC) mechanisms to provide property verification and automated generation of test cases. The approach efficiently automates test case generation, but its reliance on a specific modeling language reduces its flexibility for other access control paradigms. Ferrara et al.²⁹ combined abstraction and reduction to perform security analysis on administrative role-based access control models (RBAC). By abstracting policies into imperative programs, they effectively verify policy security, but this approach struggles with scalability in large systems with complex roles and hierarchies. These researches provide a solid foundation for formal access control verification but primarily focus on traditional access control models. In contrast, this paper specifically addresses the security concerns in NDN access control through data encryption and formal methods to handle cyberattacks.

There were also some studies focusing on the security of NDN and NDN-like environments, such as Information Centric Networking (ICN) and Content-centric networking (CCN). Fan et al.³⁰presented a complete secure file transfer protocol for NDN called FTP-NDN, and gave formal security models and proofs for it. While comprehensive, it is designed for file transfer scenarios and does not address general access control issues. In³¹, Viera et al. proposed a security protocol based on identity-based encryption to support ICN in smart grids, which enhances identity authentication but faces challenges in scalability for larger ICN environments. Wang et al.³² proposed a session-based access control mechanism for ICN. Wood et al.³³ provided strong end-to-end content security for CNN using a combination of proxy re-encryption and identity-based encryption, but the dependency on proxy components introduces potential vulnerabilities. Most of these works propose effective mechanisms for specific use cases but lack a comprehensive framework for robust security verification. This paper addresses this gap by introducing a security verification framework for NDN access control that supports the enhancement of access control measures against evolving cyberattacks.

Conclusion

In this paper, a security verification framework for NDN access control (SVF-NDN) has been presented. It takes the access control scheme and security properties as inputs and conducts formal modeling and verification for evaluating the scheme’s performance under cyberattacks. Taking data encryption-based NDN access control as a case study, several properties including deadlock freedom, data availability, key authentication, data leakage prevention, and data access protection have been verified. The verification results indicate that key authentication and data leakage protection are rendered invalid in the presence of intruders. As a result, two improvement methods and one innovative method were proposed. The improvement methods improved the access controls by adding digital signatures and digital certificates. The updated access control protected against data leakage prevention when the ACM is secure. The innovative method created a new access control instead to deal with the situation when ACM is invaded. The verification results showed the successful protection of data leakage prevention. Additionally, four algorithms were proposed to support the update of the CSP model in SFV-NDN. This work is significant for improving the security and robustness of NDN access control.

Future work

As for future work, the consideration of modeling and verifying alternative access control solutions in NDN using the framework SFV-NDN, as well as addressing other potential security issues related to NDN access control, will be the focus. Also, further research will be conducted on cyber attacks, including chain attacks and probabilistic attacks, to enhance the model’s ability to respond to such attacks. Due to the significant importance of caching in the NDN network, the research will also focus on attacks targeting caches, equipping the model with the capability to effectively handle such attacks.