An Efficient TCB for a Generic Content Distribution System S.D. Mohanty, A. Velagapalli, M. Ramkumar Department of Computer Science and Engineering Mississippi State University, MS. Abstract—We consider the security requirements for a broad class of content distribution systems where the content distribu- tion infrastructure is required to strictly abide by access control policies prescribed by owners of content. We propose a security solution that identifies a minimal trusted computing base (TCB) for a content distribution infrastructure, and leverages the TCB to provide all desired assurances regarding the operation of the infrastructure. It is assumed that the contents and access control policies associated with contents are dynamic. I. I NTRODUCTION A content distribution system includes publishers who create content for consumption by subscribers, and a third party in the form of a distribution infrastructure, as pub- lishers themselves may not possess the infrastructural capa- bilities required to distribute content. In any such content distribution system (CDS), publishers desire mechanisms to ensure that their content is made available only to a select set of subscribers, by prescribing an access control list (ACL) for the content. Subscribers desire mechanisms to ensure the integrity and authenticity of the content. Irrespective of the nature of the specifics of the CDS, the users of the system - viz., publishers and subscribers - are expected to trust the infrastructural elements to preserve integrity of content, and adhere to the (content specific) ACL prescribed by the publisher. In practice, the “infrastructure” may be composed of possibly several agencies, computers and personnel. As malicious behavior by any infrastructural component may lead to violation of the desired assurances, and as it is impractical to rule out such behavior in complex systems, explicit mechanisms are required to assure the operation of such infrastructural elements. A. Trusted Computing Base The trusted computing base (TCB) [1] for a system is a small amount of hardware and/or software that need to be trusted in order to realize the desired assurances. More specifically, the assurances are guaranteed even if all elements outside the TCB misbehave. The lower the complexity of the elements in the TCB, the lower is the ability to hide malicious/accidental functionality in the TCB components. Consequently, in the design of any security solution it is necessary to lower the complexity of components in the TCB to the extent feasible. The contribu- tion of this paper is a broad security solution for assuring the operation of a content distribution system (CDS), and is motivated by the question “what is a minimal TCB for a CDS?” In the proposed approach the TCB is a set of simple functions F () executed inside a trusted boundary - for example, by a trusted module T. All desired assurances regarding operation of the CDS are guaranteed as long as the following (very reasonable) assumptions hold: 1) a pre-image resistant cryptographic hash function h() exists. 2) the module T is read-proof and write-proof; in other words, the secrets protected by the module cannot be exposed, and the simple functionality F () of the module cannot be modified; A multitude of proven hash functions (like SHA-1) ex- ist that justify the first assumption. To justify the second assumption it is essential that the functionality F () is constrained to be simple enough to permit consummate verification. Towards this end we deliberately limit the computational and storage capabilities of module T required to execute F () - by constraining F () to be composed of simple sequences of logical and cryptographic hash h() operations. The contribution of this paper is an algorithmic descrip- tion of a TCB functionality F () which can be leveraged to assure the operation of a broad class of content distribution systems. The rest of this paper is organized as follows. In Section II we outline a generic model for a CDS and enumerate the desirable features and assurances. In Section III we provide a systemic overview of the proposed approach. In Section III-B we provide an overview of a simple data structure, an index ordered merkle tree (IOMT) which is used to succinctly represent all content handled by the CDS and the ACL for each content. Section IV provides a description of the operation of the system along with an algorithmic description of the TCB functionality F (). II. A MODEL FOR A GENERIC CONTENT DISTRIBUTION SYSTEM A content distribution system consists of a dynamic set of users U = {u 1 ··· u n } (who may be publishers, or subscribers, or both) and a dynamic set of content C = {c 1 ··· c m }, where u i is a unique identity of a user, and c i is a unique label assigned to a content. Both sets U and C may be dynamic, and posses practically unlimited cardinality (unlimited n and m).