System for key exchange in a content centric network
First Claim
1. A computer system comprising:
- a processor; and
a storage device storing instructions that when executed by the processor cause the processor to perform implementing a key exchange protocol to establish and exchange secure session keys for authenticated encryption of data for a secure communication session between a content-consuming device and a content-producing device each configured to exchange interest packets and content object packets over a content-centric network (CCN), the implementing including;
constructing an initial interest packet with a name that includes a first prefix and a previously generated first nonce, and a payload that indicates an initial hello;
in response to the initial interest packet, receiving an initial content-object packet with a payload that includes configuration information, a second nonce, and a second prefix different from the first prefix, wherein the configuration information indicates a first consumer-share key, and the second nonce is used to establish a session between the content-consuming device and the content-producing device over the CCN;
generating, by the content-consuming device, a first key based on the first consumer-share key and a previously received producer-share key;
constructing a first interest packet that includes the first consumer-share key and a nonce token which is used as a pre-image of the previously generated first nonce, wherein the first interest packet has a name that includes the first prefix, and wherein the previously generated first nonce is also used to establish the session;
replacing the first prefix with the second prefix in the name for the first interest packet;
sending the first interest packet to the content-producing device over the CCN and in response to the nonce token being verified by the content-producing device, receiving, by the content-consuming device, from the content-producing device over the CCN a first content-object packet with a payload that includes a first resumption indicator encrypted based on a second key;
generating the second key based on a second consumer-share key and the first content-object packet;
decrypting the payload for the first content-object packet; and
in response to determining that the decrypted payload does not indicate a rejection, obtaining an acknowledgment and a second producer-share key.
0 Assignments
0 Petitions
Accused Products
Abstract
One embodiment provides a system that facilitates secure communication between computing entities. During operation, the system generates, by a content-consuming device, a first key based on a first consumer-share key and a previously received producer-share key. The system constructs a first interest packet that includes the first consumer-share key and a nonce token which is used as a pre-image of a previously generated first nonce, wherein the first interest has a name that includes a first prefix, and wherein the first nonce is used to establish a session between the content-consuming device and a content-producing device. In response to the nonce token being verified by the content-producing device, the system receives a first content-object packet with a payload that includes a first resumption indicator encrypted based on a second key. The system generates the second key based on a second consumer-share key and the first content-object packet.
-
Citations
20 Claims
-
1. A computer system comprising:
-
a processor; and a storage device storing instructions that when executed by the processor cause the processor to perform implementing a key exchange protocol to establish and exchange secure session keys for authenticated encryption of data for a secure communication session between a content-consuming device and a content-producing device each configured to exchange interest packets and content object packets over a content-centric network (CCN), the implementing including; constructing an initial interest packet with a name that includes a first prefix and a previously generated first nonce, and a payload that indicates an initial hello; in response to the initial interest packet, receiving an initial content-object packet with a payload that includes configuration information, a second nonce, and a second prefix different from the first prefix, wherein the configuration information indicates a first consumer-share key, and the second nonce is used to establish a session between the content-consuming device and the content-producing device over the CCN; generating, by the content-consuming device, a first key based on the first consumer-share key and a previously received producer-share key; constructing a first interest packet that includes the first consumer-share key and a nonce token which is used as a pre-image of the previously generated first nonce, wherein the first interest packet has a name that includes the first prefix, and wherein the previously generated first nonce is also used to establish the session; replacing the first prefix with the second prefix in the name for the first interest packet; sending the first interest packet to the content-producing device over the CCN and in response to the nonce token being verified by the content-producing device, receiving, by the content-consuming device, from the content-producing device over the CCN a first content-object packet with a payload that includes a first resumption indicator encrypted based on a second key; generating the second key based on a second consumer-share key and the first content-object packet; decrypting the payload for the first content-object packet; and in response to determining that the decrypted payload does not indicate a rejection, obtaining an acknowledgment and a second producer-share key. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A computer system comprising:
-
a processor; and a storage device storing instructions that when executed by the processor cause the processor to perform implementing a key exchange protocol to establish and exchange secure session keys for authenticated encryption of data for a secure communication session between a content-consuming device and a content-producing device each configured to exchange interest packets and content object packets over a content-centric network (CCN), the implementing including; upon receiving over the CCN, by the content-producing device, an initial interest packet with a name that includes a first prefix and a first nonce, and a payload that indicates an initial hello, constructing an initial content-object packet with a payload that includes configuration information, a second nonce, and a second prefix different from the first prefix, wherein the configuration information indicates a first consumer-share key, and the second nonce is used to establish a session between the content-consuming device and the content-producing device over the CCN; receiving over the CCN, by the content-producing device, a first interest packet from the content-consuming device, wherein the first interest packet includes the first consumer-share key and a nonce token which is used as a pre-image of the previously received first nonce, wherein the first interest packet has a name that includes the first prefix, and wherein the previously received first nonce is also used to establish the session; replacing the first prefix with the second prefix in the name for the first interest packet; generating a first key based on the first consumer-share key and a first producer-share key; verifying the nonce token based on the first key and the first nonce, by decrypting the payload for the first interest packet based on the first key, performing a hash function on the nonce token to obtain a result, and determining whether the result matches the first nonce; generating a second key based on the first interest packet and a second producer-share key; and constructing a first content-object packet with a payload that includes a first resumption indicator encrypted based on the second key. - View Dependent Claims (8, 9, 10, 11, 12, 13, 15)
-
-
14. One or more non-transitory computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to perform operations comprising implementing a key exchange protocol to establish and exchange secure session keys for authenticated encryption of data for a secure communication session between a content-consuming device and a content-producing device each configured to exchange interest packets and content object packets over a content-centric network (CCN), the implementing including:
-
constructing an initial interest packet with a name that includes a first prefix and a previously generated first nonce, and a payload that indicates an initial hello; in response to the initial interest packet, receiving an initial content-object packet with a payload that includes configuration information, a second nonce, and a second prefix different from the first prefix, wherein the configuration information indicates a first consumer-share key, and the second nonce is used to establish a session between the content-consuming device and the content-producing device over the CCN; generating, by the content-consuming device, a first key based on the first consumer-share key and a previously received producer-share key; constructing a first interest packet that includes the first consumer-share key and a nonce token which is used as a pre-image of the previously generated first nonce, wherein the first interest packet has a name that includes the first prefix, and wherein the previously generated first nonce is also used to establish the session; replacing the first prefix with the second prefix in the name for the first interest packet; sending the first interest packet to the content-producing device over the CCN and in response to the nonce token being verified by the content-producing device, receiving, by the content-consuming device, from the content-producing device over the CCN a first content-object packet with a payload that includes a first resumption indicator encrypted based on a second key; generating the second key based on a second consumer-share key and the first content-object packet; decrypting the payload for the first content-object packet; and in response to determining that the decrypted payload does not indicate a rejection, obtaining an acknowledgment and a second producer-share. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification