Encrypted CCNx
First Claim
1. A system comprising:
   a content requesting device configured to communicate with a content centric network (CCN) and to perform a method comprising:
      generating an Interest requesting a content object by a hierarchically structured variable-length name that is used to forward the Interest in the CCN, the name comprising name components arranged contiguously in an order from a most general level to a most specific level and each including a bit group comprising a type, a length, and a set of values, wherein one or more of the name components at the most specific level are marked for encryption;
      exchanging one or more symmetric keys via a public key operation;
      encrypting each name component at the most specific level marked for encryption using a respective symmetric key, to produce a selectively encrypted name having one or more encrypted name components and one or more unencrypted name components;
      indicating each encrypted name component as encrypted by setting a respective field associated with the bit group of the encrypted name component;
      including in the Interest a validation section that identifies the respective symmetric key for each encrypted name component; and
      transmitting the Interest to the CCN; and
   a content producing device configured to receive the Interest from the CCN and, responsive thereto, perform a method comprising:
      verifying authentication information associated with the Interest by looking up in a storage a key identifier associated with the Interest;
      responsive to the verifying, decrypting, for each encrypted name component indicated as encrypted, the encrypted name component based on a corresponding symmetric key, wherein a nonce and a key identifier for each of the symmetric keys are included in a validation section for the Interest;
      indicating the decrypted name components as decrypted; and
      producing a content object that matches the name components as decrypted.
Abstract
One embodiment provides a system that facilitates selective encryption of bit groups of a message. During operation, the system determines, by a content requesting device or content producing device, a message that includes a plurality of bit groups, each corresponding to a type, a length, and a set of values, wherein one or more bit groups are marked for encryption, and wherein the message indicates a name that is a hierarchically structured variable-length identifier comprising contiguous name components ordered from a most general level to a most specific level. The system computes a plurality of cipher blocks for the message based on an authenticated encryption protocol. The system encrypts the one or more bit groups marked for encryption based on one or more symmetric keys, wherein the marked bit groups include one or more name components. Subsequently, the system indicates the encrypted bit groups as encrypted.
24 Claims
Claim 1 (independent) is reproduced above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 19, 20, 21, 22.
12. A computer-implemented method comprising:
   at a content producing device configured to communicate with a content centric network (CCN):
      generating a content object packet responsive to an Interest from a content requesting device that requests a content object by a hierarchically structured variable-length name, the content object packet including the content object and the name to be used to forward the content object packet in the CCN, the name comprising name components arranged contiguously in an order from a most general level to a most specific level and each including a bit group comprising a type, a length, and a set of values, wherein one or more of the name components are marked for encryption;
      exchanging one or more symmetric keys via a public key operation;
      encrypting each name component at the most specific level marked for encryption using a respective symmetric key, to produce a selectively encrypted name having one or more encrypted name components and one or more unencrypted name components;
      indicating each encrypted name component as encrypted by setting a respective field associated with the bit group of the encrypted name component;
      including in the content object packet a validation section that identifies the respective symmetric key for each encrypted name component; and
      transmitting the content object packet to the CCN; and
   at the content requesting device, receiving the content object packet from the CCN and, responsive thereto:
      verifying authentication information associated with the content object packet by looking up in a storage a key identifier associated with the content object packet, and verifying a signature or a message authentication code based on the key identifier;
      responsive to the verifying, decrypting, for each encrypted name component indicated as encrypted, the encrypted name component based on a corresponding symmetric key, wherein a nonce and a key identifier for each of the symmetric keys are included in the validation section for the content object packet;
      indicating the decrypted name components as decrypted; and
      based on the decrypted name components, performing a lookup, and clearing an entry, in a Pending Interest Table (PIT) corresponding to the Interest.
Dependent claims: 13, 14, 15, 16, 17, 18, 23, 24.