Method and Apparatus to Use Identify Information for Digital Signing and Encrypting Content Integrity and Authenticity in Content Oriented Networks

US 20120166806A1
Filed: 07/27/2011
Published: 06/28/2012
Est. Priority Date: 12/28/2010
Status: Active Grant

First Claim

Patent Images

1. A content router comprising:

storage configured to cache, in a content oriented network (CON), a content object with a signature signed by a publisher based on a known identity to a subscriber; and

a transmitter coupled to the storage and configured to forward the content object with the signature upon request to the subscriber,wherein the subscriber uses the signature to verify the content object'"'"'s integrity based on the known identity without verifying a trust of a publisher key for the publisher, andwherein the known identity is trusted by the publisher and does not require verifying trust from the publisher.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A content router comprising storage configured to cache, in a content oriented network (CON), a content object with a signature signed by a publisher based on a known identity to a subscriber; and a transmitter coupled to the storage and configured to forward the content object with the signature upon request to the subscriber, wherein the subscriber uses the signature to verify one of the content object'"'"'s integrity and the content object'"'"'s authenticity based on the known identity without verifying a trust of a publisher key for the publisher, and wherein the known identity is trusted by the publisher and does not require verifying trust from the publisher.

62 Citations

View as Search Results

24 Claims

1. A content router comprising:
- storage configured to cache, in a content oriented network (CON), a content object with a signature signed by a publisher based on a known identity to a subscriber; and
  
  a transmitter coupled to the storage and configured to forward the content object with the signature upon request to the subscriber,wherein the subscriber uses the signature to verify the content object'"'"'s integrity based on the known identity without verifying a trust of a publisher key for the publisher, andwherein the known identity is trusted by the publisher and does not require verifying trust from the publisher.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The content router of claim 1, wherein the known identity is an identity of the publisher that is known to the subscriber or an identity of the content object that comprises a full name or a name prefix of the content object.
  - 3. The content router of claim 2, wherein the identity of the publisher is a public identifier (id) of the publisher that comprises one of an email address, a phone number, an organization name of the publisher, and a local identity within an organization.
  - 4. The content router of claim 1, wherein the content object is signed by the publisher using a private key of the publisher that is obtained using the known identity.
  - 5. The content router of claim 4, wherein the private key of the publisher is obtained from a Private Key Generator (PKG) that generates a master key (MK) distributed in the CON and a master secret key (MSK) that is not distributed, and wherein the private key of the publisher is obtained by the publisher using MSK and the known identity.
  - 6. The content router of claim 5, wherein the content object'"'"'s authenticity is verified using the signature, the known identity, and MK.
  - 7. The content router of claim 1, wherein no public key for the publisher is distributed in the CON, and wherein the subscriber does not require and does not use a public certificate from a trusted certificate authority (CA) to establish trust.

8. A network component comprising:
- a receiver in a content router configured to receive content from a publisher encrypted with a master key (MK) generated by a Private Key Generator (PKG) and an identity associated with the content, and the receiver further configured to receive the encrypted content from a cache in a content oriented network (CON); and
  
  a transmitter configured to send the encrypted content to the cache and to send the encrypted content from the cache to a subscriber that decrypts the encrypted content using a private key obtained using an identity associated with the publisher or the content and a master secret key (MSK) generated by the PKG.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The network component of claim 8, wherein the content is cached with metadata that comprises the signature and the identity, and wherein the identity is an identity of a subscriber.
  - 10. The network component of claim 8, wherein the identity is a content name or prefix that is registered with a content name registration service (NRS) if the content name or prefix is new.
  - 11. The network component of claim 10, wherein the NRS obtains the private key for the content name or prefix from the PKG and sends the private key to the subscriber that decrypts the encrypted content using the private key.
  - 12. The network component of claim 11, wherein the private key is obtained without using a public key infrastructure (PKI).

13-15. -15. (canceled)

16. A network apparatus implemented method comprising:
- receiving a content object with a signature signed from a publisher using a private key that is obtained using a public identity known in a content oriented network (CON);
  
  storing the content object with the signature in the CON; and
  
  forwarding the content object with the signature upon receiving a content request to a subscriber.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The network apparatus implemented method of claim 16, wherein a Private Key Generator (PKG) generates the private key using the public identity and a master secret key (MSK) also generated by the PKG with a master secret key (MK), and wherein the PKG generates MK and MSK only once and uses the same MSK and the public identity for generating a plurality of private keys for a plurality of publishers using a plurality of corresponding public identities.
  - 18. The network apparatus implemented method of claim 17, wherein the private key is obtained by the publisher from the PKG only once and uses the same private key for signing a plurality of content objects, and wherein the private key is obtained by the publisher from the PKG.
  - 19. The network apparatus implemented method of claim 17, wherein the subscriber verifies the signature using the public identity and the MK from the PKG without using a secure channel between the PKG and the subscriber, and wherein the subscriber gets MK from the PKG only once and uses the same MK for verifying a plurality of content objects.
  - 20. The network apparatus implemented method of claim 17, wherein the CON comprises a plurality of domains that comprise a plurality of corresponding publishers, subscribers, and PKGs, and wherein a subscriber in a first domain verifies a signature of a content object signed by a publisher in a second domain using a MK generated by a PKG in the second domain and signed using a second private key in the second domain generated by a public key infrastructure (PKI) of the CON, and wherein the subscriber verifies the authenticity of the signed MK using a public key in the second domain generated by the PKI and corresponding to the second private key and verifies the authenticity of the public key using a certificate from a trusted certificate authority (CA).
  - 21. The network apparatus implemented method of claim 16, wherein the publisher signs a plurality of content objects that have the same name or prefix with the same private key based on the name or prefix, and wherein the publisher delegates signing the content object to another user or service in an organization.
  - 22. The network apparatus implemented method of claim 16, wherein the subscriber uses the same public identity to verify the same content object that is published by a group of users or a plurality of publishers using the same name or prefix.
  - 23. The network apparatus implemented method of claim 16, wherein a plurality of public identities are used to sign the content object using different names or prefixes or different publishers identities.

24-30. -30. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Inventors
Zhang, Xinwen, Shi, Guangyu

Granted Patent

US 8,645,702 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/64   Protecting data integrity, ...

H04L 2209/60   Digital content management,...

H04L 63/062   for key distribution, e.g. ...

H04L 63/123   received data contents, e.g...

H04L 67/568   Storing data temporarily at...

H04L 67/63   Routing a service request d...

H04L 9/0847   involving identity based en...

H04L 9/3247   involving digital signatures

Method and Apparatus to Use Identify Information for Digital Signing and Encrypting Content Integrity and Authenticity in Content Oriented Networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

62 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus to Use Identify Information for Digital Signing and Encrypting Content Integrity and Authenticity in Content Oriented Networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links