Method and Apparatus to Create and Manage a Differentiated Security Framework for Content Oriented Networks

US 20120174181A1
Filed: 09/07/2011
Published: 07/05/2012
Est. Priority Date: 01/05/2011
Status: Active Grant

First Claim

Patent Images

1. A network component comprising:

a receiver configured to receive a signed content item and an associated security information from a publisher, wherein the security information indicates which group from a plurality of groups is allowed to access the signed content item;

a storage unit configured to cache the content item and the associated security information;

a processor to implement procedures to enforce security policies defined by the security information; and

a transmitter configured to send the signed content item from the cache to a subscriber when the subscriber is a member of a group indicated by the security information as authorized to access the signed content item, wherein the subscriber verifies the signed content.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network component comprising a receiver configured to receive a signed content item and an associated security information from a publisher, wherein the security information indicates which group from a plurality of groups is allowed to access the signed content item, a storage unit configured to cache the content item and the associated security information, a processor to implement procedures to enforce security policies defined by the security information, and a transmitter configured to send the signed content item from the cache to a subscriber when the subscriber is a member of a group indicated by the security information as authorized to access the signed content item.

Citations

30 Claims

1. A network component comprising:
- a receiver configured to receive a signed content item and an associated security information from a publisher, wherein the security information indicates which group from a plurality of groups is allowed to access the signed content item;
  
  a storage unit configured to cache the content item and the associated security information;
  
  a processor to implement procedures to enforce security policies defined by the security information; and
  
  a transmitter configured to send the signed content item from the cache to a subscriber when the subscriber is a member of a group indicated by the security information as authorized to access the signed content item, wherein the subscriber verifies the signed content.
- View Dependent Claims (2, 3, 5, 6, 7)
- - 2. The network component of claim 1, wherein the received signed content item is further signed by a router using a private content router key, and wherein the signed content item that is sent from the cache to the subscriber is verified by the router using a public content router key.
  - 3. The network component of claim 2, wherein the signed content item is further signed by a content router using a private content router key, wherein the signed content item is further verified by the same or another content router using a public content router key before sending the signed content item to a subscriber, and wherein the security information comprises metadata.
  - 5. The network component of claim 1, wherein the signed content item is encrypted using an encryption key and then cached, wherein the cached content item is decrypted using the encryption key before sending the cached content item to the subscriber, and wherein the encryption key is distributed among a plurality of content routers in the CON.
  - 6. The network component of claim 1, wherein the signed content item is encrypted using a group identifier (ID) for one of a plurality of user groups authorized to share and subscribe the content, wherein the cached content item is decrypted using a group ID before sending the cached content item to the subscriber in the one of the user groups associated with the group ID, and wherein the group ID is distributed among a plurality of content routers in the CON.
  - 7. The network component of claim 1, wherein the signed content item is encrypted using a logical group policy that indicates a plurality of user groups authorized to share and subscribe the content item, and wherein the cached content item is decrypted using the group policy before sending the cached content item to the subscriber in one of the user groups that satisfies the logical group policy.

4. (canceled)

8. A content router comprising:
- storage configured to store a signed content item and an associated security policy, wherein the signed content item is received from a first one of a plurality of users in a content oriented network (CON), wherein the security policy indicates which users from the plurality of users are allowed to access the signed content item; and
  
  a processor configured to enforce the associated security policy for the signed content item.
- View Dependent Claims (9, 10, 12, 17, 18, 19, 20, 21)
- - 9. The content router of claim 8, wherein the security policies define different security levels for different ones of a plurality of users that correspond to a plurality of user classes.
  - 10. The content router of claim 8, wherein the content is stored once using a policy for a plurality of user groups that are authorized to share the content item, and wherein the users use a plurality of cryptographic algorithms for signing and verifying content.
  - 12. The content router of claim 8, wherein the security policy is defined by one or more of the plurality of users, wherein the security policy enables privacy protection, wherein the security policy provides for ensuring the confidentiality of the content item, wherein the security policy provides access control to the content item, and wherein implementation of the security policy ensures the integrity of the content item.
  - 17. The content router of claim 8, wherein the users correspond to one user group or a plurality of user groups that have at least one of a plurality of corresponding security policies, a plurality of service level agreements (SLAs), a plurality of Quality of Service (QoS) requirements, and a plurality of other policies.
  - 18. The content router of claim 8, wherein the storage is configured to store a plurality of security policies wherein the plurality of security policies define different security levels for different ones of a plurality of users that correspond to a plurality of users.
  - 19. The content router of claim 18, wherein the user classes have a plurality of corresponding security levels provided by the CON, and wherein the security levels comprise a first security level for guaranteeing content integrity, a second security level for guaranteeing content integrity and confidentiality, and a third security level for guaranteeing content integrity, confidentiality, and sharing among multiple authorized user groups.
  - 20. The content router of claim 19, wherein the security levels are implemented based on a plurality of CON operation models, and wherein the CON operation models comprise a first operation model where the CON provides content integrity and a user group handles content confidentiality, a second operation model where the CON and the user group share content integrity and confidentiality, and a third operation model where the CON handles both content integrity and confidentiality.
  - 21. The content router of claim 8, wherein the same content item is stored a plurality of times using a plurality of group identifiers (IDs) for a plurality of user groups that are authorized to share the content item, wherein the users use a plurality of application programming interfaces (APIs) for publishing and subscribing the content item, and wherein the CON uses a plurality of functions for encrypting and decrypting the content item which are transparent to the users.

11. (canceled)

13-16. -16. (canceled)

22-23. -23. (canceled)

24. A system for enforcing a plurality of security policies for shared content, comprising:
- a content oriented network (CON) comprising a plurality of content routers; and
  
  a plurality of edge nodes coupled to the CON, wherein the edge nodes are configured to couple a first group of users to the CON and a second group of users to the CON, wherein the first group of users are associated with a first security policy for a first content item, wherein the first security policy is created by the first group of users, and wherein the second group of users are associated with a second security policy for a second content item, wherein the second security policy is created by the second group of users;
  
  wherein the first security policy is different from the second security policy, and wherein the CON is configured to implement the first security policy and the second security policy.
- View Dependent Claims (25, 26, 27, 29)
- - 25. The system of claim 24, wherein the content oriented network comprises a content router and wherein the first and second security policies are defined in the content router.
  - 26. The system of claim 24, wherein the content oriented network comprises a management plane and the first and second security policies are mapped to respective members of the first and second groups of users in the management plane.
  - 27. The system of claim 24, wherein the first security policy comprises a first security scheme for a first member of the first group of users and a second security scheme for a second member of the first group of uses, wherein the first security scheme is different from the second security scheme, and wherein implementation of the first security policy by the CON ensures data integrity of the first content item.
  - 29. The system of claim 24, wherein implementation of the first security policy by the CON provides for sharing of the first content item between members of the first group of users and a third group of users and wherein implementation of the first security policy preserves data integrity of the first content item, and wherein implementation of the first security policy by the CON preserves confidentiality of members of the first and third group of users.

28. (canceled)

30-41. -41. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Inventors
Zhang, Xinwen, Ravindran, Ravishankar, Wang, Guoqiang, Shi, Guangyu

Granted Patent

US 8,863,227 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 2209/60   Digital content management,...

H04L 63/104   Grouping of entities

H04L 63/123   received data contents, e.g...

H04L 9/0833   involving conference or gro...

H04L 9/3247   involving digital signatures

Method and Apparatus to Create and Manage a Differentiated Security Framework for Content Oriented Networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus to Create and Manage a Differentiated Security Framework for Content Oriented Networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links