CONTENT-BASED TRANSPORT SECURITY

US 20150222424A1
Filed: 02/06/2014
Published: 08/06/2015
Est. Priority Date: 02/06/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for sending an encrypted request to a remote computer system over a named-data network, the method comprising:

determining, by a client computing device, a request for data or a service from the remote computer system;

determining at least a routable prefix and a name suffix associated with the request;

determining an encryption key that corresponds to a session with the remote computer system;

encrypting the name suffix using the session encryption key;

generating an Interest whose name includes the routable prefix and the encrypted name suffix; and

disseminating the Interest over a named-data network to send the request to the remote computer system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system can send a secure request over a named-data network to a remote device by generating an Interest with encrypted name components. During operation, the computer system can receive or obtain a request for data, such as from a local user or from a local application. If the system cannot satisfy the request locally, the system can determine at least a routable prefix and a name suffix associated with the request. The system can generate the secure Interest for the request by determining an encryption key that corresponds to a session with the remote computer system, and encrypts the name suffix using the session encryption key. The system then generates an Interest whose name includes the routable prefix and the encrypted name suffix, and disseminates the Interest over a named-data network to send the request to the remote computer system.

Citations

25 Claims

1. A computer-implemented method for sending an encrypted request to a remote computer system over a named-data network, the method comprising:
- determining, by a client computing device, a request for data or a service from the remote computer system;
  
  determining at least a routable prefix and a name suffix associated with the request;
  
  determining an encryption key that corresponds to a session with the remote computer system;
  
  encrypting the name suffix using the session encryption key;
  
  generating an Interest whose name includes the routable prefix and the encrypted name suffix; and
  
  disseminating the Interest over a named-data network to send the request to the remote computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising providing a temporary key to the remote computer system, wherein providing the temporary key involves:
    - sending, to the remote computer system, a request for a digital certificate from the remote computer system;
      
      receiving a response that includes the remote computer system'"'"'s digital certificate;
      
      generating an encrypted packet that includes the temporary key, and that is encrypted using a public key from the digital certificate; and
      
      sending the encrypted packet to the remote computer system.
  - 3. The method of claim 1, further comprising providing a public key of the local computer system to the remote computer system, wherein providing the public key involves:
    - sending, to the remote computer system, a digital certificate or encoded public key object.
  - 4. The method of claim 1, wherein determining the encryption key involves obtaining a symmetric session key from the remote computer system.
  - 5. The method of claim 1, wherein determining the encryption key involves generating a session key using a key-generating function that takes as input one or more of:
    - a session identifier for the local client device'"'"'s session with the remote computer system; and
      
      a secret number that is secret to the remote computer system.
  - 6. The method of claim 1, further comprising initiating a session with the remote computer system, wherein initiating the session involves:
    - receiving, from the remote computer system, an encrypted session-setup packet that includes at least a session identifier and a symmetric session key, wherein the encrypted session-setup packet is encrypted using a temporary key from the local client device and includes the remote computer system'"'"'s certificate, and wherein the encrypted session-setup packet is signed according to the remote computer system'"'"'s certificate; and
      
      decrypting the encrypted session-setup packet to obtain the session identifier and the symmetric session key.
  - 7. The method of claim 6, wherein the session-setup packet is encrypted using the local client device'"'"'s public key.
  - 8. The method of claim 4, wherein initiating the session further involves:
    - signing the session identifier using the local client device'"'"'s private key;
      
      generating a resume-setup packet that includes the session identifier and a public key certificate of the local client device;
      
      encrypting the resume-setup packet using the session key;
      
      generating an Interest, for the remote computer system, that includes the encrypted resume-setup packet; and
      
      disseminating the Interest to provide the client-device authentication information to the remote computer system.
  - 9. The method of claim 1, further comprising:
    - receiving a response Content Object that satisfies the Interest; and
      
      decrypting the Content Object using a temporary symmetric key from the local client device.
  - 10. The method of claim 1, further comprising generating a private-key and public-key pair for the local client device;
    - wherein generating the Interest involves generating the Interest packet to include the client-device public key.
  - 11. The method of claim 10, further comprising:
    - receiving a response Content Object that satisfies the Interest; and
      
      decrypting the Content Object using the client-device private key.

12. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for sending an encrypted request to a remote computer system over a named-data network, the method comprising:
- determining a request for data or a service from the remote computer system;
  
  determining at least a routable prefix and a name suffix associated with the request;
  
  determining an encryption key that corresponds to a session with the remote computer system;
  
  encrypting the name suffix using the session encryption key;
  
  generating an Interest whose name includes the routable prefix and the encrypted name suffix; and
  
  disseminating the Interest over a named-data network to send the request to the remote computer system.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The storage medium of claim 12, wherein the method further comprising providing a temporary key to the remote computer system, wherein providing the temporary key involves:
    - sending, to the remote computer system, a request for a digital certificate from the remote computer system;
      
      receiving a response that includes the remote computer system'"'"'s digital certificate;
      
      generating an encrypted packet that includes the temporary key, and that is encrypted using a public key from the digital certificate; and
      
      sending the encrypted packet to the remote computer system.
  - 14. The storage medium of claim 12, wherein the method further comprises providing a public key of the local computer system to the remote computer system, wherein providing the public key involves:
    - sending, to the remote computer system, a digital certificate or encoded public key object.
  - 15. The storage medium of claim 12, wherein determining the encryption key involves obtaining a symmetric session key from the remote computer system.
  - 16. The storage medium of claim 12, wherein determining the encryption key involves generating a session key using a key-generating function that takes as input one or more of:
    - a session identifier for the local client device'"'"'s session with the remote computer system; and
      
      a secret number that is secret to the remote computer system.
  - 17. The storage medium of claim 14, wherein the method further comprises initiating a session with the remote computer system, wherein initiating the session involves:
    - receiving, from the remote computer system, an encrypted session-setup packet that includes at least a session identifier and a symmetric session key, wherein the encrypted session-setup packet is encrypted using a temporary key from the local client device and includes the remote computer system'"'"'s certificate, and wherein the encrypted session-setup packet is signed according to the remote computer system'"'"'s certificate; and
      
      decrypting the encrypted session-setup packet to obtain the session identifier and the symmetric session key.
  - 18. The storage medium of claim 17, wherein the session-setup packet is encrypted using the local client device'"'"'s public key.
  - 19. The storage medium of claim 17, wherein initiating the session further involves:
    - signing the session identifier using the local client device'"'"'s public key;
      
      generating a resume-setup packet that includes the session identifier and a public key certificate of the local client device;
      
      encrypting the resume-setup packet using the session key;
      
      generating an Interest, for the remote computer system, that includes the encrypted resume-setup packet; and
      
      disseminating the Interest to provide the client-device authentication information to the remote computer system.
  - 20. The storage medium of claim 12, wherein the method further comprises:
    - receiving a response Content Object that satisfies the Interest; and
      
      decrypting the Content Object using a temporary symmetric key from the local client device.
  - 21. The storage medium of claim 12, further comprising generating a private-key and public-key pair for the local client device;
    - wherein generating the Interest involves generating the Interest packet to include the client-device public key.
  - 22. The storage medium of claim 21, wherein the method further comprises:
    - receiving a response Content Object that satisfies the Interest; and
      
      decrypting the Content Object using the client-device private key.

23. An apparatus, comprising:
- a request-processing mechanism to determine a request for data or a service from the remote computer system, and to determine at least a routable prefix and a name suffix associated with the request;
  
  cryptography mechanism to determine an encryption key that corresponds to a session with the remote computer system, and encrypt the name suffix using the session encryption key;
  
  an Interest-processing mechanism to generate an Interest whose name includes the routable prefix and the encrypted name suffix; and
  
  a communication mechanism to disseminate the Interest over a named-data network to send the request to the remote computer system.
- View Dependent Claims (24, 25)
- - 24. The apparatus of claim 23, wherein the cryptography mechanism is further configured to provide a temporary key to the remote computer system, wherein providing the temporary key involves:
    - sending, to the remote computer system, a request for a digital certificate from the remote computer system;
      
      receiving a response that includes the remote computer system'"'"'s digital certificate;
      
      generating an encrypted packet that includes the temporary key, and that is encrypted using a public key from the digital certificate; and
      
      sending the encrypted packet to the remote computer system.
  - 25. The apparatus of claim 23, further comprising a session-managing mechanism to initiate a session with the remote computer system, wherein while initiating the session, the session-managing mechanism is further configured to:
    - configure the communication mechanism to receive, from the remote computer system, an encrypted session-setup packet that includes at least a session identifier and a symmetric session key, wherein the encrypted session-setup packet is encrypted using a temporary key from the local client device and includes the remote computer system'"'"'s certificate, and wherein the encrypted session-setup packet is signed according to the remote computer system'"'"'s certificate; and
      
      configure the cryptography mechanism to decrypt the encrypted session-setup packet to obtain the session identifier and the symmetric session key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Inventors
Mosko, Marc E., Uzun, Ersin

Granted Patent

US 9,954,678 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 45/306   Route determination based o...

H04L 49/355   Application aware switches,...

H04L 63/0428   wherein the data content is...

H04L 67/63   Routing a service request d...

H04L 9/08   Key distribution or managem...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0866   involving user or device id...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3228   One-time or temporary data,...

H04L 9/3247   involving digital signatures

CONTENT-BASED TRANSPORT SECURITY

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

CONTENT-BASED TRANSPORT SECURITY

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links