ENCRYPTED CCNx

US 20170111330A1
Filed: 10/16/2015
Published: 04/20/2017
Est. Priority Date: 10/16/2015
Status: Active Grant

First Claim

Patent Images

1. A computer system for facilitating forwarding of packets, the system comprising:

a processor; and

a storage device storing instructions that when executed by the processor cause the processor to perform a method, the method comprising;

determining, by a content requesting device or content producing device, a message that includes a plurality of bit groups, each corresponding to a type, a length, and a set of values, wherein one or more bit groups are marked for encryption, and wherein the message indicates a name that is a hierarchically structured variable-length identifier comprising contiguous name components ordered from a most general level to a most specific level;

computing a plurality of cipher blocks for the message based on an authenticated encryption protocol;

encrypting the one or more bit groups marked for encryption based on one or more symmetric keys, wherein the marked bit groups include one or more name components; and

indicating the encrypted bit groups as encrypted,thereby facilitating selective encryption of bit groups of the message.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment provides a system that facilitates selective encryption of bit groups of a message. During operation, the system determines, by a content requesting device or content producing device, a message that includes a plurality of bit groups, each corresponding to a type, a length, and a set of values, wherein one or more bit groups are marked for encryption, and wherein the message indicates a name that is a hierarchically structured variable-length identifier comprising contiguous name components ordered from a most general level to a most specific level. The system computes a plurality of cipher blocks for the message based on an authenticated encryption protocol. The system encrypts the one or more bit groups marked for encryption based on one or more symmetric keys, wherein the marked bit groups include one or more name components. Subsequently, the system indicates the encrypted bit groups as encrypted.

Citations

24 Claims

1. A computer system for facilitating forwarding of packets, the system comprising:
- a processor; and
  
  a storage device storing instructions that when executed by the processor cause the processor to perform a method, the method comprising;
  
  determining, by a content requesting device or content producing device, a message that includes a plurality of bit groups, each corresponding to a type, a length, and a set of values, wherein one or more bit groups are marked for encryption, and wherein the message indicates a name that is a hierarchically structured variable-length identifier comprising contiguous name components ordered from a most general level to a most specific level;
  
  computing a plurality of cipher blocks for the message based on an authenticated encryption protocol;
  
  encrypting the one or more bit groups marked for encryption based on one or more symmetric keys, wherein the marked bit groups include one or more name components; and
  
  indicating the encrypted bit groups as encrypted,thereby facilitating selective encryption of bit groups of the message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer system of claim 1, wherein the message is an interest packet or a content object packet.
  - 3. The computer system of claim 1, wherein the method further comprises:
    - transmitting the selectively encrypted message to a content producing device or a content requesting device.
  - 4. The computer system of claim 1, wherein computing the cipher blocks is further based on beginning at byte zero of the message.
  - 5. The computer system of claim 1, wherein computing the cipher blocks is further based on an Advanced Encryption Standard using a key with a length of 128 bits.
  - 6. The computer system of claim 1, wherein encrypting the bit groups is further based on an exclusive disjunction operation.
  - 7. The computer system of claim 1, wherein indicating the encrypted bit groups as encrypted comprises one or more of:
    - setting a field associated with the bit group in the message; and
      
      setting a reserved bit associated with the bit group in the message.
  - 8. The computer system of claim 1, wherein the method further comprises:
    - including in a validation section for the message a nonce and a key identifier for each of the symmetric keys.
  - 9. The computer system of claim 1, further comprising one or more of the following:
    - wherein a symmetric key is exchanged via a public key operation;
      
      wherein a symmetric key is encrypted based on a public key included in the message;
      
      wherein the validation section is based on a symmetric key cryptographic system with encryption;
      
      wherein a public key identifier of the content producing device is included in the message; and
      
      wherein a short symmetric key identifier is specified for use in subsequent messages between the content requesting device and the content producing device.
  - 10. The computer system of claim 9, further comprising one or more of the following:
    - wherein the public key operation is based on a cryptographic system that is RSA-SHA256; and
      
      wherein the short symmetric key identifier is a random number that is not derived from the symmetric key.
  - 11. The computer system of claim 1, wherein the method further comprises:
    - receiving the selectively encrypted message;
      
      in response to verifying authentication information associated with the message, decrypting, for each bit group indicated as encrypted, the encrypted bit group based on a corresponding symmetric key, wherein a nonce and a key identifier for each of the symmetric keys are included in a validation section for the message; and
      
      indicating the decrypted bit groups as decrypted.
  - 12. The computer system of claim 11, wherein verifying the authentication information associated with the message further comprises:
    - looking up in a storage a key identifier associated with the message; and
      
      verifying a signature or a message authentication code based on the key identifier.

13. A computer-implemented method for forwarding packets, the method comprising:
- determining, by a content requesting device or content producing device, a message that includes a plurality of bit groups, each corresponding to a type, a length, and a set of values, wherein one or more bit groups are marked for encryption, and wherein the message indicates a name that is a hierarchically structured variable-length identifier comprising contiguous name components ordered from a most general level to a most specific level;
  
  computing a plurality of cipher blocks for the message based on an authenticated encryption protocol;
  
  encrypting the one or more bit groups marked for encryption based on one or more symmetric keys, wherein the marked bit groups include one or more name components; and
  
  indicating the encrypted bit groups as encrypted,thereby facilitating selective encryption of bit groups of the message.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The method of claim 13, wherein the message is an interest packet or a content object packet.
  - 15. The method of claim 13, further comprising:
    - transmitting the selectively encrypted message to a content producing device or a content requesting device.
  - 16. The method of claim 13, wherein computing the cipher blocks is further based on beginning at byte zero of the message.
  - 17. The method of claim 13, wherein computing the cipher blocks is further based on an Advanced Encryption Standard using a key with a length of 128 bits.
  - 18. The method of claim 13, wherein encrypting the bit groups is further based on an exclusive disjunction operation.
  - 19. The method of claim 13, wherein indicating the encrypted bit groups as encrypted comprises one or more of:
    - setting a field associated with the bit group in the message; and
      
      setting a reserved bit associated with the bit group in the message.
  - 20. The method of claim 13, further comprising:
    - including in a validation section for the message a nonce and a key identifier for each of the symmetric keys.
  - 21. The method of claim 13, further comprising one or more of the following:
    - wherein a symmetric key is exchanged via a public key operation;
      
      wherein a symmetric key is encrypted based on a public key included in the message;
      
      wherein the validation section is based on a symmetric key cryptographic system with encryption;
      
      wherein a public key identifier of the content producing device is included in the message; and
      
      wherein a short symmetric key identifier is specified for use in subsequent messages between the content requesting device and the content producing device.
  - 22. The method of claim 21, further comprising one or more of the following:
    - wherein the public key operation is based on a cryptographic system that is RSA-SHA256; and
      
      wherein the short symmetric key identifier is a random number that is not derived from the symmetric key.
  - 23. The method of claim 13, further comprising:
    - receiving the selectively encrypted message;
      
      in response to verifying authentication information associated with the message, decrypting, for each bit group indicated as encrypted, the encrypted bit group based on a corresponding symmetric key, wherein a nonce and a key identifier for each of the symmetric keys are included in a validation section for the message; and
      
      indicating the decrypted bit groups as decrypted.
  - 24. The method of claim 23, wherein verifying the authentication information associated with the message further comprises:
    - looking up in a storage a key identifier associated with the message; and
      
      verifying a signature or a message authentication code based on the key identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Inventors
Mosko, Marc E., Wood, Christopher A.

Granted Patent

US 10,263,965 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/123   received data contents, e.g...

H04L 9/00   Cryptographic mechanisms or...

H04L 9/0618   Block ciphers, i.e. encrypt...

H04L 9/0631   Substitution permutation ne...

H04L 9/14   using a plurality of keys o...

H04L 9/302   involving the integer facto...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

ENCRYPTED CCNx

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

ENCRYPTED CCNx

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links