Method and apparatus to create and manage a differentiated security framework for content oriented networks
First Claim
1. A network device in a Content Oriented Network (CON), wherein the network device comprises:
a receiver configured to receive, from a publisher, a plain text content item signed by a publisher private key and an associated security information, wherein the security information comprises a group identifier (ID) that uniquely identifies a group of subscribers that is authorized to access the content item;
a processor coupled to the receiver and configured to implement procedures to enforce security policies defined by the security information, wherein the procedures comprise:
encrypting the plain text content item at the network device using the group ID as an encryption key to produce an encrypted content item;
attempting to decrypt the content item in response to a request from a subscriber by employing a subscriber group ID as a decryption key;
granting the subscriber access to the content item when the subscriber group ID successfully decrypts the content item; and
verifying the content item on behalf of the subscriber by employing a publisher public key;
a storage unit coupled to the processor and configured to cache the encrypted content item and the associated security information; and
a transmitter coupled to the processor and configured to:
send the content item from the storage unit to the subscriber when the subscriber is granted access; and
distribute the group ID among a plurality of content routers in the CON to support distributed access to the encrypted content item.
Abstract
A network component comprising a receiver configured to receive a signed content item and an associated security information from a publisher, wherein the security information indicates which group from a plurality of groups is allowed to access the signed content item, a storage unit configured to cache the content item and the associated security information, a processor to implement procedures to enforce security policies defined by the security information, and a transmitter configured to send the signed content item from the cache to a subscriber when the subscriber is a member of a group indicated by the security information as authorized to access the signed content item.
17 Claims
1. A network device in a Content Oriented Network (CON) (independent claim; full text given above under First Claim). Dependent claims: 2, 3, 4.
5. A content router comprising:
a receiver configured to receive a content item in plain text and an associated security policy from a publisher in a content oriented network (CON), wherein the content item is signed by the publisher, and wherein the security policy comprises a logical group membership formula that indicates user group membership requirements for authorization to access the content item;
a hardware processor coupled to the receiver and a storage unit, wherein the hardware processor is configured to:
encrypt the plain text content item using the logical group membership formula as a security key to produce an encrypted content item;
distribute the logical group membership formula among a plurality of content routers in the CON to support distributed access to the encrypted content item;
store the encrypted content item in the storage unit;
receive, via the receiver, an access request from a user, wherein the access request comprises one or more group membership identifiers (IDs) associated with the user;
attempt to decrypt the encrypted content item with the user's group membership IDs;
grant the user access to the content item when the user's group membership IDs successfully decrypt the content item.
Dependent claims: 6, 7, 8, 9, 10, 11, 12.
13. A method implemented in a network device in a content oriented network (CON), the method comprises:
receiving, from a publisher, a plain text content item signed by a publisher private key and an associated security information, wherein the security information comprises a group identifier (ID) that uniquely identifies a group of subscribers that is authorized to access the content item;
encrypting, by a computing device, the plain text content item using the group ID as an encryption key to produce an encrypted content item;
caching the encrypted content item;
distributing the group ID among a plurality of content routers in the CON to support distributed access to the encrypted content item;
attempting to decrypt the content item in response to a request from a subscriber by employing a subscriber group ID as a decryption key;
granting the subscriber access to the content item when the subscriber group ID successfully decrypts the content item; and
verifying the content item on behalf of the subscriber by employing a publisher public key;
sending the content item to the subscriber when the subscriber is granted access.
Dependent claims: 14, 15, 16, 17.
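As an added illustration (not code from the patent or its assignee), the following Go sketch walks through the content-router procedure of claims 1 and 13: the item is sealed under a key derived from the group ID, a subscriber's request is served only if one of the group IDs it presents decrypts the item, and the publisher's signature is then verified on the subscriber's behalf before the plaintext is sent. Assumptions not in the claims: AES-GCM as the cipher (so a wrong key fails authentication instead of yielding garbage), SHA-256 of the group ID as the symmetric key, and Ed25519 as the publisher's signature scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// gcmForGroup maps a group ID to an AEAD; hashing the ID into a 256-bit AES key is this example's assumption.
func gcmForGroup(groupID string) cipher.AEAD {
	key := sha256.Sum256([]byte("con-group-key:" + groupID))
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always accepted
	aead, _ := cipher.NewGCM(block)
	return aead
}

// SealForGroup is the router's ingest step: the publisher's plaintext is encrypted under
// the authorized group's key and returned as nonce || ciphertext for the router's cache.
func SealForGroup(groupID string, plaintext []byte) ([]byte, error) {
	aead := gcmForGroup(groupID)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Serve is the access check: each presented group ID is tried as the decryption key (the GCM tag
// rejects every wrong key), then the publisher's signature is verified on the subscriber's behalf.
func Serve(cached, sig []byte, pub ed25519.PublicKey, subscriberGroupIDs []string) ([]byte, error) {
	for _, gid := range subscriberGroupIDs {
		aead := gcmForGroup(gid)
		n := aead.NonceSize()
		if len(cached) < n {
			return nil, errors.New("malformed cached item")
		}
		pt, err := aead.Open(nil, cached[:n], cached[n:], nil)
		if err != nil {
			continue // wrong group: authentication failed, try the next ID
		}
		if !ed25519.Verify(pub, pt, sig) {
			return nil, errors.New("cached content fails publisher signature check")
		}
		return pt, nil
	}
	return nil, errors.New("access denied: no presented group ID decrypts this item")
}
```

With this construction the group ID is effectively a shared secret: any router it is distributed to can decrypt the item, so the distribution step in the claims widens the set of nodes that must protect it.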