Method and apparatus to create and manage a differentiated security framework for content oriented networks

US 8,863,227 B2
Filed: 09/07/2011
Issued: 10/14/2014
Est. Priority Date: 01/05/2011
Status: Active Grant

First Claim

Patent Images

1. A network device in a Content Oriented Network (CON), wherein the network device comprises:

a receiver configured to receive, from a publisher, a plain text content item signed by a publisher private key and an associated security information, wherein the security information comprises a group identifier (ID) that uniquely identifies a group of subscribers that is authorized to access the content item;

a processor coupled to the receiver and configured to implement procedures to enforce security policies defined by the security information, wherein the procedures comprise;

encrypting the plain text content item at the network device using the group ID as an encryption key to produce an encrypted content item;

attempting to decrypt the content item in response to a request from a subscriber by employing a subscriber group ID as a decryption key;

granting the subscriber access to the content item when the subscriber group ID successfully decrypts the content item; and

verifying the content item on behalf of the subscriber by employing a publisher public key;

a storage unit coupled to the processor and configured to cache the encrypted content item and the associated security information; and

a transmitter coupled to the processor and configured to;

send the content item from the storage unit to the subscriber when the subscriber is granted access; and

distribute the group ID among a plurality of content routers in the CON to support distributed access to the encrypted content item.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network component comprising a receiver configured to receive a signed content item and an associated security information from a publisher, wherein the security information indicates which group from a plurality of groups is allowed to access the signed content item, a storage unit configured to cache the content item and the associated security information, a processor to implement procedures to enforce security policies defined by the security information, and a transmitter configured to send the signed content item from the cache to a subscriber when the subscriber is a member of a group indicated by the security information as authorized to access the signed content item.

Citations

17 Claims

1. A network device in a Content Oriented Network (CON), wherein the network device comprises:
- a receiver configured to receive, from a publisher, a plain text content item signed by a publisher private key and an associated security information, wherein the security information comprises a group identifier (ID) that uniquely identifies a group of subscribers that is authorized to access the content item;
  
  a processor coupled to the receiver and configured to implement procedures to enforce security policies defined by the security information, wherein the procedures comprise;
  
  encrypting the plain text content item at the network device using the group ID as an encryption key to produce an encrypted content item;
  
  attempting to decrypt the content item in response to a request from a subscriber by employing a subscriber group ID as a decryption key;
  
  granting the subscriber access to the content item when the subscriber group ID successfully decrypts the content item; and
  
  verifying the content item on behalf of the subscriber by employing a publisher public key;
  
  a storage unit coupled to the processor and configured to cache the encrypted content item and the associated security information; and
  
  a transmitter coupled to the processor and configured to;
  
  send the content item from the storage unit to the subscriber when the subscriber is granted access; and
  
  distribute the group ID among a plurality of content routers in the CON to support distributed access to the encrypted content item.
- View Dependent Claims (2, 3, 4)
- - 2. The network device of claim 1, wherein the network device is further configured to receive a second content item from a content router in the CON, wherein the second content item is encrypted when received, wherein the second content item is signed by the content router using a private content router key, and wherein the processor is further configured to verify the second content item using a public content router key before sending the second content item to a second subscriber.
  - 3. The network device of claim 2, wherein the second content item is decrypted before sending the second content item to the second subscriber.
  - 4. The network device of claim 1, wherein encrypting the plain text content item using the group ID further comprises using a second group ID as part of the encryption key, wherein the second group ID is associated with a user group that authorized to share and subscribe the encrypted content item.

5. A content router comprising:
- a receiver configured to receive a content item in plain text and an associated security policy from a publisher in a content oriented network (CON), wherein the content item is signed by the publisher, and wherein the security policy comprises a logical group membership formula that indicates user group membership requirements for authorization to access the content item;
  
  a hardware processor coupled to the receiver and a storage unit, wherein the hardware processor is configured to;
  
  encrypt the plain text content item using the logical group membership formula as a security key to produce an encrypted content item;
  
  distribute the logical group membership formula among a plurality of content routers in the CON to support distributed access to the encrypted content item;
  
  store the encrypted content item in the storage unit;
  
  receive, via the receiver, an access request from a user, wherein the access request comprises one or more group membership identifiers (IDs) associated with the user;
  
  attempt to decrypt the encrypted content item with the user'"'"'s group membership IDs;
  
  grant the user access to the content item when the user'"'"'s group membership IDs successfully decrypt the content item.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The content router of claim 5, wherein the security policy defines a plurality of security levels for a plurality of user classes.
  - 7. The content router of claim 6, wherein the storage unit is configured to store a plurality of security policies, and wherein the plurality of security policies define a plurality of user security levels.
  - 8. The content router of claim 7, wherein the user is associated with one of a plurality of user classes that each have a plurality of corresponding security levels provided by the CON, and wherein the security levels comprise a first security level for guaranteeing content integrity, a second security level for guaranteeing content integrity and confidentiality, and a third security level for guaranteeing content integrity, confidentiality, and sharing among multiple authorized user groups.
  - 9. The content router of claim 8, wherein the security levels are implemented based on a plurality of CON operation models, and wherein the CON operation models comprise a first operation model where the content router provides content integrity and not content confidentiality, a second operation model where the content router shares provisioning of content integrity and confidentiality with the user group, and a third operation model where the content router handles both content integrity and confidentiality.
  - 10. The content router of claim 5, wherein the security policy enables privacy protection, wherein the security policy is employed to support confidentiality of the content item, wherein the security policy provides access control to the content item, and wherein the security policy is employed to support an integrity of the content item.
  - 11. The content router of claim 5, wherein the user is associated with at least one of a security policy, a service level agreement (SLA), and a Quality of Service (QoS) requirement.
  - 12. The content router of claim 5, wherein the content router is further configured to provide a plurality of application programming interfaces (APIs) for publishing and subscribing the content item, and wherein the content router uses a plurality of functions for encrypting and decrypting the content item which are transparent to the users.

13. A method implemented in a network device in a content oriented network (CON), the method comprises:
- receiving, from a publisher, a plain text content item signed by a publisher private key and an associated security information, wherein the security information comprises a group identifier (ID) that uniquely identifies a group of subscribers that is authorized to access the content item;
  
  encrypting, by a computing device, the plain text content item using the group ID as an encryption key to produce an encrypted content item;
  
  caching the encrypted content item;
  
  distributing the group ID among a plurality of content routers in the CON to support distributed access to the encrypted content item;
  
  attempting to decrypt the content item in response to a request from a subscriber by employing a subscriber group ID as a decryption key;
  
  granting the subscriber access to the content item when the subscriber group ID successfully decrypts the content item; and
  
  verifying the content item on behalf of the subscriber by employing a publisher public key;
  
  sending the content item to the subscriber when the subscriber is granted access.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, further comprising:
    - receiving a second content item from a content router in the CON, wherein the second content item is signed by the content router using a private content router key; and
      
      verifying the second content item using a public content router key before sending the second content item to a second subscriber.
  - 15. The method of claim 14, wherein the second content item is encrypted when received, and wherein the method further comprises:
    - receiving a second group ID associated with the second content item from the content router;
      
      attempting to decrypt the second content item in response to a request from a second subscriber by employing a second subscriber group ID as a decryption key;
      
      granting the second subscriber access to the second content item when the second subscriber group ID successfully decrypts the second content item.
  - 16. The method of claim 15, further comprising forwarding the decrypted second content item to the second subscriber in plain text when the second subscriber is granted access.
  - 17. The method of claim 13, wherein encrypting the plain text content item using the group ID further comprises using a third group ID as part of the encryption key, wherein the third group ID is associated with a user group that authorized to share and subscribe the encrypted content item.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Inventors
Zhang, Xinwen, Ravindran, Ravishankar, Wang, Guoqiang, Shi, Guangyu
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
SCHMIDT, KARI L

Application Number

US13/226,605
Publication Number

US 20120174181A1
Time in Patent Office

1,133 Days
Field of Search

726/1, 726 2- 6, 726 11- 15, 726 27- 30, 713/171, 713/176, 713/193
US Class Current

726/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 2209/60   Digital content management,...

H04L 63/104   Grouping of entities

H04L 63/123   received data contents, e.g...

H04L 9/0833   involving conference or gro...

H04L 9/3247   involving digital signatures

Method and apparatus to create and manage a differentiated security framework for content oriented networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus to create and manage a differentiated security framework for content oriented networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links