System and method for performing key resolution over a content centric network

US 9,391,777 B2
Filed: 08/15/2014
Issued: 07/12/2016
Est. Priority Date: 08/15/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, by a server computer of the key-resolution service (KRS) over a Content Centric Network, an Interest message with a name that includes a routable prefix associated with the key-resolution service, wherein the Interest includes a query for a content name that is to be resolved in the name or a payload of the Interest;

obtaining, from the Interest message, the content name that is to be resolved;

obtaining, by the server computer, a KRS record for the content name, wherein the KRS record includes security information for the content name or security information for a prefix of the content name, wherein obtaining the KRS record involves;

performing a longest-prefix-matching lookup in a next-hop table, using the content name as input, to obtain a second routable prefix for a key-resolution zone associated with the content name or a prefix of the content name;

disseminating, over the Content Centric Network, a second Interest message that includes the query for the content name, and whose name includes the second routable prefix for the key-resolution zone; and

in response to receiving, from the key-resolution zone, a Content Object that includes a routable prefix for a second key-resolution zone, obtaining the KRS record from the second key-resolution zone; and

returning, by the server computer, a Content Object whose payload includes the security information that satisfies the query, and whose name includes the Interest message'"'"'s name, to satisfy the Interest message.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A key-resolution service (KRS) can facilitate a client device in verifying that Content Objects are signed by a trusted entity. During operation, the KRS service can receive an Interest that includes a KRS query for a content name that is to be resolved. The KRS service obtains the content name from the Interest, and obtains a KRS record that includes security information for the content name or a prefix of the content name. The KRS service then returns a Content Object whose payload includes the KRS record to satisfy the first Interest. The client device can query the KRS service to obtain a trusted key associated with at least a name prefix of the Content Object, and if necessary, can disseminate Interests to obtain keys that complete a chain of trust between the trusted key and a key that is used to authenticate the Content Object.

381 Citations

20 Claims

1. A computer-implemented method, comprising:
- receiving, by a server computer of the key-resolution service (KRS) over a Content Centric Network, an Interest message with a name that includes a routable prefix associated with the key-resolution service, wherein the Interest includes a query for a content name that is to be resolved in the name or a payload of the Interest;
  
  obtaining, from the Interest message, the content name that is to be resolved;
  
  obtaining, by the server computer, a KRS record for the content name, wherein the KRS record includes security information for the content name or security information for a prefix of the content name, wherein obtaining the KRS record involves;
  
  performing a longest-prefix-matching lookup in a next-hop table, using the content name as input, to obtain a second routable prefix for a key-resolution zone associated with the content name or a prefix of the content name;
  
  disseminating, over the Content Centric Network, a second Interest message that includes the query for the content name, and whose name includes the second routable prefix for the key-resolution zone; and
  
  in response to receiving, from the key-resolution zone, a Content Object that includes a routable prefix for a second key-resolution zone, obtaining the KRS record from the second key-resolution zone; and
  
  returning, by the server computer, a Content Object whose payload includes the security information that satisfies the query, and whose name includes the Interest message'"'"'s name, to satisfy the Interest message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the Content Object'"'"'s payload includes the KRS record.
  - 3. The method of claim 1, wherein the KRS record includes at least one of:
    - a name or name prefix for which the KRS record resolves security information;
      
      a payload comprising security information for the name or name prefix; and
      
      security information that is used to authenticate the KRS record.
  - 4. The method of claim 1,wherein generating the second Interest message involves including the query for the content name in the name or a payload of the second Interest message.
  - 5. The method of claim 1, wherein a respective entry of the next-hop table includes at least one of:
    - a name or name prefix;
      
      a routable prefix for a key-resolution zone mapped to the name or name prefix; and
      
      a public key for a key-resolution service associated with the key-resolution zone.
  - 6. The method of claim 1, wherein obtaining the KRS record from the second key-resolution zone involves:
    - generating a third Interest message whose name includes the routable prefix for the second key-resolution zone, and includes the query for the content name in the name or a payload of the third Interest; and
      
      responsive to disseminating the third Interest for the second key-resolution zone, receiving a Content Object that includes the KRS record.
  - 7. The method of claim 1, further comprising updating the next-hop table to include an entry that maps the content name to the routable prefix for the second key-resolution zone.
  - 8. The method of claim 1, further comprising:
    - responsive to disseminating the second Interest for the key-resolution zone, receiving a Content Object that satisfies the second Interest, and includes the KRS record; and
      
      caching the KRS record in a KRS record repository.
  - 9. The method of claim 1, wherein obtaining the KRS record involves:
    - performing a longest-prefix-matching lookup in a KRS record repository, using the content name as input, to obtain the KRS record that includes the security information associated with at least a prefix of the content name.
  - 10. The method of claim 1, wherein the security information for the content name or a prefix of the content name in the KRS record includes one or more of:
    - a public key;
      
      a public key certificate;
      
      a certificate chain;
      
      a cryptographic digest of a Content Object; and
      
      a cryptographic digest of a content object, signed by the Content Object'"'"'s producer or a trusted entity.

11. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method, the method comprising:
- receiving, over a Content Centric Network, an Interest message with a name that includes a routable prefix associated with a key-resolution service, wherein the Interest includes a query for a content name that is to be resolved in the name or a payload of the Interest;
  
  obtaining, from the Interest message, the content name that is to be resolved;
  
  obtaining a KRS record for the content name, wherein the KRS record includes security information for the content name or security information for a prefix of the content name, wherein obtaining the KRS record involves;
  
  performing a longest-prefix-matching lookup in a next-hop table, using the content name as input, to obtain a second routable prefix for a key-resolution zone associated with the content name or a prefix of the content name;
  
  disseminating, over the Content Centric Network, a second Interest message that includes the query for the content name, and whose name includes the second routable prefix for the key-resolution zone; and
  
  in response to receiving, from the key-resolution zone, a Content Object that includes a routable prefix for a second key-resolution zone, obtaining the KRS record from the second key-resolution zone; and
  
  returning a Content Object whose payload includes the security information that satisfies the query, and whose name includes the Interest message'"'"'s name, to satisfy the Interest message.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The storage medium of claim 11, wherein the Content Object'"'"'s payload includes the KRS record.
  - 13. The storage medium of claim 11, wherein the KRS record includes at least one of:
    - a name or name prefix for which the KRS record resolves security information;
      
      a payload comprising security information for the name or name prefix; and
      
      security information that is used to authenticate the KRS record.
  - 14. The storage medium of claim 11,wherein generating the second Interest message involves including the query for the content name in the name or a payload of the second Interest message.
  - 15. The storage medium of claim 11, wherein a respective entry of the next-hop table includes at least one of:
    - a name or name prefix;
      
      a routable prefix for a key-resolution zone mapped to the name or name prefix; and
      
      a public key for a key-resolution service associated with the key-resolution zone.
  - 16. The storage medium of claim 11, wherein obtaining the KRS record from the second key-resolution zone involves:
    - generating a third Interest message whose name includes the routable prefix for the second key-resolution zone, and includes the query for the content name in the name or a payload of the third Interest; and
      
      responsive to disseminating the third Interest for the second key-resolution zone, receiving a Content Object that includes the KRS record.
  - 17. The storage medium of claim 11, further comprising updating the next-hop table to include an entry that maps the content name to the routable prefix for the second key-resolution zone.
  - 18. The storage medium of claim 11, further comprising:
    - responsive to disseminating the second Interest for the key-resolution zone, receiving a Content Object that satisfies the second Interest, and includes the KRS record; and
      
      caching the final key-resolution record.
  - 19. The storage medium of claim 11, wherein obtaining the KRS record involves:
    - performing a longest-prefix-matching lookup in a KRS record repository, using the content name as input, to obtain the KRS record that includes the security information associated with at least a prefix of the content name.

20. A server computer of a key-resolution service (KSR), comprising:
- a processor; and
  
  a memory storing instructions that when executed by the processor cause the server computer to implement;
  
  a communication module configured to receive, over a Content Centric Network, an Interest message with a name that includes a routable prefix associated with the key-resolution service, wherein the Interest includes a query for a content name that is to be resolved in the name or a payload of the Interest;
  
  an Interest-processing module configured to obtain, from the Interest message, the content name that is to be resolved; and
  
  a record-lookup module configured to obtain a KRS record for the content name, wherein the KRS record includes security information for the content name or security information for a prefix of the content name, wherein obtaining the KRS record involves;
  
  performing a longest-prefix-matching lookup in a next-hop table, using the content name as input, to obtain a second routable prefix for a key-resolution zone associated with the content name or a prefix of the content name;
  
  disseminating, over the Content Centric Network, a second Interest message that includes the query for the content name, and whose name includes the second routable prefix for the key-resolution zone; and
  
  in response to receiving, from the key-resolution zone, a Content Object that includes a routable prefix for a second key-resolution zone, obtaining the KRS record from the second key-resolution zone; and
  
  wherein the communication module is further configured to return a Content Object whose payload includes the security information that satisfies the query, and whose name includes the Interest message'"'"'s name, to satisfy the Interest message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Inventors
Mahadevan, Priya, Uzun, Ersin, Sevilla, Spencer, Garcia-Luna-Aceves, Jose J.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
MURPHY, JOSEPH B

Application Number

US14/461,258
Publication Number

US 20160050068A1
Time in Patent Office

697 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 9/30   Public key, i.e. encryption...

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

System and method for performing key resolution over a content centric network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

381 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for performing key resolution over a content centric network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

381 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links