Low-cost authenticated signing delegation in content centric networking

US 9,473,475 B2
Filed: 12/22/2014
Issued: 10/18/2016
Est. Priority Date: 12/22/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

monitoring, by a first content producing device, one or more content objects created by a second content producing device, wherein a content object is identified by a name that is a hierarchically structured variable length identifier (HSVLI) which comprises contiguous name components ordered from a most general level to a most specific level;

retrieving the one or more content objects;

in response to determining that the retrieved content objects indicate a message authentication code, authenticating the message authentication code for the retrieved content objects based on a key shared by the first content producing device and the second content producing device;

in response to determining that the retrieved content objects do not indicate the message authentication code, authenticating the retrieved content objects based on one or more of;

a physical location of the first content producing device and the second content producing device; and

a network topology;

creating a manifest which indicates a name for the manifest and a content object hash (COH) value for each of the retrieved content objects;

producing a digital signature for the manifest based on a private key of the first content producing device; and

including the digital signature in the manifest, thereby facilitating delegation of signature production to the first content producing device for content objects created by the second content producing device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment provides a system that delegates signature production in a CCN. During operation, a first content producing device monitors content objects created by a second content producing device. A content object can be identified by a name that is a hierarchically structured variable length identifier (HSVLI) which comprises contiguous name components ordered from a most general level to a most specific level. The first device retrieves the content objects and authenticates a message authentication code for each content object based on a key shared by the first and second device. The first device creates a manifest with a name and a content object hash value for each content object, produces a digital signature for the manifest based on a private key of the first device, and includes the digital signature in the manifest, thereby delegating signature production to the first device for content objects created by the second device.

389 Citations

20 Claims

1. A computer-implemented method comprising:
- monitoring, by a first content producing device, one or more content objects created by a second content producing device, wherein a content object is identified by a name that is a hierarchically structured variable length identifier (HSVLI) which comprises contiguous name components ordered from a most general level to a most specific level;
  
  retrieving the one or more content objects;
  
  in response to determining that the retrieved content objects indicate a message authentication code, authenticating the message authentication code for the retrieved content objects based on a key shared by the first content producing device and the second content producing device;
  
  in response to determining that the retrieved content objects do not indicate the message authentication code, authenticating the retrieved content objects based on one or more of;
  
  a physical location of the first content producing device and the second content producing device; and
  
  a network topology;
  
  creating a manifest which indicates a name for the manifest and a content object hash (COH) value for each of the retrieved content objects;
  
  producing a digital signature for the manifest based on a private key of the first content producing device; and
  
  including the digital signature in the manifest, thereby facilitating delegation of signature production to the first content producing device for content objects created by the second content producing device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the name for the manifest is indicated in the retrieved content objects.
  - 3. The method of claim 1, wherein retrieving the one or more content objects is based on one or more of:
    - a name associated with each of the one or more content objects; and
      
      a content object hash (COH) value for each of the one or more content objects.
  - 4. The method of claim 1, wherein the manifest further indicates a name for each of the retrieved content objects.
  - 5. The method of claim 1, wherein each of the one or more content objects indicates a name.

6. A computer-implemented method comprising:
- generating, by a second content producing device, a first set of one or more content objects which indicate a message authentication code, which is based on a key shared by the second content producing device and a first content producing device, wherein a content object is identified by a name that is a hierarchically structured variable length identifier (HSVLI) which comprises contiguous name components ordered from a most general level to a most specific level;
  
  generating a second set of one or more content objects which do not indicate the message authentication code;
  
  delegating, to the first content producing device, a production of a digital signature for the one or more content objects of the first set;
  
  authenticating, by the first content producing device, the message authentication code for the first set of the one or more content objects based on the shared key;
  
  delegating, to the first content producing device, the production of the digital signature of the one or more content objects of the second set; and
  
  authenticating, by the first content producing device, the second set of the one or more content objects based on one or more of;
  
  a physical location of the first content producing device and the second content producing device; and
  
  a network topology.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, wherein each of the first set of the one or more content objects and the second set of the one or more content objects indicates a name.
  - 8. The method of claim 6, further comprising:
    - creating a manifest which indicates the first set of the one or more content objects and the second set of the one or more content objects and a COH value for each of the one or more content objects of the first set and of the second set;
      
      producing a digital signature for the manifest based on a private key of the first content producing device; and
      
      including the digital signature in the manifest.
  - 9. The method of claim 6, wherein the one or more content objects of the first set and of the second set further indicate a name for a manifest to be created by the first content producing device.
  - 10. The method of claim 9, wherein the manifest indicates the first set of the one or more content objects and the second set of the one or more content objects and a content object hash (COH) value for each of the one or more content objects of the first set and of the second set.

11. A computer system comprising:
- a processor;
  
  a storage device coupled to the processor and storing instructions that when executed by a computer cause the computer to perform a method, the method comprising;
  
  monitoring, by a first content producing device, one or more content objects created by a second content producing device, wherein a content object is identified by a name that is a hierarchically structured variable length identifier (HSVLI) which comprises contiguous name components ordered from a most general level to a most specific level;
  
  retrieving the one or more content objects;
  
  in response to determining that the retrieved content objects indicate a message authentication code, authenticating the message authentication code for the retrieved content objects based on a key shared by the first content producing device and the second content producing device;
  
  in response to determining that the retrieved content objects do not indicate the message authentication code, authenticating the retrieved content objects based on one or more of;
  
  a physical location of the first content producing device and the second content producing device; and
  
  a network topology;
  
  creating a manifest which indicates a name for the manifest and a content object hash (COH) value for each of the retrieved content objects;
  
  producing a digital signature for the manifest based on a private key of the first content producing device; and
  
  including the digital signature in the manifest, thereby facilitating delegation of signature production to the first content producing device for content objects created by the second content producing device.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer system of claim 11, wherein the name for the manifest is indicated in the retrieved content objects.
  - 13. The computer system of claim 11, wherein retrieving the one or more content objects is based on one or more of:
    - a name associated with each of the one or more content objects; and
      
      a content object hash (COH) value for each of the one or more content objects.
  - 14. The computer system of claim 11, wherein the manifest further indicates a name for each of the retrieved content objects.
  - 15. The computer system of claim 11, wherein each of the one or more content objects indicates a name.

16. A computer system comprising:
- a processor;
  
  a storage device coupled to the processor and storing instructions that when executed by a computer cause the computer to perform a method, the method comprising;
  
  generating, by a second content producing device, a first set of one or more content objects which indicate a message authentication code, which is based on a key shared by the second content producing device and a first content producing device, and wherein a content object is identified by a name that is a hierarchically structured variable length identifier (HSVLI) which comprises contiguous name components ordered from a most general level to a most specific level; and
  
  generating a second set of one or more content objects which do not indicate the message authentication code;
  
  delegating, to the first content producing device, a production of a digital signature for the one or more content objects of the first set;
  
  authenticating, by the first content producing device, the message authentication code for the first set of the one or more content objects based on the shared key;
  
  delegating, to the first content producing device, the production of the digital signature of the one or more content objects of the second set; and
  
  authenticating, by the first content producing device, the second set of the one or more content objects based on one or more of;
  
  a physical location of the first content producing device and the second content producing device; and
  
  a network topology.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer system of claim 16, wherein each of the first set of the one or more content objects and the second set of the one or more content objects indicates a name.
  - 18. The computer system of claim 16, wherein the method further comprises:
    - creating a manifest which indicates the first set of the one or more content objects and the second set of the one or more content objects and a COH value for each of the one or more content objects of the first set and of the second set;
      
      producing a digital signature for the manifest based on a private key of the first content producing device; and
      
      including the digital signature in the manifest.
  - 19. The computer system of claim 16, wherein the one or more content objects of the first set and of the second set further indicate a name for a manifest to be created by the first content producing device.
  - 20. The computer system of claim 19, wherein the manifest indicates the first set of the one or more content objects and the second set of the one or more content objects and a content object hash (COH) value for each of the one or more content objects of the first set and of the second set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Inventors
Uzun, Ersin
Primary Examiner(s)
ABYANEH, ALI S

Application Number

US14/579,674
Publication Number

US 20160182475A1
Time in Patent Office

666 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

Low-cost authenticated signing delegation in content centric networking

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

389 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Low-cost authenticated signing delegation in content centric networking

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

389 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links