Content-based transport security for distributed producers
First Claim
1. A computer-implemented method, the method comprising:
receiving, by a content-producing system via a content-centric network (CCN), a first Interest packet having a name that includes a serialized public key or digital certificate having the public key from a client device;
generating, by the content-producing system, a session identifier and a symmetric session key for a new session with the client device over the CCN;
generating an encrypted Content Object that includes at least the session identifier, the symmetric session key, and a digital certificate for the content-producing system, wherein the encrypted Content Object is encrypted using the public key from the first Interest packet, and signed according to the digital certificate of the content-producing system; and
returning the encrypted Content Object over the CCN to the client device;
receiving a resume-setup second Interest packet that includes the session identifier and the digital certificate of the client device;
decrypting the digital certificate using the symmetric session key;
authenticating the client device using the digital certificate; and
in response to receiving a third Interest packet with the session identifier:
decrypting an encrypted name suffix of the third Interest packet's name, using the symmetric session key to obtain a plaintext name suffix; and
using the plaintext name suffix to obtain a piece of data that corresponds to the third Interest packet's name, encrypting the piece of data using the symmetric session key, and returning a Content Object that includes the encrypted piece of data over the CCN.
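The exchange in the claim above, played end to end as an added worked example in Go. This is not code from the patent or from any CCN implementation. It assumes a slash-separated string in place of a CCN name, a DER-serialized public key in place of a certificate (claim 1 allows either), an RSA-2048 client key so the setup Content Object can be RSA-OAEP-encrypted, an Ed25519 producer signing key, AES-256-GCM as the symmetric cipher, a client that has the producer's certificate pinned, and an allow-list of client key fingerprints as the authentication decision (the claim does not say how the certificate is checked). The routable prefix /example/producer, the content name and its content are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)
// Simplified CCN packets (assumption: CCNx TLV encoding is not modelled; a name is a slash-separated
// string and a "certificate" is a DER-serialized public key, which claim 1 allows in place of one).
type Interest struct{ Name string }
type ContentObject struct{ Name string; Payload, Sig []byte }
type session struct{ key, clientCert []byte; authed bool }
const prefix = "/example/producer" // hypothetical routable prefix of the producer
var b64 = base64.RawURLEncoding
// seal/open: AES-256-GCM with a fresh random 96-bit nonce prepended to the ciphertext.
func aead(key []byte) cipher.AEAD { blk, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(blk); return g }
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return aead(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 { return nil, fmt.Errorf("short ciphertext") }
	return aead(key).Open(nil, ct[:12], ct[12:], nil)
}
// sign/verify: the producer's Ed25519 key signs Name||Payload of every Content Object it returns.
func sign(k ed25519.PrivateKey, co *ContentObject) { co.Sig = ed25519.Sign(k, append([]byte(co.Name), co.Payload...)) }
func verify(certDER []byte, co ContentObject) bool {
	pub, err := x509.ParsePKIXPublicKey(certDER)
	ek, ok := pub.(ed25519.PublicKey)
	return err == nil && ok && ed25519.Verify(ek, append([]byte(co.Name), co.Payload...), co.Sig)
}
// Producer: signing key and its serialized public key; SHA-256 fingerprints of client keys allowed to
// open sessions (assumption: allow-list authentication); plaintext name -> content; live sessions by id.
type Producer struct{ signKey ed25519.PrivateKey; CertDER []byte; trusted map[[32]byte]bool; store map[string][]byte; sessions map[string]*session }
func NewProducer(store map[string][]byte) *Producer {
	pub, k, _ := ed25519.GenerateKey(rand.Reader)
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return &Producer{k, der, map[[32]byte]bool{}, store, map[string]*session{}}
}

// Handle routes the three Interest shapes of claim 1 by name and signs every reply it returns.
func (p *Producer) Handle(in Interest) (co ContentObject, err error) {
	parts := strings.Split(strings.TrimPrefix(in.Name, prefix+"/"), "/")
	last, derr := b64.DecodeString(parts[len(parts)-1]) // every shape ends in a base64url component
	if derr != nil || len(parts) < 2 { return co, fmt.Errorf("malformed name %q", in.Name) }
	co.Name = in.Name
	switch s := p.sessions[parts[len(parts)-2]]; {
	case parts[0] == "setup" && len(parts) == 2: // 1. client key rides in the name; reply = sid(16)||key(32)||cert(44) under RSA-2048 OAEP
		pub, perr := x509.ParsePKIXPublicKey(last)
		rk, ok := pub.(*rsa.PublicKey)
		if perr != nil || !ok { return co, fmt.Errorf("client key is not RSA") }
		fresh := make([]byte, 40); rand.Read(fresh) // 8-byte session id + 32-byte session key
		sid, key := fmt.Sprintf("%x", fresh[:8]), fresh[8:]
		p.sessions[sid] = &session{key: key, clientCert: last}
		co.Payload, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, rk, append(append([]byte(sid), key...), p.CertDER...), nil)
	case s != nil && parts[0] == "resume" && len(parts) == 3: // 2. client cert sealed under the session key
		cert, oerr := open(s.key, last) // must be the key that opened the session and be on the allow-list
		if oerr != nil || string(cert) != string(s.clientCert) || !p.trusted[sha256.Sum256(cert)] { return co, fmt.Errorf("client authentication failed") }
		s.authed = true
	case s != nil && s.authed && len(parts) == 2: // 3. forwarders see only prefix + sid; the suffix is sealed
		name, oerr := open(s.key, last)
		content, ok := p.store[string(name)]
		if oerr != nil || !ok { return co, fmt.Errorf("bad suffix or no such content") }
		co.Payload = seal(s.key, content)
	default:
		return co, fmt.Errorf("unroutable name or no authenticated session")
	}
	if err == nil { sign(p.signKey, &co) }
	return co, err
}

// RunSession plays the client side against p and returns the content it recovered; the producer's
// certificate is pinned (assumption: learned out of band, or by an Interest for its name as in claim 7).
func RunSession(p *Producer, want string) ([]byte, error) {
	ck, _ := rsa.GenerateKey(rand.Reader, 2048)
	clientCert, _ := x509.MarshalPKIXPublicKey(&ck.PublicKey)
	p.trusted[sha256.Sum256(clientCert)] = true // enrol this client
	co, err := p.Handle(Interest{prefix + "/setup/" + b64.EncodeToString(clientCert)})
	if err != nil || !verify(p.CertDER, co) { return nil, fmt.Errorf("setup rejected or badly signed") }
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, ck, co.Payload, nil)
	if err != nil || len(pt) < 48 || string(pt[48:]) != string(p.CertDER) { return nil, fmt.Errorf("bad setup payload") }
	sid, key := string(pt[:16]), pt[16:48]
	if _, err = p.Handle(Interest{prefix + "/resume/" + sid + "/" + b64.EncodeToString(seal(key, clientCert))}); err != nil { return nil, err }
	co, err = p.Handle(Interest{prefix + "/" + sid + "/" + b64.EncodeToString(seal(key, []byte(want)))})
	if err != nil || !verify(p.CertDER, co) { return nil, fmt.Errorf("data Interest rejected or badly signed") }
	return open(key, co.Payload)
}

func main() {
	p := NewProducer(map[string][]byte{"/secret/report.txt": []byte("quarterly numbers")}) // constructed content
	fmt.Println(RunSession(p, "/secret/report.txt"))
}
```

Run it and the client prints the plaintext it recovered. Two points worth noticing: a forwarder between the parties sees only /example/producer/<session id>/<opaque suffix>, so the routable prefix and the session identifier are the only cleartext available for forwarding, and the client verifies the producer's signature on the setup Content Object before it accepts the session key carried inside it. The cost of sealing the suffix with a fresh nonce is that every request for the same data carries a different name, so in-network caches keyed by name cannot serve repeat requests; whether that trade-off is acceptable depends on the deployment.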
Abstract
A content-producing computer system can use a locally generated key or a client-generated key to communicate with a client device during a session over a named-data network. During operation, the computer system can receive an Interest packet that includes a name for a piece of data or a service. The Interest's name can include a routable prefix, a session identifier, and an encrypted suffix. In some embodiments, the system generates a session key based on the session identifier and a secret value, and decrypts the encrypted suffix using the session key to obtain a plaintext suffix. The system processes the plaintext suffix to obtain the data requested by the Interest, and encrypts the data using the session key. In other embodiments, the system uses a local private key to decrypt the encrypted suffix, and uses an encryption key obtained from the Interest to encrypt the Content Object.
14 Claims
1. (Independent claim; reproduced in full under First Claim above.) Dependent claims: 2, 3.
4. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method, the method comprising:
receiving, by a content-producing system over a content-centric network (CCN), a first Interest packet having a name that includes a serialized public key or digital certificate having the public key from a client device;
generating, by the content-producing system, a session identifier and a symmetric session key for a new session with the client device over the CCN;
generating an encrypted Content Object that includes at least the session identifier, the symmetric session key, and a digital certificate for the content-producing system, wherein the encrypted Content Object is encrypted using the public key from the first Interest packet, and signed according to the digital certificate of the content-producing system; and
returning the encrypted Content Object over the CCN to the client device;
receiving a resume-setup second Interest packet that includes the session identifier and the digital certificate of the client device;
decrypting the digital certificate using the symmetric session key;
authenticating the client device using the digital certificate; and
in response to receiving a third Interest packet that includes the session identifier:
decrypting an encrypted name suffix of the third Interest packet's name, using the symmetric session key to obtain a plaintext name suffix; and
using the plaintext name suffix to obtain a piece of data that corresponds to the third Interest packet's name, encrypting the piece of data using the symmetric session key, and returning a Content Object that includes the encrypted piece of data over the CCN.
Dependent claims: 5, 6.
7. A computer-implemented method, the method comprising:
receiving, by a content-producing system from a client device via a content-centric network (CCN), a first Interest packet that includes a name of a digital certificate of the content-producing system; and in response to receiving the first Interest packet:
returning, via the CCN, a Content Object that includes the digital certificate of the content-producing system;
receiving a second Interest packet having a name that includes a temporary symmetric key from the client device, wherein the temporary symmetric key is encrypted using the public key of the content-producing system;
generating, by the content-producing system, a session identifier and an encryption key for the session with the client device;
generating an encrypted Content Object that satisfies the second Interest packet and includes at least the session identifier, the encryption key for the session, and a digital certificate of the content-producing system, wherein the encrypted Content Object is encrypted using the temporary symmetric key from the client device, and wherein the encrypted Content Object is signed according to the digital certificate of the content-producing system;
returning the encrypted Content Object over the CCN to satisfy the second Interest packet;
receiving a resume-setup third Interest packet that includes the session identifier and a public key certificate of the client device;
obtaining a decryption key;
decrypting the client device's public key certificate from the resume-setup third Interest packet, using the decryption key;
authenticating the client device using the public key certificate; and
in response to receiving a fourth Interest packet that includes a routable prefix associated with the content-producing system, the session identifier, and an encrypted name suffix storing a name for a piece of data or a service requested by the client device:
decrypting the encrypted name suffix of the fourth Interest packet's name, using the decryption key to obtain a plaintext name suffix; and
using the plaintext name suffix to obtain a piece of data that corresponds to the fourth Interest packet's name, encrypting the piece of data using the encryption key or a public key of the client device, and returning a Content Object that includes the encrypted piece of data over the CCN to satisfy the fourth Interest packet.
Dependent claims: 8, 9, 10.
11. An apparatus to process an encrypted request received over a named-data network, the apparatus comprising:
a processor; and
a memory storing instructions that when executed by the processor cause the apparatus to:
receive, from a client device via a content-centric network (CCN), a first Interest packet that includes a name of a digital certificate of a content-producing system; and in response to receiving the first Interest packet:
return, via the CCN, a Content Object that includes the digital certificate of the content-producing system;
receive a second Interest packet having a name that includes a temporary symmetric key from the client device, wherein the temporary symmetric key is encrypted using the public key of the content-producing system;
generate a session identifier and an encryption key for the session with the client device;
generate an encrypted Content Object that satisfies the second Interest packet and includes at least the session identifier, the encryption key for the session, and a digital certificate of the content-producing system, wherein the encrypted Content Object is encrypted using the temporary symmetric key from the client device, and wherein the encrypted Content Object is signed according to the digital certificate of the content-producing system;
return, via the CCN, the encrypted Content Object to satisfy the second Interest packet;
receive a resume-setup third Interest packet that includes the session identifier and a public key certificate of the client device;
obtain a decryption key;
decrypt the client device's public key certificate from the resume-setup third Interest packet, using the decryption key;
authenticate the client device using the public key certificate; and
in response to receiving a fourth Interest packet that includes a routable prefix associated with the content-producing system, the session identifier, and an encrypted name suffix storing a name for a piece of data or a service requested by the client device:
decrypt the encrypted name suffix of the fourth Interest packet's name, using the decryption key to obtain a plaintext name suffix; and
use the plaintext name suffix to obtain a piece of data that corresponds to the fourth Interest packet's name, encrypt the piece of data using the encryption key or a public key of the client device, and return a Content Object that includes the encrypted piece of data over the CCN to satisfy the fourth Interest packet.
Dependent claims: 12, 13, 14.