System for key exchange in a content centric network

US 9,794,238 B2
Filed: 10/29/2015
Issued: 10/17/2017
Est. Priority Date: 10/29/2015
Status: Active Grant

First Claim

Patent Images

1. A computer system for facilitating secure communication between computing entities, the system comprising:

a processor; and

a storage device storing instructions that when executed by the processor cause the processor to perform a method, the method comprising;

generating, by a content-consuming device, a first key based on a first consumer-share key and a previously received producer-share key, and performing a key derivation function based on the first consumer-share key and the first producer-share key;

constructing a first interest packet that includes the first consumer-share key and a nonce token which is used as a pre-image of a previously generated first nonce, wherein the first interest packet has a name that includes a first prefix, and wherein the first nonce is used to establish a session between the content-consuming device and a content-producing device;

in response to the nonce token being verified by the content-producing device, receiving a first content-object packet with a payload that includes a first resumption indicator encrypted based on a second key; and

generating the second key based on a second consumer-share key and the first content-object packet.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment provides a system that facilitates secure communication between computing entities. During operation, the system generates, by a content-consuming device, a first key based on a first consumer-share key and a previously received producer-share key. The system constructs a first interest packet that includes the first consumer-share key and a nonce token which is used as a pre-image of a previously generated first nonce, wherein the first interest has a name that includes a first prefix, and wherein the first nonce is used to establish a session between the content-consuming device and a content-producing device. In response to the nonce token being verified by the content-producing device, the system receives a first content-object packet with a payload that includes a first resumption indicator encrypted based on a second key. The system generates the second key based on a second consumer-share key and the first content-object packet.

Citations

20 Claims

1. A computer system for facilitating secure communication between computing entities, the system comprising:
- a processor; and
  
  a storage device storing instructions that when executed by the processor cause the processor to perform a method, the method comprising;
  
  generating, by a content-consuming device, a first key based on a first consumer-share key and a previously received producer-share key, and performing a key derivation function based on the first consumer-share key and the first producer-share key;
  
  constructing a first interest packet that includes the first consumer-share key and a nonce token which is used as a pre-image of a previously generated first nonce, wherein the first interest packet has a name that includes a first prefix, and wherein the first nonce is used to establish a session between the content-consuming device and a content-producing device;
  
  in response to the nonce token being verified by the content-producing device, receiving a first content-object packet with a payload that includes a first resumption indicator encrypted based on a second key; and
  
  generating the second key based on a second consumer-share key and the first content-object packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer system of claim 1, wherein the nonce token is verified based on the first key and the first nonce.
  - 3. The computer system of claim 1:
    - wherein generating the second key is further based on performing the derivation function based on the second consumer-share key and a second producer-share key indicated in the first content-object packet; and
      
      wherein the method further comprises generating, based on performing an expansion function based on the second key, one or more of the following;
      
      a consumer-specific second key;
      
      a producer-specific second key;
      
      a consumer-specific initialization vector; and
      
      a producer-specific initialization vector.
  - 4. The computer system of claim 1, wherein the method further comprises:
    - constructing an initial interest packet with a name that includes the first prefix and the first nonce, and a payload that indicates an initial hello; and
      
      in response to the initial interest packet, receiving an initial content-object packet with a payload that includes configuration information and the second nonce, wherein the configuration information indicates the first consumer-share key, and wherein the second nonce is used to establish the session.
  - 5. The computer system of claim 4, wherein the payload for the initial content-object packet includes a second prefix different from the first prefix, and wherein the method further comprises:
    - replacing the first prefix with the second prefix in the name for the first interest packet and a name for a subsequent interest packet associated with the session.
  - 6. The computer system of claim 1, wherein the name for the first interest packet further includes a previously received second nonce, wherein the second nonce is used to establish the session.
  - 7. The computer system of claim 1, wherein the method further comprises:
    - constructing a second interest packet with a name that includes a previously received session identifier, and a payload encrypted based on a consumer-specific second key; and
      
      in response to the second interest packet, receiving a second content-object packet with a payload encrypted based on a producer-specific second key,wherein the consumer-specific second key and the producer-specific second key are generated based on performing an expansion function on the second key.
  - 8. The computer system of claim 7, wherein the payload for the first content-object packet indicates a move token and a third prefix different from the first prefix, and wherein the method further comprises:
    - replacing the first prefix with the third prefix in the name for the second interest packet and a name for a subsequent interest packet associated with the session; and
      
      indicating the move token in the payload for the second interest packet.
  - 9. The computer system of claim 7, wherein the payload for the second content-object packet includes a second resumption indicator for a subsequently resumed session between the consumer and the producer.
  - 10. The computer system of claim 1, wherein the method further comprises:
    - decrypting the payload for the first content-object packet;
      
      in response to determining that the decrypted payload does not indicate a rejection, obtaining an acknowledgment and a second producer-share key.

11. A computer system for facilitating secure communication between computing entities, the system comprising:
- a processor; and
  
  a storage device storing instructions that when executed by the processor cause the processor to perform a method, the method comprising;
  
  receiving, by a content-producing device, a first interest packet that includes a first consumer-share key and a nonce token which is used as a pre-image of a previously received first nonce, wherein the first interest packet has a name that includes a first prefix, and wherein the first nonce is used to establish a session between a content-consuming device and the content-producing device;
  
  generating a first key based on the first consumer-share key and a first producer-share key, and performing a key derivation function based on the first consumer-share key and the first producer-share key;
  
  verifying the nonce token based on the first key and the first nonce;
  
  generating a second key based on the first interest packet and a second producer-share key; and
  
  constructing a first content-object packet with a payload that includes a first resumption indicator encrypted based on the second key.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer system of claim 11:
    - wherein generating the second key is further based on performing the derivation function based on a second consumer-share key indicated in the first interest packet and the second producer-share key; and
      
      wherein the method further comprises generating, based on performing an expansion function based on the second key, one or more of the following;
      
      a consumer-specific second key;
      
      a producer-specific second key;
      
      a consumer-specific initialization vector; and
      
      a producer-specific initialization vector.
  - 13. The computer system of claim 11, wherein the method further comprises:
    - receiving an initial interest packet with a name that includes the first prefix and the first nonce, and a payload that indicates an initial hello; and
      
      in response to the initial interest packet, constructing an initial content-object packet with a payload that includes configuration information and a second nonce, wherein the configuration information indicates the first consumer-share key, and wherein the second nonce is used to establish the session.
  - 14. The computer system of claim 13, wherein the method further comprises:
    - including in the payload for the initial content-object packet a second prefix that is different from the first prefix,wherein the name for the first interest packet includes the second prefix, wherein the second prefix replaces the first prefix, andwherein a name for a subsequent interest packet associated with the session includes the second prefix.
  - 15. The computer system of claim 11, wherein the name for the first interest packet further includes a previously generated second nonce, wherein the second nonce is used to establish the session.
  - 16. The computer system of claim 11, wherein the method further comprises:
    - generating a session identifier based on the second key;
      
      receiving a second interest packet with a name that includes the session identifier, and a payload encrypted based on a consumer-specific second key; and
      
      in response to the second interest packet, constructing a second content-object packet with a payload encrypted based on a producer-specific second key,wherein the consumer-specific second key and the producer-specific second key are generated based on performing an expansion function on the second key.
  - 17. The computer system of claim 16, wherein the method further comprises:
    - indicating in the payload for the first content-object packet a move token and a third prefix different from the first prefix,wherein the name for the second interest packet includes the third prefix in place of the first prefix, andwherein the payload for the second interest packet indicates the move token.
  - 18. The computer system of claim 16, wherein the method further comprises:
    - in response to identifying a need for a new resumption indicator, generating a new resumption indicator for use in a subsequently resumed session between the consumer and the producer; and
      
      including in the payload for the second content-object packet the new resumption indicator encrypted based on the producer-specific second key.
  - 19. The computer system of claim 11, wherein verifying the nonce token further comprises:
    - decrypting the payload for the first interest packet based on the first key;
      
      performing a hash function on the nonce token to obtain a result; and
      
      determining whether the result matches the first nonce.
  - 20. The computer system of claim 19, wherein the method further comprises:
    - in response to determining that the result matches the first nonce, including in the payload for the first content-object packet an acknowledgment and the second producer-share key; and
      
      in response to determining that the result does not match the first nonce, including in the payload for the first content-object packet a rejection and a reason for the rejection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wood, Christopher A., Mosko, Marc E., Uzun, Ersin
Primary Examiner(s)
To, Baotran N
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US14/927,034
Publication Number

US 20170126643A1
Time in Patent Office

719 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 9/0861   Generation of secret inform...

H04L 9/14   using a plurality of keys o...

H04L 9/3271   using challenge-response

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

System for key exchange in a content centric network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System for key exchange in a content centric network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links