Hardware assisted provenance proof of named data networking associated to device data, addresses, services, and servers

US 9,819,679 B1
Filed: 09/14/2015
Issued: 11/14/2017
Est. Priority Date: 09/14/2015
Status: Active Grant

First Claim

Patent Images

1. A system delivering data content with hardware assisted provenance proof in named data networking (NDN), comprising:

a first client with a first client trusted security zone enabled, configured to;

send a first request message, wherein the first request message comprises a name that identifies desired data content,receive data content and a digital signature, anddetermine whether or not the data content is from a corresponding trusted content server based on the digital signature;

a data content server with a data content server trusted security zone enabled, configured to;

receive the first request message from the first client, andtransmit the desired data content based on the name comprised in the first request message and a determination by the data content server independently that the first client is trusted and that the routing path from the first client to the data content server is trusted;

a signature server with a signature server trusted security zone enabled, configured to;

receive the first request message from the first client,generate the digital signature based on the desired data content, andtransmit the digital signature based on a determination by the signature server independently that the first client is trusted and that the routing path from the first client to the signature server is trusted; and

at least one router each with a router trusted security zone enabled, wherein the router trusted security zone, the first client trusted security zone, the data content server trusted security zone, and the signature server trusted security zone provide hardware assisted trust, where the at least one router is configured to;

cache the data content and the digital signature received from the data content server and the signature server, andforward the data content and the digital signature to a second client requesting the data content based on the same name comprised in a second request message from the second client and a determination by the at least one router independently that the second client is trusted and that the routing path from the second client to the router is trusted.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system of delivering data content with hardware assisted provenance proof in named data networking (NDN). The system comprises a data content server with a trusted security zone enabled that is configured to receive the first request message from the first client, and transmit the desired data content based on the name comprised in the first request message and a determination that the first client is trusted and that the routing path from the first client to the data content server is trusted. The system further comprises a signature server with a trusted security zone enabled that is configured to receive the first request message from the first client, generate a digital signature based on the desired data content, and transmit the corresponding digital signature based on a determination that the first client is trusted and that the routing path from the first client to the signature server is trusted.

Citations

20 Claims

1. A system delivering data content with hardware assisted provenance proof in named data networking (NDN), comprising:
- a first client with a first client trusted security zone enabled, configured to;
  
  send a first request message, wherein the first request message comprises a name that identifies desired data content,receive data content and a digital signature, anddetermine whether or not the data content is from a corresponding trusted content server based on the digital signature;
  
  a data content server with a data content server trusted security zone enabled, configured to;
  
  receive the first request message from the first client, andtransmit the desired data content based on the name comprised in the first request message and a determination by the data content server independently that the first client is trusted and that the routing path from the first client to the data content server is trusted;
  
  a signature server with a signature server trusted security zone enabled, configured to;
  
  receive the first request message from the first client,generate the digital signature based on the desired data content, andtransmit the digital signature based on a determination by the signature server independently that the first client is trusted and that the routing path from the first client to the signature server is trusted; and
  
  at least one router each with a router trusted security zone enabled, wherein the router trusted security zone, the first client trusted security zone, the data content server trusted security zone, and the signature server trusted security zone provide hardware assisted trust, where the at least one router is configured to;
  
  cache the data content and the digital signature received from the data content server and the signature server, andforward the data content and the digital signature to a second client requesting the data content based on the same name comprised in a second request message from the second client and a determination by the at least one router independently that the second client is trusted and that the routing path from the second client to the router is trusted.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein a public key is transmitted by the data content server upon receipt of a request from the client after a determination that the client is trusted, wherein the public key is utilized by the client to decrypt the digital signature.
  - 3. The system of claim 2, wherein the public key and the data content are combined into a single type length value (TLV) element by a first router after the data content server transmits the data content.
  - 4. The system of claim 1, wherein the determination that the routing path from the first client to the data content server is trusted comprises determining whether or not domain name system (DNS) servers and domain host configuration protocol (DHCP) servers along the routing path have hardware assisted trust enabled.
  - 5. The system of claim 1, wherein when the desired data content comprises more than one piece of data content from more than one data content server, only one digital signature is generated and transmitted for the pieces of data content.
  - 6. The system of claim 5, wherein the pieces of data content are combined at the first and second clients.
  - 7. The system of claim 1, wherein a trustlet is generated at the first client to send the first request message in case of commerce use scenarios to provide a higher level of security, where the trustlet executes in the first client trusted security zone and is associated with a communication application.

8. A method of delivering data content with hardware assisted provenance proof in named data networking (NDN), comprising:
- sending, by a first client with a first client trusted security zone enabled, a first request message, wherein the first request message comprises a name that identifies desired data content;
  
  receiving, by a data content server with a data content server trusted security zone enabled and a signature server with a signature server trusted security zone enabled, the first request message from the first client;
  
  transmitting, by the data content server, the desired data content based on the name comprised in the first request message and a determination by the data content server independently that the first client is trusted and that the routing path from the first client to the data content server is trusted;
  
  generating, by the signature server, a digital signature based on the desired data content;
  
  transmitting, by the signature server, the digital signature based on a determination by the signature server independently that the first client is trusted and that the routing path from the first client to the signature server is trusted;
  
  caching, by at least one router each with a router trusted security zone enabled, the data content and the digital signature received from the data content server and the signature server, wherein the router trusted security zone, the first client trusted security zone, the data content server trusted security zone, and the signature server trusted security zone provide hardware assisted trust;
  
  receiving, by the first client, the data content and the digital signature;
  
  determining, by the first client, whether or not the data content is from a corresponding trusted content server based on the digital signature; and
  
  forwarding, by the at least one router, the data content and the digital signature to a second client requesting the data content based on the same name comprised in a second request message from the second client and a determination by the at least one router independently that the second client is trusted and that the routing path from the second client to the router is trusted.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the routing table in the at least one router is secure.
  - 10. The method of claim 8, wherein a public key is transmitted by the data content server upon receipt of a request from the client after a determination that the client is trusted, wherein the public key is utilized by the client to decrypt the digital signature.
  - 11. The method of claim 10, wherein the public key and the data content are combined into a single type length value (TLV) element by a first router after the data content server transmits the data content.
  - 12. The method of claim 8, wherein the determination that the routing path from the first client to the data content server is trusted comprises determining whether or not domain name system (DNS) servers and domain host configuration protocol (DHCP) servers along the routing path have hardware assisted trust enabled.
  - 13. The method of claim 8, wherein when the desired data content comprises more than one piece of data content from more than one data content server, only one digital signature is generated and transmitted for the pieces of data content and the pieces of data content are combined at the first and second clients.
  - 14. The method of claim 8, wherein a trustlet is generated at the first client to send the first request message in case of commerce use scenarios to provide a higher level of security, where the trustlet executes in the first client trusted security zone and is associated with a communication application.

15. A method of delivering data content with hardware assisted provenance proof in named data networking (NDN), comprising:
- sending, by a client with a client trusted security zone enabled, a request message, wherein the request message comprises a name that identifies desired data content;
  
  receiving, by a data content server with a data content server trusted security zone enabled and a signature server with a signature server trusted security zone enabled, the request message from the client;
  
  transmitting, by the data content server, the desired data content based on the name comprised in the request message and a determination by the data content server independently that the first client is trusted and that the routing path from the client to the data content server is trusted;
  
  generating, by the signature server, a digital signature based on the desired data content;
  
  transmitting, by the signature server, the digital signature based on a determination by the signature server independently that the client is trusted and that the routing path from the client to the signature server is trusted;
  
  caching, by at least one router each with a router trusted security zone enabled, the data content and the digital signature received from the content server, wherein the router trusted security zone, the client trusted security zone, the data content server trusted security zone, and the signature server trusted security zone provide hardware assisted trust;
  
  receiving, by the client, the data content and the digital signature; and
  
  determining, by the client, whether or not the data content is from a corresponding trusted content server based on the digital signature.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein the at least one router caches the data content and the digital signature received from the data content server and the signature server.
  - 17. The method of claim 16, wherein the at least one router forwards the data content and the digital signature to a second client requesting the data content based on the same name comprised in a second request message from the second client and a determination that the second client is trusted and that the routing path from the second client to the router is trusted.
  - 18. The method of claim 15, wherein a public key is transmitted by the data content server upon receipt of a request from the client after a determination that the client is trusted, wherein the public key is utilized by the client to decrypt the digital signature.
  - 19. The method of claim 15, wherein the public key and the data content are combined into a single type length value (TLV) element by a first router after the data content server transmits the data content.
  - 20. The method of claim 15, wherein a trustlet is generated at the client to send the request message for commerce purposes to provide a higher level of security where the trustlet executes in the client trusted security zone and is associated with a communication application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
T-Mobile Innovations LLC (Deutsche Telekom AG)
Original Assignee
Sprint Communications Company LP (Deutsche Telekom AG)
Inventors
Bertz, Lyle T., Paczkowski, Lyle W.
Primary Examiner(s)
To, Baotran N

Application Number

US14/853,492
Time in Patent Office

792 Days
Field of Search

713176
US Class Current
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

H04L 2209/60   Digital content management,...

H04L 45/00   Routing or path finding of ...

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0876   based on the identity of th...

H04L 63/123   received data contents, e.g...

H04L 67/568   Storing data temporarily at...

H04L 67/63   Routing a service request d...

H04L 9/321   involving a third party or ...

H04L 9/3247   involving digital signatures

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 12/102   Route integrity, e.g. using...

Hardware assisted provenance proof of named data networking associated to device data, addresses, services, and servers

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Hardware assisted provenance proof of named data networking associated to device data, addresses, services, and servers

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links