Decoupled name security binding for CCN objects

US 9,916,457 B2
Filed: 01/12/2015
Issued: 03/13/2018
Est. Priority Date: 01/12/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

responsive to receiving, by a computing device, a command to generate a decoupled name for a data object having content and a network name, wherein the command includes a new name to bind to the data object;

generating a hash for the data object based on the content, but not based on either of the name or the new name;

obtaining a private key for signing the data object; and

encrypting the hash using the private key to produce a cryptographic signature for the data object, wherein the new name, the hash, and the cryptographic signature collectively represent the decoupled name for the data object;

responsive to receiving a request to access the data object, determining whether the decoupled name is associated with the data object;

when the decoupled name is associated with the data object, determining whether to return the decoupled name and the data object separately or together;

when the decoupled name is associated with the data object and when the determining is to return the decoupled name and the data object together, generating a new data object including the decoupled name embedded with the data object, and returning the new data object; and

when the decoupled name is associated with the data object and when the determining is not to return the decoupled name and the data object together, returning the decoupled name and the data object as separate objects using separate object names.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data-hosting system facilitates binding a decoupled name to a data object. During operation, the system can receive a command to generate a decoupled name that binds a new name to the data object. The system generates a hash for the data object based on the data object'"'"'s content, such that the hash is not generated based on a name for the data object. The system then obtains a private key for signing the data object, and generates the decoupled name for the data object by encrypting the data object'"'"'s hash and the new name using the private key. This decoupled name binds the new name to the data object. When a client request the data object based on the network name, the system can return the decoupled name associated with content of the data object. The client can use the decoupled name to validate the data object.

583 Citations

18 Claims

1. A computer-implemented method, comprising:
- responsive to receiving, by a computing device, a command to generate a decoupled name for a data object having content and a network name, wherein the command includes a new name to bind to the data object;
  
  generating a hash for the data object based on the content, but not based on either of the name or the new name;
  
  obtaining a private key for signing the data object; and
  
  encrypting the hash using the private key to produce a cryptographic signature for the data object, wherein the new name, the hash, and the cryptographic signature collectively represent the decoupled name for the data object;
  
  responsive to receiving a request to access the data object, determining whether the decoupled name is associated with the data object;
  
  when the decoupled name is associated with the data object, determining whether to return the decoupled name and the data object separately or together;
  
  when the decoupled name is associated with the data object and when the determining is to return the decoupled name and the data object together, generating a new data object including the decoupled name embedded with the data object, and returning the new data object; and
  
  when the decoupled name is associated with the data object and when the determining is not to return the decoupled name and the data object together, returning the decoupled name and the data object as separate objects using separate object names.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the data object includes a Content Centric Networking (CCN) Content Object.
  - 3. The method of claim 1, wherein the request to access the data object includes a network name for the content;
    - andthe returning the content and the decoupled name further comprises;
      
      selecting the data object based on the network name for the content; and
      
      selecting the decoupled name based on the hash for the content.
  - 4. The method of claim 3, wherein the returning at least the decoupled name and the content further involves:
    - generating a Manifest that includes the decoupled name; and
      
      returning the Manifest.
  - 5. The method of claim 3, wherein the data object request includes an Interest message which includes the network name or the new name for the data object.
  - 6. The method of claim 1, wherein the data object is additionally bound to a name differing from the decoupled name.
  - 7. The method of claim 1, wherein the request is received from a client.
  - 8. The method of claim 1, wherein the encrypting the hash using the private key includes encrypting the hash using the private key, but not using the network name or the new name, to produce the cryptographic signature for the data object.

9. A non-transitory, computer-readable storage medium storing instructions that, when executed by a computer, cause the computer to perform a method, the method comprising:
- responsive to receiving a command to generate a decoupled name for a data object having content and a network name, wherein the command includes a new name to bind to the data object;
  
  generating a hash for the data object based on the content, but not based on either of the name or the new name;
  
  obtaining a private key for signing the data object; and
  
  encrypting the hash using the private key to produce a cryptographic signature for the data object, wherein the new name, the hash, and the cryptographic signature collectively represent the decoupled name for the data object;
  
  responsive to receiving a request to access the data object, determining whether the decoupled name is associated with the data object;
  
  when the decoupled name is associated with the data object, determining whether to return the decoupled name and the data object separately or together;
  
  when the decoupled name is associated with the data object and when the determining is to return the decoupled name and the data object together, generating a new data object including the decoupled name embedded with the data object, and returning the new data object; and
  
  when the decoupled name is associated with the data object and when the determining is not to return the decoupled name and the data object together, returning the decoupled name and the data object as separate objects using separate object names.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The storage medium of claim 9, wherein the data object includes a Content Centric Networking (CCN) Content Object.
  - 11. The storage medium of claim 9, wherein the method further comprises:
    - receiving the request to access the data object, wherein the request includes a network name for the content;
      
      selecting the data object based on the network name for the content; and
      
      selecting the decoupled name based on the hash for the content.
  - 12. The storage medium of claim 11, wherein the returning involves:
    - generating a Manifest that includes the decoupled name; and
      
      returning the Manifest.
  - 13. The storage medium of claim 11, wherein the data object request includes an Interest message which includes the network name or the new name for the data object.
  - 14. The storage medium of claim 9, wherein the request is received from a client.
  - 15. The storage medium of claim 9, wherein the encrypting the hash using the private key includes encrypting the hash using the private key, but not using the network name or the new name, to produce the cryptographic signature for the data object.

16. A computer system, comprising:
- one or more processors; and
  
  a non-transitory computer-readable medium storing instructions that, when executed by the one or more processors, cause the computer system to perform a method including;
  
  responsive to receiving a command to generate a decoupled name for a data object having content and a network name, wherein the command includes a new name to bind to the data object;
  
  generating a hash for the data object based on the content, but not based on either of the name or the new name;
  
  obtaining a private key for signing the data object; and
  
  encrypting the hash using the private key to produce a cryptographic signature for the data object, wherein the new name, the hash, and the cryptographic signature collectively represent the decoupled name for the data object;
  
  responsive to receiving a request to access the data object, determining whether the decoupled name is associated with the data object;
  
  when the decoupled name is associated with the data object, determining whether to return the decoupled name and the data object separately or together;
  
  when the decoupled name is associated with the data object and when the determining is to return the decoupled name and the data object together, generating a new data object including the decoupled name embedded with the data object, and returning the new data object; and
  
  when the decoupled name is associated with the data object and when the determining is not to return the decoupled name and the data object together, returning the decoupled name and the data object as separate objects using separate object names.
- View Dependent Claims (17, 18)
- - 17. The computer system of claim 16, wherein the request is received from a client.
  - 18. The computer system of claim 16, wherein the encrypting the hash using the private key includes encrypting the hash using the private key, but not using the network name or the new name, to produce the cryptographic signature for the data object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Solis, Ignacio
Primary Examiner(s)
Patel, Haresh N

Application Number

US14/595,052
Publication Number

US 20160203322A1
Time in Patent Office

1,156 Days
Field of Search

713189
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/64   Protecting data integrity, ...

H04L 2209/60   Digital content management,...

H04L 63/12   Applying verification of th...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/3247   involving digital signatures

Decoupled name security binding for CCN objects

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

583 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Decoupled name security binding for CCN objects

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

583 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links