Decoupled name security binding for CCN objects
Abstract
A data-hosting system facilitates binding a decoupled name to a data object. During operation, the system can receive a command to generate a decoupled name that binds a new name to the data object. The system generates a hash for the data object based on the data object's content, such that the hash is not generated based on a name for the data object. The system then obtains a private key for signing the data object, and generates the decoupled name for the data object by encrypting the data object's hash and the new name using the private key. This decoupled name binds the new name to the data object. When a client requests the data object based on the network name, the system can return the decoupled name associated with content of the data object. The client can use the decoupled name to validate the data object.
18 Claims
1. A computer-implemented method, comprising:
- responsive to receiving, by a computing device, a command to generate a decoupled name for a data object having content and a network name, wherein the command includes a new name to bind to the data object;
- generating a hash for the data object based on the content, but not based on either of the name or the new name;
- obtaining a private key for signing the data object; and
- encrypting the hash using the private key to produce a cryptographic signature for the data object, wherein the new name, the hash, and the cryptographic signature collectively represent the decoupled name for the data object;
- responsive to receiving a request to access the data object, determining whether the decoupled name is associated with the data object;
- when the decoupled name is associated with the data object, determining whether to return the decoupled name and the data object separately or together;
- when the decoupled name is associated with the data object and when the determining is to return the decoupled name and the data object together, generating a new data object including the decoupled name embedded with the data object, and returning the new data object; and
- when the decoupled name is associated with the data object and when the determining is not to return the decoupled name and the data object together, returning the decoupled name and the data object as separate objects using separate object names.

9. A non-transitory, computer-readable storage medium storing instructions that, when executed by a computer, cause the computer to perform a method, the method comprising:
- responsive to receiving a command to generate a decoupled name for a data object having content and a network name, wherein the command includes a new name to bind to the data object;
- generating a hash for the data object based on the content, but not based on either of the name or the new name;
- obtaining a private key for signing the data object; and
- encrypting the hash using the private key to produce a cryptographic signature for the data object, wherein the new name, the hash, and the cryptographic signature collectively represent the decoupled name for the data object;
- responsive to receiving a request to access the data object, determining whether the decoupled name is associated with the data object;
- when the decoupled name is associated with the data object, determining whether to return the decoupled name and the data object separately or together;
- when the decoupled name is associated with the data object and when the determining is to return the decoupled name and the data object together, generating a new data object including the decoupled name embedded with the data object, and returning the new data object; and
- when the decoupled name is associated with the data object and when the determining is not to return the decoupled name and the data object together, returning the decoupled name and the data object as separate objects using separate object names.

16. A computer system, comprising:
- one or more processors; and
- a non-transitory computer-readable medium storing instructions that, when executed by the one or more processors, cause the computer system to perform a method including;
- responsive to receiving a command to generate a decoupled name for a data object having content and a network name, wherein the command includes a new name to bind to the data object;
- generating a hash for the data object based on the content, but not based on either of the name or the new name;
- obtaining a private key for signing the data object; and
- encrypting the hash using the private key to produce a cryptographic signature for the data object, wherein the new name, the hash, and the cryptographic signature collectively represent the decoupled name for the data object;
- responsive to receiving a request to access the data object, determining whether the decoupled name is associated with the data object;
- when the decoupled name is associated with the data object, determining whether to return the decoupled name and the data object separately or together;
- when the decoupled name is associated with the data object and when the determining is to return the decoupled name and the data object together, generating a new data object including the decoupled name embedded with the data object, and returning the new data object; and
- when the decoupled name is associated with the data object and when the determining is not to return the decoupled name and the data object together, returning the decoupled name and the data object as separate objects using separate object names.

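An added example, not code from the patent, of the flow the abstract and independent claims describe: the hash covers the content only, the signature follows the abstract's wording in binding the new name to that hash, and a client validates with the public key alone. The textbook-RSA demo key, SHA-256, the length-prefixed encoding, the `respond` helper and every object name are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed demo key: textbook RSA over two publicly known Mersenne primes.
# Unpadded and not secret; a real deployment would use a proper signature scheme.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

@dataclass(frozen=True)
class DecoupledName:
    new_name: str
    content_hash: bytes
    signature: int

def content_hash(content: bytes) -> bytes:
    # Covers the content only, never the network name or the new name.
    return hashlib.sha256(content).digest()

def _to_sign(new_name: str, digest: bytes) -> int:
    # Abstract's variant: the signed value binds the new name to the hash.
    name = new_name.encode()
    msg = len(name).to_bytes(4, "big") + name + digest
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def make_decoupled_name(new_name: str, content: bytes) -> DecoupledName:
    digest = content_hash(content)
    return DecoupledName(new_name, digest, pow(_to_sign(new_name, digest), D, N))

def validate(dn: DecoupledName, content: bytes) -> bool:
    # Client side: needs only the public key (E, N).
    if content_hash(content) != dn.content_hash:
        return False
    return pow(dn.signature, E, N) == _to_sign(dn.new_name, dn.content_hash)

def respond(network_name: str, content: bytes, dn, together: bool) -> dict:
    # Returns {object name: payload}. The names used for the embedded object
    # and for the separate decoupled-name object are hypothetical.
    if dn is None:
        return {network_name: content}
    if together:
        return {dn.new_name: {"decoupled_name": dn, "content": content}}
    return {network_name: content, network_name + "/decoupled-name": dn}

# Constructed sample object and names.
CONTENT = b"quarterly report v1"
DN = make_decoupled_name("/example/alias/report", CONTENT)
```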
Specification