Content-based transport security

US 9,954,678 B2
Filed: 02/06/2014
Issued: 04/24/2018
Est. Priority Date: 02/06/2014
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method for sending an encrypted request to a remote computer system over a named-data network, the method comprising:

determining, by a client computing device, a request for data or a service from the remote computer system comprising a plurality of distributed servers;

determining at least a routable prefix for the remote computer system, and a name suffix associated with the request;

as part of initiating a session with the remote computer device, at the client device, determining a session encryption key that corresponds to the session, the determining the session encryption key including;

encrypting a temporary key of the client device with a public key, and sending to the remote computer system a session setup message including the encrypted temporary key;

receiving from the remote computer system a server setup packet encrypted using the temporary key, the server setup packet including a session identifier for the session and the session encryption key; and

decrypting the server setup packet using the temporary key to recover the session identifier and the session encryption key;

encrypting the name suffix using the session encryption key;

generating an Interest comprising a first name that includes the routable prefix unencrypted, and also includes the Content Object name suffix which is encrypted using the session encryption key;

disseminating the Interest, by the client computing device over a named-data network, to send the request to any distributed server of the remote computer system;

in response to the Interest, receiving a Content Object that satisfies the Interest, wherein the Content Object comprises a second name that includes the routable prefix unencrypted and also includes the Content Object name suffix which is encrypted using the session encryption key, wherein a payload of the Content Object is encrypted using the session encryption key; and

decrypting the Content Object name suffix using the session encryption key.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system can send a secure request over a named-data network to a remote device by generating an Interest with encrypted name components. During operation, the computer system can receive or obtain a request for data, such as from a local user or from a local application. If the system cannot satisfy the request locally, the system can determine at least a routable prefix and a name suffix associated with the request. The system can generate the secure Interest for the request by determining an encryption key that corresponds to a session with the remote computer system, and encrypts the name suffix using the session encryption key. The system then generates an Interest whose name includes the routable prefix and the encrypted name suffix, and disseminates the Interest over a named-data network to send the request to the remote computer system.

Citations

22 Claims

1. A computer-implemented method for sending an encrypted request to a remote computer system over a named-data network, the method comprising:
- determining, by a client computing device, a request for data or a service from the remote computer system comprising a plurality of distributed servers;
  
  determining at least a routable prefix for the remote computer system, and a name suffix associated with the request;
  
  as part of initiating a session with the remote computer device, at the client device, determining a session encryption key that corresponds to the session, the determining the session encryption key including;
  
  encrypting a temporary key of the client device with a public key, and sending to the remote computer system a session setup message including the encrypted temporary key;
  
  receiving from the remote computer system a server setup packet encrypted using the temporary key, the server setup packet including a session identifier for the session and the session encryption key; and
  
  decrypting the server setup packet using the temporary key to recover the session identifier and the session encryption key;
  
  encrypting the name suffix using the session encryption key;
  
  generating an Interest comprising a first name that includes the routable prefix unencrypted, and also includes the Content Object name suffix which is encrypted using the session encryption key;
  
  disseminating the Interest, by the client computing device over a named-data network, to send the request to any distributed server of the remote computer system;
  
  in response to the Interest, receiving a Content Object that satisfies the Interest, wherein the Content Object comprises a second name that includes the routable prefix unencrypted and also includes the Content Object name suffix which is encrypted using the session encryption key, wherein a payload of the Content Object is encrypted using the session encryption key; and
  
  decrypting the Content Object name suffix using the session encryption key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - sending, to the remote computer system, a request for a digital certificate from the remote computer system;
      
      receiving a response that includes the remote computer system'"'"'s digital certificate with the public key;
      
      wherein the generating the session setup message includes generating the session setup message using the public key.
  - 3. The method of claim 1, further comprising providing a public key of the client device to the remote computer system, wherein providing the public key involves:
    - sending, to the remote computer system, a digital certificate or encoded public key object.
  - 4. The method of claim 1, wherein determining the session encryption key involves obtaining a symmetric session key from the remote computer system.
  - 5. The method of claim 1, wherein determining the session encryption key involves generating the session encryption key using a key-generating function that takes as input one or more of:
    - the session identifier; and
      
      a secret number that is secret to the remote computer system.
  - 6. The method of claim 1,wherein the server setup packet includes the remote computer system'"'"'s certificate and is signed according to the remote computer system'"'"'s certificate.
  - 7. The method of claim 6, wherein initiating the session further involves:
    - signing the session identifier using the client device'"'"'s private key;
      
      generating a resume-setup packet that includes the session identifier and a public key certificate of the client device;
      
      encrypting the resume-setup packet using the session encryption key;
      
      generating an Interest, for the remote computer system, that includes the encrypted resume-setup packet; and
      
      disseminating the Interest to provide the client device authentication information to the remote computer system.
  - 8. The method of claim 1, further comprising:
    - decrypting the Content Object using a temporary symmetric key from the client device.
  - 9. The method of claim 1, further comprising generating a private-key and public-key pair for the client device;
    - wherein generating the Interest involves generating the Interest packet to include the client device public key.
  - 10. The method of claim 9, further comprising:
    - decrypting the Content Object using the client device private key.
  - 11. The method of claim 1, wherein the determining the session encryption key further includes, at the client device:
    - requesting, and then receiving, the public key from the remote computer system.

12. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for sending an encrypted request to a remote computer system over a named-data network, the method comprising:
- determining a request for data or a service from the remote computer system comprising a plurality of distributed servers;
  
  determining at least a routable prefix for the remote computer system, and a name suffix associated with the request;
  
  as part of initiating a session with the remote computer device, at the client device, determining the session encryption key that corresponds to the session, the determining the session encryption key including;
  
  encrypting a temporary key of the client device with a public key, and sending to the remote computer system a session setup message including the encrypted temporary key;
  
  receiving from the remote computer system a server setup packet encrypted using the temporary key, the server setup packet including a session identifier for the session and the session encryption key; and
  
  decrypting the server setup packet using the temporary key to recover the session identifier and the session encryption key;
  
  encrypting the name suffix using the session encryption key;
  
  generating an Interest comprising a first name that includes the routable prefix unencrypted and also includes the Content Object name suffix which is encrypted using the session encryption key; and
  
  disseminating the Interest over a named-data network to send the request to any distributed server of the remote computer system;
  
  in response to the Interest, receiving a Content Object that satisfies the Interest, wherein the Content Object comprises a second name that includes the routable prefix unencrypted and also includes the Content Object name suffix which is encrypted using the session encryption key, wherein a payload of the Content Object is encrypted using the session encryption key; and
  
  decrypting the Content Object name suffix using the session encryption key.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The storage medium of claim 12, wherein the method further comprises:
    - sending, to the remote computer system, a request for a digital certificate from the remote computer system;
      
      receiving a response that includes the remote computer system'"'"'s digital certificate with the public key;
      
      wherein the generating the session setup message includes generating the session setup message using the public key.
  - 14. The storage medium of claim 12, wherein the method further comprises providing a public key of the client device to the remote computer system, wherein providing the public key involves:
    - sending, to the remote computer system, a digital certificate or encoded public key object.
  - 15. The storage medium of claim 14,wherein the server setup packet includes the remote computer system'"'"'s certificate and is signed according to the remote computer system'"'"'s certificate.
  - 16. The storage medium of claim 15, wherein initiating the session further involves:
    - signing the session identifier using the client device'"'"'s public key;
      
      generating a resume-setup packet that includes the session identifier and a public key certificate of the client device;
      
      encrypting the resume-setup packet using the session encryption key;
      
      generating an Interest, for the remote computer system, that includes the encrypted resume-setup packet; and
      
      disseminating the Interest to provide the client device authentication information to the remote computer system.
  - 17. The storage medium of claim 12, wherein determining the session encryption key involves generating the session encryption key using a key-generating function that takes as input one or more of:
    - the session identifier; and
      
      a secret number that is secret to the remote computer system.
  - 18. The storage medium of claim 12, further comprising generating a private-key and public-key pair for the client device;
    - wherein generating the Interest involves generating the Interest packet to include the client device public key.
  - 19. The storage medium of claim 18, wherein the method further comprises:
    - decrypting the Content Object using the client device private key.

20. An apparatus, comprising:
- a processor;
  
  a memory storing instructions that when executed by the processor cause the apparatus to implement;
  
  determining, by a client computing device, a request for data or a service from the remote computer system comprising a plurality of distributed servers;
  
  determining at least a routable prefix for the remote computer system, and a name suffix associated with the request;
  
  as part of initiating a session with the remote computer device, at the client device, determining a session encryption key that corresponds to the session, the determining the session encryption key including;
  
  encrypting a temporary key of the client device with a public key, and sending to the remote computer system a session setup message including the encrypted temporary key;
  
  receiving from the remote computer system a server setup packet encrypted using the temporary key, the server setup packet including a session identifier for the session and the session encryption key; and
  
  decrypting the server setup packet using the temporary key to recover the session identifier and the session encryption key;
  
  encrypting the name suffix using the session encryption key;
  
  generating an Interest comprising a first name that includes the routable prefix unencrypted, and also includes the Content Object name suffix which is encrypted using the session encryption key;
  
  disseminating the Interest, by the client computing device over a named-data network, to send the request to any distributed server of the remote computer system;
  
  in response to the Interest, receiving a Content Object that satisfies the Interest, wherein the Content Object comprises a second name that includes the routable prefix unencrypted and also includes the Content Object name suffix which is encrypted using the session encryption key, wherein a payload of the Content Object is encrypted using the session encryption key; and
  
  decrypting the Content Object name suffix using the session encryption key.
- View Dependent Claims (21, 22)
- - 21. The apparatus of claim 20, wherein the memory stores further instructions that when executed by the processor cause the apparatus to implement:
    - sending, to the remote computer system, a request for a digital certificate from the remote computer system;
      
      receiving a response that includes the remote computer system'"'"'s digital certificate with the public key;
      
      wherein the generating the session setup message includes generating the session setup message using the public key.
  - 22. The apparatus of claim 20, wherein:
    - the server setup packet includes the remote computer system'"'"'s certificate and is signed according to the remote computer system'"'"'s certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Mosko, Marc E., Uzun, Ersin
Primary Examiner(s)
KANAAN, SIMON P

Application Number

US14/174,681
Publication Number

US 20150222424A1
Time in Patent Office

1,538 Days
Field of Search
US Class Current
CPC Class Codes

H04L 45/306   Route determination based o...

H04L 49/355   Application aware switches,...

H04L 63/0428   wherein the data content is...

H04L 67/63   Routing a service request d...

H04L 9/08   Key distribution or managem...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0866   involving user or device id...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3228   One-time or temporary data,...

H04L 9/3247   involving digital signatures

Content-based transport security

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Content-based transport security

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links