Content-based transport security
First Claim
1. A computer-implemented method for sending an encrypted request to a remote computer system over a named-data network, the method comprising:
determining, by a client computing device, a request for data or a service from the remote computer system comprising a plurality of distributed servers;
determining at least a routable prefix for the remote computer system, and a name suffix associated with the request;
as part of initiating a session with the remote computer device, at the client device, determining a session encryption key that corresponds to the session, the determining the session encryption key including:
    encrypting a temporary key of the client device with a public key, and sending to the remote computer system a session setup message including the encrypted temporary key;
    receiving from the remote computer system a server setup packet encrypted using the temporary key, the server setup packet including a session identifier for the session and the session encryption key; and
    decrypting the server setup packet using the temporary key to recover the session identifier and the session encryption key;
encrypting the name suffix using the session encryption key;
generating an Interest comprising a first name that includes the routable prefix unencrypted, and also includes the Content Object name suffix which is encrypted using the session encryption key;
disseminating the Interest, by the client computing device over a named-data network, to send the request to any distributed server of the remote computer system;
in response to the Interest, receiving a Content Object that satisfies the Interest, wherein the Content Object comprises a second name that includes the routable prefix unencrypted and also includes the Content Object name suffix which is encrypted using the session encryption key, wherein a payload of the Content Object is encrypted using the session encryption key; and
decrypting the Content Object name suffix using the session encryption key.
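The exchange the claim lays out, as an added worked example that is not the patent's own code: the client transports a temporary key under the server's public key, the server answers with a session identifier and a session key encrypted under that temporary key, and the client then issues an Interest whose routable prefix is in the clear while the name suffix, and in the reply the payload, are encrypted under the session key. Everything below is constructed for illustration and uses only the Python standard library, so the primitives are stand-ins: textbook RSA over two published Mersenne primes for the key transport, and an HMAC-SHA256 keystream with an HMAC tag in place of an AEAD such as AES-GCM. The name layout (session identifier carried unencrypted between prefix and suffix so a server can select the right key), the `/example/records` prefix, the sample record, and the class and function names are assumptions, not taken from the patent.

```python
"""Added example, not the patent's code: the session setup and the name-encrypted
Interest / Content Object exchange from the claims, using stdlib stand-ins for the
primitives (textbook RSA over published Mersenne primes for key transport, an
HMAC-SHA256 keystream plus tag instead of AES-GCM).  Assumed, not in the claims:
the session id travels in the clear between the routable prefix and the suffix."""
import hashlib
import hmac
import secrets

# symmetric stand-in: HMAC-SHA256 counter-mode keystream, encrypt-then-MAC
def _keystream(key, nonce, length):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def sym_encrypt(key, plaintext):
    """Returns nonce || ciphertext || tag with a fresh random nonce."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def sym_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# public-key stand-in: textbook RSA (no padding) over two published Mersenne
# primes, so the modulus is public knowledge; it only shows the key-transport step
def rsa_keygen():
    p, q = 2**127 - 1, 2**107 - 1
    e, phi = 65537, (p - 1) * (q - 1)
    return (e, p * q), (pow(e, -1, phi), p * q)       # (public, private)

def parse_name(name):
    """'/routable/prefix/<sid>/<hex(encrypted suffix)>' -> (prefix, sid, hex)"""
    return tuple(name.rsplit("/", 2))

class Server:
    """One of the distributed servers reachable under the routable prefix."""
    def __init__(self, prefix, content):
        self.prefix, self.content = prefix, content    # content: suffix -> payload
        self.pub, self.priv = rsa_keygen()
        self.sessions = {}                             # sid -> session key

    def handle_setup(self, setup_msg):
        temp_key = pow(setup_msg["enc_temp_key"], *self.priv).to_bytes(24, "big")
        sid, skey = secrets.token_hex(8), secrets.token_bytes(32)
        self.sessions[sid] = skey
        # server setup packet: sid || session key, encrypted under the temporary key
        return sym_encrypt(temp_key, sid.encode() + skey)

    def handle_interest(self, name):
        prefix, sid, enc_suffix = parse_name(name)
        skey = self.sessions.get(sid)
        if prefix != self.prefix or skey is None:
            return None
        try:
            suffix = sym_decrypt(skey, bytes.fromhex(enc_suffix)).decode()
        except ValueError:            # forged or corrupted name component: no reply
            return None
        if suffix not in self.content:
            return None
        # the Content Object reuses the Interest's exact name so forwarders can match it
        return {"name": name, "payload": sym_encrypt(skey, self.content[suffix])}

class Client:
    def __init__(self, server_pub):
        self.server_pub, self.sid, self.skey = server_pub, None, None

    def make_setup(self):
        self.temp_key = secrets.token_bytes(24)        # 192 bits, below the ~234-bit modulus
        return {"enc_temp_key": pow(int.from_bytes(self.temp_key, "big"), *self.server_pub)}

    def accept_setup(self, packet):
        plain = sym_decrypt(self.temp_key, packet)
        self.sid, self.skey = plain[:16].decode(), plain[16:]

    def make_interest(self, prefix, suffix):
        return f"{prefix}/{self.sid}/{sym_encrypt(self.skey, suffix.encode()).hex()}"

    def open_content(self, content_object):
        enc_suffix = parse_name(content_object["name"])[2]
        return (sym_decrypt(self.skey, bytes.fromhex(enc_suffix)).decode(),
                sym_decrypt(self.skey, content_object["payload"]))

def run_demo():
    """Constructed data: one server with one record; returns what each side sees."""
    server = Server("/example/records", {"patient/42/labs": b"glucose=5.1 mmol/L"})
    client = Client(server.pub)
    client.accept_setup(server.handle_setup(client.make_setup()))
    interest = client.make_interest(server.prefix, "patient/42/labs")
    content_object = server.handle_interest(interest)
    suffix, payload = client.open_content(content_object)
    # an on-path party that flips a byte of the encrypted suffix gets no Content Object
    tampered = interest[:-2] + ("00" if interest[-2:] != "00" else "11")
    return {"interest": interest, "content_name": content_object["name"], "suffix": suffix,
            "payload": payload, "tampered_reply": server.handle_interest(tampered)}
```

Calling `run_demo()` returns the Interest name an observer would see (prefix and session id readable, suffix as hex ciphertext), the recovered suffix and payload on the client side, and `None` for the tampered Interest. Two points the code makes concrete: the server must answer under the exact name the Interest carried, ciphertext included, because a named-data forwarder matches a Content Object to pending Interests by name; and because each Interest gets a fresh nonce, two requests for the same suffix produce different names, so in-network caches never hit, whereas a deterministic encryption of the suffix would restore caching at the cost of letting an observer see when two Interests ask for the same thing.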
Abstract
A computer system can send a secure request over a named-data network to a remote device by generating an Interest with encrypted name components. During operation, the computer system can receive or obtain a request for data, such as from a local user or from a local application. If the system cannot satisfy the request locally, the system can determine at least a routable prefix and a name suffix associated with the request. The system can generate the secure Interest for the request by determining an encryption key that corresponds to a session with the remote computer system and encrypting the name suffix using the session encryption key. The system then generates an Interest whose name includes the routable prefix and the encrypted name suffix, and disseminates the Interest over a named-data network to send the request to the remote computer system.
Claims (22 in total; the three independent claims are shown)
1. (Reproduced in full under First Claim above.) Dependent claims: 2 to 11.
12. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for sending an encrypted request to a remote computer system over a named-data network, the method comprising:
determining a request for data or a service from the remote computer system comprising a plurality of distributed servers;
determining at least a routable prefix for the remote computer system, and a name suffix associated with the request;
as part of initiating a session with the remote computer device, at the client device, determining the session encryption key that corresponds to the session, the determining the session encryption key including:
    encrypting a temporary key of the client device with a public key, and sending to the remote computer system a session setup message including the encrypted temporary key;
    receiving from the remote computer system a server setup packet encrypted using the temporary key, the server setup packet including a session identifier for the session and the session encryption key; and
    decrypting the server setup packet using the temporary key to recover the session identifier and the session encryption key;
encrypting the name suffix using the session encryption key;
generating an Interest comprising a first name that includes the routable prefix unencrypted and also includes the Content Object name suffix which is encrypted using the session encryption key; and
disseminating the Interest over a named-data network to send the request to any distributed server of the remote computer system;
in response to the Interest, receiving a Content Object that satisfies the Interest, wherein the Content Object comprises a second name that includes the routable prefix unencrypted and also includes the Content Object name suffix which is encrypted using the session encryption key, wherein a payload of the Content Object is encrypted using the session encryption key; and
decrypting the Content Object name suffix using the session encryption key.
Dependent claims: 13 to 19.
20. An apparatus, comprising:
a processor;
a memory storing instructions that when executed by the processor cause the apparatus to implement:
determining, by a client computing device, a request for data or a service from the remote computer system comprising a plurality of distributed servers;
determining at least a routable prefix for the remote computer system, and a name suffix associated with the request;
as part of initiating a session with the remote computer device, at the client device, determining a session encryption key that corresponds to the session, the determining the session encryption key including:
    encrypting a temporary key of the client device with a public key, and sending to the remote computer system a session setup message including the encrypted temporary key;
    receiving from the remote computer system a server setup packet encrypted using the temporary key, the server setup packet including a session identifier for the session and the session encryption key; and
    decrypting the server setup packet using the temporary key to recover the session identifier and the session encryption key;
encrypting the name suffix using the session encryption key;
generating an Interest comprising a first name that includes the routable prefix unencrypted, and also includes the Content Object name suffix which is encrypted using the session encryption key;
disseminating the Interest, by the client computing device over a named-data network, to send the request to any distributed server of the remote computer system;
in response to the Interest, receiving a Content Object that satisfies the Interest, wherein the Content Object comprises a second name that includes the routable prefix unencrypted and also includes the Content Object name suffix which is encrypted using the session encryption key, wherein a payload of the Content Object is encrypted using the session encryption key; and
decrypting the Content Object name suffix using the session encryption key.
Dependent claims: 21 and 22.
Specification