Encrypted CCNx

US 10,263,965 B2
Filed: 10/16/2015
Issued: 04/16/2019
Est. Priority Date: 10/16/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a content requesting device configured to communicate with a content centric network (CCN) and to perform a method comprising;

generating an Interest requesting a content object by a hierarchically structured variable-length name that is used to forward the Interest in the CCN, the name comprising name components arranged contiguously in an order from a most general level to a most specific level and each including a bit group comprising a type, a length, and a set of values, wherein one or more of the name components at the most specific level are marked for encryption;

exchanging one or more symmetric keys via a public key operation;

encrypting each name component at the most specific level marked for encryption using a respective symmetric key, to produce a selectively encrypted name having one or more encrypted name components and one or more unencrypted name components;

indicating each encrypted name component as encrypted by setting a respective field associated with the bit group of the encrypted name component;

including in the Interest a validation section that identifies the respective symmetric key for each encrypted name component; and

transmitting the Interest to the CCN; and

a content producing device configured to receive the Interest from the CCN and responsive thereto, perform a method comprising;

verifying authentication information associated with the Interest by looking up in a storage a key identifier associated with the Interest;

responsive to the verifying, decrypting, for each encrypted name component indicated as encrypted, the encrypted name component based on a corresponding symmetric key, wherein a nonce and a key identifier for each of the symmetric keys are included in a validation section for the Interest;

indicating the decrypted name components as decrypted; and

producing a content object that matches the name components as decrypted.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment provides a system that facilitates selective encryption of bit groups of a message. During operation, the system determines, by a content requesting device or content producing device, a message that includes a plurality of bit groups, each corresponding to a type, a length, and a set of values, wherein one or more bit groups are marked for encryption, and wherein the message indicates a name that is a hierarchically structured variable-length identifier comprising contiguous name components ordered from a most general level to a most specific level. The system computes a plurality of cipher blocks for the message based on an authenticated encryption protocol. The system encrypts the one or more bit groups marked for encryption based on one or more symmetric keys, wherein the marked bit groups include one or more name components. Subsequently, the system indicates the encrypted bit groups as encrypted.

629 Citations

24 Claims

1. A system comprising:
- a content requesting device configured to communicate with a content centric network (CCN) and to perform a method comprising;
  
  generating an Interest requesting a content object by a hierarchically structured variable-length name that is used to forward the Interest in the CCN, the name comprising name components arranged contiguously in an order from a most general level to a most specific level and each including a bit group comprising a type, a length, and a set of values, wherein one or more of the name components at the most specific level are marked for encryption;
  
  exchanging one or more symmetric keys via a public key operation;
  
  encrypting each name component at the most specific level marked for encryption using a respective symmetric key, to produce a selectively encrypted name having one or more encrypted name components and one or more unencrypted name components;
  
  indicating each encrypted name component as encrypted by setting a respective field associated with the bit group of the encrypted name component;
  
  including in the Interest a validation section that identifies the respective symmetric key for each encrypted name component; and
  
  transmitting the Interest to the CCN; and
  
  a content producing device configured to receive the Interest from the CCN and responsive thereto, perform a method comprising;
  
  verifying authentication information associated with the Interest by looking up in a storage a key identifier associated with the Interest;
  
  responsive to the verifying, decrypting, for each encrypted name component indicated as encrypted, the encrypted name component based on a corresponding symmetric key, wherein a nonce and a key identifier for each of the symmetric keys are included in a validation section for the Interest;
  
  indicating the decrypted name components as decrypted; and
  
  producing a content object that matches the name components as decrypted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 19, 20, 21, 22)
- - 2. The system of claim 1, wherein the method further comprises:
    - encrypting the content object using one of the symmetric keys.
  - 3. The system of claim 1, wherein the encrypting includes computing a plurality of cipher blocks for the Interest based on an authenticated encryption protocol.
  - 4. The system of claim 3, wherein computing the cipher blocks is further based on beginning at byte zero of the Interest.
  - 5. The system of claim 3, wherein computing the cipher blocks is further based on an Advanced Encryption Standard using a key with a length of 128 bits.
  - 6. The system of claim 1, wherein encrypting the bit groups of the name components marked for encryption is further based on an exclusive disjunction operation.
  - 7. The system of claim 1, wherein indicating each encrypted name component further comprises:
    - setting a reserved bit associated with the bit group of the encrypted name component.
  - 8. The system of claim 1, further comprising one or more of the following:
    - wherein a symmetric key is encrypted based on a public key included in the Interest;
      
      wherein the validation section is based on a symmetric key cryptographic system with encryption;
      
      wherein a public key identifier of the content requesting device is included in the Interest; and
      
      wherein a symmetric key identifier is specified for use in subsequent messages between the content requesting device and the content producing device.
  - 9. The system of claim 8, further comprising one or more of the following:
    - wherein the public key operation is based on a cryptographic system that is Rivest-Shamir-Adleman Secure Hash Algorithm 256-bit (RSA-SHA
      
      256); and
      
      wherein the symmetric key identifier is a random number that is not derived from the symmetric key.
  - 10. The system of claim 1, wherein the Interest is configured to be forwarded to the content producing device by CCN nodes along a path of the CCN based on the name.
  - 11. The system of claim 10, wherein the content object packet is configured to be forwarded to the content requesting device along a path of the CCN in reverse to the Interest based on the name.
  - 19. The system of claim 1, wherein the encrypting includes first encrypting the one or more of the name components marked for encryption using a first symmetric key and second encrypting results of the first encrypting using a second symmetric key to produce one or more nested encryption name components.
  - 20. The system of claim 19, further comprising:
    - encrypting the second symmetric key and storing the results in the validation section in correspondence with the one or more nested encryption name components.
  - 21. The system of claim 1, wherein the Interest is configured to be forwarded to the content producing device by CCN nodes along a path of the CCN based on the name, and the content object packet is configured to be forwarded to the content requesting device along a path of the CCN in reverse to the Interest based on the name.
  - 22. The method of claim 1, wherein the encrypting each name component at the most specific level includes encrypting at least two name components at the most specific level with at least two respective symmetric keys.

12. A computer-implemented method comprising:
- at a content producing device configured to communicate with a content centric network (CCN);
  
  generating a content object packet responsive to an Interest from a content requesting device that requests a content object by a hierarchically structured variable-length name, the content object packet including the content object and the name to be used to forward the content object packet in the CCN, the name comprising name components arranged contiguously in an order from a most general level to a most specific level and each including a bit group comprising a type, a length, and a set of values, wherein one or more of the name components are marked for encryption;
  
  exchanging one or more symmetric keys via a public key operation;
  
  encrypting each name component at the most specific level marked for encryption using a respective symmetric key, to produce a selectively encrypted name having one or more encrypted name components and one or more unencrypted name components;
  
  indicating each encrypted name component as encrypted by setting a respective field associated with the bit group of the encrypted name component;
  
  including in the content object packet a validation section that identifies the respective symmetric key for each encrypted name component; and
  
  transmitting the content object packet to the CCN; and
  
  at the content requesting device, receiving the content object packet from the CCN, and responsive thereto;
  
  verifying authentication information associated with the content object packet by looking up in a storage a key identifier associated with the content object packet, and verifying a signature or a message authentication code based on the key identifier;
  
  responsive to the verifying, decrypting, for each encrypted name component indicated as encrypted, the encrypted name component based on a corresponding symmetric key, wherein a nonce and a key identifier for each of the symmetric keys are included in the validation section for the content object packet;
  
  indicating the decrypted name components as decrypted; and
  
  based on the decrypted name components, performing a lookup, and clearing an entry, in a Pending Interest Table (PIT) corresponding to the Interest.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 23, 24)
- - 13. The method of claim 12, wherein the method further comprises:
    - encrypting the content object of the content object packet using one of the symmetric keys; and
      
      storing in the validation section an identifier of the one of the symmetric keys used to encrypt the content object.
  - 14. The method of claim 12, wherein indicating each encrypted name component further comprises:
    - setting a reserved bit associated with the bit group of the encrypted name component.
  - 15. The method of claim 12, further comprising one or more of the following:
    - wherein the validation section is based on a symmetric key cryptographic system with encryption;
      
      wherein a public key identifier of the content producing device is included in the content object packet; and
      
      wherein a symmetric key identifier is specified for use in subsequent messages between the content requesting device and the content producing device.
  - 16. The method of claim 15, further comprising one or more of the following:
    - wherein the public key operation is based on a cryptographic system that is Rivest-Shamir-Adleman Secure Hash Algorithm 256-bit (RSA-SHA
      
      256); and
      
      wherein the symmetric key identifier is a random number that is not derived from the symmetric key.
  - 17. The method of claim 12, wherein the content object packet is configured to be forwarded to the content requesting device along a path of the CCN in reverse to the Interest based on the name.
  - 18. The method of claim 12, wherein the encrypting includes computing a plurality of cipher blocks for the content object packet based on an authenticated encryption protocol.
  - 23. The method of claim 12, wherein the encrypting each name component at the most specific level includes encrypting at least two name components at the most specific level with at least two respective symmetric keys.
  - 24. The method of claim 12, further comprising, at the content requesting device, when the authentication information is not verified, discarding the content object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Mosko, Marc E., Wood, Christopher A.
Primary Examiner(s)
Rahman, Mahfuzur
Assistant Examiner(s)
Cruz-Franqui, Richard W

Application Number

US14/885,904
Publication Number

US 20170111330A1
Time in Patent Office

1,278 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/123   received data contents, e.g...

H04L 9/00   Cryptographic mechanisms or...

H04L 9/0618   Block ciphers, i.e. encrypt...

H04L 9/0631   Substitution permutation ne...

H04L 9/14   using a plurality of keys o...

H04L 9/302   involving the integer facto...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

Encrypted CCNx

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

629 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Encrypted CCNx

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

629 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others