Transparent encryption in a content centric network

US 10,681,018 B2
Filed: 08/27/2018
Issued: 06/09/2020
Est. Priority Date: 11/20/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for facilitating efficient and transparent encryption of packets, the method comprising:

receiving, by a content producing device, an interest packet that includes a masked name which corresponds to an original name of a content object, wherein the original name is a hierarchically structured variable length identifier, wherein said hierarchically structured variable length identifier represents a location of a specific content object within a file system and is used to identify the specific content object, and wherein the interest packet includes an encrypted original name of the content object in a payload of the interest packet, wherein the original name is encrypted based on a public key of the content producing device to generate the encrypted original name;

obtaining the original name of the content object by decrypting the encrypted original name included in the payload of the interest packet based on a private key of the content producing device;

computing a symmetric key based on both;

(1) the original name of the content object, and (2) a generated nonce, wherein the generated nonce is a random string with a length of a predetermined size, and wherein the symmetric key has a length that is equal to the predetermined size of the generated nonce;

generating a content object packet that corresponds to the original name and includes the masked name, the nonce, and a payload including the content object corresponding to the original name, wherein the payload is encrypted based on the symmetric key, wherein the content object packet is received by a client computing device, thereby facilitating efficient and transparent content encryption between the content producing device and the client computing device; and

forwarding the content object packet to an entity that sent the interest packet.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment provides a system that facilitates efficient and transparent encryption of packets between a client computing device and a content producing device. During operation, the system receives, by a content producing device, an interest packet that includes a masked name which corresponds to an original name, wherein the original name is a hierarchically structured variable length identifier that includes contiguous name components ordered from a most general level to a most specific level. The system obtains the original name based on the masked name. The system computes a symmetric key based on the original name and a generated nonce. The system generates a content object packet that corresponds to the original name and includes the masked name, the nonce, and a payload encrypted based on the symmetric key, wherein the content object packet is received by a client computing device.

384 Citations

20 Claims

1. A computer-implemented method for facilitating efficient and transparent encryption of packets, the method comprising:
- receiving, by a content producing device, an interest packet that includes a masked name which corresponds to an original name of a content object, wherein the original name is a hierarchically structured variable length identifier, wherein said hierarchically structured variable length identifier represents a location of a specific content object within a file system and is used to identify the specific content object, and wherein the interest packet includes an encrypted original name of the content object in a payload of the interest packet, wherein the original name is encrypted based on a public key of the content producing device to generate the encrypted original name;
  
  obtaining the original name of the content object by decrypting the encrypted original name included in the payload of the interest packet based on a private key of the content producing device;
  
  computing a symmetric key based on both;
  
  (1) the original name of the content object, and (2) a generated nonce, wherein the generated nonce is a random string with a length of a predetermined size, and wherein the symmetric key has a length that is equal to the predetermined size of the generated nonce;
  
  generating a content object packet that corresponds to the original name and includes the masked name, the nonce, and a payload including the content object corresponding to the original name, wherein the payload is encrypted based on the symmetric key, wherein the content object packet is received by a client computing device, thereby facilitating efficient and transparent content encryption between the content producing device and the client computing device; and
  
  forwarding the content object packet to an entity that sent the interest packet.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the original name that corresponds to the masked name is stored in a data structure at the client computing device.
  - 3. The method of claim 1, wherein the masked name is based on a hash function performed on one or more name components of the original name.
  - 4. The method of claim 1, wherein the method is performed by an application associated with the content producing device or by a component of a stack of communication modules associated with the content producing device.
  - 5. The method of claim 1, wherein the generated nonce is included in the payload of the content object packet.
  - 6. The method of claim 1, wherein the generated nonce is included in a packet header of the content object packet.

7. One or more non-transitory computer readable storage media encoded with instructions that, when executed by a processor of a content producing device, cause the processor to:
- receive an interest packet that includes a masked name which corresponds to an original name of a content object, wherein the original name is a hierarchically structured variable length identifier, wherein said hierarchically structured variable length identifier represents a location of a specific content object within a file system and is used to identify the specific content object, and wherein the interest packet includes an encrypted original name of the content object in a payload of the interest packet, wherein the original name is encrypted based on a public key of the content producing device to generate the encrypted original name;
  
  obtain the original name of the content object by decrypting the encrypted original name included in the payload of the interest packet based on a private key of the content producing device;
  
  compute a symmetric key based on both;
  
  (1) the original name of the content object, and (2) a generated nonce, wherein the generated nonce is a random string with a length of a predetermined size, and wherein the symmetric key has a length that is equal to the predetermined size of the generated nonce;
  
  generate a content object packet that corresponds to the original name and includes the masked name, the nonce, and a payload including the content object corresponding to the original name, wherein the payload is encrypted based on the symmetric key, wherein the content object packet is received by a client computing device, thereby facilitating efficient and transparent content encryption between the content producing device and the client computing device; and
  
  forward the content object packet to an entity that sent the interest packet.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The one or more non-transitory computer readable storage media of claim 7, wherein the original name that corresponds to the masked name is stored in a data structure at the client computing device.
  - 9. The one or more non-transitory computer readable storage media of claim 7, wherein the instructions are executed by an application associated with the content producing device or by a component of a stack of communication modules associated with the content producing device.
  - 10. The one or more non-transitory computer readable storage media of claim 7, wherein the generated nonce is included in the payload of the content object packet.
  - 11. The one or more non-transitory computer readable storage media of claim 7, wherein the generated nonce is included in a packet header of the content object packet.
  - 12. The one or more non-transitory computer readable storage media of claim 7, wherein the masked name is based on a hash function performed on one or more name components of the original name.

13. One or more non-transitory computer readable storage media encoded with instructions that, when executed by a processor of a client computing device, cause the processor to:
- encrypt an original name of a content object to generate an encrypted original name, wherein the original name is encrypted based on a public key of a content producing device, wherein the original name is a hierarchically structured variable length identifier, wherein said hierarchically structured variable length identifier represents a location of a specific content object within a file system and is used to identify a specific content object;
  
  compute a masked name based on the original name;
  
  include the encrypted original name in a payload of an interest packet;
  
  in response to transmitting the interest packet with the masked name, receive a content object packet that includes the masked name, a nonce, and a payload including the content object corresponding to the original name, wherein the payload is encrypted based on a symmetric key to produce an encrypted payload, wherein the content object packet is generated by the content producing device;
  
  look up the masked name in a data structure stored at the client computing device to obtain the original name of the content object;
  
  compute the symmetric key based on both;
  
  (1) the original name of the content object obtained based on the masked name, and (2) the nonce, wherein the nonce is a random string with a length of a predetermined size, and wherein the symmetric key has a length that is equal to the predetermined size of the nonce; and
  
  decrypt the encrypted payload of the content object packet based on the symmetric key to produce a decrypted payload and to obtain the content object corresponding to the original name, thereby facilitating efficient and transparent content encryption between the client computing device and the content producing device.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The one or more non-transitory computer readable storage media of claim 13, wherein computing the masked name is further based on a hash function performed on one or more name components of the original name.
  - 15. The one or more non-transitory computer readable storage media of claim 13, wherein the instructions are executed by an application associated with the client computing device or by a component of a stack of communication modules associated with the client computing device.
  - 16. The one or more non-transitory computer readable storage media of claim 13, wherein the instructions further cause the processor to:
    - set a name for the interest packet to the masked name; and
      
      store in a data structure stored at the client computing device a relation between the masked name and the original name.
  - 17. The one or more non-transitory computer readable storage media of claim 13, wherein computing the symmetric key is further based on a key derivation function indicated in the content object packet.
  - 18. The one or more non-transitory computer readable storage media of claim 13, wherein the instructions further cause the processor to:
    - replace the masked name in the content object packet with the original name of the content object obtained based on the masked name;
      
      replace the encrypted payload in the content object packet with the decrypted payload; and
      
      remove from a pending interest table an entry corresponding to the original name of the content object obtained based on the masked name.
  - 19. The one or more non-transitory computer readable storage media of claim 13, wherein the nonce is included in the payload of the content object packet.
  - 20. The one or more non-transitory computer readable storage media of claim 13, wherein the nonce is included in a packet header of the content object packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wood, Christopher A.
Primary Examiner(s)
Nickerson, Jeffrey
Assistant Examiner(s)
Ahsan, Syed M

Application Number

US16/113,115
Publication Number

US 20180359225A1
Time in Patent Office

652 Days
Field of Search
US Class Current
CPC Class Codes

H04L 45/306   Route determination based o...

H04L 63/0435   wherein the sending and rec...

H04L 67/63   Routing a service request d...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0847   involving identity based en...

H04L 9/0869   involving random numbers or...

Transparent encryption in a content centric network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

384 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent encryption in a content centric network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

384 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links