SYSTEM FOR A SECURE ENCRYPTION PROXY IN A CONTENT CENTRIC NETWORK

US 20170331800A1
Filed: 05/13/2016
Published: 11/16/2017
Est. Priority Date: 05/13/2016
Status: Active Grant

First Claim

Patent Images

1. A computer system, comprising:

a processor; and

a storage device storing instructions that when executed by the processor cause the processor to perform a method, the method comprising;

receiving, by an intermediate router from a content-consuming computing device, a first interest that includes a first name, signaling information encrypted based on a signaling key, and an inner interest encrypted based on an encryption key, wherein the inner interest includes a name for a manifest that represents a collection of data, wherein the intermediate router does not possess the encryption key;

generating one or more interests for the data represented by the manifest, wherein a generated interest has a name that corresponds to a numbered chunk of the data represented by the manifest;

transmitting to the content-consuming computing device a content object received in response to a generated interest,wherein the intermediate router transmits the responsive content object without receiving a corresponding interest from the content-consuming computing device, thereby facilitating reduced network between the content-consuming computing device and the intermediate router.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment provides a system that facilitates a secure encryption proxy in a content centric network. During operation, the system receives, by an intermediate router from a content-consuming computing device, a first interest that includes a first name, signaling information encrypted based on a signaling key, and an inner interest encrypted based on an encryption key. The inner interest includes a name for a manifest that represents a collection of data. The intermediate router does not possess the encryption key. The system generates one or more interests for the data represented by the manifest. The system transmits to the content-consuming computing device a content object received in response to a generated interest, wherein the intermediate router transmits the responsive content object without receiving a corresponding interest from the content-consuming computing device, thereby facilitating reduced network between the content-consuming computing device and the intermediate router.

Citations

20 Claims

1. A computer system, comprising:
- a processor; and
  
  a storage device storing instructions that when executed by the processor cause the processor to perform a method, the method comprising;
  
  receiving, by an intermediate router from a content-consuming computing device, a first interest that includes a first name, signaling information encrypted based on a signaling key, and an inner interest encrypted based on an encryption key, wherein the inner interest includes a name for a manifest that represents a collection of data, wherein the intermediate router does not possess the encryption key;
  
  generating one or more interests for the data represented by the manifest, wherein a generated interest has a name that corresponds to a numbered chunk of the data represented by the manifest;
  
  transmitting to the content-consuming computing device a content object received in response to a generated interest,wherein the intermediate router transmits the responsive content object without receiving a corresponding interest from the content-consuming computing device, thereby facilitating reduced network between the content-consuming computing device and the intermediate router.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer system of claim 1, wherein the intermediate router acts as an encryption performance enhancing proxy between the content-consuming computing device and a replica device, wherein the content-consuming computing device and the intermediate router communicate over an air interface, and wherein the intermediate router and the replica device communicate over a wired link.
  - 3. The computer system of claim 1, wherein the first interest further includes an authentication token which is based on an authentication key, the encrypted signaling information, the encrypted inner interest, and data associated with the encrypted inner interest and the first interest, wherein the method further comprises:
    - authenticating the first interest by verifying the authentication token based on the authentication key and the associated data; and
      
      decrypting the signaling information included in the first interest based on the signaling key.
  - 4. The computer system of claim 1, wherein the method further comprises:
    - in response to transmitting the first interest to a replica device, receiving a first content object with signaling information encrypted based on the signaling key and that indicates an end chunk number,wherein generating the one or more interests further involves generating a number of interests equal to the end chunk number.
  - 5. The computer system of claim 1, wherein the method further comprises:
    - in response to transmitting a generated interest to a replica device, receiving a responsive content object with a name that corresponds to a numbered chunk of the data represented by the manifest, wherein a numbered chunk corresponds to;
      
      a chunk created by a content producing device based on a division of a concatenation of the data represented by the manifest;
      
      ordata for a leaf or a content object indicated in the manifest.
  - 6. The computer system of claim 1, wherein the method further comprises:
    - in response to receiving one or more interests from the content-consuming computing device, forwarding the received interests, wherein a received interest indicates a name for a branch of the manifest; and
      
      transmitting to the content-consuming computing device a content object received in response to a forwarded interest.
  - 7. The computer system of claim 1, wherein the method further comprises:
    - receiving a second interest that includes the first name, signaling information encrypted based on the signaling key and that indicates the manifest name, data encrypted based on the encryption key, and an authentication token based on the authentication key; and
      
      authenticating the second interest by verifying the authentication token based on the authentication key,wherein a generated interest of the one or more interests includes signaling information that indicates a request for a leaf of the manifest, andwherein the content object received in response to the generated interest includes data corresponding to the requested manifest leaf.
  - 8. The computer system of claim 1, wherein the method further comprises:
    - obtaining the signaling key and the authentication key based on a key exchange protocol which is based on one or more of;
      
      a content centric network, wherein the intermediate router is known to the content-consuming computing device; and
      
      a dynamic proxy discovery, wherein the intermediate router is not known to the content-consuming computing device, wherein the method further comprises;
      
      updating an interest received during a second round of communication in the key exchange protocol based on the content centric network by adding a key share of the intermediate router to the interest; and
      
      transmitting the updated interest to a replica device, which allows the replica device to return to the content-consuming computing device a responsive content object that includes the key share of the replica device and the key share of the intermediate router.
  - 9. The computer system of claim 1, wherein a name is a hierarchically structured variable length identifier that includes contiguous name components ordered from a most general level to a most specific level, wherein the name further includes one or more of:
    - a routable name prefix for a replica device that hosts content;
      
      a session identifier;
      
      a transaction identifier; and
      
      a chunk number.
  - 10. The computer system of claim 1, wherein the method further comprises:
    - receiving or generating a first alert message which is one or more of;
      
      a close message that indicates a shutdown of a transaction associated with the transaction identifier or a shutdown of a session associated with the session identifier; and
      
      an error message that indicates an error; and
      
      receiving a second alert message which is one or more of;
      
      a rekey message that indicates a request from the content-consuming computing device or a replica device to establish a new set of session keys; and
      
      a keepalive message from the content-consuming computing device or the replica device that allows a receiving entity to return a message to a sending entity outside of the generated interests or a received content object.

11. A computer system, comprising:
- a processor; and
  
  a storage device storing instructions that when executed by the processor cause the processor to perform a method, the method comprising;
  
  generating, by a content-consuming computing device, a first interest that includes a first name, signaling information encrypted based on a signaling key, and an inner interest encrypted based on an encryption key,wherein the inner interest includes a name for a manifest that represents a collection of data;
  
  in response to transmitting the first interest to an intermediate router, receiving one or more content objects, wherein a received content object includes a name that corresponds to a numbered chunk of the data represented by the manifest,wherein the content-consuming computing device is not required to transmit one or more corresponding interests for the one or more content objects, thereby facilitating reduced network traffic between the content-consuming computing device and the intermediate router.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The computer system of claim 11, wherein a received content object includes an authentication token which is based on an authentication key, the encrypted signaling information, the encrypted inner interest, and data associated with the encrypted inner interest and the first interest, wherein the method further comprises:
    - authenticating a received content object by verifying the authentication token based on the authentication key and the associated data;
      
      decrypting the signaling information included in the received content object based on the signaling key; and
      
      decrypting encrypted data or the inner interest that is included in the received content object based on the encryption key.
  - 13. The computer system of claim 11, wherein a numbered chunk of the data represented by the manifest corresponds to:
    - a chunk created by a content producing device based on a division of a concatenation of the data represented by the manifest;
      
      ordata for a leaf or a content object indicated in the manifest.
  - 14. The computer system of claim 11, wherein the method further comprises:
    - generating one or more interests, wherein a name for a generated interest indicates a name for a branch of the manifest; and
      
      receiving a content object in response to a generated interest.
  - 15. The computer system of claim 11, wherein the method further comprises:
    - generating a second interest that includes the first name, signaling information encrypted based on the signaling key and that indicates the manifest name, data encrypted based on the encryption key, and an authentication token based on the authentication key; and
      
      in response to transmitting the second interest to the intermediate router, receiving one or more transport content objects, wherein a received transport content object includes signaling information that indicates a request for a leaf of the manifest, and data corresponding to the requested manifest leaf.
  - 16. The computer system of claim 11, wherein the method further comprises:
    - obtaining the encryption key, the signaling key, and the authentication key based on a key exchange protocol which is based on one or more of;
      
      a content centric network, wherein the intermediate router is known to the content-consuming computing device; and
      
      a dynamic proxy discovery, wherein the intermediate router is not known to the content-consuming computing device, wherein the method further comprises;
      
      updating, by the intermediate router, an interest received during a second round of communication in the key exchange protocol based on the content centric network by adding a key share of the intermediate router to the interest; and
      
      transmitting, by the intermediate router, the updated interest to a replica device, which allows the replica device to return to the content-consuming computing device a responsive content object that includes the key share of the replica device and the key share of the intermediate router; and
      
      receiving, by the content-consuming computing device, the responsive content object that includes the key share of the replica device and the key share of the intermediate router.
  - 17. The computer system of claim 11, wherein a name is a hierarchically structured variable length identifier that includes contiguous name components ordered from a most general level to a most specific level, wherein the name further includes one or more of:
    - a routable name prefix for a replica device that hosts content;
      
      a session identifier;
      
      a transaction identifier; and
      
      a chunk number,wherein the method further comprises;
      
      receiving or generating an alert message which is one or more of;
      
      a close message that indicates a shutdown of a transaction associated with the transaction identifier or a shutdown of a session associated with the session identifier;
      
      an error message that indicates an error;
      
      a rekey message that indicates a request from the content-consuming computing device or a replica device to establish a new set of session keys; and
      
      a keepalive message from the content-consuming computing device or the replica device that allows a receiving entity to return a message to a sending entity outside of the generated interests or a received content object.

18. A computer system, comprising:
- a processor; and
  
  a storage device storing instructions that when executed by the processor cause the processor to perform a method, the method comprising;
  
  receiving, by a replica device, a first interest that includes a first name, signaling information encrypted based on a signaling key, an inner interest encrypted based on an encryption key, and an authentication token based on an authentication key,wherein the inner interest includes a name for a manifest that represents a collection of data;
  
  authenticating the first interest by verifying the authentication token based on the authentication key; and
  
  generating a first content object that includes signaling information encrypted based on the signaling key and that indicates an end chunk number that corresponds to a number of chunks comprising the data represented by the manifest,wherein the first content object further includes data represented by the manifest and that is encrypted based on the encryption key.
- View Dependent Claims (19, 20)
- - 19. The computer system of claim 18, wherein the method further comprises:
    - in response to receiving a subsequent interest with a name that corresponds to a numbered chunk of the data represented by the manifest, generating a subsequent content object with data that corresponds to the numbered chunk, wherein a numbered chunk corresponds to;
      
      a chunk created by a content producing device based on a division of a concatenation of the data represented by the manifest;
      
      ordata for a leaf or a content object indicated in the manifest.
  - 20. The computer system of claim 19, wherein the method further comprises:
    - receiving a second interest that includes the first name, signaling information encrypted based on the signaling key and that indicates the manifest name, data encrypted based on the encryption key, and an authentication token based on the authentication key; and
      
      authenticating the second interest by verifying the authentication token based on the authentication key,wherein a received subsequent interest includes signaling information that indicates a request for data represented by the manifest, andwherein a generated subsequent content object includes signaling information that indicates the data represented by the manifest.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wood, Christopher A., Mosko, Marc E.

Granted Patent

US 10,084,764 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/327   Alarm or error message display

G06F 9/442   Shutdown

H04L 63/0428   wherein the data content is...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

SYSTEM FOR A SECURE ENCRYPTION PROXY IN A CONTENT CENTRIC NETWORK

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM FOR A SECURE ENCRYPTION PROXY IN A CONTENT CENTRIC NETWORK

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links