Content-based transport security for distributed producers

US 9,531,679 B2
Filed: 02/06/2014
Issued: 12/27/2016
Est. Priority Date: 02/06/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, the method comprising:

receiving, by a content-producing system via a content-centric network (CCN), a first Interest packet having a name that includes a serialized public key or digital certificate having the public key from a client device;

generating, by the content-producing system, a session identifier and a symmetric session key for a new session with the client device over the CCN;

generating an encrypted Content Object that includes at least the session identifier, the symmetric session key, and a digital certificate for the content-producing system, wherein the encrypted Content Object is encrypted using the public key from the first Interest packet, and signed according to the digital certificate of the content-producing system; and

returning the encrypted Content Object over the CCN to the client device;

receiving a resume-setup second Interest packet that includes the session identifier and the digital certificate of the client device;

decrypting the digital certificate using the symmetric session key;

authenticating the client device using the digital certificate; and

in response to receiving a third Interest packet with the session identifier;

decrypting an encrypted name suffix of the third Interest packet'"'"'s name, using the symmetric session key to obtain a plaintext name suffix; and

using the plaintext name suffix to obtain a piece of data that corresponds to the third Interest packet'"'"'s name, encrypting the piece of data using the symmetric session key, and returning a Content Object that includes the encrypted piece of data over the CCN.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A content-producing computer system can use a locally generated key or a client-generated key to communicate with a client device during a session over a named-data network. During operation, the computer system can receive an Interest packet that includes a name for a piece of data or a service. The Interest'"'"'s name can include a routable prefix, a session identifier, and an encrypted suffix. In some embodiments, the system can generating a session key based on the session identifier and a secret value, and decrypts the encrypted suffix using the session key to obtain a plaintext suffix. The system processes the plaintext suffix to obtain data requested by the Interest, and encrypts the data using the session key. In some other embodiments, the system can use a local private key to decrypt the encrypted suffix, and uses an encryption key obtained from the Interest to encrypt the Content Object.

262 Citations

14 Claims

1. A computer-implemented method, the method comprising:
- receiving, by a content-producing system via a content-centric network (CCN), a first Interest packet having a name that includes a serialized public key or digital certificate having the public key from a client device;
  
  generating, by the content-producing system, a session identifier and a symmetric session key for a new session with the client device over the CCN;
  
  generating an encrypted Content Object that includes at least the session identifier, the symmetric session key, and a digital certificate for the content-producing system, wherein the encrypted Content Object is encrypted using the public key from the first Interest packet, and signed according to the digital certificate of the content-producing system; and
  
  returning the encrypted Content Object over the CCN to the client device;
  
  receiving a resume-setup second Interest packet that includes the session identifier and the digital certificate of the client device;
  
  decrypting the digital certificate using the symmetric session key;
  
  authenticating the client device using the digital certificate; and
  
  in response to receiving a third Interest packet with the session identifier;
  
  decrypting an encrypted name suffix of the third Interest packet'"'"'s name, using the symmetric session key to obtain a plaintext name suffix; and
  
  using the plaintext name suffix to obtain a piece of data that corresponds to the third Interest packet'"'"'s name, encrypting the piece of data using the symmetric session key, and returning a Content Object that includes the encrypted piece of data over the CCN.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein using the plaintext name suffix to obtain the piece of data involves:
    - obtaining the piece of data that corresponds to the third Interest packet'"'"'s name from a local repository or via the CCN.
  - 3. The method of claim 1, wherein the session identifier is signed using a private key of the client device, and wherein authenticating the client device further involves using the client device'"'"'s public key to authenticate the signed session identifier.

4. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method, the method comprising:
- receiving, by a content-producing system over a content-centric network (CCN), a first Interest packet having a name that includes a serialized public key or digital certificate having the public key from a client device;
  
  generating, by the content-producing system, a session identifier and a symmetric session key for a new session with the client device over the CCN;
  
  generating an encrypted Content Object that includes at least the session identifier, the symmetric session key, and a digital certificate for the content-producing system, wherein the encrypted Content Object is encrypted using the public key from the first Interest packet, and signed according to the digital certificate of the content-producing system; and
  
  returning the encrypted Content Object over the CCN to the client device;
  
  receiving a resume-setup second Interest packet that includes the session identifier and the digital certificate of the client device;
  
  decrypting the digital certificate using the symmetric session key;
  
  authenticating the client device using the digital certificate; and
  
  in response to receiving a third Interest packet that includes the session identifier;
  
  decrypting an encrypted name suffix of the third Interest packet'"'"'s name, using the symmetric session key to obtain a plaintext name suffix; and
  
  using the plaintext name suffix to obtain a piece of data that corresponds to the third Interest packet'"'"'s name, encrypting the piece of data using the symmetric session key, and returning a Content Object that includes the encrypted piece of data over the CCN.
- View Dependent Claims (5, 6)
- - 5. The storage medium of claim 4, wherein using the plaintext name suffix to obtain the piece of data involves:
    - obtaining the piece of data that corresponds to the third Interest packet'"'"'s name from a local repository or via the CCN.
  - 6. The storage medium of claim 4, wherein the session identifier is signed using a private key of the client device, and wherein authenticating the client device further involves using the client device'"'"'s public key to authenticate the signed session identifier.

7. A computer-implemented method, the method comprising:
- receiving, by a content-producing system from a client device via a content-centric network (CCN), a first Interest packet that includes a name of a digital certificate of the content-producing system; and
  
  in response to receiving the first Interest packet;
  
  returning, via the content centric network, a Content Object that includes the digital certificate of the content-producing system; and
  
  receiving a second Interest packet having a name that includes a temporary symmetric key from the client device, wherein the temporary symmetric key is encrypted using the public key of the content-producing system;
  
  generating, by the content-producing system, a session identifier and an encryption key for the session with the client device;
  
  generating an encrypted Content Object that satisfies the second Interest packet and includes at least the session identifier, the encryption key for the session, and a digital certificate of the content-producing system, wherein the encrypted Content Object is encrypted using the temporary symmetric key from the client device, and wherein the encrypted Content Object is signed according to the digital certificate of the content-producing system;
  
  returning the encrypted Content Object over the CCN to satisfy the second Interest packet;
  
  receiving a resume-setup third Interest packet that includes the session identifier and a public key certificate of the client device;
  
  obtaining a decryption key;
  
  decrypting the client device'"'"'s public key certificate from the resume-setup the Interest packet, using the decryption key;
  
  authenticating the client device using the public key certificate; and
  
  in response to receiving a fourth Interest packet that includes a routable prefix associated with the content-producing system, the session identifier, and an encrypted name suffix storing a name for a piece of data or a service requested by the client device;
  
  decrypting the encrypted name suffix of the fourth Interest packet'"'"'s name, using the decryption key to obtain a plaintext name suffix; and
  
  using the plaintext name suffix to obtain a piece of data that corresponds to the fourth Interest packet'"'"'s name, encrypting the piece of data using the encryption key or a public key of the client device, and returning a Content Object that includes the encrypted piece of data over the CCN to satisfy the fourth Interest packet.
- View Dependent Claims (8, 9, 10)
- - 8. The method of claim 7, wherein the content-producing system'"'"'s encryption key and decryption key include one or more of:
    - a symmetric session key; and
      
      an asymmetric public encryption key and private decryption key pair.
  - 9. The method of claim 7, wherein obtaining the decryption key involves generating the decryption key based on one or more of:
    - the session identifier; and
      
      a secret value.
  - 10. The method of claim 7, wherein using the plaintext name suffix to obtain the piece of data involves:
    - obtaining the piece of data that corresponds to the fourth Interest packet'"'"'s name from a local repository or via the CCN.

11. An apparatus to process an encrypted request received over a named-data network, the apparatus comprising:
- a processor; and
  
  a memory storing instructions that when executed by the processor cause the apparatus to;
  
  receive, from a client device via a content-centric network (CCN), a first Interest packet that includes a name of a digital certificate of a content-producing system; and
  
  in response to receiving the first Interest packet;
  
  return, via the content centric network, a Content Object that includes the digital certificate of the content-producing system; and
  
  receive a second Interest packet having a name that includes a temporary symmetric key from the client device, wherein the temporary symmetric key is encrypted using the public key of the content-producing system;
  
  generate a session identifier and an encryption key for the session with the client device;
  
  generate an encrypted Content Object that satisfies the second Interest packet, and includes at least the session identifier, the encryption key for the session, and a digital certificate of the content-producing system, wherein the encrypted Content Object is encrypted using the temporary symmetric key from the client device, and wherein the encrypted Content Object is signed according to the digital certificate of the content-producing system;
  
  return, via the CCN, the encrypted Content Object to satisfy the second Interest packet;
  
  receiving a resume-setup third Interest packet that includes the session identifier and a public key certificate of the client device;
  
  obtaining a decryption key;
  
  decrypting the client device'"'"'s public key certificate from the resume-setup third Interest packet, using the decryption key;
  
  authenticating the client device using the public key certificates; and
  
  in response to receiving a fourth Interest packet that includes a routable prefix associated with the content-producing system, the session identifier, and an encrypted name suffix storing a name for a piece of data or a service requested by the client device;
  
  decrypt the encrypted name suffix of the fourth Interest packet'"'"'s name, using the decryption key to obtain a plaintext name suffix; and
  
  using the plaintext name suffix to obtain a piece of data that corresponds to the fourth Interest packet'"'"'s name, encrypting the piece of data using the encryption key or a public key of the client device, and returning a Content Object that includes the encrypted piece of data over the CCN to satisfy the fourth Interest packet.
- View Dependent Claims (12, 13, 14)
- - 12. The apparatus of claim 11, wherein the content-producing system'"'"'s encryption key and decryption key include one or more of:
    - a symmetric session key; and
      
      an asymmetric public encryption key and private decryption key pair.
  - 13. The apparatus of claim 11, wherein executing the instructions further cause the apparatus to generate the decryption key based on one or more of:
    - the session identifier; and
      
      a secret value.
  - 14. The apparatus of claim 11, wherein using the plaintext name suffix to obtain the piece of data involves:
    - obtaining the piece of data that corresponds to the fourth Interest packet'"'"'s name from a local repository or via the CCN.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Inventors
Uzun, Ersin, Mosko, Marc E.
Primary Examiner(s)
Shaw, Yin-Chen
Assistant Examiner(s)
DHRUV, DARSHAN I

Application Number

US14/174,729
Publication Number

US 20150222603A1
Time in Patent Office

1,055 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 67/146   Markers for unambiguous ide...

H04L 67/63   Routing a service request d...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/3247   involving digital signatures

Content-based transport security for distributed producers

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

262 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Content-based transport security for distributed producers

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

262 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others