Access control framework for information centric networking

US 9,552,493 B2
Filed: 02/03/2015
Issued: 01/24/2017
Est. Priority Date: 02/03/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

obtaining, by a computing device, a Manifest object for a data collection, wherein the Manifest includes references to a set of encrypted Content Objects of the data collection, includes one or more Access Control Specification (ACS) that each specifies a decryption protocol for decrypting one or more Content Objects of the data collection, and includes a respective ACS by reference;

obtaining a respective encrypted Content Object listed in the Manifest over an Information Centric Network (ICN);

obtaining, by the computing device from the Manifest, an ACS associated with the respective encrypted Content Object, which involves;

obtaining, from the Manifest, a name prefix associated with the ACS;

disseminating, over ICN, an Interest whose name includes the name prefix; and

responsive to disseminating the Interest, receiving a Contact Object that includes the ACS; and

decrypting, by the computing device, the respective encrypted Content Object using the decryption protocol specified in the ACS.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment provides an access-control framework for publishing and obtaining a collection of encrypted data in encrypted form. During operation, a content consumer can obtain a Manifest object for a data collection, such that the Manifest includes references to a set of encrypted Content Objects of the data collection, and includes one or more Access Control Specifications (ACS) that each specifies a decryption protocol for decrypting one or more Content Objects of the data collection. The consumer can disseminate Interest messages to receive encrypted Content Objects listed in the Manifest over an Information Centric Network (ICN). The client can also obtain, from the Manifest, an ACS associated with a respective encrypted Content Object, and decrypts the respective encrypted Content Object using the decryption protocol specified in the ACS.

398 Citations

18 Claims

1. A computer-implemented method, comprising:
- obtaining, by a computing device, a Manifest object for a data collection, wherein the Manifest includes references to a set of encrypted Content Objects of the data collection, includes one or more Access Control Specification (ACS) that each specifies a decryption protocol for decrypting one or more Content Objects of the data collection, and includes a respective ACS by reference;
  
  obtaining a respective encrypted Content Object listed in the Manifest over an Information Centric Network (ICN);
  
  obtaining, by the computing device from the Manifest, an ACS associated with the respective encrypted Content Object, which involves;
  
  obtaining, from the Manifest, a name prefix associated with the ACS;
  
  disseminating, over ICN, an Interest whose name includes the name prefix; and
  
  responsive to disseminating the Interest, receiving a Contact Object that includes the ACS; and
  
  decrypting, by the computing device, the respective encrypted Content Object using the decryption protocol specified in the ACS.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - disseminating an Interest for the data collection over ICN; and
      
      responsive to disseminating the Interest, receiving the Manifest object over ICN.
  - 3. The method of claim 1, wherein decrypting the encrypted Content Object involves:
    - obtaining an encrypted key that corresponds to the encrypted Content Object;
      
      obtaining a decapsulation key by performing the decryption protocol specified in the ACS;
      
      decrypting the encrypted key, using the decapsulation key, to obtain a decryption key; and
      
      decrypting the encrypted Content Object using the decryption key.
  - 4. The method of claim 3, wherein obtaining the decapsulation key involves:
    - obtaining a decapsulation-key name which identifies the decapsulation key;
      
      following a keychain until a key node identified by the decapsulation-key name is reached, wherein a respective key node of the keychain includes a decryption key in encrypted form, and wherein the decryption key is capable of decrypting a decryption key of a next key node of the keychain; and
      
      obtaining the decapsulation key from the identified key node.
  - 5. The method of claim 4, wherein the decryption keys are encrypted using one or more of:
    - a group-based encryption scheme; and
      
      a broadcast encryption scheme.

6. A computer-implemented method, comprising:
- obtaining, by a computing device, an initiation Manifest object for a data collection, wherein the initiation Manifest includes an Access Control Specification (ACS) that specifies an end-to-end access control scheme for obtaining and decrypting one or more Content Objects of the data collection;
  
  obtaining a public key of a publisher from the ACS in the initiation Manifest;
  
  determining, by the computing device from the ACS, an encryption algorithm for a session with the publisher;
  
  disseminating a setup Interest message for the publisher, wherein the setup Interest message includes a temporary key encrypted using the determined encryption algorithm and the publisher'"'"'s public key;
  
  receiving a setup Content Object that satisfies the setup Interest message, wherein the setup Content Object includes a session key and a session identifier;
  
  disseminating a finish Interest message for the publisher, wherein the finish Interest message includes the session identifier; and
  
  receiving an in-session Manifest that satisfies the finish Interest message, wherein the in-session Manifest includes references to one or more Content Objects of the data collection that are encrypted using the session key.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, further comprising:
    - obtaining verification data from the setup Content Object;
      
      verifying the session key using the verification data; and
      
      in response to determining that the session key is valid, disseminating the finish Interest message.
  - 8. The method of claim 6, wherein verifying the session key involves:
    - computing a hash from one or more of the session key, a key identifier, and an identifier for the determined encryption algorithm; and
      
      comparing the computed hash to the verification data.
  - 9. The method of claim 6, further comprising:
    - obtaining a respective Content Object listed in the in-session Manifest over an Information Centric Network (ICN); and
      
      decrypting the respective Content Object using the session key.

10. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method, the method comprising:
- obtaining a Manifest object for a data collection, wherein the Manifest includes references to a set of encrypted Content Objects of the data collection, includes one or more Access Control Specification (ACS) that each specifies a decryption protocol for decrypting one or more Content Objects of the data collection, and includes a respective ACS by reference;
  
  obtaining a respective encrypted Content Object listed in the Manifest over an Information Centric Network (ICN);
  
  obtaining, by the computing device from the Manifest, an ACS associated with the respective encrypted Content Object, which involves;
  
  obtaining, from the Manifest, a name prefix associated with the ACS;
  
  disseminating, over ICN, an Interest whose name includes the name prefix; and
  
  responsive to disseminating the Interest, receiving a Contact Object that includes the ACS; and
  
  decrypting the respective encrypted Content Object using the decryption protocol specified in the ACS.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The storage medium of claim 10, further comprising:
    - disseminating an Interest for the data collection over ICN; and
      
      responsive to disseminating the Interest, receiving the Manifest object over ICN.
  - 12. The storage medium of claim 10, wherein decrypting the encrypted Content Object involves:
    - obtaining an encrypted key that corresponds to the encrypted Content Object;
      
      obtaining a decapsulation key by performing the decryption protocol specified in the ACS;
      
      decrypting the encrypted key, using the decapsulation key, to obtain a decryption key; and
      
      decrypting the encrypted Content Object using the decryption key.
  - 13. The storage medium of claim 12, wherein obtaining the decapsulation key involves:
    - obtaining a decapsulation-key name which identifies the decapsulation key;
      
      following a keychain until a key node identified by the decapsulation-key name is reached, wherein a respective key node of the keychain includes a decryption key in encrypted form, and wherein the decryption key is capable of decrypting a decryption key of a next key node of the keychain; and
      
      obtaining the decapsulation key from the identified key node.
  - 14. The storage medium of claim 13, wherein the decryption keys are encrypted using one or more of:
    - a group-based encryption scheme; and
      
      a broadcast encryption scheme.

15. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method, the method comprising:
- obtaining an initiation Manifest object for a data collection, wherein the initiation Manifest includes an Access Control Specification (ACS) that specifies an end-to-end access control scheme for obtaining and decrypting one or more Content Objects of the data collection;
  
  obtaining a public key of a publisher from the ACS in the initiation Manifest;
  
  determining, from the ACS, an encryption algorithm for a session with the publisher;
  
  disseminating a setup Interest message for the publisher, wherein the setup Interest message includes a temporary key encrypted using the determined encryption algorithm and the publisher'"'"'s public key;
  
  receiving a setup Content Object that satisfies the setup Interest message, wherein the setup Content Object includes a session key and a session identifier;
  
  disseminating a finish Interest message for the publisher, wherein the finish Interest message includes the session identifier; and
  
  receiving an in-session Manifest that satisfies the finish Interest message, wherein the in-session Manifest includes references to one or more Content Objects of the data collection that are encrypted using the session key.
- View Dependent Claims (16, 17, 18)
- - 16. The storage medium of claim 15, further comprising:
    - obtaining verification data from the setup Content Object;
      
      verifying the session key using the verification data; and
      
      in response to determining that the session key is valid, disseminating the finish Interest message.
  - 17. The storage medium of claim 15, wherein verifying the session key involves:
    - computing a hash from one or more of the session key, a key identifier, and an identifier for the determined encryption algorithm; and
      
      comparing the computed hash to the verification data.
  - 18. The storage medium of claim 15, further comprising:
    - obtaining a respective Content Object listed in the in-session Manifest over an Information Centric Network (ICN); and
      
      decrypting the respective Content Object using the session key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Inventors
Uzun, Ersin, Kurihara, Jun, Wood, Christopher A.
Primary Examiner(s)
Song, Hosuk

Application Number

US14/613,205
Publication Number

US 20160224799A1
Time in Patent Office

721 Days
Field of Search

713/165, 713/167, 713/189, 726/1, 726 26- 30
US Class Current

1/1
CPC Class Codes

G06F 21/6227   where protection concerns t...

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 63/045   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/10   for controlling access to d...

H04L 67/568   Storing data temporarily at...

Access control framework for information centric networking

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

398 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Access control framework for information centric networking

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

398 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links