US 9531679 B2 - Content-based Transport Security For Distributed Producers - The Lens

Content-based Transport Security For Distributed Producers

Published: Dec 27, 2016
Family: 5
Cited Works: 99
Cited by: 3
Cites: 111
Additional Info: Cited Works Full text

Abstract

A content-producing computer system can use a locally generated key or a client-generated key to communicate with a client device during a session over a named-data network. During operation, the computer system can receive an Interest packet that includes a name for a piece of data or a service. The Interest's name can include a routable prefix, a session identifier, and an encrypted suffix. In some embodiments, the system can generating a session key based on the session identifier and a secret value, and decrypts the encrypted suffix using the session key to obtain a plaintext suffix. The system processes the plaintext suffix to obtain data requested by the Interest, and encrypts the data using the session key. In some other embodiments, the system can use a local private key to decrypt the encrypted suffix, and uses an encryption key obtained from the Interest to encrypt the Content Object.

Claims

A computer-implemented method, the method comprising:
receiving, by a content-producing system via a content-centric network (CCN), a first Interest packet having a name that includes a serialized public key or digital certificate having the public key from a client device;

generating, by the content-producing system, a session identifier and a symmetric session key for a new session with the client device over the CCN;

generating an encrypted Content Object that includes at least the session identifier, the symmetric session key, and a digital certificate for the content-producing system, wherein the encrypted Content Object is encrypted using the public key from the first Interest packet, and signed according to the digital certificate of the content-producing system; and

returning the encrypted Content Object over the CCN to the client device;

receiving a resume-setup second Interest packet that includes the session identifier and the digital certificate of the client device;

decrypting the digital certificate using the symmetric session key;

authenticating the client device using the digital certificate; and

in response to receiving a third Interest packet with the session identifier:
decrypting an encrypted name suffix of the third Interest packet's name, using the symmetric session key to obtain a plaintext name suffix; and

using the plaintext name suffix to obtain a piece of data that corresponds to the third Interest packet's name, encrypting the piece of data using the symmetric session key, and returning a Content Object that includes the encrypted piece of data over the CCN.
The method of claim 1, wherein using the plaintext name suffix to obtain the piece of data involves:
obtaining the piece of data that corresponds to the third Interest packet's name from a local repository or via the CCN.
The method of claim 1, wherein the session identifier is signed using a private key of the client device, and wherein authenticating the client device further involves using the client device's public key to authenticate the signed session identifier.
A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method, the method comprising:
receiving, by a content-producing system over a content-centric network (CCN), a first Interest packet having a name that includes a serialized public key or digital certificate having the public key from a client device;

generating, by the content-producing system, a session identifier and a symmetric session key for a new session with the client device over the CCN;

generating an encrypted Content Object that includes at least the session identifier, the symmetric session key, and a digital certificate for the content-producing system, wherein the encrypted Content Object is encrypted using the public key from the first Interest packet, and signed according to the digital certificate of the content-producing system; and

returning the encrypted Content Object over the CCN to the client device;

receiving a resume-setup second Interest packet that includes the session identifier and the digital certificate of the client device;

decrypting the digital certificate using the symmetric session key;

authenticating the client device using the digital certificate; and

in response to receiving a third Interest packet that includes the session identifier:
decrypting an encrypted name suffix of the third Interest packet's name, using the symmetric session key to obtain a plaintext name suffix; and

using the plaintext name suffix to obtain a piece of data that corresponds to the third Interest packet's name, encrypting the piece of data using the symmetric session key, and returning a Content Object that includes the encrypted piece of data over the CCN.
The storage medium of claim 4, wherein using the plaintext name suffix to obtain the piece of data involves:
obtaining the piece of data that corresponds to the third Interest packet's name from a local repository or via the CCN.
The storage medium of claim 4, wherein the session identifier is signed using a private key of the client device, and wherein authenticating the client device further involves using the client device's public key to authenticate the signed session identifier.
A computer-implemented method, the method comprising:
receiving, by a content-producing system from a client device via a content-centric network (CCN), a first Interest packet that includes a name of a digital certificate of the content-producing system; and

in response to receiving the first Interest packet:
returning, via the content centric network, a Content Object that includes the digital certificate of the content-producing system; and

receiving a second Interest packet having a name that includes a temporary symmetric key from the client device, wherein the temporary symmetric key is encrypted using the public key of the content-producing system;

generating, by the content-producing system, a session identifier and an encryption key for the session with the client device;

generating an encrypted Content Object that satisfies the second Interest packet and includes at least the session identifier, the encryption key for the session, and a digital certificate of the content-producing system, wherein the encrypted Content Object is encrypted using the temporary symmetric key from the client device, and wherein the encrypted Content Object is signed according to the digital certificate of the content-producing system;

returning the encrypted Content Object over the CCN to satisfy the second Interest packet;

receiving a resume-setup third Interest packet that includes the session identifier and a public key certificate of the client device;

obtaining a decryption key;

decrypting the client device's public key certificate from the resume-setup the Interest packet, using the decryption key;

authenticating the client device using the public key certificate; and

in response to receiving a fourth Interest packet that includes a routable prefix associated with the content-producing system, the session identifier, and an encrypted name suffix storing a name for a piece of data or a service requested by the client device:
decrypting the encrypted name suffix of the fourth Interest packet's name, using the decryption key to obtain a plaintext name suffix; and

using the plaintext name suffix to obtain a piece of data that corresponds to the fourth Interest packet's name, encrypting the piece of data using the encryption key or a public key of the client device, and returning a Content Object that includes the encrypted piece of data over the CCN to satisfy the fourth Interest packet.
The method of claim 7, wherein the content-producing system's encryption key and decryption key include one or more of:
a symmetric session key; and

an asymmetric public encryption key and private decryption key pair.
The method of claim 7, wherein obtaining the decryption key involves generating the decryption key based on one or more of:
the session identifier; and

a secret value.
The method of claim 7, wherein using the plaintext name suffix to obtain the piece of data involves:
obtaining the piece of data that corresponds to the fourth Interest packet's name from a local repository or via the CCN.
An apparatus to process an encrypted request received over a named-data network, the apparatus comprising:
a processor; and

a memory storing instructions that when executed by the processor cause the apparatus to:

receive, from a client device via a content-centric network (CCN), a first Interest packet that includes a name of a digital certificate of a content-producing system; and

in response to receiving the first Interest packet:
return, via the content centric network, a Content Object that includes the digital certificate of the content-producing system; and

receive a second Interest packet having a name that includes a temporary symmetric key from the client device, wherein the temporary symmetric key is encrypted using the public key of the content-producing system;

generate a session identifier and an encryption key for the session with the client device;

generate an encrypted Content Object that satisfies the second Interest packet, and includes at least the session identifier, the encryption key for the session, and a digital certificate of the content-producing system, wherein the encrypted Content Object is encrypted using the temporary symmetric key from the client device, and wherein the encrypted Content Object is signed according to the digital certificate of the content-producing system;

return, via the CCN, the encrypted Content Object to satisfy the second Interest packet;

receiving a resume-setup third Interest packet that includes the session identifier and a public key certificate of the client device;

obtaining a decryption key;

decrypting the client device's public key certificate from the resume-setup third Interest packet, using the decryption key;

authenticating the client device using the public key certificates; and

in response to receiving a fourth Interest packet that includes a routable prefix associated with the content-producing system, the session identifier, and an encrypted name suffix storing a name for a piece of data or a service requested by the client device:
decrypt the encrypted name suffix of the fourth Interest packet's name, using the decryption key to obtain a plaintext name suffix; and

using the plaintext name suffix to obtain a piece of data that corresponds to the fourth Interest packet's name, encrypting the piece of data using the encryption key or a public key of the client device, and returning a Content Object that includes the encrypted piece of data over the CCN to satisfy the fourth Interest packet.
The apparatus of claim 11, wherein the content-producing system's encryption key and decryption key include one or more of:
a symmetric session key; and

an asymmetric public encryption key and private decryption key pair.
The apparatus of claim 11, wherein executing the instructions further cause the apparatus to generate the decryption key based on one or more of:
the session identifier; and

a secret value.
The apparatus of claim 11, wherein using the plaintext name suffix to obtain the piece of data involves:
obtaining the piece of data that corresponds to the fourth Interest packet's name from a local repository or via the CCN.