A content-producing computer system can use a locally generated key or a client-generated key to communicate with a client device during a session over a named-data network. During operation, the computer system can receive an Interest packet that includes a name for a piece of data or a service. The Interest's name can include a routable prefix, a session identifier, and an encrypted suffix. In some embodiments, the system generates a session key based on the session identifier and a secret value, and decrypts the encrypted suffix using the session key to obtain a plaintext suffix. The system processes the plaintext suffix to obtain the data requested by the Interest, and encrypts the data using the session key. In other embodiments, the system uses a local private key to decrypt the encrypted suffix, and uses an encryption key obtained from the Interest to encrypt the Content Object.
- 1. A computer-implemented method, the method comprising:
  receiving, by a content-producing system via a content-centric network (CCN), a first Interest packet having a name that includes a serialized public key or digital certificate having the public key from a client device;
  generating, by the content-producing system, a session identifier and a symmetric session key for a new session with the client device over the CCN;
  generating an encrypted Content Object that includes at least the session identifier, the symmetric session key, and a digital certificate for the content-producing system, wherein the encrypted Content Object is encrypted using the public key from the first Interest packet, and signed according to the digital certificate of the content-producing system; and
  returning the encrypted Content Object over the CCN to the client device;
  receiving a resume-setup second Interest packet that includes the session identifier and the digital certificate of the client device;
  decrypting the digital certificate using the symmetric session key;
  authenticating the client device using the digital certificate; and
  in response to receiving a third Interest packet with the session identifier:
    decrypting an encrypted name suffix of the third Interest packet's name, using the symmetric session key to obtain a plaintext name suffix; and
    using the plaintext name suffix to obtain a piece of data that corresponds to the third Interest packet's name, encrypting the piece of data using the symmetric session key, and returning a Content Object that includes the encrypted piece of data over the CCN.
- 2. The method of claim 1, wherein using the plaintext name suffix to obtain the piece of data involves:
  obtaining the piece of data that corresponds to the third Interest packet's name from a local repository or via the CCN.
- 3. The method of claim 1, wherein the session identifier is signed using a private key of the client device, and wherein authenticating the client device further involves using the client device's public key to authenticate the signed session identifier.
- 4. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method, the method comprising:
  receiving, by a content-producing system over a content-centric network (CCN), a first Interest packet having a name that includes a serialized public key or digital certificate having the public key from a client device;
  generating, by the content-producing system, a session identifier and a symmetric session key for a new session with the client device over the CCN;
  generating an encrypted Content Object that includes at least the session identifier, the symmetric session key, and a digital certificate for the content-producing system, wherein the encrypted Content Object is encrypted using the public key from the first Interest packet, and signed according to the digital certificate of the content-producing system; and
  returning the encrypted Content Object over the CCN to the client device;
  receiving a resume-setup second Interest packet that includes the session identifier and the digital certificate of the client device;
  decrypting the digital certificate using the symmetric session key;
  authenticating the client device using the digital certificate; and
  in response to receiving a third Interest packet that includes the session identifier:
    decrypting an encrypted name suffix of the third Interest packet's name, using the symmetric session key to obtain a plaintext name suffix; and
    using the plaintext name suffix to obtain a piece of data that corresponds to the third Interest packet's name, encrypting the piece of data using the symmetric session key, and returning a Content Object that includes the encrypted piece of data over the CCN.
- 5. The storage medium of claim 4, wherein using the plaintext name suffix to obtain the piece of data involves:
  obtaining the piece of data that corresponds to the third Interest packet's name from a local repository or via the CCN.
- 6. The storage medium of claim 4, wherein the session identifier is signed using a private key of the client device, and wherein authenticating the client device further involves using the client device's public key to authenticate the signed session identifier.
- 7. A computer-implemented method, the method comprising:
  receiving, by a content-producing system from a client device via a content-centric network (CCN), a first Interest packet that includes a name of a digital certificate of the content-producing system; and
  in response to receiving the first Interest packet:
    returning, via the content-centric network, a Content Object that includes the digital certificate of the content-producing system; and
    receiving a second Interest packet having a name that includes a temporary symmetric key from the client device, wherein the temporary symmetric key is encrypted using the public key of the content-producing system;
    generating, by the content-producing system, a session identifier and an encryption key for the session with the client device;
    generating an encrypted Content Object that satisfies the second Interest packet and includes at least the session identifier, the encryption key for the session, and a digital certificate of the content-producing system, wherein the encrypted Content Object is encrypted using the temporary symmetric key from the client device, and wherein the encrypted Content Object is signed according to the digital certificate of the content-producing system;
    returning the encrypted Content Object over the CCN to satisfy the second Interest packet;
    receiving a resume-setup third Interest packet that includes the session identifier and a public key certificate of the client device;
    obtaining a decryption key;
    decrypting the client device's public key certificate from the resume-setup third Interest packet, using the decryption key;
    authenticating the client device using the public key certificate; and
    in response to receiving a fourth Interest packet that includes a routable prefix associated with the content-producing system, the session identifier, and an encrypted name suffix storing a name for a piece of data or a service requested by the client device:
      decrypting the encrypted name suffix of the fourth Interest packet's name, using the decryption key to obtain a plaintext name suffix; and
      using the plaintext name suffix to obtain a piece of data that corresponds to the fourth Interest packet's name, encrypting the piece of data using the encryption key or a public key of the client device, and returning a Content Object that includes the encrypted piece of data over the CCN to satisfy the fourth Interest packet.
- 8. The method of claim 7, wherein the content-producing system's encryption key and decryption key include one or more of:
  a symmetric session key; and
  an asymmetric public encryption key and private decryption key pair.
- 9. The method of claim 7, wherein obtaining the decryption key involves generating the decryption key based on one or more of:
  the session identifier; and
  a secret value.
- 10. The method of claim 7, wherein using the plaintext name suffix to obtain the piece of data involves:
  obtaining the piece of data that corresponds to the fourth Interest packet's name from a local repository or via the CCN.
- 11. An apparatus to process an encrypted request received over a named-data network, the apparatus comprising:
  a processor; and
  a memory storing instructions that when executed by the processor cause the apparatus to:
    receive, from a client device via a content-centric network (CCN), a first Interest packet that includes a name of a digital certificate of a content-producing system; and
    in response to receiving the first Interest packet:
      return, via the content-centric network, a Content Object that includes the digital certificate of the content-producing system; and
      receive a second Interest packet having a name that includes a temporary symmetric key from the client device, wherein the temporary symmetric key is encrypted using the public key of the content-producing system;
      generate a session identifier and an encryption key for the session with the client device;
      generate an encrypted Content Object that satisfies the second Interest packet, and includes at least the session identifier, the encryption key for the session, and a digital certificate of the content-producing system, wherein the encrypted Content Object is encrypted using the temporary symmetric key from the client device, and wherein the encrypted Content Object is signed according to the digital certificate of the content-producing system;
      return, via the CCN, the encrypted Content Object to satisfy the second Interest packet;
      receive a resume-setup third Interest packet that includes the session identifier and a public key certificate of the client device;
      obtain a decryption key;
      decrypt the client device's public key certificate from the resume-setup third Interest packet, using the decryption key;
      authenticate the client device using the public key certificate; and
      in response to receiving a fourth Interest packet that includes a routable prefix associated with the content-producing system, the session identifier, and an encrypted name suffix storing a name for a piece of data or a service requested by the client device:
        decrypt the encrypted name suffix of the fourth Interest packet's name, using the decryption key to obtain a plaintext name suffix; and
        use the plaintext name suffix to obtain a piece of data that corresponds to the fourth Interest packet's name, encrypt the piece of data using the encryption key or a public key of the client device, and return a Content Object that includes the encrypted piece of data over the CCN to satisfy the fourth Interest packet.
- 12. The apparatus of claim 11, wherein the content-producing system's encryption key and decryption key include one or more of:
  a symmetric session key; and
  an asymmetric public encryption key and private decryption key pair.
- 13. The apparatus of claim 11, wherein executing the instructions further causes the apparatus to generate the decryption key based on one or more of:
  the session identifier; and
  a secret value.
- 14. The apparatus of claim 11, wherein using the plaintext name suffix to obtain the piece of data involves:
  obtaining the piece of data that corresponds to the fourth Interest packet's name from a local repository or via the CCN.
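The name-handling step that the abstract's first embodiment and claims 1, 7 and 9 describe, written out as an added example (this is not code from the patent or from its assignees): a producer that derives the session key from its secret value and the session identifier carried in the Interest name, authenticates and decrypts the encrypted suffix, looks the data up, and returns it encrypted under the same key. Everything concrete here is an assumption: the `Producer`, `interest_name`, `open_content` and `demo` names, the HMAC-SHA256 encrypt-then-MAC construction standing in for a real AEAD, the URL-safe base64 encoding of binary name components, the `|`-separated associated data, and the constructed repository and data bytes. The public-key setup exchange that delivers the session identifier and key to the client (claims 1 and 7) is not modelled.

```python
import base64
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 12, 16   # assumed sizes for the stand-in AEAD below

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream: a stand-in for a real AEAD
    # such as AES-GCM, chosen only to keep the example stdlib-only.
    out, block = bytearray(), 0
    while len(out) < length:
        out += _prf(key, nonce + block.to_bytes(4, "big"))
        block += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, where the tag also covers aad."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_prf(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + _prf(_prf(key, b"mac"), aad + nonce + ct)[:TAG_LEN]

def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Inverse of seal; raises ValueError unless the tag verifies under key and aad."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(_prf(_prf(key, b"mac"), aad + nonce + ct)[:TAG_LEN], tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_prf(key, b"enc"), nonce, len(ct))))

def enc_component(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")   # never contains '/'

def dec_component(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def aad_for(prefix: str, sid: bytes) -> bytes:
    # Binding prefix and session id into the tag stops a suffix being accepted elsewhere.
    return prefix.encode() + b"|" + sid

class Producer:
    def __init__(self, prefix: str, repository: dict):
        self.prefix, self.repository = prefix, repository   # plaintext suffix -> data bytes
        self.secret = secrets.token_bytes(32)               # the claim-9 "secret value"
        self.rejections = []                                # reason log for audit/detection

    def session_key(self, sid: bytes) -> bytes:
        # Claim 9 variant: key = PRF(secret value, session id); no per-session table needed.
        return _prf(self.secret, b"session-key|" + sid)

    def new_session(self):
        # Setup step: claims 1 and 7 return sid and key to the client inside a Content
        # Object encrypted under the client's public key; that leg is not modelled here.
        sid = secrets.token_bytes(16)
        return sid, self.session_key(sid)

    def handle_interest(self, name: str):
        """Return an encrypted Content Object for the Interest name, or None if rejected."""
        parts = name.rsplit("/", 2)   # routable prefix / session id / encrypted suffix
        if len(parts) != 3 or parts[0] != self.prefix:
            self.rejections.append("prefix")
            return None
        try:
            sid, enc_suffix = dec_component(parts[1]), dec_component(parts[2])
            key = self.session_key(sid)
            suffix = unseal(key, enc_suffix, aad_for(self.prefix, sid)).decode("utf-8")
        except ValueError:            # bad encoding, bad tag or bad UTF-8: one outcome
            self.rejections.append("auth")
            return None
        data = self.repository.get(suffix)
        if data is None:
            self.rejections.append("not-found")
            return None
        return seal(key, data, aad_for(self.prefix, sid) + b"|content")

def interest_name(prefix: str, sid: bytes, key: bytes, suffix: str) -> str:
    """Client side: hide the requested suffix under the session key."""
    enc = seal(key, suffix.encode("utf-8"), aad_for(prefix, sid))
    return "/".join([prefix, enc_component(sid), enc_component(enc)])

def open_content(prefix: str, sid: bytes, key: bytes, blob: bytes) -> bytes:
    return unseal(key, blob, aad_for(prefix, sid) + b"|content")

def demo() -> dict:
    producer = Producer("/example/video", {"movies/cat.mp4": b"constructed sample bytes"})
    sid, key = producer.new_session()
    name = interest_name(producer.prefix, sid, key, "movies/cat.mp4")
    result = {"data": open_content(producer.prefix, sid, key, producer.handle_interest(name))}
    prefix, sid_c, suf_c = name.rsplit("/", 2)
    other_sid, _ = producer.new_session()   # same encrypted suffix under another session
    result["cross_session"] = producer.handle_interest("/".join([prefix, enc_component(other_sid), suf_c]))
    raw = bytearray(dec_component(suf_c))
    raw[NONCE_LEN] ^= 0x01                  # one ciphertext byte changed in flight
    result["tampered"] = producer.handle_interest("/".join([prefix, sid_c, enc_component(bytes(raw))]))
    result["missing"] = producer.handle_interest(interest_name(producer.prefix, sid, key, "movies/none.mp4"))
    result["name_hides_suffix"] = "cat.mp4" not in name
    result["rejections"] = list(producer.rejections)
    return result
```

Two details are worth carrying into a real implementation. The routable prefix and session identifier are bound into the authentication tag, so an encrypted suffix lifted from one name is rejected under any other prefix or session, and the producer records the reason for each rejection so that a burst of authentication failures on a prefix is visible to monitoring. Because the suffix is sealed with a fresh nonce per Interest, two requests for the same data produce different wire names, so an in-network cache cannot serve the second from the first; that is the price of keeping the requested name confidential, and a deployment that wants cacheability must trade some of that confidentiality for a deterministic encoding.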
- Assignees / applicants: Cisco Technology Inc (Feb 10 2017); Cisco Systems Inc (Jan 10 2017); Palo Alto Research Center Incorporated (Feb 06 2014); Palo Alto Res Ct Inc
- Classifications: H04L63/0428, H04L63/062, H04L67/146, H04L67/327, H04L9/0816, H04L9/3247
- Publication: Dec 27, 2016
- Application: Feb 6, 2014, US 201414174729 A
- Priority: Feb 6, 2014, US 201414174729 A