One embodiment provides a system that facilitates a secure encryption proxy in a content centric network. During operation, the system receives, by an intermediate router from a content-consuming computing device, a first interest that includes a first name, signaling information encrypted based on a signaling key, and an inner interest encrypted based on an encryption key. The inner interest includes a name for a manifest that represents a collection of data. The intermediate router does not possess the encryption key. The system generates one or more interests for the data represented by the manifest. The system transmits to the content-consuming computing device a content object received in response to a generated interest, wherein the intermediate router transmits the responsive content object without receiving a corresponding interest from the content-consuming computing device, thereby facilitating reduced network traffic between the content-consuming computing device and the intermediate router.
-
A computer system, comprising:
a processor; and
a storage device storing instructions that when executed by the processor cause the processor to perform a method, the method comprising:
receiving, by an intermediate router from a content-consuming computing device, a first interest that includes a first name, signaling information encrypted based on a signaling key, and an inner interest encrypted based on an encryption key, wherein the inner interest includes a name for a manifest that represents a collection of data, wherein the intermediate router does not possess the encryption key;
generating one or more interests for the data represented by the manifest, wherein a generated interest has a name that corresponds to a numbered chunk of the data represented by the manifest;
transmitting to the content-consuming computing device a content object received in response to a generated interest,
wherein the intermediate router transmits the responsive content object without receiving a corresponding interest from the content-consuming computing device, thereby facilitating reduced network traffic between the content-consuming computing device and the intermediate router.
- The computer system of claim 1, wherein the intermediate router acts as an encryption performance enhancing proxy between the content-consuming computing device and a replica device, wherein the content-consuming computing device and the intermediate router communicate over an air interface, and wherein the intermediate router and the replica device communicate over a wired link.
-
The computer system of claim 1, wherein the first interest further includes an authentication token which is based on an authentication key, the encrypted signaling information, the encrypted inner interest, and data associated with the encrypted inner interest and the first interest, wherein the method further comprises:
authenticating the first interest by verifying the authentication token based on the authentication key and the associated data; and
decrypting the signaling information included in the first interest based on the signaling key.
-
The computer system of claim 1, wherein the method further comprises:
in response to transmitting the first interest to a replica device, receiving a first content object with signaling information encrypted based on the signaling key and that indicates an end chunk number,
wherein generating the one or more interests further involves generating a number of interests equal to the end chunk number.
-
The computer system of claim 1, wherein the method further comprises:
in response to transmitting a generated interest to a replica device, receiving a responsive content object with a name that corresponds to a numbered chunk of the data represented by the manifest, wherein a numbered chunk corresponds to:
a chunk created by a content producing device based on a division of a concatenation of the data represented by the manifest; or
data for a leaf or a content object indicated in the manifest.
-
The computer system of claim 1, wherein the method further comprises:
in response to receiving one or more interests from the content-consuming computing device, forwarding the received interests, wherein a received interest indicates a name for a branch of the manifest; and
transmitting to the content-consuming computing device a content object received in response to a forwarded interest.
-
The computer system of claim 1, wherein the method further comprises:
receiving a second interest that includes the first name, signaling information encrypted based on the signaling key and that indicates the manifest name, data encrypted based on the encryption key, and an authentication token based on the authentication key; and
authenticating the second interest by verifying the authentication token based on the authentication key,
wherein a generated interest of the one or more interests includes signaling information that indicates a request for a leaf of the manifest, and
wherein the content object received in response to the generated interest includes data corresponding to the requested manifest leaf.
-
The computer system of claim 1, wherein the method further comprises:
obtaining the signaling key and the authentication key based on a key exchange protocol which is based on one or more of:
a content centric network, wherein the intermediate router is known to the content-consuming computing device; and
a dynamic proxy discovery, wherein the intermediate router is not known to the content-consuming computing device, wherein the method further comprises:
updating an interest received during a second round of communication in the key exchange protocol based on the content centric network by adding a key share of the intermediate router to the interest; and
transmitting the updated interest to a replica device, which allows the replica device to return to the content-consuming computing device a responsive content object that includes the key share of the replica device and the key share of the intermediate router.
-
The computer system of claim 1, wherein a name is a hierarchically structured variable length identifier that includes contiguous name components ordered from a most general level to a most specific level, wherein the name further includes one or more of:
a routable name prefix for a replica device that hosts content;
a session identifier;
a transaction identifier; and
a chunk number.
-
The computer system of claim 1, wherein the method further comprises:
receiving or generating a first alert message which is one or more of:
a close message that indicates a shutdown of a transaction associated with the transaction identifier or a shutdown of a session associated with the session identifier; and
an error message that indicates an error; and
receiving a second alert message which is one or more of:
a rekey message that indicates a request from the content-consuming computing device or a replica device to establish a new set of session keys; and
a keepalive message from the content-consuming computing device or the replica device that allows a receiving entity to return a message to a sending entity outside of the generated interests or a received content object.
-
A computer system, comprising:
a processor; and
a storage device storing instructions that when executed by the processor cause the processor to perform a method, the method comprising:
generating, by a content-consuming computing device, a first interest that includes a first name, signaling information encrypted based on a signaling key, and an inner interest encrypted based on an encryption key,
wherein the inner interest includes a name for a manifest that represents a collection of data;
in response to transmitting the first interest to an intermediate router, receiving one or more content objects, wherein a received content object includes a name that corresponds to a numbered chunk of the data represented by the manifest,
wherein the content-consuming computing device is not required to transmit one or more corresponding interests for the one or more content objects, thereby facilitating reduced network traffic between the content-consuming computing device and the intermediate router.
-
The computer system of claim 11, wherein a received content object includes an authentication token which is based on an authentication key, the encrypted signaling information, the encrypted inner interest, and data associated with the encrypted inner interest and the first interest, wherein the method further comprises:
authenticating a received content object by verifying the authentication token based on the authentication key and the associated data;
decrypting the signaling information included in the received content object based on the signaling key; and
decrypting encrypted data or the inner interest that is included in the received content object based on the encryption key.
-
The computer system of claim 11, wherein a numbered chunk of the data represented by the manifest corresponds to:
a chunk created by a content producing device based on a division of a concatenation of the data represented by the manifest; or
data for a leaf or a content object indicated in the manifest.
-
The computer system of claim 11, wherein the method further comprises:
generating one or more interests, wherein a name for a generated interest indicates a name for a branch of the manifest; and
receiving a content object in response to a generated interest.
-
The computer system of claim 11, wherein the method further comprises:
generating a second interest that includes the first name, signaling information encrypted based on the signaling key and that indicates the manifest name, data encrypted based on the encryption key, and an authentication token based on the authentication key; and
in response to transmitting the second interest to the intermediate router, receiving one or more transport content objects, wherein a received transport content object includes signaling information that indicates a request for a leaf of the manifest, and data corresponding to the requested manifest leaf.
-
The computer system of claim 11, wherein the method further comprises:
obtaining the encryption key, the signaling key, and the authentication key based on a key exchange protocol which is based on one or more of:
a content centric network, wherein the intermediate router is known to the content-consuming computing device; and
a dynamic proxy discovery, wherein the intermediate router is not known to the content-consuming computing device, wherein the method further comprises:
updating, by the intermediate router, an interest received during a second round of communication in the key exchange protocol based on the content centric network by adding a key share of the intermediate router to the interest; and
transmitting, by the intermediate router, the updated interest to a replica device, which allows the replica device to return to the content-consuming computing device a responsive content object that includes the key share of the replica device and the key share of the intermediate router; and
receiving, by the content-consuming computing device, the responsive content object that includes the key share of the replica device and the key share of the intermediate router.
-
The computer system of claim 11, wherein a name is a hierarchically structured variable length identifier that includes contiguous name components ordered from a most general level to a most specific level, wherein the name further includes one or more of:
a routable name prefix for a replica device that hosts content;
a session identifier;
a transaction identifier; and
a chunk number,
wherein the method further comprises:
receiving or generating an alert message which is one or more of:
a close message that indicates a shutdown of a transaction associated with the transaction identifier or a shutdown of a session associated with the session identifier;
an error message that indicates an error;
a rekey message that indicates a request from the content-consuming computing device or a replica device to establish a new set of session keys; and
a keepalive message from the content-consuming computing device or the replica device that allows a receiving entity to return a message to a sending entity outside of the generated interests or a received content object.
-
A computer system, comprising:
a processor; and
a storage device storing instructions that when executed by the processor cause the processor to perform a method, the method comprising:
receiving, by a replica device, a first interest that includes a first name, signaling information encrypted based on a signaling key, an inner interest encrypted based on an encryption key, and an authentication token based on an authentication key,
wherein the inner interest includes a name for a manifest that represents a collection of data;
authenticating the first interest by verifying the authentication token based on the authentication key; and
generating a first content object that includes signaling information encrypted based on the signaling key and that indicates an end chunk number that corresponds to a number of chunks comprising the data represented by the manifest,
wherein the first content object further includes data represented by the manifest and that is encrypted based on the encryption key.
-
The computer system of claim 18, wherein the method further comprises:
in response to receiving a subsequent interest with a name that corresponds to a numbered chunk of the data represented by the manifest, generating a subsequent content object with data that corresponds to the numbered chunk, wherein a numbered chunk corresponds to:
a chunk created by a content producing device based on a division of a concatenation of the data represented by the manifest; or
data for a leaf or a content object indicated in the manifest.
-
The computer system of claim 19, wherein the method further comprises:
receiving a second interest that includes the first name, signaling information encrypted based on the signaling key and that indicates the manifest name, data encrypted based on the encryption key, and an authentication token based on the authentication key; and
authenticating the second interest by verifying the authentication token based on the authentication key,
wherein a received subsequent interest includes signaling information that indicates a request for data represented by the manifest, and
wherein a generated subsequent content object includes signaling information that indicates the data represented by the manifest.
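The key separation in claims 1, 3, 4 and 18, sketched as an added Python example that is not code from the patent: the proxy holds the signaling and authentication keys, verifies the token over the ciphertexts, reads the end chunk number, and builds the chunk interest names without ever holding the encryption key. The stand-in keystream cipher, the JSON signaling fields, the name layout and chunk numbering from 1 are assumptions made for illustration.

```python
import hashlib, hmac, json, os

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 keystream), an assumption; a real system would use an AEAD.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, plaintext)

def unseal(key, blob):
    return _xor_stream(key, blob[:16], blob[16:])

def make_token(auth_key, name, enc_signaling, enc_inner):
    # Length-prefix every field so field boundaries cannot be shifted.
    parts = (name.encode(), enc_signaling, enc_inner)
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(auth_key, msg, hashlib.sha256).digest()

def build_message(name, signaling, inner, k_sig, k_enc, k_auth):
    """Consumer or replica: encrypt both parts, then authenticate the ciphertexts."""
    enc_sig = seal(k_sig, json.dumps(signaling).encode())
    enc_inner = seal(k_enc, inner)
    return {"name": name, "sig": enc_sig, "inner": enc_inner,
            "token": make_token(k_auth, name, enc_sig, enc_inner)}

def proxy_read_signaling(msg, k_sig, k_auth):
    """Proxy: verify the token first, then decrypt only the signaling part."""
    expected = make_token(k_auth, msg["name"], msg["sig"], msg["inner"])
    if not hmac.compare_digest(expected, msg["token"]):
        raise ValueError("authentication token mismatch")
    return json.loads(unseal(k_sig, msg["sig"]))

def proxy_prefetch_names(first_content_object, k_sig, k_auth):
    """Proxy: one interest name per chunk, up to the signaled end chunk number."""
    end = proxy_read_signaling(first_content_object, k_sig, k_auth)["end_chunk"]
    base = first_content_object["name"]
    return [f"{base}/chunk={n}" for n in range(1, end + 1)]

# Constructed demo values; in the claims the keys come from a key exchange protocol.
K_SIG, K_ENC, K_AUTH = (os.urandom(32) for _ in range(3))
NAME = "/replica/prefix/sid=7/tid=1"  # constructed: prefix, session id, transaction id
interest = build_message(NAME, {"op": "get"}, b"/producer/video/manifest", K_SIG, K_ENC, K_AUTH)
reply = build_message(NAME, {"end_chunk": 3}, b"first chunk payload", K_SIG, K_ENC, K_AUTH)
```

Because the token covers the ciphertexts, the proxy can reject a modified inner interest even though it cannot decrypt it.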
- Cisco Technology Inc (Feb 10 2017)
- Cisco Systems Inc (Jan 10 2017)
- Palo Alto Research Center Incorporated (May 13 2016)
- Cisco Tech Inc
- G06F11/327
- G06F9/442
- H04L63/0428
- H04L63/0464
- H04L63/061
- H04L63/062
- Publication: Nov 16, 2017
- Application: May 13, 2016, US 201615154825 A
- Priority: May 13, 2016, US 201615154825 A