CONTENT ROUTER, METHOD IMPLEMENTED IN A NETWORK DEVICE AND APPARATUS
Abstract:
Method and apparatus for using identity information for digital signing and encryption to provide content integrity and authenticity in content-oriented networks. A content router comprising storage configured for caching, in a content-oriented network (CON), a content object with a signature signed by a publisher based on an identity known to a subscriber; and a transmitter coupled to the storage and configured to forward the content object with the signature to the subscriber upon a request from the subscriber, wherein the subscriber uses the signature to verify one of the content object's integrity and the content object's authenticity based on the known identity, without verifying trust in a publisher key for the publisher, and wherein the known identity carries the trust in the publisher and does not require a trust check of the publisher.
Publication number: BR112013016797B1. Application number: R112013016797-1. Filing date: 2011-12-09. Publication date: 2019-09-24. Inventors: Xinwen Zhang; Guangyu Shi. Applicant: Huawei Technologies Co., Ltd. Main IPC class:
Description:
CONTENT ROUTER, METHOD IMPLEMENTED IN A NETWORK DEVICE AND APPARATUS
FIELD OF THE INVENTION
[001] The present invention relates to communication networks and, more particularly, to content-oriented networks.
BACKGROUND
[002] In a content-oriented network (CON), a content router is responsible for routing user requests and content to the appropriate recipients. In a CON, a name that is unique across the domain is assigned to each entity that is part of the content delivery structure. Entities can comprise data content, such as video clips or web pages, and / or infrastructure elements, such as routers, switches or servers. The content router uses name prefixes, which can be full content names or proper content name prefixes, rather than network addresses, for routing content packets in the content network.
[003] In CONs, content delivery, including publishing, requesting and management (for example, modification, deletion, etc.), can be based on the content name and not on the content location. One aspect in which CONs may differ from traditional Internet Protocol (IP) networks is the ability of CONs to interconnect multiple geographic points and to cache content temporarily or on a more persistent basis. This can allow content to be served from the network rather than from an origin server, and thus can substantially improve the user experience.
Petition 870180064312, of 25/07/2018, p. 51/106
SUMMARY
[004] In one embodiment, the disclosure includes a content router comprising storage configured for caching, in a content-oriented network (CON), a content object with a signature signed by a publisher based on an identity known to a subscriber; and a transmitter coupled to the storage and configured to forward the content object with the signature upon a request from the subscriber, wherein the subscriber uses the signature to verify one of the content object's integrity and the content object's authenticity based on the known identity, without checking a publisher key for the publisher, and wherein the known identity carries the trust in the publisher and does not require a trust check of the publisher.
[005] In another embodiment, the disclosure includes a network component comprising a receiver in a content router configured to receive, from a publisher, content encrypted using a master key (MK) generated by a private key generator (PKG), and to receive encrypted content from a cache in a CON; and a transmitter configured to send the encrypted content to the cache and to send the encrypted content from the cache to a subscriber, who decrypts the encrypted content using a private key obtained using an identity associated with the publisher or the content and a master secret key (MSK) generated by the PKG.
[006] In a third aspect, the disclosure includes a method implemented in a network device, comprising receiving a content object with a signature signed by a publisher using a private key obtained from a publicly known identity in a CON, storing the content object with the signature in the CON, and, upon receiving a content request, forwarding the content object with the signature to a subscriber that verifies the signature using the identity publicly known in the CON.
[007] These and other features will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings and claims.
BRIEF DESCRIPTION OF THE DRAWINGS
[008] For a more complete understanding of this disclosure, reference is now made to the following brief description, taken in connection with the accompanying drawings and detailed description, in which like reference numbers represent like parts.
[009] Figure 1 is a schematic diagram of an embodiment of a CON.
[0010] Figure 2 is a schematic diagram of an embodiment of a content authentication scheme.
[0011] Figure 3 is a schematic diagram of another embodiment of a content authentication scheme.
[0012] Figure 4 is a schematic diagram of an embodiment of a content encryption scheme.
[0013] Figure 5 is a schematic diagram of another embodiment of a content encryption scheme.
[0014] Figure 6 is a schematic diagram of an embodiment of a hybrid content authentication scheme.
[0015] Figure 7 is a schematic diagram of an embodiment of a content metadata format.
[0016] Figure 8 is a flow chart of an embodiment of a content authentication method.
[0017] Figure 9 is a flow chart of an embodiment of a content encryption method.
[0018] Figure 10 is a schematic diagram of an embodiment of a network unit.
[0019] Figure 11 is a schematic diagram of an embodiment of a general-purpose computer system.
DETAILED DESCRIPTION
[0020] It should be understood at the outset that, although an illustrative implementation of one or more embodiments is provided below, the disclosed systems and / or methods can be implemented using any number of techniques, whether currently known or in existence.
The disclosure is in no way limited to the illustrative implementations, drawings and techniques illustrated below, including the example designs and implementations illustrated and described here, but may be modified within the scope of the appended claims along with their full scope of equivalents.
[0021] A user may not access the origin server to retrieve a content object in the CON. As such, ensuring content integrity (that is, ensuring that the content has not been altered by a third party) and authenticity (that is, ensuring that the content originates from the publisher to which it is attributed) can become necessary. A digital signature is a general approach for providing content integrity and authenticity in a CON. Typically, a content publisher signs a content object with the publisher's private key. The signature can be attached to the content or distributed separately through the CON. When a subscriber receives the content, the subscriber verifies the integrity of the content using the publisher's public key. The prerequisite of this mechanism is that a subscriber needs to obtain the publisher's public key, which can be distributed in the CON, as suggested for network architectures such as content-centric networking (CCN) / named data networking (NDN). However, trusting a publisher's public key may in turn require verification with another public key, usually a public certificate issued by a globally trusted certificate authority (CA).
[0022] Disclosed here are a system and method for using a content identity for signing and verifying the integrity and authenticity of a content object in the CON. The content identity can also be used as part of an encryption scheme to protect the privacy of the content object in the CON. The identity can be the name or partial name (prefix) of the content, which can be part of the content metadata. Alternatively, the identity can be an identity of the content publisher.
In this case, the identity can be any publicly unique identifier (id) of the publisher (for example, an e-mail address or a phone number), which need not be the publisher's public key. The identity can also be a locally unique identity, for example, a user or department name in an organization. Using the content or publisher identity can relieve a subscriber of the burden of obtaining and verifying trust in a publisher's public key, since trust is built on a known identity of a content object or publisher. Binding trust to a content object, for example, through the content name, instead of binding trust in a content object to its publisher, can apply to a plurality of real-world application scenarios.
[0023] Figure 1 illustrates an embodiment of a CON 100, where content can be routed based on name prefixes and delivered to consumers based on requests. CON 100 may comprise a network domain 110 comprising a plurality of nodes, such as an Internet Protocol (IP) domain, a multiprotocol label switching (MPLS) domain, or an Ethernet domain. The network domain 110 may comprise a plurality of internal nodes 112 and a plurality of content routers 114, which can be coupled to each other via network links, for example, fixed connections. Content routers 114 can be coupled to a plurality of consumer nodes 120, through a plurality of access networks 140, and to a plurality of consumer sites 150, as shown in figure 1. Communications between the content routers 114, consumer nodes 120, access networks 140 and consumer sites 150 are indicated by dashed lines in figure 1. CON 100 can also comprise a management plane 160 that can communicate with internal nodes 112 and / or content routers 114 (indicated by lines with solid arrows in figure 1).
[0024] Internal nodes 112 can be any nodes, devices or components that support the transport of traffic, for example, frames and / or packets, through CON 100. Internal nodes 112 can pass traffic to or receive traffic from other nodes in the same network domain 110. For example, internal nodes 112 can be routers, switches or bridges, such as backbone core bridges (BCBs), provider core bridges (PCBs), or label switch routers (LSRs). Internal nodes 112 can also be content routers 114 that forward content based on content name prefixes. Content routers 114 can be any nodes, devices or components that support the transport of traffic between network domain 110 and external components. Content routers 114 can be edge nodes that forward content traffic from internal nodes 112 to consumer nodes 120 and / or consumer sites 150, for example, based on consumer request or demand. Content routers 114 can also receive content requests from consumer nodes 120. For example, content routers can be routers or bridges, such as backbone edge bridges (BEBs), provider edge bridges (PEBs), or label edge routers (LERs), that forward content based on content name prefixes. Internal nodes 112 and / or content routers 114 can comprise or be coupled to a plurality of content servers that store or cache content, which can be provided to consumers or subscribers, for example, on demand.
[0025] Consumer nodes 120 can be nodes, devices or components configured to deliver content to a user or consumer and to receive content requests from the user. For example, consumer nodes 120 can be devices for fixed or mobile users, such as desktop computers, notebook computers, personal digital assistants (PDAs) or cell phones. Alternatively, consumer nodes 120 can be connectivity devices at consumer premises, such as modems or set-top boxes.
Consumer nodes 120 may also comprise consumer equipment (not shown) that can be configured to receive content from content routers 114, via access networks 140, and distribute the content to a plurality of consumers. For example, consumer nodes 120 may comprise optical network units (ONUs) and / or very high bit rate digital subscriber line (VDSL) transceiver units at residential locations (VTU-Rs). Access networks 140 can be any networks that provide access to the content in CON 100, such as virtual private networks (VPNs). Consumer sites 150 can be any sites or office environments configured to receive content from content routers 114 and to send content to corresponding consumer nodes 120 via access networks 140. Consumer sites 150 can also receive content requests from consumer nodes 120 and send content requests to content routers 114.
[0026] CON 100 can be configured to guarantee data integrity for a plurality of users associated with consumer nodes 120 and / or consumer sites 150. To provide data integrity, content can be received and cached with a signature from a publisher. The signature can then be verified by a subscriber to determine the integrity of the content. The publisher and the subscriber can use a public / private key pair to sign and verify the content, respectively. Typically, the public / private key pair is provided by a public key infrastructure (PKI). This scheme may require distribution of the public key to subscribers and the use of an additional verification mechanism by subscribers to trust the public key, for example, using certificates from a CA. To avoid this additional mechanism, an identity-based signature scheme can be used instead to ensure the integrity of content in CON 100. Accordingly, an identity associated with the publisher or the content that is known to the subscriber can be received and cached with the content.
The subscriber can then receive the known identity with the content and recognize the identity to determine content integrity, without requiring additional identity or key distribution and / or trust mechanisms. Additionally, to provide data security and privacy, the identity can be used to decrypt content that is encrypted without using additional encryption key distribution and / or trust mechanisms, as described in detail below.
[0027] The identity associated with the publisher or the content and known to the subscriber can be a global or local public identity of the publisher, or it can be a name or a name prefix of the content or content object. This identity can have an existing, established trust with the system infrastructure, for example, the organization of the publisher and subscriber, or a global name or address system. For example, the identity can be an e-mail address, a phone number, a department name, or any other identity that is known to the system's infrastructure. As such, the subscriber can use the identity to verify content integrity and authenticity without relying on extra trusted infrastructure, such as a PKI and / or a CA.
[0028] Figure 2 illustrates an embodiment of a content authentication scheme 200 for ensuring content integrity and authenticity for users of a CON. The content authentication scheme 200 can be implemented in a CON 210, which can be similar to CON 100. CON 210 can comprise a plurality of internal nodes 212 and content routers 214, which can be configured similarly to internal nodes 112 and content routers 114, respectively. Content routers 214 can be coupled to a plurality of consumer nodes / sites 250, similar to consumer nodes 120 / consumer sites 150, for example, through a plurality of access networks (not shown). Consumer nodes / sites 250 can be configured to publish / subscribe to content in CON 210. CON 210
can also comprise or be coupled to a PKG 270 that can be configured to generate a plurality of private keys for a plurality of content publishers.
[0029] In the content authentication scheme 200, each consumer node / site 250 may use general algorithms or functions, such as for content signing, content publishing, content subscribing and content verifying, as described below. The algorithms or functions can be any cryptographic algorithms or functions known or used in existing CONs, for example, using algorithm libraries such as OpenSSL. Each user or consumer node / site 250 that can be a publisher can also have a public identity (p-id), which can be used to obtain a private key for the publisher (pr-p) for content signing. The public identity (p-id) can also be known to and used by a subscriber to verify the content. For example, the public identity can be a publicly known identity associated with the publisher, such as the publisher's e-mail address, phone number or organization name, a locally unique identity (for example, a user or department name in an organization), or any other publisher identity that is known to a subscriber in CON 210.
[0030] For example, a first consumer node / site 250 can be a publisher that publishes content for a user in CON 210, through a content router 214. The publisher can authenticate with PKG 270 using the public identity (p-id) to obtain the private key (pr-p), which is then kept secret by the publisher. PKG 270 can generate a system-wide public parameter, or master key (MK), and a private parameter, or master secret key (MSK), for example, using the Setup: Generate(MK, MSK) algorithm / function. The MK / MSK can be generated as part of a PKG 270 setup operation. For example, when PKG 270 starts or goes online, PKG 270 can run a setup to generate MK and MSK before handling any consumer requests.
MK can also be published in CON 210, for example, using the Publish(MK) algorithm / function, without distributing the MSK.
[0031] Subsequently, the publisher can request from PKG 270 a private key for signing the publisher's content using the p-id, for example, using the GetPrk(p-id) algorithm / function. PKG 270 can then use the MSK and the p-id to generate pr-p, for example, using the GeneratePrk(MSK, p-id) algorithm / function. The generation of MK and MSK using Setup: Generate(MK, MSK) and the retrieval of pr-p using GetPrk(p-id) can be performed only once by PKG 270 and the publisher, respectively, for example, offline and independently of the content publishing process (indicated by the solid arrow lines in figure 2). The publisher can then sign a content object, for example, using the Sign(pr-p, m) algorithm / function, and publish the content with the signature (s) using the p-id, for example, using the Publish(m, name, p-id, s) algorithm / function. The signature (s) can be part of the metadata of the cached or stored content. In some embodiments, the publisher's public identity (p-id) can also be included as part of the content metadata. The published content can then be forwarded through the content router 214 and stored or cached in CON 210.
[0032] A second consumer node / site 250 that can be a subscriber can then obtain the content from CON 210. The second consumer node / site 250 can subscribe to the content with the same content router 214 or with another one, for example, using the Subscribe(m, name) algorithm / function. The publisher's p-id can be known to the subscriber or can be obtained from the content metadata.
Specifically, the subscriber can obtain MK from PKG 270, for example, using the GetMK algorithm / function, and then verify the integrity and authenticity of the signed content by checking the signature (s) using the p-id and MK, for example, using the Verify(p-id, MK, m, s) algorithm / function. The subscriber can obtain MK from PKG 270 using GetMK only once, for example, offline and independently of the content publishing process (indicated by the solid arrow lines in figure 2). In some scenarios, the subscriber can verify the integrity of the signed content by first generating a public key for the publisher (pb-p), for example, using the GeneratePbK(MK, p-id) algorithm / function, and then verifying the content based on pb-p, for example, using Verify(pb-p, m, s). This is equivalent to using Verify(p-id, MK, m, s), since pb-p is generated internally by the subscriber and is a function of p-id and MK.
[0033] In the content authentication scheme 200, the setup operation for generating MK and MSK can be a one-time operation, for example, performed only once. For example, the MK / MSK parameters can be common parameters for all entities (publishers and subscribers) in the system. The GetPrk operation can be a one-time operation for the publisher and used to sign all content from the same publisher. The GetMK operation can be a one-time operation for the subscriber, since it does not depend on a particular publisher or content object. The GeneratePrk() operation can also be a one-time operation for a single identity, for example, the publisher. Also, retrieving the private key for the publisher (pr-p) from PKG 270 may require a secure channel between the publisher and PKG 270. However, retrieving MK from PKG 270 may not require a secure channel between the subscriber and PKG 270.
[0034] Figure 3 illustrates an embodiment of another content authentication scheme 300 for guaranteeing content integrity and authenticity for users of a CON. The content authentication scheme 300 can be implemented in a CON 310, which can be similar to CON 100. CON 310 can comprise a plurality of internal nodes 312 and content routers 314, which can be configured similarly to internal nodes 112 and content routers 114, respectively. Content routers 314 can be coupled to a plurality of consumer nodes / sites 350, similar to consumer nodes 120 / consumer sites 150, for example, through a plurality of access networks (not shown). Consumer nodes / sites 350 can be configured for publishing / subscribing to content in CON 310. CON 310 can also comprise or be coupled to a PKG 370, which can be configured to generate a plurality of private keys for content publishers. CON 310 can also comprise or be coupled to a content name registration service (NRS) 380, which can be configured to register a plurality of content names for publishers. Content names can be selected by the publishers. NRS 380 can be a local or global entity in a publisher organization, and can obtain from PKG 370 a plurality of private keys for publishers (pr-m) associated with the publishers' registered content names. NRS 380 can verify that a content name from a publisher is new and not previously registered before registering the content name and obtaining a private key for the publisher associated with or corresponding to the registered content name.
[0035] In the content authentication scheme 300, each consumer node / site 350 can use general algorithms or functions, such as for content signing, content publishing, content subscribing and content verifying, as described below.
The algorithms or functions can be any cryptographic algorithms or functions known or used in existing CONs, for example, using algorithm libraries such as OpenSSL. Each user or consumer node / site 350 can obtain a private key for the publisher (pr-m) for content signing, based on the content name or prefix (name). The content name or prefix can be known to and used by a subscriber to verify the content.
[0036] For example, a first consumer node / site 350 can be a publisher that publishes content for a user in CON 310, through a content router 314. The publisher can select the content name and register the content name with NRS 380, for example, using the RegisterName(name) algorithm / function. NRS 380 can then obtain a corresponding private key for the publisher (pr-m) from PKG 370, for example, using the GetPrk(name) algorithm / function. Similarly to PKG 270, PKG 370 can generate a system-wide public parameter, or master key (MK), and a private parameter, or master secret key (MSK), for example, using the Setup: Generate(MK, MSK) algorithm / function. The MK / MSK can be generated as part of a PKG 370 setup operation, for example, at startup, before handling any consumer requests. MK can also be published in CON 310, for example, using the Publish(MK) algorithm / function, without distributing the MSK.
[0037] Subsequently, NRS 380 can request from PKG 370 a private key for signing the publisher's content using GetPrk(name), as described above. PKG 370 can then use the MSK and the content name or prefix to generate pr-m, for example, using the GeneratePrk(MSK, name) algorithm / function. The generation of MK and MSK using Setup: Generate(MK, MSK) and the retrieval of pr-m using GetPrk(name) can be performed only once by PKG 370 and the publisher, respectively, for example, offline and independently of the content publishing process (indicated by the solid arrow lines in figure 3).
The publisher can then sign a content object, for example, using the Sign(pr-m, m) algorithm / function, and publish the content with the signature (s) using the Publish(m, name, s) algorithm / function. The signature (s) can be part of the metadata of the cached or stored content. The published content can then be forwarded by the content router 314 and stored or cached in CON 310.
[0038] A second consumer node / site 350 that can be a subscriber can then obtain the content from CON 310. The second consumer node / site 350 can subscribe to the content with the same content router 314 or with another one, for example, using the Subscribe(m, name) algorithm / function. Specifically, the subscriber can obtain MK from PKG 370, for example, using the GetMK algorithm / function, and then verify the integrity and authenticity of the signed content by checking the signature (s) using the content name or prefix and MK, for example, using the Verify(name, MK, m, s) algorithm / function. The subscriber can obtain MK from PKG 370 using GetMK only once, for example, offline and independently of the content publishing process (indicated by the solid arrow lines in figure 3). The subscriber may not need to authenticate with PKG 370 to obtain MK. In some scenarios, the subscriber can verify the integrity of the signed content by first generating a public key for the publisher (pb-p), for example, using the GeneratePbK(MK, name) algorithm / function, and then verifying the content based on pb-p, for example, using Verify(pb-p, m, s). This is equivalent to using Verify(name, MK, m, s), since pb-p is generated internally by the subscriber and is a function of the content name or prefix and MK.
[0039] The different operations and parameters used in the content authentication scheme 300 can be implemented in a similar way as in the content authentication scheme 200.
The content authentication scheme 300 can also implement a plurality of flexible security policies that can be supported with identity-based signatures. Security policies can include signing multiple content objects that have the same name or prefix with the same private key generated based on the name or prefix. This can enable delegated signing, for example, where a publisher can delegate its signing operation to another user or service in an organization. Security policies can also allow a subscriber to use the same identity to verify content that is published by a group or a plurality of publishers using the same name or prefix. In addition, multiple identities can be used to sign a single content object, for example, using different names or prefixes, or multiple publisher ids or known identities, such as e-mail addresses or phone numbers.
[0040] Figure 4 illustrates an embodiment of a content encryption scheme 400 for protecting content and guaranteeing security and privacy for users of a CON. The content encryption scheme 400 can be implemented in a CON 410, which can be similar to CON 100. CON 410 can comprise a plurality of internal nodes 412 and content routers 414, which can be configured similarly to internal nodes 112 and content routers 114, respectively. Content routers 414 can be coupled to a plurality of consumer nodes / sites 440, similar to consumer nodes 120 / consumer sites 150, for example, through a plurality of access networks (not shown). Consumer nodes / sites 440 can be configured for publishing / subscribing to content in CON 410. CON 410 can also comprise or be coupled to a private key generator (PKG) 470 that can be configured to generate a plurality of private keys for a plurality of content publishers.
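The Setup / GetPrk / Sign / Verify flow of the content authentication schemes 200 and 300 above, as an added, runnable example that is not part of the patent. The patent names no signature algorithm; the one used here is Shamir's RSA-based identity-based signature, chosen because it fits in a few lines. The PKG parameters are toy Mersenne primes picked for the example and far too small for real use, and the identities and content are constructed. The same code serves scheme 200 (identity = publisher p-id) and scheme 300 (identity = content name prefix), since only the identity string differs.

```python
"""Added example: Shamir's RSA-based identity-based signature (1984) cast as the
Setup / GetPrk / Sign / Verify interface used in content authentication schemes 200 and 300.
Not the patent's code. Toy parameters: two Mersenne primes, far too small for real use."""
import hashlib
import secrets

# Constructed PKG parameters (assumption for the example): two Mersenne primes and a public exponent.
P = (1 << 107) - 1
Q = (1 << 127) - 1
E = 65537


def setup():
    """Setup: Generate(MK, MSK). MK = (n, e) is published in the CON; MSK = d never leaves the PKG."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), d


def identity_to_int(identity: str, n: int) -> int:
    """Map a publisher p-id (scheme 200) or a content name prefix (scheme 300) to an integer i mod n."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % n


def generate_pbk(mk, identity: str) -> int:
    """GeneratePbK(MK, id): the 'public key' is just the identity integer; nothing to certify."""
    n, _e = mk
    return identity_to_int(identity, n)


def generate_prk(msk: int, mk, identity: str) -> int:
    """GeneratePrk(MSK, id) at the PKG: pr = i^d mod n, the e-th root of the identity integer.
    Only the holder of d can compute it; it goes back to the publisher over a secure channel."""
    n, _e = mk
    return pow(identity_to_int(identity, n), msk, n)


def _challenge(t: int, m: bytes) -> int:
    # f(t, m): a hash that binds the per-signature commitment t to the content m.
    return int.from_bytes(hashlib.sha256(t.to_bytes(32, "big") + m).digest(), "big")


def sign(mk, prk: int, m: bytes):
    """Sign(pr, m) -> (t, s): t = r^e mod n for a fresh random r, s = pr * r^f(t, m) mod n."""
    n, e = mk
    r = secrets.randbelow(n - 2) + 2          # fresh per signature; reusing r across messages leaks pr
    t = pow(r, e, n)
    s = prk * pow(r, _challenge(t, m), n) % n
    return t, s


def verify(mk, identity: str, m: bytes, sig) -> bool:
    """Verify(id, MK, m, s): s^e == i * t^f(t, m) mod n, because pr^e = i and (r^e)^f = t^f."""
    n, e = mk
    t, s = sig
    if not (0 < t < n and 0 < s < n):          # (t, s) = (0, 0) would otherwise verify for any identity
        return False
    i = generate_pbk(mk, identity)
    return pow(s, e, n) == i * pow(t, _challenge(t, m), n) % n


def demo():
    """One publish / subscribe round: (valid signature accepted, tampered content rejected, wrong identity rejected)."""
    mk, msk = setup()                                      # PKG setup, once; MK published in the CON
    identity = "alice@example.com"                         # constructed p-id; "/example/news/" would do for scheme 300
    prk = generate_prk(msk, mk, identity)                  # GetPrk(p-id): publisher <-> PKG over a secure channel
    content = b"constructed content object"
    sig = sign(mk, prk, content)                           # Sign(pr-p, m); name, p-id and s travel as metadata
    ok = verify(mk, identity, content, sig)                # subscriber needs only MK and the identity string
    tampered = verify(mk, identity, b"constructed content 0bject", sig)
    wrong_identity = verify(mk, "mallory@example.com", content, sig)
    return ok, tampered, wrong_identity


if __name__ == "__main__":
    print(demo())
```

Verification touches only MK = (n, e) and the identity string: no publisher key and no certificate are fetched, which is the point of schemes 200 and 300. Two caveats a practitioner would add to the description: MK must still reach subscribers with its integrity protected, even though it needs no secrecy, because a substituted MK lets whoever substituted it forge signatures for any identity; and the PKG knows every publisher's signing key (key escrow), so it is the single trust anchor that the CA was in the PKI setting. A practical deployment would more likely use a pairing-based identity-based signature, but the interface is the same.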
[0041] In the content encryption scheme 400, each consumer node / site 440 may use general algorithms or functions, such as for content signing, content publishing, content subscribing and content verifying, as described below. The algorithms or functions can also comprise algorithms or functions for encrypting and decrypting content. Each user or consumer node / site 440 that can be a publisher can also have a public identity (p-id), which can be used by the publisher for encrypting content. The public identity (p-id) can also be known to and used by a subscriber to obtain a private key for the publisher (pr-p) for decrypting the content. For example, the public identity can be a publicly known identity associated with the publisher, as described in the content authentication scheme 200.
[0042] In the content encryption scheme 400, a first consumer node / site 440 can be a publisher that publishes content for a user in CON 410, through a content router 414. The publisher can first obtain a system-wide public parameter, or master key (MK), from PKG 470, for example, using the GetMK algorithm / function. PKG 470 can generate MK and a private parameter, or secret (private) master key (MSK), for example, using the Setup: Generate(MK, MSK) algorithm / function. The MK / MSK can be generated as part of a PKG 470 setup operation. For example, when PKG 470 starts or goes online, PKG 470 can run a setup to generate MK and MSK before handling any consumer requests. MK can also be published in CON 410, for example, using the Publish(MK) algorithm / function, without distributing the MSK. The publisher can obtain MK from PKG 470 using GetMK only once, for example, offline and independently of the content publishing process (indicated by the solid arrow lines in figure 4).
The publisher can encrypt content (m) using the p-id and MK to obtain encrypted content (c), for example, using the Encrypt(p-id, MK, m) algorithm / function. The publisher can then publish the encrypted content (c) with the content name (or prefix), for example, using the Publish(c, name) algorithm / function. In some embodiments, the publisher's public identity (p-id) may be included as part of the content metadata. In addition, the publisher can also sign the content, for example, as described in the content authentication scheme 200, before or after encrypting and publishing the content. The published content can then be forwarded through the content router 414 and stored or cached in CON 410.
[0043] A second consumer node / site 440 that can be a subscriber can then obtain the content from CON 410. The second consumer node / site 440 can subscribe to the content with the same content router 414 or with another one, for example, using the Subscribe(c, name) algorithm / function. The subscriber can request from PKG 470 a private key for decrypting the encrypted content using the p-id, for example, using the GetPrk(p-id) algorithm / function. The publisher's p-id can be known to the subscriber or can be obtained from the content metadata. PKG 470 can then use the MSK and the p-id to generate a private key for the publisher (pr-p), for example, using the GeneratePrk(MSK, p-id) algorithm / function. The GeneratePrk() operation can be a one-time operation for a single identity, for example, the publisher. Also, retrieving the private key for the publisher (pr-p) from PKG 470 may require a secure channel between the subscriber and PKG 470. However, retrieving MK from PKG 470 may not require a secure channel between the publisher and PKG 470. The subscriber can then decrypt the encrypted content (c) to obtain the original content (m) using pr-p, for example, using the Decrypt(c, pr-p) algorithm / function.
Additionally, if the content is signed by the publisher, the subscriber can verify the signed content, for example, as described in the content authentication scheme 200.

[0044] Figure 5 illustrates an embodiment of another content encryption scheme 500 for guaranteeing content security and privacy for users of a CON. The content encryption scheme 500 can be implemented in a CON 510, which can be similar to CON 100. CON 510 can comprise a plurality of internal nodes 512 and content routers 514, which can be configured similarly to internal nodes 112 and content routers 114, respectively. The content routers 514 can be coupled to a plurality of consumer nodes/sites 550, similar to consumer nodes 120/consumer sites 150, for example, through a plurality of access networks (not shown). The consumer nodes/sites 550 can be configured for publishing/subscribing to content in CON 510. CON 510 can also comprise or be coupled with an NRS 580, which can be configured to register a plurality of content names for publishers. Content names can be selected by the publishers. NRS 580 can be a local or global entity in a publisher organization, and can obtain from PKG 570 a plurality of private keys for publishers (pr-m) associated with the registered content names of the publishers. The NRS 580 can verify that a content name from a publisher is new and not previously registered before registering the content name and obtaining a private key for the publisher associated with or corresponding to the registered content name.

[0045] In the content encryption scheme 500, each consumer node/site 550 can use general algorithms or functions, such as for content signing, content publishing, content subscription and content verification, as described below. The algorithms or functions can also comprise algorithms or functions for encrypting and decrypting content.
Each user or consumer node/site 550 can use the content name or prefix for encrypting the content for publication. Each consumer node/site 550 that can be a publisher can also have a public identity (p-id), which can be used for content encryption by the publisher. The public identity (p-id) can be known to and used by a subscriber to obtain a private key for the publisher (pr-m) to decrypt the content.

[0046] For example, a first consumer node/site 550 can be a publisher that publishes content for a user to CON 510 through a content router 514. The publisher can first obtain a system-wide public parameter or master key (MK) from PKG 570, for example, using the GetMK algorithm/function. The PKG 570 can generate MK and a private parameter or master secret key (MSK), for example, using the Setup: Generate(MK, MSK) algorithm/function only once, as part of a configuration operation, as described above. MK can also be published in CON 510, for example, using the Publish(MK) algorithm/function, without distributing the MSK. The publisher can also obtain MK from the PKG 570 using GetMK only once, as described above. The publisher can encrypt content (m) using the content name (or prefix) and MK to obtain encrypted content (c), for example, using the Encrypt(name, MK, m) algorithm/function. The publisher can then publish the encrypted content (c) with the content name (or prefix), for example, using the Publish(c, name) algorithm/function. In some embodiments, the publisher's public identity (p-id) may be included as part of the content's metadata. In addition, the publisher can also sign the content, for example, as described in the content authentication scheme 300, before or after encrypting and publishing the content. The published content can then be forwarded through the content router 514 and stored or cached in CON 510.

[0047] A second consumer node/site 550 that can be a subscriber can then obtain the content from CON 510. The second consumer node/site 550 can subscribe to the content with the same content router 514 or with another one, for example, using the Subscribe(c, name) algorithm/function. The subscriber can request from PKG 570 a private key for decrypting the encrypted content using the content name (or prefix), for example, using the GetPrk(name) algorithm/function. The PKG 570 can then use MSK and the content name (or prefix) to generate a private key for the publisher (pr-m), for example, using the GeneratePrK(MSK, name) algorithm/function. The GeneratePrK() operation can be a one-time operation for a single content name (or prefix). The subscriber can then decrypt the encrypted content (c) to obtain the original content m using pr-m, for example, using the Decrypt(c, pr-m) algorithm/function. Additionally, if the content is signed by the publisher, the subscriber can verify the signed content, for example, as described in the content authentication scheme 300.

[0048] Figure 6 illustrates an embodiment of a hybrid content authentication scheme 600 that can be used to support large-scale CONs or ICNs and improve the scalability of the content authentication schemes 200 and 300. A large-scale CON or ICN can comprise a plurality of domains, which can each comprise a plurality of content routers, consumer nodes/sites and a corresponding PKG. The hybrid content authentication scheme 600 can comprise elements and components of the content authentication scheme 200 or 300 and a PKI, and can enable cross-domain content authentication, also referred to here as inter-domain content authentication.
Cross-domain content authentication can allow a subscriber in a first domain to verify the authenticity of content signed by a publisher in a second domain using a system-wide public parameter or master key (MK) of the second domain (according to the content authentication scheme 200 or 300). The subscriber can also authenticate the signed MK using the PKI, for example, using a public key to verify the MK that the publishing domain signed using a private key.

[0049] For example, a subscriber (Bob) in a first domain (DomB) can request cached content published by a publisher (Alice) in a second domain (DomA). Thus, the subscriber can request the content object named /DomA/Alice/content-object from a content router in the CON. The content router can return the requested content object, which can be signed by a private key for the publisher (Alice.SK) using the content authentication scheme 200 or 300. The subscriber can also obtain (from the PKG of DomA) an MK (/DomA/pkg/sp) that can be signed by a private key for DomA (DomA.prK) using the PKI. The subscriber can verify the authenticity of the received signed content (data) using the signed MK. The subscriber can also verify the authenticity of the signed MK using a public key for DomA (DomA.pbK) corresponding to the private key for DomA (DomA.prK). The public key for DomA (DomA.pbK) can also be obtained using the PKI. The subscriber can also use a certificate from a trusted CA to verify the authenticity of the public key for DomA (DomA.pbK).

[0050] In the hybrid content authentication scheme 600, the PKG and NRS can be domain or organizational entities that issue publisher private keys, MK and MSK, and register names or prefixes for local users in the corresponding domain.
For example, a company may have its own PKG, which is the case with TrendMicro's identity-based e-mail encryption solution for enterprises, as described in the publication entitled "The true costs of email encryption: Trend Micro IBE (identity-based) vs. PKI encryption", published in October 2010 at http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/emailencryption/the true cost of email encryption 6-2010.pdf. In some embodiments, a hybrid content encryption scheme can be used based on the PKI and the content encryption scheme 400 or 500, using PKI encryption keys in addition to MK and a known publisher identity or content name (or prefix).

[0051] The hybrid content authentication scheme 600 can be implemented as a CCN protocol and can be scalable based on the fact that PKI is employed at the domain or autonomous system (AS) level in the current Internet infrastructure. For example, Domain Name System Security Extensions (DNSSEC), Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for web-based Internet services are based on a trusted PKI-based infrastructure. In these protocols, domain public keys are certified by trusted CAs, which has proved to be a suitably scalable solution. PKI can be viable for domain-level trust management, while identity-based content authentication (using the content authentication schemes 200 and 300) and identity-based encryption (using the content encryption schemes 400 and 500) may be suitable for end-user and device-level trust management. In CONs and ICNs, requiring each content provider or consumer to have a public key certificate can be expensive, and such key management can become an obstacle for many applications. In this case, the hybrid scheme above can overcome these limitations.
In addition, the hybrid scheme above may not compromise the benefits for content-based trust and privacy protection provided by identity-based content authentication and identity-based content encryption. For example, a consumer may only need a domain public key certificate to verify the authenticity of a PKG's MK. Subsequently, trust can still be built on top of trusting the content provider's identity or content name (or prefix), rather than an individual user's public key certificate. Thus, the certificate management burden may be limited to the domain level.

[0052] Figure 7 illustrates an embodiment of a content metadata format 700 that can be cached or stored with content data in a CON in any of the above authentication/encryption schemes. The content metadata format 700 can comprise a content name 702 and metadata 720. The content name 702 can indicate the name or prefix of the stored/cached content or content object. For example, content name 702 can comprise /huawei.com/cona/security-report. The metadata 720 can comprise a signature id 704 (sign-id), an MK of PKG 706 (pkg_mk), a time stamp/version 708 and a signature (sig) 710. The signature id 704 can correspond to the publisher's public identity (p-id) or to the content name or prefix that can be used to obtain a private key for the publisher (pr-p or pr-m) to sign the content. The MK of PKG 706 can be generated by the PKG once at configuration time, as described above, and used for all publishers in the domain. The MK of PKG 706 can indicate the MK value or the name of the MK, which can then be used to obtain the MK value from the CON. The time stamp/version 708 can indicate a time stamp and/or a version for the cached/stored content. The signature 710 can correspond to a signed proof value of the content name 702, the metadata 720 and the content data.
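As an added example (not code from the patent, which names no concrete identity-based signature scheme), the following Python instantiates the Setup/GeneratePrK/Sign/Verify interface described above with Shamir's RSA-based identity-based signature and wraps it around the content metadata format 700, so that a subscriber verifies a cached object from the sign-id 704 and MK alone, with no publisher certificate. The PKG primes, identities, content names, pkg_mk name and data are all constructed for this example; the tiny Mersenne-prime modulus is a toy, not a secure parameter choice.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

MK = Tuple[int, int]    # (n, e): system-wide public parameter published in the CON
Sig = Tuple[int, int]   # (t, s): Shamir identity-based signature

# Toy PKG primes, constructed for this example (trivially factorable; demo only).
_P = (1 << 89) - 1
_Q = (1 << 127) - 1


def setup() -> Tuple[MK, int]:
    """Setup: Generate(MK, MSK). MK = (n, e) is published; MSK = d stays at the PKG."""
    n, e = _P * _Q, 65537
    d = pow(e, -1, (_P - 1) * (_Q - 1))
    return (n, e), d


def _h_id(identity: str, n: int) -> int:
    """Maps a known identity (e-mail, phone number, content name/prefix) into Z_n."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % n


def _h_msg(t: int, msg: bytes, n: int) -> int:
    """Challenge hash binding the commitment t to the bytes being signed."""
    t_bytes = t.to_bytes((n.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(t_bytes + msg).digest(), "big")


def generate_prk(msk: int, mk: MK, identity: str) -> int:
    """GeneratePrK(MSK, identity): per-identity private key H(id)^d mod n, issued once."""
    n, _ = mk
    return pow(_h_id(identity, n), msk, n)


def sign(prk: int, mk: MK, msg: bytes) -> Sig:
    """t = r^e mod n and s = prk * r^H(t||msg) mod n for a fresh random r."""
    n, e = mk
    r = secrets.randbelow(n - 2) + 2
    t = pow(r, e, n)
    return t, (prk * pow(r, _h_msg(t, msg, n), n)) % n


def verify(mk: MK, identity: str, msg: bytes, sig: Sig) -> bool:
    """Holds iff s^e == H(id) * t^H(t||msg) mod n; needs only MK and the identity."""
    n, e = mk
    t, s = sig
    if not (0 < t < n and 0 < s < n):
        return False
    return pow(s, e, n) == (_h_id(identity, n) * pow(t, _h_msg(t, msg, n), n)) % n


@dataclass
class ContentObject:
    """Content metadata format 700: content name 702 plus metadata 720 (704-710)."""
    name: str                  # 702, e.g. /huawei.com/cona/security-report
    sign_id: str               # 704 sign-id: publisher p-id, or the name/prefix (pr-m case)
    pkg_mk: str                # 706 pkg_mk: name under which MK is fetched from the CON
    version: str               # 708 time stamp / version
    data: bytes                # the content itself
    sig: Optional[Sig] = None  # 710 sig


def proof_input(obj: ContentObject) -> bytes:
    """Bytes covered by signature 710: name 702, metadata 720 and the content data.
    Fields are length-prefixed so no field boundary can be shifted unnoticed."""
    out = b""
    for field in (obj.name.encode(), obj.sign_id.encode(),
                  obj.pkg_mk.encode(), obj.version.encode(), obj.data):
        out += len(field).to_bytes(4, "big") + field
    return out


def publish(obj: ContentObject, prk: int, mk: MK) -> ContentObject:
    """Publisher side: sign the object before handing it to the content router."""
    obj.sig = sign(prk, mk, proof_input(obj))
    return obj


def verify_content(obj: ContentObject, mk: MK) -> bool:
    """Subscriber side: MK (named by pkg_mk) and sign-id suffice; no publisher
    certificate and no secure channel to the PKG are needed."""
    return obj.sig is not None and verify(mk, obj.sign_id, proof_input(obj), obj.sig)


def run_example() -> dict:
    """Publishes under a p-id and under a name prefix, then checks the cached copies."""
    mk, msk = setup()
    alice_prk = generate_prk(msk, mk, "alice@example.com")    # p-id keyed (scheme 200)
    prefix_prk = generate_prk(msk, mk, "/huawei.com/cona")    # name keyed (scheme 300)
    report = publish(ContentObject("/huawei.com/cona/security-report", "alice@example.com",
                                   "/huawei.com/pkg/mk", "2011-12-09", b"constructed report"),
                     alice_prk, mk)
    notes = publish(ContentObject("/huawei.com/cona/notes", "/huawei.com/cona",
                                  "/huawei.com/pkg/mk", "v1", b"constructed notes"),
                    prefix_prk, mk)
    # A cached copy altered in transit keeps the old signature and must fail.
    tampered = ContentObject(report.name, report.sign_id, report.pkg_mk,
                             report.version, b"altered report", report.sig)
    # A holder of the prefix key cannot sign as alice: the sign-id does not match.
    impostor = ContentObject(report.name, "alice@example.com", report.pkg_mk,
                             report.version, report.data)
    impostor.sig = sign(prefix_prk, mk, proof_input(impostor))
    return {"report": verify_content(report, mk), "notes": verify_content(notes, mk),
            "tampered": verify_content(tampered, mk), "impostor": verify_content(impostor, mk)}
```

Because MK and the sign-id are public, verification needs no secret from the subscriber's side, which is exactly why the content router can serve the cached object without any key exchange of its own.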
[0053] Figure 8 illustrates an embodiment of a content authentication method 800 that can be used to provide content integrity and authenticity in a CON. The content authentication method 800 can be implemented by a CON or a content router in the CON. The content authentication method 800 can be based on the content authentication scheme 200 or the content authentication scheme 300. Method 800 can start at block 802, where a content object with a signature that is based on a known identity can be received at a CON, for example, by a content router. The received content object can be signed and published by a user or a publisher. The signature can be based on a known publisher identity, such as a publisher id (for example, an e-mail address or phone number), or on the known content name or prefix. The signature can be produced using a publisher private key that can be generated using the known identity and obtained from a PKG. If the known identity is a content name or prefix, then the known identity can be registered with an NRS.

[0054] In block 804, the content object can be cached or stored with the signature at the CON. The content object can be cached or stored with metadata that includes the signature. The content object can be cached/stored without encryption, for example, as plain text, or it can be encrypted before caching/storage, for example, as cipher text. In some embodiments, the metadata may also include the known identity that was used to obtain the signature. In block 806, a content request can be received at the CON, for example, by the same content router or by a second router. The content request can be received from a user or subscriber for the cached/stored content object. In block 808, the requested content with the signature can be forwarded. The content router can forward the cached/stored content to the subscriber with the signature included in the content.
The subscriber can then verify the signature using the known identity, as described above. The identity may already be known to the subscriber or may be obtained from the content's metadata. Method 800 can then end.

[0055] Figure 9 illustrates an embodiment of a content encryption method 900 that can be used to provide content security and privacy in a CON. The content encryption method 900 can be implemented by a CON or a content router in the CON. The content encryption method 900 can be based on the content encryption scheme 400 or the content encryption scheme 500. Method 900 can start at block 902, where a content object encrypted based on a system-wide public parameter or master key (MK) can be received at a CON, for example, by a content router. The received content object can be encrypted and published by a user or a publisher. The encryption can be based on MK, which can be sent from a PKG to the publisher.

[0056] In block 904, the encrypted content object can be cached or stored in the CON, for example, as cipher text. In some embodiments, the encrypted content can be cached/stored with metadata that includes a known identity of the publisher or the content name or prefix. In block 906, a content request can be received at the CON, for example, by the same content router or by a second router. The content request can be received from a user or subscriber for the cached/stored content object. In block 908, the requested encrypted content can be forwarded. The content router can forward the encrypted cached/stored content to the subscriber. The subscriber can then obtain a private key for the publisher from the PKG using the publisher's known identity or the content name or prefix. The subscriber can then use the private key to decrypt the received encrypted content.
The publisher's identity or the content name or prefix can already be known to the subscriber, or can be obtained from the metadata of the encrypted content. Method 900 can then end.

[0057] Figure 10 illustrates an embodiment of a network unit 1000, which can be any device that transports and processes data through a network. For example, the network unit 1000 can be located at the content router or at any node in CON 100, or at any node in the CON schemes described above. The content router can also be configured to implement or support the CON methods and systems described above. The network unit 1000 may comprise one or more ingress ports or units 1010 coupled to a receiver (Rx) 1012 for receiving signals and frames/data from other network components. The network unit 1000 may comprise a content aware unit 1020 for determining which network components to send content to. The content aware unit 1020 can be implemented using hardware, software or both. The network unit 1000 can also comprise one or more egress ports or units 1030 coupled to a transmitter (Tx) 1032 for transmitting signals and frames/data to the other network components. The receiver 1012, content aware unit 1020 and transmitter 1032 can also be configured to implement at least one of the disclosed methods, which can be based on hardware, software or both. The components of the network unit 1000 can be arranged as shown in figure 10.

[0058] The content aware unit 1020 may also comprise a programmable content forwarding plane block 1028 and one or more storage blocks 1022 that can be coupled to the programmable content forwarding plane block 1028.
The programmable content forwarding plane block 1028 can be configured to implement content forwarding and processing functions, such as at an application layer or L3, where content can be forwarded based on the content name or prefix and possibly other content-related information that maps the content to network traffic. This mapping information can be maintained in a content table at the content aware unit 1020 or at the network unit 1000. The programmable content forwarding plane block 1028 can interpret user requests for content and, accordingly, fetch content, for example, based on metadata and/or the content name, from the network or from other content routers, and can store the content, for example, temporarily, in the storage blocks 1022. The programmable content forwarding plane block 1028 can then forward the cached content to the user. The programmable content forwarding plane block 1028 can be implemented using hardware, software or both, and can operate above the IP layer or L2. The storage blocks 1022 may comprise a cache 1024 for temporarily storing content, such as content that is requested by a subscriber. In addition, the storage blocks 1022 may comprise a long-term storage 1026 for storing content for a relatively longer time, such as content submitted by a publisher. For example, the cache 1024 and the long-term storage 1026 can include dynamic random access memories (DRAMs), solid state drives (SSDs), hard disks or combinations thereof.

[0059] At least some of the network components and methods described above can be implemented on a general-purpose network component, such as a computer or a network component with sufficient processing power, memory resources and network throughput capability to handle the necessary workload placed upon it.
Figure 11 illustrates a typical general-purpose network component 1100 suitable for implementing one or more embodiments of the components disclosed here. The network component 1100 includes a processor 1102 (which may be referred to as a central processing unit or CPU) that is in communication with memory devices including secondary storage 1104, read-only memory (ROM) 1106, random access memory (RAM) 1108, input/output (I/O) devices 1110 and connectivity devices 1112. The processor 1102 can be implemented as one or more CPU chips, or it can be part of one or more application-specific integrated circuits (ASICs).

[0060] The secondary storage 1104 is typically comprised of one or more disk drives or tape drives, and is used for non-volatile storage of data and as an overflow data storage device if the RAM 1108 is not large enough to hold all the working data. The secondary storage 1104 can be used to store programs that are loaded into the RAM 1108 when those programs are selected for execution. The ROM 1106 is used to store instructions and, perhaps, data that are read during program execution. The ROM 1106 is a non-volatile memory device that typically has a small memory capacity relative to the larger memory capacity of the secondary storage 1104. The RAM 1108 is used to store volatile data and perhaps to store instructions. Access to both the ROM 1106 and the RAM 1108 is typically faster than access to the secondary storage 1104.

[0061] At least one embodiment is disclosed, and variations, combinations and/or modifications of the embodiment(s) and/or features of the embodiment(s) made by a person having ordinary skill in the art are within the scope of the disclosure. Alternative embodiments that result from combining, integrating and/or omitting features of the embodiment(s) are also within the scope of the disclosure.
Where numerical ranges or limitations are expressly stated, such express ranges or limitations should be understood to include iterative ranges or limitations of like magnitude falling within the expressly stated ranges or limitations (for example, from about 1 to about 10 includes 2, 3, 4, etc.; greater than 0.10 includes 0.11, 0.12, 0.13, etc.). For example, whenever a numerical range with a lower limit, R_l, and an upper limit, R_u, is disclosed, any number falling within the range is specifically disclosed. In particular, the following numbers within the range are specifically disclosed: R = R_l + k * (R_u - R_l), where k is a variable ranging from 1 percent to 100 percent with a 1 percent increment, that is, k is 1 percent, 2 percent, 3 percent, 4 percent, 5 percent, ..., 50 percent, 51 percent, 52 percent, ..., 95 percent, 96 percent, 97 percent, 98 percent, 99 percent, or 100 percent. Moreover, any numerical range defined by two R numbers as defined above is also specifically disclosed. Use of the term "optionally" with respect to any element of a claim means that the element is required, or alternatively, the element is not required, both alternatives being within the scope of the claim. Use of broader terms such as "comprises", "includes" and "having" should be understood to provide support for narrower terms such as "consisting of", "consisting essentially of" and "comprised substantially of". Accordingly, the scope of protection is not limited by the description set out above but is defined by the claims that follow, that scope including all equivalents of the subject matter of the claims. Each and every claim is incorporated as further disclosure into the specification, and the claims are embodiments of the present disclosure. The discussion of a reference in the disclosure is not an admission that it is prior art, especially any reference that has a publication date after the priority date of this application.
The disclosures of all patents, patent applications and publications cited in the disclosure are hereby incorporated by reference, to the extent that they provide exemplary, procedural or other details supplementary to the disclosure.

[0062] While several embodiments have been provided in the present disclosure, it should be understood that the disclosed systems and methods could be implemented in many other specific forms without departing from the spirit or scope of the present disclosure. The present examples are to be considered as illustrative and not restrictive, and the intention is not to be limited to the details given here. For example, the various elements or components can be combined or integrated in another system, or certain features can be omitted or not implemented.

[0063] In addition, techniques, systems, subsystems and methods described and illustrated in the various embodiments as discrete or separate can be combined or integrated with other systems, modules, techniques or methods without departing from the scope of the present disclosure. Other items shown or discussed as coupled or directly coupled or communicating with each other can be indirectly coupled or communicating through some interface, device or intermediate component, whether electrically, mechanically or otherwise. Other examples of changes, substitutions and alterations are ascertainable by one skilled in the art and could be made without departing from the spirit and scope disclosed here.
Claims (18):
1. Content router, characterized in that it comprises: a memory; a processor coupled to the memory, where the memory comprises a storage configured for caching, in a content-oriented network (CON) (210, 310, 510), a content object with a signature signed by a publisher based on an identity known to a subscriber; and a transmitter coupled to the storage and configured to forward the content object with the signature upon a request to the subscriber, in which the subscriber uses the signature to verify the integrity of the content object based on the known identity, without verifying a trust of a publisher key for the publisher, where the known identity is trusted by the publisher and does not require a trust check from the publisher, where the content object is signed by the publisher using a publisher private key that is obtained using the known identity, and where the publisher's private key is obtained from a private key generator (PKG) that generates a master key (MK) distributed in the CON and a secret master key (MSK) that is not distributed, and in which the publisher's private key is obtained by the publisher using the MSK and the known identity.

2. Content router, according to claim 1, characterized in that the known identity is an identity of the publisher that is known to the subscriber or an identity of the content object that comprises a complete name or a name prefix of the content object.

3. Content router, according to claim 2, characterized in that the publisher's identity is a public identifier (id) of the publisher comprising one of an e-mail address, a phone number, an organization name of the publisher and a local identity in an organization.

4. Content router, according to claim 1, characterized in that the authenticity of the content object is verified using the signature, the known identity and the MK.

5. Content router, according to claim 1, characterized in that no public key for the publisher is distributed in the CON (210, 310, 510), and the subscriber does not require and does not use a public certificate from a trusted certificate authority (CA) for establishing trust.

6. Method implemented in a network device, characterized in that it comprises: receiving a content object signed by a publisher using a private key that is obtained using a known public identity in a content-oriented network (CON) (210, 310, 510), where the private key is obtained from a private key generator (PKG) that generates a master key (MK) distributed in the CON and a secret master key (MSK) that is not distributed, and in which the private key is obtained by the publisher using the MSK and the known identity; storing the content object with the signature at the CON (210, 310, 510); and forwarding the content object with the signature upon receipt of a content request to a subscriber.

7. Method implemented in a network device, according to claim 6, characterized in that the private key generator (PKG) generates MK and MSK only once and uses the same MSK and public identity to generate a plurality of private keys for a plurality of publishers using a plurality of corresponding public identities.

8. Method implemented in a network device, according to claim 7, characterized in that the private key is obtained by the publisher from the PKG only once and the publisher uses the same private key to sign a plurality of content objects, and where the private key is obtained by the publisher from the PKG.

9. Method implemented in a network device, according to claim 7, characterized in that the subscriber verifies the signature using the public identity and the MK from the PKG, without using a secure channel between the PKG and the subscriber, and the subscriber obtains MK from the PKG only once and uses the same MK to verify a plurality of content objects.

10. Method implemented in a network device, according to claim 7, characterized in that the CON (210, 310, 510) comprises a plurality of domains that comprise a plurality of corresponding publishers, subscribers and PKGs, and in which a subscriber in a first domain verifies a signature of a content object signed by a publisher in a second domain using an MK generated by a PKG in the second domain and signed using a second private key in the second domain generated by a public key infrastructure (PKI) of the CON (210, 310, 510), and in which the subscriber verifies the authenticity of the signed MK using a public key in the second domain generated by the PKI and corresponding to the second private key, and verifies the authenticity of the public key using a certificate from a trusted certificate authority (CA).

11. Method implemented in a network device, according to claim 6, characterized in that the publisher signs a plurality of content objects that have the same name or prefix with the same private key based on the name or prefix, and where the publisher delegates the signing of the content object to another user or service in an organization.

12. Method implemented in a network device, according to claim 6, characterized in that the subscriber uses the same public identity to verify the same content object that is published by a group of users or a plurality of publishers using the same name or prefix.

13. Method implemented in a network device, according to claim 6, characterized in that a plurality of public identities are used to sign the content object using different names or prefixes or identities of different publishers.

14. Apparatus, characterized in that it comprises: a receiver configured to receive a content object with a signature signed by a publisher using a private key that is obtained using a known public identity in a content-oriented network (CON); a storage coupled to the receiver and configured to cache the content object; and a transmitter coupled to the storage and configured to forward the content object with the signature from the cache upon a request to a subscriber, where the known identity is trusted by the publisher and does not require a trust check from the publisher, and where the private key is obtained from a private key generator (PKG) that generates a master key (MK) distributed in the CON and a secret master key (MSK) that is not distributed, and where the private key is obtained using the MSK and the known identity.

15. Apparatus, according to claim 14, characterized in that the PKG generates the MSK with the MK, and in which the PKG generates MK and MSK only once and uses the same MSK and the public identity to generate a plurality of private keys for a plurality of publishers using a plurality of corresponding public identities.

16. Apparatus, according to claim 14, characterized in that the transmitter is further configured to send the content object to a subscriber who decrypts the encrypted content using a private key obtained using an identity associated with the publisher or the content object and the MSK.

17. Apparatus, according to claim 14, characterized in that the private key is obtained without using a public key infrastructure (PKI).

18. Apparatus, according to claim 14, characterized in that no public key for the publisher is distributed in the CON, and in which the subscriber does not require and does not use a public certificate from a trusted certificate authority (CA) to establish trust.
Family patents:

| Publication number | Publication date |
| --- | --- |
| US20120166806A1 | 2012-06-28 |
| EP2638659A4 | 2014-03-05 |
| WO2012089004A1 | 2012-07-05 |
| US8645702B2 | 2014-02-04 |
| RU2571394C2 | 2015-12-20 |
| RU2013135313A | 2015-02-10 |
| EP2638659B1 | 2017-08-09 |
| BR112013016797A2 | 2016-10-18 |
| CN103270718B | 2016-09-28 |
| CN103270718A | 2013-08-28 |
| EP2638659A1 | 2013-09-18 |
Cited references:

| Publication number | Filing date | Publication date | Applicant | Title |
| --- | --- | --- | --- | --- |
| US6473800B1 | 1998-07-15 | 2002-10-29 | Microsoft Corporation | Declarative permission requests in a computer system |
| US8132250B2 | 2002-03-08 | 2012-03-06 | Mcafee, Inc. | Message profiling systems and methods |
| EP1826695A1 | 2006-02-28 | 2007-08-29 | Microsoft Corporation | Secure content descriptions |
| US20080065729A1 | 2006-09-08 | 2008-03-13 | Pitney Bowes Incorporated | Method and system for service provider to be compensated for delivering e-mail messages while reducing amount of unsolicited e-mail messages |
| FR2922702B1 | 2007-10-17 | 2010-02-26 | Airbus France | SECURING TELECHARGEABLE COMPUTER FILE DATA ON AN AIRCRAFT BASED ON IDENTITY OF ENTITIES, AUTHENTICATION METHOD, SYSTEM AND AIRCRAFT |
| US8165118B2 | 2008-05-19 | 2012-04-24 | Palo Alto Research Center Incorporated | Voice over content centric networks |
| CN101500146A | 2009-02-18 | 2009-08-05 | 北京永新视博数字电视技术有限公司 | Digital television receiving control method and apparatus based on bi-directional network |
| US8863227B2 | 2011-01-05 | 2014-10-14 | Futurewei Technologies, Inc. | Method and apparatus to create and manage a differentiated security framework for content oriented networks |
| KR20120137726A | 2011-06-13 | 2012-12-24 | 삼성전자주식회사 | A transmission node and a receiver node of a contents centric network and a communication method thereof |
| US8683286B2 | 2011-11-01 | 2014-03-25 | Cleversafe, Inc. | Storing data in a dispersed storage network |
| US20130124870A1 | 2011-11-16 | 2013-05-16 | Certicom Corp. | Cryptographic document processing in a network |
| US9027102B2 | 2012-05-11 | 2015-05-05 | Sprint Communications Company L.P. | Web server bypass of backend process on near field communications and secure element chips |
| KR101436049B1 | 2012-06-01 | 2014-09-01 | 에스케이텔레콤 주식회사 | Method for providing content caching service and local caching device thereof |
| US9282898B2 | 2012-06-25 | 2016-03-15 | Sprint Communications Company L.P. | End-to-end trusted communications infrastructure |
| WO2014047882A1 | 2012-09-28 | 2014-04-03 | France Telecom | Method for transmitting data content in content centric network |
| US9602480B2 | 2012-10-26 | 2017-03-21 | Nokia Technologies Oy | Methods and apparatus for data access control |
| KR101474320B1 | 2013-02-04 | 2014-12-18 | 아주대학교산학협력단 | Location-based content-centric networking method for location-based contents |
| US9009465B2 | 2013-03-13 | 2015-04-14 | Futurewei Technologies, Inc. | Augmenting name/prefix based routing protocols with trust anchor in information-centric networks |
| US9961110B2 | 2013-03-15 | 2018-05-01 | Verisign, Inc. | Systems and methods for pre-signing of DNSSEC enabled zones into record sets |
| US9838869B1 | 2013-04-10 | 2017-12-05 | Sprint Communications Company L.P. | Delivering digital content to a mobile device via a digital rights clearing house |
| US9560519B1 | 2013-06-06 | 2017-01-31 | Sprint Communications Company L.P. | Mobile communication device profound identity brokering framework |
| KR102134429B1 | 2013-10-04 | 2020-07-15 | 삼성전자주식회사 | Method and apparatus for content verification |
| WO2015088402A1 | 2013-12-09 | 2015-06-18 | Telefonaktiebolaget L M Ericsson | Method and apparatus for data connectivity sharing |
| US9246803B2 | 2014-01-02 | 2016-01-26 | Futurewei Technologies, Inc. | Method and apparatus for scalable content routing and mobility in named data networks |
| US9712240B2 | 2014-02-24 | 2017-07-18 | Futurewei Technologies, Inc. | Mapping information centric networking flows to optical flows |
| US9363086B2 | 2014-03-31 | 2016-06-07 | Palo Alto Research Center Incorporated | Aggregate signing of data in content centric networking |
| CN105432053B | 2014-04-23 | 2019-07-23 | 华为技术有限公司 | Information object acquisition methods, server and user equipment |
| US9992281B2 | 2014-05-01 | 2018-06-05 | Cisco Technology, Inc. | Accountable content stores for information centric networks |
| US9979644B2 | 2014-07-13 | 2018-05-22 | Cisco Technology, Inc. | Linking to content using information centric networking |
| US9535968B2 | 2014-07-21 | 2017-01-03 | Palo Alto Research Center Incorporated | System for distributing nameless objects using self-certifying names |
| US20160065677A1 | 2014-09-02 | 2016-03-03 | Palo Alto Research Center Incorporated | System and method for a reliable content exchange of a ccn pipeline stream |
| US9536059B2 | 2014-12-15 | 2017-01-03 | Palo Alto Research Center Incorporated | Method and system for verifying renamed content using manifests in a content centric network |
| CN107113314B | 2015-01-19 | 2020-06-19 | 诺基亚技术有限公司 | Method and device for heterogeneous data storage management in cloud computing |
| US9462006B2 | 2015-01-21 | 2016-10-04 | Palo Alto Research Center Incorporated | Network-layer application-specific trust model |
| US9838868B1 | 2015-01-26 | 2017-12-05 | Sprint Communications Company L.P. | Mated universal serial bus wireless dongles configured with destination addresses |
| US9552493B2 | 2015-02-03 | 2017-01-24 | Palo Alto Research Center Incorporated | Access control framework for information centric networking |
| US10291651B1 | 2015-06-26 | 2019-05-14 | Juniper Networks, Inc. | Unified secure socket layer decryption |
| US10193698B1 | 2015-06-26 | 2019-01-29 | Juniper Networks, Inc. | Avoiding interdicted certificate cache poisoning for secure sockets layer forward proxy |
| US9893883B1 | 2015-06-26 | 2018-02-13 | Juniper Networks, Inc. | Decryption of secure sockets layer sessions having enabled perfect forward secrecy using a diffie-hellman key exchange |
| US10701038B2 | 2015-07-27 | 2020-06-30 | Cisco Technology, Inc. | Content negotiation in a content centric network |
| US9774610B2 | 2015-07-28 | 2017-09-26 | Futurewei Technologies, Inc. | Certificateless data verification with revocable signatures |
| US9819679B1 | 2015-09-14 | 2017-11-14 | Sprint Communications Company L.P. | Hardware assisted provenance proof of named data networking associated to device data, addresses, services, and servers |
| US10313227B2 | 2015-09-24 | 2019-06-04 | Cisco Technology, Inc. | System and method for eliminating undetected interest looping in information-centric networks |
| US10282719B1 | 2015-11-12 | 2019-05-07 | Sprint Communications Company L.P. | Secure and trusted device-based billing and charging process using privilege for network proxy authentication and audit |
| US10742596B2 | 2016-03-04 | 2020-08-11 | Cisco Technology, Inc. | Method and system for reducing a collision probability of hash-based names using a publisher identifier |
| US10051071B2 | 2016-03-04 | 2018-08-14 | Cisco Technology, Inc. | Method and system for collecting historical network information in a content centric network |
| US10264099B2 | 2016-03-07 | 2019-04-16 | Cisco Technology, Inc. | Method and system for content closures in a content centric network |
| US10067948B2 | 2016-03-18 | 2018-09-04 | Cisco Technology, Inc. | Data deduping in content centric networking manifests |
| US10091330B2 | 2016-03-23 | 2018-10-02 | Cisco Technology, Inc. | Interest scheduling by an information and data framework in a content centric network |
| US10320760B2 | 2016-04-01 | 2019-06-11 | Cisco Technology, Inc. | Method and system for mutating and caching content in a content centric network |
| US10404450B2 | 2016-05-02 | 2019-09-03 | Cisco Technology, Inc. | Schematized access control in a content centric network |
| US10084798B2 | 2016-06-30 | 2018-09-25 | Juniper Networks, Inc. | Selective verification of signatures by network nodes |
| US10244071B2 | 2016-11-21 | 2019-03-26 | Intel Corporation | Data management in an edge network |
| US10203967B1 | 2017-04-18 | 2019-02-12 | Amazon Technologies, Inc. | Client configurable hardware logic and corresponding data |
| US10499249B1 | 2017-07-11 | 2019-12-03 | Sprint Communications Company L.P. | Data link layer trust signaling in communication network |
| KR102039658B1 | 2018-02-21 | 2019-11-01 | 김인영 | Platform system for letter crypto currency |
| US11165824B2 | 2019-10-18 | 2021-11-02 | Cisco Technology, Inc. | Transport layer security extension for hybrid information centric networking |
Legal status:

| Date | Code | Event |
| --- | --- | --- |
| 2018-12-18 | B06F | Objections, documents and/or translations needed after an examination request according [chapter 6.6 patent gazette] |
| 2019-09-03 | B09A | Decision: intention to grant [chapter 9.1 patent gazette] |
| 2021-10-05 | B21F | Lapse acc. art. 78, item iv - on non-payment of the annual fees in time. Free format text: Concerning the 10th annuity. |
| 2022-01-25 | B24J | Lapse because of non-payment of annual fees (definitively: art 78 iv lpi, resolution 113/2013 art. 12). Free format text: By virtue of the extinction published in RPI 2648 of 05-10-2021, and considering the absence of any response within the legal deadlines, I inform that the extinction of the patent and its certificates is to be maintained, as provided in Article 12 of Resolution 113/2013. |
Priority:

| Application number | Publication number | Priority date | Filing date | Title |
| --- | --- | --- | --- | --- |
| US201061427551P | | 2010-12-28 | 2010-12-28 | |
| US61/427,551 | | | 2010-12-28 | |
| US13/191,610 | US8645702B2 | 2010-12-28 | 2011-07-27 | Method and apparatus to use identity information for digital signing and encrypting content integrity and authenticity in content oriented networks |
| US13/191,610 | | | 2011-07-27 | |
| PCT/CN2011/083727 | WO2012089004A1 | 2010-12-28 | 2011-12-09 | Method and apparatus to use identify information for digital signing and encrypting content integrity and authenticity in content oriented networks |