US9794238B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9794238-B2 |
| Application number | US-201514927034-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 29, 2015 |
| Priority date | Oct 29, 2015 |
| Publication date | Oct 17, 2017 |
| Grant date | Oct 17, 2017 |
Official abstract text for this publication.
One embodiment provides a system that facilitates secure communication between computing entities. During operation, the system generates, by a content-consuming device, a first key based on a first consumer-share key and a previously received producer-share key. The system constructs a first interest packet that includes the first consumer-share key and a nonce token which is used as a pre-image of a previously generated first nonce, wherein the first interest has a name that includes a first prefix, and wherein the first nonce is used to establish a session between the content-consuming device and a content-producing device. In response to the nonce token being verified by the content-producing device, the system receives a first content-object packet with a payload that includes a first resumption indicator encrypted based on a second key. The system generates the second key based on a second consumer-share key and the first content-object packet.
Opening claim text (preview).
What is claimed is:

1. A computer system for facilitating secure communication between computing entities, the system comprising: a processor; and a storage device storing instructions that when executed by the processor cause the processor to perform a method, the method comprising: generating, by a content-consuming device, a first key based on a first consumer-share key and a previously received producer-share key, and performing a key derivation function based on the first consumer-share key and the first producer-share key; constructing a first interest packet that includes the first consumer-share key and a nonce token which is used as a pre-image of a previously generated first nonce, wherein the first interest packet has a name that includes a first prefix, and wherein the first nonce is used to establish a session between the content-consuming device and a content-producing device; in response to the nonce token being verified by the content-producing device, receiving a first content-object packet with a payload that includes a first resumption indicator encrypted based on a second key; and generating the second key based on a second consumer-share key and the first content-object packet.

2. The computer system of claim 1, wherein the nonce token is verified based on the first key and the first nonce.

3. The computer system of claim 1: wherein generating the second key is further based on performing the derivation function based on the second consumer-share key and a second producer-share key indicated in the first content-object packet; and wherein the method further comprises generating, based on performing an expansion function based on the second key, one or more of the following: a consumer-specific second key; a producer-specific second key; a consumer-specific initialization vector; and a producer-specific initialization vector.

4. The computer system of claim 1, wherein the method further comprises: constructing an initial interest packet with a name that includes the first prefix and the first nonce, and a payload that indicates an initial hello; and in response to the initial interest packet, receiving an initial content-object packet with a payload that includes configuration information and the second nonce, wherein the configuration information indicates the first consumer-share key, and wherein the second nonce is used to establish the session.

5. The computer system of claim 4, wherein the payload for the initial content-object packet includes a second prefix different from the first prefix, and wherein the method further comprises: replacing the first prefix with the second prefix in the name for the first interest packet and a name for a subsequent interest packet associated with the session.

6. The computer system of claim 1, wherein the name for the first interest packet further includes a previously received second nonce, wherein the second nonce is used to establish the session.

7. The computer system of claim 1, wherein the method further comprises: constructing a second interest packet with a name that includes a previously received session identifier, and a payload encrypted based on a consumer-specific second key; and in response to the second interest packet, receiving a second content-object packet with a payload encrypted based on a producer-specific second key, wherein the consumer-specific second key and the producer-specific second key are generated based on performing an expansion function on the second key.

8. The computer system of claim 7, wherein the payload for the first content-object packet indicates a move token and a third prefix different from the first prefix, and wherein the method further comprises: replacing the first prefix with the third prefix in the name for the second interest packet and a name for a subsequent interest packet associated with the session; and indicating the move token in the payload for the second interest packet.

9. The computer system of claim 7, wherein the payload for the second content-object packet includes a second resumption indicator for a subsequently resumed session between the consumer and the producer.

10. The computer system of claim 1, wherein the method further comprises: decrypting the payload for the first content-object packet; in response to determining that the decrypted payload does not indicate a rejection, obtaining an acknowledgment and a second producer-share key.

11. A computer system for facilitating secure communication between computing entities, the system comprising: a processor; and a storage device storing instructions that when executed by the processor cause the processor to perform a method, the method comprising: receiving, by a content-producing device, a first interest packet that includes a first consumer-share key and a nonce token which is used as a pre-image of a previously received first nonce, wherein the first interest packet has a name that includes a first prefix, and wherein the first nonce is used to establish a session between a content-consuming device and the content-producing device; generating a first key based on the first consumer-share key and a first producer-share key, and performing a key derivation function based on the first consumer-share key and the first producer-share key; verifying the nonce token based on the first key and the first nonce; generating a second key based on the first interest packet and a second producer-share key; and constructing a first content-object packet with a payload that includes a first resumption indicator encrypted based on the second key.

12. The computer system of claim 11: wherein generating the second key is further based on performing the derivation function based on a second consumer-share key indicated in the first interest packet and the second producer-share key; and wherein the method further comprises generating, based on performing an expansion function based on the second key, one or more of the following: a consumer-specific second key; a producer-specific second key; a consumer-specific initialization vector; and a producer-specific initialization vector.

13. The computer system of claim 11, wherein the method further comprises: receiving an initial interest packet with a name that includes the first prefix and the first nonce, and a payload that indicates an initial hello; and in response to the initial interest packet, constructing an initial content-object packet with a payload that includes configuration information and a second nonce, wherein the configuration information indicates the first consumer-share key, and wherein the second nonce is used to establish the session.

14. The computer system of claim 13, wherein the method further comprises: including in the payload for the initial content-object packet a second prefix that is different from the first prefix, wherein the name for the first interest packet includes the second prefix, wherein the second prefix replaces the first prefix, and wherein a name for a subsequent interest packet associated with the session includes the second prefix.

15. The computer system of claim 11, wherein the name for the first interest packet further includes a previously generated second nonce, wherein the second nonce is used to establish the session.

16. The computer system of claim 11, wherein the method further comprises: generating a session identifier based on the second key; receiving a second interest packet with a name that includes the session identifier, and a payload encrypted
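The abstract and claims 1 to 3 and 11 to 12 describe a handshake in which the consumer derives a first key from its own share and the producer's share, reveals a nonce token that is the pre-image of a nonce it committed to earlier, and, once the producer has verified that token, both sides derive a second key from fresh shares and expand it into per-direction keys and initialization vectors that protect a resumption indicator. The following Python walkthrough is an added illustration, not code from the patent or its assignee, and it fills in details the claims leave open: a toy Diffie-Hellman group stands in for whatever share-key mechanism the patent uses, the first nonce is modelled as a SHA-256 commitment to the token, the token is carried encrypted under the first key so that verification needs both the first key and the nonce (claim 2), HKDF-SHA256 plays the role of both the derivation and expansion functions, and a small HMAC-based encrypt-then-MAC construction stands in for a real AEAD. The name prefix and all labels are constructed.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only. p = 2**127 - 1 is prime
# but far too small for real use; a deployment would use X25519 or an RFC 3526 group.
P = 2**127 - 1
G = 5
PREFIX = b"/example/producer"  # constructed name prefix, not from the patent


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-SHA256, used here as both the key derivation and the expansion function."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def new_share() -> tuple[int, int]:
    """A fresh (private exponent, public 'share key') pair; the claims exchange the public half."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(priv: int, peer_share: int, label: bytes) -> bytes:
    """Key derivation over the DH shared secret (claims 1 and 11)."""
    secret = pow(peer_share, priv, P).to_bytes(16, "big")
    return hkdf(b"", secret, label, 32)


def expand_session_keys(key2: bytes) -> dict[str, bytes]:
    """Claims 3 and 12: expand the second key into per-direction keys and IVs."""
    m = hkdf(b"", key2, b"session expansion", 32 + 32 + 12 + 12)
    return {"consumer_key": m[:32], "producer_key": m[32:64],
            "consumer_iv": m[64:76], "producer_iv": m[76:88]}


def seal(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC standing in for an AEAD: HKDF keystream XOR, then an HMAC tag."""
    stream = hkdf(iv, key, b"stream", len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return ct + hmac.new(key, iv + ct, hashlib.sha256).digest()


def unseal(key: bytes, iv: bytes, sealed: bytes) -> bytes:
    """Reverse of seal(); the tag is checked in constant time before anything is decrypted."""
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(hmac.new(key, iv + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication tag mismatch")
    stream = hkdf(iv, key, b"stream", len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def run_handshake(tamper_token: bool = False) -> dict:
    """Drive both sides in one process and return what each side ended up holding."""
    # Producer's long-lived share, assumed already known to the consumer ("previously received").
    p1_priv, p1_share = new_share()

    # Consumer hello: the first nonce is a hash commitment to a secret token (assumption; the
    # claims only say the token is a pre-image of the nonce). Both consumer shares are made now.
    token = secrets.token_bytes(32)
    nonce1 = hashlib.sha256(token).digest()
    c1_priv, c1_share = new_share()
    c2_priv, c2_share = new_share()
    pending = {nonce1: True}  # producer-side record of the nonce that opened this session

    # Consumer first interest: the revealed token travels under key1 (assumption), so the
    # producer needs both key1 and the nonce from the name to verify it, as in claim 2.
    key1_c = derive_key(c1_priv, p1_share, b"key1")
    sent_token = bytes(32) if tamper_token else token
    interest1 = {"name": (PREFIX, nonce1), "consumer_share_1": c1_share,
                 "consumer_share_2": c2_share, "token": seal(key1_c, nonce1[:12], sent_token)}

    # Producer: derive key1 from the share in the interest, recover the token, check the pre-image.
    _prefix, name_nonce = interest1["name"]
    key1_p = derive_key(p1_priv, interest1["consumer_share_1"], b"key1")
    revealed = unseal(key1_p, name_nonce[:12], interest1["token"])
    if name_nonce not in pending or not hmac.compare_digest(
            hashlib.sha256(revealed).digest(), name_nonce):
        return {"accepted": False}
    del pending[name_nonce]  # a nonce opens exactly one session
    p2_priv, p2_share = new_share()
    key2_p = derive_key(p2_priv, interest1["consumer_share_2"], b"key2")
    keys_p = expand_session_keys(key2_p)
    resumption_p = secrets.token_bytes(16)
    content1 = {"producer_share_2": p2_share,
                "payload": seal(keys_p["producer_key"], keys_p["producer_iv"], b"ACK" + resumption_p)}

    # Consumer: key2 from its second share and the producer share carried in the content object.
    key2_c = derive_key(c2_priv, content1["producer_share_2"], b"key2")
    keys_c = expand_session_keys(key2_c)
    plain = unseal(keys_c["producer_key"], keys_c["producer_iv"], content1["payload"])
    if not plain.startswith(b"ACK"):
        return {"accepted": False}
    return {"accepted": True, "key2_consumer": key2_c, "key2_producer": key2_p,
            "resumption_consumer": plain[3:], "resumption_producer": resumption_p}
```

Running `run_handshake()` yields matching second keys and the same resumption indicator on both sides; `run_handshake(tamper_token=True)` substitutes a wrong pre-image and the producer rejects the interest before deriving any session key, which is the check the claims hinge on. The pending-nonce table is consumed on use so a replayed first interest cannot open a second session from the same hello.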
CPC classification titles:

- Digital content management, e.g. content distribution
- based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- Generation of secret information including derivation or calculation of cryptographic keys or passwords
- using an additional device, e.g. smartcard, SIM or a different communication terminal (cryptographic mechanisms or cryptographic arrangements for entity authentication involving additional secure or trusted devices H04L9/3234)
- for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement H04L9/0838)