
Method for authenticating a JAVA archive (JAR) for portable devices, Number: 6,766,353, from the United States Patent and Trademark Office (PTO)


Title: Method for authenticating a JAVA archive (JAR) for portable devices

Abstract: A signed application descriptor file (206) is used instead of X.509 certificates to authenticate a portable application code, such as a JAVA archive (JAR) file. The signed ADF includes an application descriptor file (302), file hash (304) of the JAR file (301), a developer descriptor file (308), signed time stamp (310), and a developer's certificate (312). A network client device (202) includes limited computing resources (212) and a virtual machine environment for executing the portable code (208). Furthermore the client device contains a set of cryptographic, digital keys for authenticating parts of the signed ADF, which are further used to authenticate the JAR file.

Patent Number: 6,766,353 Issued on 07/20/2004 to Lin, et al.


Inventors: Lin; Jyh-Han (Coral Springs, FL), Geiger; Robert L. (Sunnyvale, CA), Smith; Ronald R. (Coral Springs, FL), Chan; Alan W. (Sunrise, FL), Wanchoo; Sanjay (Lauderdhill, FL)
Assignee: Motorola, Inc. (Schaumburg, IL)
Appl. No.: 09/613,804
Filed: July 11, 2000


Current U.S. Class: 709/203 ; 709/201
Current International Class: H04L 29/06 (20060101)
Field of Search: 713/200,201,156,168 709/200,203,225,229,226,217


References Cited

U.S. Patent Documents
5987608 November 1999 Roskind
6023764 February 2000 Curtis
6029000 February 2000 Woolsey et al.
6044467 March 2000 Gong
6341353 January 2002 Herman et al.
6351816 February 2002 Mueller et al.
6378075 April 2002 Goldstein et al.
6381696 April 2002 Doyle
6477647 November 2002 Venkatraman et al.
6523067 February 2003 Mi et al.
6606708 August 2003 Devine et al.
Primary Examiner: Geckil; Mehmet B.
Attorney, Agent or Firm: Garrett; Scott M.

Claims



What is claimed is:

1. A method of authenticating a JAVA archive file to be loaded onto a network client device, the network client device having a code signing certificate authority key and a time stamping root key, the method comprising: transmitting, from the network client device, a request to a distribution server for the JAVA archive file; receiving, at the network client device, a signed application descriptor file from the distribution server, the signed application descriptor file containing an application descriptor file, a hash of the JAVA archive file, a developer descriptor file, a developer certificate containing a developer public key, a signed time stamp, and a developer signature; verifying the developer certificate with the code signing certificate authority key; and verifying the signed time stamp with the time stamping root key.

2. A method of authenticating a JAVA archive file as defined in claim 1, further comprising verifying the developer signature using the developer public key.

3. A method of authenticating a JAVA archive file as defined in claim 1, wherein the receiving comprises receiving the signed application descriptor file where the developer signature is a signed hash of the signed time stamp, developer certificate, developer descriptor file, application hash file, and the application descriptor file.

4. A method of authenticating a JAVA archive file as defined in claim 1, wherein the receiving comprises receiving an application descriptor file containing a security policy file.

5. A method of authenticating a JAVA archive file as defined in claim 1, wherein the receiving comprises receiving an application descriptor file containing a license policy file.

6. A method of authenticating a JAVA archive file as defined in claim 1, further comprising: extracting a network address of the application from the signed application descriptor file; and loading the JAVA archive file from the network address.

7. A method of authenticating a JAVA archive file as defined in claim 6, wherein the network client device comprises a virtual machine environment, the method further comprising loading the JAVA archive file into the virtual machine environment.

8. A method of creating a signed application descriptor file to be used in authenticating a JAVA archive file, comprising: generating an application descriptor file corresponding to the JAVA archive file, the application descriptor file describing the resources needed by the JAVA archive file; generating a hash of the application descriptor file; transmitting the hash of the application descriptor file and a developer's certificate to a certificate authority; receiving a signed timestamp from the certificate authority in response to the transmitting; and signing an application descriptor file with the file hash, a developer descriptor file, the developer's certificate, and the signed time stamp.
Description



TECHNICAL FIELD

This invention relates in general to portable code transfer, such as JAVA technology, and more particularly to security and authentication of portable code for use by wireless or mobile devices, or other computing devices with relatively limited computing resources, and limited communication bandwidth.

BACKGROUND OF THE INVENTION

In networked environments such as the Internet, the use of portable code or portable applications has gained widespread acceptance. The best known technology in this field is JAVA. In creating JAVA code, a developer creates an application and makes it available on a network in byte code format. The byte code is downloaded by various client devices connected to the network and loaded into a JAVA virtual machine environment on the client machine or computer. The virtual machine environment is a layer of software that can interact with the specific computing platform of the particular client device and interpret the byte code. An application so loaded onto a client device could compromise the client device, and may even be designed to do so if the developer of the application had malicious intentions. Therefore, security is a significant issue with portable code.

Many security schemes have been devised to address these security issues. These range from giving only very restricted access to all portable applications to a system of authentication in which different levels of permission may be granted depending on whether the application can be authenticated as having come from a trusted source. The latter scheme is preferable since it allows an application more access to the local computer's resources, so long as it is authenticated. This allows developers to create more powerful applications because the applications have more access to the computer resources of the client machine.

However, as presently devised, these authentication schemes are designed for general purpose personal computers, which are commonly referred to as "desktop" computers. These machines have varying degrees of computing resources, but in general the resources they have greatly exceed the computing resources of small, portable devices such as personal organizers and mobile communication devices. There is an increasing number of these smaller devices being manufactured that are able to connect to large networks, and particularly the internet. Presently X.509 certificates are widely used for authentication, but these are quite large files compared to the limited memory resources available on these smaller mobile devices. Furthermore, since the certificate comes bundled with the application typically, the device must load both the application and the certificate. Therefore a data structure and method of authenticating portable applications that can be used by smaller devices is needed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a typical network including a server and a client;

FIG. 2 shows a representation of a client network device and its computing resources;

FIG. 3 shows a block diagram of a signed application descriptor file (ADF) for use in accordance with the present invention;

FIG. 4 shows a sequence chart for creating a signed ADF in accordance with the invention;

FIG. 5 shows a sequence chart for establishing the identity of a trusted developer for use in creating a signed ADF in accordance with the invention; and

FIG. 6 shows a sequence chart for downloading a signed ADF and a portable application from a distribution server to a network client device in accordance with the invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

While the specification concludes with claims defining the features of the invention that are regarded as novel, it is believed that the invention will be better understood from a consideration of the following description in conjunction with the drawing figures, in which like reference numerals are carried forward. A brief description of the prior art is also thought to be useful.

The present invention solves the problem of downloading portable applications and authenticating their source onto a client device with limited computing resources by creating a signed application descriptor file (ADF), and a developer descriptor file (DDF). The ADF is a file that describes the portable application in terms of the computing resources it requires, and can be loaded onto the client device first so that the client device can determine whether or not it has sufficient resources, or it can let the user of the client device determine if there are sufficient resources. The ADF file is signed by the developer of the corresponding application using a certification authority, which is a well known and trusted signing authority. Attributes in the signed ADF correspond to those of the application so that if the user of the client device decides to load the application, the application can be authenticated against the signed ADF. The DDF is associated with a particular application software developer and specifies the general access control related information assigned to the developer. For example, a DDF may restrict the kind of application libraries that applications developed by the developer can use, or the security domain to which the developer belongs.

Referring now to FIG. 1, there is shown a typical network 100 over which client and server machines interact. In particular, a network client device 102, such as a mobile communication device, connects with a distribution server 104 over one or more bearer networks 106. Typically the bearer network includes a TCP/IP network, and for public distribution of software, it includes the Internet. However, numerous private networks are connected to the Internet through various gateways and portals, including many wireless mobile communication networks. Indeed, the present invention is suited particularly well to use on mobile communication devices such as Internet capable mobile or cellular radio telephones. These devices may use what is referred to as a "microbrowser" to view information, or "content", placed on the Internet and other networks accessible by the device, as well as execute portable code. As with general purpose computers, there is a desire to load portable applications onto these devices. Developers of portable applications provide the application on a database 106 of the distribution server 104. Client devices access the distribution server over the network and receive the desired portable code or portable application over the connection. This is one way in which JAVA code sections, such as applets, are distributed.

Referring to FIG. 2 there is shown a representation 200 of a client network device 202 and its computing resources. In this instance, the client device is receiving an application file 204, which includes a signed ADF 206 and the application code 208. The application code may be, for example, a JAVA archive (JAR) file. These two parts may be transferred separately or together. The signed ADF prescribes the security domain 210 of the application when loaded into the client device. Essentially, the security domain determines which of the client device's resources 212 the application will be allowed to access when running in the virtual machine environment 214. In the preferred embodiment, the application is received in the form of byte code which the virtual machine executes. The virtual machine only allows the application to access the resources permitted, as dictated by the signed ADF. The resources 212 include other processes, classes, and methods, as well as certain hardware components such as volatile and non-volatile memory space. The signed ADF is substantially smaller than the presently used signed JAR file format because a signed JAR file includes all applications-related files, and is more desirable for use with computing devices with relatively limited resources.

Referring now to FIG. 3, there is shown a block diagram 300 of a signed application descriptor file (ADF) for use in accordance with the present invention, along with an associated JAR file 301 containing the portable code to be installed on the client machine. The signed ADF includes an application descriptor file 302, a file hash 304 of the JAR file, a developer descriptor file (DDF) 306, a developer certificate 308, a time stamp 310, and a developer signature 312. ADF 302 describes the resources which are required by the client device, and may include a security policy file 314 or a license policy file 316, or both. The ADF contains a pointer to the network location of the application in the file hash 304, an indication of the amount of memory space required to execute the application, and the environment necessary for execution. The security policy contains the information regarding which resources the application needs permission to use, as well as the names of files the application may create, and the network addresses it may need to access. The license policy may be used to set how the application may be used, such as whether it has a finite number of uses, or a finite period of time, whether it may be transferred to other users, and so on. The file hash 304 is a hash of the JAR file 301, and is the result of a cryptographic method which produces a small digest that can be used to authenticate a larger file (in this case a JAR file), as is known in the art. For additional security, more than one hash may be used and included in the signed ADF using different hash algorithms, such as SHA1, MD5, or others. The DDF 306 also contains information about the JAR file, and may also include information regarding the developer. The developer's certificate is a certificate issued to the developer and includes the developer's public key 318 so that the certificate may be authenticated by the client device. It also contains information about the identity of the developer, the validity period, the issuing certificate authority, the issuing date, and so on, to be used in the authentication process. The time stamp 310 is a signed time stamp. It is provided by a trusted source, such as a certificate authority or perhaps the client device's subscriber network operator. By providing a signed timestamp, the client device can determine when the application was signed, and if that time stamp is authentic. Finally, the developer's signature 312 is concatenated onto the other data structures. The developer's signature allows the client device to authenticate the ADF.

The developer produces the signed ADF as illustrated in FIG. 4, which shows a sequence chart for creating a signed ADF 400 in accordance with the invention. The developer sends a request, containing the hash for the ADF and the developer certificate, to a code signing authority (402), and requests a signed timestamp. The code signing authority is a trusted entity, such as, for example, Verisign, Inc., or the client's network operator. It should be noted that the certificate authority and the code signing authority are not necessarily the same entity. A certificate authority manages certificates, while a code signing authority verifies developer certificates and signs ADF hash files and timestamps them. The developer generates and sends a hash of the ADF to the code signing authority and receives a signed timestamp back from the certificate authority (404). The developer then concatenates the ADF, the hash of the JAR file, the DDF, the developer's certificate, and the signed time stamp together. The developer's certificate contains a hash of the DDF. The developer signs the concatenated file (406), by adding the developer's digital signature (element 312 from FIG. 3), and the ADF is fully signed. The signed, concatenated file is the signed ADF, and is then placed on a distribution server (408), along with the application code or JAR file. The network address of the signed ADF is then made available so that client devices can download it to begin the installation and authentication procedure for the JAR file. In the preferred embodiment, the developer uses a software developer's kit (SDK), which is a set of software creation tools distributed by, for example, the creator of the virtual machine environment 214 that runs on the client device. The SDK automates this whole procedure, including steps 402-408.

FIG. 5 shows the sequence 500 for obtaining a developer's certificate. The developer's browser, or similar client application, first sends a certificate request (502) to a code signing certificate authority server, which may be operated by the same certificate authority referred to above. The certificate authority sends the developer information to a developer administration server (504). This entity may be, for example, the operator of the client's home network or network service provider. For example, in the case of the client device being a wireless mobile communication device, the developer administrator may be the wireless service provider that provides the wireless communication service. The developer administrator returns a developer descriptor file (DDF) to the code signing certificate authority (506), which becomes part of the signed ADF, as described above in reference to FIG. 3. In the preferred embodiment, the developer's certificate will contain a hash of the DDF. The preferred format for the certificate is a wireless transport layer security (WTLS) certificate because it is smaller than, for example, an X.509 certificate. The certificate authority then forwards a developer certificate and the DDF, preferably both text encoded, to the developer's computer, such as, for example, by email (508). The text encoded information is easy to transfer as an email enclosure.

After the signed ADF has been created and placed on a distribution server, client devices can download the signed ADF and the application or JAR file. The procedure is as shown in FIG. 6, which shows a sequence chart 600 for downloading a signed ADF and a portable application or JAR file from a distribution server to a network client device in accordance with the invention. Prior to beginning this sequence, the client device has had a code signing certificate authority public key and a time stamping root key placed in the client device. The time stamping root key is a public key used for authenticating the signed time stamp 310. To begin the method, the client device transmits (602) a request to a distribution server for the application. The distribution server transmits the signed ADF for the desired application, which is received by the client device (604). Preferably the signed ADF contains an application descriptor file, file hash of the application code, developer descriptor file, developer certificate, signed time stamp, and the developer certificate. These transactions take place using known network protocols, such as TCP/IP. Upon receiving the signed ADF, the client device verifies the developer certificate with the code signing certificate authority's public key (606). The client may also authenticate the signed time stamp with the time stamping root key (608). The verified timestamp is used to check whether the ADF file is signed within the valid period of the developer certificate. Both of these must be verified. If it was not already received, the client device obtains the network location of the application code or JAR file, and transmits a request to the server, specifying the particular application desired (610). Although shown here a being on the same distribution server as the signed ADF, the application may be located on a different server. The server transmits the application code to the client device (612). 
Upon receiving the application code, the client device compares it to the parameters in the signed ADF. Specifically, it compares the hash received in the signed ADF with the hash of the application, and may also verify attributes such as file size. The hash of the JAR file may be produced by the client device, and compared to the hash received in the signed ADF. If the hash of the application received in the signed ADF matches the hash of the received application file (in step 612), the client device loads the application into the virtual machine environment for execution according to the security and license policies, if any were present in the ADF.
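The client-side checks of FIG. 6 (steps 606 to 612 and the hash comparison), sketched as an added example that is not taken from the patent. The field names, the use of SHA-256, the toy RSA signatures, and the time stamp covering the signing time plus the file hash are assumptions made for illustration.

```python
import hashlib

E = 65537

def toy_key(p, q):
    # Toy RSA from Mersenne primes (constructed, NOT secure): a stand-in for
    # the real signature scheme, which this part of the page does not name.
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def h(data):
    return hashlib.sha256(data).hexdigest()   # hash choice is an assumption

def tbs(*fields):
    return "|".join(map(str, fields)).encode()

def sign(key, data):                     # CA / time stamping server side
    return pow(int(h(data), 16) % key["n"], key["d"], key["n"])

def verify(n, data, sig):                # client side, public modulus only
    return pow(sig, E, n) == int(h(data), 16) % n

def check_download(adf, jar, ca_n, tsa_n):
    """Return None if the app may be loaded, else the reason it is rejected."""
    c, ts = adf["cert"], adf["timestamp"]
    if not verify(ca_n, tbs(c["dev"], c["ddf_hash"], c["nb"], c["na"]), c["sig"]):
        return "developer certificate not signed by the CA"          # 606
    if not verify(tsa_n, tbs(ts["time"], adf["jar_hash"]), ts["sig"]):
        return "time stamp not signed by the time stamping root"     # 608
    if not c["nb"] <= ts["time"] <= c["na"]:
        return "ADF signed outside the certificate validity period"
    if h(adf["ddf"]) != c["ddf_hash"]:
        return "DDF does not match the hash in the certificate"
    if len(jar) != adf["jar_size"] or h(jar) != adf["jar_hash"]:
        return "application file does not match the signed ADF"
    return None

def sample(signed_at=150):
    # Constructed test data: one CA key, one time stamping key, one tiny "JAR".
    ca, tsa = toy_key(2**127 - 1, 2**89 - 1), toy_key(2**107 - 1, 2**61 - 1)
    jar, ddf = b"PK\x03\x04 constructed jar bytes", b"developer=example;tier=1"
    cert = {"dev": "example-dev", "ddf_hash": h(ddf), "nb": 100, "na": 200}
    cert["sig"] = sign(ca, tbs(cert["dev"], cert["ddf_hash"], cert["nb"], cert["na"]))
    ts = {"time": signed_at, "sig": sign(tsa, tbs(signed_at, h(jar)))}
    adf = {"cert": cert, "timestamp": ts, "ddf": ddf,
           "jar_hash": h(jar), "jar_size": len(jar)}
    return adf, jar, ca["n"], tsa["n"]

if __name__ == "__main__":
    adf, jar, ca_n, tsa_n = sample()
    print(check_download(adf, jar, ca_n, tsa_n))           # genuine download
    print(check_download(adf, jar + b"!", ca_n, tsa_n))    # altered JAR
```

Every check fails closed: the application is loaded only when all of them pass, and a change to the certificate fields, the time stamp, the DDF or the JAR is caught by a different check.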

Thus, the invention avoids the use of relatively large files and certificates for authenticating the application code, as is used with more powerful, general purpose computers. A typical certificate will be 100-500 bytes, the file hash about 20 bytes, the DDF about 100-200 bytes, and of course the JAR file can be very small to very large, depending on the application. The use of a signed ADF allows devices with relatively limited resources to easily authenticate the trustworthiness of an application, and to set appropriate permissions for the various resources. The security is accomplished by providing the client device with a set of keys initially, such as the code signing certificate authority key and a time stamping root key. Furthermore, developers provide their public key in the signed ADF so that client devices can use them to further establish a trusted chain. A hash of the application, and preferably a signed hash, is used so that it may be compared to the application once it is received at the client device. A security policy file and a license policy file may be provided to describe what resources the application will need, what it will create, and the limitation on the use of the application as well as the transferability of the application.

While the preferred embodiments of the invention have been illustrated and described, it will be clear that the invention is not so limited. Numerous modifications, changes, variations, substitutions and equivalents will occur to those skilled in the art without departing from the spirit and scope of the present invention as defined by the appended claims.
