The invention relates generally to systems that employ information security algorithms, and more particularly to systems and methods for controlling software application operation and secure software distribution.
Many of today's computer systems and communication systems employ some type of information security system, such as a public key cryptography system or other cryptography-based security system, either to encrypt information communicated among applications or to other units within the system, or to digitally sign documents as a method of electronic commerce or for another suitable purpose. Information security systems are often used by multiple software applications; for example, an e-mail application may use public/private key cryptographic programs to allow the encryption or digital signing of electronic mail. Similarly, other software applications, such as financial transaction applications that allow a user to digitally sign, for example, electronic contracts or purchase orders to carry out financial transactions, may use the same public/private key infrastructure as the e-mail application and other applications within the system. In a public/private key based cryptography system as known in the art, a private signing key and a private decryption key may be stored in an encrypted secret file on each computer corresponding to a user of the computer. The user typically has to log in on the computer to gain access to the secret key information by entering a specific password, or through another mechanism, each time the security system needs to be used. As such, when multiple applications are being used by a user, a login requirement on a per-application basis for use of the security system becomes cumbersome, although it can provide a high level of security against unauthorized access.
In other known computer systems using information security systems, a single login by the user can be used, after which subsequent applications are allowed access to the secret key information stored in the file. When a login or use is requested by a different application, that application retrieves the stored login information and obtains access automatically. A problem arises with such systems when unauthorized applications (for example rogue software applications, applications not authorized by an individual or corporation, or unlicensed applications) attempt access to the computer, either in a foreground or background mode. Since the system allows access by any application seeking use of the cryptographic system, protected credentials such as secret decryption keys and signing keys can be obtained without the user's knowledge. As a result, an unauthorized party may use a rogue application to obtain a secret signing key to digitally forge documents, or a secret decryption key to decrypt important documents that were originally encrypted only for receipt by a specific user. The rogue application can attempt and obtain such access after being downloaded, for example, from a worldwide computer network.
In an attempt to overcome such problems, code-signing schemes have been developed to help ensure that a specific software application is a legitimate application. For example, when a manufacturer releases a new software application, or a new version of a previously released application, over a public network, the manufacturer digitally signs the software application with a signature that is trusted by the receiving unit in the network through the use of, for example, certificate authorities, as known in the art. As such, a computer node or other communication unit may determine that the application is not a virus or a rogue software application. Code signing schemes generally involve an executable file being digitally signed by a trusted authority, and the signature is verified by a computer unit before the program is run. However, in such schemes all of the trust typically rests in the manufacturer or other entity signing the application, and the signing certificate of the code signer typically accompanies the signed code. Furthermore, the granularity of control is generally coarse: either all programs by a given code signer are automatically trusted or none are, and in the latter case a user may be prompted to approve individual programs; the capability does not exist, however, to centrally control the designation of only selected programs from a given code signer as automatically trusted.
Other computer systems are known that have mechanisms allowing a user to grant or deny specific applications access to peripheral devices such as hard disks and to limit their access to networks. However, such systems do not typically provide continuing protection, that is, a check carried out each time an application is opened to ensure that only authorized applications are run.
Also, it would be desirable to control whether a calling application can execute on a processor, since unauthorized applications can be inadvertently downloaded onto a system, or an updated version of software can be released that should be run instead of an older and perhaps malfunctioning version of an application.
It would also be desirable to provide a suitable software distribution mechanism that substantially reduces the likelihood that an unauthorized application would be allowed to execute on a particular processing unit. For example, a problem can arise with operating systems that run executable files that may be corrupted, contain a virus, not be properly licensed, or otherwise be detrimental to the system. Computer virus checking systems are known that store lists of identified strings or portions of known viruses. The virus checking software typically analyzes the executable code to determine whether predefined strings are embodied in the program. However, such systems typically do not generate and store a list of pre-approved hash values of executable programs and compare a program to be run against that predefined list of hash values. Moreover, such systems typically do not indicate which files are approved for execution, but instead indicate which programs or files are improper for execution because a virus was found based on a predetermined data string.
Other systems are known for the secure distribution of electronic files, such as the system described in U.S. Pat. No. 5,638,446, issued Jun. 10, 1997, entitled "Method For The Secure Distribution Of Electronic Files In A Distributed Environment". This system discloses a process for using a trusted third party to create an electronic certificate for an electronic file, which is used to establish the integrity of the file and verify the identity of the creator of the file. To register with the trusted third party, the third party receives information about an author, such as the author's public key, and verifies the accuracy of the public key. In the file distribution phase, the author sends to the trusted third party a signed message containing the hash of the file the author wants to distribute. The trusted third party creates an electronic certificate, signed by the third party, containing the hash of the file sent by the author. A user desiring to receive the file retrieves the file together with the certificate. The user then uses the certificate to verify, first, that the certificate was created by the third party and, second, that the hash of the file contained in the certificate is the same as the hash computed from the retrieved file. If the two hashes match, the user then believes that the file came from the author and is uncorrupted.
However, such a system does not generally evaluate on a continuing basis whether a calling executable program is suitable for execution on a system, nor does such a system typically provide a list of approved hash values that may be centrally distributed to a plurality of receiving units to facilitate central distribution of approved executable files and control of multiple executable applications across a plurality of recipients.
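Both mechanisms described above, the per-file certificate issued by a trusted third party and a centrally issued list of approved hash values checked at each launch, reduce in practice to a signature check followed by a hash comparison. The following Go program is an added example written for this page; it is not code from the patent or from the referenced system, and its choices of Ed25519 signatures, SHA-256 digests, a newline-joined list serialization, and the byte strings standing in for executables are all assumptions of the example. It registers one file with a third party and verifies the resulting certificate, then issues a signed approved-hash list and shows the receiving unit's per-launch check refusing an altered file, a superseded binary, and a list edited locally without the administrator's key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Certificate is the trusted third party's statement about one file: the
// file's SHA-256 digest and the third party's signature over that digest.
type Certificate struct {
	FileHash  [sha256.Size]byte
	Signature []byte
}

// RegisterFile models the distribution phase of the per-file scheme: the author
// signs the hash of the file, the third party checks that signature against the
// author's registered public key, then issues its own certificate over the hash.
func RegisterFile(file []byte, authorPriv ed25519.PrivateKey, authorPub ed25519.PublicKey, ttpPriv ed25519.PrivateKey) (Certificate, error) {
	h := sha256.Sum256(file)
	authorSig := ed25519.Sign(authorPriv, h[:])
	if !ed25519.Verify(authorPub, h[:], authorSig) {
		return Certificate{}, errors.New("author signature on file hash did not verify")
	}
	return Certificate{FileHash: h, Signature: ed25519.Sign(ttpPriv, h[:])}, nil
}

// VerifyFile is the receiver's two checks: the certificate was signed by the
// third party, and the hash it carries equals the hash of the retrieved file.
func VerifyFile(file []byte, cert Certificate, ttpPub ed25519.PublicKey) error {
	if !ed25519.Verify(ttpPub, cert.FileHash[:], cert.Signature) {
		return errors.New("certificate was not signed by the trusted third party")
	}
	if sha256.Sum256(file) != cert.FileHash {
		return errors.New("hash of retrieved file does not match certificate")
	}
	return nil
}

// ApprovedList is a centrally issued list of digests of executables allowed to
// run. It is signed as a whole (over the sorted digests joined by newlines, an
// assumed serialization) so a unit can check its origin before consulting it.
type ApprovedList struct {
	Hashes    []string // hex SHA-256 digests, kept sorted for binary search
	Signature []byte
}

// IssueApprovedList hashes each approved executable and signs the sorted list
// with the central administrator's key.
func IssueApprovedList(approved [][]byte, adminPriv ed25519.PrivateKey) ApprovedList {
	hashes := make([]string, 0, len(approved))
	for _, exe := range approved {
		sum := sha256.Sum256(exe)
		hashes = append(hashes, hex.EncodeToString(sum[:]))
	}
	sort.Strings(hashes)
	l := ApprovedList{Hashes: hashes}
	l.Signature = ed25519.Sign(adminPriv, []byte(strings.Join(hashes, "\n")))
	return l
}

// MayExecute is the per-launch check: verify the list signature, hash the
// calling executable, and require an exact match on the list.
func (l ApprovedList) MayExecute(exe []byte, adminPub ed25519.PublicKey) error {
	if !ed25519.Verify(adminPub, []byte(strings.Join(l.Hashes, "\n")), l.Signature) {
		return errors.New("approved list signature invalid; refusing all executables")
	}
	sum := sha256.Sum256(exe)
	h := hex.EncodeToString(sum[:])
	i := sort.SearchStrings(l.Hashes, h)
	if i == len(l.Hashes) || l.Hashes[i] != h {
		return errors.New("executable " + h[:12] + " is not on the approved list")
	}
	return nil
}

func main() {
	// Constructed keys and byte strings standing in for real binaries.
	authorPub, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	ttpPub, ttpPriv, _ := ed25519.GenerateKey(rand.Reader)
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	current, old := []byte("constructed executable v2"), []byte("constructed executable v1")
	cert, _ := RegisterFile(current, authorPriv, authorPub, ttpPriv)
	fmt.Println("intact file:", VerifyFile(current, cert, ttpPub))
	fmt.Println("altered file:", VerifyFile(old, cert, ttpPub))
	list := IssueApprovedList([][]byte{current}, adminPriv)
	fmt.Println("approved binary:", list.MayExecute(current, adminPub))
	fmt.Println("superseded binary:", list.MayExecute(old, adminPub))
	// A local attacker appends the old digest without the administrator's key.
	s := sha256.Sum256(old)
	list.Hashes = append(list.Hashes, hex.EncodeToString(s[:]))
	sort.Strings(list.Hashes)
	fmt.Println("locally edited list:", list.MayExecute(old, adminPub))
}
```

The design point the last case makes is that the list's signature must cover the whole list, not individual entries: an entry appended by anyone who can write to the receiving unit's disk invalidates the signature and causes the unit to refuse every executable until a freshly signed list arrives, which is the fail-closed behaviour a central administrator wants. A real deployment would also bind the list to a version or expiry so a stale but validly signed list cannot be replayed to re-approve a withdrawn binary.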
Consequently, there exists a need for a system and method for controlling program execution for a first party based on a plurality of approved hash values of executable file data. It would be desirable if such a system facilitated centralized distribution and control of program execution for a plurality of units.