This invention relates generally to obtaining computer software over an open computer network like the Internet and, in particular, to identifying the source of such software.
The Internet is a well known, global network of cooperatively interconnected computer networks. The world wide web portion of the Internet is a collection of server computers (referred to as xe2x80x9csitesxe2x80x9d) on the Internet which store HTML documents that can be publicly accessed by computer uses having a connection to the Internet. There are many such world wide web sites on the Internet.
Software, generally known as xe2x80x9cInternet browsers,xe2x80x9d are now in wide-spread use for retrieving (also known as xe2x80x9cdownloadingxe2x80x9d) and viewing electronic documents in hyper-text markup language (HTML) format from the world-wide web. Originally, these HTML documents were simply ASCII coded character files generally consisting of text and HTML xe2x80x9ctagsxe2x80x9d that specify formatting of the document, links (referred to as xe2x80x9chyper-linksxe2x80x9d) to related documents on the network, and other files that contain information (e.g., sound, images, video, etc.) to be combined into the document. Typical HTML documents found on the world wide web include both text and tags specifying files for several images that are to be displayed with the text. In use, browser software allows a user to navigate (also known as xe2x80x9cbrowsingxe2x80x9d) between documents and sites on the world-wide web.
More recently, the files that browsers are capable of accessing and utilizing include executable files such as, for example, OLE (object linking and embedding) controls and JAVA applets. These executable files were at first used to enhance the image characteristics of an HTML document by adding features that move or have other changing image characteristics. Moreover, it is expected that the functionality of such executable files will increase to include a wide range of applications and application components. In addition to browsers utilizing executable files, the marketing and distribution of computer software is increasingly utilizing network-based distribution rather than the traditional distribution of computer readable media such as magnetic (floppy) diskettes or optical (CD-ROM) disks.
A danger in wide-spread distribution of executable files over open networks like the Internet is an increased risk of contracting computer viruses or other malicious executable computer files. Computer viruses have long been a scourge of computer owners and operators because of the relative ease of contracting many viruses and the potentially devastating damage that viruses can cause. A common and effective defense to computer viruses has been to install executable files only from computer readable media that are known to be virus-free, such as the original media on which software are distributed by a manufacturer or software distributor or publisher.
Confidence in the authenticity of the original media is established by conventional marketing devices such as packaging, trademarks, the reputation of retailers offering the software, etc. Software that is distributed over an open network like the Internet does not have identifying packaging, fixed original media, or even a retail establishment that can be visited. As a consequence, software distribution over an open network is susceptible to corruption by a party impersonating a proper software distributor or by the software being modified after it is transmitted by the distributor.
One approach to addressing this problem is to create a protective and padded virtual machine on the software recipient""s computer. Such a virtual machine, which is often referred to as a playpen or sandbox, allows untrusted, possibly malicious code to be executed without fear that it could cause any unauthorized or unwarranted actions. This approach is an outgrowth of the security architecture in existing computer operating systems. A problem with this approach is that it is extraordinarily difficult to create a sandbox that is actually secure against malicious code. Unexpected security holes are commonly discovered in supposedly secure operating systems that use this method.
But even assuming that this difficulty could be overcome, a fundamental quandary with the sandboxing approach is that there is a very strong tension between creating a sandbox safe enough to run perhaps malicious code, but yet with sufficient access to system resources to be capable of performing useful operations. For example, sandboxed code that is allowed to make network connections off of a host machine (e.g., TCP, FTP, EMail, or otherwise) should not have access to any information on the machine that is to be kept private. As other examples, some system utilities such as a disk defragmenter or an indexing utility that locates the lost documents on a hard disk would likely be inoperable as sandboxed code. A sandbox that successfully protected against the damage these utilities might possibly cause would prevent them from carrying out their intended purpose.
A certification or signing method ensures the authenticity and integrity of a computer program, an executable file, or code received over a computer network. The method is used by a publisher or distributor to xe2x80x9csignxe2x80x9d an executable file so it can be transmitted with confidence to a recipient over an open network like the Internet. The executable file may be of any executable form, including an executable or portable executable .exe file format, a .cab cabinet file format, an .ocx object control format, or a Java class file.
The code signing method assures the recipient of the identity of the publisher as the source of file (i.e., its authenticity) and that the file has not been modified after being transmitted by the publisher (i.e., the integrity of the file). As a result, the code signing method allows an executable file to be transmitted over open computer networks like the Internet with increased certainty in the identity of the source of the file and minimized risk of contracting a computer virus or other malicious executable computer files.
In one implementation, the method includes determining a cryptographic digest or xe2x80x9chashxe2x80x9d of the executable file and forming a publisher signature with the cryptographic digest. The publisher digital signature may also include an identifying name of the executable file and possibly a link or hyperlink to a description of the executable file. The publisher signature is formed with a public-private key signature algorithm, such as the RSA public key cipher, as is known in the art.
A publisher digital certificate is attached to the publisher signature. The publisher digital certificate is issued by a certification authority or agency to authenticate the identity of the publisher issuing the publisher signature. The publisher digital certificate is a cryptographic certificate that includes the software publisher""s name, a public key corresponding to a private key used by the publisher to sign the file, an expiration date (or validity period) of the certificate, and possibly a link or hyperlink to the certification agency, including a statement of its certification policy and its identifier (e.g., trademark). The digital certificate is encrypted with a private key corresponding to a widely known and readily available certification agency public key. For example, the certification agency public key may be on or linked to a key that is on the recipient""s computer in association with a browser application or another software application or the operating system. Alternatively, the certification agency public key may be posted on an open network like the Internet, or otherwise published.
This certification of the executable file or code is confirmed or read at the recipient""s computer. The public key for the publisher""s signature is obtained by decoding or decrypting the digital certificate with the certification agency public key, thereby assuring the authenticity of the software publisher. A cryptographic digest or hash is determined for the code as it is received. The digest is compared to the digest included in the publisher signature. A match between the digests confirms the integrity of the code. A dialog is then rendered by the recipient computer indicating who is providing the code and the certification agency that has authenticated the identity of the publisher.
The publisher digital certificate and the publisher signature together form a keyed source confirmation with a secure representation of the executable file. The source confirmation is keyed in that it (or a portion of it) is encrypted with a key, or includes a key, or both. The described implementation of publisher digital certificate and the publisher signature as a source confirmation is both encrypted with a key and includes a key.
In one embodiment, the certification is referenced in a header of the executable file, the reference including a pointer to the keyed source confirmation and an indication of the size of the keyed source confirmation. The header reference functions to identify the location of the keyed source confirmation so that it is not included in the cryptographic digest or hash that is determined for the code received at the recipient""s computer. In addition, other components of the executable file or code may be excluded from the hash computed at the recipient""s computer, as well as the original hash of the file. As a result, the hash that is computed can, if the executable file remains unchanged except for the excluded information, match the original cryptographic digest for the file.
This two-level identity confirmation provides the recipient with a concise, simple assurance of the authenticity and integrity of the downloaded code or executable file. By authenticating the identity of the publisher rather than the actual code, the certification agency need not authenticate the code being signed by the publisher. This allows the certification agency to authenticate the identity of a relatively large number of software publishers. If present, links to the certification agency and a description of the code allow the recipient to obtain additional information about the code and the agency""s certification policies before choosing to run or accept the code.
Additional features and advantages of the invention will be made apparent from the following detailed description of an illustrated embodiment which proceeds with reference to the accompanying drawings.