Field
Various features disclosed herein pertain generally to authentication of software to mitigate hacking of software in devices lacking secure storage, and more particularly, to a method in which software authentication is performed the first time the software is to be executed and a more efficient software verification is performed thereafter.
Background
Devices such as mobile phones, mobile devices, pagers, wireless modems, personal digital assistants, tablets, personal information managers (PIMs), personal media players, palmtop computers, laptop computers, or any other device with a processor are becoming increasingly popular and ubiquitous. Data generated, entered, stored, and/or received at such devices should be secured against unauthorized access. One risk of unauthorized access to data in a device is that the software running on the device may have been modified (e.g., hacked) to permit such unauthorized access. Consequently, software operating on a device should be authenticated to make sure it has not been modified. Authentication of software on devices serves to prevent modified software from being executed on those devices. That is, the software may be authenticated as it is loaded, prior to execution, to verify that it has not been compromised (e.g., modified). Software authentication is particularly important where devices do not have secure or trusted internal storage in which to securely store the software.
Software developers may use cryptography to digitally sign their software before it is distributed to devices. Where a symmetric key is used to sign the software, each device receives that symmetric key to authenticate the software. However, using the same symmetric key for the software on all devices is risky because if a single device is compromised and the symmetric key is obtained, then all other devices are exposed. While per-device symmetric keys may be used to sign the software for each device, this approach may require management of a large number of symmetric keys and is thus cumbersome to implement.
Alternatively, private/public key cryptography may be used by signing the software with a private key and distributing the corresponding public key to devices to authenticate the software. However, using a public key for authentication is processing-intensive and difficult for many devices that are low-power or have minimal processing capabilities/resources. Thus, the private/public key approach is not a practical solution.
Consequently, there is a need for a solution that permits effectively authenticating software operating on devices of varying processing capabilities.