METHOD AND APPARATUS TO CREATE A SECURE WEB-BROWSING ENVIRONMENT WITH PRIVILEGE SIGNING

US 20100275014A1
Filed: 04/27/2009
Published: 10/28/2010
Est. Priority Date: 04/27/2009
Status: Active Grant

First Claim

Patent Images

1. A method for executing a client-server application on a mobile device, comprising:

receiving from a server a script for execution on the mobile devicereceiving a digital certificate issued to the server;

verifying the digital certificate and confirming that the script has not been modified since the digital certificate was created; and

enabling the script to access a resource identified in the digital certificate used to verify the script.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Devices and methods use digital certificates and digital signatures to enable computing devices, such as mobile devices, to trust a server attempting to access a resource on the computing device. The server may present the computing device with a digital certificate issued by a trusted third party which includes information so that the computing device can determine which resources the server should be trusted to access. The computing device can determine that the digital certificate was issued by a trusted third party by examining the chain of digital certificates that may link the server with an inherently trusted authority.

Citations

64 Claims

1. A method for executing a client-server application on a mobile device, comprising:
- receiving from a server a script for execution on the mobile devicereceiving a digital certificate issued to the server;
  
  verifying the digital certificate and confirming that the script has not been modified since the digital certificate was created; and
  
  enabling the script to access a resource identified in the digital certificate used to verify the script.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising receiving a digital signature for the script comprising an encrypted first fingerprint of the script,wherein the step of verifying the digital certificate and confirming that the script has not been modified comprises:
    - determining that the digital certificate was issued to the server by a trusted third party;
      
      determining a public key of the server from the digital certificate;
      
      decrypting the encrypted fingerprint using a public key of the server;
      
      generating a second fingerprint of the script; and
      
      comparing the value of the first fingerprint to the value of the second fingerprint.
  - 3. The method of claim 1, further comprising determining whether the script should be granted access to the resource by verifying from the digital certificate that a trusted third party has granted the server access to the resource or a class of resources containing the resource.
  - 4. The method of claim 1, further comprising requesting a service from the server, wherein the received script was generated at the server in response to the request for the service.
  - 5. The method of claim 2, wherein determining that the digital certificate was issued to the server by a trusted third party comprises determining that the digital certificate was issued to the server by a certificate authority that is inherently trusted.
  - 6. The method of claim 2, wherein determining that the digital certificate was issued to the server by a trusted third party comprises determining that the digital certificate was issued to the server by a certificate authority that is linked to an inherently trusted certificate authority by a chain of digital certificates.
  - 7. The method of claim 1, further comprising:
    - requesting a digital signature for the script from the server; and
      
      receiving a digital signature for the script in response to the request for the digital signature.
  - 8. The method of claim 1, further comprising:
    - requesting a digital signature for the script from a trusted third party; and
      
      receiving a digital signature for the script in response to the request for the digital signature.
  - 9. The method of claim 1, further comprising:
    - determining whether the server has been granted permission to access the requested resource based on the digital certificate issued to the server; and
      
      enabling the script to access the resources only if the server has been granted permission to access the requested resource.
  - 10. The method of claim 1, further comprising:
    - requesting a digital signature for the server from the server;
      
      receiving a digital signature for the server;
      
      determining from the digital signature for the server whether the server has access to the requested resource, and enabling the script to access the resources only if the server has access to the requested resource.
  - 11. The method of claim 1, further comprising:
    - requesting a digital signature for the server from a trusted third party;
      
      receiving a digital signature for the server;
      
      determining from the digital signature for the server whether the server has access to the requested resource, and enabling the script to access the resources only if the server has access to the requested resource.
  - 12. The method of claim 1, further comprising:
    - determining whether the script has access to the requested resource, and enabling the script to access the resources only if the script has access to the requested resource.
  - 13. The method of claim 1, further comprising:
    - limiting permissions granted to the script based upon information within the script, ; and
      
      enabling the script to access the requested resource only if the requested resource is encompassed within the limited permissions.
  - 14. The method of claim 1, further comprising:
    - receiving a user input designating a server or server content to be trusted;
      
      determining if the script was received from a server or is server content designated by the user input as to be trusted; and
      
      enabling the script to access the resource if the script was received from a server or is server content designated by the user input as to be trusted

15. A mobile device, comprising:
- a processor;
  
  a transceiver coupled to the processor;
  
  a memory coupled to the processor;
  
  wherein the processor is configured with software instructions to perform steps comprising;
  
  receiving from a server a script for execution on the mobile devicereceiving a digital certificate issued to the server;
  
  verifying the digital certificate and confirming that the script has not been modified since the digital certificate was created; and
  
  enabling the script to access a resource only if the digital certificate is verified and the script has not been modified.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The mobile device of claim 15, wherein the processor is configured with software instructions to perform further steps comprising:
    - receiving a digital signature for the script in the form of an encrypted first fingerprint of the script;
      
      verifying the digital certificate and confirming that the script has not been modified since the digital certificate was created by performing steps comprising;
      
      determining that the digital certificate was issued to the server by a trusted third party;
      
      determining a public key of the server from the digital certificate;
      
      decrypting the encrypted fingerprint using a public key of the server;
      
      generating a second fingerprint of the script; and
      
      comparing the value of the first fingerprint to the value of the second fingerprint.
  - 17. The mobile device of claim 15, wherein the processor is configured with software instructions to perform further steps comprising determining whether the script should be granted access to the resource by verifying from the digital certificate that a trusted third party has granted the server access to the resource or a class of resources containing the resource.
  - 18. The mobile device of claim 15, wherein the processor is configured with software instructions to perform further steps comprising requesting a service from the server, wherein the received script was generated at the server in response to the request for the service.
  - 19. The mobile device of claim 16, wherein the processor is configured with software instructions to perform further steps comprising determining that the digital certificate was issued to the server by a certificate authority that is inherently trusted.
  - 20. The mobile device of claim 16, wherein the processor is configured with software instructions to perform further steps comprising determining that the digital certificate was issued to the server by a certificate authority that is linked to an inherently trusted certificate authority by a chain of digital certificates.
  - 21. The mobile device of claim 15, wherein the processor is configured with software instructions to perform further steps comprising:
    - requesting a digital signature for the script from the server; and
      
      receiving a digital signature for the script in response to the request for the digital signature.
  - 22. The mobile device of claim 15, wherein the processor is configured with software instructions to perform further steps comprising:
    - requesting a digital signature for the script from a trusted third party; and
      
      receiving a digital signature for the script in response to the request for the digital signature.
  - 23. The mobile device of claim 15, wherein the processor is configured with software instructions to perform further steps comprising:
    - determining whether the server has been granted permission to access the requested resource based on the digital certificate issued to the server; and
      
      enabling the script to access the resources only if the server has been granted permission to access the requested resource.
  - 24. The mobile device of claim 15, wherein the processor is configured with software instructions to perform further steps comprising:
    - requesting a digital signature for the server from the server;
      
      receiving a digital signature for the server;
      
      determining from the digital signature for the server whether the server has access to the requested resource; and
      
      enabling the script to access the resources only if the server has access to the requested resource.
  - 25. The mobile device of claim 15, wherein the processor is configured with software instructions to perform further steps comprising:
    - requesting a digital signature for the server from a trusted third party;
      
      receiving a digital signature for the server;
      
      determining from the digital signature for the server whether the server has access to the requested resource; and
      
      enabling the script to access the resources only if the server has access to the requested resource.
  - 26. The mobile device of claim 15, wherein the processor is configured with software instructions to perform further steps comprising:
    - determining whether the script has access to the requested resource; and
      
      enabling the script to access the resources only if the script has access to the requested resource.
  - 27. The mobile device of claim 15, wherein the processor is configured with software instructions to perform further steps comprising:
    - limiting permissions granted to the script based upon information within the script; and
      
      enabling the script to access the requested resource only if the requested resource is encompassed within the limited permissions.
  - 28. The mobile device of claim 15, wherein the processor is configured with software instructions to perform further steps comprising:
    - receiving a user input designating a server or server content to be trusted;
      
      determining if the script was received from a server or is server content designated by the user input as to be trusted; and
      
      enabling the script to access the resource if the script was received from a server or is server content designated by the user input as to be trusted.

29. A tangible storage medium having stored thereon processor-executable software instructions configured to cause a processor to perform steps comprising:
- receiving from a server a script for execution on a mobile devicereceiving a digital certificate issued to the server;
  
  verifying the digital certificate and confirming that the script has not been modified since the digital certificate was created; and
  
  enabling the script to access a resource only if the digital certificate is verified and the script has not been modified.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 30. The tangible storage medium of claim 29, wherein the processor-executable software instructions stored thereon are further configured to cause a processor to perform steps comprising:
    - receiving a digital signature for the script in the form of an encrypted first fingerprint of the script; and
      
      verifying the digital certificate and confirming that the script has not been modified since the digital certificate was created by performing steps comprising;
      
      determining that the digital certificate was issued to the server by a trusted third party;
      
      determining a public key of the server from the digital certificate;
      
      decrypting the encrypted fingerprint using a public key of the server;
      
      generating a second fingerprint of the script; and
      
      comparing the value of the first fingerprint to the value of the second fingerprint.
  - 31. The tangible storage medium of claim 29, wherein the processor-executable software instructions stored thereon are further configured to cause a processor to perform steps comprising determining whether the script should be granted access to the resource by verifying from the digital certificate that a trusted third party has granted the server access to the resource or a class of resources containing the resource.
  - 32. The tangible storage medium of claim 29, wherein the processor-executable software instructions stored thereon are further configured to cause a processor to perform steps comprising requesting a service from the server, wherein the received script was generated at the server in response to the request for the service.
  - 33. The tangible storage medium of claim 30, wherein the processor-executable software instructions stored thereon are further configured to cause a processor to perform steps comprising determining that the digital certificate was issued to the server by a certificate authority that is inherently trusted.
  - 34. The tangible storage medium of claim 30, wherein the processor-executable software instructions stored thereon are further configured to cause a processor to perform steps comprising determining that the digital certificate was issued to the server by a certificate authority that is linked to an inherently trusted certificate authority by a chain of digital certificates.
  - 35. The tangible storage medium of claim 29, wherein the processor-executable software instructions stored thereon are further configured to cause a processor to perform steps comprising:
    - requesting a digital signature for the script from the server; and
      
      receiving a digital signature for the script in response to the request for the digital signature.
  - 36. The tangible storage medium of claim 29, wherein the processor-executable software instructions stored thereon are further configured to cause a processor to perform steps comprising:
    - requesting a digital signature for the script from a trusted third party; and
      
      receiving the digital signature for the script.
  - 37. The tangible storage medium of claim 29, wherein the processor-executable software instructions stored thereon are further configured to cause a processor to perform steps comprising:
    - determining whether the server has been granted permission to access the requested resource based on the digital certificate issued to the server; and
      
      enabling the script to access the resources only if the server has been granted permission to access the requested resource.
  - 38. The tangible storage medium of claim 29, wherein the processor-executable software instructions stored thereon are further configured to cause a processor to perform steps comprising:
    - requesting a digital signature for the server from the server;
      
      receiving a digital signature for the server;
      
      determining from the digital signature for the server whether the server has access to the requested resource; and
      
      enabling the script to access the resources only if the server has access to the requested resource.
  - 39. The tangible storage medium of claim 29, wherein the processor-executable software instructions stored thereon are further configured to cause a processor to perform steps comprising:
    - requesting a digital signature for the server from a trusted third party;
      
      receiving a digital signature for the server;
      
      determining from the digital signature for the server whether the server has access to the requested resource; and
      
      enabling the script to access the resources only if the server has access to the requested resource.
  - 40. The tangible storage medium of claim 29, wherein the processor-executable software instructions stored thereon are further configured to cause a processor to perform steps comprising:
    - determining whether the script has access to the requested resource; and
      
      enabling the script to access the resources only if the script has access to the requested resource.
  - 41. The tangible storage medium of claim 29, wherein the processor-executable software instructions stored thereon are further configured to cause a processor to perform steps comprising:
    - limiting permissions granted to the script based upon information within the script; and
      
      enabling the script to access the requested resource only if the requested resource is encompassed within the limited permissions.
  - 42. The tangible storage medium of claim 29, wherein the processor-executable software instructions stored thereon are further configured to cause a processor to perform steps comprising:
    - receiving a user input designating a server or server content to be trusted;
      
      determining if the script was received from a server or is server content designated by the user input as to be trusted; and
      
      enabling the script to access the if the script was received from a server or is server content designated by the user input as to be trusted.

43. A mobile device, comprising:
- means for receiving from a server a script for execution on the mobile devicemeans for receiving a digital certificate issued to the server;
  
  means for verifying the digital certificate and confirming that the script has not been modified since the digital certificate was created; and
  
  means for enabling the script to access a resource only if the digital certificate is verified and the script has not been modified.
- View Dependent Claims (44, 45, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57)
- - 44. The mobile device of claim 43, further comprising means for receiving a digital signature for the script in the form of an encrypted first fingerprint of the script;
    - andwherein means for verifying the digital certificate and confirming that the script has not been modified comprises;
      
      means for determining that the digital certificate was issued to the server by a trusted third party;
      
      means for determining a public key of the server from the digital certificate;
      
      means for decrypting the encrypted fingerprint using a public key of the server;
      
      means for generating a second fingerprint of the script; and
      
      means for comparing the value of the first fingerprint to the value of the second fingerprint.
  - 45. The mobile device of claim 43, further comprising means for determining whether the script should be granted access to the resource by verifying from the digital certificate that a trusted third party has granted the server access to the resource or a class of resources containing the resource.
  - 47. The mobile device of claim 43, further comprising means for requesting a service from the server, wherein the received script was generated at the server in response to the request for the service.
  - 48. The mobile device of claim 45, wherein means for determining that the digital certificate was issued to the server by a trusted third party comprises means for determining that the digital certificate was issued to the server by a certificate authority that is inherently trusted.
  - 49. The mobile device of claim 45, wherein means for determining that the digital certificate was issued to the server by a trusted third party comprises means for determining that the digital certificate was issued to the server by a certificate authority that is linked to an inherently trusted certificate authority by a chain of digital certificates.
  - 50. The mobile device of claim 44, further comprising:
    - means for requesting a digital signature for the script from the server; and
      
      means for receiving the digital signature.
  - 51. The mobile device of claim 44, further comprising:
    - means for requesting a digital signature for the script from a trusted third party; and
      
      means for receiving the digital signature.
  - 52. The mobile device of claim 44, further comprising:
    - means for determining whether the server has been granted permission to access the requested resource based on the digital certificate issued to the server; and
      
      means for enabling the script to access the resources only if the server has been granted permission to access the requested resource.
  - 53. The mobile device of claim 44, further comprising:
    - means for requesting a digital signature for the server from the server;
      
      means for receiving a digital signature for the server;
      
      means for determining from the digital signature for the server whether the server has access to the requested resource; and
      
      means for enabling the script to access the resources only if the server has access to the requested resource.
  - 54. The mobile device of claim 44, further comprising:
    - means for requesting a digital signature for the server from a trusted third party;
      
      means for receiving a digital signature for the server;
      
      means for determining from the digital signature for the server whether the server has access to the requested resource; and
      
      means for enabling the script to access the resources only if the server has access to the requested resource.
  - 55. The mobile device of claim 44, further comprising:
    - means for determining whether the script has access to the requested resource; and
      
      means for enabling the script to access the resources only if the script has access to the requested resource.
  - 56. The mobile device of claim 44, further comprising:
    - means for limiting permissions granted to the script based upon information within the script; and
      
      means for enabling the script to access the requested resource only if the requested resource is encompassed within the limited permissions.
  - 57. The mobile device of claim 44, further comprising:
    - means for receiving a user input designating a server or server content to be trusted;
      
      means for determining if the script was received from a server or is server content designated by the user input as to be trusted; and
      
      means for enabling the script to access the if the script was received from a server or is server content designated by the user input as to be trusted.

58. A method for executing a client-server application on a mobile device, comprising:
- receiving from a server a script for execution on the mobile device;
  
  verifying that the server from which the script was obtained is named in a certificate;
  
  determining which permissions have been granted to the server according to the contents of the certificate; and
  
  enabling the script to access a protected resource only when an associated permission has been granted to the server from which the script was obtained.
- View Dependent Claims (59, 60)
- - 59. The method of claim 58, wherein the certificate naming the server is pre-configured in the mobile device.
  - 60. The mobile device of claim 59, wherein the certificate naming the server is pre-configured in the mobile device.

59-1. A mobile device, comprising:
- a processor;
  
  a transceiver coupled to the processor;
  
  a memory coupled to the processor;
  
  wherein the processor is configured with software instructions to perform steps comprising;
  
  receiving from a server a script for execution on the mobile device;
  
  verifying that the server from which the script was obtained is named in a certificate;
  
  determining which permissions have been granted to the server according to the contents of the certificate; and
  
  enabling the script to access a protected resource only when an associated permission has been granted to the server from which the script was obtained.

61. A tangible storage medium having stored thereon processor-executable software instructions configured to cause a processor to perform steps comprising:
- receiving from a server a script for execution on the mobile device;
  
  verifying that the server from which the script was obtained is named in a certificate;
  
  determining which permissions have been granted to the server according to the contents of the certificate; and
  
  enabling the script to access a protected resource only when an associated permission has been granted to the server from which the script was obtained.
- View Dependent Claims (62)
- - 62. The tangible storage medium of claim 61, wherein the certificate naming the server is pre-configured in the mobile device.

63. A mobile device, comprising:
- means for receiving from a server a script for execution on the mobile device;
  
  means for verifying that the server from which the script was obtained is named in a certificate;
  
  means for determining which permissions have been granted to the server according to the contents of the certificate; and
  
  means for enabling the script to access a protected resource only when an associated permission has been granted to the server from which the script was obtained.
- View Dependent Claims (64)
- - 64. The mobile device of claim 63, wherein the certificate naming the server is pre-configured in the mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
KELLEY, Brian H.

Granted Patent

US 8,788,809 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/157
CPC Class Codes

G06F 21/445 by mutual authentication, e...

G06F 21/51 at application loading time...

METHOD AND APPARATUS TO CREATE A SECURE WEB-BROWSING ENVIRONMENT WITH PRIVILEGE SIGNING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

64 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS TO CREATE A SECURE WEB-BROWSING ENVIRONMENT WITH PRIVILEGE SIGNING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

64 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links