Method and apparatus for controlling application access to limited access based data

US 6,470,450 B1
Filed: 12/23/1998
Issued: 10/22/2002
Est. Priority Date: 12/23/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for controlling application access to limited access based data comprising the steps of:

generating application registration data containing at least application identification data and corresponding unique application verification data wherein the unique application verification data is based on executable file data; and

determining application access to the limited access based data, based on the application identification data and the unique application verification data.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An application registration data generator, on a per application basis, generates application registration data that contains at least application identification data, such as, the name of a software application or a pathname to a software application, and stored unique application verification data that is based on executable file data. A data access determinator determines whether a calling application should be allowed access to the limited access based data by, for example, computing a hash value of the executable file and checking whether this hash value matches the corresponding stored unique application verification data. If there is a match, the application is granted access to the user'"'"'s cryptographic parameters, privilege data, or other limited access based data on a per application basis.

143 Citations

44 Claims

1. A method for controlling application access to limited access based data comprising the steps of:
- generating application registration data containing at least application identification data and corresponding unique application verification data wherein the unique application verification data is based on executable file data; and
  
  determining application access to the limited access based data, based on the application identification data and the unique application verification data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 including the step of granting application access to the limited access based data based on the application identification data and unique verification data contained in the application registration data.
  - 3. The method of claim 1 wherein the limited access data includes security parameter data used in a cryptographic operation.
  - 4. The method of claim 3 wherein the security parameter data includes cryptographic key data.
  - 5. The method of claim 1 wherein the application registration data further includes location data allowing determination of where the executable file data is located in memory.
  - 6. The method of claim 4 wherein the cryptographic key data includes at least one of a private signing key and a private decryption key.
  - 7. The method of claim 3 wherein the application registration data includes data representing approved applications that are allowed access to the limited access based data.
  - 8. The method of claim 1 including the step of applying digital signature data of a trusted authority to the application registration data.
  - 9. The method of claim 1 wherein the unique application verification data is a function of the executable file data.
  - 10. The method of claim 9 wherein the unique application verification data is derived at least in part by applying a hash function to at least a portion of the executable file data.
  - 11. The method of claim 10 wherein the step of determining application access includes:
    - computing a hash value of at least a portion of executable file data associated with a calling application; and
      
      comparing the computed hash value with the unique application verification data in the application registration data.
  - 12. The method of claim 10 wherein the step of determining application access includes:
    - comparing a location of the executable file data with a location of approved executable file data indicated by the application registration data.
  - 13. The method of claim 10 wherein the step of determining application access includes:
    - computing a hash value of at least a portion of executable file data associated with a calling application;
      
      providing the computed hash value to an output interface; and
      
      receiving a response through an input interface.
  - 14. The method of claim 1 including the steps of:
15. The method of claim 14 including the step of updating a hash list of approved applications based on the response.

16. An apparatus for controlling application access to limited access based data comprising:
- an application registration data generator that generates application registration data containing at least application identification data and corresponding unique application verification data wherein the unique application verification data is based on executable file data; and
  
  a data access determinator, operatively responsive to the application identification data and the unique application verification data to determine application access to the limited access based data.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 17. The apparatus of claim 16 wherein the data access determinator grants application access to the limited access based data based on the application data and unique verification data contained in the application registration data.
  - 18. The apparatus of claim 16 wherein the limited access data includes security parameter data used in a cryptographic operation.
  - 19. The apparatus of claim 18 wherein the security parameter data includes cryptographic key data.
  - 20. The apparatus of claim 16 wherein the application identification data further includes location data allowing determination of where the executable file data is located in memory.
  - 21. The apparatus of claim 19 wherein the cryptographic key data includes at least one of a private signing key and a decryption key.
  - 22. The apparatus of claim 18 wherein the application registration data includes data representing approved applications that are allowed access to the limited access based data.
  - 23. The apparatus of claim 16 including a digital signature generator that applies digital signature data of a trusted authority to the application registration data.
  - 24. The apparatus of claim 16 wherein the application data generator generates a digital representation of a plurality of executable applications by using a hash function on executable file data corresponding to a plurality of calling applications.
  - 25. The apparatus of claim 16 wherein the unique application verification data is a function of the executable file data.
  - 26. The apparatus of claim 25 wherein the data access determinator computes a hash value of executable file data associated with a calling application, and compares the computed hash value with the unique application verification data in the application registration data to determine whether access should be granted to a calling application, to the limited access data.
  - 27. The apparatus of claim 25 wherein the data access determinator compares a location of the executable file data with a location of approved executable file data indicated by the application registration data.
  - 28. The apparatus of claim 27 including an output interface that outputs the computed hash value and an input interface operative to receive a response indicating whether the computed hash value is part of approved application registration data.

29. A storage medium comprising:
- first memory containing data representing executable instructions that cause a processing device to generate application registration data containing at least application identification data and corresponding unique application verification data wherein the unique application verification data is based on executable file data; and
  
  second memory containing data representing executable instructions that cause a processing device to determine application access to the limited access based data, based on the application identification data and the unique application verification data.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 30. The storage medium of claim 29 including data representing executable instructions that cause a processing device to grant application access to the limited access based data based on the application data and unique verification data contained in the application registration data wherein the limited access data includes security parameter data used in a cryptographic operation.
  - 31. The storage medium of claim 30 wherein the application registration data further includes location data allowing determination of where the executable file data is located in memory.
  - 32. The storage medium of claim 30 wherein the limited access data includes cryptographic key data including at least one of a private signing key and a private decryption key.
  - 33. The storage medium of claim 30 wherein the application registration data includes data representing approved applications that are allowed access to the limited access based data.
  - 34. The storage medium of claim 30 including data representing executable instructions that cause a processing device to apply digital signature data of a trusted authority to the application registration data.
  - 35. The storage medium of claim 30 including data representing executable instructions that cause a processing device to derive the unique application verification data at least in part by applying a hash function to at least a portion of the executable file data.
  - 36. The storage medium of claim 30 including data representing executable instructions that cause a processing device to compute a hash value of at least a portion of executable file data associated with a calling application;
    - and comparing the computed hash value with the unique application verification data in the application registration data.
  - 37. The storage medium of claim 30 including data representing executable instructions that cause a processing device to compare a location of the executable file data with a location of approved executable file data indicated by the application registration data.
  - 38. The storage medium of claim 30 including data representing executable instructions that cause a processing device to generate an approval request signal to solicit approval of a calling application;
    - await a response; and
      
      grant or deny access to the limited access data based on the response.
  - 39. The storage medium of claim 30 including data representing executable instructions that cause a processing device to update a hash list of approved applications based on the response.

40. A method for controlling application access to limited access based data comprising the steps of:
- obtaining application registration data containing at least application identification data and corresponding unique application verification data wherein the unique application verification data is based on executable file data; and
  
  determining application access to the limited access based data, based on the application identification data and the unique application verification data.
- View Dependent Claims (41, 42, 43, 44)
- - 41. The method of claim 40 including the step of granting application access to the limited access based data based on the application data and unique verification data contained in the application registration data wherein the limited access data includes security parameter data used in a cryptographic operation.
  - 42. The method of claim 41 wherein the security parameter data includes cryptographic key data including at least one of a private signing key and a private decryption key.
  - 43. The method of claim 40 wherein the step of determining application access includes:
    - computing a hash value of at least a portion of executable file data associated with a calling application; and
      
      comparing the computed hash value with the unique application verification data in the application registration data.
  - 44. The method of claim 40 wherein the step of determining application access includes:
    - comparing a location of the executable file data with a location of approved executable file data indicated by the application registration data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Corp.
Original Assignee
Entrust Technologies Limited
Inventors
Langford, Glenn C., Vandergeest, Ronald J.
Primary Examiner(s)
Smithers, Matthew

Application Number

US09/220,247
Time in Patent Office

1,399 Days
Field of Search

713/182, 713/187, 713/188, 713/193, 713/194, 713/155, 713/164, 713/165, 713/167
US Class Current

713/182
CPC Class Codes

G06F 21/602 Providing cryptographic fac...

Method and apparatus for controlling application access to limited access based data

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

143 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for controlling application access to limited access based data

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

143 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links