Module authentication and binding library extensions
9 Assignments
0 Petitions
Abstract
An apparatus, system, and method to provide an initial and an on-going authentication mechanism with which two executable entities may unilaterally or bilaterally authenticate the identity, origin, and integrity of each other. In one instance, the authentication mechanisms are implemented within a dynamically loaded, modular, cryptographic system. The initial authentication mechanism may include digitally signed challenge and possibly encrypted response constructs that are alternately passed between the authenticating and authenticated executable entities. A chain of certificates signed and verified with the use of asymmetric key pairs may also be part of the initial authentication mechanism. Representative asymmetric key pairs include a run-time key pair, a per-instance key pair, and a certifying authority master key pair. The on-going authentication mechanism may include a nonce variable having a state associated therewith. The state may be both time and incidence varying and may be combined in an obfuscating or encrypted manner into data passed between the executable entities. The initial and ongoing authentication mechanisms may have instances implemented without the use of export-regulated cryptography.
242 Citations
20 Claims
1. An apparatus on a computer readable medium for effecting secure communications between executable entities in a computer system having a processor and a memory device operably connected thereto for storing executable data structures and operational data structures associated therewith, comprising:
a first executable entity loadable by the processor to perform a first function, the first executable entity being provided with a first authentication module, the first authentication module holding a property uniquely identifying the first executable entity;
a second executable entity loadable by the processor independent of the first executable entity to perform a second function and provided with a second authentication module, the second authentication module executable by a processor and adapted for communication with the first authentication module to verify the holding of the property by the first authentication module; and
a binding module for establishing a communication link between the first and second executable entities in response to a verification by the second authentication module of the holding of the property by the first authentication module, and wherein the binding module includes a binding structure used for a non-authenticated communication link for access to non-authenticated resources and a privileged communication link for access to privileged resources.
a. the second authentication module is adapted for the creation of a challenge construct that is passed from the second authentication module to the first authentication module and that contains a randomly generated property therein; and
b. the first authentication module is adapted for the creation of a response construct that is passed from the first authentication module to the second authentication module in response to the receipt of the challenge construct, the response construct including therein the challenge construct and a digital signature uniquely identifying the first executable entity to the second executable entity.
8. The apparatus of claim 1, further comprising a chain of certificates passed between the first and second authentication modules, and wherein the property uniquely identifying the second executable entity is contained within the chain of certificates.
9. The apparatus of claim 1, wherein:
the second authentication module holds a property uniquely identifying the second executable entity; and
the first authentication module is adapted for communication with the second authentication module to verify the holding of the property by the second authentication module.
10. The apparatus of claim 1, wherein the property uniquely identifying the first executable entity is incorporated within the first authentication module in an obfuscated form.
11. A method for effecting secure communications between executable entities in a computer system having a memory and a processor, comprising:
providing a first executable entity executable by the processor to perform a first function and holding a property capable of uniquely identifying the first executable entity;
providing a second executable entity, executable by the processor to perform a second function;
communicating a request for authentication from the second executable entity to the first executable entity;
communicating the holding of the property from the first executable entity to the second executable entity in response to the request for authentication;
authenticating the first executable entity to the second executable entity by the second authenticating module verifying the holding of the property by the first executable entity; and
forming a binding between the first and second executable entities at least partially in response to authenticating the first executable entity to the second executable entity, the binding enabling further communication between the first and second executable entities, and wherein the binding is adapted to identify general non-authenticated communication for access to non-authenticated resources and privilege communication for access to privilege communication.
passing a variable between the first and second executable entities during an initial interaction of the first and second executable entities; and
allowing the dynamic relational binding to continue to exist subject to the second executable entity verifying a proper state of the variable during each of the plurality of successive interactions between the first and second executable entities.
14. The method of claim 13, wherein the state of the variable varies according to a number of occurrences of the successive interactions between the first and second executable entities.
15. The method of claim 11, wherein authenticating the first executable entity to the second executable entity further comprises:
passing a challenge construct from the second executable entity to the first executable entity; and
passing a response construct from the first executable entity to the second executable entity, the response construct comprising the challenge construct and a digital signature.
16. The method of claim 11, wherein authenticating the first executable entity to the second executable entity comprises passing a chain of public keys from the first executable entity to the second executable entity.
17. The method of claim 11, further comprising sharing cryptographic services between the first and second executable entities only after authenticating the first executable entity to the second executable entity.
18. The method of claim 11, further comprising authenticating the second executable entity to the first executable entity by recognizing by the first executable entity a property uniquely identifying the second executable entity.
19. The method of claim 18, further comprising authenticating of the second executable entity to the first executable entity during each of a plurality of successive interactions between the first and second executable entities.
20. A computer memory storing therein computer instructions capable of creating within a processor executable data structures and operational data structures associated therewith, the executable and operational data structures comprising:
a first executable entity adapted to perform a first function within the processor;
a second executable entity adapted to perform a second function within the processor;
a resource allocation module associated with the first executable entity adapted to allow a resource to be shared between the second executable entities only after an authentication of the first executable entity by the second executable entity; and
an on-going authentication mechanism adapted to authenticate the first executable to the second executable entity during each of a plurality of successive interactions between the first and second executable entities, and wherein the on-going authentication mechanism maintains a state associated with each of the plurality of successive interactions.
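The following is an added illustration of the mechanism the abstract and claims 1, 11, 13 and 20 describe, not code from the patent: a random challenge answered by a signed response that echoes it, a binding formed only after verification, a non-authenticated link that skips the check, and a privileged link whose every use must carry the incidence-varying nonce state or the binding is torn down. It assumes HMAC-SHA256 standing in for the asymmetric digital signature and a trusted-key table standing in for the certificate chain; the class and function names are hypothetical.

```python
import hashlib, hmac, secrets

class AuthModule:
    """Authentication module of one executable entity (hypothetical; HMAC stands in for signatures)."""
    def __init__(self, entity_id, signing_key):
        self.entity_id, self._signing_key = entity_id, signing_key
        self.nonce, self.count = None, 0  # on-going authentication state, set when bound

    def sign(self, data):
        return hmac.new(self._signing_key, data, hashlib.sha256).digest()

    def next_state(self):
        """Incidence-varying nonce state sent along with each privileged interaction."""
        state = hashlib.sha256(self.nonce + self.count.to_bytes(4, "big")).digest()
        self.count += 1
        return state

class Binding:
    """Link formed after initial authentication; privileged use re-verifies the nonce state."""
    def __init__(self, nonce):
        self.nonce, self.count, self.alive = nonce, 0, True

    def request(self, resource, privileged=False, state=None):
        if not privileged:
            return "non-authenticated access to " + resource  # no state check on this link
        expected = hashlib.sha256(self.nonce + self.count.to_bytes(4, "big")).digest()
        if not self.alive or state is None or not hmac.compare_digest(state, expected):
            self.alive = False  # a wrong or replayed state tears the binding down
            return "binding revoked"
        self.count += 1
        return "privileged access to " + resource

def bind(prover, trusted_keys):
    """Initial authentication by the verifying entity: random challenge, signed response."""
    challenge = secrets.token_bytes(16)                 # randomly generated property
    signed = challenge + prover.entity_id.encode()
    response = challenge + prover.sign(signed)          # response echoes the challenge
    echoed, sig = response[:16], response[16:]
    key = trusted_keys.get(prover.entity_id)            # stands in for the certificate chain
    if echoed != challenge or key is None:
        return None
    if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig):
        return None
    binding = Binding(secrets.token_bytes(16))          # nonce variable of the initial interaction
    prover.nonce, prover.count = binding.nonce, 0       # both sides now track the same state
    return binding
```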
Specification