Enabling content security in a distributed system

US 7,685,416 B2
Filed: 04/19/2007
Issued: 03/23/2010
Est. Priority Date: 12/12/2001
Status: Active Grant

First Claim

Patent Images

1. A system for securing content over a network, comprising:

a client device configured and arranged to receive content, comprising;

a memory component that is arranged for temporal content storage; and

a permanent-memory based storage component that is arranged for non-temporal content storage; and

a secure content manager that is configured to perform actions, including;

receiving a first portion of content of an application that is tagged to be exclusively memory resident at the memory component of the client device;

receiving a second portion of the content of the application that is untagged, such that the second portion is enabled to be stored on the client device'"'"'s permanent-memory based storage component;

receiving a request for the content from the client device, wherein the request includes an authenticator associated with the client device, the authenticator determining if the client is authentic by;

determining a remote address and a local address associated with the client device,concatenating the determined remote address and the local address,determining a digest based on the concatenation,determining a timestamp based on the digest and the authenticator, andemploying the timestamp to determine whether the client device is authentic;

if the client device is authentic based, in part, on the authenticator;

providing, over the network, at least the first portion of the content and the second portion of the content to the client device, wherein the first portion of the content is exclusively memory resident at the memory component on the client device, and the second portion of the content is storable on the client device'"'"'s permanent-memory based storage component;

receiving, in response to a change in the content, another request from the client device for another portion of the content that is required for continued execution of the application at the client device; and

providing, over the network, the other portion of the content to the client device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system are directed towards enabling content security in a distributed environment. The system includes a data store for content associated with an application that may be tagged as exclusively memory resident at a client. The content may also be encrypted and digitally signed. When an authenticated client requests the content, it is provided at a constrained rate that enables a portion of the content to start execution on the client before the application associated with the content is completely downloaded. Additional portions of the content are provided to the client when the additional portions are required for execution by the application.

Citations

18 Claims

1. A system for securing content over a network, comprising:
- a client device configured and arranged to receive content, comprising;
  
  a memory component that is arranged for temporal content storage; and
  
  a permanent-memory based storage component that is arranged for non-temporal content storage; and
  
  a secure content manager that is configured to perform actions, including;
  
  receiving a first portion of content of an application that is tagged to be exclusively memory resident at the memory component of the client device;
  
  receiving a second portion of the content of the application that is untagged, such that the second portion is enabled to be stored on the client device'"'"'s permanent-memory based storage component;
  
  receiving a request for the content from the client device, wherein the request includes an authenticator associated with the client device, the authenticator determining if the client is authentic by;
  
  determining a remote address and a local address associated with the client device,concatenating the determined remote address and the local address,determining a digest based on the concatenation,determining a timestamp based on the digest and the authenticator, andemploying the timestamp to determine whether the client device is authentic;
  
  if the client device is authentic based, in part, on the authenticator;
  
  providing, over the network, at least the first portion of the content and the second portion of the content to the client device, wherein the first portion of the content is exclusively memory resident at the memory component on the client device, and the second portion of the content is storable on the client device'"'"'s permanent-memory based storage component;
  
  receiving, in response to a change in the content, another request from the client device for another portion of the content that is required for continued execution of the application at the client device; and
  
  providing, over the network, the other portion of the content to the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein if the client device is authentic further comprises:
    - employing at least one IP address associated with the client device to determine a digest;
      
      combining the authenticator with the digest to generate a timestamp; and
      
      examining a value of the timestamp to determine whether the value is within a window of time.
  - 3. The system of claim 1, wherein an executable third portion of content associated with an application is absent from the client during execution of the application on the client device.
  - 4. The system of claim 1, wherein the secure content manager is configured to perform actions, further including:
    - receiving at least one of the client device'"'"'s local address, or the client device'"'"'s remote IP addresses from other than the client device.
  - 5. The system of claim 1, wherein the first portion of content is further configured to be purged from the memory component of the client device upon a completion of execution of the first portion.
  - 6. The system of claim 1, wherein if the client device is authentic further comprises:
    - performing a request for a first remote address associated with the client device;
      
      examining a packet header associated with the request for content to determine a second remote address; and
      
      determining, in part, that the client device is authentic if the first remote address and the second remote address match.
  - 7. The system of claim 1, wherein if the client device is authentic further comprises:
    - receiving a content ticket associated with the request for content;
      
      invalidating access to the requested content if at least one of the following conditions exists;
      
      a time allocated to the content ticket is expired, the content ticket is revoked, or content ticket fails to grant access rights to the requested content.

8. A method of securing content over a network, comprising:
- tagging a first portion of content to be exclusively memory resident at a memory component arranged for temporal content storage at a client device;
  
  determining a second portion of the content to be untagged, such that the second portion is enabled to be stored on the client device'"'"'s permanent data store device;
  
  receiving a request for the content from the client device, wherein the request includes an authenticator associated with the client device;
  
  determining if the client device is authentic based on the authenticator; and
  
  if the client device is authentic, providing, over the network, at least the first portion of the content and the second portion of the content to the client device, wherein the first portion of the content is loaded exclusively as memory resident on the memory component of the client device, and the second portion of the content is loaded on the client device'"'"'s permanent data store device,wherein determining if the client is authentic further comprises;
  
  determining a remote address and a local address associated with the client device;
  
  concatenating the determined remote address and the local address;
  
  determining a digest based on the concatenation;
  
  determining a timestamp based on the digest and the authenticator; and
  
  employing the timestamp to determine whether the client device is authentic.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the client device'"'"'s permanent data store device comprises at least one of a hard disk, floppy disk, CD, tape, or DVD.
  - 10. The method of claim 8, wherein the first portion of content is further configured to be purged from the memory component of the client device upon a completion of execution of the first portion.
  - 11. The method of claim 8, further comprising:
    - receiving a content ticket associated with the request for content; and
      
      inhibiting access to the requested content if at least one of the following is valid;
      
      a time allotted to the content ticket is expired, the content ticket is revoked, or the content ticket fails to include information granting access rights to the client device for the requested content.
  - 12. The method of claim 8, wherein the request for content further comprises:
    - receiving a content ticket that includes at least one of a client device'"'"'s local address, client device'"'"'s remote address, or a session key.
  - 13. The method of claim 8, wherein receiving the request for content further comprises:
    - receiving a content ticket having a client readable portion, a server readable portion and a modified authenticator.
  - 14. A computer-readable storage medium having executable instructions for performing the method of claim 8.

15. An apparatus for securing content over a network, comprising:
- memory for storing data and instructions; and
  
  a processor that includes instructions for executing the instructions to perform actions, including;
  
  receiving a request for content from a client device having a permanent data storage component;
  
  tagging a portion of the content to be exclusively memory resident on a memory component arranged for temporal content storage at the client device, while another portion of the content remains untagged such that the other portion is configured to be storable on the permanent data storage component;
  
  receiving a content ticket that includes an authenticator;
  
  employing the content ticket and the authenticator to determine whether the client device is allowed access to the requested content; and
  
  if the client device is allowed access, providing, over the network, the tagged portion of the content and the untagged other portion of the content to the client device, wherein the tagged portion of the content is loaded as exclusively memory resident on the memory component of the client device, while the untagged other portion of the content is loadable on the client device'"'"'s permanent data storage component,wherein employing the authenticator to determine whether the client device is allowed access further comprises;
  
  determining a remote address and a local address associated with the client device;
  
  concatenating the determined remote address and the local address;
  
  determining a digest based on the concatenation;
  
  determining a timestamp based on the digest and the authenticator; and
  
  employing the timestamp to determine whether the client device is authentic.
- View Dependent Claims (16, 17, 18)
- - 16. The apparatus of claim 15, wherein employing the content ticket to determine whether the client device is allowed access further comprises:
    - allowing access if at least one of the following is valid;
      
      a time allotted to the content ticket is expired, the content ticket is revoked, or the content ticket fails to include information granting access rights to the client device for the requested content.
  - 17. The apparatus of claim 15, wherein receiving a content ticket that includes an authenticator further comprises:
    - decrypting a server portion of the content ticket to extract a session key; and
      
      employing the session key to decrypt the authenticator.
  - 18. The apparatus of claim 15, wherein the content further comprises blocks of content that are arranged such that a first block is useable to cross validate another block of content by employing in the first block at least one of an executable or dynamic link library to validate a digital signature associated with the other block of content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Valve Corporation
Original Assignee
Valve Corporation
Inventors
Jones, Paul David, Newcombe, Christopher Richard, Birum, Derrick Jason, Ellis, Richard Donald
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Tolentino; Roderick

Application Number

US11/737,677
Publication Number

US 20070289026A1
Time in Patent Office

1,069 Days
Field of Search

713/155, 709/225, 709/226, 380/229, 705/67
US Class Current

713/155
CPC Class Codes

G06Q 20/3674   involving authentication

H04L 2463/101   applying security measures ...

H04L 41/0896   Bandwidth or capacity manag...

H04L 61/2514   between local and global IP...

H04L 63/045   wherein the sending and rec...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/06   specially adapted for file ...

H04L 67/1001   for accessing one among a p...

H04L 67/306   User profiles

H04L 67/34   involving the movement of s...

H04L 67/51   Discovery or management the...

H04L 67/53   using third party service p...

H04L 67/55   Push-based network services

H04L 67/62   Establishing a time schedul...

Enabling content security in a distributed system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Enabling content security in a distributed system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links