Method, system and computer program for deploying software packages with increased security

US 8,230,222 B2
Filed: 08/21/2006
Issued: 07/24/2012
Est. Priority Date: 08/23/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method for deploying software packages adapted to enforce software configurations in a data processing system including a plurality of target entities, each target entity being associated with a corresponding pair of private key and public key, wherein the method includes the steps of:

providing, from a server computer over a data network, a software package to be deployed to a set of selected target entities, each of the selected target entities being an endpoint computer;

associating a symmetric key with the software package;

encrypting at least a portion of the software package with the symmetric key;

for each selected target entity encrypting the symmetric key with the corresponding public key of the selected target entity;

building a further software package, the further software package including a plurality of encrypted symmetric keys, each encrypted symmetric key in the plurality of encrypted keys being associated with an indication of a corresponding selected target entity; and

deploying the encrypted software package and the further software package to the selected target entities to enable each selected target entity to decrypt the corresponding encrypted symmetric key with the associated private key, to decrypt the encrypted software package with the decrypted symmetric key, and to apply the decrypted software package for enforcing the corresponding software configuration, wherein for each selected target entity the further software package includes a command for decrypting the corresponding encrypted symmetric key with the associated private key, the command being conditioned to an identification of the selected target entity using run-time parameters of the selected target entity for enforcing a software configuration from the software configurations on the selected target entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A software distribution method (300) with security add-on is proposed. Particularly, any software package to be deployed to selected target endpoints is encrypted (312-315) with a symmetric key (generated dynamically). The symmetric key is in turn encrypted (318-321) with a public key of each target endpoint. A multi-segment software package (embedding the encrypted software package and the encrypted symmetric keys) is then deployed (324-336, 360) to all the target endpoints. In this way, each target endpoint can decrypt (343-348) the encrypted symmetric key with a corresponding private key; it is then possible to decrypt (363-366) the encrypted software package with the symmetric key so obtained. As a result, the endpoint is able to apply (369) the decrypted software package. Therefore, the application of the software package can be restricted to the desired target endpoints only.

Citations

15 Claims

1. A method for deploying software packages adapted to enforce software configurations in a data processing system including a plurality of target entities, each target entity being associated with a corresponding pair of private key and public key, wherein the method includes the steps of:
- providing, from a server computer over a data network, a software package to be deployed to a set of selected target entities, each of the selected target entities being an endpoint computer;
  
  associating a symmetric key with the software package;
  
  encrypting at least a portion of the software package with the symmetric key;
  
  for each selected target entity encrypting the symmetric key with the corresponding public key of the selected target entity;
  
  building a further software package, the further software package including a plurality of encrypted symmetric keys, each encrypted symmetric key in the plurality of encrypted keys being associated with an indication of a corresponding selected target entity; and
  
  deploying the encrypted software package and the further software package to the selected target entities to enable each selected target entity to decrypt the corresponding encrypted symmetric key with the associated private key, to decrypt the encrypted software package with the decrypted symmetric key, and to apply the decrypted software package for enforcing the corresponding software configuration, wherein for each selected target entity the further software package includes a command for decrypting the corresponding encrypted symmetric key with the associated private key, the command being conditioned to an identification of the selected target entity using run-time parameters of the selected target entity for enforcing a software configuration from the software configurations on the selected target entity.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1, wherein the step of deploying the encrypted software package and the further software package further includes:
    - building a multi-segment software package including the further software package and the encrypted software package; and
      
      distributing the multi-segment software package to each selected target entity.
  - 3. The method according to claim from 1, wherein the software package includes an instruction section and a data section, the at least a portion of the software package consisting of the data section.
  - 4. The method according to claim 2, wherein for each selected target entity the step of distributing the multi-segment software package includes:
    - downloading the further software package; and
      
      downloading the encrypted software package in response to a successful decryption of the corresponding encrypted symmetric key with the associated private key.
  - 5. The method according to claim 4, further including the steps for each selected target entity of:
    - storing the decrypted symmetric key before downloading the encrypted software package; and
      
      retrieving the decrypted symmetric key after downloading the encrypted software package.

6. A computer program product including a computer-usable storage device embodying a computer program, the computer program when executed on a data processing system causing the system to perform a method for deploying software packages adapted to enforce software configurations in the system, the system including a plurality of target entities each one being associated with a corresponding pair of private key and public key, wherein the method includes the steps of:
- providing, from a server computer over a data network, a software package to be deployed to a set of selected target entities, each of the selected target entities being an endpoint computer;
  
  associating a symmetric key with the software package;
  
  encrypting at least a portion of the software package with the symmetric key;
  
  for each selected target entity encrypting the symmetric key with the corresponding public key of the selected target entity;
  
  building a further software package, the further software package including a plurality of encrypted symmetric keys, each encrypted symmetric key in the plurality of encrypted keys being associated with an indication of a corresponding selected target entity; and
  
  deploying the encrypted software package and the further software package to the selected target entities to enable each selected target entity to decrypt the corresponding encrypted symmetric key with the associated private key, to decrypt the encrypted software package with the decrypted symmetric key, and to apply the decrypted software package for enforcing the corresponding software configuration, wherein for each selected target entity the further software package includes a command for decrypting the corresponding encrypted symmetric key with the associated private key, the command being conditioned to an identification of the selected target entity using run-time parameters of the selected target entity for enforcing a software configuration from the software configurations on the selected target entity.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer program product according to claim 6, wherein the step of deploying the encrypted software package and the further software package further includes:
    - building a multi-segment software package including the further software package and the encrypted software package; and
      
      distributing the multi-segment software package to each selected target entity.
  - 8. The computer program product according to claim from 6, wherein the software package includes an instruction section and a data section, the at least a portion of the software package consisting of the data section.
  - 9. The computer program product according to claim 7, wherein for each selected target entity the step of distributing the multi-segment software package includes:
    - downloading the further software package; and
      
      downloading the encrypted software package in response to a successful decryption of the corresponding encrypted symmetric key with the associated private key.
  - 10. The computer program product according to claim 9, further including the steps for each selected target entity of:
    - storing the decrypted symmetric key before downloading the encrypted software package; and
      
      retrieving the decrypted symmetric key after downloading the encrypted software package.

11. A system for deploying software packages adapted to enforce software configurations in a data processing system including a plurality of target entities, each target entity being associated with a corresponding pair of private key and public key, wherein the system includes:
- a storage device including a storage medium, wherein the storage device stores computer usable program code; and
  
  a processor, wherein the processor executes the computer usable program code, and wherein the computer usable program code comprises;
  
  computer usable code for providing, from a server computer over a data network, a software package to be deployed to a set of selected target entities, each of the selected target entities being an endpoint computer;
  
  computer usable code for associating a symmetric key with the software package;
  
  computer usable code for encrypting at least a portion of the software package with the symmetric key;
  
  computer usable code for encrypting the symmetric key with the corresponding public key for each selected target entity;
  
  computer usable code for building a further software package, the further software package including a plurality of encrypted symmetric keys, each encrypted symmetric key in the plurality of encrypted keys being associated with an indication of a corresponding selected target entity; and
  
  computer usable code for deploying the encrypted software package and the further software package to enable each selected target entity to decrypt the corresponding encrypted symmetric key with the associated private key, to decrypt the encrypted software package with the decrypted symmetric key, and to apply the decrypted software package for enforcing the corresponding software configuration, wherein for each selected target entity the further software package includes a command for decrypting the corresponding encrypted symmetric key with the associated private key, the command being conditioned to an identification of the selected target entity using run-time parameters of the selected target entity for enforcing a software configuration from the software configurations on the selected target entity.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system according to claim 11, wherein the step of deploying the encrypted software package and the further software package further includes:
    - computer usable code for building a multi-segment software package including the further software package and the encrypted software package; and
      
      computer usable code for distributing the multi-segment software package to each selected target entity.
  - 13. The system according to claim from 11, wherein the software package includes an instruction section and a data section, the at least a portion of the software package consisting of the data section.
  - 14. The system according to claim 12, wherein for each selected target entity the step of distributing the multi-segment software package includes:
    - computer usable code for downloading the further software package; and
      
      computer usable code for downloading the encrypted software package in response to a successful decryption of the corresponding encrypted symmetric key with the associated private key.
  - 15. The system according to claim 14, further including the steps for each selected target entity of:
    - computer usable code for storing the decrypted symmetric key before downloading the encrypted software package; and
      
      computer usable code for retrieving the decrypted symmetric key after downloading the encrypted software package.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Celli, Massimiliano, Ferri, Luca, Pichetti, Luigi, Secchi, Marco, Velati, Marcello
Primary Examiner(s)
Srivastava, Vivek
Assistant Examiner(s)
Salehi, Helai

Application Number

US11/465,824
Publication Number

US 20070047735A1
Time in Patent Office

2,164 Days
Field of Search

None
US Class Current

713/173
CPC Class Codes

G06F 21/125   by manipulating the program...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

Method, system and computer program for deploying software packages with increased security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method, system and computer program for deploying software packages with increased security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links