HTTP signing
1. A method for signing data transferred over a network, comprising:
- receiving a request for a first resource;
- generating a first header field of a set of header fields, the first header field associated with a content identifier for the first resource;
- generating a second header field of the set of header fields, the second header field associated with a content expiration time for the first resource;
- determining a plurality of header fields corresponding with a message digest, the plurality of header fields includes at least one of the first header field or the second header field;
- generating the message digest, the generating the message digest includes hashing the plurality of header fields and at least a portion of the first resource;
- generating a supplemental header, the supplemental header specifies the plurality of header fields used to generate the message digest;
- generating a digital signature based on the message digest;
- embedding the set of header fields, the supplemental header, and the digital signature into a response header; and
- transmitting a response message, the response message includes the response header and the at least a portion of the first resource, wherein the plurality of header fields is a subset of the set of header fields;
- the response header is an HTTP response header;
- the first resource comprises a file;
- the supplemental header comprises a non-standard HTTP header; and
- the response header includes a cache expiration field, the cache expiration field specifies a time at which cached copies of the at least a portion of the first resource must be refreshed, the content expiration time is at a time prior to the cache expiration time.
Abstract
A system and method for signing data transferred over a computer network is described. In one aspect, the HTTP header of an HTTP response message is extended to include a content identifier, a content expiration time, and a digital signature. The digital signature may be generated from the content identifier, the content expiration time, and the message body of the HTTP response message.
17 Claims
7. An electronic device for verifying the authenticity of a first resource, comprising:
- a network interface, the network interface transmits a first request for a first resource, the network interface receives a response to the first request from a content delivery network, the response includes a header and at least a portion of the first resource, the header includes a content identifier field and a content expiration field, the header further includes a digital signature and a supplemental header, the supplemental header specifies a plurality of header fields used to generate a message digest, the plurality of header fields includes at least one of the content identifier field or the content expiration field, the digital signature is generated using the message digest; and
- a processor, the processor verifies that the at least a portion of the first resource is authentic by decrypting the digital signature and comparing the decrypted digital signature to a hashing of the plurality of header fields specified in the supplemental header and the at least a portion of the first resource, wherein the plurality of header fields is a subset of a set of header fields included within the header;
- the header is an HTTP response header;
- the first resource comprises a file;
- the supplemental header comprises a non-standard HTTP header; and
- the header includes a cache expiration field, the cache expiration field specifies a time at which cached copies of the at least a portion of the first resource must be refreshed, the content expiration field specifies a content expiration time at which the at least a portion of the first resource is no longer valid, the content expiration time is at a time different than the cache expiration time.
(Dependent claims: 8, 9, 10, 11, 12, 13, 14.)
15. One or more storage devices containing processor readable code for programming one or more processors to perform a method comprising the steps of:
- receiving a first request for a particular game update;
- establishing a secure connection with an origin server;
- sending a second request for the particular game update to the origin server;
- receiving a response to the second request from the origin server, the response includes the particular game update;
- generating a first header field associated with a content identifier for the particular game update;
- generating a second header field associated with a content expiration time for the particular game update;
- determining a plurality of header fields corresponding with a message digest, the plurality of header fields includes at least one of the first header field or the second header field;
- generating the message digest, the generating the message digest includes hashing the plurality of header fields and at least a portion of the particular game update;
- generating a supplemental header, the supplemental header specifies the plurality of header fields used to generate the message digest;
- generating a digital signature based on the message digest;
- embedding the first header field, the second header field, the supplemental header, and the digital signature into a response header; and
- transmitting a response message to a content delivery network, the response message includes the response header and the particular game update, wherein the response header is an HTTP response header;
- the supplemental header comprises a non-standard HTTP header; and
- the response header includes a cache expiration field, the cache expiration field specifies a time at which cached copies of the particular game update must be refreshed, the content expiration field specifies a content expiration time at which the particular game update is no longer valid, the content expiration time is at a time equal to the cache expiration time.
(Dependent claims: 16, 17.)
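The claims above describe one scheme from both ends: the origin (claims 1 and 15) adds a content-identifier field and a content-expiration field, hashes a chosen subset of header fields together with the body, signs that digest, and names the hashed fields in a supplemental header; the client (claim 7) rebuilds the digest from the fields the supplemental header names and checks the signature, so a content delivery network or cache that alters the body or the expiration header is detected. The block below is an added illustration, not code from the patent or its assignee. The header names (`X-Content-Id`, `X-Content-Expires`, `X-Signed-Headers`, `X-Signature`) are assumptions, since the claims only say the supplemental header is a non-standard HTTP header, and the claims' asymmetric digital signature is stood in for by an HMAC so the example runs with the Python standard library alone; the digest construction, the expiration ordering check of claim 1, and the client-side coverage checks are the parts the claims actually specify.

```python
"""Sign and verify an HTTP response along the lines of the claims: a content
identifier field, a content expiration field, a supplemental header naming the
signed fields, a digest over those fields plus the body, and a signature over
that digest carried in the response header.  Illustrative code, not the
patent's own; header names and the HMAC stand-in are assumptions."""
import hashlib
import hmac

# Assumed header names; the claims do not fix them.
CONTENT_ID = "X-Content-Id"
CONTENT_EXPIRES = "X-Content-Expires"   # content expiration time, unix seconds
SIGNED_FIELDS = "X-Signed-Headers"      # the "supplemental header": fields in the digest
SIGNATURE = "X-Signature"
CACHE_EXPIRES = "Expires"               # the cache expiration field (unix seconds here)

# Stand-in for the origin's signing key pair (constructed demo key, HMAC instead of
# the asymmetric signature the claims describe, so only the standard library is needed).
ORIGIN_KEY = b"constructed-demo-key-not-for-production"


def message_digest(headers, signed_fields, body):
    """Hash the named header fields (lower-cased name: value, in the listed order) and the body."""
    h = hashlib.sha256()
    for name in signed_fields:
        h.update(f"{name.lower()}: {headers[name]}\n".encode())
    h.update(b"\n")                      # separator between the field block and the body
    h.update(body)
    return h.digest()


def sign_response(body, content_id, content_expires, cache_expires,
                  signed_fields=(CONTENT_ID, CONTENT_EXPIRES)):
    """Origin side: build the header set, digest, sign, and embed the supplemental header.

    Claim 1 requires the content expiration to be prior to the cache expiration
    (claim 15 allows equal), so a later content expiration is rejected here.
    """
    if content_expires > cache_expires:
        raise ValueError("content expiration must not be later than cache expiration")
    headers = {
        CONTENT_ID: content_id,
        CONTENT_EXPIRES: str(content_expires),
        CACHE_EXPIRES: str(cache_expires),
        SIGNED_FIELDS: ", ".join(signed_fields),
    }
    digest = message_digest(headers, signed_fields, body)
    headers[SIGNATURE] = hmac.new(ORIGIN_KEY, digest, "sha256").hexdigest()
    return headers, body


def verify_response(headers, body, now, required_fields=(CONTENT_EXPIRES,)):
    """Client side (claim 7): return (ok, reason) after rebuilding the digest from the
    fields the supplemental header names and checking the signature and expiration."""
    if SIGNED_FIELDS not in headers or SIGNATURE not in headers:
        return False, "missing supplemental header or signature"
    signed_fields = [f.strip() for f in headers[SIGNED_FIELDS].split(",")]
    # The claims require at least one of the content id or content expiration be covered;
    # a deployment policy can demand more (here: the expiration field must be signed,
    # otherwise an intermediary could re-date an expired resource without detection).
    if not any(f in signed_fields for f in (CONTENT_ID, CONTENT_EXPIRES)):
        return False, "signed fields cover neither content id nor content expiration"
    for f in required_fields:
        if f not in signed_fields:
            return False, f"policy requires {f} to be signed"
    if any(f not in headers for f in signed_fields):
        return False, "supplemental header names a field absent from the response"
    expected = hmac.new(ORIGIN_KEY, message_digest(headers, signed_fields, body),
                        "sha256").hexdigest()
    if not hmac.compare_digest(expected, headers[SIGNATURE]):
        return False, "signature mismatch"
    if now >= int(headers[CONTENT_EXPIRES]):
        return False, "content expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a signed update, then the same response after a cache altered it.
    hdrs, body = sign_response(b"game-update-bytes", "game-update-42", 1000, 2000)
    print(verify_response(hdrs, body, now=500))            # (True, 'ok')
    print(verify_response(hdrs, b"patched-bytes", now=500))  # body changed in transit
    redated = dict(hdrs, **{CONTENT_EXPIRES: "9999"})
    print(verify_response(redated, body, now=500))         # expiration header re-dated
```

The supplemental header lets the verifier reconstruct exactly what was hashed without a fixed out-of-band field list, but the verifier still has to enforce a minimum covered set; `required_fields` is where that policy lives.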