HTTP signing

US 8,677,134 B2
Filed: 11/11/2010
Issued: 03/18/2014
Est. Priority Date: 11/11/2010
Status: Active Grant

First Claim

Patent Images

1. A method for signing data transferred over a network, comprising:

receiving a request for a first resource;

generating a first header field of a set of header fields, the first header field associated with a content identifier for the first resource;

generating a second header field of the set of header fields, the second header field associated with a content expiration time for the first resource;

determining a plurality of header fields corresponding with a message digest, the plurality of header fields includes at least one of the first header field or the second header field;

generating the message digest, the generating the message digest includes hashing the plurality of header fields and at least a portion of the first resource;

generating a supplemental header, the supplemental header specifies the plurality of header fields used to generate the message digest;

generating a digital signature based on the message digest;

embedding the set of header fields, the supplemental header, and the digital signature into a response header; and

transmitting a response message, the response message includes the response header and the at least a portion of the first resource,wherein the plurality of header fields is a subset of the set of header fields;

the response header is an HTTP response header;

the first resource comprises a file;

the supplemental header comprises a non-standard HTTP header; and

the response header includes a cache expiration field, the cache expiration field specifies a time at which cached copies of the at least a portion of the first resource must be refreshed, the content expiration time is at a time prior to the cache expiration time.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for signing data transferred over a computer network is described. In one aspect, the HTTP header of an HTTP response message is extended to include a content identifier, a content expiration time, and a digital signature. The digital signature may be generated from the content identifier, the content expiration time, and the message body of the HTTP response message.

Citations

17 Claims

1. A method for signing data transferred over a network, comprising:
- receiving a request for a first resource;
  
  generating a first header field of a set of header fields, the first header field associated with a content identifier for the first resource;
  
  generating a second header field of the set of header fields, the second header field associated with a content expiration time for the first resource;
  
  determining a plurality of header fields corresponding with a message digest, the plurality of header fields includes at least one of the first header field or the second header field;
  
  generating the message digest, the generating the message digest includes hashing the plurality of header fields and at least a portion of the first resource;
  
  generating a supplemental header, the supplemental header specifies the plurality of header fields used to generate the message digest;
  
  generating a digital signature based on the message digest;
  
  embedding the set of header fields, the supplemental header, and the digital signature into a response header; and
  
  transmitting a response message, the response message includes the response header and the at least a portion of the first resource,wherein the plurality of header fields is a subset of the set of header fields;
  
  the response header is an HTTP response header;
  
  the first resource comprises a file;
  
  the supplemental header comprises a non-standard HTTP header; and
  
  the response header includes a cache expiration field, the cache expiration field specifies a time at which cached copies of the at least a portion of the first resource must be refreshed, the content expiration time is at a time prior to the cache expiration time.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein:
    - the content identifier includes a uniform resource name; and
      
      the content expiration time is specified according to Greenwich Mean Time.
  - 3. The method of claim 1, wherein:
    - the response header includes a cache expiration field, the cache expiration field specifies a time at which cached copies of the at least a portion of the first resource must be refreshed, the content expiration time is specified relative to the cache expiration time.
  - 4. The method of claim 1, wherein:
    - the generating a digital signature includes using an asymmetric signature algorithm.
  - 5. The method of claim 1, wherein:
    - the transmitting includes transmitting the response message to a content delivery network.
  - 6. The method of claim 1, further comprising:
    - establishing a secure connection with a proxy server; and
      
      the transmitting includes transmitting the response message to the proxy server.

7. An electronic device for verifying the authenticity of a first resource, comprising:
- a network interface, the network interface transmits a first request for a first resource, the network interface receives a response to the first request from a content delivery network, the response includes a header and at least a portion of the first resource, the header includes a content identifier field and a content expiration field, the header further includes a digital signature and a supplemental header, the supplemental header specifies a plurality of header fields used to generate a message digest, the plurality of header fields includes at least one of the content identifier field or the content expiration field, the digital signature is generated using the message digest; and
  
  a processor, the processor verifies that the at least a portion of the first resource is authentic by decrypting the digital signature and comparing the decrypted digital signature to a hashing of the plurality of header fields specified m the supplemental header and the at least a portion of the first resource,wherein the plurality of header fields is a subset of a set of header fields included within the header;
  
  the header is an HTTP response header;
  
  the first resource comprises a file;
  
  the supplemental header comprises a non-standard HTTP header; and
  
  the header includes a cache expiration field, the cache expiration field specifies a time at which cached copies of the at least a portion of the first resource must be refreshed, the content expiration field specifies a content expiration time at which the at least a portion of the first resource is no longer valid, the content expiration time is at a time different than the cache expiration time.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The electronic device of claim 7, wherein:
    - the content identifier field associates the at least a portion of the first resource with a uniform resource name; and
      
      the processor discards the at least a portion of the first resource if authentication of the at least a portion of the first resource fails.
  - 9. The electronic device of claim 7, wherein:
    - the content expiration field specifies a content expiration time at which the at least a portion of the first resource is no longer valid, the content expiration time is specified according to Greenwich Mean Time.
  - 10. The electronic device of claim 9, wherein:
    - the processor verifies that the content expiration time plus a time specified by a given window of time has not occurred.
  - 11. The electronic device of claim 7, wherein:
    - the digital signature is generated using an asymmetric signature algorithm.
  - 12. The electronic device of claim 11, wherein:
    - the processor verifies that the digital signature was created using the content identifier field, the content expiration field, and the at least a portion of the first resource.
  - 13. The electronic device of claim 11, wherein:
    - the processor executes verification software, the verification software acquires a public key from a trusted third party, the verification software uses the public key to decrypt the digital signature.
  - 14. The electronic device of claim 11, wherein:
    - the processor executes verification software, the verification software acquires a public key from a secure location on a local storage device, the verification software uses the public key to decrypt the digital signature.

15. One or more storage devices containing processor readable code for programming one or more processors to perform a method comprising the steps of:
- receiving a first request for a particular game update;
  
  establishing a secure connection with an origin server;
  
  sending a second request for the particular game update to the origin server;
  
  receiving a response to the second request from the origin server, the response includes the particular game update;
  
  generating a first header field associated with a content identifier for the particular game update;
  
  generating a second header field associated with a content expiration time for the particular game update;
  
  determining a plurality of header fields corresponding with a message digest, the plurality of header fields includes at least one of the first header field or the second header field;
  
  generating the message digest, the generating the message digest includes hashing the plurality of header fields and at least a portion of the particular game update;
  
  generating a supplemental header, the supplemental header specifies the plurality of header fields used to generate the message digest;
  
  generating a digital signature based on the message digest;
  
  embedding the first header field, the second header field, the supplemental header, and the digital signature into a response header; and
  
  transmitting a response message to a content delivery network, the response message includes the response header and the particular game update,wherein the response header is an HTTP response header;
  
  the supplemental header comprises a non-standard HTTP header; and
  
  the response header includes a cache expiration field, the cache expiration field specifies a time at which cached copies of the particular game update must be refreshed, the content expiration field specifies a content expiration time at which the particular game update is no longer valid, the content expiration time is at a time equal to the cache expiration time.
- View Dependent Claims (16, 17)
- - 16. The one or more storage devices of claim 15, wherein:
    - the content identifier field includes a uniform resource name; and
      
      the content expiration field includes a time specified according to Greenwich Mean Time.
  - 17. The one or more storage devices of claim 16, wherein:
    - the digital signature is generated using an asymmetric signature algorithm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Livni, Felix, Chen, Hao
Primary Examiner(s)
Hwang, Joon H
Assistant Examiner(s)
AGUIAR, JOHNNY B

Application Number

US12/944,649
Publication Number

US 20120124384A1
Time in Patent Office

1,223 Days
Field of Search

713/176, 713/178, 713/181
US Class Current

713/178
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0281   Proxies

H04L 63/0442   wherein the sending and rec...

H04L 63/126   the source of the received ...

H04L 63/166   at the transport layer

H04L 67/02   based on web technology, e....

H04L 9/3247   involving digital signatures

HTTP signing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

HTTP signing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links