DE10215747B4 - Method, computer program with program code means and computer program product for the protected downloading of an electronic object into a Personal Area Network (PAN) and Personal Area Network (PAN) - Google Patents

Abstract

Method for the protected downloading of an electronic object (IE) into a Personal Area Network (PAN) with at least two functional units (N1, N2),
- in which a control task (KA) is carried out, by means of which the downloading of the electronic object (IE) into the PAN is monitored,
- in which a security task (SA) is carried out, by means of which a security check of the electronic object (IE) is carried out,
- in which a transmission task (LA) is carried out, by means of which the electronic object (IE) is downloaded into the PAN,
wherein the control task (KA), the security task (SA) and the transfer task (LA) are divided among the at least two functional units (N1, N2) in the PAN such that none of the at least two functional units (N1, N2) all tasks (KA, SA, LA).

Description

Method, Computer program with program code means and computer program product to a protected Download an electronic object to a personal area Network (PAN) and Personal Area Network (PAN)

The Invention relates to a protected Downloading an electronic object into a target environment, for example downloading software (software download) on or into a mobile device.

The Downloading software, software download, is a key technology with a flexible adaptation of end devices, especially mobile ones terminals to specific user environments and user requirements. The software Allows download an expansion of existing functionalities of end devices such as also an implementation or installation of new additional ones functionalities with these, such as enhanced or new multimedia applications.

The downloaded software can exist in different forms, like as a binary code or machine code, for example Java bytecode or Microsoft MSIL, as a so-called script, for example as a Java script or as a WML script, or as a parameter or data file.

Around the end devices when downloading from dirty software, such as contaminated with viruses Software, protect, downloading is usually done with a security check, which the downloaded software is subjected to. This protected download will only be completed if: the downloaded software has one or more security controls has successfully passed.

at such a security check usually integrity and authenticity checked the downloaded software. This usually happens because the end device is a source or a provider the software to be downloaded verified and the downloaded one Software checked for tampering.

Depending on the verified source or the provider of the software or the manipulation test the terminal decides whether the download is done and the software is accepted.

Furthermore can also do the security check an authorization of the terminal to Software download can be checked. This can ensure that the software to be downloaded only on authorized devices installed and not copied illegally by them.

exemplary some well-known security checks are mentioned, such as verification a digital signature or a "message authentication code" (MAC) and a calculation and a comparison of hash values. Security checks are also known what cryptographic keys, Use certificates and "policy" information.

Various protected Software downloads to end devices are known from [1], [2] and [3].

Out [1] is a software download protected by a digital signature known a calculator. A provider provides this software download the software to be downloaded with a digital signature, comparable to an electronic signature. Under use This digital signature can be used by the target device, in this case the computer, carry out the security check and the integrity and authenticity check the downloaded software.

at the protected one known from [2] Software download will download the software via a secure information channel between the software provider and the terminal transmitted to the terminal and loaded there.

The Protected known from [3] Software download refers to so-called mobile agents ([12], [13]). These are executable programs that are can autonomously move around a network to perform certain tasks perform. In [3] a mechanism is given by means of which mobile agents with execution rights and these rights are checked can.

Further protected Software downloads are known from [4] to [9].

at all protected software downloads known from [1] to [9] the downloaded software is loaded onto a singular end device, a "monolithic device". The singular end device does both the charging process with subsequent Storage of the software as well as the security check of the same. However, this requires several from the respective terminal different functionalities, like a load function, a store function and a check function.

The provision as well as the execution of these functionalities, however, relies on the end devices appropriate facilities and corresponding capacities, such as storage space and computing power.

In particular mobile devices, to which special requirements regarding low weight, Size and energy consumption but are limited in their capacities, which leads to problems with protected Perform software download can.

Out [10] is a software download into a terminal device, a target device, one Vehicle control system, which includes the target device and other devices, known.

at With this software download, the loading process is carried out in various subtasks divided like a control device task, an update device task, a receiving device task and a configuration manager task. The control device task, the update device task as well as the receiving device task on the vehicle control system internal devices, i.e. the target device and the other devices of the vehicle control system, divided and executed there. The Configuration manager task that has the highest demands on computing power and storage capacity, is outsourced from the vehicle control system and by a Master unit executed which is outside of the vehicle control system.

A Personal Area Network (PAN) is known from [11]. Such a PAN ( 13 . 1300 ) is formed from at least two physical, functional units (nodes) in communication with each other 1301 . 1302 . 1303 ,

Such physical units can for example his networked computer and / or server computer, communications equipment such as cell phones, so-called PDA or combinations of the aforementioned Equipment.

Communication between the nodes 1301 . 1302 . 1303 of a PAN 1300 can be both wired and wired (wireless). Furthermore, the knots stand out 1301 . 1302 . 1303 of such a PAN 1300 in that they are all assigned to the same user. This assignment or belonging to the same user means that all nodes 1301 . 1302 . 1303 of a PAN 1300 trust each other.

The PAN stands 1300 with an external communication network, such as a GSM network, a UMTS network or an Internet, in (communication) connection, this is usually done via a selected node 1301 inside the PAN 1300 which selected node 1301 a connection, a so-called gateway 1304 , to the external communication network or to a node in the external communication network.

Are electronic objects, such as data or software, in the PAN 1300 or to a (target) node 1301 . 1302 . 1303 of the PAN 1300 downloaded, the download takes place to the target node 1301 . 1302 . 1303 technically via the selected "gateway" node 1304 and functionally like downloading to a "monolithic device". However, this requires from the target node 1301 that this must provide all the corresponding functionalities described, such as a loading function, a storage function and a checking function.

Out [14] is a method of preventing downloading and execution an unwanted Object on or in a workstation of a computer network using a central control unit, a “Control Center ".

The Invention, the technical object is based on a method a protected Download an electronic object to a personal area Network (PAN), a corresponding PAN and corresponding software resources specify which one or as few as possible at the nodes of the PAN technical requirements.

This Task is through the process, through the computer program with Program code means and the computer program product for a protected download of an electronic object into a PAN and through a PAN with the Characteristics according to the respective independent Claim resolved.

• – eine Kontrollaufgabe (KA), durch welche das Herunterladen des elektronischen Objekts (IE) in das PAN überwacht wird,
• – eine Sicherungsaufgabe (SA), durch welche eine Sicherheitsüberprüfung des elektronischen Objekts (IE) durchgeführt wird,
• – eine Übertragungsaufgabe (LA), durch welche das elektronische Objekt (IE) in das PAN heruntergeladen wird.

The method for protected downloading of an electronic object (IE) into a personal area network (PAN) with at least two functional units (N1, N2) is carried out

• A control task (KA) by which the downloading of the electronic object (IE) into the PAN is monitored,
• - a security task (SA), through which a security check of the electronic object (IE) is carried out,
• - A transmission task (LA) through which the electronic object (IE) is downloaded into the PAN.

The control task (KA), the security task (SA) and the transfer task (LA) are distributed to the at least two functional units (N1, N2) in the PAN such that none of the at least two functional units (N1, N2) performs all tasks (KA, SA, LA).

synonymous with the use of the term "task" is the use of the following Term "function", for example the control task and a control function.

The Personal Area Network (PAN), set up for secure downloading of an electronic Object, has at least two functional units (N1, N2) on.

• – eine Kontrollaufgabe (KA), durch welche das Herunterladen des elektronischen Objekts (IE) in das PAN überwacht wird,
• – eine Sicherungsaufgabe (SA), durch welche eine Sicherheitsüberprüfung des elektronischen Objekts (IE) durchgeführt wird, und
• – eine Übertragungsaufgabe (LA), durch welche das elektronische Objekt (IE) in das PAN heruntergeladen wird.

The protected download of the electronic object (IE) into the PAN includes

• A control task (KA) by which the downloading of the electronic object (IE) into the PAN is monitored,
• - a security task (SA), through which a security check of the electronic object (IE) is carried out, and
• - A transmission task (LA) through which the electronic object (IE) is downloaded into the PAN.

The at least two functional units are set up in such a way that the control task (KA), the backup task (SA) and the transfer task (LA) to the at least two functional units (N1, N2) in which PAN is divisible, that none of the at least two functional ones Units (N1, N2) performs all tasks (KA, SA, LA).

Under the protected Downloading the electronic object is understood to mean that downloading the electronic object with a security check of the same connected is. The protected Downloading is only completed or completed, i.e. the downloaded electronic object is only accepted when one or more security checks pass successfully accomplished were.

Of another is in the invention under an electronic object any kind of loadable or transferable To understand information or information elements, such as software, Scripts or parameter or data files.

By doing the protected Downloading the electronic object divided into different subtasks will and the implementation of the subtasks to several distributed, functional units in assigned to the PAN not all tasks when downloading the electronic object be perceived by a single functional unit.

Thereby can a total load, for example with regard to computing power and storage capacity, according to a capacity of the individual functional units.

The sensible, functional division of the overall task into the subtasks, the control task, the backup task and the transfer task, corresponds to a definition of logical devices. In implementing the invention the subtasks or the logical devices will then actually become physical existing functional units in the PAN, such as a node PAN assigned.

By the inventive and intelligent division of the overall task in the subtasks and assignment of the subtasks to at least two functional units of the PAN can be prevented Already existing functional units for the entire task upgraded and thus have to be made more expensive.

Of the invention further uses the (securing) property of a PAN, namely that all nodes, i.e. all functional units, one PAN itself trust each other.

In order to enough it, the backup task or the security check of the downloaded electronic object from a functional unit in the PAN carry out to leave, with a positive check result the electronic object at PAN level, i.e. for all functional units of the PAN, is considered safe.

Fall the functional units for the security check and the transfer task apart, so there is no additional Security check by the functional unit that carries out the transfer task, more necessary.

Further or other technical properties of a PAN are known and described for example in [11].

The Computer program with program code means is set up to all Steps according to the inventive method perform when the program is run on a computer.

The Computer program product with stored on a machine readable medium Program code means is set up to perform all steps according to the inventive method perform, if the program is running on a computer.

The arrangement as well as the computer program with program code means set up to perform all steps according to the inventive method when the program is executed on a computer, and the computer program product with program code means stored on a machine-readable medium, arranged to carry out all steps according to the inventive method when the program is executed on a computer are particularly suitable for carrying out the method according to the invention or one of its further developments explained below.

preferred Further developments of the invention result from the dependent claims.

The The further developments described below relate both to the procedures as well as the arrangement.

The Invention and the further developments described below can both in software as well as in hardware, for example using a special electrical circuit.

Further is an implementation of the invention or one described below Further training possible through a computer-readable storage medium on which the computer program stored with program code means, which is the invention or training.

Also can the invention or any further development described below be realized by a computer program product, which a Storage medium on which the computer program with program code means is stored, which carries out the invention or further development.

at In one development, the PAN has three functional units, for example three nodes, each of which has one of the three tasks or functions, the control task, the backup task and the transfer task or the control function, the security function and the transfer function performs.

So For example, a node which exercises the control function can be clearly illustrated be seen as a download manager.

The Tasks, the control task, the backup task and the transfer task, can both parallel in time or offset in time as well as in series in time, i.e. sequentially, expire.

As well Is it possible, the implementation a task depends on a result of another task make (conditional execution of a Function). For example, it is only then possible to complete the transfer task perform when performed the backup task was and / or the backup task delivered a predeterminable result Has.

A Coordination of tasks can be done using appropriate Messages between the tasks or between the functional Units are exchanged, accomplished.

Has been For example, the backup task was performed successfully can do this or the corresponding functional unit of the control task or report the positive implementation to the corresponding functional unit, which then carry out the transfer task by a corresponding message to the transfer task or the can initiate appropriate functional unit.

The Exchange of messages, generally communication between the tasks or the functional units can be encrypted. Corresponding encryption mechanisms, are like asymmetrical encryption well known.

Of further it makes sense to do the transfer task to be divided into two subtasks, one transfer task, in which the electronic object to a target unit, such as a target node, transmitted in the PAN and an installation task, which is indexed, that the transferred electronic object can now be installed on the target unit can.

The Subdivision of the transfer task in the two subtasks a separate execution of the subtasks, which increases the flexibility of the download.

So For example, the transfer task can be carried out at an early stage of the Download performed before, for example, performing the backup task, while the installation task at the end of the download, in in this case after the implementation the backup task can be.

Furthermore, a further functional unit can be provided in the PAN that performs a “gateway” function, for example a so-called gateway node. Via this gateway node, which in turn is connected to the other nodes or functional units of the PAN , the PAN enters into communication contact with other networks, such as a public network GSM / UMTS network or an Internet. Information and / or data can thus be exchanged between the PAN and another network via the gateway node.

In Figures are an embodiment the invention and modifications of the embodiment shown, which further below are explained.

It demonstrate

1 a sketch of a personal area network (PAN) according to an embodiment;

2 a sketch of an information flow when downloading an electronic object into a PAN according to an embodiment;

3 a sketch of a modified information flow when downloading an electronic object into a PAN according to a modification of an embodiment;

4 a sketch of a modified information flow when downloading an electronic object into a PAN according to a modification of an embodiment;

5 a sketch of a modified information flow when downloading an electronic object into a PAN according to a modification of an embodiment;

6 a sketch of a modified information flow when downloading an electronic object into a PAN according to a modification of an embodiment;

7 a sketch of a modified information flow when downloading an electronic object into a PAN according to a modification of an embodiment;

8th a sketch of a modified information flow when downloading an electronic object into a PAN according to a modification of an embodiment;

9 a sketch of a modified Personal Area Network (PAN) according to a modification of an embodiment;

10 a sketch of a modified Personal Area Network (PAN) according to a modification of an embodiment;

11 a sketch of a modified Personal Area Network (PAN) according to a modification of an embodiment;

12 a sketch of a modified Personal Area Network (PAN) according to a modification of an embodiment;

13 a sketch of a Personal Area Network (PAN) according to a prior art.

Embodiment: Download an electronic object from a download server a public one Network in a Personal Area Network (PAN) with over several Distributed download functionalities

In 1 is a Personal Area Network (PAN) 100 shown, which is formed by several functional, in contact with each other nodes 101 . 102 . 103 and 109 ,

The PAN 100 in turn is in communication with a public network 110 , The public network includes a download server 111 which offers software for download. Data can be transferred between the public network via the communication link 110 and the PAN 100 be replaced.

Node 1 101 , Node 2 102 and node 3 103 show functionalities, function 1 104 (Control function of the node 1 101 ), Function 2 105 (Node 2 security check function 102 ) and function 3 106 (Node 3 transfer function 103 ) for downloading data 108 , generally of electronic objects, into the PAN 100 on.

The node 1 101 which with function 1, the control function, 104 is equipped, controls and monitors the download of an object to be downloaded 108 , So he starts downloading the object 108 and coordinates functions 2, the security check function 105 , and 3, the transfer function 106 , the other two nodes 102 . 103 ,

The node 2 102 which with function 2, the security check function 105 , is equipped, leads to the object to be downloaded 108 a security check. During the security check, node 2 verifies 102 one with the object to be downloaded 108 associated security certificate 107 , Appropriate verification methods are known.

The node 3 103 which with function 3, the transfer function 106 , is loaded, loads the object to be downloaded 108 and is that according to a so-called target node, in the PAN 100 ,

2 shows an information flow or data / message flow 200 which when downloading the electronic object 108 into the PAN 100 between the three nodes 101 . 102 . 103 or between the three functions, function 1 104 (Control function of the node 1 101 ), function 2 105 (Node 2 security check function 102 ) and function 3 106 (Node 3 transfer function 103 ), flows.

in the The following are just the functions for the sake of simplicity described by their numbers.

Function 1 104 sends function 2 105 a message 201 through which the security check 202 which is carried out by function 2 105 , the object to be downloaded 108 is triggered.

After completing the security check 202 shares the function 2 105 function 1 104 the result of this by transmitting an appropriate message 203 With.

Depending on the message 203 the actual download process is performed.

Receives function 1 104 with the message 203 reporting a positive security check 202 , then function 1 104 downloading the object 108 , It sends a corresponding message (Download Message) 204 to function 3 106 ,

This triggers the download process. The process is carried out by function 3 106 carried out and in this case closes a transfer of the object 108 on node 3 103 and an installation of the downloaded object 108 on node 3 103 on.

After the download is complete, the downloaded and installed object is located 108 on node 3 103 ,

In case of a message 203 about a negative security check 202 ends function 1 104 downloading without transfer and installation of the object 108 ,

In the 3 to 8th are various modifications of the download 200 according to 2 with corresponding modified information flows. Modified steps are new and labeled according to the figure designations 3 to 8, unchanged steps remain unchanged accordingly 2 designated.

3 shows a download 300 of the object 108 in one for downloading 200 out 2 modified form.

When downloading 300 in 3 is the download message (cf. 2 . 204 ) separated into a first message 301 , which causes the transfer of the object, as well as in a second message 302 , through which the installation of the downloaded object 108 on node 3 103 is initiated.

When downloading 300 according to 3 the two messages 301 . 302 and consequently the two corresponding steps, the transfer and the installation of the object, immediately after the security check 202 and the transmission of the corresponding message 203 triggered or carried out.

4 shows a download 400 similar to downloading 300 according to 3 where the two news 301 . 302 respectively. 401 . 402 and the two corresponding, triggered steps, the transmission of the object 108 and installing the object 108 , be carried out separately.

When downloading 400 the message follows 401 which is the transfer of the object 108 triggers at the start of the download 400 , ie before the function 1 104 Your message 201 through which the security check 202 is triggered to function 2 105 sends.

The message 402 , which triggers the installation of the object, takes place as in 3 at the end of the download 400 ,

In 5 is another modification 500 of downloading 200 respectively. 400 of the object in the PAN 100 shown, in which also two messages 401 . 501 for transferring and installing the object 108 be sent.

With this modified download 500 sends function 2 105 directly the message 501 which is the installation of the downloaded object 108 triggers to function 3 106 , In this case, the result message 203 the security check of function 2 105 to function 1 104 remain under.

At the in 6 shown modification 600 in turn, just a message, the download message, 601 for transferring and installing the object 108 sent.

This is done by function 2 105 directly to function 3 106 sent at the end of the download and correspondingly triggers the transfer performed by function 3 and the installation of the object 108 out.

7 shows a download 700 where the download message again in two messages 701 . 702 for the transfer and installation of the object, which in this case is carried out directly by function 2 105 to function 3 106 following the security check 202 of the object 108 by function 2 105 sent.

With the modified download 800 according to 8th the download message is again in two messages 801 . 802 for transferring and installing the object 108 divided up. Both messages 801 . 802 function 2 105 to function 3 106 sent, the message 801 for the transfer of the object 108 before the security check 202 of the object and the message 802 for the installation of the object after the security check 202 be sent.

The temporal separation of the download message and thus the two processes, the transfer and the installation of the object 108 , is advantageous if the transfer process of the object takes more time. During the transfer process you can at least partially start with the security check 202 of the object 108 by function 2 105 be started.

It should be noted is that in the various forms of downloading, communication between the nodes or between the functions can also be encrypted can. Appropriate techniques are known, such as IrDA, Bluetooth, HomeRF, Tetra, IEEE 802.15, IEEE 802.11 WLAN, Hiperlan / 1 or / 2 and ticket certificates.

9 shows one too 1 slightly modified PAN 900 which is another knot, a fourth knot 901 includes. Unchanged components are labeled according to 1 Modified components are identified separately.

The fourth knot 902 includes a gateway function 902 which establish a communication link between the PAN 900 and the public network 110 manufactures.

In this case, the object to be downloaded 108 including its security certificate 107 from the download server 111 of the public network 110 using the gateway function 902 at the fourth knot 901 transfer.

It should be noted that the object to be downloaded 108 as well as its security certificate 107 can also be handled separately. Both can be obtained from different sources and / or can be generated from different sources at different times. In the event that, for example, the security certificate 107 is a digital signature or an installation ticket, this can be issued by a corresponding unit, a license server or a ticket server.

10 shows another one too 1 slightly modified PAN 1000 where the first node 1001 in addition to function 1 104 also function 2 105 performs.

Unchanged components are labeled according to 1 Modified components are identified separately.

In this case, the PAN 1000 no more knots.

Other double functions of a node, such as in the in 11 and 12 shown PAN 1100 respectively. 1200 , are also possible.

In the in 11 shown PAN 1100 leads the second knot 1101 both the second function 105 as well as the third function 106 out. In this case the second knot is missing 102 ,

In the in 12 shown PAN 1200 leads the first node 1201 both the first function 104 as well as the third function 106 out. In this case the third node is missing 103 ,

In the following, a sequence or a sequence log of a multi-stage protected download of an object into the PAN is according to 9 described.

Multi-stage in this context means that both an asymmetrical encryption method as well as symmetric encryption methods with the protected Download done become. The basics of corresponding encryption techniques are known.

The first node becomes the run or log 101 as Download Manager (DM), the second node 102 as the verification node (VN), the third node 103 as the target node (TN), the fourth node 901 referred to as the gateway node (GN).

The VN has a suitable key, a root key (RK), for verifying the security certificate of the object to be downloaded. The verification of the security certificate ensures that one is up-to-date from the download server to the UN transmitted public key (asymmetric encryption).

Under Use of the public key the VN uses a digital signature during the security check, with which the object to be downloaded from the download server signed, checked.

The DM and TN share a secret key, as do TN and VN another secret key share (symmetric encryption).

• 1) The participant needs the object to be downloaded (IE) and sends a corresponding request in the form of a request message to the DM. The request message contains an exact description of the object to be downloaded (ID-IE). "From TN to DM: <ID-IE>"
• 2) The DM forwards the request message to the GN. "From DM to GN: <ID-IE> "
• 3) The GN transmits the request message to the download server (DS), whereby this is provided with an address designation of the GN (ID-GN). "From GN to DS: <ID-GN, ID IE> "
• 4) The DS processes the request or request message and sends the GN the ID-IE, the IE, a security certificate CERT (ID-IEP, PuK-IEP), where a public key of the DM (PuK-IEP) with an identity designation of the DM (ID-IEP) is connected, and a digital signature SIGN (PrK-IEP, <ID-IE, IE>), which via the ID-IE and (a HASH value of) IE using the private key of the DM (PrK-IEP) is formed. "From DS to GN: <ID-IE, IE>, CERT (ID-IEP, PuK-IEP), SIGN (PrK-IEP, <ID-IE, IE>)"
• 5) The GN forwards the data received from the DM to the DM. "From GN to DM: <ID-IE, IE>, CERT (ID-IEP, PuK-IEP), SIGN (PrK-IEP, <ID IE, IE>) "
• 6) The DM extracts the ID-IE and the IE from the data and transmits them these to the participants together with a message authentication code (MAC1 (SK1, <ID-IE, IE>)). The MAC1 depends on the ID-IE, the IE and a first secret key SK1, which is shared between the DM and the TN. "From DM to TN: <ID-IE, IE>, MAC1 (SK1, <ID-IE, IE>) "
• 7) The DM forwards the data received in step 5) to the VN further. "From DM to VN: <ID-IE, IE>, CERT (ID-IEP, PuK-IEP), SIGN (PrK-IEP, <ID IE, IE>) "
• 8) The VN checks the ID-IE of the data just received. The UN also verifies the security certificate CERT (ID-IEP, PuK-IEP) using the RK, the timeliness of the PuK-IEP of the DS is checked. The UN then checks the digital signature SIGN (PrK-IEP, <ID-IE, IE>) using of the PuK-IEP.
• 9) The UN sends a verification message regarding the IE to the participant. The ID-IE provides this verification message together with another message authentication code (MAC2 (SK2, <ID-IE>)). This second MAC2 hangs ab from a second secret key SK2, which between the TN and the VN is shared. "From VN to TN: ID-IE, MAC2 (SK2, <ID-IE>)"
• 10) The participant checks the ID-IE the data received in steps 6 and 9 and verified MAC1 (SK1, <ID-IE, IE>) and MAC2 (SK2, <ID-IE>).

A Alternative to the described process or process log results if the PAN uses an underlying communication protocol protected becomes. In this case, the MAC1 and MAC2 can be accessed in steps 6), 9) and 10) can be dispensed with.

In The following writings are cited in this document:

• [1] 3GPP 23,057 MexE;
• [2] WAP Download Architecture Draft, Sec. 4.1.3, last bullet;
• [3] German patent application, registration number DE 101 09 546.5 ;
• [4] WO01 / 33867A2 (Motorola);
• [5] WO00 / 72149A1 (Motorola);
• [6] US patent US6223291B1 (Motorola);
• [7] DE 195 43 843 A1 (Acer);
• [8] WO01 / 78303A1 (Sony);
• [9] WO01 / 86389A2 (Motorola);
• [10] WO02 / 10903A2 (Daimler Chrysler);
• [11] WO 01 / 76154A2 (Ericsson);
• [12] J.M. Bradshaw. Software agents. MIT Press, 1997;
• [13] M. N. Huhns, M. P. Singh; Readings in agents; Morgan Kaufmann Publishers Inc., 1998;
• [14] WO 98/40993 A1.

Claims (19)

Method for the protected downloading of an electronic object (IE) into a personal area network (PAN) with at least two functional units (N1, N2), - in which a control task (KA) is carried out, by means of which the downloading of the electronic object (IE ) is monitored in the PAN, - in which a security task (SA) is carried out, through which a security check of the electronic object (IE) is carried out, - In which a transfer task (LA) is carried out, through which the electronic object (IE) is downloaded to the PAN, the control task (KA), the backup task (SA) and the transfer task (LA) being carried out in this way on the at least two functional units (N1, N2) in which PAN is divided so that none of the at least two functional units (N1, N2) performs all tasks (KA, SA, LA). Method according to claim 1, - where the PAN has three functional Has units on which the tasks are divided such that each functional unit performs one of the tasks. Method according to claim 1, - where the tasks are so be divided among the functional units that one of the functional units perform two tasks. Method according to one of the preceding claims, - in which the tasks are carried out in a coordinated manner: in parallel or staggered or in series. Method according to one of the preceding claims, - in which one of the tasks is only carried out under a predefinable condition. Method according to claim 5, - in which the predefinable condition is a result of another of the tasks. Method according to one of the preceding claims, - in which Messages between the functional units and / or the tasks be replaced. Method according to claim 7, - when using of the exchanged messages the functional units and / or the tasks are coordinated. Method according to claim 7 or 8, - in which the exchanged messages are encrypted. Method according to one of the preceding claims, - in which the transfer task in a transfer task in which the electronic object one of the functional units is transferred and an installation task, in which the transferred electronic object installed on one of the functional units will be divided. Method according to claim 10, - where the transfer task and the installation task is carried out separately. Method according to one of the preceding claims, - in which one of the functional units of the PAN carries out a channel task which a communication link from the PAN to a communication network and / or a unit of a communication network is established. Method according to claim 12, - in which for execution a separate functional unit is provided for the channel task. Method according to one of the preceding claims, - in which the electronic object is an electronic information element, especially software. Method according to one of the preceding claims, - in which at least one of the functional units is a networked computer of a computer network or a networked server computer of a computer network or a communication device, in particular a cell phone or a PDA. Personal Area Network (PAN) with at least two functional units (N1, N2) for protected downloading of an electronic Object (IE) in the PAN, where the download includes - a control task (KA) through which the downloading of the electronic object (IE) monitored in the PAN becomes, - one Security task (SA), through which a security check of the electronic object (IE) is performed, and - a transfer task (LA) through which the electronic object (IE) is downloaded into the PAN becomes, in which the at least two functional units are such are set up that the control task (KA), the backup task (SA) and the transfer task (LA) to the at least two functional units (N1, N2) in which PAN is divisible, that none of the at least two functional ones Units (N1, N2) performs all tasks (KA, SA, LA). Computer program with program code means to all Steps according to claim 1 to perform if the program is running on a computer. Computer program with program code means according to claim 17, which on a computerles hard disk are stored. Computer program product with on a machine readable carrier stored program code means to complete all steps according to claim 1 to perform if the program is running on a computer.