EP2014048A2 - Geschütztes Ausführen einer Datenverarbeitungsanwendung eines Diensteanbieters für einen Nutzer durch eine vertrauenswürdige Ausführungsumgebung (Protected execution of a data processing application of a service provider for a user by a trusted execution environment)
- Publication number
- EP2014048A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- execution
- data
- data processing
- processing application
- execution container
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/54—Interprogram communication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
Definitions
- the invention relates to an execution container for a data processing application of a service provider.
- wireless access networks of telecommunications networks are increasingly being equipped for data processing applications in which selected information or advertisements are sent to a user terminal according to its current location.
- network operators or service providers who operate such a location-sensitive data processing application can thereby track the behavior of a user without his consent.
- US Patent Application Publication No. 2004/0181683 A1 also discusses a "trusted agent" approach, in which an "international security, trust and privacy framework" allows a user to provide the service provider of a data processing application with several profiles, for each of which the service provider then generates personalized user output data.
- the personal data of the user are protected by the fact that the service provider does not know which of the profiles is the correct one. It is also proposed to distribute the correct user input data over several profiles.
- a disadvantage of this concept is that the generation of useful user output data by the service provider is made more difficult if personal data of the user that belong together are distributed over different user profiles. If, however, all relevant information is contained in one profile, the probability is high that the correct user input data can be determined, at least once the user makes more frequent use of the service provider's data processing application. Furthermore, guessing the correct user input data is simplified by the fact that all the wrong profiles are generally sent from the user terminal together with the correct profile.
- an agent created by the service provider protects the user terminal.
- the agent is installed by a system administrator and monitors security settings on the terminal when used outside of a site assigned to the customer's employer.
- said agent is provided by an Internet Service Provider (ISP) and monitors, for example, children's internet use for filtering dangerous information.
- ISP Internet Service Provider
- a "Privacy Preserving Trust Agent” which negotiates the use of data with the ISP, but does not itself provide any data protection.
- a usage policy can only be checked after the fact; by then, however, the data to be protected has already been misused.
- the technical problem underlying the present invention is therefore to provide a device for executing a data processing application of a service provider for a user with an improved protection of user input data.
- an execution container for a data processing application of a service provider contains:
- at least one execution environment configured to instantiate and execute the data processing application, which is present in the form of executable program data and processes user input data to generate user output data, and to exchange the user input data and the user output data with the data processing application;
- a communication interface connected to the execution environment and configured to receive user input data and forward them to the execution environment, and to output user output data sent from the execution environment to outside the execution container;
- a security control unit connected to the communication interface and configured to prevent any data communication of the data processing application with a communication endpoint external to the execution environment whose communication path bypasses the execution environment; and an access control unit connected to the communication interface and configured to prevent any data communication of the execution environment with a communication endpoint external to the execution container that is not defined as permissible by a first security agreement.
- the device according to the invention has the advantage that the data processing application of the service provider need not be executed by the service provider itself, but can be executed by a trusted execution entity. This can run on the equipment of the service provider, of the service user or of a third party.
- the device according to the invention is referred to in the context of the present application as an execution container.
- the service provider does not receive user input data.
- the data processing application exchanges user input data with the execution environment.
- the user input data made available to the data processing application cannot be sent uncontrollably to the outside, that is, for example, to the service provider of the data processing application.
- the access control unit prevents data from the execution environment from being sent to external communication endpoints that are not permitted by a first security agreement.
- the first security agreement is concluded between the provider of the data processing application and the user.
- the security agreement is in the form of a file for the execution container.
- the access control unit uses the first security agreement to monitor and, if necessary, prevent the data communication of the execution environment with external communication endpoints.
- the security control unit provided in the execution container ensures that only the execution environment, but not the data processing application itself, can communicate with communication endpoints that are external relative to the execution environment.
- the security control unit actively prevents any data communication of the data processing application whose communication path bypasses the execution environment. In particular, this means that the security control unit prevents direct, uncontrolled communication between data processing applications that are embedded in different execution environments within the execution container. An embodiment described in more detail below also addresses so-called covert channel attacks on the security of the execution container.
- the execution environment provides the necessary infrastructure, such as access to the processor, etc.
- a security agreement is understood to be a regulation, present in file form, which defines which data communication may be sent to which communication endpoints. Furthermore, the security agreement may contain information about what data a data processing application (DVA) may receive from the user as well as what data the user may receive from the DVA. Where "security" is spoken of in the present application in the context of the invention, the term is to be understood in the sense of the aforementioned "privacy protection", i.e. as protection against unauthorized disclosure and retrieval of personal data. What counts as personal data is defined by the respective security agreement and therefore varies from case to case.
- DVA data processing application
- executable program data, in the context of the present application, are for example at least one executable file or at least one script. Examples of data processing applications are discussed later in the description of preferred embodiments.
- permitted data communication, and in particular permitted user input data, is to be understood as user input data that are defined in the security agreement on the basis of verifiable criteria.
- an admissibility criterion can be, for example, a threshold value for the measurement accuracy of a position determination of a user terminal.
- another admissibility criterion may stipulate, for example, that address data, whether in the form of the user's place of residence or in the form of a network address of this user's terminal, are not made available to the execution container.
- admissibility criteria for user output data, as well as permissible recipients of the user output data with respect to the respective data processing application, can likewise be defined.
- the first security agreement between the service provider and the user accordingly regulates the data flow between the user and the execution container on the one hand, and between the execution container and the authorized recipient(s) of the user output data on the other.
- the user output data to be sent can also be sent differentiated according to the recipients.
- the transmission to the service provider may be limited to billing data, while other user output data may be transmitted to the user himself, for example, to provide him with the service provider's service associated with the data processing application.
- the first security agreement is implemented in the execution container. This means that the execution container always has access to and adheres to the associated first security agreement during execution of the data processing application.
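The enforcement described in the preceding points, as an added illustration that is not part of the patent text: the first security agreement held as a file (JSON here, an assumed format), the admissibility check on user input data (the position-accuracy threshold and the forbidden address fields), the exact-match gate on literals and their endpoints, and the splitting of user output data by recipient (billing data to the provider, the service result to the user). All field names, thresholds, endpoint names and sample data are constructed for this example.

```python
"""Added example: enforcing a 'first security agreement' at the execution
environment. Illustrative code written for this page, not the patent's own
implementation; the JSON layout, field names, thresholds and sample data
below are assumptions constructed for the example."""
from __future__ import annotations
import json

# Constructed sample agreement between a location-based service provider and
# a user (assumed format). "min_accuracy_m" is read as: a position may only
# be made available if its reported accuracy radius is at least this coarse,
# so finer fixes are withheld.
FIRST_AGREEMENT_JSON = """
{
  "application": "poi-finder",
  "user_input": {
    "position": {"min_accuracy_m": 100},
    "home_address": {"forbidden": true},
    "network_address": {"forbidden": true}
  },
  "literal_endpoints": ["provider.example"],
  "literals": ["POI_REQUEST", "POI_ACK", "SESSION_END"],
  "recipients": {
    "provider.example": {"fields": ["billing_units"]},
    "user-terminal": {"fields": ["poi_list", "eta_min"]}
  }
}
"""


def load_agreement(text: str) -> dict:
    """Parse the agreement file and refuse one that lacks a mandatory section."""
    agreement = json.loads(text)
    missing = [k for k in ("user_input", "literal_endpoints", "literals", "recipients")
               if k not in agreement]
    if missing:
        raise ValueError(f"agreement lacks required sections: {missing}")
    return agreement


def admit_user_input(agreement: dict, raw: dict) -> tuple[dict, list[str]]:
    """Build the local copy of user input data the execution environment may
    store. The agreement is a whitelist: unknown fields, forbidden fields and
    fields failing an admissibility criterion are withheld."""
    rules = agreement["user_input"]
    admitted, withheld = {}, []
    for field, value in raw.items():
        rule = rules.get(field)
        if rule is None or rule.get("forbidden"):
            withheld.append(field)
        elif field == "position" and value.get("accuracy_m", 0) < rule["min_accuracy_m"]:
            withheld.append(field)  # the fix is finer than the user agreed to reveal
        else:
            admitted[field] = value
    return admitted, withheld


def literal_permitted(agreement: dict, endpoint: str, message: str) -> bool:
    """Gate for literals the execution environment sends on the application's
    behalf: an exact string comparison against the agreed set, and the
    endpoint must be one the agreement names. No parsing, no templating."""
    return endpoint in agreement["literal_endpoints"] and message in agreement["literals"]


def route_output(agreement: dict, output: dict) -> dict:
    """Split user output data by recipient. A field assigned to no recipient
    (the raw track log in the demo) never leaves the container."""
    routed = {}
    for recipient, rule in agreement["recipients"].items():
        payload = {k: output[k] for k in rule["fields"] if k in output}
        if payload:
            routed[recipient] = payload
    return routed


if __name__ == "__main__":
    agreement = load_agreement(FIRST_AGREEMENT_JSON)
    # Constructed sample user input: a coarse fix plus fields the agreement forbids.
    raw = {"position": {"lat": 52.52, "lon": 13.40, "accuracy_m": 120},
           "home_address": "Example Street 1", "network_address": "10.0.0.7",
           "speed_kmh": 45}
    print(admit_user_input(agreement, raw))
    print(literal_permitted(agreement, "provider.example", "POI_REQUEST lat=52.52"))
    print(route_output(agreement, {"poi_list": ["cafe", "museum"], "billing_units": 3,
                                   "track_log": [(52.52, 13.40)]}))
```

The literal check is deliberately a set membership test on the whole string: any message that carries a parameter is, by construction, not one of the agreed literals, which is what makes the check cheap and the channel narrow.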
- the execution container has a memory for user input data that is external to the execution environment and is connected to the execution environment via the communication interface.
- the security control unit is designed to prevent direct access of the data processing application to the memory.
- memory accesses therefore cannot be performed by the application itself without involving the execution environment. This ensures that the data processing application does not access the memory in an inadmissible way.
- a further development of this exemplary embodiment provides for designing the execution environment in such a way that external user input data relative to the execution container can be read via the communication interface and a local copy of the external user input data can be stored in the memory. Access to external user input data is in this embodiment solely by the execution environment.
- the data processing application receives no access rights to external user input data in this exemplary embodiment.
- the execution container includes a negotiation unit and a negotiation interface.
- the negotiation unit is designed to negotiate the first security agreement between a service provider and a user via the negotiation interface in accordance with a predefined negotiation protocol.
- the first security agreement includes the following information:
- the execution container has a negotiation unit and a negotiation interface, and the negotiation unit is designed to negotiate a second security agreement between the execution container and a service user via the negotiation interface in accordance with a predefined negotiation protocol, wherein it contains the following information:
- the second security agreement provides a tool that allows the execution container and the user to determine how the user input data defined in the first security agreement is made available to the execution container.
- in addition to sending the user input data from a user terminal to the execution container, in practice it often makes sense to allow the execution container to access user input data itself, for example if these are frequently updated data.
- user input data can therefore either be sent by the user to the execution container and stored there, or be fetched by the execution container itself by accessing user input data stored at the user.
- for certain data processing applications, the transmission step may also take place in connection with the installation of the data processing application in the execution container. In general, however, it will be performed by the execution container in connection with the execution of the data processing application.
- the security control unit and the access control unit of the execution container are integrated into a single unit in one embodiment.
- this integrated unit, like the security control unit and the access control unit themselves, may in the case of a distributed execution container also be distributed over the multiple execution containers.
- the security control unit is designed to also exercise its functions as a function of contents of the first or second security agreement or depending on contents of both security agreements.
- Particularly preferred embodiments provide protocols for negotiating the security agreements.
- a step of negotiating the first security agreement between the service provider and the user is provided according to a predefined privacy negotiation protocol. This step is performed before the step of receiving the first security agreement at the execution container.
- the privacy negotiation protocol may define formats of offer and counter offer messages that may be exchanged between the user and the service provider.
- the privacy negotiation protocol may define security preferences formats to be filled by the user or service provider with their respective security preferences. The respective security preferences are then exchanged between the user and the service provider with the predefined security preferences format by sending corresponding messages according to the negotiation protocol. This allows the sender and recipient to automatically negotiate the security agreement.
- users and service providers define at least one set of respective security preferences as well as non-negotiable minimum preferences and negotiable additional preferences.
- if each party also defines a negotiation strategy prior to the negotiation, according to a negotiation strategy format predefined in the privacy negotiation protocol, it is even possible to carry out the negotiation fully automatically.
- each party may define that the negotiation is terminated if one of its non-negotiable minimums is not accepted by the other side.
- a negotiation strategy may provide that, for a negotiable additional preference, instead of aborting, a counter offer or a new offer of its own with a changed value of the negotiable additional preference is created.
- the execution container may then insert a further verification step prior to implementing the security agreement, including checking the signatures of a received security agreement. This ensures that only genuine security agreements between the service provider and the user are implemented, further increasing the trustworthiness of the execution container. It goes without saying that signatures can also be attached to the first security agreement without a negotiation between the user and the service provider, in order to ensure the authenticity of the security agreement.
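The offer/counter-offer exchange and the container's signature check, as an added example that is not the patent's protocol: each party states, per term, a non-negotiable limit, an opening value and the step by which it concedes; a party accepts an offer that satisfies all its limits, otherwise it counters by moving towards the offer without crossing a limit, and the negotiation aborts when a party can no longer move. The preference format, the term names, the concession strategy, the keys and the use of HMAC-SHA256 as a stand-in for the parties' digital signatures are all assumptions made for this example.

```python
"""Added example of an automated privacy negotiation plus the execution
container's signature check. Illustrative code written for this page, not the
patent's own protocol; formats, strategy, term names and keys are assumptions.
HMAC stands in for real digital signatures."""
from __future__ import annotations
import hashlib
import hmac
import json

# Assumed preference format: per term a non-negotiable "limit" (only values on
# the preferred side of it are acceptable), an opening "start" value and the
# "step" conceded per round. The user wants coarse positions and short
# retention; the provider wants the opposite.
USER_PREFS = {
    "position_accuracy_m": {"prefers": "high", "limit": 100, "start": 1000, "step": 300},
    "retention_days":      {"prefers": "low",  "limit": 30,  "start": 1,    "step": 7},
}
PROVIDER_PREFS = {
    "position_accuracy_m": {"prefers": "low",  "limit": 500, "start": 50, "step": 150},
    "retention_days":      {"prefers": "high", "limit": 7,   "start": 90, "step": 30},
}
# A provider that needs fixes finer than the user will ever reveal: no overlap.
STRICT_PROVIDER_PREFS = {
    "position_accuracy_m": {"prefers": "low",  "limit": 50, "start": 50, "step": 150},
    "retention_days":      {"prefers": "high", "limit": 7,  "start": 90, "step": 30},
}
# Constructed secrets standing in for the parties' signing keys.
KEYS = {"user": b"user-demo-key", "provider": b"provider-demo-key"}


def _satisfies(pref: dict, value: float) -> bool:
    return value >= pref["limit"] if pref["prefers"] == "high" else value <= pref["limit"]


def _concede(prefs: dict, own: dict, offered: dict) -> dict:
    """Counter-offer strategy: adopt any offered value that already satisfies
    the own limit, otherwise move one step towards it without crossing the
    limit. An unchanged proposal signals that no move is left."""
    counter = {}
    for term, pref in prefs.items():
        if _satisfies(pref, offered[term]):
            counter[term] = offered[term]
            continue
        moved = own[term] + (pref["step"] if offered[term] > own[term] else -pref["step"])
        counter[term] = (max(moved, pref["limit"]) if pref["prefers"] == "high"
                         else min(moved, pref["limit"]))
    return counter


def negotiate(user_prefs: dict, provider_prefs: dict, max_rounds: int = 20):
    """Run the exchange; returns (agreed terms or None, transcript of offers)."""
    prefs = {"user": user_prefs, "provider": provider_prefs}
    proposal = {p: {t: r["start"] for t, r in prefs[p].items()} for p in prefs}
    transcript, offer = [], {"from": "user", "terms": dict(proposal["user"])}
    for _ in range(max_rounds):
        transcript.append(offer)
        receiver = "provider" if offer["from"] == "user" else "user"
        if all(_satisfies(prefs[receiver][t], v) for t, v in offer["terms"].items()):
            return dict(offer["terms"]), transcript
        counter = _concede(prefs[receiver], proposal[receiver], offer["terms"])
        if counter == proposal[receiver]:  # stuck at a non-negotiable minimum: abort
            return None, transcript
        proposal[receiver] = counter
        offer = {"from": receiver, "terms": dict(counter)}
    return None, transcript


def _canonical(terms: dict) -> bytes:
    return json.dumps(terms, sort_keys=True, separators=(",", ":")).encode()


def sign_agreement(terms: dict, keys: dict) -> dict:
    """Both parties sign the agreed terms (HMAC-SHA256 as a stand-in)."""
    return {"terms": terms,
            "signatures": {p: hmac.new(k, _canonical(terms), hashlib.sha256).hexdigest()
                           for p, k in keys.items()}}


def container_accepts(agreement: dict, keys: dict) -> bool:
    """Verification step the execution container runs before implementing a
    received first security agreement: every party's signature must verify."""
    body = _canonical(agreement["terms"])
    return all(hmac.compare_digest(agreement["signatures"].get(p, ""),
                                   hmac.new(k, body, hashlib.sha256).hexdigest())
               for p, k in keys.items())


if __name__ == "__main__":
    terms, transcript = negotiate(USER_PREFS, PROVIDER_PREFS)
    for offer in transcript:
        print(offer)
    print("agreed:", terms, "verified:", container_accepts(sign_agreement(terms, KEYS), KEYS))
```

With the constructed preferences the exchange settles in three offers (user, provider, user) on a 200 m position accuracy and 8 days retention; against the strict provider it aborts after five offers because the provider's accuracy limit can never be satisfied by the user. A real container would verify public-key signatures so that it never holds the parties' secrets.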
- the execution environment is designed so that data that are no longer needed cannot later be retrieved by a third party. In a particularly preferred embodiment this may be achieved, e.g., by deleting the user input data and user output data of the data processing application stored in the memory after the execution of the data processing application has completed.
- the execution environment is further designed so that third parties cannot access the program data. This may be achieved, e.g., by deleting the instantiated executable program data of the data processing application once its execution has completed.
- the security control unit or the access control unit is adapted to check for the presence of a criterion for terminating the validity of the first security agreement and, when such a criterion is present, to cause the deletion of the user input data and user output data of the data processing application stored in the memory.
- a criterion for terminating the validity of the first security agreement may be determined by a timeout in the first security agreement itself.
- an established violation of the admissibility criteria defined in the security agreement may likewise serve as a criterion for terminating the validity of the first security agreement.
- the user input data and user output data stored in the execution container are preferably deleted. This ensures that this data is not made available to anyone.
- provision can advantageously be made, alternatively or additionally, for the data processing application implemented in the execution container to be deleted if a criterion for terminating the validity of the first security agreement exists.
- the execution container of the present invention forms a service model.
- the execution container can be operated, for example, by the service user, by the service provider, but also by a third party.
- a plurality of execution environments may be provided for data processing applications, so that several DVAs can be instantiated and active at the same time.
- a preferred execution container accordingly contains a plurality of execution environments.
- the execution environments are configured to prevent any communication between data processing applications in different execution environments within the execution container. It is thus ensured that the data processing applications instantiated in an execution container can neither influence nor access one another.
- data communication with data processing applications external to the execution container, running in external execution environments, can in a preferred embodiment be made possible without compromising security by configuring the execution environment of the execution container to respond to a command received from the data processing application via the communication interface by sending a literal, selected from a set of predefined literals, to a communication endpoint external to the execution container.
- a set of predefined literals that can be exchanged with external execution environments is thus provided. Of course, this exchange must be permitted under the first security agreement.
- predefined literals, i.e. predefined commands and messages permitted in the communication between the data processing application and an external execution environment, enable dedicated communication which at the same time can easily be checked for admissibility at runtime on the basis of its predefined patterns.
- the data processing application does not send a literal itself; the sending is performed by the execution environment. This ensures that the data processing application cannot contact external communication endpoints on its own.
- since the predefined literals could be used by a suitably manipulated data processing application to "smuggle" inadmissible information out of the execution container, it is proposed to limit the total number of literals, the frequency with which literals are sent, or the duration of an execution.
- the execution environment is configured to send at most a maximum number T of data bits via predefined literals.
- the maximum number T is defined by
- n is the number of literals transferred
- L is the total number of predefined literals
- f is the frequency of transmission of literals
- t is the length of a session in which literals are sent.
- Another possible attack on the security of the execution container is to create transmission channels that are not provided by the execution container for information transmission.
- such channels may be formed, for example, by the data processing application deliberately generating varying processor utilization, with certain processor utilization states representing particular bit values or symbol values of more than one bit. For example, a higher average CPU load for a duration of one second could be agreed to represent the bit value "1", while a lower average CPU load for one second represents the bit value "0"; the CPU utilization can be read out by known technical means.
- the execution environment is configured to load a processor usable by the execution container according to a non-predetermined time pattern that is independent of the actual load of the data processing application. This prevents the data processing application from having sole control over the processor utilization. Similar measures are conceivable for the utilization of a memory. The time pattern must be random, i.e. controlled by a random number generator.
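The literal budget and session limit described above, together with the deletion of stored user data when the validity of the agreement ends (timeout or violation) described earlier, as an added example that is not the patent's own code: the execution environment, not the application, is the only party that emits literals; it caps how many go out per sliding second, sends each batch in random order, ends the session at a deadline, and on a timeout or on an attempt to send something that is not an agreed literal it wipes the stored user input and output data. The literal set, the rates, the deterministic clock and the capacity bound (each literal is one of L symbols and so carries at most log2(L) bits; the patent's own formula for T is not reproduced on this page) are assumptions made for the example; the randomised CPU loading is not shown.

```python
"""Added example: the execution environment's governor for the literal
channel. Illustrative code for this page, not the patent's; the literal set,
rate limits, fake clock and capacity bound are assumptions."""
from __future__ import annotations
import math
import random
from collections import deque


class SessionTerminated(Exception):
    """The first security agreement is no longer valid for this session."""


class FakeClock:
    """Constructed, deterministic clock so the example runs the same every time."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LiteralGovernor:
    def __init__(self, literals, max_per_second: int, session_seconds: float,
                 user_input: dict, clock, seed: int = 0) -> None:
        self.literals = frozenset(literals)
        self.max_per_second = max_per_second
        self.session_seconds = session_seconds
        self.clock = clock
        self.deadline = clock() + session_seconds
        # Local copy of user input data (the container's memory), plus output.
        self.memory = {"user_input": dict(user_input), "user_output": {}}
        self.rng = random.Random(seed)
        self.pending: list[str] = []
        self.sent_at: deque[float] = deque()
        self.sent: list[str] = []
        self.alive = True

    def max_bits(self) -> float:
        """Upper bound on what the literal channel can leak in one session:
        at most log2(L) bits per literal times the most literals the rate
        limit allows (a practitioner's bound, not the patent's formula)."""
        n = int(self.max_per_second * self.session_seconds)
        return n * math.log2(len(self.literals))

    def request(self, message: str) -> None:
        """Called by the application. Anything that is not an agreed literal
        is a violation of the agreement and ends the session."""
        self._check_alive()
        if message not in self.literals:
            self.terminate()
            raise SessionTerminated(f"{message!r} is not an agreed literal")
        self.pending.append(message)

    def flush(self) -> list[str]:
        """Called by the execution environment. Sends at most max_per_second
        literals per sliding second, in random order, and defers the rest."""
        self._check_alive()
        now = self.clock()
        while self.sent_at and now - self.sent_at[0] >= 1.0:
            self.sent_at.popleft()
        budget = self.max_per_second - len(self.sent_at)
        batch, self.pending = self.pending[:budget], self.pending[budget:]
        self.rng.shuffle(batch)  # the order of a batch carries no information
        for literal in batch:
            self.sent_at.append(now)
            self.sent.append(literal)
        return batch

    def terminate(self) -> None:
        """Validity ended: delete stored user input/output and stop serving."""
        self.memory = {"user_input": {}, "user_output": {}}
        self.pending.clear()
        self.alive = False

    def _check_alive(self) -> None:
        if self.alive and self.clock() >= self.deadline:
            self.terminate()
        if not self.alive:
            raise SessionTerminated("session over; stored user data have been deleted")


if __name__ == "__main__":
    clock = FakeClock()
    gov = LiteralGovernor(["PAN_LEFT", "PAN_RIGHT", "ZOOM_IN", "ZOOM_OUT"], 2, 10.0,
                          {"position": "coarse"}, clock)
    print("channel bound:", gov.max_bits(), "bits")
    for m in ["PAN_LEFT", "ZOOM_IN", "PAN_RIGHT"]:
        gov.request(m)
    print(gov.flush(), "deferred:", gov.pending)
```

Four literals at two per second over a ten-second session bound the channel at 40 bits, which is the kind of number a practitioner should compare against the size of the smallest secret the application could see (a coordinate pair is already larger).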
- a distributed execution container includes a first and a second execution container according to the invention described above.
- the distributed execution container may also contain more than two individual execution containers.
- the two execution containers are connected via a data transmission channel for the exchange of data.
- the execution container is designed to identify itself to the respective other execution container with the aid of a suitable authentication mechanism.
- the communication interfaces of the execution container are designed to exchange data in encrypted form via the data transmission channel.
- the execution environment may include an application environment such as a Java runtime environment or a .NET runtime environment.
- DVAs are then compiled code and achieve a suitable execution speed. It should be noted, however, that the application environment must be adapted according to the invention; appropriate additions to the known application environments are required for this purpose.
- Fig. 1 shows a simplified structure of an execution container according to an embodiment of the invention
- Fig. 2 shows the structure of a distributed execution container according to another embodiment of the invention
- Fig. 3 shows the flow of negotiation over a security agreement for use in an embodiment of the invention.
- Fig. 1 shows a simplified structure of an execution container 100 according to an embodiment of the invention.
- the container contains a number of execution environments as fixed components.
- execution container 100 includes two execution environments 102 and 104.
- Other embodiments may include only one or more than two execution environments.
- the execution environments 102 and 104 provide an infrastructure that includes all means for instantiating and executing a data processing application in the form of executable program files, scripts, or the like.
- the execution environment is realized in the present embodiment by an application environment. Examples of known application environments are the Java runtime environment or the .NET Common Language Runtime (CLR).
- the application environments 102 and 104 are basically the same. Compared to known runtime environments, they must be adapted for an implementation of the present invention, as will become apparent in detail from the following description.
- Each execution environment of the execution container 100 is designed to instantiate and execute a data processing application 106 or 108 in the form of executable program data.
- a data processing application is provided to the execution container by a service provider in the form of a platform independent bytecode adapted to the application environment in which the execution container operates.
- the data processing application can be transmitted, for example, in the form of Java bytecode or in the form of a program file in the .NET Common Intermediate Language (CIL). This is compiled code that can provide the execution speed required for most data processing applications.
- in the present embodiment, the execution environments 102 and 104, as well as the execution container 100, are implemented in the Java runtime environment.
- the data processing applications 106 and 108 may be different types of data processing applications.
- a rough distinction between data processing applications can be made into data delivery services, data control services and goods delivery services.
- An example of a data delivery service is, for example, a navigation service. Such services communicate primarily with the respective user.
- a navigation service requires, for example, a map stored in a memory 110 connected to the execution container 100, and the current position of a mobile receiving device from the user. Communication with the service provider is not required. It is conceivable, however, that the service provider is informed of the extent to which the data processing application was used, so that it can charge the user for the services rendered.
- Data control services are, for example, remote control services for remotely controllable devices. An example of such a service is the ability to have a panoramic camera controlled by a remote user. In such a service, it is necessary for control signals from the user to reach the service provider via the execution container 100 in order to be able to control the camera.
- Goods delivery services are well-known forms of online shops or, for example, printing services. These services actually require the user to provide private information, such as a delivery address or files to be printed.
- the execution environment 102 or 104 associated with a respective data processing application is configured to exchange user input data and user output data with the data processing application 106 or 108. It is essential that all data exchange of the data processing application takes place via the assigned execution environment. Different data processing applications executing in different execution environments of the execution container 100 cannot communicate with each other. This is ensured by the absence of shared memory and by the structure of the communication interface 112 described in more detail below.
- the communication interface 112 comprises a security control unit 114, which in the present embodiment is designed in a distributed structure with two subunits 114.1 and 114.2. For the sake of simplicity, both subunits are also referred to below as a security control unit.
- the security control units 114.1 and 114.2 are each connected to an assigned execution environment 102 or 104 and monitor the data communication of the data processing application 106 or 108.
- the security control unit 114 is configured to prevent any communication of the associated data processing application if it would take place with a communication endpoint external to the associated execution environment and if the data communication bypasses the associated execution environment.
- the security control unit 114 therefore ensures that all data communication of the data processing applications 106 and 108 with an external communication endpoint goes via the associated execution environment. This means that the execution environment always has control over the data communication and can ensure that provided user input data are not improperly communicated externally.
- the security control units 114.1 and 114.2 contained in the security control unit 114 access first security agreements 118 and 120, which are present in the execution container 100 in file form and constitute an agreement between the provider of the respective data processing application 106 or 108 and the respective user.
- since a data processing application can be executed for a large number of users, the execution container 100 holds a corresponding number of first security agreements, the first security agreement assigned to the respective user being used.
- the format of the first security agreement must, on the one hand, be rich enough to allow convenient handling and, on the other hand, restrictive enough to ensure that no malicious code can be embedded which searches for user-related data and sends it out using legitimate messages.
- the format of the first security agreement is defined such that the communication interface 112 of the execution container 100 can check whether a respective message is permissible or not. It is advantageous to use in the first security agreement a code that allows only the transmission of predefined messages, so-called literals.
- the security control unit 114 may make a simple comparison of character strings to check whether a message is allowed or not.
- the security control unit 114 therefore checks the incoming and outgoing messages sent to it for their admissibility according to the respective security agreement.
- the security control unit 114 is designed to prevent any data communication of a respective execution environment with a communication endpoint external to the execution container that is not defined as admissible by the corresponding first security agreement 118 or 120.
- the communication interface 112 also contains an access control unit 116.
- the access control unit 116 accesses second security agreements 119 and 121, which are present in the execution container 100 in file form and form an agreement between the respective user and the execution container. Since an execution container can be used by a large number of users, the execution container 100 holds a corresponding number of second security agreements, the second security agreement assigned to the respective user being used.
- the access control unit 116 monitors the accesses to the memory 110 using the second security agreement.
- permitted messages are forwarded externally via a data access layer 122.
- the data access layer 122 controls the read-only accesses to the memory 110, the permitted communication by means of literals, and the communication with other containers.
- also shown is an external application environment 124 which houses a data processing application (not shown here).
- this may be the control of the panoramic camera mentioned above.
- the associated first security agreement 118 includes a number of control commands that may be exchanged between the execution environment 102 in the execution container 100 and the external application environment 124. Such literals can be easily checked by the access control unit 14 for their permissibility.
- the communication interface 112 thus ensures, in cooperation with the security control unit 14 and the data access layer 122, that only those messages are exchanged with external communication endpoints that are expressly declared permissible in the first security agreement and at the same time ensure that they are only addressed to the predefined recipients / communication endpoints are sent in the security agreement.
- the execution container 100 may accommodate a variety of different computing applications and may also serve a large number of users of different computing applications. Accordingly, the permissible data may change frequently according to the stored first security agreements.
- the communication interface 1 12 therefore forms a kind of rule machine that monitors and controls the communication of the execution environments with other communication endpoints according to the predetermined first security agreements.
- the frequency of messages to be sent can also be limited by the security agreements or by predefined rules of the execution container. It is also possible to send orthogonal messages in unspecified order. This prevents information from being illegally encoded in messages.
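The following is an added example and not code from the patent: a minimal rule machine in the role of communication interface 112 (Java 17 or later). Each outbound message of an execution environment is checked against that environment's first security agreement on three points, the recipient must be a declared endpoint, the payload must be a declared control literal, and the send rate must stay under the agreed limit within a sliding window; admissible messages are queued and released in random order. The environment ids, endpoint names, literals and limits are constructed for the demo and not taken from the patent.

```java
import java.security.SecureRandom;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Deque;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added example: rule machine enforcing first security agreements on outbound messages. */
public class RuleMachine {

    /** First security agreement (118/120): what one execution environment may send, and to whom. */
    public record Agreement(Set<String> allowedEndpoints, Set<String> allowedLiterals,
                            int maxMessagesPerWindow, long windowMillis) {}

    public record Message(String environmentId, String endpoint, String literal) {}

    public enum Decision { ALLOW, DENY_ENDPOINT, DENY_LITERAL, DENY_RATE, DENY_NO_AGREEMENT }

    private final Map<String, Agreement> agreements;                 // environmentId -> agreement
    private final Map<String, Deque<Long>> sendTimes = new HashMap<>(); // environmentId -> recent send times
    private final List<Message> pending = new ArrayList<>();

    public RuleMachine(Map<String, Agreement> agreements) {
        this.agreements = agreements;
    }

    /** Evaluate a message against the sender's agreement; only ALLOW adds it to the outbound queue. */
    public Decision submit(Message m, long nowMillis) {
        Agreement a = agreements.get(m.environmentId());
        if (a == null) return Decision.DENY_NO_AGREEMENT;
        if (!a.allowedEndpoints().contains(m.endpoint())) return Decision.DENY_ENDPOINT;
        if (!a.allowedLiterals().contains(m.literal())) return Decision.DENY_LITERAL;

        // Sliding-window rate limit: drop timestamps that fell out of the window, then count.
        Deque<Long> times = sendTimes.computeIfAbsent(m.environmentId(), k -> new ArrayDeque<>());
        while (!times.isEmpty() && nowMillis - times.peekFirst() >= a.windowMillis()) times.pollFirst();
        if (times.size() >= a.maxMessagesPerWindow()) return Decision.DENY_RATE;

        times.addLast(nowMillis);
        pending.add(m);
        return Decision.ALLOW;
    }

    /** Hand the queued (mutually independent) messages to the data access layer in random order. */
    public List<Message> flushShuffled() {
        List<Message> out = new ArrayList<>(pending);
        Collections.shuffle(out, new SecureRandom());
        pending.clear();
        return out;
    }

    private static void check(String label, Decision actual, Decision expected) {
        if (actual != expected) throw new AssertionError(label + ": got " + actual + ", expected " + expected);
        System.out.println(label + " -> " + actual);
    }

    public static void main(String[] args) {
        // Constructed agreement for execution environment "env-102": three camera commands to one
        // endpoint, at most three messages per second.
        Agreement camera = new Agreement(Set.of("camera-124"), Set.of("PAN_LEFT", "PAN_RIGHT", "ZOOM_IN"), 3, 1_000);
        RuleMachine rm = new RuleMachine(Map.of("env-102", camera));

        check("declared literal to declared endpoint", rm.submit(new Message("env-102", "camera-124", "PAN_LEFT"), 0), Decision.ALLOW);
        check("undeclared endpoint", rm.submit(new Message("env-102", "billing-9", "PAN_LEFT"), 10), Decision.DENY_ENDPOINT);
        check("undeclared literal", rm.submit(new Message("env-102", "camera-124", "UPLOAD_IMAGE"), 20), Decision.DENY_LITERAL);
        check("second message in window", rm.submit(new Message("env-102", "camera-124", "PAN_RIGHT"), 30), Decision.ALLOW);
        check("third message in window", rm.submit(new Message("env-102", "camera-124", "ZOOM_IN"), 40), Decision.ALLOW);
        check("fourth message in window", rm.submit(new Message("env-102", "camera-124", "ZOOM_IN"), 50), Decision.DENY_RATE);
        check("after the window has slid", rm.submit(new Message("env-102", "camera-124", "ZOOM_IN"), 1_100), Decision.ALLOW);
        check("environment without agreement", rm.submit(new Message("env-104", "camera-124", "ZOOM_IN"), 1_200), Decision.DENY_NO_AGREEMENT);
        System.out.println(rm.flushShuffled().size() + " admissible messages released in random order");
    }
}
```

Compile and run with `javac RuleMachine.java && java RuleMachine`. The design point is that the gate decides on a closed vocabulary (endpoint set, literal set) rather than inspecting free-form payloads, which is what makes the check cheap and hard to argue with; the rate limit and the shuffled release address the side channels that remain once only admissible messages get through.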
An execution container 100 may also be operated by a service provider. In that case it is essential that the security rules which the execution container 100 enforces cannot be changed by the owner of the execution container.

The security rules of the execution container 100 according to the invention are therefore fixed and are enforced by the means described above. Additional protection can be provided by designing the execution container not to instantiate itself if it is not the very first component started, e.g. in a Java Virtual Machine (JVM), or if a foreign security manager is already installed, or if the JVM has been modified.

The execution container is further adapted to compare cryptographic hashes of all running modules within the current process with a set of stored hashes, in order to check whether the code currently running corresponds to the original code of the provider of the execution container. Such a hash check also ensures that classes which access external resources, such as Java classes in a JVM, are the unmodified ones.
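As an added example (not the patent's code), the two start-up checks just described for a JVM-hosted container, written for Java 17 or later: refusing to instantiate when a foreign SecurityManager is already installed, and comparing SHA-256 digests of the class files of the modules in the current process against a manifest pinned by the container provider. The module list and the manifest are constructed here; a real container would ship the manifest signed alongside its code, and the class bytes are read from the class path, so the example must be compiled with javac rather than run in source-file mode.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: start-up self-checks of an execution container hosted in a JVM. */
public class ContainerIntegrity {

    /** The classes that make up the container; constructed for the demo, a real build lists every module. */
    static final Class<?>[] CONTAINER_MODULES = { ContainerIntegrity.class, IntegrityViolation.class };

    public static final class IntegrityViolation extends RuntimeException {
        IntegrityViolation(String why) { super(why); }
    }

    /** Check (1): a SecurityManager set before the container runs means the container was not the first component. */
    @SuppressWarnings("removal")
    static boolean foreignSecurityManagerInstalled() {
        return System.getSecurityManager() != null;
    }

    /** SHA-256 over the bytes of a class exactly as the running JVM loads them from the class path. */
    static String digestOf(Class<?> c) throws IOException, NoSuchAlgorithmException {
        String resource = "/" + c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getResourceAsStream(resource)) {
            if (in == null) throw new IOException("class bytes not available for " + c.getName());
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) md.update(buf, 0, n);
            return HexFormat.of().formatHex(md.digest());
        }
    }

    /** Builds the manifest the provider would pin at release time. */
    static Map<String, String> enroll(Class<?>... modules) throws Exception {
        Map<String, String> manifest = new LinkedHashMap<>();
        for (Class<?> c : modules) manifest.put(c.getName(), digestOf(c));
        return manifest;
    }

    /** Check (2): every running module must match its pinned digest; unknown or changed modules abort start-up. */
    static void verify(Map<String, String> pinned, Class<?>... running) throws Exception {
        for (Class<?> c : running) {
            String expected = pinned.get(c.getName());
            if (expected == null) throw new IntegrityViolation("unpinned module: " + c.getName());
            if (!expected.equals(digestOf(c))) throw new IntegrityViolation("modified module: " + c.getName());
        }
    }

    /** The container only instantiates itself when both checks pass. */
    public static void bootstrap(Map<String, String> pinned) throws Exception {
        if (foreignSecurityManagerInstalled()) throw new IntegrityViolation("foreign SecurityManager present");
        verify(pinned, CONTAINER_MODULES);
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> pinned = enroll(CONTAINER_MODULES);   // stands in for the provider's shipped manifest
        bootstrap(pinned);
        System.out.println("container modules verified: " + pinned.keySet());

        // Simulate a tampered module by corrupting its pinned digest: bootstrap must now refuse to start.
        Map<String, String> tampered = new HashMap<>(pinned);
        tampered.put(ContainerIntegrity.class.getName(), "00".repeat(32));
        try {
            bootstrap(tampered);
            throw new AssertionError("tampering not detected");
        } catch (IntegrityViolation expected) {
            System.out.println("refused to start: " + expected.getMessage());
        }
    }
}
```

Compile and run with `javac ContainerIntegrity.java && java ContainerIntegrity`. One caveat a practitioner should keep in mind: these checks run inside the JVM they are checking, so they cannot by themselves detect the modified-JVM case the description also mentions; that requires a measurement taken outside the process, such as a verified boot chain or hardware attestation.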
The security control unit 114 may be designed such that different Java class loaders are provided for different execution environments. Objects in different execution environments then have no access to instances belonging to other execution environments; only the execution container itself, or Java classes provided within the same execution environment, can access them. The security control unit 114 thus ensures that access to classes in other execution environments is not possible. Likewise, different execution environments never share access to the same memory.
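The class-loader isolation described above, as an added example rather than code from the patent (Java 17 or later). Each execution environment gets its own ClassLoader whose parent is the platform loader, so it defines the application's classes itself: the same bytecode yields a distinct Class object per environment, an instance from one environment is not an instance of the other's class and cannot be cast to it, the container can still drive the application by reflection on its own loader's Class, and the application cannot resolve the container's classes at all. The Plugin class stands in for a data processing application; it is constructed for the demo. Compile with javac, since the loader reads the class bytes from the class path.

```java
import java.io.IOException;
import java.io.InputStream;

/** Added example: one class loader per execution environment, as proposed for security control unit 114. */
public class IsolationDemo {

    /** Stand-in for a data processing application's class; loaded separately into each environment. */
    public static class Plugin {
        private int counter;
        public int step() { return ++counter; }
    }

    /** Reads application classes from the container's class path but defines them in its own namespace. */
    static final class EnvironmentClassLoader extends ClassLoader {
        private final String environmentId;

        EnvironmentClassLoader(String environmentId) {
            super(ClassLoader.getPlatformClassLoader());   // deliberately skips the application class loader
            this.environmentId = environmentId;
        }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            // Only the application's own classes are visible; everything else (including the container) is not.
            if (!name.equals(Plugin.class.getName())) {
                throw new ClassNotFoundException(name + " is not visible in " + environmentId);
            }
            String resource = name.replace('.', '/') + ".class";
            try (InputStream in = IsolationDemo.class.getClassLoader().getResourceAsStream(resource)) {
                if (in == null) throw new ClassNotFoundException(resource);
                byte[] bytes = in.readAllBytes();
                return defineClass(name, bytes, 0, bytes.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        EnvironmentClassLoader env102 = new EnvironmentClassLoader("env-102");
        EnvironmentClassLoader env104 = new EnvironmentClassLoader("env-104");

        Class<?> pluginIn102 = env102.loadClass(Plugin.class.getName());
        Class<?> pluginIn104 = env104.loadClass(Plugin.class.getName());
        Object instance102 = pluginIn102.getDeclaredConstructor().newInstance();

        // Same bytecode, three runtime types (container's own, env-102's, env-104's).
        System.out.println("env-102 and env-104 classes distinct: " + (pluginIn102 != pluginIn104));
        System.out.println("distinct from the container's own Plugin: " + (pluginIn102 != Plugin.class));
        System.out.println("env-104 class accepts env-102 instance: " + pluginIn104.isInstance(instance102));
        try {
            pluginIn104.cast(instance102);
            throw new AssertionError("cast across environments must fail");
        } catch (ClassCastException e) {
            System.out.println("cross-environment cast rejected");
        }

        // The container drives the application through reflection on the environment's own Class.
        System.out.println("step() = " + pluginIn102.getMethod("step").invoke(instance102));

        // The application's loader cannot see the container's classes.
        try {
            env102.loadClass(IsolationDemo.class.getName());
            throw new AssertionError("container class must not be visible");
        } catch (ClassNotFoundException e) {
            System.out.println("container class hidden from env-102: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac IsolationDemo.java && java IsolationDemo`. Type identity in the JVM is the pair (loader, name), which is exactly what makes a loader per environment a separation boundary for object references; it does not by itself separate static resources such as files or sockets, which is why the communication interface and the data access layer still sit in front of them.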
The execution container 100 ensures secure and complete removal of the data and of the data processing application when the corresponding data processing application is no longer needed, or when the first security agreement is no longer valid.

The application environments needed to execute byte code, that is, the Java Runtime Environment (JRE) and the .NET Common Language Runtime (CLR), include a concept called garbage collection. It ensures that data which is no longer needed is deleted.

The data processing applications themselves are removed in the same way when they are no longer needed.

A class definition can be removed by class unloading, which in Java can be implemented by a dedicated class loader for the execution container. This class loader handles both the loading of a class and its removal when it is no longer needed. In the JVM a class is unloaded only once its defining class loader, and everything that still references it, has become unreachable, which is why a loader per execution environment is the natural unit of removal.
Fig. 2 shows the structure of a distributed execution container according to another embodiment of the invention.

The structure of the distributed execution container 200 illustrated in Fig. 2 is based on the structure of the execution container 100 shown in Fig. 1. Corresponding elements of the distributed execution container 200 in Fig. 2 therefore carry reference numerals that differ from those of Fig. 1 only in the first digit, a "2" in place of the "1".

The execution container 200 consists of two sub-execution containers 200.1 and 200.2.

The structure of sub-execution container 200.1 corresponds exactly to the structure of the execution container 100 of Fig. 1, except for the features described below.

The communication interface 212.1 of sub-execution container 200.1 and the communication interface 212.2 of sub-execution container 200.2 are provided with channel ports 226.1 to 232.1 and 226.2 to 232.2, respectively.

Corresponding execution environments 202.1 and 202.2, as well as 204.1 and 204.2, communicate with each other in pairs via corresponding channels. The number of channel ports is not fixed.

The sub-execution containers 200.1 and 200.2 are provided on spatially separate hardware units that communicate with each other. For example, sub-execution container 200.1 may be installed on a stationary server while the second sub-execution container 200.2 is installed on a PDA.

The communication interfaces 212.1 and 212.2 are designed to encrypt the data communication on each channel separately (channel-specific encryption).

Both parts can access the same user input data if this is covered by the respective first security agreement, even if the data is physically located on only one of the two sub-execution containers.

Data communication with execution environments outside the execution container 200 is also supported. The required messages may be requested from either of the two sub-execution containers; they are first delivered to the sub-execution container that can establish the data connection with the external execution environment 224, and are transmitted encrypted on the internal path.

The distributed structure of execution container 200 is therefore transparent to an internal data processing application.
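One way to realise the channel-specific encryption between the two sub-execution containers, as an added example and not the patent's own design (Java 17 or later): each channel port pair (for instance 226.1 to 226.2) holds its own AES-256-GCM key, and the channel id together with a per-message sequence number is bound into the authenticated associated data. A ciphertext captured on one channel is then rejected if it is injected into another channel or replayed out of sequence on the same one. How the two hosts agree on the per-channel keys is outside this example; the keys and the channel ids are generated and chosen locally for the demo.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

/** Added example: per-channel authenticated encryption between sub-execution containers 200.1 and 200.2. */
public class ChannelCrypto {

    public record Sealed(long sequence, byte[] nonce, byte[] ciphertext) {}

    /** One end of an encrypted channel; both sub-containers hold an instance with the same channel key. */
    public static final class Channel {
        private final String channelId;
        private final SecretKey key;
        private final SecureRandom rng = new SecureRandom();
        private long nextSendSequence = 0;
        private long nextExpectedSequence = 0;

        public Channel(String channelId, SecretKey key) { this.channelId = channelId; this.key = key; }

        /** Associated data binds the ciphertext to this channel and this position in the stream. */
        private byte[] associatedData(long sequence) {
            byte[] id = channelId.getBytes(StandardCharsets.UTF_8);
            return ByteBuffer.allocate(id.length + Long.BYTES).put(id).putLong(sequence).array();
        }

        public Sealed seal(byte[] plaintext) throws Exception {
            byte[] nonce = new byte[12];                 // fresh 96-bit nonce per message
            rng.nextBytes(nonce);
            long seq = nextSendSequence++;
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
            c.updateAAD(associatedData(seq));
            return new Sealed(seq, nonce, c.doFinal(plaintext));
        }

        /** Returns the plaintext, or null if the message is out of sequence or the tag fails. */
        public byte[] open(Sealed s) throws Exception {
            if (s.sequence() != nextExpectedSequence) return null;   // replay or reordering on this channel
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, s.nonce()));
            c.updateAAD(associatedData(s.sequence()));
            try {
                byte[] plain = c.doFinal(s.ciphertext());
                nextExpectedSequence++;
                return plain;
            } catch (AEADBadTagException e) {                       // wrong channel, wrong key, or tampering
                return null;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key226 = kg.generateKey(), key228 = kg.generateKey();   // one key per channel (constructed)

        // Channel 226: server side (200.1) sends, PDA side (200.2) receives; both share key226.
        Channel send226 = new Channel("226", key226), recv226 = new Channel("226", key226);
        Channel recv228 = new Channel("228", key228);

        Sealed msg = send226.seal("PAN_LEFT".getBytes(StandardCharsets.UTF_8));
        byte[] plain = recv226.open(msg);
        System.out.println("channel 226 delivered: " + (plain != null ? new String(plain, StandardCharsets.UTF_8) : "rejected"));

        // The same ciphertext presented a second time on channel 226: the sequence check rejects it.
        System.out.println("replay on 226 rejected: " + (recv226.open(msg) == null));

        // The same ciphertext injected into channel 228 (other key, other channel id in the AAD): the tag fails.
        System.out.println("cross-channel injection rejected: " + (recv228.open(msg) == null));
    }
}
```

Compile and run with `javac ChannelCrypto.java && java ChannelCrypto`. Binding the channel id into the associated data is what makes the encryption channel-specific even if an operator were to reuse a key across channels by mistake; the sequence number gives the receiver an ordering check without a second MAC.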
Fig. 3 illustrates a negotiation step between a user and a service provider for establishing a security agreement.

A proposal 302 to be negotiated, submitted by either the user or the service provider, is checked for acceptance by the other party, i.e. the user 304 or the service provider 306. If the proposed agreement cannot be accepted according to the security preference 304.1 available to the user or the security preference 306.1 available to the service provider, the proposal is amended in accordance with the respective security preference and submitted as a counter-proposal. This is then checked by the other side for acceptance. The mechanism is repeated until a mutually acceptable agreement exists, which is then signed by both parties and sent to the execution container as a completed and signed security agreement 308.

Not shown in Fig. 3 is the termination of the negotiation, which takes place according to predetermined criteria such as the duration of the negotiation or non-acceptance of required minimum preferences by the other party.
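The proposal and counter-proposal loop of Fig. 3, including the termination criterion, written out as an added example that is not the patent's code (Java 17 or later). Each party holds a preference consisting of acceptable ranges for the agreement's terms and amends a proposal it rejects by clamping the terms into its own range. Once a proposal is accepted, both parties sign its canonical text with ECDSA, and the execution container installs the agreement 308 only if both signatures verify. The two terms (data retention in days and message rate per minute), the preference ranges and the round limit are assumptions made for the demo; the patent does not specify the contents of an agreement.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Optional;

/** Added example: negotiation of a security agreement, then dual signature and verification by the container. */
public class AgreementNegotiation {

    public record Proposal(int retentionDays, int messagesPerMinute) {
        /** Canonical encoding that both signatures cover. */
        String canonical() { return "retentionDays=" + retentionDays + ";messagesPerMinute=" + messagesPerMinute; }
    }

    /** A party's security preference (304.1 / 306.1): acceptable ranges, and how it amends a rejected proposal. */
    public record Preference(int minRetention, int maxRetention, int minRate, int maxRate) {
        boolean accepts(Proposal p) {
            return p.retentionDays() >= minRetention && p.retentionDays() <= maxRetention
                && p.messagesPerMinute() >= minRate && p.messagesPerMinute() <= maxRate;
        }
        /** Counter-proposal: clamp each term into this party's own acceptable range. */
        Proposal amend(Proposal p) {
            return new Proposal(Math.max(minRetention, Math.min(maxRetention, p.retentionDays())),
                                Math.max(minRate, Math.min(maxRate, p.messagesPerMinute())));
        }
    }

    public record SignedAgreement(Proposal terms, byte[] userSignature, byte[] providerSignature) {}

    /** Runs the negotiation; an empty result means it was terminated without agreement. */
    public static Optional<Proposal> negotiate(Proposal opening, Preference user, Preference provider, int maxRounds) {
        Proposal current = opening;
        Preference reviewer = provider;          // the user opened, so the provider reviews first
        for (int round = 1; round <= maxRounds; round++) {
            if (reviewer.accepts(current)) return Optional.of(current);
            current = reviewer.amend(current);   // counter-proposal goes back to the other side
            reviewer = (reviewer == provider) ? user : provider;
        }
        return Optional.empty();                 // termination criterion: round limit exhausted
    }

    static byte[] sign(KeyPair signer, Proposal p) throws Exception {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(signer.getPrivate());
        s.update(p.canonical().getBytes(StandardCharsets.UTF_8));
        return s.sign();
    }

    static boolean verify(PublicKey signer, Proposal p, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(signer);
        s.update(p.canonical().getBytes(StandardCharsets.UTF_8));
        return s.verify(sig);
    }

    /** What the execution container does on receipt of 308: install only if both signatures check out. */
    static boolean containerAccepts(SignedAgreement a, PublicKey userKey, PublicKey providerKey) throws Exception {
        return verify(userKey, a.terms(), a.userSignature()) && verify(providerKey, a.terms(), a.providerSignature());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair userKeys = kpg.generateKeyPair(), providerKeys = kpg.generateKeyPair();

        Preference user = new Preference(0, 7, 1, 100);       // user: keep my data at most a week
        Preference provider = new Preference(3, 30, 30, 600); // provider: needs at least 3 days and 30 msg/min
        Proposal opening = new Proposal(1, 10);               // the user's opening proposal 302

        Proposal agreed = negotiate(opening, user, provider, 10).orElseThrow();
        SignedAgreement signed = new SignedAgreement(agreed, sign(userKeys, agreed), sign(providerKeys, agreed));
        System.out.println("agreed: " + agreed.canonical() + ", container accepts: "
            + containerAccepts(signed, userKeys.getPublic(), providerKeys.getPublic()));

        // A copy with altered terms but the original signatures (provider quietly raising retention) fails.
        SignedAgreement forged = new SignedAgreement(new Proposal(30, 30), signed.userSignature(), signed.providerSignature());
        System.out.println("forged terms accepted: " + containerAccepts(forged, userKeys.getPublic(), providerKeys.getPublic()));

        // Incompatible minimum preferences: the parties ping-pong until the round limit terminates the negotiation.
        Preference strictUser = new Preference(0, 2, 1, 100);
        System.out.println("agreement reached with incompatible preferences: "
            + negotiate(opening, strictUser, provider, 10).isPresent());
    }
}
```

Compile and run with `javac AgreementNegotiation.java && java AgreementNegotiation`. Signing a canonical encoding rather than an object graph is what lets the container verify independently of how the agreement was serialised in transit; the container must of course already know, through some out-of-band enrolment, which public keys belong to the user and to the service provider.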
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE200610020093 DE102006020093A1 (de) | 2006-04-26 | 2006-04-26 | Geschütztes Ausführen einer Datenverarbeitungsanwendung eines Diensteanbieters für einen Nutzer durch eine vertrauenswürdige Ausführungsumgebung |
PCT/EP2007/054117 WO2007122266A2 (de) | 2006-04-26 | 2007-04-26 | Geschütztes ausführen einer datenverarbeitungsanwendung eines diensteanbieters für einen nutzer durch eine vertrauenswürdige ausführungsumgebung |
Publications (1)
Publication Number | Publication Date |
---|---|
EP2014048A2 true EP2014048A2 (de) | 2009-01-14 |
Family
ID=38325467
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP07728572A Withdrawn EP2014048A2 (de) | 2006-04-26 | 2007-04-26 | Geschütztes ausführen einer datenverarbeitungsanwendung eines diensteanbieters für einen nutzer durch eine vertrauenswürdige ausführungsumgebung |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP2014048A2 (de) |
DE (1) | DE102006020093A1 (de) |
WO (1) | WO2007122266A2 (de) |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6098172A (en) * | 1997-09-12 | 2000-08-01 | Lucent Technologies Inc. | Methods and apparatus for a computer network firewall with proxy reflection |
US6772416B1 (en) * | 1999-11-19 | 2004-08-03 | General Dynamics Decision Systems, Inc. | Separation kernel with memory allocation, remote procedure call and exception handling mechanisms |
US20030158960A1 (en) * | 2000-05-22 | 2003-08-21 | Engberg Stephan J. | System and method for establishing a privacy communication path |
WO2002080457A1 (en) * | 2001-03-29 | 2002-10-10 | Sphere Software Corporation | Layering enterprise application services using semantic firewalls |
US7103914B2 (en) * | 2002-06-17 | 2006-09-05 | Bae Systems Information Technology Llc | Trusted computer system |
DE10253676B4 (de) * | 2002-11-18 | 2008-03-27 | Siemens Ag | Verfahren und Vorrichtung für die Fernübertragung sensibler Daten |
EP1569410B1 (de) * | 2004-02-26 | 2015-07-08 | BlackBerry Limited | Verfahren und System zur automatischen Konfiguration von Zugangskontrolle |
2006
- 2006-04-26 DE DE200610020093 patent/DE102006020093A1/de not_active Ceased
2007
- 2007-04-26 EP EP07728572A patent/EP2014048A2/de not_active Withdrawn
- 2007-04-26 WO PCT/EP2007/054117 patent/WO2007122266A2/de active Application Filing
Non-Patent Citations (1)
Title |
---|
See references of WO2007122266A3 * |
Also Published As
Publication number | Publication date |
---|---|
WO2007122266A3 (de) | 2008-01-17 |
DE102006020093A1 (de) | 2007-10-31 |
WO2007122266A2 (de) | 2007-11-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
20081126 | 17P | Request for examination filed | |
| AK | Designated contracting states | Kind code of ref document: A2; Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC MT NL PL PT RO SE SI SK TR |
| AX | Request for extension of the european patent | Extension state: AL BA HR MK RS |
| DAX | Request for extension of the european patent (deleted) | |
| RBV | Designated contracting states (corrected) | Designated state(s): DE FR GB |
20100128 | 17Q | First examination report despatched | |
| RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: IHP GMBH-INNOVATIONS FOR HIGH PERFORMANCE M |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
20141011 | 18D | Application deemed to be withdrawn | |