WO2003067850A1 - Verifying digital content integrity - Google Patents

Verifying digital content integrity Download PDF

Info

Publication number
WO2003067850A1
WO2003067850A1 PCT/US2003/003622 US0303622W WO03067850A1 WO 2003067850 A1 WO2003067850 A1 WO 2003067850A1 US 0303622 W US0303622 W US 0303622W WO 03067850 A1 WO03067850 A1 WO 03067850A1
Authority
WO
WIPO (PCT)
Prior art keywords
digital content
content
integrity
signature
server
Prior art date
Application number
PCT/US2003/003622
Other languages
French (fr)
Inventor
Daniel Hill
Tom Fountain
Alan Frindell
Nagendra Modadugu
Original Assignee
Ingrian Networks, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ingrian Networks, Inc. filed Critical Ingrian Networks, Inc.
Priority to AU2003216191A priority Critical patent/AU2003216191A1/en
Publication of WO2003067850A1 publication Critical patent/WO2003067850A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity

Definitions

  • the following disclosure relates generally to the field of data security and more particularly to verifying the integrity of content in a server environment.
  • SSL Secure Socket Layer
  • session keys known only to a client computer and a corresponding web server secures data while it is in transit by uniquely encrypting the data.
  • the security of the data before or after the transmission is not guaranteed.
  • the data resides on the Web server or in computers throughout the server environment, the data is subject to attacks and intrusions from a number of avenues.
  • Web servers have many access points. Data housed on a Web server or computers in a server environment can be accessed by any number of entry means including administrative functions, e-mail, publishing, and diagnostics. Furthermore, backdoors and other vulnerabilities exist that make protecting web content extremely difficult.
  • Figure 1 is a block diagram showing one embodiment of a system architecture for verifying content integrity.
  • Figure 2 is a block diagram showing one embodiment of a hardware architecture for a content integrity device.
  • Figure 3 is a block diagram showing one embodiment of a software architecture for a content integrity device.
  • Figure 4 is a flow diagram of one embodiment of a method for verifying content integrity using cryptographic operations.
  • Figure 5 is a flow diagram of one embodiment of a method for verifying content integrity using digital signatures.
  • Figure 6 is a flow diagram of one embodiment of a method for verifying content integrity using encryption and digital signatures. Summary of the Invention
  • the integrity of digital content is verified by comparing the results of cryptographic operations performed on the content.
  • a first cryptographic operation may be performed on digital content, upon which the content may be made available for transmission over the communications network.
  • content may be stored for future distribution after the performance of the first cryptographic operation.
  • a second, corresponding cryptographic operation may be performed upon the digital content.
  • these verification protocols can be performed by use of a content integrity device; this enables the operations to be performed transparently, without necessitating any modifications to existing software architectures.
  • two content integrity devices may be coupled to a content distribution device in communication with the external network; in some such embodiments, the content distribution device is a content distribution server.
  • Digital content which is intended for publishing is intercepted by one of the content integrity devices as the content travels to the content distribution server.
  • the device Upon arrival at the first content integrity device, the device performs a cryptographic operation such as a digital signature of the content. Once the digital signature has been created, the digital content and signature are passed to the content distribution server.
  • the content distribution server identifies the requested digital content and passes the digital content and its associated signature to a second content integrity device.
  • the second content integrity device executes the corresponding cryptographic operations performed by the first content integrity device upon the digital content.
  • the signature prepared by the second content integrity device is compared to the original in order to verify the content. If, and only if, the digital content is verified, the content integrity device concludes that the integrity of the digital content is intact and, accordingly, forwards the digital content to the requester outside of the server environment.
  • Another aspect of the invention includes ensuring the privacy of the digital content while the content resides on a content distribution server, storage medium, or isolated network.
  • Content released for publication by one computing environment is intercepted by a content integrity device.
  • the content integrity device performs cryptographic operations on the content, operations which may include, but are not limited to, the creation of a digital signature. Other cryptographic operations may which may also be performed include encryption and compression operations.
  • content which has been encrypted, along with associated digital signatures are passed to a content distribution server where the encrypted content and signature reside until requested by a user outside of the server environment.
  • the content distribution server identifies the encrypted content as the content requested by the user and forwards the encrypted content and associated signature to another content integrity device.
  • the second content integrity device proceeds to (1) decrypt the content and (2) verify the integrity of the decrypted content.
  • the decrypted digital content is released to the requesting user only after verifying the digital signature.
  • inventions include caching the content on a content integrity device so that if altered content is discovered, previously verified content can be forwarded to the requesting user without having to reacquire content from its source.
  • content integrity device include other cryptographic operations and combinations of cryptographic operations to verify the integrity of the content and ensure the security of the content while residing on the content distribution server.
  • the invention described herein includes systems and methods for securing and verifying the integrity of digital content.
  • digital content produced within a secure environment may be conveyed to an intermediate device, such as a publishing system, and subsequently made available for access by users external to the secure environment.
  • digital content with is ready for publishing may be forwarded to a content distribution device, such as a web server, via a device which verifies the integrity of the content.
  • the content integrity device Upon receiving the content from the secure, authorized source, the content integrity device performs one or more cryptographic operations on the content, and subsequently makes it assessable to users outside of the secure environment.
  • the content distribution device receives an external request for the content
  • the content is identified and forwarded to a second content integrity device. This second device performs one or more cryptographic operations, such as to examine the content by verifying the associated digital signature performed by the first content integrity device.
  • content integrity is verified by a dedicated content integrity device, which is separate from the devices which house the digital content prior to its external publication.
  • the content integrity devices are coupled to the remaining devices, such as the content dispersal systems and data networks, in a manner that obviates modification to the remaining devices. This enables web site operators or other managers of digital content to ensure the integrity of digital content transparently, without altering current software or modifying existing hardware on their systems.
  • a network architecture 100 for verifying content integrity is illustrated in Figure 1.
  • the system 100 includes two content integrity devices 102 104.
  • a first content integrity device 102 is coupled among a publishing system 106 and a content distribution server 1 10.
  • the publishing system 106 may be further coupled to one or more server computers 1 12.
  • the intranet established by the publishing system and server computers 112 is, for purposes of this discussion, isolated from outside intervention and can be considered a secure environment.
  • the second content integrity device 104 is coupled among the content distribution server 1 10 and a network 120, such as the Internet or an intranet, which is in turn coupled to several other computers 130 from which content requests may originate; by way of non-limiting example, the requestors may client programs such as web browsers.
  • the requestors 130 can each possess software for accessing network resources, such as, by way of non-limiting example, a web browser that when directed by a user requests content from the content distribution server.
  • the protocol for exchange and transport of this information can be one of any protocols known to one skilled in the relevant art and includes but is not limited to HyperText Transmission Protocol (HTTP), File Transfer Protocol (FTP), HyperText Transmission Protocol Secure (HTTPS), Common Internet File System
  • content developed on the server computers 1 12 is communicated to the publishing system 06 and passed to the content distribution server 1 10 via the first content integrity device 102.
  • the first content integrity device 102 generates a first digital signature and digitally signs the content before the content reaches the web server 110.
  • the content is passed from the content distribution server 1 10 to the second content integrity device 104 where the digital signature is verified. If the content is successfully verified, the content is released to the requesting client computer 130. If the content is not verified, its release is blocked, preventing unauthorized or modified content to be released.
  • the content integrity device 104 stores a trusted version of the digital content.
  • This cache may be updated either periodically or each time content is verified prior to transmittal. If the verification process fails, the trusted, cached content can be forwarded to the requesting user in place of the content provided by the content distribution server. In some embodiments of the invention, logs may be maintained which record verification failures. Other responses undertaken in case the content integrity is comprised shall be apparent to those skilled in the art.
  • the functionality provided by the content integrity device 102 and 104 can be hosted on dedicated network appliances as shown in Figure 1 , but is not so limited.
  • the content integrity functionality can also be performed by, or distributed among, any combination of the publishing systems 106 and 1 12, numerous client processing devices and browsers 130 coupled to the network 120, and any of the associated network components.
  • each content integrity device can include at least one processor capable of executing computer executable instructions and at least one storage medium for retention of data and software.
  • protection and verification operations can be performed on a single physical device.
  • Many hardware and/or network architectures which support the content integrity functions will be apparent to those skilled in the art.
  • Encryption operations may be symmetric, such as, by way of non-limiting example, any of the variants of the Data Encryption Standard (DES).
  • DES Data Encryption Standard
  • asymmetric encryption may be employed, such as, by way of non-limiting example, public-private key algorithms, such as any of the variants of Rivest-Shamir- Ableson (RSA), Pretty Good Privacy (PGP), or other examples which will be apparent to those skilled in the art.
  • the cryptographic operations may include one-way functions, such as one-way hash functions. These one way hash functions may include, by way of non-limiting example, any of the variants of Secure Hash Algorithm (SHA), Message Authentication Code (MAC), and a Message Digest (MD) functions.
  • SHA Secure Hash Algorithm
  • MAC Message Authentication Code
  • MD Message Digest
  • a content integrity device may perform multiple encryption functions on digital content.
  • FIG. 2 illustrates a hardware architecture 200 for verifying the integrity of digital content.
  • the hardware architecture 200 includes at least one processor 208, a memory system 210, and I/O.
  • Inherent to the architecture 200 is a system bus 206 that operatively couples the various components together.
  • the processing unit may be any logic processing unit, such as one or more central processing units (CPUs), digital signal processors (DSPs), application-specific integrated circuits (ASIC), etc.
  • CPUs central processing units
  • DSPs digital signal processors
  • ASIC application-specific integrated circuits
  • the operating system 202 contains the basic routines that help transfer information amongst the elements within the architecture 200.
  • the operating system is based on a version of the Linux operating system
  • the system bus 206 can employ any know bus structures or architectures including a memory bus with memory controller, a peripheral bus, and a local bus.
  • the memory 21 0 includes read-only memory (ROM) and random access memory (RAM).
  • the input / output system 216 contains basic routines that help transfer information between elements with the content integrity device. Non-limiting examples of input / output 216 include various forms of Ethernet.
  • the content integrity device can also include secondary storage media, non-limiting examples of which include a hard disk drive for reading from and writing to a hard disk, and an optical disk drive and a magnetic disk drive for reading from and writing to removable optical disks and magnetic disks, respectively.
  • the optical disk can be a CD-ROM, while the magnetic disk can be a magnetic floppy disk.
  • the hard disk drive, optical disk drive and magnetic disk drive communicate with the processing unit 208 via the bus 206.
  • the hard disk drive, optical disk drive and magnetic disk drive may include interfaces or controllers coupled between such drives and the bus 206, as is known by those skilled in the art.
  • the drives and their associated computer-readable media provide nonvolatile storage of computer readable instructions, data structures, program modules and other data for the content integrity device.
  • Program modules such as an operating system can be stored in the system memory 210 one or more application programs, other programs or modules, and program data.
  • the system memory 210 may also include software for permitting the content integrity device to access and exchange data with web sites in the World Wide Web of the Internet.
  • system memory 210 stores private and public keys that enable the processing unit 208 to create digital signatures of content received through the input and output ports 216. Furthermore, various algorithms and other computer cryptographic executable codes are retained in the system memory 210 for the encryption and decryption of the digital content.
  • the operating system 202 can also direct the caching of the digital content in both the encrypted and clear text state as well as associating a digital signature generated in the content integrity device with a particular piece of digital content.
  • a further aspect of the content integrity device is the inclusion of a hardware security module 220 with a smart card.
  • the hardware security module 220 comprises a tamper resistant device that stores private keys in a secure format.
  • the private keys are encrypted using a separate group key known to a select, predefined group of ancillary network devices. This encrypted group of keys can be transported between the various devices using a smart card.
  • the smart card can also be used to back up the encrypted key data. As the data contained on the smart cards is encrypted with a separate key, the encrypted group of private keys can only be accessed by one of the devices in the predefined group.
  • Another aspect of the hardware security module is a protocol that supports "k out of n" secret sharing of the separate group key.
  • FIG. 3 shows one embodiment of a software architecture 300 for verifying the integrity of digital content by use of a content integrity device.
  • the architecture 300 includes a caching engine 315, a content identification engine 320, a cryptographic engine 325, a digital signature engine 330, and a process manger 332.
  • the process manager 332 uses the digital signature engine 330 and cryptographic engine 325 to perform cryptographic operations on the content.
  • the content may optionally be cached using the caching engine 315 for subsequent access and dispersal.
  • the process manager 332 uses the content identification engine 320 to associate the content with the digital signature and encrypted data.
  • the cryptographic engine 325 may embed a numerical representation, such as a digital signature, in the content itself. In other embodiments the numerical representation may or may not be part of the content.
  • the process manager 332 uses the content identification engine 320, identifies and retrieves the content and associated signatures from the cache for dispersal.
  • the process manger 332 manages content received from a server environment 340 that includes a publishing system 350 and other server computers 360.
  • the process manager 332 conveys the content to entities outside the server environment such as a content distribution server 375 and a network 385 such as the Internet.
  • this embodiment illustrates the software architecture 300 of a content integrity device which is positioned between a server environment 340 and a content distribution server 375
  • an identical software architecture 300 may be placed between the content distribution server 375 and a network 385 to facilitate the verification of the content's integrity as a condition to its distribution over the network 385.
  • the invention supports several techniques for verifying the integrity of digital content.
  • a method 400 for verifying the integrity of content in a network environment used in embodiments of the invention is illustrated in the flow diagram of Figure 4.
  • Content is published 405 and intercepted by a content integrity device.
  • the content integrity device performs at least one cryptographic operation on the content 410.
  • These operations can include encryption operations, decryption operations, hash operations, keyed hash operations, keyed hash verifications, digital signatures, signature verification, checksums, and other like operations known to those skilled in the relevant art.
  • the content is transferred 415, to a content distribution server, along with any associated result from the cryptographic operation, for dissemination over the Internet or like network.
  • the content remains on the content distribution server until an updated version is received from the publishing server.
  • a client computer may request content from a web page resident on the content distribution server.
  • the content distribution server 420 receives the request for the content and identifies the desired object with the appropriate embedded objects to send.
  • the content is intercepted 425 by the second content integrity device.
  • the second content integrity device performs additional cryptographic operations on the content.
  • the signature is verified 435. If the verification succeeds, indicating that the content has not been altered, the content integrity device releases the content 440 to the requesting client.
  • Figure 5 depicts a flow diagram for verifying content integrity 500 by use of digital signatures.
  • Content is received at the first integrity device from a trusted source such as the publishing server 505.
  • the content integrity device Transparent to the publishing server and the content distribution server, the content integrity device creates a digital signature 510.
  • the digital signature can be created using various algorithms known to one skilled in the relevant art.
  • the digital signature of the content is formed in one embodiment by using secret information such as a private key which can be later verified by using public information such as a public key.
  • Other algorithms which may be used to create the digital signature include, but are not limited to one way hashing, keyed hashes such as Keyed Hash Message Authentication Code (HMAC), timestamps, and other techniques that will be apparent to those skilled in the art.
  • HMAC Keyed Hash Message Authentication Code
  • the content remains on the content distribution server until it is either requested by a client or replaced by the publishing server 525.
  • the appropriate content is identified 530 and ultimately forwarded for integrity verification 535.
  • the content and the associated signature arrive at the second integrity device where the signature is verified 540.
  • the signature verification will be successful if the content has not been altered. Likewise the signature verification will fail if false data has been placed on the content distribution server lacking the proper signature.
  • the signatures are verified 545, the content is released 550 to the requestor.
  • the content integrity device maintains a cache of the verified content. Upon detecting a discrepancy in the digital signatures, the content integrity device releases the cached content and alerts the network manager of the presence of false data 560.
  • Various other protocols in response to a verification failure can be established that are aligned with the use of the methodology and techniques for content integrity verification described herein; these protocols shall be apparent to those skilled in the art.
  • FIG. 6 An alternative method for verifying the integrity of digital content is shown in the flow diagram of Figure 6.
  • this method 600 also protects the privacy of the content as it rests on the content distribution server.
  • content is published by the publishing server 605 to a first integrity device.
  • a digital signature of the content is formed 610 using methodology described herein and known to one skilled in the relevant art.
  • the content is subsequently encrypted 615 using a non- limiting algorithm such as Data Encryption Standard (DES), Rivest Shamir Adleman
  • the content is signed using a private key and encrypted using a distinct public key.
  • the encrypted content is associated 620 with the digital signature and transferred 625 to the content distribution server.
  • the content and digital signature reside on the content distribution server in an encrypted state until updated by new authorized data.
  • the content remains encrypted until a request for the content 630 is received from a requestor.
  • the content distribution server 635 identifies the content and associated signature.
  • the encrypted content and signature are then forwarded 640 to a second content integrity.
  • the second content integrity device decrypts the content 645 using, in one embodiment, the corresponding private key of the public/private key pair. With the content decrypted, the digital signature is verified. In one embodiment, verifying the digital signature includes using a public key corresponding to the public/private key pair utilized by the first content integrity device. Other techniques for verifying integrity readily known to those skilled in the relevant art can also be used without affecting the functionality of the invention. Having verified 655 the digital signature, the decrypted content is released 660 to the Internet and ultimately to the requestor. In embodiments of the invention, slightly different operations may be used for the encryption and the signatures.
  • the system and methodology described herein protects the content on a content distribution server from being stolen and altered by unauthorized users. It further verifies that the content being served to the Internet from a content distribution server is the content that was intended to be published to the content distribution server. The content is signed as it is being published to the content distribution server. If the signature associated with the content upon transmission from the content distribution server is different from the one when the content was initially published, the transmission is blocked ensuring the client is not exposed to false or misleading data.
  • a single content integrity device may include separate process which perform an initial digital signature on digital content, and then, prior to release by a content distribution server, verify the integrity of the digital content by performing and comparing a second digital signature on the content.
  • the digital content device may itself be incorporated into a content distribution server, or may comprise discrete processes within a content distribution server.
  • the encryption and verification processes described infra may be at least partially performed on line cards within networking devices.
  • a content integrity device may perform multiple cryptographic operations on digital content.
  • routines and other functions and methods described herein can be preformed by or distributed among any of the components described herein. While many of the embodiments are shown and described as being implemented in hardware (e.g. one or more devices designed specifically for a task), such embodiments could equally be implemented in software and be performed by one or more processors. Such software can be stored on any suitable computer-readable medium, such as micro-code stored in a semiconductor chip, on a computer-readable disk, or downloaded from a server and stored locally at a client.
  • the embodiments described herein are for illustrative purposes only; many equivalents and alternatives shall be apparent to those skilled in the art.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Signal Processing (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

A system and method for verifying the integrity of digital content in a server environment is described. Content from the server environment, as from a publishing server, is transferred to a content distribution server via a content integrity device. The content integrity device performs cryptographic operations on the content prior to its arrival at the content distribution server. The results of the cryptographic operation are associated and stored with the digital content. Upon receiving a request for the digital content from a source outside of the server environment, the content distribution server identifies and forwards the digital content and results of the associated cryptographic operation to a second integrity device. This device verifies the integrity of the content by comparing the results of similar cryptographic operations performed by the second integrity device with those performed by the first content integrity device.

Description

VERIFYING DIGITAL CONTENT INTEGRITY
Technical Field
The following disclosure relates generally to the field of data security and more particularly to verifying the integrity of content in a server environment.
Background
Various mechanisms exist to enhance the security of digital content associated with networks such as the World Wide Web and the Internet. These mechanisms include the use of passwords, firewalls, access and intrusion control devices, encryption techniques, and others that address the ease of accessing and altering information on the World Wide Web. To protect data during transit, most web sites or server computers use some form of secure protocol such as Secure Socket Layer (SSL).
The use of session keys known only to a client computer and a corresponding web server secures data while it is in transit by uniquely encrypting the data. However, the security of the data before or after the transmission is not guaranteed. While the data resides on the Web server or in computers throughout the server environment, the data is subject to attacks and intrusions from a number of avenues. Web servers have many access points. Data housed on a Web server or computers in a server environment can be accessed by any number of entry means including administrative functions, e-mail, publishing, and diagnostics. Furthermore, backdoors and other vulnerabilities exist that make protecting web content extremely difficult.
As technology has advanced, so has the ability for unwanted intrusions into a company's network. While not all intrusions are malicious in nature, the resulting interruptions frequently result in loss of revenue and damage to reputation. Users demand Internet sites to be available 24 hours per day, 7 days a week. Web site downtime causes immediate sales losses and often damages public confidence longer term. Compounding the nature of competition in e-business, in which alternatives are only a mouse click away, are hackers who often invade and alter web sites as a matter of pride. Invasions into a web server can corrupt web sites, defacing the sites aesthetically and/or conveying bogus information. Such invasions often cost revenue and good will. Encountering false data is an experience that can mean a permanent loss of a customer. Companies invest intensively to provide a highly available and positive user experience. It is therefore necessary to protect digital content while the content is in transit and while the content is stored. A company must be able to rely on the integrity of the information being posted on the company's web server. The challenge has been to arrive at a balance between security and accessibility. It is easier to build an impenetrable safe than it is to build a secure repository of information that delivers requested data reliably. It is also desirable to safeguard against intrusion in a manner that is transparent to the server environment, the web server, and the web user. These and other challenges are addressed in the following disclosure.
Brief Description of the Drawings
Figure 1 is a block diagram showing one embodiment of a system architecture for verifying content integrity.
Figure 2 is a block diagram showing one embodiment of a hardware architecture for a content integrity device.
Figure 3 is a block diagram showing one embodiment of a software architecture for a content integrity device.
Figure 4 is a flow diagram of one embodiment of a method for verifying content integrity using cryptographic operations.
Figure 5 is a flow diagram of one embodiment of a method for verifying content integrity using digital signatures. Figure 6 is a flow diagram of one embodiment of a method for verifying content integrity using encryption and digital signatures. Summary of the Invention
Systems and methods for ensuring the integrity of digital content are described. In embodiments of the invention, the integrity of digital content, as it is transmitted from one computing environment to another computing environment via a communications network, is verified by comparing the results of cryptographic operations performed on the content. In particular, a first cryptographic operation may be performed on digital content, upon which the content may be made available for transmission over the communications network. In some embodiments of the invention, content may be stored for future distribution after the performance of the first cryptographic operation. Prior to the release of the digital content, a second, corresponding cryptographic operation may be performed upon the digital content. As a precondition to releasing the content to a requestor, the integrity of the content is verified to ensure it has not been altered. In embodiments of the invention, these verification protocols can be performed by use of a content integrity device; this enables the operations to be performed transparently, without necessitating any modifications to existing software architectures.
In embodiments of the invention, two content integrity devices may be coupled to a content distribution device in communication with the external network; in some such embodiments, the content distribution device is a content distribution server. Digital content which is intended for publishing is intercepted by one of the content integrity devices as the content travels to the content distribution server. Upon arrival at the first content integrity device, the device performs a cryptographic operation such as a digital signature of the content. Once the digital signature has been created, the digital content and signature are passed to the content distribution server. Upon receiving a request for the digital content from outside the server environment, the content distribution server identifies the requested digital content and passes the digital content and its associated signature to a second content integrity device.
The second content integrity device executes the corresponding cryptographic operations performed by the first content integrity device upon the digital content. In some embodiments of the invention, the signature prepared by the second content integrity device is compared to the original in order to verify the content. If, and only if, the digital content is verified, the content integrity device concludes that the integrity of the digital content is intact and, accordingly, forwards the digital content to the requester outside of the server environment.
Another aspect of the invention includes ensuring the privacy of the digital content while the content resides on a content distribution server, storage medium, or isolated network. Content released for publication by one computing environment is intercepted by a content integrity device. The content integrity device performs cryptographic operations on the content, operations which may include, but are not limited to, the creation of a digital signature. Other cryptographic operations may which may also be performed include encryption and compression operations. In some such embodiments, content which has been encrypted, along with associated digital signatures are passed to a content distribution server where the encrypted content and signature reside until requested by a user outside of the server environment. Upon receiving an external request for the digital content, the content distribution server identifies the encrypted content as the content requested by the user and forwards the encrypted content and associated signature to another content integrity device. The second content integrity device, proceeds to (1) decrypt the content and (2) verify the integrity of the decrypted content. The decrypted digital content is released to the requesting user only after verifying the digital signature.
Other embodiments of the invention include caching the content on a content integrity device so that if altered content is discovered, previously verified content can be forwarded to the requesting user without having to reacquire content from its source. Other aspects of the content integrity device include other cryptographic operations and combinations of cryptographic operations to verify the integrity of the content and ensure the security of the content while residing on the content distribution server. These and other embodiments are described in greater detail herein.
Detailed Description of the Illustrated Embodiments
A. Overview
The invention described herein includes systems and methods for securing and verifying the integrity of digital content. In embodiments of the invention, digital content produced within a secure environment may be conveyed to an intermediate device, such as a publishing system, and subsequently made available for access by users external to the secure environment. In some such embodiments, digital content with is ready for publishing may be forwarded to a content distribution device, such as a web server, via a device which verifies the integrity of the content. Upon receiving the content from the secure, authorized source, the content integrity device performs one or more cryptographic operations on the content, and subsequently makes it assessable to users outside of the secure environment. In embodiments of the invention, when the content distribution device receives an external request for the content, the content is identified and forwarded to a second content integrity device. This second device performs one or more cryptographic operations, such as to examine the content by verifying the associated digital signature performed by the first content integrity device.
In embodiments of the invention, content integrity is verified by a dedicated content integrity device, which is separate from the devices which house the digital content prior to its external publication. In such embodiments, the content integrity devices are coupled to the remaining devices, such as the content dispersal systems and data networks, in a manner that obviates modification to the remaining devices. This enables web site operators or other managers of digital content to ensure the integrity of digital content transparently, without altering current software or modifying existing hardware on their systems.
B. Network Architecture of the Content Integrity System
A network architecture 100 for verifying content integrity is illustrated in Figure 1. The system 100 includes two content integrity devices 102 104. A first content integrity device 102 is coupled among a publishing system 106 and a content distribution server 1 10. The publishing system 106 may be further coupled to one or more server computers 1 12. The intranet established by the publishing system and server computers 112 is, for purposes of this discussion, isolated from outside intervention and can be considered a secure environment. The second content integrity device 104 is coupled among the content distribution server 1 10 and a network 120, such as the Internet or an intranet, which is in turn coupled to several other computers 130 from which content requests may originate; by way of non-limiting example, the requestors may client programs such as web browsers. The requestors 130 can each possess software for accessing network resources, such as, by way of non-limiting example, a web browser that when directed by a user requests content from the content distribution server. The protocol for exchange and transport of this information can be one of any protocols known to one skilled in the relevant art and includes but is not limited to HyperText Transmission Protocol (HTTP), File Transfer Protocol (FTP), HyperText Transmission Protocol Secure (HTTPS), Common Internet File System
(CIFS), and Network File Systems (NFS). Other suitable protocols shall be apparent to those skilled in the art.
In one embodiment of the claimed invention, content developed on the server computers 1 12 is communicated to the publishing system 06 and passed to the content distribution server 1 10 via the first content integrity device 102. The first content integrity device 102 generates a first digital signature and digitally signs the content before the content reaches the web server 110. Upon receiving a request for the content from a client computer 130 via network 120, the content is passed from the content distribution server 1 10 to the second content integrity device 104 where the digital signature is verified. If the content is successfully verified, the content is released to the requesting client computer 130. If the content is not verified, its release is blocked, preventing unauthorized or modified content to be released. In an embodiment of the claimed invention, the content integrity device 104 stores a trusted version of the digital content. This cache may be updated either periodically or each time content is verified prior to transmittal. If the verification process fails, the trusted, cached content can be forwarded to the requesting user in place of the content provided by the content distribution server. In some embodiments of the invention, logs may be maintained which record verification failures. Other responses undertaken in case the content integrity is comprised shall be apparent to those skilled in the art. The functionality provided by the content integrity device 102 and 104 can be hosted on dedicated network appliances as shown in Figure 1 , but is not so limited. The content integrity functionality can also be performed by, or distributed among, any combination of the publishing systems 106 and 1 12, numerous client processing devices and browsers 130 coupled to the network 120, and any of the associated network components. Typically each content integrity device can include at least one processor capable of executing computer executable instructions and at least one storage medium for retention of data and software. In some embodiments of the invention, protection and verification operations can be performed on a single physical device. Many hardware and/or network architectures which support the content integrity functions will be apparent to those skilled in the art.
The cryptographic operations which may be performed by a content integrity device are multifarious. Encryption operations may be symmetric, such as, by way of non-limiting example, any of the variants of the Data Encryption Standard (DES).
Alternatively, asymmetric encryption may be employed, such as, by way of non-limiting example, public-private key algorithms, such as any of the variants of Rivest-Shamir- Ableson (RSA), Pretty Good Privacy (PGP), or other examples which will be apparent to those skilled in the art. The cryptographic operations may include one-way functions, such as one-way hash functions. These one way hash functions may include, by way of non-limiting example, any of the variants of Secure Hash Algorithm (SHA), Message Authentication Code (MAC), and a Message Digest (MD) functions. In embodiments of the invention, a content integrity device may perform multiple encryption functions on digital content. These and other permutations of cryptographic functions in the invention shall be apparent to those skilled in the art.
C. Hardware Architectures of the Content Integrity System
Figure 2 illustrates a hardware architecture 200 for verifying the integrity of digital content. The hardware architecture 200 includes at least one processor 208, a memory system 210, and I/O. Inherent to the architecture 200 is a system bus 206 that operatively couples the various components together. The processing unit may be any logic processing unit, such as one or more central processing units (CPUs), digital signal processors (DSPs), application-specific integrated circuits (ASIC), etc. Unless described otherwise, the construction and operation of the various blocks shown in Figure 2 are of conventional design. As a result, such blocks need not be described in further detail herein, as they will be readily understood by one skilled in the relevant art.
The operating system 202 contains the basic routines that help transfer information amongst the elements within the architecture 200. In non-limiting embodiments of the invention, the operating system is based on a version of the Linux operating system The system bus 206 can employ any know bus structures or architectures including a memory bus with memory controller, a peripheral bus, and a local bus. The memory 21 0 includes read-only memory (ROM) and random access memory (RAM). The input / output system 216 contains basic routines that help transfer information between elements with the content integrity device. Non-limiting examples of input / output 216 include various forms of Ethernet. The content integrity device can also include secondary storage media, non-limiting examples of which include a hard disk drive for reading from and writing to a hard disk, and an optical disk drive and a magnetic disk drive for reading from and writing to removable optical disks and magnetic disks, respectively. The optical disk can be a CD-ROM, while the magnetic disk can be a magnetic floppy disk. The hard disk drive, optical disk drive and magnetic disk drive communicate with the processing unit 208 via the bus 206. The hard disk drive, optical disk drive and magnetic disk drive may include interfaces or controllers coupled between such drives and the bus 206, as is known by those skilled in the art. The drives and their associated computer-readable media, provide nonvolatile storage of computer readable instructions, data structures, program modules and other data for the content integrity device. Those skilled in the relevant art will appreciate that other types of computer-readable media that can store data accessible by a processor may be employed, such as magnetic cassettes, flash memory cards, digital video disks ("DVD"), Bernoulli cartridges, RAMs, ROMs, smart cards, etc.
Program modules, such as an operating system can be stored in the system memory 210 one or more application programs, other programs or modules, and program data. In embodiments of the invention, the system memory 210 may also include software for permitting the content integrity device to access and exchange data with web sites in the World Wide Web of the Internet.
In one embodiment the system memory 210 stores private and public keys that enable the processing unit 208 to create digital signatures of content received through the input and output ports 216. Furthermore, various algorithms and other computer cryptographic executable codes are retained in the system memory 210 for the encryption and decryption of the digital content. The operating system 202 can also direct the caching of the digital content in both the encrypted and clear text state as well as associating a digital signature generated in the content integrity device with a particular piece of digital content.
A further aspect of the content integrity device is the inclusion of a hardware security module 220 with a smart card. The hardware security module 220 comprises a tamper resistant device that stores private keys in a secure format. The private keys are encrypted using a separate group key known to a select, predefined group of ancillary network devices. This encrypted group of keys can be transported between the various devices using a smart card. The smart card can also be used to back up the encrypted key data. As the data contained on the smart cards is encrypted with a separate key, the encrypted group of private keys can only be accessed by one of the devices in the predefined group.
Another aspect of the hardware security module is a protocol that supports "k out of n" secret sharing of the separate group key. Such a protocol enhances security by requiring each device to use multiple smart cards for backing up and restoring the private keys. For example, if the private key information is distributed across a group of five smart cards (n=5), preferences can be established requiring three smart cards (k=3) be inserted into a smart card reader before the group data can be accessed. Any attempt to access the data with less than three smart cards will fail. Using a "k out of n" schema ensures data security. If a single card is stolen, misplaced or unaccounted for, a unauthorized user of the card will not be able to access the key data stored on the hardware security module. D. Software Architecture of the Content Integrity System
Figure 3 shows one embodiment of a software architecture 300 for verifying the integrity of digital content by use of a content integrity device. The architecture 300 includes a caching engine 315, a content identification engine 320, a cryptographic engine 325, a digital signature engine 330, and a process manger 332. As content is received, the process manager 332 uses the digital signature engine 330 and cryptographic engine 325 to perform cryptographic operations on the content. Once completed, the content may optionally be cached using the caching engine 315 for subsequent access and dispersal. In addition to directing cryptographic operations on the content, the process manager 332 uses the content identification engine 320 to associate the content with the digital signature and encrypted data. In one embodiment, the cryptographic engine 325 may embed a numerical representation, such as a digital signature, in the content itself. In other embodiments the numerical representation may or may not be part of the content. Upon receiving a request for the content, the process manager 332, using the content identification engine 320, identifies and retrieves the content and associated signatures from the cache for dispersal.
In the embodiment shown in Figure 3, the process manger 332 manages content received from a server environment 340 that includes a publishing system 350 and other server computers 360. The process manager 332 conveys the content to entities outside the server environment such as a content distribution server 375 and a network 385 such as the Internet. While this embodiment illustrates the software architecture 300 of a content integrity device which is positioned between a server environment 340 and a content distribution server 375, in alternate embodiments an identical software architecture 300 may be placed between the content distribution server 375 and a network 385 to facilitate the verification of the content's integrity as a condition to its distribution over the network 385.
E. Integrity Verification Process
The invention supports several techniques for verifying the integrity of digital content. A method 400 for verifying the integrity of content in a network environment used in embodiments of the invention is illustrated in the flow diagram of Figure 4.
Content is published 405 and intercepted by a content integrity device. The content integrity device performs at least one cryptographic operation on the content 410.
These operations can include encryption operations, decryption operations, hash operations, keyed hash operations, keyed hash verifications, digital signatures, signature verification, checksums, and other like operations known to those skilled in the relevant art.
Once the desired cryptographic operation has been completed 410, the content is transferred 415, to a content distribution server, along with any associated result from the cryptographic operation, for dissemination over the Internet or like network.
The content remains on the content distribution server until an updated version is received from the publishing server. By way of non-limiting example, a client computer may request content from a web page resident on the content distribution server. The content distribution server 420 receives the request for the content and identifies the desired object with the appropriate embedded objects to send. As the content is directed to the client's IP address, the content is intercepted 425 by the second content integrity device. The second content integrity device performs additional cryptographic operations on the content. Before the content is released to requests originating outside the system, the signature is verified 435. If the verification succeeds, indicating that the content has not been altered, the content integrity device releases the content 440 to the requesting client.
Figure 5 depicts a flow diagram for verifying content integrity 500 by use of digital signatures. Content is received at the first integrity device from a trusted source such as the publishing server 505. Transparent to the publishing server and the content distribution server, the content integrity device creates a digital signature 510. The digital signature can be created using various algorithms known to one skilled in the relevant art. The digital signature of the content is formed in one embodiment by using secret information such as a private key which can be later verified by using public information such as a public key. Other algorithms which may be used to create the digital signature include, but are not limited to one way hashing, keyed hashes such as Keyed Hash Message Authentication Code (HMAC), timestamps, and other techniques that will be apparent to those skilled in the art. Once signed, the digital signature is associated 515 with the content and then transferred to the content distribution server, or other storage medium 520.
In embodiments of the invention, the content remains on the content distribution server until it is either requested by a client or replaced by the publishing server 525.
Upon receipt of the request, the appropriate content is identified 530 and ultimately forwarded for integrity verification 535.
The content and the associated signature arrive at the second integrity device where the signature is verified 540. As the algorithms and keys used correspond to the original signature, the signature verification will be successful if the content has not been altered. Likewise the signature verification will fail if false data has been placed on the content distribution server lacking the proper signature. If the signatures are verified 545, the content is released 550 to the requestor. In an alternative embodiment, the content integrity device maintains a cache of the verified content. Upon detecting a discrepancy in the digital signatures, the content integrity device releases the cached content and alerts the network manager of the presence of false data 560. Various other protocols in response to a verification failure can be established that are aligned with the use of the methodology and techniques for content integrity verification described herein; these protocols shall be apparent to those skilled in the art.
An alternative method for verifying the integrity of digital content is shown in the flow diagram of Figure 6. Continuing with the theme of ensuring the integrity of the content prior to its dispersal, this method 600 also protects the privacy of the content as it rests on the content distribution server. As described herein, content is published by the publishing server 605 to a first integrity device. Upon arrival, a digital signature of the content is formed 610 using methodology described herein and known to one skilled in the relevant art. The content is subsequently encrypted 615 using a non- limiting algorithm such as Data Encryption Standard (DES), Rivest Shamir Adleman
(RSA), or another cipher commonly known to one skilled in the relevant art. In an alternative embodiment, the content is signed using a private key and encrypted using a distinct public key.
The encrypted content is associated 620 with the digital signature and transferred 625 to the content distribution server. The content and digital signature reside on the content distribution server in an encrypted state until updated by new authorized data. The content remains encrypted until a request for the content 630 is received from a requestor. Upon receiving the request, the content distribution server 635 identifies the content and associated signature. The encrypted content and signature are then forwarded 640 to a second content integrity.
The second content integrity device decrypts the content 645 using, in one embodiment, the corresponding private key of the public/private key pair. With the content decrypted, the digital signature is verified. In one embodiment, verifying the digital signature includes using a public key corresponding to the public/private key pair utilized by the first content integrity device. Other techniques for verifying integrity readily known to those skilled in the relevant art can also be used without affecting the functionality of the invention. Having verified 655 the digital signature, the decrypted content is released 660 to the Internet and ultimately to the requestor. In embodiments of the invention, slightly different operations may be used for the encryption and the signatures.
The system and methodology described herein protects the content on a content distribution server from being stolen and altered by unauthorized users. It further verifies that the content being served to the Internet from a content distribution server is the content that was intended to be published to the content distribution server. The content is signed as it is being published to the content distribution server. If the signature associated with the content upon transmission from the content distribution server is different from the one when the content was initially published, the transmission is blocked ensuring the client is not exposed to false or misleading data.
Alternative Embodiments
Though many of the embodiments described herein involve the deployment of two content integrity devices, many alternative embodiments shall be apparent to those skilled in the art. For instance, the verification procedures may be performed on a single device. By way of non-limiting example, a single content integrity device may include separate process which perform an initial digital signature on digital content, and then, prior to release by a content distribution server, verify the integrity of the digital content by performing and comparing a second digital signature on the content. In some embodiments of the invention, the digital content device may itself be incorporated into a content distribution server, or may comprise discrete processes within a content distribution server. In some embodiments, the encryption and verification processes described infra may be at least partially performed on line cards within networking devices. Additionally, a content integrity device may perform multiple cryptographic operations on digital content.
Those skilled in the relevant art will appreciate that the routines and other functions and methods described herein can be preformed by or distributed among any of the components described herein. While many of the embodiments are shown and described as being implemented in hardware (e.g. one or more devices designed specifically for a task), such embodiments could equally be implemented in software and be performed by one or more processors. Such software can be stored on any suitable computer-readable medium, such as micro-code stored in a semiconductor chip, on a computer-readable disk, or downloaded from a server and stored locally at a client. The embodiments described herein are for illustrative purposes only; many equivalents and alternatives shall be apparent to those skilled in the art.

Claims

1. A method for verifying integrity of digital content, the method comprising:
computing a first one or more cryptographic operations on the digital content;
upon a request for the digital content, performing a second one or more
cryptographic operations on the digital content, the second one or more cryptographic
operations including an inversion of the first one or more cryptographic operations;
releasing the digital content in response to the request immediately after
performing the second one or more cryptographic operations.
2. The method of claim 1 , wherein the first one or more cryptographic operations
includes an encryption of the digital content, and the second one or more cryptographic
operations includes a corresponding decryption of the digital content.
3 The method of claim 2 wherein the encryption and corresponding decryption are symmetric operations based on a private key.
4. The method of claim 3, wherein the encryption and decryption are based on
Data Encryption Standard (DES).
5. The method of claim 2, wherein the encryption is based on a public key, and the
decryption is based on a corresponding private key.
6 The method of claim 5, wherein the encryption and corresponding decryption are
RSA operations.
7. A method for verifying integrity of digital content, the method comprising:
computing a first one or more cryptographic operations on the digital content; upon a request for the digital content, performing a second one or more
cryptographic operations on the digital content;
comparing a result of the second one or more cryptographic operations with at
least one of the digital content and a result of the first one or more cryptographic
operations;
releasing the digital content in response to the request if and only if the
comparing the result of the first and second one or more cryptographic operations is
successful.
8. The method of claim 7, wherein the first one or more cryptographic operations
and second one or more cryptographic operations are identical operations.
9. The method of claim 7, wherein the first and second one or more cryptographic
operations include one way hash functions.
10. The method of claim 9, wherein the one way hash functions include one or more of Secure Hash Algorithm (SHA), a Message Authentication Code (MAC), a Message
Digest (MD) function.
11. The method of claim 10, wherein the MAC is HMAC.
12. The method of claim 10, wherein the MD function is one of MD-2, MD-3, MD-4,
MD-5.
13. The method of claim 8, wherein the first and second one or more cryptographic
operations comprise, respectively, a first digital signature and a second digital
signature.
14. The method of claim 13, wherein the first and second digital signatures are
performed by use of a single private key.
15. The method of claim 13, further comprising:
prior to computing the first digital signature, receiving the digital content from a trusted
source.
16. The method of claim 17, wherein the trusted source is a secure local network.
17. The method of claim 16, wherein the request for the digital content arrives from
an network external to the secure local network.
18. The method of claim 17, wherein the network external to the local network is an
internetwork.
19. The method of claim 13, further comprising:
if the first and second signatures do not agree, releasing a previously cached version
of the digital content in response to the request.
20. The method of claim 13 further comprising:
if the first and second signatures do not agree, logging a corresponding record in a
database of anomalies.
21 . The method of claim 13, further comprising:
If the first and second signatures do not agree, denying the request for the digital
content.
22. The method of claim 13, further comprising:
after first computing the first digital signature, encrypting the digital content.
23. The method of claim 22, further comprising:
prior to performing the second digital signature, decrypting the digital content.
24. A computer network system for delivering digital content to an external network,
wherein in the external network is in communication with the computer network system
via at least one content server, the computer network system comprising:
one or more publishing servers for generating and storing digital content,
wherein the one or more publishing servers are isolated from the external network;
a first content integrity device for performing and verifying cryptographic
operations, such that the content integrity device is coupled to the one or more
publishing servers and to the external access device;
a second content integrity device for performing and verifying cryptographic
operations, the second content integrity device coupled to the external access device and the external network;
wherein the first content integrity device is configured to intercept digital content
forwarded by the one or more publishing servers to the at least one content server,
such that the first content integrity generates a cryptographic operation for the digital
content, and the second content integrity device is configured to authorize external
release of the digital content by the at least one content server, only after verification of
the cryptographic operation.
25. The computer network system of claim 24, wherein the external network in an
internetwork.
26. The computer network system of claim 24, wherein the digital content is encoded
in at least one markup language.
27. The computer network system of claim 24, wherein the at least one markup language is one or more of HTML, XML, SGML.
28. The computer network system of claim 24, wherein the at least one content
server includes a web server.
29. The computer network system of claim 24, wherein the digital content includes a
PDF file.
30. The computer network system of claim 24, wherein the digital content includes
ASCII text.
31. The computer network system of claim 24, wherein a private key is stored in a
secure format on the first and second content integrity devices.
32. The computer network system of claim 31 , wherein the private key is encrypted in the first and second content integrity devices.
33. The computer network system of claim 32, wherein the private key is encrypted
in the first and second devices using a separate group key, such that the separate
group key is known to the first and second content integrity devices.
34. The computer network system of claim 33, wherein the first and second content
integrity devices each include a smart card port, such that the private key can be
received securely by one or more smart cards via the smart card port.
35. The computer network system of claim 34, wherein the private key can be
received by use of any k of n smart cards, wherein k < n.
36. The computer network system of claim 34, wherein the one or more smart cards
includes three or more smart cards, such that the private key is distributed amongst the
three or more smart cards, and the first and second content integrity devices read the
private key from a plurality of the three or more smart cards.
37. The computer network system of claim 24, wherein the first content integrity
device and the one or more publishing servers are coupled via a local area network.
38. The computer network system of claim 37, wherein the second content integrity
device and the at least one content server are coupled via a local area network
connection.
39. The computer network system of claim 38, wherein the second content integrity
device is operable to record each failure in verification of the digital signature.
40. The computer network system of claim 24, wherein the first content integrity
device is operable to encrypt the digital content with a private key.
41. The computer network system of claim 40, wherein the second content integrity
device stores a public key corresponding to the private key, such that the second
content integrity device is operable to decrypt the digital content with the public key.
42. A computer system for verifying the integrity of digital content, wherein the digital
content is generated in a secure environment, and is intended for external release, the
computer system comprising: at least one processing device; a first one or more daemon processes, for intercepting the digital content
prior to external release, the first one or more daemon processes operable on the at
least one processing device;
a second one or more daemon processes for receiving external requests
for the digital content, the second one or more daemon processes operable on the at
least one processing device;
a first one or more cryptographic processes for performing a first
cryptographic operation on the digital content prior to the receiving external requests
for the digital content, the first one or more cryptographic processes operable on the at
least one processing device;
a second one or more cryptographic processes executing for performing a
second cryptographic operation on the digital content after receiving the external
requests for the digital content, the second one or more cryptographic processes
resident on the at least one processing device;
one or more verification processes on the computer system for verifying
and authorizing release of the digital content, after comparison of the first and second
digital signatures, the one or more verification processes resident on the at least one
processing device.
43. The computer system of claim 42, wherein the digital content is at least partially
encoded in one or more markup languages.
44. The computer system of claim 43, wherein the one or more markup languages
includes Hyper Text Markup Language (HTML).
45. The computer system of claim 44, wherein the one or more daemon processes
for receiving external requests includes an Hyper Text Transfer Protocol daemon
(HTTP).
46. The computer system of claim 46, wherein the HTTP daemon is resident on a
dedicated HTTP server.
47. The computer system of claim 44, wherein the one or more daemon processes
for receiving external requests includes an Hyper Text Transfer Protocol over SSL
(HTTPS) daemon.
48. The computer system of claim 47, wherein the HTTPS daemon is resident on a
dedicated HTTPS server.
49. The computer system of claim 43, wherein the one or more markup languages includes extensible Markup Language (XML) and Standard Generalized Markup Language (SGML). '
50. The computer system of claim 42, wherein the first one or more cryptographic
processes are executed at least partially on a dedicated encryption offload processor.
51. The computer system of claim 42, wherein the second one or more
cryptographic processes are executed at least partially on a dedicated encryption
offload processor. ■
52. The computer system of claim 42, wherein the first one or more cryptographic
processes and second one or more cryptographic processes are at least partially
executed on a single server device.
53. The computer system of claim 52, wherein the one or more daemon processes
for intercepting the digital content prior to external release and the one or more r daemon processes for receiving external requests for the digital content are also
performed on the single server device.
54. The computer system of claim 53, wherein the single server device comprises a
web server.
55. The computer system of claim 53, further including:
one or more processes for encrypting the digital content.
56. The computer system of claim 55, wherein the one or more processes for
encrypting the digital content encrypt the digital content by use of a private key.
57. The computer system of claim 55, wherein the one or more processes for encrypting the digital content are resident on the single server device.
58. The computer system of claim 42, wherein the at least one processing device
includes an accelerator card for accelerating the first one or more cryptographic processes.
59. The computer system of claim 58, wherein the at least one processing device
includes an accelerator card for accelerating the first one or more cryptographic processes.
60. A method for verifying the integrity of digital content stored initially in a server
environment, the method comprising:
signing the digital content using a private key forming a first signature;
associating the digital content with the first signature; transferring the digital content and the first signature to an external access server,
wherein the external access server is in direct communication with at least one network external to the server environment;
after associating the digital content with the first signature, receiving an external
request for the digital content at the external access server;
in response to the external request, signing the digital content with the private key to
form a second digital signature for the content;
comparing the first signature and the second signature;
if the first and second signatures agree, releasing the digital content from the external
access server via the one or more external networks.
61. The method of claim 60, wherein the signing the first digital signature is
performed in at least partially in a first dedicated content integrity server, the first
content integrity server coupled locally to the external access server.
62. The method of claim 61 , wherein the second digital signature is generated in a
second dedicated content integrity server, which is locally coupled to the external access server.
63. The method of claim 60, wherein the external access server is a web server.
64. The method of claim 63, wherein the digital content is at least partially encoded
in a markup language.
65. The method of claim 64, wherein the markup language is one or more of HTML,
SGML, XML.
66. The method of claim 63, wherein the external request is an http request.
67. The method of claim 60 wherein- the one or more external networks include an
internetwork.
68. The method of claim 60, wherein the first and second digital signatures are
generated at the external access server.
69. The method of claim 60, further comprising:
after signing the digital content using the private key to forming the first signature,
encrypting the digital content.
70. The method of claim 69, further comprising:
prior to forming the second digital signature, decrypting the digital content.
71 . A method for verifying the integrity of digital content stored in a server
environment, the method, comprising:
signing the digital content using a private key forming a first signature;
associating the digital content with the first signature;
transferring the digital content and the first signature to an external access server,
wherein the external access server is in direct communication with at least one network
external to the server environment;
after associating the digital content with the first signature, receiving an external
request for the digital content at the external access server;
in response to the external request, signing the digital content with the private key to
form a second digital signature for the content;
comparing the first signature and the second signature; if the first and second signatures do not match,
logging an entry in a database of integrity failures, and
barring external release of the digital content.
72. A method for verifying the integrity of digital content stored in a server
environment, the method, comprising:
signing the digital content using a private key forming a first signature;
associating the digital content with the first signature;
transferring the digital content and the first signature to an external access server,
wherein the external access server is in direct communication with at least one network external to the server environment;
after associating the digital content with the first signature, receiving an external request for the digital content at the external access server;
in response to the external request, signing the digital content with the private key to form a second digital signature for the content;
comparing the first signature and the second signature;
if the first and second signatures do not match, releasing a previously cached version
of the digital content from the external access server.
73. The method of claim 72 wherein the method for verifying the integrity of digital
content stored in a server environment, the method, comprising:
signing the digital content using a private key forming a first signature;
associating the digital content with the first signature.
74. A system for verifying the integrity of digital content in a server environment, the
system comprising:
at least one web server coupled among two or more network appliances, wherein a first
of the two or more network appliances includes
means for receiving the digital content from the server environment,
means for creating a cryptographic transformation of the digital content, and
means for transferring the digital content to the web server, and
wherein a second of the two or more network appliances includes
means for receiving the digital content from the web server, and
means for verifying the digital content before releasing the digital content
outside of the server environment.
75. An electromagnetic medium containing executable instructions which, when
executed in a processing system, verifies the integrity of digital content by:
identifying the digital content and an associated first signature at a server upon
receiving a request from a party outside of the server environment for the digital
content;
transferring the digital content and the associated first signature to a processor; signing the digital content forming a second signature;
verifying successfully the integrity of the digital content; and
releasing the digital content to the party outside of the server environment.
76. A computer readable medium containing executable instructions which, when executed in a processing system, verifies integrity of digital content by: identifying the digital content and an associated first signature at a server upon receiving a request from a party outside of the server environment for the digital content; transferring the digital content and the associated first signature to a processor; signing the digital content forming a second signature; verifying successfully the integrity of the digital content; and releasing the digital content to the party outside of the server environment.
PCT/US2003/003622 2002-02-08 2003-02-08 Verifying digital content integrity WO2003067850A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003216191A AU2003216191A1 (en) 2002-02-08 2003-02-08 Verifying digital content integrity

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US35493002P 2002-02-08 2002-02-08
US60/354,930 2002-02-08

Publications (1)

Publication Number Publication Date
WO2003067850A1 true WO2003067850A1 (en) 2003-08-14

Family

ID=27734437

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/003622 WO2003067850A1 (en) 2002-02-08 2003-02-08 Verifying digital content integrity

Country Status (2)

Country Link
AU (1) AU2003216191A1 (en)
WO (1) WO2003067850A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005059752A1 (en) * 2003-12-18 2005-06-30 Nokia Corporation Method for ensuring the integrity of a data record set
CN109660988A (en) * 2019-01-02 2019-04-19 百度在线网络技术(北京)有限公司 Communicate authentication processing method, device and electronic equipment
US11403369B2 (en) 2020-01-21 2022-08-02 Disney Enterprises, Inc. Secure content processing pipeline
US11425120B2 (en) 2020-02-11 2022-08-23 Disney Enterprises, Inc. Systems for authenticating digital contents

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
HERDA S: "Non-repudiation: Constituting evidence and proof in digital cooperation", COMPUTER STANDARDS AND INTERFACES, ELSEVIER SEQUOIA. LAUSANNE, CH, vol. 17, no. 1, 1995, pages 69 - 79, XP004046750, ISSN: 0920-5489 *
RSA LABORATORIES: "PKCS #7: Cryptographic Message Syntax Standard, Version 1.5", RSA LABORATORIES TECHNICAL NOTE, XX, XX, 1 November 1993 (1993-11-01), pages 1 - 30, XP002207635 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005059752A1 (en) * 2003-12-18 2005-06-30 Nokia Corporation Method for ensuring the integrity of a data record set
KR100829977B1 (en) 2003-12-18 2008-05-19 노키아 코포레이션 Method for ensuring the integrity of a data record set
CN109660988A (en) * 2019-01-02 2019-04-19 百度在线网络技术(北京)有限公司 Communicate authentication processing method, device and electronic equipment
CN109660988B (en) * 2019-01-02 2021-09-28 百度在线网络技术(北京)有限公司 Communication authentication processing method and device and electronic equipment
US11403369B2 (en) 2020-01-21 2022-08-02 Disney Enterprises, Inc. Secure content processing pipeline
US11425120B2 (en) 2020-02-11 2022-08-23 Disney Enterprises, Inc. Systems for authenticating digital contents

Also Published As

Publication number Publication date
AU2003216191A1 (en) 2003-09-02

Similar Documents

Publication Publication Date Title
JP6625211B2 (en) Key exchange through partially trusted third parties
US11757641B2 (en) Decentralized data authentication
US9544280B2 (en) Utilization of a protected module to prevent offline dictionary attacks
US9584517B1 (en) Transforms within secure execution environments
JP5598828B2 (en) Software signing certificate reputation model
US7685425B1 (en) Server computer for guaranteeing files integrity
JP4463887B2 (en) Protected storage of core data secrets
US7243226B2 (en) Method and system for enabling content security in a distributed system
US8185942B2 (en) Client-server opaque token passing apparatus and method
US20060149962A1 (en) Network attached encryption
US8321924B2 (en) Method for protecting software accessible over a network using a key device
US20020032873A1 (en) Method and system for protecting objects distributed over a network
JP2005533438A (en) Encryption associated with the network
KR20030036787A (en) System for establishing an audit trail to protect objects distributed over a network
JP2003330365A (en) Method for distributing/receiving contents
US20030237005A1 (en) Method and system for protecting digital objects distributed over a network by electronic mail
US7234060B1 (en) Generation and use of digital signatures
WO2008053279A1 (en) Logging on a user device to a server
US7565538B2 (en) Flow token
WO2003067850A1 (en) Verifying digital content integrity
Benton et al. Signaturecheck: a protocol to detect man-in-the-middle attack in ssl
KR101987579B1 (en) Method and system for sending and receiving of secure mail based on webmail using by otp and diffie-hellman key exchange

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP