Safe identification of executable file for logical object determining confidence

FIELD: information technology.

SUBSTANCE: present invention relates to the identification of an executable file, or another beneficiary for determining the credibility of the resource object so that this object can provide a resource for the executable file. Resource is received from the resource provider for a resource requester, which functions on a computer device. The resource requester has an associated identifier descriptor. The identifier descriptor includes information related to security, giving the environment in which the resource requester operates. An identification code (ID code) is generated in accordance with loaded resource requester and the loaded identifier descriptor, based on the loaded resource requester and the loaded identification code. The resource provider makes sure that the calculated id-Code in request for a resource coincides with one of one or more valid id-Codes for the identified resource requester, so as conclude, that resource requester and identifier descriptor can be trusted, and the resource provider responds to the request by providing the resource requester with the resource.

EFFECT: invention can increase the credibility of executable files, or other recipient of the resource by the resource providers.

36 cl, 4 dwg

 

The technical FIELD TO WHICH the INVENTION RELATES

The present invention relates to a method and means by which the executable file or the like can securely identify themselves to defining the confidence of the object so that he could provide a resource for this executable. More specifically, the present invention relates to such method and means by which the determinant trust object can verify (authenticate) the executable file before you provide him with resources.

PRIOR art

In many computing scenarios, the first computer object type provides some resource computer type second computer object type. It should be understood that each of the first and second objects can be either a hardware or a software object, such as a computer program or executable file, computer storage device, a computer server, data, etc. Also, a resource can be raw data file raw data in it in some systematic form, etc.

Especially in the case when the resource is of particular value or must be processed in accordance with predetermined rules, the first object or provider re the URSA can provide the resource to the second object or recipient of the resource", only if the second object or a related object provides authentication information for the first object and the first object based on it, performs authentication of the second object. For example, if the server is in the banking institution (the first object) provides the security key (resource) for the banking program on the user's computer (the second object), through which the user can conduct banking transactions on computer, the server may ask for some assurance that the banking program can be trusted with the use of a security key in a way that is controlled by the Bank.

That is, the server needs authentication information either from the Bank or from the means of authentication on behalf of the banking program, announcing that the banking program refers to a specific type, performed in a specific environment based on certain variables and/or the like, Thus, the server does provide the security key for the Bank only after authentication based on the authentication information. It is particularly important that the server used to authenticate the banking program on the basis of the authentication information wants to be sure that the banking application has not been changed in some respect, in the example, incorrectly used the security key, and also wants to make sure that the banking program is a valid and will not work in environments where the security key may be bypassed or read a doubtful object, such as a thief.

There is therefore a need in the method and means by which a computer program, executable or other recipients of the resource can be provided authentication information, which the recipient of the resource can be authenticated by the provider of the resource to resource. In particular, there is a need for identifying the descriptor (descriptor) to describe the identity of the recipient of the resource provider of the resource, where the identifying descriptor includes, among other things, a set of variables that describe the environment of the recipient of the resource and authenticating the signature or other

The INVENTION

The aforementioned need is satisfied, at least partially, by the present invention, in which the get resource from resource providers (RP, RP) to the requestor of the resource (WR, RR)operating on a computing device. This SP has an associated identifying descriptor (IO, ID), and IO includes information that is compared to the security specifies the environment in which BP operates.

WR and IO corresponding to this SP, loaded into a computing device SP and provide a link to the uploaded IO. Identification code (ID, code-ID) is calculated in accordance with the loaded WR and loaded IO and based on the downloaded SP and loaded IO. After receiving the request from the LA to the resource is satisfied that the requesting SP has rights to the resource, and that resource should be entrusted to him. After that, the request for a resource transfer from LA to PR.

PR checks accepted request, receives the code-ID, IO, and the definition of the requested resource from a received request and determines from a received request identification information to the requesting SP. Also PR is received by each of the one or more valid identification codes (code-ID) for identified WR and ensures that the calculated code-ID in a received request matches one of the valid codes-ID identified by the LA. Then PR can conclude that SP can trust known as the LA, which can be considered credible, and the fact that the information relevant to security, on the basis of which BP operates, is known information relevant to security, which can be considered credible.

After this the th, PR answers forwarded the request by providing the requested resource by the LA. The LA receives the requested resource is granted PR, and applies it in a way compatible with the confidence that the PR has given the LA, and in accordance with the information relevant to security set forth in the IO, the corresponding SP.

LIST of FIGURES

The above brief description of the invention and the following detailed description of embodiments of the present invention will be better understood when read in conjunction with the attached drawings. For the purpose of illustration of the invention in the drawings shown embodiments of preferred currently. However, as should be clear that the invention is not limited to the exact schemes and tools. In the drawings:

Figure 1 is a block diagram showing an illustrative computing environment, which can be implemented in the present invention.

Figure 2 is a block diagram showing the provider of the resource, the recipient of the resource that identifies the handle of the recipient of the resource and the corresponding objects, arranged and operating in accordance with one embodiment of the present invention.

Figure 3 - the precedence diagram showing key steps performed by the recipient of the resource and meet their objects of figure 2 when querying the resource provider resource of figure 2 in accordance with one embodiment of the present invention.

4 is a diagram of a sequence of operations showing key steps performed by the provider of the resource of figure 2 when granting resource recipient resource of figure 2 in accordance with one embodiment of the present invention.

DETAILED description of the INVENTION

COMPUTER ENVIRONMENT

Figure 1 and the following discussion are intended to provide a short, General description of a suitable computing environment in which the present invention and/or part of it can be implemented. Although not required, the invention described in the General context mashinostryenia commands, such as program modules, executed by a computer such as a workstation client or server. Generally, program modules include procedures, programs, objects, components, data structures, etc. that perform particular tasks or implement certain abstract data types. In addition, should be taken into account that the invention and/or part of it may be implemented with other configurations of computer systems, including handheld devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, network personal computers (PCs), minicomputers, universal computers (mainframes), etc. of the Invention may be the also implemented in distributed computing environments, where tasks are performed by remote processing devices data that are linked through a communications network. In a distributed computing environment, program modules may be placed on both local and remote storage devices.

As shown in figure 1, an illustrative computer system General purpose includes a conventional personal computer 120 or something like that includes a processor 121, a system memory 122, and a system bus 123 that connects various system components including the system memory to process 121. The system bus 123 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus and a local bus using any of a variety of bus architectures. The system memory includes a persistent storage device (RAM, ROM) 124 and a random access memory (RAM, RAM) 125. Basic system 126 input / output system (BIOS), containing basic routines that help to transfer information between elements within the personal computer 120, such as during startup, is stored in ROM 124.

The personal computer 120 may further include a drive 127 on hard magnetic disks to read from the hard disk (not shown) or write to it, the drive 128 for a magnetic disk for when edyvane with removable magnetic disk 129 or write on it and drive 130 for an optical disk drive for reading from the removable optical disk 131, for example, a CD-ROM (CD-ROM) or other optical media, or write to it. Drive 127 on hard magnetic disks, the disk drive 128 for a magnetic disk and disk drive 130 for optical drive connected to the system bus 123 via an interface 132 of the drive hard disk drives, interface 133 of the drive for a magnetic disk and interface 134 of the optical disk, respectively. Drives and drives and their corresponding machine-readable media provide nonvolatile storage of computer-readable commands, data structures, program modules and other data for the personal computer 120.

Although the described exemplary illustrative environment uses a hard disk, a removable magnetic disk 129 and a removable optical disk 131, it is necessary to understand that other types of computer-readable media that can store data that can access the computer, can also be used in the illustrative operating environment. Such other types of media include magnetic cassettes, flash memory cards, digital video disc, cartridge Bernoulli, random access memory (RAM), a persistent storage device (ROM), etc.

A number of program modules may be stored on the hard disk, magnetic disk 129, optical disk 131, ROM 124, RAM 125, including an operating system 135, one the or more application programs 136, other program modules 137, and data 138 programs. The user can enter commands and information into the personal computer 120 through input devices such as a keyboard 140 and a pointing device 142. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the like, These and other input devices are often connected to the CPU 121 via the interface 146 serial port that is connected to the system bus, but may be connected by other interfaces such as a parallel port, game port or USB (universal serial bus). Monitor 147 or other types of display devices are also connected to system bus 123 via an interface, such as a video adapter 148. In addition to the monitor 147 personal computer typically includes other peripheral output devices (not shown), such as speakers and printers. The illustrative system of figure 1 also includes the host adapter 155, bus 156 small computer system interface (SCSI) and the external storage device 162 that is attached to the SCSI bus 156.

The personal computer 120 may operate in a networked environment using logical connections to one or more remote computers, such as remote computer 149. UD is certain computer 149 may be another personal computer, server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the personal computer 120, although only storage device 150 shown in Fig 1. The logical connections depicted in figure 1 include a local area network (LAN) 151 and a wide area network (WAN) 152. Such networking environments are typical for offices, computer networks scale enterprises, intranets and the Internet.

When used in a LAN environment, the personal computer 120 is connected to the LAN 151 through a network interface or adapter 153. When used in a WAN environment, the personal computer 120 typically includes a modem 154 or other means for establishing communications over the WAN 152, such as the Internet. The modem 154, which may be internal or external, is connected to system bus 123 via an interface 146 serial port. In a networked environment, program modules depicted relative to the personal computer 120, or portions thereof, may be stored in a remote storage device. It should be understood that the illustrated network connections are illustrative, and that can be used and other means to establish lines of communication between computers.

IDENTIFYING DESCRIPTOR FOR the RECIPIENT of the RESOURCE

Turn the SJ now to Figure 2, where it is seen that the present invention is described in the context of the first computer object type acts as the provider of the resource (PR) 10, which provides some resource computer 12 type of recipient (requester) resource (WR) 14. It should be understood that depending on the circumstances of any given situation, each of the PR 10 SP and 14 can be either a hardware or a software object, or it may be a hardware element, a software object or a software element of a hardware object, in all cases without departing from the essence and scope of the present invention. For example, a CR 10 may be a server that provides the data, file, key, content (information important content) or the like as a resource 12, al 14 may be a software structural component, storage device, computer program or the like, the needy in this resource. Moreover, PR 10 may be a printer, a network, or the like, and WR 14 may be a program or other logical structure, trying as a resource to access this PR 10.

In one embodiment of the present invention, the resource 12 is of special value or must be processed in accordance with predetermined rules, and therefore PR 10 only provides it for SP 14, if SP 14 or the associated tool 16 out what the certification is authentication information for a CR 10, ETC 10 based on it authenticates (authenticates) SP 14. This WR and the tool 16 authentication may, for example, both reside on the computing device 18 of the user, the tool 16 authentication is a measure of trust, or some other system object in the computing device 18, such as a loader or other part of the operating system on the computing device 18.

According to the prior art SP 14 typically includes a Declaration with information relevant to the SP 14, including elements such as a description of the environment within the process SP 14, the digital signature verifying the certificate chain, the keys that can be used to verify the constituent elements of SP 14, etc. Then, when operating elements operating on the computing device 18, appealed to the Declaration, for example, to get the key for verification SP 14, or to determine that the process SP 14 must include certain elements, or to get certain procedures that must be followed during operation, or the like

Thus, the Declaration by the LA-14 was described by the LA 14, protected environment for SP 14, the input data for the LA 14, etc. However, this Declaration is insufficient for the following PR the ranks:

1) Declaration could ask lots of executable files that could be loaded into a single process. Although this allows more flexibility constraint Declaration of one executable file is more secure, as one Declaration may be connected or otherwise combined with one executable file and one identification code or 'ID-ID' ('code-ID') can be calculated on the basis of such a combination. As can be taken into account, the code-ID is the profile combination and in particular, the input data related to security, as set forth in the Declaration and in the executable file. As described in numerous detail below, identifies the descriptor or 'IO', corresponding to the present invention, is a data structure that contains the input data relevant to safety.

2) the Declaration has grown to include numerous characteristics that have resulted in increased complexity and other undesirable effects. In contrast, IO corresponding to the present invention, can be embedded directly in the Declaration, imported by reference from any other place or removed during the execution of the Declaration and/or any other place, with IO special focused on in the above-mentioned input data, related to safety, only for the corresponding executable file, and IO is the significance and the context of security at the lowest level of access control system. Thus, the IO may have a relatively simple format.

Let us now turn specifically to identify the handle or IO corresponding to the present invention. IO 20 is a package for the input data relating to security for the executable in the process, where this executable is presumably WR 14 of figure 2. It should be understood that IO 20 may be embedded in the executable file, extracted from a separate file, or extracted from another document, such as Declaration. Essentially, IO 20 is a block environment, specify the input variables that describe the environment in which it operates executable/SP 14 (hereinafter "SP 14"), and in particular the environment of security, and can be used by the LA 14 and the operating system of the computing device 18, on which SP 14 is always to manage the launch and execution of such SP 14, and can also be used PR 10, when making decisions about whether to grant the resource 12 such SP 14. Identification code or 'ID-ID' receive or calculate based on the profile SP 14 and IO 20, and usually he represents his x is servandae value (the hash value), obtained in a manner analogous to that used in the digital signature.

The essential thing is that if SP 14 wants to change his environment and security, for example, by reading in the file, open the debug port and the like, such SP 14 is responsible for doing this. However, if the developer who creates the SP 14, wants a specific behavior has been parameterized, the parameter is related to security (for example, open another file based on the input program, or debugging based on the input data of the program), then the parameter can be placed in John 20, SP and 14 can be written to refer only to IO 20 in respect of the option. Thus, although the argument could potentially be changed inside IO 20 malicious object, the modified IO 20 will cause a change in the calculated code-ID 20, while such a change may be interpreted by the interested party, such as a CR 10, as indicating that SP 14 should not be trusted.

In one embodiment, the present invention IO 20 has the following functional form:

Map<NameString, String> EnvironmentVariables

That is, in this case IO 20 includes a set of pairs of name and value, each of which displays the name, such as, for example, alphanumeric string that points to the corresponding string value. Note that the On 20 may be in the form of a document extensible markup language (XML) or the like, without departing from the essence and scope of the present invention, although such an XML document may introduce unnecessary complexity in syntactic analysis. Note also that at least some of the variables can be XML documents, expressed as strings. Thus, IO 20, presented in list form, has the following form

Name1=StringValue1

Name2=StringValue2

Name3=StringValue3

...

Examples of use IO 20 below. Note that these examples are explanatory and do not necessarily sobolski. Assuming for the "names" ("names") namespace, the namespace is "_System" may be reserved for use by the operating system of the computing device 18 and John 20 corresponding to the SP 14, may include:

_System.Debuggable="true"

_System.ProgramName="Excel"

_System.SealToLocalAdmin="true"

Thus, the operating system of the computing device 18 can access IO 20 in order to determine what process SP 14, the corresponding IO 20, enables debugging that the executable file is called "Excel" and that variable _System.SealToLocalAdmin set to "true" (true).

SP 14 may use your IO 20 for decision-making in respect of conduct based on the input program, safe in nature. Believing for "names" namespace, the namespace "MyProg" can be reserved is identified for use by the LA 14, and IO 20 corresponding to the SP 14, may include:

MyProg.ProgName="MS URT running Trusted Backup Script" ("tool user registration (URT) from Microsoft takes a trusted backup script")

MyProg.script="main(){foreach(blob in blobs)printf(blob);}"

MyProg.UI="<xml>Some UI XML(some UI in XML)</xml>";

MyProg.AllowedResourceFiles="01234, 03456, 089abb";

MyProg.KeyHolderWhoCanDebugMyProcess="0xfedcb";

Thus, WR 14 may determine, based on its IO 20, the specific name of the program, software, script (script), user interface (UI) programs in XML format, number of files allowed resources and the specific holder of the key that can debug the process WR 14.

It should be understood that the actual pairs of name and value in any specific IO 20 can be any suitable pairs name-value without departing from the essence and scope of the present invention. Moreover, such a pair of name-value may include the types of values that change from SP 14 SP 14, such as, for example, a particular software script or a list of valid users, and the types of values that are common to almost all SP 14, such as, for example, the name of the program, and whether the process SP 14 debugged. Typically that pairs of name and value in any specific IO 20 related to security, because IO 20 is mainly the unit circle, predelays input variables, which describe the environment security functional SP 14, although it is necessary to take into account that are not related to security pairs name-value can also be in John 20 without departing from the essence and scope of the present invention.

Thus, and particularly in relation to entities related to security, specific IO 20 may include a pair of name-value, which describe the operating system, virtual machine real machine, and/or other appropriate computing device 18, which should work SP 14, as well as whether or not the SP 14 to work in an isolated process, which cannot be monitored by the debugger or the like, or to work in the allow debugging process, which in fact you can trace the above image every entry point by which to SP 14 you can access and input data relating to security provided for the LA 14, among other entities with respect to security. Should be taken into account that such related entity security in General are entities that affect how the LA 14 operates, where WR 14 receives the data and other input data, and whether the SP 14 to be subjected to external impact or be monitored externally, among about is him. Thus, and also in the General case, the information in John 20 describes the SP 14, describes the operating system and the computing device 18, on which SP 14 should operate and describes aspects WR 14 related to security. Note that because the code-ID 22 to WR 14 is based partially on its IO 20 and code-ID must be known, as will be described in more detail below, IO 20 may include a pair of name-value, which is specific to any particular instance of SP 14 on a particular computing device 18.

In one embodiment of the present invention an identification code or 'ID-ID' 22 that corresponds to a particular SP 14, is defined as the hash value SP 14, combined with its IO 20. For example, the hash value may be based on any of several well-known secure hash algorithms (SHA), including SHA-1 and SHA-256:

Code-ID 22 = SHA (RR 14 | ID, 20)

In one particular embodiment, the code-ID 22 is the Union of the two above-mentioned hash value, where the hash value is based on SHA-1, and the other on SHA-256:

Code-ID 22 = SHA-1(RR 14 | ID, 20) | SHA-256 (RR 14 | ID, 20)

Thus, and should be taken into account, from a knowledge of the SP 14 and IO 20, as well as knowledge of the way in which code-ID 22 should be calculated, WR 14 or the associated tool 16 authentication can calculate code-And the 22, corresponding to such SP 14, for submission PR 10 way, the corresponding digital signature. It is essential that each of the one or more valid code-ID 22, the corresponding SP 14, should be well known, especially for PR 10, which must be requested in respect of the provision for SP 14 resource 12. Note that SP 14 may have more than one valid code-ID 22, especially if the LA 14 comes in numerous versions that can work on multiple operating systems, and so on, each of which necessitates a change in the SP 14 and/or IO 20.

Probably, in this case, PR 10 has information on LA 14 and each valid code-ID 22 for SP 14, and such PR 10 provides a resource for 12 LA 14 only if a valid code-ID 22 to WR 14 presents for PR 10 on behalf of the LA 14. In one embodiment of the present invention, and referring to Figure 3, IO 20 and code-ID 22, the corresponding SP 14, are applied in the following way. Previously, a copy of the LA 14 creating in the process an operating system of the computing device 18 by instantiating initiated by a user or by another process (step 301). Usually, this instantiation is achieved by the loader 24, functioning in the operating system of the computing device 18, although such an instantiation m which can be achieved by any other suitable object without departing from the essence and scope of the present invention.

As part of the instance creation WR 14 loader 24 receives WR 14 from any place where such SP 14 may be located, and loads it (step 303). It should be understood that the loader 24 may perform the receiving and loading SP 14 in any suitable way without departing from the essence and scope of the present invention, the specific method of obtaining the known or should be apparent to the audience and therefore does not require disclosure here in any detail.

As part of instantiating the SP 14, the loader 24 receives IO 20 that corresponds to that WR 14 from any place where such IO 20 can be, and loads it into the appropriate location (step 305). As stated above, this IO 20 may be embedded in the SP 14, obtained from a separate file, or extracted from another document, such as Declaration. In any case, the loader 24 may receive IO 20 from its position in any appropriate manner without departing from the essence and scope of the present invention, in the mode corresponding to this location, where a specific method for obtaining the known or should be apparent to the audience and therefore does not require disclosure here in any detail. The location where the loader loads IO 20 can be any suitable location without departing the t of the essence and scope of the present invention, such as, for example, table, cache IO, process SP 14, etc.

Note that SP 14 and the operating system of the computing device 18, on which SP 14 operates may both require access to the downloaded IO 20. Therefore, downloading IO 20, the loader 24 provides at least SP 14 a pointer or other reference to the location of the IO 20 (step 307). Thus, WR 14 can find the information relating to security, in such IO 20. Moreover, the operating system may also find such information relating to security, or by the LA 14, or, also, by the acceptance of such a pointer or other reference.

Apparently, at some point during operation, WR 14 such SP 14 may request the resource from 12 PR 10, which, as stated above, provides a resource 12 such SP 14 only if a valid code-ID 22, the corresponding SP 14 provided for the POR 10 on behalf of the LA 14. Thus, after loading the SP 14 and its corresponding IO 20 calculated code-ID 22 corresponding to such loaded SP 14 and IO 20 (step 309). Such code-ID 22 can be calculated by the loader or the above-mentioned means 16 authentication, which is the authentication information for a PR 10. May be taken into account that the tool 16 authentication can be actually a part of the loader 24, or the loader 24 can in order to be actually part of the means 16 authentication. Again, the code ID can be computed in any suitable way without departing from the essence and scope of the present invention, if only the calculated code-ID 22 was in a form that expects to see PR 10.

Thus, at some point during operation, WR 14 such SP 14 is really needed resource from 12 PR 10 and so he asks the tool 16 authentication to obtain such a resource on behalf of the SP 14 (step 311). Note that before you can try this way to get the resource 12, the tool 16 authentication can perform various functions of the authentication with respect to the SP 14 to ensure that the LA 14 has rights to the resource 12 and that the resource 12 he shall be entrusted, among other things (step 313). By doing this, the tool 16 authentication may refer to information related to security, in John 20, the corresponding SP 14, and can also confirm that SP 14 has not been modified in any way, including one that negates his trust by, among other things. In General, the tool 16 authentication can perform any of the functions of the authentication with respect to SP 14 without departing from the essence and scope of the present invention. Such authentication feature is known or should be apparent to the interested audience and therefore need not be here detailed consideration.

Assuming that the tool 6 authentication satisfied SP 14, then, the tool 16 forwards the authentication request to the resource from 12 SP 14 to a CR 10 (step 315). This forwarded request may be a literal copy of the request from the SP 14 or its modification. Thus, the forwarded request may have any suitable shape, without going beyond the nature and scope of the present invention. For example, this form may be in the form of a predetermined function of the quota system, which includes the calculated code-ID 22 to the requesting SP 14, IO 20 to the requesting SP 14 and the resource definition 12, the requested SP 14, among others. It should be understood that the quota feature may also include a digital signature or something similar, based on one or more of these elements, where the signature can be verified on the basis of a security key shared between the tool 16 authentication, ETC 10.

Next, in response to the accepted quota feature or another forwarded the request with reference to Figure 4 PR 10 makes a decision regarding whether to satisfy the resource request from the SP 14. In particular, PR 10, among other things, checks are mailed the request (step 401), which in the case of functions quota includes checking the signature on the basis of shared security key. In addition, PR 10 receives the code-ID 22, John 20, and the definition of the requested resource from 12 Perez the data request (step 403), determines from the forwarded request identification information to the requesting SP 14 (step 405), receives each valid code-ID 22 for the identified SP 14 (step 407) and verifies that the calculated code-ID 22, forwarded the request matches one of the valid code-ID 22 for the identified SP 14 (step 409).

Note that PR 10 can determine the identity of the requesting SP 14 of the forwarded request any appropriate manner without departing from the essence and scope of the present invention. For example, such identification information can be set inside IO 20 in the forwarded request as specific pair of name and value. Of course, a malicious objects can change such identification information IO 20 in an attempt improperly to obtain the resource from 12 PR 10. However, because the code-ID 22 calculated by the tool 16 authentication, based on a part of IO 20, so the calculated code-ID must not be the same with any valid ID ID known PR 10. Moreover, it should be noted that PR 10 trusts the tool 16 authentication in terms of its proper functioning and, therefore, trust in the sense that it will not destroy the code-ID 22.

Also note that it is assumed and expected that the POR 10 has each valid code-ID 22 to WR 14. Again, each of the one or more on istically code-ID 22, the corresponding SP 14, should be well known, especially PR 10, which should be requested to provide a resource for 12 LA 14. Note finally that by finding a valid code-ID 22 in the forwarded request PR 10 may conclude, based on valid code-ID 22, which is extracted from the LA 14 and IO 20 that SP 14 can be trusted as known unmodified SP 14, which can be considered credible, and that information relating to security on the basis of which the LA 14 operates, is known unmodified information relating to security that can be considered trustworthy. Moreover, it should be taken into account that through the use of code-ID 22 specific SP 14, which may have been compromised, may be refused simply by removing all corresponding to the code ID from the available PR 10.

In addition to the validation of the calculated code-ID 22 from the query PR 10 may also check the validity of the submitted query based on the other information contained therein (step 411). For example, even if the accuracy of code-ID 22 confirmed, PR 10 can be programmed to accept or reject a request based on specific information in John 20, such as, for example, does it work WR 14 isolated the om process. Also, if mailed, the request includes identification data of the user computing device 18 SP 14, PR 10 can be programmed to accept or reject the request based on the identified user. Of course, PR 10 can check the validity of the submitted query based on any criteria, without going beyond the nature and scope of the present invention.

If the reliability of the forwarded request is confirmed, as in the steps 409 and 411, PR 10 then determines that the requested resource 12 is available and/or can be provided (step 413). For example, if the resource 12 is data, then PR 10 determines that the data is indeed available, or if the resource is access to the printer, then PR 10 determines that the printer is actually connected to the network with paper and is in a state of receiving a new request for printing, among others.

Assuming then that the reliability of the forwarded request is confirmed, as in the steps 409 and 411, and the requested resource 12 is available and/or can be provided in step 413, PR 10 answers the forwarded request by providing the requested resource 12 (step 415). Thus, if the resource 12 is an object, then PR 10 provides such an object, and if the resource 12 is access to the service, PR 10 organisms is no such access, for example, using a security key or other signs for access, and provides the security key, or other signs for access.

This response by the requested resource 12 provided PR 10, adopted by the LA 14 (step 317, Figure 3), either directly or indirectly by the tool 16 authentication and SP 14 can then apply the resource 12, provided in the response properly (step 319). At least implicitly, since PR 10 did provide the requested resource 12 for SP 14, PR 10 trusts SP 14 and a computing device in terms of application of the given resource 12 only way that is consistent with such confidence and particularly in accordance with the information relevant to the safety instructions stated in John 20 corresponding to the SP 14.

CONCLUSION

The present invention can be implemented on any interrogators SP 14 and suppliers ETC 10. More specifically, the present invention is, for example, can be used to provide a word processor on the PC the ability to take protected text document, a music player on a dedicated playback device to transmit the reproduced music sound system, wireless device to access the wireless network, etc. Thus, WR 14 need interpretation in order to aromatise like any tool, requesting the resource 12, and PR 10 should be interpreted as any tool that provides the resource 12 within the system, where WR 14 operates on the basis of the information relevant to security, in John 20, ETC 10 ensures that credible SP 14 based in part on John 20.

The programming necessary to perform the processes performed in connection with the present invention is relatively straightforward and should be obvious to experts in the field of programming. Therefore, this programming is not described here. Therefore, any specific programming can be used to implement the present invention without departing from its essence and scope.

From the above description it is seen that the present invention provides a new and useful method and means by which a computer program, executable or other recipient resource WR 14 may be provided with authentication information, such as IO 20 through which SP 14 can be authenticated by the provider of the resource, PR 10, which should provide the resource 12. IO 20 describes the identity SP 14 yo 10 and includes, among other things, a set of variables describing the environment SP 14.

Should be taken into account that changes may be made in the above-described variants of implementation without departing from the concept of the invention. It should be clear, therefore, that this invention is not limited to the specific disclosed the embodiment, but it is understood that it covers modifications within the essence and scope of the present invention defined in the attached claims.

1. The method of obtaining the resource from the resource providers (RP) to the requestor of the resource (WR)operating on a computing device, while SP has an associated identifying descriptor (IO)and IO includes information related to the security, specifying the environment in which BP operates, the method includes the steps are:
download the LA in the computing device;
download IO corresponding to the LA, in the computing device;
provide the LA with reference to the loaded IO;
calculate the identification code (code-ID), the downloaded SP and loaded IO based on the downloaded SP and loaded IO;
accept a request from the LA to the resource;
make sure that the requesting SP has rights to the resource and that the resource must be entrusted to him;
send the above request from the SP to the RP, when it forwarded the request includes the calculated code-ID to the requesting SP, IO to the requesting SP and the definition of the resource requested by the LA, and PR udostovertes what is that the calculated code-ID is forwarded in the request matches one of the one or more valid code-ID identified by the LA, concludes on this basis that the LA can trust known as the LA, which can be considered credible, and that the information relevant to security, on the basis of which BP operates, is known information relevant to security, which can be considered credible, and answers the forwarded request by providing the requested resource;
take through the LA requested resource is granted PR, and apply it in such a way that is consistent with the confidence that the PR has given the LA, and in accordance with the information relevant to security set forth in the IO, the corresponding SP.

2. The method according to claim 1, containing a stage, on which shall be certified by means of authentication at the computing device that the requesting SP has rights to the resource, and that resource should be trusted, and the means of authentication refers to information relating to safety contained in IO corresponding to the CW.

3. The method according to claim 1, in which forwarded the request additionally includes a digital signature based on at least one of the calculated code-ID for ask what his BP IO to the requesting SP and definition of the resource requested by the LA, with the signature allows the verification based on the security key that is shared with OTHERS.

4. The method according to claim 1, in which IO includes a set of relevance to the safety of pairs of name and value that are available as input data for at least one of LA, PR and operating system on the computing device on which BP operates.

5. The method according to claim 4, in which a pair of name-value describing at least one of the environment within which BP operates, whether SP to function in an isolated process, and each entry point, through which the SP can be accessed.

6. The method according to claim 1, in which code-ID is calculated based on the profile WR and IO.

7. The method according to claim 6, in which code-ID is the hash value of WR, combined with its IO.

8. The method according to claim 7, in which code-ID is the Union of the two hash values, each hash value corresponds to the SP, combined with its IO.

9. Method of providing resource provider resource (PR) to the requestor of the resource (WR)operating on a computing device, while SP has an associated identifying descriptor (IO)and IO includes information related to the security, specifying the environment in which BP operates, p. and this method contains the steps are:
taken from the LA forwarded the request to the resource, and forwarded the request includes an identification code (ID), calculated for the requesting SP, while the calculated code-ID corresponds to the WR and IO loaded in the computing device, and based on WR and IO loaded in the computing device, and forwarded the request also includes IO to the requesting SP and the definition of the resource requested by the LA;
check the accepted request;
get code-ID, IO, and the definition of the requested resource from a received request;
determine from a received request identification information to the requesting SP;
get each of the one or more valid code-the ID for the identified SP;
make sure that the calculated code-ID in a received request matches one of the one or more valid code-ID identified by the LA, and conclude based on this that the LA can trust known as the LA, which can be considered credible, and that information relating to security on the basis of which BP operates, is known information relating to security, which can be considered credible;
answer forwarded the request by providing the requested resource to SP, with SP adopts the requested resource, provided PR, and uses it in a way that is consistent with the confidence that the PR has given the LA, and in conformity with information relating to security set forth in the IO, the corresponding SP.

10. The method according to claim 9, containing the stage at which accept forwarded the request from the authentication computing device to ensure that the requesting SP has rights to the resource and the resource must be entrusted to him, and the means of authentication refers to information related to security, IO corresponding to the CW.

11. The method according to claim 9, in which forwarded the request additionally includes a digital signature based on at least one of the calculated code-ID to the requesting SP, IO for requesting WR and definition of the resource requested by the LA, the method further comprises a stage on which verifies the signature.

12. The method according to claim 9, further containing a stage on which verify the authenticity of submitted query based on the other information contained therein.

13. The method according to claim 9, further containing phase, which determines that the requested resource is available and/or can be provided.

14. The method according to claim 9, in which IO includes a set of pairs name-value related to security, available as input given is passed to at least one of al, PR and operating system on the computing device on which BP operates.

15. The method according to 14, in which a pair of name-value describing at least one of the environment within which BP operates, whether SP to function in an isolated process, and each entry point, through which the SP can be accessed.

16. The method according to claim 9, in which code-ID is calculated based on the profile WR and IO.

17. The method according to clause 16, in which code-ID is the hash value of WR, combined with its IO.

18. The method according to 17, where the code-ID is the Union of the two hash values, each hash value corresponds to the SP, combined with its IO.

19. Machine-readable medium having stored thereon Mashinostroenie command to perform a method of obtaining the resource from the resource providers (RP) to the requestor of the resource (WR)operating on a computing device, while SP has an associated identifying descriptor (IO)and IO includes information related to the security, specifying the environment in which BP operates, the method includes the steps are:
download the LA in the computing device;
download IO corresponding to the LA, in the computing device;
provide the LA with reference to the loaded IO;
compute ID (code), the downloaded SP and IO based on the downloaded SP and IO;
accept a request from the LA to the resource;
make sure that the requesting SP has rights to the resource and the resource must be entrusted to him;
forwarding the resource request from the SP to the RP, when it forwarded the request includes the calculated code-ID to the requesting SP, IO to the requesting SP and the definition of the resource requested by the LA, and PR ensures that the calculated code-ID is forwarded in the request matches one of the one or more valid code-ID identified by the LA, concludes on this basis that the LA can trust known as the LA, which can be considered credible, and that the information relevant to security, on the basis of which BP operates, is known information relevant to security, which can be considered credible, and answers the forwarded request by providing the requested resource;
take through the LA requested resource is granted PR, and apply it in a way that is consistent with the confidence that the PR has given the LA, and in accordance with the information relevant to security set forth in the IO, the corresponding SP.

20. Machine-readable medium according to claim 19, in which the method comprises a step, which is ascertained by means of authentication at the computing device including, that the requesting SP has rights to the resource, and that resource should be entrusted to him, and the means of authentication refers to information relating to safety contained in IO corresponding to the CW.

21. Machine-readable medium according to claim 19, in which forwarded the request additionally includes a digital signature based on at least one of the calculated code-ID to the requesting SP, IO for requesting WR and definition of the resource requested by the LA, with the signature allows the verification based on the security key that is shared with OTHERS.

22. Machine-readable medium according to claim 19, in which IO includes a set of relevance to the safety of pairs of name and value that are available as input data for at least one of LA, PR and operating system on the computing device on which BP operates.

23. Machine-readable medium according to article 22, in which a pair of name-value describing at least one of the environment within which BP operates, whether SP to function in an isolated process, and each entry point, through which the SP can be accessed.

24. Machine-readable medium according to claim 19, in which code-ID is computed based on the profile WR and IO.

25. Machine-readable media according to paragraph 24, where the code-ID is the hash value of SP, the joint with its IO.

26. Machine-readable media on A.25, where the code-ID is the Union of the two hash values, each hash value corresponds to the SP, combined with its IO.

27. Machine-readable medium having stored thereon mashinovedeniya command to perform a method for providing resource provider resource (PR) the requester of the resource (WR)operating on a computing device, while SP has an associated identifying descriptor (IO)and IO includes information related to the security, specifying the environment in which BP operates, the method includes the steps are:
accept the forwarded request from the LA to the resource, and forwarded the request includes an identification code (ID), calculated for the requesting SP, and the calculated code-ID corresponds to the WR and IO, loaded on the computing device, and based on al and ne), loaded on a computing device, when it forwarded the request also includes IO to the requesting SP and the definition of the resource requested by the LA;
check the accepted request;
get code-ID, IO, and the definition of the requested resource from a received request;
determine from a received request identification information to the requesting SP;
get each of the one or more valid cadavid identified for the LA;
make sure that the calculated code-ID in a received request matches one of the one or more valid code-ID identified by the LA, and conclude based on this that the LA can trust known as the LA, which can be considered credible, and that the information relevant to security, on the basis of which BP operates, is known information relevant to security, which can be considered credible;
answer forwarded the request by providing the requested resource by the LA, with the LA receives the requested resource is granted PR, and uses it in a way that is consistent with the confidence that the PR has given the LA, and in accordance with the information relevant to security set forth in the IO, the corresponding SP.

28. Machine-readable medium according to item 27, in which the method includes a stage on which to accept forwarded the request from the authentication computing device to ensure that the requesting SP has rights to the resource and the resource must be entrusted to him, and the means of authentication refers to information related to security, IO corresponding to the CW.

29. Machine-readable medium according to item 27, which forwarded the request additionally includes digital is odpis, based on at least one of the calculated code-ID to the requesting SP, IO for requesting WR and definition of the resource requested by the LA, the method further comprises a stage on which verifies the signature.

30. Machine-readable medium according to item 27, in which the method additionally includes the stage at which verifies the authenticity of the submitted query based on the other information contained therein.

31. Machine-readable medium according to item 27, in which the method additionally includes the stage, which determines that the requested resource is available and/or can be provided.

32. Machine-readable medium according to item 27, in which IO includes a set of relevance to the safety of pairs of name and value that are available as input data for at least one of LA, PR and operating system on the computing device on which BP operates.

33. Machine-readable media on p, in which a pair of name-value describing at least one of the environment within which BP operates, whether SP to function in an isolated process, and each entry point through which to SP can be accessed.

34. Machine-readable medium according to item 27, in which code-ID is computed based on the profile WR and IO.

35. Machine-readable medium according to clause 34, to the m code-ID is the hash value of WR, combined with its IO.

36. Machine-readable media on p in which code-ID is the Union of the two hash values, each hash value corresponds to the LA, United with his IO.



 

Same patents:

FIELD: physics, computation technology.

SUBSTANCE: invention concerns method and device of digital rights management. When authorisation on server is not accessible, operations with minimised risk are allowed by implementation of internal authorisation scheme. Authorisation method for operation to be performed on digital element involves definition of first operation group members including first predetermined group of operations on digital element, and second operation group including second predetermined group of operations on digital elements; comparison of predetermined operation to be performed on digital element to operations included in each indicated operation group; external authorisation with access to authorising server if operation belongs to first operation group; internal authorisation by device if operation belongs to second operation group; and authorisation of operation to be performed on digital element if one of listed authorisations brings positive result.

EFFECT: enhanced security level of operations with digital content.

13 cl, 5 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention is related to protection systems. Unit of protection and method realise requests for data from USB device or other similar device, at that protected component may realise protected communication to device without variation of underlying USB bus protocol, or device, even where software that controls the bus is not trusted. Protection unit (physically separated or integrated in device or concentrator) intercepts data transmitted from device into protected component in response to request for data. Signal of data reception confirmation unavailability is transmitted into protected component, and data are coded. The following request for data is intercepted, and coded data are sent in response. Confirmation of data reception from protected component in device is allowed to reach the device. In order to process request for installation, permit command that contains coded and decoded installation command is sent to protection unit. If coding is checked successfully, then installation command sent to device (via protection unit), is allowed to reach the device.

EFFECT: provision of improved protection.

32 cl, 6 dwg

FIELD: physics; computer engineering.

SUBSTANCE: present invention pertains to authentication of applications. Identifier of the corresponding distributor is retrieved from meta data applications. Certificates are received. Each certificate contains one or more identifiers of corresponding distributors. The above mentioned identifiers are retrieved from certificates and certificates are chosen, based on comparison of identifiers, retrieved from meta data applications and certificates, such that, the relationship between the identifier and the distributor is controlled so that, certificates could be used only for identifying applications, distributed by identified distributors.

EFFECT: provision for selecting a certificate for authenticating an application, linked to a distributor.

15 cl, 4 dwg

FIELD: physics; computer engineering.

SUBSTANCE: present invention pertains to control of generation of cryptographic keys in an information media, comprising a party which generates the key and distributes the key information for the party using the key. Through a given unilateral function of deriving keys, a relationship between key generations is determined, which is such that, earlier generation of keys can be more efficiently derived from later generation, but not the opposite. Each time, when necessary, the party using the key iteratively receives the given unilateral function of deriving keys for outputting the key information of at least, one previous key generation from the key information of new key generation. That way, memory requirements for the party using the key can considerably be reduced.

EFFECT: protection of data during recording.

32 cl, 6 dwg

FIELD: physics; computer engineering.

SUBSTANCE: present invention pertains to the architecture and method of establishing a secure multimedia channel for content delivery. The computer device has a secure multimedia channel for delivering content from a source to a receiver. In the secure channel, the multimedia base provides a secure environment in the computer device and comprises a common infrastructure of key components, processing content from any specified source and delivering the processed content to any specified receiver, and also comprises a policy implementation unit, providing for compliance with policy on behalf of the source. The policy corresponds to the content from the source and comprises rules and requirements for accessing the content and its playback. The multimedia base provides for secure transmission of content through the computer device and allows for arbitrary processing of protected content in the computer device.

EFFECT: increased security of content from unauthorised use.

23 cl, 6 dwg

FIELD: information technologies.

SUBSTANCE: invention can be used in system of the forced performance of requirements which provides access possibility to the enciphered digital content on a computing mechanism only according to parametres the certain rights of the license got by the user of digital contents. The first confidential builder on the first computing mechanism carries out cryptographic, an estimate and the forced performance of requirements and forcedly contacts it, the first certificate of the user device corresponding to the first computing mechanism, forcedly contacts the user. Accordingly, the second confidential builder on the second computing mechanism carries out cryptographic processing, an estimate and the forced performance of requirements and forcedly contacts it, the second certificate of the user device corresponding to the second computing mechanism, also forcefully contacts the user. The first competent builder gains contents for reproduction on the first computing mechanism by means of the first certificate of the user device and the license, and the second confidential builder gains contents for reproduction on the second computing mechanism by means of the second certificate of the user device and the same license.

EFFECT: prevention of non-authorised duplication of digital content by the user related to the digital license and having of some computing mechanisms.

16 cl, 6 dwg

FIELD: physics, computer technology.

SUBSTANCE: invention concerns digital rights management system. (DRM) features multiple DRM servers with DRM functionality, and incoming server DRM-I is registered in the system by registration server DRM-R, so that incoming server DRM-I should be a trust server in this system. DRM-I server sends registration request to DRM-R server including representative identification data and public key (PU-E). DRM-R server checks validity of representative identification data, and if the request can be met, DRM-R server generates digital registration certificate by (PU-E) for DRM-I server for registration of DRM-I server in DRM system. Just registered DRM-I server with generated registration certificate can use it for delivery of documents with DRM in DRM system.

EFFECT: possible controlled reproduction or replay of arbitrary digital content forms in medium where documents are shared by a definite group of users.

74 cl, 17 dwg

FIELD: physics, computer technology.

SUBSTANCE: invention deals with data protection systems. Certificate-based encryptation mechanism failing to envisage the client source computer access to the whole of the certificate corresponding to the client target computer during encryptation of the e-message to be transferred to the client target computer. Instead the client source computer addresses the certificate server a request for but part of the certificate. The certificate part referred to contains encryptation information but may fail to include (completely or partly) the certificate self-checking information. The certificate server preferably carries out any check of the certificate authenticity before transfer of encryptation information to the client source computer which enables obviation of the need to specifically perform certificate authenticity check with the client source computer especially if the certificate server has been checked for trustworthiness with the client source computer.

EFFECT: reduction of amount of memory and processor resources used for certificate-based encryptation as well as minimisation of requirements to the width of band between certificate server and client source device.

36 cl, 8 dwg

FIELD: physics.

SUBSTANCE: invention is related to methods of usage data collection for television broadcast receivers. Method of usage data collection from broadcast receiver is suggested, whereat receiver is arranged to detect and save such usage data. Method involves representation (16, 18) of confidentiality policy to receiver that identifies not only the usage data subjected to collection, but also preset usage of such data. On receiver interactive or automatic determination (22) whether received policy of confidentiality is acceptable is carried out. If yes, receiver picks up (30) usage data identified in confidentiality policy from storage, and sends them (28) to sender of confidentiality policy.

EFFECT: increased confidentiality of usage of information about habits of users viewing.

15 cl, 3 dwg

FIELD: physics.

SUBSTANCE: invention is related to method for data recording for memory of portable terminal and to memory carrier. Method for recording data for memory of portable terminal contains a stage of reading, at which data is read that is saved on memory carrier of portable terminal; stage of data comparison, at which identifying data are compared, which are individual for user of portable terminal and read from memory carrier, with user registration data registered earlier, and a record command is brought to device of data reading/recording, only when data is approved; recording stage involving recording applied data required for portable terminal to memory carrier under the condition that at the stage of data comparison a record command is sent; stage of activation involving activation of portable terminal, to which memory carrier is connected. Memory carrier contains program, by means of which actions of the said method are enabled.

EFFECT: safety of saving data required for activation of portable telephone.

2 cl, 44 dwg

FIELD: physics, computation technology.

SUBSTANCE: invention concerns method and device of digital rights management. When authorisation on server is not accessible, operations with minimised risk are allowed by implementation of internal authorisation scheme. Authorisation method for operation to be performed on digital element involves definition of first operation group members including first predetermined group of operations on digital element, and second operation group including second predetermined group of operations on digital elements; comparison of predetermined operation to be performed on digital element to operations included in each indicated operation group; external authorisation with access to authorising server if operation belongs to first operation group; internal authorisation by device if operation belongs to second operation group; and authorisation of operation to be performed on digital element if one of listed authorisations brings positive result.

EFFECT: enhanced security level of operations with digital content.

13 cl, 5 dwg

FIELD: information technologies.

SUBSTANCE: data of serial interface for detection of dual-in-line memory module (DIMM) presence in electronically erasable programmable read-only memory (EEPROM) is encoded using closed key of motherboard with which this dual-in-line memory module (DIMM) is to be used, so that only basic input-output system (BIOS) of specified motherboard could decode presence detection serial (SPD) interface data to complete downloading.

EFFECT: improving protection of computer system integrity by blocking the use of memory modules retrieved from original motherboard in another motherboard.

15 cl, 2 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention is related to protection systems. Unit of protection and method realise requests for data from USB device or other similar device, at that protected component may realise protected communication to device without variation of underlying USB bus protocol, or device, even where software that controls the bus is not trusted. Protection unit (physically separated or integrated in device or concentrator) intercepts data transmitted from device into protected component in response to request for data. Signal of data reception confirmation unavailability is transmitted into protected component, and data are coded. The following request for data is intercepted, and coded data are sent in response. Confirmation of data reception from protected component in device is allowed to reach the device. In order to process request for installation, permit command that contains coded and decoded installation command is sent to protection unit. If coding is checked successfully, then installation command sent to device (via protection unit), is allowed to reach the device.

EFFECT: provision of improved protection.

32 cl, 6 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention is related to methods and devices for performance of operation requested by user over content element. Invention is intended for authorization of operation requested by the first user over content element on the basis of user right. User right may identify the first user or second user and authorise performance of requested operation by user over content element. If user right identifies the second user, then operation is authorised on reception of information on relation of the user right of the first user and user right of the second user. It is preferable that information consists of one or more domain certificates that identify the first and second users as members of one and the same authorised domain. It is preferable that right for content is used, which permits the operation, at that user right authorises performance of right for content by the second user.

EFFECT: provides control of rights for content for groups of people on the basis of persons, not devices.

19 cl, 3 dwg

FIELD: physics; computer engineering.

SUBSTANCE: present invention pertains to control of generation of cryptographic keys in an information media, comprising a party which generates the key and distributes the key information for the party using the key. Through a given unilateral function of deriving keys, a relationship between key generations is determined, which is such that, earlier generation of keys can be more efficiently derived from later generation, but not the opposite. Each time, when necessary, the party using the key iteratively receives the given unilateral function of deriving keys for outputting the key information of at least, one previous key generation from the key information of new key generation. That way, memory requirements for the party using the key can considerably be reduced.

EFFECT: protection of data during recording.

32 cl, 6 dwg

FIELD: physics, computer facilities.

SUBSTANCE: invention concerns an information processing device, system and method of updating of the software. When user computer 103 sends the identifier of the user to central computer 102, central computer 102 orders to user computer 103 to gain the URL-address of field of 104 storages of modules which corresponds to the identifier of the user and stores modules which the user should gain. User computer 103 provides access to field of storage of modules by means of the URL-address, gains the list of modules, and compares the list to modules which are placed by the current moment on it, and the solution on makes, whether it is necessary to gain modules. If the solution on necessity of reception of modules, the user computer 103 recurringly is accepted access provides to field of storage of modules and gains the module.

EFFECT: simple and convenient updating of the software and simultaneous decrease of load on users, suppliers of the software and the central computer.

11 cl, 17 dwg

FIELD: physics, computer technology.

SUBSTANCE: invention concerns network management, particularly system and method of principal identification in network environment. Improved network architecture applies superauthorised unit holding identification data catalogue for forwarding request identification tasks to logical input of relevant authorised units. Identification tasks can be implemented by authorised units over name space boundaries if superauthorised unit prescribes so, resulting in principal account transition without account ID change. Version of invention implementation identification data catalogue containing a list connecting account identifiers to the relevant identifying authorised units.

EFFECT: possible transition of principals over security boundaries without changing account identifiers and resource protection level.

25 cl, 8 dwg

FIELD: physics, computer technology.

SUBSTANCE: invention concerns method of first radio communication network (WLAN) user identification and payment charging for services of communication between user device (laptop) and first radio communication network (WLAN), involving use of mobile radio communication system including mobile station (MS) and mobile radio communication network (PLMN). User and/or mobile station (MS) identification data is transmitted by user device (laptop) from first radio communication network (WLAN) to mobile radio communication network (PLMN), or mobile station (MS) sends information request signal to mobile radio communication network (PLMN) for access to first radio communication network (WLAN). In response, mobile radio communication network (PLMN) sends charged short message to mobile station (MS), containing information on access to first radio communication network (WLAN). Payment charging for communication between user device (laptop) and first radio communication network (WLAN) is performed by charging for short message in mobile radio communication system.

EFFECT: possible user identification and payment charging for the use of first radio communication network (WLAN) without involving new equipment and additional investments.

8 cl, 3 dwg

FIELD: physics, computer technology.

SUBSTANCE: invention concerns digital rights management system. (DRM) features multiple DRM servers with DRM functionality, and incoming server DRM-I is registered in the system by registration server DRM-R, so that incoming server DRM-I should be a trust server in this system. DRM-I server sends registration request to DRM-R server including representative identification data and public key (PU-E). DRM-R server checks validity of representative identification data, and if the request can be met, DRM-R server generates digital registration certificate by (PU-E) for DRM-I server for registration of DRM-I server in DRM system. Just registered DRM-I server with generated registration certificate can use it for delivery of documents with DRM in DRM system.

EFFECT: possible controlled reproduction or replay of arbitrary digital content forms in medium where documents are shared by a definite group of users.

74 cl, 17 dwg

FIELD: physics, computer facilities.

SUBSTANCE: invention concerns methods of guidance of document circulation in safety system. Develop inquiry about change of access rights of the subordinated employee by higher means of input by the higher employee of data about change of access rights in the IT system, thus a system web portal carries out activities over inquiry during inquiry life cycle. Then handle inquiry about change of access rights of the subordinated employee, for the purpose of definition of the information necessary for performance of the further procedure of processing of inquiry and development of instructions. After process of decision-making concerning granting of access rights to resources of the IT-system to the employee who is in submission authorise inquiry. The method also includes inquiry about realisation by means of appointment of the executor for all instructions of inquiry and modification of text instructions and performance of instructions by means of change of a state of IT system by the appointed executor. The expedient can include the control over performance of instructions by means of monitoring of a correctness of changes of access rights and acknowledgement of conformity of these changes to blanket instructions.

EFFECT: integrating and the self-acting coordination of procedures of guidance of identification of users and access rights.

9 cl, 17 dwg

FIELD: engineering of devices and methods for using server for access to processing server, which performs given processing.

SUBSTANCE: for this in accordance to method reservation is requested, reservation is confirmed, authentication information included in reservation information is stored, service is requested on basis of authentication information, server utilization is authenticated and server is utilized on basis of authentication result, while on stage of reservation confirmation device for controlling reservation transfers reservation setting information, and on stage of authentication server utilization is only confirmed when authentication information matches authentication information transferred from user terminal. Device contains receiving means, information generation device and transmitting means.

EFFECT: creation of method for using server, device for controlling server reservation and means for storing a program, capable of providing multiple users with efficient utilization of functions of processing server with simultaneous decrease of interference from unauthorized users without complicated processing or authentication operations.

6 cl, 51 dwg

Up!