Data processing: database and file management or data structures – Database design – Data structure types
Reexamination Certificate
1999-06-03
2002-05-21
Coby, Frantz (Department: 2771)
C707S793000
active
06393420
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to a computer system, and deals more particularly with a method, system, and computer readable code for validating that a document or executable to be served from a server is the same original document or executable placed on the server by the legitimate author or owner.
2. Description of the Related Art
Use of the Internet and World Wide Web has skyrocketed in recent years. The Internet is a vast collection of computing resources, interconnected as a network, from sites around the world. It is used every day by millions of people. The World Wide Web (referred to herein as the “Web”) is that portion of the Internet which uses the HyperText Transfer Protocol (“HTTP”), a protocol for exchanging messages. (Alternatively, the “HTTPS” protocol can be used, where this protocol is a security-enhanced version of HTTP.)
A user of the Internet typically accesses and uses the Internet by establishing a network connection through the services of an Internet Service Provider (ISP). An ISP provides computer users the ability to dial a telephone number using their computer modem (or other connection facility, such as satellite transmission), thereby establishing a connection to a remote computer owned or managed by the ISP. This remote computer then makes services available to the user's computer. Typical services include: providing a search facility to search throughout the interconnected computers of the Internet for items of interest to the user; a browse capability, for selecting Web pages from a server location which are then served or delivered to the user and displayed on the local computer; download facilities, for requesting and receiving information from the Internet including (but not limited to) documents, Web pages, and executable programs; and an electronic mail facility, with which the user can send and receive mail messages from other computer users.
The user working in the Internet environment will have software running on his computer to allow him to create and send requests for information, and to see the results. These functions are typically combined in what is referred to as a “Web browser”, or “browser”. After the user has created his request using the browser, the request message is sent out into the Internet for processing. The target of the request message is one of the interconnected computers in the Internet network, commonly referred to as a “server”. That server computer will receive the message, attempt to find the data satisfying the user's request, and return the located information to the browser software running on the user's computer. This server process is referred to herein as “serving” or “publishing” the information.
The information that is available on the Internet is placed there by the owner(s) of the information for the purpose of making it available to users for downloading, reading (i.e. browsing), executing (i.e. executables), etc. (The “owner” in this case is the author of the materials or someone who has been delegated to manage the materials on behalf of the author.) Typically, users of the information are only given “read access”, and are not allowed to alter the owner's original information that is stored on the server. If the material is sensitive in nature and is intended for access by a limited set of users such as a specific company, work group or organization, then typically some form of user authorization process is employed to limit read access to the information only to specific users. This normally involves a security system that will ask the user for a predefined password in an attempt to verify the identity of the requesting user. Once the user proves to be authorized to access the material, they are allowed to browse the information, download it, etc. If, on the other hand, the information is intended for public access, then a user authorization process is not used and anyone with access to the Internet has free read access to the information.
The legitimate owners of the information placed on the Internet, as well as the ISPs, must also protect Internet resources such as the Internet servers where owners' information is stored and accessed by users. The ability to write to these servers, or “write access”, is normally controlled by some form of security system that verifies the user has legitimate access to the information (typically the owner or author). Controlling write access to the servers is critical since it is the facility used by legitimate authors or owners to store, update or otherwise maintain the material available to the Internet users. Normally, write access to Internet servers is not granted to typical Internet users—with the possible exception of personal Web pages that may be offered to Internet users by their ISP. Even then, the ISP protects the Internet servers by typically requiring the user to verify who they are through a security system, and limits the user's write access on the Internet server to only the data the Internet user owns.
Hackers have been able to bypass the various security systems in the past and, despite continuing efforts to improve security systems, it can be assumed that hackers will continue to penetrate security systems and gain unauthorized access to resources such as the Internet servers. Hackers may access Internet servers for a variety of reasons, and may perform many different kinds of acts once they gain access to a server. They may obtain read access to documents for which they are not authorized. Or, they may alter or remove files or executables that are available to be served to users requesting the information. More malicious acts of hackers include planting viruses, removing files, replacing files with corrupted material, or other acts damaging the server content, or even causing the server to fail completely. The more severe forms of tampering, such as disabling a server site on the Internet, are normally detected quickly since anyone trying to access the server will receive some form of indication of the failure. Other forms of tampering, such as replacing legitimate material with malicious materials or planting a virus, may go undetected for a long period of time. During the time period from the alteration to its detection, the material may have been served to thousands of unsuspecting users. Because of the communication paradigm used for Internet computing, it is typically impossible to notify all the users who have received corrupted information after the fact. Instead, the material will continue to be served until the alteration is detected and appropriate measures are taken (such as removing the material or even disabling the site). There is currently no systematic way to detect altered content in this environment. The owner of material that has been corrupted may be notified by a user who has received the corrupted material. Or, the owner may notice the tampering during a review of the server content. 
It is, however, unlikely that an owner will perform such a review on a timely basis. It is even more unlikely that a user of the information will be able to detect subtle alterations to the served material.
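The gap described above, altered or planted content being served until someone happens to notice, can be made concrete with a serve-time check. The following is an added illustration, not code from the patent and not its claimed method; it assumes the owner records a SHA-256 digest for each file at publish time in a manifest kept where stolen write credentials for the server do not reach, and the names `publish`, `serve`, and `IntegrityError` are hypothetical.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


class IntegrityError(Exception):
    """Raised instead of serving content that fails validation."""


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish(root: Path, rel: str, data: bytes, manifest: dict) -> None:
    """Owner-side step: store the file and record its digest."""
    (root / rel).write_bytes(data)
    manifest[rel] = digest(data)  # assumption: manifest is stored off the server


def serve(root: Path, rel: str, manifest: dict) -> bytes:
    """Server-side gate: return the bytes only if they match the manifest."""
    expected = manifest.get(rel)
    if expected is None:
        raise IntegrityError(f"{rel}: not published by the owner")
    data = (root / rel).read_bytes()  # hash the same bytes that get returned
    if not hmac.compare_digest(digest(data), expected):
        raise IntegrityError(f"{rel}: differs from the published original")
    return data


def demo() -> dict:
    """Constructed scenario: one untouched file, one altered, one planted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root, manifest = Path(tmp), {}
        publish(root, "index.html", b"<h1>Court notices</h1>", manifest)
        publish(root, "setup.bin", b"\x7fELF original build", manifest)
        # Simulated tampering by someone holding stolen write access.
        (root / "setup.bin").write_bytes(b"\x7fELF altered build")
        (root / "extra.html").write_bytes(b"<h1>planted page</h1>")
        for rel in ("index.html", "setup.bin", "extra.html"):
            try:
                serve(root, rel, manifest)
                results[rel] = "served"
            except IntegrityError:
                results[rel] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the protection on the manifest: if the same write access that alters a file can also rewrite its recorded digest, the alteration passes.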
Even when password protection is in place for read and write access to the information on a server, it is still possible for malicious alteration to occur. There are many well known sniffer attacks where FTP (file transfer protocol) and telnet passwords are intercepted during legitimate transmission and then used by hackers to modify a site. For example, several U.S. government judicial and law enforcement sites have been hacked such that the text and images available from the site were altered. One solution is to use secure shell or secure file transfer to hide the password, but strong encryption is generally required to provide adequate protection. A disadvantage of this solution is that strong encryption is subject to government regulation and, in cases where content does not need to be kept private, the encryption is computational overhead that
Coby Frantz
Doubet Marcia L.
Doudnikoff Gregory M.