United States Patent and Trademark Office

November 21, 2001

THIS IS TO CERTIFY THAT ANNEXED HERETO IS A TRUE COPY FROM THE RECORDS OF THE UNITED STATES PATENT AND TRADEMARK OFFICE OF THOSE PAPERS OF THE BELOW IDENTIFIED PATENT APPLICATION THAT MET THE REQUIREMENTS TO BE GRANTED A FILING DATE UNDER 35 USC 111.
`
`
`
`
`
`
`
`
`
`
TO ALL TO WHOM THESE PRESENTS SHALL COME:
UNITED STATES DEPARTMENT OF COMMERCE
`
`
`
`
`
`
`
`
`
`
`
`
`
`
By Authority of the
COMMISSIONER OF PATENTS AND TRADEMARKS
`
`
`
`
APPLICATION NUMBER: 60/234,152
FILING DATE: September 21, 2000

PRIORITY DOCUMENT
SUBMITTED OR TRANSMITTED IN COMPLIANCE WITH RULE 17.1(a) OR (b)

N. WOODSON
Certifying Officer
`
`
`
`
`
`
Page 1 of 16

GOOGLE EXHIBIT 1007
`
`
`
PROVISIONAL APPLICATION FOR PATENT COVER SHEET
PTO/SB/16 (2-98)
Approved for use through 01/31/2001. OMB 0651-0037
Patent and Trademark Office; U.S. DEPARTMENT OF COMMERCE
Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.

Please type a plus sign (+) inside this box

This is a request for filing a PROVISIONAL APPLICATION FOR PATENT under 37 CFR 1.53(c).

INVENTOR(S)/APPLICANT(S)
Given Name (first and middle [if any]) | Family Name or Surname | Residence (City and either State or Foreign Country)
Michael | Brown | 7 Danube Drive, Heidelberg, Ontario NOB 1YD, CANADA
[x] Additional inventors are being named on the ___ separately numbered sheets attached hereto

TITLE OF THE INVENTION (286 characters max)
CODE SIGNING SYSTEM AND METHOD

CORRESPONDENCE ADDRESS
Direct all correspondence to:
[ ] Place Customer Number here (Type Customer Number here)
OR
[x] Firm or Individual Name
David B. Cochran, Esq.
Jones, Day, Reavis & Pogue
North Point, 901 Lakeside Avenue
Cleveland
Telephone | Fax

ENCLOSED APPLICATION PARTS (check all that apply)
[ ] Specification    Number of Pages [ ]
[ ] Small Entity Statement

METHOD OF PAYMENT OF FILING FEES FOR THIS PROVISIONAL APPLICATION FOR PATENT (check one)
[ ] A check or money order is enclosed to cover the filing fees
[x] The Commissioner is hereby authorized to charge filing fees or credit any overpayment to Deposit Account Number: 501432
FILING FEE AMOUNT ($): $150.00

The invention was made by an agency of the United States Government or under a contract with an agency of the United States Government.
[x] No.
[ ] Yes, the name of the U.S. Government agency and the Government contract number are:

Respectfully submitted,
SIGNATURE: David B. Cochran    Date:
TYPED or PRINTED NAME: David B. Cochran
REGISTRATION NO. (if appropriate): 39,142
TELEPHONE: (216) 586-3939
Docket Number: 555255012173

USE ONLY FOR FILING A PROVISIONAL APPLICATION FOR PATENT
This collection of information is required by 37 CFR 1.51. The information is used by the public to file (and by the PTO to process) a provisional application. Confidentiality is governed by 35 U.S.C. 122 and 37 CFR 1.14. This collection is estimated to take 8 hours to complete, including gathering, preparing, and submitting the complete provisional application to the PTO. Time will vary depending upon the individual case. Any comments on the amount of time you require to complete this form and/or suggestions for reducing this burden, should be sent to the Chief Information Officer, U.S. Patent and Trademark Office, U.S. Department of Commerce, Washington, D.C., 20231. DO NOT SEND FEES OR COMPLETED FORMS TO THIS ADDRESS. SEND TO: Box Provisional Application, Assistant Commissioner for Patents, Washington, D.C., 20231.
`
`
`
`
`
Page 2 of 16
`
`
`
PROVISIONAL APPLICATION COVER SHEET
Additional Page
PTO/SB/16 (2-98)
Patent and Trademark Office; U.S. DEPARTMENT OF COMMERCE
Approved for use through 01/31/2001. OMB 0651-0037
Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.

Docket Number: 555255012173

INVENTOR(S)/APPLICANT(S)
Given Name (first and middle [if any]) | Family or Surname | Residence (City and either State or Foreign Country)
[illegible] | Little | 523A Rosemeadow Crescent, Waterloo, Ontario N2T 129, CANADA
[illegible] | [illegible] | 254 Castlefield Ave., Waterloo, Ontario N2K 2N1, CANADA

Number 1 of [ ]
`
`
`
Page 3 of 16
`
`
`
`.
`
`Title:
`Inventor(s):
`Assignee:
`
`Code Signing System and Method
`Michael Brown,Herb Little, David Yach
`Research In Motion Limited
`
`BACKGROUND OF THE INVENTION
`BAVLAGKYVL™Oe
`
`
`
`
Field of the Invention
This invention relates to security protocols with Java programs. Specifically, this invention relates to assigning a digital signature to a Java program in order to use it on a mobile communications device (herein collectively called devices).

Description of the Prior Art
When a Java application arrives on a device such as the RIM Wireless Handheld 957™, there is a need to control the access that the application has. For example, if a product is to be exported, access to strong cryptographic routines must be restricted. Interfaces to a radio transmitter may be protected so that destructive applications are unable to flood the wireless network with data; similarly, interfaces to a database or file system may be protected so that destructive applications are unable to fill a device's storage space with unwanted data.
`
SUMMARY OF THE INVENTION
It is an object of the invention to provide an improved code signing system and method.
It is an object of the invention to oversee the management and execution of

-1-
`
Page 4 of 16
`
`
`
Java applications arriving at the device;
It is an object of the invention to verify that any application has been digitally signed as having permission to carry out its intended function;
It is an object of the invention to prevent unacceptable applications from gaining access to strong cryptographic routines and any other application programming interface (API) designated by its author as “sensitive”;
In the present invention, digital signatures are used to control access to sensitive APIs, thereby allowing access to only those applications that have been digitally signed by the author of a sensitive API.
In the invention, a Java application, which will access an API, is developed to run on a device. In order to run on the device and access the sensitive API, the author of the API must approve the application by attaching a digital signature using the author's private key. Whenever the application on the device is executed, the signed application will be verified. The author of any API may decide that the API should not be exposed to every application on the device, but only to those that have been verified to be non-destructive, or for which some business arrangement pre-exists, for example.
Further features of the invention will be described or will become apparent in the course of the following detailed description.
`
`
BRIEF DESCRIPTION OF THE DRAWINGS
In order that the invention may be more clearly understood, at least one embodiment thereof will now be described in detail by way of example, with reference to

-2-
`
Page 5 of 16
`
`
`
the accompanying drawings, in which:
Fig. 1 is a system diagram of the invention;
Fig. 2 is a diagram illustrating the components of the invention on the device;
Fig. 3 is a detailed flow diagram of the signing process; and,
Fig. 4 is a detailed flow diagram of the handling of a signed application on the device.
`
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The detailed description of the invention will now be described with reference to Figures 1-4.
FIG 1 is an overall system diagram of the invention. An application development firm Y, 2, creates a Java application Y, 4, to run on the device 12 and access some sensitive API 6. Before the device application Y can be executed and granted access to the sensitive API, the author of the sensitive API must sign the application; that is, using the author's private key, the author of the API 6 must attach a digital signature to the application, creating the signed application 8. The signed application may now access the sensitive API it requires when it arrives on the device. The signed application may be sent via the wireless network 9 or via a serial link (not shown) to the device. The Java virtual machine (as shown in Fig. 2) on the device will verify the digital signature of the signed application before allowing the signed application access to the sensitive API.

-3-
`
Page 6 of 16
`
`
`
FIG 2 is a diagram of the basic components of the invention on the device. The basic components on the device include the Java virtual machine 20, applications 22, and libraries 24. The Java virtual machine is responsible for managing the linking and execution of all Java applications that are running on the device. The applications are those that have been sent to the device over the wireless network or through a serial link; these applications may need to be linked with other libraries on the device before being run. The libraries are those with which the applications may need to be linked; these libraries may expose sensitive APIs. If a library exposes a sensitive API, it must contain the following three items:
a) A string 26 that provides a short description of the contents of the library;
b) A public key 28 corresponding to the private key held by the author of the API; this public key will be used to verify signatures on signed applications that require access to the API;
c) An API identifier 30 that uniquely identifies the API.
Any signed application 23 on the device must contain the following three items:
a) The Java byte code that is to be run;
b) One or more digital signatures;
c) An API identifier for each digital signature indicating which API the digital signature protects.

FIG 3 is a flow diagram of the code signing scheme. If an application developer is writing an application that will require access to a sensitive API on a device, the finished application will need to be signed before it can run on the device. The

-4-
`
Page 7 of 16
`
`
`
developer can write an application 4, and can test it using a device simulator (not shown) because signature checking is disabled in the device simulator environment. Once the developer is satisfied that the application is working properly, in step 44, he submits it to the author of the protected API to have the application reviewed and possibly signed. In step 46, the author of the protected API is responsible for reviewing the application that has been sent to him and verifying that it may be granted access to the sensitive API on the device. The author may have a plurality of criteria by which the author makes his decision. In step 48, the author makes a determination of whether or not to sign the submitted application. If the author is satisfied, in step 50, the author signs the application using the author’s private key, and appends the digital signature (including the API identifier) to the application. The signed application is then returned to the application developer as in step 52. The application developer may then send the signed application, as in step 54, to a real device for execution therein. In step 56, if the author does not accept the code, the developer receives a rejection notice and the submitted application will not run on the device, if sent to it.

FIG 4 is a flow diagram of the method that the device uses to handle a signed application. Once an application has arrived on the device in step 60, the virtual machine may begin the verification process. Any libraries that the application requires must also be present on the device before the process can continue. Once the device has all of the libraries required by the application, it will determine whether the application needs access to a sensitive API within one of these libraries in step 62. If not, the application can be linked with all of the libraries it requires, and executed in step 76. In

-5-
`
Page 8 of 16
`
`
`
step 64, if the application does require access to a protected API, the virtual machine can extract the public key and API identifier from the library exposing the API. Then, in step 66, the virtual machine looks through all of the signatures appended to the application, and tries to find one with an identifier matching the API identifier extracted from the library. The virtual machine determines if there is a match in step 68. If the signature cannot be verified, in step 74, the application is not loaded or executed. In one embodiment, the non-verified application is purged from the device. If the signature is verified properly in step 70, the application must have been signed using the private key matching the public key in the library; only the author of the sensitive API has access to that private key, thus the author of the API must have been satisfied that this application should be granted access to the sensitive API. The virtual machine will display a notification message to the user, including the description of the API required by the application, similar to: “Application X requires access to the ‘strong cryptographic primitives’ API.” The user will then be asked if the application should be allowed to proceed. If the user chooses to execute the application, the virtual machine will continue to link the application. Once the linking process is complete, the application will be executed as in step 72; otherwise, the application will be executed.

It will be appreciated that the above description relates to the preferred embodiment by way of example only. Many variations on the invention will be within the scope of those knowledgeable in the field, and such variations are within the scope of the invention as described and claimed, whether or not expressly described.
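The library and application structures of FIG 2, the signing step of FIG 3 (step 50) and the device-side handling of FIG 4 (steps 60 through 76), carried through in working code as an added example; this is not part of the original application and not Research In Motion's code. The example assumes Ed25519 from Go's standard library as the signature scheme (the description names no particular algorithm), represents the application and library as Go structs rather than Java class files, and assumes the virtual machine learns which libraries an application links against from a list carried by the application itself. The library names, API identifiers, descriptions and byte code are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Library models the three items a library exposing a sensitive API must carry:
// a short description string, the API author's public key, and an API identifier.
// APIID is empty for a library that exposes no sensitive API.
type Library struct {
	Description string
	PublicKey   ed25519.PublicKey
	APIID       string
}

// Signature is one digital signature appended to an application, tagged with the
// identifier of the API it protects.
type Signature struct {
	APIID string
	Sig   []byte
}

// SignedApplication carries the byte code to run, zero or more signatures, and
// (assumption of this example) the names of the libraries it must be linked with.
type SignedApplication struct {
	ByteCode          []byte
	Signatures        []Signature
	RequiredLibraries []string
}

// Decision is the outcome of the device-side handling in FIG 4.
type Decision string

const (
	Executed Decision = "linked and executed"
	Rejected Decision = "not loaded or executed"
	UserDeny Decision = "user declined"
)

var ErrMissingLibrary = errors.New("required library not present on device")

// signedMessage binds the API identifier into the signed bytes so that a signature
// issued for one API cannot be re-labelled as covering another. This binding is a
// design choice of the example, not something the description states.
func signedMessage(byteCode []byte, apiID string) []byte {
	msg := append([]byte{}, byteCode...)
	return append(msg, []byte("\x00"+apiID)...)
}

// SignApplication is the API author's step 50: sign with the author's private key
// and append the signature, together with the API identifier, to the application.
func SignApplication(priv ed25519.PrivateKey, app *SignedApplication, apiID string) {
	sig := ed25519.Sign(priv, signedMessage(app.ByteCode, apiID))
	app.Signatures = append(app.Signatures, Signature{APIID: apiID, Sig: sig})
}

// HandleApplication follows steps 60-76 on the device: for each required library,
// decide whether a sensitive API is involved, take the public key and identifier
// from the library, look for a signature with a matching identifier, verify it,
// then ask the user before linking and executing.
func HandleApplication(libs map[string]Library, app *SignedApplication, askUser func(prompt string) bool) (Decision, error) {
	for _, name := range app.RequiredLibraries {
		lib, ok := libs[name]
		if !ok {
			return Rejected, ErrMissingLibrary // step 60: all libraries must be present first
		}
		if lib.APIID == "" {
			continue // steps 62/76: no sensitive API in this library, nothing to verify
		}
		if len(lib.PublicKey) != ed25519.PublicKeySize {
			return Rejected, nil // a sensitive library without a usable key can authorize nobody
		}
		var match *Signature
		for i := range app.Signatures { // step 66: search for the matching identifier
			if app.Signatures[i].APIID == lib.APIID {
				match = &app.Signatures[i]
				break
			}
		}
		if match == nil || !ed25519.Verify(lib.PublicKey, signedMessage(app.ByteCode, lib.APIID), match.Sig) {
			return Rejected, nil // steps 68/74: no matching signature, or it does not verify
		}
		// step 70: the signature verified; notify the user using the library's description
		if !askUser(fmt.Sprintf("Application requires access to the '%s' API.", lib.Description)) {
			return UserDeny, nil
		}
	}
	return Executed, nil // step 72 (or step 76 when no sensitive API was needed)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the API author's key pair (constructed)
	if err != nil {
		panic(err)
	}
	libs := map[string]Library{
		"cryptolib": {Description: "strong cryptographic primitives", PublicKey: pub, APIID: "api.crypto.strong"},
	}
	app := &SignedApplication{ByteCode: []byte("constructed sample byte code"), RequiredLibraries: []string{"cryptolib"}}
	SignApplication(priv, app, "api.crypto.strong")
	decision, err := HandleApplication(libs, app, func(prompt string) bool { fmt.Println(prompt); return true })
	fmt.Println(decision, err)
}
```

Two points worth noting about the design. First, the public key that verifies the signature is taken from the library on the device, never from the application, so an application cannot ship its own key and vouch for itself; this is what makes the scheme an authorization decision by the API author rather than a mere integrity check. Second, the device's check runs before linking, so a rejected application never touches the sensitive library, which matches step 74's "not loaded or executed".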
`
Page 9 of 16
`
`
`
Page 10 of 16
`
`
`
WHAT IS CLAIMED AS THE INVENTION IS:

1. A system for assigning a digital signature comprising:
a) an application written in Java that will access the device;
b) a code signing program that will maintain a public/private key pair and API identifier and assign a digital signature to the application.

2. A method for assigning and certifying a digital signature comprising steps of:
a) compiling an application to be run on a device;
b) reviewing the application;
c) accepting or rejecting the application;
d) assigning a signature to the application using the code signing program.

3. The method of claim 2d) wherein the signature is comprised of a signature generated using the private key corresponding to a sensitive API, and a unique identifier which identifies the sensitive API.

4. A system for certifying a digital signature comprising:
a) an application sent to the device with an associated library;
b) a virtual machine which manages and executes the application;
c) a public key and API identifier attached to the library to verify the signature on the application;
`
Page 11 of 16
`
`
`
d) a digital signature and API identifier attached to the application.

5. A method for certifying a digital signature comprising steps of:
a) receiving a signed application on the device;
b) determining whether the application requires secure access;
c) obtaining the public key and API identifier from the library;
d) matching the API identifier from the library with an API identifier from the application;
e) verifying that the corresponding signature on the application is correct;
f) linking the signed application with the library;
g) executing the signed application.

6. The method of claim 5 wherein the signature cannot be verified, further comprising the step of rejecting the application.

7. The method of claim 5 wherein the application does not require secure access, further comprising the step of linking the application with the associated library and executing the application without attempting to verify a signature.
`
Page 12 of 16
`
`
`
Fig. 1 (system diagram; figure image not reproduced). Labelled elements: Application developer Y; Application Y; Code signer; Signed application Y; Device.

Page 13 of 16
`
`
`
`
`
Fig 2 (components on the device; figure image not reproduced). Labelled elements: Device; Virtual Machine; Application; Library X with sensitive API; Public key to verify signature.

Page 14 of 16
`
`
`
`
`
`
`
Fig. 3 (signing process flow; figure image not reproduced). Labelled steps: Application Y uses library X; Test application Y in device simulator, wherein simulator has no signature checking schema; Application Y forwarded to code signer; Code signer reviews code of application Y; Accept code? (N: Send rejection notification to developer; Y: Code signer signs application Y with his signing authority); Return application Y to developer Y with appended signature; Send signed application Y to device.

Page 15 of 16
`
`
`
`
`
Fig. 4 (handling of a signed application on the device; figure image not reproduced). Labelled steps: Library X and signed application Y arrive on device; Application needs access to sensitive API in library? (No: Virtual Machine links application Y with library X and executes application Y); Yes: Virtual Machine gets public key and signing identity from library, looks for signature with that identity on application Y; Signature verified? (No: Application Y not loaded or executed); Yes: Execute signed application? (Yes: Virtual Machine links application Y with library X and executes application Y).

Page 16 of 16
`
`