Apple Files Two Major Security Patents to Combat Identity Theft, More

The US Patent & Trademark Office published eleven patent applications from Apple Inc. today. The notables within this group include one pertaining to MobileMe (which was posted earlier this morning) and two others relating to new security measures that Apple is working on to combat viruses, trojan horses and perhaps more importantly, identity theft. Identity theft is on the rise, affecting almost 10 million victims in 2008 which was a whopping 22% increase over 2007, according to recent statistics. According to Fortune, Mac owners are richer: 36% have household incomes greater than $100,000, compared with 21% of all U.S. consumers. In context, those who were twice as likely to be victims of identity theft were households with incomes higher than $70,000, according to a US DOJ 2005 report. So it stands to reason that Apple is focusing on how to combat this threat facing their customer base – and today we see two highly detailed patents on the topic of security.

Background Overview

As more and more computing devices are being used in people's daily life, security has become a widespread concern for users and content providers. Viruses, worms, Trojan horses, identity theft, software and media content piracy, and extortion using threats of data destruction are rampant. Usually, these attacks involve installing and executing malicious software codes to expose access to device resources that would otherwise be private to the system, the content provider, the user or an application.

For example, a hacker program when running in consumer computing devices developed to play audio/video content, such as Hollywood movies or music, could potentially allow the cracking of the encryption used to secure the A/V content. Therefore, high levels of security are usually required for such devices.

An operating system may provide some security features to guard against such attacks. However, the security features of an operating system often fail to keep up with new attacks occurring on a daily basis. Moreover, when booting a computing device, security features may not yet be initialized and are vulnerable to bypass and/or tampering. Another way to guard against these attacks is to completely seal a computing device from installing and/or running any additional software after shipped out from manufacturers. Such a strict measure, however, severely limits the capabilities and the flexibilities of the underlying computing device. Not only does it make upgrading a computing device costly and difficult, it is not able to take advantage of increasing number of applications which do require downloading and running software codes from outside the device. In addition, the rapid technology advancement usually renders the applications or functionalities originally built inside a computing device obsolete within a very short period of time.

Therefore, current security measures do not deliver a robust solution to protect applications and content inside a computing device, while at the same time providing the flexibility to update the software and or firmware for the device.

Patent Summary: Code Image Personalization for a Computing Device

A method and apparatus for personalizing a software component to be executed in particular environment are described in this patent. A software component is personalized with the effects similar to licking the cookie. According to an aspect of the invention, in response to an executable code image representing a software component to be installed in an electronic device, the executable code image is encrypted using an encryption key, where the software component, when executed, is configured to establish an operating environment of the electronic device. The encryption key is then wrapped with a unique identifier (UID) that uniquely identifies the electronic device, where the UID is embedded within a secure ROM (read-only memory) of the electronic device. The wrapped encryption key and the encrypted executable code image are then encapsulated into a data object to be stored in a storage of the electronic device, such that when the electronic device is subsequently initialized for operation, the executable code image can only be recovered using the UID of the electronic device to retrieve a decryption key corresponding to the encryption key in order to decrypt the executable code image encrypted by the encryption key.

According to another aspect of the invention, in response to a data object having an executable code image embedded therein, a decryption key is recovered from the data object using a unique identifier (UID) that uniquely identifies an electronic device, where the UID is embedded within a secure ROM (read-only memory) of the electronic device. The executable code image is then recovered from the data object using the recovered decryption key, where the executable code image is previously encrypted using an encryption key corresponding to the decryption key, which is stored within the data object and wrapped by the UID associated with the electronic device. Thereafter, the recovered executable code image is executed to establish at least a portion of an operating environment of the electronic device.

Method 1: Secure Booting

Apple's patent FIG. 1 is a block diagram illustrating one embodiment of system components for secure booting. Details of FIG.1: System 100 may include one or more chips inside a device. In one embodiment, system 100 may include a chip 105 coupled with a memory component 103. Chip 105 may be implemented as a system-on-chip (SOC) configuration. Chip 105 may also include a RAM (Random Access Memory) component 111, such as an SRAM (Static Random Access Memory) or an EDRAM (Embedded Dynamic Random Access Memory). A code image may be loaded into the memory component 103 prior to being executed by the device. When executed, a code image enables a user application, a system application, and/or an operating environment (e.g. operating system) for the device that supports the user or system application. In one embodiment, memory component 103 includes DDR (Double Data Rate) memory. Chip 105 may include a ROM 113 storing codes 115 and associated data 117.

Data Processing System for Portables

Apple's patent FIG. 9 shown above presents us with an example of another data processing system which may be used with one embodiment of the present invention. The data processing system shown in FIG. 9 may also pertain to Apple's iPhone, iPod touch – and even through to Apple's iPod Nano, according to the patent. In other embodiments, the data processing system 900 may be a network computer or an embedded processing device within another device.

Patent Summary: Single Security Model in Booting a Computing Device

A method and apparatus for securely booting software components in an electronic device to establish an operating environment are described in this patent. According to an aspect of the invention, software components are to be executed in sequence in order to establish an operating environment of a device. For each software component, a security code is executed to authenticate and verify an executable code image associated with each software component using one or more keys embedded within a secure ROM (read-only memory) of the device and one or more configuration settings of the device which may be hardware, software, or a combination of both. The security code for each software component includes at least one common functionality to authenticate and verify the executable code image associated with each software component. In response to successfully authenticating and verifying the executable code image, the executable code image is then executed in a main memory of the device to launch the associated software component.

According to another aspect of the invention, an executable code image representing a software component is to be installed in an electronic device, where the software component is used to establish an operating environment of the electronic device. A signature generation process, such as a hash operation, is performed on at least a portion of the executable code image to generate a signature for the executable code image. The signature is then signed using a certificate of a certificate chain derived from a root certificate that matches a fingerprint embedded within a secure ROM (read-only memory) of the electronic device, where the fingerprint may include identities uniquely identify the electronic device or an entity associated with the electronic device (e.g. manufacturer, distributor, or retailer etc.) The signature, the certificate chain, and the executable code image are then embedded into an object signed by a leaf certificate of the certificate chain. The object is to be stored in a storage within the electronic device, such that the object can be subsequently authenticated and verified using the certificate chain before being loaded in order to establish an operating environment of the electronic device.

Method 2: Secure Booting

Apple's patent FIG. 2 is a block diagram illustrating one embodiment of system components executing secure booting.

Apple credits Joshua de Cesare Dallas Blake De Atley, Jonathan Andrews and Michael Smith as the inventors of both patent applications 20090259855 and 20090257595.

Other Noteworthy Patent Applications Published Today

Diffusion-Limited Adaptive Battery Charging: Apple's patent generally relates to techniques for charging a battery. More specifically, the present invention relates to a method and apparatus for charging a lithium-ion battery which adaptively controls the lithium surface concentration to remain within set limits. For more details, see patent application 20090256528.

Adaptive Surface Concentration Batter Charging: Apple's patent generally relates to techniques for charging a battery. More specifically, the present invention relates to a method and apparatus for charging a lithium-ion battery which adaptively controls the lithium surface concentration to remain within set limits. For more details, see patent application 20090259420.

System and Method for Masking Visual Compression Artifacts in Decoded Video Streams: Apple's patent generally relates to techniques for processing decoded video data and, more particularly, to techniques for generating and adding random noise to mask visual compression artifacts in decoded video data. For more details, see patent application 20090257507.

Location Determination Using Formula: Apple's patent presents a method which includes determining a location of the mobile device using a formula that uses: locations of the multiple transmitters, a first function of the power information and a second function of respective locations of the multiple transmitters. The method can include recording the determined location. For more details, see patent application 20090258660.

There are two continuation patents posted today, one of them being "Display Housing for Computer Device." This is about MacBooks and the context is the "lid of a portable computer." All of the patent figures relate to the MacBook and not a tablet. Definitely not a tablet.

NOTICE: Patently Apple presents only a brief summary of patents with associated graphic(s) for journalistic news purposes as each such patent application and/or grant is revealed by the U.S. Patent & Trade Office. Readers are cautioned that the full text of any patent application and/or grant should be read in its entirety for further details. For additional information on today's patent(s), simply feed the individual patent number(s) noted above into this search engine. To read this report in another major language, use Yahoo! Babel Fish.

Posted by Jack Purcher on October 15, 2009 at 10:27 AM in 1A. Patent Applications | Permalink | Comments (0)