DE10215747A1 - Software downloading method, especially for downloading of application software or updates to a mobile phone, whereby downloading is implemented using a personal area network with distributed functional parts - Google Patents

Abstract

Method for protected downloading of software (IE) to an electronic device, especially a mobile phone with the phone's target environment. The software is downloaded with two functional parts with a checking task implemented in a personal area network (PAN). A security task is also implemented. After the security task is implemented, a transfer task is carried out and the software downloaded. Neither of the functional parts carry out all the tasks. The invention also relates to a corresponding personal area network and computer program product.

Description

The invention relates to a protected download of a electronic object in a target environment, for example downloading software (software download) to or into a mobile device.

Downloading software is software download a key technology in flexible adaptation of End devices, in particular of mobile end devices specific user environments and user requirements. The software Download enables an expansion of existing ones Functionalities of end devices as well as an implementation or Installation of new additional functionalities at this, such as enhanced or new multimedia applications.

The downloaded software can be in different ways There are versions, such as binary code or machine code, for example Java bytecode or Microsoft MSIL, as so-called script, for example as a Java script or as a WML Script, or as a parameter or data file.

To download the end devices before dirty software, such as to protect with software contaminated with viruses, that will Download usually with a security check, which the downloaded software undergoes connected. This protected download is only completed or completely done when the downloaded software is a or passed several security checks successfully Has.

Such a security check is usually the integrity and authenticity of the downloaded Software checked. This usually happens because the Terminal a source or a provider of the to be downloaded Software verified and the downloaded software on Manipulations checked.

Depending on the verified source or the provider of the Software or the manipulation test decides that Terminal whether the download is carried out and the software is accepted.

In addition, a security check can also include a Authorization of the device for software download checked become. This can ensure that the software to be downloaded only on authorized devices installed and not copied illegally by them.

Some well-known security checks are exemplary called as a verification of a digital signature or a "message authentication code" (MAC) and a calculation and a comparison of hash values. Also are Security checks known which cryptographic keys, Use certificates and "policy" information.

There are various protected software downloads on end devices known from [1], [2] and [3].

From [1] is a protected by a digital signature Software download known to a computer. With this Software download provides a provider of the downloadable Software this with a digital signature, comparable an electronic signature. Using this digital signature can the target device, in this case the Computers that perform security check and that Integrity and authenticity of the downloaded software check.

With the protected software download known from [2] the software to be downloaded via a secure Information channel between the software provider and the end device transferred to the terminal and loaded there.

The protected software download known from [3] relates referred to so-called mobile agents ([12], [13]). there are executable programs that are autonomous in a network can move to specific tasks perform. In [3] a mechanism is given with which Provide execution rights to mobile agents and these rights can be checked.

Further protected software downloads are from [4] to [9] known.

For all protected software known from [1] to [9] Downloads will download the downloaded software singular terminal device, a "monolithic device". The singular The end device carries the charging process with it subsequent storage of the software as well as the Security check of the same. However, this requires of that respective terminal several different Functionalities such as a loading function, a storage function and a Check function.

The provision as well as the execution of this However, functionalities are set accordingly on the end devices Facilities and corresponding capacities, such as storage space and computing power, ahead.

In particular, mobile devices to which special Requirements for light weight, size and Energy consumption are provided, but are in their capacities limited, causing problems with protected software Download can result.

From [10] is a software download to a device Target device, a vehicle control system, which is the target device as well as other devices known.

With this software download the loading process is in divided different subtasks, like one Control device task, an update device task, a receiving device task and a configuration manager task. The Control device task, the update device task as well as the receiving device task are internal to the vehicle control system devices, d. H. the target device and the other devices of the Vehicle control system, divided and executed there. The Configuration manager task, which the highest demands Computing power and storage capacity is from the Vehicle control system outsourced and by a control unit executed, which is outside the vehicle control system located.

A Personal Area Network (PAN) is known from [11]. Such a PAN ( FIGS. 13, 1300) is formed from at least two physical, functional units (nodes) 1301 , 1302 , 1303 that are in communication with one another.

Such physical units can be, for example networked computers and / or server computers, Communication devices such as cell phones, so-called PDA or Combinations of the above devices.

The communication between the nodes 1301 , 1302 , 1303 of a PAN 1300 can be both wired and wire-free (wireless). Furthermore, the nodes 1301 , 1302 , 1303 of such a PAN 1300 are characterized in that they are all assigned to the same user. This assignment or belonging to the same user means that all nodes 1301 , 1302 , 1303 of a PAN 1300 trust each other.

If the PAN 1300 is in (communication) connection with an external communication network, such as a GSM network, a UMTS network or an Internet, this is usually done via a selected node 1301 within the PAN 1300 , which selected node 1301 forms a connection, a so-called gateway 1304, to the external communication network or to a node in the external communication network.

If electronic objects, such as data or software, are downloaded to the PAN 1300 or to a (target) node 1301 , 1302 , 1303 of the PAN 2000 , the download to the target nodes 1301 , 1302 , 1303 takes place via the selected gateway "Node 2001 and functionally like a download to a" monolithic device ". However, this requires the destination node 1301 to provide all the corresponding functionalities described, such as a loading function, a storage function and a checking function.

The invention is based on the technical problem Process for a protected download of a electronic object in a Personal Area Network (PAN) to specify the appropriate PAN and corresponding software resources, which one or as few as possible at the nodes of the PAN technical requirements.

This task is accomplished through the process by which Computer program with program code means and the computer program Product for a protected download of a electronic object into a PAN and through a PAN with the Features solved according to the respective independent claim.

• - eine Kontrollaufgabe (KA), durch welche das Herunterladen des elektronischen Objekts (IE) in das PAN überwacht wird,
• - eine Sicherungsaufgabe (SA), durch welche eine Sicherheitsüberprüfung des elektronischen Objekts (IE) durchgeführt wird,
• - eine Übertragungsaufgabe (LA), durch welche das elektronische Objekt (IE) in das PAN heruntergeladen wird.

The method for protected downloading of an electronic object (IE) into a personal area network (PAN) with at least two functional units (N1, N2) is carried out

• a control task (KA) by which the downloading of the electronic object (IE) into the PAN is monitored,
• - a security task (SA), through which a security check of the electronic object (IE) is carried out,
• - A transmission task (LA) through which the electronic object (IE) is downloaded into the PAN.

The control task (KA), the security task (SA) and the Transfer task (LA) are such on the at least two functional units (N1, N2) in the PAN split that none of the at least two functional units (N1, N2) performs all tasks (KA, SA, LA).

Synonymous with the use of the term "task" is the use of the term "function" below, for example the control task and a control function.

The Personal Area Network (PAN), set up for a protected download of an electronic object at least two functional units (N1, N2).

• - eine Kontrollaufgabe (KA), durch welche das Herunterladen des elektronischen Objekts (IE) in das PAN überwacht wird,
• - eine Sicherungsaufgabe (SA), durch welche eine Sicherheitsüberprüfung des elektronischen Objekts (IE) durchgeführt wird, und
• - eine Übertragungsaufgabe (LA), durch welche das elektronische Objekt (IE) in das PAN heruntergeladen wird.

The protected download of the electronic object (IE) into the PAN includes

• a control task (KA) by which the downloading of the electronic object (IE) into the PAN is monitored,
• - a security task (SA), through which a security check of the electronic object (IE) is carried out, and
• - A transmission task (LA) through which the electronic object (IE) is downloaded into the PAN.

The at least two functional units are of this type set up that control task (KA), the Backup task (SA) and the transfer task (LA) so on the at least two functional units (N1, N2) in the PAN are divisible that none of the at least two functional Units (N1, N2) performs all tasks (KA, SA, LA).

Under the protected download of the electronic It is understood that the downloading of the electronic object with a security check of the same connected is. The protected download is only then completed or completed, d. H. the downloaded electronic object is only accepted when one or more security checks successful run through.

Furthermore, the invention includes an electronic Object any kind of loadable or transferable To understand information or information elements, such as software, Scripts or parameter or data files.

By protected downloading of the electronic object is divided into different subtasks and the Execution of the subtasks to several distributed, functional Units in which PAN is assigned do not have to be all Tasks when downloading the electronic object from a single functional unit.

This can result in a total load, for example with respect to Computing power and storage capacity, according to one Performance of the individual functional units distributed become.

The sensible, functional division of the overall task into the subtasks, the control task, the backup task and the transfer task corresponds to a definition logical devices. Then in the implementation of the invention the subtasks or the logical devices actually physically existing functional units in the PAN, like nodes of a PAN.

Thanks to the inventive and intelligent division of the Overall task in the subtasks and allocation of Subtasks on at least two functional units of the PAN can prevent existing functional Units upgraded accordingly for the overall task and thus have to be made more expensive.

Furthermore, the invention uses the (security) property a PAN, namely that all nodes, i.e. H. all functional Units, of a PAN trust each other.

It is therefore sufficient to perform the backup task or the Security check of the downloaded electronic object from to have a functional unit carried out in the PAN, with which, if the result of the check is positive, the electronic Object at PAN level, i.e. H. for all functional Units of the PAN, is considered safe.

Are the functional units for the Security check and the transfer task apart, so there is none additional security check by the functional Unit performing the transfer task, more necessary.

Further or different technical properties of a PAN are known and described for example in [11].

The computer program with program code means is set up to perform all steps according to the inventive method perform when the program on a computer is performed.

The computer program product with on a machine readable Carrier stored program code means is set up all steps according to the inventive method perform when the program is running on a computer becomes.

The arrangement as well as the computer program with program code Means set up all steps according to the perform inventive methods when the program on a Computer is running, as well as the computer program product with stored on a machine readable medium Program code means set up to perform all steps according to the perform inventive method when the program is on running a computer are particularly suitable to carry out the method according to the invention or a his further training explained below.

Preferred developments of the invention result from the dependent claims.

The further developments described below relate both on the procedures and on the arrangement.

The invention and those described below Further training can be done in software as well as in hardware, for example using a special electrical Circuit.

Furthermore, an implementation of the invention or one in further training described possible by a computer-readable storage medium on which the computer program with Program code means is stored, which is the invention or training.

Also, the invention or any described below Continuing education realized by a computer program product be, which has a storage medium on which the Computer program is stored with program code means, which carries out the invention or further training.

In the case of further training, the PAN has three functional ones Units, for example three nodes, each of which is one of the three tasks or functions, the control task, the Backup task and the transfer task or the Control function, the safety function and the Carries out transfer function.

For example, a node that is the Control function, clearly seen as a download manager become.

The tasks, the control task, the backup task and the transfer task, can be both in time or parallel staggered in time as well as in series, d. H. chronologically in a row, run off.

It is also possible to carry out a task by make dependent on a result of another task (conditional execution of a function). For example, it is possible to carry out the transfer task only then if the backup task was carried out and / or the Backup task has delivered a predetermined result.

Coordination of tasks can be done using corresponding messages that appear between the tasks or exchanged between the functional units, be accomplished.

For example, the backup task was successful carried out, this or the corresponding functional Unit of the control task or the corresponding one functional unit to report the positive implementation, which then the execution of the transfer task by a appropriate message to the transfer task or the can initiate appropriate functional unit.

The exchange of messages, generally one Communication between tasks or functional units, can be encrypted. Appropriate Encryption mechanisms, such as asymmetric encryption well known.

Furthermore, it makes sense to split the transfer task into two To split sub-tasks, a transfer task, in which the electronic object to a target device, such as one Target node in which PAN is transmitted and one Installation task where it is indicated that the transferred electronic object now installed on the target device can be.

The division of the transfer task into two Subtasks enable the execution of the Subtasks, giving flexibility of downloading elevated.

For example, the transfer task can already be carried out in one Early phase of downloading can be done for example, before performing the backup task while the installation task at the end of the download, in this case after the implementation of the Backup task that can be performed.

Furthermore, a further functional unit in the PAN are provided, which performs a "gateway" function, for example a so-called gateway node. About this gateway node, which in turn connects with the other nodes or functional units of the PAN is connected the PAN in communication contact with other networks, such as a public network, a GSM / UMTS network or an Internet. about the gateway node can thus provide information and / or data exchanged between the PAN and another network.

In figures are an embodiment of the invention as well Modifications of the embodiment shown, which are explained in more detail below.

Show it

Fig. 1 is a sketch of a Personal Area Network (PAN) according to an embodiment;

FIG. 2 shows a sketch of an information flow when downloading an electronic object into a PAN according to an exemplary embodiment;

Figure 3 is a sketch of a modified information flow in a download of an electronic object in a PAN according to a modification of an embodiment.

Figure 4 is a sketch of a modified information flow in a download of an electronic object in a PAN according to a modification of an embodiment.

Figure 5 is a sketch of a modified information flow in a download of an electronic object in a PAN according to a modification of an embodiment.

Fig. 6 is a sketch of a modified information flow in a download of an electronic object in a PAN according to a modification of an embodiment;

Fig. 7 is a sketch of a modified information flow in a download of an electronic object in a PAN according to a modification of an embodiment;

Figure 8 is a sketch of a modified information flow in a download of an electronic object in a PAN according to a modification of an embodiment.

Fig. 9 is a sketch of a modified Personal Area Network (PAN) according to a modification of an embodiment;

FIG. 10 is a sketch of a modified Personal Area Network (PAN) according to a modification of an embodiment;

FIG. 11 is a sketch of a modified Personal Area Network (PAN) according to a modification of an embodiment;

FIG. 12 is a sketch of a modified Personal Area Network (PAN) according to a modification of an embodiment;

Fig. 13 is a diagram of a Personal Area Network (PAN) in accordance with a prior art.

embodiment Download an electronic object from a download server in a public network Personal Area Network (PAN) with distributed over several nodes Download capabilities

In Fig. 1, a Personal Area Network (PAN) 100 is shown, which is formed by a plurality of functional property with each other in contact nodes 101, 102, 103 and 109.

The PAN 100 in turn is in communication with a public network 110 . The public network includes a download server 111 , which offers software for downloading. Data can be exchanged between the public network 110 and the PAN 100 via the communication link.

Node 1 101, node 2 102 and node 3 103 have functionalities, function 1 104 (control function of node 1 101), function 2 105 (security check function of node 2 102) and function 3 106 (transfer function of node 3 103), for a download (Download) data 108 , generally electronic objects, into the PAN 100 .

The node 1 101, which is equipped with the function 1 , the control function 104, controls and monitors the download of an object 108 to be downloaded. So it starts downloading the object 108 and coordinates the functions 2 , the security check function 105 , and 3, the transfer function 106 , of the other two nodes 102 , 103 .

The node 2 102, which is equipped with the function 2 , the security check function 105 , carries out a security check on the object 108 to be downloaded. During the security check, the node 2 102 verifies a security certificate 107 connected to the object 108 to be downloaded. Appropriate verification methods are known.

The node 3 103, which is equipped with the function 3 , the transfer function 106 , loads the object 108 to be downloaded and is accordingly a so-called target node in the PAN 100 .

FIG. 2 shows an information flow or data / message flow 200 which, when the electronic object 108 is downloaded to the PAN 100, between the three nodes 101 , 102 , 103 or between the three functions, the function 1 104 (control function of the node 1 101), function 2 105 (security check function of node 2 102) and function 3 106 (transfer function of node 3 103) flows.

The following are the functions for the sake of simplicity only more described by their numbers.

Function 1 104 sends a message 201 to function 2 105, by means of which the security check 202 , which is carried out by function 2 105, of the object 108 to be downloaded is triggered.

After the security check 202 has ended , the function 2 105 informs the function 1 104 of the result of this by transmitting a corresponding message 203 .

Depending on the message 203 , the actual downloading process is carried out.

If the function 1 104 receives the message 203 of a positive security check 202 with the message 203 , the function 1 104 initiates the download of the object 108 . It sends a corresponding message (download message) 204 to function 3 106.

This triggers the download process. The process is carried out by the function 3 106 and in this case includes a transfer of the object 108 to the node 3 103 and an installation of the downloaded object 108 on the node 3 103.

After the download is complete, the downloaded and installed object 108 is on node 3 103.

In the case of a message 203 about a negative security check 202 , the function 1 104 ends the download without transmitting and installing the object 108 .

In FIGS. 3 to 8 show various modifications of downloading 200 are shown in FIG. 2 with corresponding modified information flows. Modified steps are new and labeled according to the figure designations 3 to 8 , unchanged steps are labeled unchanged according to FIG. 2.

FIG. 3 shows a download 300 of the object 108 in a form modified from the download 200 from FIG. 2.

When downloading 300 in FIG. 3, the download message (cf. FIGS. 2, 204) is separated into a first message 301 , which initiates the transmission of the object, and a second message 302 , by means of which the downloaded object 108 is installed on node 3 103 is initiated.

In the downloading 300 of FIG. 3, the two messages 301, 302 and therefore the two corresponding steps of the transmission and the installation of the object, in immediate succession after the security check 202 and the transmission of the corresponding message 203 initiated or performed.

FIG. 4 shows a download 400 similar to the download 300 according to FIG. 3, in which the two messages 301 , 302 or 401 , 402 and the two corresponding steps triggered thereby, the transmission of the object 108 and the installation of the object 108 , be carried out separately.

During the download 400 , the message 401 , which triggers the transmission of the object 108 , takes place at the beginning of the download 400 , ie before the function 1 104 sends its message 201 , by which the security check 202 is triggered, to the function 2 105.

The message 402 , which triggers the installation of the object, occurs as in FIG. 3 at the end of the download 400 .

In FIG. 5 another modification is shown 500 the downloading 200 or 400 of the object in the PAN 100, wherein also two messages 401, 501 are made for transferring and installing the object 108th

In this modified download 500 , the function 2 105 directly sends the message 501 , which triggers the installation of the downloaded object 108 , to the function 3 106. In this case, the result message 203 of the security check from the function 2 105 to the function 1 104 can be omitted ,

In the modification 600 shown in FIG. 6, in turn only one message, the download message 601 for the transmission and installation of the object 108, is sent.

This is sent by function 2 105 directly to function 3 106 at the end of the download and accordingly triggers the transfer performed by function 3 and the installation of object 108 .

FIG. 7 shows a download 700 , in which the download message is again divided into two messages 701 , 702 for the transmission and installation of the object, which in this case directly from function 2 105 to function 3 106 following the Security check 202 of object 108 can be sent by function 2 105.

In the modified download 800 according to FIG. 8, the download message is again divided into two messages 801 , 802 for the transmission and the installation of the object 108 . Both messages 801 , 802 are sent directly from function 2 105 to function 3 106, the message 801 for the transmission of the object 108 before the security check 202 of the object and the message 802 for the installation of the object after the security check 202 be sent.

The temporal separation of the download message and thus the two processes, the transmission and the installation of the object 108 , is advantageous if the transmission process of the object takes more time. During the transmission process, the security check 202 of the object 108 by the function 2 105 can be started at least in part.

It should be noted that with the various forms of downloading, communication between the nodes or between the functions can also be encrypted. Appropriate techniques are known, such as IrDA, Bluetooth, HomeRF, Tetra, IEEE 802.15 , IEEE 802.11 WLAN, Hiperlan / 1 or / 2 and ticket certificates.

FIG. 9 shows a PAN 900 slightly modified from FIG. 1, which comprises a further node, a fourth node 901 . Unchanged components have the designations according to FIG. 1, modified components are identified separately.

The fourth node 902 contains a gateway function 902 , which establishes a communication connection between the PAN 900 and the public network 110 .

In this case, the object 108 to be downloaded, including its security certificate 107 , is transmitted from the download server 111 of the public network 110 to the fourth node 901 using the gateway function 902 .

It should be noted that the object 108 to be downloaded and its security certificate 107 can also be handled separately. Both can be obtained from different sources and / or can be generated from different sources at different times. In the event that, for example, the security certificate 107 is a digital signature or an installation ticket, this or this can be issued by a corresponding unit, a license server or a ticket server.

FIG. 10 shows another PAN 1000 slightly modified from FIG. 1, in which the first node 10001 performs the function 2 105 in addition to the function 1 104.

Unchanged components have the designations according to FIG. 1, modified components are identified separately.

In this case, the PAN 1000 no longer has a second node.

Other dual functions of a node, such as shown in the in FIGS. 11 and Fig. 12 PAN 1100 and 1200 are also possible.

In the PAN 1100 shown in FIG. 11, the second node 1101 performs both the second function 105 and the third function 106 . In this case, the second node 102 is missing.

In the PAN 1200 shown in FIG. 12, the first node 1201 performs both the first function 104 and the third function 106 . In this case, the third node 103 is missing.

A sequence or a sequence log of a multi-stage protected download of an object into the PAN according to FIG. 9 is described below.

In this context, multilevel means that both asymmetric encryption method as well symmetrical encryption method for protected download be performed. Basics of the corresponding Encryption techniques are known.

The first node 101 is used as a download manager (DM), the second node 102 as a verification node (VN), the third node 103 as a target node (TN), and the fourth node 901 as a gateway node (GN). designated.

The VN has a suitable key, a root key (RK), for verification of the security certificate of the object to download. The verification of the Security certificate ensures that the download is current Server's public key transmitted to the UN (Asymmetric encryption).

Using the public key, the UN a digital signature during the security check, with which is the object to be downloaded from the download server signed, checked.

• 1. Der TN bedarf des herunterzuladenden Objektes (IE) und sendet eine entsprechende Anforderung in Form einer Anforderungsmeldung an den DM. Die Anforderungsmeldung enthält eine genaue Bezeichnung des herunterzuladenden Objekts (ID-IE).
  "From TN to DM: <ID-IE>"
• 2. Der DM leitet die Anforderungsmeldung an den GN weiter.
  "From DM to GN: <ID-IE>"
• 3. Der GN übermittelt die Anforderungsmeldung weiter an den Download Server (DS), wobei diese mit einer Adressenbezeichnung des GN (ID-GN) versehen wird.
  "From GN to DS: <ID-GN, ID-IE>"
• 4. Der DS bearbeitet die Anforderung bzw. Anforderungsmeldung und sendet dem GN die ID-IE, das IE, ein Sicherheitszertifikat CERT(ID-IEP, PuK-IEP), bei dem ein öffentlicher Schlüssel des DM (PuK-IEP) mit einer Identitätsbezeichnung des DM (ID-IEP) verbunden wird, und eine digitale Signatur SIGN(PrK-IEP, <ID-IE, IE>), welche über die ID-IE und (einen HASH-Wert des) IE unter Verwendung des privaten Schlüssels des DM (PrK-IEP) gebildet wird.
  "From DS to GN: <ID-IE, IE>, CERT(ID-IEP, PuK-IEP), SIGN(PrK-IEP, <ID-IE, IE>)"
• 5. Der GN leitet die vom DM erhaltenen Daten weiter an den DM.
  "From GN to DM: <ID-IE, IE>, CERT(ID-IEP, PuK-IEP), SIGN (PrK-IEP, <ID-IE, IE>)"
• 6. Der DM extrahiert die ID-IE und das IE aus den Daten und übermittelt diese an den TN zusammen mit einem Message Authentikation Code (MAC1(SK1, <ID-IE, IE>)). Der MAC1 hängt ab von der ID-IE, der IE sowie von einem ersten geheimen Schlüssel SK1, welcher zwischen dem DM und dem TN geteilt wird.
  "From DM to TN: <ID-IE, IE>, MAC1(SK1, <ID-IE, IE>)"
• 7. Der DM leitet die in Schritt 5) empfangenen Daten an den VN weiter.
  "From DM to VN: <ID-IE, IE>, CERT(ID-IEP, PuK-IEP), SIGN(PrK-IEP, <ID-IE, IE>)"
• 8. Der VN überprüft die ID-IE der gerade empfangenen Daten. Ferner verifiziert der VN das Sicherheitszertifikat CERT(ID-IEP, PuK-IEP) unter Verwendung des RK, wobei die Aktualität des PuK-IEP des DS überprüft wird. Anschließend überprüft der VN die digitale Signatur SIGN(PrK- IEP, <ID-IE, IE>) unter Verwendung des PuK-IEP.
• 9. Der VN sendet eine Verifikationsmeldung betreffend das IE an den TN. Diese Verifikationsmeldung weist die ID-IE zusammen mit einem weiteren Message Authentikation Code (MAC2(SK2, <ID-IE>)) auf. Dieser zweite MAC2 hängt ab von einem zweiten geheimen Schlüssel SK2, welcher zwischen dem TN und dem VN geteilt wird.
  "From VN to TN: ID-IE, MAC2(SK2, <ID-IE>)"
• 10. Der TN überprüft die ID-IE der in den Schritten 6 und 9 empfangenen Daten und verifiziert MAC1(SK1, <ID-IE, IE>) und MAC1(SK2, <ID-IE>).

The DM and the TN share a secret key as well as the TN and the VN share another secret key (symmetrical encryption).

• 1. The participant needs the object to be downloaded (IE) and sends a corresponding request in the form of a request message to the DM. The request message contains a precise description of the object to be downloaded (ID-IE).
  "From TN to DM: <ID-IE>"
• 2. The DM forwards the request message to the GN.
  "From DM to GN: <ID-IE>"
• 3. The GN forwards the request message to the download server (DS), which is provided with an address designation of the GN (ID-GN).
  "From GN to DS: <ID-GN, ID-IE>"
• 4. The DS processes the request or request message and sends the GN the ID-IE, the IE, a security certificate CERT (ID-IEP, PuK-IEP), in which a public key of the DM (PuK-IEP) with an identity designation of the DM (ID-IEP) is connected, and a digital signature SIGN (PrK-IEP, <ID-IE, IE>), which via the ID-IE and (a HASH value of) IE using the private key of the DM (PrK-IEP) is formed.
  "From DS to GN: <ID-IE, IE>, CERT (ID-IEP, PuK-IEP), SIGN (PrK-IEP, <ID-IE, IE>)"
• 5. The GN forwards the data received from the DM to the DM.
  "From GN to DM: <ID-IE, IE>, CERT (ID-IEP, PuK-IEP), SIGN (PrK-IEP, <ID-IE, IE>)"
• 6. The DM extracts the ID-IE and the IE from the data and transmits them to the participant together with a message authentication code (MAC1 (SK1, <ID-IE, IE>)). The MAC1 depends on the ID-IE, the IE and a first secret key SK1, which is shared between the DM and the TN.
  "From DM to TN: <ID-IE, IE>, MAC1 (SK1, <ID-IE, IE>)"
• 7. The DM forwards the data received in step 5 ) to the VN.
  "From DM to VN: <ID-IE, IE>, CERT (ID-IEP, PuK-IEP), SIGN (PrK-IEP, <ID-IE, IE>)"
• 8. The VN checks the ID-IE of the data just received. The UN also verifies the security certificate CERT (ID-IEP, PuK-IEP) using the RK, whereby the timeliness of the PuK-IEP of the DS is checked. The VN then checks the digital signature SIGN (PrK-IEP, <ID-IE, IE>) using the PuK-IEP.
• 9. The UN sends a verification message regarding the IE to the TN. The ID-IE shows this verification message together with another message authentication code (MAC2 (SK2, <ID-IE>)). This second MAC2 depends on a second secret key SK2, which is shared between the TN and the VN.
  "From VN to TN: ID-IE, MAC2 (SK2, <ID-IE>)"
• 10. The participant checks the ID-IE of the data received in steps 6 and 9 and verifies MAC1 (SK1, <ID-IE, IE>) and MAC1 (SK2, <ID-IE>).

An alternative to the sequence or sequence protocol described arises if the PAN is protected by an underlying communication protocol. In this case, the MAC1 and MAC2 in steps 6 ), 9) and 10) can be omitted.

The following writings are cited in this document:
[1] 3GPP 23,057 MexE;
[2] WAP Download Architecture Draft, Sec. 4.1.3, last bullet;
[3] German patent application, registration number DE 101 09 546.5;
[4] WO 01/33867 A2 (Motorola);
[5] WO 00/72149 A1 (Motorola);
[6] US Patent US 6223291 B1 (Motorola);
[7] DE 195 43 843 A1 (Acer);
[8] WO 01/78303 A1 (Sony);
[9] WO 01/86389 A2 (Motorola);
[10] WO 02/10903 A2 (Daimler Chrysler);
[11] WO 01/76154 A2 (Ericsson);
[12] JM Bradshaw. Software agents. MIT Press, 1997;
[13] MN Huhns, MP Singh; Readings in agents; Morgan Kaufmann Publishers Inc., 1998.

Claims (19)

1. Method for the protected downloading of an electronic object (IE) into a personal area network (PAN) with at least two functional units (N1, N2),
in which a control task (KA) is carried out, by means of which the downloading of the electronic object (IE) into the PAN is monitored,
in which a security task (SA) is carried out, by means of which a security check of the electronic object (IE) is carried out,
in which a transmission task (LA) is carried out, by means of which the electronic object (IE) is downloaded into the PAN,
wherein the control task (KA), the security task (SA) and the transfer task (LA) are divided among the at least two functional units (N1, N2) in the PAN such that none of the at least two functional units (N1, N2) all tasks (KA, SA, LA). 2. The method according to claim 1, where the PAN has three functional units the tasks are divided in such a way that each functional unit performs one of the tasks. 3. The method according to claim 1, where the tasks are so functional Units are divided that one of the functional ones Units performs two tasks. 4. The method according to any one of the preceding claims, in which the tasks are carried out in a coordinated manner parallel in time or staggered in time or in Line. 5. The method according to any one of the preceding claims, in which one of the tasks can only be specified under one Condition is executed. 6. The method according to claim 5, where the predefinable condition is a result of another of tasks. 7. The method according to any one of the preceding claims, when reporting between the functional units and / or the tasks are exchanged. 8. The method according to claim 7, where the using the exchanged messages functional units and / or coordinated the tasks become. 9. The method according to claim 7 or 8, where the exchanged messages are encrypted. 10. The method according to any one of the preceding claims, where the transfer task into a transfer task, where the electronic object becomes one of the functional units is transferred, and one Installation task in which the transferred electronic object installed on one of the functional units will be divided. 11. The method according to claim 10, where the transfer task and the installation task run separately. 12. The method according to any one of the preceding claims, where one of the functional units of the PAN is one Executes channel task through which a Communication link from the PAN to a communication network and / or a unit of a communication network will be produced. 13. The method according to claim 12, with which to carry out the channel task functional unit is provided. 14. The method according to any one of the preceding claims, where the electronic object is an electronic one Information element, in particular software. 15. The method according to any one of the preceding claims, at least one of the functional units networked computer of a computer network or a networked Server computer of a computer network or a Communication device, in particular a mobile phone or a PDA. 16. Personal Area Network (PAN) with at least two functional units (N1, N2) for protected downloading of an electronic object (IE) into the PAN, the download comprising
a control task (KA) by which the downloading of the electronic object (IE) into the PAN is monitored,
a security task (SA), through which a security check of the electronic object (IE) is carried out, and
a transmission task (LA) through which the electronic object (IE) is downloaded into the PAN,
in which the at least two functional units are set up in such a way that the control task (KA), the backup task (SA) and the transfer task (LA) can be divided among the at least two functional units (N1, N2) in the PAN such that none of the at least two functional units (N1, N2) perform all tasks (KA, SA, LA). 17. Computer program with program code means to all Perform steps according to claim 1 when the program running on a computer. 18. Computer program with program code means according to claim 17 stored on a computer readable disk are. 19. Computer program product with on a machine readable Carrier stored program code means to complete all steps perform according to claim 1 when the program on a Computer is running.