U.S. patent application number 15/552009 was filed with the patent office on 2018-02-01 for adaptive system profile.
This patent application is currently assigned to Konvax Corporation. The applicant listed for this patent is Fondazione Universitaria INUIT-"Tor Vergata", Konvax Corporation. Invention is credited to Franco Arcieri, Christian H. Schunck, Maurizio Talamo.
Application Number | 20180032740 15/552009 |
Document ID | / |
Family ID | 55650673 |
Filed Date | 2018-02-01 |
United States Patent
Application |
20180032740 |
Kind Code |
A1 |
Talamo; Maurizio ; et
al. |
February 1, 2018 |
ADAPTIVE SYSTEM PROFILE
Abstract
An approach to generating and regenerating a profile value from
features of a system (e.g., a computer system), allows for certain
changes of features of the system over time. The system may
correspond to a client computer or a particular component of the
client computer or a user of a client computer, and may also
correspond to a combination of the user (i.e., a biometric
characterization of the user) and the client computer or a
component of the computer. The profile value may be used, for
example, for purposes including identification, authentication, key
generation, and other cryptographic functions involving the
system.
Inventors: |
Talamo; Maurizio; (Rome,
IT) ; Arcieri; Franco; (Rome, IT) ; Schunck;
Christian H.; (Rome, IT) |
|
Applicant: |
Name |
City |
State |
Country |
Type |
Konvax Corporation
Fondazione Universitaria INUIT-"Tor Vergata" |
Cambridge
Roma |
MA |
US
IT |
|
|
Assignee: |
Konvax Corporation
Cambridge
MA
Fondazione Universitaria INUIT-"Tor Vergata"
Roma
|
Family ID: |
55650673 |
Appl. No.: |
15/552009 |
Filed: |
February 19, 2016 |
PCT Filed: |
February 19, 2016 |
PCT NO: |
PCT/US16/18619 |
371 Date: |
August 18, 2017 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
14626279 |
Feb 19, 2015 |
9805205 |
|
|
15552009 |
|
|
|
|
Current U.S.
Class: |
1/1 |
Current CPC
Class: |
H04L 9/0866 20130101;
H04L 9/085 20130101; H04L 9/0869 20130101; G06F 21/32 20130101;
G06F 21/602 20130101; H04L 2209/24 20130101; H04L 9/3239 20130101;
G06F 21/45 20130101; H04L 2209/34 20130101 |
International
Class: |
G06F 21/60 20130101
G06F021/60; G06F 21/32 20130101 G06F021/32; H04L 9/32 20060101
H04L009/32; H04L 9/08 20060101 H04L009/08; G06F 21/45 20130101
G06F021/45 |
Claims
1. A method for repeatedly generating a profile value on a system,
the method comprising: in a first phase, determining a plurality of
features of the system, grouping the determined features into a
plurality of groups such that at least some features of the
plurality of features is omitted from each group of one or more of
the groups, computing a function of the features in each of the
groups to yield a plurality of corresponding group-specific values,
and encoding a profile value using the group-specific values to
yield an encoding, and storing said encoding and removing the
profile value from the system, wherein the encoding is such that
fewer that all the group-specific values are required to regenerate
the profile value using the encoding; and repeatedly in successive
phases after the first phase, determining some or all of the
plurality of features of the system, grouping the determined
features into at least some of the plurality of groups used in a
prior phase of the first phase or the successive phases, and
recomputing the function of the features in each of the at least
some of the groups to yield a plurality of corresponding recomputed
group-specific values, and decoding the profile value using the
stored encoding and the recomputed group-specific values.
2. The method of claim 1 wherein the profile value comprises a
pseudo-random value.
3. The method of claim 1 further comprising, in the first phase and
in a successive phases, using the profile value to generate a
cryptographic key.
4. The method of claim 3 further comprising, in a successive phase,
using the cryptographic key for an interaction between the
computing system and another computing system.
5. The method of claim 3 further comprising, in a successive phase,
using the decoded profile value for at least one of authentication
and secure communication between the computing system and another
computing system.
6. The method of claim 1 wherein the features of the system
comprise a feature selected from a group consisting of hardware
features, software features, user features, and environment
features.
7. The method of claim 1 wherein during at least some of the
successive phases after the first phase, the method further
includes: repeating encoding of the profile value using recomputed
group-specific values to yield a recomputed encoding, and storing
said recomputed encoding for use a subsequent phase.
8. The method of claim 1 wherein encoding the profile value using
the group-specific values to yield the encoding includes separately
encoding the profile value using each group-specific values to
yield corresponding group-specific encodings.
9. The method of claim 8 wherein decoding the profile value using
the stored encoding and the recomputed group-specific values
includes using the group-specific encodings to generate a plurality
of decodings of the profile value.
10. The method of claim 9 wherein decoding the profile value
further includes determining the profile value according to a
relative majority of the decodings of the profile value.
11. The method of claim 9 wherein decoding the profile value
further includes determining the profile value according to a
threshold number of the decodings of the profile value having a
same value.
12. The method of claim 1 wherein the plurality of groups are
specified using a random number.
13. The method of claim 12 wherein grouping the determined features
in the initial phase and in the successive phases includes
determining the random number.
14. The method of claim 1 wherein computing a function of the
features in a group includes using a non-invertible mathematical
function.
15. The method of claim 1 wherein the system belongs to a group
consisting of a personal computing device and a device with an
embedded processor.
16. The method of claim 1 wherein the system comprises a person,
and the features comprise one or more biometric features of the
person.
17. The method of claim 1 wherein the system comprises a computing
system, and the features comprise one or more computing hardware
features of the computing system.
18. The method of claim 1 wherein the system comprises a computing
system, and the features comprise one or more software features of
the computing system.
19. Software comprising instructions stored on a non-transitory
machine-readable medium that when executed by a processor to: in a
first phase, determine a plurality of features of a system, group
the determined features into a plurality of groups such that at
least some features of the plurality of features is omitted from
each group of one or more of the groups, compute a function of the
features in each of the groups to yield a plurality of
corresponding group-specific values, and encode a profile value
using the group-specific values to yield an encoding, and storing
said encoding and removing the profile value from the system,
wherein the encoding is such that fewer that all the group-specific
values are required to regenerate the profile value using the
encoding; and repeatedly in successive phases after the first
phase, determine some or all of the plurality of features of the
system, group the determined features into at least some of the
plurality of groups used in a prior phase of the first phase or the
successive phases, and recompute the function of the features in
each of the at least some of the groups to yield a plurality of
corresponding recomputed group-specific values, and decode the
profile value using the stored encoding and the recomputed
group-specific values.
Description
CROSS REFERENCE TO RELATED APPLICATION
[0001] This application claims priority to U.S. application Ser.
No. 14/626,279 filed on Feb. 19, 2015, the contents of which are
hereby incorporated by reference in their entirety.
BACKGROUND
[0002] This invention relates to use of an adaptive system profile,
and more particularly to regeneration of a system-specific quantity
using the system profile.
[0003] There are situations in which a software component executing
on a device, such as a computer, desires to determine if the device
is the same device on which it previously executed. For example,
the software component may have been licensed for use on a single
computer, and when the software component is executed at later
times, the licensing of the host computer needs to be checked. One
approach is to form a system profile of the computer, for example,
based on types of components, specific serial numbers, etc. on the
computer.
[0004] In related situations, a server computer may desire to
determine if a client computer is the same computer with which it
has previously communicated. One approach currently used is for the
server computer to cause a quantity to be stored on the computer
(e.g., as a browser "cookie") and later retrieval of the same
quantity may indicate that the computer is the same. In another
approach, a quantity related to the client computer, for instance a
system profile of the client computer, is provided to the server
computer and that profile is regenerated in different sessions to
determine whether they match and therefore that the client
computers are the same.
[0005] If the system profile is used as the basis of cryptographic
operations that combines identifiers of one or more components, for
example, using a key generation procedure, a change in the system
profile, for example, based on replacement of a component of the
system, may result in an invalid key being generated, and a
computer that should have been declared to be the same as in a
previous session is declared to be different.
[0006] Device recognition via hardware fingerprints is a well
studied problem. In some devices special hardware chips are
implemented to achieve this goal but such security chips are
currently not included in most computing devices used in the
market. Furthermore also for these chips mechanisms are required to
assure that the chip is still integrated in the same hardware
environment.
[0007] In general a significant problem is to keep the device
fingerprint stable under changes to the system (like exchange and
degrading of hardware components). If the device is not recognized
after the exchange of e.g. a memory card expensive and time
consuming procedures are required to solve this problem e.g. via a
call center.
SUMMARY
[0008] There is a need be able to generate a profile value of a
system (e.g., a computer system, a personal computing device, for
instance a smartphone, tablet or laptop computer, a person/machine
system, a device with an embedded processor, for instance a
thermostat, etc.), for example, for purposes including but not
limited to identification, authentication, key generation, and
other cryptographic functions, while allowing for changes of the
profile value over time. The system may correspond to a client
computer or a particular component of the client computer or a user
of a client computer, and may also correspond to a combination of
the user (i.e., a biometric characterization of the user) and the
client computer or a component of the computer.
[0009] In one aspect, in general, a method addresses initially
generating and then repeatedly regenerating a profile value. In
some examples, this profile value is used to regenerate a
cryptographic key that is not otherwise stored in a persistent
manner on the system. The method includes determining a plurality
of features (e.g., numerical or numerically-representable features)
of the system, and grouping the features into a plurality of groups
such that at least some of the features are omitted from at least
some of the groups. During the initial generation, a function
(e.g., a function with a numerical output) of the features in each
of the groups is computed to yield a plurality of corresponding
group-specific values. Then the profile value is encoded using the
group-specific values to yield an encoding that is stored, for
instance on the system or at a location accessible to the system
(e.g., on a computer server). The encoding is such that less that
all the group-specific values are required to regenerate the
profile value using the encoding. In regenerating the profile
value, some or all of the plurality of features of the system are
again determined, grouped into the plurality of groups used
initially, and group-specific values are recomputed. In general, at
least some of the group-specific values do not match the
group-specific values computed initially (e.g., because the
underlying features in the corresponding groups have changed). The
system specific quantity is regenerated using the stored encoding
and the recomputed group-specific values. In some examples, the
profile value is again encoded using the recomputed group-specific
values and stored for use in a subsequent regenerating of the
profile value.
[0010] An advantage of at least some implementations is that some
changes of the features of the system may change over time while
still being able to regenerate the profile value. Furthermore,
successive changes over time in those features can be accommodated
to a greater degree than if the changes all occur at the same
time.
[0011] Aspects of the approach are useful to uniquely
identify/recognize a hardware device. In one example, the approach
is used to uniquely recognize a company laptop computer or mobile
phone as it logs remotely into the company network; uniquely
recognize sensors and other remotely deployed devices as they make
contact (e.g. through wireless networks) with their control units
or other remotely deployed devices/sensors. In another example, the
unique identification of the hardware device (in some cases
combined with the identification of the user operating the device)
may help to significantly reduce the risks of fraudulent access to
remote resources. For example and employees can only have remote
access to company emails via devices the company can uniquely
recognize. Yet other examples include ensuring that software is
installed and updated only on authorized devices (e.g. not more
than a given number of devices). A final example includes ensuring
that the hardware or configuration of a device has not been changed
by a malicious user (e.g., by installing software probes) that
wants to acquire information about device internals.
[0012] Other features and advantages of the invention are apparent
from the following description, and from the claims.
DESCRIPTION OF DRAWINGS
[0013] FIG. 1 is a block diagram of a computing system;
[0014] FIG. 2A is an illustration of generation of group-specific
values during an initialization phase;
[0015] FIG. 2B is an illustration of generation of encodings of the
profile value during the initialization phase;
[0016] FIG. 3A is an illustration of generation of group-specific
values during an regeneration phase;
[0017] FIG. 3B is an illustration of regeneration of the profile
value during the regeneration phase;
[0018] FIG. 3C is an illustration of updating of encodings of the
profile value during the regeneration phase.
DESCRIPTION
[0019] Referring to FIG. 1, in one embodiment, a client computing
system 110 includes a software system 120, a hardware system 130,
and an interface system 140 through which a user 150 interacts with
the system 110. Singly or together, the user 150 and/or the client
computing system 110 can be considered to be the "system" for which
a profile value is generated and then regenerated as described
below. The hardware system includes a number of components 148,
such as processors, disk drives and controllers, memory systems,
network interfaces, graphical boards, I/O boards, etc. The software
system 120 includes components 138 that executed, or are used
during execution, on the hardware system 130. Such components
include software executables and libraries, data registries, etc.
The interface system 140 includes components 148 that are able to
accept input from the user or to sense inputs from the environment.
For example, the components 148 can receive user inputs, such as
password entry, or biometric information, such as fingerprints,
retinal scans, etc. Not all of the components mentioned above are
necessarily present in all examples of a computing system 110.
[0020] In this example, the user 150 uses the client system 100 to
repeatedly interact with a remote server application 160, for
instance over the public Internet and using a Web browsing protocol
(e.g., http). In this example, the remote application 160
determines if the client computing device 100, or optionally the
system including the combination of the user 150 and the client
computing device 100, matches a previous session. Generally, this
is accomplished by passing a system identification quantity, or
alternatively a quantity derived from the system identification
quantity (e.g., using a one-way function, a cryptographic key
derived from the quantity, etc.), to the remote application. If the
quantity passed from the client system matches the quantity that
was previously passed from that system, the remote application
determines that the client computing device, optionally in
combination with the user, are the same as in the previous
session.
[0021] Very generally, the system identification quantity is based
on observations of components of the system, including observations
of hardware-related characteristics, software-related
characteristics, computer-behavior related characteristics, user
input, and/or user biometric characteristics. It should be
understood that these different observations do not all have to be
used together, and that essentially any subset would be suitable
for the techniques described below. Also, as discussed below, the
approach to determining the system identification quantity is
tolerant of certain changes of the underlying observations over
time while maintaining consistency in the derived system
identification.
[0022] Examples of observations of components include hardware
related characteristics of the installed hard disks and for every
hard disk the serial number, the logical disks, logical volume
serial numbers together with the volume label, its capacity and
related low level data.
[0023] Other examples of observations include software-related
characteristics, for instance, identifiers or other quantities
related to versions of software installed on the client computing
device 100. Also, characteristics of software data structures, such
as functions of the directory structure on a file system, contents
of a system registry, etc. may be used as software-related
observations. An example of how these observations can be obtained
using the Windows Management Instrumentation (WMI) interface on
Microsoft Windows Operating Systems or using the "/proc" and
similar interfaces on Linux based Operating Systems.
[0024] Other examples of observations computer-behavior related
characteristics include, for instance the time spent by the CPU to
evaluate a well defined cycle that is completely executed inside
the cache, or the same parameter when the cycle is executed outside
the cache.
[0025] Yet other examples of observations include biometric
observations include, for instance, biometric information, such as
fingerprints, facial images, retinal scans, voice characteristic.
In some implementations, acquisition of such biometric information
is feasible with current smartphones (e.g., an Apple iPhone), which
has microphone, camera, and fingerprint scanners in the device.
Also, observations may include user inputs, such as password entry
and/or interaction through a graphical interface.
[0026] The software system 120 also includes a profile processor
122, which in at least some embodiments also serves the specific
role of a key generator and regenerator. Very generally, the
profile processor 122 is able to generate and then later regenerate
a quantity, referred to below as a SysID, from specific
observations (e.g., measurement, retrieval, or query) of
characteristics of the components 128, 138, 148 of the software,
hardware, and/or user interface systems of the computing system
110. The regeneration is performed in such a manner that the SysID
does not have to be stored in a non-volatile storage 124 of the
system (or elsewhere away from the computing system 110). In at
least some examples, the SysID is a unique cryptographically secure
pseudo-random number, which can be used for cryptographic
functions, such as key generation, encryption and/or authentication
in interaction with a remote server application 160. However, it
should be recognized that the SysID can be chosen freely depending
on the application one has in mind and may have no relation to any
device characteristics at all. Nevertheless, the device
characteristics are used to produce an encoding of the SysID. In
general, the profile processor 122 may store information that
depends on the SysID in the non-volatile memory, which alone is not
sufficient to regenerate the SysID. However, in combination with
the results of repeated observations of the characteristics of the
components 128, 138, 148, the profile processor is able to
regenerate the SysID. Note that preferred implementations of the
approach do not disclose the SysID outside the computing system
100. Note that in general, the observations that are used to
generate the SysID are not disclosed outside the client system 100,
thereby avoiding another party from being able to generate the
SysID as an imposter.
[0027] A feature of the profile processor 122, and the method of
regenerating the SysID, is that it is tolerant of changes in the
observations of the components, at least to a limited degree or a
limited rate of change. An example of a change may result from the
replacement of a disk drive resulting in a change of an observation
of a hardware component 138, or updating of a software library,
resulting in a change of an observation of a software component
128.
[0028] Referring to FIGS. 2A-B, operation of the profile processor
during an initial generation phase can be understood as follows. We
assume that there are N components (e.g., in the order of 100 or
more different observations), each providing one observation
O.sub.n (e.g., a numerical quantity, and, more generally, a string)
of a corresponding component 1.ltoreq.n.ltoreq.N. For example, an
observation of a disk drive may depend on the serial number of
drive or on the production date. The profile processor initially
generates a random seed Seed (e.g., of at least 1024 bits) and
stores it in the non-volatile storage 124. This random seed is used
to generate K random subsets S.sub.k of the N observations. In some
implementations, K is chosen such that K.apprxeq. {square root over
(N)}. Because the seed is retained in the non-volatile storage, the
K subsets identifying the components may be regenerated at a later
time.
[0029] In some implementations, the N observations are composed of
n "buckets", each with s "slots", such that in total there are N=ns
values. For example, each "bucket" is associated with one component
(e.g., a network interface card), and an observation function
f.sub.n( ) provides the s slot values for that component. For
example, using the WMI interface for making observations in the
Microsoft Windows operating systems provides such slot values.
[0030] Initially, the SysID is generated using a secure random
number generator, for example, using a pseudo-random number
generator (PRNG). The N observations O.sub.n of the components are
made. For each subset S.sub.k a one-way function is applied to that
subset of observations to yield a pseudo-random number r.sub.k.
Because of the application of the one-way functions, the original
observations cannot be recovered from the pseudo-random numbers
r.sub.k. Referring to FIG. 2B, the SysID is then encoded K times,
once with each of the pseudo-random numbers to yield K encodings
SysID.sub.k. These K encodings are stored in the non-volatile
storage, along with the seed that is used to determine the subsets
of the observations. The encoding function is such that the SysID
cannot be recovered from the K encodings alone. In this
implementation, the SysID can be decoded from any of the K
encodings SysID.sub.k in combination with the corresponding
pseudo-random number r.sub.k. An example of the encoding makes use
of an operator such as addition or XOR, which can be decoded using
an inverse operator such as subtraction or XOR.
[0031] Referring to FIGS. 3A-C, later, during regeneration of the
SysID, the process is repeated with N new observations O.sub.n .
The same subsets S.sub.k are used to generate new pseudo-random
numbers {tilde over (r)}.sub.k . Referring to FIG. 3B, each
pseudo-random numbers {tilde over (r)}.sub.k is used to decode
SysID.sub.k to form SysID.sup.(k). If the observation subsets are
all different than those originally measured, then {tilde over
(r)}.sub.k.noteq.r.sub.k for all of the K subsets, and decoded
SysID.sup.(k) obtained using {tilde over (r)}.sub.k will not yield
SysID for any of the K subsets. However, assuming that at least
l<k subsets have yielded the same subset of observations, at
least l of the decodings will match.
[0032] Therefore, if the profile processor is configured to combine
the SysID.sup.(k) values to require at least l same decoded values,
and when such a decoding is achieved this same value is output as
the SysID. Referring to FIG. 3C, then for all subsets k for which
the decoding doesn't match, the SysID is re-encoded with {tilde
over (r)}.sub.k to yield a new SysID.sub.k, which is stored in the
non-volatile storage for future regenerations of SysID.
[0033] Returning to the approach to generating the subsets S.sub.k
from the seed S, one approach to forming the subset
cryptographically securely involved forming K sets, each with M
elements, where K=N/M. The N observations O=(O.sub.1, . . . ,
O.sub.N) are first shuffled to yield O.sup.permuted.
[0034] In some implementations, transformations of the
observations, including shuffling and/or other transformations make
use of techniques related to a Blum Blum Shub random number
generator. Specifically, an integer m=pq is selected for p and q
prime and both congruent to 3 mod 4 (e.g., p=11 and q=19 yielding
m=209). An initial value x.sub.0 is iterated as
x.sub.n=1=x.sup.2.sub.n mod m. A number k=log.sub.2 (bits(m))
(e.g., k=3 for m=209) of least significant bits is selected,
referred to as lsb.sub.k(x.sub.n-1). For a given "seed" x.sub.0 a
random number of N bits is formed as the concatenation of N/k k bit
sequences: (lsb.sub.k(x.sub.N/k), . . . , lsb.sub.k(x.sub.1)).
[0035] One approach to shuffling the observations make use of an
iteration that is based on the random Seed stored at the client
system 110. A particular implementation of such an approach
performs a sequence of N exchanges of two elements of the
observation vector, such that the i.sup.th exchange of O.sub.i and
O.sub.p, where the sequence of p values is computed using a Blum
Blum Shub approach by initializing x.sub.0=Seed, and generating the
successive indices p as bits(N)-long random numbers as described
above (not resetting x between successive indices).
[0036] Having permuted the observations, K subsets, each with N/K
observations are formed, for example as predetermined subsets. For
example, with K= {square root over (N)}, there are {square root
over (N)} subsets each of {square root over (N)} observations.
[0037] In some embodiments, each observation O.sub.i is first
transformed and replaced with O.sub.i' also using a Blum Blum Shub
approach. In particular, each transformed observation is a bits(m)
long, and computed by initializing x.sub.0=O.sub.i and forming the
transformed observation 0.sub.i' as the concatenation of bits(m)/k
k-bit sections.
[0038] The process for processing each set of makes use of a
K*(K-1) long bit sequence Seq generated by a Blum Blum Shub random
number generator staring with x.sub.0=NewSeed, another random
number known to the client device. Generally, r.sub.i for the
i.sup.th set (O.sub.i.sub.1', . . . , O.sub.i.sub.k') is formed as
a summation r.sub.i=O.sub.i.sub.1'.+-.O.sub.i.sub.2' . . .
+O.sub.i.sub.K' where whether a plus or a minus of each term is
determined by a successive bit of Seq.
[0039] In some implementations, the transformation of SysID using a
quantity r.sub.k is formed as SysID.sub.k=r.sub.k-SysID.
[0040] In some examples, the SysID is used to generate asymmetric
keys associated with the computing system 110. The SysID is split
in two numbers, q.sub.1 and q.sub.2 , with q.sub.1.noteq.q.sub.2,
each with half of the number of bits of SysID. Each of these
numbers is then used to determine a corresponding prime number,
p.sub.1 and p.sub.2, respectively using tests (e.g., Miller/Rabin,
trial divisions, Fermat, Solovay-Strassen, etc.) for verifying the
compositeness or the primality of the numbers and then, if
composite, increase/decrease it until the next odd number and
restart the test. The keys are generated from the prime numbers,
for example, based on the asymmetric algorithm chosen (RSA, DSA,
Blum Blum Shub, etc.). The primes are checked against other
properties as requested by the algorithms to generate the private
and public keys used for asymmetric cryptography.
[0041] In some examples, one or more keys generated from the SysID
(or the SysID itself or some other deterministic function of the
SysID) are used to determine a response to a challenge. For
example, a remote system sends a challenge to the system, which
determines the response based on a key value. The remote system
received the response and determines if it matches the
challenge.
[0042] In some examples, if a "public" key derived from the SysID
of a device X is securely shared with another party S (e.g., a
server) which keeps it as a secret (i.e. not "public"), then if the
device X contacts S standard forms of authentication can be avoided
in the following way: X just says "hello S; I am X" and starts an
information exchange encrypted by its corresponding private key
derived from the SysID (for example by encoding a symmetric key to
be used in the following interaction). Then if S can correctly
decipher and thus interpret the communications from Xbased on the
use of the "public" key it previously received from X, S knows that
it is in fact talking to X No password exchange or any other form
of authentication challenge will be required.
[0043] It should be understood that the specific approach to
permitting decoding of the system profile value when one or a
limited number of observations of the system have changed is but an
example. Other approaches, which may or may not involve grouping of
the observations into groups may be used. Furthermore, rather than
repeated encoding of the profile value with different functions of
the observations, other ways of generating the encoding, for
example, based on error correction techniques, may be used.
[0044] Implementations of the approaches described above may make
use of software, which may be stored on non-transitory
machine-readable media and transported via computer or
telecommunication networks. The software can include software for
execution by a processor on a client device and can include
software for execution on a computer (e.g., a server computer)
remote from the client device and in data communication with the
client device.
[0045] It is to be understood that the foregoing description is
intended to illustrate and not to limit the scope of the invention,
which is defined by the scope of the appended claims. Other
embodiments are within the scope of the following claims.
* * * * *