200837600 九、發明說明: 【發明所屬之技術領域】 本發明之具體實施例一般而言係關於内容存取,且更特 定言之係關於鏈結内容與授權並基於—會話權證來存取内 容。 【先前技術】 數位權限管理(DRM)係一種用以保護並控制内容(例如 音樂標案、視訊樓案及其他内容)分佈的技術。在〇讀 [使用-密碼編譯密錄來加密内容,因此該密碼編譯密 錄還可用於解密該内容。為了使—使用者解密並存取該内 容’使用者必須有權存取相關聯於該内容的一授權。—护 而言’-授權可將不同的存取權限授予該内容,取決於: 授權提供者所定義之許可。例如’該授權可能限制持續一 有限次數來播放該内容(例如一音樂槽案)。 在傳統DRM技術中,用於解密内容之密碼編譯密餘係儲 存於授權内。授權可能會被破解,從而可從授權容易地提 取密碼編譯密鑰。若危及密碼編譯密鑰的安全,則一未妒 授權的使用者可在沒有授權情況下解密内纟,從而無限: 地存取内容。由此,需要進一步改良内容保護。 【發明内容】 本發明之各種具體實施例提供用於鏈結一授權與内容並 基於一會話權證來存取内容之方法、系統及/或裝置 瞭解,該等具體實施例可採用許多方式來實施,包括一 ^ 法、-電路、-系統或-器件。下面說明本發明之數個具 126730.doc 200837600 體實施例。 在一具體實施例中,提供一種用於存取内容之方法。在 此方法中,擷取相關聯於一授權的一第一參數。該授權係 相關聯於該内容。還擷取相關聯於該内容的一第二參數。 使用該等第一及第二參數,產生基於該等第一及第二參數 的一第三參數。該第三參數係經組態用以解密該内容,因 此可基於該第三參數來存取該内容。 在另一具體實施例中 Γ Ο 提供一種裝置。該裝置包括一記 憶體及與該記憶體通信的_處理器。該處理器係經組態用 :擷取相關聯於一授權的一第一參數;擷取相關聯於該内 备的第一參數,基於該等第一及第二參數來產生一第三 參數,及基於該第三參數來存取該内容。 …口以範例方式說明本發明之原理的附圖,根據下列詳 細說明會明白本發明之其他具體實施例及優點。 【實施方式】 連同附圖,以下提供一或多個具體實施例之一詳細說 月忒洋細說明係結合此類具體實施例來提供,但不限於 任特疋具體實施例。範疇僅受申請專利範圍限制且涵蓋 許夕替代、修改及等效物。在下列說明中提出眾多特定細 節以便提供一詳盡理解。此等細節係出於示範目的而提 ’、可在’又有该些特定細節之一些或全部之情況下依據申 明專利乾圍來實施該等所述具體實施例。為了清楚起見, 未曰洋細說明與該等具體實施例相關的在技術領域中已知 的技術材料,以免不必要地混淆本說明。 126730.doc 200837600 本文所述之該等具體實施例提供鏈結一授權與内容並基 於一會話權證來存取★女 +仔取Θ内各。使用一密碼編譯密鑰來解密 並存取-加密内容。如下面更詳細所解釋,使用相關聯: 該授權與該内容兩者之參數來導出該密碼編譯㈣。在一 二具體κ施例中’一用以導出該密碼編譯密鑰之參數可進 -步使用-變數來加密,使得將内容存取限於一會話。 f ly 圖1係依據本發明之一具體實施例一裝置系統之一簡化 方塊圖。如® 1所示’系統1()2包括主計算器件114與記憶 體器件116 °主計算器件114可包括各種電子器件,其能夠 存取記憶體器件116,以儲存或擷取⑽存在該記憶體器件 上的内容118。記憶體器件! 16可藉由機械介面⑽(例如引 線及/或插座連接器)而可移地耦合至主計算器件ιΐ4。記憶 體裔件116係一記憶體儲存器件。如下面所將解釋,記憶 體器件116之一範例係一使用非揮發性記憶體之記憶卡。 主計算器件114主控應用程式1〇4。應用程式1〇4可包括 各種程式應用。例如,應用程式1〇4可能係一作業系統, 其官理主計异器件114上的硬體及軟體資源。在另一範例 中,應用程式104可能係一多媒體播放器,其係經組態用 以播放音吼及視訊檔案。此外,例如,應用程式i 〇4可能 係一視訊遊戲。應用程式104可存取儲存於記憶體器件116 内的内容118。内容118可包括各種資料。内容118之範例 包括以音訊槽案格式(例如WAVE、MPEG-Ι音訊層 3(MP3)、進階音訊編碼(Advanced Audio Coding ; AAC)) 及其他音sil檔案格式編碼的音訊播案。内容us還可包括 126730.doc 200837600 以視讯檔案格式(例如音訊視訊交錯(Audi〇 vide〇 erleave,AVI)、動晝專家組(Μ〇ν_ Εχρ州$200837600 IX. INSTRUCTIONS OF THE INVENTION: TECHNICAL FIELD OF THE INVENTION The present invention is generally directed to content access and, more particularly, to link content and authorization and to access content based on session rights. [Prior Art] Digital Rights Management (DRM) is a technology used to protect and control the distribution of content such as music standards, video buildings, and other content. Read [Use-Password Encryption to encrypt content, so the password compilation password can also be used to decrypt the content. In order for the user to decrypt and access the content, the user must have access to an authorization associated with the content. - Protection - The authorization grants different access rights to the content, depending on: The license defined by the Authorized Provider. For example, the authorization may limit the duration of a limited number of times to play the content (e.g., a music slot). In conventional DRM technology, the cryptographic secrets used to decrypt the content are stored in the license. Authorization may be cracked so that the cryptographic key can be easily extracted from the authorization. If the security of the cryptographic key is compromised, an unauthorized user can decrypt the guilt without authorization, thereby accessing the content infinitely: Therefore, it is necessary to further improve the content protection. SUMMARY OF THE INVENTION Various embodiments of the present invention provide methods, systems, and/or apparatus for aggregating an authorization and content and accessing content based on a session ticket, the specific embodiments being implemented in a number of ways , including a ^ circuit, - circuit, - system or - device. Several embodiments of the invention having 126730.doc 200837600 are described below. In a specific embodiment, a method for accessing content is provided. In this method, a first parameter associated with an authorization is retrieved. This authorization is associated with this content. A second parameter associated with the content is also retrieved. Using the first and second parameters, a third parameter based on the first and second parameters is generated. The third parameter is configured to decrypt the content, so the content can be accessed based on the third parameter. In another embodiment, a device is provided. The device includes a memory and a processor that communicates with the memory. The processor is configured to: retrieve a first parameter associated with an authorization; retrieve a first parameter associated with the internal device, and generate a third parameter based on the first and second parameters And accessing the content based on the third parameter. Other embodiments and advantages of the invention will be apparent from the accompanying drawings. [Embodiment] In conjunction with the drawings, one or more of the specific embodiments are provided below in detail. The detailed description is provided in conjunction with such specific embodiments, but not limited to the specific embodiments. The scope is only limited by the scope of the patent application and covers the alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding. The details are presented for the purpose of illustration, and the specific embodiments may be practiced in accordance with the appended claims. For the sake of clarity, technical material known in the art related to the specific embodiments is not described in detail to avoid unnecessarily obscuring the description. 126730.doc 200837600 The specific embodiments described herein provide a link-authorization and content and are based on a session ticket to access the female. Use a cryptographic key to decrypt and access-encrypt content. As explained in more detail below, the use of the associated: the authorization and the content of the content to derive the cryptographic compilation (4). In a specific embodiment, a parameter used to derive the cryptographic key can be encrypted using a -variant to limit content access to a session. f ly Figure 1 is a simplified block diagram of a device system in accordance with an embodiment of the present invention. 'System 1() 2 as shown in ® 1 includes main computing device 114 and memory device 116. The main computing device 114 can include various electronic devices that can access the memory device 116 to store or retrieve (10) the memory. Content 118 on the body device. Memory device! 16 can be movably coupled to the host computing device ι4 by a mechanical interface (10) such as a lead and/or socket connector. The memory member 116 is a memory storage device. As will be explained below, one example of a memory device 116 is a memory card that uses non-volatile memory. The main computing device 114 hosts the application 1〇4. Applications 1〇4 can include a variety of program applications. For example, the application program 1〇4 may be an operating system whose main program is the hardware and software resources on the device 114. In another example, application 104 may be a multimedia player configured to play audio and video files. Also, for example, the application i 〇4 may be a video game. The application 104 can access the content 118 stored in the memory device 116. Content 118 can include a variety of materials. Examples of content 118 include audio broadcasts encoded in an audio slot format (eg, WAVE, MPEG-Audio Layer 3 (MP3), Advanced Audio Coding (AAC)), and other audio sil file formats. The content us can also include 126730.doc 200837600 in video file format (such as audio video interlacing (Audi〇 vide〇 erleave, AVI), dynamic expert group (Μ〇ν_ Εχρ州$
Group,MPEG))及其他視訊權案格式編碼的視訊稽案。内 容118之其他範例包括文件稽案、影像構案、應用程式槽 案及其他資料。 鏈結授權與内容 圖2係描述依據本發明之—具體實施狀—用以解密内 容之參數之產生的一古治固 ^Group, MPEG)) and other video rights format coded video audit files. Other examples of content 118 include file auditing, image archiving, application caching, and other materials. LINK LICENSE AND CONTENT Figure 2 illustrates an ancient remedy for the generation of parameters for decrypting content in accordance with the present invention.
V ί) 方塊圖。圖2顯示内容118與相關聯授 _4。内容118係加密,使得該内容難以理解。-般而 吕’授權204係實現存取内容118之資料(例如一字串、一 檔案及其他資料)。授權204可包括用以存取内容118之許 I或規則,例如存取持續時間、將内容存取限於-特定計 异器件、日期、時間、可在 六 子取内谷之次數及其他許可。因 此授權可經組態用以定義存取内容ιΐ8之許可。因此基 於在㈣204内所包括之該等許可來允許一使用者存取内 谷118。例如,授權2〇4 ^ ^ ^ V牡符疋计异态件上欲播放 採用一曰樂檔案之形式的 授權綱可允許存取内容二二次。在另一範例中, 件。 +取内谷118,但不允許複製至另一計算器 内容118係加密的且第二 容。第經組態用以解密該内 第一多數210包括可相關倘私 料。例如m91 〜118之解密的各種資 V ㈣數210可能係用於加密及解密内容118的 一密碼編譯密鑰。取抑吁—s 1谷118的 取代该费碼編譯密鑰,第三參數210還 可包括該密碼編譯密鑰 數210遢 的引用。例如,該引用可能係識 126730.doc 200837600 別该费碼編譯密鑰的一號碼或字串。第三參數2 1 〇還可包 括一驗證密鑰。該驗證密鑰係一用於在該主計算器件與記 憶體器件之間驗證會話之密碼編譯密鑰。在另一範例中, 第二參數2 1 0可能係一密碼編譯臨時值。一密碼編譯臨時 值係一可用以產生該密碼編譯密鑰的號碼。 第三參數210係基於第一參數202與第二參數2〇6來產 生。換言之,第三參數21〇可表述成 第二參數=F (第一參數,第二參數) (1.0) 其中該第三參數係第一參數2〇2及第二參數2〇6之一函數。 名函數可包括各種函數,例如一雜湊函數,因此第三參數 210可能係該雜凑函數之雜湊值。第一參數2〇2係相關聯於 授權204而第二參數206係相關聯於内容118。第一參數2〇2 與第二參數206可包括各種資料。例如,第一參數2〇2可能 係一唬碼。在一具體實施例中,該號碼可能係隨機產生 的。在另一具體實施例中,該號碼係預定義的。第二參數 可能取決於第一參數2〇2或反之亦然。例如,第二參數 2%可能係自一密碼編譯密鑰之一引用與第一參數兩者 ^出之一號碼或字串。此類號碼或字串可表述成 第二參數=F (密鑰引用,第一參數)(12) 八中第一參數206係該密碼編譯密鑰引用與第一參數2⑽之 一函數。應瞭解,第二參數2〇6還可自一驗證密鑰與第一 多數202兩者導出。在另一範例中,第二參數206可自一密 、、睪臨時值與第一參數202導出。反之,第一參數202可 自第二參數206及一驗證密鑰、一密碼編譯密鑰之一引 126730.doc 200837600 用、一密碼編譯臨時值或其他參數來導出。 第一參數202及第二參數206係分別相關聯於授權2〇4與 内容118。為了相關聯授權204或内容118,第一參數202及 第二參數206可分別位於或包括於該授權及該内容内。例 如,第二參數206可位於内容118之標頭或註腳内。或者, 第一參數202及/或第二參數206可與授權204及/或内容118 分離定位。若分離定位,則授權204可包括該第一參數的 一指標而相關聯於第一參數202。在該第二參數與該内容 分離定位之情況下,内容118還可包括第二參數2〇6的一指 標。 圖3係依據本發明之一具體實施例之一用於存取一記憶 體器件之系統之一簡化方塊圖。如所示,系統3〇2包括耦 合至記憶體器件116之主計算器件114。主計算器件丨14可 包括應用程式104與第一内容保護平台3〇4。記憶體器件 Π6包括第二内容保護平台3 〇6、内容U8及授權2〇4。在一 具體實施例中,授權204可儲存於記憶體器件116之一隱藏 刀區内’其中該授權不可見或不可供許多應用程式存取。 除了儲存於記憶體器件116内外,授權204還可儲存於主計 算器件114内。第一内容保護平台3〇4及第二内容保護平台 3〇6係用於防護至記憶體器件U6之内容n8的技術平台。 使用第一内容保護平台304及/或第二内容保護平台3〇6, 一使用者可傳送記憶體器件丨16及其内容丨18而不危及内容 保護的安全。存在各種可用於防護資料之内容保護平台, 範例係在商標 TrustedFlashTN^CmViTM (由 SanDisk,Inc.製 126730.doc -11 - 200837600 造)下銷售。 如圖3所示,庵 • …用程式104藉由第一内容保護平台304來 專輸*求健存於記憶體器件116内之内容118的請求。此 處,加密内客】〗8 々 δ °為了解密内容118,擷取相關聯於授權 -之第參數2〇2與相關聯於内容丨18之第二參數2〇6。第 ·>數2〇2與第二參數206可分別包括於授權204與内容118 内,或可此係與該授權及該内容分離定位的播案。如等式 - 所疋義,一第三參數係基於第一參數202與第二參數 206而產生。拖古 斗杜 . 換曰之,該第三參數可自第一參數202與第二 參數2〇6導出。該第三參數可能係-用以解密内容118的密 馬、扁"睪崔鑰、该岔餘密鑰的一引用、一驗證密鑰、一臨時 值或其他參數。使用該第三參數,應用程式104可解密並 存取内谷118。為了存取内容118,第一内容保護平台3 04 可傳輸該第1參數及要求内$ 118之請求至記憶體器件 116。第一内容保護平台3〇6可基於該第三參數來解密内容 ι U 8並可藉由第一内容保護平台304將解密後的内容傳輸至 ^ 應用程式104。 在圖3之具體實施例中,主控於主計算器件114上的第一 ^ 内容保護平台304擷取第一參數202及第二參數206並基於 忒4弟一及第一參數來產生該第三參數。在另一具體實施 例中’包括於記憶體器件116内的第二内容保護平台3〇6還 可擷取第一參數202及第二參數206並基於該等第一及第二 參數來產生該第三參數。 圖4係依據本發明之一具體實施例描述從一記憶體器件 126730.doc -12- 200837600 存取内容之一流程圖。在402開始,分析内容以決定是否 保護(即加密)該内容。相關聯於該内容的各種資訊可指示 是否加密該内容。例如,該内容之標頭可指示該内容係加 密的。或者,該内容之副檔名還可指示該内容係加密的。 若不保護該内容,則在4 1 〇,可直接存取該内容。若保護 該内容,則在404可自授權擷取第一參數。在此具體實施 例中,該第一參數係一號碼。該號碼可能係隨機產生或預 定義的。在406,從該内容擷取一第二參數。在一具體實 施例中,如等式1 ·2所表述,該第二參數可自該密碼編譯 始、鑰的一引用與該第一參數來導出。該密碼編譯密鑰係用 ?口密或解密該内容。由此,該第二參數係相關聯於該内 今與該授權兩者,因為該第二參數係從用以解密該内容之 密碼編譯密瑜的一引用與一包括於該授權内之號碼來導出 或計算。應注意,在另一具體實施例中,該第-參數(例 二:::)可能相關聯於該内容而該第二參數可能相關聯 於该授推。 使用a第#數與該第二參數,可在彻 密碼編譯密鑰的一引 飞冲异4 如上面荨式10所表述,該穷 編譯密鑰引用可基於兮筮一 山馬 後,…x第一 > 數與該第二參數來產生。其 後,在410,可基於該夂 ^ 如,在一且體一,數來解岔並存取該内容。例 八體員知例中, ^ 形式的該第三參數傳卜、1碼編譯密餘引用之 包括-安全儲存琴:憶體器件。該記憶體器件可 件可使用該密巧編y儲存該密碼編譯密鑰。該記憶體器 、扁澤錢引用來從該安全儲存器揭取該密 126730.doc -13 - 200837600 ”Ί u W靖。使用該密碼編譯密鑰,該記憶體器件可解密 該内今並將該解密内容傳輸至一主計算器件。 基於會話權證來存取内容 圖5係依據本發明之一具體實施例描述一會話權證之產 生的一方塊圖。最初提供參數502且該參數包括可相關聯 於内谷解密的各種資料。參數502可基於相關聯於上述授 權及内容之參數來產生。參數502之範例包括一用以解密 f ' 内谷之费碼編譯密鍮的一引用、一密碼編譯臨時值或其他 I 參數。 ’、 會話權證506之產生涉及使用變數504。變數504包括各 種貢料。例如,該資料可能係一號碼。該號碼可能係預定 義或Ik機產生的。在另一具體實施例中,該資料可能係一 字串。不同於上述參數,變數5〇4可能不相關聯於該授權 及内谷。換言之,變數5〇4可能獨立於該授權及内容。變 數504係經組態用以在一會話時變化。一會話可跨越一段 〇 日夺間二例如,該會話可能持續-小時、-天、-周或其他 時間單位。此外,一會話可能在初始化或重新啟動輕合至 3 σ己隱體器件之主计算器件時截止。_會話還可能在將該 ‘ $憶體器件從該主計算器件解1¾合時截止。此外,例如, - έ話可此跨越一有限數目的内容存取(例如可存取内容 的一有限次數)。 會話權證506係基於參數5〇2與變數5〇4來產生,因此可 基於該變數來加密該參數以定義會話權證5〇6。會話權證 506因此可表述成 126730.doc -14- 200837600 會話權證=F (參數,變數)(2.〇) 其中該會話權證係參數502與變數5〇4的一函數。使用會 話權證506,可基於該會話權證來存取該内容。例如,一 主什异态件可將會話權證506傳輪至該記憶體器件。該記 十思體器件可基於會話權證506來導出用以解密該内容的參 數。參數5〇2可自以下導出 參數=F1 (會話權證,變數)(2·2) 其中該參數係會話權證506與變數5〇4的一反函數。 應瞭解’因為該會話權證係用以解密内容,故會話權證 506係相關聯於一特定内容。由此,使用會話權證5〇6無法 使用或存取另一儲存於該記憶體器件内的内容,除非該會 話權證包括一參數(例如參數5〇2)來解密其他内容。作為一 範例,若使用不同的密碼編譯密鑰來加密儲存於一記憶體 器件内的兩個、分離内|,則該主計算器件或記憶體器件 產生兩個、不同會話權證以存取該等兩個、分離内容。此 處,會話權證無法用以存取使用不同密碼編譯密鑰加密 的該等兩個、分離内容。 圖6係依據本發明之一具體實施例之一使用一會話權證 來存取。己體器件之系統之一簡化方塊圖。系統6〇2包 括耦合至記憶體器件116之主計算器件114。主計算器件 m可包括應用程式1()4與第一内容保護平台3〇4。記憶體 器件116包括第二内容保護平台3〇6、内容118及授權2〇4。 如上述,第一内容保護平台304與第二内容保護平台3〇6可 經組態用以管理儲存於記憶體器件丨16内之内容丨18之數位 126730.doc -15- 200837600 權限。 如圖6所示,應用程式1〇4藉由第一内容保護平台π*傳 輸一要求儲存於記憶體器件116内之内容118的請求。内容 118係使用一密碼編譯密鑰加密的。一相關聯於該密碼編 譯密鑰(例如該密碼編譯密鑰之一引用、一臨時值或其他 簽數)之參數係提供至第二内容保護平台3〇6。回應該存取 内容118之請求,第二内容保護平台3〇6基於變數6〇4來加 在名參數以疋義一會話權證,該會話權證係表述於等式 2.0内。第二内容保護平台3〇6可產生變數6〇4(例如一號 碼、一字串或其他參數)。變數604係經組態用以在一會話 時變化。例如,第二内容保護平台3〇6可為每一會話產生 一不同變數604。變數604可能係隨機產生或預定義的。 在產生該會話權證之後,第二内容保護平台3〇6將該會 話權證傳輸至主計算器件i 14。使用該會話權證,主計算 器件114可基於該會話權證來存取内容118。為了存取内容 118,主計算器件丨14隨後將該會話權證傳輸回到記憶體器 件116。在接收會話權證後,第二内容保護平台3〇6解密該 會話權證以提取用以解密内容118之參數,該參數係表述 於專式2.2内。若變數604未冒變化,則因為該解密係基於 一專同於用以加密該參數之變數的變數,故可提取該參 數。變數604可在不同會話時變化。由此,在相同會話内 產生該等變數之情況下,變數604等同於用以加密該參數 之變數。然而,若變數604已變化,則因為該解密係基於 一不同於用以加密該參數之變數的變數,故無法提取該參 126730.doc -16- 200837600 數。在不同會話内產生該等變數之情況下,變數604不同 於用以加密該參數之變數。藉由在一會話時改變變數 604’該會話權證持續或有效地用於一會話。若可提取該 參數’則該第二内容保護平台306可基於該參數來解密内 容118並將該解密内容傳輸至主計算器件114。 在另一具體實施例中,第一内容保護平台304還可藉由 加密用以解密内容118之參數來產生該會話權證。此處, 回應應用程式104請求存取内容11 8,第一内容保護平台 304可產生該會話權證並將該會話權證傳輸至應用程式 104。應用程式1〇4可接著將該會話權證傳輸回到第一内容 保護平台304以存取内容118。 圖7係依據本發明之一具體實施例描述基於一會話權證 從一記憶體器件存取内容之一流程圖。在702開始,擷取 一密碼編譯密鑰之一引用。該引用可能擷取自一主計算器 件或一記憶體器件。儲存於該記憶體器件内的内容係加密 的亚可使用該密碼編譯密鑰來加以解密。使用該密碼編譯 名鑰引用’在704 ’基於一號碼來加密該密碼編譯密鑰引 用以疋義一會話權證。該號碼係經組態用以在一會話時 k化並可隨機產生。在7〇6,該會話權證可接著傳輸至(例 如)一主計算器件。 §该主計算器件存取儲存於一記憶體器件上的内容時, 在706 ’该主計算器件可傳輸接收至該記憶體器件之會話 權證。在708該記憶體器件接收該會話權證並在710基於一 號碼來解密該會話權證。若該號碼匹配用以產生該會話權 126730.doc -17- 200837600 證之號碼’則可從解密操作提取該密碼編譯密鑰引用。然 而’若該會話已變化且該記憶體器件持有一不同號碼,則 無法從該解密操作中提取該密碼編譯密鑰引用,因為該等 號碼不匹配。若可從該會話權證提取該密碼編譯密输引 用’則在712,基於該引用來擷取該密碼編譯密鑰。該密 碼編譯密鑰可擷取自(例如)一安全儲存器。接著在714使用 該密碼編譯密鑰來解密該内容並接著在7丨6傳輸至(例如)該 主計算器件。 圖8係依據本發明之一具體實施例可主控於一主計算器 件上用於存取内容之程式應用之一簡化方塊圖。主計算器 件114可主控應用程式1〇4、數位權限管理(DRM)模組 8〇6、内容保護平台3〇4、檔案系統管理程式8〇8及器件驅 動程式810。如上述,應用程式1〇4可包括各種程式應用, 例如夕媒體播放器、視訊遊戲及其他應用。與應用程式 104通信的係DRM模組806與内容保護平台3〇4。DRM模組 806允許主計算器件i 14管理儲存於一記憶體器件或其他位 置内的内容之數位權限。例如,DRM模組8〇6可保護内容 並控制其分佈。如上述,内容保護平台3〇4係一用於防護 在一記憶體器件上之内容之技術平台。内容保護平台3〇4 可包括安全管理程式802與主密碼編譯引擎8〇4。一般而 言,安全管理程式802管理儲存於一記憶體器件内之内容 之存取。管理包括(例如)檢查是否保護内容、基於相關聯 於-授權及内容產生一密碼編譯密鑰之一引用、基於一參 數與-變數來產生一會話權證、產生該變數及其他操作。 126730.doc -18- 200837600 主密碼編譯引擎804包括該等密碼編譯庫用以處理密碼編 譯操作。内容保護平台304及DRM模組806—起向主計算器 件Π4(及記憶體器件)提供安全儲存及内容管理能力。例 如,内容保護平台304與DRM模組806允許防護儲存於該記 憶體器件内之内容(例如音樂檔案、電影檔案、軟體及其 他貧料)之儲存並加強用於控制内容存取之預定義策略。V ί) Block diagram. Figure 2 shows content 118 associated with _4. The content 118 is encrypted, making the content difficult to understand. - "L' authorized 204 is the material that accesses content 118 (eg, a string, a file, and other materials). Authorization 204 may include the I or rules used to access content 118, such as access duration, content access limited to - specific device, date, time, number of times that can be taken in six, and other permissions. The authorization can therefore be configured to define a license to access the content ι8. Thus, a user is allowed to access the valley 118 based on the permissions included in the (4) 204. For example, authorizing 2〇4 ^ ^ ^ V 牡 疋 异 异 异 异 异 异 采用 采用 采用 采用 采用 采用 采用 采用 采用 采用 采用 采用 采用 采用 采用 采用 采用 采用 采用 采用 采用 采用 采用In another example, the piece. + Take the inner valley 118, but it is not allowed to copy to another calculator. The content 118 is encrypted and the second capacity. The first configured to decrypt the first majority 210 includes correlate private items. For example, the various resources V (four) 210 of the decryption of m91 to 118 may be used to encrypt and decrypt a cryptographic key of the content 118. The suffix s 1 valley 118 replaces the fee code compiling key, and the third parameter 210 may also include a reference to the cryptographic key number 210 。. For example, the reference may be related to 126730.doc 200837600. A number or string of the code compile key. The third parameter 2 1 〇 may also include a verification key. The verification key is a cryptographic key used to verify the session between the host computing device and the memory device. In another example, the second parameter 2 1 0 may be a cryptographically compiled temporary value. A cryptographically compiled temporary value is a number that can be used to generate the cryptographic key. The third parameter 210 is generated based on the first parameter 202 and the second parameter 2〇6. In other words, the third parameter 21〇 can be expressed as a second parameter = F (first parameter, second parameter) (1.0) where the third parameter is a function of the first parameter 2〇2 and the second parameter 2〇6. The name function can include various functions, such as a hash function, so the third parameter 210 may be the hash value of the hash function. The first parameter 2〇2 is associated with the authorization 204 and the second parameter 206 is associated with the content 118. The first parameter 2〇2 and the second parameter 206 can include various materials. For example, the first parameter 2〇2 may be a weight. In a specific embodiment, the number may be randomly generated. In another embodiment, the number is predefined. The second parameter may depend on the first parameter 2〇2 or vice versa. For example, the second parameter 2% may be one of a number or a string that is referenced from one of the first cryptographic keys. Such a number or string can be expressed as a second parameter = F (key reference, first parameter) (12) The first parameter 206 in the eight is a function of the cryptographic key reference and the first parameter 2 (10). It will be appreciated that the second parameter 2〇6 can also be derived from both a verification key and the first majority 202. In another example, the second parameter 206 can be derived from a secret, a temporary value, and a first parameter 202. Conversely, the first parameter 202 can be derived from the second parameter 206 and a verification key, a cryptographic key, 126730.doc 200837600, a cryptographically compiled temporary value, or other parameters. The first parameter 202 and the second parameter 206 are associated with the authorization 2〇4 and the content 118, respectively. In order to associate the authorization 204 or the content 118, the first parameter 202 and the second parameter 206 may be located or included in the authorization and the content, respectively. For example, the second parameter 206 can be located within the header or footer of the content 118. Alternatively, the first parameter 202 and/or the second parameter 206 can be separately located from the authorization 204 and/or the content 118. If the location is separated, the authorization 204 can include an indicator of the first parameter and be associated with the first parameter 202. In the event that the second parameter is separately positioned from the content, the content 118 may also include an indicator of the second parameter 2〇6. Figure 3 is a simplified block diagram of one system for accessing a memory device in accordance with one embodiment of the present invention. As shown, system 3〇2 includes a host computing device 114 coupled to memory device 116. The host computing device 丨 14 can include an application 104 and a first content protection platform 〇4. The memory device Π6 includes a second content protection platform 3 〇6, a content U8, and an authorization 2〇4. In one embodiment, the authorization 204 can be stored in one of the hidden locations within the memory device 116 where the authorization is not visible or accessible to many applications. In addition to being stored within the memory device 116, the authorization 204 can also be stored in the host computing device 114. The first content protection platform 〇4 and the second content protection platform 〇6 are used to protect the technology platform to the content n8 of the memory device U6. Using the first content protection platform 304 and/or the second content protection platform 3〇6, a user can transfer the memory device 丨16 and its contents 丨18 without compromising the security of the content protection. There are various content protection platforms available for protection data. The examples are sold under the trademark TrustedFlashTN^CmViTM (made by SanDisk, Inc. 126730.doc -11 - 200837600). As shown in FIG. 3, the program 104 uses the first content protection platform 304 to specifically request a request to store the content 118 stored in the memory device 116. Here, the encrypted guest] 8 々 δ ° is used to decrypt the content 118, and the second parameter 2〇2 associated with the content 丨18 is associated with the parameter 2〇2 associated with the authorization. The >2 and the second parameter 206 may be included in the authorization 204 and the content 118, respectively, or may be a broadcast that is separately located from the authorization and the content. As the equation - a third parameter is generated based on the first parameter 202 and the second parameter 206. In other words, the third parameter can be derived from the first parameter 202 and the second parameter 2〇6. The third parameter may be a cipher, a flat quotation key used to decrypt the content 118, a reference to the redundant key, a verification key, a temporary value, or other parameters. Using this third parameter, the application 104 can decrypt and access the inner valley 118. In order to access the content 118, the first content protection platform 304 can transmit the first parameter and the request for $118 to the memory device 116. The first content protection platform 〇6 can decrypt the content ι U 8 based on the third parameter and can transmit the decrypted content to the application 104 by the first content protection platform 304. In the specific embodiment of FIG. 3, the first content protection platform 304 hosted on the main computing device 114 retrieves the first parameter 202 and the second parameter 206 and generates the first parameter based on the first parameter and the first parameter. Three parameters. In another embodiment, the second content protection platform 3〇6 included in the memory device 116 can also retrieve the first parameter 202 and the second parameter 206 and generate the first parameter and the second parameter based on the first and second parameters. The third parameter. 4 is a flow diagram depicting accessing content from a memory device 126730.doc -12-200837600 in accordance with an embodiment of the present invention. Beginning at 402, the content is analyzed to determine whether to protect (i.e., encrypt) the content. The various information associated with the content can indicate whether the content is encrypted. For example, the header of the content may indicate that the content is encrypted. Alternatively, the extension of the content may also indicate that the content is encrypted. If the content is not protected, the content can be accessed directly at 4 1 。. If the content is protected, the first parameter can be retrieved at 404. In this embodiment, the first parameter is a number. This number may be randomly generated or predefined. At 406, a second parameter is retrieved from the content. In a specific embodiment, as represented by Equation 1-2, the second parameter can be derived from the cryptographic compilation, a reference to the key, and the first parameter. The cryptographic key is encrypted or decrypted. Thus, the second parameter is associated with both the present and the authorization, since the second parameter is a reference to the password used to decrypt the content and a reference to the number included in the authorization. Export or calculate. It should be noted that in another embodiment, the first parameter (example two:::) may be associated with the content and the second parameter may be associated with the push. Using a#th number and the second parameter, it can be expressed in the cryptographic key compilation as shown in the above formula 10, the poor compiled key reference can be based on the 兮筮一山,...x The first > number is generated with the second parameter. Thereafter, at 410, the content can be interpreted and accessed based on the number of ones. For example, in the case of the eight-body member, the third parameter of the form of the ^ parameter, the one-code compilation of the secret reference includes - safe storage of the piano: memory device. The memory device can store the cryptographic key using the cipher y. The memory device, the zebra money reference is used to extract the secret 126730.doc -13 - 200837600 from the secure storage. 使用 u W Jing. Using the password to compile the key, the memory device can decrypt the inside and the future The decrypted content is transmitted to a host computing device. Accessing Content Based on Session Warrants FIG. 5 is a block diagram depicting the generation of a session ticket in accordance with an embodiment of the present invention. Parameter 502 is initially provided and the parameter includes an associate. Various data decrypted in the inner valley. The parameter 502 can be generated based on parameters associated with the authorization and content described above. The example of the parameter 502 includes a reference for decrypting the code of the f' inner code, a cryptographic compilation. Temporary value or other I parameter. ', the generation of session ticket 506 involves the use of variable 504. Variable 504 includes various tributes. For example, the material may be a number. The number may be pre-defined or generated by the Ik machine. In a specific embodiment, the data may be a string. Unlike the above parameters, the variable 5〇4 may not be associated with the authorization and the inner valley. In other words, the variable 5〇4 may be independent of Authorization and Content. The variable 504 is configured to change during a session. A session can span a period of time. For example, the session may last for -hours, -days, weeks, or other time units. The session may be closed when initializing or restarting the master computing device that is lightly coupled to the 3 σ-hidden device. The session may also be turned off when the '$ memory device is unpacked from the host computing device. In addition, for example, - The call can be accessed across a limited number of content (eg a limited number of times the content can be accessed). The session ticket 506 is generated based on the parameter 5〇2 and the variable 5〇4, so the variable can be encrypted based on the variable The parameters are used to define the session ticket 5〇6. The session ticket 506 can therefore be expressed as 126730.doc -14- 200837600 session ticket = F (parameter, variable) (2.〇) where the session warrant system parameter 502 and the variable 5〇4 A function. Using the session ticket 506, the content can be accessed based on the session ticket. For example, a main hash component can pass the session ticket 506 to the memory device. The device can be based on session warrants. 506 coming The parameter used to decrypt the content. The parameter 5〇2 can derive the parameter =F1 (session ticket, variable) (2·2) from the following: where the parameter is an inverse function of the session warrant 506 and the variable 5〇4. 'Because the session ticket is used to decrypt the content, the session ticket 506 is associated with a particular content. Thus, using the session ticket 5〇6 cannot use or access another content stored in the memory device unless The session ticket includes a parameter (eg, parameter 5〇2) to decrypt other content. As an example, if a different cryptographic key is used to encrypt two separates stored in a memory device, then the master The computing device or memory device generates two, different session warrants to access the two, separate content. Here, the session ticket cannot be used to access the two separate contents encrypted with different cryptographic key encryption. Figure 6 is an access using a session ticket in accordance with one embodiment of the present invention. One of the systems of the body device simplifies the block diagram. System 〇2 includes a host computing device 114 coupled to memory device 116. The main computing device m can include an application 1() 4 and a first content protection platform 3〇4. The memory device 116 includes a second content protection platform 3.6, content 118, and an authorization 2〇4. As described above, the first content protection platform 304 and the second content protection platform 〇6 can be configured to manage the digits 126730.doc -15-200837600 permissions of the content 丨18 stored in the memory device 丨16. As shown in FIG. 6, the application program 4 transmits a request for content 118 stored in the memory device 116 via the first content protection platform π*. Content 118 is encrypted using a cryptographic key. A parameter associated with the cryptographic key (e.g., one of the cryptographic key references, a temporary value, or other number of signatures) is provided to the second content protection platform 3〇6. In response to the request to access the content 118, the second content protection platform 〇6 adds the name parameter to the name parameter based on the variable 〇4, which is expressed in Equation 2.0. The second content protection platform 3〇6 can generate a variable of 6〇4 (e.g., number one, string or other parameter). The variable 604 is configured to vary during a session. For example, the second content protection platform 〇6 can generate a different variable 604 for each session. The variable 604 may be randomly generated or predefined. After generating the session ticket, the second content protection platform 3〇6 transmits the session ticket to the host computing device i14. Using the session ticket, host computing device 114 can access content 118 based on the session ticket. In order to access the content 118, the host computing device 丨 14 then transmits the session ticket back to the memory device 116. After receiving the session ticket, the second content protection platform 3〇6 decrypts the session ticket to extract parameters for decrypting the content 118, which is expressed in the form 2.2. If the variable 604 does not change, the parameter can be extracted because the decryption is based on a variable that is specific to the variable used to encrypt the parameter. The variable 604 can vary during different sessions. Thus, in the event that such variables are generated within the same session, the variable 604 is equivalent to the variable used to encrypt the parameter. However, if the variable 604 has changed, the number of parameters 126730.doc -16 - 200837600 cannot be extracted because the decryption is based on a variable different from the variable used to encrypt the parameter. In the event that such variables are generated within different sessions, the variable 604 is different from the variable used to encrypt the parameter. The session ticket is continuously or effectively used for a session by changing the variable 604' at a session. If the parameter can be extracted, then the second content protection platform 306 can decrypt the content 118 based on the parameter and transmit the decrypted content to the host computing device 114. In another embodiment, the first content protection platform 304 can also generate the session ticket by encrypting parameters used to decrypt the content 118. Here, the response application 104 requests access to the content 11 8, and the first content protection platform 304 can generate the session ticket and transmit the session ticket to the application 104. Application 1-4 can then transmit the session ticket back to the first content protection platform 304 to access the content 118. Figure 7 is a flow diagram illustrating the access of content from a memory device based on a session ticket in accordance with an embodiment of the present invention. Beginning at 702, a reference to one of the cryptographic keys is retrieved. This reference may be taken from a master calculator or a memory device. The content stored in the memory device is encrypted and decrypted using the cryptographic key. Using the cipher to compile the key reference 'at 704' to encrypt the cryptographic key based on a number is used to deny a session ticket. This number is configured to be k-transformed at a session and randomly generated. At 7〇6, the session ticket can then be transmitted to, for example, a host computing device. § When the host computing device accesses the content stored on a memory device, the host computing device can transmit the session ticket received to the memory device at 706'. At 708, the memory device receives the session ticket and decrypts the session ticket based on a number at 710. If the number matches the number used to generate the session right 126730.doc -17-200837600, the cryptographic key reference can be extracted from the decryption operation. However, if the session has changed and the memory device holds a different number, the cryptographic keying reference cannot be extracted from the decryption operation because the numbers do not match. If the cryptographic secret reference is extracted from the session ticket, then at 712, the cryptographic key is retrieved based on the reference. The cryptographic key can be retrieved from, for example, a secure storage. The cryptographic key is then used at 714 to decrypt the content and then transmitted to, for example, the host computing device at 7.6. Figure 8 is a simplified block diagram of a program application for accessing content on a master calculator in accordance with an embodiment of the present invention. The main calculator 114 can host the application program 4, the digital rights management (DRM) module 8〇6, the content protection platform 3〇4, the file system management program 8〇8, and the device driver 810. As mentioned above, the application program 1-4 can include various program applications such as a eve media player, a video game, and other applications. The DRM module 806 and the content protection platform 3〇4 are in communication with the application 104. The DRM module 806 allows the host computing device i 14 to manage the digital rights of the content stored in a memory device or other location. For example, the DRM module 8〇6 protects content and controls its distribution. As mentioned above, the content protection platform 3〇4 is a technology platform for protecting content on a memory device. The content protection platform 〇4 may include a security management program 802 and a master cipher compilation engine 8.4. In general, the security management program 802 manages access to content stored in a memory device. Management includes, for example, checking whether the content is protected, generating a reference to one of the cryptographic keys based on the associated-authorization and content, generating a session ticket based on a parameter and a variable, generating the variable, and other operations. 126730.doc -18- 200837600 The master password compilation engine 804 includes such password compilation libraries for handling cryptographic compilation operations. The content protection platform 304 and the DRM module 806 - provide secure storage and content management capabilities to the main calculator Π 4 (and memory devices). For example, the content protection platform 304 and the DRM module 806 allow for the storage of content stored in the memory device (eg, music files, movie archives, software, and other poor materials) and enhance predefined policies for controlling content access. .
Lj 與内容保護平台304通信的係檔案系統管理程式8〇8。一 般而a,檔案系統管理程式8〇8係經組態用以管理並處理 存取(例如讀取、寫入及其他存取操作)儲存於一記憶體器 件内的内谷。例如,檔案系統管理程式可從一記憶體 器件頃取内容,並將該内容傳輸至内容保護平台用於 處理。主計算器件丨14可介接一記憶體器件。因此,主計 #器件114可包括器件驅動程式81〇,其與檔案系統管理程 式808通信,以介接該記憶體器件。器件驅動程式可 (例如)包括下層介面功能以與一記憶體器件通信。一下層 介面功能之-範例包括相關聯於輸人資料至該記憶體器件 及從其輸出資料之輸入/輸出功能。 圖9係依據本發明之一具體實施例可包括於一記憶體器 件内之程式應用之-簡化方塊圖。記憶體器件⑴可包括 模組9〇2、内容保護平台鳩、密碼編譯引擎州及安 :儲:器906。在記憶體器件116中,職模組9〇2允許記 匕體益件116管理儲存於該記憶體器件内之内容之數位權 限、。例如,DRM模組9〇2可經組態用以加強内容權限。如 上述,内容保護平台遍係—用於防護儲存於記憶體器件 126730.doc -19· 200837600 116上之内谷的技術平台。内容保護平台3 〇 6可經組態用以 基於相關聯於一授權及該内容之參數來產生一密碼編譯密 鑰之一引用,基於一參數及一變數來產生一會話權證,並 可經組悲用於其他操作。密碼編譯引擎9〇4處理密碼編譯 操作而安全儲存器906儲存該等密碼編譯密鑰。Lj is a file system management program 8〇8 that communicates with the content protection platform 304. In general, the file system management program 8-8 is configured to manage and process access (e.g., read, write, and other access operations) stored in a memory device. For example, the file system management program can retrieve content from a memory device and transfer the content to a content protection platform for processing. The host computing device 丨 14 can interface with a memory device. Thus, the master device 114 can include a device driver 81 that communicates with the file system management program 808 to interface with the memory device. The device driver can, for example, include a lower interface function to communicate with a memory device. The following examples of the interface function include input/output functions associated with the input data to and from the memory device. Figure 9 is a simplified block diagram of a program application that can be included in a memory device in accordance with an embodiment of the present invention. The memory device (1) may include a module 〇2, a content protection platform 鸠, a cryptographic engine state, and an EEPROM: 906. In the memory device 116, the job module 9〇2 allows the physical component 116 to manage the digital rights of the content stored in the memory device. For example, the DRM module 9〇2 can be configured to enhance content rights. As mentioned above, the content protection platform is used throughout—to protect the technology platform stored in the memory device 126730.doc -19·200837600 116. The content protection platform 3 〇6 can be configured to generate a reference to a cryptographic key based on a parameter associated with an authorization and the content, generate a session ticket based on a parameter and a variable, and can be grouped Sadness is used for other operations. The cryptographic engine 9〇4 handles the cryptographic compilation operation and the secure storage 906 stores the cryptographically compiled keys.
應瞭解’在其他具體實施例中,除了圖8及9所示該等裎 式應用,圖8之主計算器件114與圖9之記憶體器件116可包 括更少或更多的程式應用。例如,如圖8所示,檐案系統 管理程式808與器件驅動程式81〇可整合於内容保護平台 304内。圖8之主計算器件U4可因此包括dRM模組8〇6與内 容保護平台304。 圖10係依據本發明之一具體實施例適用於主控一内容保 護平台與其他程式應用之一主計算器件之一般概述之一簡 化方塊圖。在-些具體實施例中,主計算器件114可用於 實施電腦程式(例如内容保護平台)、邏輯、應用程式、方 法私序或其他軟體用於存取内容。主計算器件114之範 例包括一桌上型電腦、一伺服器、一可攜式計算器件、一 個人數位助理、一行動電話、在一器具内的一計算引擎及 其他電腦系統。如圖1〇所示,主計算器件114包括匯流排 1002或其他用於傳達資訊之通信機制,該通信機制互連子 系統及器件,例如處S||1〇〇4、系統記憶體1〇〇6(例如隨 機存取記憶體(RAM))、儲存器件1_(例如唯讀記憶體 (ROM)、磁碟機、光碟機及其他儲存器件)、通信介面 1012(例如數據機或乙太網路卡)、顯示器⑺μ(例如陰極射 126730.doc -20- 200837600 線管(CRT)或液晶顯示器(LCD))、輸入/輸出器件丄㈣(例 如鍵盤)及游標控制1018(例如滑鼠或軌跡球)。 在-些具體實施例中,當執行儲存於系統記憶體嶋内 之-或多個程式指令之一或多個序列日夺,主計算器件"4 藉由處理器1004來執行特定操作。此類程式指令可從另外 電腦可讀取媒體(例如儲存器件1〇()8)讀入系統記憶體議 内。在一些具體實施例中,硬佈線電路可取代或組合軟體 私式札令來使用,以實施本發明之具體實施例。 應瞭解,術語”電腦可讀取媒體”係指參與提供程式指令 至處理器1004用於執行之適當媒體。此一媒體可採取許多 形式,包括(但不限於)非揮發性媒體、揮發性媒體及傳輸 媒體。非揮發性媒體可包括(例如)光碟或磁碟,例如儲存 器件1008。揮發性媒體可包括動態記憶體,例如系統記憶 體1006。傳輸媒體包括同轴電纜、銅導線及光纖,包括包 含匯流排1002之導線。傳輸媒體還可採取聲波或光波之形 式,例如在無線電電波及紅外線資料通信期間所產生之該 等波。電腦可讀取媒體之常見形式包括(例如)磁性媒體(例 如軟碟、軟性磁碟、硬碟、磁帶及其他磁性媒體)、光學 媒體(例如光碟唯讀記憶體(CD-R〇m)及其他光學媒體)、 具有圖案之實體媒體(例如打孔卡、紙帶、任何其他實體 媒體)、記憶體晶片或匣、載波(例如RAM、可程式化唯讀 記憶體(PROM)、可抹除可程式化唯讀記憶體(epr〇m)、 快閃記憶體及其他記憶體晶片或匣)及電腦可自其讀取的 任一其他媒體。 126730.doc •21 · 200837600 …在-些具體實施例中,可藉由一單一計算器件ιΐ4來執 行該等程式指令序列之執行以實施該等具體實施例。在其 他具體實施例中,由通信鏈路·(例如區域網路(lan)、 公用父換電話網絡(PSTN)、無線網路及其他通信鏈路)耦 合的兩或更多電腦系統(例如主計算器件丨14)可執行程式指 令序列以相互協調地實施該等具體實施例。此外,計算器 件114可透過通信鏈路1〇2〇與通信介面1〇12來傳輸並接收 讯息、貧料及指令,包括程式,即應用程式碼。接收的程 式指令可在接收該等程式指令時由處理器1〇〇4執行及/或 儲存於儲存器件1〇〇8或其他非揮發性儲存器内用於稍後執 行。 圖11係依據本發明之一具體實施例之一記憶體器件之一 簡化方塊圖。如圖11所示,記憶體器件i 16包括與記憶體 1104通栺的纪憶體控制器丨丨〇2。一般而言,記憶體控制器 1102控制記憶體1106之操作。操作範例包括寫入(或程式 化)資料、讀取資料、抹除資料、核實資料及其他操作。 此外,記憶體控制1102可經組態用以基於相關聯於該授權 及該内容之參數來產生一參數,基於一參數及一號碼來產 生一會話權證’並可經組態用於上述其他操作。 記憶體器件116可包括各種非揮發性記憶體結構及技 術。e憶體技術之範例包括快閃記憶體(例如naNE)、 NOR、單級單元(SLC/BIN)、多級單元(MLC)、劃分位元 線NOR(DINOR)、AND、高電容耦合比(HiCR)、非對稱無 接觸電晶體(ACT)及其他快閃記憶體)、可抹除可程式化唯 126730.doc -22- 200837600 讀記憶體(EPROM)、電可抹除可程式化唯讀記憶體 (EEPROM)、唯讀記憶體(ROM)、一次可程式化記憶體 (OTP)及其他記憶體技術。在一具體實施例中,記憶體器 件116可能係使用快閃記憶體的一快閃記憶卡。快閃記憶 卡之範例包括各種以下商標標記產品,例如Secure DigitalTM(相容於加利福尼亞州San Ramon的SD卡協會所主 張的規格)、MultiMediaCardTM (相容於加利福尼亞州Palo Alto的多媒體卡協會("MMCA")所主張的規格)、MiniSDTM (由 SanDisk,Inc·製造)、MicroSDTM(由 SanDisk,Inc_ 製 造)、CompactFlashTM(相容於加利福尼亞州Palo Alto的 CompactFlash 協會(,fCFA” 所主張的規格)、SmartMedia™ (相容於日本橫濱的固態軟碟卡("SSFDC”)論壇主張的規 格)、xD-Picture CardTM(相容於日本東京的xD-Picture卡許 可辦公室所主張的規格)、Memory StickTM(相容於日本橫 濱的固態軟碟卡(nSSFDCn論壇所主張的規格)、TransFlash™ (由SanDisk,Inc.製造)及其他快閃記憶卡。在另一具體實 施例中,記憶體器件116可實施成一非可移式記憶體器 件。 下列專利文件包含可與本文所述之具體實施例一起使用 的具體實施例。該些專利文件之各專利文件與本申請案同 曰申請,讓渡給本發明之受讓人,並以引用形式併入本 文:’’内容與授權之鏈結裝置”,美國專利申請案序號 1 1/600,270 ; ”用於基於會話權證存取内容之方法”,美國 專利申請案序號11/600,263 ; ”用於基於會話權證存取内容 126730.doc -23- 200837600 之裝置",4國專利申請案序號11/6〇〇,273;"用於結合内 容至分離記憶體器件之方法",美國專利申請案序號 1 1/600,262 ;',用於結合内容至分離記憶體器件之裝置”, 美國專射請案序號u/_,245;"用於允許多個使用者存 取預視内容之方法",美國專利申請案序號11/599,994 ;,,用 於允許多個使用者存取預視内容之系統,,,美國專利申請 案序號1 1/599,995 ;,,用於允許第二DRM系統存取受第一 麵系統㈣之内容的方法",纟國專利中請案序號 1 1/600,005 ’用於允許第二DRM系統存取受第一 d腹系 統保護之内容的系統,,,美國專射請案序號⑴別州,· ”用於連接至相關聯於内容之網路位置的方法",美國專利 申請案序號⑽⑽,;及”用於連接至相關聯於内容之網 路位置的系統",美國專射請序號i 1/6GM〇6。 奋儘管為了清楚理解之故’在一些細節上已說明前述具體 實施例’但該等具體實施例不限於所提供的細節。存在許 多實施該等具體實施例之替代性方式。據此,該等揭示旦 體實施例應視為說明性而非限制性,且該等具體實施例不 限於本文所提出之細節’並可加以修改而不脫離隨附申請 專利範圍之範疇及等效物。”請專利範圍内,元件及/ 或操作不會暗示著任何特定操作次序,除非申請專利範圍 另有明確申明。 【圖式簡單說明】 結合附圖’藉由上述詳細說明應容易地理解本發明,且 相似參考數位指定相似結構元件。 126730.doc -24· 200837600 圖1係依據本發明 化方塊圖。 之一具體實施例之一襞置系統之一 簡 圖2係依據本發明 _ 每 八體貝轭例描述一用以解密内容 之參數之產生的一方塊圖。 圖3係依據本發明之一且舻實 麯抑^ 八體員鉍例之一用於存取一記憶 體盗件之系統之一簡化方塊圖。 圖4係依據本發明之_且辦香# & 八體實轭例描述從一記憶體器件It should be understood that in other embodiments, the host computing device 114 of Figure 8 and the memory device 116 of Figure 9 may include fewer or more program applications than those illustrated in Figures 8 and 9. For example, as shown in FIG. 8, the file system management program 808 and the device driver 81 can be integrated into the content protection platform 304. The host computing device U4 of Figure 8 can thus include the dRM module 8〇6 and the content protection platform 304. Figure 10 is a simplified block diagram of a general overview of a host computing device suitable for hosting a content protection platform and other programming applications in accordance with an embodiment of the present invention. In some embodiments, host computing device 114 can be used to implement computer programs (e.g., content protection platforms), logic, applications, method private programs, or other software for accessing content. Examples of host computing device 114 include a desktop computer, a server, a portable computing device, a personal digital assistant, a mobile phone, a computing engine within an appliance, and other computer systems. As shown in FIG. 1A, the main computing device 114 includes a bus bar 1002 or other communication mechanism for communicating information, the communication mechanism interconnecting subsystems and devices, such as at S||1〇〇4, system memory 1〇 〇6 (such as random access memory (RAM)), storage device 1_ (such as read-only memory (ROM), disk drive, CD player and other storage devices), communication interface 1012 (such as data machine or Ethernet) Road card), display (7) μ (eg cathode shot 126730.doc -20-200837600 line tube (CRT) or liquid crystal display (LCD)), input/output device 四 (4) (eg keyboard) and cursor control 1018 (eg mouse or track) ball). In some embodiments, the master computing device <4 performs a particular operation by the processor 1004 when one or more sequence instructions stored in the system memory bank are executed. Such program instructions can be read into the system memory from another computer readable medium (eg, storage device 1 () 8). In some embodiments, hard-wired circuitry may be used in place of or in combination with software-specific programming to implement embodiments of the present invention. It should be understood that the term "computer readable medium" refers to the appropriate medium that participates in providing program instructions to processor 1004 for execution. This medium can take many forms, including but not limited to, non-volatile media, volatile media, and transmission media. Non-volatile media may include, for example, a compact disc or a magnetic disk, such as storage device 1008. Volatile media can include dynamic memory, such as system memory 1006. The transmission medium includes a coaxial cable, a copper wire, and an optical fiber, including a wire including the bus bar 1002. The transmission medium can also take the form of sound waves or light waves, such as those generated during radio wave and infrared data communication. Common forms of computer readable media include, for example, magnetic media (such as floppy disks, floppy disks, hard disks, magnetic tapes, and other magnetic media), optical media (such as CD-ROM memory). Other optical media), patterned physical media (eg punch cards, tapes, any other physical media), memory chips or ports, carrier waves (eg RAM, Programmable Read Only Memory (PROM), erasable Programmable read-only memory (epr〇m), flash memory and other memory chips or 匣) and any other media that the computer can read from. 126730.doc • 21 · 200837600 ... In some embodiments, the execution of the sequence of program instructions can be performed by a single computing device ι 4 to implement the specific embodiments. In other embodiments, two or more computer systems (eg, primary) coupled by a communication link (eg, a local area network (LAN), a public parent exchange telephone network (PSTN), a wireless network, and other communication links) The computing device 丨 14) can execute the sequence of program instructions to implement the specific embodiments in coordination with one another. In addition, the calculator unit 114 can transmit and receive messages, poor materials and instructions, including programs, ie application code, through the communication link 1〇2 and the communication interface 1〇12. The received program instructions may be executed by processor 〇〇4 and/or stored in storage device 〇〇8 or other non-volatile storage for later execution upon receipt of the program instructions. Figure 11 is a simplified block diagram of one of the memory devices in accordance with one embodiment of the present invention. As shown in FIG. 11, the memory device i 16 includes a memory controller 丨丨〇2 that is in communication with the memory 1104. In general, memory controller 1102 controls the operation of memory 1106. Examples of operations include writing (or stylizing) data, reading data, erasing data, verifying data, and other operations. Additionally, the memory control 1102 can be configured to generate a parameter based on the parameters associated with the authorization and the content, generate a session ticket based on a parameter and a number and can be configured for the other operations described above . Memory device 116 can include a variety of non-volatile memory structures and techniques. Examples of e-memory technologies include flash memory (eg, naNE), NOR, single-level cell (SLC/BIN), multi-level cell (MLC), divided bit line NOR (DINOR), AND, high capacitance coupling ratio ( HiCR), Asymmetric Contactless Transistor (ACT) and other flash memory), erasable programmable 126730.doc -22- 200837600 Read Memory (EPROM), Erasable Readable Programmable Read Only Memory (EEPROM), read-only memory (ROM), one-time programmable memory (OTP) and other memory technologies. In one embodiment, memory device 116 may be a flash memory card that uses flash memory. Examples of flash memory cards include various branded markup products such as Secure DigitalTM (compatible with the specifications of the SD Card Association of San Ramon, Calif.), MultiMediaCardTM (compatible with the Multimedia Card Association of Palo Alto, Calif.) MMCA") specifications, MiniSDTM (manufactured by SanDisk, Inc.), MicroSDTM (manufactured by SanDisk, Inc.), CompactFlashTM (compatible with the specifications of the CompactFlash Association of Palo Alto, California (fCFA), SmartMediaTM (compatible with the specifications of the Yokohama Solid State Disc Card ("SSFDC) Forum), xD-Picture CardTM (compatible with the specifications of the xD-Picture Card Licensing Office in Tokyo, Japan), Memory StickTM (Compatible with solid state floppy disk cards in Yokohama, Japan (specifications as claimed by the nSSFDCn Forum), TransFlashTM (manufactured by SanDisk, Inc.) and other flash memory cards. In another embodiment, the memory device 116 may Implemented as a non-removable memory device. The following patent documents contain specific embodiments that may be described herein DETAILED DESCRIPTION OF THE INVENTION The patent documents of each of these patents are hereby incorporated by reference in their entirety in the entire entire entire entire entire entire entire entire entire entire entire entire entire content US Patent Application Serial No. 1 1/600,270; "Method for Accessing Content Based on Session Warrants", U.S. Patent Application Serial No. 11/600,263; "for accessing content based on session warrants 126730.doc -23- 200837600 Device ", 4 Patent Application Serial No. 11/6, 273; "Method for Combining Content to Separate Memory Devices", U.S. Patent Application Serial No. 1 1/600,262; ', for combining content "To the device for separating the memory device", the US special request number u/_, 245; " method for allowing multiple users to access the preview content, US Patent Application Serial No. 11/599,994; , a system for allowing a plurality of users to access previewed content, US Patent Application Serial No. 1 1/599,995;, a method for allowing a second DRM system to access content of a first-sided system (4) ;, the case of the patent in the country 1 1/600,005 'System for allowing the second DRM system to access the content protected by the first d-abdominal system, US, the specific number of the request (1) other states, · "for connecting to the network associated with the content The method of the location of the road ", the US patent application serial number (10) (10), and the "system for connecting to the network location associated with the content", the US special shot number i 1 / 6 GM 〇 6. The foregoing specific embodiments have been described in some detail, and are not intended to There are many alternative ways of implementing such specific embodiments. Accordingly, the disclosed embodiments are to be considered as illustrative and not restrictive, and the specific embodiments are not limited to the details set forth herein and may be modified without departing from the scope and scope of the accompanying claims. Effect. In the context of the patent, the components and/or operations are not intended to imply any specific order of operation unless the scope of the patent application is otherwise expressly stated. [Simplified Description of the Drawings] The present invention should be readily understood by the above detailed description. And similar reference numerals designate similar structural elements. 126730.doc -24· 200837600 Figure 1 is a block diagram according to the present invention. One of the specific embodiments is a schematic system 2 according to the present invention _ per eight body The conjugate example describes a block diagram for generating a parameter for decrypting content. Figure 3 is a system for accessing a memory pirate in accordance with one of the present invention and a sturdy singularity. One of the simplified block diagrams. Figure 4 is a description of the occupant # &
存取内容之一流程圖。 圖5係依據本發明之_ X乃之具體實她例描述一會話權證之產 生的一方塊圖。 曰系依據本舍明之_具體實施例之_使用一會話權證 來存取一記憶體器件之系統之一簡化方塊圖。 …圖7係依據本發明之一具體實施例描述基於一會話權證 攸一记憶體器件存取内容之一流程圖。 圖8係依據本發明之一具體實施例可主控於一主計算器 件上用於存取内容之程式應用之一簡化方塊圖。 圖9係依據本發明之一具體實施例可包括於一記憶體器 件内之私式應用之一簡化方塊圖。 圖10係依據本發明之一具體實施例適用於主控一内容保 護平台與其他程式應用之一主計算器件之一般概述之一簡 化方塊圖。 圖11係依據本發明之一具體實施例之一記憶體器件之一 簡化方塊圖。 【主要元件符號說明】 126730.doc -25- 200837600A flow chart for accessing content. Figure 5 is a block diagram showing the generation of a session ticket in accordance with the specific example of the invention. A simplified block diagram of a system for accessing a memory device using a session warrant in accordance with the teachings of the present invention. Figure 7 is a flow diagram illustrating one of the contents of a memory device access based on a session ticket in accordance with an embodiment of the present invention. Figure 8 is a simplified block diagram of a program application for accessing content on a master calculator in accordance with an embodiment of the present invention. Figure 9 is a simplified block diagram of a private application that can be included in a memory device in accordance with an embodiment of the present invention. Figure 10 is a simplified block diagram of a general overview of a host computing device suitable for hosting a content protection platform and other programming applications in accordance with an embodiment of the present invention. Figure 11 is a simplified block diagram of one of the memory devices in accordance with one embodiment of the present invention. [Main component symbol description] 126730.doc -25- 200837600
V 102 系統 104 應用程式 108 機械介面 114 主計算器件 116 記憶體器件 118 内容 202 第一參數 204 授權 206 第二參數 210 第三參數 302 系統 304 第一内容保護平台 306 第二内容保護平台 502 參數 504 變數 506 會話權證 602 系統 604 變數 802 安全管理程式 804 主密碼編譯引擎 806 數位權限管理(DRM)模組 808 檔案系統管理程式 810 器件驅動程式 902 DRM模組 126730.doc -26- 200837600 904 密碼編譯引擎 906 安全儲存器 1002 匯流排 1004 處理器 1006 系統記憶體 1008 儲存器件 1012 通信介面 1014 顯示器 1016 輸入/輸出器件 1018 游標控制 1020 通信鏈路 1102 記憶體控制器 1104 記憶體 126730.doc 27-V 102 system 104 application 108 mechanical interface 114 host computing device 116 memory device 118 content 202 first parameter 204 authorization 206 second parameter 210 third parameter 302 system 304 first content protection platform 306 second content protection platform 502 parameter 504 Variable 506 Session Warrant 602 System 604 Variable 802 Security Management Program 804 Master Password Compilation Engine 806 Digital Rights Management (DRM) Module 808 File System Management Program 810 Device Driver 902 DRM Module 126730.doc -26- 200837600 904 Password Compilation Engine 906 Secure Storage 1002 Bus 1004 Processor 1006 System Memory 1008 Storage Device 1012 Communication Interface 1014 Display 1016 Input/Output Device 1018 Cursor Control 1020 Communication Link 1102 Memory Controller 1104 Memory 126730.doc 27-