WO2007086006A1 - Cleaning up hidden content while preserving privacy - Google Patents
- Publication number: WO2007086006A1
- Authority: WIPO (PCT)
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/60—Protecting data
          - G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
            - G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
            - G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
          - G06F2221/2143—Clearing memory, e.g. to prevent the data from being stolen
Definitions
- An access message 300 (Fig. 3) typically comprises at least a message identifier 310 and a user identifier 311 to identify the user with which the access message is associated. The user identifier is typically the public key of the user.
- The access message 300 contains an owner identifier 312 in the form of the owner's public key, to indicate who owns the content.
- The message comprises an asset block 313, which includes an asset key 316 with which the content is encrypted, an asset identifier 317 to identify the content with which the access message is associated and access rights 318 defining which rights the user has to the content. This block is encrypted with the public key of the user with which the access message is associated.
- The message also comprises a copy 314 of the asset block. The asset block 314 is encrypted with the public key of the content owner.
- The access message 300 comprises a signature block 315 which is required to ensure that no one can fake content ownership. The signature block contains a hash of the four blocks 311, 312, 313 and 314; the hash ensures the integrity of every bit in the four blocks. The signature block is then encrypted by the content owner's private key. This ensures that only the content owner's physical key can create this signature. Any physical key can check the integrity of the message by decrypting the signature block using the owner's public key and verifying the hash value.
Abstract
The present invention relates to a method of removing content from a multi-user device (102), and a multi-user device arranged to securely store content. A basic idea of the present invention is to enable an authorized user (101) of a secure, tamper-proof device to issue a content removal command, a 'clean-up' command, for content that is stored on the device, to which authorized users of the device have no access rights or no ownership rights. When an authorized user issues a clean-up command for such content, the device checks a list (105) of users that are authorized to store content on the device. The list is maintained and stored securely by the device and comprises an identifier, in the form of e.g. a public key, of each authorized user. If none of the users on the list is associated with the content for which a removal command has been issued, the content is removed from the device.
Description
CLEANING UP HIDDEN CONTENT WHILE PRESERVING PRIVACY
The present invention relates to a method of removing content from a multiuser device, and a multi-user device arranged to securely store content.
Recent developments in digital technologies, along with increasingly interconnected high-speed networks and decreasing prices for high-performance digital devices, have established digital content distribution as one of the most rapidly emerging trading activities and have created new methods for consumers to access, manage, distribute and pay for digital content. As a consequence of this trend and the success of one of the first online music shops - Apple's iTunes, a number of shops have been opened and both consumers and content providers have clearly shown high interest in electronic distribution of audio/video content.
On the other hand, the production of digital information has turned out to be low-priced and open to everyone. Nowadays, people create digital photos, home movies and other content items to an ever-increasing extent. Furthermore, the advances in digital storage technology, which doubles storage capacity every year, make digitization, compression, archiving and streaming of image and video data popular and inexpensive. Consequently, people in general have to manage a huge amount of digital data including commercial as well as personal content. Some content can be treated as confidential and therefore can be stored protected (encrypted) or used within a DRM system (e.g. commercial content or protected personal content). Digital content items may consist of medical or financial records, which may be highly confidential and therefore must be protected, for example by means of encryption or access control mechanisms. In recent years, the number of content protection systems available has been growing rapidly. Some of these systems only protect the content against illegal copying, while others also prevent the user from accessing the content. The first category is called Copy Protection (CP) systems. CP systems have traditionally been the main focus for consumer electronics (CE) devices, as this type of content protection is thought to be inexpensively implemented and does not need bi-directional interaction with the content provider. The second category is known under several names. In the broadcast world, systems of this category are generally known as conditional access (CA) systems, while in the Internet world they are generally known as Digital Rights Management (DRM) systems. In DRM systems, a user who wishes to access a content item must typically present an access right to the system. Access rights include e.g. play rights, one-generation copy rights, distribution rights etc. For example, a user of a privacy-protected device, i.e. a device which gives a user access to a content item if the user has the appropriate access right(s), logs on to the site of a content provider. Using her credit card, she buys a right to access content in the form of e.g. a song and downloads the digital right to the device, being for example a portable audio player such as an MP3 player. Different types of access exist, for example "play", "copy", "burn to CD-R", "transfer", "download" etc. A typical digital right associated with audio content is "play unlimited". With this right, the user can play the downloaded song an unlimited number of times. Further, the device to which the song is downloaded may be a multi-user device.
Further, DRM may be used for protecting user privacy. Users may also be viewed as content providers, and DRM technologies may be employed to protect their content and to allow them to share this content in a controlled way. A privacy-protected device may contain content that is inaccessible to authorized or primary users of the device, because none of them has access rights to this content. Furthermore, the device can protect privacy by hiding, from a user, content of other users to which the user has no access rights. This content is hidden and can therefore not be removed in a normal way. A first example of such unwanted content is private content of a guest user, who accidentally or deliberately left it on the device. A second example is the content of a former authorized user. A third example is content whose access information, containing the access rights, is damaged, making the content unusable if no backup of the access information exists. A fourth example is inaccessible content implanted on the device by a hacker with the aim to make the device practically unusable by blocking a major part of the storage area. It must therefore be possible to remove the invisible unwanted content, but without an infringement of privacy.
An object of the present invention is to solve the problems in the prior art mentioned in the above and enable an authorized user of a privacy-protected device to issue a content removal command for content stored on the device to which no authorized user has access rights.
This object is attained by a method of removing content from a multi-user device in accordance with claim 1 and a multi-user device arranged to securely store content in accordance with claim 16.
In a first aspect of the present invention, there is provided a method comprising the steps of maintaining and securely storing a list of users that are authorized to store content on the device, and receiving a content removal command. Further, the method comprises the steps of checking whether any one of the users on the list is associated with the content to be removed and removing the content from the device, if none of the users on the list is associated with the content.
In a second aspect of the present invention, there is provided a device comprising means arranged to maintain a list of users that are authorized to store content on the device. The means is further arranged to receive a content removal command, to check whether any one of the users on the list is associated with the content to be removed and to remove said content from the device, if none of the users on the list is associated with the content. Further, the device comprises means for securely storing the list.
A basic idea of the present invention is to enable an authorized user of a secure, tamper-proof device to issue a content removal command, a "clean-up" command, for content that is stored on the device, to which authorized users of the device have no access rights or no ownership rights. Such content is inaccessible to the authorized users, and is thus in practice an invisible data set requiring storage space on a user device. Hence, when an authorized user issues a clean-up command for such superfluous content, the device checks a list of users that are authorized to store content on the device. The secure, tamper-proof device is a multi-user device that supports content protection and secure sharing. It is typically a DRM compliant device which further can protect personal content. The list is maintained and stored securely by the device and comprises an identifier, in the form of e.g. a public key, of each authorized user. If none of the users on the list is associated with the content for which a removal command has been issued, the content is removed from the device. Advantageously, the present invention enables removal of unwanted content to which no authorized user has access rights without infringement of privacy, since no super user is required who can view and manipulate private content of other device users.
In an embodiment of the present invention, a user is added to the securely stored list when presenting authentication information to the device. This authentication information may be embodied in the form of a user name plus a password, a public-private key pair etc. Preferably, a user is added to the securely stored list when presenting a physical key to the device, said physical key comprising a private-public key pair of the user and authentication information. For a user to be added to the list, the device must consider the user to be authorized. Hence, the user has to present some authentication information to the device. By using a physical key, the user is given a feeling of safety. The electronic, cryptographic keys contained in the physical key in order to access private content are only present inside the physical key and are not hidden in the device or on a network. The physical key may be embodied in the form of e.g. a smart card or a USB stick. A fingerprint detector arranged on the physical key can further enhance safety by linking the key to its owner by means of a biometric feature. This prevents unauthorized use of the physical key in case the owner forgets or loses her physical key, or if somebody steals it. Alternatively, the user may have to state a PIN code or password. Further, remote authentication should be enabled, for instance over the Internet. In that case, it may be necessary to establish a secure channel between the physical key and the device by means of encryption.
In another embodiment of the present invention, adding a user to the list further requires the user to present a group key that corresponds to a valid group key stored in the device, wherein the physical key further comprises a private-public key pair of a group to which the user belongs. Users often regard user identification as an annoying procedure. By using a group key, members of the group have access to content considered collective to the group. The group key pair is present in all physical keys of the users belonging to the group.
In a further embodiment of the present invention, a user may issue a list editing command to the device. If the user issuing the command is owner of the device, the device will edit the list in accordance with the command. For instance, the owner may add a user to the list and the user who is added consequently becomes authorized to permanently store content on the device.
Typically, there are different types of users. In the list of authorized users, there are two types of users: a "regular" authorized user who may store content on the device but who cannot edit the list, and primary users (also referred to as owners) who can edit the list, e.g. add or delete users from the list. As an example, a regular authorized user may be a family member and the primary user may be someone who is part of the same family but also is the owner of the device. Note that a device may have more than one owner/primary user; a group of family members may e.g. be considered to be owners of the device.
In a further embodiment of the present invention, the list of authorized users is also stored on the physical key of a user whenever the user presents the physical key to the device. This is advantageous for backup reasons.
In yet another embodiment of the present invention, access messages associated with the content to be removed are deleted, wherein the content is removed from the device when all access messages associated with the content have been deleted. In the privacy-protected device described herein, so-called access messages are preferably created and used to efficiently handle content items and parameters such as which users have the right to access the content items and what rights they have to access the content items. An access message typically comprises at least an asset key with which the content is encrypted, an asset identifier to identify the content with which the access message is associated, a user identifier to identify the user with which the access message is associated and access rights defining which rights the user has to the content. The asset key is encrypted with the public key of the user with which the access message is associated. Since the content item is encrypted with the asset key, which typically is a symmetric key, anyone wishing to access the content must at least be in possession of the asset key, such that the content can be decrypted. The asset key is encrypted by the public key of the user and can thus only be decrypted by using the private key of the user. The physical key of the user should have some encryption/decryption processing power in order to create encrypted access messages containing asset keys for other users, to decrypt the asset keys and to perform other sharing and ownership management, if necessary.
Further features of, and advantages with, the present invention will become apparent when studying the appended claims and the following description. Those skilled in the art realize that different features of the present invention can be combined to create embodiments other than those described in the following.
A detailed description of preferred embodiments of the present invention will be given in the following with reference made to the accompanying drawings, in which: Fig. 1 shows a preferred embodiment of the present invention, in which a user interacts with a multi-user device.
Fig. 2 shows another embodiment of the present invention, in which a user is added to a securely stored list when presenting a physical key to a multi-user device.
Fig. 3 shows an example of an access message which advantageously may be employed in embodiments of the present invention.
Fig. 1 shows a preferred embodiment of the present invention, in which a user 101 interacts with a multi-user device 102 such as a computer, a DVD player, an MP3 player or some other appropriate device for rendering a content item. The device 102 typically comprises one or more microprocessors or some other device 103 with computing capabilities, e.g. an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a complex programmable logic device (CPLD), etc., in order to perform digital rights management operations. When performing steps of different embodiments of the method of the present invention, the microprocessors typically execute appropriate software that is downloaded to the respective authority and stored in a suitable storage area 104, such as e.g. a RAM, a Flash memory or a hard disk. The storage is not necessarily arranged inside the device 102, but may be arranged as an external memory. Preferably, the memory should be secure, such that content stored in the memory cannot be tampered with. For intercommunication to be possible, the device 102 is arranged with interfaces that enable the communication. For instance, if the device is a computer, it is typically arranged with a keyboard (not shown) via which the user 101 can input commands to the computer. Further, if the device 102 is a computer, it is typically arranged with a connection to the Internet 110 via which content items may be downloaded from various content providers 111 to the computer.
As previously mentioned, the device 102 may store content to which authorized users of the device have no access rights (or no ownership rights). Such content is inaccessible to the authorized users, and is thus in practice an invisible data set requiring storage space. The user 101 provides the device with authentication information, and if the user is considered to be authenticated, the user may issue a content removal command, requesting the device to remove the inaccessible content. When receiving this clean-up command, the device checks a list 105 of users that are authorized to store content on the device. This list is maintained and securely stored by the device, for instance in the memory 104. The list comprises an identifier, e.g. a public key, of each authorized user. If none of the users on the list is associated with the content for which a clean-up command has been issued, the content is removed from the device.
Fig. 2 shows another embodiment of the present invention, in which a user 201 is added to the securely stored list 205 when presenting a physical key 206 to the device 202, said physical key comprising a private-public key pair of the user and authentication information. For a user to be added to the list, the device must consider the user to be authorized. The physical key may for instance be embodied by a smart card.
If remote authentication should be enabled, for instance over the Internet, it may be necessary to establish a secure channel between the physical key, which typically is inserted into a device (not shown) via which the remote access is made, and the multi-user device 202. The device into which the key is inserted may for instance be a laptop computer. For backup reasons, the list 205 may be stored on the physical key 206 of a user 201 whenever the user presents the physical key to the device 202.
Fig. 3 shows an example of an access message which advantageously may be employed in embodiments of the present invention. As previously described, access messages are preferably created and used to efficiently handle content items and parameters such as which users have the right to access the content items and what rights they have to access the content items. In an embodiment, when a clean-up command is issued, the concerned content is not removed until all access messages associated with the content have been deleted.
An access message 300 typically comprises at least a message identifier 310 and a user identifier 311 to identify the user with which the access message is associated. The user identifier is typically the public key of the user. Moreover, the access message 300 contains an owner identifier 312 in the form of the owner's public key, to indicate who owns the content. Further, the message comprises an asset block 313, which includes an asset key 316 with which the content is encrypted, an asset identifier 317 to identify the content with which the access message is associated and access rights 318 defining which rights the user has to the content. This block is encrypted with the public key of the user with which the access message is associated. The message also comprises a copy 314 of the asset block. The asset block 314 is encrypted with the public key of the content owner. Finally, the access message 300 comprises a signature block 315 which is required to ensure that no one can fake content ownership. The signature block contains a hash over the four blocks 311, 312, 313 and 314. The hash ensures the integrity of every bit in the four blocks. The signature block is then encrypted by the content owner's private key. This ensures that only the content owner's physical key can create this signature. Any physical key can check the integrity of the message by decrypting the signature block using the owner's public key and verifying the hash value.
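As an added illustration (not code from the patent or its applicant), the following Python sketch models the Fig. 3 message layout and runs the Fig. 1 clean-up check over it. Everything in it is assumed for the example: the device records which content item each access message was stored with; the asset block is a fixed 21-byte packing of asset key, asset identifier and rights; public-key operations are textbook RSA over Mersenne primes with a 192-bit BLAKE2b digest (chosen only so that every block fits under every modulus; this is not a secure construction); and the users alice, bob and carol are constructed.

```python
"""Toy model of the Fig. 3 access message and the Fig. 1 clean-up check.

Constructed illustration, not the patent's own code. Public-key operations
use textbook RSA over Mersenne primes and a 192-bit BLAKE2b digest so that
hash and asset block fit under every modulus; NOT a secure construction.
"""
import hashlib
from dataclasses import dataclass, replace

E = 65537
M89, M107, M127 = (1 << 89) - 1, (1 << 107) - 1, (1 << 127) - 1  # Mersenne primes


def toy_keypair(p, q):
    """Return ((n, e), (n, d)); distinct prime pairs give distinct moduli."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def rsa_int(m, key):
    """Raw RSA: one modular exponentiation serves encrypt, decrypt and sign."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("block does not fit under the modulus")
    return pow(m, exp, n)


def pack_asset(asset_key, asset_id, rights):
    """Asset block 313: 16-byte asset key 316, 4-byte asset id 317, 1-byte rights 318."""
    return int.from_bytes(asset_key + asset_id.to_bytes(4, "big") + bytes([rights]), "big")


def unpack_asset(m):
    raw = m.to_bytes(21, "big")
    return raw[:16], int.from_bytes(raw[16:20], "big"), raw[20]


@dataclass(frozen=True)
class AccessMessage:
    msg_id: int        # 310 message identifier
    user_pub: tuple    # 311 user identifier = user's public key
    owner_pub: tuple   # 312 owner identifier = owner's public key
    asset_user: int    # 313 asset block encrypted to the user
    asset_owner: int   # 314 copy of the asset block encrypted to the owner
    signature: int     # 315 hash of 311..314 under the owner's private key


def digest_blocks(user_pub, owner_pub, asset_user, asset_owner):
    """Hash over the four blocks 311, 312, 313, 314 (192 bits, fits every toy modulus)."""
    data = repr((user_pub, owner_pub, asset_user, asset_owner)).encode()
    return int.from_bytes(hashlib.blake2b(data, digest_size=24).digest(), "big")


def create_access_message(msg_id, user_pub, owner_priv, asset_key, asset_id, rights):
    """Only the holder of the owner's private key can produce block 315."""
    owner_pub = (owner_priv[0], E)
    plain = pack_asset(asset_key, asset_id, rights)
    asset_user, asset_owner = rsa_int(plain, user_pub), rsa_int(plain, owner_pub)
    sig = rsa_int(digest_blocks(user_pub, owner_pub, asset_user, asset_owner), owner_priv)
    return AccessMessage(msg_id, user_pub, owner_pub, asset_user, asset_owner, sig)


def verify(msg):
    """Anyone holding the owner's public key can check blocks 311..314."""
    if msg.signature >= msg.owner_pub[0]:
        return False
    expected = digest_blocks(msg.user_pub, msg.owner_pub, msg.asset_user, msg.asset_owner)
    return rsa_int(msg.signature, msg.owner_pub) == expected


def read_asset(msg, user_priv):
    """The named user recovers (asset key, asset id, rights) from block 313."""
    return unpack_asset(rsa_int(msg.asset_user, user_priv))


def cleanup(store, authorized):
    """Remove content (asset id) that no user on the authorized list is associated with.

    `store` maps asset id -> access messages the device stored alongside that
    content (assumed bookkeeping). A message counts only if its signature
    verifies, so a faked owner identifier cannot keep content alive. All of an
    item's messages are deleted before the content itself, as in the embodiment.
    """
    removed = set()
    for asset_id, messages in list(store.items()):
        live = [m for m in messages
                if verify(m) and (m.user_pub in authorized or m.owner_pub in authorized)]
        if not live:
            messages.clear()
            del store[asset_id]
            removed.add(asset_id)
    return removed


def demo():
    """Constructed scenario: alice and bob are on list 105, carol is not."""
    alice_pub, alice_priv = toy_keypair(M127, M107)
    bob_pub, bob_priv = toy_keypair(M127, M89)
    carol_pub, carol_priv = toy_keypair(M107, M89)
    key = bytes(range(16))  # constructed asset key
    honest = create_access_message(1, bob_pub, alice_priv, key, 1, 0x03)     # alice owns, bob reads
    private = create_access_message(2, carol_pub, carol_priv, key, 2, 0x01)  # carol's own content
    forged = replace(create_access_message(3, carol_pub, carol_priv, key, 3, 0x01),
                     owner_pub=alice_pub)                                    # claims alice owns it
    store = {1: [honest], 2: [private], 3: [forged]}
    removed = cleanup(store, {alice_pub, bob_pub})
    return removed, set(store), read_asset(honest, bob_priv), verify(forged)
```

In `demo()` the content items 2 and 3 are removed: item 2 belongs only to carol, who is not on the list, and item 3 carries a message whose owner identifier was swapped to alice's key after signing, so block 315 no longer verifies under alice's public key and the message is disregarded. Item 1 survives because bob, a listed user, holds an access right to it. A production design would replace the raw RSA with a padded signature scheme and hybrid encryption of the asset block.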
Even though the invention has been described with reference to specific exemplifying embodiments thereof, many different alterations, modifications and the like will become apparent for those skilled in the art. The described embodiments are therefore not intended to limit the scope of the invention, as defined by the appended claims.
Claims
1. A method of removing content from a multi-user device (102) comprising the steps of: maintaining and securely storing a list (105) of users that are authorized to store content on the device; receiving a content removal command; checking whether any one of the users on the list is associated with the content to be removed; and removing said content from the device, if none of the users on the list is associated with the content.
2. The method according to claim 1, further comprising the step of adding a user (101) to the list (105) when being presented with authentication information of the user.
3. The method according to claim 2, further comprising the step of adding a user (201) to the list (205) when being presented with a physical key (206) of the user, said physical key comprising a private-public key pair of the user and said authentication information.
4. The method according to claim 3, wherein the adding of a user (201) to the list (205) further requires from the user to present a group key that corresponds to a valid group key stored in the device (202), wherein the physical key (206) further comprises a private-public key pair of a group to which the user belongs.
5. The method according to claim 1, further comprising the step of receiving a list editing command, wherein the device (102) edits the list according to the command if a user (101) issuing the list editing command is considered to be owner of the device.
6. The method according to claim 2, further comprising the step of storing the list (205) of authorized users on the physical key (206) of an authorized user (201) whenever the user presents the physical key to the device (202).
7. The method according to claim 2, wherein a command to remove content from said device (202) is valid as long as an authorized user (201) that issues the command presents authentication information to the device (202).
8. The method according to claim 1, further comprising the step of deleting access messages (300) associated with the content to be removed, wherein the content is removed from the device (102) when said access messages have been deleted.
9. The method according to claim 1, wherein each access message (300) comprises at least an asset key (316) with which said content is encrypted, an asset identifier (317) to identify the content with which the access message is associated, a user identifier (311) to identify the user with which the access message is associated and access rights (318) defining which rights the user has to the content, said asset key being encrypted with the public key of the user with which the access message is associated.
10. The method according to claim 8, wherein the access message further comprises a digital signature (315) created by means of a private key of a content owner.
11. The method according to claim 1, wherein a user is considered to be associated with a content if said user has an access right to said content.
12. The method according to claim 1, wherein a user is considered to be associated with a content if said user has an ownership right to said content.
13. The method according to claim 1, wherein the step of securely storing a list (105) of users that are authorized to store content on the device (102) comprises the step of storing said list in secure memory (104).
14. The method according to claim 4, wherein the step of securely storing a list (105) of users that are authorized to store content on the device (102) comprises the step of signing said list with the group key.
15. The method according to claim 4, wherein the step of securely storing a list (105) of users that are authorized to store content on the device (102) comprises the step of signing said list with a device key.
16. A multi-user device (102) arranged to securely store content, said device comprising: means (103) arranged to maintain a list (105) of users that are authorized to store content on the device, said means further being arranged to receive a content removal command, to check whether any one of the users on the list is associated with the content to be removed and to remove said content from the device, if none of the users on the list is associated with the content; and means (104) for securely storing said list.
17. A computer program product comprising computer-executable components for causing a device (102) to perform the steps recited in claim 1 when the computer-executable components are run on a processing unit (103) included in the device.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP06101002.1 | 2006-01-30 | | |
EP06101002 | 2006-01-30 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2007086006A1 true WO2007086006A1 (en) | 2007-08-02 |
Family
ID=38007304
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IB2007/050236 WO2007086006A1 (en) | 2006-01-30 | 2007-01-24 | Cleaning up hidden content while preserving privacy |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2007086006A1 (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0461059A2 (en) * | 1990-06-07 | 1991-12-11 | International Business Machines Corporation | Method for retaining access to deleted documents in a data processing system |
US5689699A (en) * | 1992-12-23 | 1997-11-18 | International Business Machines Corporation | Dynamic verification of authorization in retention management schemes for data processing systems |
EP1320012A2 (en) * | 2001-12-12 | 2003-06-18 | Pervasive Security Systems Inc. | System and method for providing distributed access control to secured items |
US20030182306A1 (en) * | 2001-09-18 | 2003-09-25 | Yukitoshi Maeda | Content delivery server and content delivery system having the same |
US20030217034A1 (en) * | 2002-05-14 | 2003-11-20 | Shutt Michael J. | Document management system and method |
US20050091164A1 (en) * | 2003-10-24 | 2005-04-28 | Thomas Bryan Varble | Method and apparatus for the rental or sale, and secure distribution of digital content |
US20050216469A1 (en) * | 2004-03-26 | 2005-09-29 | Canon Kabushiki Kaisha | Document managing system, document managing method, and program for implementing the method |
Events
- 2007-01-24: WO PCT/IB2007/050236 patent/WO2007086006A1/en, active, Application Filing
Similar Documents
Publication | Publication Date | Title |
---|---|---|
USRE47313E1 (en) | Securing digital content system and method | |
EP2267628B1 (en) | Token passing technique for media playback devices | |
US8291219B2 (en) | System and method for enabling device dependent rights protection | |
CN101341490B (en) | Method for control access of file system, related system, SIM card and computer program product used therein | |
US8091137B2 (en) | Transferring a data object between devices | |
US20100310076A1 (en) | Method for Performing Double Domain Encryption in a Memory Device | |
US20070233601A1 (en) | Systems and methods for protecting digital content | |
US20080167994A1 (en) | Digital Inheritance | |
US8694799B2 (en) | System and method for protection of content stored in a storage device | |
WO2004038568A2 (en) | Method and device for authorizing content operations | |
WO2007044825A2 (en) | Use of media storage structure with multiple pieces of content in a content-distribution system | |
CN102906755A (en) | Content control method using certificate revocation lists | |
JP2011150693A (en) | Information management system, information management method and apparatus, and encryption method and program | |
US20100310075A1 (en) | Method and System for Content Replication Control | |
US8755521B2 (en) | Security method and system for media playback devices | |
CN101019083A (en) | Method, apparatus, and medium for protecting content | |
WO2007086006A1 (en) | Cleaning up hidden content while preserving privacy |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 07700675; Country of ref document: EP; Kind code of ref document: A1 |