WO2007086006A1 - Cleaning up hidden content while preserving privacy - Google Patents

Info

Publication number
WO2007086006A1
Authority
WO
WIPO (PCT)
Prior art keywords
content
user
list
users
authorized
Prior art date
Application number
PCT/IB2007/050236
Other languages
French (fr)
Inventor
Albert M. A. Rijckaert
Hong Li
Milan Petkovic
Original Assignee
Koninklijke Philips Electronics N.V.
Application filed by Koninklijke Philips Electronics N.V.
Publication of WO2007086006A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2143 Clearing memory, e.g. to prevent the data from being stolen

Definitions

  • An access message 300 typically comprises at least a message identifier 310 and a user identifier 311 to identify the user with which the access message is associated.
  • The user identifier is typically the public key of the user.
  • The access message 300 contains an owner identifier 312 in the form of the owner's public key, to indicate who owns the content.
  • The message comprises an asset block 313, which includes an asset key 316 with which the content is encrypted, an asset identifier 317 to identify the content with which the access message is associated, and access rights 318 defining which rights the user has to the content.
  • This block is encrypted with the public key of the user with which the access message is associated.
  • The message also comprises a copy 314 of the asset block.
  • The asset block 314 is encrypted with the public key of the content owner.
  • The access message 300 comprises a signature block 315, which is required to ensure that no one can fake content ownership.
  • The signature block contains a hash of the four blocks 311, 312, 313 and 314. The hash ensures the integrity of every bit in the four blocks.
  • The signature block is then encrypted with the content owner's private key. This ensures that only the content owner's physical key can create this signature. Any physical key can check the integrity of the message by decrypting the signature block using the owner's public key and verifying the hash value.

Abstract

The present invention relates to a method of removing content from a multi-user device (102), and a multi-user device arranged to securely store content. A basic idea of the present invention is to enable an authorized user (101) of a secure, tamper-proof device to issue a content removal command, a 'clean-up' command, for content that is stored on the device, to which authorized users of the device have no access rights or no ownership rights. When an authorized user issues a clean-up command for such content, the device checks a list (105) of users that are authorized to store content on the device. The list is maintained and stored securely by the device and comprises an identifier, in the form of e.g. a public key, of each authorized user. If none of the users on the list is associated with the content for which a removal command has been issued, the content is removed from the device.

Description

CLEANING UP HIDDEN CONTENT WHILE PRESERVING PRIVACY
The present invention relates to a method of removing content from a multi-user device, and a multi-user device arranged to securely store content.
Recent developments in digital technologies, along with increasingly interconnected high-speed networks and decreasing prices for high-performance digital devices, have established digital content distribution as one of the most rapidly emerging trading activities and have created new methods for consumers to access, manage, distribute and pay for digital content. As a consequence of this trend and the success of one of the first online music shops, Apple's iTunes, a number of shops have opened, and both consumers and content providers have clearly shown high interest in electronic distribution of audio/video content.
On the other hand, the production of digital information has turned out to be low-priced and open to everyone. Nowadays, people create digital photos, home movies and other content items to an ever-increasing extent. Furthermore, the advances in digital storage technology, which doubles storage capacity every year, make digitization, compression, archiving and streaming of image and video data popular and inexpensive. Consequently, people in general have to manage a huge amount of digital data including commercial as well as personal content. Some content can be treated as confidential and therefore can be stored protected (encrypted) or used within a DRM system (e.g. commercial content or protected personal content). Digital content items may consist of medical or financial records, which may be highly confidential and therefore must be protected, for example by means of encryption or access control mechanisms.

In recent years, the number of content protection systems available has been growing rapidly. Some of these systems only protect the content against illegal copying, while others also prohibit the user from accessing the content. The first category is called Copy Protection (CP) systems. CP systems have traditionally been the main focus for consumer electronics (CE) devices, as this type of content protection is thought to be inexpensive to implement and does not need bi-directional interaction with the content provider. The second category is known under several names. In the broadcast world, systems of this category are generally known as conditional access (CA) systems, while in the Internet world they are generally known as Digital Rights Management (DRM) systems. In DRM systems, a user who wishes to access a content item must typically present an access right to the system. Access rights include e.g. play rights, one-generation copy rights, distribution rights etc.

For example, a user of a privacy-protected device, i.e. a device which gives a user access to a content item if the user has the appropriate access right(s), logs on to the site of a content provider. Using her credit card, she buys a right to access content in the form of e.g. a song and downloads the digital right to the device, being for example a portable audio player such as an MP3 player. Different types of access exist, for example "play", "copy", "burn to CD-R", "transfer", "download" etc. A typical digital right associated with audio content is "play unlimited". With this right, the user can play the downloaded song an unlimited number of times. Further, the device to which the song is downloaded may be a multi-user device.
Further, DRM may be used for protecting user privacy. Users may also be viewed as content providers, and DRM technologies may be employed to protect their content and to allow them to share this content in a controlled way. A privacy-protected device may contain content that is inaccessible to authorized or primary users of the device, because none of them has access rights to this content. Furthermore, the device can protect privacy by hiding, from a user, content of other users to which the user has no access rights. This content is hidden and can therefore not be removed in a normal way. A first example of such unwanted content is private content of a guest user, who accidentally or deliberately left it on the device. A second example is the content of a former authorized user. A third example is content of which the access information containing the access rights is damaged, making the content unusable if no backup of the access information exists. A fourth example is inaccessible content implanted on the device by a hacker with the aim of making the device practically unusable by blocking a major part of the storage area. It must therefore be possible to remove the invisible unwanted content, but without an infringement of privacy.
An object of the present invention is to solve the problems in the prior art mentioned in the above and enable an authorized user of a privacy-protected device to issue a content removal command for content stored on the device to which no authorized user has access rights.
This object is attained by a method of removing content from a multi-user device in accordance with claim 1 and a multi-user device arranged to securely store content in accordance with claim 16.
In a first aspect of the present invention, there is provided a method comprising the steps of maintaining and securely storing a list of users that are authorized to store content on the device, and receiving a content removal command. Further, the method comprises the steps of checking whether any one of the users on the list is associated with the content to be removed and removing the content from the device, if none of the users on the list is associated with the content.
In a second aspect of the present invention, there is provided a device comprising means arranged to maintain a list of users that are authorized to store content on the device. The means is further arranged to receive a content removal command, to check whether any one of the users on the list is associated with the content to be removed and to remove said content from the device, if none of the users on the list is associated with the content. Further, the device comprises means for securely storing the list.
A basic idea of the present invention is to enable an authorized user of a secure, tamper-proof device to issue a content removal command, a "clean-up" command, for content that is stored on the device, to which authorized users of the device have no access rights or no ownership rights. Such content is inaccessible to the authorized users, and is thus in practice an invisible data set requiring storage space on a user device. Hence, when an authorized user issues a clean-up command for such superfluous content, the device checks a list of users that are authorized to store content on the device. The secure, tamper-proof device is a multi-user device that supports content protection and secure sharing. It is typically a DRM-compliant device which further can protect personal content. The list is maintained and stored securely by the device and comprises an identifier, in the form of e.g. a public key, of each authorized user. If none of the users on the list is associated with the content for which a removal command has been issued, the content is removed from the device. Advantageously, the present invention enables removal of unwanted content to which no authorized user has access rights without infringement of privacy, since no super user is required who can view and manipulate private content of other device users.
In an embodiment of the present invention, a user is added to the securely stored list when presenting authentication information to the device. This authentication information may be embodied in the form of a user name plus a password, a public-private key pair etc. Preferably, a user is added to the securely stored list when presenting a physical key to the device, said physical key comprising a private-public key pair of the user and authentication information. For a user to be added to the list, the device must consider the user to be authorized. Hence, the user has to present some authentication information to the device. By using a physical key, the user is given a feeling of safety. The electronic cryptographic keys contained in the physical key, which are needed to access private content, are only present inside the physical key and are not hidden in the device or on a network. The physical key may be embodied in the form of e.g. a smart card or a USB stick. A fingerprint detector arranged on the physical key can further enhance safety by linking the key to its owner by means of a biometric feature. This prevents unauthorized use of the physical key in case the owner forgets or loses her physical key, or if somebody steals it. Alternatively, the user may have to state a PIN code or password. Further, remote authentication should be enabled, for instance over the Internet. In that case, it may be necessary to establish a secure channel between the physical key and the device by means of encryption.
In another embodiment of the present invention, adding a user to the list further requires the user to present a group key that corresponds to a valid group key stored in the device, wherein the physical key further comprises a private-public key pair of a group to which the user belongs. Users often regard user identification as an annoying procedure. By using a group key, members of the group have access to content considered collective to the group. The group key pair is present in all physical keys of the users belonging to the group.
In a further embodiment of the present invention, a user may issue a list editing command to the device. If the user issuing the command is owner of the device, the device will edit the list in accordance with the command. For instance, the owner may add a user to the list and the user who is added consequently becomes authorized to permanently store content on the device.
Typically, there are different types of users. In the list of authorized users, there are two types of users: a "regular" authorized user who may store content on the device but who cannot edit the list, and primary users (also referred to as owners) who can edit the list, e.g. add or delete users from the list. As an example, a regular authorized user may be a family member and the primary user may be someone who is part of the same family but also is the owner of the device. Note that a device may have more than one owner/primary user; a group of family members may e.g. be considered to be owners of the device. In a further embodiment of the present invention, the list of authorized users is also stored on the physical key of a user whenever the user presents the physical key to the device. This is advantageous for backup reasons.
In yet another embodiment of the present invention, access messages associated with the content to be removed are deleted, wherein the content is removed from the device when all access messages associated with the content have been deleted. In the privacy-protected device described herein, so-called access messages are preferably created and used to efficiently handle content items and parameters such as which users have the right to access the content items and what rights they have to access the content items. An access message typically comprises at least an asset key with which the content is encrypted, an asset identifier to identify the content with which the access message is associated, a user identifier to identify the user with which the access message is associated and access rights defining which rights the user has to the content. The asset key is encrypted with the public key of the user with which the access message is associated. Since the content item is encrypted with the asset key, which typically is a symmetric key, anyone wishing to access the content must at least be in possession of the asset key, such that the content can be decrypted. The asset key is encrypted with the public key of the user and can thus only be decrypted by using the private key of the user. The physical key of the user should have some encryption/decryption processing power in order to create encrypted access messages containing asset keys for other users, to decrypt the asset keys and to perform other sharing and ownership management, if necessary.
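The access message described in this embodiment (itemised as blocks 311 to 315 under Definitions above) can be built from standard RSA primitives. The Go program below is an added example written for this page, not code from the patent or from Philips: it wraps the asset block once for the user and once for the owner with RSA-OAEP, signs a SHA-256 hash of the four blocks with the owner's private key, and then shows that relabelling the owner breaks the signature and that an outsider's private key cannot unwrap the asset key. The type and function names (AssetBlock, AccessMessage, NewAccessMessage, Verify, Open), the JSON encoding of the asset block, the 2048-bit key size, the choice of OAEP and PKCS#1 v1.5 signatures, and the sample asset key and rights string are all assumptions made for the example; the patent only states that the asset block is encrypted with a public key and that the signature block is a hash encrypted with the owner's private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"fmt"
)

// AssetBlock is the plaintext of blocks 313/314: asset key, asset identifier and rights.
type AssetBlock struct {
	AssetKey []byte `json:"k"` // symmetric key the content itself is encrypted with
	AssetID  string `json:"a"`
	Rights   string `json:"r"`
}

// AccessMessage mirrors blocks 311-315 of Fig. 3. Users are identified by the DER
// encoding of their RSA public key, matching the patent's use of public keys as identifiers.
type AccessMessage struct {
	User       []byte // 311: public key of the user granted rights
	Owner      []byte // 312: public key of the content owner
	UserBlock  []byte // 313: AssetBlock encrypted to the user's public key
	OwnerBlock []byte // 314: copy of the AssetBlock encrypted to the owner's public key
	Signature  []byte // 315: owner's signature over the hash of blocks 311..314
}

// digest hashes blocks 311..314, length-prefixing each so block boundaries are unambiguous.
func digest(m *AccessMessage) []byte {
	h := sha256.New()
	for _, part := range [][]byte{m.User, m.Owner, m.UserBlock, m.OwnerBlock} {
		fmt.Fprintf(h, "%d:", len(part))
		h.Write(part)
	}
	return h.Sum(nil)
}

// NewAccessMessage is what the owner's physical key runs to grant a user rights to an asset.
func NewAccessMessage(owner *rsa.PrivateKey, user *rsa.PublicKey, blk AssetBlock) (*AccessMessage, error) {
	plain, _ := json.Marshal(blk)
	ub, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, user, plain, nil)
	if err != nil {
		return nil, err
	}
	ob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &owner.PublicKey, plain, nil)
	if err != nil {
		return nil, err
	}
	m := &AccessMessage{User: x509.MarshalPKCS1PublicKey(user), Owner: x509.MarshalPKCS1PublicKey(&owner.PublicKey), UserBlock: ub, OwnerBlock: ob}
	m.Signature, err = rsa.SignPKCS1v15(rand.Reader, owner, crypto.SHA256, digest(m))
	return m, err
}

// Verify checks the signature with the owner's public key carried in block 312, so any
// physical key can confirm integrity and ownership without holding a secret.
func Verify(m *AccessMessage) bool {
	pub, err := x509.ParsePKCS1PublicKey(m.Owner)
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(m), m.Signature) == nil
}

// Open recovers the asset block with the user's private key, which never leaves the physical key.
func Open(m *AccessMessage, user *rsa.PrivateKey) (blk AssetBlock, err error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, user, m.UserBlock, nil)
	if err == nil {
		err = json.Unmarshal(plain, &blk)
	}
	return blk, err
}

// Demo is a constructed scenario: owner Alice grants Bob "play unlimited" on a song, while
// Carol is an outsider. It reports what verifies, whether Carol can open the block, and Bob's rights.
func Demo() (genuineOK, forgedOK, carolOpens bool, rights string, err error) {
	var keys [3]*rsa.PrivateKey // Alice (owner), Bob (user), Carol (outsider)
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	alice, bob, carol := keys[0], keys[1], keys[2]
	m, err := NewAccessMessage(alice, &bob.PublicKey, AssetBlock{[]byte("0123456789abcdef"), "song", "play unlimited"})
	if err != nil {
		return
	}
	blk, err := Open(m, bob)
	if err != nil {
		return
	}
	forged := *m
	forged.Owner = x509.MarshalPKCS1PublicKey(&carol.PublicKey) // relabelled ownership: the signed hash no longer matches
	_, carolErr := Open(m, carol)                                // Carol's private key cannot unwrap Bob's asset key
	return Verify(m), Verify(&forged), carolErr == nil, blk.Rights, nil
}

func main() {
	fmt.Println(Demo())
}
```

Running the program prints `true false false play unlimited <nil>`: the genuine message verifies, the relabelled copy does not, Carol cannot open it, and Bob recovers his rights. Length-prefixing each block before hashing is a deliberate design choice: hashing a plain concatenation of variable-length blocks would let two different block splits produce the same digest.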
Further features of, and advantages with, the present invention will become apparent when studying the appended claims and the following description. Those skilled in the art realize that different features of the present invention can be combined to create embodiments other than those described in the following.
A detailed description of preferred embodiments of the present invention will be given in the following with reference made to the accompanying drawings, in which:
Fig. 1 shows a preferred embodiment of the present invention, in which a user interacts with a multi-user device.
Fig. 2 shows another embodiment of the present invention, in which a user is added to a securely stored list when presenting a physical key to a multi-user device.
Fig. 3 shows an example of an access message which advantageously may be employed in embodiments of the present invention.
Fig. 1 shows a preferred embodiment of the present invention, in which a user 101 interacts with a multi-user device 102 such as a computer, a DVD player, an MP3 player or some other appropriate device for rendering a content item. The device 102 typically comprises one or more microprocessors or some other device 103 with computing capabilities, e.g. an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a complex programmable logic device (CPLD), etc., in order to perform digital rights management operations. When performing steps of different embodiments of the method of the present invention, the microprocessors typically execute appropriate software that is downloaded to the device and stored in a suitable storage area 104, such as e.g. a RAM, a Flash memory or a hard disk. The storage is not necessarily arranged inside the device 102, but may be arranged as an external memory. Preferably, the memory should be secure, such that content stored in the memory cannot be tampered with. For intercommunication to be possible, the device 102 is arranged with interfaces that enable the communication. For instance, if the device is a computer, it is typically arranged with a keyboard (not shown) via which the user 101 can input commands to the computer. Further, if the device 102 is a computer, it is typically arranged with a connection to the Internet 110 via which content items may be downloaded from various content providers 111 to the computer.
As previously mentioned, the device 102 may store content to which the authorized users of the device have no access rights (or no ownership rights). Such content is inaccessible to the authorized users and is thus, in practice, an invisible data set that still occupies storage space. The user 101 provides the device with authentication information, and if the user is considered to be authenticated, the user may issue a content removal command, requesting the device to remove the inaccessible content. When receiving this clean-up command, the device checks a list 105 of users that are authorized to store content on the device. This list is maintained and securely stored by the device, for instance in the memory 104. The list comprises an identifier, e.g. a public key, of each authorized user. If none of the users on the list is associated with the content for which the clean-up command has been issued, the content is removed from the device.
Fig. 2 shows another embodiment of the present invention, in which a user 201 is added to the securely stored list 205 when presenting a physical key 206 to the device 202, said physical key comprising a private-public key pair of the user and authentication information. For a user to be added to the list, the device must consider the user to be authorized. The physical key may for instance be embodied by a smart card.
If remote authentication is to be enabled, for instance over the Internet, it may be necessary to establish a secure channel between the physical key, which typically is inserted into a device (not shown) from which the remote access is made, and the device 202. The device from which the remote access is made may for instance be a laptop computer. For backup purposes, the list 205 may be stored on the physical key 206 of a user 201 whenever the user presents the physical key to the device 202.
Fig. 3 shows an example of an access message which advantageously may be employed in embodiments of the present invention. As previously described, access messages are preferably created and used to efficiently handle content items and parameters such as which users have the right to access the content items and what rights they have to access the content items. In an embodiment, when a clean-up command is issued, the concerned content is not removed until all access messages associated with the content have been deleted.
An access message 300 typically comprises at least a message identifier 310 and a user identifier 311 to identify the user with which the access message is associated. The user identifier is typically the public key of the user. Moreover, the access message 300 contains an owner identifier 312 in the form of the owner's public key, to indicate who owns the content. Further, the message comprises an asset block 313, which includes an asset key 316 with which the content is encrypted, an asset identifier 317 to identify the content with which the access message is associated, and access rights 318 defining which rights the user has to the content. This block is encrypted with the public key of the user with which the access message is associated. The message also comprises a copy 314 of the asset block; this copy 314 is encrypted with the public key of the content owner. Finally, the access message 300 comprises a signature block 315, which is required to ensure that no one can fake content ownership. The signature block contains a hash of the four blocks 311, 312, 313 and 314. The hash ensures the integrity of every bit in the four blocks. The signature block is then encrypted with the content owner's private key. This ensures that only the content owner's physical key can create this signature. Any physical key can check the integrity of the message by decrypting the signature block using the owner's public key and verifying the hash value.
Even though the invention has been described with reference to specific exemplifying embodiments thereof, many different alterations, modifications and the like will become apparent for those skilled in the art. The described embodiments are therefore not intended to limit the scope of the invention, as defined by the appended claims.

Claims

CLAIMS:
1. A method of removing content from a multi-user device (102) comprising the steps of: maintaining and securely storing a list (105) of users that are authorized to store content on the device; receiving a content removal command; checking whether any one of the users on the list is associated with the content to be removed; and removing said content from the device, if none of the users on the list is associated with the content.
2. The method according to claim 1, further comprising the step of adding a user (101) to the list (105) when being presented with authentication information of the user.
3. The method according to claim 2, further comprising the step of adding a user (201) to the list (205) when being presented with a physical key (206) of the user, said physical key comprising a private-public key pair of the user and said authentication information.
4. The method according to claim 3, wherein the adding of a user (201) to the list (205) further requires from the user to present a group key that corresponds to a valid group key stored in the device (202), wherein the physical key (206) further comprises a private-public key pair of a group to which the user belongs.
5. The method according to claim 1, further comprising the step of receiving a list editing command, wherein the device (102) edits the list according to the command if a user (101) issuing the list editing command is considered to be owner of the device.
6. The method according to claim 2, further comprising the step of storing the list (205) of authorized users on the physical key (206) of an authorized user (201) whenever the user presents the physical key to the device (202).
7. The method according to claim 2, wherein a command to remove content from said device (202) is valid as long as an authorized user (201) that issues the command presents authentication information to the device (202).
8. The method according to claim 1, further comprising the step of deleting access messages (300) associated with the content to be removed, wherein the content is removed from the device (102) when said access messages have been deleted.
9. The method according to claim 1, wherein each access message (300) comprises at least an asset key (316) with which said content is encrypted, an asset identifier (317) to identify the content with which the access message is associated, a user identifier (311) to identify the user with which the access message is associated and access rights (318) defining which rights the user has to the content, said asset key being encrypted with the public key of the user with which the access message is associated.
10. The method according to claim 8, wherein the access message further comprises a digital signature (315) created by means of a private key of a content owner.
11. The method according to claim 1, wherein a user is considered to be associated with a content if said user has an access right to said content.
12. The method according to claim 1, wherein a user is considered to be associated with a content if said user has an ownership right to said content.
13. The method according to claim 1, wherein the step of securely storing a list (105) of users that are authorized to store content on the device (102) comprises the step of storing said list in secure memory (104).
14. The method according to claim 4, wherein the step of securely storing a list (105) of users that are authorized to store content on the device (102) comprises the step of signing said list with the group key.
15. The method according to claim 4, wherein the step of securely storing a list (105) of users that are authorized to store content on the device (102) comprises the step of signing said list with a device key.
16. A multi-user device (102) arranged to securely store content, said device comprising: means (103) arranged to maintain a list (105) of users that are authorized to store content on the device, said means further being arranged to receive a content removal command, to check whether any one of the users on the list is associated with the content to be removed and to remove said content from the device, if none of the users on the list is associated with the content; and means (104) for securely storing said list.
17. A computer program product comprising computer-executable components for causing a device (102) to perform the steps recited in claim 1 when the computer-executable components are run on a processing unit (103) included in the device.
PCT/IB2007/050236 2006-01-30 2007-01-24 Cleaning up hidden content while preserving privacy WO2007086006A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP06101002.1 2006-01-30
EP06101002 2006-01-30

Publications (1)

Publication Number Publication Date
WO2007086006A1 true WO2007086006A1 (en) 2007-08-02

Family

ID=38007304

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2007/050236 WO2007086006A1 (en) 2006-01-30 2007-01-24 Cleaning up hidden content while preserving privacy

Country Status (1)

Country Link
WO (1) WO2007086006A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0461059A2 (en) * 1990-06-07 1991-12-11 International Business Machines Corporation Method for retaining access to deleted documents in a data processing system
US5689699A (en) * 1992-12-23 1997-11-18 International Business Machines Corporation Dynamic verification of authorization in retention management schemes for data processing systems
EP1320012A2 (en) * 2001-12-12 2003-06-18 Pervasive Security Systems Inc. System and method for providing distributed access control to secured items
US20030182306A1 (en) * 2001-09-18 2003-09-25 Yukitoshi Maeda Content delivery server and content delivery system having the same
US20030217034A1 (en) * 2002-05-14 2003-11-20 Shutt Michael J. Document management system and method
US20050091164A1 (en) * 2003-10-24 2005-04-28 Thomas Bryan Varble Method and apparatus for the rental or sale, and secure distribution of digital content
US20050216469A1 (en) * 2004-03-26 2005-09-29 Canon Kabushiki Kaisha Document managing system, document managing method, and program for implementing the method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 07700675; Country of ref document: EP; Kind code of ref document: A1)