CA2212574C - Systems and methods for secure transaction management and electronic rights protection - Google Patents

Systems and methods for secure transaction management and electronic rights protection

Info

Publication number
CA2212574C
CA2212574C CA 2212574 CA2212574A CA2212574C CA 2212574 C CA2212574 C CA 2212574C CA 2212574 CA2212574 CA 2212574 CA 2212574 A CA2212574 A CA 2212574A CA 2212574 C CA2212574 C CA 2212574C
Authority
CA
Grant status
Grant
Patent type
Prior art keywords
information
vde
content
electronic
example
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CA 2212574
Other languages
French (fr)
Other versions
CA2212574A1 (en )
Inventor
Karl L. Ginter
Victor H. Shear
Francis J. Spahn
Wie David M. Van
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Intertrust Technologies Corp
Original Assignee
Intertrust Technologies Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Grant date
Family has litigation

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism
    • G06Q50/10Services
    • G06Q50/18Legal services; Handling legal documents
    • G06Q50/184Intellectual property management
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/86Secure or tamper-resistant housings
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/08Logistics, e.g. warehousing, loading, distribution or shipping; Inventory or stock management, e.g. order filling, procurement or balancing against orders
    • G06Q10/087Inventory or stock management, e.g. order filling, procurement, balancing against orders
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/02Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/02Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
    • G06Q20/023Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP] characterized in that the neutral party is a clearing house
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/04Payment circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/085Payment architectures involving remote charge determination or related payment systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/10Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/10Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems
    • G06Q20/102Bill distribution or payments
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/12Payment architectures specially adapted for electronic shopping systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/12Payment architectures specially adapted for electronic shopping systems
    • G06Q20/123Shopping for digital content
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/12Payment architectures specially adapted for electronic shopping systems
    • G06Q20/123Shopping for digital content
    • G06Q20/1235Shopping for digital content with control of digital rights management [DRM]
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/14Payment architectures specially adapted for billing systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/22Payment schemes or models
    • G06Q20/24Credit schemes, i.e. "pay after"
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce, e.g. shopping or e-commerce
    • G06Q30/02Marketing, e.g. market research and analysis, surveying, promotions, advertising, buyer profiling, customer management or rewards; Price estimation or determination
    • G06Q30/0241Advertisement
    • G06Q30/0273Fees for advertisement
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce, e.g. shopping or e-commerce
    • G06Q30/02Marketing, e.g. market research and analysis, surveying, promotions, advertising, buyer profiling, customer management or rewards; Price estimation or determination
    • G06Q30/0283Price estimation or determination
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce, e.g. shopping or e-commerce
    • G06Q30/06Buying, selling or leasing transactions
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce, e.g. shopping or e-commerce
    • G06Q30/06Buying, selling or leasing transactions
    • G06Q30/0601Electronic shopping
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce, e.g. shopping or e-commerce
    • G06Q30/06Buying, selling or leasing transactions
    • G06Q30/0601Electronic shopping
    • G06Q30/0609Buyer or seller confidence or verification
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/02Banking, e.g. interest calculation, credit approval, mortgages, home banking or on-line banking
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/04Exchange, e.g. stocks, commodities, derivatives or currency exchange
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/12Accounting
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism
    • G06Q50/10Services
    • G06Q50/18Legal services; Handling legal documents
    • G06Q50/188Electronic negotiation
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06TIMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T1/00General purpose image data processing
    • G06T1/0021Image watermarking
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F9/00Details other than those peculiar to special kinds or types of apparatus
    • G07F9/02Devices for alarm or indication, e.g. when empty; Advertising arrangements in coin-freed apparatus
    • G07F9/026Devices for alarm or indication, e.g. when empty; Advertising arrangements in coin-freed apparatus for alarm, monitoring and auditing in vending machines or means for indication, e.g. when empty
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/0823Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/083Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/168Implementing security features at a particular protocol layer above the transport layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/006Cryptographic mechanisms or cryptographic arrangements for secret or secure communication involving public key infrastructure [PKI] trust models
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, ornon-interactive zero-knowledge proofs
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/234Processing of video elementary streams, e.g. splicing of content streams, manipulating MPEG-4 scene graphs
    • H04N21/2347Processing of video elementary streams, e.g. splicing of content streams, manipulating MPEG-4 scene graphs involving video stream encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/234Processing of video elementary streams, e.g. splicing of content streams, manipulating MPEG-4 scene graphs
    • H04N21/2347Processing of video elementary streams, e.g. splicing of content streams, manipulating MPEG-4 scene graphs involving video stream encryption
    • H04N21/23476Processing of video elementary streams, e.g. splicing of content streams, manipulating MPEG-4 scene graphs involving video stream encryption by partially encrypting, e.g. encrypting the ending portion of a movie
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/235Processing of additional data, e.g. scrambling of additional data, processing content descriptors
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/236Assembling of a multiplex stream, e.g. transport stream, by combining a video stream with other content or additional data, e.g. inserting a Uniform Resource Locator [URL] into a video stream, multiplexing software data into a video stream; Remultiplexing of multiplex streams; Insertion of stuffing bits into the multiplex stream, e.g. to obtain a constant bit-rate; Assembling of a packetised elementary stream
    • H04N21/2362Generation or processing of Service Information [SI]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/254Management at additional data server, e.g. shopping server, rights management server
    • H04N21/2541Rights Management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/254Management at additional data server, e.g. shopping server, rights management server
    • H04N21/2543Billing, e.g. for subscription services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/254Management at additional data server, e.g. shopping server, rights management server
    • H04N21/2543Billing, e.g. for subscription services
    • H04N21/2547Third Party Billing, e.g. billing of advertiser
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/258Client or end-user data management, e.g. managing client capabilities, user preferences or demographics, processing of multiple end-users preferences to derive collaborative data
    • H04N21/25866Management of end-user data
    • H04N21/25875Management of end-user data involving end-user authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/41Structure of client; Structure of client peripherals
    • H04N21/414Specialised client platforms, e.g. receiver in car or embedded in a mobile appliance
    • H04N21/4143Specialised client platforms, e.g. receiver in car or embedded in a mobile appliance embedded in a Personal Computer [PC]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/41Structure of client; Structure of client peripherals
    • H04N21/426Characteristics of or Internal components of the client
    • H04N21/42646Characteristics of or Internal components of the client for reading from or writing on a non-volatile solid state storage medium, e.g. DVD, CD-ROM
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network, synchronizing decoder's clock; Client middleware
    • H04N21/432Content retrieval operation from a local storage medium, e.g. hard-disk
    • H04N21/4325Content retrieval operation from a local storage medium, e.g. hard-disk by playing back content from the storage medium
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network, synchronizing decoder's clock; Client middleware
    • H04N21/434Disassembling of a multiplex stream, e.g. demultiplexing audio and video streams, extraction of additional data from a video stream; Remultiplexing of multiplex streams; Extraction or processing of SI; Disassembling of packetised elementary stream
    • H04N21/4345Extraction or processing of SI, e.g. extracting service information from an MPEG stream
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network, synchronizing decoder's clock; Client middleware
    • H04N21/435Processing of additional data, e.g. decrypting of additional data, reconstructing software from modules extracted from the transport stream
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network, synchronizing decoder's clock; Client middleware
    • H04N21/44Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream, rendering scenes according to MPEG-4 scene graphs
    • H04N21/4405Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream, rendering scenes according to MPEG-4 scene graphs involving video stream decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network, synchronizing decoder's clock; Client middleware
    • H04N21/442Monitoring of processes or resources, e.g. detecting the failure of a recording device, monitoring the downstream bandwidth, the number of times a movie has been viewed, the storage space available from the internal hard disk
    • H04N21/44204Monitoring of content usage, e.g. the number of times a movie has been viewed, copied or the amount which has been watched
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network, synchronizing decoder's clock; Client middleware
    • H04N21/443OS processes, e.g. booting an STB, implementing a Java virtual machine in an STB, power management in an STB
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/45Management operations performed by the client for facilitating the reception of or the interaction with the content or administrating data related to the end-user or to the client device itself, e.g. learning user preferences for recommending movies, resolving scheduling conflicts
    • H04N21/462Content or additional data management, e.g. creating a master electronic program guide from data received from the Internet and a Head-end, controlling the complexity of a video stream by scaling the resolution or bit-rate based on the client capabilities
    • H04N21/4627Rights management associated to the content
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/47End-user applications
    • H04N21/475End-user interface for inputting end-user data, e.g. personal identification number [PIN], preference data
    • H04N21/4753End-user interface for inputting end-user data, e.g. personal identification number [PIN], preference data for user identification, e.g. by entering a PIN or password
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/60Selective content distribution, e.g. interactive television, VOD [Video On Demand] using Network structure or processes specifically adapted for video distribution between server and client or between remote clients; Control signaling specific to video distribution between clients, server and network components, e.g. to video encoder or decoder; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client
    • H04N21/65Transmission of management data between client and server
    • H04N21/658Transmission by the client directed to the server
    • H04N21/6581Reference data, e.g. a movie identifier for ordering a movie or a product identifier in a home shopping application
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/80Generation or processing of content or additional data by content creator independently of the distribution process; Content per se
    • H04N21/81Monomedia components thereof
    • H04N21/8166Monomedia components thereof involving executable data, e.g. software
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/80Generation or processing of content or additional data by content creator independently of the distribution process; Content per se
    • H04N21/83Generation or processing of protective or descriptive data associated with content; Content structuring
    • H04N21/835Generation of protective data, e.g. certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/80Generation or processing of content or additional data by content creator independently of the distribution process; Content per se
    • H04N21/83Generation or processing of protective or descriptive data associated with content; Content structuring
    • H04N21/835Generation of protective data, e.g. certificates
    • H04N21/8355Generation of protective data, e.g. certificates involving usage data, e.g. number of copies or viewings allowed
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/80Generation or processing of content or additional data by content creator independently of the distribution process; Content per se
    • H04N21/83Generation or processing of protective or descriptive data associated with content; Content structuring
    • H04N21/835Generation of protective data, e.g. certificates
    • H04N21/8355Generation of protective data, e.g. certificates involving usage data, e.g. number of copies or viewings allowed
    • H04N21/83555Generation of protective data, e.g. certificates involving usage data, e.g. number of copies or viewings allowed using a structured language for describing usage rules of the content, e.g. REL
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television, VOD [Video On Demand]
    • H04N21/80Generation or processing of content or additional data by content creator independently of the distribution process; Content per se
    • H04N21/83Generation or processing of protective or descriptive data associated with content; Content structuring
    • H04N21/835Generation of protective data, e.g. certificates
    • H04N21/8358Generation of protective data, e.g. certificates involving watermark
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N5/00Details of television systems
    • H04N5/76Television signal recording
    • H04N5/91Television signal processing therefor
    • H04N5/913Television signal processing therefor for scrambling ; for copy protection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00Television systems
    • H04N7/16Analogue secrecy systems; Analogue subscription systems
    • H04N7/162Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00Television systems
    • H04N7/16Analogue secrecy systems; Analogue subscription systems
    • H04N7/162Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing
    • H04N7/163Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing by receiver means only
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00Television systems
    • H04N7/16Analogue secrecy systems; Analogue subscription systems
    • H04N7/173Analogue secrecy systems; Analogue subscription systems with two-way working, e.g. subscriber sending a programme selection signal
    • H04N7/17309Transmission or handling of upstream communications
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/007Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/07Indexing scheme relating to G06F21/10, protecting distributed programs or content
    • G06F2221/0722Content
    • G06F2221/0737Traceability
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/07Indexing scheme relating to G06F21/10, protecting distributed programs or content
    • G06F2221/0797Indexing scheme relating to G06F21/10, protecting distributed programs or content using dedicated hardware at the client
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101Auditing as a secondary aspect
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2135Metering
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2137Time limited access, e.g. to a computer or data
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2151Time stamp
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q2220/00Business processing using cryptography
    • G06Q2220/10Usage protection of distributed data files
    • G06Q2220/16Copy protection or prevention
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/101Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measures for digital rights management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/102Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measure for e-commerce
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/103Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measure for protecting copy right
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N5/00Details of television systems
    • H04N5/76Television signal recording
    • H04N5/91Television signal processing therefor
    • H04N5/913Television signal processing therefor for scrambling ; for copy protection
    • H04N2005/91357Television signal processing therefor for scrambling ; for copy protection by modifying the video signal
    • H04N2005/91364Television signal processing therefor for scrambling ; for copy protection by modifying the video signal the video signal being scrambled

Abstract

The present invention provides systems and methods for electronic commerce including secure transaction management and electronic rights protection. Electronic appliances such as computers employed in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Secure subsystems used with such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Secure distributed and other operating system environments and architectures, employing, for example, secure semiconductor processing arrangements that may establish secure, protected environments at each node. These techniques may be used to support an end-to-end electronic information distribution capability that may be used, for example, utilizing the "electronic highway".

Description

LA PRESENTE PARTIE DE CETTE DEMANDE OU CE BREVET
COMPREND PLUS D'UN TOME.

CECI EST LE 'TOME I DE L4 NOTE: Pour les tomes additionels, veuillez contacter le Bureau canadien des brevets ~:.
JUMBO APPLICATIONS/PATENTS

THIS SECTION OF THE API'LICATION/PATENT CONTAINS MORE
THAN ONE VOLUME

= THIS IS VOLUME ..vJ _ OF ~

NOTE: For additional voiumes=piease contact`the Canadian Patent Office I

SYSTEMS AND METHODS FOR SECURE TRANSACTION
MANAGEMENT IU'i-D ELECTRONIC RIGHTS PROTECTION
Field(s) of the Invention(s) 'Z'hiis invention generally relates to computer and/or electronic security.

More particularly, this invention relates to systems and techniques for secirre transaction management. This invention also relates to computer-based and other electronic appliance-based technologies that help to ensure that information is accessed and/or otherwise used only in authorized ways, and maintains the integrity, availability, and/or confidentiality of such information and processes related to such use.

'I'he invention also relates to systems and methods for protecting rights of various participants in electronic commerce and other electronic or electronically-facilitated transactions.
'I'he invention also relates to secure chains of handling and contro]l for both information content and information employed to regulate the use of such content and consequences of such use. It also relates to systems and techniques that manage, including meter and/or limit and/or otherwise monitor use of electronically stored and/or disseminated information. The invention WO 96/27155 PCT/[TS96/02303 particularly relates to transactions, conduct and arrangements that make use of, including consequences of use of, such systems and/or techniques.
.
The invention also relates to distributed and other =
operating systems, environments and architectures. It also generally relates to secure architectures, including, for example, tamper-resistant hardware-based processors, that can be used to establish security at each node of a distributed system.

Background and S'-i*n*nary of the Invention(s) Telecommunications, financial transactions, government processes, business operations, entertainment, and personal business productivity all now depend on electronic appliances.

Millions of these electronic appliances have been electronically connected together. These interconnected electronic appliances comprise what is increasingly called the "information highway."
Many businesses, academicians, and government leaders are concerned about how to protect the rights of citizens and organizations who use this information (also "electronic" or "digital") highway.

Electronic Content Today, virtually anything that can be represented by words, numbers, graphics, or system of commands and instructions can be formatted into electronic digital information.
Television, cable, satellite transmissions, and on-line services transmitted over telephone lines, compete to distribute digital = information and entertainment to homes and businesses. The = 5 owners and marketers of this content include software developers, motion picture and recording companies, publishers of book.s, magazines, and newspapers, and information database providers. The popiil.arization of on-line services has also enabled the individual personal computer user to participate as a content provider. It is estim.ated that the worldwide market for electronic information in 1992 was approximately $40 billion and is expected to grow to $200 bil.li.on by 1997, according to Microsoft Corporation. The present invention can materially enhance the revenue of content providers, lower the distribution costs and the costs for content, beicter support advertising and usage information gathering, and better satisfy the needs of electronic information users. ':['hese improvements can lead to a significant increase in the amoimt and variety of electronic information and the methods by which such information is distributed.

7'he inability of conventional products to be shaped to the needs of electronic iiiformation providers and users is sharply in contrast to the present invention. Despite the attention devoted = by a cross-section of America's largest telecommunications, computer, entertainment and information provider companies to WO 96/27155 PCT/iJS96/02303 some of the problems addressed by the present invention, only the present invention provides commercially secure, effective solutions for configurable, general purpose electronic commerce transaction/distribution control systems.

=
Controlling Electronic Content The present invention provides a new kind of "virtual distribution environment" (called "VDE" in this document) that secures, administers, and audits electronic information use. VDE

also features fundamentally important capabilities for managing content that travels "across" the "information highway." These capabilities comprise a rights protection solution that serves all electronic community members. These members include content creators and distributors, financial service providers, end-users, and others. VDE is the first general purpose, configurable, transaction control/rights protection solution for users of computers, other electronic appliances, networks, and the information highway.

A fundamental problem for electronic content providers is extending their ability to control the use of proprietary information. Content providers often need to limit use to authorized activities and amounts. Participants in a business model involving, for example, provision of movies and advertising on optical discs may include actors, directors, script and other __ WO 96l27155 PCT/US96102303 writers, musicians, studios, publishers, distributors, retailers, advertisers, credit card services, and content end-users. These participants need the ability to embody their range of agreements and requirements, hzcluding use limitations, into an "extended"

agreement comprisiiag an overall electronic business model. This extended agreement is represented by electronic content control information that can automatically enforce agreed upon rights and obligations. Under VDE, such an extended agreement may comprise an electronic contract involving aIl business model participants. Such an agreement may alternatively, or in addition, be made up of electronic agreements between subsets of the business model participants. Through the use of VDE, electronic commerce can function in the same way as traditional commerce-that is commercial relationships regarding products and services can be shaped through the negotiation of one or more agreements between a variety of parties.

Commercial content providers are concerned with ensuring proper compensation for the use of their electronic information.
Electronic digital information, for example a CD recording, can today be copied relatively easily and inexpensively. Similarly, unauthorized copying and use of software programs deprives rightful. owners of biUions of dollars in annual revenue according to the International Intellectual Property Alliance. Content providers and distributors have devised a number of limited function rights protection mechanisms to protect their rights.
Authorization passwords and protocols, license servers, "lock/unlock" distribution methods, and non-electronic contractual limitations imposed on users of shrink-wrapped =
software are a few of the more prevalent content protection schemes. In a commercial context, these efforts are inefficient and limited solutions.

Providers of "electronic currency" have also created protections for their type of content. These systems are not sufficiently adaptable, efficient, nor flexible enough to support the generalized use of electronic currency. Furthermore, they do not provide sophisticated auditing and control configuration capabilities. This means that current electronic currency tools lack the sophistication needed for many real-world financial business models. VDE provides means for anonymous currency and for "conditionally" anonymous currency, wherein currency related activities remain anonymous except under special circumstances.

VDE Control Capabilities VDE allows the owners and distributors of electronic digital information to reliably biIl for, and securely control, audit, and budget the use of, electronic information. It can reliably ___ detect and monitor ithe use of commercial information products.

VDE uses a wide variety of different electronic information delivery means: including, for example, digital networks, digital = broadcast, and physical storage media such as optical and = 5 magne=tic disks. VDE can be used by major network providers, hardware manufacturers, owners of electronic information, providers of such information, and clearinghouses that gather usage information regarding, and bill for the use of, electronic information.

Z1DE provides comprehensive and configurable transaction management, metering and monitoring technology. It can change how electronic information products are protected, marketed, packaged, and distributed. When used, VDE should result in laiigher revenues for i_nformation providers and greater user satisfaction and value. Use of VDE will normally result in lower usage costs, decreased transaction costs, more efficient access to electronic information, re-usability of rights protection and oth:er transactio:n management implementations, greatly improved flexibility in the use of secured information, and greater standardization of tools and processes for electronic transaction manageinent. VDE can be used to create an adaptable environment that fulfills the needs of electronic = information owners, distributors, and users; financial clearinghouses; and usage information analyzers and resellers.

Rights and Control Information In general, the present invention can be used to protect the rights of parties who have:

(a) proprietary or confidentiality interests in electronic information. It can, for example, help ensure that information is used only in authorized ways;

(b) financial interests resulting from the use of electronically distributed information. It can help ensure that content providers vvil]. be paid for use of distributed information; and (c) interests in electronic credit and electronic currency storage, communication, and/or use including electronic cash, banking, and purchasing.

Protecting the rights of electronic community members involves a broad range of technologies. VDE combines these technologies in a way that creates a"distributed" electronic rights protection "environment." This environment secures and protects transactions and other processes important for rights protection. VDE, for example, provides the ability to prevent, or impede, interference with and/or observation of, important rights =
related transactions and processes. VDE, in its preferred -embodiment, uses special purpose tamper resistant Secure Processing Units (SPUs) to help provide a high level of security for VDE processes and information storage and communication.
The rights protection problems solved by the present invention are elect:ronic versions of basic societal issues. These issues include protecting property rights, protecting privacy rights, properly cornpensating people and organizations for their work and risk, protecting money and credit, and generally protecting the security of information. VDE employs a system that uses a common set of processes to manage rights issues in an efficient, trusted, and cost-effective way.

VDE can be l.ased to protect the rights of parties who create electronic content such as, for example: records, games, movies, newspapers, electronic books and reference materials, personal electronic mail, and confidential records and communications.
The invention can al.so be used to protect the rights of parties who provide electronic products, such as publishers and distributors; the rights of parties who provide electronic credit and currency to pay for use of products, for example, credit clearinghouses and banks; the rights to privacy of parties who use electronic content (such as consumers, business people, governments); and the privacy rights of parties described by electronic information, such as privacy rights related to information contained in a medical record, tax record, or personnel record.

In general, the present invention can protect the rights of parties who have:

(a) commercial interests in electronically distributed information -- the present invention can help ensure, for example, that parties, will be paid for use of distributed information in a manner consistent with their agreement;

(b) proprietary and/or confidentiality interests in electronic information -- the present invention can, for example, help ensure that data is used only in authorized ways;

(c) interests in electronic credit and electronic currency storage, comm.unication, and/or use -- this can include electronic cash, banking, and purchasing;
and (d) interests in electronic information derived, at least in part, from use of other electronic information.
VDE Functional Properties VDE is a cost-,effective and efficient rights protection solution that provides a unified, consistent system for securing and managing transaction processing. VDE can:
.

(a) audit and analyze the use of content, (]b) ensure that content is used only in authorized ways, and (c) allow information regarding content usage to be used only in ways approved by content users.

In addition, V]DE:

(a) is very configurable, modifiable, and re-usable;

(b) supports a wide range of useful capabilities that may be combined in different ways to accommodate most potential applications;

(c) operates on a wide variety of electronic appliances ranging from hand-held inexpensive devices to large mainframe computers;

(d) is able to ensure the various rights of a number of different parties, and a number of different rights protection schemes, simultaneously;
, (e) is able to preserve the rights of parties through a series of transactions that may occur at different times and different locations;

(f) is able to flexibly accommodate different ways of securely delivering information and reporting usage;
and (g) provides for electronic analogues to "real" money and credit, including anonymous electronic cash, to pay for products and services and to support personal (including home) banking and other financial activities.

VDE economically and efficiently fulfills the rights protection needs of electronic community members. Users of VDE will not require additional rights protection systems for different information highway products and rights problems-nor will they be required to install and learn a new system for each new information highway application. =

VDE provides a unified solution that allows all content creators, providers, and users to employ the same electronic rights protection solution. Under authorized circumstances, the participants can freely exchange content and associated content control sets. This nzeans that a user of VDE may, if allowed, use the same electronic system to work with different kinds of content having different sets of content control information. The content and control information supplied by one group can be used by people who normally use content and control information supplied by a different group. VDE can allow content to be exchanged "universally" and users of an implementation of the present invention can interact electronically without fear of incompatibilities in content control, violation of rights, or the need to get, install, or learn a new content control system.

The VDE securely administers transactions that specify protection of rights. It can protect electronic rights including, for example:

(a) the property rights of authors of electronic content, (b) the counnercial rights of distributors of content, .

(c) the rights of any parties who facilitated the distribution of content, (d) the privacy rights of users of content, (e) the privacy rights of parties portrayed by stored and/or distributed content, and (f) any other rights regarding enforcement of electronic agreements.

VDE can enable a very broad variety of electronically enforced commercial and societal agreements. These agreements can include electronically implemented contracts, licenses, laws, regulations, and tax collection.

Contrast With Traditional Solutions Traditional content control mechanisms often require users to purchase more electronic information than the user needs or desires. For example, infrequent users of shrink-wrapped software are required to purchase a program at the same price as frequent users, even though they may receive much less value from their less frequent use. Traditional systems do not scale cost according to the extent or character of usage and traditional systems can not attract potential customers who find that a fixed price is too high. Systems using traditional mechanisms are also not normally particularly secure. For example, shrink-wrapping does not prevent the constant illegal pirating of software once removed from eitheir its physical or electronic package.

Traditional electronic information rights protection systemLs are often in.flexible and inefficient and may cause a content provider to choose costly distribution channels that increase a product's price. In general these mechanisms restrict product pricing, configuration, and marketing flexibi]ity. These compromises are the result of techniques for controlling information which cannot accommodate both different content models and content models which reflect the many, varied requirements, such as content delivery strategies, of the model participants. This can limit a provider's ability to deliver sufficient overall value to justify a given product's cost in the eyes of many potential users. VDE allows content providers and distributors to create applications and distribution networks that reflect content providers' and users' preferred business models.

It offers users a uniquely cost effective and feature rich system that supports the ways providers want to distribute information and the ways users want to use such information. VDE supports content control models that ensure rights and allow content delivery strategies to be shaped for maximum commercial results.

Chain of Handling and Control VDE can protect a collection of rights belonging to various parties having in rights in, or to, electronic information. This information may be at one location or dispersed across (and/or moving between) multiple locations. The in.formation may pass through a"chain" of distributors and a"chain" of users. Usage information may also be reported through one or more "chains" of parties. In general, VDE enables parties that (a) have rights in electronic information, and/or (b) act as direct or indirect agents for parties who have rights in electronic information, to ensure that the moving, accessing, modifying, or otherwise using of information can be securely controlled by rules regarding how, when, where, and by whom such activities can be performed.

VDE Applications and Software VDE is a secure system for regulating electronic conduct and commerce. Regulation is ensured by control information put in place by one or more parties. These parties may include content providers, electronic hardware manufacturers, financial service providers, or electronic "infrastructure" companies such as cable or telecommunications companies. The control information implements "Rights Applications." Rights applications "run on" the "base software" of the preferred embodiment. This base software serves as a secure, flexible, 25 general purpose foundation that can accommodate many different rights applications, that is, many different business models and their respective participant requirements.

A rights application under VDE is made up of special purpose pieces, each of which can correspond to one or more basic electronic processes needed for a rights protection environment.
These processes can. be combined together like building blocks to create electronic agi-eements that can protect the rights, and may enforce fulfiIlment of the obligations, of electronic information users and providers. One or more providers of electronic information can easily combine selected building blocks to create a rights application that is unique to a specific content distribiution model. A group of these pieces can represent the capabilities needed to fulfill the agreement(s) between users and providers. These pieces accommodate many requirements of electronic commerce including:

the distribution of perm.issions to use electronic information;

the persistence of the control information and sets of control information managing these permissions;
configurable control set information that can be selected by users for use with such information;

! data security and usage auditing of electronic information; and a secure system for currency, compensation and debit management.

For electronic commerce, a rights application, under the preferred embodiment of the present invention, can provide electronic enforcement of the business agreements between all participants. Since different groups of components can be put together for different applications, the present invention can provide electronic control information for a wide variety of different products and markets. This means the present invention can provide a "unified," efficient, secure, and cost-effective system for electronic commerce and data security.
This allows VDE to serve as a single standard for electronic rights protection, data security, and electronic currency and banking.

In a VDE, the separation between a rights application and its foundation permits the efficient selection of sets of control information that are appropriate for each of many different types of applications and uses. These control sets can reflect both rights of electronic community members, as well as obligations =
(such as providing a history of one's use of a product or paying __ WO 96/27155 PCTlUS96102303 taxes on one's electronic purchases). VDE flexibility allows its users to electronically implement and enforce common social and commercial ethics ajad practices. By providing a unified control system, the present invention supports a vast range of possible transaction related interests and concerns of individuals, communities, businesses, and governments. Due to its open design, VDE allows (normally under securely controlled circumstances) applications using technology independently created by users to be "added" to the system and used in conjunction with the foundation of the invention. In sum, VDE
provides a system that can fairly reflect and enforce agreements among parties. It is a broad ranging and systematic solution that answers the pressing need for a secure, cost-effective, and fair electronic environment.

VDE Implementation The preferred embodiment of the present invention includes various tools that enable system designers to directly insert VDE capabilities into their products. These tools include an Application Programmer's Interface ("APP') and a Rights Permissioning and Management Language ("RPML"). The R.PML provides comprehensive and detailed control over the use of the invention's features. VDE also includes certain user interface subsystems for satisfying the needs of content providers, distributors, and users.

Information distributed using VDE may take many forms.

It may, for example, be "distributed" for use on an individual's own computer, that is the present invention can be used to provide security for locally stored data. Alternatively, VDE may be used with information that is dispersed by authors and/or publishers to one or more recipients. This information may take many forms including: movies, audio recordings, games, electronic catalog shopping, multimedia, training materials, E-mail and personal documents, object oriented libraries, software progrAmm;ng resources, and reference/record keeping information resources (such as business, medical, legal, scientific, governmental, and consumer databases).

Electronic rights protection provided by the present invention will also provide an important foundation for trusted and efficient home and commercial banking, electronic credit processes, electronic purchasing, true or conditionally anonymous electronic cash, and EDI (Electronic Data Interchange). VDE
provides important enhancements for improving data security in organizations by providing "smart" transaction management features that can be far more effective than key and password based "go/no go" technology.

VDE normally employs an integration of cryptographic and other security technologies (e.g. encryption, digital signatures, etc.), vdth other tecl~mologies including: component, distributed, and event driven operating system technology, and related commtniications, object container, database, smart agent, smart card, and semiconductor design technologies.

= 5 1. Overview A. VDE Solves Important Problems and rills Critical Needs '.Phe world is inoving towards an integration of electronic information appliances. This interconnection of appliances provides a foundation for much greater electronic interaction and the evolution of electronic commerce. A variety of capabilities are required to implement an electronic commerce environment.
VDE is the first system that provides many of these capabilities and therefore solves fundamental problems related to electronic dissemination of information.

Electronic Content VDE allows electronic arrangements to be created involving two or more parties. These agreements can themselves comprise a collection of agreements between participants in a commercial value chain and/or a data security chain model for handling, auditing, reporting, and payment. It can provide efficient, reusable, nzodifiable, and consistent means for secure electroiaic content: distribution, usage control, usage payment, usage auditing, and usage reporting. Content may, for example, include:

! financial information such as electronic currency and credit;

commercially distributed electronic information such as reference databases, movies, games, and advertising; and electronic properties produced by persons and organizations, such as documents, e-mail, and proprietary database information.

VDE enables an electronic commerce marketplace that supports differing, competitive business partnerships, agreements, and evolving overall business models.

The features of VDE allow it to function as the first trusted electronic information control environment that can conform to, and support, the bulk of conventional electronic commerce and data security requirements. In particular, VDE enables the participants in a business value chain model to create an electronic version of traditional business agreement terms and conditions and further enables these participants to shape and evolve their electronic commerce models as they believe appropriate to their business requirements.

VDE offers an architecture that avoids reflecting specific distribution biases, administrative and control perspectives, and content types. Instead, VDE provides a broad-spectrum, fundanaentally configurable and portable, electronic transaction control, distributing, usage, auditing, reporting, and payment operating environment. VDE is not limited to being an application or application specific toolset that covers only a li.mited. subset of electronic interaction activities and participants.
Rather, VDE supports systems by which such applications can be created, modified, and/or reused. As a result, the present invention answers pressing, unsolved needs by offering a system that supports a standardized control environment which facilitates interoperability of electronic appliances, interoperability of content containers, and e$"icient creation of electronic commerce applications and models through the use of a programmable, secure electronic transactions management foundation and reusable and extensible executable components.
VDE can support a single electronic "world" within which most forms of electronic transaction activities can be managed.

To answer the developing needs of rights owners and content providers and to provide a system that can accommodate the requirements and agreements of all parties that may be involved in electronic business models (creators, distributors, administrators, users, credit providers, etc.), VDE supplies an efficient, largely transparent, low cost and sufficiently secure system (supporting both hardware/ software and software only models). VDE provides the widely varying secure control and administration capabilities required for:

1. Different types of electronic content, 2. Differing electronic content delivery schemes, 3. Differing electronic content usage schemes, 4. Different content usage platforms, and 5. Differing content marketing and model strategies.
VDE may be combined with, or integrated into, many separate computers and/or otherelectronic appliances. These appliances typically include a secure subsystem that can enable control of content use such as displaying, encrypting, decrypting, printing, copying, saving, extracting, embedding, distributing, auditing usage, etc. The secure subsystem in the preferred embodiment comprises one or more "protected processing environments", one or more secure databases, and secure "component assemblies" and other items and processes that need to be kept secured. I1DE can, for example, securely control electronic currency, payments, and/or credit management (including electronic credit and/or currency receipt, disbursement, encuinbering, and/or allocation) using such a "secure subsystem."

VDE provides a secure, distributed electronic transaction management systemL for controlling the distribution and/or other usage of electronically provided and/or stored information. VDE
controls auditing and reporting of electronic content and/or appliance usage. Users of VDE may include content creators who apply content usage, usage reporting, and/or usage payment related control i_nforination to electronic content and/or appliances for users such as end-user organizations, individuals, and content and/or appliance distributors. VDE also securely supports the payment of money owed (including money owed for content and/or appliance usage) by one or more parties to one or more other parties, iia the form of electronic credit and/or currency.

Electronic appliances under control of VDE represent VDE
'nodes' that securely process and control; distributed electronic information and/or appliance usage, control information formulation, and related transactions. VDE can securely manage the integration of control information provided by two or more parties. As a result, VDE can construct an electronic agreement between VDE participants that represent a"negotiation"

between, the control requirements of, two or more parties and enacts terms and conditions of a resulting agreement. VDE
ensures the rights of each party to an electronic agreement regarding a wide range of electronic activities related to electronic information and/or appliance usage.

Through use of VDE's control system, traditional content providers and users can create electronic relationships that reflect traditional, non-electronic relationships. They can shape and modify commercial relationships to accommodate the evolving needs of, and agreements among, themselves. VDE does not require electronic content providers and users to modify their business practices and personal preferences to conform to a metering and control application program that supports limited, largely fixed functionality. Furthermore, VDE permits participants to develop business models not feasible with non-electronic commerce, for example, involving detailed reporting of content usage information, large numbers of distinct transactions at hitherto infeasibly low price points, "pass-along" control information that is enforced without involvement or advance knowledge of the participants, etc.

The present invention allows content providers and users to formulate their t:ransaction environment to accommodate:

(1) desired content models, content control models, and conteni; usage information pathways, (2) a complete range of electronic media and distribution means, (3) a broad. range of pricing, payment, and auditing strategies, (4) very flexible privacy and/or reporting models, (5) practical and effective security architectures, and (6) other administrative procedures that together with steps (1) through (5) can enable most "real world"
electronic commerce and data security models, including models unique to the electronic world.
VDE's transaction management capabilities can enforce:

(1) privacy rights of users related to information regarding their usage of electronic information and/or appliances, (2) societal policy such as laws that protect rights of content users or require the collection of taxes derived from electronic transaction revenue, and (3) the proprietary and/or other rights of parties related to ownership of, distribution of, an.d/or other commercial rights related to, electronic information.

VDE can support "real" commerce in an electronic form, that is the progressive creation of commercial relationships that form, over time, a network of interrelated agreements representing a value chain business model. This is achieved in part by enabling content control information to develop through the interaction of (negotiation between) securely created and independently submitted sets of content and/or appliance control information. Different sets of content and/or appliance control information can be submitted by different parties in an electronic business value chain enabled by the present invention. These parties create control information sets through the use of their respective VDE installations. Independently, securely 25 deliverable, component based control information allows efficient _ WO 96/27155 PCTlUS96102303 interaction among control information sets supplied by different parties.

VDE permits multiple, separate electronic arrangements to be formed between subsets of parties in a VDE supported electronic value chain model. These multiple agreements together comprise a VDE value chain "extended" agreement.

VDE allows such constituent electronic agreements, and therefore overall VEIE extended agreements, to evolve and reshape over time as additional VDE participants become involved in VDE content and/or appliance control information handling. VDE electronic agreements may also be extended as new coiatrol information is submitted by existing participants.
With VDE, electronic commerce participants are free to structure and restructure their electronic commerce business activities and relationships. As a result, the present invention allows a competitive electronic commerce marketplace to develop since the use of VI)E enables different, widely varying business models using the same or shared content.

A significant facet of the present invention's ability to broadly support electronic commerce is its ability to securely manage independently delivered VDE component objects containing control information (normally in the form of VDE

objects containing one or more methods, data, or load module VDE components). This independently delivered control information can be integrated with senior and other pre-existing content control information to securely form derived control information using the negotiation mechanisms of the present invention. All requirements specified by this derived control information must be satisfied before VDE controlled content can be accessed or otherwise used. This means that, for example, all load modules and any mediating data which are listed by the derived control information as required must be available and securely perform their required function. In combination with other aspects of the present invention, securely, independently delivered control components allow electronic commerce participants to freely stipulate their business requirements and trade offs. As a result, much as with traditional, non-electronic commerce, the present invention allows electronic commerce (through a progressive stipulation of various control requirements by VDE participants) to evolve into forms of business that are the most efficient, competitive and useful.

VDE provides capabilities that rationalize the support of electronic commerce and electronic transaction management.
This rationalization stems from the reusability of control structures and user interfaces for a wide variety of transaction management related activities. As a result, content usage control, data security, information auditing, and electronic financial activities, can be supported with tools that are reusable, convenient, consistent, and familiar. In addition, a rational approach-a transaction/distribution control standard-allows all participants in VDE the same foundation set of hardware control and security, authoring, administration, and management tools to support widely varying types of information, business market model, and/or personal objectives.

Employing VDE as a general purpose electronic transaction/distribut:ion control system allows users to maintain a single transaction inanagement control arrangement on each of their co3nputers, networks, communication nodes, and/or other electronic appliances,. Such a general purpose system can serve the needs of many electronic transaction management applications without requiring distinct, different installations for different purposes. As a result, users of VDE can avoid the confusion and expense and other inefficiencies of different, limited purpose transaction control applications for each different content and/or business model. For example, VDE allows content creators to use the same VDE foundation control arrangement for both content authoring and for licensing content from other content creators for inclusion into their products or for other use.
Clearinghouses, distributors, content creators, and other VDE
users can all interact, both with the applications running on their VDE instaIlations, and with each other, in an entirely consistent manner, using and reusing (largely transparently) the same distributed tools, mechanisms, and consistent user interfaces, regardless of the type of VDE activity.

VDE prevents many forms of unauthorized use of electronic information, by control7ing and auditing (and other administration of use) electronically stored and/or disseminated information. This includes, for example, commercially distributed content, electronic currency, electronic credit, business transactions (such as EDI), confidential communications, and the like. VDE can further be used to enable commercially provided electronic content to be made available to users in user defined portions, rather than constraining the user to use portions of content that were "predetermined" by a content creator and/or other provider for billi.ng purposes.

VDE, for example, can employ:

(1) Secure metering means for budgeting and/or auditing electronic content and/or appliance usage;
(2) Secure flexible means for enabling compensation and/or billin.g rates for content and/or appliance usage, including electronic credit and/or currency mechanisms for payment means;

(3) Secure distributed database means for storing control and usage related information (and employing validated compartmentalization and tagging schemes);

(4) Secure electronic appliance control means;

(5) A distributed, secure, "virtual black box" comprised of nodes located at every user (including VDE

content container creators, other content providers, client users, and recipients of secure VDE content usage information) site. The nodes of said virtual black box normally include a secure subsystem having at least one secure hardware element (a semiconductor element or other hardware module for securely executing VDE control processes), said secure subsystems being distributed at nodes along a pathway of information storage, distribution, payment, usage, and/or auditing. In some embodiments, the functions of said hardware element, for certain or all nodes, may be performed by softNvare, for example, in host processing environments of electronic appliances;

(6) Encryption and decryption means;

(7) Secure communications means employing authentication, digital signaturing, and encrypted transmissions. The secure subsystems at said user nodes utilize a protocol that establishes and authenticates each node's and/or participant's identity, and establishes one or more secure host-to-host encryption keys for communications between the secure subsystems; and (8) Secure control means that can allow each VDE
installation to perform VDE content authoring (placing content into VDE containers with associated control information), content distribution, and content usage; as well as clearinghouse and other administrative and analysis activities employing content usage information.

VDE may be used to migrate most non-electronic, traditional information delivery models (including entertAinment, reference materials, catalog shopping, etc.) into an adequately secure digital distribution and usage management and payment context. The distribution and financial pathways managed by a VDE arrangement may include:

content creator(s), distributor(s), redistributor(s), client administrator(s), client user(s), financial and/or other clearinghouse(s), and/or government agencies.

These distribution and financial pathways may also include:
advertisers, market survey organizations, and/or other parties interested in the user usage of information securely delivered and/or stored using VDE.

Normally, participants in a VDE arrangement wiIl employ the same secure VDE foundation. Alternate embodiments support VDE arrangements employing differing VDE foundations. Such alternate embodimeiits may employ procedures to ensure certain interoperability requirements are met.

Secure VDE hardware (also known as SPUs for Secure Processing Units), or VDE installations that use software to substitute for, or comLplement, said hardware (provided by Host Processing Environsnents (HPEs)), operate in conjunction with secure communications, systems integration software, and distributed software control information and support structures, to achieve the electronic contract/rights protection environment of the present invention. Together, these VDE components comprise a secure, virtual, distributed content andlor appliance control, auditing (and other administration), reporting, and payment environment. In some embodiments and where commercially acceptable, certain VDE participants, such as clearinghouses that normally maintain sufficiently physically secure non-VDE processing environments, may be allowed to employ HPEs rather VDE hardware elements and interoperate, for example, with VDE end-users and content providers. VDE
components together comprise a configurable, consistent, secure and "trusted" architecture for distributed, asynchronous control of electronic content and/or appliance usage. VDE supports a "universe wide" environment for electronic content delivery, broad dissemination, usage reporting, and usage related payment activities.

VDE provides generalized configurability. This results, in part, from decomposition of generalized requirements for supporting electronic commerce and data security into a broad range of constituent "atomic" and higher level components (such as load modules, data elements, and methods) that may be variously aggregated together to form control methods for electronic commerce applications, commercial electronic agreeiments, and data security arrangements. VDE provides a secure operating environment employing VDE foundation elements along with secure independently deliverable VDE

components that enable electronic commerce models and relationships to develop. VDE specifically supports the unfolding of distribution models in which content providers, over time, can expressly agree to, or allow, subsequent content providers and/or users to participate in shaping the control information for, and consequences of, use of electronic content and/or appliances. A
very broad range of the functional attributes important for supporting simple to very complex electronic commerce and data security activities are supported by capabilities of the present invention. As a resiult, VDE supports most types of electronic inform.ation and./or appliance: usage control (including distribution), security, usage auditing, reporting, other administration, and payment arrangements.

VDE, in its preferred embodiment, employs object software technology and uses object technology to form "containers" for delivery of information that is (at least in part) encrypted or otherwise secured. 'I'hese containers may contain electronic content products or other electronic information and some or all of their associated permissions (control) information. These container objects may be distributed along pathways involving content providers and/or content users. They may be securely moved among nodes of a Virtual Distribution Environment (VDE) arrangement, which nodes operate VDE foundation software and execute control methods to enact electronic information usage control and/or administration models. The containers delivered through use of the preferred embodiment of the present invention may be employed both for distributing VDE
control instructions (information) and/or to encapsulate and electronically distribute content that has been at least partially secured.

Content providers who employ the present invention may include, for example, software application and game publishers, database publishers, cable, television, and radio broadcasters, electronic shopping vendors, and distributors of information in electronic document, book, periodical, e-mail and/or other forms.
Corporations, government agencies, and/or individual "end-users"
who act as storers of, and/or distributors of, electronic information, may also be VDE content providers (in a restricted model, a user provides content only to himself and employs VDE
to secure his own confidential i_nformation against unauthorized use by other parties). Electronic information may include proprietary and/or confidential information for personal or internal organization use, as well as information, such as software applications, documents, entertai_ument materials, and/or reference information, which may be provided to other parties. Distribution may be by, for example, physical media delivery, broadcast ,and/or telecommunication means, and in the form of "static" files and/or stream.s of data. VDE may also be used, for example, for multi-site "real-time" interaction such as teleconferencing, interactive games, or on-line bulletin boards, where restrictions on, and/or auditing of, the use of all or portions of comimunicated ini:'ormation is enforced.

I-TDE provides important mechanisms for both enforcing commercial agreements and enabling the protection of privacy rights. VDE can seclarely deliver information from one party to another concerning the use of commercially distributed electronic content. Even if paities are separated by several "steps" in a chain (pathway) of handling for such content usage information, such information is protected by VDE through encryption and/or other secure processing. Because of that protection, the accuracy of such information -is guaranteed by VDE, and the information can be trusted by all parties to whom it is delivered.

Furthermore, VDE guarantees that all parties can trust that such information caimot be received by anyone other than the intended, authorized, party(ies) because it is encrypted such that only an authorized party, or her agents, can decrypt it. Such information may also be derived through a secure VDE process at a previous pathway-of-handling location to produce secure VDE

WO 96/27155 PCid'/1JS96/02303 reporting information that is then communicated securely to its intended recipient's VDE secure subsystem. Because VDE can deliver such information securely, parties to an electronic agreement need not trust the accuracy of commercial usage and/or other information delivered through means other than those under control of VDE.

VDE participants in a commercial value chain can be "commercially" confident (that is, sufficiently confident for commercial purposes) that the direct (constituent) and/or "extended" electronic agreements they entered into through the use of VDE can be enforced reliably. These agreements may have both "dynamic" transaction management related aspects, such as content usage control information enforced through budgeting, metering, and/or reporting of electronic information and/or appliance use, and/or they may include "static" electronic assertions, such as an end-user using the system to assert his or her agreement to pay for services, not to pass to unauthorized parties electronic information derived from usage of content or systems, and/or agreeing to observe copyright laws. Not only can electronically reported transaction related information be trusted under the present invention, but payment may be automated by the passing of payment tokens through a pathway of payment (which may or may not be the same as a pathway for reporting).

Such payment can be contained within a VDE container created automLatically by a VDE installation in response to control information (located, in the preferred embodiment, in one or more permissions records) stipulating the "withdrawal" of credit or electronic currency (such as tokens) from an electronic account (for example, an account securely maintained by a user's VDE
installation secure subsystem) based upon usage of VDE
controlled electronic content and/or appliances (such as governments, financial credit providers, and users).

VDE allows the needs of electronic commerce participants to be served and it can bind such participants together i_n a universe wide, trusted commercial network that can be secure enough to support very large amounts of commerce. VDE's security and meteriiag secure subsystem core will be present at all physical locations where VDE related content is (a) assigned usage related control information (rules and mediating data), and/or (b) used. This core can perform security and auditing functions (including metering) that operate within a "virtual black box," a collection of distributed, very secure VDE related hardware instances that are interconnected by secured information exchange (for example, telecommunication) processes and distributed database means. VDE further includes highly configurable transaction operating system technology, one or more associated libraries of load modules along with affi.liated data, VDE related administration, data preparation, and analysis --applications, as well as system software designed to enable VDE
integration into host environments and applications. VDE's usage control information, for example, provide for property content and/or appliance related: usage authorization, usage auditing (which may include audit reduction), usage bilting, usage payment, privacy filtering, reporting, and security related communication and encryption techniques.

VDE extensively employs methods in the form of software objects to augment configurability, portability, and security of the VDE environment. It also employs a software object architecture for VDE content containers that carries protected content and may also carry both freely available information (e.g, summary, table of contents) and secured content control information which ensures the performance of control information. Content control information governs content usage according to criteria set by holders of rights to an object's contents and/or according to parties who otherwise have rights associated with distributing such content (such as governments, financial credit providers, and users).

In part, security is enhanced by object methods employed by the present invention because the encryption schemes used to protect an object can efficiently be further used to protect the associated content control information (software control information and relevant data) from modification. Said object techniques also enhance portability between various computer and/or other appliance environments because electronic information in the :E'orm of content can be inserted along with (for example, in the same object container as) content control information (for sai.d content) to produce a "published" object. As a result, various portions of said control information may be specifically adapted for different environments, such as for diverse computer platforms and operating systems, and said various portions may all be carried by a VDE container.
An objective of VDE is supporting a transaction/distribution control standard. Development of such a standard has many obstacles, given the security requirements and related hardware and communications issues, widely differing environments, information types, types of information usage, business and/or data security goals, varieties of participants, and pi-operties of delivered information. A
significant feature of VDE accommodates the many, varying distribution and other transaction variables by, in part, decomposing electronic commerce and data security functions into generalized capability modules executable withi.n a secure hardware SPU andlor corresponding software subsystem and further allowing extensive flexibility in assembling, modifying, and/or replacing, such modules (e.g. load modules and/or methods) in applications ru.n on a VDE installation foundation.

This configurability and reconfigurability allows electronic commerce and data security participants to reflect their priorities and requirements through a process of iteratively shaping an evolving extended electronic agreement (electronic control model). This shaping can occur as content control information passes from one VDE participant to another and to the extent allowed by "in place" content control information. This process allows users of VDE to recast existing control information and/or add new control information as necessary (including the elimination of no longer required elements).

VDE supports trusted (sufficiently secure) electronic information distribution and usage control models for both commercial electronic content distribution and data security applications. It can be configured to meet the diverse requirements of a network of interrelated participants that may include content creators, content distributors, client administrators, end users, and/or clearinghouses and/or other content usage information users. These parties may constitute a network of participants involved in simple to complex electronic content dissemination, usage control, usage reporting, and/or usage payment. Disseminated content may include both originally provided and VDE generated information (such as content usage information) and content control information may -44- ~ _ _.

persist through both chains (one or more pathways) of content and content control information handling, as well as the direct usage of content. 7LTh.e conf"i.gurability provided by the present invention is particularly critical for supporting electronic comm.erce, that is enabling businesses to create relationships and evolve strategies that offer competitive value. Electronic commerce tools that are not inherently configurable and interoperable will ultimately fail to produce products (and services) that meet both basic requirements and evolving needs of most commerce applications.

VDE's fundamental confagurability will allow a broad range of competitive electronic commerce business models to flourish. It allows lbusiness models to be shaped to maximize reveniues sources, end-user product value, and operating efficiencies. VDE can be employed to support multiple, differing models, take advantage of new revenue opportunities, and deliver product configurations most desired by users. Electronic commerce technologies that do not, as the present invention does:

support a broad range of possible, complementary revenue activities, offer a flexible array of content usage features most desired by customers, and exploit opportunities for operating efficiencies, will result in products that are often intrinsically more costly and less appealing and therefore less competitive in the marketplace.

Some of the key factors contributing to the configurability intrinsic to the present invention include:

(a) integration into the fundamental control environment of a broad range of electronic appliances through portable API and progra,,,Tr,;ng language tools that efficiently support merging of control and auditing capabilities in nearly any electronic appliance environment while maintaining overall system security;

(b) modular data structures;
(c) generic content model;

(d) general modularity and independence of foundation architectural components;

(e) modular security structures;

(f) variable length and multiple branching chains of control; and (g) independent, modular control structures in the form of executable load modules that can be maintained in one or more libraries, and assembled into control methads and models, and where such model control = 5 schemes can "evolve" as control information passes through the VDE installations of participants of a pathw-ay of VDE content control information handling.

Because of the breadth of issues resolved by the present invention, it can provide the emerging "electronic highway" with a single transaction/distribution control system that can, for a very broad range of commercial and data security models, ensure against unauthorized use of confidential and/or proprietary information and commercial electronic transactions. VDE's electronic transaction management mechanisms can enforce the electronic rights and agreements of all parties participating in widely varying business and data security models, and this can be efficiently achieved through a single VDE implementation within each VDE participant's electronic appliance. VDE
supports widely vai-jing business and/or data security models that can involve a broad range of participants at various "levels"
of VDE content andVor content control information pathways of handling. Different content control and/or auditing models and agreements may be available on the same VDE installation.

These models and agreements may control content in relationship to, for example, VDE installations and/or users in general; certain specific users, installations, classes and/or other groupings of installations and/or users; as well as to electronic content generally on a given installation, to specific properties, property portions, classes and/or other groupings of content.

Distribution using VDE may package both the electronic content and control information into the same VDE container, and/or may involve the delivery to an end-user site of different pieces of the same VDE managed property from plural separate remote locations and/or in plural separate VDE content containers and/or employing plural different delivery means.
Content control information may be partially or fully delivered separately from its associated content to a user VDE installation in one or more VDE administrative objects. Portions of said control information may be delivered from one or more sources.
Control information may also be available for use by access from a user's VDE installation secure sub-system to one or more remote VDE secure sub-systems and/or VDE compatible, certified secure remote locations. VDE control processes such as metering, budgeting, decrypting and/or fingerprinting, may as relates to a certain user content usage activity, be performed in a user's local VDE installation secure subsystem, or said processes may be divided amongst plural secure subsystems which may be located in the same user VDE installations and/or in a network server and in the user installation. For example, a local VDE
installation may perform decryption and save any, or all of, usage metering information related to content and/or electronic appliance usage at such user installation could be performed at the server employiiig secure (e.g., encrypted) communications between said secure subsystems. Said server location may also be used for near real time, frequent, or more periodic secure receipt of content usage information from said user installation, with, for example, metered information being maintained only temporarily at a local user installation.

Delivery mea.ns for VDE managed content may include electronic data storage means such as optical disks for delivering one portion of said i.nformation and broadcasting and/or telecommunicating means for other portions of said information.
Electronic data storage means may include magnetic media, optica]. media, combined magneto-optical systems, flash RAM
memory, bubble memory, and/or other memory storage means such as huge capaci.ty optical storage systems employing holographic, frequency, and/or polarity data storage techniques.
Data storage means may also employ layered disc techniques, such as the use of generally transparent and/or translucent materials that pass light through layers of data carrying discs which themselves are physically packaged together as one thicker disc. Data carrying locations on such discs may be, at least in part, opaque.

VDE supports a general purpose foundation for secure transaction management, including usage control, auditing, =
reporting, and/or payment. This general purpose foundation is called "VDE Functions" ("VDEFs"). VDE also supports a collection of "atomic" application elements (e.g., load modules) that can be selectively aggregated together to form various VDEF

capabilities called control methods and which serve as VDEF
applications and operating system functions. When a host operating environment of an electronic appliance includes VDEF
capabilities, it is called a"Rights Operating System" (ROS).
VDEF load modules, associated data, and methods form a body of information that for the purposes of the present invention are called "control information." VDEF control information may be specifically associated with one or more pieces of electronic content and/or it may be employed as a general component of the operating system capabilities of a VDE installation.

VDEF transaction control elements reflect and enact content specific and/or more generalized administrative (for example, general operating system) control information. VDEF
capabilities which can generally take the form of applications (application models) that have more or less configurability which WO 96127155 PCTlUS96102303 can be shaped by VDE participants, through the use, for example, of VDE templates, to employ specific capabilities, along, for example, with capability parameter data to reflect the elements of one or mLore express electronic agreements between VDE participants in regards to the use of electronic content such as conunercially distributed products. These control capabilities manage the use of, and/or auditing of use of, electronic content, as well as reporting information based upon content use, and any payment for said use. VDEF capabilities may "evolve" to reflect the requirements of one or more successive parties who receive or otherwise contribute to a given set of control information.
Frequently, for a VDE application for a given content model (such as distribution of entertainment on CD-ROM, content delivery from an Internet repository, or electronic catalog shopping and advertising, or some combination of the above) participants would be able to securely select from amongst available, alternative control mLethods and apply related parameter data, wherein such selection of control method and/or submission of data would constitute their "contribution" of control information.

Alternatively, or in addition, certain control methods that have been expressly certified as securely interoperable and compatible with said application may be independently submitted by a parti.cipant as part of such a contribution. In the most general example, a generally certified load module (certified for a given VDE anrangement and/or content class) may be used with many or any VDE application that operates in nodes of said arrangement. These parties, to the extent they are allowed, can independently and securely add, delete, and/or otherwise modify the specification of load modules and methods, as well as add, delete or otherwise modify related information. Normally the party who creates a VDE content container defines the general nature of the VDEF capabilities that will and/or may apply to certain electronic information. A VDE
content container is an object that contains both content (for example, commercially distributed electronic information products such as computer software programs, movies, electronic publications or reference materials, etc.) and certain control information related to the use of the object's content. A creating party may make a VDE container available to other parties.
Control information delivered by, and/or otherwise available for use with, VDE content containers comprise (for commercial content distribution purposes) VDEF control capabilities (and any associated parameter data) for electronic content. These capabilities may constitute one or more "proposed" electronic agreements (and/or agreement functions available for selection and/or use with parameter data) that manage the use and/or the consequences of use of such content and which can enact the terms and conditions of agreements involving multiple parties and their various rights and obligations.

A VDE electronic agreement may be explicit, through a user interface acceptance by one or more parties, for example by a"junior" party who has received control information from a "senior" party, or it imay be a process amongst equal parties who individually assert their agreement. Agreement may also result from an automated electronic process during which terms and conditions are "evaluated" by certain VDE participant control information that assesses whether certain other electronic terms and conditions attached to content and/or submitted by another party are acceptable (do not violate acceptable control information criteria). Such an evaluation process may be quite simple, for example a comparison to ensure compatibility between a portion of, or all senior, control terms and conditions in a table of terms and conditions and the submitted control information of a subsequent participant in a pathway of content control information b.andling, or it may be a more elaborate process that evaluates the potential outcome of, and/or implements a negotiation process between, two or more sets of control information submitted by two or more parties. VDE also accommodates a semi-automated process during which one or more VDE participants directly, through user interface means, resolve "disagreements" between control information sets by accepting and/or proposing certain control information that may be acceptable to control information representing one or more other parties interes=ts and/or responds to certain user interface queries for selection of certain alternative choices and/or for certain parameter information, the responses being adopted if acceptable to applicable senior control information.

When another party (other than the first applier of rules), perhaps through a negotiation process, accepts, and/or adds to and/or otherwise modifies, "in place" content control information, a VDE agreement between two or more parties related to the use of such electronic content may be created (so long as any modifications are consistent with senior control information).
Acceptance of terms and conditions related to certain electronic content may be direct and express, or it may be implicit as a result of use of content (depending, for example, on legal requirements, previous exposure to such terms and conditions, and requirements of in place control information).
VDEF capabilities may be employed, and a VDE
agreement may be entered into, by a plurality of parties without the VDEF capabilities being directly associated with the controlli.ng of certain, specific electronic information. For example, certain one or more VDEF capabilities may be present at a VDE installation, and certain VDE agreements may have been entered into during the registration process for a content distribution application, to be used by such installation for securely controlling VDE content usage, auditing, reporting and/or payment. Similarly, a specific VDE participant may enter into a VDE user agraement with a VDE content or electronic appliance provider when the user and/or her appliance register with such provider as a VDE installation and/or user. In such events, VDEF in place control information available to the user VDE installation may require that certain VDEF methods are employed, for example in a certain sequence, in order to be able to use all and/or certain classes, of electronic content and/or VDE
applications.

VDE ensures that certain prerequisites necessary for a given transaction to occur are met. This includes the secure execution of any required load modules and the availability of any required, associated data. For example, required load modules and data (e.g. in the form of a method) might specify that sufficient credit from an authorized source must be confirmed as available. It might further require certain one or more load modules execute as processes at an appropriate time to ensure that. such crecii.t wiTl be used in order to pay for user use of the content. A certain content provider might, for example, require metering the number of copies made for distribution to employees of a given software program (a portion of the program might be maintained in encrypted form and require the presence of a VDE installation to run). This would require the execution of a meterrng method for copying of the property each time a copy was made for another employee. This same provider might also charge fees based on the total number of different properties licensed from them by the user and a metering history of their licensing of properties might be required to maintain this information.

VDE provides organization, community, and/or universe wide secure environments whose integrity is assured by processes securely controlled in VDE participant user installations (nodes). VDE installations, in the preferred embodiment, may include both software and tamper resistant hardware semiconductor elements. Such a semiconductor arrangement comprises, at least in part, special purpose circuitry that has been designed to protect against tampering with, or unauthorized observation of, the information and functions used in performing the VDE's control functions. The special purpose secure circuitry provided by the present invention includes at least one of: a dedicated semiconductor arrangement known as a Secure Processing Unit (SPU) and/or a standard microprocessor, microcontroller, and/or other processing logic that accommodates the requirements of the present invention and fia.n.ctions as an SPU. VDE's secure hardware may be found incorporated into, for example, a fax/modem chip or chip pack, I10 controller, video display controller, and/or other available digital processing arrangements. It is anticipated that portions of the present invention's VDE secure hardware capabilities may ultimately be standard design elements of central processing units (CPUs) for computers and vaiaous other electronic devices.

Designing VDE capabilities into one or more standard microprocessor, microcontroller and/or other digital processing components may materially reduce VDE related hardware costs by employing the same hardware resources for both the transaction management uses contemplated by the present invention and for other, host electronic appliance functions. This means that a VDE SPU can employ (share) circuitry elements of a "standard" CPU. For example, if a "standard"processor can operate in protected mode and can execute VDE related instructions as a protected activity, then such an embodiment may provide sufficient hardware security for a variety of applications and the expense of a special purpose processor might be avoided. Under one preferred embodiment of the present invention, certain inemory (e.g., RAM, ROM, NVRAM) is maintained during VDE related instruction processing in a protected mode (for example, as supported by protected mode microprocessors). 'L'his memory is located in the same package as the processing flogic (e.g. processor). Desirably, the packaging and memory of such a processor would be designed using security techniques that enhance its resistance to tampering.

The degree of overall security of the VDE system is primarily dependent on the degree of tamper resistance and concealment of VDE control process execution and related data storage activities. Employing special purpose semiconductor packaging techniques can significantly contribute to the degree of security. Concealment and tamper-resistance in semiconductor memory (e.g., RAM, ROM, NVRAM) can be achieved, in part, by employing such memory within an SPU package, by encrypting data before it is sent to external memory (such as an external RAM package) and decrypting encrypted data within the CPU/RAM package before it is executed. This process is used for important VDE related data when such data is stored on unprotected media, for example, standard host storage, such as random access memory, mass storage, etc. In that event, a VDE

SPU would encrypt data that results from a secure VDE
execution before such data was stored in external memory.
Summary of Some Important Features Provided by VDE in Accordance With the Present Invention VDE employs a variety of capabilities that serve as a foundation for a general purpose, sufficiently secure distributed electronic commerce solution. VDE enables an electronic commerce marketplace that supports divergent, competitive business partnerships, agreements, and evolving overall business models. For example, VDE includes features that:

"sufficiently" impede unauthorized and/or uncompensated use of electronic information and/or appliances through the use of secure communication, storage, and transaction management technologies.

VDE supports a model wide, distributed security implementation which creates a single secure "virtual" transaction processing and information storage environment. VDE enables distributed VDE
installations to securely store and communicate i_nformation and remotely control the execution processes and the character of use of electronic information at other VDE installations and in a wide variety of ways;

suppori; low-cost, efficient, and effective security architectures for transaction control, auditing, reporting, and related communications and information storage. VDE may employ tagging related security techniques, the time-ageing of encryption keys, the compartmentalization of both stored control information (including differentially tagging such stored information to ensure against substitution and tampering) and distributed content (to, for inany content applications, employ one or more content encryption keys that are unique to the specific VDE installation and/or user), private key techniques such as triple DES to encrypt content, public key techniques such as RSA to protect communications and to provide the benefits of digital signature and authentication to securely bind together the nodes of a VDE arrangement, secure processing of important transaction management executable code, and a combining of a small amount of highly secure, hardware protected storage space with a much larger "exposed" mass media storage space storing secured (normally encrypted and tagged) control and audit information. VDE employs special purpose hardware distributed throughout some or all locations of a VDE implementation: a) said hardware controlling important elements of:
content preparation (such as causing such content to be placed in a VDE content container and associating content control information with said content), content and/or electronic appliance usage auditing, content usage analysis, as well as content usage control; and b) said hardware having been designed to securely handle processing load module control activities, wherein said control processing activities may involve a sequence of required control factors;

supporf, dynamic user selection of information subsets of a VDE electronic information product (VDE controlled content). This contrasts with the constraints of having to use a few high level individual, pre-defined content provider information increments such as being required to select a whole information product or product section in order to acquire or otherwise use a portion of such product or section. VDE supports metering and usage control over a variety of increments (including "atomic"
increments, and combinations of different increment types) that are selected ad hoc by a user and represent a collection of pre-identified one or more increments (such as one or more blocks of a preidentified nature, e.g., bytes, images, logically related 'blocks) that form a generally arbitrary, but logical to a user, content "deliverable." VDE control information (including budgeting, pricing and metering) can be configured so that it can specifically apply, as appropriate, to ad hoc selection of different, unanti.ciipated variable user selected aggregations of information increments and pricing levels can be, at least in art, based on quantities and/or nature of mixed increment selections (for example, a certain quantity of certain text could mean associated images might be discounted by 15%; a greater quantity of text in the "mixed" increment selection might mean the images are discounted 20%). Such user selected aggregated information increments can reflect the actual requirements of a user for information and is more flexible than being limited to a single, or a few, high level, (e.g. product, document, database record) predetermined increments. Such high level increments may include quantities of information not desired by the user and as a result be more costly than the subset of information needed by the user if such a subset was available. In sum, the present invention allows information contained in electronic information products to be supplied according to user specification. Tailoring to user specification allows the present invention to provide the greatest value to users, which in turn will generate the greatest amount of electronic commerce activity. The user, for example, would be able to define an aggregation of content derived from various portions of an available content product, but which, as a deliverable for use by the user, is an entirely unique aggregated increment. The user may, for example, select certain numbers of bytes of information from various portions of an information product, such as a reference work, and copy them to disc in unenciypted form and be billed based on total number of bytes plus a surcharge on the number of "articles" that provided the bytes. A content provider might reasonably charge less for such a user defined information increment since the user does not require all of the content from all of the articles that contained desired information. This process of defining a user desired information increment may involve artificial intelligence database search tools that contribute to the location of the inost relevant portions of information from an information product and cause the automatic display to the user of information describing search criteria hits for user selection or the automatic extraction and de:Livery of such portions to the user. VDE
further supports a wide variety of predefined increment types including:

bytes, images, content over time for audio or video, or any other increment that can be identified by content provider data mapping efforts, such as:

! sentences, paragraphs, articles, database records, and byte offsets representing increments of logically related information.

VDE supports as many simultaneous predefined increment types as may be practical for a given type of content and business model.

! securely store at a user's site potentially highly detailed information reflective of a user's usage of a variety of different content segment types and employing both inexpensive "exposed" host mass storage for maint in;ng detailed information in the form of encrypted data and maintaining sõvõmaiy information for security testing in highly secure special purpose VDE installation nonvolatile memory (if available).

! support trusted chain of handling capabilities for pathways of distributed electronic information and/or for content usage related information. Such chains may extend, for example, from a content creator, to a distributor, a redistributor, a client user, and then may provide a pathway for securely reporting the same and/or differing usage information to one or more auditors, such as to one or more independent clearinghouses and then back to the content providers, including content creators.

The same and/or different pathways employed for certain. content handling, and related content control information and reporting information handling, may also be employed as one or more pathways for electro:nic payment handling (payment is characterized in the present invention as administrative content) for electronic content and/or appliance usage. These pathways are used for conveyance of all or portions of content, and/or content related control information. Content creators and other providers can specify the pathways that, partiaIly or fuIly, must be used to disseminate commercially distributed property content, content control information, payment administrative content, and/or associated usage reporting information. Control information specified by content providers may also specify which specific parties must or may (including, for example, a group of eligible parties from which a selection may be made) handle conveyed information. It may also specify what t-ransmission means (for example telecommunication carriers or media types) and transmission hubs must or may be used.

support flexible auditing mechanisms, such as employing "bitmap meters," that achieve a high degree of efficiency of operation and throughput and allow, in a practical manner, the retention and ready recall of information related to previous usage activities and related patterns. This flexibility is adaptable to a wide variety of billi.ng and security control strategies such as:

P upgrade pricing (e.g. suite purchases), P pricing discounts (including quantity discounts), P billing related time duration variables such as discounting new purchases based on the timing of past purchases, and P security budgets based on quantity of different, logically related units of electronic information used over an interval of time.

Use of bitmap meters (including "regular" and "wide"
bitmap meters) to record usage and/or purchase of information, in conjunction with other elements of the preferred embodiment of the present invention, uniquely supports efficient maintenance of usage history for: (a) rental, (b) flat fee licensing or purchase, (c) licensing or purchase discounts based upon lustorical usage variables, and (d) reporting to users :in a manner enabling users to determine whether a certain item was acquired, or acquired within. a certain time period (without requiring the use of conventional database mechanisms, which are highly inefficient for these applications). Bitmap meter methods record activities associated with electronic appliances, properties, objects, or portions thereof, and/or administrative activities that are independent of specific properties, objects, etc., perforined by a user and/or electronic appliance such that a content and/or appliance provider and/or controller of an administrative activity can determine whether a certain activity has occurred at some point, or during a certain period, in the past (for exFumple, certain use of a commercial electronic content product and/or appliance). Such determinations can then be used as part of pricing and/or control strategies of a content and/or appliance provider, and/or controller of an administrative activity. For example, the content provider may choose to charge only once for access to a portion of a property, regardless of the number of times that portion of the property is accessed by a user.

! support "launchable" content, that is content that can be provided by a content provider to an end-user, who can then copy or pass along the content to other end-user parties without requiring the direct participation of a content provider to register and/or otherwise initialize the content for use. This content goes "out of (the traditional distribution) channel" in the form of a "traveling object." Traveling objects are containers that securely carry at least some permi.ssions information and/or methods that are required for their use (such methods need not be carried by traveling objects if the required methods wiIl be available at, or directly available to, a destination VDE installation). Certain travelling objects may be used at some or all VDE installations of a given VDE arrangement since they can make available the content control information necessary for content use without requiring the involvement of a commercial VDE value chain participant or data security administrator (e.g. a control officer or network administrator). As long as traveling object ___ -WO 96127155 PC. r/US96102303 control information requirements are available at the user VDE installation secure subsystem (such as the presence of a sufficient quantity of financial credit firom an authorized credit provider), at least some travelling object content may be used by a receivmg party without the need to establish a connection with a remote VDE authority (until, for exaYnple, budgets are exhausted or a time content usage reporting interval has occurred). Traveling objects can travel "out-of-channel," allowing, for example, a user to give a copy of a traveling object whose content is a software program, a movie or a game, to a neighbor, the neighbor being able to use the traveling object if appropriate credit (e.g. an electronic clearinghouse account from a clearinghouse such as VISA or AT&T) is available.
Similarly, electronic information that is generally available on an Internet, or a similar network, repository might be provided iin the form of a traveling object that can be downloaded and subsequently copied by the initial downloader and then passed along to other parties who may pass the object on to additional parties.

provide very flexible and extensible user identification according to individuals, installations, by groups such as classes, and by function and hierarchical identification employing a hierarchy of levels of client identification (for example, client organization ID, client department ID, client network ID, client project II.), and client employee ID, or any appropriate subset of the above).

! provide a general purpose, secure, component based content control and distribution system that functions as a foundation transaction operating system environment that employs executable code pieces crafted for transaction control and auditing.

These code pieces can be reused to optimize efficiency in creation and operation of trusted, distributed transaction management arrangements.
VDE supports providing such executable code in the form of "atomic" load modules and associated data.

Many such load modules are inherently configurable, aggregatable, portable, and extensible and singularly, or in combination (along with associated data), run as control methods under the VDE
transaction operating environment. VDE can satisfy the requirements of widely differing electronic _ ----commerce and data security applications by, in part, employing this general purpose transaction management foundation to securely process VDE
transac:tion related control methods. Control methods are created primarily through the use of one or 3nore of said executable, reusable load module code pieces (normally in the form of executable object components) and associated data. The component nature of control methods allows the present invention to efficiently operate as a highly configurable content control system. Under the present invention, content control models can be iteratively and asynchronously shaped, and otherwise updated to accommodate the needs of VDE
participants to the extent that such shaping and otherwise updating conforms to constraints applied by a VE-E application, if any (e.g., whether new component assemblies are accepted and, if so, what certification requirements exist for such component assemblies or whether any or certain participants may shape any or certain control information by selection amongst optional control information (permissions record) control methods. This iterative (or concurrent) multiple participant process occurs as a result of the submission and use of secure, control information components (executable code such as load modules and/or methods, and/or associated data). These components may be contributed independently by secure communication between each control information influencing VDE
participant's VDE installation and may require certification for use with a given application, where such certification was provided by a certification service manager for the VDE arrangement who ensures secure interoperability and/or reliability (e.g., bug control resulting from interaction) between appliances and submitted control methods. The transaction management control functions of a VDE
electronic appliance transaction operating environment interact with non-secure transaction management operating system functions to properly direct transaction processes and data related to electronic information security, usage control, auditing, and usage reporting. VDE provides the capability to manages resources related to secure VDE content and/or appliance control information execution and data storage.

facilitate creation of application and/or system functionality under VDE and to facilitate integration into electronic appliance environments of load modules and methods created under the present invention. To achieve this, VDE employs an Application Programmer's Interface (API) and/or a transaction operating system (such as a ROS) programm;ng language with incorporated functions, both of which support the use of capabilities and can be used to efficiently and tightly integrate VDE

functionality into commercial and user applications.

support user interaction through: (a) "Pop-Up"
applications which, for example, provide messages to users and enable users to take specific actions such as approvi.ng a transaction, (b) stand-alone VDE
applications that provide administrative environments for user activities such as: end-user preference specifications for li.mitin.g the price per transaction, unit of time, and/or session, for accessing history information concerning previous transacctions, for reviewing financial information such as budgets, expenditures (e.g. detailed and/or summary) and usage analysis information, and (c) VDE awvare applications which, as a result of the use of a VDE API and/or a transaction management (for _ WO 96/27155 PCT/1TS96l02303 example, ROS based) progrAmmir,g language embeds VDE "awareness" into commercial or internal software (application programs, games, etc.) so that VDE user control information and services are seamlessly integrated into such software and can be directly accessed by a user since the underlying functionality has been integrated into the commercial software's native design. For example, in a VDE aware word processor application, a user may be able to "print" a document into a VDE
content container object, applying specific control information by selecting from amongst a series of different menu templates for different purposes (for example, a confidential memo template for internal organization purposes may restrict the ability to "keep," that is to make an electronic copy of the memo).

employ "templates" to ease the process of configuring capabilities of the present invention as they relate to specific industries or businesses. Templates are applications or application add-ons under the present invention. Templates support the efficient specification and/or manipulation of criteria related to specific content types, distribution approaches, pricing mechanisms, user interactions with content and/or administrative activities, and/or the like.

Given the very large range of capabilities and configurations supported by the present invention, reducing the range of configuration opportunities to a manageable subset particularly appropriate for a given business model allows the full configurable power of the present invention to be easily employed by "typical" users who would be otherwise burdened with complex progra,,,ming and/or configuration designL responsibilities template applications can also help ensure that VDE related processes are secure and optimally bug free by reducing the risks associated with the contribution of independently developed-load modules, including unpredictable aspects of code interaction between independent modules and applications, as well as security risks associated with possible presence of viruses in such modules. VDE, through the use of templates, reduces typical user configuration responsibilities to an appropriately focused set of activities including selection of method types (e.g. functionality) through menu choices such as multiple choice, icon selection, and/or prompting for method parameter data (such as iden.tification information, prices, budget limits, __ dates, periods of time, access rights to specific content, etc.) that supply appropriate and/or necessary data for control information purposes. By limiting the typical (non-programm;ng) user to a limited subset of configuration activities whose general configuration environment (template) has been preset to reflect general requirements corresponding to that user, or a content or other business model can very substantially limit diff'iculties associated with content containerization (including placing initial control information on content), distribution, client administration, electronic agreement implementation, end-user interaction, and clearinghouse activities, including associated interoperability problems (such as conflicts resulting from security, operating system, and/or certification incompatibilities). Use of appropriate VDE templates can assure users that their activities related to content VDE

containerization, contribution of other control information, communications, encryption techniques and/or keys, etc. will be in compliauce with specifications for their distributed VDE
arrangement. VDE templates constitute preset 25 configurations that can normally be reconfigurable WO 96127155 PCTfUS96f02303 to allova for new and/or modified templates that reflect adaptation into new in.dustries as they evolve or to reflect the evolution or other change of an existing industry. For example, the template = 5 concepi; may be used to provide individual, overall frameworks for organizations and individuals that create, modify, market, distribute, consume, and/or otherwise use movies, audio recordings and live performances, magazines, telephony based retail sales, catalogs, computer software, information data bases, inultimedia, commercial communications, advertisements, market surveys, infomercials, games, CAD/CAM services for numerically controlled machines, and the like. As the context surrounding these templates changes or evolves, template applications provided under the present invention may be modified to meet these changes for broad use, or for more focused activities. A given VDE
participant may have a plurality of templates available for different tasks. A party that places content in its initial VDE container may have a variety of different, configurable templates dependimg on the type of content and/or business model related to the content. An end-user may have different configurable templates that can be applied to different document types (e-mail, secure internal documents, database records, etc.) and/or subsets of users (applying differing general sets of control information to different bodies of users, for example, selecting a list of users who may, under certain preset criteria, use a certain document). Of course, templates may, under certain circumstances have fixed control information and not provide for user selections or parameter data entry.

support plural, different control models regulating the use and/or auditing of either the same specific copy of electronic information content and/or differently regulating different copies (occurrences) of the same electronic information content. Differing models for billing, auditing, and security can be applied to the same piece of electronic information content and such differing sets of control information may employ, for control purposes, the same, or clifferi.ng, granularities of electronic information control increments. This includes supporting variable control information for budgeting and auditing usage as applied to a variety of predefined increments of electronic information, including employing a variety of different budgets and/or __ metering increments for a given electronic inforMation deliverable for: billing units of measure, credit limit, security budget limit and security content metering increments, and/or market surveying and customer profiling content metering increments. For example, a CD-ROM disk with a database of scientific articles might be in part billed according to a formula based on the number of bytes decrypted, number of articles containing said bytes decrypted, while a security budget might limit the use of said database to no more than 5% of the database per month for users on the wide area network it is installed on.

! provide mechanism.s to persistently maintain trusted content usage and reporting control information through both a sufficiently secure chain of handling of content and content control information and through various forms of usage of such content wherein said persistence of control may survive such use. Persistence of control includes the ability to extract information from a VDE container object by creating a new container whose contents are at least in part secured and that contains both the extracted content and at least a portion of the control information which control information of the original container and/or are at least in part produced by control information of the original container for this purpose and/or VDE installation control information stipulates should persist and/or control usage of content in the newly formed container. Such control information can continue to manage usage of container content if the container is "embedded" into another VDE managed object, such as an object which contains plural embedded VDE containers, each of which contains content derived (extracted) from a different source.

enables users, other value chain participants (such as clearinghouses and government agencies), and/or user organizations, to specify preferences or requirements related to their use of electronic content and/or appliances. Content users, such as end-user customers using commercially distributed content (games, information resources, software programs, etc.), can define, if allowed by senior control information, budgets, and/or other control information, to manage their own internal use of content. Uses include, for example, a user setting a limit on the price for electronic documents that the user is willing to pay without prior express user authorization, and the user establishing the character of metering information he or she is willing to allow to be collected (privacy protection).
This includes providing the means for content users to protect the privacy of information derived from their use of a VDE installation and content and/or appliance usage auditing. In particular, VDE can prevent information related to a participant's usage of elect:ronic content from being provided to other parties without the participant's tacit or explicit agreement.

provide mechanisms that allow control information to "evolve" and be modified according, at least in part, to independently, securely delivered further control information. Said control information may include executable code (e.g., load modules) that has been certified as acceptable (e.g., reliable and trusted) for use with a specific VDE application, class of applications, and/or a VDE distributed arrangement. This modification (evolution) of control :information can occur upon content control information (load modules and any associated data) circulating to one or more VDE participants in a pathway of handling of control information, or it may occur upon control information being received from a VDE participant. Handlers in a pathway of handling of content control information, to the extent each is authorized, can establish, modify, and/or contribute to, permission, auditing, payment, and reporting control information related to controlling, analyzing, paying for, and/or reporting usage of, electronic content and/or appliances (for example, as related to usage of VDE controlled property content).
Independently delivered (from an independent source which is independent except in regards to certification), at least in part secure, control information can be employed to securely modify content control information when content control information has flowed from one party to another party in a sequence ofVDE content control information handling. This modification employs, for example, one or more VDE component assemblies being securely processed in a VDE secure subsystem.
In an alternate embodiment, control information may be modified by a senior party through use of their VDE installation secure sub-system after receiving submitted, at least in part secured, control information from a`junior" party, normally in the form of a VDE administrative object. Control information passing along VDE pathways can represent a mixed control set, in that it may include:
control information that persisted through a = 5 sequence of control information handlers, other control information that was allowed to be modified, and further control information representing new control information and/or mediating data. Such a control set represents an evolution of control information for disseminated content. In this example the overall content control set for a VDE
content container is "evolving" as it securely (e.g.
communicated in encrypted form and using authentication and digital signaturing techniques) passes, at least in part, to a new participant's VDE
installation where the proposed control information is securely received and handled. The received control information may be integrated (through use of the receiving parties' VDE installation secure sub-system) with in-place control information througliL a negotiation process involving both control information sets. For example, the modification, within the secure sub-system of a content provider's VDE installation, of content control information for a certain VDE content container may have occurred as a result of the incorporation of required control information provided by a financial credit provider.

Said credit provider may have employed their VDE
installation to prepare and securely communicate (directly or indirectly) said required control information to said content provider. Incorporating said required control information enables a content provider to allow the credit provider's credit to be employed by a content end-user to compensate for the end-user's use of VDE controlled content and/or appliances, so long as said end-user has a credit account with said financial credit provider and said credit account has sufficient credit available.
Sim.ilarly, control information requiring the payment of taxes and/or the provision of revenue information resulting from electronic commerce activities may be securely received by a content provider. This control information may be received, for example, from a government agency. Content providers might be required by law to incorporate such control information into the control information for commercially distributed content and/or services related to appliance usage. Proposed control information is used to an extent allowed by senior control information and as determined by any negotiation trade-offs that satisfy priorities stipulated by each set (the received set and the proposed set). VDE also accommodates different control schemes specifically applying to different participants (e.g., individual participants and/or participant classes (types)) in a network of VDE
content handling participants.

support multiple simultaneous control models for the same content property and/or property portion.

This allows, for example, for concurrent business activities which are dependent on electronic commercial product content distribution, such as acquiring detailed market survey information and/or supporting advertising, both of which can increase revenue and result in lower content costs to users and greater value to content providers. Such control information and/or overall control models may be applied, as determined or allowed by control information, in differing manners to different participants in a pathway of content, reporting, payment, and/or related control information handling'. VDE supports applying different content control information to the same and/or different content amd/or appliance usage related activities, WO 96/27155 PCT/iJS96/02303 and/or to different parties in a content and/or appliance usage model, such that different parties (or classes of VDE users, for example) are subject to differing control information managing their use of electronic information content. For example, differing control models based on the category of a user as a distributor of a VDE controlled content object or an end-user of such content may result in different budgets being applied. Alternatively, for example, a one distributor may have the right to distribute a different array of properties than another distributor (from a common content collection provided, for example, on optical disc). An individual, and/or a class or other grouping of end-users, may have different costs (for example, a student, senior citizen, and/or poor citizen user of content who may be provided with the same or differing discounts) than a"typicaP' content user.

support provider revenue information resulting from customer use of content and/or appliances, and/or provider and/or end-user payment of taxes, through the transfer of credit and/or electronic currency from said end-user and/or provider to a government agency, might occur "automatically" as a result of such received control information causing the generation of a VDE content container whose conten.t includes customer content usage information reflecting secure, trusted revenue summary inform.ation and/or detailed user transaction listings (level of detail might depend, for example on type or size of tran.saction-information regarding a bank interest payment to a customer or a transfer of a large (ie.g. over $10,000) might be, by law, automatically reported to the government). Such summary and/or detailed information related to taxable events and/or currency, and/or creditor currency transfer, may be passed along a pathway of reporting and/or payment to the government in a VDE container. Such a container may also be used for other VDE related content usage reporting information.

support the flowing of content control information through different "branches" of content control information handling so as to accommodate, under the present invention's preferred embodiment, diverse controlled distributions of VDE controlled content. This allows different parties to employ the same initial electronic content with differing (perhaps competitive) control strategies. In this instance, a party who first placed control information on content can make certain control assumptions and these assumptions would evolve into more specific and/or extensive control assumptions. These =
control assumptions can evolve during the branching sequence upon content model participants submitting control information changes, for example, for use in "negotiating" with "in place" content control information. This can result in new or modified content control information and/or it might involve the selection of certain one or more already "in-place" content usage control methods over in-place alternative methods, as well as the submission of relevant control information parameter data. This form of evolution of different control information sets applied to different copies of the same electronic property content and/or appliance results from VDE control information flowing "down" through different branches in an overall pathway of hand}ing and control and being modified differently as it diverges down these different pathway branches. This ability of the present invention to support multiple pathway branches for the flow of both VDE content control information and VDE managed content enables an electronic commerce marketplace which supports diverging, competitive business partnerships, agreem.ents, and evolving overall business models which can employ the same content properties combined, for example, in differing collections of content; representing differing at least in part competitive products.

enable a user to securely extract, through the use of the secure subsystem at the user's VDE installation, at least a portion of the content included within a VDE content container to produce a new, secure object (content container), such that the extracted information is maintained in a continually secure mannei- through the extraction process. Formation of the new VDE container containing such extracted content shall result in control information consistent with, or specified by, the source VDE content container, and/or local VDE installation secure subsystem as appropriate, content control information. Relevant control information, such as security and administrative information, derived, at least in part, from the parent (source) object's control information, will normally be automatically inserted into a new VDE content container object containing extracted VDE content. This process typically occurs under the control framework of a parent object and/or VDE installation control information executing at the user's VDE installation secure subsystem (with, for example, at least a portion of this inserted control information being stored securely in encrypted form in one or more permissions records). In an alternative embodiment, the derived content control information applied to extracted content may be in part or whole derived from, or employ, content control information stored remotely from the VDE installation that performed the secure extraction such as at a remote server location. As with the content control information for most VDE managed content, features of the present invention allows the content's control information to:
(a) "evolve," for example, the extractor of content may add new control methods and/or modify control parameter data, such as VDE
application compliant methods, to the extent allowed by the content's in-place control information. Such new control information might specify, for example, who may use at least a portion of the new object, and/or how said at least a portion of said extracted content may be used (e.g. when at least a portion may be used, or what portion or quantity of portions may be used);

(b) allow a user to combine additional content with at least a portion of said extracted content, such as material authored by the extractor and/or content (for example, images, video, audio, and/or text) extracted from one or more other VDE container objects for placement directly into the new container;

(c) a!Ilow a user to securely edit at least a portion of said content while maintaining said content in a secure form within said VDE content container;

(d) append extracted content to a pre-existing VDE content container object and attach associated control information -- in these cases, user added information may be secured, e.g., encrypted, in part or as a whole, and may be subject to usage and/or auditing control information that differs from the those applied to previously in place object content;
(e) preserve VDE control over one or more portions of extracted content after various forms of usage of said portions, for example, maintain content in securely stored form while allowing "temporary" on screen display of content or allowing a software program to be maintained in secure form but transiently decrypt any encrypted executing portion of said program (all, or only a portion, of said program may be encrypted to secure the program).

Generally, the extraction features of the present invention allow users to aggregate and/or disseminate and/or otherwise use protected electronic content information extracted from content container sources while maintaining secure VDE capabilities thus preserving the rights of providers in said content information after various content usage processes.

--support the aggregation of portions of VDE

controlled content, such portions being subject to differing VDE content container control information, wherein various of said portions may have been provided by independent, different content providers from oiae or more different locations remote to the user performing the aggregation. Such aggregation, in the preferred embodiment of the present invention, may involve preserving at least a portion of the control information (e.g., executable code such as load. modules) for each of various of said portions by, for example, embedding some or all of such portions individually as VDE content container objects within an overall VDE content container and/or embedding some or all of such portions directly into a VDE content container. In the latter case, content control information of said content container may apply differing control information sets to various of such portions based upon said portions original control information requirements before aggregation. Each of such embedded VDE
content containers may have its own control information in the form of one or more permissions records. Alternatively, a negotiation between control information associated with various aggregated portions of electronic content, may produce a control information set that would govern some or all of the aggregated content portions. The VDE content control information produced by the negotiation may be uniform (such as having the same load modules and/or component assemblies, and/or it may apply differing such content control information to two or more portions that constitute an aggregation of VDE
controlled content such as differing metering, budgeting, billin.g and/or payment models. For example, content usage payment may be automatically made, either through a clearinghouse, or directly, to different content providers for different potions.

enable flexible metering of, or other collection of information related to, use of electronic content and/or electronic appliances. A feature of the present invention enables such flexibility of metering control mechanisms to accommodate a simultaneous, broad array of (a) different parameters related to electronic information content use; (b) different increment units (bytes, documents, properties, paragraphs, images, etc.) and/or other organizations 25 of such electronic content; and/or (c) different categories of user and/or VDE installation types, such as client organizations, departments, projects, networks, and/or individual users, etc. This feature of the present invention can be employed for content security, usage analysis (for example, market surveying), and/or compensation based upon the use andlor exposure to VDE managed content. Such metering is a fflexible basis for ensuring payment for content royalties, licensing, purchasing, and/or advertising. A feature of the present invention provides for payment means supporting flexible electronic currency and credit mechanisms, including the ability to securely maintain audit trails reflecting information related to use of such currency or credit. VDE supports multiple differing hierarc]hies of client organization control information wherein an organization client administrator distributes control information specifying the usage rights of departments, users, and/or projects.

Likewise, a department (division) network manager can function as a distributor (budgets, access rights, etc.) for department networks, projects, and/or users, etc.

provide scalable, integratable, standardized control means for use on electronic appliances ranging from inexpensive consumer (for example, television set-top appliances) and professional devices (and hand-held PDAs) to servers, mainframes, communication switches, etc. The scalable transaction management/auditing technology of the present invention will result in more efficient and reliable interoperability amongst devices functioning in electronic commerce and/or data security environments. As standardized physical containers have become essential to the shipping of physical goods around the world, allowing these physical containers to universally "fit" unloading equipment, effi.ciently use truck and train space, and accommodate known arrays of objects (for example, boxes) in an efficient manner, so VDE electronic content containers may, as provided by the present invention, be able to efficiently move electronic information content (such as commercially published properties, electronic currency and credit, and content audit information), and associated content control information, around the world.
Interoperability is fundamental to efficient electronic commerce. The design of the VDE foundation, VDE

load modules, and VDE containers, are important features that enable the VDE node operating environment to be compatible with a very broad range of electronic appliances. The ability, for example, for control methods based on load modules to execute in very "small" and inexpensive secure sub-system environments, such as environments with very little read/write memory, while also being able to execute in large memory sub-systems that may be used in more expensive electronic appliances, supports consistency across many machines. This consistent VDE operating environment, including its control structures and container architecture, enables the use of standardized VDE content containers across a broad range of device types and host operating environments. Since VDE
capabilities can be seamlessly integrated as extensions, additions, and/or modifications to fundamental capabilities of electronic appliances and host operating systems, VDE containers, content control information, and the VDE foundation will be able to Nvork with many device types and these device t;~pes wi]Il be able to consistently and . efficiently interpret and enforce VDE control information. Through this integration users can also __ benefit from a transparent interaction with many of the capabilities of VDE. VDE integration with software operating on a host electronic appliance supports a variety of capabilities that would be unavailable or less secure without such integration.
Through integration with one or more device applications and/or device operating environments, many capabilities of the present invention can be presented as inherent capabilities of a given electronic appliance, operating system, or appliance application. For example, features of the present invention include: (a) VDE system software to iin part extend and/or modify host operating systems such that they possesses VDE capabilities, such as enabling secure transaction processing and electronic information storage; (b) one or more application programs that in part represent tools associated with VDE operation; and/or (c) code to be integrated into application programs, wherein such code incorporates references into VDE system software to integrate VDE capabilities and makes such applications VDE aware (for example, word processors, database retrieval applications, spreadsheets, multimedia presentation authoring =
tools, film editing software, music editing software such as MIDI applications and the like, robotics control systems such as those associated with CAD/CAM environments and NCM software and the like, electronic mail systems, teleconferencing software, and other data authoring, creating, handli.ng, and/or usage applications including combinations of the above). These one or more features (which may also be implemented in firm.wfire or hardware) may be employed in conjunction with a VDE node secure hardware processing capability, such as a microcontroller(s), microprocessor(s), other CPU(s) or other digital processing logic.

employ audit reconciliation and usage pattern evaluation processes that assess, through certain, normaLly network based, transaction processing reconciliation and threshold checking activities, whether certain violations of security of a VDE

arrangement have occurred. These processes are performed remote to VDE controlled content end-user VDE locations by assessing, for example, purchases, and/or requests, for electronic properties ~ by a given VDE installation. Applications for such reconciliation activities include assessing whether the quantity of remotely delivered VDE controlled content corresponds to the amount of financial credit and/or electronic currency employed for the use of such content. A trusted organization can acquire information from content providers concerning the cost for content provided to a given VDE installation and/or user and compare this cost for content with the credit and/or electronic currency disbursements for that installation and/or user. Inconsistencies in.

the amount of content delivered versus the amount of disbursement can prove, and/or indicate, depending on the circumstances, whether the local VDE installation has been, at least to some degree, compromised (for example, certain important system security functions, such as breaking encryption for at least some portion of the secure subsystem and/or VDE controlled content by uncovering one or more keys). Determining whether irregular patterns (e.g.
unusually high demand) of content usage, or requests for delivery of certain kinds of VDE
controlled information during a certain time period by one or more VDE installations and/or users (including, for example, groups of related users whose aggregate pattern of usage is suspicious) may also be useful in determiring whether security at such one or more installations, and/or by such one or more users, has been compromised, particularly when used in combination with an assessment of electronic credit and/or currency provided to one or more VDE users and/or installations, by some or all of their credit and/or currency suppliers, compared with the disbursements made by such users and/or installations.

support security techniques that materially increase the time required to "break" a system's integrity.
This includes using a collection of techniques that minimizes the damage resulting from comprising some aspect of the security features of the present inventions.

provide a family of authoring, administrative, reporting, payment, and billing tool user applications that comprise components of the present invention's trustecVsecure, universe wide, distributed transaction control and administration system.
These components support VDE related: object creation (including placing control information on content), secure object distribution and management (including distribution control information, financial related, and other usage analysis), client internal VDE activities administration and control, security management, user interfaces, payment disbursement, and clearinghouse related functions.

These components are designed to support highly secure, uniform, consistent, and standardized:
electronic commerce and/or data security pathway(s) of handling, reporting, and/or payment; content control and administration; and human factors (e.g.

user interfaces).

support the operation of a plurality of clearinghouses, including, for example, both financial and user clearinghouse activities, such as those performed by a client administrator in a large organization to assist in the organization's use of a VDE arrangement, including usage information analysis, and control of VDE activities by individuals and groups of employees such as specifying budgets and the character of usage rights available under VDE for certain groups of and/or individual, client personnel, subject to control information series to control information submitted by the client administrator. At a clearinghouse, one or more VDE
installations may operate together with a trusted distributed database environment (which may include concurrent database processing means). A
financial clearinghouse normally receives at its location. securely delivered content usage information, and user requests (such as requests for further credit, electronic currency, and/or higher credit limit). Reporting of usage information and user requests can be used for supporting electronic currency, billing, payment and credit related activities, and/or for user profile analysis and/or broader market survey analysis and marketing (consolidated) list generation or other information derived, at least in part, from said usage information. this information can be provided to content providers or other parties, through secure, authenticated encrypted communication to the VDE
installation secure subsystems. Clearinghouse processing means would normally be connected to specialized I/0 means, which may include high speed telecommunication switching means that may be used for secure communications between a clearinghouse and other VDE pathway participants.
securely support electronic currency and credit usage control, storage, and communication at, and between, VDE installations. VDE further supports automated passing of electronic currency and/or credit information, including payment tokens (such as in the form of electronic currency or credit) or other payment information, through a pathway of payment, which said pathway may or may not be the same as a pathway for content usage information reporting. Such payment may be placed into a VDE
container created automatically by a VDE

installation in response to control information stipulating the "withdrawal" of credit or electronic currency from an electronic credit or currency account based upon an amount owed resulting from usage of VDE controlled electronic content and/or appliances. Payment credit or currency may then be automatically communicated in protected (at least in part encrypted) form through telecommunication of a VDE container to an appropriate party such as a clearinghouse, provider of original property content or appliance, or an agent for such provider (other .
than a clearinghouse). Payment information may be packaged in said VDE content container with, or without, related content usage information, such as metering information. An aspect of the present invention further enables certain information regarding currency use to be specified as unavailable to certain, some, or all VDE parties ("conditionally"
to fully anonymous currency) and/or further can regulate certain content information, such as currency and/or credit use related information (and/or other electronic information usage data) to be available only under certain strict circumstances, such as a court order (which may itself require authorization through the use of a court controlled VDE installation that may be required to securely access "conditionally" anonymous information).
Currency and credit information, under the preferred embodiment of the present invention, is treated as administrative content;

support fingerprinting (also known as watermarking) for embedding in content such that when content protected under the present invention is released in clear form from a VDE object (displayed, printed, communicated, extracted, and/or saved), information representing the identification of the user and/or VDE installation responsible for transfonmi-ng the content into clear form is embedded into the released content. Fingerprinting is useful in providing an ability to identify who extracted information in clear form a VDE container, or who made a copy of a VDE object or a portion of its contents. Since the identity of the user and/or other identifying information may be embedded in an obscure or generally concealed manner, in VDE
container content and/or control information, potential copyright violators may be deterred from unauthorized extraction or copying. Fingerprinting normally is embedded into unencrypted electronic content or control information, though it can be embedded into encrypted content and later placed in unencrypted content in a secure VDE installation sub-system as the encrypted content carrying the fingerprinting information is decrypted. Electronic information, such as the content of a VDE container, may be fingerprinted as it leaves a network (such as Internet) location bound for a receiving party. Such repository information may be maintained in unencrypted form prior to communication and be encrypted as it leaves the repository. Fingerprinting would preferably take place as the content leaves the repository, but before the encryption step.

Encrypted repository content can be decrypted, for example in a secure VDE sub-system, fingerprint information can be inserted, and then the content _ can be re-encrypted for transmission. Embedding identification information of the intended recipient user and/or VDE installation into content as it leaves, for example, an Internet repository, would provide important information that would identify or assist in identifying any party that managed to compromise the security of a VDE installation or the delivered content. If a party produces an authorized clear form copy of VDE controlled content, including making unauthorized copies of an authorized clear form copy, fingerpri_nt information would point back to that individual and/or his or her VDE installation.
Such hidden information wiIl act as a strong disincentive that should dissuade a substantial portioni of potential content "pirates" from stealing other parties electronic information. Fingerprint information identifying a receiving party and/or VDE
installation can be embedded into a VDE object before, or during, decryption, replication, or communication of VDE content objects to receivers.
Fingerprinting electronic content before it is encryp'ted for transfer to a customer or other user provides information that can be very useful for identifying who received certain content which may have then been distributed or made available in unencrypted form. This information would be useful in tracking who may have "broken" the security of a VDE installation and was illegally making certain electronic content available to others.

Fingerprinting may provide additional, available information such as time and/or date of the release (for example extraction) of said content information.
Locations for inserting fingerprints may be specified by VDE installation and/or content container control information. This information may specify that certain areas and/or precise locations within properties should be used for fingerprinting, such as one or more certain fields of information or information types. Fingerprinting information may be incorporated into a property by modifying in a normally undetectable way color frequency and/or the brightness of certain image pixels, by slightly modifying certain audio signals as to frequency, by modifying font character formation, etc. Fingerprint information, itself, should be encrypted so as to make it particularly difficult for tampered fingerprints to be interpreted as valid. Variations in fingerprint locations for different copies of the same property; "false" fingerprint information; and multiple copies of fingerprint information within a specific property or other content which copies employ different fingerprinting techniques such as information distribution patterns, frequency and/or brightness manipulation, and encryption related techniques, are features of the present invention for increasing the diifficulty of an unauthorized individual identifying fingerprint locations and erasing and/or modifying fingerprint information.

! provide smart object agents that can carry requests, data, and/or methods, including budgets, authorizations, credit or currency, and content. For example, smart objects may travel to and/or from remote iinformation resource locations and fulfill requests for electronic information content. Smart objects can, for example, be transmitted to a remote location to perform a specified database search on behalf of a user or otherwise "intelligently" search remote one or more repositories of information for user desiired information. After identifying desired information at one or more remote locations, by for example, performing one or more database searches, a smart object may return via communication to the user in -the form of a secure "return object"

containing retrieved information. A user may be charged for the remote retrieving of information, the returning of information to the user's VDE

installation, and/or the use of such information. In the latter case, a user may be charged only for the information in the return object that the user actually uses. Smart objects may have the means to request use of one or more services and/or resources.
Services include locating other services and/or resources such as information resources, language or format translation, processing, credit (or additional credit) authorization, etc. Resources include reference databases, networks, high powered or specialized computing resources (the smart object may carry information to another computer to be efficiently processed and then return the information to the sending VDE installation), remote object repositories, etc. Smart objects can make efficient use of remote resources (e.g. centralized databases, super computers, etc.) while providing a secure means for charging users based on information and/or resources actually used.

support both "translations" of VDE electronic agreements elements into modern language printed agreement elements (such as English language agreements) and translations of electronic rights protection/transaction management modern language agreement elements to electronic VDE
agreement elements. This feature requires maintaining a library of textual language that corresponds to VDE load modules and/or methods and/or component assemblies. As VDE methods are proposed and/or employed for VDE agreements, a listing of textual terms and conditions can be produced by a VDE user application which, in a preferred embodiment, provides phrases, sentences and/or paragraphs that have been stored and correspond to said methods and/or assemblies. This feature preferably employs artificial intelligence capabilities to analyze and automatically determine, and/or assist one or more users to determine, the proper order and relationship between the library elements corresponding to the chosen methods and/or assemblies so as to compose some or all portions of a legal or descriptive document. One or more users, and/or preferably an attorney (if the document a legal, binding agreement), would review the generated document material upon completion and employ such additional textual information and/or editing as necessary to describe non electronic transaction elements of the agreement and make any other improvements that may be necessary.
These features further support employing modern language tools that allow one or more users to make selections from choices and provide answers to questions and to produce a VDE electronic agreement from such a process. This process can be interactive and the VDE agreement formulation process may employ artificial intelligence expert system technology that learns from responses and, where appropriate and based at least in part on said responses, provides further choices and/or questions which "evolves" the desired VDE electronic agreement.

support the use of multiple VDE secure subsystems in a single VDE installation. Various security and/or performance advantages may be realized by employing a distributed VDE design within a single VDE installation. For example, designing a hardware based VDE secure subsystem into an electronic appliance VDE display device, and designing said subsystem's integration with said display device so that it is as close as possible to the point of display, wiIl increase the security for video materiaIs by making it materially more difficult to "steal" decrypted video information as it moves from outside to inside the video system. Ideally, for example, a VDE secure hardware module would be in the same physical package as the actual display monitor, such as within the packaging of a video monitor or other display device, and such device would be designed, to the extent commercially practical, to be as tamper resistant as reasonable.

As another example, embedding a VDE hardware module into an I/O peripheral may have certain advantages from the standpoint of overall system throughput. If multiple VDE instances are employed within the same VDE installation, these instances will ideally share resources to the extent practical, such as VDE instances storing certain control information and content and/or appliance usage information on the same mass storage device and in the same VDE management database.

requiring reporting and payment compliance by employing exhaustion of budgets and time ageing of keys. For example, a VDE commercial arrangement and associated content control information may involve a content provider's content and the use of clearinghouse credit for payment for end-user usage of said content. Control information regarding said arrangement may be delivered to a user's (of said content) VDE installation and/or said financial 5 clearinghouse's VDE
installation. Said control information might require said clearinghouse to prepare and telecommunicate to said content provider both content usage based information in a certain form, and content usage payment in the form of electronic credit (such credit might be "owned" by the provider after receipt and used in lieu of the availability or adequacy of electronic currency) and/or electronic currency. This delivery of information and payment may employ trusted VDE

installation secure subsystems to securely, and in some embodiments, automatically, provide in the manner specified bv said control information, said usage information and payment content. Features of the present invention help ensure that a requirement that a clearinghouse report such usage information and payment content will be observed.
For example, if one participant to a VDE electronic agreement fails to observe such information reporting and/or paying obligation, another 25 participant can stop the delinquent party from successfully participating in VDE activities related to such agreement. For example, if required usage information and payment was not reported as specified by content control information, the "injured." party can fail to provide, through failing to securely communicate from his VDE installation secure subsystem, one or more pieces of secure information necessary for the continuance of one or more critical processes. For example, failure to report information and/or payment from a clearinghouse to a content provider (as well as any security failures or other disturbing irregularities) can result in the content provider not providing key and/or budget refresh information to the clearinghouse, which information can be necessary to authorize use of the clearinghouse's credit for usage of the provider's content and which the clearinghouse would communicate to end-user's during a content usage reporting communication between. the clearinghouse and end-user. As another example, a distributor that failed to make payments and/or report usage information to a content provider might find that their budget for creating permissions records to distribute the content provider's content to users, and/or a security budget limiting one or more other aspect of their use of the provider's content, are not being refreshed by the content provider, once exhausted or timed-out (for example, at a predetermired date). In these and other cases, the offended party might decide not to refresh time ageing keys that had "aged out." Such a use of time aged keys has a similar impact as failing to refresh budgets or time-aged authorizations.

support smart card implementations of the present invention in the form of portable electronic appliances, including cards that can be employed as secure credit, banking, and/or money cards. A
feature of the present invention is the use of portable VDEs as transaction cards at retail and other establishments, wherein such cards can "dock" with an establishment terminal that has a VDE secure sub-system and/or an online connection to a VDE
secure and/or otherwise secure and compatible subsystem, such as a "trusted" fmancial clearinghouse (e.g., VISA, Mastercard). The VDE
card and the terminal (and/or onli.ne connection) can securely exchange information related to a transaction, with credit and/or electronic currency being transferred to a merchant and/or clearinghouse and transaction information flowing back to the card. Such a card can be used for transar,tion activities of all sorts. A docking station, such as a PCMCIA connector on an electronic appliance, such as a personal computer, can receive a consumer's VDE card at home. Such a station/card combination can be used for on-line transactions in the same manner as a VDE installation that is permanently iustalled in such an electronic appliance. The card can be used as an "electronic wallet" and contain electronic currency as well as credit provided by a clearinghouse. The card can act as a convergence point for financial activities of a consumer regarding many, if not all, merchant, banking, and on-lin.e financial transactions, including supporting home banking activities. A
consumer can receive his paycheck and/or investrnent earnings and/or "authentic" VDE content container secured detailed information on such receipts, through on-line connections. A user can send digital currency to another party with a VDE
arrangement, including giving away such currency.

~ A VDE card can retain details of transactions in a highly secure and database organized fashion so that financially related information is both consolidated and very easily retrieved and/or analyzed. Because of the VDE security, including use of effective encryption, authentication, digital signaturing, and secure database structures, the records contained within a VDE card arrangement may be accepted as valid transaction records for government and/or corporate recordkeeping requirements. In some embodiments of the present invention a VDE card may emplov docking station and/or electronic appliance storage means and/or share other VDE
arrangement means local to said appliance and/or available across a network, to augment the information storage capacity of the VDE card, by for example, storing dated, and/or archived, backup information. Taxes relating to some or all of an individual's financial activities may be automatically computed based on "authentic" information securely stored and available to said VDE card. Said information may be stored in said card, in said docking station, in an associated electronic appliance, and/or other device operatively attached thereto, and/or remotely, such as at a remote server site. A card's data, e.g. transaction history, can be backed up to an individual's personal computer or other electronic appliance and such an appliance WO 96(27155 PCT/US96102303 may have an integrated VDE installation of its own.

A current transaction, recent transactions (for redundancy), or all or other selected card data may be backed up to a remote backup repository, such a = 5 VDE compatible repository at a financial clearinghouse, during each or periodic docking for a financial transaction and/or inform.ation communication such as a user/merchant tra.nsaction.
Backing up at least the current transaction during a connection with another party's VDE installation (for example a VDE installation that is also on a financial or general purpose electronic network), by posting transaction information to a remote clearinghouse and/or bank, can ensure that sufficient backup is conducted to enable complete reconstruction of VDE card internal information in the event of a card failure or loss.

support certification processes that ensure authorized interoperability between various VDE
installations so as to prevent VDE arrangements and/or installations that unacceptably deviate in specification protocols from other VDE arrangements and/or iastallations from interoperating in a manner that may introduce security (integrity and/or confidentiality of VDE secured information), process control, and/or software compatibility problems.
Certification validates the identity of VDE

installations and/or their components, as well as VDE users. Certification data can also serve as information that contributes to determining the decommissioning or other change related to VDE
sites.

! support the separation of fundamental transaction control processes through the use of event (triggered) based method control mechanisms. These event methods trigger one or more other VDE methods (which are available to a secure VDE sub-system) and are used to carry out VDE managed transaction related processing. These triggered methods include independently (separably) and securely processable component billing management methods, budgeting management methods, metering management methods, and related auditing management processes. As a result of this feature of the present invention, independent triggering of metering, auditing, billing, and budgeting methods, the present invention is able to efficiently, concurrently support multiple financial currencies (e.g. dollars, marks, yen) and content related budgets, and/or billing iricrements as well as very flexible content distribution models.

support, complete, modular separation of the control structures related to (1) content event triggering, (2) auditing, (3) budgeting (including specifying no right of use or unlimited right of use), (4) billing, and (5) user identity (VDE installation, client name, department, network, and/or user, etc.). The independence of these VDE control structures provides a flexible system which allows plural relationships between two or more of these structures, for example, the ability to associate a financial. budget with different event trigger structures (that are put in place to enable controlling content based on its logical portions). Without such separation between these basic VDE capabilities, it would be more difficult to efficiently maintain separate metering, budgeting, identification, and/or billing activities which involve the same, differing (including overlapping), or entirely different, portions of content for metering, billing, budgeting, and user identification, for example, paying fees associated with usage of content, performing home banking, managing advertising services, etc. VDE
modular separation of these basic capabilities supports the programming of plural, "arbitrary"
relationships between one or differing content portions (and/or portion units) and budgeting, auditing, and/or billing control information. For example, under VDE, a budget limit of $200 dollars or 300 German Marks a month may be enforced for decryption of a certain database and 2 U.S. Dollars or 3 German Marks may be charged for each record of said database decrypted (depending on user selected currency). Such usage can be metered while an additional audit for user profile purposes can be prepared recording the identity of each filed displayed. Additionally, further metering can be conducted regarding the number of said database bytes that have been decrypted, and a related security budget may prevent the decrypting of more than 5% of the total bytes of said database per year.

The user may also, under VDE (if allowed by senior control information), collect audit information reflecting usage of database fields by different individuals and client organization departments and ensure that differing rights of access and differing budgets limiting database usage can be applied to these client individuals and groups. Enabling content providers and users to practically employ such diverse sets of user identification, metering, budgeting, and billing control information results, in part, from the use of such independent control capabilities. As a result, VDE can support great configurability in creation of plural control models applied to the same electronic property and the same and/or plural control models applied to differing or entirely different content models (for example, home banking versus electronic shopping).

Methods, Other Control Information, and VDE Objects VDE control information (e.g., methods) that collectively control use of VDE managed properties (database, document, individual commercial product), are either shipped with the content itself (for example, in a content container) and/or one or more portions of such control information is shipped to distributors and/or other users in separably deliverable "admindstrative objects." A subset of the methods for a property may in part be delivered with each property while one or more other subsets of methods can be delivered separately to a user or otherwise made available for use (such as being available remotely by telecommunication means). Required methods (methods listed as required for property and/or appliance use) must be available as specified if VDE controlled content (such as intellectual property distributed within a VDE content container) is to be used. Methods that control content may apply to a plurality of VDE container objects, such as a class or other grouping of such objects. Methods may also be required by certain users or classes of users and/or VDE installations and/or classes of installations for such parties to use one or more specific, or classes of, objects.

A feature of VDE provided by the present invention is that certain one or more methods can be specified as required in order for a VDE installation and/or user to be able to use certain and/or all content. For example, a distributor of a certain type of content might be allowed by "senior" participants (by content creators, for example) to require a method which prohibits end-users from electronically saving decrypted content, a provider of credit for VDE transactions might require an audit method that records the time of an electronic purchase, and/or a user might require a method that summarizes usage information for reporting to a clearinghouse (e.g. billing information) in a way that does not convey confidential, personal information regarding detailed usage behavior.

A further feature of VDE provided by the present invention is that creators, distributors, and users of content can select from among a set of predefined methods (if available) to control container content usage and distribution functions and/or they may have the right to provide new customized methods to control at least certain usage functions (such "new" methods may be required to be certified for trustedness and interoperability to the VDE installation an.d/or for of a group of VDE applications). As a result, VDE provides a very high degree of configurability with respect to how the distribution and other usage of each property or object (or one or rnore portions of objects or properties as desired and/or applicable) will be controlled. Each VDE
participant in a VDE pathway of content control information may set methods for som.e or all of the content in a VDE container, so long as such control information does not conflict with senior control information already in place with respect to:

(1) certain or all VDE managed content, (2) certain one or more VDE users and/or groupings of users, (3) certain one or more VDE nodes and/or groupings of nodes, and/or (4) certain one or more VDE applications and/or arrangements.

For example, a content creator's VDE control information for certain content can take precedence over other submitted VDE participant control information and, for example, if allowed by senior control information, a content distributor's control information may itself take precedence over a client administrator's control information, which may take precedence over an end-user's control information. A path of distribution participant's ability to set such electronic content control information can be limited to certain control information (for example, method mediating data such as pricing and/or sales dates) or it may be limited only to the extent that one or more of the participant's proposed control information conflicts with control information set by senior control information submitted previously by participants in a chain of handling of the property, or managed in said participant's VDE secure subsystem.
VDE control information may, in part or in full, (a), represent control information directly put in place by VDE
content control information pathway participants, and/or (b) comprise control information put in place by such a participant on behalf of a party who does not directly handle electronic content (or electronic appliance) permissions records information (for example control information inserted by a participant on behalf of a financial clearinghouse or government agency). Such control information methods (and/or load modules and/or mediating data and/or component assemblies) may also be put in place by either an electronic automated, or a semi-automated and human assisted, control information (control set) negotiating process that assesses whether the use of one or more pieces of submitted control information will be integrated into and/or replace existing control information (and/or chooses between alternative control iriformation based upon interaction with in-place control information) and how such control information may be used.

Control information mav be provided by a party who does not directly participate in the handling of electronic content (and/or appliance) and/or control information for such content (and/or appliance). Such control information may be provided in secure form using VI)E installation secure sub-system managed communications (including, for example, authenticating the deliverer of at least in part encrypted control information) between such not directly participating one or more parties' VDE
installation secure subsystems, and a pathway of VDE content control information participant's VDE installation secure subsystem. This control information may relate to, for example, the right to access credit supplied by a financial services provider, the enforce:ment of regulations or laws enacted by a gover.n~aent agency, or the requirements of a customer of VDE

managed content usage information (reflecting usage of content WO 96/27155 PCT/i7S96/02303 by one or more parties other than such customer) relating to the creation, handling and/or manner of reporting of usage ~
information received by such customer. Such control information may, for example, enforce societal requirements such as laws related to electronic commerce.

VDE content control information may apply differently to different pathway of content and/or control information handling participants. Furthermore, permissions records rights may be added, altered, and/or removed by a VDE participant if they are allowed to take such action. Rights of VDE participants may be defined in relation to specific parties and/or categories of parties and/or other groups of parties in a chain of handling of content and/or content control information (e.g., permissions records).

Modifications to control information that may be made by a given, eligible party or parties, may be limited in the number of modifications, and/or degree of modification, they may make.

At least one secure subsystem in electronic appliances of creators, distributors, auditors, clearinghouses, client administrators, and end-users (understanding that two or more of the above classifications may describe a single user) provides a "sufliciently" secure (for the intended applications) environment for:

1. Decrypting properties and control information;

2. Storing control and metering related information;
3. Manag.iYLg communications;

4. Processing core control programs, along with associated data, that constitute control information for electi-onic content and/or appliance rights protection, inclLiding the enforcing of preferences and requirements of VDE participants.
N'ormally, most usage, audit, reporting, payment, and distribution control methods are themselves at least in part encrypted and are ex.ecuted by the secure subsystem of a VDE
installation. Thus, for example, billing and metering records can be securely generated and updated, and encryption and decryption keys are securely utilized, within a secure subsystem.
Since VDE also employs secure (e.g. encrypted and authenticated) commLunications when passing information between the participant location (nodes) secure subsystems of a VDE arrangement, iinportant components of a VDE electronic agreement can be reliably enforced with sufficient security (sufficiently trusted) for the intended commercial purposes. A

VDE electronic agreement for a value chain can be composed, at least in part, of one or more subagreements between one or more subsets of the value chain participants. These subagreements are comprised of one or more electronic contract "compliance"
elements (methods including associated parameter data) that ensure the protection of the rights of VDE participants.

The degree of trustedness of a VDE arrangement will be primarily based on whether hardware SPUs are employed at participant location secure subsvstems and the effectiveness of the SPU hardware security architecture, software security techniques when an SPU is emulated in software, and the encryption algorithm(s) and keys that are employed for securing content, control information, communications, and access to VDE
node (VDE installation) secure subsystems. Physical facility and user identity authentication security procedures may be used instead of hardware SPUs at certain nodes, such as at an established financial clearinghouse, where such procedures may provide sufficient security for trusted interoperability with a VDE arrangement employing hardware SPUs at user nodes.

The updating of property management files at each location of a VDE arrangement, to accommodate new or modified control information, is performed in the VDE secure subsystem and under the control of secure management file updating programs executed by the protected subsystem. Since all secure WO 96/27155 PCT(US96102303 communi.cations are at least in part encrypted and the processing inside the secure subsystem is concealed from outside observation and interference, the present invention ensures that content control information can be enforced. As a result, the creator and/or distributor amd/or client administrator and/or other contributor of secure control information for each property (for example, an end-user restricting the kind of audit information he or she will allow to be reported and/or a fmancial clearinghouse establishing certain criteria for use of its credit for payment for use of distributed content) can be confident that their contributed and accepted control information will be enforced (within the security limitations of a given VDE security implementation design). This control information can determine, for example:

(1) How and/or to whom electronic content can be provided, for example, how an electronic property can be distributed;

(2) How one or more objects and/or properties, or portions of an object or property, can be directly used, s-nch as decrypted, displayed, printed, etc;

(3) How payment for usage of such content and/or content portions may or must be handled; and (4) How audit information about usage information related to at least a portion of a property should be collected, reported, and/or used.

Seniority of contributed control information, including resolution of conflicts between content control information submitted by multiple parties, is normally established by:

(1) the sequence in which control information is put in place by various parties (in place control information normally takes precedence over subsequently submitted control information), (2) the specifics of VDE content and/or appliance control information. For example, in-place control information can stipulate which subsequent one or more piece of control from one or more parties or class of parties will take precedence over control information submitted by one or more yet different parties and/or classes of parties, and/or (3) negotiation between control information sets from plural parties, which negotiation establishes what control information shall constitute the resulting control i.nformation set for a given piece of VDE

managed content and/or VDE installation.
.

Electronic Agreements and Rights Protection An important feature of VDE is that it can be used to assure the adm.i_nistration of, and adequacy of security and rights protection for, electronic agreements implemented through the use of the present invention. Such agreements may involve one or more of:

(1) creators, publishers, and other distributors, of electronic i_nformation, (2) financial service (e.g. credit) providers, (3) users of (other than financial service providers) information arising from content usage such as content specific demographic information and user specific descriptive information. Such users may include market analysts, marketing list compilers for direct and directed marketing, and government agencies, (4) end users of content, (5) infrastructure service and device providers such as telecommunication companies and hardware manufacturers (semiconductor and electronic appliance and/or other computer system manufacturers) who receive compensation based upon the use of their services and/or devices, and (6) certain parties described by electronic information.

VDE supports commercially secure "extended" value chain electronic agreements. VDE can be configured to support the various underlying agreements between parties that comprise this extended agreement. These agreements can define important electronic commerce considerations including:

(1) security, (2) content use control, including electronic distribution, (3) privacy (regarding, for example, information concerning parties described by medical, credit, tax, personal, and/or of other forms of confidential information), (4) management of financial processes, and (5) pathways of handling for electronic content, content and/or appliance control information, electronic content and/or appliance usage information and = payment and/or credit.

VDE agreements may define the electronic commerce relatioiaship of two or more parties of a value chain, but such agreements may, at times, not directly obligate or otherwise directly involve other VDE value chain participants. For example, an electronic agreement between a content creator and a distributor may establish both the price to the distributor for a creator's content (such as for a property distributed in a VDE
container object) and the number of copies of this object that this distributor may distribute to end-users over a given period of time. ]:n a second agreement, a value chain end-user may be involved in a three party agreement iin which the end-user agrees to certain requirements for using the distributed product such as accepting distributor charges for content use and agreeing to observe the copyriglit rights of the creator. A third agreement might exist between. the distributor and a fmancial clearinghouse that allows the distributor to employ the clearinghouse's credit for payment for the product if the end-user has a separate (fourth.) agreement directly with the clearinghouse extending credit to the end-user. A fi.fth, evolving agreement may develop between all value chain participants as content control information passes along its chain of handling. This evolving agreement can establish the rights of all parties to content usage information, including, for example, the nature of information to be received by each party and the pathway of handling of content usage information and related procedures. A sixth agreement in this example, may involve all parties to the agreement and establishes certain general assumptions, such as security techniques and degree of trustedness (for example, commercial integrity of the system may require each VDE installation secure subsystem to electronically warrant that their VDE node meets certain interoperability requirements). In the above example, these six agreements could comprise agreements of an extended agreement for this commercial value chain instance.

VDE agreements support evolving ("living") electronic agreement arrangements that can be modified by current and/or new participants through very simple to sophisticated "negotiations" between newly proposed content control information interacting with control information already in place and/or by negotiation between concurrently proposed content control information submitted by a plurality of parties. A given model may be asynchronously and progressively modified over time in accordance with existing senior rules and such modification may be applied to all, to classes of, and/or to specific content, and/or to classes and/or specific users and/or user nodes.

A given piece of content may be subject to different control information at different times or places of handling, depending on the evolution of its content control information (and/or on differing, applicable VDE installation content control - 5 information). The evolution of control information can occur during the passing along of one or more VDE control information containing objects, that is control information may be modified at one or more points along a chain of control information handling, so long as such modification is allowed. As a result, VDE

managed content may have different control information applied at both different "locations" in a chain of content handling and at similar locations in differing chains of the han.dling of such content. Such different application of control information may also result from content control information specifying that a certain party or group of parties shall be subject to content control information that differs from another party or group of parties. For example, content control information for a given piece of content may be stipulated as senior information and therefore not changeable, might be put in place by a content creator and might stipulate that national distributors of a given piece of their content may be permitted to make 100,000 copies per calendar quarter, so long as such copies are provided to boni fide end-users, but may pass only a single copy of such content to a local retailers and the control information limits such a retailer to making no more than 1,000 copies per month for retail sales to __ end-users. In addition, for example, an end-user of such content might be li.mited by the same content control information to making three copies of such content, one for each of three different computers he or she uses (one desktop computer at work, one for a desktop computer at home, and one for a portable computer).

Electronic agreements supported by the preferred embodiment of the present invention can vary from very simple to very elaborate. They can support widely diverse information management models that provide for electronic information security, usage administration, and communication and may support:

(a) secure electronic distribution of information, for example commercial literary properties, (b) secure electronic information usage monitoring and reporting, (c) secure financial transaction capabilities related to both electronic information and/or appliance usage and other electronic credit and/or currency usage and administration capabilities, (d) privacy protection for usage information a user does not wish to release, and (e) "living" electronic information content dissemination = 5 models that fle)dbly accommodate:

(1) a breadtli of participants, (2) one or more pathways (chains) for: the handling of content, content and/or appliance control information, reporting of content and/or appliance usage related information, and/or payment, (3) supporting an evolution of terms and conditions incorporated into content control information, including use of electronic negotiation capabilities, (4) support the combination of multiple pieces of content to form new content aggregations, and (5) multiple concurrent models.

Secure Processing Units An important part of VDE provided by the present invention is the core secure transaction control arrangement, herein called an SPU (or SPUs), that typically must be present in each user's computer, other electronic appliance, or network.
SPUs provide a trusted environment for generating decryption keys, encrypting and decrypting information, managing the secure communication of keys and other information between electronic appliances (i.e. between VDE installations and/or between plural VDE instances within a single VDE installation), securely accumulating and managing audit trail, reporting, and budget information in secure and/or non-secure non-volatile memory, maintaining a secure database of control information management instructions, and providing a secure environment for performing certain other control and administrative functions.
A hardware SPU (rather than a software emulation) within a VDE node is necessary if a highly trusted environment for performing certain VDE activities is required. Such a trusted environment may be created through the use of certain control software, one or more tamper resistant hardware modules such as a semiconductor or semiconductor chipset (including, for rt example, a tamper resistant hardware electronic appliance peripheral device), for use within, and/or operatively connected to, an electronic appliance. With the present invention, the _-trustedness of a harciware SPU can be enhanced by enclosing some or all of its hardware elements within tamper resistant packaging and/or by employing other tamper resisting techniques (e.g. microfusing ancUor thin wire detection techniques). A

= 5 trusted environment of the present invention implemented, in part, thxough the use of tamper resistant semiconductor design, contains control logic, such as a microprocessor, that securely executes VDE processes.

- A VDE node's hardware SPU is a core component of a VDE
secure subsystem and may employ some or all of an electronic appliance's primary control logic, such as a microcontroller, microcomputer or ot]:ler CPU arrangement. This primary control logic may be otherwise employed for non VDE purposes such as the control of some or all of an electronic appliance's non-VDE
functions. When operating in a hardware SPU mode, said primary control logic must be sufficiently secure so as to protect and conceal important VDE processes. For example, a hardware SPU may employ a host electronic appliance microcomputer operating in protected mode while performing VDE related activities, thus allowing portions of VDE processes to execute with a certain degree of security. This alternate embodiment is in contrast to the preferred embodiment wherein a trusted environment is created using a combination of one or more tamper resistant semiconductors that are not part of said primary control logic. In either embodiment, certain control information (software and parameter data) must be securely maintained within the SPU, and further control information can be stored externally and securely (e.g. in encrypted and tagged form) and loaded into said hardware SPU when needed. In many cases, and in particular with microcomputers, the preferred embodiment approach of employing special purpose secure hardware for executing said VDE processes, rather than using said primary control logic, may be more secure and efficient. The level of security and tamper resistance required for trusted SPU
hardware processes depends on the commercial requirements of particular markets or market niches, and may vary widely.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features and advantages provided by the present; invention(s) may be better and more completely understood by referring to the followi_n.g detailed description of presently preferred example embodiments in connection with the drawings, of which:

FIGURE 1 illustrates an example of a "Virtual Distribution Environment" provided in accordance with a preferred example/embodiment of this invention;

FIGURE 1A is a more detailed iIlustration of an example of the "Information Utility" shown in FIGURE 1;

FIGURE 2 illustrates an example of a chain of handling and control;

FIGURE 2A illustrates one example of how rules and control information may persist from one participant to another in the Figure 2 chain of handling and control;

FIGURE 3 shows one example of different control information that may be provided;
FIGURE 4 illustrates examples of some different types of 5 rules and/or control information;

FIGURES 5A and 5B show an example of an "object";
FIGURE 6 shows an example of a Secure Processing Unit ("SPU");

FIGURE 7 shows an example of an electronic appliance;
FIGURE 8 is a more detailed block diagram of an example of the electronic appliance shown in. FIGURE 7;

FIGURE 9 is a detailed view of an example of the Secure Processing Unit (SPU) shown in FIGURES 6 and 8;

, FIGUR,E 10 shows an example of a"R.ights Operating System" ("ROS") architecture provided by the Virtual Distribution Environment;

FIGURES 1Lk-11C show examples of functional = relationship(s) between applications and the Rights Operating System.;

FIGURES 11D-11J show examples of "components" and "component assemblies";

F'IGURE 12 L- a more detailed diagram of an example of the Rights Operating System shown in FIGURE 10;

FIGLTR.E 12A shows an example of how "objects" can be created;

FIGURE 13 is a detailed block diagram of an example the software architecture for a "protected processing environment"
shown in FIGURE 12;

FIGURES 14A-14C are examples of SPU memory maps provided by the protected processing environment shown in FIGUR.E 13;

FIGURE 15 illustrates an example of how the channel services manager and load module execution manager of FIGURE 13 can support a channel;

FIGLTRE 15A is an example of a channel header and channel detail records shown in. FIGLTRE 15;

FIGLTRE 15B is a flowchart of an example of program control steps that may be performed by the FIGURE 13 protected processing environment to create a channel;

FIGURE 16 is a block diagram of an example of a secure data base structure;

FIGLTRE 17 is an iIlustration of an example of a logical object structure;

FIGLTRE 18 shows an example of a stationary object structure;

FIGLTRE 19 shows an example of a traveling object structure;

l! IGURE 20 shows an example of a content object = structuxe;

FIGLTRE 21 shows an example of an administrative object strazctu:re;

FIGURE 22 shows an example of a method core structure;
FIGURE 23 shows an example of a load module structure;

FIGLTRE 24 sliows an example of a User Data Element (UDE) ,and/or Method Data Element (MDE) structure;
F'IGURES 25A-25C show examples of "map meters";

FIGURE 26 sliows an example of a permissions record (PERC) structure;

F'IGURES 26A and 26B together show a more detailed example of a permissions record structure;

FIGURE 27 shows an example of a shipping table structure;
FIGURE 28 shows an example of a receiving table structure;

FIGURE 29 shows an example of an administrative event log structure;

FIGLTRE 30 shows an example inter-relationship between and use of the object registration table, subject table and user rights table shown in the FIGURE 16 secure database;

FIGLTRE 31 is a more detailed example of an object registration table shown in FIGURE 16;

FIGURE 32 is a more detailed example of subject table shown in FIGLTRE 16;

FIGLTRE 33 is a more detailed example of a user rights table shown in FIGURE 16;

FIGURE 34 shows a specific example of how a site record table and group record table may track portions of the secure database shown in FIGURE 16;

FIGURE 3421 is an example of a FIGLTR,E 34 site record table structure;

FIGURE 34B is an example of a FIGURE 34 group record table structure;

FIGURE 35 shows an example of a process for updating the secure database;

FIGUR,E 36 shows an example of how new elements may be inserted into the FIGURE 16 secure data base;

FIGURE 37 shows an example of how an element of the secure database may be accessed;

FIGLTR.E 38 is a flowchart example of how to protect a secure database eleinent;

FIGURE 39 is a flowchart example of how to back up a secure database;

FIGITR.E 40 is a flowchart example of how to recover a secure database from a backup;

FIGUR.ES 41A-41D are a set of examples showing how a "chain of handling and control" may be enabled using "reciprocal methods";

FIGUR,ES 42A-42D show an example of a"reciprocaP' BUDGET method;

FIGURES 43A-43D show an example of a"reciprocaP' REGISTER method;

FIGITR,ES 44A-44C show an example of a"reciprocal"
AUDIT method;

FIGURES 45-48 show examples of several methods being used together to control release of content or other information;

WO 96/27155 PCTlUS96102303 ]E'IGURES 49, 49A-49F show an example OPEN method;
FIGITR,ES 50, 50A-50F show an example of a READ

method;

]FIGLTR.ES 51, 51A-51F show an example of a WRITE
method;

FIGURE 52 shows an example of a CLOSE method;

]E'IGURES 53A-53B show an example of an EVENT
method;

IFIGLTRE 53C shows an example of a BILLING method;

IFIGLTRE 54 shows an example of an ACCESS method;
]E'IGUR,ES 55A-55B show examples of DECRYPT and ENCRYPT methods;

FIGURE 56 shows an example of a CONTENT method;

FIGURES 57A and 57B show examples of EXTRACT and EMBED methods;

FIGURE 58A shows an example of an OBSCURE method;

FIGURES 58B, 58C show examples of a FINGERPRINT
method;

FIGUR.E 59 shows an example of a DESTROY method;

FIGLTRE 60 shows an example of a PANIC method;
FIGURE 61 shows an example of a METER method;
FIGURE 62 shows an example of a key "convolution"
process;

FIGITR,E 63 shows an example of how different keys may be generated using a key convolution process to determine a "true" key;

FIGUR,ES 64 and 65 show an example of how protected processing environnient keys may be initialized;

=
FIGLTRES 66 and 67 show example processes for decrypting information contained within stationary and traveling objects, respectively;

FIGURE 68 shows an example of how a protected processing environrnent may be initialized;

FIGURE 69 sl';iows an example of how firmware may be downloaded into a protected processing environment;

F'IGITR,E 70 shows an example of multiple VDE electronic appliances connected together with a network or other communications means;

FIGURE 71 sliows an example of a portable VDE electronic appliance;

-FIGUR.ES 72A-72D show examples of "pop-up" displays that may be generated by the user notification and exception interface;

FIGITR,E 73 shows an example of a "smart object";
FIGURE 74 shows an example of a process using "smart objects";

FIGURES 75A-75D show examples of data structures used for electronic negotiation;

FIGURES 75E-75F show example structures relating to an electronic agreement;

FIGURES 76A-76B show examples of electronic negotiation processes;

FIGURE 77 shows a further example of a chain of handling and control;

FIGUR.E 78 shows an example of a VDE "repository";

---_ FIGURES 79-83 show an example iIlustrating a chain of handling and control to evolve and tran,sform VDE managed content and control. information;

FIGUR.E 84 shows a further example of a chain of handling and control involving several categories of VDE participants;
FIGURE 85 shows a further example of a chain of distribution and handling within an organization;

Figures 86 and 86A show a further example of a chain of handling and control; and Figure 87 shows an example of a virtual silicon container model.

.

MORE DETAILED DESCRIPTION

Figures 1-7 and the discussion below provides an overview "
of some aspects of features provided by this invention. Following this overview is a more technical "detail description" of example embodiments in accordance with the invention.

Overview Figure 1 shows a "Virtual Distribution Environment"
("VDE") 100 that may be provided in accordance with this invention. In Figure 1, an in.formation utility 200 connects to communications means 202 such as telephone or cable TV lines for example. Telephone or cable TV lines 202 may be part of an "electronic hig, way" that carries electronic information from place to place. Lines 202 connect information utility 200 to other people such as for example a consumer 208, an office 210, a video production studio 204, and a publishing house 214. Each of the people connected to information utility 200 may be called a"VDE
participant" because they can participate in transactions occurring within the virtual distribution environment 100.
Almost any sort of transaction you can think of can be supported by virtual distribution environment 100. A few of many examples of transactions that can be supported by virtual distribution environment 100 include:

C home banking and electronic payments;
C electronic legal contracts;

C distribution of "content" such as electronic printed matter, video, audio, images and computer programs; and C secure communnication of private information such as medical records and financial information.

Virtual distribution environment 100 is "virtual" because it does not require mamy of the physical "things" that used to be necessary to protect rights, ensure reliable and predictable clistribution, and ensure proper compensation to content creators and distributors. For example, in the past, information was distributed on records or disks that were di.ffcult to copy. In the past, private or secret content was distributed in sealed envelopes or locked briefcases delivered by courier. To ensure appropriate compensation, consumers received goods and services only after they handed cash over to a seller. Although information utility 200 may deliver information by transferring physical "things" such as electronic storage media, the virtual distribution environment 100 facilitates a completely electronic "chain of handling and control."

VDE Flexibility Supports Transactions Information utili.ty 200 flexibly supports many different kinds of information transactions. Different VDE participants may define and/or participate in different parts of a transaction.

Information utility 200 may assist with delivering information about a transaction, or it may be one of the transaction participants.

For example, the video production studio 204 in the upper right-hand corner of Figure 1 may create video/television programs. Video production studio 204 may send these programs over lines 202, or may use other paths such as satellite link 205 and CD ROM delivery service 216. Video production studio 204 can send, the programs directly to consumers 206, 208, 210, or it can send the programs to information utility 200 Nvhich may store and later send them to the consumers, for example.

Constuners 206, 208, 210 are each capable of receiving and using the programs created by video production studio 204-assuming, that is, that the video production studio or information utility 200 has arranged for these consumers to have appropriate "rules and f,ontrols" (control information) that give the consumers rights to use the programs.

Even if a consumer has a copy of a video program, she cannot watch or copy the program unless she has "rules and controls" that authorize use of the program. She can use the program onlv as pex-arlitted by the "rules and controls."

For example, video production studio 204 might release a half-hour exercise v.ideo in the hope that as many viewers as possible will view it. The video production studio 204 wishes to receive $2.00 per viewing. Video production studio 204 may, t]zrough information utility 200, make the exercise video available in "protected" form to all consumers 206, 208, 210.

Video production studio 204 may also provide "rules and controls"
for the video. These "rules and controls" may specify for example:
(1) any consumer who has good credit of at least $2.00 based on a credit account with independent financial provider 212 (such as Mastercard or VISA) may watch the video, (2) virtual distribution environment 100 will "meter" each time a consumer watches the video, and report usage to video production studio 204 from time to time, and (3) financial provider 212 may electronically collect payment ($2.00) from the credit account of each consumer who watches the video, and transfer these payments to the video production studio 204.

Information utility 200 allows even a smaIl video production studio to market videos to consumers and receive compensation for its efforts. Moreover, the videos can, with appropriate payment to the video production studio, be made availalble to other video publishers who may add value and/or act as repackagers or redistributors.

Figure 1 also shows a publishing house 214. Publishing house 214 may act as a distributor for an author 206. The publis]ain.g house 214 may distribute rights to use "content" (such as computer software, electronic newspapers, the video produced by publishing house 214, audio, or any other data) to consumers such as office 210. 'Plhe use rights may be defined by "rules and controlls" distributed by publishing house 216. Publishing house 216 may distribute these "rules and controls" with the content, but this is not necessary. Because the content can be used only by consumers that have the appropriate "rules and controls,"
content and its associated "rules and controls" may be distributed at different times, iis different ways, by different VDE
participants. The ability of VDE to securely distribute and enforce "rules and controls" separately from the content they apply to provides great advantages.

Use rights distributed by publishing house 214 may, for example, permit offi:ce 210 to make and distribute copies of the content to its employees. Office 210 may act as a redistributor by extending a "chain of handling and control" to its employees. The office 210 may add or modify "rules and controls" (consistent with the "rules and controls" it receives from publishing house 214) to provide office-internal control information and mechanisms. For 5 example, office 210 may set a maximum usage budget for each individual user and/or group within the office, or it may permit only specified employees and/or groups to access certain information.

Figure 1 also shows an information delivery service 216 delivering electronic storage media such as "CD ROM" disks to consumers 206. Even though the electronic storage media themselves are not delivered electronically by information utility 200 over lines 202, they are still part of the virtual distribution environment 100. The electronic storage media may be used to distribute content, "rules and controls," or other information.
Example of What's Inside Information Utility 200 "Information utility" 200 i.n. Figure 1 can be a collection of participants that may act as distributors, financial clearinghouses, and adminitrators. Figure 1A shows an example of what may be inside one example of information utility WO 96/27155 PCTlUS96102303 200. Information utility participants 200a-200g could each be an independent organization/business. There can be any number of each of participants 200a-200g. In this example, electronic "switch" 200a connects internal parts of information utility 200 to each other and to outside participants, and may also connect outside participants to one another.

Information utility 200 may include a"transaction processor" 200b that processes transactions (to transfer electroiaic funds, for example) based on requests from participants and/or :report receiver 200e. It may also include a "usage analyst" 200c that analyzes reported usage information.
A "report creator" 200d may create reports based on usage for example, and may provide these reports to outside participants and/or to participants within information utility 200. A "report receiver" 200e may receive reports such as usage reports from content users. A"permi.ssioning agent" 200f may distribute "rules and controls" granting usage or distribution permissions based on a profile of a consumer's credit worthiness, for example.

A.n administrator 200h may provide information that keeps the virtual distribution environment 100 operating properly. A

content and message storage 200g may store information for use by participants within or outside of information utility 200.
Example of Distributing Content" Using A Chain of Handling 5 and Control"

As explained above, virtual distribution environment 100 can be used to manage almost any sort of transaction. One type of important transaction that virtual distribution environment 100 may be used to manage is the distribution or communication of "content" or other important information. Figure 2 more abstractly shows a"modeP' of how the Figure 1 virtual distribution environment 100 may be used to provide a "chain of handling and control" for distributing content. Each of the blocks in Figure 2 may correspond to one or more of the VDE
participants shown in Figure 1.

In the Figure 2 example, a VDE content creator 102 creates "content." The content creator 102 may also specify "rules and controls" for distributing the content. These distribution-related "rules and controls" can specify who has permission to distribute the rights to use content, and how many users are allowed to use the content.

WO 96/27155 PCT(US96102303 Arrow 104 shows the content creator 102 sending the "rules and controls"' associated with the content to a VDE ' ts djqtributor 106 ("distributor ') over an electronic highwav 108 (or by some other path, such as an optical disk sent by a delivery service such as U. S. mail). The content can be distributed over the same or differeiat path used to send the "rules and controls."
'I'he distributor 106 generates her own "rules and controls" that relate to usage of the content. The usage-related "rules and controls" may, for example, specify what a user can and can't do with the content and how much it costs to use the content. These usage-rel.ated "rules and controls" must be consistent with the "rules and controls" specified by content creator 102.

Arrow 110 shows the distributor 106 distributin~ rights to use the content by sending the content's "rules and controls" to a contenLt user 112 such as a consumer. The content user 112 uses the content in accordance with the usage-related "rules and controls."
In this Figure 2 example, information relating to content use is, as shown by arrow 114, rAorted to a finAmia~
clearinghouse 116. Based on this "reporting," the financial clearinghouse 116 may generate abj]], and send it to the content user 112 over a"reports and payments" network 118. Arrow 120 shows the content user 112 providing payments for content usage to the financial clearinghouse 116. Based on the reports and 5 payments it receives, the financial clearinghouse 116 may provide reports and/or payments to the distributor 106. The distributor 106 may, as shown by arrow 122, provide reports and/or payments to the content creator 102. The clearinghouse 116 may provide reports and payments directly to the creator 102. Reporting and/or payments may be done differently. For example, clearinghouse 116 may directly or through an agent, provide reports and/or payments to each of VDE content creators 102, and rights distributor 106, as well as reports to content user 112.

The distributor 106 and the content creator 102 may be the same person, or they may be different people. For example, a musical perform.i.ng group may act as both content creator 102 and distributor 106 by creating and distributing its own musical recordings. As another example, a publishing house may act as a distributor 106 to distribute rights to use works created by an author content creator 102. Content creators 102 may use a distributor 106 to efficiently manage the financial end of content distribution.

The "financial clearinghouse" 116 shown in Figure 2 may also be a"VDE ad~n:unistrator." Financial clearinghouse 116 in its VDE administrator role sends "administrative" information to the VDE participants. This administrative information helps to keep the virtual di-tribution environment 100 operating properly. The "VD]E admiaistrator" and financial clearinghouse roles may be performed by different people or companies, and there can be more than one of each.

More about Rules a:nd Commtrols"

'Z'he virtual distribution environment 100 prevents use of protected information except as permitted by the "rules and controls" (control in.formation). For example, the "rules and controls" shown in Figure 2 may grant specific individuals or classes of content users 112 "permission" to use certain content.
They may specify what kinds of content usage are permitted, and what kinds are not. They may specify how content usage is to be paid for and how much it costs. As another example, "rules and controls" may require content usage information to be reported back to the distributor 106 and/or content creator 102. Every VDE participant in "chain of handling and control" 5 is normally subject to "rules and controls." "Rules and controls"

define the respective rights and obligations of each of the various VDE participants. "Rules and controls" provide information and mechanisms that may establish interdependencies and relationships between the participants. "Rules and controls" are flexible, and permit "virtual distribution environment" 100 to support most "traditional" business transactions. For example:
C "Rules and controls" may specify which financial clearinghouse(s) 116 may process payments, C "Rules and controls" may specify which participant(s) receive what kind of usage report, and C "Rules and controls" may specify that certain information is revealed to certain participants, and that other information is kept secret from them.

"Rules and controls" may self li.mit if and how they may be changed. Often, "rules and controls" specified by one VDE participant cannot be changed by another VDE participant. For example, a content user 112 generally can't change "rules and = controls" specified by a distributor 106 that require the user to pay for content usage at a certain rate. "Rules and controls" may "persist" as they pass through a "chain of handling and control,"

and may be "inYierited" as they are passed down from one VDE
participant to the next.

Depending upon their needs, VDE participants can specify that their "rules and. controls" can be changed under conditions specified by the same or other "rules and controls." For example, "rules and controls" specified by the content creator 102 may permit the distributor 106 to "mark up" the usage price just as retail stores "mark vp" the wholesale price of goods. Figure 2A
shows an example in. which certain "rules and controls" persist unchanged from content creator 102 to content user 112; other "rules and controls" are modified or deleted by distributor 106;
and still other "rules and controls" are added by the distributor.

"Rules and controls" can be used to protect the content user's privacy by li_m:it-ing the information that is reported to other V]DE participants. As one example, "rules and controls"
can cause content usage information to be reported anonymously without revealing content user identity, or it can reveal only certain information to certain participants (for example, information derived from usage) with appropriate permission, if required. This ability to securely control what information is 5 revealed and what VDE participant(s) it is revealed to allows the privacy rights of all VDE participants to be protected.
Rules and Contents" Can Be Separately Delivered As mentioned above, virtual distribution environment 100 "associates" content with corresponding "rules and controls," and prevents the content from being used or accessed unless a set of corresponding "rules and controls" is available. The distributor 106 doesn't need to deliver content to control the content's distribution. The preferred embodiment can securely protect content by protecting corresponding, usage enabling "rules and controls" against unauthorized distribution and use.

In some examples, "rules and controls" may travel with the content they apply to. Virtual distribution environment 100 also allows "rules and controls" to be delivered separately from content. Since no one can use or access protected content without "per.mission" from corresponding "rules and controls," the distributor 106 can control use of content that has already been (or will in the future be) delivered. "Rules and controls" may be delivered over a path different from the one used for content delivery. "Rules and controls" may also be delivered at some other time. The content creator 102 might deliver content to content user 112 over the electronic highway 108, or could make the content availab:le to anyone on the highway. Content may be used at the time it is delivered, or it may be stored for later use or reuse.

'rhe virtual distribution environment 100 also allows payment and reporting means to be delivered separately. For example, the content user 112 may have a virtual "credit card"
that extends credit (up to a certain limit) to pay for usage of any content. A "credit transaction" can take place at the user's site without requiring any "online" connection or further authorization. This invention can be used to help securely protect the virtual "credit card" against unauthorized use.

P,ules and Contents" Define Processes Figure 3 shows an example of an overall process based on "rules and controls." It includes an "events" process 402, a meter process 404, a billing process 406, and a budget process 408. Not all of the processes shown in Figure 3 will be used for every set of =

"rules and controls."

The "events process" 402 detects things that happen ("events") and determines which of those "events" need action by the other "processes." The "events" may include, for example, a request to use content or generate a usage permission. Some events may need additional processing, and others may not.

Whether an "event" needs more processing depends on the "rules and controls" corresponding to the content. For example, a user who lacks permission will not have her request satisfied ("No Go"). As another example, each user request to turn to a new page of an electronic book may be satisfied ("Go"), but it may not be necessary to meter, bill or budget those requests. A user who has purchased a copy of a novel may be permitted to open and read the novel as many times as she wants to without any further metering, billing or budgeting. In this simple example, the "event process" 402 may request metering, billing and/or budgeting processes the first time the user asks to open the protected novel (so the purchase price can be charged to the user), and treat all later requests to open the same novel as "insignificant evenits." Other content (for example, searching an electronic telephone directory) may require the user to pay a fee for each access.

"Meter" process 404 keeps track of events, and may report usage to distributor 106 and/or other appropriate VDE
participant(s). Figiare 4 shows that process 404 can be based on a number of different; factors such as:

(a) type of usage to charge for, (b) what kind of unit to base charges on, (c) how mucli to charge per unit, (d) when to report, and (e) how to pay.

These factors may be specified by the "rules and controls" that control the meter process.

Billing process 406 determines how much to charge for events. It records and reports payment information.

Budget process 408 limits how much content usage is permitted. For example, budget process 408 may limit the number of times coiitent may be accessed or copied, or it may limit the number of pages or other amount of content that can be used based on, for example, the number of dollars available in a credit account. Budget process 408 records and reports financial and other transaction information associated with such limits.

Content may be supplied to the user once these processes have been successfully performed.

Containers and Objects"

Figure 5A shows how the virtual distribution environment 100, in a preferred embodiment, may package information elements (content) into a"container" 302 so the information can't be accessed except as provided by its "rules and controls."
Normally, the container 302 is electronic rather than physical.

Electronic container 302 in one example comprises "digitaP' information having a well defined structure. Container 302 and its contents can be called an "object 300."

The Figure 5A example shows items "within" and enclosed by container 302. However, container 302 may "contain" items without those items actually being stored within the container.
For example, the container 302 may reference items that are available elsewhere such as in other containers at remote sites.
Container 302 may reference items available at different times or only during limated times. Some items may be too large to store withiin container 302. Items may, for example, be delivered to the user inL the form of a "live feed ' of video at a certain time. Even then, the container 302 "contains" the live feed (by reference) in this example.

Container 302 may contain information content 304 in electronic (such as "'digital") form. Information content 304 could be the text of a novel, a picture, sound such as a musical performance or a reading, a movie or other video, computer software, or just about any other kind of electronic information you can think of. Other types of "objects" 300 (such as "administrative objects") may contain "administrative" or other information instead. of or in addition to information content 304.
In the Figure 5A example, container 302 may also contain "rules and controls" in the form of:

(a) a "permissions record" 808;
(b) ` ts" 308; and (c) "other xne.thods" 1000.

Figure 5B gives some additional detail about permi.ssions record 808, budgets 308 and other methods 1000. The "permissions record" 808 specifies the rights associated with the object 300 such as, for example, who can open the container 302, who can use the object's contents, who can distribute the object, and what other control mechanisms must be active. For example, permissions record 808 may specify a user's rights to use, distribute and/or administer the container 302 and its content.
Permissions record 808 may also specify requirements to be applied by the budgets 308 and "other methods" 1000.
Permissions record 808 may also contain security related information such as scrambling and descrambling "keys."

"Budgets" 308 shown in Figure 5B are a special type of "method" 1000 that may specify, among other things, limitations on usage of information content 304, and how usage will be paid for. Budgets 308 can specify, for example, how much of the total information content 304 can be used and/or copied. The methods 310 may prevent use of more than the amount specified by a specific budget.

WO 96127155 PCTlUS96102303 "Other methods" 1000 define basic operations used by "rules and controls." Such "methods" 1000 may include, for examp]Le, how usage is to be "metered," if and how content 304 and other information is to be scrambled and descrambled, and other processes associated with handling and controlli.ng information content 304. For example, methods 1000 may record the identity of anyone who opens the electronic container 302, and can also control, how information content is to be charged based on "metering." Methods 1000 may apply to one or several different information contents 304 and associated containers 302, as well as to all or specific portions of information content 304.
Secure Processing Unit (SPU) The "VDE participants" may each have an "electronic ag .pli.ance." The appliance may be or contain a computer. The appliances may communicate over the electronic highway 108.
Figure 6 shows a secure processing unit ("SPU") 500 portion of the "electronic appliance" used in this example by each VDE
participant. SPU 500 processes information in a secure processing environment 503, and stores important information securely. SPU 500 inay be emulated by software operating in a host electronic appliance.

SPU 500 is enclosed within and protected by a"ta=er resistant security barrier" 502. Security barrier 502 separates the secure environment 503 from the rest of the world. It prevents information and processes within the secure environment 503 from being observed, interfered with and leaving except under appropriate secure conditions. Barrier 502 also controls external access to secure resources, processes and information within SPU 500. In one example, tamper resistant security barrier 502 is formed by security features such as "encryption," and hardware that detects tampering and/or destroys sensitive information within secure environment 503 when tampering is detected.

SPU 500 in this example is an integrated circuit ("IC") "chip" 504 including "hardware" 506 and "T=ware" 508. SPU
500 connects to the rest of the electronic appliance through an "appliance l.ink" 510. SPU "firmware" 508 in this example is "software" such as a "computer program(s)" "embedded" within chip 504. Firmware 508 makes the hardware 506 work.

Hardware 506 preferably contains a processor to perform instructions specified by firmware 508. "Hardware" 506 also contains long-term and short-term memories to store information securely so it can't be tampered with. SPU 500 may also have a protected clock/calenLdar used for timing events. The SPU

hardware 506 in this example may include special purpose electronic circuits that are specially designed to perform certain processes (such as "encryption" and "decryption") rapidly and efficiently.

The particular context in which SPU 500 is being used will determine how much processing capabilities SPU 500 should have. SPU hardware 506, in this example, provides at least enough processing capabilities to support the secure parts of processes shown in Figure 3. In some contexts, the functions of SPU 500 may be increased so the SPU can perform all the electronic appliance processing, and can be incorporated into a general purpose processor. In other contexts, SPU 500 may work alongside a general purpose processor, and therefore only needs to have enough processing capabilities to handle secure processes.

VDE Electronic Appliance and Rights Operating System"

Figure 7 shows an example of an electronic appliance 600 -including SPU 500. Electronic appliance 600 may be practically any kind of electrical or electronic device, such as:

C a computer C a T.V. "set top" control box C a pager C a telephone C a sound system C a video reproduction system C a video game player C a "smart" credit card Electronic appliance 600 in this example may include a keyboard or keypad 612, a voice recognizer 613, and a display 614. A
human user can input commands through keyboard 612 and/or voice recognizer 613, and may view information on display 614.
Appliance 600 may communicate with the outside world through any of the connections/devices normally used within an electronic appliance. The connections/devices shown along the bottom of the drawing are examples:

a"modem" 618 or other telecommunications link;

a CD ROM disk 620 or other storage medium or device;
a printer 622;

broadcast reception 624;

a document scanner 626; and a "cable" 628 connecting the appliance with a "network."
Virtual distribution environment 100 provides a"rigl,tc operatimg svstem" 602 that manages appliance 600 and SPU 500 by controlling their hardware resources. The operating system 602 may also support at least one "application" 608. Generally, "application" 608 is hardware and/or software specific to the context of appliance 600. For example, if appliance 600 is a personal computer, then "application" 608 could be a program loaded by the user, for instance, a word processor, a communications system or a sound recorder. If appliance 600 is a television controller box, then application 608 might be hardware or software that allows a user to order videos on demand and perform other functions such as fast forward and rewind. In this example, operating system 602 provides a standardized, well defined, generalized "interface" that could support and work with many different; "applications" 608.

Operating system 602 in this example provides "rights and au iting operating system functions" 604 and "other operati_ng system fizxictions" 606. The "rights and auditing operating system functions" 604 securely handle tasks that relate to virtual distribution environment 100. SPU 500 provides or supports many of the security functions of the "rights and auditing operating system functions" 402. The "other operating system functions" 606 handle general appliance functions. Overall operating system 602 may be designed from the beginning to include the "rights and auditing operating system functions" 604 plus the "other operating system functions" 606, or the "rights and auditing operating system functions" may be an add-on to a preexisting operating system providing the "other operating system functions."

"Rights operating system" 602 in this example can work with many different types of appliances 600. For example, it can work with large mainframe computers, "minicomputers" and "microcomputers" such as personal computers and portable computing devices. It can also work in control boxes on the top of television sets, small portable "pagers," desktop radios, stereo sound systems, telephones, telephone switches, or any other _ _ WO 96%17155 PCTJUS96102303 electronic appliance. This ability to work on big appliances as well as little appliances is called "scalable." A "scalable"
operating system 602 means that there can be a standardized interface across many different appliances performing a wide variety of tasks.

'I'he "rights operating system functions" 604 are "services-d" in this example. For example, "rights operating system functions" 604 handle summary requests from application 608 rather than requirijag the application to always make more detailed "subrequests" or otherwise get involved with the underlying complexities involved in satisfying a summary request. For example, application 608 may simply ask to read specified information; "rights operating system functions" 604 can then decide whether the desired information is VDE-protected content and, if it is, perform processes needed to make the information available. This feature is called "transparency."
"Transparency" makes taslc.s easy for the application 608.
"Rights operating system functions" 604 can support applications 608 that "know" nothing about virtual distribution environment 100. Applications 608 that are "aware" of virtual distribution environment 100 may be able to make more detailed use of virtual distribution environment 100.

In this example, "rights operating system functions" 604 are "event driven". Rather than repeatedly exAmining the state of electronic appliance 600 to determine whether a condition has arisen, the "rights operating system functions" 604 may respond directly to "events" or "happenings" within appliance 600.

In this example, some of the services performed by "rights operating system functions" 604 may be extended based on additional "components" delivered to operating system 602.
"Rights operating system functions" 604 can collect together and use "components" sent by different participants at different times. The "components" help to make the operating system 602 "scalable." Some components can change how services work on little appliances versus how they work on big appliances (e.g., multi-user). Other components are designed to work with specific applications or classes of applications (e.g., some types of meters and some types of budgets).

Electronic Appliance 600 w0 96127155 PCT/US96102303 An electronic appliance 600 provided by the preferred embodiment may, for example, be any electronic apparatus that contains one or more microprocessors and/or microcontrollers and/or other devices which perform logical and/or mathematical calculations. This naay include computers; computer terminals;
device controllers for use with computers; peripheral devices for use with computers; digital display devices; televisions; video and audio/video projection systems; channel selectors and/or decoders for use with broadcast and/or cable transmissions; remote control devices; video and/or audio recorders; media players including compact disc players, videodisc players and tape players; audio and/or video amplifiiers; virtual reality machines; electronic game players; multimedia players; radios; telephones; videophones;
facsimiile machines; robots; numerically controlled machines including machine tools and the like; and other devices containi.ng one or more microcomputers and/or microcontrollers and/or other CPUs, including those not yet in exi.stence.

Figure 8 shows an example of an electronic appliance 600.
This example of electronic appliance 600 includes a system bus 653. In this example, one or more conventional general purpose central processing units ("CPUs") 654 are connected to bus 653.

___ WO 96/27155 PC'T/US96/02303 Bus 653 connects CPU(s) 654 to RAM 656, ROM 658, and I/O

controller 660. One or more SPUs 500 may also be connected to =
system bus 653. System bus 653 may permit SPU(s) 500 to communicate with CPU(s) 654, and also may allow both the CPU(s) and the SPU(s) to communicate (e.g., over shared address and data lines) with RAM 656, ROM 658 and UO controller 660.
A power supply 659 may provide power to SPU 500, CPU 654 and the other system components shown.

In the example shown, UO controller 660 is connected to secondary storage device 652, a keyboard/display 612,614, a communications controller 666, and a backup storage device 668.
Backup storage device 668 may, for example, store information on mass media such as a tape 670, a floppy disk, a removable memory card, etc. Communications controller 666 may allow electronic appliance 600 to communicate with other electronic appliances via network 672 or other telecommunications links.
Different electronic appliances 600 may interoperate even if they use different CPUs and different instances of ROS 602, so long as they typically use compatible communication protocols and/or security methods. In this example, UO controller 660 permits CPU 654 and SPU 500 to read from and write to secondary storage 662, keyboard/display 612, 614, communications controller 666, and backup storage device 668.

Secondary storage 662 may comprise the same one or more non-secure secondary storage devices (such as a magnetic disk and a CD-ROM[ drive as one example) that electronic appliance 600 uses for general secondary storage functions. In some implementations, part or all of secondary storage 652 may comprise a secondary storage device(s) that is physically enclosed within a secure enclosure. However, since it may not be practical or cost-effective to physically secure secondary storage 652 in many implementations, secondary storage 652 may be used to store information in a secure manner by encrypting information before storing it in secondary storage 652. If information is encrypted before it is stored, physical access to secondary storage 652 or its contents dloes not readily reveal or compromise the information.

Secondary storage 652 in this example stores code and data used by CPU 654 and/or SPU 500 to control the overall operation of electronic appliance 600. For example, Figure 8 shows that "Rights Operating System" ("ROS") 602 (including a portion 604 of ROS that provides VDE functions and a portion 606 that provides other OS functions) shown in Figure 7 may be =
stored on secondary storage 652. Secondary storage 652 may also store one or more VDE objects 300. Figure 8 also shows that the secure files 610 shown in Figure 7 may be stored on secondary storage 652 in the form of a "secure database" or management file system 610. This secure database 610 may store and organize information used by ROS 602 to perform VDE
functions 604. Thus, the code that is executed to perform VDE

and other OS functions 604, 606, and secure files 610 (as well as VDE objects 300) associated with those functions may be stored in secondary storage 652. Secondary storage 652 may also store "other information" 673 such as, for example, information used by other operating system functions 606 for task management, non-VDE files, etc. Portions of the elements indicated in secondary storage 652 may also be stored in ROM 658, so long as those elements do not require changes (except when ROM 658 is replaced). Portions of ROS 602 in particular may desirably be included in ROM 658 (e.g., "bootstrap" routines, POST routines, etc. for use in establishing an operating environment for electronic appliance 600 when power is applied).

Figure 8 shows that secondary storage 652 may also be used to store code ("application programs") providing user application(s) 608 shown in Figure 7. Figure 8 shows that there may be two general types of application programs 608: "VDE

aware" applications 608a, and Non-VDE aware applications 608b. VDE aware applications 608a may have been at least in part designed specifically with VDE 100 in mind to access and take detailed advantage of VDE functions 604. Because of the "transparency" features of ROS 602, non-VDE aware applications 608b (e.g., applications not specifically designed for VDE 100) can also access and take advantage of VDE functions 604.

Each VDE node or other electronic appliance 600 in the preferred embodiment may include one or more SPUs 500. SPUs 500 may be used to perform all secure processing for VDE 100.
For example, SPU 500 is used for decrypting (or otherwise unsecui-ing) VDE protected objects 300. It is also used for managing encrypted. and/or otherwise secured communication ti (such as by employing authentication and/or error-correction validation of information). SPU 500 may also perform secure data management processes including governing usage of, auditing of, and where appropriate, payment for VDE objects 300 (through the use of prepayments, credits, real-time electronic =
debits from bank accounts and/or VDE node currency token deposit accounts). SPU 500 may perform other transactions related to such VDE objects 300.

SPU Physical Packaging and Security Barrier 502 As shown Figure 6, in the preferred embodiment, an SPU
500 may be implemented as a single integrated circuit "chip" 505 to provide a secure processing environment in which confidential and/or commercially valuable information can be safely processed, encrypted and/or decrypted. IC chip 505 may, for example, comprise a small semiconductor "die" about the size of a thumbnail. This semiconductor die may include semiconductor and metal conductive pathways. These pathways define the circuitry, and thus the functionality, of SPU 500. Some of these pathways are electrically connected to the external "pins" 504 of the chip 505.

As shown in Figures 6 and 9, SPU 500 may be surrounded by a tamper-resistant hardware security barrier 502. Part of this security barrier 502 is formed by a plastic or other package in WO 96(27155 PCT/US96102303 which an SPU "die" is encased. Because the processing occurring within, and informati.on stored by, SPU 500 are not easily accessible to the outside world, they are relatively secure from unauthorized access and tampering. All signals cross barrier 502 through a secure, controlled path provided by BIU 530 that restricts the outside world's access to the internal components within SPU 500. This secure, controlled path resists attempts from the outside woi-ld to access secret information and resources within SPU 500.

It is possible to remove the plastic package of an IC chip and gain access to the "die." It is also possible to analyze and "reverse engineer" the "die" itself (e.g., using various types of logic analyzers and inicroprobes to collect and analyze signals on the die while the circuitry is operating, using acid etching or other techniques to remove semiconductor layers to expose other layers, viewing and photographing the die using an electron microscope, etc.) Although no system or circuit is absolutely impervious to such attacks, SPU barrier 502 may include additional hardware protections that make successful attacks exceedingly costly and time conslim;ng. For example, ion implantation and/or other fabrication techniques may be used to _.

make it very difficult to visually discern SPU die conductive pathways, and SPU internal circuitry may be fabricated in such a way that it "self-destructs" when exposed to air and/or light. SPU
500 may store secret information in internal memory that loses its contents when power is lost. Circuitry may be incorporated within SPU 500 that detects microprobing or other tampering, and self-destructs (or destroys other parts of the SPU) when tampering is detected. These and other hardware-based physical security techniques contribute to tamper-resistant hardware security barrier 502.

To increase the security of security barrier 502 even further, it is possible to encase or include SPU 500 in one or more further physical enclosures such as, for example: epoxy or other "potting compound"; further module enclosures including additional self-destruct, self-disabling or other features activated when tampering is detected; further modules providing additional security protections such as requiring password or other authentication to operate; and the like. In addition, further layers of metal may be added to the die to complicate acid etching, micro probing, and the like; circuitry designed to "zeroize" memory may be included as an aspect of self-destruct _ _--processes; the plastic package itself may be designed to resist chemical as well as physical "attacks"; and memories internal to SPU 500 may have specialized addressing and refresh circuitry that "shuffles" the location of bits to complicate efforts to electrically determine the value of memory locations. These and other techniques may contribute to the security of barrier 502.
In some electronic appliances 600, SPU 500 may be integrated together with the device microcontroller or equivalent or with a device I/O or communications microcontroller into a common chip (or chip set) 505. For example, in one preferred embodiment, SPU 500 may be integrated together with one or more other CPU(s) (e.g., a CPU 654 of an electronic appliance) in a single component or package. The other CPU(s) 654 may be any centrally controlling logic arrangement, such as for example, a microprocessor, other microcontroller, and/or array or other parallel processor. "['his integrated configuration may result in lower overall cost, sinaller overall size, and potentially faster interaction between an SPU 500 and a CPU 654. Integration may also provide wider distribution if an integrated SPU/CPU
component is a standard feature of a widely distributed microprocessor line. Merging an SPU 500 into a main CPU 654 WO 96/27155 PCI'/US96/02303 of an electronic appliance 600 (or into another appliance or appliance peripheral microcomputer or other microcontroller) may substantially reduce the overhead cost of implementing VDE
100. Integration considerations may include cost of implementation, cost of manufacture, desired degree of security, and value of compactness.

SPU 500 may also be integrated with devices other than CPUs. For example, for video and multimedia applications, some performance and/or security advantages (depending on overall design) could result from integrating an SPU 500 into a video controller chip or chipset. SPU 500 can also be integrated directly into a network communications chip or chipset or the like. Certain performance advantages in high speed communications applications may also result from integrating an SPU 500 with a modem chip or chipset. This may facilitate incorporation of an SPU 500 into communication appliances such as stand-alone fax machines. SPU 500 may also be integrated into other peripheral devices, such as CD-ROM devices, set-top cable devices, game devices, and a wide variety of other electronic appliances that use, allow access to, perform transactions related to, or consume, distributed information.

SPU 500 Internal A rchitecture Figure 9 is a detailed diagram of the internal structure within an example of SPU 500. SPU 500 in this example includes a single microprocessor 520 and a limited amount of memory configured as ROM 532 and RAM 534. In more detail, this example of SPU 500 includes microprocessor 520, an encrypt/decrypt engine 522, a DMA controller 526, a real-time clock 528, a bus interface unit ("BIU") 530, a read only memory (ROM) 532, a random access memory (RAM) 534, and a memory management unit ("M1VIU") 540. DMA controller 526 and MMU
540 are optional, but the performance of SPU 500 may suffer if they are not present. SPU 500 may also include an optional pattern matching engine 524, an optional random number generator 542, an optional arithmetic accelerator circuit 544, and optional compression/decompression circuit 546. A shared address/data bus arrangement 536 may transfer information between these various components under control of microprocessor 520 and/or DMA controller 526. Additional or alternate dedicated paths 538 may connect microprocessor 520 to the other componen.ts (e.g., encrypt/decrypt engine 522 via line 538a, real-time clock 528 via line 538b, bus interface unit 530 via line 538c, DMA controller via line 538d, and memory management unit (1VMJ) 540 via line 538e).

The following section discusses each of these SPU
components in more detail.

Microprocessor 520 Microprocessor 520 is the "brain" of SPU 500. In this example, it executes a sequence of steps specified by code stored (at least temporarily) within ROM 532 and/or RAM 534.

Microprocessor 520 in the preferred embodiment comprises a dedicated central processing arrangement (e.g., a RISC and/or CISC processor unit, a microcontroller, and/or other central processing means or, less desirably in most applications, process specific dedicated control logic) for executing instructions stored in the ROM 532 and/or other memory. Microprocessor 520 may be separate elements of a circuitry layout, or may be separate packages within a secure SPU 500.

In the preferred embodiment, microprocessor 520 normally handles the most security sensitive aspects of the operation of electronic appliance 600. For example, microprocessor 520 may WO 96/27155 PCTlUS96102303 manage VDE decrypting, encrypting, certain content and/or applianLce usage control information, keeping track of usage of VDE secured content, and other VDE usage control related functioins.

Stored in each SPU 500 and/or electronic appliance secondary memory 652 may be, for example, an instance of ROS
602 software, application programs 608, objects 300 containing VDE controlled property content and related information, and management database 610 that stores both information associated with objects and VDE control information. ROS 602 includes software intended for execution by SPU microprocessor 520 for, in part, cont;rolling usage of VDE related objects 300 by electronic appliance 600. As will be explained, these SPU

programs include "load modules" for perfor.ming basic control functioia.s. These various programs and associated data are executed and manipulated primarily by microprocessor 520.

Real Time Clcick (RTC) 528 In the preferred embodiment, SPU 500 includes a real time clock circuit ("RTC") 528 that serves as a reliable, tamper resistant time base for the SPU. RTC 528 keeps track of time of day and date (e.g., month, day and year) in the preferred embodiment, and thus may comprise a combination calendar and clock. A reliable time base is important for implementing time based usage metering methods, "time aged decryption keys," and other time based SPU functions.

The RTC 528 must receive power in order to operate.
Optimally, the RTC 528 power source could comprise a small battery located within SPU 500 or other secure enclosure.

However, the RTC 528 may employ a power source such as an externally located battery that is external to the SPU 500. Such an externally located battery may provide relatively uninterrupted power to RTC 528, and may also maintain as non-volatile at least a portion of the otherwise volatile RAM 534 within SPU 500.

In one implementation, electronic appliance power supply 659 is also used to power SPU 500. Using any external power supply as the only power source for RTC 528 may significantly reduce the usefulness of time based security techniques unless, at minimuIn, SPU 500 recognizes any interruption (or any material interruption) of the supply of external power, records such interruption, and responds as may be appropriate such as disabling the ability of the SPU 500 to perform certain or all VDE
processes. Recognizing a power interruption may, for example, be accomplished by employing a circuit which is activated by power failure. The power failure sensing circuit may power another circuit that includes associated logic for recording one or more power fail events. Capacitor discharge circuitry may provide the necessary temporary power to operate this logic. In addition or alternatively, SPU 500 may from time to time compare an output of RTC 528 to a clock output of a host electronic appliance 600, if available. In the event a discrepancy is detected, SPU 500 may respond as appropriate, including recording the discrepancy and/or disabling at least some portion of processes performed by SPU 500 under at least some circumstances.

If a power failure and/or RTC 528 discrepancy and/or other event indicates the possibility of tampering, SPU 500 may automatically destroy, or render inaccessible without privileged intervention, one or more portions of sensitive information it stores, such as execution related information and/or encryption key related information. To provide further SPU operation, such destroyed information would have to be replaced by a VDE
clearinghouse, administrator and/or distributor, as may be appropriate. This may be achieved by remotely downloading update and/or replacement data and/or code. In the event of a disabling and/or destruction of processes and/or information as described above, the electronic appliance 600 may require a secure VDE communication with an administrator, clearinghouse, and/or distributor as appropriate in order to reinitialize the RTC 528. Some or all secure SPU 500 processes may not operate until then.

It may be desirable to provide a mechanism for setting and/or synchronizing RTC 528. In the preferred embodiment, when communication occurs between VDE electronic appliance 600 and another VDE appliance, an output of RTC 528 may be compared to a controlled RTC 528 output time under control of the party authorized to be "senior" and controlling. In the event of a discrepancy, appropriate action may be taken, including resetting the RTC 528 of the "junior" controlled participant in the communication.

SPU Encrypt/Decrypt Engine 522 In the preferred embodiment, SPU encrypt/decrypt engine 522 provides special purpose hardware (e.g., a hardware state machine) for rapidly and efficiently encrypting and/or decrypting data. La some implementations, the encrypt/decrypt functions may be performed instead by microprocessor 520 under software control, but providing special purpose encrypt/decrypt hardware engine 522 will, in general, provide increased performance.
1VTi.croprocessor 520 inay, if desired, comprise a combination of processor circuitry and dedicated encryption/decryption logic that may be integrated together in the same circuitry layout so as to, for example, optimally share one or more circuit elements.
Generally, it is preferable that a computationally efficient but higbly secure "bulk" encryption/decryption technique should be used to protect most of the data and objects handled by SPU
500. It is preferable that an extremely secure encryption/decryption technique be used as an aspect of authenticating the identity of electronic appliances 600 that are establishing a communication channel and securing any transferred permission, method, and administrative information.
In the preferred embodiment, the encrypt/decrypt engine 522 includes both a symrnetric key encryption/decryption circuit (e.g.

DES, Skipjack/Clipper, IDEA, RC-2, RC-4, etc.) and an antisymmetric (asymmetric) or Public Key ("PK") encryption/decryption circuit. The public/private key encryption/decryption circuit is used principally as an aspect of secure communications between an SPU 500 and VDE
administrators, or other electronic appliances 600, that is between VDE secure subsystems. A symmetric encryption/decryption circuit may be used for "bulk" encrypting and decrypting most data stored in secondary storage 662 of electronic appliance 600 in which SPU 500 resides. The symmetric key encryption/decryption circuit may also be used for encrypting and decrypting content stored within VDE objects 300.

DES or public/private key methods may be used for all encryption functions. In alternate embodiments, encryption and decryption methods other than the DES and public/private key methods could be used for the various encryption related functions. For instance, other types of symmetric encryption/decryption techniques in which the same key is used for encryption and decryption could be used in place of DES encryption and decryption. The preferred embodiment can WO 96127155 PCTlUS96102303 support a plurality of decryption/encryption techniques using multiple dedicated ciircuits within encrypt/decrypt engine 522 and/or the processing arrangement within SPU 500.
Pattern Matc}aing Engine 524 Optional pattern matching engine 524 may provide special purpose hardware for performing pattern matching functions.
One of the functions SPU 500 may perform is to validate/authenticatie VDE objects 300 and other items.

Validatiion/authentication often involves comparing long data strings to determine whether they compare in a predetermined way. In. addition, certain forms of usage (such as logical and/or physical (contiguous) relatedness of accessed elements) may require searching potentially long strings of data for certain bit patterns or other significant pattern related metrics. Although pattern matching can be performed by SPU microprocessor 520 under software control, providing special purpose hardware pattern matching engine 524 may speed up the pattern matching process.

Compression/Decompression Engine 546 An optional compression/decompression engine 546 may be provided within an SPU 500 to, for example, compress and/or decompress content stored in, or released from, VDE objects 300.
Compression/decompression engine 546 may implement one or more compression algorithms using hardware circuitry to improve the performance of compression/decompression operations that would otherwise be performed by software operating on microprocessor 520, or outside SPU 500.
Decompression is important in the release of data such as video and audio that is usually compressed before distribution and whose decompression speed is important. In some cases, i_nformation that is useful for usage monitoring purposes (such as record separators or other del.i.miters) is "hidden" under a compression layer that must be removed before this information can be detected and used inside SPU 500.
Random Number Generator 542 Optional random number generator 542 may provide specialized hardware circuitry for generating random values (e.g., from inherently unpredictable physical processes such as quantum noise). Such random values are particularly useful for constructing encryption keys or unique identifiers, and for WO 96/27155 PCTfUS96102303 { initiali.2:ing the generation of pseudo-random sequences. Random number generator 542 may produce values of any convenient length, including as small as a single bit per use. A random number of arbitrary size may be constructed by concatenating values produced by i-andom number generator 542. A

cryptographically stirong pseudo-random sequence may be generated from a random key and seed generated with random number generator 542 and repeated encryption either with the encrypt/decrypt engine 522 or cryptographic algorithms in SPU
500. Such sequences may be used, for example, in private headers to frustrate efforts to determine an encryption key through cryptoanalysis.

Aaithmetic A.ccelerator 544 An optional arithmetic accelerator 544 may be provided within an SPU 500 in the form of hardware circuitry that can rapidly perform mathematical calculations such as multiplication and exponentiation involving large numbers. These calculations can, for example, be requested by microprocessor 520 or encrypt/decrypt engine 522, to assist in the computations required for certain asymmetric encryption/decryption operations. Such arithmetic accelerators are well-known to those skilled in the art. In some implementations, a separate arithmetic accelerator 544 may be omitted and any necessary calculations may be performed by microprocessor 520 under software control.

DMA Controller 526 DMA controller 526 controls information transfers over address/data bus 536 without requiring microprocessor 520 to process each individual data tran.sfer. Typically, microprocessor 520 may write to DMA controller 526 target and destination addresses and the number of bytes to transfer, and DMA
controller 526 may then automatically transfer a block of data between components of SPU 500 (e.g., from ROM 532 to RAM
534, between encrypt/decrypt engine 522 and RAM 534, between bus interface unit 530 and RAM 534, etc.). DMA controller 526 may have multiple channels to handle multiple transfers simultaneously. In some implementations, a separate DMA
controller 526 may be omitted, and any necessary data movements may be performed by microprocessor 520 under software control.

Bus Interface Unit (BIU) 530 WO 96127155 PCTlUS96102303 Bus interface unit (BIU) 530 communicates information between SPU 500 and the outside world across the security barrier 502. BIU 530 shown in Figure 9 plus appropriate driver software may comprise the "appliance link" 510 shown in Figure 6. Bus interface unit 530 may be modelled after a USART or PCI

bus interface in the preferred embodiment. In this example, BIU
530 connects SPU 500 to electronic appliance system bus 653 shown in Figure S. 13IU 530 is designed to prevent unauthorized access to internal components within SPU 500 and their contents. It does this by only allowing signals associated with an SPU 500 to be processed by control programs running on microprocessor 520 and not supporting direct access to the internal elements of an SPU 500.

Memory Nganageme3zt Unit 540 Memory Management Unit (MMU) 540, if present, provides hardware support for memory management and virtual memory management functions. It may also provide heightened security by enforcing hardware compartmentalization of the secure execution space (e.g., to prevent a less trusted task from modifying a more trusted task). More details are provided below in connection with a discussion of the architecture of a Secure Processing Environment ("SPE") 503 supported by SPU 500.

MMU 540 may also provide hardware-level support functions related to memory management such as, for example, address mapping.

SPU Memory Architecture In the preferred embodiment, SPU 500 uses three general kinds of memory:

(1) i.n.ternal ROM 532;

(2) internal RAM 534; and (3) external memory (typically RAM and/or disk supplied by a host electronic appliance).

The internal ROM 532 and RAM 534 within SPU 500 provide a secure operating environment and execution space.
Because of cost limitations, chip fabrication size, complexity and other limitations, it may not be possible to provide sufficient memory within SPU 500 to store all information that an SPU
needs to process in a secure manner. Due to the practical limits on the amount of ROM 532 and RAM 534 that may be included WO 96/27155 PCT(US96102303 within SPU 500, SPU 500 may store information in memory external to it, and m.ove this information into and out of its secure internal mem.ory space on an as needed basis. In these cases, secure processing steps performed by an SPU typically must be segmented into smaIl, securely packaged elements that may be "paged in" and "paged out" of the limited available internal memory space. Memory external to an SPU 500 may not be secuxe. Since the external memory may not be secure, SPU
500 may encrypt and cryptographically seal code and other information before storing it in external memory. Similarly, SPU
500 must typically decrypt code and other information obtained from external memory in encrypted form before processing (e.g., executing) based on it. In the preferred embodiment, there are two general approaches used to address potential memory limitations in a SPU 500. In the first case, the small, securely packaged elements irepresent information contained in secure database 610. In the second case, such elements may represent protected (e.g., encrypted) virtual memory pages. Although virtual memory pages may correspond to information elements stored in secure database 610, this is not required in this example of a SPU memory architecture.

The following is a more detailed discussion of each of these three SPU memory resources.

SPU Internal ROM

SPU 500 read only memory (ROM) 532 or comparable purpose device provides secure internal non-volatile storage for certain programs and other information. For example, ROM 532 may store "kernel" programs such as SPU control firmware 508 and, if desired, encryption key information and certain fundamental "load modules." The "kernel" programs, load module information, and encryption key information enable the control of certain basic functions of the SPU 500. Those components that are at least in part dependent on device configuration (e.g., POST, memory allocation, and a dispatcher) may be loaded in ROM 532 along with additional load modules that have been determined to be required for specific installations or applications.

In the preferred embodiment, ROM 532 may comprise a combination of a masked ROM 532a and an EEPROM and/or equivalent "flash" memory 532b. EEPROM or flash memory 532b is used to store items that need to be updated and/or WO 96/27155 PCTlUS96102303 initialr.zed, such as for example, certain encryption keys. An additional benefit of providing EEPROM and/or flash memory 532b is the ability to optiYnize any load modules and library functions persisterrtly stored within SPU 500 based on typical usage at a specific site. Although these items could also be stored in NVRAM 534b, EEPROM and/or flash memory 532b may be more cost effective.

Masked ROM 532a may cost less than flash and/or EEPROM 532b, and can be used to store permanent portions of SPU software/firmNvare. Such permanent portions may include, for example, code that interfaces to hardware elements such as the RTC 528, encryption/decryption engine 522, interrupt handlers, key generators, etc. Some of the operating system, library caIls, libraries, and many of the core services provided by SPU 500 may also be in masked ROM 532a. In addition, some of the more commonly used executables are also good candidates for inclusion in masked ROM 532a. Items that need to be updated or that need to disappear when power is removed from SPU 500 should not be stored in masked ROM 532a.
r Under some circumstances, RAM 534a and/or NVRAM

534b (NVR.AM 534b may, for example, be constantly powered conventional RAM) may perform at least part of the role of ROM
532.

SPU Internal RAM

SPU 500 general purpose RAM 534 provides, among other things, secure execution space for secure processes. In the preferred embodiment, RAM 534 is comprised of different types of RAM such as a combination of high-speed RAM 534a and an NVRAM ("non-volatile RAM") 534b. RAM 534a may be volatile, while NVRAM 534b is preferably battery backed or otherwise arranged so as to be non-volatile (i.e., it does not lose its contents when power is turned off).

High-speed RAM 534a stores active code to be executed and associated data structures.

NVR.AM 534b preferably contains certain keys and summary values that are preloaded as part of an initialization process in which SPU 500 communicates with a VDE administrator, and may also store changeable or changing WO 96/27155 PCTlUS96102303 information associated with the operation of SPU 500. For security reasons, ceirtaiin highly sensitive information (e.g., certain load modules and certain encryption key related information such as internally generated private keys) needs to be loaded into or generated internally by SPU 500 from time to time but, once loaded or generated internally, should never leave the SPU. In this preferred embodiment, the SPU 500 non-volatale randomL access memory (NVRAM) 534b may be used for securely storing such highly sensitive information. NVRAM

534b is also used by SPU 500 to store data that may change frequently but which preferably should not be lost in a power down or power fail mode.

NVRAM 534b is preferably a flash memory array, but may in addition or alternatively be electrically erasable programmable read only memory (EEPR M), static RAM (SRAM), bubble memory, three dimensional holographic or other electro-optical memory, or the like, or any other writable (e.g., randomly accessilble) non-vola:tile memory of sufficient speed and cost-effectiveness.
SPU EsternaIl Memory The SPU 500 can store certain information on memory devices external to the SPU. If available, electronic appliance 600 memory can also be used to support any device external portions of SPU 500 software. Certain advantages may be gained by allowing the SPU 500 to use external memory. As one example, memory internal to SPU 500 may be reduced in size by using non-volatile read/write memory in the host electronic appliance 600 such as a non-volatile portion of RAM 656 and/or ROM 658.

Such external memory may be used to store SPU
programs, data and/or other information. For example, a VDE
control program may be, at least in part, loaded into the memory and communicated to and decrypted within SPU 500 prior to execution. Such control programs may be re-encrypted and communicated back to external memory where they may be stored for later execution by SPU 500. "Kernel" programs and/or some or all of the non-kernel "load modules" may be stored by SPU 500 in memory external to it. Since a secure database 610 may be relatively large, SPU 500 can store some or all of secure database 610 in external memory and call portions into the SPU
500 as needed.

WO 96/27155 PCT(US96/02303 A.s mentioned above, memory external to SPU 500 may not be secure. Therefore, when security is required, SPU 500 must encrypt secure information before writing it to external memory, and decrypt secure iiaformation read from external memory before using it. Inasmuch as the encryption layer relies on secure processes and inforniation (e.g., encryption algorithms and keys) present within SPU 500, the encryption layer effectively "extends" the SPU security barrier 502 to protect information the SPU 500 stores in memory external to it.

SPU 500 can use a wide variety of different types of external memory. For example, external memory may comprise electronic appliance secondary storage 652 such as a disk;
external EEPROM or flash memory 658; and/or external RAM

656. External RAM 656 may comprise an external nonvolatile (e.g. constantly powered) RAM and/or cache RAM.

Using external RAM local to SPU 500 can significantly improve access times to information stored externally to an SPU.
For example, external RAM may be used:

C to buffer memory image pages and data structures prior to their storage in flash memory or on an external hard disk (assuming transfer to flash or hard disk can occur in significant power or system failure cases);

C provide encryption and decryption buffers for data being released from VDE objects 300.

C to cache "swap blocks" and VDE data structures currently in use as an aspect of providing a secure virtual memory environment for SPU 500.

C to cache other information in order to, for example, reduce frequency of access by an SPU to secondary storage 652 and/or for other reasons.

Dual ported external RAM can be particularly effective in improving SPU 500 performance, since it can decrease the data movement overhead of the SPU bus interface unit 530 and SPU
microprocessor 520.

Using external flash memory local to SPU 500 can be used to significantly improve access times to virtually all data structures. Since most available flash storage devices have limited write lifetimes, flash storage needs to take into account the number of writes that will occur during the lifetime of the flash memory. Hence, flash storage of frequently written temporary items is not recommended. If external RAM is non-WO 96/27155 PCT(US96102303 volatile, then transf'er to flash (or hard disk) may not be necessary.
External menaory used by SPU 500 may include two categoi-ies:

C external memory dedicated to SPU 500, and C memory shared with electronic appliance 600.
For some VD]E implementations, sharing memory (e.g., electronic appliance RAM 656, ROM 658 and/or secondary storage 652) with C:PU 654 or other elements of an electronic appliance 600 may be the most cost effective way to store VDE
secure database management files 610 and information that needs to be stored external to SPU 500. A host system hard disk secondary memory 652 used for general purpose file storage can, for example, also be used to store VDE management files 610.
SPU 500 may be given exclusive access to the external memory (e.g., over a local bus high speed connection provided by BIU
530). Both dedicated and shared external memory may be provided.
}

R'O 96/27155 PCT1US96/02303 The hardware configuration of an example of electronic appliance 600 has been described above. The following section describes an example of the software architecture of electronic appliance 600 provided by the preferred embodiment, including the structure and operation of preferred embodiment "Rights Operating System" ("ROS") 602.

Rights Operating System 602 Rights Operating System ("ROS") 602 in the preferred embodiment is a compact, secure, event-driven, services-based, "component" oriented, distributed multiprocessing operating system environment that integrates VDE information security control information, components and protocols with traditional operating system concepts. Like traditional operating systems, ROS 602 provided by the preferred embodiment is a piece of software that manages hardware resources of a computer system and extends management functions to input and/or output devices, including communications devices. Also like traditional operating systems, preferred embodiment ROS 602 provides a coherent set of basic functions and abstraction layers for hiding the differences between, and many of the detailed complexities of, particular hardware implementations. In addition to these WO 96/27155 PCT(US96102303 characteristics found in many or most operating systems, ROS

602 provides secure VDE transaction management and other advantageous features not found in other operating systems. The following is a non-exhaustive list of some of the advantageous features provided by ROS 602 in the preferred embodiment:
Standardized interface nrovides coherent set of basic functions C simplifies program_~;ng C the same application can run on many different platforms Event driven C eases functional decomposition C extendible C accommodates state transition and/or process oriented events C simplifies task management C simplifies inter-process communications Services based C allows simplified and transparent scalability C simplifies multiprocessor support C hides machine dependencies C eases network management and support Component Based Architecture }

C processing based on independently deliverable secure components C component model of processing control allows different sequential steps that are reconfigurable based on requirements C components can be added, deleted or modified (subject to permissioning) C full control information over pre-defined and user-defined application events C events can be individually controlled with independent executables h9ecure C secure communications C secure control functions C secure virtual memory management C information control structures protected from exposure C data elements are validated, correlated and access controlled C components are encrypted and validated independently C components are tightly correlated to prevent unauthorized use of elements WO 96/27155 PCTlUS96102303 C control structures and secured executables are validated prior to use to protect against tampering C integrates security considerations at the I/O level C provides on-the-fly decryption of i_nformation at release tim.e C enables a secure commercial transaction network C :Elexible key management features 59-dMbia C highly scalaeble across many different platforms C supports concurrent processing in a multiprocessor environment C supports multiple cooperating processors C any number of host or security processors can be supported C control structures and kernel are easily portable to various host platforms and to different processors within a target platform witliout recompilation C supports remote processing C Remote Procedure Calls may be used for internal OS
communications Higb,],,,~Integratablg C can be highly integrated with host platforms as an additional operating system layer }

C permits non-secure storage of secured components and information using an OS layer "on top of " traditional OS
platforms C can be seamlessly integrated with a host operating system to provide a common usage paradigm for transaction management and content access C integration may take many forms: operating system layers for desktops (e.g., DOS, Windows, Macintosh); device drivers and operating system interfaces for network services (e.g, Unix and Netware); and dedicated component drivers for "low end" set tops are a few of many examples C can be integrated in traditional and real time operating systems Distributed C provides distribution of control information and reciprocal control information and mechanisms C supports conditional execution of controlled processes within any VDE node in a distributed, asynchronous arrangement C controlled delegation of rights in a distributed environment C supports chains of handling and control C management environment for distributed, occasionally connected but otherwise asynchronous networked database C real time and time independent data management C supports "ageint" processes Transparent C can be seamlessly integrated into existing operating systems C can support applications not specifically written to use it Network friendlY

C iiaternal OS structures may use RPCs to distribute processing C subnets may seamlessly operate as a single node or independently General Background Regarding Operating Systems A-n "operating system" provides a control mechanism for organizing computer system resources that allows programmers to create applications for computer systems more easily. An operating system does this by providing commonly used functions, and by helping to ensure compatibility between different computer hardware and architectures (which may, for example, be manufactured by different vendors). Operating systems also enable computer "peripheral device" manufacturers to far more easily supply compatible equipment to computer -manufacturers and users. 5 Computer systems are usually made up of several different hardware components. These hardware components include, for example:

a central processing unit (CPU) for executing instructions;
an array of main memory cells (e.g., "RAM" or "ROM") for storing instructions for execution and data acted upon or parameterizing those instructions; and one or more secondary storage devices (e.g., hard disk drive, floppy disk drive, CD-ROM drive, tape reader, card reader, or "flash" memory) organized to reflect named elements (a "file system") for storing images of main memory cells.

Most computer systems also include input/output devices such as keyboards, mice, video systems, printers, scanners and communications devices.

To organize the CPU's execution capabilities with available RAM, ROM and secondary storage devices, and to provide commonly used functions for use by programmers, a piece of software called an "operating system" is usually included with the other components. Typically, this piece of software is designed to begin executing after power is applied to the computer system and hardware diagnostics are completed.
Thereafter, all use of the CPU, main memory and secondary memory devices is normally managed by this "operating system"

software. Most computer operating systems also typically include a mechanism for extending their management functions to I/O
and other peripheral devices, including commonly used functions associated with these devices.

By managing the CPU, memory and peripheral devices through the operating system, a coherent set of basic functions and abstraction layers for hiding hardware details allows programmers to more easily create sophisticated applications. In additioia, managing the computer's hardware resources with an operating system allows many differences in design and } equipment requirements between different manufacturers to be hidden. Furthermore, applications can be more easily shared with other computer users who have the same operating system, with significantly less work to support different manufacturers' base hardware and peripheral devices.

ROS 602 is an Operating System Providing Significant Advantages ROS 602 is an "operating system." It manages the resources of electronic appliance 600, and provides a commonly used set of functions for programmers writing applications 608 for the electronic appliance. ROS 602 in the preferred embodiment manages the hardware (e.g., CPU(s), memory(ies), secure RTC(s), and encrypt/decrypt engines) within SPU 500.
ROS may also manage the hardware (e.g., CPU(s) and memory(ies)) within one or more general purpose processors within electronic appliance 600. ROS 602 also manages other electronic appliance hardware resources, such as peripheral devices attached to an electronic appliance. For example, referring to Figure 7, ROS 602 may manage keyboard 612, display 614, modem 618, disk drive 620, printer 622, scanner 624.

ROS 602 may also manage secure database 610 and a storage device (e.g., "secondary storage" 652) used to store secure database 610.

_ ROS 602 supports multiple processors. ROS 602 in the preferred embodiment supports any number of local and/or remote processors. Supported processors may include at least two types: one or more electronic appliance processors 654, and/or one or more SPUs 500. A host processor CPU 654 may provide storage, database, and communications services. SPU
500 may provide cryptographic and secured process execution services. Diverse control and execution structures supported by ROS 602 may requii e that processing of control information occur within a controllable execution space -- this controllable execution space may be provided by SPU 500. Additional host and/or SPU processors may increase efficiencies and/or capabilities. ROS 602 may access, coordinate and/or manage further processors remote to an electronic appliance 600 (e.g., via network or other communications link) to provide additional processor resources and/or capabilities.

ROS 602 is services based. The ROS services provided using a host processor 654 and/or a secure processor (SPU 500) are linked in the preferred embodiment using a "Remote Procedure Call" ("RPC") internal processing request structure.
Cooperating processors may request interprocess services using a RPC mechanism, which is minimally time dependent and can be distributed over cooperating processors on a network of hosts.

The multi-processor architecture provided by ROS 602 is easily extensible to support any number of host or security processors.

This extensibili.ty supports high levels of scalability. Services also allow functions to be implemented differently on different equipment. For example, a small appliance that typically has low levels of usage by one user may implement a database service using very different techniques than a very large appliance with high levels of usage by many users. This is another aspect of scalability.

ROS 602 provides a distributed processing enviromm ~t For example, it permits information and control structures to automatically, securely pass between sites as required to fulfill a user's requests. Communications between VDE nodes under the distributed processing features of ROS 602 may include interprocess service requests as discussed above. ROS 602 supports conditional and/or state dependent execution of controlled processors within any VDE node. The location that the process executes and the control structures used may be locally resident, remotely accessible, or carried along by the process. to support execution on a remote system.

ROS 602 provides distribution of control information, incluaag for example the distribution of control structures required to permit "agents" to operate in remote environments.
Thus, ROS 602 provides facilities for passing execution and/or information control as part of emerging requirements for "agent"
processes.

I,f desired, ROS 602 may independently distribute control information over veiy low bandwidth connections that may or may not be "real time" connections. ROS 602 provided by the preferred embodiment is "network friendly," and can be implemented with any level of networking protocol. Some examples include e-inail and direct connection at approximately "Layer 5" of the ISO model.

The ROS 602 distribution process (and the associated auditing of distributed information) is a controlled event that itself uses such control structures. This "reflective" distributed , processing mechanism permits ROS 602 to securely distribute rights and permissions in a controlled manner, and effectively restrict the characteristics of use of information content. The controlled delegation of rights in a distributed environment and the secure processing techniques used by ROS 602 to support this approach provide significant advantages.

Certain control mechanisms within ROS 602 are "reciprocal." Reciprocal control mechanisms place one or more control components at one or more locations that interact with one or more components at the same or other locations in a controlled way. For example, a usage control associated with object content at a user's location may have a reciprocal control at a distributor's location that governs distribution of the usage control, auditing of the usage control, and logic to process user requests associated with the usage control. A usage control at a user's location (in addition to controlling one or more aspects of usage) may prepare audits for a distributor and format requests associated with the usage control for processing by a distributor.
Processes at either end of a reciprocal control may be further controlled by other processes (e.g., a distributor may be limited by a budget for the number of usage control mechanisms they may produce). Reciprocal control mechanisms may extend over many WO 96/27155 PCT(US96102303 sites and many levels (e.g., a creator to a distributor to a user) and may take any relationship into account (e.g., creator/distributor, distributor/user, user/user, user/creator, user/creator/distributor, etc.) Reciprocal control mechanisms have many uses in IrDE 100 in representing relationships and agreemLents in a distributed environment.

ROS 602 is sc,alable. Many portions of ROS 602 control structures and kernel(s) are easily portable to various host platforms without recompilation. Any control structure may be distributed (or redistributed) if a granting authority permits this type of activity. The executable references within ROS 602 are portable within a target platform. Different instances of ROS 602 may execute the references using different resources. For example, one instance of ROS 602 may perform a task using an SPU 500, while another instance of ROS 602 might perform the same task using a host processing environment running in protected memory that is emulating an SPU in software. ROS
602 control informationis similarly portable; in many cases the event processing strixtures may be passed between machines and host platforms as easily as between cooperative processors in a single computer. Appliances with different levels of usage and/or resources available for ROS 602 functions may implement those functions in very different ways. Some services may be omitted entirely if insufficient resources exist. As described elsewhere, ROS 602 "knows" what services are available, and how to proceed based on any given event. Not all events may be processable if resources are missing or inadequate.

ROS 602 is component based. Much of the functionality provided by ROS 602 in the preferred embodiment may be based on "components" that can be securely, independently deliverable, replaceable and capable of being modified (e.g., under appropriately secure conditions and authorizations). Moreover, the "components" may themselves be made of independently deliverable elements. ROS 602 may assemble these elements together (using a construct provided by the preferred embodiment called a "channel") at execution time. For example, a "load module" for execution by SPU 500 may reference one or more "method cores," method parameters and other associated data structures that ROS 602 may collect and assemble together to perform a task such as billing or metering. Different users may have different combinations of elements, and some of the elements may be customizable by users with appropriate authorization. This increases flexibility, allows elements to be reused, and has other advantages.

ROS 602 is highlv secure. ROS 602 provides mechanisms to protect information control structures from exposure by end users and conduit hosts. ROS 602 can protect information, VDE
control structures and control executables using strong encryption and valiclation mechanisms. These encryption and validation mechanisms are designed to make them highly resistant to undetected tampering. ROS 602 encrypts i_nformation stored on secondary storage device(s) 652 to inhibit tampering. ROS 602 also separately encrypts and validates its various components. ROS 602 correlates control and data structure components to prevent unauthorized use of elements.
These features permit ROS 602 to independently distribute elements, and also a]lows integration of VDE functions 604 with non-secure "other" OS functions 606.

ROS 602 provided by the preferred embodiment extends conventional capabilities such as, for example, Access Control List (ACL) structures, to user and process defined events, including state transitions. ROS 602 may provide fuIl control information over pre-defined and user-defiued application events.
These control mechan.isms include "go/no-go" permissions, and also include optional event-specific executables that permit complete flexibility in the processing and/or controlling of events.
This structure permits events to be individually controlled so that, for example, metering and budgeting may be provided using independent executables. For example, ROS 602 extends ACL
structures to control arbitrary granularity of information.
Traditional operating systems provide static "go-no go" control mechanisms at a file or resource level; ROS 602 extends the control concept in a general way from the largest to the smallest sub-element using a flexible control structure. ROS 602 can, for example, control the printing of a single paragraph out of a document file.

ROS 602 provided by the preferred embodiment permits secure modification and update of control information governing each component. The control information may be provided in a template format such as method options to an end-user. An end-user may then customize the actual control information used within guidelines provided by a distributor or content creator.
Modification and update of existing control structures is preferably also a controllable event subject to auditing and control information.

ROS 602 provided by the preferred embodiment validates control structures a:nd secured executables prior to use. This validation provides assurance that control structures and executables have not been tampered with by end-users. The validation also pertnits ROS 602 to securely implement components that include fragments of files and other operating system structures. ROS 602 provided by the preferred embodiment integrates security considerations at the operating system I/O level (wliich is below the access level), and provides "on-the-fly" decryption of information at release time. These features permit non-secure storage of ROS 602 secured components and information using an OS layer "on top of' traditional operating system platforms.

ROS 602 is highlv iute atab with host platforms as an additional operating system layer. Thus, ROS 602 may be created by "adding on" to existing operating systems. This involves hooking V]DE "add ons" to the host operating system at the device driver and network interface levels. Alternatively, ROS 602 may comprise a wholly new operating system that integrates both VDE functions and other operating system functions.

Indeed, there are at least three general approaches to integrating VDE functions into a new operating system, potentially based on an existing operating system, to create a Rights Operating System 602 including:

(1) Redesign the operating system based on VDE
tra.n.saction management requirements;

(2) Compile VDE API functions into an existing operating systems; and (3) Integrate a VDE Interpreter into an existing operating system.

The first approach could be most effectively applied when a new operating system is being designed, or if a significant upgrade to an existing operating system is planned. The transaction management and security requirements provided by the VDE functions could be added to the design requirements list for the design of a new operating system that provides, in an optimally efficient manner, an integration of "traditional"

WO 96/27155 PCTlUS96102303 operating system capabilities and VDE capabilities. For example, = the engineers responsible for the design of the new version or instance of an operating system would include the requirements of VDE metering/transaction management in addition to other requirements (if any) that they use to form their design approach, specifications, and actual implementations. This approach could lead to a "seamless" integration of VDE functions and capabilities by threading meteriin.g/transaction management functionality throughout the system design and implementation.

The second approach would involve taking an existing set of API (Application Programmer Interface) functions, and incorporating references in the operating system code to VDE
function calls. This is similar to the way that the current Windows operating system is integrated with DOS, wherein DOS
serves as both the launch point and as a significant portion of the kernel underpinning of the Windows operating system. This approach would be also provide a high degree of "seamless"
integration (although not quite as "seamless" as the first approach). The benefits of this approach include the possibility that the incorporation of metering/transaction management fuuctionality into the new version or instance of an operating system may be accomplished with lower cost (by making use of the existing code embodied in an API, and also using the design implications of the API functional approach to influence the design of the elements into which the metering/transaction management functionality is incorporated).

The third approach is distinct from the first two in that it does not incorporate VDE functionality associated with meteri-n.g/transaction management and data security directly into the operating system code, but instead adds a new generalized capability to the operating system for executing metering/transaction management functionality. In this case, an interpreter including meteri.n.g/transaction management functions would be integrated with other operating system code in a "stand alone" mode. This interpreter might take scripts or other inputs to determine what metering/transaction management functions should be performed, and in what order and under which circumstances or conditions they should be performed.

Instead of (or in addition to) integrating VDE functions into/with an electronic appliance operating system, it would be __ WO 96127155 PCTlUS96102303 possib][e to provide certain VDE functionality available as an = application running on a conventional operating system.
ROS Software Architecture ]E'igure 10 is a block diagram of one example of a software structure/architecture for Rights Operating System ("ROS") 602 provided by the preferred embodiment. In this example, ROS
602 includes an operating system ("OS") "core" 679, a user Application Program Interface ("API") 682, a "redirector" 684, an "intercept" 692, a User Notification/Exception Interface 686, and a file system 687. R,OS 602 in this example also includes one or more Host Event Processing Environments ("HPEs") 655 and/or one or more Secure Event Processing Environments ("SPEs") 503 (these environments may be generically referred to as "Protected Processing Environinents" 650).

I-IPE(s) 655 aind SPE(s) 503 are self-contained computing and processing environments that may include their own operating system kernel 688 including code and data processing = 20 resources. A given electronic appliance 600 may include any number of SPE(s) 503 and/or any number of HPE(s) 655. HPE(s) 655 and SPE(s) 503 may process information in a secure way, and provide secure processing support for ROS 602. For example, they may each perform secure processing based on one =
or more VDE component assemblies 690, and they may each offer secure processing services to OS kernel 680.

In the preferred embodiment, SPE 503 is a secure processing environment provided at least in part by an SPU 500.
Thus, SPU 500 provides the hardware tamper-resistant barrier 503 surrounding SPE 503. SPE 503 provided by the preferred embodiment is preferably:

C small and compact C loadable into resource constrained environments such as for example minimally configured SPUs 500 C dynamically updatable C extensible by authorized users C integratable into object or procedural environments C secure.

In the preferred embodiment, HPE 655 is a secure processing environment supported by a processor other than an.

SPU, such as for example an electronic appliance CPU 654 general-purpose microprocessor or other processing system or device. In the prefe,rred embodiment, HPE 655 may be considered to "emulate" an SPU 500 in the sense that it may use softwai e to provide some or all of the processing resources provided in hardware and/or firmware by an SPU. HPE 655 in one preferred embodi.ment of the present invention is full-featured and fully compatible with SPE 503-that is, HPE 655 can handle each anci every service call SPE 503 can handle such that the SPE and the HPE are "plug compatible" from an outside interface standpoint (with the exception that the F3PE may not provide as much security as the SPE).

HPEs 655 ma.y be provided in two types: secure and not secure. For example, it may be desirable to provide non-secure versions of HPE 655 to allow electronic appliance 600 to efficiently run non-sensitive VDE tasks using the full resources of a fast g=eneral purpose processor or computer. Such non-secure versions of HPE 655 may run under supervision of an instance of ROS 602 that also includes an SPE 503. In this way, ROS 602 may run all secure processes within SPE 503, and only use HPE
655 for processes that do not require security but that may require (or run more efficiently) under potentially greater resources provided by a general purpose computer or processor =
supporting HPE 655. Non-secure and secure HPE 655 may operate together with a secure SPE 503.

BPEs 655 may (as shown in Figure 10) be provided with a software-based tamper resistant barrier 674 that makes them more secure. Such a software-based tamper resistant barrier 674 may be created by software executing on general-purpose CPU

654. Such a "secure" IHPE 655 can be used by ROS 602 to execute processes that, while still needing security, may not require the degree of security provided by SPU 500. This can be especially beneficial in architectures providing both an SPE 503 and an HPE 655. The SPU 502 may be used to perform all truly secure processing, whereas one or more HPEs 655 may be used to provide additional secure (albeit possibly less secure than the SPE) processing using host processor or other general purpose resources that may be available within an electronic appliance 600. Any service may be provided by such a secure HPE 655. In the preferred embodiment, certain aspects of "channel processing" appears to be a candidate that could be readily exported from SPE
503 to HPE 655.

WO 96/27155 PCTlUS96l02303 'The software-based tamper resistant barrier 674 provided = by HPE 655 may be provided, for example, by: introducing time checks and/or code modifications to complicate the process of stepphag through code comprising a portion of kernel 688a and/or a portion of compon:ent assemblies 690 using a debugger; using a map of defects on a storage device (e.g., a hard disk, memory card, etc.) to form internal test values to impede moving and/or copying HPE 655 to other electronic appliances 600; using kernel code that contains false branches and other complications in flow of control to disguise internal processes to some degree from disassembly or other efforts to discover details of processes; using "self-generating" code (based on the output of a co-sine transform, for example) such tlfzat detailed and/or complete instruction sequences are not stored explicitly on storage devices and/or in active memory but :rather are generated as needed; using code that "shuffles" memory locations used for data values based on operational parameters to complicate efforts to manipulate such values; using any software and/or hardware memory management resowrces of electronic appliance 600 to "protect"

the operation of HPE 655 from other processes, functions, etc.
Although such a software-based tamper resistant barrier 674 may provide a fair degree of security, it typically will not be as secure as the hardware-based tamper resistant barrier 502 provided (at least in part) by SPU 500. Because security may be better/more effectively enforced with the assistance of hardware security features such as those provided by SPU 500 (and because of other factors such as increased performance provided by special purpose circuitry within SPU 500), at least one SPE
503 is preferred for many or most higher security applications.
However, in applications where lesser security can be tolerated and/or the cost of an SPU 500 cannot be tolerated, the SPE 503 may be omitted and all secure processing may instead be performed by one or more secure HPEs 655 executing on general-purpose CPUs 654. Some VDE processes may not be allowed to proceed on reduced-security electronic appliances of this type if insufficient security is provided for the particular process involved.

Only those processes that execute completely within SPEs 503 (and in some cases, HPEs 655) may be considered to be truly secure. Memory and other resources external to SPE 503 and BPEs 655 used to store and/or process code and/or data to be used in secure processes should only receive and handle that information in encrypted form unless SPE 503/HPE 655 can protect secure process code and/or data from non-secure processes.
' OS "core" 679 in the preferred embodiment includes a kernel. 680, an RPC manager 732, and an "object switch" 734.

API 682, HPE 655 and SPE 503 may communicate "event"
messages with one another via OS "core" 679. They may also communicate messages directly with one another without messages going through OS "core" 679.

Kernel 680 may manage the hardware of an electronic appliance 600. For example, it may provide appropriate drivers and hardware managers for interacting with input/output and/or peripheral devices such as keyboard 612, display 614, other devices such as a "mouse" pointing device and speech recognizer 613, mLodem 618, pr.znter 622, and an adapter for network 672.
Kernel 680 may also be responsible for initially loading the remainder of ROS 602, and may manage the various ROS tasks (and associated un(lerlying hardware resources) during execution. OS kernel 680 may also manage and access secure database 610 and ffiLle system 687. OS kernel 680 also provides execution services for applications 608a(1), 608a(2), etc. and other applications.

RPC manager 732 performs messaging routing and resource management/integration for ROS 680. It receives and routes "calls" from/to API 682, HPE 655 and SPE 503, for example.

Object switch 734 may manage construction, deconstruction and other manipulation of VDE objects 300.

User Notification/Exception Interface 686 in the preferred embodiment (which may be considered part of API 682 or another application coupled to the API) provides "pop up"

windows/displays on display 614. This allows ROS 602 to communicate directly with a user without having to pass information to be communicated through applications 608. For applications that are not "VDE aware," user notification/exception interface 686 may provide communications between ROS 602 and the user.

API 682 in the preferred embodiment provides a standardized, documented software interface to applications 608.

In part, API 682 may translate operating system "calls"
generated by applications 608 into Remote Procedure Calls ("RPCs") specifying "events." RPC manager 732 may route these RPCs to kernel 680 or elsewhere (e.g., to HPE(s) 655 and/or SPE(s) 503, or to remote electronic appliances 600, processors, or VDE participants) for processing. The API 682 may also service RPC requests by paLssing them to applications 608 that register to receive and process specific requests.

.A.PI 682 provides an "Applications Programming Interface"
that is preferably standardized and documented. It provides a concise set of function calls an application program can use to access services provided by ROS 602. In at least one preferred example, API 682 vsriIl include two parts: an application program interface to VDE functions 604; and an application program interface to other OS functions 606. These parts may be interwoven into the same software, or they may be provided as two or more discrete pieces of software (for example).

Some applications, such as application 608a(1) shown in Figure 11, may be "VDE aware" and may therefore directly access both of these parts of API 682. Figure 11A shows an example of this. A"VDE aware" application may, for example, include explicit calls to ROS 602 requesting the creation of new VDE objects 300, metering usage of VDE objects, storing information in VDE-protected form, etc. Thus, a"VDE aware"
application can initiate (and, in some examples, enhance and/or extend) VDE functionality provided by ROS 602. In addition, "VDE aware" applications may provide a more direct interface between a user and ROS 602 (e.g., by suppressing or otherwise dispensing with "pop up" displays otherwise provided by user notification/exception interface 686 and instead providing a more "seamless" interface that integrates application and ROS

messages).

Other applications, such as application 608b shown in Figure 11B, may not be "VDE Aware" and therefore may not "know" how to directly access an interface to VDE functions 604 provided by API 682. To provide for this, ROS 602 may include a "redirector" 684 that allows such "non-VDE aware" applications 608(b) to access VDE objects 300 and functions 604. Redirector 684, in the preferreci embodiment, translates OS calls directed to the "other OS functions" 606 into calls to the "VDE function,s"

604. As one simple example, redirector 684 may intercept a"file open" call from application 608(b), determine whether the file to be opened is contained within a VDE container 300, and if it is, generate appropriate VDE function call(s) to file system 687 to open the VDE container (and potentially generate events to HPE
655 and/or SPE 503 to determine the name(s) of file(s) that may be stored in a VDE object 300, establish a control structure associated with a VDE object 300, perform a registration for a VDE object 300, etc.). Without redirector 684 in this example, a non-VDE aware application such as 608b could access only the part of API 682 that; provides an interface to other OS functions 606, and therefore could not access any VDE functions.

This "translation" feature of redirector 684 provides "transparency." It allows VDE functions to be provided to the application 608(b) in a"transparent" way without requiring the application to become involved in the complexity and details ~ 20 associated with generating the one or more calls to VDE
functions 604. This aspect of the "transparency" features of ROS
602 has at least two important advantages:

(a) it allows applications not written specifically for VDE
functions 604 ("non-VDE aware applications") to nevertheless access critical VDE functions; and (b) it reduces the complexity of the interface between an application and ROS 602.

Since the second advantage (reducing complexity) makes it easier for an application creator to produce applications, even "VDE
aware" applications 608a(2) may be designed so that some calls invoking VDE functions 604 are requested at the level of an "other OS functions" call and then "translated" by redirector 684 into a VDE function call (in this sense, redirector 684 may be considered a part of API 682). Figure 11C shows an example of this. Other calls invoking VDE functions 604 may be passed directly without translation by redirector 684.

Referring again to Figure 10, ROS 620 may also include an "interceptor" 692 that transmits and/or receives one or more real time data feeds 694 (this may be provided over cable(s) 628 for example), and routes one or more such data feeds appropriately while providing "translation" functions for real time data sent and/or received by electronic appliance 600 to allow "transparency" for this type of i_nformation analogous to the __ WO 96/27155 PCTlLTS96102303 transparency provided by redirector 684 (and/or it may generate one or more real time data feeds).

Secure ROS Components and Component Assemblies As discussed above, ROS 602 in the preferred embodiment is a component-based architecture. ROS VDE functions 604 may be based on segmented, independently loadable executable "component assemblies" 690. These component assemblies 690 are independently securely deliverable. The component assemblies 690 provided by the preferred embodiment comprise code and data elements that are themselves independently deliverable. Thus, each component assembly 690 provided by the preferred embodiment is comprised of independently securely deliverable elements which may be communicated using VDE

secure communication techniques, between VDE secure subsystems.

These component assemblies 690 are the basic functional unit provided by ROS 602. The component assemblies 690 are executed to perform operating system or application tasks. Thus, some component assemblies 690 may be considered to be part of the ROS operating system 602, while other component assemblies may be considered to be "applications" that run under the support of the operating system. As with any system incorporating "applications" and "operating systems," the boundary between these aspects of an overall system can be ambiguous. For example, commonly used "application" functions (such as determining the structure and/or other attributes of a content container) may be incorporated into an operating system.
Furthermore, "operating system" functions (such as task management, or memory allocation) may be modified and/or replaced by an application. A common thread in the preferred embodiment's ROS 602 is that component assemblies 690 provide functions needed for a user to fulfill her intended activities, some of which may be "application-like" and some of which may be "operating system-like."

Components 690 are preferably designed to be easily separable and individually loadable. ROS 602 assembles these elements together into an executable component assembly 690 prior to loading and executing the component assembly (e.g., in a secure operating environment such as SPE 503 and/or HPE 655).
ROS 602 provides an element identification and referencing mechanism that includes information necessary to automatically assemlble elements into a component assembly 690 in a secure manner prior to, and/or during, execution.

ROS 602 application structures and control parameters used to form component assemblies 690 can be provided by different parties. Because the components forming component assemblies 690 are independently securely deliverable, they may be delivered at different times and/or by different parties ("delivery" may take place within a local VDE secure subsystem, that is submission through the use of such a secure subsystem of control information by a chain of content control information handling participant for the preparation of a modified control information set constitutes independent, secure delivery). For example, a content creator can produce a ROS 602 application that defines the circumstances required for licensing content contained within a'VDE object 300. This application may reference structures provided by other parties. Such references might, for example, take the form of a control path that uses content creator strLictures to meter user activities; and structures created/owned by a financial provider to handle financial parts of a content distribution transaction (e.g., defining a credit budget that must be present in a control structure to establish creditwortbiness, audit processes which must be performed by the licensee, etc.). As another example, a distributor may give one user more favorable pricing than another user by delivering ' different data elements defining pricing to different users. This attribute of supporting multiple party securely, independently deliverable control information is fundamental to enabling electronic commerce, that is, defining of a content and/or appliance control information set that represents the requirements of a collection of independent parties such as content creators, other content providers, financial service providers, and/or users.

In the preferred embodiment, ROS 602 assembles securely independently deliverable elements into a component assembly 690 based in part on context parameters (e.g., object, user).

Thus, for example, ROS 602 may securely assemble different elements together to form different component assemblies 690 for different users performing the same task on the same VDE object 300. Similarly, ROS 602 may assemble differing element sets which may include, that is reuse, one or more of the same =
components to form different component assemblies 690 for the WO 96/27155 PCTlUS96102303 same user performing the same task on different VDE objects 300.
'I'he component assembly organization provided by ROS
602 is "recursive" in that a component assembly 690 may comprise one or more component "subassemblies" that are themselves independently loadable and executable component assemblies 690. These component "subassemblies" may, in turn, be made of one or more component "sub-sub-assemblies." In the general case, a component assembly 690 may include N levels of component subassemblies.

'I'hus, for example, a component assembly 690(k) that may includes a component subassembly 690(k + 1). Component subassembly 690(k + 1), in turn, may include a component sub-sub-assembly 690(3), ... and so on to N-level subassembly 690(k +
N). The ability of ROS 602 to build component assemblies 690 out of other component assemblies provides great advantages in terms of, for example, code/data reusability, and the ability to allow different parties to manage different parts of an overall component.

Each component assembly 690 in the preferred embodiment is made of distinct components. Figures 11D-11H are abstract depictions of various clistinct components that may be assembled to form a component assembly 690(k) showing Figure 11I. These same components can be combined in different ways (e.g., with more or less components) to form different component assemblies 690 providing completely different functional behavior. Figure 11J is an abstract depiction of the same components being put together in a different way (e.g., with additional components) to form a different component assembly 690(j). The component assemblies 690(k) and 690(j) each include a common feature 691 that interlocks with a "channel" 594 defined by ROS 602. This "channel" 594 assembles component assemblies 690 and interfaces them with the (rest of) ROS 602.

ROS 602 generates component assemblies 690 in a secure manner. As shown graphically in Figures 11I and 11J, the different elements compri8ing a component assembly 690 may be "interlocking" in the sense that they can only go together in ways that are intended by the VDE participants who created the elements and/or specified the component assemblies. ROS 602 includes security protections that can prevent an unauthorized WO 96/27155 PCT(US96102303 person from modifying elements, and also prevent an unauthorized person from substituting elements. One can picture an unauthorized person maki.ng a new element having the same "shape" as the one of the elements shown in Figures 11D-11H, and then attempting to substitute the new element in place of the original element. Suppose one of the elements shown in Figure 11H establi.shes the price for using content within a VDE object 300. If an unauthorized person could substitute her own "pizce" element for the price element intended by the VDE

content distributor, then the person could establish a price of zero instead of the price the content distributor intended to charge.
Similarly, if the elenaent establishes an electronic credit card, then an ability to substitute a different element could have disastrous consequences in terms of allowing a person to charge her usage to someone else's (or a non-existent) credit card. These are merely a few si-uiple examples demonstrating the importance of ROS 602 ensuring that certain component assemblies 690 are formed in a secure manner. ROS 602 provides a wide range of protectiions against a wide range of "threats" to the secure = 20 handling and execution of component assemblies 690.

In the preferred embodiment, ROS 602 assembles component assemblies 690 based on the following types of elements:

Permissions Records ("PERC"s) 808;
Method "Cores" 1000;

Load Modules 1100;

Data Elements (e.g., User Data Elements ("UDEs") 1200 and Method Data Elements ("MDEs") 1202); and Other component assemblies 690.

Briefly, a PERC 808 provided by the preferred embodiment is a record corresponding to a VDE object 300 that identifies to ROS 602, among other things, the elements ROS is to assemble together to form a component assembly 690. Thus PERC 808 in effect contains a "list of assembly instructions" or a "plan"
specifying what elements ROS 602 is to assemble together into a component assembly and how the elements are to be connected together. PERC 808 may itself contain data or other elements that are to become part of the component assembly 690.

_ -------WO 96127155 PCTlUS96102303 The PERC 808 may reference one or more method "cores"
1000N. A method core 1000N may define a basic "method" 1000 (e.g., "control," "billing," "metering," etc.) In the preferred embodiment, a "method" 1000 is a collection of basic instructions, and information related to basic instructions, that provides context, data, requirements, and/or relationships for use in performing, and/or preparing to perform, basic instructions in relation to the operation of one or more electronic appliances 600. 13asic i_nstructions may be comprised of, for example:

C machine code of the type commonly used in the progrananing of computers; pseudo-code for use by an interpreter or other instruction processing program operating on a computer;

C a sequeiice of electronically represented logical operations for use with an electronic appliance 600;
C or other electronic representations of instructions, source code, object code, and/or pseudo code as those terms ar=e commonly understood in the arts.

Information relating to said basic instructions may comprise, for example, data associated intrinsically with basic =
instructions such as for example, an identifier for the combined basic instructions and intrinsic data, addresses, constants, and/or the like. The information may also, for example, include one or more of the following:

C information that identifies associated basic instructions and said intrinsic data for access, correlation and/or validation purposes;

C required and/or optional parameters for use with basic instructions and said intrinsic data;

C information defining relationships to other methods;
C data elements that may comprise data values, fields of information, and/or the like;

C information specifying and/or defining relationships among data elements, basic instructions and/or intrinsic data;

C information specifying relationships to external data elements;

WO 96/27155 PC,TlUS96102303 C information specifying relationships between and among :internal and external data elements, methods, and/or the like, if any exist; and C additional information required in the operation of basic instructions and intrinsic data to complete, or attempt to complete, a purpose intended by a user of a method, where required, including additional instructions and/or intrinsic data.

Such information associated with a method may be stored, in part or whole, separately from basic instructions and intrinsic data. VVh.en these components are stored separately, a method may nevertheless include and encompass the other information and one or more sets of basic instructions and intrinsic data (the latter being included because of said other information's reference to one or naore sets of basic instructions and intrinsic data), whether or not said one or more sets of basic instructions and intrinsic data aire accessible at any given point in time.

Method core 1.000' may be parameterized by an "event code" to permit it to respond to different events in different ways.

For example, a METER method may respond to a "use" event by storing usage information in a meter data structure. The same METER method may respond to an "adminitrative" event by reporting the meter data structure to a VDE clearinghouse or other VDE participant.

In the preferred embodiment, method core 1000' may "contain," either explicitly or by reference, one or more "load modules" 1100 and one or more data elements (UDEs 1200, 1VIDEs 1202). In the preferred embodiment, a "load module" 1100 is a portion of a method that reflects basic instructions and intrinsic data. Load modules 1100 in the preferred embodiment contain executable code, and may also contain data elements ("DTDs" 1108) associated with the executable code. In the preferred embodiment, load modules 1100 supply the program instructions that are actually "executed" by hardware to perform the process defined by the method. Load modules 1100 may contain or reference other load modules.

Load modules 1100 in the preferred embodiment are modular and "code pure" so that individual load modules may be reenterable and reusable. In order for components 690 to be WO 96127155 PCTlUS96/02303 dynamically updatable, they may be in.dividually addressable within a global public name space. In view of these design goals, load modules 1100 are preferably small, code (and code-like) pure modules that are individually named and addressable. A single method may provide different load modules 1100 that perform the same or similar :E'unctions on different platforms, thereby making the method scalable and/or portable across a wide range of different electronic appliances.

ITDEs 1200 and MDEs 1202 may store data for input to or output from executable component assembly 690 (or data describing such inputs and/or outputs). In the preferred embodiment, LTDEs 1200 may be user dependent, whereas MDEs 1202 may be user independent.

7.'he component assembly example 690(k) shown in Figure 11E coinprises a method core 1000', UDEs 1200a & 1200b, an MDE 1202, load modules 1100a-1100d, and a further component assembly 690(k+l). As mentioned above, a PERC 808(k) defines, among other things, the "assembly instructions" for component assembly 690(k), and may contain or reference parts of some or all of the components that are to be assembled to create a component assembly.

One of the load modules 1100b shown in this example is itself comprised of plural load modules 1100c, 1100d. Some of the load modules (e.g., 1100a, 1100d) in this example include one or more "DTD" data elements 1108 (e.g., 1108a, 1108b). "DTD" data elements 1108 may be used, for example, to inform load module 1100a of the data elements included in MDE 1202 and/or UDEs 1200a, 1200b. Furthermore, DTDs 1108 may be used as an aspect of forming a portion of an application used to inform a user as to the i.nformation required and/or manipulated by one or more load modules 1100, or other component elements. Such an application program may also include functions for creating and/or manipulating UDE(s) 1200, NIDE(s) 1202, or other component elements, subassemblies, etc.

Components within component assemblies 690 may be "reused" to form different component assemblies. As mentioned above, figure 11F is an abstract depiction of one example of the same components used for assembling component assembly 690(k) to be reused (e.g., with some additional components _ WO 96127155 PCTlUS96102303 specified by a different set of "assembly instructions" provided in a different PERC 808(1)) to form a different component assembly } 690(1). Even thougli component assembly 690(1) is formed from some of the same components used to form component assembly 690(k), these two component assemblies may perform completely different processes :in complete different ways.

As mentioned above, ROS 602 provides several layers of security to ensure the security of component assemblies 690. One important security layer involves ensuring that certain compoinent assemblies 690 are formed, loaded and executed only in secure execution space such as provided within an SPU 500.
Components 690 and/or elements comprising them may be stored on external media encrypted using local SPU 500 generated and/or distributor provided keys.

]ft.OS 602 alsa, provides a tagging and sequencing scheme that may be used within the loadable component assemblies 690 to detect tampering, by substitution. Each element comprising a compoiaent assembly 690 may be loaded into an SPU 500, decrypted using encrypt/decrypt engine 522, and then tested/compared to ensure that the proper element has been loaded. Several independent comparisons may be used to ensure there has been no unauthorized substitution. For example, the public and private copies of the element ID may be compared to ensure that they are the same, thereby preventing gross substitution of elements. In addition, a validation/correlation tag stored under the encrypted layer of the loadable element may be compared to make sure it matches one or more tags provided by a requesting process. This prevents unauthorized use of information. As a third protection, a device assigned tag (e.g., a sequence number) stored under an encryption layer of a loadable element may be checked to make sure it matches a corresponding tag value expected by SPU 500. This prevents substitution of older elements. Validation/correlation tags are typically passed only in secure wrappers to prevent plaintext exposure of this information outside of SPU 500.

The secure component based architecture of ROS 602 has important advantages. For example, it accommodates limited resource execution environments such as provided by a lower cost SPU 500. It also provides an extremely high level of configurability. In fact, ROS 602 will accommodate an almost unlim.ited diversity of content types, content provider objectives, transaction types and client requirements. In addition, the abili.ty to dynamical]ly assemble independently deliverable components at execution time based on particular objects and users provides a high degree of flexibility, and facilitates or enables a di.stributed database, processing, and execution environment.

One aspect of an advantage of the component-based architecture provided by ROS 602 relates to the ability to "stage"
functionality and capabilities over time. As designed, implementation of R.OS 602 is a finite task. Aspects of its wealth of functionality can remain unexploited until market realities dictate the implemeiatation of corresponding VDE application functionality. As a result, initial product implementation investment and complexity may be limited. The process of "surfacing" the full range of capabilities provided by ROS 602 in terms of authoring, administrative, and artificial intelligence applications may take place over time. Moreover, already-designed functionality of ROS 602 may be changed or enhanced at any time to adapt to changing needs or requirements.

More Detailed Discussion of Rights Operating System 602 Architecture Figure 12 shows an example of a detailed architecture of ROS 602 shown in Figure 10. ROS 602 may include a file system 687 that includes a commercial database manager 730 and external object repositories 728. Commercial database manager 730 may maintain secure database 610. Object repository 728 may store, provide access to, and/or maintain VDE objects 300.

Figure 12 also shows that ROS 602 may provide one or more SPEs 503 and/or one or more HPEs 655. As discussed above, HPE 655 may "emulate" an SPU 500 device, and such HPEs 655 may be integrated in lieu of (or in addition to) physical SPUs 500 for systems that need higher throughput. Some security may be lost since BPEs 655 are typically protected by operating system security and may not provide truly secure processing. Thus, in the preferred embodiment, for high security applications at least, all secure processing should take place within an SPE 503 having an execution space within a physical SPU 500 rather than a HPE 655 using software operating elsewhere in electronic appliance 600.

_ WO 96/27155 PC'IYUS96102303 As mentioned above, three basic components of ROS 602 are a kern.el 680, a Remote Procedure Call (RPC) manager 732 and an object switch 734. These components, and the way they interact with other portions of ROS 602, wi]l be discussed below.

Kerne1680 Kernel 680 manages the basic hardware resources of electronic appliance 600, and controls the basic tasking provided by ROS 602. Kernell 680 in the preferred embodiment may include a memory manager 680a, a task manager 680b, and an 1/0 manager 680c. Task manager 680b may initiate and/or manage initiation of executable tasks and schedule them to be executed by a processor on which ROS 602 runs (e.g., CPU 654 shown in Figure 8). For example, Task manager 680b may include or be associated with a "bootstrap loader" that loads other parts of ROS 602. Task manager 680b may manage all tasking related to ROS 602, including tasks associated with application program(s) 608. Memory manager 680a may manage allocation, deallocation, sharing and/or use of memory (e.g., RAM 656 shown in Figure 8) of electronic appliance 600, and may for example provide virtual memory capabilities as required by an electronic appliance and/or associated application(s). UO manager 680c may manage all input to and output from ROS 602, and may interact with drivers and other hardware managers that provide communications and interactivity with physical devices.

RPC Manager 732 ROS 602 in a preferred embodiment is designed around a "services based" Remote Procedure Call architecture/interface.
All functions performed by ROS 602 may use this common interface to request services and share information. For example, SPE(s) 503 provide processing for one or more RPC based services. In addition to supporting SPUs 500, the RPC interface permits the dynamic integration of external services and provides an array of configuration options using existing operating system components. ROS 602 also communicates with external services through the RPC interface to seamlessly provide distributed and/or remote processing. In smaller scale instances of ROS 602, a simpler message passing IPC protocol may be used to conserve resources. This may limit the configurability of ROS 602 services, but this possible limitation may be acceptable in some electronic appliances.

'The RPC strizcture allows services to be called/requested without the c a1 1~ng process having to know or specify where the service is physically provided, what system or device will service the request, or how the service request will be fulfilled. This feature supports famili.es of services that may be scaled and/or customized for specific applications. Service requests can be forwarded and serviced by different processors and/or different sites as easily as they can be forwarded and serviced by a local service system. Since the same RPC interface is used by ROS

602 in the preferred embodiment to request services within and outside of the operating system, a request for distributed and/or remote processing incurs substantially no additional operating system overhead. Remote processing is easily and simply integrated as part of the same service calls used by ROS 602 for requesting local-based services. In addition, the use of a standard RPC intei-face ("RSI") allows ROS 602 to be modularized, with t;he different modules presenting a standardized interface to the remainder of the operating system.
Such modularization and standardized interfacing permits different vendors/operating system programmers to create } different portions of the operating system independently, and also allows the func:tionality of ROS 602 to be flexibly updated and/or changed based on different requirements and/or platforms.
RPC manager 732 manages the RPC interface. It receives service requests in the form of one or more "Remote Procedure Calls" (RPCs) from a service requestor, and routes the service requests to a service provider(s) that can service the request. For example, when rights operating system 602 receives a request from a user application via user API 682, RPC manager 732 may route the service request to an appropriate service through the "RPC service interface" ("RSI"). The RSI is an interface between RPC manager 732, service requestors, and a resource that will accept and service requests.

The RPC interface (RSI) is used for several major ROS 602 subsystems in the preferred embodiment.

RPC services provided by ROS 602 in the preferred embodiment are divided into subservices, i.e., individual instances of a specific service each of which may be tracked individually by the RPC manager 732. This mechanism permits multiple instances of a specific service on higher throughput WO 96/27155 PCTlUS96102303 systems while maintai_n.ing a common interface across a spectrum of implementations. The subservice concept extends to " supporting multiple processors, multiple SPEs 503, multiple HPEs 655, and mul-tiple communications services.

The preferred embodiment ROS 602 provides the following RPC based service providers/requestors (each of which have an RPC in:terface or "RSI" that communicates with RPC manager 732):

SPE device cb:-lver 736 (this SPE device driver is connected to an SPE 503 in the preferred embodiment);

IiPE Device I)river 738 (this HPE device driver is connected to an IIPE 738 in the preferred embodiment);

Notification Service 740 (this notification service is connected to user notification interface 686 in the preferred embodiment);

API Service 742 (this API service is connected to user API
682 in t;he preferred embodiment;

Redirector 684;

Secure Database (File) Manager 744 (this secure database or file manager 744 may connect to and interact with commercial database manager 730 and secure files 610 through a cache manager 746, a database interface 748, and a database driver 750);
Name Services Manager 752;

Outgoing Administrative Objects Manager 754;
Incoming Administrative Objects Manager 756;

a Gateway 734 to object switch 734 (this is a path used to allow direct communication between RPC manager 732 and Object Switch 734); and Communications Manager 776.

The types of services provided by HPE 655, SPE 503, User Notification 686, API 742 and Redirector 684 have already been described above. Here is a brief description of the type(s) of services provided by OS resources 744, 752, 754, 756 and 776:
Secure Database Manager 744 services requests for access to secure database 610;

Name Services Manager 752 services requests relating to user, host, or service identification;

Qutgoing Admi_nistrative Objects Manager 754 services requests relating to outgoing administrative objects;

_ Incoming AdminiGtrative Objects Manager 756 services requests relating to incoming administrative objects;
and .ommuni.cations Manae'er 776 services requests relating to communications between electronic appliance 600 and the outside world.

Object Switch 734 Object switch 734 handles, controls and communicates (both locally and remotely) VDE objects 300. In the preferred embodiment, the object switch may include the following elements:

a stream router 758;

a real time stream interface(s) 760 (which may be connected to real time data feed(s) 694);

a time dependent stream interface(s) 762;
a intercept 692;

a container manager 764;

one or more routing tables 766; and buffering/storage 768.

Sf,ream router 758 routes to/from "real time" and "time independent" data streams handled respectively by real time stream interface(s) 760 and time dependent stream interface(s) 762. Intercept 692 intercepts I/O requests that involve real-time information streams such as, for example, real time feed 694.
The routing performed by stream router 758 may be determined by routing tables 766. Buffering/storage 768 provides temporary store-and-forward, buffering and related services. Container manager 764 may (typically in conjunction with SPE 503) perform processes on VDE objects 300 such as constructing, deconstructing, and locating portions of objects.

Object switch 734 communicates through an Object Switch Interface ("OSI") with other parts of ROS 602. The Object Switch Interface may resemble, for example, the interface for a Unix socket in the preferred embodiment. Each of the "OSI" interfaces shown in Figure 12 have the ability to communicate with object switch 734.

ROS 602 includes the following object switch service providers/resources (each of which can communicate with the object switch 734 through an "OSI"): =
Outgoing Administrative Objects Manager 754;

Incoming Administrative Objects Manager 756;

; Gateway 734. (which may translate RPC calls into object switch calls and vice versa so RPC manager 732 may commtuiicate with object switch 734 or any other element having an OSI to, for example, provide and/or request services);
External Services Manager 772;
Object Submittal Manager 774; and Communications Manager 776.

Briefly, Object Repository Manager 770 provides services relating to access to object repository 728;

External Services Manager 772 provides services relating to requesting and receiving services externally, such as froin a network resource or another site;

QbJect Subnlittal Manager 774 provides services relating to how a user application may interact with object switch 734 (since the object submittal manager provides an interface to an application program 608, it coul.d be considered part of user API 682); and (;ommunications Manager 776 provides services relating to communicating with the outside world.

In the preferred embodiment, communications manager 776 may include a network manager 780 and a mail gateway (manager) 782. Mail gateway 782 may include one or more mail filters 784 to, for example, automatically route VDE related electronic mail between object switch 734 and the outside world electronic mail services. External Services Manager 772 may interface to communications manager 776 through a Service Transport Layer 786. Service Transport Layer 786a may enable External Services Manager 772 to communicate with external computers and systems using various protocols managed using the service transport layer 786.

The characteristics of and interfaces to the various subsystems of ROS 680 shown in Figure 12 are described in more detail below.

RPC Manager 732 and Its RPC Services Interface As discussed above, the basic system services provided by ROS 602 are invoked by using an RPC service interface (RSI).
This RPC service interface provides a generic, standardized interface for different services systems and subsystems provided by ROS 602.

-- --- -WO 96l27155 PCT/US96102303 l3,PC Manage:r 732 routes RPCs requesting services to an appropriate RPC service interface. In the preferred embodiment, upon receiving an R:PC call, RPC manager 732 determines one or more service managers that are to service the request. RPC

manager 732 then routes a service request to the appropriate service(s) (via a RSI: associated with a service) for action by the appropriate service manager(s).

]Eor example, if a SPE 503 is to service a request, the RPC
Manager 732 routes the request to RSI 736a, which passes the request on to SPE device driver 736 for forwarding to the SPE.
Similarly, if HPE 655 is to service the request, RPC Manager 732 routes the request to RSI 738a for forwarding to a HPE. In one preferred embodiment, SPE 503 and HPE 655 may perform essentially the same services so that RSIs 736a, 738a are different instances of the same RSI. Once a service request has been received by SPE 503 (or HPE 655), the SPE (or HPE) typically dispatches the request internally using its own internal RPC manager (as will be discussed shortly). Processes within SPEs 503 and IIPEs 655 can also generate RPC requests. These requests may be processed internally by a SPE/HPE, or if not WO 96/27155 PCT/US96l02303 internally serviceable, passed out of the SPE/HPE for dispatch by RPC Manager 732.

Remote (and local) procedure calls may be dispatched by a 5 RPC Manager 732 using an "RPC Services Table." An RPC

Services Table describes where requests for specific services are to be routed for processing. Each row of an RPC Services Table in the preferred embodiment contains a services ID, the location of the service, and an address to which control will be passed to service a request. An RPC Services Table may also include control information that indicates which instance of the RPC
dispatcher controls the service. Both RPC Manager 732 and any attached SPEs 503 and HPEs 655 may have symmetric copies of the RPC Services Table. If an RPC service is not found in the RPC services tables, it is either rejected or passed to external services manager 772 for remote servicing.

Assum?ng RPC manager 732 finds a row corresponding to the request in an RPC Services Table, it may dispatch the request to an appropriate RSI. The receiving RSI accepts a request from the RPC manager 732 (which may have looked up the request in an RPC service table), and processes that request WO 96129155 PCTlUS96102303 in accordance with internal priorities associated with the specific service.

In the preferred embodiment, RPC Service Interface(s) supported by RPC Manager 732 may be standardized and published to support add-on service modules developed by third party vendors, and to facilitate scalability by making it easier to program ROS 602. The preferred embodiment RSI closely follows the DOS and Unix device driver models for block devices so that common code may be developed for many platforms with minimuln effort. An example of one possible set of common entry points are listed below in the table.

Interface call Description SVC LOAD Load a service manager and return its status.
SVC UNLOAD Unload a service manager.

SVC_MOUNT Mount (load) a dynamically loaded subservice and return its status.

SVC UNMOUNT Unmount (unload) a dynamically subservice.
SVC OPEN Open a mounted subservice.

SVCCLOSE Close a mounted subservice.

SVC READ Read a block from an opened subservice.

SVC WRITE Write a block to an o ened subservice.

SVC IOCTL Control a subservice or a service manager.
Load 5 In the preferred embodiment, services (and the associated RSIs they present to RPC manager 732) may be activated during boot by an installation boot process that issues an RPC LOAD.
This process reads an RPC Services Table from a configuration file, loads the service module if it is run time loadable (as opposed to being a kernel linked device driver), and then calls the LOAD
entry point for the service. A successful return from the LOAD
entry point will indicate that the service has properly loaded and is ready to accept requests.

RPC LOAD Call Example: SVC_LOAD (long service_id) This LOAD interface call is called by the RPC manager 732 during rights operating system 602 initialization. It permits a service manager to load any dynamically loadable components and to initialize any device and memory required by the service.

The service number that the service is loaded as is passed in as service_id parameter. In the preferred embodiment, the service ---returns 0 is the initialization process was completed successfully or an error number if some error occurred.
Mount Once a service has been loaded, it may not be fully functional for all subservices. Some subservices (e.g., commuiaications based services) may require the establishment of additional connections, or they may require additional modules to be loaded. If the service is defined as "mountable," a RPC

manager 732 will ca:Ll the MOUNT subservice entry point with the requested subsei:-vice IID prior to opening an instance of a subservice.

RPC MOLTNT Call Example:

SVC_MOUNZ' (long service_id, long subservice_id, BYTE
*buffer) This MOIJNT interface call instructs a service to make a specific subservice ready. This may include services related to networ].=g, commuiaications, other system services, or external resources. The service_id and subservice_id parameters may be } specific to the specific service being requested. The buffer parameter is a memory address that references a control structure appropriate to a specific service.
.
Open Once a service is loaded and "mounted," specific instances of a service may be "opened" for use. "Opening" an instance of a service may allocate memory to store control and status information. For example, in a BSD socket based network connection, a LOAD call wiIl initialize the software and protocol control tables, a MOUNT call will specify networks and hardware resources, and an OPEN wiIl actually open a socket to a remote installation.

Some services, such as commercial database manager 730 that underlies the secure database service, may not be "mountable." In this case, a LOAD call will make a connection to a database manager 730 and ensure that records are readable.
An OPEN call may create instances of internal cache manager 746 for various classes of records.

RPC OPEN Call Example:
.
SVC_OPEN (long service_id, long subservice_id, BYTE

*buffer, int (*receive) (long request id)) This OPEN interface call instructs a service to open a specific subservice. The service_id and subservice_id parameters are specific to the specific service being requested, and the buffer parameter is a memory address that references a control structure appropriate to a specific service.

The optional i-eceive parameter is the address of a notification callback. function that is called by a service whenever a message is ready for the service to retrieve it. One call to this address is made for each incoming message received. If the caller passes a NULL to the interface, the software will not generate a callback for each message.

Close, Unmount and Unload The converse of the OPEN, MOUNT, and LOAD calls are CLOSE, UNMOUNT, and UNLOAD. These interface calls release any allocated resources back to ROS 602 (e.g., memory manager 680a).

RPC CLOSE Call Example: SVC_CLOSE (long svc_handle) This LOAD interface call closes an open service "handle."
A service "handle" describes a service and subservice that a user wants to close. The call returns 0 if the CLOSE request succeeds (and the handle is no longer valid) or an error number.

RPC tJNLOAD Call Example: SVC UNLOAD (void) This ITNLOAD interface call is called by a RPC manager 732 during shutdown or resource reallocation of rights operating system 602. It permits a service to close any open connections, flush buffers, and to release any operating system resources that it may have allocated. The service returns 0.

RPC UNMOUNT CaII Example: SVC_UNMOUNT (long service_id, long subservice_id) This UNMOIJNT interface call instructs a service to deactivate a specific subservice. The service_id and subservice_id parameters are specific to the specific service being requested, and must have been previously mounted using the SVC_MOIJNT() request. The call releases all system resources associated with the subservice before it returns.

WO 96/27155 PCTlUS96/02303 Read and Write The READ and WR.ITE calls provide a basic mechanism for sending i-nformatiori to and receiving responses from a mounted and opened service. For example, a service has requests written to it in the form of an RPC request, and makes its response available to be read by RPC Manager 732 as they become available.

RPC READ Call Es,ample:

SVC_READ (long svc handle, long request_id, BYTE
*buffer, long size) 'I'hnss READ call reads a message response from a service.
The svc handle and request_id parameters uniquely identify a request. The results of a request will be stored in the user specified buffer up to size bytes. If the buffer is too small, the first size bytes of the message will be stored in the buffer and an error vvill be returned.

If a message response was returned to the caller's buffer correctly, the function wiIl return 0. Otherwise, an error message will be returned.

RPC WRITE Call Example:

SVC_write (long service_id, long subservice_id, BYTE
*buffer, long size, int (*receive) (long request_id) This WRITE call writes a message to a service and subservice specified by the service_id/subservice_id parameter pair. The message is stored in buffer (and usually conforms to the VDE RPC message format) and is size bytes long. The function returns the request id for the message (if it was accepted for sending) or an error number. If a user specifies the receive callback functions, all messages regarding a request will be sent to the request specific callback routine instead of the generalized message callback.

Input/Output Control The IOCTL ("Input/Output ConTroL") call provides a mechanism for querying the status of and controlling a loaded service. Each service type will respond to specific general IOCTL
requests, all required class IOCTL requests, and service specific IOCTL requests.

t _ wo 96127155 PCTlUS96102303 RPC IQ-CTL Call Example: ROI_SVC_IOCTL (long service_id, long subservice_id, int command, BYTE *buffer) This IOCTL fiznction provides a generalized control interface for a RSI. A user specifies the service_id parameter and an optional subservice_id parameter that they wish to control. They specify the control command parameter(s), and a buffer into/from which the command parameters may be written/read. An example of a list of commands and the appropriate buffer structures are given below.
Command Structure Description GET_INFO SVC_INP'O Returns information about a service/subservice.
GET_STATS SVC_STATS Returns current statistics about a service/subservice.

CLR STATS None Clears the statistics about a service/subservice.
= 20 Now that a generic RPC Service Interface provided by the preferred embodiment has been described, the following description relates to particular examples of services provided by ROS 602.

SPE Device Driver 736 SPE device driver 736 provides an interface between ROS
602 and SPE 503. Since SPE 503 in the preferred embodiment runs within the confines of an SPU 500, one aspect of this device driver 736 is to provide low level communications services with the SPU 500 hardware. Another aspect of SPE device driver 736 is to provide an RPC service interface (RSI) 736a particular to SPE 503 (this same RSI may be used to communicate with HPE
655 through HPE device driver 738).

SPE RSI 736a and driver 736 isolates calling processes within ROS 602 (or external to the ROS) from the detailed service provided by the SPE 503 by providing a set of basic interface points providing a concise function set. This has several advantages. For example, it permits a full line of scaled SPUs 500 that all provide common functionality to the outside world but which may differ in detailed internal structure and =
architecture. SPU 500 characteristics such as the amount of memory resident in the device, processor speed, and the number WO 96127155 PCTlUS96f02303 of services supported within SPU 500 may be the decision of the specific SPU manufacturer, and in any event may differ from one SPU configuration to another. To maintain compatibility, SPE
device driver 736 and the RSI 736a it provides conform to a basic common RPC interface standard that "hides" differences between detailed configurations of SPUs 500 and/or the SPEs 503 they may support.

To provide for such compatibility, SPE RSI 736a in the preferred embodiment follows a simple block based standard. In the preferred embodiment, an SPE RSI 736a may be modeled after the packet interfaces for network Ethernet cards. This standard closely models the block mode interface characteristics of SPUs 500 in the preferred embodiment.

An SPE RSI 736a allows RPC calls from RPC manager 732 to access specific sei-vices provided by an SPE 736. To do this, SPE RSI 736a provides a set of "service notification address interfaces." These provide interfaces to individual services provided by SPE 503 to the outside world. Any calling process within ROS 602 may access these SPE-provided services by directing an RPC call to SPE RSI 736a and specifying a corresponding "service notification address" in an RPC call. The specified "service notification address" causes SPE 503 to internally route an RPC call to a particular service within an SPE. The following is a listing of one example of a SPE service =
breakdown for which individual service notification addresses may be provided:

Channel Services Manager Authentication Manager/Secure Communications Manager Secure Database Manager The Channel Services Manager is the principal service provider and access point to SPE 503 for the rest of ROS 602.
Event processing, as wiIl be discussed later, is primarily managed (from the point of view of processes outside SPE 503) by this service. The Authentication Manager/Secure Communications Manager may provide login/logout services for users of ROS 602, and provide a direct service for managing communications (typically encrypted or otherwise protected) related to component assemblies 690, VDE objects 300, etc.

Requests for display of information (e.g., value remairung in a financial budget) may be provided by a direct service request to a Secure Database Manager inside SPE 503. The instances of _ WO 96/27155 PCd'/US96/02303 Authentication Manager/Secure Communications Manager and Secure Database Manager, if available at all, may provide only a subset of the information and/or capabilities available to processes operating inside SPE 503. As stated above, most (potentially all) service requests entering SPE are routed to a Channel Services Manager for processing. As will be discussed in more detail later on, most control structures and event processing logic is associated with component assemblies 690 under the management of a Channel Services Manager.

The SPE 503 must be accessed through its associated SPE
driver 736 in this example. Generally, calls to SPE driver 736 are made in response to RPC calls. In this example, SPE driver RSI 736a may translate RPC calls directed to control or ascertain information about SPE driver 736 into driver calls. SPE driver RSI 736a in conjunction with driver 736 may pass RPC calls directed to SPE 503 through to the SPE.

'Phe following table shows one example of SPE device driver 736 calls:

Entry Point Description SPE_i_nfo() Returns summary information about the SPE driver 736 (and SPE 503) . I
SPE_initialize_interface() Initializes SPE driver 736, and sets the default notification address for received packets.

SPE_terminate_interface() Terminates SPE driver 736 and resets SPU 500 and the driver 736.
SPE_reset_interface() Resets driver 736 without resetting SPU
500.
SPE_get_stats() Return statistics for notification addresses and/or an entire driver 736.

SPE_clear_stats() Clears statistics for a specific notification address and/or an entire driver 736.

SPE_set_notify() Sets a notification address for a specific service ID.

SPE-get_notify() Returns a notification address for a s ecific service ID.

SPE_tx pkt() Sends a packet (e.g., containing an RPC
call) to SPE 503 for rocessin .

The following are more detailed examples of each of the SPE driver calls set forth in the table above.

WO 96127155 PCTlUS96102303 Example of an "SPE Information'Driver Call: SPE_info (void) This function returns a pointer to an SPE_INFO data structure that defines the SPE device driver 736a. This data structure may provide certain information about SPE device driver 736, RSI 736a and/or SPU 500. An example of a SPE INFO structure is described below:
Version Number/ID for SPE
Device Driver 736 Version Number/ID for SPE
Device Driver RSI 736 Pointer -to name of SPE Device Driver 736 Pointer to ID name of SPU 500 Functionality Code Describing SPE Capabilities/functionality Example of an SPE "Initialize Interface'Driver Call:
SPE_initialize_inte:rface (int (fcn *receiver)(void)) A receiver fiuiction passed in by way of a parameter will be called for all packets received from SPE 503 unless their destination service is over-ridden using the set_notify() call. A
receiver function allows ROS 602 to specify a format for packet communication between RPC manager 732 and SPE 503.

This function returns "0" in the preferred embodiment if the initialization of the interface succeeds and non-zero if it fails.
If the function fails, it wiIl return a code that describes the reason for the failure as the value of the function.

Example of an SPE "Terminate Iaterface'Driver Call:
SPE_terminate_interface (void) In the preferred embodiment, this function shuts down SPE Driver 736, clears all notification addresses, and terminates aIl outstanding requests between an SPE and an ROS RPC

manager 732. It also resets an SPE 503 (e.g., by a warm reboot of SPU 500) after all requests are resolved.

Termination of driver 736 should be performed by ROS 602 when the operating system is starting to shut down. It may also be necessary to issue this call if an SPE 503 and ROS 602 get so far out of synchronization that all processing in an SPE must be reset to a known state.

Example of an SPE "Reset Interface'Driver Call:
SPE_reset_interface (void) ',I'hi.s function resets driver 736, terminates all outstanding requests between SPE 503 and an ROS RPC manager 732, and clears all statistics counts. It does not reset the SPU 500, but simply restores driver 736 to a known stable state.

Example of an SPE "Get Statistics'Driver Call: SPE_get_stats (long service_id) 'I'ha.s function. returns statistics for a specific service notification interface or for the SPE driver 736 in general. It returns a pointer to a static buffer that contains these statistics or NULL if statistics are unavailable (either because an interface is not imitialized or because a receiver address was not specified).
An example of the SPE_STATS structure may have the following definition:

Service id # ackets rx # packets tx #b -esrx # errors rx # errors tx # requests tx # re tx com leted # re tx cancelled # req rx # re rx completed # req rx cancelled If a user specifies a service ID, statistics associated with packets sent by that service are returned. If a user specified 0 as the parameter, the total packet statistics for the interface are returned.

Example of an SPE "Clear Statietics'Driver Call:
SPE_clear stats (long service_id) This function clears statistics associated with the SPE
service_id specified. If no service_id is specified (i.e., the caller passes in 0), global statistics will be cleared. The function returns 0 if statistics are successfully cleared or an error number =
if an error occurs.

WO 96127155 PCTlUS96102303 Example of an SPE "Set Notification Address'Driver Call:
SPE_set_notify (long service_id, int (fcn*receiver) (void)) This ffiinction sets a notification address (receiver) for a specified service. If the notification address is set to NULL, SPE
device driver 736 will send notifications for packets to the specified service to the default notification address.
Example of a SPE "Get Not,ii'ication Address'Driver Call:
SPE_get_notify (Iong service_id) This function returns a notification address associated with the named serviice or NULL if no specific notification address has been specified.

Example of an SPE "Send Packet'Driver Call:

send pkt (BY7.'E *buffer, long size, int (far *receive) (void)) This function sends a packet stored in buffer of "length"
size. It returns 0 if the packet is sent successfuIly, or returns an error code associated with the failure.

Redirector Service Manager 684 The redirector 684 is a piece of systems integration software used principally when ROS 602 is provided by "adding on" to a pre-existing operating system or when "transparent"
operation is desired for some VDE functions, as described earlier.

In one embodiment the kernel 680, part of communications manager 776, file system 687, and part of API service 742 may be =

part of a pre-existing operating system such as DOS, Windows, IJNIX, Macintosh System, OS9, PSOS, OS/2, or other operating system platform. The remainder of ROS 602 subsystems shown in Figure 12 may be provided as an "add on" to a preexisting operating system. Once these ROS subsystems have been supplied and "added on," the integrated whole comprises the ROS
602 shown in Figure 12.

In a scenario of this type of integration, ROS 602 will continue to be supported by a preexisting OS kernel 680, but may supplement (or even substitute) many of its functions by providing additional add-on pieces such as, for example, a virtual memory manager.

Also in this integration scenario, an add-on portion of API
service 742 that integrates readily with a preexisting API service is provided to support VDE function calls. A pre-existing API
service integrated with an add-on portion supports an enhanced DEMANDES OU BREVETS VOLUMINEUX

LA PRESENTE PARTIE DE CETTE DEMANDE OU CE BREVET
COMPREND PLUS D'UN TOME.

CECI EST LE TOME I" DE L4 NOTE: Pour les tomes additionels., veuiliez contacter le Bureau canadien des brevets JIJMBO APPLiCATIONSMATENTS

THIS SECTION OF THE APPLICATION/PATENT CONTAINS MORE
THAN ONE VOLUME

= THiS IS VOLIUME OF

NOTE: For additional voiumes "pi'ease cantact'the Canadian Patent Ofiftce

Claims (8)

1. A method for secure content delivery including:
encapsulating digital information within one or more digital containers;
encrypting at least one portion of said digital information;
associating, with said encrypted digital information, at least partially secure control information configured for use by an electronic appliance associated with a digital information user to limit decryption of said encrypted one or more portions of said digital information unless said electronic appliance satisfies one or more conditions, the electronic appliance including at least one protected processing environment;
delivering one or more of said one or more digital containers to said electronic appliance; and wherein said at least one protected processing environment is configured to securely control decryption of said encrypted one or more portions of said digital information in accordance with said control information.
2. A system for secure content delivery including:
encrypting means for encrypting at least one portion of digital information;
container processing means for encapsulating said digital information within one or more digital containers and for associating with said digital information at least partially secure control information configured for use by an electronic appliance associated with a digital information user to limit decryption of said encrypted one or more portions of said digital information, the electronic appliance including at least one protected processing environment; and;
delivery means for delivering one or more of said one or more digital containers and said control information to said electronic appliance, wherein said at least one protected processing environment is configured to securely control decryption of said encrypted one or more portions of said digital information in accordance with said control information.
3. A method of information management characterized by steps of creating at least one smart object at a first location, protecting at least a portion of said smart object including protecting at least one control assigned to said smart object, distributing said at least one smart object to at least one second location, securely processing at least a portion of the contents of said at least one smart object at said at least one second location in accordance with at least a portion of at least one said assigned to said smart object.
4. An information management system characterized by:
means for creating at least one smart object at a first location, means for protecting at least a portion of said smart object including means for protecting at least one rule and/or control assigned to said smart object, means for distributing said at least one smart object to at least one second location, and means for securely processing at least a portion of the contents of said at least one smart object at said at least one second location in accordance with at least a portion of at least one said rule and/or control assigned to said smart object.
5. A method of protecting digital information characterized by steps of encrypting at least a portion of the information, using a rights management language to describe the conditions related to use of the information, distributing at least a portion of such information and at least a portion of such rights language expressed conditions to one or more recipients, using an electronic appliance arrangement including at least one protected processing arrangement to securely govern at least a portion of the use of such information.
6. A system for protecting digital information characterized by: means for encrypting at least a portion of the information, means for using a rights management language to describe the conditions related to use of the information, means for distributing at least a portion of such information and at least a portion of such rights language expressed conditions to one or more recipients, and an electronic appliance arrangement including at least one protected processing arrangement for securely governing at least a portion of the use of such information.
7. A distributed digital information management system comprising software components, a rights management language for expressing processing relationships between two or more of the software components, protected processing means for at least a portion of the software components and at least a portion of the rights management expressions, means for protecting content, means for creating software objects that relate protected content to rights management expressions, and means for delivering protected content, rights management expressions, and such software objects from a providing location to a user's location.
8. A distributed digital information management method comprising:
expressing, in a rights management language, processing relationships between two or more of the software components, processing, within at least one protected environment, at least a portion of the software components and at least a portion of the rights management expressions, protecting content, creating software objects that relate protected content to rights management expressions, and delivering protected content, rights management expressions, and such software objects from a providing location to a user's location.
CA 2212574 1995-02-13 1996-02-13 Systems and methods for secure transaction management and electronic rights protection Expired - Lifetime CA2212574C (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US38810795 true 1995-02-13 1995-02-13
US08/388,107 1995-02-13
PCT/US1996/002303 WO1996027155A3 (en) 1995-02-13 1996-02-13 Systems and methods for secure transaction management and electronic rights protection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CA 2683230 CA2683230C (en) 1995-02-13 1996-02-13 Systems and methods for secure transaction management and electronic rights protection

Publications (2)

Publication Number Publication Date
CA2212574A1 true CA2212574A1 (en) 1996-09-06
CA2212574C true CA2212574C (en) 2010-02-02

Family

ID=23532729

Family Applications (2)

Application Number Title Priority Date Filing Date
CA 2212574 Expired - Lifetime CA2212574C (en) 1995-02-13 1996-02-13 Systems and methods for secure transaction management and electronic rights protection
CA 2683230 Expired - Lifetime CA2683230C (en) 1995-02-13 1996-02-13 Systems and methods for secure transaction management and electronic rights protection

Family Applications After (1)

Application Number Title Priority Date Filing Date
CA 2683230 Expired - Lifetime CA2683230C (en) 1995-02-13 1996-02-13 Systems and methods for secure transaction management and electronic rights protection

Country Status (7)

Country Link
US (33) US5910987A (en)
EP (11) EP1515216B1 (en)
JP (33) JPH10512074A (en)
CN (13) CN1912885B (en)
CA (2) CA2212574C (en)
DE (3) DE69637733D1 (en)
WO (1) WO1996027155A3 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105139225A (en) * 2015-08-17 2015-12-09 北京京东世纪贸易有限公司 Method and apparatus for determining the behavior capability grade of user

Families Citing this family (3802)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8352400B2 (en) 1991-12-23 2013-01-08 Hoffberg Steven M Adaptive pattern recognition based controller apparatus and method and human-factored interface therefore
US5903454A (en) 1991-12-23 1999-05-11 Hoffberg; Linda Irene Human-factored interface corporating adaptive pattern recognition based controller apparatus
US7904187B2 (en) 1999-02-01 2011-03-08 Hoffberg Steven M Internet appliance system and method
US6418424B1 (en) 1991-12-23 2002-07-09 Steven M. Hoffberg Ergonomic man-machine interface incorporating adaptive pattern recognition based control system
US7251624B1 (en) 1992-09-08 2007-07-31 Fair Isaac Corporation Score based decisioning
US6633861B2 (en) * 1993-03-19 2003-10-14 Ricoh Company Limited Automatic invocation of computational resources without user intervention across a network
US6193520B1 (en) * 1993-05-10 2001-02-27 Yugengaisha Adachi International Interactive communication system for communicating video game and karaoke software
US6744906B2 (en) 1995-05-08 2004-06-01 Digimarc Corporation Methods and systems using multiple watermarks
US6804376B2 (en) 1998-01-20 2004-10-12 Digimarc Corporation Equipment employing watermark-based authentication function
US7724919B2 (en) * 1994-10-21 2010-05-25 Digimarc Corporation Methods and systems for steganographic processing
US6760463B2 (en) 1995-05-08 2004-07-06 Digimarc Corporation Watermarking methods and media
US6122403A (en) 1995-07-27 2000-09-19 Digimarc Corporation Computer system linked by using information in data objects
US5768426A (en) 1993-11-18 1998-06-16 Digimarc Corporation Graphics processing system employing embedded code signals
US5748763A (en) 1993-11-18 1998-05-05 Digimarc Corporation Image steganography system featuring perceptually adaptive and globally scalable signal embedding
US6505160B1 (en) 1995-07-27 2003-01-07 Digimarc Corporation Connected audio and other media objects
US6778682B2 (en) 1994-10-21 2004-08-17 Digimarc Corporation Redundantly embedding auxiliary data in source signals
US7095871B2 (en) * 1995-07-27 2006-08-22 Digimarc Corporation Digital asset management and linking media signals with related data using watermarks
US6449377B1 (en) * 1995-05-08 2002-09-10 Digimarc Corporation Methods and systems for watermark processing of line art images
US7224819B2 (en) * 1995-05-08 2007-05-29 Digimarc Corporation Integrating digital watermarks in multimedia content
US7313251B2 (en) * 1993-11-18 2007-12-25 Digimarc Corporation Method and system for managing and controlling electronic media
US7555139B2 (en) 1995-05-08 2009-06-30 Digimarc Corporation Secure documents with hidden signals, and related methods and systems
US6882738B2 (en) * 1994-03-17 2005-04-19 Digimarc Corporation Methods and tangible objects employing textured machine readable data
US6611607B1 (en) 1993-11-18 2003-08-26 Digimarc Corporation Integrating digital watermarks in multimedia content
US6721440B2 (en) 1995-05-08 2004-04-13 Digimarc Corporation Low visibility watermarks using an out-of-phase color
US7515733B2 (en) * 1993-11-18 2009-04-07 Digimarc Corporation Methods and arrangements employing digital content items
US8290202B2 (en) 1998-11-03 2012-10-16 Digimarc Corporation Methods utilizing steganography
US7620200B2 (en) * 1995-05-08 2009-11-17 Digimarc Corporation Authentication of identification documents
US6345104B1 (en) * 1994-03-17 2002-02-05 Digimarc Corporation Digital watermarks and methods for security documents
US6614914B1 (en) * 1995-05-08 2003-09-02 Digimarc Corporation Watermark embedder and reader
US7676059B2 (en) * 1994-10-21 2010-03-09 Digimarc Corporation Video steganography or encoding
US7054462B2 (en) 1995-05-08 2006-05-30 Digimarc Corporation Inferring object status based on detected watermark data
US7006661B2 (en) 1995-07-27 2006-02-28 Digimarc Corp Digital watermarking systems and methods
US8505108B2 (en) * 1993-11-18 2013-08-06 Digimarc Corporation Authentication using a digital watermark
US7171016B1 (en) * 1993-11-18 2007-01-30 Digimarc Corporation Method for monitoring internet dissemination of image, video and/or audio files
US7986806B2 (en) * 1994-11-16 2011-07-26 Digimarc Corporation Paper products and physical objects as means to access and control a computer or to navigate over or act as a portal on a network
US9630443B2 (en) * 1995-07-27 2017-04-25 Digimarc Corporation Printer driver separately applying watermark and information
US20020136429A1 (en) * 1994-03-17 2002-09-26 John Stach Data hiding through arrangement of objects
US6763123B2 (en) 1995-05-08 2004-07-13 Digimarc Corporation Detection of out-of-phase low visibility watermarks
US6560349B1 (en) 1994-10-21 2003-05-06 Digimarc Corporation Audio monitoring using steganographic information
US6718046B2 (en) 1995-05-08 2004-04-06 Digimarc Corporation Low visibility watermark using time decay fluorescence
US6983051B1 (en) * 1993-11-18 2006-01-03 Digimarc Corporation Methods for audio watermarking and decoding
US6738495B2 (en) * 1995-05-08 2004-05-18 Digimarc Corporation Watermarking enhanced to withstand anticipated corruptions
US7024016B2 (en) 1996-05-16 2006-04-04 Digimarc Corporation Digital watermarking apparatus and methods
US6411725B1 (en) * 1995-07-27 2002-06-25 Digimarc Corporation Watermark enabled video objects
US8094949B1 (en) 1994-10-21 2012-01-10 Digimarc Corporation Music methods and systems
US6292828B1 (en) * 1994-02-23 2001-09-18 David L. Williams Trans-modal animated information processing with selective engagement
US6978036B2 (en) * 1998-07-31 2005-12-20 Digimarc Corporation Tamper-resistant authentication techniques for identification documents
US7321667B2 (en) * 2002-01-18 2008-01-22 Digimarc Corporation Data hiding through arrangement of objects
US7036019B1 (en) * 1994-04-01 2006-04-25 Intarsia Software Llc Method for controlling database copyrights
US6744894B1 (en) 1994-04-01 2004-06-01 Mitsubishi Corporation Data management system
JPH07271865A (en) * 1994-04-01 1995-10-20 Mitsubishi Corp Method for managing copyright of data base
US7181758B1 (en) 1994-07-25 2007-02-20 Data Innovation, L.L.C. Information distribution and processing system
US7991347B1 (en) 1994-04-07 2011-08-02 Data Innovation Llc System and method for accessing set of digital data at a remote site
US6473860B1 (en) * 1994-04-07 2002-10-29 Hark C. Chan Information distribution and processing system
US5694546A (en) 1994-05-31 1997-12-02 Reisman; Richard R. System for automatic unattended electronic information transport between a server and a client by a vendor provided transport software with a manifest list
EP1845527A3 (en) 1994-07-08 2012-04-25 Sony Corporation Receiving controlled-access broadcast signals
US7302415B1 (en) * 1994-09-30 2007-11-27 Intarsia Llc Data copyright management system
US8595502B2 (en) * 1995-09-29 2013-11-26 Intarsia Software Llc Data management system
US20070100757A1 (en) * 1999-05-19 2007-05-03 Rhoads Geoffrey B Content Protection Arrangements
DE69535013D1 (en) 1994-10-27 2006-07-06 Intarsia Software Llc Copyright data management system
EP0715241B1 (en) 1994-10-27 2004-01-14 Mitsubishi Corporation Apparatus for data copyright management system
US7801817B2 (en) * 1995-10-27 2010-09-21 Makoto Saito Digital content management system and apparatus
US6424715B1 (en) 1994-10-27 2002-07-23 Mitsubishi Corporation Digital content management system and apparatus
US20060271915A1 (en) * 2005-05-24 2006-11-30 Contentguard Holdings, Inc. Usage rights grammar and digital works having usage rights created with the grammar
JPH08263438A (en) 1994-11-23 1996-10-11 Xerox Corp Distribution and use control system for digital work, and method for controlling access to digital work
US20050289068A1 (en) * 1994-11-23 2005-12-29 Contentguard Holdings, Inc. Method and apparatus for tracking states of digital works
US20050149450A1 (en) * 1994-11-23 2005-07-07 Contentguard Holdings, Inc. System, method, and device for controlling distribution and use of digital works based on a usage rights grammar
US6963859B2 (en) 1994-11-23 2005-11-08 Contentguard Holdings, Inc. Content rendering repository
KR0152788B1 (en) 1994-11-26 1998-10-15 이헌조 Copy protecting method and apparatus of digital image system
US6515968B1 (en) 1995-03-17 2003-02-04 Worldcom, Inc. Integrated interface for real time web based viewing of telecommunications network call traffic
KR0136458B1 (en) 1994-12-08 1998-05-15 구자홍 Copy protection apparatus of digital magnetic recording and reproducing system
US7743248B2 (en) * 1995-01-17 2010-06-22 Eoriginal, Inc. System and method for a remote access service enabling trust and interoperability when retrieving certificate status from multiple certification authority reporting components
US7162635B2 (en) * 1995-01-17 2007-01-09 Eoriginal, Inc. System and method for electronic transmission, storage, and retrieval of authenticated electronic original documents
US5845281A (en) 1995-02-01 1998-12-01 Mediadna, Inc. Method and system for managing a data object so as to comply with predetermined conditions for usage
US7165174B1 (en) * 1995-02-13 2007-01-16 Intertrust Technologies Corp. Trusted infrastructure support systems, methods and techniques for secure electronic commerce transaction and rights management
CN1912885B (en) 1995-02-13 2010-12-22 英特特拉斯特技术公司 Systems and methods for secure transaction management and electronic rights protection
US7124302B2 (en) * 1995-02-13 2006-10-17 Intertrust Technologies Corp. Systems and methods for secure transaction management and electronic rights protection
US20060206397A1 (en) * 1995-02-13 2006-09-14 Intertrust Technologies Corp. Cryptographic methods, apparatus and systems for storage media electronic right management in closed and connected appliances
US6948070B1 (en) * 1995-02-13 2005-09-20 Intertrust Technologies Corporation Systems and methods for secure transaction management and electronic rights protection
US7133845B1 (en) * 1995-02-13 2006-11-07 Intertrust Technologies Corp. System and methods for secure transaction management and electronic rights protection
US7095854B1 (en) * 1995-02-13 2006-08-22 Intertrust Technologies Corp. Systems and methods for secure transaction management and electronic rights protection
US7133846B1 (en) * 1995-02-13 2006-11-07 Intertrust Technologies Corp. Digital certificate support system, methods and techniques for secure electronic commerce transaction and rights management
US7143290B1 (en) * 1995-02-13 2006-11-28 Intertrust Technologies Corporation Trusted and secure techniques, systems and methods for item delivery and execution
US6658568B1 (en) * 1995-02-13 2003-12-02 Intertrust Technologies Corporation Trusted infrastructure support system, methods and techniques for secure electronic commerce transaction and rights management
US7702540B1 (en) * 1995-04-26 2010-04-20 Ebay Inc. Computer-implement method and system for conducting auctions on the internet
US7647243B2 (en) * 1995-11-07 2010-01-12 Ebay Inc. Electronic marketplace system and method for creation of a two-tiered pricing scheme
US7937312B1 (en) * 1995-04-26 2011-05-03 Ebay Inc. Facilitating electronic commerce transactions through binding offers
US6804377B2 (en) 2000-04-19 2004-10-12 Digimarc Corporation Detecting information hidden out-of-phase in color channels
US8027509B2 (en) 2000-04-19 2011-09-27 Digimarc Corporation Digital watermarking in data representing color channels
US6891959B2 (en) * 2000-04-19 2005-05-10 Digimarc Corporation Hiding information out-of-phase in color channels
US8094869B2 (en) * 2001-07-02 2012-01-10 Digimarc Corporation Fragile and emerging digital watermarks
US7602940B2 (en) 1998-04-16 2009-10-13 Digimarc Corporation Steganographic data hiding using a device clock
US7213757B2 (en) 2001-08-31 2007-05-08 Digimarc Corporation Emerging security features for identification documents
US6912295B2 (en) * 2000-04-19 2005-06-28 Digimarc Corporation Enhancing embedding of out-of-phase signals
US8332478B2 (en) * 1998-10-01 2012-12-11 Digimarc Corporation Context sensitive connected content
US7738673B2 (en) * 2000-04-19 2010-06-15 Digimarc Corporation Low visible digital watermarks
US7537170B2 (en) * 2001-08-31 2009-05-26 Digimarc Corporation Machine-readable security features for printed objects
US8249936B1 (en) * 1995-05-10 2012-08-21 Taxnet Systems, Llc Point of tax reporting and automatic collection system with tax register
GB2300991B (en) * 1995-05-15 1997-11-05 Andrew Macgregor Ritchie Serving signals to browsing clients
US6549942B1 (en) 1995-05-25 2003-04-15 Audiohighway.Com Enhanced delivery of audio data for portable playback
US7272639B1 (en) * 1995-06-07 2007-09-18 Soverain Software Llc Internet server access control and monitoring systems
US9900305B2 (en) 1998-01-12 2018-02-20 Soverain Ip, Llc Internet server access control and monitoring systems
US5742845A (en) 1995-06-22 1998-04-21 Datascape, Inc. System for extending present open network communication protocols to communicate with non-standard I/O devices directly coupled to an open network
US7895076B2 (en) 1995-06-30 2011-02-22 Sony Computer Entertainment Inc. Advertisement insertion, profiling, impression, and feedback
US20020178051A1 (en) 1995-07-25 2002-11-28 Thomas G. Scavone Interactive marketing network and process using electronic certificates
US6650761B1 (en) * 1999-05-19 2003-11-18 Digimarc Corporation Watermarked business cards and methods
US6829368B2 (en) 2000-01-26 2004-12-07 Digimarc Corporation Establishing and interacting with on-line media collections using identifiers in media signals
US7406214B2 (en) * 1999-05-19 2008-07-29 Digimarc Corporation Methods and devices employing optical sensors and/or steganography
US7756892B2 (en) * 2000-05-02 2010-07-13 Digimarc Corporation Using embedded data with file sharing
US6522770B1 (en) 1999-05-19 2003-02-18 Digimarc Corporation Management of documents and other objects using optical devices
US20050160271A9 (en) * 1998-11-19 2005-07-21 Brundage Trent J. Identification document and related methods
US6687828B1 (en) * 1995-08-11 2004-02-03 Sony Corporation Method and apparatus for ciphering playback mode information for recording on record medium
US5774670A (en) 1995-10-06 1998-06-30 Netscape Communications Corporation Persistent client state in a hypertext transfer protocol based client-server system
US6807534B1 (en) * 1995-10-13 2004-10-19 Trustees Of Dartmouth College System and method for managing copyrighted electronic media
US7047241B1 (en) 1995-10-13 2006-05-16 Digimarc Corporation System and methods for managing digital creative works
US8271339B2 (en) 1995-11-13 2012-09-18 Lakshmi Arunachalam Method and apparatus for enabling real-time bi-directional transactions on a network
US8037158B2 (en) 1995-11-13 2011-10-11 Lakshmi Arunachalam Multimedia transactional services
US7930340B2 (en) * 1995-11-13 2011-04-19 Lakshmi Arunachalam Network transaction portal to control multi-service provider transactions
US5790785A (en) * 1995-12-11 1998-08-04 Customer Communications Group, Inc. World Wide Web registration information processing system
US6591245B1 (en) * 1996-02-02 2003-07-08 John R. Klug Media content notification via communications network
US6615251B1 (en) * 1995-12-11 2003-09-02 John R. Klug Method for providing node targeted content in an addressable network
US5778367A (en) 1995-12-14 1998-07-07 Network Engineering Software, Inc. Automated on-line information service and directory, particularly for the world wide web
US9519915B1 (en) 1996-12-23 2016-12-13 Catalina Marketing Corporation System and method for providing shopping aids and incentives to customer through a computer network
WO1997025798A1 (en) 1996-01-11 1997-07-17 Mrj, Inc. System for controlling access and distribution of digital property
US6301379B1 (en) * 1996-01-17 2001-10-09 Carreker-Antinori, Inc. Electronic check presentment systems and methods employing volatile memory datastore access techniques
US7664263B2 (en) 1998-03-24 2010-02-16 Moskowitz Scott A Method for combining transfer functions with predetermined key creation
USRE44151E1 (en) * 1996-01-31 2013-04-16 Marvell Israel (M.I.S.L) Ltd. Switching ethernet controller
US7577782B2 (en) * 1996-02-02 2009-08-18 Sony Corporation Application programming interface for data transfer and bus management over a bus structure
US20060265336A1 (en) * 1996-02-26 2006-11-23 Graphon Corporation Automated system for management of licensed digital assets
US6044205A (en) * 1996-02-29 2000-03-28 Intermind Corporation Communications system for transferring information between memories according to processes transferred with the information
US6233637B1 (en) * 1996-03-07 2001-05-15 Sony Corporation Isochronous data pipe for managing and manipulating a high-speed stream of isochronous data flowing between an application and a bus structure
US6519268B1 (en) 1996-03-07 2003-02-11 Sony Corporation Asynchronous data pipe for automatically managing asynchronous data transfers between an application and a bus structure
US5991876A (en) * 1996-04-01 1999-11-23 Copyright Clearance Center, Inc. Electronic rights management and authorization system
US5822436A (en) 1996-04-25 1998-10-13 Digimarc Corporation Photographic products and methods employing embedded information
CN1139067C (en) 1996-05-15 2004-02-18 英特托拉斯技术公司 Method for obtaining controlled content or information of DVD and method for operating DVD apparatus
US8103877B2 (en) 2000-12-21 2012-01-24 Digimarc Corporation Content identification and electronic tickets, coupons and credits
US20050271246A1 (en) * 2002-07-10 2005-12-08 Sharma Ravi K Watermark payload encryption methods and systems
US6804726B1 (en) 1996-05-22 2004-10-12 Geovector Corporation Method and apparatus for controlling electrical devices in response to sensed conditions
US7774230B2 (en) 1996-06-10 2010-08-10 Phoenix Licensing, Llc System, method, and computer program product for selecting and presenting financial products and services
US6999938B1 (en) 1996-06-10 2006-02-14 Libman Richard M Automated reply generation direct marketing system
CN1146178C (en) 1996-06-20 2004-04-14 普罗特格里特 诺狄克股份公司 Method and appts. for data processing
JP3093678B2 (en) * 1996-06-28 2000-10-03 株式会社東芝 Encryption method, decryption method, a recording and reproducing apparatus, decoding apparatus, a method of manufacturing the decoding unit apparatus and a recording medium
US6473407B1 (en) 1997-09-05 2002-10-29 Worldcom, Inc. Integrated proxy interface for web based alarm management tools
US20120166807A1 (en) 1996-08-12 2012-06-28 Intertrust Technologies Corp. Systems and Methods Using Cryptography to Protect Secure Computing Environments
US6157721A (en) * 1996-08-12 2000-12-05 Intertrust Technologies Corp. Systems and methods using cryptography to protect secure computing environments
US5943422A (en) 1996-08-12 1999-08-24 Intertrust Technologies Corp. Steganographic techniques for securely delivering electronic digital rights management control information over insecure communication channels
US8131007B2 (en) * 1996-08-30 2012-03-06 Regents Of The University Of Minnesota Watermarking using multiple watermarks and keys, including keys dependent on the host signal
US5892900A (en) * 1996-08-30 1999-04-06 Intertrust Technologies Corp. Systems and methods for secure transaction management and electronic rights protection
US7903029B2 (en) 1996-09-09 2011-03-08 Tracbeam Llc Wireless location routing applications and architecture therefor
US7714778B2 (en) 1997-08-20 2010-05-11 Tracbeam Llc Wireless location gateway and applications therefor
US9134398B2 (en) 1996-09-09 2015-09-15 Tracbeam Llc Wireless location using network centric location estimators
US6249252B1 (en) 1996-09-09 2001-06-19 Tracbeam Llc Wireless location using multiple location estimators
US9538493B2 (en) 2010-08-23 2017-01-03 Finetrak, Llc Locating a mobile station and applications therefor
US7764231B1 (en) 1996-09-09 2010-07-27 Tracbeam Llc Wireless location using multiple mobile station location techniques
US6236365B1 (en) 1996-09-09 2001-05-22 Tracbeam, Llc Location of a mobile station using a plurality of commercial wireless infrastructures
US5926624A (en) * 1996-09-12 1999-07-20 Audible, Inc. Digital information library and delivery system with logic for generating files targeted to the playback device
US7917643B2 (en) 1996-09-12 2011-03-29 Audible, Inc. Digital information library and delivery system
US20060280437A1 (en) * 1999-01-27 2006-12-14 Gotuit Media Corp Methods and apparatus for vending and delivering the content of disk recordings
US7055166B1 (en) * 1996-10-03 2006-05-30 Gotuit Media Corp. Apparatus and methods for broadcast monitoring
US20040255334A1 (en) * 2000-03-28 2004-12-16 Gotuit Audio, Inc. Methods and apparatus for seamlessly changing volumes during playback using a compact disk changer
US20030093790A1 (en) * 2000-03-28 2003-05-15 Logan James D. Audio and video program recording, editing and playback systems using metadata
US20040255330A1 (en) * 2000-03-28 2004-12-16 Gotuit Audio, Inc. CD and DVD players
US6275857B1 (en) * 1996-10-30 2001-08-14 Microsoft Corporation System and method for freeing shared resources in a computer system
US6912652B2 (en) 1996-11-08 2005-06-28 Monolith Co., Ltd. Method and apparatus for imprinting ID information into a digital content and for reading out the same
US20060020806A1 (en) * 1996-11-08 2006-01-26 Monolith Co., Ltd. Method and apparatus for imprinting ID information into a digital content and for reading out the same
US7627499B2 (en) * 1996-11-12 2009-12-01 Syncada Llc Automated transaction processing system and approach
US20080172314A1 (en) 1996-11-12 2008-07-17 Hahn-Carlson Dean W Financial institution-based transaction processing system and approach
US8396811B1 (en) * 1999-02-26 2013-03-12 Syncada Llc Validation approach for auditing a vendor-based transaction
US20070055582A1 (en) 1996-11-12 2007-03-08 Hahn-Carlson Dean W Transaction processing with core and distributor processor implementations
US8392285B2 (en) 1996-11-12 2013-03-05 Syncada Llc Multi-supplier transaction and payment programmed processing approach with at least one supplier
US6704118B1 (en) * 1996-11-21 2004-03-09 Ricoh Company, Ltd. Method and system for automatically and transparently archiving documents and document meta data
JP4497099B2 (en) * 1996-11-27 2010-07-07 ソニー株式会社 Information transmission apparatus
US8225089B2 (en) * 1996-12-04 2012-07-17 Otomaku Properties Ltd., L.L.C. Electronic transaction systems utilizing a PEAD and a private key
US6850916B1 (en) * 1998-04-27 2005-02-01 Esignx Corporation Portable electronic charge and authorization devices and methods therefor
EP0848337A1 (en) * 1996-12-12 1998-06-17 SONY DEUTSCHLAND GmbH Server with automatic document assembly
ES2256898T3 (en) * 1996-12-20 2006-07-16 Alza Corporation Gel composition and procedures.
RU2214697C2 (en) * 1996-12-24 2003-10-20 Экс Эр Ти Лимитед Method and device to generate image of change introduced by object into penetrating radiation
WO1998029974A1 (en) * 1996-12-25 1998-07-09 Sony Corporation Game machine system, broadcasting system, data distribution system and its method, and program executing device and its method
US6964611B2 (en) * 1996-12-30 2005-11-15 Walker Digital, Llc System and method for automated play of lottery games
US6460020B1 (en) 1996-12-30 2002-10-01 De Technologies, Inc. Universal shopping center for international operation
US7874914B2 (en) * 1996-12-30 2011-01-25 Igt System and method for communicating game session information
US7607981B2 (en) * 1996-12-30 2009-10-27 Walker Digital, Llc System and method for remote automated play of a gaming device
US9489800B2 (en) * 1996-12-30 2016-11-08 Igt Applications for gaming devices in a networked environment
US7806763B2 (en) * 1996-12-30 2010-10-05 Igt System and method for remote automated play of a gaming device
US20050021477A1 (en) * 1997-01-29 2005-01-27 Ganapathy Krishnan Method and system for securely incorporating electronic information into an online purchasing application
US6514461B1 (en) * 1997-02-14 2003-02-04 Escreen, Inc. System for automatically testing a fluid specimen
JPH10232878A (en) 1997-02-19 1998-09-02 Hitachi Ltd Document management method and device
US6014746A (en) * 1997-02-21 2000-01-11 Lockheed Martin Energy Research Corporation Workstation lock and alarm system
US20080016103A1 (en) * 1997-02-25 2008-01-17 Intertrust Technologies Corp. Techniques for Defining, Using and Manipulating Rights Management Data Structures
US5920861A (en) * 1997-02-25 1999-07-06 Intertrust Technologies Corp. Techniques for defining using and manipulating rights management data structures
US7062500B1 (en) * 1997-02-25 2006-06-13 Intertrust Technologies Corp. Techniques for defining, using and manipulating rights management data structures
JP2000122977A (en) * 1997-02-28 2000-04-28 Xerox Corp System for controlling distribution and use of digital work and supply method for water mark
US6233684B1 (en) 1997-02-28 2001-05-15 Contenaguard Holdings, Inc. System for controlling the distribution and use of rendered digital works through watermaking
US6401080B1 (en) * 1997-03-21 2002-06-04 International Business Machines Corporation Intelligent agent with negotiation capability and method of negotiation therewith
JPH10269284A (en) * 1997-03-25 1998-10-09 Hitachi Ltd Method and system for providing commodity information in electronic business transaction system
US7079649B1 (en) * 1997-03-27 2006-07-18 British Telecommunications Public Limited Company Copy protection of data
JP3884821B2 (en) 1997-03-27 2007-02-21 株式会社日立製作所 Integrated method and apparatus of the distributed information
US20080016000A1 (en) * 1997-03-27 2008-01-17 British Telecommunications Public Limited Company Copy protection of data
US6119229A (en) * 1997-04-11 2000-09-12 The Brodia Group Virtual property system
EP1650757A1 (en) * 1997-05-13 2006-04-26 Kabushiki Kaisha Toshiba Information ciphering method and apparatus, information reproducing method and apparatus
US6195646B1 (en) * 1997-05-13 2001-02-27 Data Junction Corp System and method for facilitating the valuation and purchase of information
US6202150B1 (en) * 1997-05-28 2001-03-13 Adam Lucas Young Auto-escrowable and auto-certifiable cryptosystems
US6668325B1 (en) 1997-06-09 2003-12-23 Intertrust Technologies Obfuscation techniques for enhancing software security
US7290288B2 (en) * 1997-06-11 2007-10-30 Prism Technologies, L.L.C. Method and system for controlling access, by an authentication server, to protected computer resources provided via an internet protocol network
US7966222B2 (en) * 1997-06-12 2011-06-21 Catalina Marketing Corporation System and method for distributing information through cooperative communication network sites
US6356704B1 (en) * 1997-06-16 2002-03-12 Ati Technologies, Inc. Method and apparatus for detecting protection of audio and video signals
US6606450B1 (en) * 1997-06-16 2003-08-12 Ati International Srl Method and apparatus for processing video signals having associated access restriction data
US6684369B1 (en) 1997-06-19 2004-01-27 International Business Machines, Corporation Web site creator using templates
US6308188B1 (en) * 1997-06-19 2001-10-23 International Business Machines Corporation System and method for building a web site with automated workflow
US20110014963A1 (en) * 2005-11-09 2011-01-20 Igt Methods and apparatus for facilitating blackjack flat rate play sessions
US20060089195A1 (en) * 1997-06-23 2006-04-27 Walker Jay S Systems, methods and apparatus for offering an extension of a flat rate play session based on an ending credit balance
US6353929B1 (en) * 1997-06-23 2002-03-05 One River Worldtrek, Inc. Cooperative system for measuring electronic media
US7140964B2 (en) * 1997-06-23 2006-11-28 Walker Digital, Llc Gaming device for a flat rate play session and a method of operating same
US6236727B1 (en) * 1997-06-24 2001-05-22 International Business Machines Corporation Apparatus, method and computer program product for protecting copyright data within a computer system
US6272631B1 (en) * 1997-06-30 2001-08-07 Microsoft Corporation Protected storage of core data secrets
US8073921B2 (en) * 1997-07-01 2011-12-06 Advanced Technology Company, LLC Methods for remote monitoring and control of appliances over a computer network
US5973734A (en) 1997-07-09 1999-10-26 Flashpoint Technology, Inc. Method and apparatus for correcting aspect ratio in a camera graphical user interface
US6052629A (en) * 1997-07-18 2000-04-18 Gilbarco Inc. Internet capable browser dispenser architecture
US5978836A (en) 1997-07-28 1999-11-02 Solectron Corporation Workflow systems and methods
US7096192B1 (en) * 1997-07-28 2006-08-22 Cybersource Corporation Method and system for detecting fraud in a credit card transaction over a computer network
US7403922B1 (en) 1997-07-28 2008-07-22 Cybersource Corporation Method and apparatus for evaluating fraud risk in an electronic commerce transaction
US7546346B2 (en) * 1997-07-28 2009-06-09 Juniper Networks, Inc. Workflow systems and methods for project management and information management
US9875492B2 (en) 2001-05-22 2018-01-23 Dennis J. Dupray Real estate transaction system
US8082096B2 (en) 2001-05-22 2011-12-20 Tracbeam Llc Wireless location routing applications and architecture therefor
US8135413B2 (en) 1998-11-24 2012-03-13 Tracbeam Llc Platform and applications for wireless location and other complex services
US6009525A (en) * 1997-08-29 1999-12-28 Preview Systems, Inc. Multi-tier electronic software distribution
US6030288A (en) * 1997-09-02 2000-02-29 Quixotic Solutions Inc. Apparatus and process for verifying honest gaming transactions over a communications network
US6681017B1 (en) * 1997-09-03 2004-01-20 Lucent Technologies Inc. Simplified secure shared key establishment and data delivery protocols for electronic commerce
US6795532B1 (en) * 1997-09-08 2004-09-21 Mci, Inc. Single telephone number access to multiple communication services
US6199181B1 (en) 1997-09-09 2001-03-06 Perfecto Technologies Ltd. Method and system for maintaining restricted operating environments for application programs or operating systems
US6311278B1 (en) 1998-09-09 2001-10-30 Sanctum Ltd. Method and system for extracting application protocol characteristics
DE19739808C2 (en) * 1997-09-10 1999-12-30 Siemens Ag Method and apparatus for controlling data transfer between two existing modules in a motor vehicle
US6490620B1 (en) 1997-09-26 2002-12-03 Worldcom, Inc. Integrated proxy interface for web based broadband telecommunications management
US6763376B1 (en) 1997-09-26 2004-07-13 Mci Communications Corporation Integrated customer interface system for communications network management
US6714979B1 (en) * 1997-09-26 2004-03-30 Worldcom, Inc. Data warehousing infrastructure for web based reporting tool
US6381644B2 (en) 1997-09-26 2002-04-30 Mci Worldcom, Inc. Integrated proxy interface for web based telecommunications network management
US6745229B1 (en) 1997-09-26 2004-06-01 Worldcom, Inc. Web based integrated customer interface for invoice reporting
US6044373A (en) * 1997-09-29 2000-03-28 International Business Machines Corporation Object-oriented access control method and system for military and commercial file systems
US6421653B1 (en) * 1997-10-14 2002-07-16 Blackbird Holdings, Inc. Systems, methods and computer program products for electronic trading of financial instruments
US20060190383A1 (en) * 2003-03-24 2006-08-24 Blackbird Holdings, Inc. Systems for risk portfolio management
US6128602A (en) * 1997-10-27 2000-10-03 Bank Of America Corporation Open-architecture system for real-time consolidation of information from multiple financial systems
US6094721A (en) * 1997-10-31 2000-07-25 International Business Machines Corporation Method and apparatus for password based authentication in a distributed system
US6038563A (en) * 1997-10-31 2000-03-14 Sun Microsystems, Inc. System and method for restricting database access to managed object information using a permissions table that specifies access rights corresponding to user access rights to the managed objects
US6112181A (en) 1997-11-06 2000-08-29 Intertrust Technologies Corporation Systems and methods for matching, selecting, narrowcasting, and/or classifying based on rights management and/or other information
US7092914B1 (en) * 1997-11-06 2006-08-15 Intertrust Technologies Corporation Methods for matching, selecting, narrowcasting, and/or classifying based on rights management and/or other information
US6219669B1 (en) 1997-11-13 2001-04-17 Hyperspace Communications, Inc. File transfer system using dynamically assigned ports
US6041412A (en) * 1997-11-14 2000-03-21 Tl Technology Rerearch (M) Sdn. Bhd. Apparatus and method for providing access to secured data or area
US6061669A (en) * 1997-11-26 2000-05-09 International Business Machines Corporation Notification system for access to and printing of proprietary network services
US6173271B1 (en) * 1997-11-26 2001-01-09 California Institute Of Technology Television advertising automated billing system
US6330610B1 (en) * 1997-12-04 2001-12-11 Eric E. Docter Multi-stage data filtering system employing multiple filtering criteria
JPH11175329A (en) 1997-12-08 1999-07-02 Hitachi Ltd Application linking method and device therefor
US6918901B1 (en) 1997-12-10 2005-07-19 Felix Theeuwes Device and method for enhancing transdermal agent flux
GB9726202D0 (en) * 1997-12-11 1998-02-11 Ibm Handling processor-intensive operations in a data processing system
US6247127B1 (en) * 1997-12-19 2001-06-12 Entrust Technologies Ltd. Method and apparatus for providing off-line secure communications
US7167711B1 (en) * 1997-12-23 2007-01-23 Openwave Systems Inc. System and method for controlling financial transactions over a wireless network
JP3937548B2 (en) * 1997-12-29 2007-06-27 カシオ計算機株式会社 Data access apparatus and a program recording medium
JPH11194987A (en) * 1998-01-05 1999-07-21 Toshiba Corp Communication device
US6971882B1 (en) * 1998-01-07 2005-12-06 Electric Planet, Inc. Method and apparatus for providing interactive karaoke entertainment
US6636615B1 (en) 1998-01-20 2003-10-21 Digimarc Corporation Methods and systems using multiple watermarks
US7268700B1 (en) 1998-01-27 2007-09-11 Hoffberg Steven M Mobile communication device
US6385596B1 (en) 1998-02-06 2002-05-07 Liquid Audio, Inc. Secure online music distribution system
US7047300B1 (en) 1998-02-10 2006-05-16 Sprint Communications Company L.P. Survivable and scalable data system and method for computer networks
EP0936805A1 (en) * 1998-02-12 1999-08-18 Hewlett-Packard Company Document transfer systems
JPH11259452A (en) * 1998-02-17 1999-09-24 Internatl Business Mach Corp <Ibm> Fast integration method and system
US6240400B1 (en) * 1998-02-17 2001-05-29 International Business Machines Corporation Method and system for accommodating electronic commerce in the semiconductor manufacturing industry
US6088800A (en) 1998-02-27 2000-07-11 Mosaid Technologies, Incorporated Encryption processor with shared memory interconnect
JPH11259407A (en) * 1998-03-11 1999-09-24 Fuji Xerox Co Ltd Electronic information use promoting system
DE19810730A1 (en) * 1998-03-12 1999-09-16 Philips Patentverwaltung Microcontroller circuit, esp. for identification systems such as cash cards, locking systems etc.
US6373974B2 (en) * 1998-03-16 2002-04-16 Sharp Laboratories Of America, Inc. Method for extracting multiresolution watermark images to determine rightful ownership
US7809138B2 (en) 1999-03-16 2010-10-05 Intertrust Technologies Corporation Methods and apparatus for persistent control and protection of content
US6144741A (en) * 1998-03-19 2000-11-07 Mid America Gift Certificate Company System for dispensing gift certificates
WO1999049394A1 (en) * 1998-03-23 1999-09-30 Microsoft Corporation Application program interfaces in an operating system
US20040098584A1 (en) * 1998-03-25 2004-05-20 Sherman Edward G. Method and system for embedded, automated, component-level control of computer systems and other complex systems
US6170014B1 (en) * 1998-03-25 2001-01-02 Community Learning And Information Network Computer architecture for managing courseware in a shared use operating environment
US6205249B1 (en) 1998-04-02 2001-03-20 Scott A. Moskowitz Multiple transform utilization and applications for secure digital watermarking
US6202056B1 (en) * 1998-04-03 2001-03-13 Audiosoft, Inc. Method for computer network operation providing basis for usage fees
US7051004B2 (en) * 1998-04-03 2006-05-23 Macrovision Corporation System and methods providing secure delivery of licenses and content
US7609862B2 (en) * 2000-01-24 2009-10-27 Pen-One Inc. Method for identity verification
US6539101B1 (en) * 1998-04-07 2003-03-25 Gerald R. Black Method for identity verification
US7961917B2 (en) * 1999-02-10 2011-06-14 Pen-One, Inc. Method for identity verification
US7047419B2 (en) * 1999-09-17 2006-05-16 Pen-One Inc. Data security system
US7380137B2 (en) * 1999-07-20 2008-05-27 International Business Machines Corporation Content guard system for copy protection of recordable media
US6118873A (en) * 1998-04-24 2000-09-12 International Business Machines Corporation System for encrypting broadcast programs in the presence of compromised receiver devices
US6223284B1 (en) * 1998-04-30 2001-04-24 Compaq Computer Corporation Method and apparatus for remote ROM flashing and security management for a computer system
US6341351B1 (en) * 1998-05-07 2002-01-22 Banctec, Inc. Method for communicating and controlling transactions between unsecured parties
US6773547B2 (en) * 1998-05-08 2004-08-10 American Air Liquide, Inc. Process for the bleaching of low consistency pulp using high partial pressure ozone
US6957341B2 (en) * 1998-05-14 2005-10-18 Purdue Research Foundation Method and system for secure computational outsourcing and disguise
US6941463B1 (en) 1998-05-14 2005-09-06 Purdue Research Foundation Secure computational outsourcing techniques
US8543372B1 (en) * 1998-05-18 2013-09-24 Dennis S. Fernandez System design rights management
US6253237B1 (en) 1998-05-20 2001-06-26 Audible, Inc. Personalized time-shifted programming
US6275942B1 (en) * 1998-05-20 2001-08-14 Network Associates, Inc. System, method and computer program product for automatic response to computer system misuse using active response modules
US7046258B1 (en) * 1998-05-28 2006-05-16 Canon Kabushiki Kaisha Display and control of permitted data processing based on control information extracted from the data
US6721740B1 (en) * 1998-05-29 2004-04-13 Sun Microsystems, Inc. Method and apparatus of performing active update notification
US20040107368A1 (en) * 1998-06-04 2004-06-03 Z4 Technologies, Inc. Method for digital rights management including self activating/self authentication software
US20040117631A1 (en) * 1998-06-04 2004-06-17 Z4 Technologies, Inc. Method for digital rights management including user/publisher connectivity interface
US20040117664A1 (en) * 1998-06-04 2004-06-17 Z4 Technologies, Inc. Apparatus for establishing a connectivity platform for digital rights management
US20040225894A1 (en) * 1998-06-04 2004-11-11 Z4 Technologies, Inc. Hardware based method for digital rights management including self activating/self authentication software
US20040117628A1 (en) * 1998-06-04 2004-06-17 Z4 Technologies, Inc. Computer readable storage medium for enhancing license compliance of software/digital content including self-activating/self-authenticating software/digital content
US20040117644A1 (en) * 1998-06-04 2004-06-17 Z4 Technologies, Inc. Method for reducing unauthorized use of software/digital content including self-activating/self-authenticating software/digital content
US20040117663A1 (en) * 1998-06-04 2004-06-17 Z4 Technologies, Inc. Method for authentication of digital content used or accessed with secondary devices to reduce unauthorized use or distribution
JPH11353384A (en) * 1998-06-10 1999-12-24 Nec Corp Method and device for evaluating environmental load
US20020002039A1 (en) 1998-06-12 2002-01-03 Safi Qureshey Network-enabled audio device
US6536041B1 (en) * 1998-06-16 2003-03-18 United Video Properties, Inc. Program guide system with real-time data sources
US7249054B2 (en) * 1998-06-18 2007-07-24 Keil Dean S System and method for debit account transactions
DE19827637A1 (en) * 1998-06-20 1999-12-23 Alcatel Sa Assurance procedures for operating data of a network element and control device for a network element
US6418420B1 (en) * 1998-06-30 2002-07-09 Sun Microsystems, Inc. Distributed budgeting and accounting system with secure token device access
US6594662B1 (en) * 1998-07-01 2003-07-15 Netshadow, Inc. Method and system for gathering information resident on global computer networks
US6907407B1 (en) 1998-07-02 2005-06-14 Sharp Kabushiki Kaisha Copyright management apparatus
US6607136B1 (en) 1998-09-16 2003-08-19 Beepcard Inc. Physical presence digital authentication system
JP2002536031A (en) 1998-09-16 2002-10-29 コムセンス・テクノロジーズ・リミテッド Toys to interact
KR20010023966A (en) * 1998-07-14 2001-03-26 요트.게.아. 롤페즈 Method and apparatus for use of a watermark and a receiver dependent reference for the purpose of copy protection
US6499035B1 (en) 1998-07-15 2002-12-24 Microsoft Corporation Licensing java objects
US6363356B1 (en) * 1998-07-16 2002-03-26 Preview Software Referrer-based system for try/buy electronic software distribution
US6393411B1 (en) * 1998-07-21 2002-05-21 Amdahl Corporation Device and method for authorized funds transfer
US6425522B1 (en) * 1998-07-23 2002-07-30 Hitachi, Ltd. IC card information processing system, and apparatus and cards for the same
US6832355B1 (en) * 1998-07-28 2004-12-14 Microsoft Corporation Web page display system
US7974495B2 (en) * 2002-06-10 2011-07-05 Digimarc Corporation Identification and protection of video
US20010011253A1 (en) * 1998-08-04 2001-08-02 Christopher D. Coley Automated system for management of licensed software
US7552090B1 (en) * 1998-08-12 2009-06-23 Keynetics Inc. Method for billing for services delivered over a computer network
US6226618B1 (en) * 1998-08-13 2001-05-01 International Business Machines Corporation Electronic content delivery system
US6959288B1 (en) * 1998-08-13 2005-10-25 International Business Machines Corporation Digital content preparation system
US6983371B1 (en) * 1998-10-22 2006-01-03 International Business Machines Corporation Super-distribution of protected digital content
EP1105813A4 (en) * 1998-08-25 2001-10-10 Mobshop Inc On-line marketing system and method
JP3142821B2 (en) * 1998-08-27 2001-03-07 株式会社エヌ・ティ・ティ・ドコモ Method of billing information communication network
CA2345745A1 (en) 1998-10-02 2000-04-13 Moshe Cohen Card for interaction with a computer
JP3142820B2 (en) * 1998-08-27 2001-03-07 株式会社エヌ・ティ・ティ・ドコモ Push type information transmission method and the relay device
CA2279890A1 (en) * 1998-08-28 2000-02-28 Two Way Tv Limited Method and apparatus for sampling remote data sources
US6269380B1 (en) * 1998-08-31 2001-07-31 Xerox Corporation Property based mechanism for flexibility supporting front-end and back-end components having different communication protocols
ES2274557T3 (en) * 1998-08-31 2007-05-16 Irdeto Access B.V. System for providing encrypted data, to decrypt encrypted data system and method for providing a communications interface system said decryptor.
US6562076B2 (en) 1998-08-31 2003-05-13 Xerox Corporation Extending application behavior through active properties attached to a document in a document management system
US6266682B1 (en) 1998-08-31 2001-07-24 Xerox Corporation Tagging related files in a document management system
US6311270B1 (en) * 1998-09-14 2001-10-30 International Business Machines Corporation Method and apparatus for securing communication utilizing a security processor
JP3819160B2 (en) * 1998-09-18 2006-09-06 富士通株式会社 Information management methods and information management device
US6393421B1 (en) * 1998-09-18 2002-05-21 Neriel Paglin Communication method and system utilizing a specific communication code uniquely assigned to the data record
EP1116132A2 (en) * 1998-09-22 2001-07-18 Science Applications International Corporation User-defined dynamic collaborative environments
US6266429B1 (en) * 1998-09-23 2001-07-24 Philips Electronics North America Corporation Method for confirming the integrity of an image transmitted with a loss
KR100484209B1 (en) * 1998-09-24 2005-09-30 삼성전자주식회사 Digital content encryption / decryption apparatus and method
US8010627B1 (en) * 1998-09-25 2011-08-30 Sprint Communications Company L.P. Virtual content publishing system
US6411991B1 (en) 1998-09-25 2002-06-25 Sprint Communications Company L.P. Geographic data replication system and method for a network
US7055034B1 (en) * 1998-09-25 2006-05-30 Digimarc Corporation Method and apparatus for robust embedded data
US6453317B1 (en) * 1998-09-29 2002-09-17 Worldcom, Inc. Customer information storage and delivery system
US8019609B2 (en) 1999-10-04 2011-09-13 Dialware Inc. Sonic/ultrasonic authentication method
US6671803B1 (en) * 1998-10-06 2003-12-30 Koninklijke Philips Electronics N.V. Method and system for consumer electronic device certificate management
EP1125182B1 (en) 1998-10-07 2003-01-02 Adobe Systems Incorporated Distributing access to a data item
WO2000022621A1 (en) * 1998-10-14 2000-04-20 Sony Corporation Data transmission apparatus, data transmission method, and data recording medium
CA2314359A1 (en) * 1998-10-15 2000-04-20 Sony Corporation Information providing system
US6298334B1 (en) * 1998-10-15 2001-10-02 Netdecide Corporation Object-based numeric-analysis engine
JP4763866B2 (en) 1998-10-15 2011-08-31 インターシア ソフトウェア エルエルシー How to protect the digital data by double re-encryption and apparatus
US7058607B1 (en) * 1998-10-21 2006-06-06 Fuji Xerox Co., Ltd. Contents distribution method and system
JP3994599B2 (en) * 1998-10-21 2007-10-24 富士ゼロックス株式会社 Recording apparatus and method, rates arithmetic unit and charges calculation method and billing system,
US6981222B2 (en) 1998-10-22 2005-12-27 Made2Manage Systems, Inc. End-to-end transaction processing and statusing system and method
US6163794A (en) * 1998-10-23 2000-12-19 General Magic Network system extensible by users
US6519700B1 (en) * 1998-10-23 2003-02-11 Contentguard Holdings, Inc. Self-protecting documents
CA2341979A1 (en) * 2000-03-24 2001-09-24 Contentguard Holdings, Inc. System and method for protection of digital works
US20050060549A1 (en) * 1998-10-26 2005-03-17 Microsoft Corporation Controlling access to content based on certificates and access predicates
US6330670B1 (en) 1998-10-26 2001-12-11 Microsoft Corporation Digital rights management operating system
US7139915B2 (en) * 1998-10-26 2006-11-21 Microsoft Corporation Method and apparatus for authenticating an open system application to a portable IC device
US6609199B1 (en) 1998-10-26 2003-08-19 Microsoft Corporation Method and apparatus for authenticating an open system application to a portable IC device
US6820063B1 (en) 1998-10-26 2004-11-16 Microsoft Corporation Controlling access to content based on certificates and access predicates
US6327652B1 (en) 1998-10-26 2001-12-04 Microsoft Corporation Loading and identifying a digital rights management operating system
US7194092B1 (en) 1998-10-26 2007-03-20 Microsoft Corporation Key-based secure storage
US6871220B1 (en) 1998-10-28 2005-03-22 Yodlee, Inc. System and method for distributed storage and retrieval of personal information
US7673323B1 (en) * 1998-10-28 2010-03-02 Bea Systems, Inc. System and method for maintaining security in a distributed computer network
CN1287640A (en) 1998-10-28 2001-03-14 维迪科隆有限公司 Apparatus and method for automated aggregation and delivery of electronic personal information or data
US7039941B1 (en) * 1998-10-30 2006-05-02 General Instrument Corporation Low distortion passthrough circuit arrangement for cable television set top converter terminals
US7031963B1 (en) * 1998-11-09 2006-04-18 Unisys Corporation Green ice printout sorting and delivery program
US7010512B1 (en) * 1998-11-09 2006-03-07 C/Base, Inc. Transfer instrument
US8121891B2 (en) * 1998-11-12 2012-02-21 Accenture Global Services Gmbh Personalized product report
JP4764536B2 (en) * 1998-11-17 2011-09-07 株式会社リコー Image measurement equipment
US6601087B1 (en) * 1998-11-18 2003-07-29 Webex Communications, Inc. Instant document sharing
US6751670B1 (en) 1998-11-24 2004-06-15 Drm Technologies, L.L.C. Tracking electronic component
US6272469B1 (en) * 1998-11-25 2001-08-07 Ge Medical Systems Global Technology Company, Llc Imaging system protocol handling method and apparatus
US6914691B1 (en) 1998-11-27 2005-07-05 Canon Kabushiki Kaisha Image processing apparatus, data processing method, and storage medium
US7058597B1 (en) 1998-12-04 2006-06-06 Digital River, Inc. Apparatus and method for adaptive fraud screening for electronic commerce transactions
US20030195974A1 (en) 1998-12-04 2003-10-16 Ronning Joel A. Apparatus and method for scheduling of search for updates or downloads of a file
US7617124B1 (en) 1998-12-04 2009-11-10 Digital River, Inc. Apparatus and method for secure downloading of files
US7085997B1 (en) 1998-12-08 2006-08-01 Yodlee.Com Network-based bookmark management and web-summary system
US6477565B1 (en) * 1999-06-01 2002-11-05 Yodlee.Com, Inc. Method and apparatus for restructuring of personalized data for transmission from a data network to connected and portable network appliances
US7672879B1 (en) 1998-12-08 2010-03-02 Yodlee.Com, Inc. Interactive activity interface for managing personal data and performing transactions over a data packet network
US6266774B1 (en) * 1998-12-08 2001-07-24 Mcafee.Com Corporation Method and system for securing, managing or optimizing a personal computer
US7752535B2 (en) 1999-06-01 2010-07-06 Yodlec.com, Inc. Categorization of summarized information
US8069407B1 (en) 1998-12-08 2011-11-29 Yodlee.Com, Inc. Method and apparatus for detecting changes in websites and reporting results to web developers for navigation template repair purposes
US6412073B1 (en) * 1998-12-08 2002-06-25 Yodiee.Com, Inc Method and apparatus for providing and maintaining a user-interactive portal system accessible via internet or other switched-packet-network
JP4195746B2 (en) * 1998-12-11 2008-12-10 インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Maschines Corporation Data billing system, the content generator, data charging location and method
GB9827831D0 (en) * 1998-12-17 1999-02-10 Tribeka Ltd Method and apparatus for the distribution of digitised information on demand
US6578143B1 (en) * 1998-12-18 2003-06-10 Qualcomm Incorporated Method for negotiating weakened keys in encryption systems
CA2256936C (en) * 1998-12-23 2002-04-02 Hamid Bacha System for electronic repository of data enforcing access control on data search and retrieval
US7624046B2 (en) * 1998-12-24 2009-11-24 Universal Music Group, Inc. Electronic music/media distribution system
US7209892B1 (en) * 1998-12-24 2007-04-24 Universal Music Group, Inc. Electronic music/media distribution system
US7209889B1 (en) * 1998-12-24 2007-04-24 Henry Whitfield Secure system for the issuance, acquisition, and redemption of certificates in a transaction network
US8175977B2 (en) 1998-12-28 2012-05-08 Audible License management for digital content
US6424979B1 (en) * 1998-12-30 2002-07-23 American Management Systems, Inc. System for presenting and managing enterprise architectures
US6317141B1 (en) 1998-12-31 2001-11-13 Flashpoint Technology, Inc. Method and apparatus for editing heterogeneous media objects in a digital imaging device
JP4405090B2 (en) * 1999-01-05 2010-01-27 富士通株式会社 Payback system, payback method and a recording medium
US6978262B2 (en) * 1999-01-05 2005-12-20 Tsai Daniel E Distributed database schema
US6212512B1 (en) * 1999-01-06 2001-04-03 Hewlett-Packard Company Integration of a database into file management software for protecting, tracking and retrieving data
JP4131071B2 (en) * 1999-01-11 2008-08-13 ソニー株式会社 Recording apparatus information signals, recording system, a recording medium and a recording method
US7127515B2 (en) 1999-01-15 2006-10-24 Drm Technologies, Llc Delivering electronic content
CA2359685A1 (en) * 1999-01-29 2000-08-03 General Instrument Corporation Authentication enforcement using decryption and authentication in a single transaction in a secure microprocessor
US6839841B1 (en) * 1999-01-29 2005-01-04 General Instrument Corporation Self-generation of certificates using secure microprocessor in a device for transferring digital information
US6400996B1 (en) 1999-02-01 2002-06-04 Steven M. Hoffberg Adaptive pattern recognition based control system and method
EP1151611A1 (en) * 1999-02-11 2001-11-07 Loudeye Technologies, Inc. System for automated comprehensive remote servicing for media information
WO2000048108A1 (en) 1999-02-12 2000-08-17 Mack Hicks System and method for providing certification-related and other services
US6209102B1 (en) * 1999-02-12 2001-03-27 Arcot Systems, Inc. Method and apparatus for secure entry of access codes in a computer environment
DE19906450C1 (en) 1999-02-16 2000-08-17 Fraunhofer Ges Forschung Generating encoded useful data flow involves producing encoded version of useful data key using asymmetrical encoding and entering in useful data stream header block
US6643813B1 (en) * 1999-02-17 2003-11-04 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for reliable and efficient data communications
US6314404B1 (en) * 1999-02-18 2001-11-06 Robert O. Good Method and apparatus for managing real estate brokerage referrals
WO2000051280A3 (en) * 1999-02-25 2000-12-14 Enco Tone Ltd Method and apparatus for the secure indentification of the owner of a portable device
JP2002538536A (en) * 1999-02-26 2002-11-12 オーセンティデイト ホールディング コーポレイション Including reliable file Mark King, digital file management and imaging system and method
CA2363796A1 (en) 1999-02-26 2000-08-31 Richard T. Box A system, method and article of manufacture for an electronic commerce interface to the government
WO2000052690A1 (en) * 1999-02-26 2000-09-08 Hitachi, Ltd. Digital signal recorder, reproducer and recording medium
KR20020007318A (en) * 1999-03-02 2002-01-26 추후제출 Electronic commerce transactions within a marketing system that may contain a membership buying opportunity
US7353194B1 (en) * 1999-03-02 2008-04-01 Alticor Investments, Inc. System and method for managing recurring orders in a computer network
EP1085420A4 (en) * 1999-03-03 2006-12-27 Sony Corp Data processing device, data processing method, terminal, transmission method for data processing device
JP2000260121A (en) * 1999-03-05 2000-09-22 Toshiba Corp Information reproducing device and information recording device
US6868497B1 (en) 1999-03-10 2005-03-15 Digimarc Corporation Method and apparatus for automatic ID management
US7174457B1 (en) * 1999-03-10 2007-02-06 Microsoft Corporation System and method for authenticating an operating system to a central processing unit, providing the CPU/OS with secure storage, and authenticating the CPU/OS to a third party
US7178036B1 (en) * 1999-03-15 2007-02-13 Antonius Adriaan Maria Staring Method and system for providing copy-protection on a storage medium and storage medium for use in such a system
WO2000055962A3 (en) 1999-03-15 2001-06-21 Sony Electronics Inc Electronic media system, method and device
KR100320183B1 (en) 1999-03-17 2002-01-10 구자홍 File encryption apparatus for digital data player
US6968513B1 (en) * 1999-03-18 2005-11-22 Shopntown.Com, Inc. On-line localized business referral system and revenue generation system
US7549056B2 (en) 1999-03-19 2009-06-16 Broadcom Corporation System and method for processing and protecting content
WO2000057290A1 (en) * 1999-03-19 2000-09-28 Hitachi, Ltd. Information processor
US6985887B1 (en) * 1999-03-19 2006-01-10 Suncrest Llc Apparatus and method for authenticated multi-user personal information database
EP1161811B1 (en) * 1999-03-22 2007-08-29 Agency for Science, Technology and Research Method and apparatus for encrypting and decrypting data
US7353199B1 (en) * 1999-03-22 2008-04-01 Perfect Web Technologies, Inc. Method of moderating external access to an electronic document authoring development and distribution system
US7664264B2 (en) 1999-03-24 2010-02-16 Blue Spike, Inc. Utilizing data reduction in steganographic and cryptographic systems
US6601046B1 (en) * 1999-03-25 2003-07-29 Koninklijke Philips Electronics N.V. Usage dependent ticket to protect copy-protected material
GB9906924D0 (en) * 1999-03-26 1999-05-19 Int Computers Ltd Printed document authentication method
WO2001052018A1 (en) * 2000-01-14 2001-07-19 Microsoft Corporation Specifying security for an element by assigning a scaled value representative of the relative security thereof
US7024393B1 (en) 1999-03-27 2006-04-04 Microsoft Corporation Structural of digital rights management (DRM) system
US7103574B1 (en) 1999-03-27 2006-09-05 Microsoft Corporation Enforcement architecture and method for digital rights management
US6973444B1 (en) * 1999-03-27 2005-12-06 Microsoft Corporation Method for interdependently validating a digital content package and a corresponding digital license
US7319759B1 (en) 1999-03-27 2008-01-15 Microsoft Corporation Producing a new black box for a digital rights management (DRM) system
US7225333B2 (en) * 1999-03-27 2007-05-29 Microsoft Corporation Secure processor architecture for use with a digital rights management (DRM) system on a computing device
US7136838B1 (en) * 1999-03-27 2006-11-14 Microsoft Corporation Digital license and method for obtaining/providing a digital license
US7073063B2 (en) 1999-03-27 2006-07-04 Microsoft Corporation Binding a digital license to a portable device or the like in a digital rights management (DRM) system and checking out/checking in the digital license to/from the portable device or the like
US7383205B1 (en) 1999-03-27 2008-06-03 Microsoft Corporation Structure of a digital content package
US7051005B1 (en) * 1999-03-27 2006-05-23 Microsoft Corporation Method for obtaining a black box for performing decryption and encryption functions in a digital rights management (DRM) system
US6829708B1 (en) * 1999-03-27 2004-12-07 Microsoft Corporation Specifying security for an element by assigning a scaled value representative of the relative security thereof
US20060245741A1 (en) * 2000-03-09 2006-11-02 Cynthia Lakhansingh Digital enterainment recorder
US7747853B2 (en) 2001-06-06 2010-06-29 Sony Corporation IP delivery of secure digital content
US7730300B2 (en) 1999-03-30 2010-06-01 Sony Corporation Method and apparatus for protecting the transfer of data
EP1087291A4 (en) * 1999-03-30 2008-10-08 Sony Corp Information processing system
US20020120925A1 (en) * 2000-03-28 2002-08-29 Logan James D. Audio and video program recording, editing and playback systems using metadata
US6591255B1 (en) * 1999-04-05 2003-07-08 Netuitive, Inc. Automatic data extraction, error correction and forecasting system
US6651171B1 (en) * 1999-04-06 2003-11-18 Microsoft Corporation Secure execution of program code
JP3471654B2 (en) * 1999-04-06 2003-12-02 富士通株式会社 License server, the copyright holder system, user system, system, recording medium and content usage control method
US6775779B1 (en) * 1999-04-06 2004-08-10 Microsoft Corporation Hierarchical trusted code for content protection in computers
US6553037B1 (en) * 1999-04-08 2003-04-22 Palm, Inc. System and method for synchronizing data among a plurality of users via an intermittently accessed network
US6457062B1 (en) 1999-04-08 2002-09-24 Palm, Inc. System and method for synchronizing multiple calendars over wide area network
US6466236B1 (en) 1999-04-08 2002-10-15 Palm, Inc. System and method for displaying and manipulating multiple calendars on a personal digital assistant
JP2000293459A (en) * 1999-04-09 2000-10-20 Sony Corp Processor and method for information processing and provision medium
KR100774853B1 (en) 1999-04-09 2007-11-08 소니 가부시끼 가이샤 Information processing device and method, and record medium
JP4238410B2 (en) * 1999-04-09 2009-03-18 ソニー株式会社 Information processing system
JP4238411B2 (en) * 1999-04-12 2009-03-18 ソニー株式会社 Information processing system
WO2000062189A8 (en) 1999-04-12 2002-07-25 Reciprocal Inc System and method for data rights management
JP2000293590A (en) * 1999-04-12 2000-10-20 Sony Corp Information processor, information processing method and providing medium
EP1171811A1 (en) * 1999-04-13 2002-01-16 Ilumin Corporation System and method for document-driven processing of digitally-signed electronic documents
JP3747133B2 (en) 1999-04-14 2006-02-22 キヤノン株式会社 Mobile terminal and its control method and the storage medium
JP3376311B2 (en) 1999-04-14 2003-02-10 キヤノン株式会社 Information providing method and information providing system
JP3368237B2 (en) * 1999-04-14 2003-01-20 キヤノン株式会社 Code processing method, terminal device and a storage medium
JP3327877B2 (en) 1999-04-14 2002-09-24 キヤノン株式会社 Information providing method, an information providing system, a storage medium which stores a terminal device and an information providing program
JP2000298677A (en) * 1999-04-14 2000-10-24 Canon Inc Information retrieval method, information retrieval device and storage medium
US20040260653A1 (en) * 1999-04-19 2004-12-23 First Data Corporation Anonymous transactions
US20040083184A1 (en) * 1999-04-19 2004-04-29 First Data Corporation Anonymous card transactions
JP3823599B2 (en) * 1999-04-22 2006-09-20 富士ゼロックス株式会社 Distribution information management apparatus and method
US6529603B1 (en) * 1999-04-23 2003-03-04 Convera Corporation Method and apparatus to reduce the risk of observation of a secret value used by an instruction sequence
US6947560B1 (en) * 1999-04-26 2005-09-20 Telefonaktiebolaget L M Ericsson (Publ) Method and device for effective key length control
US6918059B1 (en) 1999-04-28 2005-07-12 Universal Music Group Method and system for handling errors in a distributed computer system
WO2001001625A9 (en) * 1999-05-03 2002-06-13 Ntru Cryptosystems Inc Secure user identification based on ring homomorphisms
US6959085B1 (en) 1999-05-03 2005-10-25 Ntru Cryptosystems, Inc. Secure user identification based on ring homomorphisms
US7308413B1 (en) * 1999-05-05 2007-12-11 Tota Michael J Process for creating media content based upon submissions received on an electronic multi-media exchange
US6697948B1 (en) 1999-05-05 2004-02-24 Michael O. Rabin Methods and apparatus for protecting information
US9477665B2 (en) 1999-05-05 2016-10-25 Virtual Creative Artists, LLC Revenue-generating electronic multi-media exchange and process of operating same
DE60023705T2 (en) * 1999-05-07 2006-07-20 Telefonaktiebolaget Lm Ericsson (Publ) Key information secure distribution and protection of
US6766307B1 (en) * 1999-05-11 2004-07-20 Clicknsettle.Com, Inc. System and method for providing complete non-judicial dispute resolution management and operation
US7562392B1 (en) * 1999-05-19 2009-07-14 Digimarc Corporation Methods of interacting with audio and ambient music
US6690880B1 (en) * 1999-05-21 2004-02-10 Ati International, Srl Method and apparatus for copy protection detection in a video signal
GB2350529B (en) * 1999-05-22 2004-03-10 Ibm Electronic contracts
CN1159654C (en) * 1999-05-26 2004-07-28 富士通株式会社 Network element management system and method
US6785815B1 (en) 1999-06-08 2004-08-31 Intertrust Technologies Corp. Methods and systems for encoding and protecting data using digital signature and watermarking techniques
US7140039B1 (en) 1999-06-08 2006-11-21 The Trustees Of Columbia University In The City Of New York Identification of an attacker in an electronic system
US7013296B1 (en) * 1999-06-08 2006-03-14 The Trustees Of Columbia University In The City Of New York Using electronic security value units to control access to a resource
US7272855B1 (en) 1999-06-08 2007-09-18 The Trustees Of Columbia University In The City Of New York Unified monitoring and detection of intrusion attacks in an electronic system
US6889260B1 (en) * 1999-06-10 2005-05-03 Ec Enabler, Ltd Method and system for transferring information
US6671805B1 (en) 1999-06-17 2003-12-30 Ilumin Corporation System and method for document-driven processing of digitally-signed electronic documents
GB9914418D0 (en) * 1999-06-22 1999-08-18 Stringer Andrew M Computer network payment system
US20060036505A1 (en) * 1999-06-28 2006-02-16 Netpack, Inc. Method and system for distributing digital works
US7139731B1 (en) * 1999-06-30 2006-11-21 Alvin Robert S Multi-level fraud check with dynamic feedback for internet business transaction processor
WO2001001227A1 (en) * 1999-06-30 2001-01-04 Accenture Llp A system, method and article of manufacture for tracking software sale transactions of an internet-based retailer for reporting to a software publisher
CN1304977C (en) 1999-07-06 2007-03-14 索尼株式会社 Data providing system, device, and method
KR100721078B1 (en) * 1999-07-06 2007-05-22 소니 가부시끼 가이샤 Data processing device, data providing system, and data providing method
US6594633B1 (en) * 1999-07-07 2003-07-15 Vincent S. Broerman Real estate computer network
JP4599657B2 (en) * 1999-07-07 2010-12-15 ソニー株式会社 Data providing system, content providing device, and the content processing apparatus
JP2001022843A (en) * 1999-07-07 2001-01-26 Sony Corp Device and method for processing information and providing medium
US7296001B1 (en) * 1999-07-12 2007-11-13 Ariba, Inc. Electronic multilateral negotiation system
US7117532B1 (en) * 1999-07-14 2006-10-03 Symantec Corporation System and method for generating fictitious content for a computer
EP1203280B1 (en) 1999-07-14 2017-08-30 Symantec Corporation System and method for protecting a computer network against denial of service attacks
US6981155B1 (en) * 1999-07-14 2005-12-27 Symantec Corporation System and method for computer security
WO2001006374A3 (en) 1999-07-16 2001-10-18 Intertrust Tech Corp System and method for securing an untrusted storage
US7152165B1 (en) 1999-07-16 2006-12-19 Intertrust Technologies Corp. Trusted storage systems and methods
US7177829B1 (en) * 1999-07-16 2007-02-13 H & R Block Tax Services, Inc. Tax refund system
WO2001007982A3 (en) * 1999-07-22 2001-10-11 Silicon Valley Bank Method and system for providing information responsive to a user
US7093286B1 (en) * 1999-07-23 2006-08-15 Openwave Systems Inc. Method and system for exchanging sensitive information in a wireless communication system
US6317755B1 (en) * 1999-07-26 2001-11-13 Motorola, Inc. Method and apparatus for data backup and restoration in a portable data device
US8381087B1 (en) 1999-07-26 2013-02-19 G&H Nevada-Tek Automated electronic document filing system, method, and article of manufacture
WO2001010090A1 (en) 1999-07-28 2001-02-08 Tomkow Terrance A System and method for verifying delivery and integrity of electronic messages
US7243236B1 (en) * 1999-07-29 2007-07-10 Intertrust Technologies Corp. Systems and methods for using cryptography to protect secure and insecure computing environments
US7430670B1 (en) 1999-07-29 2008-09-30 Intertrust Technologies Corp. Software self-defense systems and methods
US7770016B2 (en) 1999-07-29 2010-08-03 Intertrust Technologies Corporation Systems and methods for watermarking software and other media
EP1526435A3 (en) 1999-07-30 2005-07-27 Intertrust Technologies Corp. Methods and systems for transaction record delivery using thresholds and multi-stage protocol
JP3312335B2 (en) * 1999-07-30 2002-08-05 株式会社コムスクエア User authentication method, user authentication system and a recording medium
US7113918B1 (en) * 1999-08-01 2006-09-26 Electric Planet, Inc. Method for video enabled electronic commerce
US7171567B1 (en) 1999-08-02 2007-01-30 Harris Interactive, Inc. System for protecting information over the internet
EP1203281B1 (en) 1999-08-02 2012-10-10 DOT Assets No. 2 LLC System for protecting information over the internet
JP3522635B2 (en) * 1999-08-03 2004-04-26 ヴィジョンアーツ株式会社 Computer readable recording medium recording an image file, creation device the recording medium, medium recording an image file creation program, an image file transmission apparatus, an image file processing apparatus, a medium recording an image file processing program
US7159116B2 (en) * 1999-12-07 2007-01-02 Blue Spike, Inc. Systems, methods and devices for trusted transactions
US7475246B1 (en) 1999-08-04 2009-01-06 Blue Spike, Inc. Secure personal content server
US6628412B1 (en) * 1999-08-05 2003-09-30 Hewlett-Packard Development Company, L.P. Methods of document management and automated document tracking, and a document management system
JP4009108B2 (en) 1999-08-10 2007-11-14 コロムビアミュージックエンタテインメント株式会社 Memory card
EP1206741A1 (en) * 1999-08-11 2002-05-22 Spinware, Inc. System and method for controlling access to data stored in a portable storage medium
US9064281B2 (en) 2002-10-31 2015-06-23 Mastercard Mobile Transactions Solutions, Inc. Multi-panel user interface
US7536016B2 (en) * 2004-12-17 2009-05-19 Microsoft Corporation Encrypted content data structure package and generation thereof
EP1076279A1 (en) * 1999-08-13 2001-02-14 Hewlett-Packard Company Computer platforms and their methods of operation
US6886098B1 (en) * 1999-08-13 2005-04-26 Microsoft Corporation Systems and methods for compression of key sets having multiple keys
WO2001015162A3 (en) * 1999-08-13 2001-09-27 Microsoft Corp Methods and systems of protecting digital content
US8214386B2 (en) * 1999-08-20 2012-07-03 Newgems Llc System and method for structured news release generation and distribution
US7124170B1 (en) 1999-08-20 2006-10-17 Intertrust Technologies Corp. Secure processing unit systems and methods
EP1237112A4 (en) 1999-08-23 2006-05-17 Li Dongsheng A method for the accomplishment secure transaction for electronicbankbook (purse)
EP1212734B1 (en) * 1999-08-26 2006-07-19 MONEYCAT Ltd. Electronic currency, electronic wallet therefor and electronic payment systems employing them
US7082439B1 (en) * 1999-08-26 2006-07-25 Hsc Venture Fund 1999 System and method for electronic message notification
WO2001016776A1 (en) * 1999-08-27 2001-03-08 Sony Corporation Information transmission system, transmitter, and transmission method as well as information reception system, receiver and reception method
WO2001016775A1 (en) * 1999-08-27 2001-03-08 Comnex Co., Ltd. Method for providing literary work data, system for executing the method, and computer-readable recorded medium
US8090619B1 (en) 1999-08-27 2012-01-03 Ochoa Optics Llc Method and system for music distribution
US20060212908A1 (en) 1999-08-27 2006-09-21 Ochoa Optics Llc Video distribution system
US7209900B2 (en) 1999-08-27 2007-04-24 Charles Eric Hunter Music distribution systems
US20030133692A1 (en) * 1999-08-27 2003-07-17 Charles Eric Hunter Video distribution system
US6952685B1 (en) 1999-08-27 2005-10-04 Ochoa Optics Llc Music distribution system and associated antipiracy protection
US7647618B1 (en) 1999-08-27 2010-01-12 Charles Eric Hunter Video distribution system
US7203962B1 (en) * 1999-08-30 2007-04-10 Symantec Corporation System and method for using timestamps to detect attacks
WO2001016820A1 (en) * 1999-08-30 2001-03-08 Fujitsu Limited Recording device
US7020774B1 (en) * 1999-08-30 2006-03-28 Georges Marc Cornuejols Communications method and device
WO2001016933A1 (en) * 1999-08-30 2001-03-08 Fujitsu Limited Device for data reproduction
US6301666B1 (en) 1999-08-31 2001-10-09 Everdream, Inc. Method and apparatus for remotely enabling a preinstalled and previously disabled application on a computer system
US6281894B1 (en) * 1999-08-31 2001-08-28 Everdream, Inc. Method and apparatus for configuring a hard disk and for providing support for a computer system
US7406603B1 (en) 1999-08-31 2008-07-29 Intertrust Technologies Corp. Data protection systems and methods
CN1312593C (en) 1999-09-01 2007-04-25 松下电器产业株式会社 Dispensing system, semiconductor storing card, receiving device, computer readable recording medium and receiving method
US7343321B1 (en) * 1999-09-01 2008-03-11 Keith Ryan Hill Method of administering licensing of use of copyright works
US7225445B1 (en) * 1999-09-02 2007-05-29 Fuji Xerox Co., Ltd. Execution control apparatus with key pad that enables selection of jobs to be run
US7757097B2 (en) * 1999-09-03 2010-07-13 Purdue Research Foundation Method and system for tamperproofing software
US6490564B1 (en) * 1999-09-03 2002-12-03 Cisco Technology, Inc. Arrangement for defining and processing voice enabled web applications using extensible markup language documents
US7188186B1 (en) * 1999-09-03 2007-03-06 Meyer Thomas W Process of and system for seamlessly embedding executable program code into media file formats such as MP3 and the like for execution by digital media player and viewing systems
US6507817B1 (en) * 1999-09-03 2003-01-14 Cisco Technology, Inc. Voice IP approval system using voice-enabled web based application server
US6578000B1 (en) 1999-09-03 2003-06-10 Cisco Technology, Inc. Browser-based arrangement for developing voice enabled web applications using extensible markup language documents
US7287166B1 (en) 1999-09-03 2007-10-23 Purdue Research Foundation Guards for application in software tamperproofing
US7149893B1 (en) 1999-09-07 2006-12-12 Poofaway.Com, Inc. System and method for enabling the originator of an electronic mail message to preset an expiration time, date, and/or event, and to control processing or handling by a recipient
US7353541B1 (en) 1999-09-07 2008-04-01 Sony Corporation Systems and methods for content distribution using one or more distribution keys
WO2001018714A8 (en) * 1999-09-08 2001-11-15 Wizard Technologies Inc Transaction and account management system
US20020029200A1 (en) 1999-09-10 2002-03-07 Charles Dulin System and method for providing certificate validation and other services
US7555535B2 (en) * 1999-09-10 2009-06-30 Transurety, Llc Methods and apparatus for securing and providing coverage for transmission data
CA2384436C (en) * 1999-09-10 2010-06-29 Portogo, Inc. Systems and method for insuring correct data transmission over the internet
US7711646B2 (en) 1999-09-10 2010-05-04 Transurety, Llc Methods and apparatus for providing coverage for receiver of transmission data
US9042608B2 (en) 2010-10-25 2015-05-26 Pen-One, Inc. Data security system
US7761465B1 (en) 1999-09-17 2010-07-20 Sony Corporation Data providing system and method therefor
WO2001022319A1 (en) 1999-09-20 2001-03-29 Ethentica, Inc. Trust arbitrage in cryptographic authentication
US7391865B2 (en) * 1999-09-20 2008-06-24 Security First Corporation Secure data parser method and system
US6985885B1 (en) 1999-09-21 2006-01-10 Intertrust Technologies Corp. Systems and methods for pricing and selling digital goods
US6269349B1 (en) * 1999-09-21 2001-07-31 A6B2, Inc. Systems and methods for protecting private information
EP1286735A1 (en) 1999-09-24 2003-03-05 Dennis Jay Dupray Geographically constrained network services
CA2384242A1 (en) * 1999-09-24 2001-04-05 Mary Mckenney System and method for providing payment services in electronic commerce
GB9922665D0 (en) 1999-09-25 1999-11-24 Hewlett Packard Co A method of enforcing trusted functionality in a full function platform
WO2001024437A9 (en) 1999-09-30 2001-09-27 Us Postal Service Systems and methods for authenticating an electronic message
US7797543B1 (en) 1999-09-30 2010-09-14 United States Postal Service Systems and methods for authenticating an electronic message
WO2001025937A1 (en) * 1999-10-01 2001-04-12 Infraworks Corporation Network/tdi blocking method and system
US8538893B1 (en) * 1999-10-01 2013-09-17 Entrust, Inc. Apparatus and method for electronic transaction evidence archival and retrieval
US9219708B2 (en) * 2001-03-22 2015-12-22 DialwareInc. Method and system for remotely authenticating identification devices
US7127427B1 (en) * 1999-10-05 2006-10-24 Andrew Casper Secure transaction processing system and method
US6850252B1 (en) 1999-10-05 2005-02-01 Steven M. Hoffberg Intelligent electronic appliance system and method
WO2001025948A9 (en) 1999-10-05 2002-11-21 Zapmedia Inc System and method for distributing media assets to user devices and managing user rights of the media assets
US20060195400A1 (en) * 2000-10-13 2006-08-31 Patrick Patterson Controlling access to electronic content
US7536561B2 (en) 1999-10-15 2009-05-19 Ebrary, Inc. Method and apparatus for improved information transactions
US8311946B1 (en) 1999-10-15 2012-11-13 Ebrary Method and apparatus for improved information transactions
DE19950249C1 (en) * 1999-10-18 2001-02-01 Siemens Ag Electronic device with software protection for runtime software for automated systems
US7668956B2 (en) * 1999-10-19 2010-02-23 Netzero, Inc. Intelligent autodialer
JP2001188738A (en) * 1999-10-21 2001-07-10 Sony Corp System and method for providing information and device for adding identification information and computer readable recording medium stored with the same program and information providing server device and computer readable recording medium stored with the same program and information terminal and computer readable recording medium with information using program and charging device
US6807641B1 (en) * 1999-10-25 2004-10-19 Sony Corporation Content provider system
GB9925227D0 (en) 1999-10-25 1999-12-22 Internet Limited Data storage retrieval and access system
FR2800540B1 (en) * 1999-10-28 2001-11-30 Bull Cp8 Secure Terminal with a smart card reader has indicated to communicate with a server via an internet-type network
US6404337B1 (en) * 1999-10-28 2002-06-11 Brivo Systems, Inc. System and method for providing access to an unattended storage
US20030158810A1 (en) * 1999-10-28 2003-08-21 Naiem Dathi Method, system, and apparatus for open services architecture
US7340436B1 (en) * 1999-10-29 2008-03-04 Siemens Aktiengesellschaft Communication network charging method and system
US6430561B1 (en) * 1999-10-29 2002-08-06 International Business Machines Corporation Security policy for protection of files on a storage device
DE19953055C2 (en) * 1999-11-03 2002-01-03 Erland Wittkoetter Device and method for the protected output of an electronic document via a data transmission network
KR20050109620A (en) * 1999-11-05 2005-11-21 소니 가부시끼 가이샤 Data decoding apparatus and method, charge information processing apparatus and method, data reproducing apparatus and method, electronic money, electronic use right, and terminal apparatus
US7039214B2 (en) * 1999-11-05 2006-05-02 Digimarc Corporation Embedding watermark components during separate printing stages
US6876991B1 (en) 1999-11-08 2005-04-05 Collaborative Decision Platforms, Llc. System, method and computer program product for a collaborative decision platform
US6850914B1 (en) * 1999-11-08 2005-02-01 Matsushita Electric Industrial Co., Ltd. Revocation information updating method, revocation informaton updating apparatus and storage medium
US7039614B1 (en) 1999-11-09 2006-05-02 Sony Corporation Method for simulcrypting scrambled data to a plurality of conditional access devices
US7299292B2 (en) * 2002-03-29 2007-11-20 Widevine Technologies, Inc. Process and streaming server for encrypting a data stream to a virtual smart card client system
US6449719B1 (en) * 1999-11-09 2002-09-10 Widevine Technologies, Inc. Process and streaming server for encrypting a data stream
US8055894B2 (en) 1999-11-09 2011-11-08 Google Inc. Process and streaming server for encrypting a data stream with bandwidth based variation
EP1100052A3 (en) * 1999-11-12 2002-07-31 International Business Machines Corporation Currency and float ID tracking in an electronic purse
JP2001236081A (en) * 1999-11-12 2001-08-31 Sony Corp Information processor, information processing method and program storage medium
EP1236117B1 (en) * 1999-11-12 2016-03-30 Protegrity Corporation Method for reencryption of a database
US6754908B1 (en) 1999-11-12 2004-06-22 General Instrument Corporation Intrusion detection for object security
US20010013121A1 (en) * 1999-11-12 2001-08-09 Kimball Bridget D. Authorization conditioned object message download
US6578199B1 (en) 1999-11-12 2003-06-10 Fujitsu Limited Automatic tracking system and method for distributable software
US7158993B1 (en) 1999-11-12 2007-01-02 Sun Microsystems, Inc. API representation enabling submerged hierarchy
US7039617B1 (en) 1999-11-12 2006-05-02 International Business Machines Corporation Currency and float ID tracking in an electronic purse
US7395275B1 (en) * 1999-11-16 2008-07-01 Dana Automotive Systems Group, Llc System and method for disposing of assets
US7451147B1 (en) * 1999-11-18 2008-11-11 International Business Machines Corporation Flexible encryption scheme for GSO target passwords
US7051067B1 (en) * 1999-11-22 2006-05-23 Sun Microsystems, Inc. Object oriented mechanism for dynamically constructing customized implementations to enforce restrictions
US6792537B1 (en) 1999-11-22 2004-09-14 Sun Microsystems, Inc. Mechanism for determining restrictions to impose on an implementation of a service
US7103910B1 (en) 1999-11-22 2006-09-05 Sun Microsystems, Inc. Method and apparatus for verifying the legitimacy of an untrusted mechanism
US7131008B1 (en) 1999-11-22 2006-10-31 Sun Microsystems, Inc. Mechanism for dynamically constructing customized implementations to enforce restrictions
US6721888B1 (en) 1999-11-22 2004-04-13 Sun Microsystems, Inc. Mechanism for merging multiple policies
US7065342B1 (en) 1999-11-23 2006-06-20 Gofigure, L.L.C. System and mobile cellular telephone device for playing recorded music
JP2001222525A (en) * 1999-11-30 2001-08-17 Canon Inc Device, system and method for managing document and storage medium
US7203834B1 (en) * 1999-12-02 2007-04-10 International Business Machines Corporation Method of updating encryption keys in a data communication system
US7383233B1 (en) * 1999-12-03 2008-06-03 General Electric Company Method of designing an electronic transaction system
US6912514B2 (en) * 1999-12-03 2005-06-28 Matsushita Electric Industrial Co., Ltd. Content distribution system and a reference server
US20030061164A1 (en) * 1999-12-03 2003-03-27 William Muhammad Intellectual property brokerage system and method
CN100471108C (en) * 1999-12-06 2009-03-18 三洋电机株式会社;富士通株式会社;株式会社日立制作所 Data distribution system and recorder for use therein
US7188088B2 (en) * 1999-12-07 2007-03-06 Matsushita Electric Industrial Co., Ltd. Video editing apparatus, video editing method, and recording medium
US7184533B1 (en) 1999-12-07 2007-02-27 Siemens Communications, Inc. Method and apparatus for mixed media contact notification service
JP4881500B2 (en) * 1999-12-09 2012-02-22 ソニー株式会社 Information processing apparatus, information processing method, the content providing apparatus and a content providing method, playback apparatus and method, and recording medium
US6757824B1 (en) 1999-12-10 2004-06-29 Microsoft Corporation Client-side boot domains and boot rules
US6959384B1 (en) 1999-12-14 2005-10-25 Intertrust Technologies Corporation Systems and methods for authenticating and protecting the integrity of data streams and other data
US7047411B1 (en) 1999-12-17 2006-05-16 Microsoft Corporation Server for an electronic distribution system and method of operating same
US6970849B1 (en) 1999-12-17 2005-11-29 Microsoft Corporation Inter-server communication using request with encrypted parameter
JP2001175605A (en) * 1999-12-17 2001-06-29 Sony Corp Data processor
US6996720B1 (en) * 1999-12-17 2006-02-07 Microsoft Corporation System and method for accessing protected content in a rights-management architecture
JP2001175606A (en) * 1999-12-20 2001-06-29 Sony Corp Data processor, and data processing equipment and its method
US6792113B1 (en) 1999-12-20 2004-09-14 Microsoft Corporation Adaptable security mechanism for preventing unauthorized access of digital data
WO2001046880A1 (en) * 1999-12-21 2001-06-28 Sony Corporation Electronic money system
US7167844B1 (en) * 1999-12-22 2007-01-23 Accenture Llp Electronic menu document creator in a virtual financial environment
US6832316B1 (en) 1999-12-22 2004-12-14 Intertrust Technologies, Corp. Systems and methods for protecting data secrecy and integrity
US7610233B1 (en) 1999-12-22 2009-10-27 Accenture, Llp System, method and article of manufacture for initiation of bidding in a virtual trade financial environment
US6654032B1 (en) * 1999-12-23 2003-11-25 Webex Communications, Inc. Instant sharing of documents on a remote server
WO2001048633A1 (en) * 1999-12-24 2001-07-05 Telstra New Wave Pty Ltd A virtual token
US7389239B1 (en) * 1999-12-30 2008-06-17 At&T Delaware Intellectual Property, Inc. System and method for managing intellectual property
US7356498B2 (en) 1999-12-30 2008-04-08 Chicago Board Options Exchange, Incorporated Automated trading exchange system having integrated quote risk monitoring and integrated quote modification services
US7127405B1 (en) 1999-12-30 2006-10-24 Bellsouth Intellectual Property Corp. System and method for selecting and protecting intellectual property assets
US7801830B1 (en) 1999-12-30 2010-09-21 At&T Intellectual Property I, L.P. System and method for marketing, managing, and maintaining intellectual property
US7941468B2 (en) * 1999-12-30 2011-05-10 At&T Intellectual Property I, L.P. Infringer finder
US20040024714A1 (en) * 2000-12-29 2004-02-05 Wells Thomas E. Electronic safe deposit box
US7162429B1 (en) 2000-12-29 2007-01-09 Bellsouth Intellectual Property Corporation System and method for managing sponsorships
US7346518B1 (en) * 1999-12-30 2008-03-18 At&T Bls Intellectual Property, Inc. System and method for determining the marketability of intellectual property assets
US6711554B1 (en) 1999-12-30 2004-03-23 Lee Salzmann Method and system for managing and preparing documentation for real estate transactions
US9727916B1 (en) 1999-12-30 2017-08-08 Chicago Board Options Exchange, Incorporated Automated trading exchange system having integrated quote risk monitoring and integrated quote modification services
US20020114465A1 (en) * 2000-01-05 2002-08-22 Shen-Orr D. Chaim Digital content delivery system and method
WO2001050429A1 (en) * 2000-01-05 2001-07-12 American Express Travel Related Services Company, Inc. Smartcard internet authorization system
WO2001050396A1 (en) * 2000-01-05 2001-07-12 Iprivacy Llc Method and system for private shipping to anonymous users of a computer network
US7437317B1 (en) * 2000-01-12 2008-10-14 Oracle International Corporation System and method for providing a distributed marketing presentation
US7467099B2 (en) * 2000-01-13 2008-12-16 Access Co., Ltd. Information home electric appliance
US20010044787A1 (en) * 2000-01-13 2001-11-22 Gil Shwartz Secure private agent for electronic transactions
EP1247234A1 (en) * 2000-01-14 2002-10-09 Marconi Commerce Systems Inc. A data retail system
US7127425B1 (en) * 2000-01-14 2006-10-24 H & R Block Tax Services, Inc. System and method for providing a loan to a taxpayer based on a pre year-end tax refund
US6816596B1 (en) * 2000-01-14 2004-11-09 Microsoft Corporation Encrypting a digital object based on a key ID selected therefor
US7072862B1 (en) * 2000-01-14 2006-07-04 H&R Block Tax Services, Inc. Spending vehicles for payments
US7353209B1 (en) 2000-01-14 2008-04-01 Microsoft Corporation Releasing decrypted digital content to an authenticated path
US6772340B1 (en) 2000-01-14 2004-08-03 Microsoft Corporation Digital rights management system operating on computing device and having black box tied to computing device
US6912528B2 (en) * 2000-01-18 2005-06-28 Gregg S. Homer Rechargeable media distribution and play system
US6748539B1 (en) * 2000-01-19 2004-06-08 International Business Machines Corporation System and method for securely checking in and checking out digitized content
DE60132962T2 (en) * 2000-01-21 2009-02-26 Sony Corp. Data processing apparatus and data processing methods
US7093130B1 (en) * 2000-01-24 2006-08-15 The Regents Of The University Of California System and method for delivering and examining digital tickets
US20020111907A1 (en) * 2000-01-26 2002-08-15 Ling Marvin T. Systems and methods for conducting electronic commerce transactions requiring micropayment
US7328189B2 (en) * 2000-01-26 2008-02-05 Paybyclick Corporation Method and apparatus for conducting electronic commerce transactions using electronic tokens
US7177838B1 (en) 2000-01-26 2007-02-13 Paybyclick Corporation Method and apparatus for conducting electronic commerce transactions using electronic tokens
FR2804525A1 (en) * 2000-01-27 2001-08-03 St Microelectronics Sa Peripheral management system integrated into a circuit
US9252898B2 (en) 2000-01-28 2016-02-02 Zarbaña Digital Fund Llc Music distribution systems
US20030004891A1 (en) * 2000-01-28 2003-01-02 Van Rensburg Johannes Janse System for conducting commercial transactions
US6754784B1 (en) 2000-02-01 2004-06-22 Cirrus Logic, Inc. Methods and circuits for securing encached information
JP2003521751A (en) * 2000-02-01 2003-07-15 シラス ロジック、インコーポレイテッド Handheld audio decoder
US6965874B2 (en) * 2000-02-04 2005-11-15 Joseph Ronald G Jr. Method, apparatus and program product for facilitating transfer of vehicle leases
US7236596B2 (en) 2000-02-07 2007-06-26 Mikos, Ltd. Digital imaging system for evidentiary use
KR100479173B1 (en) * 2000-02-08 2005-03-25 최추환 The advertisement technical method and system using file structure or file to hold in check delete and edit in internet, computer and computer application device
US7644018B1 (en) * 2000-02-08 2010-01-05 Sony Corporation System and method for providing publicly vended content via a wireless network
WO2001059572A3 (en) * 2000-02-08 2002-12-12 Sony Corp America System and method for monitoring plural real-time customized data sources
DE60100408T2 (en) * 2000-02-08 2003-12-24 Ricoh Kk System for managing networked device
JP2001219440A (en) * 2000-02-09 2001-08-14 Sony Disc Technology Inc Multi-cavity molding apparatus and its molding method
EP1143698A3 (en) * 2000-02-09 2005-01-05 Canon Kabushiki Kaisha Data processing apparatus and method, and storage medium
US7343349B2 (en) * 2000-02-10 2008-03-11 Jove Corporation System and method for secure data and funds transfer
US6647417B1 (en) 2000-02-10 2003-11-11 World Theatre, Inc. Music distribution systems
US7120606B1 (en) 2000-02-10 2006-10-10 Jove Corporation System and method for secure electronic fund transfers
US7262778B1 (en) 2000-02-11 2007-08-28 Sony Corporation Automatic color adjustment of a template design
WO2001059653A1 (en) * 2000-02-11 2001-08-16 Sony Electronics, Inc. System and method for network revenue sharing
US7810037B1 (en) 2000-02-11 2010-10-05 Sony Corporation Online story collaboration
US8407595B1 (en) 2000-02-11 2013-03-26 Sony Corporation Imaging service for automating the display of images
US20020016910A1 (en) * 2000-02-11 2002-02-07 Wright Robert P. Method for secure distribution of documents over electronic networks
US7058903B1 (en) 2000-02-11 2006-06-06 Sony Corporation Image database jog/shuttle search
US6961714B1 (en) 2000-02-13 2005-11-01 David Levine Method of quantifying royalty owner rights
US6983374B2 (en) * 2000-02-14 2006-01-03 Kabushiki Kaisha Toshiba Tamper resistant microprocessor
JP2001230768A (en) * 2000-02-15 2001-08-24 Sony Corp System and method for information transaction and program supply medium
US6834308B1 (en) 2000-02-17 2004-12-21 Audible Magic Corporation Method and apparatus for identifying media content presented on a media playing device
WO2001061620A1 (en) * 2000-02-18 2001-08-23 Vasco Data Security, Inc. Field programmable smart card terminal and token device
GB0004178D0 (en) * 2000-02-22 2000-04-12 Nokia Networks Oy Integrity check in a communication system
US7596511B2 (en) * 2000-08-22 2009-09-29 Iclosings.Com Closing system for closing real-estate transactions between a plurality of parties
US7085735B1 (en) * 2000-02-23 2006-08-01 Iclosings.Com, Inc. System and method for conducting the closing of a real estate sale over a computerized network
EP1222597A4 (en) * 2000-02-23 2009-03-25 Digeo Inc Methods and devices for storing, distributing, and accessing intellectual property in digital form
US20010034758A1 (en) * 2000-02-24 2001-10-25 Dan Kikinis Virtual private network (VPN) for servicing home gateway system through external disk management
WO2001063567A3 (en) * 2000-02-25 2002-01-24 Alex Balashov Secure transaction system
CN1363071A (en) * 2000-02-25 2002-08-07 松下电器产业株式会社 Information distributing system
WO2001063460A2 (en) * 2000-02-25 2001-08-30 Vlahoplus John C Electronic ownership control system and method
EP1259947B1 (en) 2000-03-01 2004-10-20 Passgate Corporation Method for managing a user online financial transaction
US7865414B2 (en) * 2000-03-01 2011-01-04 Passgate Corporation Method, system and computer readable medium for web site account and e-commerce management from a central locat