CA2242777A1 - A secure pay-as-you-use system for computer software - Google Patents

A secure pay-as-you-use system for computer software

Info

Publication number
CA2242777A1
Authority
CA (Canada)
Prior art keywords
secure; access; software objects; software; secure processing
Legal status (as listed by Google Patents; an assumption, not a legal conclusion)
Abandoned
Application number
CA002242777A
Other languages
French (fr)
Inventor
John Griffits
Current Assignee (as listed; may be inaccurate)
Individual
Original Assignee
Individual
Priority claimed from
AUPN7479A (AUPN747996A0); AUPO0276A (AUPO027696A0); AUPO0777A (AUPO077796A0); AUPO1462A (AUPO146296A0)
Application filed by
Individual

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/109 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] by using specially-adapted hardware at the client
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/08 Payment architectures
    • G06Q20/12 Payment architectures specially adapted for electronic shopping systems
    • G06Q20/123 Shopping for digital content
    • G06Q20/1235 Shopping for digital content with control of digital rights management [DRM]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/08 Payment architectures
    • G06Q20/14 Payment architectures specially adapted for billing systems
    • G06Q20/145 Payments according to the detected use or quantity
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F17/00 Coin-freed apparatus for hiring articles; Coin-freed facilities or services
    • G07F17/0014 Coin-freed apparatus for hiring articles; Coin-freed facilities or services for vending, access and use of specific services not covered anywhere else in G07F17/00
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00 Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/007 Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2135 Metering

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Accounting & Taxation (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Finance (AREA)
  • General Business, Economics & Management (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Strategic Management (AREA)
  • Mathematical Physics (AREA)
  • Development Economics (AREA)
  • Economics (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

A method of renting software that relies on the reversal of encryption processes by the integration of secure processing into the system microprocessor of a user controlled data processing system. It consists of protected software objects that, in addition to being functionally limited so as to require reversal of that limitation within the system microprocessor, also carry closely integrated information about their conditions of use. This is used to distribute computer software on a large scale that may run on any computer.
The user is charged on a unit basis. The secure processes described for the system microprocessor will have applications in other secure processes.

Description

CA 02242777 1998-07-10 PCT/AU 97/00010 RECEIVED 15 SEP 1997
TITLE OF INVENTION: A secure pay-as-you-use system for computer software

TECHNICAL FIELD:
The distribution of software and other information that is reversibly functionally limited. Reversal is preferably by a secure device and preferably linked to generic rights of access. Validity of generic rights is preferably linked to availability of electronic funds. The method may be used to provide a flexible pay-for-use software usage system.
The usage system is particularly suited to offline mass distribution of large numbers of software objects.
11 DEFINITIONS:

Copy (or copies) may be one to many copies and may include replication of part or whole in any form and/or number.
Decrypt(ed) and decipher(ed) may be used interchangeably and refer to reversal of a previously applied encryption process.

Decode is generally used in the ordinary sense of decoding [...] etc; however, where the context permits it should be interpreted as for decrypt. Clear text (or clear code) may be information that is not encrypted and may be derived from encrypted information and/or may have been supplied as clear code.

Internal to the System CPU (or System Microprocessor) indicates that the hardware and/or microcode and/or software are on the same integrated circuit; and/or that they are on multiple [...] connected using any known method and [...] within the package of the system CPU; and/or part of the device is within the system CPU package and part (or all) external to the System CPU package and attached externally to the System CPU package using any method and [...].
A system CPU, also referenced as system microprocessor, is one that a person experienced in the art would consider to be suitable as the primary (or one of multiple primary) processing units in a User Controlled Data Processing System (UCDPS). For example the Intel [...] of a PC.

User Controlled Data Processing System: (also referenced as a UCDPS in this document) may include any data processing means that in part at least is physically under the control of a user. This may include personal computers; any other compatible computing systems where a user has control in part at least over software [...]; network computers; [...] multimedia data processing means; games consoles; personal data [...]. It allows for devices that operate standalone and/or in an online environment.

Process or processing refers to the actual execution of computer instructions, and/or the manipulation (in any way) of data associated with the computer instructions and/or [...] (in any way) of any other data.
Software Object: A software object consists, in part at least, of digital information:
Computer programs (that may include [...]) and/or subroutines that form part of a computer program may be considered software objects. Data pertaining to said computer program is a software object. Information that is processed by a UCDPS and output as text and/or images and/or sound may be a software object. Information used to generate output from an electronic book (and similar) may be a software object. The information supplied (eg. from a CD) to any means to generate music and/or other sound may be a software object. Information supplied to any means to generate visual imagery and/or video in the form of static and/or motion pictures may be a software object.
Information supplied (eg. from a digital video disc (DVD)) to any means used to generate music (and/or any other sound) and visual imagery (and/or video) in the form of static and/or motion pictures (eg. for digital TV) may be a software object.
Service provider: As used in this specification usually applies to one or multiple parties with access to information about the secure processing and/or information in one or multiple [...] User Controlled Data Processing Systems and/or involved in [...] and/or distribution of software objects and/or the payment system. It may also apply to any agent in the distribution process and/or the software producer.
PCPU: refers to part at least of a secure processing means within the system microprocessor package of a UCDPS.
ESPD: refers to a secure processing means attached directly or indirectly to any other part of the UCDPS.
End of Definitions

SUMMARY OF THE INVENTION AND BACKGROUND TO THE RELATED ART:
The present invention is in part based on the recognition that today's software distributors distribute to the user, in addition to the software itself, the right to execute that software. That is, more particularly, when a software object is sold to a typical user, the user acquires the software object itself and a right to use it. However, the user can, with a typical User Controlled Data Processing System (that may also be referenced as UCDPS in this specification), duplicate the software object and distribute it along with the (implied) right to use it to others. The invention seeks to separate the software object from the right to use it, such that the user may be able to make copies of the software and distribute these to others; however, they cannot distribute the right to execute. For the software object to become effective, the right to execute must be activated in a suitably equipped UCDPS. A software object that has been suitably modified to separate the right to execute from the software object itself is referred to as a Protected Software Object (that may also be referenced as a PSO in this specification). Further, the invention also seeks to provide a system wherein the right to execute may be used across multiple software objects, preferably at the discretion of the user of a UCDPS (within any agreed parameters, if any).

The invention allows that the separation of the right to use and the software object itself may be configured for an arrangement that is:
dependent entirely on [...] processing by a UCDPS for its implementation;
or
dependent in part at least on a secure processing environment:
for reversal, in part at least, of any reversible functional limitation placed on a software object, that may include any technique used to assist in separating the right to execute from the software object;
and/or, in part at least, for any other processing that needs to be kept secret.
Said reversal of said functional limitation may in part at least require: secret decryption and/or secret decoding and, in part at least, secret execution and/or processing of clear code generated by said secret decryption.
AMENDED SHEET (IPEA/AU)
US Patent 4,817,140 (Chandra and Comerford) and US Patent 4,644,493 provide a good background to the art of software protection at that time. The aforementioned patents introduce in detail the need for separating the right to execute from the software object itself. The right to execute described requires the transfer of a software key to a physically and logically secure processor that executes a critical portion of the software object in a secret configuration. The software key forms part at least of a decryption key and is particular to a specific software object. This provides an effective method of granting the user of an appropriately equipped User Controlled Data Processing System a distinct right of access to a particular software object. The inventors clearly state that they sought to devise a secure method of distributing software with no perturbation to the existing or planned channels of software distribution and minimum change to the means by which software is prepared for distribution. Their invention clearly deals with the traditional method of software distribution wherein a single copy (usually as a physical package) is sold to a user. In addition to the software object (and any documentation), they also supply a physical token that includes said software key.

One objective of the present invention is to transform the software distribution paradigm from one based on the sale of discrete packages to one where users may rent from a wide selection of packages and preferably pay on a usage basis. While one or multiple distinct rights of access may be used to control a particular software object, it is preferable that said control, in part at least, is by one or multiple generic rights operating across multiple software objects.

The preferred embodiment of the present invention describes a method for providing a software rental system on an offline basis and an alternative method that has varying levels of interaction with a service provider in an online manner. An important feature of the preferred embodiment of the present invention is the provision of at least one generic right of access. Multiple, and preferably many, software objects may be processed by a User Controlled Data Processing System equipped with said one or multiple generic rights of access. Said generic rights are validated in one or multiple ways to provide the actual control means to the use of software objects. Said control means provide multiple options for handling pay-for-use software distribution.

The distinct right of access described in the known art is based on the provision of a decryption key specifically required to decrypt a particular software object on a particular UCDPS. While the present invention allows that generic rights of access may be implemented in a similar manner, they are preferably used as a variable value token whose presence permits processing to continue. Said value is preferably modified against use of one or multiple software objects until it reaches a minimum amount, at which point it becomes invalid. The present invention also allows for the presence of distinct rights of access.

A further patent by Comerford and White, US Patent 5,109,413, describes a method of adding flexibility to the granting of distinct rights of access. This describes a method of metering the rights of access. In particular it permits a customer to purchase a right of access for a specified period of time and/or a specified number of events. This also describes a method of transferring said rights from one User Controlled Data Processing System to another, or back to the software producer. This method provides the user with more flexibility in their software purchasing than with more traditional systems, as they may elect to pay a reduced rate for a limited period of usage. This system is still dependent on the sale of discrete products to end users. The present invention seeks to overturn this concept of distribution and replace it with one wherein multiple software objects, and preferably a large number of software objects, are made available to User Controlled Data Processing Systems at nominal or no cost. The ideal scenario would release all software objects for a particular platform in this manner.

The preferred method of distribution of the present invention is on machine-readable media that may be of any type.
The preferred media is optical, in particular DVD. The latter is currently capable of storing 17 gigabytes. The software may also be distributed via any other means, including telephone, CTV, [...]. By applying a generic right of access to software objects the user is not usually required to obtain a key or any other distinct right of access to use any one or multiple products. Preferably, in part at least, the user obtains (usually by purchase) at least one generic right of access that they may apply across a large selection of software objects. Usage is preferably in units of time consumed (however, any other method is allowed). Unlike the known art, where a user is required to determine usage for a particular object and then obtain a right to said usage, the present invention permits the user to purchase a block of generic units that can be applied across multiple objects. This provides greater flexibility in choice of software and no wastage. Unused generic rights for one software object and/or group of software objects preferably may be used for other software object(s). The purchase for cash or credit of said generic right(s) ensures that payment is made for using software objects. Providing a means of ensuring that part at least of said generic rights are adjusted according to usage and/or are of limited time validity ensures that this generic right of access is not abused beyond the terms of any agreement between user and supplier (said agreement may be implied). The addition of a means of metering usage and recording use against one or multiple [...]
and/or software objects and/or any other means provides a method of allocating revenue generated from software object use amongst the software producers and/or agents. Any means is allowed for generating a report of software usage. The preferred means of motivating a user to forward said report is to invalidate one or multiple rights of access if they do not comply with any one or multiple conditions attached to the use of the software distribution system.

It is another objective of the invention to describe a method and apparatus that preferably enables part at least of the method and/or apparatus of the invention to be applied to modern operating systems and processor design. One deficiency of the known art is the provision of a secure software distribution and/or protection means that is compatible with multitasking operating systems. Although not limited to, this particularly applies to methods that require the presence of a logically and physically secure processing device.
US Patent 5,146,575 by Nolan describes a secured coprocessor intended for use with the rights of access patents described earlier. Said coprocessor includes a method of securely executing part of a software object within a secured environment. This method prevents any practical [...] analysis of the secret object code and is a very effective method of ensuring that protection measures applied to software objects are not bypassed. This is a desirable method; however, it does not allow for generic rights of access and, while it may be used to provide distinct rights of access to multiple software objects, it does not allow for operation in a multitasking or multiprocessor environment. It is also of limited flexibility.

US 5,146,575 also describes a means of separating secure system functions (that may also be referenced as supervisor functions in this specification) from processing of secure user functions (that may also be referenced as secure application functions in this specification). However, it does not describe a means of handling multiple secure application functions attached to multiple user programs. It also does not describe a means for isolating multiple secure application functions from multiple user programs such that one or multiple said secure application functions, in one way at least, cannot infringe the security of one or multiple other secure application functions and/or the secure supervisor. The present invention does describe such a method and apparatus.

It will be appreciated by those experienced in the art that at least one secure processing means (eg. a security coprocessor of a secure software protection means) operating simultaneously and/or synchronously with at least one other (usually unsecured) processing system may require a means for any secure processing means:
to be capable of handling multiple secure processes, and
preferably being able to detect task switching on its host processing means; this may be for any reason, however an important one is to avoid latency between host and slave switching.
The present invention describes a means to allow for this, and said means may be transparent to the UCDPS operating system and/or one that may require a patch and/or modification and/or any other direct and/or indirect changes to the UCDPS operating system.

The present invention also describes a means for software objects processing within the User Controlled Data Processing System to be able to interface with the secure processing means (usually a physical device) in a multitasking environment. The invention allows for any means to achieve this. The invention describes a method and apparatus that is transparent to the operating system and/or one that may require a patch and/or modification and/or any other direct and/or indirect changes to the UCDPS operating system.
The method and apparatus described for multitasking may also be applicable to providing a secure interface in a multiprocessor environment. It may also permit the software protection system described in this specification to be implemented in a multitasking and/or multiprocessor environment. This may be achieved transparently to the operating system and/or one that may require a patch and/or modification and/or any other direct and/or indirect changes to the UCDPS operating system.

Another limitation of the method and apparatus described in US Patent 5,146,575 is that the secure supervisor functions are stored in read only memory. This includes master decryption keys. The secure multitasking features of the present invention may be applied to multiple software objects executing concurrently and, with the rapid development in [...], it is expected that a large number of software objects using the present invention may fall into this category. Furthermore, many of the software protection systems described in the known art may be implemented within the structure of the present invention. Additionally, the present invention may be suitable as a secure means of communication and electronic commerce, and these may operate in conjunction with the software protection system while maintaining the security of their own processes.
There is scope to develop the present invention into an industry standard for secure processing means within a User Controlled Data Processing System. To cover all contingencies the invention describes a method and apparatus that provides a flexible secure supervisor means that may, in part at least, be in non-volatile random access memory.
Said supervisor means is preferably able to be securely modified in part or whole while in the location of a User Controlled Data Processing System. Said supervisor means may be configured such that all functions and/or decryption/encryption keys may be modified, and this may be dynamic. The invention allows for a version wherein software objects supplied to the user modify secure supervisor functions on the fly. This provides a secure and flexible means of handling almost any secure and/or unsecured process.
Reference to US Patents 5,649,187, 5,613,089, 5,497,479 and 5,388,211 by Hornbuckle, Gary D, describes a means of transferring part of the concept of pay-for-use time-sharing of software on a [...] system to a User Controlled Data Processing System environment. Hornbuckle describes a number of analogies with pay-for-use cable TV systems. He gives a good overview of the art of distributing electronic information on a rental basis.
However, the method described for software rental has a number of limitations that are unlikely to see it adopted on a large scale as a comprehensive method of software use.

Hornbuckle describes a method of software rental on a User Controlled Data Processing System (eg. a personal computer) that shifts the primary metering means for software usage from a remote processing system (as in time-share [...] on mainframes) to the location of the User Controlled Data Processing System. Metering is achieved with a secured remote control module attached to the UCDPS.
Hornbuckle defines software rental as the service of providing software on a pay-as-used basis and, as described, this involves:
the metering of time usage of a single software object supplied by a remote host rental system, with periodic transfer of said time usage to a remote host rental system for future billing of software usage;
and
communication with the host computer is an integral part of the software rental concept, and the microprocessor within the metering means is configured to destroy an encryption key if the UCDPS is disconnected from a telephone line for more than a selected period and/or if the telephone number that the UCDPS is connected to is changed.

The software rental system as described by Hornbuckle is clearly a method in which the user is subsequently billed for time units used. It makes no allowance for a user to pay in advance for one or multiple rights of usage (for cash and/or on credit), in particular rights that may be used across multiple software objects.
The present invention may permit the user, in part at least, to pay in advance for software access and allocate this access across software objects as they choose.
The present invention may permit the user to pay in advance for a block of usage for a particular period of time (for example the purchase of unlimited access to multiple computer games for a period of time, say one month).


The method and apparatus of Hornbuckle can only handle one rental application program at a time in a particular UCDPS, and his claims only refer to: '1. A method of renting an application program for use on a customer computer comprising the method steps of:' (see US Patent 5,649,187). The use of the singular is clearly intended, as no method or apparatus is described for the rental of multiple programs on a UCDPS. In summary, the method of Hornbuckle provides for a UCDPS to be linked via a remote control means (RCM) to a host rental system (via another RCM at the host location). The user selects an application program that they wish to run. The host system supplies this (usually via the communication link) to the target UCDPS. The program includes an encrypted portion and a key module that is encrypted. The system also requires a patch to the operating system of the UCDPS; however, as this is common across different UCDPSs and programs, it may not need to be supplied each time. The program may be executed if an authorisation key is received from the host rental system
and the encrypted decryption key is decrypted within the secret environment of the RCM. In addition to it not being claimed, it will be apparent to those experienced in the art that it is not practical to transfer, and to be able to use, multiple rental objects within a UCDPS using the method described by Hornbuckle. Some of the reasons for this may include:
i) multiple software objects may vary considerably in their commercial worth, and a system that is capable of handling multiple software objects would usually require a means of differentiating this value;
the absence of such a means may enable a user to execute programs that are of high value at the rate applicable to a low value program; this would particularly be the case for the method of Hornbuckle, as the only metering means is time and there is only one decryption key described;
ii) multiple software objects also require a means for the metering system to distinguish between, and separately record, each software object and/or groups of software objects; this may include recording usage, that may be time and/or event based and/or any other suitable metering means, against individual software objects and/or groupings of software objects (eg. by software producer);
iii) a means for part or all of the [...] system to adapt to the requirements of different software objects.
The present invention does seek to provide a means that in part at least may implement a rental system that includes provision, in part at least, for the matters described in i) to iii) above, and this may be applied in part at least to:
the system described by Hornbuckle that is integrally dependent on communication with a remote rental system, and/or any other system of software distribution and/or protection and/or rental, in part at least, that:
is integrally dependent on an online connection to at least one remote data processing means;
and/or
is functional in a total offline environment;
and/or
that, while operating offline, may use an optional online connection for transfer of part at least of information between a UCDPS and at least one service provider (eg. various reports and/or receipt or return of electronic funds). As previously described, the present invention also seeks to provide a means for handling multiple software objects in a multitasking and/or multiprocessor environment.
The present invention describes multiple methods for controlling the execution of multiple software objects such that they do not exceed their [...] conditions. The system preferably identifies each software object and records usage [...]. In addition to rental of software being pay-as-used, much of the power of the present invention is that it is pay-in-advance, such that the usage limits are defined generically and used as required within these limits.


Software usage may be on the basis of a predetermined payment for a predetermined period of use, usually across multiple software objects.
Another limitation of the method and apparatus described by Hornbuckle is that, while the protection applied to a software object is by encryption, providing practical protection while in this format, the method relies on the transfer of a decrypted key module to unprotected areas of the UCDPS for actual processing. In this environment it is subject to analysis. A determined pirate could readily access this information. Moreover, because the control on access to the decrypted key module is by an operating system patch, said patch may be controlled by a higher level patch. This may potentially reveal secure information. While this would be beyond the expertise of the average user, it would only take one smart [...] to supply such a patch and the entire software rental process may be compromised. This is especially the case as the same operating system patch is applied across all UCDPSs of the same type.

While the present invention allows for embodiments at lower levels of security, its preferred embodiment preferably includes the application of a high level of security to protected software objects. In particular, the present invention of this specification enhances system security by providing that part at least of the software object may be:
decrypted by a secure device and may in part at least, require the decrypted clear code to be executed in secrecy;
and if the secure device is sufficiently physically and logically tamper-proof, it is not practical, even for an expert person, to access the secret information. This may apply before and/or during and/or after processing of one or multiple software objects.

The information to be decrypted may be resident in the secure processing means, and/or transferred during and/or after execution of part at least of one or multiple software objects. The present invention also allows that secret information may be resident within said secure processing means in clear code and not require any decryption process to be applied. Additionally, by linking the metering process to this internal execution, the user may not be able to decouple the metering means from software processing, and this is preferably the case. The present invention preferably creates protected software objects that run transparently to the operating system. They may be configured such that the user loads them as they would any unprotected software object and they execute. When they reach an area of encryption and/or a region that needs interaction (for any reason) with the secure processing means, this is a seamless process. Moreover, the process is compatible with multitasking protected software objects.
DETAILED DESCRIPTION OF THE INVENTION:

The invention seeks to provide a method and apparatus for software object protection and/or distribution that may fundamentally shift the software distribution paradigm from one involving the sale of boxed product to one that is oriented towards a system of software object usage based on pay-for-use and/or pay-as-used models. It may be configured to provide the user with flexibility in how they use and pay for software. While the invention may be configured for operation in part at least in an online situation, it is essentially intended for use in standalone User Controlled Data Processing Systems and in the preferred embodiment makes large numbers of software objects available to the user on high-density optical media.

The invention also allows for the use, in part at least, of the means described for providing protected software objects to a UCDPS to be applied to any means that, in part at least, securely converts protected digital information to a format that may be used to:
generate information on a visual display means, preferably maintaining decrypted digital information secret, in part at least, until it is converted to an analogue format, and preferably securing said analogue information from examination;
and/or generate information on a sound output device, preferably maintaining decrypted digital information secret, in part at least, until it is converted to an analogue format, and preferably securing said analogue information from examination.
Those experienced in the art will appreciate that a digital video disk player configured, in part at least, with the invention may provide such a secure visual and audio generating means.

One, non-inclusive, objective of the invention is to provide a means wherein a plurality of software objects may be compiled into one at least libraries of software objects and made available, in part at least, to consumers of digital content. The control on the use of these software objects is not primarily by controlling the distribution of the objects (as is presently the case with most commercial software). In fact the unrestricted distribution of software objects may actually enhance the potential for increased revenue to their owners and agents, by exposing more potential customers to the objects.
Software objects are preferably made readily available to potential users via any means, for example the Internet.
The preferred method would supply users one at least said libraries, in part at least, on any type of computer accessible memory media. The cost to the user of this information is preferably nominal or free. The preferred media at present is high-density optical media, minimising the number of physical objects that the user needs to acquire. CD ROMs (read and/or read/write) are presently the most common optical media, however, this is likely to be superseded soon by Digital Video (or Versatile) Disks (DVD). Any optical media is allowed for, including any future mass storage means. The users are preferably provided updated disks on any basis, for example monthly, quarterly. Read/Write DVD may make it possible for the user to update directly to optical media.
The library of software objects preferably includes multiple software objects from the same producer and/or multiple software objects from different producers. The library may include computer programs, for example, a library of computer games, in part at least. The library may include digital objects representative of images, for example, literary works. The library may include digital objects representative of sound, for example music. The library may include digital objects representative of images and sound, for example, video movies. The library may consist of any one or multiple classes of digital information, for example computer programs and/or music, and/or literary text, and/or movies.
One at least libraries is preferably updated by the provision of update information. This is preferably on a periodic basis. Said update information may include new versions of existing material, new software objects, instructions to delete existing objects and/or any other information. It may also include control information pertaining to one at least objects in said one at least libraries. Update information is preferably supplied on computer readable media, however, it may be supplied in part at least via any other electronic and/or optical and/or communications and/or broadcast means. This may include the use of the Internet (and/or equivalent). The invention allows that the Internet and/or other non-physical media means may be used as the primary or secondary means of supplying software objects.

The invention describes multiple means that the user may select to pay for the use of software objects, including outright purchase for unlimited use of one or more objects. The preferred methods do not restrict the user to a predetermined usage pattern for a software object, as may be the case with the known art where a user may have to purchase a product on a limited time and/or events basis (or purchase the product outright).
With the present invention, the user is preferably provided with one at least generic right of access that may be used to access multiple software objects on a frequency and usage basis that meets the needs of the user at any particular time. This provides great flexibility in the consumption of digital information and minimises wastage. For example, the user does not need to commit to the use of a particular software object for 30 days, only to discover that they no longer require it and/or that it fails to meet their requirements. Producers are preferably paid on the basis of the number of units of time and/or events that a user utilizes their product(s).

Despite the extensive permutations described for the payment of software object consumption in this specification, it is anticipated that market forces will drive the usage of digital information, particularly in the consumer market, towards a common means.
The means described by the present invention provide an effective and secure method of distributing most digital content. These means may be applied to the distribution of software objects along traditional lines. This is not a preferred objective.
The known art also describes systems that allow software objects (in particular computer applications) to be validated for use for a period of time (eg. a month) or for a predetermined number of events. This provides greater flexibility to the customer, however, it is much more limiting than, part at least, of the means described in this specification.
The present invention provides the user with the means to purchase usage for a fraction of a second and/or any measurable event basis. This method is flexible, effective and expected to be used with specialised computer applications and databases.
Consumers are expected to prefer an alternative model (referred to as Method Unlimited) provided by the invention that enables them to purchase unlimited access to, one at least, libraries (or part libraries) of software objects for a predetermined time (and/or number of events), for a preferably known amount (or maximum amount) of outlay. This may particularly apply to consumer applications programs (particularly games), and/or electronic books, and/or music and/or videos.
For example, a user may pay $X for unlimited use of the entire library (or part thereof) of computer games available for their computer for a month (it may be for any period of time). This is a similar process as currently applies to many users accessing the Internet and/or cable TV. If the user doesn't play any computer games in the period they may still need to pay their monthly charges, in part at least. On the other extreme, users may continuously play games for the entire allotted period. The average will usually be somewhere in between. This method allows the user to control their budget without the necessity of watching the clock as they play. It may also assist producers and/or distributors to estimate revenue streams. This method may be modified in any way, including by any other means described for the invention, for example, metering, advertising. The unlimited usage may be on any basis (eg. per day and/or number of events).
With said Method Unlimited, the amount returned to producers for any number of units of use (eg. seconds of use) may be variable from one user to the next. The invention allows for any method of distributing software revenue amongst multiple producers on any (preferably agreed) pro-rata and/or other basis. The preferred method meters the usage of one or multiple software objects by a UCDPS on a time used basis and provides a report of usage (preferably on a regular basis) to a service provider.
One method may determine the time usage for each product by a user in a particular period and convert the time used on each product to a percentage of the total time the user accessed the library for said period. The percentage use for each product may then be used to calculate the percentage of the revenue collected from the user that may be allocated to each software object. Any other means may be used, including those that aggregate multiple users in the calculation.
For example, if user one plays 'Let's shoot the patent attorney' for 25 seconds (they are very efficient) and no other games for the month, the producer may receive all of the funds received from that user for the month, eg. $19 (less amounts paid to all the hangers on!). User two may shoot patent attorneys for 72 hours solid, however, if he also plays 'Let's be kind to the poor old patent examiner' for 144 hours, the producer of patent attorney shooting may only receive one third of $19 (less service costs!), despite the fact that the game was used for a longer period of time than the case with user one.
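The following is an added worked example of the pro-rata allocation just described, written in Python; it is not part of this specification. It assumes a usage report in the form of seconds of use per software object per user and a flat monthly fee per user. The two users, the two games and the $19 fee are the constructed figures from the example above; the producer names and the settlement rounding rule are assumptions.

```python
"""Pro-rata revenue allocation for a flat-fee ("Method Unlimited") library period.

Added worked example, not code from the patent. Assumes a usage report of
seconds used per software object per user, and one flat fee per user.
"""
from collections import defaultdict
from fractions import Fraction

# Constructed sample usage report: user -> {software object: seconds used}.
# Figures mirror the text: 25 s of one game; 72 h + 144 h of two games.
SAMPLE_REPORT = {
    "user1": {"shoot_the_patent_attorney": 25},
    "user2": {"shoot_the_patent_attorney": 72 * 3600,
              "be_kind_to_the_examiner": 144 * 3600},
}
# Constructed producer register (assumed names): software object -> producer.
PRODUCERS = {"shoot_the_patent_attorney": "Acme",
             "be_kind_to_the_examiner": "Bravo"}


def allocate_user_fee(usage, fee):
    """Split one user's fee across the objects they used, pro rata by time used.

    Returns {object: Fraction share of fee}. Fractions are used so shares sum
    exactly to the fee. A user with zero usage yields {}: the fee is still
    owed, but there is nothing to allocate it to.
    """
    total = sum(usage.values())
    if total == 0:
        return {}
    return {obj: Fraction(fee) * Fraction(secs, total)
            for obj, secs in usage.items()}


def allocate_period(report, fee, producers):
    """Aggregate pro-rata shares per object and per producer over all users.

    This is why a producer's return per second varies from user to user: the
    same object earns the whole fee from a light user who used nothing else,
    and only a third of it from a heavy user who split time across objects.
    """
    per_object = defaultdict(Fraction)
    per_producer = defaultdict(Fraction)
    for usage in report.values():
        for obj, share in allocate_user_fee(usage, fee).items():
            per_object[obj] += share
            per_producer[producers[obj]] += share
    return dict(per_object), dict(per_producer)


def to_cents(amount):
    """Round a Fraction of dollars to whole cents (half-up) for settlement."""
    return int((amount * 100 + Fraction(1, 2)) // 1)


if __name__ == "__main__":
    objs, prods = allocate_period(SAMPLE_REPORT, 19, PRODUCERS)
    for name, amount in prods.items():
        print(name, to_cents(amount) / 100)
```

Run as a script it prints each producer's settlement: the attorney-shooting producer receives $19 from user one plus one third of $19 from user two, the other producer two thirds of $19 from user two alone.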
The invention allows that objects may be compiled into multiple groups that may contain the same type of object and/or multiple types of objects. The amount charged for access to one at least groups may be the same or different as compared to any one or multiple other groups. The invention allows that the purchase of multiple groups may provide discounts to the user. For example, unlimited games may cost $19 and unlimited music may cost $19 and unlimited videos may cost $29. However, games and music may cost $29 for the month and all three $39. The addition of all novels in electronic format may add another $5. These are strictly for example and any amounts, periods of access, combinations etc may be used.
As described before, the information may be delivered to the user by any means. The preferred method delivers software libraries on optical medium, provides updates on optical medium and uses the Internet as a method for more immediate information and usage reporting. The invention provides a means whereby Rupert Murdoch and News Corp, for example, are just one source (if they are lucky) of digital information to the consumer, who may select from a diversity of sources.

While the ultimate solution for the delivery of digital information may be a high speed network that can rapidly deliver any digital information; with payment of usage an automatic process, securely debited from the user's electronic bank and securely transferred to the producer (and/or agents); and all reporting a seamless transparent process, the reality is that a mix of manual and automatic methods are likely to be required for some time.
The present inventor anticipates that one practical scenario may be for the user to visit their local newsagency (or book store); buy the latest month's games magazine that includes the latest DVD of new games, with the purchase price including access to all games in the user's software library for the next month. Users may even deliver the previous month's usage report this way (forbid the thought, it may even be on a floppy disk). They can pay by credit card or cash using old-fashioned methods. Once users have a secure processing means in their computer, they may have no need to connect to the service provider's network.

The present invention has been designed to cope with a completely offline scenario and/or a method that relies on partial connection to network means, and/or one totally dependent on network connection. In addition to providing a secure method of controlling software object usage, the invention may also be configured to handle electronic commerce and/or conversations and may be part of a distributed electronic commerce network.

Those experienced in the art will realise that some controls need to be placed on the use of software objects distributed on such an unrestricted basis.

Software objects distributed using the means of the invention are preferably functionally limited, in part at least, such that they require a secure processing means coupled to the target UCDPS to, in part at least, reverse the functional limitation applied to said software objects. This secure means may also be used to regulate the use and/or meter the use and/or report on the use of a plurality of software objects.
The functional limitation placed on a software object is usually reversible (for obvious reasons) and this reversal preferably occurs, in part at least, by a secure processing means. The functional limitation placed on a software object may include, in part at least, one at least of the following:
i) encryption of at least a portion of said software object and preferably an essential portion of said software object.
ii) the absence of a functional aspect of said software object with said functional aspect preferably an important part.
iii) the addition of information to said software object, and said addition preferably includes software object support information.
Software objects that are functionally limited may be referred to as Protected Software Objects (PSO) in this specification. PSO are usually coupled to object support information and/or various control information, that may be an integral part of the PSO and in part at least, may define the rights of access pertaining to one at least software objects. The secure processing means preferably ensures, in part at least, that the use of one at least software objects complies with that intended by the producer and/or distributor and/or any other authorized parties. The secure processing means preferably meters the use of software objects and preferably generates a secure report of usage.
The preferred secure processing means is a logically and physically secure device that is coupled to a UCDPS and/or other electronic devices described by the invention. The logically and/or physically secure processing means preferably may be used to perform one at least other secure functions, for example, secure electronic funds transfer, secure communications, secure electronic commerce. This may be in conjunction with the secure distribution of software objects or in isolation.
A logically and/or physically secure processing means may be referred to as a Secure Processing Device (SPD) in this specification. It preferably includes one at least means to detect physical and/or logical tampering with the device.

As already noted, it is usually difficult to distribute multiple software objects for one at least UCDPS and control the use of said software objects on a UCDPS in the absence of some functional limitation on their use. Otherwise a user may load the object onto one of potentially hundreds of millions (in the case of PCs) of UCDPSs and process the software object to their heart's desire (what a quaint old phrase) or more likely, the evil machinations of a devious mind.

The reversal of the functional limitation is preferably in a manner that does not provide the user with access to, part at least, of the information in a usable digital format (and where appropriate, preferably denies access to information in analogue format). In the case of audio and video information the preferred solution integrates the decryption of digital information and its conversion to analogue output within a secure device. This may then be connected to a suitable sound generating and/or display output means that may also be within a secure enclosure.

Several options may apply to the processing of digital information that is part of a computer applications program.
At present the system CPUs of conventional personal computers do not include a secure processing means and information delivered in encrypted format would usually need to be provided in clear code for use by the system CPU. It is also susceptible to unauthorised analysis in this format. The present invention allows that the SPD may remove, part at least, of the functional limitation applied to computer programs and pass the clear code to the system CPU for processing. The preferred option has the SPD decrypt, in part at least, encrypted information pertaining to a computer applications program and execute, in part at least, said decrypted information within said SPD. This prevents the unauthorised analysis of encrypted portions of the object. The control information coupled to software objects (described later) is preferably processed, in part at least, within the SPD.

The preferred location for the SPD is within the package of the System CPU (eg. Pentium). This makes it difficult for pirates to access decrypted and unencrypted information, provides improved performance between secure and unsecure processing and may only require a marginal increase in the cost of production of the CPU. Furthermore, the security functions (eg. additional processors) may be used to improve the performance of the CPU.
The SPD may also be included, in part at least, in any other part of the UCDPS and/or peripherals attached to the UCDPS.
The preferred embodiment of the invention describes several methods of including an SPD within the system CPU and one example of a board that plugs into the computer bus. Those experienced in the art will be able to adapt this technology to other suitable locations.
When part at least of a computer program is to be executed within an SPD, it may be necessary to convert the object code of the applications program to a version compatible with the secure processing means. The invention also allows that the secure processing means may be object code compatible, in part at least, with the system CPU, minimizing or eliminating the need to make changes to the object code of the computer program. For example, the secure processing means may be a replica, in part at least, of the primary processing means.

In its simplest embodiment, an SPD requires a secure processing means and secure memory (part of which is preferably non-volatile) and software to transfer information to and from the SPD and process it as needed. The software is preferably implemented as a secure, multitasking operating system kernel, referred to as secure system functions or secure functions in this specification. The specification describes multiple functions that may be included as part of secure system functions. A right of access processing means is usually included to ensure, in part at least, that one at least conditions of use, coupled to one at least software objects, have the appropriate rights of access coupled to the SPD.
A secure realtime clock/calendar means is preferably included, together with one or multiple other optional means. These are described in detail later in this specification.
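The following added example (Python; not the specification's own code) simulates the secure system functions described above and the metering of Protected Software Objects described earlier: right-of-access processing against the control information coupled to a PSO, metering of use against a pay-in-advance pool of seconds or a Method Unlimited period checked against the secure realtime clock, and generation of a usage report authenticated with a device key so the service provider can detect an edited or replayed report. The class and field names, the report format and the device key are assumptions; the key stands in for a secret that a real SPD would hold in tamper-resistant storage.

```python
"""Secure system functions of an SPD, simulated: right-of-access checking,
usage metering against pay-in-advance limits, and an authenticated usage report.

Added example, not code from the patent. All names are assumptions.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Assumed device secret; in a real SPD this never leaves secure memory.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


@dataclass
class RightOfAccess:
    """A generic right bought in advance: the library it unlocks, a pool of
    seconds (None = Method Unlimited, no per-second limit) and an expiry."""
    library: str
    seconds_left: Optional[int]
    expires_at: int  # seconds since epoch, compared with the secure clock


@dataclass
class ControlInfo:
    """Control information coupled to a PSO: which library/right it needs."""
    object_id: str
    library: str


class AccessDenied(Exception):
    pass


@dataclass
class SecureKernel:
    clock: int                                   # secure realtime clock
    rights: list = field(default_factory=list)
    usage: dict = field(default_factory=dict)    # object_id -> metered seconds
    report_seq: int = 0                          # detects replayed reports

    def _find_right(self, ctl):
        for r in self.rights:
            if (r.library == ctl.library and r.expires_at > self.clock
                    and (r.seconds_left is None or r.seconds_left > 0)):
                return r
        return None

    def check_access(self, ctl):
        """Right-of-access processing: is there a valid right for this PSO now?"""
        return self._find_right(ctl) is not None

    def meter(self, ctl, seconds):
        """Meter `seconds` of use of a PSO and advance the secure clock.

        Returns the seconds actually granted: fewer than requested when the
        right expires or its pool runs dry mid-way, so the PSO's secure
        portion must stop executing at that point.
        """
        right = self._find_right(ctl)
        if right is None:
            raise AccessDenied(ctl.object_id)
        granted = min(seconds, right.expires_at - self.clock)
        if right.seconds_left is not None:
            granted = min(granted, right.seconds_left)
            right.seconds_left -= granted
        self.usage[ctl.object_id] = self.usage.get(ctl.object_id, 0) + granted
        self.clock += granted
        return granted

    def report(self):
        """Build a usage report and MAC it with the device key, so a report
        carried to the service provider (even on a floppy) cannot be edited."""
        self.report_seq += 1
        body = json.dumps({"seq": self.report_seq, "clock": self.clock,
                           "usage": self.usage}, sort_keys=True).encode()
        tag = hmac.new(DEVICE_KEY, body, hashlib.sha256).hexdigest()
        self.usage = {}  # reported usage is cleared; the report stays bound to seq
        return body, tag


def verify_report(body, tag, last_seq):
    """Service-provider side: check the MAC and that the sequence advances.
    Returns the parsed report, or None if it is forged, edited or replayed."""
    expected = hmac.new(DEVICE_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    data = json.loads(body)
    return data if data["seq"] > last_seq else None
```

The metering call is what the text means by linking metering to internal execution: the PSO's secure portion only keeps running for as many seconds as `meter` grants, so the user cannot run the object while bypassing the meter.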

One method of ensuring the security of an SPD is to dedicate a microprocessor to secure processing functions. Once the secure processor also needs to perform unsecure processing, precautions need to be taken to maintain the integrity of secure processes.

The preferred embodiment of an SPD describes a means for including a single secure processor (that may be extended to multiple secure processors) within the package (preferably on the same die) as the system CPU. This secure processor is isolated from unsecure processing (preferably by a combination of hardware and suitable software). Information is transferred from unsecure locations to secure locations and processed as required in secret.
The secure processor may load information from external memory and/or transfer information back to external memory using any means, that may include one at least of the following:
• under DMA control (preferably securely controlled by the secure processor).
• access external memory by programmed I/O (for example, it may share the system CPU data and address bus on a multiplexed basis, and/or duplicate these buses, in part at least).
• read information from locations written to by unsecure means (and/or the reverse), for example by the use of multi-port memory (eg. dual port RAM). For example the system CPU may write information to dual port memory that is read by the secure processor, however, there is no means for the CPU to write directly to secure memory storage means. The secure processor may write information to dual port memory for reading by the system CPU, however, the system CPU may not read directly from secure storage means. Any other means is allowed for, for example, FIFOs (that may be arranged to pass information in both directions), and/or latches and/or registers (unidirectional and/or bidirectional).
The decryption of information usually occurs once the information is within secure memory. The decryption process may use programmed means and/or dedicated hardware (eg. a DES engine). An incoming information stream representative of video or sound may be decoded in realtime by means known to the art, eg. MPEG 2 decoders.
The known art (US patents 4465901, 4419079, 4278837, 4168396) describes processors that are capable of decoding computer instructions and/or data in realtime as they are transferred from locations external to the processor to the processor's internal registers and/or memory. Realtime decryption may decipher information in the time that it takes to access external information and clock this information into internal locations, however, it also allows for one at least wait cycles in the process. This known art encodes the data as a complex function of its address in memory and may add further complexity by encrypting the addresses themselves, making the sequence of program operations difficult to trace. The present invention allows that these techniques may be applied to programmed I/O and/or to information transferred by DMA. One problem with the known art is that the encrypted information is usually located at a consistent address. In the case of most personal computer systems, a program may be loaded to a different address on each occasion. The present invention seeks to describe a means that may permit the address that encrypted data is located at within unsecure memory means, to be used as part of the decoding algorithm, even when this address may vary on each use of the program. The preferred method is to include an address offset register within secure memory to compensate for the variable location of information.
The known art also describes one master key to decrypt information in realtime. The present invention describes a means for multiple programs to have their own decryption keys and these may be loaded, in part at least, with the program. The invention also allows that multiple computer programs that may be subject to realtime decryption may co-exist with multiple other programs subject to realtime decryption (that may have different decryption keys), and/or may co-exist with programs that are not encrypted. Programs that have been encrypted for decryption by a realtime decryption means may also include information that requires decryption by other means described for the invention. The present invention further describes additional methods of realtime decryption that may use previously loaded information and/or past and/or present register contents to generate decryption keys. The preferred means supplies a variety of information sources into a suitably complex logic arrangement to generate a complex decryption key that preferably varies significantly for information stored at one location in a program to that which follows. This decryption key is preferably supplied to an exclusive-or arrangement (or equivalent) as one set of inputs and the encrypted information supplied as the other set of inputs. The output preferably returns clear code within a secure environment. This process may occur in a single clock cycle. The invention allows for multiple wait states. Special instructions (preferably encrypted) may be used to control switching of the realtime decryption process. This is described in detail in the preferred embodiment. The realtime decryption process may be applied, in part at least, to encryption of information when transferred from secure to unsecure locations (eg. the storage of variables in external memory). It is preferable that different encryption/decryption keys are applied to instructions and data.
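The following added example (Python; not code from this specification or from the cited patents) models the realtime decryption scheme just described: each word of a program image is encrypted under that program's own key as a function of the word's address relative to the start of the image; the secure processor records the load address of each program in an address offset register and subtracts it before deriving the per-word key, so the same image decrypts at whatever base the operating system loads it; instructions and data use different keystreams under the same key; and encrypted programs co-exist with unencrypted ones and with each other. The key derivation (keyed BLAKE2b over the relative address) is an illustrative stand-in for the complex logic arrangement the text leaves unspecified, and all names are assumptions.

```python
"""Realtime per-word decryption keyed by address, with an address offset
register so a program loaded at a different base still decrypts.

Added example; not the patent's circuits. The keystream function is an
illustrative stand-in for the "suitably complex logic" of the text.
"""
import hashlib

WORD = 4  # bytes per word; one XOR per word per clock


def _keystream(program_key, rel_addr, domain):
    """Key for one word, derived from the address relative to the program's
    base; it changes completely from one word address to the next."""
    msg = domain + rel_addr.to_bytes(8, "little")
    return hashlib.blake2b(msg, key=program_key, digest_size=WORD).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_image(clear, program_key, domain=b"insn"):
    """Producer side: encrypt a word-aligned image. Word i is keyed by its
    offset i*WORD from the start of the image, which is exactly what the
    address offset register will subtract at fetch time."""
    assert len(clear) % WORD == 0
    return b"".join(_xor(clear[i:i + WORD], _keystream(program_key, i, domain))
                    for i in range(0, len(clear), WORD))


class SecureProcessor:
    """Unsecure RAM is a flat bytearray the system CPU can read. The secure
    side holds, per loaded encrypted program, its key and its address offset
    register (the load base); neither is visible outside the SPD."""

    def __init__(self, ram_size):
        self.ram = bytearray(ram_size)
        self._regions = []  # secure memory: (base, end, key) per program

    def load_program(self, image, base, program_key=None):
        """Loader: copy the still-encrypted image to `base` (which may differ
        on every run) and record base as that program's offset register.
        With no key the program is plain and fetched unchanged."""
        self.ram[base:base + len(image)] = image
        if program_key is not None:
            self._regions.append((base, base + len(image), program_key))

    def _region(self, addr):
        for base, end, key in self._regions:
            if base <= addr < end:
                return base, key
        return None

    def fetch(self, addr, domain=b"insn"):
        """Realtime fetch: read the word at `addr` and XOR it with the key
        derived from (addr - offset register). Clear code exists only on
        the secure side of this call; the bus only ever carries ciphertext."""
        word = bytes(self.ram[addr:addr + WORD])
        hit = self._region(addr)
        if hit is None:
            return word  # unencrypted program co-existing in the same RAM
        base, key = hit
        return _xor(word, _keystream(key, addr - base, domain))

    def fetch_range(self, addr, n_words, domain=b"insn"):
        return b"".join(self.fetch(addr + i * WORD, domain) for i in range(n_words))
```

A program whose region is recorded with the wrong base (an offset register that does not match where the loader actually put it) decrypts to garbage, which is the failure the offset register exists to avoid when load addresses vary from run to run.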

Another preferred embodiment describes a method for providing a system microprocessor that performs secure and unsecure processing within a single processing means. It may use one at least of the methods described for a secure only processing means.

Secure processing means preferably protect secure information within registers and/or cache locations when processing transfers from more secure to less secure (or to unsecure) processes. This may include clearing of register means, encryption of registers (preferably in realtime), flushing of processor caches (in part at least) and/or invalidation of caches when processing is transferred to unsecure locations and/or when processing is transferred to secure means.
Another embodiment includes multiple processors that may alternate between secure and unsecure processing.

It is preferable that the secure processing means share, in part at least, the same instruction set as the system processor.

The means described for the preferred embodiment are readily transferred to a location external to the system CPU and a plug-in board is described to facilitate this. The method described for the embodiment external to the system CPU may be constructed in one at least integrated circuits. The method described for the preferred embodiment may also be included in one at least devices that may be coupled to a UCDPS.
The invention allows for the method step of converting an existing User Controlled Data Processing System (UCDPS) that is not able to process PSOs, to a device that is potentially able to process, one at least, said PSOs, in part at least. This may involve the coupling of a secure processing means that is potentially able to reverse, in part at least, said functional limitation on one or multiple said software objects;
wherein,
• said secure processing means in part at least is preferably a physically and/or logically secure processing means (it will be appreciated by those experienced in the art that the security of any software distribution system is usually only as secure as the linkage between the right to process (also referred to as a right of access) and the software object; as such the preferred embodiment uses a logically and physically secure processing device to in part at least ensure compliance with said right(s) of access);


and said secure processing means may be in one at least of the following:
• in part at least within the package of one or multiple system CPUs of the UCDPS (eg. inside the Pentium CPU);
and/or
• in part at least within one or multiple packages connected directly to the UCDPS, and
• said connected directly may include attached to the motherboard, and/or
• said connected may include internally and/or attached to one or multiple sub-assemblies, via the system bus and/or a PCMCIA slot and/or any other means;
and/or
• in part at least, within one or multiple packages used to generate visual information, preferably on a UCDPS (for example the VGA chips, 3D graphics engines), and preferably in a manner such that part at least of any digital information that is converted from an encrypted (or any other protected) format to a usable digital format is maintained in an inaccessible means prior to conversion to a signal suitable for driving the display device (eg. an analogue signal for a CRT display) and part at least of said signal suitable for driving is preferably not made accessible to examination (eg. by making the display means tamper-proof), thereby making it very difficult for a potential pirate to recapture the information in a usable digital format, assisting to maintain the commercial value of software objects representing in part at least visual information that may include text based databases (eg. electronic books, newspapers, magazines etc); and/or electronic databases; and/or electronic art; and/or movies; and/or computer programs that generate commercially valuable visual information;
and/or
• in part at least within one or multiple packages used to generate sound information, preferably on a UCDPS (for example Creative Labs Sound Blaster compatible chips), and preferably in a manner such that part at least of any digital information that is converted from an encrypted (and/or any other protected) format to a usable digital format is maintained in an inaccessible means prior to conversion to a signal suitable for driving a sound generating device (eg. analogue); and part at least of said signal suitable for driving is preferably not made accessible to examination (eg. by making the connection to an amplifier and/or speakers tamper-proof), assisting to maintain the commercial value of software objects that in part at least are music (and/or any other sound) objects; and/or computer programs that in part at least generate commercially valuable sound output;
and/or
• in part at least within one or multiple devices connected directly and/or indirectly to any one or multiple ports on said UCDPS (eg. serial, parallel connections), and
• said indirectly may include a remote communications means.
4 It will be . r ~ by those c~ ~ in the art that a Digital Video Drive ~ . r ~ i in part at least, with an SPD rnay meet tbe ,~ of a ~ecure means of handling ~,.~: ~ video and audio digital ~ - as 6 ck Sl~- ;I cd above. This rnay apply when acting as an ~ ~ - - unit andlor when coupled to a UCDPS.
The invention allows that the secure generation of images is not restricted to generating a video signal and may be used for any display means, for example, LCD or plasma displays.
An SPD may also include one at least resources (eg. additional CPUs, DSPs, high speed DMA) that, in addition to providing, in part at least, the secure functions of the invention, may also provide a means for computer programs (in particular applications programs) to enhance their processing capabilities by using part or all of these resources.
This may require a computer program, as part of its initial development and/or during its conversion to a PSO, to be analysed to examine how it may benefit from the additional resources (where present) of the SPD.
The process to adapt a software object to use part at least, of the functions in an SPD may include one at least of the following:
- determine which parts of the program may benefit by having a secondary processor execute part of the program.
- convert parts of the program to object code compatible with the relevant CPU.
- include the necessary special instructions and/or routines needed to activate other CPUs, and provide sufficient information to direct the CPU to the part of the PSO that requires execution; this may require the transfer of information to the memory space of said CPU.
- it may direct the CPU as to where to find data, and this may be internal and/or external to the SPD.
- any other apparatus and/or method.
- transfer results to the primary CPU and/or to shared memory locations.
- terminate secondary CPU processing when necessary.
- An SPD may include various encryption and decryption routines and/or hardware implementations [illegible], and various parts of a particular software object may wish to use these functions as part of the application program. By including the relevant instructions and data in the software object these encryption and/or decryption functions may be utilised by the PSO. Additionally, a plurality of encryption and/or decryption [algorithms] may be included in the PSO to perform functions on information within the PSO.
- An SPD may include the ability to transfer information in and out of secure memory using one or more DMA channels that are usually under the control of software routines in internal secure memory. As part of the invention requires the secret processing of information within secure internal memory, said DMA provides a means to move this information quickly from external to internal memory, and/or from internal to external memory. This may also be useful for various parts of the application program, for example to transfer information to an appropriate area for execution by a secondary CPU (see above) and/or to move code into secure memory for various reasons. Many system CPUs have cache memory because the CPU may usually access this faster than external memory. The secure internal memory usually has a similar speed advantage, and therefore it may be efficient for parts of the PSO to move blocks of program and/or data from the external memory to the internal memory to improve performance.
The secure internal memory would not usually require the additional physical overhead of address tag memory and other components associated with cache memory; however, as it is not a cache memory it would only contain programs deliberately loaded for execution under program control.

When a computer program is using these resources, it may also be necessary to test the program with an active SPD. This may particularly apply when the SPD is within the system CPU.
As new programs may contain errors, a means is preferably included to disable, in part at least, the logical tamper detect mechanisms of an SPD in case errant programs inadvertently trigger them. Said mechanisms may prevent access to part at least, of the secure areas, and depending on the level of [illegible] may prevent one at least PSO and/or [other] software objects from operating. The invention allows for any means to facilitate said temporary disablement, that may include, one at least of the following:
- temporary disablement period(s) based on elapsed time intervals generated by secure realtime clocks and/or secure timers.
- a toggle [illegible]

The coupling of an SPD to a UCDPS (and/or other electronic device) preferably enables said UCDPS to process a plurality of software objects. One reason for protecting software objects is to ensure that they only run on a means that may regulate their usage. In the absence of any other restriction on the operation of an SPD, protected software objects may be able to be used as freely as unprotected software objects. As such the SPD is preferably programmed with one or multiple rules it may be required to apply prior to, and/or during processing of one at least protected software objects. These rules are referenced in this specification as 'rights of access'. The rights of access may be pre-programmed into the SPD and/or loaded subsequent to the delivery of the SPD to the user. In the absence of the required rights of access, one at least PSO may not be able to be processed, despite the presence of an SPD.
A PSO is preferably securely coupled to one at least conditions of use, that may be used, in part at least, to instruct the SPD which rights of access may apply to said PSO and/or the circumstances under which one at least right may apply. The conditions of use may be embedded within the PSO and/or provided on the same media, and/or distributed separately and/or present within the SPD and/or any other method.

The known art describes a means wherein a distinct right of access may be coupled with a particular software object. With the present invention, said distinct right may activate the SPD for a particular PSO. Furthermore the distinct right of access may have one at least limitations on its continued validity. For example it may expire after 30 days and/or a number of times the software object is accessed.

The present invention is primarily concerned with providing a right of access that may be used across multiple software objects. These are referenced as generic rights of access. For example a user may purchase a generic right that provides unlimited access to a library (or part library) of software objects; however, the generic right expires after some predetermined period of time. Another example may be that a user purchases a generic right that provides a number of seconds of access to multiple objects. As they access any one of said multiple objects, the generic right may be decremented (or any other means); however, it may stay active until all the purchased units of time have been consumed. This provides flexibility to the user, who may allocate time units across a spectrum of software objects. The generic right of access may be a certain value of electronic funds that are loaded into the SPD and decremented by software usage. For example, one at least software objects may include a cost to use the object per unit of time and/or per event (eg. each time the program is executed).
The PSO may also impose limitations on its use. For example, the SPD may have sufficient electronic funds; however, the PSO may limit its use to a particular country and/or region. These are referenced as group restriction codes. Another example may restrict the use of the software object to particular age groups and/or [illegible]. For example, all SPD's shipped to Australia may include a country ID code. One at least PSO's may include a restriction that the object cannot be used in Australia (or that it may not be used in Australia for a certain period of time).
The invention also allows that a plurality of PSO may be used as described above; however, they are encrypted such that they may only execute on one or a limited subset of total SPD's. This may be used to contain the potential damage should the security of an SPD be broken and/or for any other reason.
The invention also allows that a distinct right of access may be coupled to a particular PSO.

Some of the functions of the secure system functions coupled to an SPD may include:
- providing the resources to process one at least protected software objects, in part at least.
- providing a means to manipulate rights of access within the SPD and load rights of access.
- meter the use of a plurality of software objects.
- report on the usage of a plurality of software objects.
- assist to maintain the security of the SPD.
- adapt its secure system functions as required.
- means to interact and program functions that control the operation of application programs in realtime.

The SPD may be provided with a means enabling it to be dynamically re-programmed in the location of the UCDPS, to modify part at least of the secure system means of said secure processing means and/or to provide functions that, in part at least, may not have previously been present, and said functions not originally included may include the ability, in part at least, to reverse one or multiple functional limitations on PSO, wherein said limitation in part at least comprises an absence of a function (preferably essential) from one or multiple software objects;
and
said logically and/or physically secure processing means is preferably in part at least able to reverse the functional limitation on one or multiple software objects processing in a multitasking and/or multiprocessor UCDPS;
and
said reversal occurs without said one or multiple software objects compromising at least part of the secure processing means of said secure processing means, and preferably without one or multiple secure user functions compromising the security of one or multiple other secure user functions;
and
said logically and/or physically secure processing means may have part or all of the functions described in the preferred embodiment of the invention secure processing means;
and
said logically and/or physically secure processing means may be used to perform functions, in part at least not part of said protection and/or distribution method.
An SPD may be activated (including prior to and/or after coupling to a UCDPS), in part at least, to process one or multiple protected software objects,
and the activation in part at least, is preferably the transfer to said secure processing means of any one at least rights of access, preferably subject to any limitations placed on said any one at least rights of access by any one or multiple said software objects,
and
i) said activation may be linked to the presence of electronic funds, and said electronic funds may be represented, in part at least, in any units of measurement representing any one or multiple:
legal tender currencies and/or generic units of currency directly and/or indirectly linked to any one or multiple legal tender currencies,
and said any units of measurement is preferably at least one binary number of any positive bit length;
and said electronic funds are preferably stored in part at least within a secure storage means coupled in part at least to said UCDPS,
and/or
ii) said activation may be linked to the presence of one or multiple, preferably predetermined blocks of any units of time;
and/or
iii) said activation may be linked to the presence of one or multiple, preferably predetermined blocks of any measurable number of events.

The validity of one at least rights of access may in part at least, be validated and/or invalidated when:
i) electronic funds and/or
ii) any units of time and/or
iii) any measurable events,
are invalidated (temporarily and/or permanently) by:
consumption (to zero and/or any predetermined value)
and
said consumption may in part at least be against use of one or multiple software objects,
and/or
electronic commerce.

Rights of access may be represented by any means and said any is preferably at least one software token, and said software token is preferably one at least binary numbers of any positive bit length;
and
said rights of access may be one or multiple rights that, in part at least, permit multiple software objects to be processed;
and
said multiple software objects in part at least may be one or multiple from the same producer and/or one or multiple from multiple producers, and said multiple is preferably a large number,
and/or
said rights of access may be one or multiple that, in part at least, permit a particular software object to be processed.

Rights of access may, in part at least, be provided:
- in exchange for payment at the time and/or before receiving said right(s) (this may include for example, payment by cash, cheque, credit card, electronic funds transfer, bank bills) and/or transfer of any other valuable consideration
and/or
- supplied on credit.
Rights of access may be paid after software object usage has been recorded and preferably have a limit, that may be time and/or event based, on the validity of said right of access.

The known art describes multiple methods of providing a right of access to a particular software object and the present invention allows for these alone and/or in combination with any other right of access. An objective of the invention is to make it easy for users to access software objects from multiple software [producers], preferably without the necessity of obtaining distinct rights to one or multiple software objects. This is preferably achieved by the granting of one at least generic right of access that is applicable across multiple (and preferably a large number of) software objects. Said one at least generic right in part at least is preferably controlled to ensure overall [consistency] with multiple software object use. The invention allows that multiple generic rights may apply to one or multiple software objects and/or one or multiple distinct rights of access may also be attached to one or multiple software objects.

Rights of access may, in part at least, equate to one or multiple values of electronic funds,
and
said electronic funds may be represented, in part at least, in any units of measurement representing any one or multiple:
legal tender currencies and/or generic units of currency directly and/or indirectly linked to any one or multiple legal tender currencies
and
said any units of measurement is preferably at least one binary number of any positive bit length;
and
said electronic funds are preferably stored in part at least within a secure storage means coupled in part at least to said UCDPS for part at least of the time.

Rights of access may, in part at least, equate to one or multiple values of preferably predetermined, one or multiple blocks of any units of time;
and preferably may include in part at least, one or multiple said blocks of any units of time described in the preferred embodiment, in particular one or multiple blocks of time that are valid for a period of time across multiple said software objects;
and/or
one or multiple blocks of time that may be decremented against use, in part at least, of one or multiple software objects.

Rights of access may, in part at least, equate to one or multiple values of preferably one or multiple blocks of any measurable number of events;
and preferably may include in part at least, one or multiple said blocks of any measurable number of events described in the preferred embodiment.

Rights of access may, in part at least, be manipulated in response to usage of one or multiple software objects;
and said manipulated may, in part at least, involve adjusting (preferably by decrement) the value of one or multiple rights of access in response, in part at least, to use of one or multiple software objects, said adjusting is preferably towards one at least target values,
and preferably said one or multiple rights of access are invalidated in part at least, when said target value is reached and/or passed (said target value is preferably zero)
and/or
said one or multiple rights of access, in part at least, preferably are valid for a predetermined period of time and/or a predetermined number of events,
in particular it preferably includes one or multiple rights of access that remain valid for a period of time (and/or number of events) that will expire unless one or multiple reports are generated in part at least by said secure processing means, and/or validated in part at least by said secure processing means as being received by an authorised party (eg. a service provider), said reports in part at least preferably containing information used to facilitate transactions based on the use of one or multiple software objects, preferably including a record of use against producer and/or product;
and/or
said one or multiple rights of access in part at least preferably includes any one or multiple rights of access described in the preferred embodiment.
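The rights-of-access mechanism described above (generic and distinct rights held as tokens, decrement towards a zero target, calendar expiry, group restriction codes from the conditions of use, crediting of the consumed value to a producer/product record, and a right that lapses unless a usage report is validated by the service provider) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the patent; the class and field names, seconds as the time unit, and the single report deadline that inactivates the device are the example's own assumptions:

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional, Tuple


class Unit(Enum):
    FUNDS = "funds"      # electronic funds in generic currency units
    TIME = "time"        # a block of time, here counted in seconds
    EVENTS = "events"    # a block of measurable events (eg. program executions)


@dataclass
class Right:
    token: int                              # software token: a binary number
    unit: Unit
    balance: int                            # adjusted on use; reaching 0 invalidates
    generic: bool = True                    # True: usable across many objects
    products: FrozenSet[int] = frozenset()  # distinct right: product IDs it covers
    valid_until: Optional[int] = None       # epoch seconds; None = no calendar expiry


@dataclass
class ConditionsOfUse:
    producer_id: int
    product_id: int
    cost_per_second: int = 0                # funds charged per second of processing
    cost_per_event: int = 0                 # funds charged per event
    blocked_countries: FrozenSet[int] = frozenset()  # group restriction codes


class SPD:
    """Model of the secure processing device: holds rights, meters use, keeps records."""

    def __init__(self, country_id: int, now: int, report_interval: int) -> None:
        self.country_id = country_id
        self.clock = now                    # stands in for the secure real-time clock
        self.rights: Dict[int, Right] = {}
        self.records: Dict[Tuple[int, int], Dict[str, int]] = {}
        self.report_due = now + report_interval
        self.inactive = False

    def load_right(self, right: Right) -> None:
        self.rights[right.token] = right

    @staticmethod
    def _cost(right: Right, cou: ConditionsOfUse, seconds: int, events: int) -> int:
        if right.unit is Unit.FUNDS:
            return seconds * cou.cost_per_second + events * cou.cost_per_event
        return seconds if right.unit is Unit.TIME else events

    def authorise(self, cou: ConditionsOfUse, seconds: int = 0, events: int = 0) -> Optional[int]:
        """Meter one use of a PSO. Returns the token of the right charged, or None if refused."""
        if self.clock > self.report_due:    # usage report overdue: device inactivated
            self.inactive = True
        if self.inactive or self.country_id in cou.blocked_countries:
            return None
        # calendar expiry: drop rights whose validity period has lapsed
        for token in [t for t, r in self.rights.items()
                      if r.valid_until is not None and r.valid_until < self.clock]:
            del self.rights[token]
        # a distinct right attached to this product is tried before any generic right
        for right in sorted(self.rights.values(), key=lambda r: r.generic):
            if not right.generic and cou.product_id not in right.products:
                continue
            cost = self._cost(right, cou, seconds, events)
            if cost > right.balance:
                continue
            right.balance -= cost           # adjust towards the target value (zero)
            if right.balance == 0:
                del self.rights[right.token]  # invalidated once the target is reached
            record = self.records.setdefault((cou.producer_id, cou.product_id),
                                             {"funds": 0, "seconds": 0, "events": 0})
            record["seconds"] += seconds
            record["events"] += events
            if right.unit is Unit.FUNDS:
                record["funds"] += cost     # value credited to the producer/product record
            return right.token
        return None

    def report(self) -> Dict[Tuple[int, int], Dict[str, int]]:
        """Usage report for the service provider: aggregate use per producer/product."""
        return {key: dict(value) for key, value in self.records.items()}

    def acknowledge_report(self, report_interval: int) -> None:
        """Receipt validated by the authorised party: reset the deadline, re-activate."""
        self.report_due = self.clock + report_interval
        self.inactive = False
```

A distinct right is consumed before a generic one so that a per-object purchase is not silently paid from the shared funds, and the report deadline is checked on every authorisation rather than by a background timer, which is the simplest way to guarantee the device cannot meter further use once the report is overdue.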
The software protection and/or distribution method may be used in an offline application and/or a partial online application wherein said online connection is not essential and used as a convenient method of transferring information and/or an online application wherein said online in part at least is essential;
and
said protection and/or distribution method may be applied to a UCDPS that is only able to process one software object at a time
and/or
said protection and/or distribution method may be applied to a UCDPS that is capable of processing multiple software objects in a multitasking and/or multiprocessor environment, and said multiple objects may be one or multiple software objects that are not functionally limited and/or one or multiple software objects that are functionally limited;
and
said protection and/or distribution method may require a patch and/or any other modification to the UCDPS operating system, or said method may be transparent to the UCDPS operating system and not require any patches and/or any other modifications;
and
said one or multiple software objects may be coupled, in part at least, to a cost to process in one at least legal tender currencies for any one or multiple units of measurement;
and
said one or multiple software objects may be coupled to a cost to process in one at least generic currencies for any one or multiple units of measurement;
and
said coupled to a cost preferably includes:
as an integral part of one or multiple software objects and/or securely linked in part at least to one or multiple files on at least one mass storage device;
and
said one or multiple software objects preferably include one or multiple conditions of use, and said conditions of use preferably include, in part at least, one or multiple conditions of use described in the preferred embodiment, and said one or multiple software objects preferably include a means to link said software object with one or multiple [recipients] of, part at least, any commercial value received for use of said object;
said means to link preferably includes a software producer ID and/or software product ID attached to said software object;
and
said one or multiple software objects preferably include, in part at least, a means to indicate which said one or multiple rights of access are applicable to said one or multiple software objects;
and
said one or multiple software objects preferably include in part at least a means to adjust said one at least rights of use in response to software object usage;
and
said one or multiple software objects in part at least preferably include:
computer programs and/or their data (that in part at least preferably includes application programs);
and/or
any information generated in part at least by said computer programs (that may include text and/or sound and/or images);
and/or
digital information comprising in part at least literary text, eg electronic books etc;
and/or
digital information comprising images (eg. movies, video, electronic art);
and/or
digital information comprising sound (eg. music).

A person experienced in the art will recognise that the present invention provides a secure means of distributing software on a pay-for-use and/or pay-period basis.

One or multiple protected software objects may be distributed on any computer-readable media;
and
said one or multiple objects preferably may be transmitted by any electronic means.

In accordance with the present invention Protected Software Objects and/or any other software objects are preferably distributed on any computer-readable media (such as tape, floppy disk, removable magnetic cartridge, CD ROM, DVD optical media) and/or by any other means (such as telephone, cable or Internet transmission).
An ideal implementation of the invention, in part at least, would see the majority of commercial software objects for a particular computer platform converted to a protected, functionally limited format and distributed to potential users. However, the invention may be used to distribute any one or multiple number of software objects. The software may preferably be supplied on any type of media and/or electronically transmitted, eg. using the net. The preferred option is to distribute software on high capacity optical media, for example the new Digital Video Disk (DVD) that can store up to 17 gigabytes of information (the equivalent of approximately 28 CD ROM's). This method would permit the majority of software available for personal computers to be distributed on a small number of optical disks at nominal or no cost to the user. Update disks would normally be supplied on a periodic basis.
Preferably said software objects are capable of transfer to any other storage devices, and/or copied and given to others. As long as the user meets the required conditions of use attached to the software they may usually process it as they would normal unprotected programs.

The invention preferably includes any means to monitor the processing of said one or multiple software objects and to record in part at least, the usage of said one or multiple software objects;
and
said usage preferably includes units of time used and/or events occurring and/or electronic funds consumed;
and
said usage is preferably accounted for in part at least by adjusting (preferably by decrement) the value of one or multiple rights of access, and this preferably applies in particular to those rights of access that have a value representing
said electronic funds; and/or one or multiple stored blocks of time usage; and/or one or multiple blocks of events usage;
and
said value(s) adjusted against one or multiple rights of access in response to software usage, is preferably credited to any means that records aggregate data representative of the use to facilitate transactions based on the use, in particular the crediting of said value to one or multiple producer and/or product records, said records preferably stored in part at least in secure storage means within said secure processing means, and/or securely stored external to said secure processing means;
and/or
said usage in part at least may be accounted for by recording units of time used and/or events occurring during the processing of one or multiple software objects;
this preferably applies in particular when said software object usage is an unlimited right of access for a predetermined period of time and/or number of events, in which case it is preferable to record said time used and/or events occurring for each software object used, this information preferably being stored in the producer and/or product record for each applicable software object;
and/or
said usage in part at least may be accounted for using any method described in the preferred embodiment.

The invention preferably includes a means:
to facilitate one or multiple reports (that preferably, in part at least, include information on software usage and/or any other information that facilitates transactions based on said usage) being generated, in part at least, by said secure processing means;
and/or
that ensures said one or multiple reports are received by an authorised party (eg. service provider),
and
preferably inactivating, part at least, of said secure processing means in the event of non-compliance;
said inactivation is conditional upon compliance with any (preferably predetermined) reporting requirements; and said means in part at least preferably includes part at least of the method and/or apparatus described in the preferred embodiment.

The reversal by an SPD of functional limitations placed on PSO's may use any means and preferably includes, in part at least, the methods described in the preferred embodiment, in particular:

- reversal of said functional limitation by encryption, by transferring part at least of said encrypted to said secure processing means and reversing, part at least, of said encryption, and transferring, part at least, of that said decrypted to an unsecure means (eg. the system CPU) for further processing;
and/or
- retaining part at least of that said decrypted within said secure processing means and processing part at least of said retained in a secure environment that is not subject to unauthorised analysis;
and/or
- reversal of said functional limitation by the absence of an essential functional aspect, in part at least by including part of said absence within said secure processing means, and said include may be resident within said secure processing means and/or loaded as required (before and/or during processing of one or multiple software objects).
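The reversal described above (decrypting the withheld section inside the secure processing means and then either retaining it there or handing it to the system CPU), together with the earlier containment rule that a PSO may be encrypted so it only runs on a limited subset of SPDs, and the producer ID, product ID and cost coupled to the object, can be exercised end to end. The following is an added example written for this page, not the patent's own container format or code: the "PSO1" layout, the SHA-256 counter-mode keystream (a stand-in for a real cipher, not for production use), the HMAC integrity tag and the per-SPD key wrapping are all the example's assumptions:

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

MAGIC = b"PSO1"   # hypothetical container tag, not a format defined by the patent


def keystream(key: bytes, nbytes: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (stand-in for a real cipher; not for production)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:nbytes]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mask_for(spd_id: int, spd_secret: bytes) -> bytes:
    # per-SPD mask derived from that device's own secret; only it can unwrap the content key
    return hmac.new(spd_secret, struct.pack(">I", spd_id), "sha256").digest()


def build_pso(producer_id: int, product_id: int, cost_per_event: int,
              essential_section: bytes, content_key: bytes,
              allowed_spds: Dict[int, bytes]) -> bytes:
    """Package a PSO: conditions of use, one wrapped key per allowed SPD, MAC, encrypted section."""
    assert len(content_key) == 32
    tag = hmac.new(content_key, essential_section, "sha256").digest()
    body = xor(essential_section, keystream(content_key, len(essential_section)))
    header = MAGIC + struct.pack(">IIIH", producer_id, product_id, cost_per_event, len(allowed_spds))
    entries = b"".join(struct.pack(">I", sid) + xor(content_key, mask_for(sid, secret))
                       for sid, secret in allowed_spds.items())
    return header + entries + tag + struct.pack(">I", len(body)) + body


def parse_pso(blob: bytes) -> Tuple[Tuple[int, int, int], Dict[int, bytes], bytes, bytes]:
    """Split a PSO into (conditions of use, wrapped keys by SPD id, MAC, encrypted section)."""
    if blob[:4] != MAGIC:
        raise ValueError("not a PSO")
    producer_id, product_id, cost, count = struct.unpack(">IIIH", blob[4:18])
    pos, wrapped = 18, {}
    for _ in range(count):
        sid = struct.unpack(">I", blob[pos:pos + 4])[0]
        wrapped[sid] = blob[pos + 4:pos + 36]
        pos += 36
    tag, pos = blob[pos:pos + 32], pos + 32
    length, pos = struct.unpack(">I", blob[pos:pos + 4])[0], pos + 4
    return (producer_id, product_id, cost), wrapped, tag, blob[pos:pos + length]


class SPD:
    """Secure processing device model: its secret never leaves it; decrypted code may stay inside."""

    def __init__(self, spd_id: int, secret: bytes) -> None:
        self.spd_id, self._secret = spd_id, secret
        self.secure_memory: Dict[int, bytes] = {}   # retained sections, addressed by handle

    def reverse_limitation(self, blob: bytes, retain: bool = True):
        cou, wrapped, tag, body = parse_pso(blob)
        if self.spd_id not in wrapped:
            raise PermissionError("PSO is not bound to this SPD")   # outside the allowed subset
        key = xor(wrapped[self.spd_id], mask_for(self.spd_id, self._secret))
        plain = xor(body, keystream(key, len(body)))
        # a wrong secret or a tampered blob yields a wrong key: detect it before using the section
        if not hmac.compare_digest(hmac.new(key, plain, "sha256").digest(), tag):
            raise ValueError("integrity check failed")
        if retain:
            handle = len(self.secure_memory) + 1
            self.secure_memory[handle] = plain      # only an opaque handle leaves the SPD
            return handle
        return plain                                # handed to the unsecure system CPU
```

Binding the object to a subset of devices costs one 36-byte entry per SPD and nothing else in the object, so a compromised device's secret unwraps only the objects that were explicitly bound to it; the integrity tag is what turns a wrong key into a clean refusal rather than garbage code being loaded into secure memory.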

DESCRIPTION OF THE DRAWINGS:

Figure 1 is a diagram of an apparatus suitable for use as a secure processing device embedded within the system microprocessor.

Figure 2 is a diagram of basic components of an SPD for use external to the system microprocessor.

Figure 3 is a diagram of the address map for secure functions within the system microprocessor.

Figure 4 is a diagram of the [illegible] port structure.

Figure 5 is a diagram showing the interaction of some of the secure system functions.

Figure 6 is a diagram showing an example of the structure of a protected software object.

Figure 7 is a diagram of the sequence used to initiate contact between a protected software object and the secure processing means.

Figure 8 is a diagram showing details of the conditions of use structure of a protected software object.

Figure 9 is a diagram showing details of the structure of the rights of access.

Figure 10 is a diagram showing a method of manipulating rights of access in response to usage of software objects in the secure processing means.

Figure 11 is a diagram showing the structure of the protected software object used to load rights of access.

PREFERRED EMBODIMENT OF THE INVENTION:

To assist with understanding the invention, reference will now be made to the accompanying drawings.
Secure Processing and Storage. The invention in part usually requires a secure processing and storage means coupled to a UCDPS to, in part at least,
enable in part at least, correct operation of software objects, in particular software objects that are reversibly functionally limited as described in this specification,
and/or to provide a secure metering and reporting system,
and/or any other function required to meet the requirements of any one at least method and/or apparatus described in this specification. Said processing and/or storage means are preferably secure. Said security is preferably implemented, in part at least, within a physically and/or logically secure device.
The use of the term 'secure processing means' preferably refers, in part at least, to a logically and/or physically secure processing device (this may also be referenced as an SPD in this specification). When said SPD is part of at least one system microprocessor package it may also be referenced as a PCPU (or protected CPU). If said SPD is in part at least within one or multiple devices external to the system microprocessor it may also be referenced as an ESPD (or external secure processing device). An experienced person could easily adapt part or all of the secure processing means to an unsecure environment, eg. using the normal processing means of the UCDPS.
Referring to the drawings, Figure 1 shows a method and apparatus that is suitable in part at least for use as the secure processing means of the invention. The logic as shown is intended for inclusion within the system microprocessor. Those experienced in the art should be able to adapt this to a location external to the CPU, particularly when combined with the additional components of Figure 2.

The embodiment of the secure processing means described is dependent, in part at least, on the use of secure memory storage devices and a means to securely process information within these devices. One or multiple additional functions may be included. These may be implemented in hardware and/or software.

It will be appreciated by those experienced in the art that the secure processing means as described is, in part at least, a user independent data processing system. The presence of a processing, memory and I/O means may permit it to be programmed (allowing for memory and I/O restrictions) to perform many software functions of a UCDPS. As such there may be many different attributes able to be configured for the secure processing means. Many of these should be known to those experienced in the art of application and/or operating system design. The invention allows for this and does not seek to describe in detail processes that should be well known and/or readily adaptable. A person knowledgeable in the art will appreciate that the secure processes used for the invention may have multiple other applications, for example, electronic funds, secure communications, electronic commerce, online and/or offline gaming. One or multiple functions able to be implemented in one or multiple smart cards may be adapted to the secure processing means of the invention.

Figure 1 shows a block diagram of a system microprocessor (eg. Intel Pentium Pro) that is combined with a secure microprocessor (eg. a [illegible] 32 bit RISC processor) securely linked, in part at least, to one or multiple secure functions that preferably include:
secure memory (preferably battery backed SRAM) and a secure real-time clock, and may include any one or multiple other secure functions.

When the secure memory is programmed with appropriate software, the combination of software routines and embedded hardware functions and changes to the microcode of the system microprocessor usually provides the requirements of the invention: a secure processing means within the system microprocessor package.

The modified system CPU may also be referenced as a PCPU to distinguish it from an unmodified system CPU. The PCPU may be used to replace the existing system microprocessor in a UCDPS. It will be appreciated by those experienced in the art that there are many ways of combining logic, software and microcode to implement the device as described.

Figure 1 shows the silicon chip 130 of the system microprocessor 1. The system microprocessor 1 normally communicates with external locations via an address bus 5 and address buffers 2, and data bus 6 and data buffers 3, and various control logic 7 via buffers 4. Buffers 2, 3 and 4 are enabled during normal processing by system microprocessor 1 via control line 9. Instructions are fetched and executed by a combination of microcode and logical devices within the instruction execution block 8, located within system microprocessor 1.

The functions of the invention usually need to communicate with the system microprocessor 1 and this is most readily accomplished with dual port memory 19, a memory that allows read and write accesses by two devices to the same locations on an asynchronous basis, as is usually the case. There are many ways of achieving an equivalent result, eg. FIFO's.

As described in this embodiment the DP memory 19 is not intended to store secure information; it is used as a port between unsecured and secure processes.
It is not practical for an unauthorised person to access secure information within secure storage elements as access to these is controlled by usually secret functions of the secure processing means.

The system microprocessor side of the DP memory 90 may be decoded into the normal address space of the UCDPS using any decoding apparatus. This is usually the case when the secure processing means is outside the CPU. However, the preferred method where practical is to make the addresses occupied by the 90 side of the dual port memory 19 a separate address space to the UCDPS. This may have multiple applications; however, one advantage is that retrofitting a PCPU to a UCDPS does not interfere with any existing address decoding. Separate address decoding is preferably implemented by providing an instruction referenced as a temporary address activator or TAA, which depending on the attached opcode performs a number of functions.

The primary interaction of the system microprocessor 1 with dual port memory 19 will be to read and write data between UCDPS addresses and dual port memory 19 for transfer into secure functions 50 by the secure microprocessor 20. There may also be a requirement to transfer data from one location to another within the dual port memory 19. The address space occupied by the dual port memory may be any practical amount. Reset of the system microprocessor 1 restores normal address decoding, with the dual port memory 19 inaccessible by the system microprocessor 1.

The execution of a TAA instruction with for example X as the opcode (the combination referenced as TAAX) is carried out if the system microprocessor 1 wants to move information from UCDPS memory to dual port memory 19. In this case buffers 2, 3, 4 would be activated by 9 for reads from any address in the UCDPS memory. During a write operation the address decoder enable signal 11 is active, enabling the address decoder 10 to decode a predetermined address block (that may be made programmable) of dual port memory 19 using chip select 13. This also keeps the buffers 2, 3, 4 disabled by blocking any enabling effect of 9 via logic gate 14. Data is read from UCDPS memory space and written to dual port memory 19. Whereas TAAY performs the reverse by activating 11 during read operations. TAAZ activates 11 for reading and writing. TAAB disables 11 for all reading and writing, the normal situation. The TAA instruction only affects instructions that are fetching data, not instructions, and most system microprocessors have a signal to distinguish between the two. An instruction referenced as the TBAX instruction may be used to activate [illegible] fetches from dual port memory 19, by activating 11 during instruction fetches, and may be disabled by the TBAY instruction. Instruction fetches are read accesses; TAA and TBA instructions may be used in any combination. A reset has the same effect as TAAB and TBAY, ensuring normal processing on startup. While TBAX is active, instruction fetches from addresses outside the dual port memory 19 are from UCDPS memory. A watchdog counter or timer may be set, and this may be automatic to perform an [illegible] TBAY instruction or any other method to avoid trapping the system microprocessor in dual port memory 19. This method and apparatus provides a [illegible] method of including one or multiple devices within a system microprocessor without unnecessarily conflicting with existing resources in a UCDPS. It may have multiple applications to the art of system microprocessor design.

To avoid interrupts directing processing to a routine executing in a normal environment, TAA and TBA instructions may inhibit interrupts. This process does not require modification of the UCDPS operating system.

An alternative allows for similar instructions to TAA and TBA that do not inhibit interrupts. This allows the interrupt handler and or task switcher to handle the situation, in which case the TAA and TBA instructions are disabled by an interrupt and a record of their status is stored in a location, eg. a special register accessible by the system operating system.
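The TAA/TBA mechanism above, modelled as an added example (not code from the patent): a Python simulation of decoder 10, enable signal 11, chip select 13 and the gate 14 that holds off buffers 2, 3, 4, plus the watchdog that issues an automatic TBAY and the interrupt alternative that records the instruction status in a register. The address block of the dual port memory, the watchdog budget and the fetch/data status signal on each bus cycle are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class TAA(Enum):
    """TAA opcodes: when decoder enable 11 is asserted for data accesses."""
    X = "writes"   # TAAX: 11 active during writes (UCDPS memory -> DP memory)
    Y = "reads"    # TAAY: 11 active during reads  (DP memory -> UCDPS memory)
    Z = "both"     # TAAZ: 11 active for reads and writes
    B = "none"     # TAAB: 11 disabled for reads and writes (normal, reset state)


class TBA(Enum):
    """TBA opcodes: whether instruction fetches are decoded to DP memory."""
    X = "fetch_dp"     # TBAX: 11 active during instruction fetches
    Y = "fetch_ucdps"  # TBAY: 11 inactive during fetches (normal, reset state)


@dataclass(frozen=True)
class Cycle:
    """One bus cycle of the system microprocessor (constructed input)."""
    address: int
    is_write: bool
    is_fetch: bool   # the processor's fetch/data status signal (assumed)


@dataclass
class AddressActivator:
    dp_base: int = 0xF000          # assumed block decoded by decoder 10 for DP memory 19
    dp_size: int = 0x1000
    fetch_budget: int = 16         # assumed watchdog limit on consecutive DP fetches
    taa: TAA = TAA.B
    tba: TBA = TBA.Y
    saved_status: Optional[Tuple[TAA, TBA]] = None  # the "special register" of the alternative
    dp_fetches: int = 0
    log: List[str] = field(default_factory=list)

    def reset(self) -> None:
        """Reset has the same effect as TAAB and TBAY."""
        self.taa, self.tba, self.dp_fetches = TAA.B, TBA.Y, 0

    def execute(self, mnemonic: str) -> None:
        """Execute a TAA or TBA instruction, e.g. 'TAAX' or 'TBAY'."""
        family, opcode = mnemonic[:3], mnemonic[3:]
        if family == "TAA":
            self.taa = TAA[opcode]
        elif family == "TBA":
            self.tba = TBA[opcode]
            self.dp_fetches = 0
        else:
            raise ValueError(f"not a TAA/TBA instruction: {mnemonic}")

    def _in_dp_block(self, address: int) -> bool:
        return self.dp_base <= address < self.dp_base + self.dp_size

    def enable_11(self, c: Cycle) -> bool:
        """Decoder enable signal 11 for this cycle."""
        if c.is_fetch:                      # TAA never affects instruction fetches
            return self.tba is TBA.X
        return (self.taa is TAA.Z
                or (self.taa is TAA.X and c.is_write)
                or (self.taa is TAA.Y and not c.is_write))

    def decode(self, c: Cycle) -> str:
        """Return 'DP' when chip select 13 routes the cycle to dual port memory 19
        (buffers 2, 3, 4 held off through gate 14), otherwise 'UCDPS'."""
        if self.enable_11(c) and self._in_dp_block(c.address):
            if c.is_fetch:
                self.dp_fetches += 1
                if self.dp_fetches > self.fetch_budget:
                    # watchdog: automatic TBAY so the processor is not trapped in DP memory
                    self.tba = TBA.Y
                    self.dp_fetches = 0
                    self.log.append("watchdog: automatic TBAY")
            return "DP"
        return "UCDPS"

    def interrupt(self) -> None:
        """Alternative of the text: an interrupt disables TAA/TBA and records
        their status in a register readable by the operating system."""
        self.saved_status = (self.taa, self.tba)
        self.taa, self.tba = TAA.B, TBA.Y

    def return_from_interrupt(self) -> None:
        """Restore the TAA/TBA status recorded when the interrupt was taken."""
        if self.saved_status is not None:
            self.taa, self.tba = self.saved_status
            self.saved_status = None
```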
Secure processing is provided by including a second microprocessor 20 within 130 that may read from and/or write to addresses within the secure address map 50. Address map 50 is protected in part at least from external analysis and may be made logically secure with suitable software. The invention allows for any mix of memory storage devices. They may be present in any combination. Any storage capacity is allowed for.

Secure address block 50 usually includes memory storage means preferably divided into ROM 51 to store routines to initially program the device, non-volatile, non-battery backed memory (eg. flash) 52, battery backed SRAM 53 for secure system functions and SRAM (may be battery backed) for secure user functions. The secure microprocessor 20 communicates with the secure memory 50 via address lines 84, data lines 100, and other various control lines including read write 93. Preferably decoded within the secure memory address is a battery backed real-time clock 89 that cannot be tampered with and a crystal. A data encryption standard engine is preferably included. Decoding of secure address space is provided by decode logic 25 and the various chip select signals are output on 83 to the various secure devices. The power management logic 65 receives external power on 60 and battery power on 87 from (rechargeable) battery 70. An A/D converter 75 monitors voltage. Continuous power is supplied to 50 via 87. Power management 65 may also be used for any additional voltages to flash memory 52 and provides recharging power to the internal battery 70.

Secure microprocessor 20 communicates with the system microprocessor 1 via a dual port memory 19. The secure microprocessor (20) side (91) of dual port memory 19 is decoded by 25 via 40. Data lines 22, address lines 21 and read write 23 connect with 19 to allow reads and writes of information between microprocessor 20 and dual port memory 19. A similar method allows the system microprocessor to communicate with dual port memory via chip select 13 from its decode logic 10 and address lines 14 and data 6. The decoding circuit 10 uses high order address lines 12 and control lines 32 (e.g. valid address) and 11 (activated by TAA, TBA). This provides a method of transferring information to and from external locations to dual port memory 19 that may be read and written by microprocessor 20. No user supplied program can access the information in secure memory without access to the secret codes required, and these may be made as complex as memory resources allow.
It is preferable that the secure microprocessor includes a direct memory access (DMA) facility to move blocks of information from UCDPS memory directly into secure memory locations and or from secure memory to external locations. This may actually improve the efficiency of the original system microprocessor, allowing it to perform other tasks while a block of information is securely processed in internal memory. Access to this DMA facility should be decoded into the secure function address block and preferably is only able to be selected by an instruction executing within secure system functions (as described later). Any possibility of an external program and or a program executing in a user partition having unrestricted access to the DMA controller 125 that may be programmed to move a large block of system information to external locations may seriously compromise security.

Secure microprocessor 20 would usually program the DMA controller 125 via data bus 100 and chip select 142 and read/write 102, using a routine known to have originated within one or multiple secure system functions. The details of including a DMA controller 125 are not described or shown. The method involves replacing the address 5, data 6 and control lines 7 of the system microprocessor 1 with similar signals generated by the DMA controller 125 to read or write external locations, and [illegible] of the address, data, and control lines of secure microprocessor 20 to read and write secure addresses. These methods are known to the art and, because the DMA controller is within the system microprocessor chip, [illegible] logic between system microprocessor 1 and DMA controller 125 would be easier to implement at a logical level than for external DMA controllers. This type of DMA is transparent to external devices.

The invention also allows that the secure microprocessor 20 may be a duplicate, in part at least, of the system microprocessor 1, essentially allowing secure and unsecure execution to proceed concurrently.

Another option is to use two different system microprocessors, e.g. an Intel type of CPU and a Motorola type of CPU. These may be configured by one skilled in the art such that one system microprocessor performs normal system functions while the other provides secret processing of various functions. An electronic switch or any other means may switch the roles. The secure functions may be shared, in part or whole, or each may have its own secure functions that are inaccessible when a system microprocessor becomes the unsecure microprocessor. A switch from secure processing to unsecure processing would need to ensure that any potentially secret information is flushed from CPU registers and any other locations that may become accessible to external analysis in the unsecure state. All secure functions would usually be inaccessible to the system microprocessor in unsecure mode. A person suitably skilled in the art should be able to design such an embodiment that performs to the requirements of the invention. This provides a means of combining two different UCDPSs into one. Of course this scenario might be extended to any number of system microprocessors within the one package. When multiple system microprocessors are included in the one package, the one that is normally associated with the resident operating system and [illegible] in the UCDPS is referenced in this specification as the Host CPU. Any other system microprocessors are referenced as a Grafted CPU. No changes would usually be required to any software to operate the Host CPU. However, other support measures that are outside the scope of this invention may be required to simulate the correct environment for a Grafted CPU and one solution may be to include a programmable address trap for the grafted system microprocessor that detects all accesses to resources that need [illegible].

It will be appreciated by those skilled in the art that the embodiment described with reference to Figure 1 may be readily modified to a location external to the system microprocessor. This would usually require replacing the separate address space of the PCPU with an appropriate address within the UCDPS address space. [illegible] of processing may be required although the preferred means of implementing an external design would be as a custom gate array with an integrated RISC microprocessor.

A basic embodiment of an SPD for use external to the system microprocessor is described with reference to Figure 2 of the drawings. This shows a printed circuit board 700 capable of connecting with an appropriate socket on the bus extension of a UCDPS 720 via the gold fingers 701 on the printed circuit board 700. Mounted onto PCB 700 is address decoder 702 to receive address signals from the address bus of the UCDPS 721. Various control lines 722 are used to decode the UCDPS side of the dual port memory 704 to a suitable address location in the address map of the UCDPS using chip select line 712. The lower order address lines 723 of the UCDPS together with UCDPS data bus signals 724 and a read/write signal 725 pass from the UCDPS bus via buffer 703 to the UCDPS side of the dual port memory 704 via signal lines 713. The part of 703 that buffers the data lines is bidirectional. A microprocessor 707 includes two interrupt lines 730 and 731, an external address bus 714, a valid address signal 733, a bidirectional data bus 715, a read/write line 732 and internal programmable non-volatile memory 708 (e.g. flash memory). A boot routine 735 loads information into non-volatile memory 708.

A static RAM chip 709 is connected to microprocessor 707 low order address lines of address bus 714 and the data bus 715 and read/write line 732. Static RAM 709 is activated by chip select 740 that is created by the address decoder 705 decoding the high order address lines on address bus 714 in conjunction with valid address signal 733. When static RAM 709 is selected the microprocessor 707 may read and write data to and from 709. The microprocessor 707 side of the dual port memory 704 is attached directly to the 707 data bus 715 and read/write line 732 and low order address lines of address bus 714. The microprocessor 707 side of the dual port memory is activated for read and write operations by chip select 750 generated by address decoder 705, from high order address lines on the address bus 714 and the valid address signal 733. A rechargeable battery 710 is included providing backup power via 711 to the microprocessor 707 and the static memory 709. When the board 700 is plugged into an active UCDPS, the battery 710 is recharged from the system power supply. Microswitch 712 connects to interrupt line 730 causing an interrupt when the tamperproof enclosure 716 is disturbed. The tamperproof housing 716 securely encloses 710, 707, 709, 705, 704, 712, and all signal lines that may provide useful information. Interrupt line 731 causes an interrupt to 707 when the address decoder 702 decodes any address within the dual port memory, indicating that the external system microprocessor is accessing the device and that action may be required by microprocessor 707. The microprocessor 707 is normally in low power sleep mode. If activated by interrupt 730 it immediately and securely erases the values stored within SRAM 709 using a routine programmed into 707 prior to enclosure in 716. If activated by 732 it continues processing as required. The SPD as described may be integrated into a single chip. A person skilled in the art would be able to adapt this design to attach the SPD to any suitable non-bus interface. A suitable location may be the parallel port on a shared basis with the printer; the known art for other types of software protection devices describes such a shared interface. It may exist on a remote computer. The inclusion of a [illegible] in hardware would enhance decryption processes that are [illegible] to the secure and versatile functions provided by an SPD.

Secure System and Secure User Partitions:

Figure 3 shows a block diagram of the address map for secure functions within the system microprocessor package 130 of Figure 1. These secure functions may only be accessed by the secure microprocessor 20 and cannot be accessed by external programs, other than said external programs providing information that is usually subject to validity checks and decryption before processing by the secure microprocessor 20 for further processing. The address decoder 25 decodes: battery-backed real time clock calendar 89 with chip select 140, DMA controller 125 with chip select 142, Data Encryption Standard Engine 135 with chip select 143, and if the DES engine is constructed in part or whole from programmable logic devices (preferably SRAM, that may be battery backed if non-volatility is required) that are [illegible] programmed as required, these devices are selected by select line 141, tamper detect 80 (optionally including a battery powered simple microcontroller to provide continuous security monitoring) selected by 144, A/D converter 75 by select line 145, power management 65 by select 146. The above devices would usually have fixed locations in the memory space and usually are part of the system functions address space. Chip selects 140, 141, 142, 143, 144, 145, 146, and any other additional select lines that may be included to access other secure devices, are preferably only selected if the instruction that outputs an address that is decoded to the corresponding chip selects originates from within a memory location in the secure system memory 147. One method to do this is to latch the first address of an instruction and compare it with an address block that defines the boundaries of the secure system memory 147.

A potentially unsecure process is introduced into an SPD once the facility is provided to load externally supplied information into secure memory that in part or whole consists of executable code. PSOs that modify secure system functions are usually well tested and secure. A PSO supplied by a Producer has no such guarantee as to the integrity of the executable program code. The execution of this material may read information from secure system functions and write it to external locations. In a multi-user system, it may also compromise information relevant to another PSO.

The preferred method is to divide the available secure memory into partitions that include at least one system partition and one or multiple user partitions. Programs within a system partition may access any secure memory address. Programs within a user partition are usually confined to their own partition. This protects system integrity and the integrity of one user partition from any other. An alternative is to perform this function with software that checks each instruction executing within a particular user partition, verifying that it is not intended to make an unauthorised access to system memory and or other user memory. Another solution would be to allocate a separate microprocessor to one or multiple user functions.

When the secure system kernel switches processing between user functions it programs logic with the address boundaries of the current user partition. A separate user partition is preferably allocated to each user function.

The invention allows for any method and apparatus that prevents any particular user function from accessing, in an unauthorised manner, secure information within system partitions and or other secure user partitions. The method does allow valid transfers of processing across system and user partitions. It is preferable that the size of the partitions may be varied, preferably under the control of secure system functions.
This system functions address block is preferably programmable to allow the size of secure system memory to be varied, however, there is usually a known default on reset of the secure microprocessor 20. As an added precaution it is preferable to latch the first address of the preceding instruction and do a similar comparison. This requires that any instruction that attempts access to secure functions in this part of the address map must have originated in secure system memory and the instruction prior to it must also have originated in secure system memory. This is to prevent a program that may be executing within a secure user partition from accidentally or deliberately loading the program counter of the secure microprocessor 20 with a value pointing to a secure function with [illegible] results. The address of the first instruction may be determined by including in the design of secure microprocessor 20 the generation of a signal to indicate that it is the first address of the instruction (this may already be the case). The program counter contents may also be latched. Chip select 147 from decoder 25 selects the block of memory allocated to secure system functions. When the secure microprocessor 20 is reset it jumps to an initialisation routine in this memory. The size of this memory is preferably variable to accommodate changing requirements. This is usually done by programmable boundary registers 160, that are selected by chip select 161. One boundary is usually fixed at the top of the available address space. The programmed value of 160 is supplied to address decode 25 and provided to its address comparators. These methods are well known to the art. Chip select 161 preferably requires the same precautions as regards checking the origin of the instruction as described for 140, 142, etc. Chip select 147 decodes the secure system memory. This preferably has the same requirements for two sequential instructions to have originated in secure system memory addresses in order to be decoded. An exception is reset or an interrupt that resets the latches that store the addresses of the two relevant instructions to values that are within the secure system memory. This enables the secure microprocessor 20 to read instructions from its interrupt handlers. This also provides a method for a user routine to transfer processing back to system memory in a controlled way. A user function may write to an address location that generates a user interrupt 180; the system functions may then interact in any precontrolled manner to meet the requirements of the user function. The balance of the secure memory is allocated to various user functions. In a multitasking UCDPS, this is preferably partitioned into multiple user partitions. The preferred method is to have one or multiple sets of address boundary registers 170, that may only be programmed by secure system functions decoding select 171, with the value programmed into 170 feeding back to the decode logic 25 to define the current user partition, that is decoded with chip select 148. This permits the available user partitions to be divided on a totally flexible basis as required. When processing transfers from one user partition to another, the secure system functions reprogram the boundary register values. When processing is transferred to a user partition no addresses are decoded outside this partition to prevent a user function compromising the system partition or another user partition. If the program counter is loaded with a value pointing to an address outside the user partition, it will not be decoded and the user function will usually crash. In case of a crash within one of the user partitions a watchdog timer 190 will interrupt 191 the secure microprocessor 20 after a predetermined period. This is preferably a programmable period that may also be used to task switch secure processes in a multitasking environment. Prior to transferring processing to the user partition, the secure microprocessor 20 registers are preferably stacked and cleared of sensitive information. The dual port memory is decoded by chip select 150. The secure microprocessor 20 may also generate an interrupt 195 to the system microprocessor, that directs the system microprocessor to an interrupt routine in dual port memory or any suitable location. This location is preferably read only to the system microprocessor and may be read and written by the secure microprocessor 20. This interrupt may bypass any normal interrupts generated by the UCDPS to the system microprocessor and be transparent to the operating system. See known art US Patent 5274834. It may be used for any reason, in particular to direct the system microprocessor to perform various functions within the UCDPS transparent to the UCDPS operating system, for example writing the current program counter contents to an address accessible by the secure processor 20. This may be used to track which programs are executing in UCDPS memory. This may help track task switching and/or metering of program use. An interrupt may also be generated by the system microprocessor to the secure microprocessor 20. Interrupts internal to the secure microprocessor 20 are preferably specific to a particular source. There are preferably sufficient interrupt lines to handle all corresponding devices.
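The partition and origin-checking rules above, modelled as an added example (not the patent's code): a Python simulation of decode logic 25 with boundary registers 160 and 170, the latched first addresses of the current and preceding instruction that qualify chip selects 140 to 146, 161, 171 and 147, user-partition confinement with watchdog 190, and the reset/interrupt exception that reloads the latches. The device addresses, the top of the address space, the default boundary and the watchdog period are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TOP = 0x10000  # assumed top of the secure address space (the fixed upper boundary)
# Assumed fixed addresses of the secure devices -> chip select that decodes them.
DEVICE_SELECTS: Dict[int, int] = {
    0xFF00: 140,  # real time clock calendar 89
    0xFF10: 141,  # programmable logic devices of the DES engine
    0xFF20: 142,  # DMA controller 125
    0xFF30: 143,  # DES engine 135
    0xFF40: 144,  # tamper detect 80
    0xFF50: 145,  # A/D converter 75
    0xFF60: 146,  # power management 65
    0xFF70: 161,  # boundary registers 160 (secure system memory)
    0xFF80: 171,  # boundary registers 170 (current user partition)
}
CS_SYSTEM = 147  # chip select for secure system memory
CS_USER = 148    # chip select for the current user partition


@dataclass
class SecureDecoder:
    system_base: int = 0xC000                      # value of boundary registers 160 (assumed default)
    user_bounds: Optional[Tuple[int, int]] = None  # value of boundary registers 170 (lo, hi)
    watchdog_limit: int = 8                        # assumed period of watchdog 190, in cycles
    mode: str = "system"
    latch_cur: int = 0xC000    # latched first address of the current instruction
    latch_prev: int = 0xC000   # latched first address of the preceding instruction
    registers: Dict[str, int] = field(default_factory=dict)
    stacked: Dict[str, int] = field(default_factory=dict)
    undecoded: int = 0         # consecutive undecoded cycles while in user mode
    events: List[str] = field(default_factory=list)

    def in_system(self, addr: int) -> bool:
        return self.system_base <= addr < TOP

    def in_user(self, addr: int) -> bool:
        return self.user_bounds is not None and self.user_bounds[0] <= addr < self.user_bounds[1]

    def _origin_ok(self) -> bool:
        # Both the current and the preceding instruction must have originated
        # in secure system memory for a secure chip select to be honoured.
        return self.in_system(self.latch_cur) and self.in_system(self.latch_prev)

    def _reload_latches(self) -> None:
        self.latch_cur = self.latch_prev = self.system_base
        self.mode = "system"
        self.undecoded = 0

    def reset(self) -> None:
        """Reset: default boundaries, latches reloaded, processing in system memory."""
        self.user_bounds = None
        self._reload_latches()

    def interrupt(self, number: int) -> None:
        """An interrupt reloads the latches so the handler in system memory decodes."""
        self.events.append(f"interrupt {number}")
        self._reload_latches()

    def fetch(self, pc: int) -> Optional[int]:
        """Instruction fetch at pc; returns the chip select that decodes it, or None."""
        if self.mode == "user":
            if self.in_user(pc):
                self.undecoded = 0
                return CS_USER
            # Outside the partition nothing is decoded: the user function crashes
            # and watchdog 190 eventually interrupts (191) the secure processor.
            self.undecoded += 1
            if self.undecoded >= self.watchdog_limit:
                self.interrupt(191)
            return None
        self.latch_prev, self.latch_cur = self.latch_cur, pc
        return CS_SYSTEM if self.in_system(pc) and self._origin_ok() else None

    def access(self, addr: int) -> Optional[int]:
        """Data access; secure device selects require a system-memory origin."""
        if self.mode == "user":
            return CS_USER if self.in_user(addr) else None
        if not self._origin_ok():
            return None
        if addr in DEVICE_SELECTS:
            return DEVICE_SELECTS[addr]
        return CS_SYSTEM if self.in_system(addr) else None

    def program_user_partition(self, lo: int, hi: int) -> bool:
        """Write boundary registers 170 through select 171; system functions only."""
        if self.access(0xFF80) != 171:
            return False
        self.user_bounds = (lo, hi)
        return True

    def transfer_to_user(self) -> bool:
        """Stack and clear the registers, then confine decoding to the partition."""
        if self.mode != "system" or self.user_bounds is None:
            return False
        self.stacked, self.registers = dict(self.registers), {}
        self.mode = "user"
        self.undecoded = 0
        return True

    def user_interrupt_180(self) -> None:
        """A user function hands processing back by raising user interrupt 180."""
        if self.mode == "user":
            self.interrupt(180)
```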

The secure storage devices are described in detail below:

1) [illegible]: usually a small amount of mask ROM 51 to initially program the other functions into the device (alternatives may be used). It may also include a public code to identify the device and one or multiple secret codes to limit access to various parts of the device, particularly in the erased state.
2) Secure System Functions (also referenced as Secure Supervisor Functions or Secure Supervisor Means)
- Flash memory 52 usually for storage of information that needs to remain in the device in the event of total power loss. The invention allows for any devices to support the erasure and reprogramming of flash memory and/or EEROM. Particular applications of this area may include the storage of information that should survive an erasure of SRAM for any reason, including deliberate erasure. One of the features of the secure processing means may be its capability to select random encryption keys and validity check sums and use these to encrypt information for storage in external locations, preferably on a mass storage device. The secret keys are used to reverse the process. This may have multiple applications for the invention. Part at least of this information may need to remain retrievable if the SRAM contents are corrupted or deliberately destroyed. By retaining the keys to this information in non-volatile locations, a suitably protected routine may be used to retrieve this information [illegible] by the service provider. It also prevents [illegible] with externally [illegible] information, as the decryption key is [illegible] and may be varied every time.

- Battery backed static memory 53, that usually stores in part at least, important information which may require rapid erasure in the event of tampering. Any non-volatile rapidly erasable storage means may be used. This may use any power source that withstands loss of mains-power and is preferably a rechargeable battery incorporated into the device and or its enclosure and or a rechargeable battery external to the electronic package. An alternative in part at least is a Supercap. The battery backed RAM may have its contents altered (apart from normal processes) for any reason. This may include accident, eg. flat battery; tampering (logical and/or physical). This memory usually stores information
(i) that needs to be kept secret and that cannot be stored in encrypted format in an external location and loaded and decrypted as required. This may include the master decryption algorithms and/or keys.
(ii) that may need to be secret that is required to correctly interface with externally available information. This may include the loading of other information.
(iii) that is [illegible] for any reason should be internal on a continual basis.
(iv) that is loaded from external locations. This may include additional secure system functions loaded in encrypted format and subsequently decrypted and may include [illegible] objects supplied by an authorised party to modify functions within the SPD.

The information in (i) to (iv) is usually known to be available within, and/or able to be loaded within, the device when required to perform the functions that are an integral part of the secure processing means. They are usually known to be secure and incapable of corrupting and or compromising the secrecy of information. Those secure system functions that are loaded into the SPD in encrypted format usually have tamperproof validity checking processes integrated into their structure to ensure the validity of the information prior to processing it with other secure system functions. Secure system functions perform in part at least the supervisory functions of an operating system. The preferred embodiment of the invention allows for multitasking of PSOs. As such the functions of the secure memory means, in part at least, provide the role of a kernel of a multitasking operating system, and do not require specific [illegible]. An important feature of the preferred embodiment is the inclusion of a means within secure system functions to dynamically modify itself while in the hands of a user. This may include changing master encryption keys and/or algorithms.

The provision of a method and apparatus that enables secure system functions to be securely modified at a user's location and that may also be a dynamic process loading information from external locations (preferably in encrypted format) provides great flexibility. Multiple functions may be added in the future. The facility may [illegible] almost any secure processing requirement across a spectrum of commercial activities. However, because it is dynamic there is preferably a means for one or multiple protected software objects to determine if the secure processing means is current for its requirements. The invention allows for any means to provide at least one current version number - SPD.Version n (n may be any number), for part at least of secure functions. One method to achieve this is to have system functions write this information into a known location in dual port memory 19 of figure 1 in a location also readable by the UCDPS. One benefit of making it read only to unsecure processes is to stop interference by viruses.

3) Secure User Functions 54 (these may also be referenced as Secure Application Functions or as Secure Application Means)
These are usually part at least of software objects supplied by various producers that have a requirement for interaction with the secure processing means. They are usually encrypted in part at least and have tamperproof validity checking processes included to ensure that the information is as intended. Those parts of said software object transferred to locations within the SPD, whether data and or computer instructions, are referenced as secure user functions.

In addition to providing password protection to routines to initially program and/or reprogram the device, it may also be used for a secure user password system.

Secure User Password Functions:

The secure processing means of the invention is readily adapted to the provision of a secure password system for users, and the invention allows for any means. This is an important feature in a system that may execute a variety of software across a broad cost spectrum and that may have other secure applications, eg. electronic commerce. The preferred embodiment is a time based password system as described for device [illegible]. The password functions usually include routines to disable part at least of the SPD in response to a specific command. This requires the user to specifically disable the SPD, and usually requires entry of the correct password to do this.

The invention also allows a disabling of the SPD in response to: reset and/or power down and/or any other criteria (the unsecure processing system is not usually disabled). These functions preferably disable the SPD and or other applicable devices and require the correct password to reactivate the SPD and or other applicable devices.

The password(s) is usually stored in secure non-volatile system memory. The device may be shipped to the user with a known default password and or the password system disabled. Entry to the password system may use any method. It may involve passing commands using one or multiple methods as described elsewhere in this specification, usually by writing and or reading particular address locations, for example dual port memory 19. A user accessing the device with the correct password may be able to change passwords. The password system is usually constructed to allow the service provider to reinitiate or disable said password system by supplying an appropriate software object, preferably a PSO. The method described, restricting access to SPD modification by password, will be readily adapted by those skilled in the art. Certain functions may be programmed into the secure processing means that may restrict the user access to one or multiple functions. For example, they may restrict users of a particular country from using one or multiple software objects. The invention allows that some of these restrictions may be re-programmable with information supplied by the service provider while other information may be fixed (eg. by the supply of an appropriate PSO).

A user may require various restrictions placed on the use of their SPD. These are normally programmable by the user. A user may want a master password for themselves and this would usually be stored within non-volatile storage elements of system memory, and the correct entry of this may be required to activate the SPD.

Additional passwords may also be required that allow limited access to the PCPU, for example, certain passwords may be attached to children to prevent them from using unsuitable software, or certain employees may be prevented from playing games on their computers during business hours. Certain functions may also be attached to various passwords, e.g. to monitor usage. For example, routines within the SPD may extract one or multiple codes within a particular PSO, eg. those classifying the type of software object (eg. a game) and/or suitability for children. If password access is activated on the SPD the internal software stores details about the user and any restrictions. These are compared with that coupled to one or multiple PSO's and a decision made on whether to permit access. This is actually a user programmable right of access.

Page 36 AMENDED SHEET

CA 02242777 1998-07-10 RECEIVED 15 SEP 1997

The preferred method is to use the system command and data ports for configuring certain locations within the SPD when a PSO first requires access to the SPD. The PSO would usually send a command requesting a user partition 54 of Figure 3 and a user port structure 205 of Figure 4. The SPD would usually respond with the availability of this memory and appropriately configure a user command input port 206 and/or user command output port 207 and/or user input data port 208 and/or user data output port 209. The PSO stores these port addresses in a suitable location in its own address space and directs all commands and other information to and from these user ports until otherwise reconfigured. A multitasking kernel within the secure system functions is usually responsible for such port configuration as part of its functions. Additional PSOs create their own user ports, e.g. 210 and 215 of Figure 4.
The space used by these ports is usually released when a software object finishes with the SPD. Any one or multiple user ports may be dynamically reconfigured as required while still in use with a particular PSO. This process permits the SPD to be responsive to the UCDPS task handler.

The preferred embodiment of a secure processing means as described with reference to figures 1, 2, 3 and 4 provides a means to create a secure operating system. This is preferably multi-tasking. It may reside in part at least within secure system memory and may load additional functions from external locations as required for support. The secure system memory may be varied in size, and such changes may only be made by routines operating from the secure system address map. The secure system functions may also be supported by a battery backed real-time clock calendar that has particular application in determining when one or multiple reports may need to be generated and transferred to a service provider, and/or to facilitate timing of software usage. The option of a Data Encryption Standard (DES) engine may assist the handling of software protection systems that use public/private key processes. The secure DMA function enables rapid transfers of information between internal and external locations and/or between internal locations. It may also be used as a general purpose DMA channel by the UCDPS. One or multiple secure user functions may be created that are also secure from one another and from the secure system functions.

The secure processor 20 and its secure system functions usually require communication with external sources. Processor 20 communicates via a common channel (in this case the dual port memory) with external, usually unsecure, processes. It accepts information for decryption and may return this to external locations for further processing. It may actually retain part of this information within the secure environment for secret processing. This provides a software protection scheme that is difficult to bypass. It may provide data and/or information required by the software object (these may be pre-programmed in clear code and/or loaded in encrypted format and/or clear code, prior to and/or during processing of one or multiple software objects).
The secure system functions may be able to dynamically vary the size of one or multiple secure partitions to accommodate the requirements of different software objects. These partitions are protected from one another where necessary, an important feature of a secure multitasking system. The system functions may time-slice various system and/or user functions. This is preferably achieved with a programmable timer counting down as described earlier. At the end of each period the system functions preferably monitor the system/user interface ports to determine if the UCDPS is wanting attention, in particular if there has been a task change, for example as indicated by accesses to a different port.
The secure processor 20 would not normally need to switch its tasks in response to an external switch from a PSO to a normal software object, or from one normal software object to another. An alternative method is to have the UCDPS interrupts also interrupt the secure processor 20. This enables the secure processor 20 to inspect external flags and determine if a different PSO has been allocated a system time-slice (and that it is different to the one being handled). This provides the secure processing means with the ability to handle multiple tasks and operate them in a multitasking arrangement. The method described to set up an interface port structure means that multiple PSOs may communicate with the SPD independently of the UCDPS operating system if required, and independently of one another. This arrangement permits the invention to be applied to multitasking software objects.
These may be one or multiple normal software objects and/or one or multiple PSOs. A person experienced in the art of multitasking system design will be able to adapt what is a fairly standard arrangement to the requirements of an SPD. It will also be recognised by those knowledgeable in the art that a multiprocessor system would also be satisfied by the embodiment as described. The SPD would appear as part of a global memory resource.
Physical and Logical Security
The invention allows that any level of security may apply to the secure processing and/or storage means.

The simplest system would emulate the functions of the invention in software within a UCDPS. Given that a compromise of this system is likely to make a large number of software objects available without restriction, this is not a preferred approach.

The preferred embodiment uses a secure microprocessor and storage means as the secure processing means of the invention. Those experienced in the art will appreciate that an IC may have various levels of security. For example, if secret information is stored in non-volatile devices that survive power loss, it is possible to access this information with sufficient expertise. This is particularly the case for mask ROM.

If a compromise of security will only affect one or a small number of devices, this is probably an acceptable risk. The invention allows that software distributed using the invention may be customised for a particular UCDPS. In this case, compromising the security of a single device has minimal impact. However, if identical copies of software are to be distributed on a larger scale, greater security is required. The preference is to use battery backed SRAM that is rapidly invalidated in the event of tamper detection.

The IC package and/or any external enclosures provide the first line of security. This may be sufficient.

The preferred method is to have the secure microprocessor 20, and/or a microprocessor dedicated to tamper detection, continuously powered and periodically awakened from a low power sleep mode to perform one or multiple housekeeping functions, including monitoring and/or activating various intruder detection processes. SRAM may be rapidly invalidated by removal of power, and/or by a specially created subroutine that cycles through the memory changing values. A specially designed cascade system that triggers invalidation of static memory storage elements is also known to the art (reference Dallas Semiconductor Secure Microcontrollers).

Where certain information that is unique to an SPD needs to be programmed during manufacture, this is preferably accomplished by laser programming of masked elements. This may apply to one or multiple fields in a particular SPD.

The invention allows that attempts may be made to physically tamper with the SPD. This may be for any reason, including the extraction of secure information from the SPD. Secure system tamper detect functions, using any method and apparatus, may be used to detect tampering and/or to take direct action (that preferably includes immediately erasing and/or altering information within part or all secure storage devices) and/or indirect action (e.g. via error functions) in the event of tampering.

Software may in part perform this function. Secure system continuity functions (SSCF) may be used to confirm that one or multiple tamper proof mechanisms remain intact.

One embodiment is to include bidirectional logic at each end (or any other location) of the various signal lines to check for continuity of signal traces and/or functioning of attached logic elements in those instances where the normal function does not permit this. This bidirectional logic is usually connected directly and/or indirectly to programmable elements under the control of suitable software routines.

The invention also allows for any means to detect loss of clock to the real-time clock/calendar and/or any one or multiple other clocked elements. One method is to periodically read these devices to ensure that they show the expected incremental changes consistent with an active clock.

It is preferable that part or all of the tamper detect functions remain functional when the system power supply is removed. This may include using battery power to maintain one or multiple microprocessors within the device in an operational mode, enabling them to execute various system functions. Loss of battery voltage below a predetermined threshold (as detected by an appropriate A/D converter 75 of figure 3) may trigger the erasure of part or all secure elements.

It is preferable that an independently timed function is incorporated (e.g. an RC network) that must be periodically refreshed by one or multiple microprocessors. This confirms the presence of an active CPU, and failure to periodically refresh this function would usually cause a default erasure and/or alteration of secure storage elements.

Logical security is provided to deter determined attempts at manipulating information in an attempt to compromise the secure means. With systems that rely on decryption for security there is little chance of a successful logical attack on the device. However, in the preferred embodiment of the present invention, externally supplied programs may be loaded and executed within a secure environment.
The partitioning of system functions from user functions, and of one user function from another, provides a physical deterrent to a software program mounting a logical attack. This usually requires good software support within the secure system functions. These methods are well known to those experienced in the art.

The invention also allows that various errors and/or validity failures and/or any processing error and/or any other event may be recorded by secure system error monitoring routines (usually resident within secure system memory). These may use any means. These functions may include:
- recording abnormal events; and/or
- in response to a predetermined number and/or types of abnormal events (and/or any other reason), taking one or multiple actions (that may be any action, including calling other functions to partially or totally disable the device); and/or
- returning processing to the system CPU (with or without error reporting).

There may be a requirement to disable part or all of the SPD and/or part or all of other apparatus that the SPD may be integrated within (e.g. the system CPU). The functions to perform this are referenced as secure system disable functions, and they may be implemented using any method and apparatus, including:
- the generation of various clocks (and/or any other appropriate signals) that trigger rapid erasure of volatile elements; and/or
- setting/clearing of flags (preferably in non-volatile locations) that may be read by various other functions that will not continue (and/or any other outcome) in the event of an inappropriate value within a flag.

System Reset Functions:
The secure microprocessor may be continuously powered to perform reliable tamper detection and invalidation. The power source is usually shared with the battery backed SRAM and, where present, the real-time clock calendar. The SPD is preferably reset following a reset and/or power up of the host UCDPS. It is preferable that the reset line on the secure microprocessor 20 is connected to the reset line of the host UCDPS, enabling it to perform error checking on internally stored information prior to performing functions required by the UCDPS. This reset may be latched with a delay to prevent an external reset being applied in an attempt to stop the secure CPU 20 performing tamper detection (for example).

The secure microprocessor 20, on reset (and/or any other appropriate event) and/or as part of its normal functions, may perform various housekeeping duties:
- while waiting for one or multiple interrupts generated by the UCDPS; and/or
- while reading one or multiple appropriate values from one or more polled addresses, that may also be directly and/or indirectly written to by the system microprocessor (eg. in dual port memory 19 of figure 1); and/or
- using any other method that activates the processor and/or any one or multiple other functions of the SPD to further interact with the UCDPS as required.

After the UCDPS is reset it is preferable that at least one of the following occurs:
- run a CRC check or similar on the information stored within the secure system memory to ensure that there have not been any unauthorized changes, deliberate or accidental; and/or
- clear appropriate system memory locations used for temporary storage and create required data structures; and/or
- load hardware configurations that require initialising with the relevant information; this may include the creation of hardware based protection using programmable logic.


When the SPD is located within the system CPU, any method is allowed for initialising secure system memory after reset of the system CPU and/or after power up of the UCDPS. This may include one or more of the following:

- the system CPU may be modified such that when it comes out of reset, it automatically enters a routine in system memory to initialise system memory; however, this may prevent access by the SPD to information external to the PCPU that is initially loaded by the usual system operating system.
- a reset flag may be set within the SPD when there is a loss of external power, with this flag cleared when reset functions have occurred. The latter may be triggered on the first attempt to use secure memory after a reset; however, the preferred method is to include a special instruction in each PSO that executes prior to any other instruction affecting the SPD.

Initial Programming, Reprogramming and Erasure of Secret Information

The system memory of an SPD must be preprogrammed with certain key information and data prior to shipping to a user (usually as part of a UCDPS). This should be done in a secure environment using secure methods, and is preferably done during the manufacturing process. The service provider preferably keeps a record of the information within each SPD, in part at least. Once this key information is programmed into the system memory, any other types of information and/or data may be suitably encrypted by the service provider and transferred to a user's SPD (usually while within their UCDPS) using methods that maintain the security of the information. The suitably encrypted information is programmed into the system and/or user memory of the SPD on a temporary or permanent basis, and in many cases this will be a transparent, dynamic process that occurs during the execution of various PSOs. This method allows almost any type of information and functions to be securely loaded and stored within the system memory, and/or allows various programs to be loaded to update and/or modify existing system functions, and/or any other transfer of information for any reason.
The secure processing means of the preferred embodiment usually stores its secure system functions within RAM. These may be dynamically updated as required. The invention allows that all secret information may be replaced, including master encryption keys, while the device is in an unsecure location. This provides a very flexible apparatus. The RAM is preferably battery backed to enable rapid erasure. Any means may be used to initially program information into the RAM.

One method serially clocks the required information into the RAM via latches (that may require a certain predetermined sequence to activate the process). This may not require any preprogrammed software routines within the device. This is a technique known to the art.

The preferred method uses a secure software routine executing from within ROM using the Timed Password Access method described below. These routines are referenced as secure system initialisation functions (SSIF). They may also be used to erase and/or modify and/or reprogram the SPD at a later date.

The invention also allows that part or all of the functions within the SSIF may be called by other secure functions as part of the normal operation of the SPD. For example, the routines to load information from external locations and to program information into flash memory have obvious multiple uses. Certain functions within the SSIF should only be capable of use when it is known that secure information within the device is invalid.

The minimum SSIF functions preferably included within the device at the time of manufacture should be sufficient to load and/or program other information into the device and, where necessary, initiate processing of said other information. This usually provides an SPD that may then modify itself as required.

Said other information may be any information and may include additions to the SSIF not included at manufacture. The storage locations should retain SSIF functions (in part or whole) when other information within the device is erased for any reason. The SSIF may include any required support hardware to program permanent storage devices, eg. a charge pump and/or supply of special voltages and/or timers and/or glass windows to erase EPROM. The SSIF usually includes functions to:

- respond to a command to activate one or multiple SSIF functions (and/or any other necessary functions); and/or
- retrieve externally supplied information, that may use any method and apparatus provided for in a particular SPD, and program part or all of this information and/or any other information into required locations; and/or
- finish programming; and/or
- verify that the information is error free; and/or
- terminate the process such that various appropriate functions remain available as secure system functions; and/or
- direct processing to part of the information that has been programmed (and/or otherwise initiate access to this information).

The ability to load information and subsequently direct processing to this information is a key aspect of the invention. With the addition of a suitable decryption method within the SPD, said SPD may load encrypted information, decrypt this information and then direct processing to said decrypted information. The addition of routines to pass information back to external locations completes the process.

The SSIF and any subsequent secure system functions may load information from any relevant external location to assist the process, and/or may call routines within external locations to assist the process.

The invention allows that part or all of the SSIF functions may be transferred from ROM to secure system memory in secure SRAM.

A means to permit programmed information to be read back for verification is preferable. Any method is allowed for, with the preferred one implemented in software. It should prevent a user from activating this function at a later date and possibly being able to access secret information.

The preferred method flags a non-volatile storage location once the read-back process is complete, in a manner that does not leave said flag clear in the event of a partial read-back. The preferred method to prevent the flag remaining clear in the event of a partial read-back is to activate a watchdog timer that times out after a predetermined interval. This sets a flag by latching a flip flop, preventing further information read-back. It is preferable that said flag can only be cleared after secure storage elements have been erased and/or otherwise suitably modified. This is not a function that should be available in unsecure environments.

Disclosure of the information regarding the actual SSIF is unlikely to jeopardise the security of other secret information. However, it is preferable that unauthorised parties are prevented from programming and/or erasing and/or reprogramming the device. It is preferable that these processes are password protected (using any password system) against unauthorised use.

The timed password access method makes it unlikely that the password protection will be defeated, while retaining functionality for those parties with the correct knowledge, even in the presence of previous unsuccessful attempts at programming and/or deliberate attempts to disable the device (eg. computer viruses). This contrasts with password systems that terminate the process after a predetermined number of attempts, possibly preventing further programming of the device by authorised parties.

The invention allows that a preferably unique password is programmed (usually as part of the SSIF) into each device. Without access to this unique password, unauthorised activation of the SSIF is not a practical outcome.


The preferred method of activating the SSIF functions when the SPD is within the system microprocessor is to load the password into one or multiple CPU registers and execute a specially created instruction that activates the SSIF to read the password and continue as appropriate.

Password Access Functions:
The timed password access (also referenced as TPA) may use any method and apparatus. It prevents any practical gain from attempting unauthorised access to a password protected event. It is based on a permutation of such complexity that in practice it would take such a long time to try all the possibilities that it is not practical to gain access to the protected event. Said complexity may be assisted by the incorporation of a delay mechanism limiting the frequency of attempts. Said delay may be variable for any reason (e.g. to allow for legitimate errors) and may be created using any method, including software loops and/or physical delays. The delay may be a hierarchical system that includes different delays depending on the number of incorrect attempts at access. It is preferable that said delay is unaffected by powering down of the device, to prevent rapid power cycling defeating the delay mechanism.

The following method steps describe the preferred embodiment:
a) create one or more password keys that are stored securely.
b) create a means to store an attempt count in a device that is rewritable and preferably non-volatile.
c) create a means to generate a known time interval. The invention allows for embodiments allowing a variable interval; this is most readily achieved by a software loop.
d) create a means to input a password, eg. create a specific instruction that can pass externally supplied information to the relevant routines.
e) create a means to input the function required should the password succeed (usually not required if only one option).
f) user activates d) and e), including transferring the password and target function to the process.
g) check the value in the attempt count in b).
h) if less than a certain predetermined value then go to step j), else proceed.
i) invoke c) to generate a time delay.
j) increment the value in b).
k) confirm step j) has occurred if there is a chance that external influence may interfere with j).
l) input the password using d) and compare with the key in a). If a match, go to step o), else proceed.
m) set a flag in external memory to indicate a failed attempt at calling the program.
n) exit; to try again enter at f). (If the attempt count is below the value in h) a retry will be immediate, otherwise a delay will be encountered every time.)
o) clear the flag in external memory to indicate success.
p) proceed with the called process.
q) return to external memory when finished.

Note: for passwords that protect access to processes that are implemented after destruction or removal of erasable areas, the software routines and password key codes should be stored within memory that is not erased.

The advantage of TPA over a limited number of attempts that then blocks the system is that it prevents the accidental and/or deliberate disabling of part or all of the device. The invention allows for a mix of methods.

In addition to providing password protection to the routines that initially program and/or reprogram the device, it may also be used for a secure user password system.

Secure User Password Functions:
The secure processing means of the invention is readily adapted to the provision of a secure password system for users, and the invention allows for any means. This is an important feature in a system that may execute a variety of software across a broad cost spectrum, particularly as the SPD may have preloaded rights that may not require any other communication with remote parties for use. The SPD may have other secure applications, eg. electronic commerce, and these require protection.

The preferred embodiment is a time based password system as described for device initialisation. This preferably allows a differential delay (eg. the user may be provided immediate retries for a predetermined number of initial attempts, with extended delays for subsequent attempts if unsuccessful). The invention allows for a hierarchical password system, preferably controlled by at least one master password.

The user password functions preferably include routines to disable, in part at least, the SPD in response to a specific command by the user. This may require the entry of a correct password.
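The TPA method steps a) to q) above, together with the differential-delay user password scheme just described, as an added runnable model that is not code from the patent. The non-volatile attempt counter, the injected delay callable, the doubling delay schedule and SHA-256 storage of the keys are assumptions of this example.

```python
"""Timed Password Access (TPA), method steps a) to q), as a runnable model.

Added example, not code from the patent.  The secure device's non-volatile
attempt counter and the 'external memory' result flag are plain objects,
and the time delay of step c) is an injected callable so the schedule can
be inspected without sleeping.  Key names, the doubling delay schedule and
the SHA-256 storage of keys are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class NonVolatileStore:
    """Step b): rewritable, non-volatile attempt counter, plus the external
    memory flag of steps m) and o).  Kept outside the TPA object so that it
    survives a simulated power cycle: power cycling cannot reset the delay."""
    attempt_count: int = 0
    fail_flag: bool = False


class TimedPasswordAccess:
    def __init__(self, keys: Dict[str, str], nv: NonVolatileStore,
                 delay_fn: Callable[[float], None], free_attempts: int = 3,
                 base_delay: float = 1.0, max_delay: float = 3600.0) -> None:
        # a) password keys stored securely; held here as SHA-256 digests.
        self._keys = [hashlib.sha256(k.encode()).digest() for k in keys.values()]
        self._nv = nv
        self._delay_fn = delay_fn              # c) known time interval generator
        self._free_attempts = free_attempts    # h) attempts allowed before delays start
        self._base_delay = base_delay
        self._max_delay = max_delay
        self._targets: Dict[str, Callable[[], object]] = {}  # e) selectable functions

    def register_target(self, name: str, fn: Callable[[], object]) -> None:
        """e) make a function selectable once the password succeeds."""
        self._targets[name] = fn

    def delay_for(self, count: int) -> float:
        """Hierarchical delay: none within the free attempts, then doubling with
        every further attempt, capped so a legitimate user is never locked out."""
        if count < self._free_attempts:
            return 0.0
        return min(self._base_delay * 2 ** (count - self._free_attempts), self._max_delay)

    def attempt(self, password: str, target: str) -> Optional[object]:
        """f) to q): one access attempt.  Returns the target's result, or None
        when the password did not match (the fail flag is then set)."""
        count = self._nv.attempt_count                 # g) read the count
        wait = self.delay_for(count)                   # h) below threshold -> no delay
        if wait:
            self._delay_fn(wait)                       # i) generate the delay
        # j) increment BEFORE comparing, so an attempt interrupted after this
        #    point (e.g. by removing power) still counts against the caller.
        self._nv.attempt_count = count + 1
        if self._nv.attempt_count != count + 1:        # k) confirm the write
            raise RuntimeError("attempt counter did not persist")
        digest = hashlib.sha256(password.encode()).digest()
        # l) compare against every stored key in constant time.
        if not any(hmac.compare_digest(digest, key) for key in self._keys):
            self._nv.fail_flag = True                  # m) record the failure
            return None                                # n) exit; retry re-enters at f)
        self._nv.fail_flag = False                     # o) record success
        # The method steps do not reset the counter on success; a deployment
        # may choose to do so here.
        return self._targets[target]()                 # p) run the called process, q) return
```

Constructing a second TimedPasswordAccess over the same NonVolatileStore models a power cycle: the delay schedule continues from the persisted count.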

The invention also allows for disabling of the SPD, in part at least, in response to: reset of the UCDPS and/or power down of the UCDPS and/or an inactivity timeout (that is preferably programmable by the user); and/or based on any other criteria. The password processing system is not usually disabled. Entry of at least one correct password is required to reactivate the SPD and/or other associated devices. This process may also be applied to enabling/disabling, in part at least, the system CPU when the SPD is inclusive. The password(s) is usually stored in secure non-volatile system memory.

The SPD may be shipped to the user with a known default password and/or the password system disabled. Entry to the password system may use any method. It may involve passing commands using one or multiple methods as described elsewhere in this application, usually by writing and/or reading predetermined address locations, for example dual port memory 19. When the SPD is part of the system CPU, it may be activated by a special instruction and/or an appropriate Post Instruction Symbol Stream (PISS).
A user accessing the device with the correct password may be able to change passwords.
The password system is usually constructed to allow the service provider to reinitiate or disable said user password system by supplying an appropriate software object, preferably a PSO (this is particularly useful if the user forgets their password).
The method described for restricting access to SPD initialisation by password will be readily adapted by those experienced in the art.
Certain information may be programmed into the secure processing means that may restrict the user's access to one or multiple functions. For example, it may restrict users of a particular country from using one or multiple software objects. The invention allows that some of these restrictions may be re-programmable with information supplied by the service provider, while other information may be fixed (eg. by the supply of an appropriate PSO).

A user may require various restrictions placed on the use of their SPD. These are normally programmed by the user. A user may want a master password for themselves, and this would usually be stored within non-volatile storage elements of system memory; the correct entry of this may be required to activate the SPD.

Additional passwords may also be required that allow limited access to the PCPU. For example, certain passwords may be attached to children to prevent them from using unsuitable software, or certain employees may be prevented from playing games on their computer during business hours. The user password system supports time limited usage of at least one software object and/or restricted times of access for one or multiple software objects and/or any other restrictions users may want to place on the use of their equipment.
Certain functions may also be attached to various user controlled passwords, e.g. to monitor usage. For example, routines within the SPD may extract one or multiple codes within a particular PSO, eg. those classifying the type of software object (eg. a game) and/or its suitability for children. If password access is activated on the SPD, the internal software preferably stores details about the user and any restrictions. These are compared with those coupled to one or multiple PSOs and a decision is made on whether to permit access.
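The access decision just described (PSO classification codes compared against the restrictions held for a password holder), as an added example that is not code from the patent. The code names, record fields, sample objects and the ordering of fixed service-provider restrictions before user-programmed ones are assumptions of this example.

```python
"""Access decision: PSO classification codes versus the restrictions the SPD
holds for a password holder.

Added example, not code from the patent.  The code names, record fields and
the sample objects are constructed for illustration.  Service-provider
("fixed") restrictions are checked before user-programmed ones, so a user
password cannot override them.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class PsoCodes:
    """Codes extracted from a PSO about the software object it protects."""
    object_id: str
    object_type: str                 # e.g. "game", "educational"
    child_suitable: bool
    # Fixed restriction supplied by the service provider with the PSO.
    blocked_countries: FrozenSet[str] = frozenset()


@dataclass
class UserRecord:
    """Details the SPD stores about one password holder.  All fields are
    user-programmable restrictions."""
    name: str
    is_child: bool = False
    # object_type -> (start, end) window during which that type is blocked
    blocked_windows: Dict[str, Tuple[time, time]] = field(default_factory=dict)
    # object_id -> remaining usage allowance in seconds (time limited usage)
    remaining_seconds: Dict[str, float] = field(default_factory=dict)


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end); a window with start > end crosses midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def decide(pso: PsoCodes, user: UserRecord, device_country: str,
           now: datetime) -> Tuple[bool, str]:
    """Return (permit, reason) for `user` running the object described by `pso`."""
    # 1. Fixed restrictions first: programmed by the service provider and not
    #    subject to the user's password rights.
    if device_country in pso.blocked_countries:
        return False, f"blocked in country {device_country}"
    # 2. User-programmed restrictions.
    if user.is_child and not pso.child_suitable:
        return False, "not suitable for child"
    window = user.blocked_windows.get(pso.object_type)
    if window and in_window(now.time(), *window):
        start, end = window
        return False, f"type {pso.object_type} blocked {start:%H:%M}-{end:%H:%M}"
    remaining = user.remaining_seconds.get(pso.object_id)
    if remaining is not None and remaining <= 0:
        return False, "usage allowance exhausted"
    return True, "permitted"


def record_usage(user: UserRecord, object_id: str, seconds: float) -> float:
    """Charge `seconds` of use against a time-limited object; returns what is left
    (infinity when the object carries no allowance)."""
    if object_id in user.remaining_seconds:
        left = max(0.0, user.remaining_seconds[object_id] - seconds)
        user.remaining_seconds[object_id] = left
        return left
    return float("inf")
```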


Identification of Secure Processing Means. The service provider and/or software producer may need to know secret information about a particular SPD (or group of SPDs). This usually requires maintaining a secure database accessible to said service provider. To do this they need to know details about a particular SPD. This may be done by any method known to the art, including physical markings on the outside of the CPU package. The preferred embodiment includes one or multiple serial numbers within the device. These are usually inscribed with a laser at the time of manufacture in a readable memory storage device. This is usually a publicly accessible system. These are available for retrieval under program control and/or any other form of access process. This provides an effective method to uniquely identify a particular device and/or group of devices. This is referenced as an electronic signature and is usually included as part of the SSIF information. Said one or multiple electronic signatures may be transferred to an external location and used by an authorised party as an index to secure information stored within that particular device (and/or for any other reason). Internal secure functions may also use this information for any reason, eg. identifying itself within a secure communication to a service provider. The preferred method when the device is a PCPU is to create a specific instruction that, when executed, stores said serial number from a non-volatile storage location within the SSIF to a predetermined CPU register. For other SPDs, the serial number is usually read from an appropriate location within the dual port memory. In the SPD described with reference to figure one, the secure system interface functions programmed into flash memory 708 usually include the electronic signature. When the microprocessor 707 is first activated by an interrupt on 731 after programming of said secure system interface functions, a routine would transfer the electronic signature to a predetermined location in the dual port memory 704, where it is accessible to the system microprocessor.
Secure Operating Means. The preferred method of implementing a secure operating means is as one or multiple secure system functions. This may include part at least of the utility functions already described and/or part at least of the functions described hereafter. The latter may be broadly divided into general functions well within the expertise of any person experienced in the art of operating system design, and functions that are more specific to the invention.

Reference to Figure 5 of the drawings may assist an understanding of the next part of the description. It shows the secure processor 20, the non-volatile real-time clock/calendar 89, an interrupt 260 to processor 20 to provide a source of interrupts to assist task switching, DES engine 135 and system memory 53. The system memory is shown as the following principal blocks. Region 250 contains the kernel of the operating system. It is the resource manager, task controller and other functions known to those experienced in the art. Region 255 includes one or multiple command functions. Area 265 represents one or multiple secure decryption and processing functions. Secure system support functions 270. Secure system error monitoring and detection functions 275. Area 290 represents data and functions that are usually more specific to the invention and are described with reference to figure 7. The separation of functions is for convenience of description only. They may interact and cross-perform any other functions in any other way. Any one or multiple functions may be excluded and any one or multiple functions added. Those experienced in the art of operating system design should be able to readily engineer software to perform the functions required by the invention.
3g Included amongst secure system ~ ' functions 255 may be:
41 the inclusion of secure system ~ c - ' functionD to detect iUDt- U ~liUllD (that may be implied instructions) amongst 42 ' - wpplied to the S~D (usirU any method and ,, -) and or v ' by a secure user function and Pag5~4.1 AME I~PDEDASUHEET
~1~

CA 02242777 1998-07-10 PCT/AU 97/00010
RECEIVED 15 SEP 1997

or [decoded] by secure system functions [instructing] the SPD to perform certain tasks. These tasks may be any and may include:

- [control] execution of internal programs from any source; and/or
- pass data received from external sources to internal functions; and/or
- receive a request from internal functions to transfer [information] back to the system CPU for any reason; and/or
- accept data from internal functions for transfer to a location readable by the system CPU; and/or
- provide a [command] structure within the SPD to coordinate all other system functions and, where [appropriate], interact with secure user functions; and/or
- where [appropriate] coordinate [...] with realtime decryption [means]; and/or
- any other required function.

Secure system support functions 270:

The invention allows that the SPD may securely add to and/or edit any one or multiple of its own secure system functions. The invention also allows for part of the secure system functions to be loaded (usually in [encrypted] format) into the device from external storage each time a UCDPS is booted (and/or on any other basis).

The invention describes both a means of creating one or multiple protected software objects by a software producer(s) and/or their agents (eg. service provider) and a means for correctly [processing] said protected software objects in a target [equipped] and activated UCDPS. Said [processing] is preferably achieved by the coupling of said UCDPS to a secure processing means that provides part at least of the functions described for a secure processing means in this [specification]. Said activation is preferably achieved in part at least by [providing] one or multiple tokens, preferably directly and/or [indirectly] related to a monetary means (eg. electronic funds). Said [metering] is preferably [achieved] by [checking] the validity of said tokens as required. Said [protection] of software objects is preferably achieved by reversibly [functionally] limiting one or multiple parts of said software objects, such that part at least of said [limitation] requires reversal by said secure processing means.

A means is usually required to create PSOs and a means is usually required to process PSOs. These functions are usually [complementary] in part at least. When a means is described for a PSO an [experienced] person should have no difficulty [engineering] the [corresponding] means to handle said PSO means in one or multiple target secure processing means. The converse may also apply. As such when a method and/or apparatus is described for [implementing] a means in the PSO it may not include a [description] of part at least, of the [corresponding] means in the secure processing means as this is usually obvious. The converse may also apply.

The secure system functions are preferably [structured] so that entry to secure system functions is in a regulated manner. The information within PSOs in part at least may be directed to secure [addressable] locations that may have validity checking functions [performed] on the data. One [important] function of the secure processing means is its capacity to meet the requirements of one or multiple PSOs. Processing of Protected Software Objects by a secure processing means may:

- use any suitable software routines and/or data that may be resident in the secure processing means and/or loaded from any external sources and/or [processed] in any external location, and/or
- be assisted in part at least by any other secure processing means and/or external resources.

One function of secure system functions preferably includes:

direct the decryption of incoming encrypted software; and/or direct the transfer of the decrypted information to a suitable location and where this decrypted information consists of [computer instructions], direct execution to the relevant starting point in the decrypted program and provide any [required] support functions as said computer program is [executed].

The system functions preferably provide, in part at least, suitable functions (eg programs and/or data and/or hardware support) such that when requested by appropriate commands (and/or any other means) may in part at least:

securely transfer at least a portion of encrypted information comprising part or all of one at least software object and/or any other information, from a location external to a secure means to a location internal to said secure means, wherein, said secure means securely decrypts part or all of said encrypted [information] and may:

- initiate and securely process part or all of the ensuing decrypted [instructions] in conjunction with and/or [subsequent] to the decryption process; and/or
- interact in any way with any other internal and/or external information to correctly process information; and/or
- terminate processing, and/or
- transfer data (said data may include clear code and/or [encrypted] data and/or computer instructions) and/or [processing] to any one or multiple internal and/or external location(s) and said location(s) may store part at least of one or multiple software objects and/or
- occur in a manner that [prevents] or eliminates analysis of part or all of the decrypted instructions and/or data;

and/or

provide [computer instructions] and/or data (that may be [generated] and/or loaded prior to and/or during [processing] of one or multiple software objects and/or any other [information]) within a secure processing means and a facility for a software object (that may include a software object with part of its functions deleted and replaced in part at least by said provided [instructions]) to interface with said computer instructions and/or data, and preferably a means to process part at least of said provided [instructions] in a secure manner, [interacting] in any way with any other internal and/or external [information] to correctly said process; and may:

- terminate said process as required; and/or
- transfer data (said data may include clear code and/or encrypted data and/or computer instructions) and/or [processing] to any one or multiple internal and/or external location(s) and said location(s) may store part at least of one or multiple software object; and/or
- occur in a manner that [prevents] or [eliminates] analysis of secret information; and/or

- be [requested] by any means, including an external software object, to provide [information] securely stored within.

A PSO is usually constructed from sections of clear code [interspersed] with regions of encrypted and/or deleted information. The amount of protected [information] may be varied in any way. Said amount usually depends on the level of [security] required by each producer. The number of protected regions within a software object may be any number greater than zero.

The invention allows that any method of encryption and/or decryption may be used. The decryption functions may in part or whole be [implemented] in software to decrypt externally supplied and encrypted [information] using any known methods including the data encryption standard. One or multiple hardware based decryption engines may perform the decryption, in part or whole. Such an engine is one compatible with the Data Encryption Standard (DES). The SPD may be configured (and this may be dynamic) to meet the [requirements] of any one or multiple decryption or encryption techniques. The [invention] is [capable] of [storing] a private key within the secure processing means and using a variation on DES or any of the other well known methods allows the software producer in part at least, to [reversibly functionally] limit software objects using well known public/private key systems (eg. DES, RSA). They usually cannot reverse engineer these processes.

The decryption [process] described also may apply to the [encryption] of [information] from an SPD to a service provider. The process may be made more secure if the service provider sends a preferably one-off [...], in part at least, encryption means to the SPD. This process may have multiple [applications] and is referred to as the COCO method.

The invention allows that encryption/decryption may be assisted in part at least by hardware engines 135. This may include in part at least, one or multiple hardware devices within the SPD actually [constructed] in part or whole from [programmable] logic devices. This [particularly] applies to encryption engines that may be dynamically [re-engineered] as required. The preferred type of [programmable] logic is that known to the art (refer to programmable gate arrays by Xilinx) using battery backed static memory to create the [connections] between various logic gates, as this may be rapidly erased if required. The [means] to transfer this information to the programmable logic elements is preferably via one or multiple secure address locations.

The encryption/decryption methods described pertain to [communication] between service provider and user. They are also [applicable] to the secure storage of information within a UCDPS, including the encryption and storage of various values in the UCDPS memory that are [intermediate] and/or final results of processing.

The decryption and/or encryption processes described for the invention may interact in any way with external processes and the [...] may assist with said decryption and/or said encryption. The preferred security provided by an SPD is its function of decrypting and [executing] [computer] programs in secret and/or decrypting and processing [encrypted] data in secret. The invention also allows for the decryption of information that is not securely

RECEIVED 08 APR 1998

Realtime Decryption Means:

Another preferred [embodiment] of the invention allows for information to be stored, in part at least, in encrypted format in memory locations external to a central processing unit, and to be decoded, in part at least, in realtime as it is [transferred] from memory storage means, to one at least registers of, one at least, processing means. The memory storage means may be secure and/or unsecure. The encrypted information may be [computer instructions] and/or data for said [instructions], and/or data for any other reason. Information may also be [encrypted] in realtime as it is transferred from, one at least processing units to memory storage means. The term realtime is known to those [skilled] in the art. It preferably decrypts said information in the normal time that it takes the [instructions] and/or data to be transferred from memory to processing registers, in which case, there are no wait states. The invention also allows that there may be one at least wait states [introduced] in to the process. The realtime decryption means may use any method and apparatus.

It is [preferred] that different decryption keys apply, in part at least to instructions and data. It is [preferred] that data encrypted in realtime for transfer to unsecure memory storage use different keys to information that is read only.

The preferred method is to encrypt the data, in part at least, as a complex function of other information that is [usually] available (and/or may be generated) to the decryption means when it needs to decrypt a particular byte of information at a particular address. The preferred method may include encryption of data as a function of the address that it is located in memory, and/or as a function (preferably complex) of:

- one at least, encrypted version of said address, and/or
- one at least, offsets from said address (that may be encrypted and/or unencrypted), and/or
- one at least, register contents of the processing means, and/or
- one at least, previous register contents of the processing means,
- one at least, previously accessed [instructions] (that may be encrypted and/or unencrypted), and/or
- one at least, previously accessed data (that may be encrypted and/or unencrypted), and/or
- one at least, programmed registers, and/or
- any other stored information and/or [apparatus].

The method of realtime decryption may also be applied, in part at least, to information transferred from unsecure memory storage means to secure memory storage means, in part at least, under DMA control. It may be applied to the system CPU and/or any other processing means.

The method of realtime decryption provides a suitable method of decrypting and executing program [instructions] in a secure manner, and/or for decrypting and [processing] data securely. It may be combined with other secure processes [described for] the invention.

The known art (Dallas Semiconductor) describes a method of realtime decryption that is based on a complex function of the data and the address occupied by said data. Furthermore, the address is encrypted. One problem with this method, is that in modern PCs, the address that a program is loaded into may be different on each occasion. There may be multiple versions of the program present concurrently. The invention describes a method to adjust the address currently occupied by a byte of data, to the address used during encryption of the information, by determining the position of the program in the UCDPS memory as [relative] to a base address during its [encryption] and using an offset means to compensate. Any method and apparatus is permitted, however, the preferred [embodiment] supplies the offset value and the actual address into a [computation] unit, and [automatically] converts the address and supplies this to the decryption logic. The actual value loaded into said offset register may be

calculated from information supplied with the program, preferably in encrypted format. This is readily achieved with the secure processes [already] described. It may also be calculated by the operating system when loading the information into memory (eg. from a mass storage device), and/or self determined by routines within the encrypted information once loaded into memory and processing. An alternative is to restrict the block size of information and load it to one or multiple fixed locations within memory.

The preferred method of encrypting information is to create an array of complex logic with multiple inputs, that will provide variable (preferably highly variable) outputs for minor changes to the input information. These may be created using the programmable logic [means] described previously. This enables a unique set of complex logic to be constructed for one at least programs. As it is [constructed] from volatile elements, it is not practical to [determine] the nature of the [logic]. During the encryption of a particular byte (and/or any other packet of bits) of [information], values that are known to be able to be supplied to said complex logic are supplied as inputs. One [common] source of information may be the address occupied by said byte and/or an offset from this, and/or one at least [encrypted] forms. Information that is known to be present in CPU registers, and/or that may have been stored from earlier operations, and/or earlier data and/or [addresses] etc may be supplied as inputs to the complex logic. Other information may be supplied as, one at least, decryption keys and these may be dynamically varied. The encryption is usually done remote to the UCDPS. The information that is to be encrypted is supplied as one set of inputs to an array of exclusive-or gates (and/or equivalent), and said [values] known to be able to be supplied are fed into said complex logic, with the output of said complex logic, in part at least, supplied as the other inputs to said ex-or gate array. The output of the ex-or gate is the encrypted version of the input information. The process may be reversed at the secure processing means coupled to said UCDPS, by [constructing] one at least said complex logic means that are [functionally equivalent] to that used in the encryption process. The [information] to construct said complex logic may be [sent] in one at least PSOs, in part at least, preferably in encrypted format using other secure means [described] for the invention. When a particular byte (and/or any other packet of bits) is read in [encrypted] format, it is supplied to one set of inputs of an ex-or array. The same [information] (or functionally equivalent) that was used to encrypt said particular byte is also available to the SPD and is supplied to the other inputs of said ex-or array. The output of said ex-or array is a decrypted version of said particular byte.
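The address-dependent ex-or scheme and the load-address offset compensation described in the two passages above, as an added software model (not code from the patent). The `complex_logic` mixing function, the key value and the 16-byte "program" are constructed stand-ins for the patent's programmable-logic array and real PSO contents; only their property matters here, namely that the encryptor and the SPD derive the same mask from the same context (encryption-time address, a global key register and the previously fetched clear byte):

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Inputs available to the "complex logic" at each memory access. */
typedef struct {
    uint32_t global_key;   /* global register input, constructed value */
    uint8_t  prev_byte;    /* previously accessed (clear) data, latched */
} rt_ctx;

/* Constructed stand-in for the programmable complex logic: a small
 * non-linear mix of the encryption-time address, key and previous byte.
 * Small input changes give a very different one-byte mask. */
static uint8_t complex_logic(uint32_t addr, const rt_ctx *ctx)
{
    uint32_t x = addr ^ ctx->global_key;
    x *= 0x9E3779B1u;                       /* multiplicative mixing */
    x ^= x >> 15;
    x += (uint32_t)ctx->prev_byte * 0x85EBCA77u;
    x ^= x >> 13;
    return (uint8_t)(x ^ (x >> 24));
}

/* Offset compensation: the encryptor used addresses relative to the base
 * it assumed; the SPD adds (encrypt_base - actual_base) to the address it
 * sees before feeding the logic.  Modular wrap-around makes this work for
 * either direction of relocation. */
static uint32_t compensate(uint32_t actual_addr, uint32_t offset)
{
    return actual_addr + offset;
}

/* Remote encryptor: clear image assumed to reside at `base`. */
void rt_encrypt(const uint8_t *clear, uint8_t *enc, size_t n,
                uint32_t base, uint32_t key)
{
    rt_ctx ctx = { key, 0 };
    for (size_t i = 0; i < n; i++) {
        uint8_t mask = complex_logic(base + (uint32_t)i, &ctx);
        enc[i] = clear[i] ^ mask;        /* ex-or array */
        ctx.prev_byte = clear[i];        /* latch clear byte for next mask */
    }
}

/* SPD side: decrypt byte-by-byte as fetched from `actual_base`. */
void rt_decrypt(const uint8_t *enc, uint8_t *clear, size_t n,
                uint32_t actual_base, uint32_t offset, uint32_t key)
{
    rt_ctx ctx = { key, 0 };
    for (size_t i = 0; i < n; i++) {
        uint32_t a = compensate(actual_base + (uint32_t)i, offset);
        uint8_t mask = complex_logic(a, &ctx);
        clear[i] = enc[i] ^ mask;
        ctx.prev_byte = clear[i];        /* same latch as the encryptor */
    }
}

/* Demonstration: a constructed 16-byte program is encrypted for base
 * 0x1000, then loaded at 0x8000.  With the offset register loaded the
 * bytes decrypt correctly; without it the masks no longer match.
 * Returns 1 when compensated output matches and uncompensated does not. */
int rt_demo(void)
{
    static const uint8_t program[16] = "NOP;NOP;JMP 05h";   /* constructed */
    uint8_t enc[16], out_ok[16], out_bad[16];
    const uint32_t key = 0xC0FFEE42u, enc_base = 0x1000u, run_base = 0x8000u;

    rt_encrypt(program, enc, sizeof program, enc_base, key);
    rt_decrypt(enc, out_ok,  sizeof program, run_base, enc_base - run_base, key);
    rt_decrypt(enc, out_bad, sizeof program, run_base, 0, key);
    return memcmp(out_ok, program, 16) == 0 && memcmp(out_bad, program, 16) != 0;
}
```

Because the previous clear byte feeds the next mask, a single corrupted or substituted encrypted byte desynchronises every byte after it, which is why the patent pairs this mechanism with the validity checking functions discussed later.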

The usually highly variable nature of a computer program is likely to result in highly complex arrays of information being available to supply to complex logic for any particular memory access. These are likely to vary significantly during the execution of the program. The invention allows that any information that is current and [available] to the SPD when a particular byte (and/or any other packet of bits) is accessed may be used to create decryption keys, as may any [information] that was [previously available] and has been latched and/or stored by any means. This may include, part at least, of previously read instructions and/or data and/or previous register states.

The invention also allows that some of the bits within an encrypted byte (and/or any other bit packet) are not encrypted. The process may be dynamic with [different] parts of a program altering various data sources to said complex logic, and/or special [instructions] that may alter various inputs to said complex logic in any way, and/or the calling of routines within secure memory to modify data inputs to said complex logic.

The complex logic may be supplied with inputs from one at least global registers (preferably [programmable]) that may be [shared] across different [programs] and/or blocks of [information] and/or

local registers (preferably [programmable]) that may be [used] only for a particular program and/or block of information.

The realtime encryption (at a remote location) and decryption (within an SPD) may use a method wherein information is input to a complex logic means, and varied, until the data that exits is that required as [clear] data. The particular input value that [generated] the required output becomes the encrypted information supplied to a [functionally equivalent] complex logic means within the SPD. The [decrypted] version is the output of said complex logic means. Said complex logic may use as inputs, any one or more of the sources described previously for use in [conjunction] with ex-or based [decryption]; however, the present method does not use ex-or gates. This method allows that not all information may be [encrypted]. This usually depends on the various data inputs available (eg. registers, addresses etc) to the complex logic means at the time a particular unit of information is [decrypted].

The realtime encryption/decryption of [information] may also use any fixed and/or [programmable] matrix to remap input data to different output values.

The invention allows for functions within the secure system functions to program and/or control and/or interface with, part at least, of the realtime crypto means described for the invention.

[Information] that is [encrypted] for realtime decryption preferably includes:

a) sufficient [information] to inform the SPD of the type of [encryption] used and/or any [parameters] included to assist initialisation of the realtime decryptor (eg. global and/or local keys);
b) [information] to programmably create, in part at least, the hardware realtime decryptor (eg. complex logic means);
c) information to program one at least decryption keys;
d) information that when decrypted in realtime may be clear text and/or require further decryption.

The remainder of this page has been deliberately left blank.

One [embodiment] of a PSO is described with reference to Figure 6. The [arrangement] shown is by way of example and the invention allows for any method that:

reversibly functionally limits one or multiple software objects in part at least and/or couples (directly and/or indirectly) any other type of [information] required for the correct reversal of said [functional limitation] and/or its processing in part at least. It will be [appreciated] that the ability to dynamically modify part at least of the secure system functions of a secure processing means to [accommodate] any internal structure in a software object permits any arrangement of [information] in a reversibly functionally limited software object. The example of Figure 6 shows part at least of a PSO with three regions of the software object reversibly functionally limited as described:

PSO.[...].execute.1 385 requires secure decryption and secure internal [processing] in part at least;
PSO.[...].transfer.1 410 requires secure decryption in part at least and unsecure processing of part at least of the decrypted [information] (eg. by transfer to system memory for processing by the system CPU 1);
PSO.[...].1 (435) in part at least has part of the [information] missing and requires [processing] in part at least by functions within and/or [accessible] to the secure processing means.

For any one or multiple regions of a software object that are reversibly functionally limited any combination of 385 and/or 410 and/or 435 and/or any other methods may be used.

With at least two processing means [simultaneously] operational eg. System CPU 1 and secure [microprocessor] 20, there is the option of PSO.n (n may be any number) indirectly and/or directly [instructing] (in part at least) the secure [processor] to perform one or multiple functions and then continue with its own clear code processing [simultaneously] in part at least (not shown). There is also the option of the secure processing means directly and/or indirectly [initiating processing] of clear code and/or [encrypted information] in system memory and this may be by the system CPU(s) 1 and/or secure [processor] 20 and/or any other means.

The PSO is preferably designed for loading by the normal operating system functions with its access to secure [processes] transparent to the operating system. However, the invention allows that a patch to or a [modification] of the operating system may be made to [accommodate] part at least of the invention.

The PSO preferably begins [processing] in the clear code section [indicated] by PSO.[...] (350). This (350) preferably directs [processing] promptly to PSO.initialise (355) that is the preferred means of activating metering of software usage.

The invention allows that part at least of one or multiple software objects may not be [executable] functions (eg. blocks of data). Part at least of the method described with reference to figure 6 may be applied in part at least, to any one or multiple [functions] that facilitate [communication] (using any means) between said non-[executable] software objects and the secure processing means.

Initialising [communication] between PSO and SPD

PSO.initialise (355) is usually in clear text in part at least, and preferably performs the [initialisation] functions in part at least, described for Object Support [Information]. It preferably [negotiates] with the SPD for [allocation] of


resources (that usually includes a user [command] and data port and a secure user partition within secure memory of the SPD). The preferred way to do this is via the dual port memory structure preferably described with reference to figure 4. If resources are not available it preferably jumps to PSO.nogo (455) that may enter a loop (that may include a sleep mode). An efficient method to said sleep, is to call a function that is preferably part of the UCDPS operating system. PSO.nogo (and/or any other means) may display a message to the user in the event of no resources. One way to do this is to have the secure processing means [temporarily] override the operating system and write directly to the graphics memory. The user may be able to [determine] future action. Other actions may include program [termination], with or without a message and/or any other action.

A more detailed [description] of the [initialisation] process is now made with reference to figure 7 (codes 500 to 555). This drawing also references items in figures 4 [and] 6. When one or multiple PSOs require [communication] with the SPD, the preferred method steps are:

- 500 block interrupts if required and write a [command] to the system command input port (200) [requesting] use of the SPD.
- 505 the process of writing to the port preferably generates an interrupt so there is a rapid response from the secure [microprocessor] (20), otherwise there may be a delay while it is polled.
- 510 the secure [processor] writes to the system command output port (201) a value that indicates if there are currently no resources and another value if there are resources, together with the address and size of a user [command] input 206 and output port 207 and a user data input 208 and output 209 port. It preferably clears the value written by the system [microprocessor] into the system [command] input port 200.
- 515 the PSO reads the information from the system command output port (201) and usually reactivates [interrupts].
- 520 if resources are currently unavailable to the PSO, it may enter any known routine eg. PSO.nogo (455). The option exists for it to branch to a routine to advise the user that the [monitoring] capability of the UCDPS is currently fully [expended].
- 525 if the PSO is granted access to the SPD it saves the [...] user port [information] in an [appropriate] location and may read and write to its user ports (206, 207, 208, 209) as required. There is usually no need to disable system CPU 1 interrupts when [accessing] the user ports allocated to it. There is usually no [requirement] to modify the task [switching] routines of the UCDPS operating system.
- 530 if the SPD has granted one or multiple PSOs access to the SPD, then [...] [information] about port [addresses], user partitions and any other [information] is preferably stored in a known location in the system partition.
- 535 the SPD waits until the PSO starts writing [information] (for example the next step PSO.lock 360) to its user data input port 208. The SPD may detect this by an interrupt triggered by [accessing] certain [addresses] (eg. part of the user input port) or polling of locations and/or any other method.
- 540 the SPD transfers the [information] into the allocated secure user partition. This may be done via the user [data] input port and/or via Direct Memory Access (DMA) and/or by direct [processing] by the secure [microprocessor], and/or any other method [described] by a [...] of the invention. The secure [processor] 20 may directly process [information] in system CPU 1 memory.
- 545 PSOs usually include [information] to assist the SPD in addition to various encryption and validity checking [information] eg. object support [information].
- 550 various system functions are activated to decrypt and validate where appropriate and extract other [information] relevant to the PSO.
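The request/grant exchange of steps 500 to 525, as an added model (not the patent's code) of both sides sharing one dual-port memory structure. The port numbers follow the figure labels in the text (200, 201, 206 to 209); the command and reply values, the per-user port spacing, the partition size and the limit of two user partitions are constructed for the example:

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define CMD_REQUEST_SPD   0x01   /* constructed: PSO asks for SPD resources (500) */
#define REPLY_NO_RESOURCE 0xFF   /* constructed: no free user partition (510)    */
#define REPLY_GRANTED     0x01   /* constructed: resources allocated (510)       */
#define MAX_USERS         2      /* constructed: SPD holds two user partitions   */

/* Port block handed to one PSO in the reply of step 510. */
typedef struct {
    uint16_t cmd_in;         /* user command input port  (206) */
    uint16_t cmd_out;        /* user command output port (207) */
    uint16_t data_in;        /* user data input port     (208) */
    uint16_t data_out;       /* user data output port    (209) */
    uint32_t partition_size; /* size of the secure user partition */
} user_ports;

/* The dual port memory as seen by both processors. */
typedef struct {
    uint8_t    sys_cmd_in;   /* system command input port  (200) */
    uint8_t    sys_cmd_out;  /* system command output port (201) */
    user_ports sys_reply;    /* addresses and sizes returned with the reply */
    int        users_in_use; /* SPD-side bookkeeping, not visible to the PSO */
    bool       irq_pending;  /* a write to port 200 raises an interrupt (505) */
} dual_port_mem;

/* Step 500: the PSO writes its request; the write latches the interrupt. */
void pso_request(dual_port_mem *m)
{
    m->sys_cmd_in  = CMD_REQUEST_SPD;
    m->irq_pending = true;
}

/* Step 510: the secure processor's interrupt handler answers the request
 * and clears the command the PSO wrote into port 200. */
void spd_service(dual_port_mem *m)
{
    if (!m->irq_pending) return;
    m->irq_pending = false;
    if (m->sys_cmd_in != CMD_REQUEST_SPD) return;

    if (m->users_in_use >= MAX_USERS) {
        m->sys_cmd_out = REPLY_NO_RESOURCE;
    } else {
        int slot = m->users_in_use++;
        m->sys_cmd_out = REPLY_GRANTED;
        /* constructed layout: each user gets a 0x10-spaced port block */
        m->sys_reply.cmd_in   = (uint16_t)(0x0206 + slot * 0x10);
        m->sys_reply.cmd_out  = (uint16_t)(0x0207 + slot * 0x10);
        m->sys_reply.data_in  = (uint16_t)(0x0208 + slot * 0x10);
        m->sys_reply.data_out = (uint16_t)(0x0209 + slot * 0x10);
        m->sys_reply.partition_size = 4096;
    }
    m->sys_cmd_in = 0;       /* "preferably clears the value written" */
}

/* Steps 515 to 525: the PSO reads the reply.  On a grant it saves its port
 * block; otherwise it should fall through to PSO.nogo. */
bool pso_read_reply(const dual_port_mem *m, user_ports *mine)
{
    if (m->sys_cmd_out != REPLY_GRANTED) return false;
    *mine = m->sys_reply;
    return true;
}

/* One complete exchange.  In hardware spd_service runs on the secure
 * processor; calling it inline models the interrupt being taken. */
bool pso_attach(dual_port_mem *m, user_ports *mine)
{
    pso_request(m);
    spd_service(m);
    return pso_read_reply(m, mine);
}

/* Demonstration: three PSOs contend for two partitions.  Returns 1 when the
 * first two receive distinct port blocks, the third is refused, and port
 * 200 has been cleared after the exchange. */
int handshake_demo(void)
{
    dual_port_mem m;
    user_ports a, b, c;
    memset(&m, 0, sizeof m);
    bool ok1 = pso_attach(&m, &a);
    bool ok2 = pso_attach(&m, &b);
    bool ok3 = pso_attach(&m, &c);
    return ok1 && ok2 && !ok3 && a.data_in != b.data_in && m.sys_cmd_in == 0;
}
```

Clearing port 200 after each reply matters: a stale request left in the port would be re-serviced on the next spurious interrupt and could hand out a second partition to a PSO that never asked for one.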
The reader is directed back to Figure 6. One step in the creation of a PSO is to take a software object from the producer and create Object Support Information (or OSI) that may provide certain [information] to assist the [execution] of the PSO. The OSI is usually placed near the start of the PSO, however, it may be located [anywhere] [throughout] the PSO. To protect the information in OSI from tampering part at least may be encrypted and/or may have one or multiple check sums that are preferably secure and/or [encrypted].

The OSI may be provided in part or whole as a separate program(s) and/or as part of one or more other programs and/or may already be present in the SPD and/or any other method. If the OSI is in part at least located in separate software objects, they are preferably securely cross-[referenced]. A means to do this may include a routine in the main part of the PSO to check for the presence and/or validity of [independent] modules. The preferred [embodiment] includes all OSI [information] within the PSO.

The following [additional] functions may also be included:

If the secure processing means is within the system CPU (PCPU) and if it uses a modified instruction set, the PSOs may use one or more of said modified [instructions]. Should a PSO attempt to execute in an environment without a PCPU, one or multiple adverse outcomes may result. The following is one means of ensuring that PSOs do not cause problems in this scenario:

Common instruction trigger: a sequence of instructions that are common to a PCPU and the CPU that it replaces are executed such that a certain [combination] triggers one or multiple events in the secure parts of the SPD.

- protected software loaded into memory
- execution [commences] at a [known] location that executes three no operation (NOP) instructions in sequence, followed by a branch to the next instruction that may be the start of three more NOPs (any number, [combination] and [sequence] of suitable [instructions] may be used)
- the instruction following this is a branch to a routine to terminate execution of the program
- a CPU that is not a PCPU will execute these [instructions] and quickly [terminate] the program
- a PCPU has the facility to [recognise] the [initial] sequence of [instructions]; this triggers internal routines to modify the data in the branch [instruction] and/or redirects external execution to a [...] location that enables [continued processing] of the PSO.

This process is [transparent] to the operating system.
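The common instruction trigger, as an added toy-CPU model (not the patent's code). The opcode values, the memory layout of the prologue and the "real entry" address are constructed; the point shown is that the same bytes terminate harmlessly on a plain CPU while a PCPU, having seen NOP NOP NOP JMP twice, rewrites the target of the following terminate-branch before executing it:

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

enum { OP_NOP = 0x00, OP_JMP = 0x01, OP_HALT = 0x02, OP_WORK = 0x03 };

#define REAL_ENTRY 12   /* constructed: where the PSO's real code starts */

typedef struct {
    uint8_t mem[32];
    int     pc;
    bool    halted;
    int     work_done;     /* incremented by OP_WORK; stands for real PSO work */
    bool    is_pcpu;       /* true: recognises the trigger; false: plain CPU */
    int     nop_run;       /* consecutive NOPs seen so far */
    int     trigger_state; /* number of "NOP NOP NOP JMP" groups matched */
} toy_cpu;

/* Constructed PSO prologue (JMP is two bytes: opcode, absolute target):
 *   0: NOP NOP NOP JMP 5     three NOPs, branch to the next instruction
 *   5: NOP NOP NOP JMP 10    three more NOPs, branch
 *  10: JMP 14                terminate: jumps to the HALT at 14
 *  12: WORK HALT             real entry point, reached only on a PCPU
 *  14: HALT */
static const uint8_t prologue[] = {
    OP_NOP, OP_NOP, OP_NOP, OP_JMP, 5,
    OP_NOP, OP_NOP, OP_NOP, OP_JMP, 10,
    OP_JMP, 14,
    OP_WORK, OP_HALT,
    OP_HALT
};

static void step(toy_cpu *c)
{
    uint8_t op = c->mem[c->pc];

    if (c->is_pcpu) {                    /* trigger recogniser, PCPU only */
        if (op == OP_NOP) {
            c->nop_run++;
        } else if (op == OP_JMP && c->nop_run >= 3) {
            c->trigger_state++;          /* one NOP NOP NOP JMP group seen */
            c->nop_run = 0;
        } else if (op == OP_JMP && c->trigger_state == 2) {
            c->mem[c->pc + 1] = REAL_ENTRY;  /* rewrite the terminate branch */
            c->trigger_state = 0;
        } else {
            c->nop_run = 0;
        }
    }

    switch (op) {                        /* behaviour common to both CPUs */
    case OP_NOP:  c->pc += 1; break;
    case OP_JMP:  c->pc = c->mem[c->pc + 1]; break;
    case OP_WORK: c->work_done++; c->pc += 1; break;
    default:      c->halted = true; break;
    }
}

/* Runs the prologue on a plain CPU or a PCPU; returns how much real work
 * was executed (0 = the program terminated itself, 1 = it ran). */
int run_prologue(bool is_pcpu)
{
    toy_cpu c;
    memset(&c, 0, sizeof c);
    memcpy(c.mem, prologue, sizeof prologue);
    c.is_pcpu = is_pcpu;
    for (int steps = 0; steps < 100 && !c.halted; steps++)
        step(&c);
    return c.work_done;
}
```

The bound of 100 steps is a safety net for the model only; on a real CPU the terminate branch is what guarantees the PSO exits quickly when no PCPU is present.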

Checking on availability of resources. If the PSO is to execute in a [multitasking] environment it is possible that the secure processing means has limited resources. The PSO preferably executes a routine to determine the availability of SPD resources and any relevant [information] that the PSO requires to [communicate] with those resources. A PSO preferably verifies resources currently available to the secure processing means. The preferred method is to read a current version number SPD.version (with system CPU 1) and confirm it matches that within the PSO. The invention allows that a PSO may be shipped with secure system update [information] as part of the PSO and/or within one or multiple other PSOs. This may [automatically] and/or at the user's direction update the secure system functions to current [specification] and may suitably adjust the version number. This may be a [temporary] [arrangement] for the duration of [execution] of the PSO and/or a semi-[permanent] and/or [permanent] change. Should the system functions not be able to be updated for any reason the PSO would usually [terminate]. The user may be [prompted] to arrange for the [required] changes to secure system [functions].

By including one or multiple decryption [algorithms] within a PSO, the decryption process can become self-[modifying]. In this situation the [execution] of the PSO may vary decryption parameters and/or decryption [algorithms] and/or install, in part or whole, one or multiple new decryption algorithms during the process of [executing] the PSO that are further used to decrypt [additional] parts of the PSO. This may occur on multiple [occasions], in any combination, during execution of the program. The key to this process is to include with the PSO a sub-routine that can be [recognised] and executed by functions within the SPD, and said sub-routine initiates the process of [unlocking] the [encrypted] material. Said sub-routine is [encrypted] using a process that is known to be reversible by functions within the SPD. Said sub-routine, in part at least is referenced as PSO.lock 360. It preferably includes a decryption [algorithm] and/or key to unlock in part at least, other decryption [algorithms] and/or keys [embedded] within the PSO. This preferably includes, part at least, PSO.[...] 365 and/or PSO.[...].object.n (n may be any number). PSO.lock 360 is [encrypted] in part at least, and is preferably decrypted in part at least, by a method known to be [reversible] by functions and/or keys within and/or [accessible] to the target SPD.

There may be multiple methods of encrypting PSO.lock 360, which preferably includes a means of indicating to the SPD which method(s) to use. The process may be recursive in part at least; for example, parts of PSO.de[...]ce may feed back to further decode PSO.lock (and/or anything else).

PSO.lock 360 preferably includes a means to check one or multiple parameters (said check may be repeated in part at least by any other part of the PSO, eg. PSO.de[...]ce) unique to a particular SPD and/or unique to a group of SPDs and verify that it is the target SPD. If not verified the process preferably terminates. Error and validity checking is preferably performed on the decrypted [...].

The transfer of information from one location to another may result in transmission errors and the invention allows for secure system error detection functions that may use any known method and apparatus to detect and/or correct these errors. As the usual location of the SPD is within the UCDPS, information that is to be transferred to the SPD may be accidentally and/or deliberately modified, e.g. by computer viruses and/or attempts to reverse engineer the SPD.
The invention allows for secure system validity checking functions that may use any means to verify that the information supplied to the SPD is as intended by the information provider, and/or take any required actions that may include directly or indirectly disabling part or all of the SPD. Where applicable, this may include the erasure and/or modification of secure information. The use of cyclic redundancy checking (or CRC) of information generated by a service provider and contained within a PSO and then encrypted is one method of providing secure validity checking functions. The reversal of this process in the SPD may use any combination of hardware and software methods. The process is well known to the art. Preferably activated early in the processing of PSO.lock (described with reference to figure 6, 360, later) is a routine to compare a secret address within the secure processing means with one encrypted within PSO.lock 360. A service provider with access to secure information within the target secure processing means may easily prepare such a PSO. This ensures that the PSO will only be unlocked on the intended target. Of course multiple parameters may be included in the secure processing means and/or the PSO. These may be specific and/or global in effect.
The secure processing means may respond to any suitable call by any software object requesting access to any one or multiple functions within the SPD. It may determine at any appropriate stage that at least one software object that has requested access to within the SPD is authorised to do so and/or that it has not been tampered with. The software object preferably includes embedded error and/or validity checking information. Said software object is usually a PSO. Error detection may use any one or multiple known methods.

If one or multiple software objects are not validated the SPD may take any course of action. This may include disabling part or all of the SPD. An error may be reported to the user.

One or multiple objects may not be validated for any reason. This may include that the object was not written for use with part at least of the invention, and/or damage to the software object may have been detected. For example, transmission errors may have occurred. The software object may also have been deliberately altered, eg. interference with conditions of use and/or attempts at circumventing the logical security of the secure processing means and/or the PSO.

If the SPD receives a predetermined number and/or types of errors it may decide that these errors are not legitimate and take any course of action for any reason. This may include increasing its security. This may include declining further access to and/or modification of part or all of the secure information within the SPD. The conditions that trigger this course of action may be dynamically modified by the supply of an appropriate PSO.

If it is determined that the software object is a valid software object for use with the SPD, examination of any relevant part of the software object determines what action is required of the software object. Said action may include performing further validity checking and/or decryption and/or any other action.

Protected software objects preferably include information that identifies the type of information that is included within the object, actions required of the SPD, information to assist validity and error checking of the information, information to assist decryption of encrypted information and any other relevant information. Said information may include, in part at least, functions (program and/or data) to dynamically modify part at least of secure system functions.

Error and/or validity checking (and/or correction) may be implemented using functions available to the secure processing means and/or contained within one or multiple software objects. The PSO.lock function 360 preferably includes an encrypted routine to unlock further encrypted keys and/or routines. To help protect system integrity (or for any reason) it preferably does not directly decrypt executable parts of a PSO, eg. PSO.execute.1 385. Error checking may be included in the decrypted part of PSO.lock 360 (where it is preferably only accessible inside the secure processing means) and/or within the encrypted information. These may be subject to processing normally available to the secure processor 20. Any other error and/or validity checking functions may be contained within the PSO (eg. as part of PSO.de[...]ce 365) and when decrypted (in part at least) used to validate other parts of the PSO. Obviously any combination of methods may be used.


PSO.de[...]ce 365 is preferably an encrypted decryption function (and/or keys) used to decrypt in part at least the preferably limited region referenced by PSO.execute 370. Function 365 is preferably itself decrypted by the decryption function loaded as PSO.lock 360. This preferably isolates the cryptographic process applied to PSO.lock from the method used to decrypt PSO.de[...]ce (for example). This makes it highly impractical to launch a [...] attack on secure SPD functions.
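The chain just described (PSO.lock 360 carrying a secret address and a key, function 365 decrypted by that key, and PSO.execute 370 opened only by function 365) is illustrated below in Python. This is an added example, not code from the patent or its inventor: the specification leaves the cipher and field layout open, so the XOR keystream, the encrypted CRC32 appended to each layer, the 8-byte secret address, `SPD_GENERIC_KEY` and the key-derivation labels are all assumptions made for this illustration.

```python
import hashlib
import zlib

# Constructed sample values; in the real system these live inside the SPD / service provider.
SPD_GENERIC_KEY = b"generic-key-shared-by-a-group-of-SPDs"  # assumption
PROGRAM = b"print('hello from PSO.execute 370')"           # constructed payload


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy reversible transform standing in for the unspecified cipher:
    XOR with SHA-256(key || block counter). Symmetric, so it also decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, payload: bytes) -> bytes:
    """Append a CRC32 of the clear payload, then encrypt payload and CRC together,
    so the check value travels encrypted as the specification describes."""
    crc = zlib.crc32(payload).to_bytes(4, "big")
    return keystream_xor(key, payload + crc)


def unseal(key: bytes, blob: bytes):
    """Decrypt and verify the CRC; returns None when validity checking fails."""
    clear = keystream_xor(key, blob)
    body, crc = clear[:-4], clear[-4:]
    if zlib.crc32(body).to_bytes(4, "big") != crc:
        return None
    return body


def build_pso(target_secret_address: bytes, program: bytes) -> dict:
    """Service-provider side. Per-PSO keys are derived deterministically here
    (an assumption for reproducibility); a real provider would draw them at random."""
    key_365 = hashlib.sha256(b"key-365|" + target_secret_address).digest()
    key_370 = hashlib.sha256(b"key-370|" + program).digest()
    return {
        # PSO.lock 360: the target SPD's secret address plus the key for function 365
        "lock_360": seal(SPD_GENERIC_KEY, target_secret_address + key_365),
        # function 365: itself encrypted; only it holds the key for 370
        "fn_365": seal(key_365, key_370),
        # PSO.execute 370: the executable region, never touched by PSO.lock directly
        "execute_370": seal(key_370, program),
    }


class SPD:
    """Secure processing means holding an 8-byte secret address."""

    def __init__(self, secret_address: bytes):
        assert len(secret_address) == 8
        self.secret_address = secret_address

    def unlock(self, pso: dict):
        lock = unseal(SPD_GENERIC_KEY, pso["lock_360"])
        if lock is None:
            return ("validity_error", None)
        if lock[:8] != self.secret_address:        # secret address compare: not the target SPD
            return ("wrong_target", None)
        key_370 = unseal(lock[8:], pso["fn_365"])  # PSO.lock only unlocks function 365
        if key_370 is None:
            return ("validity_error", None)
        program = unseal(key_370, pso["execute_370"])
        if program is None:
            return ("validity_error", None)
        return ("ok", program)


def flip_byte(blob: bytes, index: int = 0) -> bytes:
    """Simulate a transmission error or tampering in one byte of a PSO field."""
    damaged = bytearray(blob)
    damaged[index] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    pso = build_pso(b"SPD-0001", PROGRAM)
    print(SPD(b"SPD-0001").unlock(pso))          # ('ok', b"print('hello from PSO.execute 370')")
    print(SPD(b"SPD-0002").unlock(pso)[0])       # wrong_target
    damaged = dict(pso, execute_370=flip_byte(pso["execute_370"]))
    print(SPD(b"SPD-0001").unlock(damaged)[0])   # validity_error
```

The secret-address compare runs before any later layer is opened, so a PSO prepared for another SPD is rejected early, and a single flipped byte in any field is caught by the CRC that travels encrypted with that layer. The toy keystream is not authenticated encryption; what the example shows is the isolation of the layers, not the cipher.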

By preparing a PSO to take account of specific parameters of a particular secure processing means, it may be configured to only function in said particular secure processing means. This is usually the case, for example, with a PSO intended to transfer rights of access and/or secure communications to a particular SPD. In the case of widely distributed application based PSOs the decryption process is usually based on reversal using parameters generic to a number of SPDs. The invention allows that application PSOs may be specifically prepared for a particular SPD.

Conditions of Use:
The other usual function of the OSI is to interface conditions of use attached to one or multiple software objects with the secure processing means. These are usually included in the functions referenced by PSO.execute 370 that is preferably decrypted with information provided, in part at least, by PSO.de[...]ce 365.

Conditions of use are an integral part of the invention. One reason for coupling one or multiple software objects with a secure processing means is to enable one or multiple controls to be placed on the processing of said software objects.
Including conditions of use within and/or coupled to one or multiple PSOs,
and
extracting part at least of said conditions of use, in part at least (preferably) by said secure processing means, preferably prior to and/or during processing of one or multiple PSOs,
provides part of the basis for a means of controlling PSO use.
Said control is preferably achieved in part at least, by having the secure processing means confirm (preferably prior to and/or during processing of one or multiple PSOs) in part at least that:
one or multiple rights of access (usually stored in part at least) coupled directly and/or indirectly to said secure processing means are valid for use, in part at least, with the conditions of use, in part at least attached to said one or multiple PSOs.
If one or multiple secure processing means comply with the conditions of use then processing may usually proceed.

Reference to figure 8 depicting one method of arranging the conditions of use within PSO.execute (370 of figure 6) may assist an understanding of the next part of the description. Part at least of said conditions of use may be separate to the actual PSO, however, there is preferably a coupling between PSO and conditions of use and right to process. This is preferably a secure coupling in part at least. The invention allows for any number and/or type of conditions of use and these may include:

1) Type of PSO (PSO.type) 600

a) Application PSOs
PSO.type.cpso 601 may be used to identify PSOs that in part at least usually require payment in exchange (directly and/or indirectly) for use. They usually include the majority of PSOs. The general use of the term PSO in this specification may usually be inferred as applying to PSO.type.cpso.

b) Secure System Update PSO
PSO.type.ssu 602 may modify part at least of the secure system functions of the secure processing means. The preferred method is to include the program to modify the system function and the data to install (that may be data and/or program instructions) within PSO.execute.1 and a duplicate encrypted in a different manner in PSO.execute.2. When the PSO identifies itself with the secure processing means, the latter identifies it as a PSO.type.ssu from conditions of use within PSO.execute and then transfers execute.1 and execute.2 to a user partition and decrypts each. execute.2 is then [...] and compared to execute.1. If confirmed to be identical, execute.1 is allowed to execute (for example, using program start address passed in PSO.initialise), and results in creating a block of data (data and/or program). Said block of data includes a portion to be transferred to secure system memory. This method is very secure and not amenable to a number of [...] attacks.
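The secure system update flow (two copies of the update, each protected in a different manner, recovered into a user partition and compared before one of them is allowed to run) as an added Python illustration; it is not code from the patent. The repeating-key XOR, the `version=...;functions=...` update format, the keys `KEY_1`/`KEY_2` and the rule that an update must carry a version newer than the one in secure memory are assumptions made here.

```python
import itertools

# Constructed sample keys; in the real system the reversal parameters live inside the SPD.
KEY_1 = b"ssu-copy-one-key"   # assumption
KEY_2 = b"ssu-copy-two-key"   # assumption


def xor_cycle(key: bytes, data: bytes) -> bytes:
    """Toy reversible transform (repeating-key XOR) standing in for the real cipher."""
    return bytes(a ^ b for a, b in zip(data, itertools.cycle(key)))


def build_ssu_pso(update_image: bytes) -> dict:
    """Service provider: the update goes into execute.1, and a duplicate protected
    in a different manner (reversed, then keyed differently) goes into execute.2."""
    return {
        "type": "ssu",                                       # PSO.type.ssu 602
        "execute_1": xor_cycle(KEY_1, update_image),
        "execute_2": xor_cycle(KEY_2, update_image[::-1]),
    }


def parse_update_block(image: bytes) -> dict:
    """Constructed update format: 'version=<n>;functions=<name>:<ver>,<name>:<ver>'."""
    fields = dict(item.split("=", 1) for item in image.decode().split(";"))
    functions = {}
    for entry in fields["functions"].split(","):
        name, ver = entry.split(":")
        functions[name] = int(ver)
    return {"version": int(fields["version"]), "functions": functions}


def apply_ssu(pso: dict, memory: dict) -> str:
    """SPD side: recover both copies into a user partition, compare them, and only
    then let execute.1 produce the block destined for secure system memory."""
    if pso.get("type") != "ssu":
        return "rejected: not a secure system update"
    copy_1 = xor_cycle(KEY_1, pso["execute_1"])
    copy_2 = xor_cycle(KEY_2, pso["execute_2"])[::-1]
    if copy_1 != copy_2:
        return "rejected: copies differ"            # corruption or tampering of either copy
    block = parse_update_block(copy_1)              # "executing" copy 1 yields the data block
    if block["version"] <= memory["version"]:       # assumed policy: only move SPD.version forward
        return "rejected: not newer than SPD.version"
    memory["functions"].update(block["functions"])  # the portion transferred to secure memory
    memory["version"] = block["version"]
    return "installed"


def fresh_memory() -> dict:
    """Constructed model of secure system memory before any update."""
    return {"version": 1, "functions": {"decrypt": 1, "report": 1}}


def damage(blob: bytes, index: int) -> bytes:
    """Flip one byte: a transmission error or tampering in one copy."""
    out = bytearray(blob)
    out[index] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    memory = fresh_memory()
    pso = build_ssu_pso(b"version=2;functions=decrypt:2,report:1")
    print(apply_ssu(pso, memory), memory)   # installed {'version': 2, ...}
```

Because the two copies are protected under independent keys and layouts, an error or alteration that survives the comparison would have to be made consistently in both, which is what makes the single compare a cheap but effective validity check. The comparison is done in the user partition, before anything reaches secure memory.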

c) Rights of Access PSO
PSO.type.xxx.yyy 605 is a PSO used to transfer a right of access token to a secure processing means. The reader is referred to Figure 9 to assist with a description of various rights of access as they may be conveyed via at least one PSO and one method of representing said rights within an SPD. If the right is applicable across multiple PSOs it may be a generic right and is represented as PSO.type.generic.yyy 610. If the right is applicable to a particular PSO, it is referred to as a distinct right eg. PSO.type.distinct.yyy 620.
The type of generic or distinct right may be indicated by the value of .yyy. When stored within and/or coupled to the secure processing means, the PSO prefix changes to SPD to indicate that it is actually now the information transferred by the respective PSO.

The invention allows for any one or multiple generic rights, wherein a generic right is any token, preferably binary, that may be used to authorise in part at least, use of multiple protected software objects. There may be zero, one or multiple generic rights and they may be indicated by any symbol(s), preferably a binary number greater than zero bits. They may be coupled directly and/or indirectly to anything (eg. cash paid).
There may be zero, one or multiple distinct rights 621 that may be indicated by any symbol(s), preferably a binary number greater than zero bits. It may be coupled directly and/or indirectly to anything (eg. cash paid). A similar method described for securely installing PSO.type.ssu may be readily adapted to PSO.type.xxx.yyy.

The preferred generic rights of access may include:
.yyy = money 630 directly and/or indirectly coupled to a legal tender currency. It may represent an actual exchange of any valuable consideration (eg. cash, credit card) and/or provision of the right on credit. Any method may be used to distinguish the two (if required). money.[...] 631 for cash and money_payup 632 for credit is one method. These are not distinguished in the following description. When transferred to the SPD they are preferably stored within separate fields.


money.USD 640 indicates the generic right is an actual amount of US dollars (for example). The preferred method represents the amount in the base unit of the currency in binary. For example $50 = 5000 cents.
money.DM 641 is a similar generic right in German Marks.
The storage of electronic funds having a direct relationship to a legal tender currency facilitates the use of currency for other purposes. For example, a customer may have $50 stored in electronic format in their UCDPS. They may use some of this to pay for software, however, they may also use this for any other electronic transaction. It may be preferable to use the generic currency described in the detailed description of the invention, where the link with a real currency is indirect. This may be referenced as SPD.type.generic.money.generic 650. The amount of available electronic funds is usually modified by use of software objects (preferably by decrementing) until reaching a predetermined value (eg zero) when they are no longer valid. The invention allows that the user may be advised when the value is approaching a predetermined value. This may be user selectable. generic.money preferably does not have expiry dates, however, its validity may be directly and/or indirectly conditioned by any one or multiple other rights and/or anything else. generic.money is preferably adjusted against software object use by having the secure processing means perform the following (and/or any functionally equivalent) steps in part at least (reference to Figure 10 may assist understanding):
1) determine the cost to execute a PSO (in one or multiple currencies, preferably generic currency units) per unit of time (eg. seconds) when it examines the conditions of use attached to one or multiple PSOs 660;
2) verify that generic money is valid (eg. sufficient funds) 661;
3) determine any other factors that may affect the right to execute (eg. other generic rights and/or one or multiple distinct rights) 662;
4) meter usage, eg. periodically read the realtime clock for time based use and/or log events (eg. each time the program is executed) 663;
5) calculate the amount to deduct by multiplying the cost to execute per unit time x time of use and/or multiplying cost per event x number of events 664;
6) deduct 666 (or in any other way adjust) the amount in step 5 from SPD.type.generic.money.zzz 665 (.zzz represents the actual currency eg. USD, generic);
7) store 657 the new amount in generic.money.zzz 665 (and/or any other location);
8) adjust the account of the producer 669 (or equivalent) and/or against the product code 670, preferably by incrementing it with the amount 664 of step 5. The actual units of usage eg. time may also be recorded.
The reader is directed back to Figure 9.
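The eight Figure 10 steps, carried out by the SPD, as an added Python example (not the patent's own code). `GenericMoneySPD`, the field names in the conditions of use and the policy of charging only the remaining balance when funds run out mid-session are assumptions; amounts are kept in the base unit of the currency (cents), as the specification prefers.

```python
class GenericMoneySPD:
    """SPD-side adjustment of generic money against PSO use (Figure 10, steps 1 to 8).
    Added illustration; class and field names are assumptions, not the patent's."""

    def __init__(self, funds: dict, distinct_rights=()):
        self.money = dict(funds)                     # SPD.type.generic.money.zzz 665, in cents
        self.distinct_rights = set(distinct_rights)  # distinct rights 621 held by this SPD
        self.producer_accounts = {}                  # producer account 669
        self.product_accounts = {}                   # product code record 670
        self.usage_records = []                      # actual units of usage (seconds, events)

    def authorise(self, conditions: dict) -> tuple:
        """Steps 1 to 3: read the cost from the conditions of use (660), verify the
        generic money is valid (661) and check other factors such as a required
        distinct right (662). Returns (allowed, reason)."""
        currency = conditions["billing_currency"]
        if conditions["cost_per_second"] < 0 or conditions.get("cost_per_event", 0) < 0:
            return (False, "malformed conditions of use")
        if self.money.get(currency, 0) <= 0:
            return (False, "insufficient funds")
        needed = conditions.get("distinct_right")
        if needed is not None and needed not in self.distinct_rights:
            return (False, "distinct right missing")
        return (True, "ok")

    def settle(self, conditions: dict, seconds_used: int, events: int = 0) -> dict:
        """Steps 4 to 8 once usage has been metered (663): calculate (664), deduct
        (666), store (667) and credit the producer and product records (669, 670)."""
        currency = conditions["billing_currency"]
        amount = (conditions["cost_per_second"] * seconds_used
                  + conditions.get("cost_per_event", 0) * events)        # step 5
        available = self.money.get(currency, 0)
        exhausted = amount > available
        if exhausted:
            # Assumed policy: funds ran out during use, so charge only what is left and
            # flag it so the caller can stop the PSO (the specification leaves this open)
            amount = available
        self.money[currency] = available - amount                        # steps 6 and 7
        producer, product = conditions["producer_id"], conditions["product_id"]
        self.producer_accounts[producer] = self.producer_accounts.get(producer, 0) + amount
        self.product_accounts[product] = self.product_accounts.get(product, 0) + amount
        self.usage_records.append((product, seconds_used, events))       # units of usage
        return {"charged": amount, "balance": self.money[currency], "funds_exhausted": exhausted}


# Constructed conditions of use for a games PSO: 2 generic cents per second, 5 per logged event
GAME_CONDITIONS = {
    "producer_id": "P-001", "product_id": "GAME-42",
    "billing_currency": "generic", "cost_per_second": 2, "cost_per_event": 5,
}

if __name__ == "__main__":
    spd = GenericMoneySPD({"generic": 5000})       # $50 loaded as 5000 generic cents
    print(spd.authorise(GAME_CONDITIONS))          # (True, 'ok')
    print(spd.settle(GAME_CONDITIONS, seconds_used=600, events=4))
    # {'charged': 1220, 'balance': 3780, 'funds_exhausted': False}
```

The split between `authorise` (before the PSO runs) and `settle` (after metering) mirrors the order of the steps: the funds check in step 2 is a precondition, while the deduction and the producer credit happen once the clock or event count is known.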

.yyy = seconds 675 is a right linked to a number of units of time. Said units may represent any period eg. seconds. They are preferably supplied in exchange for payment (cash and/or credit). The invention allows that these may have different [...] to cater for different value and/or types of software objects. For example time units for use against games software may be referenced by seconds.label 676 (where .label may represent any grouping of one or multiple software objects, eg. games in this instance). The preferred implementation of this class of generic rights preferably credits one or multiple producer and/or product and/or any other records for time units used by the PSO and preferably reduces the value of .seconds 675 (and/or any .seconds.label 676).

A variation on 675 may prove very popular with the market: seconds.label.date 680 (where date may be any time and/or date and label may be any grouping of software objects, eg. games), eg. seconds.games.[...].97 may be a generic right of access that provides unlimited use of multiple games programs up until the period specified in the date field. The preferred period of validity is a month. This is usually extended with purchase of a new token. In the case of seconds.games.date (and/or any other one or multiple grouping of software objects using this method) the generic right of access is not usually adjusted until it becomes invalid at its expiry date. However, the preferred method of paying the software producer is as a percentage of use (time and/or event) for their product(s) against the total usage. As such a record (preferably of time) of usage is logged against each producer and/or product code.
Obviously .games may be replaced by any software grouping eg. .industry.
The grouping may also include any mix of any type of software application. The preferred implementation of this class of generic rights preferably credits one or multiple producer and/or product and/or any other records for time units used by the PSO and preferably records the total units of time used. This may be used to calculate a ratio of use to vendors.

.yyy = .events 690 may be similar to that described for .seconds. It is not usually practical as a generic right, however, it may be useful as an alternative (or in combination with) to time in seconds.label.date 680 resulting in .events.label.date 691 (and/or similar). A similar metering process may be applied to events based usage as described for time (allowing for obvious differences).

.yyy = optimist 695 is a generic right that preferably does not include any limitations. It preferably requires metering and recording of software usage as described for the other generic rights of access [...]. This may be used with organisations who purchase software usage on credit with no specific limitations. It may also be used to record the usage of objects with no cost attached and/or any other reason. This method is preferably time limited and this may be the default time limitation attached to providing reports. The preferred metering means measures time and stores this against one or multiple producer and/or product records.

The preceding are the preferred methods of providing a generic access to multiple software objects that are usually linked to payment (cash and/or credit). The description of the function in the PSO effectively describes the required functions within the SPD to facilitate these functions. As previously stated the PSO prefix is preferably replaced by SPD, to refer to the equivalent actual tokens within the secure processing means. These PSOs are for transferring one or multiple rights of access to the secure processing means. This preferably adds values to one or multiple non-volatile storage locations within the SPD. Said locations are preferably clear (and/or any other predetermined values) when the SPD is supplied to a user for the first time. Said non-volatile storage is preferably flash memory. The use of these values may be for prepaid credits and these are stored in a location that is decremented as available credit is used and/or they may be for credits that are unpaid and are preferably a credit limit against use. Any method may be used to distinguish prepaid credits from unpaid credit. Generic rights of this category are preferably adjusted against usage and/or of limited time and/or event validity.

The granting of one or multiple generic (and/or distinct) rights of access provides multiple methods of controlling access to multiple software objects. The methods preferably also ensure that the payment has been and/or will be made. However, a report on the actual usage of software objects, in part at least, is usually required in order to be able to pay software vendors for use of their software objects. The information to create said report is usually stored within the secure processing means and/or accessible to said secure processing means (preferably in a tamper-proof manner). Any means may be used to facilitate the transfer of part at least of this information from UCDPS to service provider (and/or any other authorised parties). The preferred means is to transfer at least one limiting
means into the SPD and to disable part or all of the functions of the SPD at least, if one or multiple reports are not generated (in part at least) and/or not confirmed as being received (by any one or multiple authorised parties) within the period defined, in part at least, by said limiting means. The preferred limiting means is to program a time limit, SPD.termination_date 700, into the SPD. The time limit may be any time and/or date. This is preferably done when the SPD is first provided with a right of access eg. electronic funds. The SPD preferably compares the current time and/or date (eg. by reading the preferably secure non-volatile realtime clock 89) with the value in SPD.termination_date 700 and sets at least one generic right of access SPD.valid.system.n 705 (n may be any number) based on said compare. When SPD.termination_date is earlier than the real time, SPD.valid.system.n is preferably invalidated. The default state when an SPD is supplied is preferably invalid. This may use any means, eg. set a bit to validate and clear to invalidate. Preferably, when the SPD is called upon by one or multiple PSOs it checks .valid.system.n and if invalid does not proceed. The invention allows that part at least of the SPD may be active for one at least PSOs when .valid.system.n is invalid. An alternative (and/or an addition) may be any means that monitors any one or multiple events (eg. the number of times the UCDPS is switched on). The invention allows for any response when the reporting requirements are not complied with. These may be graded. They may even entail disabling and/or erasure of [...] parts of the SPD. Any means may be used to revalidate the SPD with the preferred one being the receipt by the SPD of a suitably validated PSO.report.received that preferably includes a new value for SPD.termination_date allowing one or multiple SPD.valid.system.n to be [...]

Any one or multiple generic rights of access not related directly and/or indirectly to electronic funds are allowed. These may include:

Those preferably programmable by the user, for example:
SPD.[...] 710 that limits access to a certain period of time (eg. children restricted to hours of use, employees limited to lunch breaks). This may be further extended to restrict one or multiple types of software objects (eg. computer games). There may be multiple such limits. They may have restricted access (eg. password).
SPD.age 715 that limits access to particular age groups.

Those preferably programmed by the service provider:
SPD.country 720 that limits one or multiple PSO to certain countries.
SPD.occupation 725 limits one or multiple PSO to one or multiple occupations.

Generic rights are usually acting as a flag to the secure processing means that may be used in a compare function with other information to make a decision on a course of action. However they may function in any manner, including as decryption keys and/or functions.
The preferred method of controlling access to software objects is by generic rights of access, wherein the user has [...] flexibility of [...] of various forms of [...]. However, the invention does allow for the use of distinct rights of access for one or multiple particular software objects. These may or may not be used in combination with generic rights of access. Distinct rights may function in any way, however, they are preferably keys essential to a decryption process for a particular software object. Any distinct right of access is allowed. Some examples may include:

SPD.distinct.[...].n 730 one or multiple software keys required for a particular software object to be enabled.

The reader is directed back to Figure 8 of the drawings.

d) Report Generation PSO
PSO.report.SPD 740 is a PSO generated by the SPD when a report is required. In particular PSO.report.SPD.use 741 is a periodic report of software usage. It may be securely generated using any means. The preferred method uses a variation of that used in PSO.ssu, wherein the programs in .execute.1 and .execute.2 actually each create the same report using a different one time algorithm. The encrypted reports are transferred to an authorised party (eg. service provider) who may use [...] knowledge of the algorithms used to generate the report to retrieve clear code.
PSO.report.received 745 is a PSO supplied to a UCDPS that confirms receipt of said PSO.report.SPD.
This verifies that a [...] report generated by the SPD has been received by the SPD. It is preferably specific to a particular SPD in that unique information within the SPD is required to correctly validate it and have it perform the required functions. It may perform any one or multiple functions, directly and/or indirectly within the SPD. It usually resets any [...] within the SPD that are awaiting receipt of the report received PSO and may do this in any way. It also usually programs the relevant locations with a new reporting interval and/or modifies in any way any part or all of the report generating and [...] system.

The preceding are the preferred types of PSOs for use in the protection and distribution of software objects. However, functions for one type of PSO may be combined in part or whole with any other one or multiple PSO functions. Any type of PSO may be created, eg. secure communications PSO.type.talk 750, electronic [...] PSO.type.[...] 751. The method described for sending an encrypted one-off transmission key to a target secure processing means to retrieve information from said target provides an efficient and secure method for information transfer that is self validating as to origin.

As described earlier in this specification, an important aspect of the software distribution method of the invention is that it seeks to distribute large numbers of software objects,
wherein control, in part at least, is preferably by applying at least one generic right of access across multiple software objects and controlling the use of said multiple software objects in part at least, by manipulating said generic rights of access.

This method contrasts significantly with the traditional method of coupling a distinct right of access (eg. a particular decryption key to unlock a particular [...] software object) to the use of a particular software object.

With the user having access to multiple software objects that are generically controlled and preferably operating in part at least in an offline environment, a means is required for the service provider (or any other one or multiple authorised parties) to monitor the usage of said multiple software objects in order to facilitate transactions based on software usage, in particular the distribution to software producers (and/or their agents) of revenue received. These considerations usually apply to
PSO.cpso in particular. Other types of PSO are usually inherently of limited use although they preferably have their own conditions on use.

The preferred method is to include within the conditions of use of a PSO information about the Software Producer (and/or their agent) and/or the Software Product.

2) Producer ID and/or Product ID.
PSO.u[...]id 800 is preferably a binary number of any bit-length greater than zero and is preferably unique to a particular software producer (and/or their agent). PSO.upid 805 is preferably a binary number of any bit length greater than zero. PSO.upid 805 is preferably unique to a particular product at least. Additional information may be included to identify the particular type of program PSO.type.label 810, where label may be any relevant id. For example: PSO.type.game (for computer games), PSO.type.[...] (for [...] programs), PSO.type.sound (for music), PSO.type.video (for video) etc. The invention allows for any method of identifying a PSO that permits in part at least data recording of use to facilitate transactions based on said use, in particular the identification of any one or multiple parties entitled to receive payment for use of said PSO.

3) Miscellaneous
PSO.pay.[...] 815 may be used as a currency identifier to indicate the currency of the producer.
PSO.pay.billing 820 may be used to indicate the currency that use of the PSO is to be billed in. This is preferably PSO.pay.billing.generic.
PSO.pudv 825 to indicate whether this PSO may be used with a personal software card. This is a device that may permit users of one UCDPS temporarily or permanently to transport various access rights and/or electronic credit and/or any other information to another UCDPS.

4) Group Access codes
These may be used as generic rights of access to a particular group of SPDs. They may be on any basis. For example:
PSO.age 830 that limits access to particular age groups.
PSO.country 840 that limits one or multiple PSO to certain countries.
PSO.occupation 845 limits one or multiple PSO to one or multiple occupations.

5) Distinct Right of Access 850:
one or multiple codes specific to a particular PSO that the SPD (directly and/or indirectly) needs to supply to permit access to said particular PSO.

6) Instructions for Manipulating Rights of Access against Usage 860.

The invention allows that usage of software objects may be on any one or multiple criteria. The preferred methods include:
any time basis eg. time software object in use
and/or

any event occurrences (this may be any one or multiple events, eg. the number of times that the program is opened and/or the number of times any one or multiple events occur during program execution).

The invention allows for any means that is integral to one or multiple PSO and/or securely coupled (in part at least), eg. a file that is referenced when a PSO is processed, that includes information about the manipulation of rights of access in response to the usage of said PSO. The reader is directed to Figure 11 for the next part of the description.

PSO.generic.seconds.label 870 (label may be any grouping of software objects). This usually indicates that the PSO may operate with a generic right of access permitting unlimited use of software objects for a particular grouping for a predetermined period of time. This is usually the counterpart of a right of access to SPD.type.generic.seconds.label (eg. label = games).
PSO.generic.events.label 875 provides a similar function with event based usage eg. SPD.type.generic.events.label.

PSO.generic.seconds 880 preferably indicates how many generic time units to deduct from that stored in SPD.type.generic.seconds for each second of use. PSO.generic.events 885 preferably performs a similar function against SPD.type.generic.events.

PSO.generic.money.label 890 for a PSO that may be used in exchange for the specified amount of currency units in the corresponding SPD.generic.money.label (label may be any real currency eg. USD, and/or a generic currency), and preferably includes the units of money to credit a producer/product account per unit of time used.

PSO.generic.optimist 895 for a PSO that may be billed [...] for SPD.type.generic.optimist.
PSO.pay.[...] 890 for a PSO that requires payment for use. This may be a fixed charge to use the software and may be a one off charge that permanently permits [...] access on that UCDPS or a charge that grants access and then bills on a usage basis using any combination of the previous methods. It preferably indicates the amount to charge.
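One way the SPD could evaluate the Figure 8 conditions of use against the rights it holds (Figure 9), following the Figure 11 instructions, as an added Python example rather than code from the patent. The dictionary layouts, the order in which the generic rules are tried, and the sample PSO and SPD records are constructed assumptions.

```python
from datetime import date


def evaluate_conditions(conditions: dict, spd: dict, today: date) -> tuple:
    """Decide whether this SPD may process a PSO. `conditions` carries the Figure 8
    fields taken from PSO.execute; `spd` holds the rights stored in the SPD
    (Figure 9). Returns (allowed, reason). Added illustration with assumed layouts."""
    # 4) group access codes: generic flags compared with the SPD's own values
    for code in ("age", "country", "occupation"):
        permitted = conditions.get(code)
        if permitted is not None and spd.get(code) not in permitted:
            return (False, f"group access code {code} not satisfied")
    # 5) distinct right of access 850: a PSO-specific key the SPD must already hold
    distinct = conditions.get("distinct_right")
    if distinct is not None and distinct not in spd["distinct"]:
        return (False, "distinct right 850 missing")
    # 6) instructions 860: try the generic rights the PSO accepts, in the PSO's order
    generic = spd["generic"]
    for rule in conditions["generic_rules"]:
        kind = rule["kind"]
        if kind == "seconds.label.date":          # 870: unlimited use of a grouping until a date
            token = generic.get(("seconds", rule["label"]))
            if token is not None and token["expires"] >= today:
                return (True, f"seconds.{rule['label']} valid until {token['expires']}")
        elif kind == "seconds":                   # 880: time units deducted per second of use
            if generic.get("seconds", 0) > 0:
                return (True, "generic seconds available")
        elif kind == "money":                     # 890: pay per unit of time from stored funds
            if generic.get(("money", rule["currency"]), 0) > 0:
                return (True, f"generic money in {rule['currency']} available")
        elif kind == "optimist":                  # 895: unlimited use on credit, metered for reports
            if generic.get("optimist"):
                return (True, "optimist right present")
    return (False, "no usable generic right of access")


# Constructed sample records (not from the patent)
GAME_PSO = {
    "type": "cpso", "age": {"12+", "18+"},
    "generic_rules": [{"kind": "seconds.label.date", "label": "games"},
                      {"kind": "money", "currency": "generic"}],
}
ADULT_SPD = {"age": "18+", "country": "AU", "distinct": set(),
             "generic": {("seconds", "games"): {"expires": date(1997, 10, 31)},
                         ("money", "generic"): 3800}}
CHILD_SPD = {"age": "under12", "country": "AU", "distinct": set(), "generic": {}}

if __name__ == "__main__":
    print(evaluate_conditions(GAME_PSO, ADULT_SPD, date(1997, 10, 15)))
    # (True, 'seconds.games valid until 1997-10-31')
    print(evaluate_conditions(GAME_PSO, ADULT_SPD, date(1997, 11, 5)))
    # (True, 'generic money in generic available'): the games token has expired, funds remain
    print(evaluate_conditions(GAME_PSO, CHILD_SPD, date(1997, 10, 15)))
    # (False, 'group access code age not satisfied')
```

The group codes and the distinct right are hard gates; the generic rules are alternatives, so the same PSO runs on an unlimited monthly games token while it is valid and falls back to metered generic money afterwards, which is the flexibility the description attributes to generic rights.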

The reader is directed back to Figure 8 of the drawings.

The ability to distribute software in massive quantities to the user may provide significant changes to the methods of marketing and selling software products. One method may be to permit the user free or discounted access to various products, particularly new products. This may include various promotional schedule codes (PSC) within the PSO, that may be designed to achieve any outcome that is supported by the SPD that the PSO executes on, and this may include codes covering anything to do with promoting any sort of product using any known method. For example, a list of discounts and the time they apply may be included within the PSO, and they may be multiple. The discounts may be any value, and may result in free software for variable periods of time. The facility even exists for a producer to pay a user to try their product. Particular promotions may have a use by date attached to them.

IPEA/AU

CA 02242777 1998-07-10 PCT/AU97/00010 RECEIVED 08 APR 1998

Another approach may be to generate a random number in the SPD each time a program is initiated or on any other basis. If this matches a code in the PSO, then various free program time may be provided on the current PSO and/or another program by the producer and/or various prizes may be given away.

The software may also be made available to a potential user with part of its functions disabled, and no charge or a nominal charge applied to the use of this partially disabled program. This may be particularly useful for software that may take time to assess, for example a new program where a potential customer may want to fully assess the package prior to committing to a changeover from an existing system. The activation to a fully operational system may require a key (that may or may not have a charge) or simply require the user to execute a program that initiates time and/or event based billing, or any other method.

The means to perform any promotional function may be included in part or whole within the PSO, however, it would usually rely in part or whole on secret processes within the SPD to prevent unauthorised manipulation of the promotion.

It is anticipated that the provision of extensive libraries of digital information on a pay-as-used basis will be coupled to a system that permits advertising to pay, part at least, the cost of information usage. The secure processes of the invention allow advertising to be placed securely and exposure metered accurately, however, it is also important that users are not alienated by forcing them to watch advertisements against their wishes. The invention seeks to describe a means for distributing advertising material that takes advantage of the secure processes of the invention, that may be used in conjunction with, one at least, advertising methods coupled to the Internet (or similar), however, it is suitable for use in offline UCDPS's.
The invention allows for the creation of software objects that may be one at least computer programs that may generate one or multiple advertisements for display on a UCDPS, preferably in conjunction with an SPD. The advertisements may fall into plural groups that may include one at least of the following:
a) displayed at variable times and beyond the capability of the user to inhibit.
b) displayed at variable times, however, the user has the option of disabling the display of, part or all of the advertisement.
c) displayed at the request of the user.

The advertising system may be interactive and may include one at least of the following:
a) the user may request the display of particular advertisements and/or products, and/or product categories.
b) advertising may be customised to particular age groups, gender, occupations, interests of a particular user, and/or any other category and/or combination of categories, and said information about age, gender, occupation, interests, etc may be coupled to one at least advertising programs by any means, wherein said means may include coupling the advertising to match, part at least, of the profile of a user identified by their password used to access the UCDPS.
c) the advertising means may adapt itself to display advertisements depending on date, special occasions and/or on any other basis.
d) encourage users to view advertising material by providing the user with rewards. This may be any type of reward and if cash, may instantly update any electronic funds system coupled to their computer and/or elsewhere. The system may also generate a coupon and/or special code that on presentation to a supplier may result in the transfer to the user of goods and/or services. Redemption of goods and services may be achieved in person, and/or by posting said coupon and/or special code, and/or by telephone, and/or by network, and/or by Internet (or similar).
e) collection of information relating to users' advertising interests.

The advertising material is usually initially created on a suitable remote computer means as a clear text program. It would usually include, in part at least, a means to create and/or display one or multiple advertisements on a user's display means (when delivered to the user and loaded and executed, preferably in conjunction with an SPD). It may include any type of menu system to permit a user to select access to information that is not currently displayed, and/or may include a means to read any real-time clock/calendar within the UCDPS; and in response to this, may decide on one at least display options and or other courses of action. If the advertising software object is to adapt itself to one at least profiles of the user (that may be based on any group of parameters), it preferably includes a means to obtain a user profile and to selectively use this information.

If the advertising software object is coupled to one at least means to reward the user for participating in a specified manner, one at least of the following may be included:
i) one at least computer programs (and/or subroutines) that when activated by any means, determine when a user will be offered the chance to obtain a reward, and said determination may be based on:
- the number of times a particular event has occurred, in which case a count of said event is stored in a non-volatile form that is preferably tamper proof; and/or
- in response to a time and/or date; and/or
- at random times; and/or
- at random event intervals; and/or
- at the user's selection; and/or
- any other basis.
ii) one at least computer programs (and/or subroutines) that provide one at least tasks that the user must complete correctly in order to be eligible for a reward, and this may be on the basis of being eligible on the basis of performing no task, to any complex arrangement of tasks.
iii) one at least computer programs (and/or subroutines) that determine the number of tasks that a user may be required to complete in order that said user may receive a reward.
iv) one at least computer programs (and/or subroutines) that determine the probability that a user may receive a reward on the completion of one at least tasks.
v) one at least computer programs (and/or subroutines) that select the reward that will be offered to the user.
vi) one at least computer programs (and/or subroutines) that meter events to prevent any unauthorised collection of rewards.
vii) one at least computer programs (and/or subroutines) that generate one at least codes (preferably unique) that may be provided to the user, wherein said user may use them to obtain a reward. Said codes may include a means to identify:
- the identity of the UCDPS used to provide the reward, and/or
- the nature of the reward and/or
- the tasks used to obtain the reward, and/or
- a time and/or date stamp, and/or
- any other information.
viii) any other information that may be required.
The software object may be coupled to a means to provide feedback to the advertiser and may include one at least computer programs and/or subroutines to request feedback from the user, and/or log user interaction with the advertisement, and/or any other means.

The software object is then converted into a format that is protected from unauthorised use. This is preferably achieved by encryption and preferably by converting it into a Protected Software Object that may have any of the attributes described for a protected software object.

The invention allows that any information stored in part at least within one or multiple PSOs may be supplied in part at least, using any means that in part at least is securely linked, directly and/or indirectly to the processing of said one or multiple PSOs.

Where required the SPD preferably meters software object use. One method to meter use is to have PSO.encrypted.use 370 include information about the address blocks occupied by the PSO. The SPD may record this information and on a periodic basis examine the program addresses currently being accessed by the system CPU 1 external to the SPD. This is best achieved as previously described by interrupting the secure microprocessor on a periodic basis and reading the program counter or equivalent of the system CPU (eg. monitor the address bus, this may be in association with monitoring a bus signal that indicates an instruction fetch by system CPU 1). This may only be required in a multitasking system. In a single task UCDPS the SPD usually records initial access and termination to determine the period of access and/or event based measurement.

The reader is directed back to Figure 6 of the drawings.

PSO.access 375 usually indicates to the SPD that an encrypted (in part at least) PSO.decodable.1 380 requires decryption (preferably using the process supplied by PSO.lock 360) and that 380 may then be used to decrypt PSO.encrypted.object.1 385. PSO.access 375 may include any information. This may include details of the multiple blocks of UCDPS memory occupied by the PSO.decodable.1 380 and/or PSO.encrypted.object.1 385 and may include transfer information (eg if DMA etc).

PSO.decodable.1 380 and/or PSO.encrypted.object.1 385 are preferably transferred in part at least to a secure user partition. This may be under the control of programmed I/O by the system CPU 1 via the interface ports and/or via DMA by the SPD and/or under program control of the SPD and/or any other means. PSO.decodable.1 380 is usually decrypted in part at least within the SPD and the program and/or decryption keys retrieved are preferably used in part at least, to decrypt part at least of PSO.encrypted.object.1 385. Said decryption usually occurs in part at least within the SPD. The PSO.encrypted.object.1 385 is usually at least one block of program code and/or data (that may be encrypted and/or clear code) that usually requires:
decryption in part at least within said SPD
and
subsequent processing of part at least of the information derived from said decryption within the SPD, that may include processing in conjunction with programs and/or data from any other location internal and/or external to the SPD.

PSO.close 390 is preferably used in part at least to indicate to secure system functions that the PSO has re-entered a clear code section of the program as indicated by PSO.clear.code.2 395. PSO.close 390 preferably does not close links between PSO and SPD (this is usually a function of PSO.terminate 450 that is usually also responsible for the termination of metering of the PSO).

Similar method steps preferably apply to the remainder of the sequence shown in the PSO structure described with reference to Figure 6.

PSO.decodable.1 380 and/or PSO.decodable.2 405 and/or PSO.decodable.3 430 and/or PSO.decodable.n may be the same in part or whole and/or may be decrypted in part at least by the process loaded in PSO.lock.1 and/or using any other resources directly and/or indirectly available to the SPD. They may in part at least be absent. Part at least of their functions may be replaced and/or supplemented using any means.

PSO.clear.code.1 (350); PSO.clear.code.2 (395); PSO.clear.code.3 (420); PSO.clear.code.4 (445) usually represent parts of the software object containing the actual application program and/or data. They may in part at least be encrypted for any reason.

22 Local and Global Data.
Each SPD usually needs to be uniquely characterised from other SPDs. Otherwise information created for a particular SPD - eg. electronic credit and/or any other right of access - may be used in its clones. This is a fairly standard requirement of smart cards etc.

The inclusion of at least one preferably unique and secure code (identified as Local.key.1 to Local.key.n where n may be any number) enables each SPD to have unique decryption facilities. They may be keys and/or decryption algorithms. For example Local.key.n may be used to unlock PSO.lock 360 when the PSO is targeted at a specific SPD.

The SPD may also have unique secure codes that may be included in transmissions from the SPD to validate the device and/or within received transmissions to validate the target. These are described in the preferred embodiment.

The inclusion of at least one global secure code (identified as Global.key.1 to Global.key.n) enables each SPD to decrypt generically encrypted information. Global keys may be decryption keys and/or decryption algorithms.

As described earlier a particularly useful process is for a service provider to encrypt (specifically for a particular SPD) a program that will extract information (eg. usage reports, secret codes) from a particular SPD including a unique (preferably) identifying signature of the target SPD. Said encrypted program is referenced as PSO.extract and is intended for decryption and execution by the target SPD. It becomes an inherently self-identifying process if the program as its first (preferably) function validates its target environment by comparing secret SPD parameters with those within said PSO.extract. A similar process may be used to transfer information to an SPD using PSO.deliver. The latter is also generically what PSOs are delivering to the SPD when they require part of their program decrypted and executed.

AMENDED SHEET

One at least system group code functions may be included. These may also consist of codes that are identical across a particular group of devices (e.g. those destined for the same country) and may be used for any reason. This may include the restriction of certain PSOs to particular group codes. One or multiple group codes may be common to all SPDs. The invention allows that part or all of group codes may be user programmable and/or selectable. This may allow, for example, parents to restrict children's access to particular PSOs.
The invention allows for the use of PSOs with an SPD to be controlled using any known method and apparatus and this is usually on the basis of one or multiple predetermined limits electronically transferred to the SPD that are suitably adjusted as PSOs are used. When the predetermined limits are exceeded (and/or in any other way reached) the SPD preferably stops executing the PSOs. The invention allows that said predetermined limits may be granted on any basis; the preferred method is to require payment for units. The invention does allow that there are no predetermined limits on the use of PSOs, however, this would usually only apply to major account customers and even they may prefer to have limits placed on what individual users may spend. The preferred method of controlling usage of PSOs is to permit relatively unlimited use (within any predetermined bounds) of multiple software objects and record said use by the SPD. Said use may be on any measurable units of use basis. The preferred method is to prevent the SPD processing these PSOs unless there are sufficient generic rights of access, said generic rights preferably directly and/or indirectly related to one or multiple monetary values. In this case said generic right may be considered to be a form of electronic funds. Said electronic credit funds may be stored in any form. The preferred method stores one or multiple values in the SPD and/or securely in mass storage locations external to the SPD.

An SPD may disable itself in part or whole when any conditions that are attached to the use of PSOs are not met. This preferably includes when PSOs have been detected as being physically and/or logically tampered with. This preferably also occurs when one or multiple requirements, for instance reporting requirements imposed on the SPD directly and/or indirectly, have not been met, preferably in part at least as one or multiple securely encrypted reports. Said disable may also occur if the SPD does not receive confirmation of receipt of said one or multiple reports by the appropriate parties. Said disable preferably occurs when one or multiple generic and/or distinct rights of access are exhausted (eg. electronic funds consumed). Said disable may occur for any other reason(s). An SPD that is disabled in part or whole may be re-enabled in part or whole by any method including the supply of an appropriately encrypted and validated software object (for example, as previously described for transferring rights of access and reports).

Any information included in a particular OSI may become obsolete and this may be a particular problem with prices and discounts. Any information contained in an OSI may be used in part or whole with other more readily updated information stored in any suitable location; this may include locations within the SPD, and/or various files stored on one or multiple mass storage devices, and/or information supplied with other PSOs. It may be updated as part of codes supplied to users to update SPD credits and/or for any other reason. All of this may be subject to the overall control of the service provider who can vary the actual amount charged to any particular user.

The preferred embodiment allows that a part of the secure system memory of a SPD may be securely loaded with information that indicates an amount of credit (using any method and/or currency) that may be offset against software usage (and/or any other applicable uses). When an SPD is initially shipped to a customer it is preferably not activated to execute PSOs.
Activation of a particular SPD may be accomplished by any means, including:
1) The user contacts a service provider (using any method, the most convenient usually being via a modem) and supplies the service provider with the serial number of the SPD, the amount of credit required, and payment details (that is preferably a credit card payment) that may use any known method.
2) Using known details about various codes within that particular SPD the service provider takes the required amount of credit and encrypts this amount using any means to create a preferably unique and one time code. The encryption process may use any information within the SPD. This may include time and/or date and/or any other unique and/or global codes within the SPD. It may also use information (preferably securely) transmitted to the SPD.
3) The one time code is transmitted to the user of the SPD and entered into the UCDPS. The code is decrypted. If an error is generated, the user may be advised. Once the amount is verified the required credit is loaded into any appropriate secure non-volatile location internal to the SPD that cannot be tampered with.
4) This process may activate the SPD if required, however, the preferred determination as to whether or not a particular SPD will execute one or multiple PSOs is based on the amount of available credit.
5) The available credit is progressively decremented as various PSOs are used, and the present invention allows for any method and apparatus for billing for PSO use.
6) Software usage of various software objects may be logged. This is described later.
7) When the credit amount is decremented to a threshold amount (and said threshold may be set by the service provider and/or the user) the user is advised that additional credit will be required shortly. The method of advising the user of an impending shortage of credit may use any method and/or apparatus. However, as the programs that implement this process are preferably executing in part or whole from within secure memory internal to the SPD, the facility exists to generate an internal interrupt and jump to an appropriate internal and/or external program. This may occur at any time, with the most usual being shortly after a system reset. The process may be transparent to the operating system. The facility exists, using a similar process (and/or any other method and/or apparatus) for the user to generate a current report of available credit and/or software object use.
8) For the second and subsequent contacts with a service provider to refresh the credit available within the SPD the user will usually also be required to advise the service provider of a code (that is preferably securely generated within the SPD using any means). Said code may include current information on remaining credit (that may be zero) and may include information on the usage of part or all software objects that have been used in the period.
9) Step 2 is repeated, however, in addition to credit information, the code supplied to the user usually contains an acknowledgement message that informs one or multiple routines within the SPD that information pertaining to software object use has been received by the service provider. Storage locations allocated to this information may then be cleared.
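The following is an added worked example of steps 1 to 9, not code from the patent: a service provider and an SPD share a device-unique key (the patent's Local.key idea, here assumed to be shared at provisioning), the provider issues one-time credit codes bound to the SPD serial, the SPD rejects replayed or altered codes, reports remaining credit and per-product usage, and clears its usage store only when the provider's next code acknowledges that report. Binding the code to the target device's secret is the same self-identifying check the patent describes for PSO.extract under Local and Global Data; the patent leaves the encryption method open, so this example uses HMAC-SHA256 authentication of the fields in its place, and all names, field layouts and sample values are the example's own.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct

NONCE_LEN, TAG_LEN = 16, 32
NO_ACK = bytes(NONCE_LEN)  # ack field when no usage report is being acknowledged


def _tag(key: bytes, label: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over a label and length-prefixed fields, so field boundaries are unambiguous."""
    h = hmac.new(key, label, hashlib.sha256)
    for f in fields:
        h.update(struct.pack(">I", len(f)) + f)
    return h.digest()


class SPD:
    """Secure processing device: holds a device-unique key (Local.key), credit and usage counters."""

    def __init__(self, serial: bytes, local_key: bytes, threshold: int) -> None:
        self.serial, self._key = serial, local_key   # the key never leaves the device
        self.credit, self.threshold = 0, threshold    # step 7 warns at or below threshold
        self.usage: dict[str, int] = {}               # vendor/product code -> units consumed
        self._seen_nonces: set[bytes] = set()         # a one-time code must not be accepted twice
        self._pending_report: bytes | None = None

    def redeem_credit_code(self, code: bytes) -> int | None:
        """Step 3: check a one-time code bound to this SPD; return new credit, or None if rejected."""
        nonce, amount_b = code[:NONCE_LEN], code[NONCE_LEN:NONCE_LEN + 4]
        ack, tag = code[NONCE_LEN + 4:-TAG_LEN], code[-TAG_LEN:]
        expected = _tag(self._key, b"credit", self.serial, nonce, amount_b, ack)
        if not hmac.compare_digest(tag, expected) or nonce in self._seen_nonces:
            return None  # another device's code, an altered amount, or a replay of a used code
        self._seen_nonces.add(nonce)
        self.credit += struct.unpack(">I", amount_b)[0]
        # Step 9: an ack naming the pending report means the provider holds it; clear that usage data.
        if self._pending_report is not None and hmac.compare_digest(ack, self._pending_report):
            self.usage.clear()
            self._pending_report = None
        return self.credit

    def consume(self, product_code: str, units: int) -> bool:
        """Step 5: decrement credit as a PSO is used; refuse to run it when credit is insufficient."""
        if units > self.credit:
            return False
        self.credit -= units
        self.usage[product_code] = self.usage.get(product_code, 0) + units
        return True

    def low_credit(self) -> bool:
        return self.credit <= self.threshold  # step 7: time to warn the user

    def report_code(self) -> bytes:
        """Step 8: authenticated report of remaining credit and per-product usage for the provider."""
        nonce = secrets.token_bytes(NONCE_LEN)
        body = ";".join(f"{k}={v}" for k, v in sorted(self.usage.items())).encode()
        credit_b = struct.pack(">I", self.credit)
        self._pending_report = nonce
        return nonce + credit_b + struct.pack(">I", len(body)) + body + _tag(
            self._key, b"report", self.serial, nonce, credit_b, body)


class ServiceProvider:
    """Knows each SPD's Local.key (assumption: shared at provisioning, never sent over the line)."""

    def __init__(self, keys: dict[bytes, bytes]) -> None:
        self._keys = keys

    def issue_credit_code(self, serial: bytes, amount: int, ack: bytes = NO_ACK) -> bytes:
        """Step 2 (and 9): one-time code bound to serial, amount and an optional report acknowledgement."""
        nonce, amount_b = secrets.token_bytes(NONCE_LEN), struct.pack(">I", amount)
        return nonce + amount_b + ack + _tag(self._keys[serial], b"credit", serial, nonce, amount_b, ack)

    def verify_report(self, serial: bytes, report: bytes) -> tuple[bytes, int, dict[str, int]]:
        """Check a report's tag; return (report nonce, remaining credit, usage) or raise ValueError."""
        nonce, credit_b = report[:NONCE_LEN], report[NONCE_LEN:NONCE_LEN + 4]
        blen = struct.unpack(">I", report[NONCE_LEN + 4:NONCE_LEN + 8])[0]
        body, tag = report[NONCE_LEN + 8:NONCE_LEN + 8 + blen], report[NONCE_LEN + 8 + blen:]
        if not hmac.compare_digest(tag, _tag(self._keys[serial], b"report", serial, nonce, credit_b, body)):
            raise ValueError("report is not authentic")
        usage = {k: int(v) for k, v in (e.split("=") for e in body.decode().split(";") if e)}
        return nonce, struct.unpack(">I", credit_b)[0], usage


def run_cycle() -> dict:
    """Constructed walk-through of steps 1 to 9 with one SPD and one provider (sample values)."""
    serial, key = b"SPD-000042", secrets.token_bytes(32)
    spd, provider = SPD(serial, key, threshold=50), ServiceProvider({serial: key})
    first = provider.issue_credit_code(serial, 100)                          # steps 1-2
    out = {"credit_after_first": spd.redeem_credit_code(first)}              # step 3 -> 100
    spd.consume("ACME/WORD", 60)                                             # step 5
    out["low"] = spd.low_credit()                                            # step 7: 40 <= 50
    rnonce, remaining, usage = provider.verify_report(serial, spd.report_code())  # step 8
    out["reported"] = (remaining, usage)
    out["replay_rejected"] = spd.redeem_credit_code(first) is None           # same code twice
    forged = first[:NONCE_LEN] + struct.pack(">I", 10**6) + first[NONCE_LEN + 4:]
    out["tamper_rejected"] = spd.redeem_credit_code(forged) is None          # amount altered
    out["final_credit"] = spd.redeem_credit_code(provider.issue_credit_code(serial, 100, ack=rnonce))  # step 9
    out["usage_cleared"] = spd.usage == {}
    return out
```

The nonce set is what makes the code one-time; a real SPD would keep it, like the credit value, in tamper-resistant non-volatile storage so a reset cannot revive spent codes.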

Obviously a similar process may be applied to the transfer of any types of rights of access.

A user friendly menu may be used to assist part or all of the process described above.
Metering and Recording Usage of PSOs: The preferred embodiment allows for any metering and/or recording means of the usage of PSOs (and/or software objects). Said means is preferably compatible with multitasking operation in a single processor and/or multiprocessor environment. Said means is preferably transparent. In a single task environment the SPD usually starts metering usage when activated and terminates when the PSO finishes. In a multitasking environment where usage is time based, the preferred method is to generate an internal interrupt within the SPD on a periodic basis. Said interrupt activates a routine within secure system functions that retrieves the contents of the system CPU 1 program counter (or equivalent, eg. monitor address bus during instruction fetch cycle). As previously described the SPD may keep a log of address blocks in system memory occupied by one or multiple PSOs. Comparing the current program counter with said address map determines which program was executing during the interrupt. This also enables separation of PSOs from normal software objects in a multitasking environment. The invention allows for any combination and/or permutation and/or weighting for usage of any one or multiple PSOs. Event usage may only require counting occurrences of the metered event in a single and multitasking UCDPS. The SPD may also monitor patterns of access to multiple secure partitions for metering multitasking time based software objects. An alternative process that is not transparent to the operating system is to have the operating system perform various routines during task switching that may activate various processes within the secure internal memory to record details about program execution. The previous processes are transparent to the UCDPS operating system. An alternative non transparent method has the UCDPS operating system perform one or multiple routines during task switching that may activate various processes within secure system functions to record details about program execution. In system CPUs with cache memory monitoring of the address bus may be difficult. An alternative is to have the SPD force a system CPU 1 interrupt and selectively modify (preferably temporarily) the system CPU interrupt vectors. This may be used to redirect system execution to a function to provide information on which software object is currently executing. A method wherein the secure microprocessor 20 monitors the locations that the UCDPS operating system uses to store its task structure may also be used.

The usage of PSOs is usually recorded in part or whole within secure internal non-volatile locations, however, the invention allows that part or all of the information on the use of PSOs may be encrypted and stored external to the SPD. The preferred method to store it externally uses the generation of random keys as described previously. The preferred method of saving information to mass storage is to tag it onto the routine within the PSO that checks the validity of information in Current Data Files (CDF) as described later. It is preferable to keep sufficient information on PSO use internal to the device, in order that a software vendor receives the appropriate payment in the event that external storage of this information is corrupted. If this occurs, there may be no detailed breakdown of usage, however the vendor may be correctly paid. The above processes are transparent to the operating system. Information on program usage is usually accumulated in part at least in secure non-volatile storage locations internal to the SPD. The invention allows that a report on software usage may be prepared (usually in encrypted form, using any method and apparatus) for transmission to a service provider and/or any other authorised party on a periodic basis. This may be any period and may be fixed and/or variable; this report is usually generated by secure routines within one or more SPDs from information that may be internal and/or external to the SPD.
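An added example, not the patent's code, of the multitasking metering just described: the SPD keeps the address blocks each PSO announces via PSO.access in a map, attributes every periodic program-counter sample to the PSO whose block contains it (samples landing in OS or unprotected code are not charged), counts metered events separately, and converts ticks into generic time units at a per-PSO rate in the manner of PSO.generic.seconds. Block addresses, tick interval, rates and product codes are constructed sample values; the overlap check is the example's own addition, so that one PSO cannot register a block that would be charged to another.

```python
from __future__ import annotations

import bisect
from dataclasses import dataclass


@dataclass(frozen=True)
class AddressBlock:
    """One block of UCDPS memory occupied by a PSO (start inclusive, end exclusive)."""
    start: int
    end: int
    pso_id: str


class UsageMeter:
    """Attributes periodic program-counter samples and counted events to the PSO that owns them."""

    def __init__(self, tick_ms: int, rates: dict[str, int]) -> None:
        self.tick_ms = tick_ms            # interval between SPD-generated sampling interrupts
        self.rates = rates                # pso_id -> generic units per second (like PSO.generic.seconds)
        self._starts: list[int] = []      # sorted block starts, for bisect lookup
        self._blocks: list[AddressBlock] = []
        self.ticks: dict[str, int] = {}   # pso_id -> samples that landed inside its blocks
        self.events: dict[str, int] = {}  # pso_id -> metered event count

    def register(self, block: AddressBlock) -> None:
        """Record a block announced via PSO.access; reject any overlap with an existing block."""
        if block.start >= block.end:
            raise ValueError("empty block")
        i = bisect.bisect_left(self._starts, block.start)
        # Only the nearest block on each side can overlap, because registered blocks never overlap.
        for neighbour in self._blocks[max(0, i - 1):i + 1]:
            if neighbour.start < block.end and block.start < neighbour.end:
                raise ValueError(f"{block.pso_id} overlaps {neighbour.pso_id}")
        self._starts.insert(i, block.start)
        self._blocks.insert(i, block)

    def owner(self, pc: int) -> str | None:
        """Which PSO, if any, occupies the address the system CPU was executing?"""
        i = bisect.bisect_right(self._starts, pc) - 1
        if i >= 0 and self._blocks[i].start <= pc < self._blocks[i].end:
            return self._blocks[i].pso_id
        return None

    def sample(self, pc: int) -> None:
        """Periodic interrupt handler: one tick to the PSO running at this program counter."""
        pso = self.owner(pc)
        if pso is not None:
            self.ticks[pso] = self.ticks.get(pso, 0) + 1

    def record_event(self, pso_id: str) -> None:
        """Event based usage: count one occurrence of the metered event."""
        self.events[pso_id] = self.events.get(pso_id, 0) + 1

    def units_due(self) -> dict[str, int]:
        """Generic time units to deduct per PSO: ticks x interval x rate, rounded down to whole units."""
        return {pso: n * self.tick_ms * self.rates.get(pso, 0) // 1000 for pso, n in self.ticks.items()}


def rejects_overlap(meter: UsageMeter, block: AddressBlock) -> bool:
    """True if the meter refused the block because it overlaps a registered one."""
    try:
        meter.register(block)
        return False
    except ValueError:
        return True


def demo() -> tuple[dict[str, int], dict[str, int], dict[str, int]]:
    """Constructed sample: two PSOs plus OS code, sampled every 100 ms, 20 and 5 units per second."""
    meter = UsageMeter(tick_ms=100, rates={"ACME/WORD": 20, "ACME/CALC": 5})
    meter.register(AddressBlock(0x10000, 0x20000, "ACME/WORD"))
    meter.register(AddressBlock(0x40000, 0x48000, "ACME/CALC"))
    # Program-counter values read at successive interrupts; 0x7FFxx is OS code outside any PSO block.
    for pc in (0x10040, 0x7FF00, 0x10FF0, 0x41000, 0x1FFFF, 0x48000, 0x7FF20, 0x40010):
        meter.sample(pc)
    meter.record_event("ACME/CALC")
    meter.record_event("ACME/CALC")
    return meter.ticks, meter.events, meter.units_due()
```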
Controlling (Copying) of Protected Software Objects: One objective of the invention is to provide a method and apparatus that may be used to protect software objects in a manner that does not restrict the copying of the PSO. In the preferred scenario it would provide at nominal or no cost, a copy of that particular software object to any user of a UCDPS requiring it. An optimal situation would be the collation of all PSOs suitable for use with a particular type of UCDPS onto a collection of CD ROMs that may be supplied to users at nominal or no cost. Update CD ROMs may be made available on a periodic basis. The invention allows for PSOs to be supplied on any medium and this may include access to a database of PSOs via the Internet.

An SPD provides a secure and flexible environment for metering the use of PSOs using multiple methods and the invention allows for all of these.

At some point in the processing of a PSO, and usually at the commencement, the SPD may require certain information from the PSO of relevance to determining the type of metering system applied to the PSO. For example, certain data may be extracted from the PSO to inform the SPD that this particular PSO may be executed on a time used basis and whether or not this is linked to the availability of credit within the SPD. Information on the vendor and/or the product code of the PSO and usually the amount to charge for a unit of execution time may then be required (and this information may be required for any other metering systems). One source of this information is the PSO itself and this information may be extracted by the SPD using any method and apparatus. The usual process extracts the vendor and product code from appropriate parts of the PSO and stores it within secure memory internal to the SPD. The cost of executing the PSO on a time and/or event basis and/or any other basis is extracted from the PSO where appropriate.

Where the known art grants a distinct right to execute a particular software object, the SPD grants a generic right to execute as long as certain internal and/or external generic codes match the requirements of one or multiple PSOs.

The preferred embodiment allows that information contained within a PSO may not be current as regards processing costs and/or any other information. The preferred method to compensate for this is the provision of one or multiple files located on a suitable mass storage device attached directly and/or indirectly to the UCDPS. Said files are referenced in this document as Current Data Files (or CDF). A CDF may be updated as required using any method including automatic update using routines contained in newly released PSOs. A current data file may contain any information and may replace part at least of that within a PSO, however, it will usually include details of the costs associated with using part at least of the available PSOs. It may include information on discounts for frequency and/or quantity and/or special groups and/or special promotions and/or any other reason. A CDF may have a creation date and/or one or multiple blocks of information pertaining to one or multiple PSOs may include the date (or any other method and apparatus to effect an equivalent result) said information became valid. When a PSO is created, the date of creation (and/or any other method and apparatus to effect an equivalent result) is usually included within the PSO. When a PSO is used the date within the PSO may be compared to that within the CDF (if present), with the more recent information preferably used. When the PSO branches to a routine to retrieve CDF information from mass storage it may also save encrypted information from within the SPD (eg. encrypted record of usage). The information within a CDF is preferably encrypted and this may be for any reason, including protection against tampering with the information. Various validity checks may be performed when information within a CDF is loaded and/or used (this may be for any reason including detecting modifications to the information). When an SPD generates a report for the service provider (or any other authorised party) it may include information on the currency of information within a particular CDF, and/or the absence of a CDF, and/or the creation dates of the PSOs executed. A user may know that access to a particular CDF by the SPD may result in increased costs to the user than would be incurred by referencing the billing information in the actual PSO. Said user may be reluctant to update their current CDF and/or may delete the CDF (the invention allows that the presence of at least one CDF is required). The invention allows for any method and apparatus that may be used to circumvent this potential problem, including the service provider adjusting billing to reflect current charges (or any other reason).
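An added example, not the patent's code, of how an SPD might resolve pricing between a PSO and a Current Data File: the CDF carries a MAC under a key the SPD holds (assumed here to be a Global.key shared with the service provider; the patent says only that the CDF is preferably encrypted and validity checked), the more recent of the PSO's embedded price and the CDF entry wins, and the billing record carries the CDF status (ok, invalid, absent) so the provider can adjust charges when a user has deleted or edited the file. File layout, key and prices are constructed sample values.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import date


def _canonical(entries: dict) -> bytes:
    """Deterministic serialisation, so the MAC covers exactly the entries that will be used."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_cdf(key: bytes, entries: dict[str, dict]) -> dict:
    """Provider side: CDF = price entries plus a MAC under a key the SPD holds (assumed Global.key)."""
    return {"entries": entries, "mac": hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()}


def load_cdf(key: bytes, cdf: dict | None) -> tuple[dict[str, dict], str]:
    """SPD side: returns (usable entries, status); status is 'ok', 'absent' or 'invalid'."""
    if cdf is None:
        return {}, "absent"
    expected = hmac.new(key, _canonical(cdf.get("entries", {})), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(cdf.get("mac", ""))):
        return {}, "invalid"  # edited on mass storage: ignore the file entirely, never trust part of it
    return cdf["entries"], "ok"


def unit_cost(pso: dict, entries: dict[str, dict]) -> tuple[int, str]:
    """Pick the more recent of the PSO's embedded price and the CDF entry for its product code."""
    entry = entries.get(pso["product"])
    if entry is not None and date.fromisoformat(entry["valid_from"]) > date.fromisoformat(pso["created"]):
        return entry["unit_cost"], "cdf"
    return pso["unit_cost"], "pso"


def bill(pso: dict, cdf_key: bytes, cdf: dict | None, units: int) -> dict:
    """Charge for `units` of use and build the CDF-related fields of the usage report."""
    entries, status = load_cdf(cdf_key, cdf)
    cost, source = unit_cost(pso, entries)
    return {
        "product": pso["product"],
        "charge": cost * units,
        "price_source": source,
        "cdf_status": status,        # lets the provider re-bill if the CDF was missing or damaged
        "pso_created": pso["created"],
    }


def demo() -> dict[str, dict]:
    """Constructed scenario: one shared key, one CDF and two PSOs of different ages."""
    key = b"global-key-example-only"
    cdf = sign_cdf(key, {"ACME/WORD": {"valid_from": "1997-03-01", "unit_cost": 4},
                         "ACME/CALC": {"valid_from": "1997-03-01", "unit_cost": 3}})
    old_pso = {"product": "ACME/WORD", "created": "1996-11-20", "unit_cost": 5}  # CDF is newer
    new_pso = {"product": "ACME/CALC", "created": "1997-06-01", "unit_cost": 6}  # PSO is newer
    tampered = json.loads(json.dumps(cdf))
    tampered["entries"]["ACME/WORD"]["unit_cost"] = 1                             # user edits the price
    return {
        "old_with_cdf": bill(old_pso, key, cdf, 10),
        "new_with_cdf": bill(new_pso, key, cdf, 10),
        "old_tampered": bill(old_pso, key, tampered, 10),
        "old_absent": bill(old_pso, key, None, 10),
    }
```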

The preferred metering system is applicable to PSOs that are intended to operate within a UCDPS on an unrestricted basis, as long as certain criteria are met:
- the SPD and/or any other SPD has sufficient credit loaded into the device (using any method and apparatus) to cover the costs incurred by the user in executing the PSO, and/or
- the use of each PSO is logged and this may be time based and/or event based and/or any other method and apparatus that requires periodic reports on software use and/or any other information to be provided to an appropriate external party.

The invention allows that PSOs may be used on a time and/or events basis. This may require the availability of credit within the SPD and/or may not require the availability of said credit, in which case the user would usually be billed for use of software after submitting a periodic report to the service provider. As the PSO is used the appropriate units of usage (that may be time and/or money and/or any other token) are preferably progressively incremented against a particular vendor/product code (and/or any other method). When available credit is sufficiently utilised in conjunction with the use of one or multiple PSOs, the amount of available credit to the user is preferably decremented. The credit units within a SPD may represent any token and/or currency, using any method. The invention allows for any method and apparatus to securely store this information and this may be internal and/or external to the SPD. A number of method steps were described earlier for transferring credit to a particular SPD. A similar method may be used for supplying a service provider with information about PSO usage and for the service provider to inform the SPD that this information has been received. Said receipt usually validates further use of PSOs.

For PSOs that require the availability of credit within the SPD for continued operation, a user may be required to provide a report when available credit within the SPD is zero;
and/or
some other predetermined amount;
and/or
the user may be required to report information to the service provider on a periodic basis, and said periodic basis may be any period and it may be varied by the service provider;
and/or
the user may be required to report to the service provider when a certain number of events have occurred, that may be any combination of events, including the number of times one or multiple PSOs have been used;
and/or
a user may be required to provide a report to any appropriate party for any reason.

PSOs that do not require the presence of available credit within the SPD may share any of the reporting requirements, however, they usually are independent of the state of credit within the SPD. In practice a mix of methods may be used and a periodic report may be required. When a report is required on a periodic basis, a secure battery backed realtime clock/calendar is the preferred source for determining (in conjunction with stored and/or received information on the time intervals to be used) when the relevant time interval has occurred. When available credit expires and/or a certain date and/or time is reached and/or a certain number of events and/or type of events have occurred, part or all of the functions of the SPD may be disabled.

Whatever the trigger point for requiring the user to supply the service provider with a report (as determined by secure methods within and/or in conjunction with the SPD), the method steps to supply said report and to re-enable the SPD for further use may use any method and apparatus, including:
1) When the SPD determines that information within the SPD and/or stored external to the SPD is due for reporting to a service provider, any method may be used to alert the user. The preferred method uses the ability of the SPD to call routines independent of the operating system by having the secure processor 20 DMA directly to display memory. This may be used to overlay a message on the display device of the UCDPS advising the user to execute a program that will generate a report. This is preferably at the start of a computing session.
2) The report generator is executed and this may display a menu based system to assist the user through the process.
If information is to be transmitted to the service provider via a modem and any return information received by the same method then the process may be fully automated and transparent to the user. The invention allows for any method and apparatus that assists the user with the process. The report generator usually triggers routines within the SPD that collate and encrypt the information to be supplied to the service provider, with the information usually including one or multiple unique identity codes for a particular SPD, and this may and/or may not be encrypted. The report would usually be integrated with any information to be supplied to a service provider as regards credit remaining within a SPD.
3) The user contacts a service provider (using any method, the most convenient usually being via a modem) and supplies the service provider with the information generated by the report generator. As mentioned, if using a modem this process may have minimal user interaction. If a modem is not available the information may be sent by any method, including as a file on a diskette and/or the information may be read over a telephone (this may be verbal or use the numeric pad) and/or any other method.
4) On receipt of the information the service provider determines the identifying code of the SPD generating the report and using known details about various information within that particular SPD decrypts the report and confirms that it has not been tampered with.
5) Any method may be used to collect payment for any amounts payable as a result of use of software objects and/or any other reason.
6) The service provider prepares a one time code using any method and apparatus that may be correctly interpreted by the target SPD and is usually specific to a particular SPD.
7) The one time code is communicated to the user of the SPD and entered into the computer. The code is decoded. If an error is detected the user may be advised. The purpose of this code is usually to advise routines within the SPD that a valid report was received by the service provider. This usually allows further use of PSOs to proceed.
Other information, e.g. credit, may be included with said one time code. The process usually provides a report and ensures continued use of PSOs prior to the expiry date of the current period.
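The seven steps above as a worked exchange between an SPD and a service provider, added here as an illustration and not the patent's own code. The patent leaves the cryptography open ("any method"); this example assumes a 256-bit key shared between each SPD and the provider at enrolment, HMAC-SHA256 for the tamper check of step 4 (the report is authenticated rather than encrypted, a simplification), a sequence number as the replay guard, and an 8-digit one-time code bound to the exact report and to any credit granted with it. It also models the credit trigger described earlier: use is debited from internal credit and the SPD locks when credit reaches zero until a valid acknowledgement arrives.

```python
import hmac
import hashlib
import json

# Assumed parameters of this illustration (the patent says "any method"):
# a key shared between SPD and provider at enrolment, HMAC-SHA256 tags,
# and an 8-digit one-time acknowledgement code.
TAG_LEN = 64  # hex characters of an HMAC-SHA256 tag


def _tag(key: bytes, data: str) -> str:
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


def ack_code(key: bytes, payload: str, added_credit: int) -> str:
    """Step 6: one-time code bound to the exact report and to any credit granted,
    truncated to 8 digits so it can be read out over a telephone. Truncation
    trades brute-force margin for usability, so the SPD should rate-limit guesses."""
    digest = hmac.new(key, f"ack|{payload}|{added_credit}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class SecureProcessingDevice:
    """SPD side: meters PSO use against credit, locks when credit reaches zero,
    emits an authenticated report and unlocks only on a valid acknowledgement."""

    def __init__(self, device_id: str, key: bytes, credit: int):
        self.device_id = device_id
        self._key = key        # never leaves the SPD
        self.credit = credit
        self.usage = {}        # (vendor, product) -> units consumed
        self.seq = 0           # report sequence number, doubles as replay guard
        self.pending = None    # report awaiting acknowledgement
        self.locked = False

    def use_pso(self, vendor: str, product: str, units: int) -> bool:
        if self.locked or units > self.credit:
            self.locked = True
            return False
        self.credit -= units
        self.usage[(vendor, product)] = self.usage.get((vendor, product), 0) + units
        if self.credit == 0:
            self.locked = True   # report required when available credit is zero
        return True

    def generate_report(self) -> str:
        """Steps 1-2: collate usage per vendor/product into a report carrying the SPD identity."""
        self.seq += 1
        body = {"device_id": self.device_id, "seq": self.seq, "credit": self.credit,
                "usage": {f"{v}/{p}": n for (v, p), n in sorted(self.usage.items())}}
        self.pending = json.dumps(body, sort_keys=True)
        return self.pending + _tag(self._key, self.pending)

    def accept_ack(self, code: str, added_credit: int) -> bool:
        """Step 7: verify the one-time code; on success clear usage, add credit, unlock."""
        if self.pending is None:
            return False
        if not hmac.compare_digest(code, ack_code(self._key, self.pending, added_credit)):
            return False
        self.usage.clear()
        self.credit += added_credit
        self.pending = None
        self.locked = self.credit == 0
        return True


class ServiceProvider:
    def __init__(self):
        self._keys = {}       # device_id -> shared key
        self._last_seq = {}   # device_id -> highest sequence number accepted

    def enrol(self, device_id: str, key: bytes) -> None:
        self._keys[device_id] = key
        self._last_seq[device_id] = 0

    def receive_report(self, wire: str, added_credit: int = 0):
        """Step 4: identify the SPD, check the tag and the sequence; then issue the step 6 code."""
        payload, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        try:
            body = json.loads(payload)
        except ValueError:
            return None
        if not isinstance(body, dict):
            return None
        key = self._keys.get(body.get("device_id"))
        if key is None or not hmac.compare_digest(tag, _tag(key, payload)):
            return None           # unknown SPD, or report tampered with
        if body.get("seq", 0) <= self._last_seq[body["device_id"]]:
            return None           # replayed or stale report
        self._last_seq[body["device_id"]] = body["seq"]
        return ack_code(key, payload, added_credit)
```

The provider only ever answers a report it could authenticate, and the SPD only unlocks on a code that matches the report it actually sent, so a report altered in transit (say, to under-report usage) gets no code and the device stays locked.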


With the exception of the periodic updating of internal credits and the reporting of software usage the method and apparatus of software protection and distribution may be transparent to the user. As long as payments are made as required the user would treat a PSO as they would any presently available software object.

The preferred embodiment may be configured to allow a user to purchase a particular PSO for unlimited use. This may use any method and apparatus, including debiting the cost of the PSO from any available internal credit and setting a code to indicate a variation from the usual method of adjusting rights of access against use. Said variation may include no adjustment. One method allows for a file to be kept on a suitable mass storage device attached directly and/or indirectly to the UCDPS (referenced as Exempt PSO File or EPF). This may store, usually in encrypted format (in part or whole), one or multiple EPF records. Each EPF record preferably includes a vendor code and product code and a code that is unique to a particular SPD for that particular product. Said code is usually created when payment is made and this may be automatic when there is available credit in the SPD and/or may be supplied by the service provider on receipt of payment and/or any other method. When a PSO is loaded for execution, routines within the PSO may access the EPF file (usually under the control of the SPD) and determine whether or not a particular PSO that is normally operated on any one or multiple rights of access is exempt in part at least from this process. One alternative is for the service provider to credit any debits made for use of prepaid PSOs.
The secure code may be generated in part at least using similar methods described elsewhere in this specification for securely storing information in locations external to the SPD.
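The EPF check as an added example, not the patent's own code. The patent specifies only that a record carries a vendor code, a product code and a code unique to a particular SPD for that product; the assumptions here are a per-device key that never leaves the SPD, HMAC-SHA256 over (device id, vendor, product) as that unique code, the EPF modelled as an in-memory dict rather than the encrypted file the text describes, and a price debited from internal credit at purchase time. The point it shows is why the code must be device-specific: the same EPF copied to another SPD, or a record forged without the key, fails verification and the PSO falls back to metered use.

```python
import hmac
import hashlib


class SPD:
    """Secure processing device holding a per-device key (assumed) and internal credit."""

    def __init__(self, device_id: str, key: bytes, credit: int):
        self.device_id = device_id
        self._key = key          # never leaves the SPD
        self.credit = credit

    def _exempt_code(self, vendor: str, product: str) -> str:
        # Binds (device, vendor, product): a record copied to another SPD is
        # checked under a different key and therefore does not verify.
        msg = f"{self.device_id}|{vendor}|{product}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def purchase_unlimited(self, epf: dict, vendor: str, product: str, price: int) -> bool:
        """Debit the price from internal credit and write an EPF record for this SPD."""
        if price > self.credit:
            return False
        self.credit -= price
        epf[f"{vendor}/{product}"] = {"vendor": vendor, "product": product,
                                     "code": self._exempt_code(vendor, product)}
        return True

    def is_exempt(self, epf: dict, vendor: str, product: str) -> bool:
        """Called when a PSO loads: exempt only if a record exists for this
        vendor/product and its code verifies under this SPD's key."""
        rec = epf.get(f"{vendor}/{product}")
        if rec is None or rec.get("vendor") != vendor or rec.get("product") != product:
            return False
        return hmac.compare_digest(rec.get("code", ""), self._exempt_code(vendor, product))


def load_pso(spd: SPD, epf: dict, vendor: str, product: str, units: int) -> str:
    """Decide how a loaded PSO is charged: prepaid (exempt), metered against credit, or refused."""
    if spd.is_exempt(epf, vendor, product):
        return "exempt"
    if units > spd.credit:
        return "refused"
    spd.credit -= units
    return "metered"
```

Keying the record to the SPD rather than encrypting the whole file is what stops a purchased EPF from being shared; encrypting the file as the text suggests additionally hides which products were bought, but on its own would not prevent a copied file from being honoured by a second device that holds the same file key.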

The preferred embodiment may be configured to permit a user to transfer part at least of one or multiple generic and/or distinct rights to another SPD and/or to the service provider (and/or any other authorised party). This may also include the transfer of credit in part at least. This may be for any reason, for example, the user may have a new UCDPS and/or the user may wish to sell part or all of any rights to another user. The invention also allows that one or multiple PSOs may not offer this facility (eg. as indicated by an appropriate field in the conditions of use). The preferred option may include the following method steps:
1) the user activates a program to reverse various capabilities granted to a particular SPD, for example activation codes and/or discount schedules. This would usually initiate a menu type screen on the display device of the UCDPS to assist the process.
2) the user nominates those PSOs that are to have part or all rights of use transferred to another SPD.
3) the program may change various internal locations and may change various external locations such that existing rights are no longer valid on the SPD.
4) encrypted information is supplied to the service provider indicating that various access rights to one or multiple PSOs have been modified, and the encrypted information (using any method and apparatus) is decrypted and verified for validity, using any method and/or apparatus.
5) the user usually informs the service provider of the new SPDs that various access rights are to be transferred to. This may be multiple SPDs.
6) any codes and/or discounts and/or new versions of existing PSOs are prepared for the nominated PSOs and supplied appropriately.
If the transfer is back to the service provider, the user account may be credited.


The decoding of other information. The present invention also allows for the inclusion of part or all of the method and apparatus described in this specification when used in conjunction (in any manner) with any secure apparatus (that may be one or multiple devices and said device may be an integrated circuit) for use in:
the secure decoding of encrypted (in part or whole) video information and/or any other encrypted (in part or whole) visual information, and/or the secure generation of the necessary signals to display the decoded information on a suitable visual output device, with said necessary signals preferably contained within a secure location within said visual output device; and/or
the secure decoding of encrypted (in part or whole) sound information and/or the secure creation from this decoded information of the necessary signals to drive a speaker (and/or equivalent), with said necessary signals preferably contained within said speaker (or equivalent); and/or
the secure decoding of encrypted (in part or whole) text as may be the case with electronic books and/or newspapers (and/or any other printed matter of commercial value that is distributed in electronic form) and the secure generation of the necessary signals to display the decoded information on a suitable visual output device;
this particularly applies when said secure apparatus securely monitors and/or logs (directly and/or indirectly) the use of the encrypted information as it is decoded and used within said secure apparatus, and/or that includes (directly and/or indirectly) one or multiple methods and apparatus to ensure payment is made for said use.

Any combination of software and/or hardware and/or microcode may be used to implement the method and apparatus, with the preferred method and apparatus:
retrieving pricing information from the encrypted information; and/or
timing the use (and/or counting the frequency of use) of said encrypted information; and/or
storing this within the secure apparatus (that may include secure locations external to the secure apparatus) in non-volatile storage elements; and/or
debiting an amount of electronic funds previously deposited within the secure apparatus; and/or
recording an amount to charge at a future date; and/or
generating a report of usage (preferably with a breakdown for each vendor and/or product) that is supplied to the information provider (and/or agents) using any method, and/or a system to ensure that said report of usage has been received by the relevant parties; and/or
that may disable part or all of its capabilities in the event that deposited funds expire and/or internal credit limits are exceeded and/or a report is not provided to the relevant parties and/or periodic information is not received from said relevant parties; and/or
that may be updated with additional electronic funds and/or any previously used (or expired) credit limits reset. The encrypted information may be supplied on any computer-readable physical media (e.g. CDROM or Videodisc) and/or broadcast using any method.
The preferred embodiment of a secure processing means may be readily implemented inside any device(s) that are connected to the system CPU 1 of a UCDPS. The graphics and sound generating devices of a UCDPS are usually connected (directly and/or indirectly) to the system bus. The objective of meeting the requirements of secure processing of software objects (that as previously described may be computer programs and/or visual objects and/or sound objects) may readily be implemented in a graphics device and/or sound device using the method and apparatus described. These devices may be implemented in a single integrated device. The invention may be configured to process any one or multiple (in part at least) types of software objects. The invention may perform as a secure multimedia processing means.

While the preferred forms and embodiments of the invention have been disclosed with reference to the preceding description, it is to be understood that various changes in detail and arrangement may be made without departing from the spirit of the present invention or from the scope of the appended claims.


Claims (33)

    What is claimed:
  1. Claim 1. A method of distributing and/or potentially distributing a plurality of application means for use on, one at least, electronic appliances, wherein, one at least, said application means is defined, in part at least, by, one at least, software objects, and, one at least, said software objects, in part at least, consists of digital information, wherein, a) one at least, said application means, comprises, in part at least:
    i) a computer application program, wherein, said computer application program includes, instructions for said program and/or data for said program;
    and/or ii) an electronic game; and/or iii) digital information representative of sound; and/or iv) digital information representative of a song; and/or v) digital information representative of images; and/or vi) digital information representative of images and sound; and/or vii) digital information representative of a motion picture; and/or viii) digital information representative of a literary text; and/or ix) computer program, wherein, said computer program includes instructions for said program and/or data for said program;
    and b) one at least, of said software objects are functionally limited such that they must be used in conjunction with a secure processing means coupled to said electronic appliance, wherein, said secure processing means, in part at least, reverses said functional limitation;

    and c) the reversal by said secure processing means, of part at least, of one at least, functional limitations applied to, one at least, said software objects, is dependent, in part at least, on the coupling of, at least one, generic rights of access to said secure processing means, wherein, at least one, said generic rights of access, is a means that, in part at least, enables and/or has the potential to enable, said secure processing means to reverse, part at least, of said functional limitation on one at least functionally limited software objects, such that a plurality of said application means may function correctly;
    and d) said electronic appliance, in part at least, includes, one at least, of the following:
    i) a means that can access, one at least, said functionally limited software objects stored on an optical storage media, wherein, said optical media is, readable and/or writeable;
    and encrypted digital content information that, in part at least, is representative of sound information, is maintained, in part at least, in a format that is not practical to analyse, until said maintained is converted to an analogue signal;
    ii) a means that can access, one at least, said functionally limited software objects stored on an optical storage media, wherein, said optical media is, readable and/or writeable;
    and encrypted digital content information that, in part at least, is representative of sound information, is maintained, in part at least, in a format that is not practical to analyse, until said maintained is converted to an analogue signal, wherein, said analogue signal, in part at least, can drive a speaker and/or other sound generating means;
    iii) a means that can access, one at least, functionally limited software objects stored on an optical storage media, wherein, said optical media is, readable and/or writeable;
    and encrypted digital content information that, in part at least, is representative of sound information, is maintained, in part at least, in a format that is not practical to analyse, until said maintained is converted to an analogue signal, wherein, said analogue signal, in part at least, can drive a speaker and/or other sound generating means, and the analogue information for driving said speaker, is in part at least, secured from analysis in transit to the speaker and/or other sound generating means;
    iv) the means of said i) and/or ii) and/or iii), wherein said means is a peripheral device to a User Controlled Data Processing System;
    v) the means of said i) and/or ii) and/or iii), wherein said means attaches to a User Controlled Data Processing System;
    vi) the means of said v), wherein said attaches, is to, one at least, input and/or output ports coupled to a User Controlled Data Processing System;
    vii) the means of said i) and/or ii) and/or iii), wherein said means, in part at least, is an integral component of a User Controlled Data Processing System;
    viii) said iv) and/or v) and/or vi) and/or vii), wherein, part at least, of said secure processing means coupled to said electronic appliance is provided, in part at least, by a secure processing means coupled to said User Controlled Data Processing System.
  2. Claim 2. A method of distributing and/or potentially distributing a plurality of application means for use on, one at least, electronic appliances, wherein, one at least, said application means is defined, in part at least, by, one at least, software objects, and, one at least, said software objects, in part at least, consists of digital information, wherein, a) one at least, said application means, comprises, in part at least:
    i) a computer application program, wherein said computer application program includes, instructions for said program and/or data for said program;
    and/or ii) an electronic game; and/or iii) digital information representative of sound; and/or iv) digital information representative of a song; and/or v) digital information representative of images; and/or vi) digital information representative of images and sound; and/or vii) digital information representative of a motion picture; and/or viii) digital information representative of a literary text; and/or ix) computer program, wherein, said computer program includes instructions for said program and/or data for said program;
    and b) one at least, of said software objects are functionally limited such that they must be used in conjunction with a secure processing means coupled to said electronic appliance, wherein, said secure processing means, in part at least, reverses said functional limitation;
    and c) the reversal by said secure processing means, of part at least, of one at least, functional limitations applied to, one at least, said software objects, is dependent, in part at least, on the coupling of, at least one, generic rights of access to said secure processing means, wherein, at least one, said generic rights of access, is a means that, in part at least, enables and/or has the potential to enable, said secure processing means to reverse, part at least, of said functional limitations on one at least functionally limited software objects, such that a plurality of said application means may function correctly, and d) said electronic appliance, in part at least, includes, one at least, of the following:
    i) a means that can access, one at least, said functionally limited software objects stored on an optical storage media, wherein, said optical media is, readable and/or writeable;
    and encrypted digital information that, in part at least, is representative of visual information, is maintained, in part at least, in a format that is not practical to analyse, until said maintained is converted to a digital and/or analogue signal to drive a display means, wherein said analogue signal, in part at least, is not a video signal;
    ii) a means that can access, one at least, said functionally limited software objects stored on an optical storage media, wherein, said optical media is, readable and/or writeable;
    and encrypted digital information that, in part at least, is representative of visual information, is maintained, in part at least, in a format that is not practical to analyse, until said maintained is converted to a digital and/or analogue signal to drive a display means, wherein said analogue signal, in part at least, is not a video signal; and said signal to drive said display means, is in part at least, secured from analysis in transit to said display means;
    iii) the means of said i) and/or ii), wherein said means is a peripheral device to a User Controlled Data Processing System;
    iv) the means of said i) and/or ii), wherein said means attaches to a User Controlled Data Processing System;
    v) the means of said iv), wherein said attaches, is to, one at least, input and/or output ports coupled to a User Controlled Data Processing System;
    vi) the means of said i) and/or ii), wherein said means, in part at least, is an integral component of a User Controlled Data Processing System;
    vii) said iii) and/or iv) and/or v) and/or vi), wherein, part at least, of said secure processing means coupled to said electronic appliance is provided, in part at least, by a secure processing means coupled to said User Controlled Data Processing System.
  3. Claim 3. A method of distributing and/or potentially distributing a plurality of application means for use on, one at least, electronic appliances, wherein, one at least, said application means is defined, in part at least, by, one at least, software objects, and, one at least, said software objects, in part at least, consists of digital information, wherein, a) one at least, said application means, comprises, in part at least:
    i) a computer application program, wherein, said computer program includes, instructions for said program and/or data for said program;
    and/or ii) an electronic game; and/or iii) digital information representative of sound; and/or iv) digital information representative of a song; and/or v) digital information representative of images; and/or vi) digital information representative of images and sound; and/or vii) digital information representative of a motion picture; and/or viii) digital information representative of a literary text; and/or ix) computer program, wherein, said computer program includes instructions for said program and/or data for said program;
    and b) one at least, of said software objects are functionally limited such that they must be used in conjunction with a secure processing means coupled to said electronic appliance, wherein, said secure processing means, in part at least, reverses said functional limitation;
    and c) the reversal by said secure processing means, of part at least, of one at least, functional limitations applied to, one at least, said software objects, is dependent, in part at least, on the coupling of, at least one, generic rights of access to said secure processing means, wherein, at least one, said generic rights of access, is a means that, in part at least, enables and/or has the potential to enable, said secure processing means to reverse, part at least, of said functional limitation on one at least functionally limited software objects, such that a plurality of said application means may function correctly;
    and d) said electronic appliance, in part at least, includes, one at least, of the following:
    i) a means that can access, one at least, said functionally limited software objects stored on an optical storage media, wherein, said optical media is, readable and/or writeable;
    and said functionally limited software object, in part at least, is representative of:
    visual information and sound, or visual information, and said representative is maintained, in part at least, in a format that is not practical to analyse, and said means is a peripheral apparatus to a User Controlled Data Processing System;
    ii) the means of said i), wherein said means attaches to a User Controlled Data Processing System;
    iii) the means of said ii), wherein said attaches, is to, one at least, input and/or output ports coupled to a User Controlled Data Processing System;

    iv) said ii) and/or iii), wherein, part at least, of said secure processing means coupled to said electronic appliance is provided, in part at least, by a secure processing means coupled to said User Controlled Data Processing System.
  4. Claim 4. A method of distributing and/or potentially distributing a plurality of computer application programs for use on, one at least, electronic appliances, wherein, one at least, said computer application programs is defined, in part at least, by, one at least, software objects, and, one at least, said software objects, consists of digital information, in part at least, and, b) one at least, of said software objects are functionally limited such that they must be used in conjunction with a secure processing means coupled to said electronic appliance, wherein, said secure processing means, in part at least, reverses said functional limitation;
    and c) the reversal by said secure processing means, of part at least, of one at least, functional limitations applied to, one at least, said software objects, is dependent, in part at least, on the coupling of, at least one, generic rights of access to said secure processing means, wherein, at least one, said generic rights of access, is a means that, in part at least, enables and/or has the potential to enable, said secure processing means to reverse, part at least, of said functional limitation on, one at least, functionally limited software objects, such that a plurality of said computer application programs may function correctly;
    and one at least of the following apply:
    i) a plurality of said computer application programs have the potential to execute in a multitasking environment coupled to said electronic appliance;
    ii) a plurality of said computer applications have the potential to execute in a multiprocessor environment coupled to said electronic appliance;
    iii) part at least, of the instructions constituting said computer application program are decrypted and executed in a logically secure environment;
    iv) part at least, of the instructions constituting said computer application program are decrypted and executed in a physically secure environment;
    v) part at least, of the data constituting said computer application program are decrypted and processed in a logically secure environment;
    vi) part at least, of the data constituting said computer application program are decrypted and processed in a physically secure environment.
  5. Claim 5. The method of distributing application programs in claim 4, wherein, part at least, of said plurality of computer application programs comprises one at least computer game.
  6. Claim 6. The method of converting an electronic appliance that does not provide a logically and/or physically secure processing means, to an electronic appliance that does provide a logically and/or physically secure processing means, by the method step of, attaching said logically and/or physically secure processing means, to said electronic appliance that does not provide said secure processing means, wherein, said converted electronic appliance, subject to the coupling of, one at least, appropriate rights of access to said secure processing means, is enabled, in part at least, to use and/or has the potential to be enabled, in part at least, to use, at least one, said application means, wherein, said application means are distributed as a plurality of said application means and/or are potentially able to be distributed as a plurality of application means, wherein, one at least, said application means is defined, in part at least, by, one at least, software objects, and, one at least, said software objects, in part at least, consists of digital information, wherein, a) one at least, said application means, comprises, in part at least:
    i) a computer application program, wherein, said computer application program includes, instructions for said program and/or data for said program;
    and/or ii) an electronic game; and/or iii) digital information representative of sound; and/or iv) digital information representative of a song; and/or v) digital information representative of images; and/or vi) digital information representative of images and sound; and/or vii) digital information representative of a motion picture; and/or viii) digital information representative of a literary text; and/or ix) computer program, wherein, said computer program includes instructions for said program and/or data for said program;
    and b) one at least, of said software objects are functionally limited such that they must be used in conjunction with said logically and/or physically secure processing means coupled to said electronic appliance, wherein, said secure processing means, in part at least, reverses said limitation;

    and c) the reversal by said logically and/or physically secure processing means, of part at least, of one at least, functional limitations applied to, one at least, said software objects, is dependent, in part at least, on the coupling of, at least one, generic rights of access to said secure processing means, wherein, at least one, said generic rights of access, is a means that, in part at least, enables and/or has the potential to enable, said secure processing means to reverse, part at least, of said functional limitation on one at least functionally limited software objects, such that a plurality of said application means may function correctly.
  7. Claim 7. The method of claim 6, wherein, said attaching said logically and/or physically secure processing device includes, one at least of the following:
    i) replacing one at least system CPU's in a User Controlled Data Processing System with a system CPU that, in part at least, includes a logically and/or physically secure processing means;
    ii) plugging one at least apparatus into a system bus connector inside the case of a User Controlled Data Processing System;
    iii) attaching an apparatus to one at least Input and/or Output means coupled to a User Controlled Data Processing System;
    iv) attaching an apparatus to one at least parallel port means;
    v) attaching an apparatus to a serial input and/or output means.
  8. Claim 8. A method of distributing and/or potentially distributing a plurality of application means for use on, one at least, electronic appliances, wherein, one at least, said application means is defined, in part at least, by, one at least, software objects, and, one at least, said software objects, in part at least, consists of digital information, wherein, a) one at least, said application means, comprises, in part at least;
    i) a computer application program, wherein, said computer application program includes, instructions for said program and/or data for said program;
    and/or ii) an electronic game; and/or iii) digital information representative of sound; and/or iv) digital information representative of a song; and/or v) digital information representative of images; and/or vi) digital information representative of images and sound; and/or vii) digital information representative of a motion picture; and/or viii) digital information representative of a literary text; and/or ix) computer program, wherein, said computer program includes instructions for said program and/or data for said program;
    and b) one at least, of said software objects are functionally limited such that they must be used in conjunction with a secure processing means coupled to said electronic appliance, wherein, said secure processing means, in part at least, reverses said functional limitation;

    and c) the reversal by said secure processing means, of part at least, of one at least, functional limitations applied to, one at least, said software objects, is dependent, in part at least, on the coupling of, at least one, generic rights of access to said secure processing means, wherein, at least one, said generic rights of access, is a means that, in part at least, enables and/or has the potential to enable, said secure processing means to reverse, part at least, of said functional limitation on one at least functionally limited software objects, such that a plurality of said application means may function correctly;
    and d) compiling:
    i) a plurality of said application means onto, one at least, optical media, wherein, said plurality, includes application means from a plurality of producers;
    and/or ii) one at least libraries of said application means onto, one at least, optical media, wherein, said one at least libraries, includes application means from a plurality of producers.
  9. Claim 9. The method of distribution of claim 8, wherein said optical media of said d) are supplied, in part at least, to one at least said electronic appliances.
  10. Claim 10. The method of distribution of claims 8 and/or 9, wherein said application means are compiled onto one at least optical media, to extend the number of available said application means and/or to update existing said application means, and supplied, in part at least, to one at least said electronic appliance.
  11. Claim 11. The method of distribution of any of claims 8, 9, and/or 10, wherein, said application means, are made available, in part at least, by online means.
  12. Claim 12. The method of distribution of claim 11, wherein said online means, includes, in part at least, connection to the Internet.
  13. Claim 13. The method of distribution of any of claims 8, 9, 10, 11, and/or 12;
    and/or the methods of any of claims 8, 9, 10, 11, and/or 12, wherein, said plurality of application means is from a single producer and not a plurality of producers, and said secure processing means is coupled with, at least one right of access, that has a predetermined period of validity, and said one at least right of access:
    is used to enable, in part at least, the use of multiple application means from said plurality of available application means;
    and/or has the potential to enable, in part at least, the use of multiple application means from said plurality of available application means;
    for the duration of the period of validity of said right of access.
  14. Claim 14. The method of distribution of claim 13, wherein, said multiple is any number greater than one and less than or equal to said plurality of available application means.
  15. Claim 15. The method of distribution of claim 13, wherein, said predetermined period of validity is provided for a predetermined cost.
  16. Claim 16. The method of distribution of any of claims 13, 14, 15, wherein multiple rights of access that are valid for a predetermined period are coupled to said secure processing means, wherein, one at least of said multiple rights of access is valid for the same predetermined period as one at least other said multiple rights of access;
    and/or one at least of said multiple rights of access is valid for a different predetermined period as one at least other said multiple rights of access;
    and/or one at least, of said multiple rights of access, enables and/or has the potential to enable, at least one of said application means, that is not enabled and/or not potentially able to be enabled, by one at least, other said multiple rights of access;
    and/or the predetermined cost of, one at least, said multiple rights of access, is equivalent to the predetermined cost of, one at least, other said multiple rights of access;
    and/or the predetermined cost of, one at least, said multiple rights of access, is different to the predetermined cost of, one at least, other said multiple rights of access.
  17. Claim 17. The method of distribution of any of claims 15 and/or 16, wherein one at least said predetermined costs is discounted.
  18. Claim 18. The method of distribution of any of claims 15 and/or 16, wherein, one at least, said predetermined costs is paid, in part at least, by advertising.
  19. Claim 19. The method of distribution of any of claims 13, 14, 15, 16, 17 and/or 18 with the added method step of securely metering, in part at least, the usage of, one at least, said application means.
  20. Claim 20. The method of distribution of claim 19, wherein said metering includes one at least of:
    i) units of time, one at least, said application means are used for;
    ii) number of events applying to, one at least, said application means.
  21. Claim 21. The method of distribution of claims 19 and/or 20, wherein, a report of, part at least, of metered usage, is securely created, in part at least, and supplied, in part at least, to a location remote to said electronic appliance.

    Claim 22. The method of distribution of claim 21, wherein said reported metered usage, is used, in part at least, to determine, the distribution to one at least producers and/or agents of one at least said application means, of revenue paid and/or payable, for providing, to one at least, said secure processing means, one at least, said right of access valid for a predetermined period.
  22. Claim 22. The method of distribution of claim 22, wherein, said distribution of revenue, is based, in part at least, on the fractional and/or percentage, and/or ratio of use of one at least said application means, by one at least said secure processing means, as compared with, part or all use, of said application means, enabled by, one at least, said rights of access with a predetermined period of validity, by one at least said secure processing means.
  23. Claim 23. The method of claim 22, wherein, said ratio and/or percentage and/or fraction, for one at least said application means, is determined, in part at least, by determining the number of units of time, or part thereof, used for said application means, and dividing this by part at least of the total number of units of time used for, part or all, application means accessed using, one at least, said right of access with predetermined period of validity.
  24. Claim 24. The method of distribution of Claim 22, wherein, the revenue paid for use of, one at least, said application means, is based, in part at least, on time usage, however, the amount paid and/or payable to one at least producers and/or agents for n units of time used for said one at least application means, by a first secure processing means, is different to the amount paid and/or payable to said, one at least, producers and/or agents for n units of time used for the same said one at least application means, by a second secure processing means.
  25. Claim 25. The method of claim 24, wherein, the amount charged for, one at least, said right of access for a predetermined period, to said one at least application means, is the same for said first secure processing means and said second secure processing means.
  26. Claim 26. The method of distribution of claim 25, wherein, one at least, said right of access for a predetermined period, provides and/or potentially provides said first secure processing means and said second secure processing means access to the same plurality of application means.
  27. Claim 27. The method of any of claims 4 through 26, wherein said electronic appliance, comprises a User Controlled Data Processing System, in part at least.
  28. Claim 28. The method of software distribution of any of claims 1 through 27, wherein, said functional limitation includes, one at least, of:
    ~ encryption, in part at least, of said software objects;
    ~ encryption, in part at least, of one at least, essential portions of said software object;
    ~ deletion, in part at least, of digital information from said software object;
    ~ deletion, in part at least, of one at least, essential portions of digital information from said software objects;
    ~ addition of digital information to said software object;
    ~ addition of digital information to said software object, wherein said addition, in part at least, includes control information pertaining to the use of said one at least software objects and/or one at least other software objects;
    ~ addition of digital information to said software object, wherein said addition, in part at least, is a secure means to couple said software object to control information.
  29. Claim 29. The method of software distribution of any of claims 1 through 28, wherein, said secure processing means is coupled to a means to limit the validity of, one at least, said generic right of access.
  30. Claim 30. The method of limiting the validity of said one at least generic rights of claim 29, wherein said limitation is based on, one at least, of:
    i) a predetermined date and/or time of expiration means coupled to one at least generic rights;
    ii) a predetermined date and/or time of expiration means, coupled to one at least generic rights, wherein, said expiration is coupled, in part at least, to one at least date and/or time values in a secure clock and/or calendar means, coupled to said secure processing means;
    iii) a predetermined number of units of time, wherein said units of time are consumed by the use of, one at least, said functionally limited software objects and the validity of said units of time expire, in part at least, when they reach a value, and/or a predetermined value, and/or a value of zero;
    iv) a predetermined number of units of one at least measurable events, wherein said units of measurable events are consumed by the use of, one at least, said functionally limited software objects and the validity of said units of measurable events expire, in part at least, when they reach a value, and/or a predetermined value, and/or zero;
    v) a predetermined number of units, of one at least, electronic funds, wherein said electronic funds are consumed by the use of, one at least, said functionally limited software objects and the validity of said electronic funds expire, in part at least, when they reach a value, and/or a predetermined value, and/or zero;
    vi) a predetermined number of units, of one at least, electronic funds representing, one at least generic units of currency, wherein said electronic funds are consumed by the use of, one at least, said functionally limited software objects and the validity of said electronic funds expire, in part at least, when they reach a value, and/or a predetermined value, and/or zero;
    vii) a predetermined number of units, of one at least, electronic funds representing one at least, legal tender currencies, wherein said electronic funds are consumed by the use of, one at least, said functionally limited software objects and the validity of said electronic funds expire, in part at least, when they reach a value, and/or a predetermined value, and/or zero;
    viii) a successful audit of software object usage;
    ix) a successful audit of software usage, wherein, said audit is within a predetermined time and/or date;
    x) a successful audit of software usage, wherein, said audit is within a predetermined time and/or date, and said time and/or date is determined, in part at least, on the basis of one at least values provided by a secure clock and/or calendar means coupled to said secure processing means;
    xi) continued logical and/or physical security of said secure processing means.
  31. Claim 31. The method of claim 30, wherein, said successful audit, includes the generation of a secure report of software object usage, and/or the transfer of said report to one at least, authorized parties, and/or receipt of confirmation by said secure processing means that said report has been received by one at least said authorized parties.
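A worked model of the mechanics claimed in claims 19 through 31, added here as an illustration and not the patent's own implementation: a right of access whose validity is limited by a secure-clock expiry, a prepaid balance of time units and a recent successful audit (claim 30), metering of usage in time units (claims 19 and 20), an authenticated usage report whose confirmed receipt counts as the audit (claims 21 and 31), and revenue split by each application's share of total metered time (claim 23). The application names, the HMAC key, the clock values and the usage figures are all constructed for the example.

```python
"""Toy model of the claimed scheme: a right of access limited by secure-clock
expiry, a prepaid time-unit balance and a recent audit (claim 30); metering in
time units (claims 19-20); an authenticated usage report (claims 21, 31); and
revenue split by share of metered time (claim 23). All values constructed."""
import hashlib, hmac, json
from dataclasses import dataclass, field

@dataclass
class RightOfAccess:
    expires_at: int       # secure-clock time after which the right is void
    units_remaining: int  # prepaid time units, consumed by use
    audit_interval: int   # longest permitted gap since the last successful audit
    last_audit_at: int

    def is_valid(self, now: int) -> bool:
        # Every limit is enforced; exhausting any one disables the right.
        return (now < self.expires_at and self.units_remaining > 0
                and now - self.last_audit_at <= self.audit_interval)

@dataclass
class SecureProcessor:
    right: RightOfAccess
    report_key: bytes                          # shared with the remote auditor
    usage: dict = field(default_factory=dict)  # app id -> metered time units

    def run(self, app: str, units: int, now: int) -> bool:
        """Enable `app` for `units` of time; consume and meter only if granted."""
        if not self.right.is_valid(now) or units > self.right.units_remaining:
            return False
        self.right.units_remaining -= units
        self.usage[app] = self.usage.get(app, 0) + units
        return True

    def report(self, now: int) -> dict:
        """Claim 21: canonical JSON body plus HMAC so tampering is detectable."""
        body = json.dumps({"usage": self.usage, "at": now}, sort_keys=True)
        mac = hmac.new(self.report_key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}

    def confirm_audit(self, now: int) -> None:
        """Claim 31: receipt of the report confirmed, so the audit succeeded."""
        self.right.last_audit_at = now

def verify_report(key: bytes, rep: dict) -> bool:
    expect = hmac.new(key, rep["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, rep["mac"])

def revenue_shares(usage: dict, revenue_cents: int) -> dict:
    """Claim 23: share = app's time units / total time units (floored to cents)."""
    total = sum(usage.values())
    return {app: revenue_cents * units // total for app, units in usage.items()} if total else {}

def demo() -> dict:
    right = RightOfAccess(expires_at=2000, units_remaining=50,
                          audit_interval=500, last_audit_at=900)
    spm = SecureProcessor(right, b"constructed-demo-key")
    results = [spm.run("wordproc", 30, now=1000),  # granted, 20 units left
               spm.run("game", 10, now=1100),      # granted, 10 units left
               spm.run("game", 40, now=1200),      # refused: exceeds balance
               spm.run("game", 5, now=1450)]       # refused: audit overdue
    rep = spm.report(now=1450)
    spm.confirm_audit(now=1450)                    # auditor confirmed receipt
    results.append(spm.run("game", 5, now=1460))   # granted again
    results.append(spm.run("game", 1, now=2500))   # refused: right expired
    return {"results": results, "usage": dict(spm.usage), "report": rep}
```

The refusals in `demo()` show the three independent validity limits of claim 30 acting on the same right; only granted requests are metered, so the report and the revenue split reflect actual use.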
  32. Claim 32. The method of distribution of any of claims 1 through 31, wherein, one at least, said generic rights of access, is a right of access means, in part at least, based on, one at least, of:
    i) a predetermined date and/or time of expiration means;
    ii) a predetermined date and/or time of expiration means, wherein, said expiration is coupled, in part at least, to one at least, date and/or time value in a secure clock and/or calendar means, coupled to said secure processing means;
    iii) a predetermined number of units of time;
    iv) a predetermined number of units of time, wherein said units of time are consumed by the use of, one at least, said functionally limited software objects;
    v) a predetermined number of units of, one at least, measurable events;
    vi) a predetermined number of units of one at least measurable events, wherein said units of measurable events are consumed by the use of, one at least, said functionally limited software objects and the validity of said units of measurable events expire, in part at least, when they reach a value, and/or a predetermined value, and/or zero;
    vii) a predetermined number of units, of one at least, electronic funds;
    viii) a predetermined number of units, of one at least, electronic funds, wherein said electronic funds are consumed by the use of, one at least, said functionally limited software objects and the validity of said electronic funds expire, in part at least, when they reach a value, and/or a predetermined value, and/or zero;
    ix) a predetermined number of units, of one at least, electronic funds representing, one at least generic units of currency;
    x) a predetermined number of units, of one at least, electronic funds representing, one at least generic units of currency, wherein said electronic funds are consumed by the use of, one at least, said functionally limited software objects and the validity of said electronic funds expire, in part at least, when they reach a value, and/or a predetermined value, and/or zero;
    xi) a predetermined number of units, of one at least, electronic funds representing, one at least, legal tender currencies;
    xii) a predetermined number of units, of one at least, electronic funds representing, one at least, legal tender currencies, wherein said electronic funds are consumed by the use of, one at least, said functionally limited software objects and the validity of said electronic funds expire, in part at least, when they reach a value, and/or a predetermined value, and/or zero.
  33. Claim 33. The method of distribution of any of claims 1 through 32, wherein, said secure processing means, comprises, in part at least, a logically and/or physically secure processing and memory storage means.
Applications Claiming Priority (8)

Application Number Priority Date Filing Date Title
AUPN7479A AUPN747996A0 (en) 1996-01-10 1996-01-10 Method and system for protection and distribution of computer software
AUPN7429 1996-01-10
AUPO0276A AUPO027696A0 (en) 1996-06-06 1996-06-06 Method and apparatus for securely executing encrypted programs and or performing other private functions within the system cpu
AUPO0276 1996-06-06
AUPO0777 1996-07-01
AUPO0777A AUPO077796A0 (en) 1996-07-01 1996-07-01 Secure computer processing
AUPO1462 1996-08-06
AUPO1462A AUPO146296A0 (en) 1996-08-06 1996-08-06 A method and apparatus for protecting and or distributing software objects

Publications (1)

Publication Number Publication Date
CA2242777A1 true CA2242777A1 (en) 1997-07-17

Family

ID=27424406

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002242777A Abandoned CA2242777A1 (en) 1996-01-10 1997-01-10 A secure pay-as-you-use system for computer software

Country Status (3)

Country Link
CA (1) CA2242777A1 (en)
GB (1) GB2325319A (en)
WO (1) WO1997025675A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8451020B2 (en) 2010-09-30 2013-05-28 International Business Machines Corporation System and method for integrated circuit module tamperproof mode personalization

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AUPO704097A0 (en) * 1997-05-29 1997-06-19 Griffits, John Philip Priority display of advertising on a personal computer
CA2634812C (en) * 1997-09-16 2010-03-30 Safenet, Inc. Cryptographic co-processor
GB9930145D0 (en) 1999-12-22 2000-02-09 Kean Thomas A Method and apparatus for secure configuration of a field programmable gate array
WO2001046810A1 (en) * 1999-12-22 2001-06-28 Algotronix Ltd. Method and apparatus for secure configuration of a field programmable gate array
US7240218B2 (en) 2000-02-08 2007-07-03 Algotronix, Ltd. Method of using a mask programmed key to securely configure a field programmable gate array
JP4033619B2 (en) * 2000-05-26 2008-01-16 シャープ株式会社 Server device
GB0020370D0 (en) * 2000-08-18 2000-10-04 Hewlett Packard Co Trusted device
WO2002089031A1 (en) * 2001-04-24 2002-11-07 Sony Corporation Information processing device for charging and its method
GB2378529A (en) * 2001-05-09 2003-02-12 Sysmedia Ltd Pay per use software
FR2839793B1 (en) * 2002-05-15 2004-08-27 Noan Olivier Le SYSTEMS AND METHODS FOR SELECTIVELY CONTROLLING AND ACCOUNTING THE EFFECTIVE USE OF PROGRAMS SUCH AS SOFTWARE ON COMPUTER STATIONS
US9652637B2 (en) 2005-05-23 2017-05-16 Avago Technologies General Ip (Singapore) Pte. Ltd. Method and system for allowing no code download in a code download scheme
US7596671B2 (en) 2005-11-09 2009-09-29 Microsoft Corporation Pre-paid computer monitoring hardware
US9904809B2 (en) 2006-02-27 2018-02-27 Avago Technologies General Ip (Singapore) Pte. Ltd. Method and system for multi-level security initialization and configuration
US9177176B2 (en) * 2006-02-27 2015-11-03 Broadcom Corporation Method and system for secure system-on-a-chip architecture for multimedia data processing
US9489318B2 (en) 2006-06-19 2016-11-08 Broadcom Corporation Method and system for accessing protected memory
US7844808B2 (en) 2006-12-18 2010-11-30 Microsoft Corporation Computer compliance enforcement
US10678924B2 (en) * 2016-08-10 2020-06-09 Qualcomm Incorporated Hardware-based software-resilient user privacy exploiting ephemeral data retention of volatile memory
FR3108748B1 (en) 2020-03-30 2022-02-25 Cosmian Tech Protection of secret software and confidential data in a secure enclave

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE3751047T2 (en) * 1986-11-05 1995-08-10 Ibm Software protection system including a one-key crypto system, a hardware-based authorization system and a protected additional processor.
ATE143511T1 (en) * 1989-04-28 1996-10-15 Softel Inc METHOD AND DEVICE FOR REMOTE CONTROL AND MONITORING THE USE OF COMPUTER PROGRAMS
CA2035697A1 (en) * 1991-02-05 1992-08-06 Brian James Smyth Encryption apparatus for computer device
JP3073590B2 (en) * 1992-03-16 2000-08-07 富士通株式会社 Electronic data protection system, licensor's device and user's device
US5276735A (en) * 1992-04-17 1994-01-04 Secure Computing Corporation Data enclave and trusted path system
US5394469A (en) * 1994-02-18 1995-02-28 Infosafe Systems, Inc. Method and apparatus for retrieving secure information from mass storage media

Also Published As

Publication number Publication date
WO1997025675A1 (en) 1997-07-17
GB9817142D0 (en) 1998-10-07
GB2325319A (en) 1998-11-18

Legal Events

Date Code Title Description
FZDE Discontinued