CN1842759A - Portable storage device and method of managing files in the portable storage device - Google Patents


Publication number
CN1842759A
Authority
CN
China
Prior art keywords
file
right objects
control module
certificate
visit
Legal status
Granted
Application number
CNA2005800010055A
Other languages
Chinese (zh)
Other versions
CN100555205C (en)
Inventor
李炳来
金泰成
尹重喆
郑勍任
Current Assignee
Samsung Electronics Co Ltd
Original Assignee
Samsung Electronics Co Ltd
Application filed by Samsung Electronics Co Ltd
Publication of CN1842759A
Application granted
Publication of CN100555205C
Legal status: Expired - Fee Related

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F17/00 Coin-freed apparatus for hiring articles; Coin-freed facilities or services
    • G07F17/20 Coin-freed apparatus for hiring articles; Coin-freed facilities or services for washing or drying articles, e.g. clothes, motor cars
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Abstract

A portable storage device and method of managing a file in the portable storage device are provided. The portable storage device includes a control module sorting digital rights management data from received data and forming a file comprising the digital rights management data, and a storage module storing the file. The method includes sorting digital rights management data from received data, forming a file comprising the digital rights management data, and storing the file in a storage module. Accordingly, files can be securely managed to be suitable to DRM.

Description

Portable storage device and method of managing files in the portable storage device
Technical Field
The present invention relates to a method of managing files in a portable storage device and, more particularly, to a method of managing files in a portable storage device capable of implementing digital rights management (DRM).
Background Art
Recently, digital rights management (DRM) has been actively researched and developed. Commercial services using DRM are already in use or will be soon. Unlike analog data, digital content can be copied without loss and can easily be reused, processed and distributed, and copying and distributing it costs very little. Producing digital content, however, requires a great deal of cost, labor and time. DRM is therefore being applied more and more widely.
Considerable effort has gone into protecting digital content. Conventionally, digital content protection has concentrated on preventing unauthorized access, so that only people who have paid are allowed to access the content. People who have paid are thus given access to unencrypted digital content, while people who have not paid are not. In this case, however, when a person who has paid intentionally distributes the digital content to others, those others can use it without paying.
In DRM, by contrast, anyone is allowed free access to encrypted digital content, but a license called a rights object is needed to decrypt and execute it. DRM can therefore protect digital content more effectively.
Fig. 1 is a conceptual diagram of conventional DRM. DRM concerns the management of content protected by a method such as encryption or scrambling (hereinafter, encrypted content) and of the rights objects that allow access to the encrypted content.
Referring to Fig. 1, a DRM system includes devices 110 and 150, which want to access encrypted content; a content issuer 120, which issues content; a rights issuer 130, which issues a rights object (RO) containing the license to execute the content; and a certification authority 140, which issues certificates.
The device 110 can obtain the desired content from the content issuer 120 in an encrypted format protected by DRM. The device 110 can obtain the license to play the encrypted content from a rights object received from the rights issuer 130.
Because encrypted content can be circulated and distributed freely, the device 110 can freely transmit the encrypted content to the device 150. The device 150 needs a rights object to play the encrypted content, and can obtain one from the rights issuer 130.
An RO containing the license to execute content may also contain predetermined constraint information so that the RO cannot be distributed or copied without permission. For example, the RO may contain information on the limited number of times it may be copied or moved from one device to another. In this case, each time the RO is moved or copied, the copy count or move count set in the RO increases by 1. When the copy count or move count reaches the predetermined limit, moving or copying the RO is prohibited, which prevents unauthorized distribution of the RO.
Meanwhile, the certification authority 140 issues a certificate containing the identifier of the device whose public key is certified, the serial number of the certificate, the name of the certification authority that issued the certificate, the public key of the device concerned, and the validity period of the certificate. The certificate provides information on whether a device is a legitimate user. An intruding device masquerading as an authenticated device can therefore be prevented from communicating with other devices or systems.
In this way, DRM protects the interests of those who produce or provide digital content and can thus help the digital content industry grow.
Summary of the Invention
Technical Problem
In addition to the direct transfer of encrypted content between devices shown in Fig. 1, technology has recently been developed for transferring ROs and encrypted content between devices by means of a portable storage device.
Therefore, for DRM in which a portable storage device acts as an intermediary between devices, a technique for securely managing files in the portable storage device is desired.
Technical Solution
The present invention provides a method of securely managing files in a portable storage device that has a digital rights management (DRM) function.
The above and other objects, features and advantages of the present invention will become clear to those skilled in the art upon studying the following description, the drawings and the claims.
According to an aspect of the present invention, there is provided a portable storage device including: a control module that sorts DRM data from received data and forms a file containing the DRM data; and a storage module that stores the file.
Preferably, but not necessarily, the control module sets a restricted area in the storage module, assigns a file identifier mapped to the restricted area to the file containing the DRM data, and stores the file identifier in the restricted area.
Here, the files stored in the storage module may have a tree structure.
The DRM data may be one of a rights object and authentication information required for authentication with a device.
The authentication information may be one of a certificate and a certificate revocation list.
The file containing the DRM data may include a rights-object dedicated file containing elementary files for rights objects and an authentication dedicated file containing elementary files for authentication information.
The control module may include access conditions for restricting a device's access to the files stored in the storage module.
The access condition for a file containing DRM data may be authentication. When a device accesses a file containing authentication information in order to update one of a certificate and a certificate revocation list, the access conditions are authentication and the validity period of the certificate or certificate revocation list.
Preferably, but not necessarily, the control module creates a table in which the identifier of the content that a rights object can execute, or the identifier of the rights object, is mapped to the file identifier assigned to the rights-object elementary file, searches the table to find the rights object that a device is attempting to access, and allows the device to access that rights object.
In addition, when a device accesses a file in the portable storage device, the device sends a command to the control module and, in response to the command, the control module accesses the file and performs an operation according to the command.
According to another aspect of the present invention, there is provided a method of managing files in a portable storage device, the method including: sorting DRM data from received data, forming a file containing the DRM data, and storing the file in a storage module.
Preferably, but not necessarily, storing the file includes using a control module to set a restricted area in the storage module and assigning a file identifier mapped to the restricted area to the file containing the DRM data.
The files stored in the storage module may have a tree structure.
The DRM data may be one of a rights object and authentication information required for authentication with a device.
The authentication information may be one of a certificate and a certificate revocation list.
The file containing the DRM data may include a rights-object dedicated file containing elementary files for rights objects and an authentication dedicated file containing elementary files for authentication information.
The method may further include having the control module generate access conditions for restricting a device's access to the files stored in the storage module.
The access condition for a file containing DRM data may be authentication.
When a device accesses a file containing authentication information in order to update one of a certificate and a certificate revocation list, the access conditions may be authentication and the validity period of the certificate or certificate revocation list.
The control module creates a table in which the identifier of the content that a rights object can execute, or the identifier of the rights object, is mapped to the file identifier assigned to the rights-object elementary file, searches the table to find the rights object that a device is attempting to access, and allows the device to access that rights object.
When a device accesses a file in the portable storage device, the device sends a command to the control module and, in response to the command, the control module accesses the file and performs an operation according to the command.
Brief Description of the Drawings
The above and other features and advantages of the present invention will become more apparent from the detailed description of preferred embodiments given with reference to the accompanying drawings, in which:
Fig. 1 is a conceptual diagram of conventional digital rights management (DRM);
Fig. 2 is a schematic conceptual diagram of DRM between a portable storage device and a device;
Fig. 3 is a diagram illustrating authentication between a device and a multimedia card according to an embodiment of the invention;
Fig. 4 is a block diagram of a portable storage device according to an embodiment of the invention;
Fig. 5 is a schematic diagram illustrating the directory structure stored in a storage module according to an embodiment of the invention;
Fig. 6 is a table illustrating the configuration of a rights object (RO) according to an embodiment of the invention;
Fig. 7 is a table illustrating the constraints given to the permissions shown in Fig. 6;
Fig. 8 illustrates the configuration of an RO file supported by a multimedia card according to an embodiment of the invention;
Fig. 9 is a table of information about tags according to the type of data contained in a file;
Fig. 10 is a flowchart of a process of storing data in a multimedia card according to an embodiment of the invention; and
Fig. 11 is a flowchart of a process of permitting access to a file stored in a multimedia card according to an embodiment of the invention.
Detailed Description
The advantages and features of the present invention, and methods of achieving them, may be understood more readily by reference to the following detailed description of exemplary embodiments and the accompanying drawings. The invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth here. Rather, these embodiments are provided so that this disclosure is thorough and complete and fully conveys the concept of the invention to those skilled in the art; the invention is defined only by the claims. Throughout the specification, like reference numerals denote like elements.
The present invention will now be described more fully with reference to the accompanying drawings, which show exemplary embodiments. The portable storage device used in the present invention includes non-volatile memory, such as flash memory, to which data can be written and from which data can be read and deleted, and which can be connected to a device. Examples of such a portable storage device are smart media, memory sticks, CompactFlash (CF) cards, xD cards and multimedia cards. Below, a multimedia card (MMC) is used as the example of a portable storage device. The portable storage device according to the invention is not, however, limited to a multimedia card.
Fig. 2 is a conceptual diagram of digital rights management (DRM) between a multimedia card and a device.
The device 210 can obtain encrypted content from a content issuer 220. Encrypted content is content protected by DRM. To play encrypted content, a rights object (RO) for that content is needed. An RO may contain a definition of the rights to the content and the constraints on those rights, and may also contain rights to the RO itself.
Examples of a right to the RO are move and copy. In other words, an RO containing the move right can be moved to another device or MMC, and an RO containing the copy right can be copied to another device or MMC.
Moving an RO is the following process: the RO is created at the new location and deactivated at its previous location (that is, the RO is deleted, or the rights contained in the RO are deleted). When an RO is copied, on the other hand, the RO at the original location remains active.
After obtaining encrypted content, the device 210 can purchase an RO from a rights issuer 230 to obtain the right to play. Once the device 210 has obtained the RO from the rights issuer 230, it can use the RO to play the encrypted content. The device 210 can also transfer (move or copy) the RO to a device 250 via a multimedia card 260.
After authenticating with the multimedia card 260, the device 210 can move the RO to the multimedia card 260. To play encrypted content using an RO that has been moved to the multimedia card 260, the device 210 can request the right to play from the multimedia card 260 and receive the right to play, that is, the content encryption key (CEK), from it.
Likewise, after authenticating with the multimedia card 260, the device 250 can receive the right to play particular content from the multimedia card 260 that stores the RO, and can use the received right to play that encrypted content. Here, as described above, the play count contained in the RO stored in the multimedia card 260 may be increased.
An RO can be moved or copied from the multimedia card 260 to the device 250. Here, as described above, the move count or copy count of the RO may be increased. After authenticating with the multimedia card 260, the device 210 or 250 is permitted to use the rights contained in the RO to play encrypted content, or to move or copy the RO, until the play count, move count or copy count reaches the predetermined limit set in the RO.
As described above, a device preferably authenticates with the multimedia card before exchanging data such as an RO with it.
Fig. 3 is a diagram illustrating authentication between a device 310 and a multimedia card 320 according to an embodiment of the invention. Authentication is the process in which the device 310 and the multimedia card 320 verify each other's authenticity and exchange the random numbers used to generate a session key. The session key can be generated using the random numbers obtained during authentication. In Fig. 3, the text above each horizontal arrow is a command requesting the other party to perform a particular operation, and the text below each arrow is the parameters needed to execute the command or the data transferred.
In the embodiment shown in Fig. 3 and in the other embodiments below, the device 310 issues all commands for authentication, and the multimedia card 320 performs the operations needed to execute them. For example, the device 310 may send a command such as an authentication request to the multimedia card 320. The multimedia card 320 then sends certificate_M and the encrypted random number_M to the device 310 in response to the authentication request. Each horizontal arrow in Fig. 3 therefore indicates the direction in which parameters or data move.
In another embodiment of the invention, both the device 310 and the multimedia card 320 may issue commands. For example, the multimedia card 320 may send an authentication response to the device 310 together with certificate_M and the encrypted random number_M.
In Fig. 3, the subscript "D" on an object indicates that the object is stored in or generated by the device 310, and the subscript "M" indicates that the object is stored in or generated by the multimedia card 320.
Authentication is described in detail below with reference to Fig. 3. In operation S10, the device 310 sends an authentication request to the multimedia card 320 together with the device certificate_D. The device certificate_D contains the identifier (ID) of the device 310, that is, the device ID, and the device public key_D, and is signed with the digital signature of the certification authority.
In operation S20, the multimedia card 320 uses the certificate revocation list (CRL) stored in it to check whether the device certificate_D is valid. If the device certificate_D is registered in the CRL, the multimedia card 320 may refuse to authenticate with the device 310. If the device certificate_D is not registered in the CRL, the multimedia card 320 confirms that the device certificate_D is valid and obtains the device public key_D from it.
In operation S25, the multimedia card 320, having confirmed that the device certificate_D is valid, generates random number_M, and in operation S30 encrypts random number_M with the device public key_D. Then, in operation S40, the authentication response procedure is performed by sending an authentication response from the device 310 to the multimedia card 320 or from the multimedia card 320 to the device 310. During the authentication response procedure, the multimedia card 320 sends the multimedia card certificate_M and the encrypted random number_M to the device 310.
In operation S50, the device 310 receives the multimedia card certificate_M and the encrypted random number_M and authenticates the multimedia card 320 by checking the multimedia card certificate_M against the CRL. In addition, the device 310 obtains the multimedia card public key_M from the multimedia card certificate_M and obtains the random number_M generated by the multimedia card 320 by decrypting the encrypted random number_M with its own private key.
In operation S55, the device 310 generates random number_D. In operation S60, the device 310 encrypts random number_D with the multimedia card public key_M. An authentication end procedure is then performed in operation S70, in which the device 310 sends the encrypted random number_D to the multimedia card 320.
In operation S80, the multimedia card 320 receives the encrypted random number_D and decrypts it with its own private key. As a result, the device 310 and the multimedia card 320 each know the random number generated by the other (random number_D and random number_M).
In operations S90 and S95, the device 310 and the multimedia card 320, which now share each other's random numbers, each generate a session key from the two random numbers. The two session keys are identical. Once the session key has been generated, the various DRM-protected operations can be performed between the device 310 and the multimedia card 320.
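The S10 to S95 exchange above, modelled end to end as an added example (not code from the patent or its applicant). Textbook RSA over small constructed primes stands in for the public-key module so that it runs with the standard library only; the SHA-256 session-key derivation, the certificate layout and all names are assumptions, since the text only states that the session key is generated from the two random numbers.

```python
import hashlib
import secrets
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key below

def make_key(p, q):
    """Textbook RSA private key (n, d) from two primes; unpadded, demonstration only."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass(frozen=True)
class Certificate:
    subject_id: str    # device ID or card ID
    serial: int        # what the CRL lists
    public_n: int      # subject's public key (modulus; exponent is E)
    signature: int     # CA signature over the three fields above

    def body(self):
        return f"{self.subject_id}|{self.serial}|{self.public_n}".encode()

def issue(ca_key, subject_id, serial, public_n):
    n, d = ca_key
    unsigned = Certificate(subject_id, serial, public_n, 0)
    return Certificate(subject_id, serial, public_n,
                       pow(digest_int(unsigned.body(), n), d, n))

@dataclass
class Party:
    key: tuple          # own private key (n, d)
    cert: Certificate   # own certificate, sent to the peer
    ca_n: int           # trusted certification authority public key
    crl: set            # serial numbers of revoked certificates

def certificate_ok(cert, verifier):
    """S20 / S50: refuse revoked certificates and bad CA signatures."""
    if cert.serial in verifier.crl:
        return False
    expected = digest_int(cert.body(), verifier.ca_n)
    return pow(cert.signature, E, verifier.ca_n) == expected

def session_key(rn_d, rn_m):
    # Assumed derivation: hash both random numbers, keep 16 bytes for AES-128.
    material = rn_d.to_bytes(16, "big") + rn_m.to_bytes(16, "big")
    return hashlib.sha256(material).digest()[:16]

def authenticate(device, card):
    """Return (device_session_key, card_session_key), or None if either side refuses."""
    # S10: device -> card: authentication request, certificate_D
    if not certificate_ok(device.cert, card):                      # S20
        return None
    rn_m = secrets.randbits(128)                                   # S25
    enc_rn_m = pow(rn_m, E, device.cert.public_n)                  # S30
    # S40: card -> device: certificate_M, encrypted random number_M
    if not certificate_ok(card.cert, device):                      # S50
        return None
    rn_m_seen = pow(enc_rn_m, device.key[1], device.key[0])        # S50: decrypt
    rn_d = secrets.randbits(128)                                   # S55
    enc_rn_d = pow(rn_d, E, card.cert.public_n)                    # S60
    # S70: device -> card: encrypted random number_D
    rn_d_seen = pow(enc_rn_d, card.key[1], card.key[0])            # S80
    return session_key(rn_d, rn_m_seen), session_key(rn_d_seen, rn_m)  # S90, S95

# Constructed keys built from Mersenne primes: trivially factorable, never for real use.
CA_KEY = make_key(2**1279 - 1, 2**607 - 1)
DEVICE_KEY = make_key(2**521 - 1, 2**127 - 1)
CARD_KEY = make_key(2**107 - 1, 2**89 - 1)

def make_parties(card_crl=()):
    """Constructed device and card, both certified by the same CA."""
    device = Party(DEVICE_KEY, issue(CA_KEY, "device-310", 1001, DEVICE_KEY[0]),
                   CA_KEY[0], set())
    card = Party(CARD_KEY, issue(CA_KEY, "mmc-320", 2001, CARD_KEY[0]),
                 CA_KEY[0], set(card_crl))
    return device, card

if __name__ == "__main__":
    d, c = make_parties()
    print(authenticate(d, c))
```

A card whose CRL lists the device's certificate serial stops at S20 and never generates a random number, so no session key exists for that device.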
Fig. 4 is a block diagram of a portable storage device, for example a multimedia card 400, according to an embodiment of the invention.
In the exemplary embodiments, the term "module" as used here means, but is not limited to, a software or hardware component that performs certain tasks, such as a field-programmable gate array (FPGA) or an application-specific integrated circuit (ASIC). A module may advantageously be configured to reside on an addressable storage medium and configured to execute on one or more processors.
Thus a module may include, by way of example, components such as software components, object-oriented software components, class components and task components, processes, functions, attributes, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays and variables. The functionality provided in the components and modules may be combined into fewer components and modules or further separated into additional components and modules. In addition, the components and modules may be implemented so that they run on one or more CPUs in a device or MMC.
To implement DRM, the multimedia card 400 needs a security function, a function for storing content or ROs, a function for exchanging data with a device, and a DRM function. To perform these functions, the multimedia card 400 includes an encryption module 430 providing the security function, a storage module 440 providing the storage function, an interface module 410 allowing data exchange with a device, and a control module 420 that controls each module to carry out the DRM procedures.
The interface module 410 connects the MMC 400 to a device. When the MMC 100 is connected to a device, the interface module 410 of the MMC 100 may be electrically connected to the interface module of the device. Electrical connection is only one example, however; connection may also denote a state in which the MMC 100 can communicate with the device through a wireless medium without contact.
The encryption module 430 includes a public-key encryption module 432, a session key generation module 434 and a symmetric-key encryption module 436.
The public-key encryption module 432 performs public-key encryption. More specifically, it performs RSA encryption at the request of the control module 420. During the authentication described above, RSA encryption may be used for the random number exchange or for digital signatures. The public-key encryption module 432 is only an example; other public-key cryptography schemes, including Diffie-Hellman, RSA, ElGamal and elliptic curve cryptography, may be used.
The session key generation module 434 generates the random number to be sent to the device and generates a session key from the random number it generated and the random number received from the device. The random number generated by the session key generation module 434 is encrypted by the public-key encryption module 432 and then sent to the device through the interface module 410. Instead of being generated in the session key generation module 434, the random number may be selected from a plurality of random numbers provided in advance.
The symmetric-key encryption module 436 performs symmetric-key encryption. More specifically, it performs Advanced Encryption Standard (AES) encryption using the session key generated by the session key generation module 434. AES encryption is generally used to encrypt the CEK contained in an RO with the session key when the CEK is sent to a device. The encryption performed by the symmetric-key encryption module 436 may also be used to encrypt other important information during communication with a device. In an embodiment of the invention, AES encryption with the session key may be performed to encrypt an RO while it is being moved. AES encryption is only an example; the symmetric-key encryption module 436 may use other symmetric-key encryption such as Data Encryption Standard (DES) encryption.
The control module 420 may divide the storage module 440 into a restricted area and a normal area, encrypt DRM-related information and store it in the restricted area, and store other data in the normal area. The DRM-related information may include the authentication information needed to check the authenticity of a device's identity during authentication with the device, and ROs containing the rights to use content and rights information. The authentication information may be the certificate of the multimedia card 400, the certificate of the certification authority, or a CRL.
By dividing the storage module 440 into a restricted area and a normal area and storing DRM-related information in the restricted area, the control module 420 can restrict a device's access to the DRM-related information among the data stored in the storage module. The storage module 440 may be divided into the restricted area and the normal area either physically or logically.
To restrict a device's access to DRM-related information, the control module 420 may set conditions on access to the data stored in the storage module 440. An access condition may be the need for authentication, the need to update the certificate of the multimedia card, or the need to update the CRL stored in the storage module 440.
For example, the control module 420 may set authentication as the access restriction on an RO. When a device attempts to access the RO, the control module 420 may determine whether the device has authenticated with the multimedia card 400, and allow the device to access the RO only if authentication completed normally. Here, access may mean reading or writing.
When an RO is to be copied or moved from a device to the multimedia card 400, the control module 420 may determine whether the device has authenticated with the multimedia card, and permit the copy or move only if authentication has been completed.
As another example, access conditions for a certificate or CRL will be described. When a device accesses the multimedia card 400 to read a certificate or CRL, the control module 420 may set no access condition, so that the device is allowed access without authentication. When the device's access is to update a certificate or CRL, the control module 420 may set authentication and the validity period of the certificate or CRL as the access conditions.
Meanwhile, the control module 420 may encrypt the DRM data to be stored in the storage module 440 with a unique encryption key of the multimedia card 400, and store the encrypted DRM data in the restricted area of the storage module 440 together with a file identifier (FID) assigned to address the DRM data to the restricted area. The DRM-related information may be encrypted partially or entirely. For example, when an RO is encrypted and stored, only the CEK contained in the RO may be encrypted, or the whole RO may be encrypted. When ROs are encrypted in their entirety, the control module 420 may map the ID of each RO, or the ID of the content that each RO can play, to an FID, and store a table of the content IDs or RO IDs, to help in searching for a particular RO.
The storage module 440 stores encrypted content, ROs, CRLs and so on. The storage module 440 may be divided into a restricted area and a normal area either physically or logically.
The data stored in the storage module 440 may take the form of files in a tree structure. DRM data such as an RO or CRL may be stored in the restricted area in an encrypted state. Here, the symmetric-key encryption module 426 may encrypt an RO by AES encryption using a unique encryption key that other devices cannot read. When an RO is moved or copied to another device, the symmetric-key encryption module 436 may decrypt the encrypted RO using the unique encryption key. The use of symmetric-key encryption is only an example. As another example, the public-key encryption module 432 may perform public-key encryption using the public key of the multimedia card 400 and, when necessary, perform decryption using the private key of the multimedia card 400. Encrypted content, or data used by other applications, may be stored in the normal area of the storage module 440.
As described above, access to the restricted area of the storage module 440 can be selectively restricted by the control module 420.
Fig. 5 is a schematic diagram illustrating the directory structure stored in the storage module 440 according to an embodiment of the invention.
The restricted area included in the storage module 440 of the multimedia card 400 can be protected by setting access conditions. A tree structure may be used as the file structure so that access conditions can be applied appropriately.
The file structure of the multimedia card 400 shown in Fig. 5 comprises a master file (MF) corresponding to the whole directory, dedicated files (DFs) corresponding to subdirectories, and a plurality of elementary files (EFs) storing the required content. FIDs may be used to identify these files. In Fig. 5, the number in each pair of parentheses is an FID. In the embodiment shown in Fig. 5, because the FID range is 1401 to 17FE, 1023 RO EFs can be created.
DFs may be divided into a DRM DF used for the DRM of the multimedia card 400 and other DFs. The DRM DF may be stored in the restricted area of the storage module 440. The control module 420 may set the access condition so that only a device that has completed authentication with the multimedia card 400 can access the DRM DF. When the access condition is not satisfied, the control module 420 may prohibit access to the DRM DF. In describing the invention, "access" may refer to indirect access, in which the device sends a command to the multimedia card 400 and the control module 420 of the multimedia card 400 then accesses the relevant file and inputs or outputs the necessary information.
For the DRM of the multimedia card 400, the DRM DF may include an RO DF and an authentication DF. The RO DF contains RO EFs that store ROs, where an RO may have been stored in the multimedia card 400 at the time of manufacture, or may have been copied or moved from a device after authentication.
The authentication DF contains the information that the multimedia card and the device need to perform authentication. The authentication DF includes a card certificate EF containing the certificate of the multimedia card 400, a certificate authority certificate EF containing the certificate of the certificate authority, or a CRL EF containing a CRL.
Fig. 6 illustrates the configuration of an RO according to an embodiment of the invention.
The RO includes a version field 500, a resource field 520, and a permission field 540.
The version field 500 contains the version information of the DRM system. The resource field 520 contains information about the content data whose consumption is managed by the RO. The permission field 540 contains information about the usage and actions that the rights issuer permits for the content protected by DRM.
Of the information stored in the resource field 520, the "id" information is an identifier used to identify the RO, and the "uid" information identifies the content whose use is controlled by the RO and is the uniform resource identifier (URI) of the content data in DRM content format (DCF). The "key value" information contains the binary key value used to encrypt the content, which is known as the CEK. The CEK is the key value used to decrypt the encrypted content to be used by the device. When the device receives the CEK from the multimedia card, it can use the content.
The information stored in the permission field 540 will now be described in detail. A "permission" is a right to use content, granted by the rights issuer. The types of permission include "Play", "Display", "Execute", "Print", and "Export".
The Play element indicates the right to render DRM content in audio/video format. For content that cannot be rendered in audio/video format, such as a JAVA game, the DRM agent does not allow play-based access.
The Play element may optionally have a constraint. If a constraint is specified, the DRM agent grants the right to play according to that constraint. If no constraint is specified, the DRM agent grants an unrestricted right to play.
The Display element indicates the right to display DRM content through a visual device. For content such as gif or jpeg images that cannot be displayed through a visual device, the DRM agent does not allow display-based access.
The Execute element indicates the right to execute DRM content such as JAVA games and other applications.
The Print element indicates the right to produce a hard copy of DRM content such as a jpeg image.
The Export element indicates the right to send DRM content and the corresponding RO to a DRM system or content protection system other than the Open Mobile Alliance (OMA) DRM system. The Export element must have a constraint. The constraint specifies the DRM system or content protection system to which the DRM content and its RO can be sent. The Export element is divided into a move mode and a copy mode. When an RO is exported from the current DRM system to another DRM system, in move mode the RO is deleted from the current DRM system, whereas in copy mode the RO is not deleted from the current DRM system.
When an RO is exported to another system, the Move element invalidates the original RO in the current DRM system, whereas the Copy element does not invalidate the original RO in the current DRM system.
Fig. 7 is a table illustrating the constraints on the permissions shown in Fig. 6.
Consumption of digital content is limited by the constraints on a "permission".
The Count constraint 600 has a positive integer value and specifies the number of times the permission is granted for the content.
The Datetime constraint 610 specifies the duration of the permission and optionally includes a start element or an end element. When the start element is included, use of the DRM content is not permitted before the specified time/date. When the end element is included, use of the DRM content is not permitted after the specified time/date.
The Interval constraint 620 specifies the time interval during which the RO can be executed for the corresponding DRM content. When a start element is included in the Interval constraint 620, consumption of the DRM content is permitted after the specified time/date, during the time period specified by the duration element included in the Interval constraint 620. When an end element is included in the Interval constraint 620, consumption of the DRM content is permitted during the time period specified by the duration element before the specified time/date.
The Accumulated constraint 630 specifies the maximum time interval for the accumulated measured time during which the RO is executed for the corresponding DRM content. If the accumulated measured time exceeds the maximum time interval specified by the Accumulated constraint 630, the DRM agent does not permit access to the DRM content.
The Individual constraint 640 specifies the individual to whom the DRM content is bound.
The System constraint 650 specifies the DRM system or content protection system to which the content and the RO can be exported. The version element indicates the version information of the DRM system or content protection system. The "Sid" element specifies the name of the DRM system or content protection system.
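The Count, Datetime, Interval and Accumulated constraints described above can be evaluated by a DRM agent as in the following added example, which is not code from the patent. The struct layout, the names, the use of seconds as the time unit and the handling of an Interval that carries both a start and an end are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constraint kinds follow Fig. 7; field layout and names are assumptions. */
enum { C_COUNT = 1, C_DATETIME = 2, C_INTERVAL = 4, C_ACCUMULATED = 8 };
enum { HAS_START = 1, HAS_END = 2 };

typedef struct {
    unsigned present;                 /* bitmask of C_* constraints on this permission */
    uint32_t count_left;              /* Count: remaining uses */
    unsigned dt_flags;                /* Datetime: which of start/end are present */
    uint32_t dt_start, dt_end;
    unsigned iv_flags;                /* Interval: start or end, plus a duration */
    uint32_t iv_start, iv_end, iv_duration;
    uint32_t acc_max, acc_used;       /* Accumulated: limit and measured seconds */
} permission;

typedef enum { USE_OK, DENY_COUNT, DENY_DATETIME, DENY_INTERVAL,
               DENY_ACCUMULATED } verdict;

/* Decide whether the permission may be exercised at time `now` (seconds). */
verdict check_permission(const permission *p, uint32_t now)
{
    if ((p->present & C_COUNT) && p->count_left == 0)
        return DENY_COUNT;
    if (p->present & C_DATETIME) {
        if ((p->dt_flags & HAS_START) && now < p->dt_start)
            return DENY_DATETIME;     /* not permitted before the start */
        if ((p->dt_flags & HAS_END) && now > p->dt_end)
            return DENY_DATETIME;     /* not permitted after the end */
    }
    if (p->present & C_INTERVAL) {
        uint64_t lo = 0, hi = UINT64_MAX;
        if (p->iv_flags & HAS_START) {            /* [start, start + duration] */
            lo = p->iv_start;
            hi = lo + p->iv_duration;             /* 64-bit sum cannot wrap */
        }
        if (p->iv_flags & HAS_END) {              /* [end - duration, end] */
            uint64_t end_lo = p->iv_end > p->iv_duration
                            ? (uint64_t)p->iv_end - p->iv_duration : 0;
            if (end_lo > lo) lo = end_lo;         /* both present: intersect (assumption) */
            if (p->iv_end < hi) hi = p->iv_end;
        }
        if (now < lo || now > hi)
            return DENY_INTERVAL;
    }
    /* The text denies access once the measured time exceeds the maximum. */
    if ((p->present & C_ACCUMULATED) && p->acc_used > p->acc_max)
        return DENY_ACCUMULATED;
    return USE_OK;                    /* no constraint present means unrestricted */
}

/* Check first, then charge one use and the measured time to the RO state. */
verdict consume(permission *p, uint32_t now, uint32_t seconds)
{
    verdict v = check_permission(p, now);
    if (v != USE_OK)
        return v;                     /* a denied attempt must not change state */
    if (p->present & C_COUNT)
        p->count_left--;
    if (p->present & C_ACCUMULATED)   /* saturate instead of wrapping around */
        p->acc_used = seconds > UINT32_MAX - p->acc_used
                    ? UINT32_MAX : p->acc_used + seconds;
    return USE_OK;
}

int main(void)
{
    /* Constructed sample: a Play permission usable twice between t=100 and t=200. */
    permission play = {0};
    play.present = C_COUNT | C_DATETIME;
    play.count_left = 2;
    play.dt_flags = HAS_START | HAS_END;
    play.dt_start = 100;
    play.dt_end = 200;
    printf("t=50  -> %d\n", consume(&play, 50, 0));
    printf("t=150 -> %d\n", consume(&play, 150, 0));
    printf("t=160 -> %d\n", consume(&play, 160, 0));
    printf("t=170 -> %d\n", consume(&play, 170, 0));
    return 0;
}
```

Because `consume` evaluates every constraint before it touches the counters, a request refused by one constraint cannot use up a count or accumulated time governed by another.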
Fig. 8 illustrates the configuration of an RO file supported by the multimedia card according to an embodiment of the invention.
In the table shown, "Seq" denotes a sequence, "Oct" an octet string, "Int" an integer, and "Bin" a binary data type.
A multimedia card usually has a smaller storage capacity than a device and therefore supports a compact data structure such as the RO file structure 700. The RO file structure 700 includes a tag of the RO, a content ID, a content type, permission-related data, and constraint-related data. The permission-related data includes a tag indicating that the current data relates to a permission, a bit string (that is, permission information) 720 indicating the content of the permission, and a tag indicating the type of the permission. The constraint-related data includes a tag indicating that the current data relates to a constraint, a bit string (that is, constraint information) 740 indicating the content of the constraint, and a tag indicating the type of the constraint.
Information about the tags, according to the types of data included in the file, is shown in Fig. 9.
In the above embodiments, the function of the DRM agent may be performed by the control module 420 of the multimedia card 400.
Fig. 10 is a flowchart of a process of storing data in a multimedia card according to an embodiment of the invention.
In operation S210, data is received from a device that the multimedia card has authenticated. In operation S220, the multimedia card determines whether the data is DRM data required for DRM between the multimedia card and the device. DRM data may be authentication information required for authentication, such as a certificate or a CRL, or an RO containing a license to use particular content.
When it is determined that the data is DRM data, in operation S230 the control module 420 (Fig. 4) may store the data in the restricted area of the storage module 440 (Fig. 4). For this operation, the control module 420 may divide the storage module 440 into a restricted area for storing DRM data and a normal area for storing other data. The storage module 440 may be divided physically or logically.
In addition, the control module 420 may set access conditions on the data stored in the storage module 440 to restrict access by devices. An access condition may be the need for authentication, the need to update the multimedia card's certificate, or the need to update the CRL stored in the storage module 440.
For example, the control module 420 may set authentication as the access restriction information for an RO. When a device attempts to access an RO, the control module 420 may determine whether the device has performed authentication with the multimedia card, and allow the device to access the RO only when the device has completed the authentication normally. Here, access may refer to reading or writing. When an RO is copied or moved from a device to the multimedia card, the control module 420 may determine whether the device has been authenticated with the multimedia card, and permit the copy or move only when authentication has been completed.
In another example, access conditions for a certificate or a CRL will be described. When a device accesses the multimedia card to read a certificate or a CRL, the control module 420 may set no access condition, so that the device is allowed access without authentication. When the device's access is to update a certificate or a CRL, the control module 420 may set authentication and the validity duration of the certificate or CRL as the access conditions.
Meanwhile, the control module 420 may encrypt the DRM data to be stored in the storage module 440 using a unique encryption key of the multimedia card, assign the encrypted DRM data an FID that addresses the DRM data to the restricted area, and store it in the restricted area of the storage module 440. The DRM-related information may be encrypted in part or in whole. For example, when an RO is encrypted and stored, only the CEK contained in the RO may be encrypted, or the entire RO may be encrypted. When the entire RO is encrypted, the control module 420 may map the ID of each RO, or the ID of the content that each RO can play, to an FID, and store a table of content IDs or RO IDs, to facilitate searching for a specific RO.
The data stored in the storage module 440 may have a tree structure and may be divided into a DF for ROs and a DF for authentication information.
When the data is other data, such as encrypted content, the data is stored in the normal area in operation S240.
Fig. 11 is a flowchart of a process of permitting access to a file stored in a multimedia card according to an embodiment of the invention.
In operation S310, a request to access the storage module 440 (Fig. 4) of the multimedia card is received from a device. In operation S320, the control module 420 (Fig. 4) of the multimedia card determines whether the access condition for the specific file that the device is attempting to access is satisfied. The access conditions have been described above.
When it is determined that the access condition is satisfied, in operation S330 the control module 420 permits the device to access the specific file. The device's access may be indirect access, in which the device sends a command to the multimedia card and the control module 420 of the multimedia card then accesses the file and inputs or outputs the necessary information. Alternatively, when a table in which content IDs or RO IDs are mapped to FIDs is used, the device may send to the multimedia card the ID of the RO it is attempting to access, or the ID of the content that can be executed by that RO. The table is then searched for the FID to which the received ID is mapped, and the RO is found and accessed using that FID.
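The storing process of Fig. 10 and the access process of Fig. 11 can be sketched as a card-side control module, as in the following added example, which is not code from the patent. Only the RO EF range 1401 to 17FE comes from the text; the type and function names, the table size, the time unit, and the reading that the validity period checked on an update is that of the incoming certificate or CRL are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RO EF identifier range stated for Fig. 5; all other names are assumptions. */
#define FID_RO_FIRST 0x1401u
#define FID_RO_LAST  0x17FEu
#define MAX_RO 4                      /* demo table size */

typedef enum { KIND_RO, KIND_CERT, KIND_CRL, KIND_OTHER } data_kind;
typedef enum { OP_READ, OP_WRITE, OP_UPDATE } card_op;
typedef enum { ACC_OK, ACC_NEED_AUTH, ACC_NOT_VALID, ACC_NOT_FOUND, ACC_FULL } acc_result;

typedef struct {
    int authenticated;                /* device completed authentication with the card */
    uint32_t now;                     /* current time in seconds, as seen by the card */
} session;

typedef struct { uint32_t not_before, not_after; } validity;

typedef struct {
    struct { char id[16]; uint16_t fid; } ro_map[MAX_RO];   /* RO ID -> FID table */
    unsigned ro_count, restricted_files, normal_files;
} card;

/* S320: evaluate the access condition for a file kind and an operation. */
acc_result check_access(const session *s, data_kind kind, card_op op, const validity *v)
{
    if (kind == KIND_OTHER)           /* normal area: no condition (assumption) */
        return ACC_OK;
    if (kind != KIND_RO && op == OP_READ)
        return ACC_OK;                /* certificate/CRL read needs no authentication */
    if (!s->authenticated)
        return ACC_NEED_AUTH;         /* RO read/write and certificate/CRL update */
    if (kind != KIND_RO &&
        (v == NULL || s->now < v->not_before || s->now > v->not_after))
        return ACC_NOT_VALID;         /* an update also needs a current validity period */
    return ACC_OK;
}

/* Fig. 10: classify the data (S220), then store it in the restricted area
 * (S230) or the normal area (S240). For an RO, *fid receives the assigned FID. */
acc_result card_store(card *c, const session *s, data_kind kind,
                      const char *ro_id, const validity *v, uint16_t *fid)
{
    acc_result r;
    *fid = 0;
    if (kind == KIND_OTHER) { c->normal_files++; return ACC_OK; }
    r = check_access(s, kind, kind == KIND_RO ? OP_WRITE : OP_UPDATE, v);
    if (r != ACC_OK)
        return r;
    if (kind == KIND_RO) {
        if (c->ro_count == MAX_RO || FID_RO_FIRST + c->ro_count > FID_RO_LAST)
            return ACC_FULL;
        *fid = (uint16_t)(FID_RO_FIRST + c->ro_count);
        strncpy(c->ro_map[c->ro_count].id, ro_id, sizeof c->ro_map[0].id - 1);
        c->ro_map[c->ro_count].id[sizeof c->ro_map[0].id - 1] = '\0';
        c->ro_map[c->ro_count].fid = *fid;
        c->ro_count++;
    }
    c->restricted_files++;
    return ACC_OK;
}

/* Fig. 11: the device names an RO by ID; the card checks the condition and
 * resolves the FID itself, so the device never addresses the file directly. */
acc_result card_open_ro(const card *c, const session *s, const char *ro_id, uint16_t *fid)
{
    unsigned i;
    acc_result r = check_access(s, KIND_RO, OP_READ, NULL);
    *fid = 0;
    if (r != ACC_OK)
        return r;                     /* refuse before revealing whether the RO exists */
    for (i = 0; i < c->ro_count; i++) {
        if (strcmp(c->ro_map[i].id, ro_id) == 0) {
            *fid = c->ro_map[i].fid;
            return ACC_OK;
        }
    }
    return ACC_NOT_FOUND;
}

int main(void)
{
    card c = {0};
    session dev = { 1, 1000 };        /* constructed: authenticated device at t=1000 */
    uint16_t fid = 0;
    card_store(&c, &dev, KIND_RO, "ro-0001", NULL, &fid);
    printf("stored RO at FID %04X\n", (unsigned)fid);
    dev.authenticated = 0;
    printf("unauthenticated open -> %d\n", card_open_ro(&c, &dev, "ro-0001", &fid));
    return 0;
}
```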
Industrial Applicability
As described above, according to the present invention, files are managed securely in a manner suitable for DRM.
In concluding the detailed description, those skilled in the art will appreciate that many variations and modifications can be made to the exemplary embodiments without substantially departing from the principles of the present invention. Therefore, the disclosed exemplary embodiments of the invention are used in a generic and descriptive sense only and not for purposes of limitation.

Claims (22)

1. A portable storage device comprising:
a control module that classifies digital rights management data from received data and forms a file containing the digital rights management data; and
a storage module that stores the file.
2. The portable storage device of claim 1, wherein the control module sets a restricted area in the storage module, assigns a file identifier mapped to the restricted area to the file containing the digital rights management data, and stores the file in the restricted area.
3. The portable storage device of claim 2, wherein the files stored in the storage module have a tree structure.
4. The portable storage device of claim 2, wherein the digital rights management data is one of a rights object and authentication information required for authentication with a device.
5. The portable storage device of claim 4, wherein the authentication information is one of a certificate and a certificate revocation list.
6. The portable storage device of claim 5, wherein the file containing the digital rights management data comprises: a rights object dedicated file containing elementary files for rights objects, and an authentication dedicated file containing elementary files for the authentication information.
7. The portable storage device of claim 6, wherein the control module includes an access condition for restricting a device's access to the files stored in the storage module.
8. The portable storage device of claim 7, wherein the access condition for the file containing the digital rights management data is authentication.
9. The portable storage device of claim 7, wherein, when a device accesses the file containing the authentication information to update one of the certificate and the certificate revocation list, the access condition is authentication and the validity duration of the certificate or the certificate revocation list.
10. The portable storage device of claim 6, wherein the control module creates a table in which an identifier of content that can be executed by a rights object, or an identifier of the rights object, is mapped to the file identifier assigned to the rights object elementary file, searches the table to find the rights object that a device is attempting to access, and allows the device to access the rights object.
11. The portable storage device of claim 10, wherein, when a device accesses a file in the portable storage device, the device sends a command to the control module and, in response to the command, the control module accesses the file and performs an operation according to the command.
12. A method of managing files in a portable storage device, the method comprising:
classifying digital rights management data from received data;
forming a file containing the digital rights management data; and
storing the file in a storage module.
13. The method of claim 12, wherein the storing of the file comprises:
setting a restricted area in the storage module using a control module; and
assigning a file identifier mapped to the restricted area to the file containing the digital rights management data, and storing the file in the restricted area.
14. The method of claim 13, wherein the files stored in the storage module have a tree structure.
15. The method of claim 13, wherein the digital rights management data is one of a rights object and authentication information required for authentication with a device.
16. The method of claim 15, wherein the authentication information is one of a certificate and a certificate revocation list.
17. The method of claim 16, wherein the file containing the digital rights management data comprises: a rights object dedicated file containing elementary files for rights objects, and an authentication dedicated file containing elementary files for the authentication information.
18. The method of claim 17, further comprising causing the control module to generate an access condition for restricting a device's access to the files stored in the storage module.
19. The method of claim 18, wherein the access condition for the file containing the digital rights management data is authentication.
20. The method of claim 17, wherein, when a device accesses the file containing the authentication information to update one of the certificate and the certificate revocation list, the access condition is authentication and the validity duration of the certificate or the certificate revocation list.
21. The method of claim 17, wherein the control module creates a table in which an identifier of content that can be executed by a rights object, or an identifier of the rights object, is mapped to the file identifier assigned to the rights object elementary file, searches the table to find the rights object that a device is attempting to access, and allows the device to access the rights object.
22. The method of claim 21, wherein, when a device accesses a file in the portable storage device, the device sends a command to the control module and, in response to the command, the control module accesses the file and performs an operation according to the command.
CNB2005800010055A 2004-03-29 2005-02-28 Portable storage device and method of managing files in the portable storage device Expired - Fee Related CN100555205C (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
KR1020040021295A KR20050096036A (en) 2004-03-29 2004-03-29 Portable storage and management method of files in the portable storage
KR1020040021295 2004-03-29
US60/575,757 2004-06-01

Publications (2)

Publication Number Publication Date
CN1842759A true CN1842759A (en) 2006-10-04
CN100555205C CN100555205C (en) 2009-10-28

Family

ID=37031158

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005800010055A Expired - Fee Related CN100555205C (en) 2004-03-29 2005-02-28 Portable storage device and method of managing files in the portable storage device

Country Status (8)

Country Link
EP (1) EP1754134A4 (en)
JP (1) JP4742096B2 (en)
KR (1) KR20050096036A (en)
CN (1) CN100555205C (en)
AU (1) AU2005225950B2 (en)
CA (1) CA2560474A1 (en)
NZ (1) NZ545669A (en)
WO (1) WO2005093558A1 (en)

Also Published As

Publication number Publication date
JP2007531148A (en) 2007-11-01
EP1754134A4 (en) 2009-09-16
NZ545669A (en) 2008-03-28
CN100555205C (en) 2009-10-28
WO2005093558A1 (en) 2005-10-06
KR20050096036A (en) 2005-10-05
AU2005225950B2 (en) 2008-04-24
AU2005225950A1 (en) 2005-10-06
EP1754134A1 (en) 2007-02-21
JP4742096B2 (en) 2011-08-10
CA2560474A1 (en) 2005-10-06


Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20091028

Termination date: 20160228
