Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
  • G06F21/101—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by binding digital rights to specific entities
  • G06F21/1011—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by binding digital rights to specific entities to devices
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
  • G06F21/108—Transfer of content, software, digital rights or licenses
  • G06F21/1083—Partial license transfers
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
  • G06F21/16—Program or content traceability, e.g. by watermarking
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
  • G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
  • G06F21/73—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/08—Payment architectures
  • G06Q20/12—Payment architectures specially adapted for electronic shopping systems
  • G06Q20/123—Shopping for digital content
  • G06Q20/1235—Shopping for digital content with control of digital rights management [DRM]
• • G—PHYSICS
  • G07—CHECKING-DEVICES
  • G07F—COIN-FREED OR LIKE APPARATUS
  • G07F17/00—Coin-freed apparatus for hiring articles; Coin-freed facilities or services
  • G07F17/0014—Coin-freed apparatus for hiring articles; Coin-freed facilities or services for vending, access and use of specific services not covered anywhere else in G07F17/00
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
  • H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2211/00—Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
  • G06F2211/007—Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
  • H04L2463/101—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measures for digital rights management
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
  • H04L2463/103—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measure for protecting copyright

Definitions

• the invention relates to controlled distribution of digital products in a manner that tends to ensure that authors receive proper royalty payments for their work.
• Digitally encoded products such as software, music, images and video segments are extremely important in today's economy.
• the ease and economy with which perfect copies can be made of digitally encoded products has promoted the widespread unauthorized copying and distribution of such products through such channels as user-to-user copying and sharing, digital data networks such as the Internet, and CD-ROM publishing.
• These distribution channels have made it difficult for the creators and copyright holders of such products to regulate the use of their products or to receive payment and registration information from their users. Consequently, digital product producers often forfeit substantial revenues and valuable information about their customer base and potential markets, while businesses and universities find themselves subject to legal prosecution and intimidation for copyright infringement.
• Copy protection mechanisms Built into hardware or software.
• Copy protection mechanisms sometimes can inconvenience users who have a legitimate need for making copies.
• Copy protection mechanisms also can prevent digital product developers from taking advantage of the new distribution channels, such as the Internet.
• the CDI technique suffers from at least two problems. First, while the encryption of a data product during transmission may be very strong, it is still theoretically possible for an unauthorized third party to decipher it. Second, even if the product remains secure during transmission, once it is decrypted by the customer, CDI ' s strong encryption techniques no longer protect the product against further unauthorized distribution.
• the above- cited documents indicate that content as well as executables can be "locked" to a specific registered machine while still allowing for unrestricted distribution of the software in a crippled or time-dated mode, but the documents do not explain how this is to be accomplished.
• Schull describes a technique for distributing digital products (specifically software) by selling a password to the user.
• the user uses the password to unlock advanced features of the product, but the password is usable only on one machine.
• the technique allows users to freely distribute software to other machines and other potential users, but does not allow other users to take advantage of advanced features of the software without obtaining a new password which is specific to the new machine.
• the user generates a "passwordable- ID" either from the user's voice, by reading the serial number of the machine's CPU, or by any of a number of other suggested methods.
• the passwordable-ID is transmitted to a licensing system which uses the passwordable-ID to generate an encrypting seed for the software advanced features.
• the encrypted encrypting seed is then transmitted back to the user as a key for unlocking the advanced features of the software.
• a digital product is freely distributed through uncontrolled channels in encrypted form.
• Unencrypted preview material may also be provided in order to help the customer decide whether to purchase a license.
• one or more fragments of the encrypted product are withheld from uncontrolled distribution, and provided only upon communication with a license server.
• the technique of the present invention renders it literally impossible for an eavesdropper to recover the complete decrypted product without contacting the licensor.
• the product is not merely encrypted; to the extent of the security fragments, it is not even there.
• the customer purchases a license through the use of reader software which examines the components then present on the reader system to develop a reader system signature (RSS) .
• the reader system signature is transmitted to a license server which uses it either to encrypt the product decryption key, or to further encrypt the security fragments, or both, before sending them to the reader system.
• the reader system signature is not stored on the reader system. Rather, at the time that the customer would like to use the digital product (view an image or movie, listen to a sound or execute software, for example) , a new reader system signature is generated in the same manner as the original reader system signature.
• the new reader system signature is used to decrypt the product decryption key and/or the double-encrypted security fragments, only at the time of use. If the user is attempting to use the digital product on a different machine, such as would be the case in the event of unauthorized distribution, then the new reader system signature will not work properly and the unauthorized user will not be able to use the digital product.
• the above second aspect of the invention could be problematical in the event that the user upgrades or modifies the reader system.
• a mechanism that regenerates the reader system signature each time a digital product is to be used could prevent a legitimate user from using the product after such an upgrade.
• the machine authorization of the reader system allows a certain amount of "upgrade drift" before it is deemed advisable to check for unauthorized use.
• the reader system signature is determined by examining various components (hardware and/or software) of the reader system, to determine individual signatures for each component.
• the individual component signatures are then combined to form the overall reader system signature, for example by a weighted sum of the individual component signatures or by concatenating the individual component signatures together. If the reader system signature is determined on the basis of a weighted sum (or equivalently, a weighted average) of the individual component signatures, then the amount of permissible upgrade drift can be expressed as a percentage; that is, if the reader system signature generated upon usage of the digital product differs from the reader system signature generated at the time the product is purchased by no more than a predetermined percentage or fraction, then the usage is considered authorized.
• the reader system signature is generated as a concatenation of the individual component signatures, then the number of components which differ at usage time relative to purchase time can be specified not to exceed a specific count.
• the reader system signature generated at the time of purchase is not stored on the reader system, it can instead be uploaded to a license server. If the reader system signature generated at usage time is found by the reader system not to properly decrypt either the product decryption key or the product itself, then in an embodiment, the reader system can automatically contact the license server for reauthorization. The reader system uploads the newly generated reader system signature, and the license server performs the upgrade drift test in comparison with the reader system signature that was stored on the license server at the time of purchase.
• the license server determines that the newly generated reader system signature is within the permissible upgrade drift parameter, then it transmits a new product decryption key and/or new product security fragments, back to the reader system, encrypted according to the new reader system signature.
• the reader system is then able to decrypt the digital product and play, view or otherwise use it in the desired manner.
• one embodiment of the reader system also uploads the raw component signatures of the computer system. This allows customer support to determine which components have changed.
• the reader system signature is generated in dependence upon a component whose individual component signature carries with it external assurances of substantial uniqueness among all computer systems which could reasonably pose as authorized reader systems.
• a component signature can be used by itself, or in conjunction with other component signatures, in order to generate the overall reader system signature. If used by itself, then upgrade drift is usually not permissible without manual re-validation.
• Fig. 1 is an overall symbolic diagram of a system according to the invention.
• Fig. 2 is a block diagram illustrating the structure of a typical reader system of Fig. 1.
• Fig. 3 illustrates the overall system flow for the authoring system of Fig. 1.
• Fig. 4 is a flow chart illustrating the flow of a product registration segment of Fig. 3.
• Fig. 5 is a flow chart illustrating the general operation of the reader system of Fig. 1.
• Fig. 6 is a flow chart of the product purchase preparation step of Fig. 5.
• Fig. 7 is a flow chart illustrating one technique for generating the reader system signature.
• Figs. 8 and 9 together constitute a flow chart of steps which takes place in the license server 104 in response to receipt of a product purchase package.
• Fig. 10 is a flow chart of the step in Fig. 8 in which the license server processes the customer's payment information.
• Figs. 11-13 together constitute a flow chart of the step in Fig. 5 in which the reader system plays the digital product.
• Fig. 14 is a flow chart illustrating the license server's operations in response to receipt of a re- validation package.
• Figs. 15 and 16 are alternative details of the step in Fig. 14 in which the license server determines whether the difference between the two RSS's exceeds a threshold.
• Fig. 1 is an overall symbolic diagram of a system according to the invention.
• the system has three primary components: an authoring system 102, a license server 104 and a reader system 106.
• the overall system is most useful when used with an uncontrolled distribution channel such as an insecure public distribution network 108 (e.g., the Internet).
• an insecure public distribution network 108 e.g., the Internet.
• the author or proprietor of one or more digital products first uses the authoring system 102 to register with the license server 104 as an author.
• Author registration information is transmitted from the authoring system 102 to the license server 104, and an author ID is returned to the authoring system.
• the product When the author has a digital product to market, the product is provided to the authoring system 102, together with certain usage parameters .
• the usage parameters include a set of free usage parameters and one or more sets of paid usage parameters .
• the authoring system compresses and encrypts the digital product (compression is optional) , extracts one or more security fragments from the encrypted product and then packages the product for broadcast via the uncontrolled distribution network 108 and for upload to the license server 104.
• the authoring system then transmits the product registration package up to the license server 104 and receives a product ID in return.
• the authoring system also makes the product broadcast package available on the uncontrolled distribution network 108.
• a "product” can include one or more sub-products, all of which are considered herein to themselves be “products”.
• the customer utilizes the reading system 106 to perform those functions of the digital product which are freely authorized according to the free usage parameters that were previously specified by the author.
• Such functions can include, among other things, a preview of the digital product, and an indication of one or more licensing options which the customer can purchase. If the customer chooses to purchase one of the license options, the reader system 106 examines certain components of the reader system and, in dependence thereon, generates a reader system signature (RSS) .
• RSS reader system signature
• the reader system assembles a product purchase package including the RSS and payment information, and uploads it to the license server 104.
• the license server 104 processes the payment information and, if successful, transmits a product server download package back to the reader system.
• the reader system uses the product server download package to unlock the functions of the digital product which are authorized under the license option that the customer has purchased, and allows the user to use the product accordingly.
• the reader system 106 performs fingerprint and/or watermark insertion as described hereinafter.
• the license server 104 performs a number of functions, including maintaining a database of registered authors and storing all of the product registration packages.
• the license server 104 also stores reader system signatures from customers, performs customer payment validation, as well as certain fraud detection functions as described below.
• the license server 104 also performs the functions of royalty payment clearing. Specifically, license royalties received from (or on behalf of) customers are properly accounted for and transferred to the proper authors after deduction of a commission.
• the authoring system 102, the license server 104 and the reader system 106 are each illustrated as a respective individual block. Depending on the embodiment, each block might contain no more than a single computer, or in different embodiments, different blocks can contain more than one computer.
• one or more of the blocks 102, 104 and 106 contains a number of computers spread out over a great geographical area and interconnected by a network.
• the illustration of the authoring system 102, the license server 104, and the reader system 106 as single blocks is not intended to indicate that each must constitute only a single computer system or that each must be located at a respective single location.
• FIG. 2 is a symbolic block diagram illustrating the structure of a typical computer system which may be used as an authoring system, a reader system or a license server. It comprises a CPU 202 and cache memory 204, both connected to a CPU bus 206. Interface circuitry 208 is also connected to the CPU bus 206. The interface circuitry 208 is further connected to a main memory 210, as well as to two I/O buses: PCI-bus 212 and ISA-bus 214.
• a PCI-bus 212 Connected to the PCI-bus 212 are sound and game controllers 216, a network adapter 232 and a display adapter 218, the last of which is further connected to a monitor 220.
• a hard disk drive controller 222 Connected to the ISA-bus 214 is a hard disk drive controller 222, a CD-ROM drive controller 224, a floppy disk drive controller 226, various I/O ports 228, and a boot PROM 230.
• Most of the peripheral components illustrated in Fig. 2 include on-board configuration data which can be read by the CPU 202.
• the boot PROM 230 includes a portion which is writeable by the CPU 202 to store configuration data.
• the software to operate the authoring system 102, the license server 104 or the reader system 106 is stored on the disk drive controlled by the disk drive controller 222, and brought into main memory 210 as needed for execution.
• the computer system of Fig. 2 communicates with the other systems of Fig. 1, and with the distribution network 108, if appropriate, via the network adapter 232.
• Fig. 3 illustrates the overall system flow for the authoring system 102.
• the authoring system flow is generally divided into two segments: an author registration segment 302 followed by one or more product registration segments 304.
• the author (or other proprietor) of one or more digital products enters his or her identification information.
• Such information can include, for example, the author's name, address, Social Security or other tax ID number, password or other challenge information (for confirmation of identity during customer service calls) , e-mail address and/or telephone number (step 306) .
• the authoring system uses this information to create an author registration package which is transmitted, in step 310, to the license server 104.
• the license server 104 adds the author and the author's identification information to its registered author database, and in step 312, the authoring system 102 receives and stores and author ID from the license server 104.
• the communication between the authoring system 102 and the license server 104 in the author registration segment 302 should take place via digital certificate and one-time secure channel, or by secure, signed electronic mail.
• Fig. 4 is a flow chart illustrating the flow of a product registration segment 304 (Fig. 3) .
• the author identifies one of possibly many digital products to the authoring system 102 and enters usage parameters.
• the digital product is identified, for example, by identifying a filename within which the digital product is stored.
• the usage parameters can include such parameters as the number of copies which will be permitted to be made on the reader system, whether the reader system will be authorized to save the digital product to a hard disk, whether printing will be enabled, whether preview is enabled, and the amount of RSS drift which will be permitted on a reader system before manual reauthorization will be required.
• the usage parameters may be specified as several options, including a set of free usage parameters (for which no payment is required) and one or more options of purchasable usage parameters (functions requiring a purchased license) .
• the author can also indicate at this point whether the product should be compressed.
• the reader system extracts the appropriate preview material with the assistance of the author.
• the entire digital product is then encrypted in a step 406.
• the product is first compressed (step 408) by any known algorithm.
• the product can be compressed using a Lempel- Ziv algorithm or by a Huffman encoding algorithm.
• the compression step 408 is considered part of the product encryption step 406 because compression is, in effect, a form of encryption; it is very difficult to recover the original uncompressed product unless the algorithm used for compression is known. Compression is optional because for certain kinds of products, the benefits to be gained by compression are outweighed by the performance degradation that compression/decompression often entails.
• a product encryption key is generated.
• the key can be generated in any known manner; for example, by a pseudo-random number generator using a seed derived from the time period between two successive user key strokes.
• the compressed digital product is encrypted using the encryption key developed in step 410.
• any known key-based symmetric encryption algorithm can be used (as long as the correct complementary algorithm is used for decryption on the reader system 106) .
• One such well-known encryption algorithm is DES, described in National Institutes of Standards and Technology, "Data Encryption Standard," FIPS Publication No. 46-1 (January 1988) , incorporated by reference herein.
• Triple DES also known as DES-3)
• yet another is RC-5.
• RC-5 is described in R. W. Baldwin and R. Rivest, "The RC5, RC5-CBC,- RC5-CBC-Pad, and RC5-CTS Algorithms", INTERNET-DRAFT (March 1996) , available from ftp: //ftp.nordu.net/internet-drafts/draft-baldwin- rc5-00.txt, visited March 4, 1997, incorporated herein by reference.
• the result of product encryption step 406 is referred to herein as an encrypted "version" of the digital product.
• a “version” of a digital product is still considered to be the digital product, because it continues to include all the information of the digital product.
• a native "version” of a product also is nevertheless “the product”.
• a digital product can exist in several versions, each of which is a reversibly processed version of the native version.
• the authoring system 102 After the product encryption step 406, in step 414, the authoring system 102 generates a digest of the encrypted product. Any- suitable digesting algorithm can be used for this purpose including, for example, an error-correcting code (ECC) generator or the well-known SHA-1 algorithm.
• ECC error-correcting code
• the SHA-1 digesting algorithm is described National Institute of Standards and Technology (NIST) , FIPS Publication 180: Secure Hash Standard (SHS) (May 1993), as amended by National Institute of Standards and Technology (NIST) Announcement of Weakness in the Secure Hash Standard (May 1994) , both incorporated herein by reference.
• SHS Secure Hash Standard
• NIST National Institute of Standards and Technology
• the authoring system 102 separates one or more "security fragments" in the encrypting product.
• the security fragments preferably constitute only a small portion of the overall digital products; for example, 1-5% of the byte count of the overall product not to exceed, for example, 3OK bytes.
• the number and size of the security fragments can be predetermined and constant for all digital products, or it can be dynamically selected or optimized for different digital products. It is desirable to minimize the size of the security fragments while maximizing the effect that their absence would have in helping to prevent unauthorized usage of the digital products. One way of maximizing such effect is to include the beginning of the digital product in one of the security fragments.
• the authoring system 102 In a step 418, the authoring system 102 generates a digest of the encrypted product less the security fragments. Again any digesting algorithm, such as SHA- 1, can be used in this step.
• the authoring system 102 creates a product registration package and transmits it to the license server in step 422.
• the license registration package can form part of a digital certificate in one embodiment.
• the license server stores the product registration package and returns a product ID to the authoring system 102 (step 424) .
• the reason that the security fragments should be kept as small as possible is to minimize the storage capacity requirements of the license server.
• the authoring system 102 creates a product broadcast package for the digital product and makes it available (step 428) via any uncontrolled distribution network, such as the Internet.
• the product registration package which can also be digitally certified, includes the following items:
• usage parameters both the free usage parameters and the usage parameters at various purchasable options
• the product decryption key referred to above is whatever key is required to decrypt the results of the encryption process of step 412.
• the product decryption key will be the same as the key used for product encryption in step 410; for asymmetric encryption algorithms (such as for public key encryption) , the product decryption key might be different than the product encryption key (such as for RSA encryption) .
• the product decryption key is referred to herein as being "complementary" to the key used for product encryption in step 410.
• the product decryption key is the only segment of the product registration package which should be transmitted to the license server securely. Other segments can be transmitted securely if desired or convenient, but this is not necessary. Security of the product decryption key can be ensured, for example, by public/private key encryption of the product decryption key itself, or by connecting to the license server 104 via a secure network.
• the product broadcast package contains the following items. If more than one sub-product is included in the product broadcast package, then the package contains a set of these items for each sub- product . product ID preview material (unencrypted) free usage parameters purchasable usage parameter options
• Fig. 5 is a flow chart illustrating the general operation of the reader system 106.
• the reader software automatically generates an installation ID.
• the installation ID which is stored on disk in the reader system 106, is a substantially unique identifier of the installation.
• the installation ID is stored in such a way that if the particular installation of the reader system software was to be copied to a different system, the installation ID would likely be copied as well.
• the customer/user of the reader system 106 downloads the product broadcast package for a digital product that he or she wishes to examine .
• the customer performs one or more of the freely authorized functions, including a preview of the material in the digital product (if available) .
• the preview material might be a portion of that sound.
• the preview might be a portion of the movie, or a trailer.
• the digital product is an image, then the preview material might include a thumb nail of the image.
• the digital product is text, then the preview material might include an abstract .
• a step 506 the customer chooses to buy a license in accordance with one of the license options made available in the usage parameters.
• the customer enters his or her identification information, payment and contact information.
• the identification information can include the customer's name, address and phone, or optionally an arbitrary privacy ID. Such identification is desirable so that the licensing authority can identify the customer if and when the customer calls in for support.
• the payment information can include a credit card number and authorization and/or digital money information.
• Various forms of digital money are described in Daniel C. Lynch, "Digital Money” (John Wiley & Sons, 1996) , incorporated herein by reference.
• the reader system 106 prepares a product purchase package described hereinafter, and in a step 512, the reader system 106 uploads the product purchase package to the license server 104 at the URL identified in the product broadcast package. Note that multiple or bounce URLs may be available for this purpose.
• the product purchase package may be transmitted by secure channel and/or encrypted in a digital certificate.
• the reader system receives the product server download package for the desired digital product.
• the product server download package need not be transmitted by secure channel.
• the reader system stores the product broadcast package on the reader system (or at least accessibly to the reader system) in conjunction with the product server download package. Either at that time or at a later time, at the customer's request, the reader system plays (or otherwise uses) the product (step 518) . All further use of the product by the customer occurs on the reader system 106 through the reader system software.
• Fig. 6 is a flow chart of the step 510 (Fig. 5) in which the reader system 106 prepares the product purchase package.
• the reader system 106 generates a reader system signature (RSS) for the reading system 106. The manner in which the RSS is generated is described hereinafter.
• the reader system 106 retrieves the previously generated installation ID, and in a step 606, the reader system generates a digest of the encrypted product less the security fragments (as obtained from the product broadcast package) .
• the digest performed in step 606 should be the same as that performed by the authoring system 102 in step 418 (Fig. 4) .
• the reader system 106 extracts the product ID from the product broadcast package and in a step 610, the reader system assembles the product purchase package.
• the product purchase package includes the following items: product ID customer's installation ID customer's identification information (or privacy ID) customer's payment information customer's contact information (including information on where to send the product server download package)
• RSS of the reader system 106 generated digest of the encrypted product less security fragments
• the reader system signature can be generated in a number of different ways in different embodiments.
• the system takes advantage of serial numbers or other identifying data which may be present in the reader computer system, and which carry external assurances of substantial uniqueness. That is, many computers when manufactured are assigned a serial number or other indicator which the manufacturer of the computer, or some other authority, guarantees to be unique. For example, Apple Macintosh computers, when manufactured, are assigned an Ethernet address which is unique to that specific computer.
• the identifier can be assigned in software, such as in the operating system of the computer.
• serial number it is not essential that whatever authority assigns the serial number guarantee uniqueness; it is sufficient only in that it be extremely unlikely that two computer systems which can act as reader systems 106 carry the same identifier. This is the case where, for example, the number carries external assurances of substantial uniqueness, such as in the case of Ethernet addresses.
• the reader system signature does not rely on a component having an identifier that carries external assurances of substantial uniqueness. Instead, a plurality of components (hardware or software) are examined to determine individual component signatures. The individual component signatures are then combined to form the overall reader system signature. In one embodiment, the individual component signatures are all concatenated together in a predetermined sequence to form the overall reader system signature. The individual component signatures may be digested prior to concatenation in order to limit their size to the predefined field size. In another embodiment, optionally after digesting, the individual component signatures are averaged or summed together to form the overall reader system signature.
• the individual component signatures can be weighted prior to combination, in order to reduce the impact on the reader system signature that would result from changes in components that are more frequently subject to upgrade or replacement.
• the reader system 106 generates the reader system signature in dependence upon component signatures from the following components, to the extent present in the system. Except as indicated below, most of the component signatures set forth in this list are readable either from the CMOS or from a device manager driver. This is only an illustrative list; other embodiments can refer to other components not on this list.
• Hard Disk Drive drive ID numbers of cylinders, sectors and heads drive defective sector map (obtained from sector 0) • drive name drive manufacturer
• a combination of individual component signatures also includes one or more component signatures that carry external assurances of substantial uniqueness, to the extent such a component exists in the machine.
• Fig. 7 is a flow chart illustrating one technique for generating the reader system signature for reader system 106.
• a step 704 it is determined whether the reader system 106 includes a component which has an ID that carries external assurances of substantial uniqueness. If so, then the reader system signature is given by the component ID of that component (step 706) . If not, then in step 708, the reader system 106 obtains the data regarding the above-listed components to the extent present in the reader system 106.
• each of the individual component signatures is digested, and they are combined in step 712 to form the reader system signature.
• Fig. 8 is a flow chart of the steps which takes place in the license server 104 in response to receipt of a product purchase package. As used herein, steps which take place "in response to" a predecessor event, do so if the predecessor event influenced the performance of such steps. If there is an intervening time period, the performance of the steps can still be considered "responsive" to the predecessor event. If the performance of the steps depends on more than one predecessor event, then the steps are considered performed in response to each of the predecessor events .
• the license server 104 compares the digest from the product purchase package with the digest of the encrypted product less security fragments as stored on the server 104 with the product registration package for the product ID referred to in the newly received product purchase package. If the two digests do not match, then it is very likely that either the product broadcast package has been tampered with prior to generation of the digest on the reader system 106, or the customer is attempting to obtain the product server download package fraudulently. In this case, the license server 104 returns a package to the reader system 106 indicating that the attempt to purchase a license was unsuccessful (step 804) .
• step 806 the license server 104 processes the customer's payment information. If there is an error in this process, then again the license server returns an indication to the reader system 106 that the customer's attempt to purchase a license has been unsuccessful (step 804) .
• the license server 104 stores the customer's RSS obtained from the product purchase package in conjunction with the customer's installation ID, also obtained from the product purchase package. This information need not be stored “on” the license server 104 itself, as long as it is stored in a manner in which it is "accessible” to the license server 104 at a future time.
• the license server 104 performs certain fraud detection checks. This step is optional in different embodiments, as indicated by the dotted line surrounding the box in Fig. 8. If performed, the fraud detection step 810 can include a check of the installation ID from the product purchase package against the installation IDs that have been stored previously on the license server for other product purchases . If a large number of purchases have been made using product purchase packages specifying the same installation ID, then it is likely that someone has altered an installation of the reader system software and is passing it around to different customers who are using it to purchase licenses. The same is true if the same license has been purchased several times from the same installation ID, or if several significantly varying reader system signatures have been stored in the license server's database in conjunction with the same installation ID. A number of other fraud detection mechanisms can also be employed. In any event, an investigation is warranted if step 810 suggests that an altered version of the reader system software might be being distributed.
• Fig. 8 continues after step 810 with step 902 in Fig. 9, as indicated by the symbol "9" in both Figs. 8 and 9.
• step 902 the license server 104 further encrypts the already once-encrypted security fragments (from the product registration package) using the customer's RSS as a key.
• the key used in step 902 need not be the RSS exactly; it can be some other number which depends on the RSS. For example, it can be a digest reduction of the RSS from the customer's product purchase package. In any event, step 902 results in "double-encrypted" security fragments from the digital product.
• step 902 the product decryption key from the product registration package is also encrypted using the customer's RSS (or a number derived therefrom) as a key. Note that in a different embodiment, either step 902 or step 904 can be omitted, although such an omission would likely reduce the security of the overall system.
• the license server 104 assembles the product server download package, and in a step 908, it transmits the product server download package back to the reader system 106. Processing then resumes in the reader system 106 at step 514 (Fig. 5) .
• the product server download package includes the following items:
• Fig. 10 is a flow chart of the step 806 (Fig. 8) , in which the license server 104 processes the customer's payment information.
• Fig. 10 illustrates the process where the customer is paying by credit card; a similar process would take place where the customer is paying with digital money or in some other payment form.
• step 1002 the license server 104 transmits the charge information to a credit card clearing house.
• the credit card clearing house returns either an approval code or an error.
• step 1004 if an error was received, then the license server 104 returns an error to step 806 (Fig. 8) (Step 1006) . If an approval code was received, then in step 1008, the license server 104 credits the author's account with the amount of the approved purchase price less a commission. In step 1010, the license server 104 returns successfully to the step 806 (Fig. 8) .
• Fig. 11 is a flow chart of the step 518 in which the reader system plays the digital product. (The terms “play”, “view” and “use” are used interchangeably herein as regards a digital product.)
• the reader system 106 regenerates the RSS for the reader system. This step takes place using the same algorithm that was used in step 602 (Fig. 6) when the RSS was generated for preparation of the product purchase package.
• the reader system 106 decrypts the double-encrypted security fragments using the new
• the key used in step 1104 need not be the RSS identically; another number which depends on the RSS can be used instead. However, whatever algorithm is used to derive the key from the RSS in step 1104 should be the same as that used in step 904.
• step 1106 the reader system 106 merges the encrypted security fragments into the encrypted product less the encrypted security fragments, thereby assembling a complete, but still encrypted, version of the digital product.
• step 1108 the full encrypted digital product is digested using the same algorithm as was used originally by the authoring system 102 in step 414 (Fig. 4) .
• step 1110 the reader system 106 determines whether the newly calculated digest matches the digest which was provided by the license server 104 in the product server download package. If so, then usage of the product on the reader system 106 is authorized. Flow continues with the flowchart of Fig. 12 (as indicated by the number "12" in the small circles in both Figs. 11 and 12) . If the two digests do not match in step 1110, then usage of the product on the reader system 106 is not immediately authorized. Flow continues with the flowchart of Fig. 13, as indicated by the number "13" in the small circles in both Figs. 11 and 13.
• the current reader system signature has been confirmed to be the same as that which was used when the reader system 106 first uploaded its product purchase package in step 512 (Fig. 5) . It is also the same RSS that was used to encrypt the product decryption key as downloaded from the license server 104 to the reader system 106 in steps 908 and 514. Accordingly, in step 1202, the reader system 106 decrypts the product decryption key from the product server download package using the current RSS.
• the actual key used to decrypt the product decryption key in step 1202 need not be identical to the current RSS, as long as it is dependent thereon, and as long as the algorithm to generate the key is the same as that which was used to generate the key with which the product decryption key was originally encrypted in step 904 (Fig. 9) .
• step 1204 the reader system 106 decrypts the merged encrypted product using the product decryption key that was decrypted in step 1202.
• step 1206 if the decrypted product was compressed, it is now decompressed using an algorithm complementary to that used by the authoring system in step 408 (Fig. 4) .
• the resulting decompressed digital product is transmitted in step 1210 to an appropriate viewer. It will be appreciated that once the digital product is transmitted in step 1210 to a viewer, which may be any standard viewer appropriate to the content of the digital product, the output stream is no longer secured by the mechanisms built into the overall system as described herein. Accordingly, a step 1208 is optionally inserted between steps 1206 and 1210 of Fig. 12.
• a fingerprint and/or a watermark is (are) inserted into the digital output stream prior to or while it is being provided to the viewer.
• Watermarking is a technique using a visible identifier that will let the user know that he or she has been associated with this particular instance of the content . It acts primarily as a deterrent.
• Fingerprinting embeds and hides codes into the output stream itself that are retrievable only by the author or by the licensing authority. Such codes uniquely associate the particular copy of the digital product with the individual who purchased it . Fingerprinting is used primarily for criminal prosecution and court proceedings.
• the fingerprint is inserted in a manner which does not affect the resulting viewing experience.
• the output stream includes CD audio
• the fingerprint can be spread over a large number of the audio samples, either substituting for the low-order bit or modifying the low-order bit in an exclusive OR manner in each sample.
• the data stream can be transformed into the frequency domain, modified in the frequency domain to insert the fingerprint codes, and then transformed back to the time domain.
• steganographic techniques can be used to insert the fingerprint into the image. Steganography is described in Neil F.
• the fingerprint to be inserted in the digital output stream should preferably be either the installation ID of the reader system 106, or the reader system signature that was generated at the time of product usage (step 1102) .
• the output stream can also be randomly seeded to further hamper differential cryptanalysis. In this manner, if pirated copies of a digital product do begin to appear, the author of the product or the licensing authority should be able to determine the original source of the pirated copies by examining the fingerprint.
• the reader system 106 determines that the newly generated reader system signature is not the same as that which was generated in step 602 (Fig. 6) at the time of product purchase. In an aspect of the invention, this determination does not immediately preclude usage of the product by the customer on the reader system 106. Instead, proceeding in Fig. 13, in a step 1302, the reader system 106 prepares a re-validation package.
• the re-validation package can be the same as set forth above with respect to the product purchase package, except that the customer's payment information can be omitted.
• the reader system 106 uploads the re-validation package to the license server 104 at the URL identified in the product broadcast package.
• Fig. 14 The license server's operations in response to receipt of a re-validation package are set forth in Fig. 14.
• a step 1402 it is first determined whether the RSS in the re-validation package was based on a component in the reader system 106 having external assurances of substantial uniqueness. If so, then re-validation is considered unsuccessful (step 1404) and this result is returned to the reader system 106. If the RSS in the re-validation package was not based on a component having external assurances of substantial uniqueness, then in step 1406, the license server 104 compares the new RSS from the re- validation package to the RSS previously stored accessibly to the server for the same reader system 106 (as identified by the installation ID specified in the re-validation package) .
• the threshold can be specified as a percentage of one or the other RSS, or as a number of component signatures which differ between the two RSS's, or by a number of other different specifications . If the difference between the two RSS's does not exceed the designated threshold (step 1408) , then the re-validation is considered successful.
• the license server 104 prepares a new product server download package using the same algorithms as set forth above with respect to Fig.
• the license server 104 also stores the new RSS in conjunction with the installation ID specified in the re-validation package. A history of such ostensible reader system upgrades is maintained on the server 104.
• Fig. 15 is a detail of step 1408 (Fig. 14) in which the license server 104 determines whether the difference between the two RSS ' s exceeds the threshold specified by the author in the usage parameters for the digital product.
• the flowchart set forth in Fig. 15 represents one embodiment, in which the threshold has been specified as a percentage.
• the server 104 calculates the weighted sum of the RSS received in the product re-validation package.
• the server 104 makes the same calculation with respect to the RSS previously stored on the server 104.
• the license server 106 determines whether the difference between the two calculated values exceeds the threshold specified by the author in the usage parameters. If so, then in step 1508, the routine returns to Fig. 14 affirmatively.
• Fig. 16 is a detail of step 1408 (Fig. 14) as performed in a second embodiment, in which the upgrade drift percentage is specified as a maximum number of components whose individual component signatures can differ between the two RSS's.
• the server 104 counts the number of components of the RSS in the re-validation package, which differ from the corresponding components of the RSS previously stored on the server 106 from the original product purchase package. If the count exceeds the predetermined drift threshold, then the routine returns affirmatively (step 1606) . If not, then it returns negatively (step 1608) . Returning to the reader system flow as illustrated in Fig.
• step 1306 the reader system 106 receives the re-validation result. If the re-validation was unsuccessful (step 1308) , then the reader system displays an error message to the user and requests the customer to call customer service of the licensing authority (step 1310) . In this situation, automatic re-validation has failed, and manual re-validation as in step 1310 is necessary. During the call, a customer service representative can determine whether the customer's license should be extended to cover the reader system 106 as it now stands. If automatic re- validation was successful (step 1308) , then the reader system returns to step 514 (as indicated by the numeral "5" in the small circle in both Figs. 13 and 5) to store and process the new product server download package in the same manner as it processed the original product server download package received upon purchase.

Landscapes

• Engineering & Computer Science (AREA)
• Theoretical Computer Science (AREA)
• Physics & Mathematics (AREA)
• Computer Security & Cryptography (AREA)
• Computer Hardware Design (AREA)
• Software Systems (AREA)
• General Engineering & Computer Science (AREA)
• General Physics & Mathematics (AREA)
• Business, Economics & Management (AREA)
• Multimedia (AREA)
• Technology Law (AREA)
• Computing Systems (AREA)
• Accounting & Taxation (AREA)
• Signal Processing (AREA)
• Computer Networks & Wireless Communication (AREA)
• Strategic Management (AREA)
• Mathematical Physics (AREA)
• General Business, Economics & Management (AREA)
• Finance (AREA)
• Management, Administration, Business Operations System, And Electronic Commerce (AREA)
• Storage Device Security (AREA)

Applications Claiming Priority (3)

Publications (1)

Family

ID=25224756

Family Applications (1)

Country Status (4)

Families Citing this family (131)

Family Cites Families (2)

• 1998
  • 1998-03-11 EP EP98912914A patent/EP0968585A1/de not_active Withdrawn
  • 1998-03-11 AU AU67591/98A patent/AU6759198A/en not_active Abandoned
  • 1998-03-11 IL IL13187698A patent/IL131876A0/xx unknown
  • 1998-03-11 WO PCT/US1998/004658 patent/WO1998042098A1/en not_active Application Discontinuation

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events