JP2723231B2 - Software rights management control method - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION [Industrial Application Field] The present invention provides a software
Licenses for software, collection of usage record information, etc.
Software without interference and interference
Software in a data processing device
It relates to a rights management control method. With advances in semiconductor technology, the value of computer hardware
Degradation, miniaturization, and high functionality are rapidly progressing. Her
Advancement of hardware functions requires advancement of software
As a result, hardware developers and software developers
Clear division of labor between the issuers and users is being promoted. However, the software distribution environment is currently mixed.
It can be said that the situation is disturbed, and
For protection of software right holders and user convenience,
It is a system that balances
It is desired to build a system that supports mass distribution
You. [Prior art] Software development requires a large number of people and time.
User or a third party,
Duplicate software to make exactly the same
Can be done relatively easily. To develop software
Right holders (software right holders) pay less
In many cases, it becomes impossible to collect money.
Added the price of software products to losses due to plagiarism
Value (2) Unauthorized duplication is prohibited by contract,
(3) The software is distributed in a non-copyable medium.
(4) Use by computer serial number, etc.
Actions must be taken by limiting the possible devices.
Have been done. However, the above (1) is excessive for legitimate users.
The above (2) requires complicated contract procedures.
And the effect is not enough.
Is a problem that makes backup impossible,
Investigate the means by which it is
There is a problem that it can be manufactured.
In order to identify the computer, special
Specialization is required and free software distribution is hindered.
There is a problem of being harmed. As a solution to these problems, the applicant has
Rights of software right holders, user freedom, and distribution
Software service system that satisfies three easiness at the same time
The basic concept of the SSS is proposed. [Ryoichi Mori: “So
Software Service System ", IEICE Journal, Vol. 67,
No.4, pp.431-436 (Apr.1984)] Based on the software service system proposed here
The book is: (1) If the software meets any conditions
In addition, there should be an internal condition for permitting the execution.
You. (2) The user's rights are described inside the computer
There should be a rights record. This includes common credit
Records, purchase records, trial records, special license codes, etc.
obtain. (3) The computer records the rights record in (2) above in (1)
Use the software only if the license conditions are met
Should have an execution management mechanism that allows (4) The right holder can grasp the usage status of the software
As such, the computer should have a record of recovery work.
You. This work record can be used without any special trouble for the user.
There may be electronic means to retrieve the record. ...
You. By the way, the proposal of this software service system
Separately, encrypted instructions and data are stored in main memory.
When the instruction is fetched, the serial number of the computer
Computer architect that decrypts and executes with a decryption key such as
Kucha is known. [Problems to be Solved by the Invention]
When implementing in a ramming environment, multiple software
Multiple programs related to the right holder are calculated simultaneously in a time-sharing manner.
The vehicle will run using computer resources. in this case,
First, control the hardware mechanism related to rights management
A program that checks how the subject is licensed
(Hereinafter referred to as the license condition program)
2. Permission conditions in a multi-programming environment
The program and the software whose execution is controlled by it
Third, how to maintain the correspondence with the hardware itself
Swapping and professional
Granting access rights to perform
Tampering with the terms and conditions of the terms and conditions program
How to avoid disturbing the flow of
Considerations on whether to restrict access rights
It becomes important. Conventionally, appropriate
There was no mechanism to control the execution of the computer. The present invention solves the above problems, and
Control methods suitable for realizing rights management in a mobile environment
It is intended to provide. [Means for Solving the Problems] FIG. 1 is an explanatory view of the principle of the present invention. In FIG. 1, reference numeral 10 denotes rights management, which is a unit of rights management.
The target program, 11 checks the license conditions and checks the software
A license condition program that controls the execution of the
According to the purpose of use of users such as professional software and compiler
The software that performs the processing
Management interrupt generation mechanism for controlling interrupts related to
4 is the right to change the rights management status by a rights management interrupt
Process for changing the management status, 15 is the program status word
(PSW), 16 is the right to identify the rights-managed program 10.
Management ID (PMID), 17 is the password of the rights management target program 10.
Record the key to decrypt the encrypted instruction for each rights management ID16
Rights management table, 18 for managing encrypted instructions
Of the instruction at the time of fetching the instruction. The rights management target program 10 is, for example, a license condition program.
It is composed of a pair of RAM 11 and software
You. All or part of these may be rights-managed programs.
Encrypted with a plurality of encryption keys determined for each
Have been. Encrypted when loading rights-managed program 10
The key information for decrypting the executed instruction is the rights management target program.
Rights tube uniquely assigned in the system for Ram 10
The information is written in the right management table 17 together with the management ID 16. Program status word 15 is the current rights management
There is a field in which the logical ID 16 is set. Program
Is set in program status word 15 during program execution.
Corresponding to the rights management table 17 according to the rights management ID 16
The entry is accessed, and the decryption key (KE
Y) is read out and sent to the decoding circuit 18. Decryption
When the circuit 18 fetches the encrypted instruction,
Decryption using the decryption key read from the profit management table 17
And sends the decoded instruction to the instruction execution unit of the computer.
You. In the present invention, a processing device such as an operating system is used.
In addition to the supervisor interrupt that activates the function,
Rights management interrupt generation mechanism that controls changes related to logical state
13 will be provided. Then, the rights management interrupt generation mechanism 13
When a rights management interrupt occurs, the rights management
Rights management in the rights management table 17 by the change processing 14
Save status and current program status word 15
Change the rights management ID 16 of. As a result,
Switch the key for decrypting. [Operation] According to the present invention, the interrupt is transmitted to the operating system.
Interrupts related to resource management by the system
Rights management interrupt to control the status
Will be separated. When a rights management interrupt occurs, the rights management state changes.
The rights management based on the rights management table 17
Hardware status related to rights management
An entity that can control the structure is identified by a specific license
It can be individually limited to gram 11 or the like. Also,
Since decryption keys are managed individually, certain license condition programs
Rights such as an entry in the rights management table 17 corresponding to the
Information about rights management in other rights-managed programs10
Can prevent tampering by
You. In addition, interrupts are at least the same as traditional interrupts and rights management.
Since there are two interrupt systems, the operating system
Also prevent unwanted involvement in rights management by the system.
It becomes possible. [Embodiment] FIG. 2 is an example of a distribution form of software using the present invention.
FIG. 3 is a diagram for explaining rights management according to the present invention.
FIG. 4 is a state transition diagram of the rights management state, and FIG.
FIG. 6 shows an example of a hardware configuration used in the present invention.
Figure 7 shows an example of the configuration of the target software.
Fig. 8 shows the configuration of the P interrupt request table
Example, Fig. 9 is an example of S interrupt control, Fig. 10 is from S interrupt
FIG. 11 shows an example of the return control of the motor according to the embodiment of the present invention.
Fig. 12 shows an example of the use of tack,
FIG. 3 is a diagram for explaining the relationship between intervals and keys. The present invention is intended to protect and promote the use of software.
For example, as shown in Fig. 2, software distribution form is adopted.
It can be used when doing. The software right holder who developed the software
Use of software when distributing software
Condition program describing the conditions required of the licensee
And combine it with the software that developed it.
And encrypted, using free media, including broadcasting by radio waves.
And distribute the software. Users who want to use the software, for example,
Vending machines such as vending machines
Purchase by Shin. The content of this common credit is an example
For example, via a medium such as an IC card,
It can be entered. The user can use the IC card on which the contents of the common credit are recorded.
The software rights management control function of the present invention.
Attached to a data processing device 20 and obtained from an appropriate flow passage
The software that has been run on the data processor 20
You. As a result, the license agreement program for the software
The system operates with the decryption of the
Checks related to common credit information
U. Charges recorded on common credits as needed
Is subtracted. Required only if the check passes
Control that enables execution of the software itself. That
At that time, work record information on its use is accumulated,
Post the work record (AR) to the IC card at an appropriate time
You. The work record written on the IC card is
To continue using the credit, pay new fees
When resetting the internals of more common credits,
Read by a scanning machine and collected. This work record
By referring to the information, you can manage the software usage status.
On the basis of which multiple software right holders
And a reasonable distribution of fees can be made. The software distribution form shown in Fig. 2 is an example.
Therefore, the present invention is not a common credit,
A) When using a distribution form that manages individual usage qualification information
Can also be employed. Also, use media other than IC cards.
It is also possible to use. According to the present invention, the data processing device 20 includes a plurality of independent
Software that has been
Can be operated in a row. The rights management according to the invention is conceptually illustrated in FIG.
Become like In a multi-programming environment, operating and
If the system allocates I / O devices and processors
Management of computer hardware resources such as
You. In this case, the error may be caused by executing the wrong program.
In order not to disturb, and to use computer resources
Resources are arbitrarily determined by users who intend to use
In order to prevent the computer from being used,
The state is widely divided into the supervisor state and the supervisor state.
ing. The user's program runs in user state and
The operating system for management is usually a super
Executed in visor state. And the use of resources by users
Prevents abuse and allows the user to change the execution state without permission
Supervisor state from user state to avoid
Interruption (including indexing) by means for changing the state to the state
To separate the two states. Here, the permission condition program as described in FIG.
Related to decryption of data, reading and writing of common credits, etc.
Operate rights management under supervisor status
If it is controlled by the
Operating system that has been internally modified to
Have no resistance to loading the system.
No. On the other hand, the operating system
Countermeasures that make it difficult to change the content by making it hardware
Operating system version
Other problems occur, such as the inability to upgrade. Therefore, in the present invention, rights different from the supervisor state are set.
A special execution state called the management state is newly established. Rights management
Want to run software as free as possible
In an environment where users may think that
Or externally supplied software while avoiding negligence intervention.
Software rights management program
Can be executed. Rights management state changes state from another state to it
The point that the means is limited to interrupts and other states
Is similar to supervisor state in that it has
But unauthorized access due to cryptographic applications and key management
The point of prevention is greatly different from the supervisor state. As shown in FIG. 3, the operating system
Is unable to manage resources under supervisor status.
And the terms and conditions of the licenses
The programs 11A, 11B, ... restore the individually encrypted instructions.
Under the rights management state in which the key information to be encrypted is set,
By monitoring the execution of the software main units 12A, 12B, ...
To manage rights. Below, the license terms program and its
Together with the software itself controlled by
It is called profit management. By establishing a rights management status, the data
The data processing device performs a state transition as shown in FIG. 4, for example.
U. User (US) state, supervisor (SV) state, rights
There is a management (PM) state, and the supervisor state is SV
It is divided into p state and SVu state. SVp state and SVu state are
The instructions and access rights that can be used are exactly the same.
However, if a return instruction from interrupt is executed, the PM status
The difference is whether to return to the US state. The above four states (SVp, SVu, PM, US) are independent 2
It is represented by two status bits. One of them is Logra
S bit to be placed in the system status word 15
One is a P bit placed in the right management table 17. The state transition accompanying the change of the S bit is the supervisor state.
Program to be executed by the OS, that is, the operating system
Related to the control of the system
A state transition is a program executed in the PM state,
It relates to the control of the acceptance condition program. The state transitions of these two systems are placed in an orthogonal relationship, and
So that it does not directly affect the state transition of other systems.
Separation of the control mechanism between resource management and rights management
Is planned. Hereinafter, the conventional interrupt related to the S bit is called the S interrupt.
The rights management interrupt of the present invention related to the P bit
Called interrupt. FIG. 5 shows a hardware configuration used in the present invention.
As shown. In FIG. 5, those having the same reference numerals as those in FIG.
Corresponds to what is shown. 30 is an operation that is an instruction execution unit
/ Control part, 31 is IC card interface, 32 is IC card
Credit that stores the common credit information entered from
Register (CCR) 33 is software purchase information.
Which have rights management information specific to each software
Separate rights memory (SRM), 34 is software usage information
Is a work record memory (ARM) in which is recorded. Common credit register 32, individual rights memory 33, work record
The recording memory 34 is constituted by a nonvolatile memory. 35 is the license agreement program or the entire software
DES encryption mechanism for decrypting part or part by DES method, 3
6 is a P interrupt that stores control information such as P interrupt factors
The request table (PIT), 37 is the software that is subject to rights management.
When loading the software, decrypt the key storage described later.
Public key cryptosystem. The structure of the software handled by the device shown in Fig. 5 is, for example,
For example, it is as shown in FIG. Key storage, license agreement
From program 3 and software 12
Become. In the present embodiment, the license holder designates the license condition program 11.
The key (KEY1) given to the user is encrypted by the so-called DES method.
Encoding. In addition, at least a part of the software main body 12
By the key (KEY2), which is also arbitrarily given by the right holder
Encrypt with S method. For the DES method, for example,
"Shinichi Ichimatsu:" Research on Data Protection and Encryption ", Japanese Economy
Newspapers [1983]). The key storage unit contains a unit that identifies this software.
Security rights number (PN) and individual rights record (SR)
A private SR access key to manage access
Decrypt acceptance condition program 11 and software body 12
KEY1 and KEY2 are set. Ki
-The storage unit is, for example, RSA, one of the public key cryptosystems.
Encrypted by law. Note that this RSA method, for example,
By the authors of the "Research on Data Protection and Encryption"
Have been. Public-key cryptography knows keys that use encryption
If you do not know the decryption key that is the secret key,
There is a characteristic that the number cannot be solved. Of course others
Even if the encryption method of the above is used, the present invention can be similarly implemented.
It is possible. The key for decrypting this key storage is hardware
A) At the time of manufacture, the inside of the public key encryption mechanism 37 shown in FIG.
Keep it in. Load this software into main memory
At the time, the key storage is decrypted by the public key encryption mechanism 37
Then, the decryption result is set in the right management table 17. The rights management table 17 stores, for example, rights as shown in FIG.
It has information about interest management. The record in the rights management table 17 is
PMID, rights number (P
N), SR access key, permission condition program
DES key (KEY1) required to execute the software itself
DES key (KEY2) required to enable, KEY2 valid / invalid
Bit (K2F), Letter of rights management by license terms program
Bit indicating the status or not, the corresponding rights management pair is loaded
Initial bit that indicates that immediately after
Stack check command to confirm stack validity
Consists of nine fields. The number of rights management pairs that can exist simultaneously in the system
It is equal to the number of records in the profit management table 17. Multiple records
Has a PMID that matches the value of the current PMID in the PSW
Record is called the current PMT record, and rights management
Access to records in table 17 is normally
In this case, the operation is performed on the current PMT record. The P interrupt request table (PIT) 36 shown in FIG.
Table used by the P interrupt generation mechanism 13
And has a configuration as shown in FIG. 8, for example.
You. Each record in PIT36 is a rights control requesting a P interrupt.
A field that stores the PMID of the logical pair and its SR access key
Field that describes the cause of the requested P interrupt (P
−Reason), describe the jump destination address when a P interrupt occurs
Field (New-PC), P
From the five fields describing the parameters
Become. Record in PIT36 is a privilege that can be used only in the PM state
Generation / deletion is enabled only by an instruction.
Check the access right using the access key.
Already exists from the license condition program other than the right holder
PIT records cannot be rewritten or erased.
ing. P interrupt sources include, for example, P interrupts in the US state.
Instruction execution, timer interrupt, specific instruction in US state
Execution (instruction trap). For timer interrupt
The time interval of interrupt occurrence as a power meter
Any instruction code can be used for the instruction trap.
Can be given as a parameter. This
The license terms program may be
Controls the execution of the main unit and controls the execution of the main unit.
Work records for
ing. The P interrupt generation mechanism 13 shown in FIG.
Automatically when the cause specified by the RAM in PIT36 occurs.
Is a mechanism that causes a P interrupt to
For example, use the same general interrupt technology as the conventional technology.
Since it can be implemented by using
You. An S interrupt is issued to make the S and P interrupts independent.
The operation of the processor when it is generated is shown in, for example, FIG.
(A) to (i) shown in FIG. (A) When an S interrupt occurs, firmware etc.
Checks the P bit 0/1 of the current PMT record.
If it is 0, the control is transferred to (g). (B) If the P bit is 1, the current PSW and program
Generates a 16-bit cyclic code from the value of the ram counter
And a new stack check code 1 is set. (C) Generate a 16-bit random number and use the new stack check code.
Mode 2. (D) New stack check codes 1, 2 and current PMT
Old stack check code 1,2 taken from record
4 words (64 bits) are encrypted with KEY1 and
To torre. (E) New stack check codes 1 and 2 are assigned to the current PMT
Store to record. (F) The destination address (New-PC) of the PIT is
To the timer counter. Then, control is shifted to (h).
You. (G) If the P bit is 0, the interrupt vector is
Set to the gram counter. (H) PSW, program counter, stack format
Stack code. (I) Set the S bit of the PSW to "1" and set the operating
・ Transfer control to the system interrupt processing routine. In this example, the jump destination address at the time of the S interrupt is
New value to be set in the program counter,
Use the method of loading from the so-called interrupt vector table
Have been. In the supervisor state, RSE (Return from S-Exc
eption) instruction to execute PM status or US status
State. Processor behavior at that time
Are, for example, as shown in (a) to (g) of FIG. (A) Check the P bit 0/1 of the current PMT record.
Click. If it is 0, control is transferred to (f). (B) From the stack, stack check codes 1, 2
And old stack check codes 1 and 2
Is decrypted by KEY1 and stored in the processor. (C) Whether the value is the PSW of the stack and the value of the program counter
Generated a 16-bit cyclic code, and
Compare with the extracted stack check code 1. Irregular
If it matches, treat it as an error. That is, the PM state
Prevent transitions. (D) Next, the stack check of the current PMT record is performed.
Code 2 and the stack check extracted in (b) above.
Compare with code 2. If they do not match, an error
To process. (E) Copy old stack check codes 1 and 2 to the current PMT
Store to code. (F) Return the S bit of PSW to “0”. (G) Program counter stored in the stack
Set the value of the data to the program counter. And
Return to the routine executed immediately before the interrupt occurred. When transitioning from the PM state to the SVp state by an S interrupt,
For example, as shown in FIG.
It is evacuated to supervisor space by Sessa. Stud
The check code indicates that the information saved on the stack is
To be rewritten by the operating system
This is the code used to prevent it. The stack check code 1 is as described in FIG.
PSW and program counter saved on the stack
Is a cyclic code generated from the value of
Check code 2 is a 16-bit random number. These are
At the same time as being saved to the tack, the current PMT record
Is also stored and checked later when the information of the stack is retrieved.
Clicked. This rewrites the contents of the stack
That can be detected. For the old stack check codes 1 and 2, interrupts are nested.
To record the old stack check code
It is for Figure 11 shows the transition from the US state to the SVu state.
The data shown in (b) is saved on the stack. SV
When an S-interrupt occurs in the state shown in FIG.
Data is saved on the stack, and the P value that can be saved in the US state
When an interrupt occurs, the data shown in FIG.
Evacuated to Note that in the SV state, the P interrupt
Clicked. In the present embodiment, the program is executed for each state of SV, PM, and US.
Automatically depending on accessible space and hardware
The encryption key to be used is determined. Figure 12 shows the sky
It shows the relationship between keys and keys. The program execution in the PM state is as follows.
is there. Instruction fetch, data load / scan in PM state
Tor, subroutine call,
Main memory such as saving the program counter to the stack
The current PMT when writing or reading
Automatic encryption and decryption using KEY1 in record
Is performed by the DES encryption mechanism 35 shown in FIG. PM
The address space used in the state is exactly the same as the space in the US state.
One, not distinguished. These are controlled by key management.
Only quarantined. Even operating systems do not know the key
Unless the license condition program is suspended or forcibly terminated
Other than doing something else,
No. To return from the PM state to the US state, use RPE (Return from P-E
xception) by the execution of instructions. In the US state, the current
Performs decryption using KEY2 of the PMT record. However,
To reduce the decrease in instruction execution speed due to
Rather than encrypting all parts of the program
A method that allows the user to specify the range
Is desirable. Therefore, in the US state, the current PMT record
An instruction to control the K2F bit of
When the instruction is fetched, only while the
The encryption is performed automatically. The operating system performs the following processing. Entire rights-managed software is encrypted
Load to main memory as it is. Next, a new record is created in the rights management table 17.
Issue an instruction to execute. In this instruction,
PMID value to be given to the right management pair
The start logical address of the software key storage is
Meter. The PMID value is unique within the system.
If it works, it is optional. With this instruction, the hardware
Decrypts the key storage of software and software
Information in the rights management table 17 and a new PMT record
Create At the same time, the field of the current PMID of the PSW
To the PMID value of the rights management pair to be executed
set. Initial bit of rights management table 17
And the P bit are set to "1". Execute the RSE instruction. The current PMT record is new
This initial bit
When the RSE instruction is executed when this bit is "1", the processor
Status changes to PM status, and execution is controlled by the license condition program.
Is passed. At the same time, the initial bit is cleared
After that, the license agreement
The means for transferring control to the program is the RSE instruction for the S interrupt
Will not exist except for the execution of By the above, the rights management pair is generated, and the permission condition
Execution starts from the beginning of the program. Permission terms program
At the beginning of the program, a program for conversation with the user
Start measuring the execution time of the
To write an interrupt request to the P interrupt request table.
Grams etc. can be placed. After that, the software book
Issue an instruction to transfer control to the body. In this instruction, the P bit
Is cleared. Thereafter, the US state and the PM state are changed by the P interrupt and the RPE instruction.
The program is executed while moving back and forth. right
When the execution of the management pair ends, the operating system
The system uses the PMID of the rights management pair to be erased as a parameter.
Issue a PMT erase instruction. This allows hardware
The corresponding record in the rights management table and
The corresponding entry in the PIT is deleted. For any order relating to rights management, for example, any order
Whether or not to prepare is described in the above description of the embodiment.
Obviously, the function of each instruction is not changed or extended arbitrarily
obtain. [Effects of the Invention] As described above, according to the present invention, a multi-program
Rights with excellent maintainability and flexibility in a ramming environment
Management can be performed, and software can be freely expanded.
Distribution and distribution of software
You can build a stem.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a diagram for explaining the principle of the present invention, FIG. 2 is a diagram for explaining an example of a software distribution form using the present invention, and FIG. FIG. 4 is a state transition diagram of a right management state, FIG. 5 is a hardware configuration example used in the present invention, FIG. 6 is a configuration example of software to be rights managed, and FIG. 7 is a right management table. FIG. 8 is an example of a P interrupt request table, FIG. 9 is an example of an S interrupt control, FIG. 10 is an example of a return control from an S interrupt, and FIG. 11 is a stack in one embodiment of the present invention. FIG. 12 is a diagram for explaining the relationship between a space and a key according to an embodiment of the present invention. In the figure, 10 is a rights management target program, 11 is a license condition program, 12 is a software main body, 13 is a rights management interrupt generation mechanism, 14 is a rights management state change process, 15 is a program status word, 16 is a rights management ID, 17 is the rights management table, 18
Represents a decoding circuit.

Continuation of front page    (56) References JP-A-60-77218 (JP, A)                 JP-A-60-191322 (JP, A)                 JP-A-63-145532 (JP, A)                 IEICE Transactions, J70-D               [1] (1987-1-25) 70-81                 IPSJ `` Super Editing / Super Distribution / Super               Architecture Symposium on Management               Bunshu "(1994) 67−76

Claims (1)

(57) [Claims] It has a computer that decrypts and executes the encrypted instruction with a given key, and as an execution state of this computer,
A supervisor state capable of executing privileged instructions used by the operating system, a rights management state capable of executing rights management instructions, and a user incapable of executing the privileged instructions and rights management instructions A rights management interrupt generation mechanism (13) for controlling a rights management interrupt for transitioning the execution state of a computer from the user state to the rights management state in a data processing device having a state. Among the programs to be rights-managed, a part or all of a first program that performs a process according to a use purpose of a user and a permission condition for execution of the first program are checked, and the execution of the first program is performed. And a second program for controlling the right and the second key respectively in advance by using first and second different keys. Decrypting the second program with the second key in the management state to operate the second program, thereby controlling the execution of the first program, and executing the first program in the user state with the first key The execution is transited to the right management state by the right management interrupt in the user state, and the control for switching the key to be decrypted from the first key to the second key is performed. In addition, the first program and the second
Manages a first key and a second key for decrypting each of the pair of programs, and executes the pair of the first program and the second program to be rights-managed in the supervisor state. When the control is transferred to another pair of the first program and the second program to be rights-managed, control for switching between the first key and the second key to be decrypted is performed. Software rights management control method.