KR101487175B1 - Host device and Storage device for separating management of RO, method for separating management of RO, and storage media recorded program executing separating RO management - Google Patents

Abstract

The present invention relates to a host terminal and a storage device for a separate RO management for managing a right object (RO) through interoperation between a host terminal and a storage device, a separate RO management method, and a recording medium on which a program for performing the same is recorded . The present invention provides a DRM agent for digital copyright protection in a host terminal and a storage device separately from a DRM agent for a host terminal and a DRM agent for a storage device, The DRM agent for the storage device transmits the digital content protected by the digital rights management (DRM) to the storage device, And performs a management function for RO of contents.

Description

TECHNICAL FIELD [0001] The present invention relates to a host terminal and a storage device for managing a removable RO, a detachable RO management method thereof, and a storage medium storing a program for performing the same. executing separating RO management}

The present invention relates to a digital rights management (DRM) system for protecting the copyright of digital contents, and more particularly, to a system for managing a rights object (RO) A host terminal, a storage device, a separate RO management method thereof, and a recording medium recording a program for performing the same.

2. Description of the Related Art [0002] Recently, various types of digital contents used in a host terminal have been developed in accordance with the increasing use of various host terminals such as a personal computer (PC) and a personal digital assistant (PDA).

Digital contents mean letters, sounds, sounds, images, and the like, which are made in a digital format. Recently, with the development of digital technology, the types of digital contents have become more diversified such as games. These digital contents are freeware that can be freely used, but most of them are developed for commercial use, and they are used after purchasing a license or a program at a predetermined price. However, there are many cases in which some users illegally copy or use them through cracking.

Therefore, to protect the rights of developers, DRM technology that protects copyright on digital contents is becoming more important.

DRM refers to technologies and services that prevent the unauthorized use of digital contents, protect the rights and interests of digital contents providers, prevent illegal copying, charge fees, settle and distribute contents, and support distribution and management. Include digital rights management technology that allows only legitimate users to use content and pay appropriate fees, software and security technology for copyright approval and enforcement, and payment / billing technology.

Particularly, in such a DRM system, various methods are used to prevent illegal copying and use of digital contents. The most common method is to use an authentication key. This method allows digital content to be installed or executed only when an authentication key is input. However, illegal use or illegal copying is still performed by users sharing the authentication key or reverse engineering the key verification algorithm.

In a more powerful way, there is a way to provide a hardware key lock so that it is executed only when the provided key lock is present when the program is executed. However, this method can also be disabled by modifying the program to bypass only the portion of the key lock.

As a result, the illegal use of digital contents is still being performed, and the damage caused by content developers due to unauthorized use of digital contents is increasing. Unauthorized use of digital contents is a factor that deteriorates the development desire of the application program of the content developer. Further, when developing digital contents, it is necessary to concentrate more on security technology for suppressing illegal copying and use, Which increases the cost, which is a burden on the content provider.

In addition, since the management of the RO is performed through the DRM agent existing in the host terminal in the existing DRM system, it is inconvenient that the DRM service can be used only through the host terminal in which the RO is installed.

Also, in some DRM systems, a storage device such as a smart card is used. In this case, however, the security for the RO is enhanced by storing the RO or the certificate in the storage device, It is inconvenient that the digital contents can be used only through the host terminal in which the DRM agent is installed.

Disclosure of Invention Technical Problem [8] The present invention has been proposed in order to solve the conventional problems, and it is an object of the present invention to provide a digital rights management system for copyright protection of digital contents, The present invention provides a host terminal and a storage device for detachable RO management that can utilize a service, a detached RO management method thereof, and a recording medium on which a program for performing the detached RO management is recorded.

The present invention provides a host terminal including a Rights Object Acquisition Protocol (ROAP) agent and a DRM agent for a host terminal as means for solving the problem. The ROAP agent acquires the RO from the server issuing the RO specifying the usage rights of the digital contents protected by the DRM. The DRM agent for the host terminal transfers the RO acquired from the ROAP agent to the storage device connected to the host terminal, and supports the use of the digital content by confirming the information of the RO through interworking with the storage device.

In the host terminal according to the present invention, the DRM agent for the host terminal receives the CEK (Content Encryption Key) for the digital contents from the storage device and decodes all or some code blocks of the digital contents.

In the host terminal according to the present invention, when the digital content is executable content based on separation execution, the DRM agent for the host terminal delivers the call of the code block for the storage device to the storage device, The result is returned and provided as digital contents.

In the host terminal according to the present invention, the ROAP agent includes a socket, a ROAP processor, a DD (Download Descriptor) parser, and a trigger DB. Here, the socket performs ROAP communication with the server. The ROAP processor communicates with the server through the socket to obtain RO of the digital content. The DD parser interprets the DD for the trigger used for RO acquisition. The trigger DB stores the ROAP trigger when the ROAP communication fails.

In the host terminal according to the present invention, the DRM agent for the host terminal includes an ROAP engine, a DRM protected content format (DCF) manager, an RO manager, a storage device interaction manager, and a DRM agent control module. The ROAP engine performs processing according to the ROAP protocol. The DCF manager manages the DCF of the digital content according to the DRM standard. The RO manager performs procedures for transferring the RO in conjunction with the server and the storage device. The storage device interaction manager performs the interlocking function of the storage device for separate RO management. The DRM agent control module controls the overall operation of the ROAP engine, the DCF manager, the RO manager, and the storage device interaction manager based on the separate RO management procedure.

In the host terminal according to the present invention, the ROAP engine may include: a ROAP processor for performing an operation of the ROAP protocol according to the DRM standard and performing an exception and error processing occurring in the operation process of the ROAP protocol; A ROAP generator for generating a ROAP message to be delivered to the server in accordance with the control of the ROAP processor; And a ROAP parser that parses the ROAP message or the ROAP message received from the server and provides the ROAP parser to the ROAP processor.

In the host terminal according to the present invention, the DCF manager may include a DCF interpreter for analyzing and analyzing digital content according to the DRM standard; And a DCF renderer for decoding the digital content.

The host terminal according to the present invention further includes a file system for storing a DCF (DRM protected content format) file of digital contents.

The present invention provides, as another means for solving the problems, a storage device which is connected to a host terminal and includes a DRM agent and a file system for a storage device. Here, the DRM agent for the storage device performs the management function for the RO of the digital contents protected by the DRM in cooperation with the host terminal. The file system stores the RO managed by the DRM agent for the storage device.

In the storage device according to the present invention, the DRM agent for the storage device performs an RO management function including at least one of installing and removing an RO transferred from a host terminal, returning RO information to a host terminal, and performing an RO updating function An RO manager; An RI (Right Issuer) context manager for managing an RI context (Right Issuer Context), which is information necessary for obtaining an RO; And a PKI manager for performing mutual authentication between the server and the storage device issuing the RO and decrypting the CEK in the RO.

In the storage apparatus according to the present invention, the PKI manager includes: a CEK manager for decrypting and extracting the encrypted CEK included in the RO; An authentication manager for obtaining a device certificate stored in the file system and providing the device certificate to the host terminal; And a signature manager for signing the ROAP message delivered to the server.

In the storage apparatus according to the present invention, the file system further stores a code block for a storage device converted to be executable in the storage device, the code block to be detached from the code area of the digital content.

As another means for solving the problem, the present invention provides a detachable RO management method for interlocking a host terminal and a storage device, wherein the host terminal acquires a trigger necessary for acquiring an RO for digital contents protected by DRM step; Accessing a server that issues an RO using a trigger, requesting the RO to obtain an RO; And transferring the acquired RO to a storage device so as to be installed in the storage device.

A separate RO management method according to the present invention includes the steps of: requesting a CEK for decrypting content to a storage device upon receiving a request for content protected by DRM from a specific application program; Receiving the decoded CEK extracted from the RO by the storage device; And decrypting the content using the CEK and transmitting the decrypted content to the application program.

A method of managing a detached RO according to the present invention includes: receiving a call of a code block for a storage device, which is separated from content and converted into a form executable on a storage device, during execution of content based on separation; Connecting a storage device with a secure channel, and passing the call over a secure channel to a storage device; Receiving an execution result value from the storage device via the secure channel after the execution of the code block for the called storage device is completed; And returning the execution result value to the separation execution-based content.

A separate RO management method according to the present invention comprises the steps of: receiving an error code according to disappearance of a usage right from a storage; Transmitting an error code to an application program; Acquiring a trigger for re-purchasing an RO according to a user's request; Acquiring an RO from the server using a trigger; And transferring the obtained RO to a storage device so that the RO is updated in the storage device.

In accordance with the present invention, there is provided a host terminal and a storage device based on a detachable RO management, and a detachable RO management method therefor, wherein the digital content is divided into at least one detachment object code block selected in the code area, Is executable executable content based on detached execution converted to connect a code block for a storage device converted to be executable in the storage device.

Here, the detachment object code block is a basic block group on a critical path of digital contents among a plurality of basic block groups composed of a plurality of basic blocks existing in the code area of the executable contents, Blocks of the plurality of basic blocks which are not related to each other and which do not allow control signals to enter into the plurality of basic blocks except for the start point, Basic block is a block of code that has attributes of single input and single output and attributes that do not allow entry of control signals from outside to inside.

In addition, the present invention provides a computer-readable recording medium on which a program for performing the above-described detached RO management method is recorded.

According to the present invention, since a part of the management function for the RO in the DRM system is separated from the DRM agent for the storage device provided in the storage device, security and mobility of the RO management that the user has legally purchased can be increased, By providing only the storage device having the DRM agent for the storage device, the user can use the digital contents or service having the usage right in any situation where access to the DRM system is difficult. As a result, it is possible to provide the user with higher convenience than the conventional one.

In addition, the present invention provides a separation execution object code block separated from the code area of the digital contents through the RO, and allows the host terminal to separately execute the separation execution object code block included in the RO through interworking with the storage device , There is an excellent effect that it can prevent illegal copying and use of digital contents fundamentally.

FIG. 1 is a diagram showing a schematic structure of a separate type RO management-based digital rights management system to which the present invention is applied.
2 is a diagram schematically showing the structure of digital contents to which the present invention is applied.
FIG. 3 is a diagram schematically illustrating the structure of digital content based on separation execution in a digital rights management system to which the present invention is applied.
FIG. 4 is a block diagram illustrating a configuration of a host terminal and a storage device for separate RO management in a digital rights management system to which the present invention is applied.
5 is a block diagram showing a detailed configuration of a ROAP agent according to the present invention.
6 is a block diagram illustrating a detailed configuration of a DRM agent for a host terminal according to the present invention.
7 is a block diagram illustrating a detailed configuration of a DRM agent for a storage device according to the present invention.
8 is a flowchart illustrating a process of purchasing digital contents in the separate RO management method of the present invention.
9 is a flowchart illustrating a process of executing digital content in the separate RO management method of the present invention.
FIG. 10 is a flowchart illustrating another execution process of digital contents in the separate RO management method of the present invention.
11 is a flowchart illustrating a re-purchase process in the separate RO management method according to the present invention.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following description and the accompanying drawings, detailed description of well-known functions or constructions that may obscure the subject matter of the present invention will be omitted. It should be noted that the same constituent elements are denoted by the same reference numerals as possible throughout the drawings.

1 is a block diagram showing the entire structure of a DRM system to which the present invention is applied.

1, the DRM system 10 to which the present invention is applied includes a content providing server 12 and a host terminal 13 connected via a network 11, a wired / wireless interface And an intermediately connected storage device 14.

In the DRM system 10, a separate RO management method and a digital content separation / execution method may be applied for digital rights management. Here, the detached RO management means that two different devices, more specifically, the host terminal 13 and the storage device 14 manage the RO through interworking. In this way, by performing some processing for RO management in the storage device 14, the user can reproduce the purchased digital content from anywhere using the storage device 14, or present the right to another person . In addition, 'separate execution' means that the digital contents are executed through two different apparatuses, more concretely, the interlocking of the host terminal 13 and the storage device 14. According to this, cracking of digital contents can be prevented, and illegal copying can be fundamentally blocked.

First, in order to implement separate execution, executable executable content 15a from which a code block selected in the code area (hereinafter referred to as a separation execution object code block) is removed is stored in the host terminal 13, ) Stores a code block 15b for a storage device converted so as to be executable in the storage device 14 as a code block to be separated. In this state, the separation execution is performed in such a manner that the host terminal 13 requests the storage device 14 to return the result of the part (separation execution target code block) removed from the executable executable content 15a . Therefore, the executable content to which the separation execution technique is applied refers to content including an execution file, and includes, for example, a game program, an application program, and software.

Next, the separate RO management is performed in the storage device 14 connected to the host terminal 13 to perform an RO management function including RO installation, return RO information, and RO deletion function, , It becomes possible to use the digital contents for authorizing the RO in other places by using the storage device 14. [

The detachable RO management method can be applied to any type of digital contents including documents, image files, audio files and the like in addition to executable contents. Hereinafter, digital content based on separation execution will be described as an example.

In the above, the code block 15b for the storage device for executing the detachment may be included in the RO 16.

1, the network 11 performs a series of data transmission / reception for data transmission and information exchange between the content providing server 12 and the host terminal 13. [ For this purpose, the network 11 may be an IP network providing large capacity data transmission / reception service and seamless data service through IP, and may be an ALL-IP network having an IP network structure in which different networks are integrated based on IP. The network 11 includes a wired communication network, a mobile communication network, a wireless broadband (WiBro) network, a high-speed downlink packet access (HSDPA) network, a satellite communication network or other well-known or future wired or wireless networks or a combination thereof.

The content providing server 12 stores the executable content 15a and the storage device code block 15b that are separately executable and further generates and manages an RO that specifies the authority for the digital content, And provides it to the host terminal 13 in response to the request. Here, the content providing server 12 may further perform a function of converting the digital content into the separation execution execution type content 15a and the storage device code block 15b. In addition, the content providing server 12 may include a right issuer (RI) for issuing and managing an RO specifying the usage right of the digital content protected by the DRM. Here, although it is shown that all the services are provided through the content providing server 12, in practice, it may be composed of a plurality of servers that perform respective functions.

The host terminal 13 collectively refers to a computing device having an independent CPU capable of executing digital contents, such as a PC, a notebook, a workstation, a PDA, and the like. The host terminal 13 includes a public computer which is accessible by a plurality of users. The host terminal 13 is provided with executable content 15a. When the storage device 14 is connected to the host terminal 13 via the wired / wireless interface, the host terminal 13 executes the executable content 15a in cooperation with the storage device 14. [ In addition, the host terminal 13 requests the contents providing server 12 to purchase the digital contents according to the request of the user, executes the payment procedure, and then stores the executable contents 15a and the storing contents 15a from the contents providing server 12 The code block 15b for the device is downloaded and the executable content 15a is stored in its own memory and the code block 15b for storage is transferred to the storage device 14. [ Here, the content providing server 12 provides the RO 16 together with the executable content 15a and the storage device code block 15b to the host terminal 13 of a legitimate user. The RO 16 is transferred to the storage device 14 via the host terminal 13 and is installed in the storage device 16. At this time, the storage unit code block 15b may be provided in the RO 16. In another example, the code block 15b for the storage device may be implemented as an applet.

The wired / wireless interface connecting the host terminal 13 and the storage device 14 can be realized by a wired communication method using USB, USB2, Serial / Parallel Port, Ethernet, TCP / IP, have. Bluetooth, Zigbee, Ruby, Infrared Data Association (IrDA), and Ultra Wide Broadband (UWB) may be used as the short-range wireless communication method. In addition, various technologies to be developed in the future can be applied.

The storage device 14 is connected to the host terminal 13 via a wired or wireless interface and receives and stores and manages the storage device code block 15b and the RO 16 through the host terminal 13. [ In order to safely store the storage unit code block 15b and the RO 16, the storage device 14 preferably has a security function. In addition, the storage device 14 preferably includes a processor for performing separate execution and RO management in cooperation with the host terminal 13. [ The storage device 14 executes the storage device code block 14 at the request of the host terminal 13 and returns the resultant value to the host terminal 13 or returns the RO information, Performs installation and deletion of RO, and returns the result.

The DRM system described above can operate as follows. The content provider provides the executable content 15a to the host terminal 13 of the legitimate user through the content providing server 12 and sends the executable content 15a to the storage device 14 via the RO 16). Thereafter, when a legitimate user instructs execution of the executable content 15a installed in the host terminal 13 with the storage device 14 connected to the host terminal 13, Information is provided to the host terminal 13, and the host terminal 13 confirms the information of the RO and executes the executable content 15a if authorized. At this time, separate execution of the executable content 15a and the storage device code block 15b is performed through interlocking of the host terminal 13 and the storage device 14, and execution of the executable content 15a, Is operating normally.

A method of separating and executing digital contents applied to the DRM system will be described with reference to FIGS. 2 and 3. FIG.

Referring to FIG. 2, the digital content 20 includes a plurality of files, for example, an executable file, an application program interface (API) provided by the operating system, , API provided by the developer or a dynamic linking library (DLL). Such a digital content 20 includes a code area 21 and a data area 23. Actually, the code area 21 and the data area 23 are mixed with each other. The code area 21 includes a plurality of basic block groups 27 made up of a plurality of basic blocks 25.

Here, the basic block 25 means a sequence of instructions having attributes of a single input and a single output, and is a property that does not allow entry from the outside to the inside As shown in Fig. That is, the basic block 25 is a continuous sentence (a group of codes) executed at a time from the beginning to the end, and is a group of sentences whose execution is not stopped due to the flow control in the middle.

FIG. 3 is a diagram schematically illustrating the structure of digital content based on separation execution according to the present invention.

Referring to FIG. 3, the separation-based digital contents according to the present invention includes an executable content 30 and at least one separate execution object code block 37.

The executable content 30 includes a code area 31 and a data area 33 in which one or more stub codes 39 are inserted in place of one or more separate execution subject code blocks 37. [ At this time, the stub code 39 is a code to be inserted in place of the extracted separation execution object code block 37, and connects the execution contents 30 and the separation execution object code block 37. More specifically, the stub code 39 calls the separation execution object code block 37 and returns the result value of the separation execution object code block 37 when executing the executable content 30 Receive.

As shown in Fig. 2, the at least one separation execution object code block 37 is a block of a plurality of basic block groups 27 extracted from the code area 21 through dynamic profiling and static analysis of the original digital contents And includes a plurality of basic blocks 35 as one. More preferably, the detachment object code block 37 permits the entry of the control signal through the entry point and the movement of the control signal between the basic blocks 35 contained therein, 35, which are not related to each other.

Alternatively, when the basic block group in which the control signal enters the basic block 35 excluding the starting point is selected as the separation execution object code block 37, the separation execution object code block 37 is extracted and inserted The control signal can enter the stub code 39 in the middle of the stub code 39. In this case, the stub code 39 can not perform processing for the corresponding control signal, and eventually the execution of the service content 30 stops Or an error may occur.

A method of extracting the separation execution object code block 37 is as follows.

First, a plurality of basic block groups 27 are selected through dynamic profiling and static analysis of the code area 21 of the digital content 20 to be separated and executed shown in Fig. The selection of the plurality of basic block groups 27 is performed by executing the digital contents 20 to be separated and collecting basic information about the code area 21 during the run time and analyzing By performing a static analysis on the code area 21 through dynamic profiling that extends the range. The basic information is at least one indirect address among a branch address, a jump address, a call address, and an indirect address of RET. The basic information related to the published API of the digital content 20 is removed from the basic information and the static information about the code area 21 of the digital content 20 is generated based on the basic information from which the basic information related to the disclosed API is removed By performing the analysis, the scope of the analysis can be extended. The analysis range can be extended by substituting the indirect address among the collected basic information on the control flow. As a result, more basic block groups 27 can be selected than performing dynamic profiling or static analysis alone have.

In addition, when a control signal for entering the inside of the basic block group 27 is generated among the selected plurality of basic block groups 27, the corresponding basic block group 27 is divided based on the command address of the control signal, do. At this time, the basic block group 27 to be redefined redefines the previous first basic block group and the subsequent second basic block group including the command address of the control signal based on the command address of the control signal.

By repeating this redefinition process, a basic block group 27 including a plurality of basic blocks 25 having attributes of a single input and a single output and an attribute not allowing entry from the outside to the inside is finally obtained Can be defined precisely.

Subsequently, one or more code blocks 37 to be separated from among the plurality of basic block groups 27 are selected. 3 is executed by inserting the stub code 39 in place of the separation execution object code block 37 and separating the execution execution target code block 37 from the code area 31. [ .

At this time, the separation execution target code block 37 preferably selects a basic block group on the critical path of the digital content 20 among the plurality of basic block groups 27. [ In addition, it is possible to select the code block 37 for separation execution in consideration of the number of calls, the size, and the execution time among the plurality of basic block groups 27. [ For example, the basic block group 27 having a large number of calls, a small size, and a short execution time is selected by the separation execution object code block 37.

According to this, in the digital content, a basic block group existing on an important path and having a large number of calls, a small size, and a short execution time is selected as a code block to be separated for security, The security performance associated with copy protection can be improved.

Further, by performing static analysis using the basic information of the code area collected through dynamic profiling to extract the basic block group, the analysis range of the code area of the digital contents is extended, Can be improved.

In addition, by providing flexibility to redefine a once-defined basic block group, a basic block group having a single input and a single output, which can be candidate candidates for a separate code block, It is possible to inhibit selection of an unsuitable basic block group having an entry of the control signal into the inside thereof excluding the entry point as a code block to be detached. As a result, It is possible to suppress the occurrence of an error during execution.

1, the content providing server 12 selects the detachment object code block 37 according to the above-described method for providing the detachment-based digital contents, And converts it into a code block 15b for a storage device. Then, the executable content 15a is converted so that the storage device code block 15b can be executed in cooperation with each other. And generates an RO specifying the authority for the executable content 15a. When the user performs the payment processing and purchases the digital contents through the host terminal 13, the content providing server 12 transmits the RO content 16 including the executable content 15a and the storage device code block 15b, To the host terminal (13). The host terminal 13 stores or installs the service content 15a in the internal memory and transfers the RO 16 including the code block 15b for the storage device to the storage device 14. [ The storage device 14 installs the RO 16 and returns or deletes information of the RO according to a user's request through the host terminal 13. [ Particularly, during execution of the executable content 15a, when the storage device code block 15b is called, the storage device 14 checks the RO 16 and if it is authorized, the storage device code block 15b And then returns the resultant value to the host terminal 13. [ The host terminal 13 normally executes the executable content 15a using the returned result value.

FIG. 4 is a block diagram illustrating a configuration of a host terminal and a storage device for the separate RO management according to the present invention in the DRM system described above.

4, the host terminal 13 includes a ROAP agent 100 and a DRM agent 200 for a host terminal, and the storage device 14 includes a DRM agent 300 for a storage device And a file system 400.

The ROAP agent 100 is a module that communicates with the content providing server 12 in order to install an RO, which is a right to use digital contents. More specifically, if an application such as a media player requests decryption from the host terminal DRM agent 200 to use the digital content but does not have the right to use it, the ROAP agent 100 requests RO. At this time, the ROAP agent 100 processes the Download Descriptor (DD) of the corresponding RO and exchanges ROAP messages between the DRM agent 200 for the host terminal and the content providing server 12 using the ROAP trigger. When the ROAP communication is normally performed or abnormally performed, the ROAP agent 100 generates an Install Notification message and transmits the result to the content providing server 12.

The DRM agent 200 for a host terminal supports arbitrary applications of the host terminal 13 to use the DRM package contents. The functions provided for this include rights related functions such as acquisition and installation and deletion of RO, and functions related to playback of contents such as acquisition of CEK, opening of DCF, reading, closing and moving. The DRM agent 200 for the host terminal exchanges ROAP messages with the content providing server 12 through the ROAP agent 100 and processes the ROAP message to install and install the RO through the DRM agent 300 for the storage device And decrypts the digital content by receiving the CEK from the DRM agent 300 for the storage device according to the request of the application and provides the DRM agent 300 for the storage device 300 (RPC) to the storage device 14 via the network.

The DRM agent 300 for a storage device performs an actual management function for RO (Rights Object) of digital contents in cooperation with the host terminal 13. [ The actual management functions here include installation of RO, return of information, and deletion.

The file system 400 of the storage device 13 stores a plurality of ROs installed by the DRM agent 300 for the storage device. In addition, a plurality of code blocks 15b for a storage device can be further stored.

5 is a block diagram showing a detailed configuration of the ROAP agent 100. As shown in FIG.

5, the ROAP agent 100 included in the host terminal 13 includes a socket 110, a ROAP processor 120, a DD parser 130, and a trigger DB 140.

The socket 110 performs ROAP communication with the content providing server 12. More specifically, the ROAP message is received from the content providing server 12 and transferred to the ROAP processor 120 and the DRM agent 200 for the host terminal, and the ROAP processor 120 and the DRM agent 200 for the host terminal, Message to the content providing server 12, and performs a function of a Parse HTTP Message, a Read HTTP Message, and a Send HTTP Message.

The ROAP processor 120 is a module that manages the overall performance of the ROAP agent 100. The ROAP processor 120 receives an RO acquisition request from another application installed in the host terminal 13 and performs processing according to the request using the DRM + Lib, A UI (User Interface) indicating the execution state is displayed on the screen of the host terminal 13. [ In this regard, the ROAP processor 120 includes a Handle ROAP function.

The DD parser 130 interprets the DD for the ROAP trigger. More specifically, the DD parser 130 parses the DD using a separate XML parser Lib to store the CID (Content ID) or the URI to be installed in the DD structure.

The trigger DB 140 holds the ROAP trigger when the ROAP communication fails. In addition, the ROAP triggers stored after a certain period of time are organized according to a preset policy.

The ROAP agent 100 performs ROAP communication with the content providing server 12 to install the RO through the socket 110, the ROAP processor 120 and the DD parser 130, And processes the DD of the RO provided thereby to exchange ROAP messages between the DRM agent for the host terminal and the content providing server 12 using the ROAP trigger.

6 is a block diagram showing a detailed configuration of a DRM agent 200 for a host terminal provided in the host terminal 13. As shown in FIG.

6, the DRM agent 200 for a host terminal includes a DRM agent control module 210, a ROAP engine 220, a DCF manager 230, an RO manager 240, a storage device interaction manager 220, (250).

The DRM agent control module 210 controls and manages all operations of the DRM agent 200 for the host terminal.

The ROAP engine 220 performs processing of the five ROAP protocols defined in the OMA DRM specification. The ROAP protocol enables RI registration, device / domain RO acquisition, domain join and opt-out. The ROAP engine 220 includes three sub-modules: a ROAP processor 221, a ROAP generator 222, and a ROAP parser 223.

The ROAP processor 221 performs an operation of the ROAP protocol specified in the OMA DRM specification, and performs exception and error processing that occurs during the operation of the ROAP protocol. The ROAP processor 221 has Initialize ROAP, Handle ROAP, and Finalize ROAP functions. The ROAP generator 222 uses the XML manager to control the ROAP PDU-Device Hello, Registration Request, RO Request, Join Domain Request, Leave Domain Request-to be transmitted to the content providing server 12 according to the control of the ROAP processor 221 . The ROAP parser parses an ROAP tree or an ROAP PDU - TriggerRI Hello, Registration Response, RO Response, Join Domain Response, Leave Domain Response - issued by the RI using the XML manager and provides the ROAP processor 221 with the parsed ROAP PDU.

The DCF manager 230 manages the DCF conforming to the OMA DRM standard and includes a DCF Interpreter 231 and a DCF Renderer 232. The DCF interpreter 231 analyzes and analyzes the DCF according to the OMA DRM standard specification. At this time, analysis and analysis by the DCF interpreter 231 are performed on a box object basis, and a function of analyzing the entire DCF at a time and a function of selecting and analyzing only a specific box object are provided. The DCF interpreter 231 includes functions of a Parser Box, a Get Box, and a Find Box. In addition, the DCF interpreter 231 analyzes the DCF and analyzes the necessary information before providing it to the application through other modules. The DCF renderer 232 provides partial decryption and full decryption functions for the DCF.

The RO manager 240 provides a function of managing the RO, and more specifically, a function of operating in conjunction with the content providing server 12 and the storage device 14 in order to transfer the RO composed of a single module . In particular, the RO manager 240 includes RO management functions such as Upload RO and Delete RO.

The storage device interaction manager 240 provides a function for interworking with the DRM agent 300 for the storage device in order to supplement the function of the DRM agent 200 for the host terminal. More specifically, the storage device interaction manager 240 is composed of a single module, and performs an interworking function related to the RO and the certificate. For example, the install interactions manager 240 may include, for example, Install RO, Set RICTX, Get RITCX, Get CEK, Get ROID List by CID, Get Signature, Get Rights Info, and Notify RO.

By combining the DRM agent control module 210, the ROAP engine 220, the DCF manager 230, the RO manager 240, and the storage device interaction manager 250 described above, the DRM agent for the host terminal according to the present invention (200) supports arbitrary applications of the host terminal (13) to use digital contents.

Next, the DRM agent 300 for the storage apparatus will be described.

Referring to FIG. 7, DRM agent 300 for storage includes RO manager 310, RI context manager 320, and PKI manager 330.

The RO manager 310 of the DRM agent 300 for the storage device substantially manages the RO acquired by the DRM agent 200 for the host terminal. Therefore, in order for the RO acquired by the DRM agent 200 for the host terminal to be available, the RO manager 310 of the DRM agent 300 for the storage device must be present. More specifically, the RO manager 310 receives the RO acquired from the DRM agent 200 for the host terminal, interprets and installs the RO, and returns the information of the installed RO to the DRM agent 200 for the host terminal, And the like. The RO manager 310 includes an RO install function for installing an RO in the file system 400 of the storage device 14 or removing an installed RO, an RO parsing function for parsing an RO received through ROAP An RO information returning function (RO Info) for returning the information of the RO installed in the file system 400 to the DRM for the host terminal 200, an RO updating function (RO) for updating the consumed rights to the RO, Update.

The RI context manager 320 manages an RI context (Right Issuer Context), which is information required to acquire an RO. The RI context manager 320 stores the RI context in a predetermined area of the file system 400, Come or delete it. To this end, the RI context manager 320 includes a function (setRICTX) for storing an RI context and a function (getRICTX) for obtaining an RI context.

Finally, the PKI manager 330 provides certificate-based authentication and related functions for mutual authentication between the RI (Right Issuer) issuing an RO and the DRM agent 300 for a storage device. And a function of extracting the CEK from the RO installed in the file system 400 through the PKI manager 330. The PKI manager 330 includes three sub-modules, a CEK manager 331, an authentication manager 332, and a signature manager 333. The CEK manager 331 decrypts the encrypted CEK included in the RO to extract the CEK. The authentication manager 332 provides a function of fetching and returning the device certificate stored in the file system 400 of the storage device 14. [ The signature manager 333 provides a function of signing a ROAP message to be delivered to the RI of the content providing server 12.

The DRM agent 300 for a storage device configured as described above analyzes the RO obtained through the RO manager 310 and installs the RO in the file system 400. The DRM agent 300 for DRM agent control of the DRM agent 200 for the host terminal Stores the RI context transmitted from the DRM agent control module 210 in the file system 400 and fetches and returns the stored RI context according to the request of the DRM agent control module 210. In addition, the CEK is extracted from the RO through the PKI manager 330 and provided to the DRM agent 200 for the host terminal, and the ROAP message to be sent from the DRM agent 200 for the host terminal to the RI of the content providing server 12 Perform signature.

As described above, in the DRM system according to the present invention, the management function of the RO is partly separated into the storage device 14, so that the security and mobility of the RO management that the user has legally purchased can be increased, As a result, the convenience of users who purchase and use DRM-protected digital contents can be improved.

Next, a separate RO management DRM service method by the DRM agent 300 for a host terminal and the DRM agent 400 for a storage device will be described.

FIG. 8 is a diagram illustrating a process of delivering digital contents in a separate RO management method.

8, when the user executes the web browser 131 of the host terminal 13 and accesses the web site provided by the content providing server 12 and selects desired digital content, the web browser 131 Requests a download descriptor (DD) for downloading the digital content selected by the content providing server 12 (S81). Prior to the DD request, a payment procedure for digital content may be further performed.

Upon receiving the DD for the selected digital content from the content providing server 12 in response to the request, the web browser 131 delivers the DD to the download agent 132 (S82), and the download agent 132 The DCF of the digital content selected by the content providing server 12 using the DD is downloaded and stored in the file system 133 of the host terminal 13 at step S83.

Meanwhile, the web browser 131 requests the content providing server 12 to acquire a usage right for the selected digital content (S84). If the trigger is received in response to the request, To the ROAP agent 100 (S85).

Then, the ROAP agent 100 requests the RO of the digital content selected by the content providing server 12 using the trigger received (S86). If a response to the RO is received, the received RO is transmitted to the DRM agent 200 (S87).

The DRM agent for the host terminal 200 requests the DRM agent 300 for the storage device to install the received RO so that the DRM agent 300 for the storage device stores the obtained RO in the storage device 14. [ In the file system 400 of FIG.

Thus, a DCF file protected by the DRM and an RO required to use the digital content can be acquired for the selected digital contents, and the acquired RO is managed in the storage device 400. [

Next, FIG. 9 is a block diagram illustrating a digital content playback process in the separate RO management method according to the present invention.

Referring to FIG. 9, when the arbitrary application program 134 of the host terminal 13 wants to use the content protected by the DRM, the DRM agent 200 for the host terminal 13 requests the DRM agent 200 to read the content (S91 ). Here, the application program 134 is a program that performs an arbitrary function using digital contents, and may be, for example, an image viewer, a reproduction program of a moving picture or an audio file, or the like.

Upon receiving the request, the DRM agent 200 for the host terminal first requests the DRM agent 300 for the storage device to decrypt the DCF file of the corresponding content.

Then, the DRM agent 300 for the storage device loads the RO stored in the file system 400 and extracts the CEK from the RO (S93). The CEK extraction process may include decrypting the CEK using the private key included in the device certificate of the storage device 13.

The DRM agent 300 for storage transmits the extracted CEK to the DRM agent 200 for the host terminal in step S94 and the DRM agent for the host terminal 200 stores the CEK in the file system 133 using the received CEK The DCF file of the content is decrypted to acquire the original digital content file (S95).

The DRM agent 200 for the host terminal transfers the content obtained by the decryption to the application program 134 (S96).

According to this, only when the CEK is acquired through the DRM agent 300 for the storage device provided in the storage device 14, the contents protected by the DRM can be used.

Next, FIG. 10 is a block diagram illustrating another playback process of digital contents in the separate RO method according to the present invention.

In FIG. 10, the executive content 15a is digital content based on separation execution, in which some code blocks of the code area are encrypted by the CEK, some code blocks of the code area are separated and can be executed in the storage device 14 And is stored in the storage device 14 as the storage device code block 15b. In addition, an auxiliary execution code 158 for connection with the storage device code block 15b is additionally generated in the executable content 15a.

Referring to FIG. 10, when an execution execution based content 15a installed in the host terminal 13 is being executed, when entering the encrypted code block, the DRM agent for a host terminal The decoding unit 200 requests decoding of the code block (S1001).

The DRM agent 200 for the host terminal requests the DRM agent 300 for the storage device to decrypt the code block (S1002).

The storage DRM agent 300 extracts the CEK from the RO in the file system 400 and decrypts the decrypted CEK with the private key of the storage device 14 (S1003).

Then, the DRM agent 300 for storage transmits the extracted CEK to the DRM agent 200 for the host terminal (S1004).

 The DRM agent 200 for a host terminal decodes the corresponding code block into the received CEK and transfers the decoded code block to the auxiliary execution code 158. The auxiliary execution code 158 executes the decoded code block in a memory .

If the separated code block is reached during execution of the executable content 15a, the DRM agent 200 for a host terminal disconnects the storage device code block 15b by the auxiliary execution code 158 Execution is requested (S1006). This can be done by an RPC call.

The DRM agent 200 for the host terminal calls the storage device code block 15b through the secure channel formed between the DRM agent 200 for the storage device and the DRM agent 300 for the storage device (S1007). This can be done via an applet call.

The storage device code block 15b is executed (S1008). When the execution is completed, the resultant value is stored in the storage device DRM agent 3000 and the host terminal DRM agent 200 via the auxiliary And returns it to the execution code 158 (S1009, S1010).

The auxiliary execution code 158 applies the returned result value to the executable content 15a and continues execution using the returned result value in the executable content 15a.

The execution content 15a performs a normal operation through the host DRM agent 200 and the DRM agent 300 for the storage device that are separately formed in the host terminal 13 and the storage device 14 .

 Lastly, FIG. 11 is a block diagram illustrating a process of re-purchasing digital contents in the separate RO method according to the present invention.

11, when an application program 134 installed in the host terminal 14 desires to play back digital contents protected by DRM, the DRM agent 200 for a host terminal requests an RO check for decoding a DCF (S1101).

 The DRM agent 200 for the host terminal requests the DRM agent 300 for the storage device to decrypt the digital content and the DRM agent 300 for the DRM agent receiving the request transmits the file system 400, The DRM agent 300 for the storage device notifies the DRM agent 200 for the host terminal of the error when the use right of the RO is lost (S1103).

The DRM agent 300 for a host terminal transmits an error code to the application program 134. The application program 134 checks the error code and if the usage right expires, 12) (S1104).

After the content providing server 12 performs the re-purchase procedure (e.g., payment processing), the content providing server 12 transmits the trigger and the DD for acquiring RO to the host terminal 131 (S1105).

The trigger and the DD are transmitted to the ROAP agent 100 through the web browser 131 at step S1106 and the ROAP agent 100 requests and obtains an RO from the content providing server 12 using the received trigger (S1107). And transfers the obtained RO to the DRM agent 200 for the host terminal.

The DRM agent 200 for the host terminal instructs the DRM agent 300 for the storage device to install the transferred RO (S1109). Accordingly, the DRM agent 300 for the storage device stores the newly updated RO in the file system 400, and as a result, the RO is updated, and the digital content can be used again.

The separate RO management based DRM service method according to the present invention can be implemented in the form of software readable by various computer means and recorded in a computer readable recording medium. Here, the recording medium may include program commands, data files, data structures, and the like, alone or in combination. Program instructions to be recorded on a recording medium may be those specially designed and constructed for the present invention or may be available to those skilled in the art of computer software. For example, the recording medium may be a magnetic medium such as a hard disk, a floppy disk and a magnetic tape, an optical medium such as a CD-ROM or a DVD, a magneto-optical medium such as a floppy disk magneto-optical media, and hardware devices that are specially configured to store and execute program instructions such as ROM, RAM, flash memory, and the like. Examples of program instructions may include machine language code such as those generated by a compiler, as well as high-level language code that may be executed by a computer using an interpreter or the like. Such a hardware device may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

While the present invention has been described in connection with what is presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, It will be apparent to those skilled in the art. Furthermore, although specific terms are used in this specification and the drawings, they are used in a generic sense only to facilitate the description of the invention and to facilitate understanding of the invention, and are not intended to limit the scope of the invention.

In the DRM system according to the present invention, the management of the RO is performed in the DRM agent for the storage device provided in the storage device, so that the security and mobility of the RO management that the user has legally purchased can be increased, By providing only the storage device having the DRM agent for the storage device, the user can use the digital contents or the service having the usage right in any situation where access to the DRM system is difficult. As a result, it is possible to provide the user with higher convenience than the conventional one.

In addition, the present invention provides a separation execution object code block separated from the code area of the digital contents through the RO, and allows the host terminal to separately execute the separation execution object code block included in the RO through interworking with the storage device , There is an excellent effect that it can prevent illegal copying and use of digital contents fundamentally.

10: Digital Rights Management System
11: Network
12: DRM server
13: Host terminal
14: Storage device
15a: Executable content
15b: code block for storage device
16: Rights Object (RO)
100: ROAP agent
200: DRM agent for host terminal
300: DRM agent for storage
400: File system

Claims (28)

A Rights Object Acquisition Protocol (ROAP) agent for acquiring an RO from a server issuing an RO (Right Object) specifying usage rights of digital contents protected by DRM (Digital Right Management); And
A RO terminal that receives the RO from the ROAP agent and transmits the RO to the storage device connected to the host terminal and confirms the information of the RO through the interworking with the storage device to use the digital content, Lt; RTI ID = 0.0 > DRM &
The digital content
One or more separate execution target code blocks selected in the code area are separated,
The separation execution object code block
Wherein the basic block group is a basic block group on a critical path of the digital contents among a plurality of basic block groups composed of a plurality of basic blocks existing in a code region of the digital contents. The method of claim 1, wherein the DRM agent for the host terminal
Wherein a content encryption key (CEK) for the digital content is received from the storage device, and decryption of all or a part of the code block of the digital content is performed. The method of claim 1, wherein the DRM agent for the host terminal
And if the digital content is executable content based on separation execution, transfers a call of a code block for a storage device to the storage device, returns an execution result value of the storage device code block from the storage device, And a host terminal for detachable RO management. The method of claim 1, wherein the ROAP agent
A socket for performing ROAP communication with the server;
A ROAP processor communicating with the server through the socket to obtain an RO of the digital content;
A DD parser for analyzing a download descriptor (DD) for a trigger used for obtaining the RO; And
And a trigger DB for storing a ROAP trigger when the ROAP communication fails. The method of claim 1, wherein the DRM agent for the host terminal
A ROAP engine that performs processing according to the ROAP protocol;
A DCF manager for managing a DRM protected content format (DCF) of the digital content according to a DRM standard;
An RO manager for performing a procedure for transferring an RO in cooperation with the server and the storage device;
A storage device interaction manager for performing interworking of storage devices for separate RO management; And
And a DRM agent control module for controlling operations of the ROAP engine, the DCF manager, the RO manager, and the storage device interaction manager based on the separate RO management procedure. 6. The system according to claim 5, wherein the ROAP engine
A ROAP processor for performing an operation of the ROAP protocol according to the DRM standard and performing an exception and an error process occurring in an operation process of the ROAP protocol;
A ROAP generator for generating a ROAP message to be delivered to the server under the control of the ROAP processor; And
And a ROAP parser for parsing the ROAP message or the ROAP message received from the server and providing the parsed ROAP message to the ROAP processor. 6. The system according to claim 5, wherein the DCF manager
A DCF interpreter for analyzing and analyzing the DCF according to the DRM standard; And
And a DCF renderer for performing decoding on the DCF. The method according to claim 1,
Further comprising a file system for storing a DRM protected content format (DCF) file of the digital content. The method of claim 1, wherein the digital content
Wherein the detachment execution object code block is a detachment-based executable content converted to be interlocked with a code block for a storage device executable in the storage device. delete The method of claim 1, wherein the basic block group
A plurality of basic blocks which are associated with each other and which do not allow control signals to enter into the plurality of basic blocks except for the start point, And a host terminal for the detachable RO management. 12. The method of claim 11,
Wherein the basic block is a code block having attributes of a single input and a single output and an attribute of not allowing entry of an external control signal into the host. Terminal. A storage device connected to a host terminal,
A DRM agent for a storage device that performs a management function for an RO of digital contents protected by DRM in cooperation with the host terminal; And
And a file system in which an RO managed by the DRM agent for the storage device is stored,
The digital content
One or more separate execution target code blocks selected in the code area are separated,
The separation execution object code block
Wherein the basic block group is a basic block group on a critical path of the digital contents among a plurality of basic block groups formed of a plurality of basic blocks existing in a code region of the digital contents. 14. The method of claim 13, wherein the DRM agent for the storage device
An RO manager for performing an RO management function including at least one of installation and removal of an RO transmitted from the host terminal, returning RO information to a host terminal, and updating an RO;
An RI (Right Issuer) context manager for managing a RI context (Right Issuer Context), which is information necessary to acquire the RO; And
And a PKI manager for performing mutual authentication between the server issuing the RO and the storage device and for decrypting the CEK in the RO. 15. The system according to claim 14, wherein the PKI manager
A CEK manager for decrypting and extracting the encrypted CEK included in the RO;
An authentication manager for obtaining a device certificate stored in the file system and providing the device certificate to a host terminal; And
And a signature manager for signing the ROAP message delivered to the server. 14. The system of claim 13, wherein the file system
Further comprising a code block for the storage device, the code block for storage being converted so that the code block to be separated for execution is executable in the storage device. delete 14. The method of claim 13, wherein the basic block group
A plurality of basic blocks which are associated with each other and which do not allow control signals to enter into the plurality of basic blocks except for the start point, Wherein the storage unit is a group of blocks. 19. The method of claim 18,
Characterized in that the basic block is a code block having attributes of a single input and a single output and an attribute of not allowing entry of control signals from the outside to the inside. Device. A separate RO management method for interworking between a host terminal and a storage device, the method comprising:
Obtaining a trigger needed to acquire an RO for digital content (DCF) protected by DRM;
Accessing a server issuing an RO using the trigger to obtain the RO; And
And delivering the acquired RO to the storage device so that it is installed in the storage device,
The digital content
One or more separate execution target code blocks selected in the code area are separated,
The separation execution object code block
Wherein the basic block group is a basic block group on a critical path of the digital content among a plurality of basic block groups composed of a plurality of basic blocks existing in a code region of the digital contents. 21. The method of claim 20,
Requesting a CEK for decrypting the content to the storage device upon receiving a request for content protected by the DRM from a specific application program;
Receiving a decoded CEK extracted from the RO by the storage device; And
And decrypting the content using the CEK and transferring the decrypted content to the application program. 21. The method of claim 20,
Receiving a call of a code block for a storage device in which the detachment object code block is converted into an executable form in a storage device while executing executable content based on detachment execution;
Connecting a secure channel with the storage device, and forwarding the call to the storage device over the secure channel;
Receiving an execution result value from the storage device over the secure channel after the execution of the called code block for the storage device is completed; And
And returning the execution result value to the separation execution-based content. 21. The method of claim 20,
Receiving an error code corresponding to the expiration of the usage right from the storage device;
Transferring the error code to the application program;
Acquiring a trigger for re-purchasing an RO according to a user's request;
Acquiring an RO from the server using the trigger; And
And transferring the obtained RO to a storage device so that the RO is updated in the storage device. 23. The method of claim 22, wherein the execution-based execution content
Wherein the code block to be separated is converted so as to connect a code block for a storage device executable in the storage device. delete 21. The method of claim 20, wherein the basic block group
A plurality of basic blocks which are associated with each other and which do not allow control signals to enter into the plurality of basic blocks except for the start point, Wherein the RO is a collection of blocks. 27. The method of claim 26,
Wherein the basic block is a code block having attributes of a single input and a single output and an attribute of not allowing entry of control signals from the outside to the inside. A computer-readable recording medium having recorded thereon a program for executing the detached RO management method according to any one of claims 20 to 24, 26, and 27.

Images