KR20070032083A - System and method for enhancing device dependent rights protection - Google Patents

Abstract

A system and method for enhancing the protection of digital assets while increasing the flexibility of the distribution of digital properties. In one embodiment, the digital asset is protected by one or more unique client device identifiers being tied together with the digital asset before distribution. Therefore, the decryption at the client device is dependent on the comparison of the unique client device identifier extracted from the encrypted digital asset with the unique client device identifier of the device seeking access to the digital asset.

Description

SYSTEM AND METHOD FOR ENHANCING DEVICE DEPENDENT RIGHTS PROTECTION}

The present invention generally relates to preventing unauthorized access to electrical data by limiting the ability to access desired content. In particular, the present invention provides a system and method by which electronic content can be securely transmitted over a network by binding content with unique identifiers coupled to multiple client-owned devices.

With the rapid growth of the Internet in recent years, advances in technology have resulted in software programs, music, books, video games, and even full-length movies that are available in high quality, easily replicated, and easily transmitted digital formats. It is done. This has led to unfair sales opportunities and big challenges for manufacturers and distributors of these digital assets. The same factors that make these digital assets attractive for sale, purchase, and distribution also make it a prey for intruders to easily steal, buy, or share digital assets. The result is a massive loss of income for developers and distributors of these digital assets.

This dilemma merely led to a series of defensive maneuvers to thwart intruders who had to continue to do what they were seeking. To date, these efforts have not been completely successful in protecting intellectual property rights. There remains a need for a simple and secure method for developers and distributors of electrically based materials that can trade and distribute products over the Internet and other networks. That is, the Internet and other networks enable the benefit of providing huge potential distribution media while protecting their intellectual property from illegal access and distribution, and can provide easy access to authorized buyers.

According to the present invention, a system and method are provided for enhancing the protection of digital assets while increasing the flexibility of the distribution of digital properties.

In one embodiment, the digital asset is protected by binding one or more unique client device identifiers with the digital asset prior to distribution. Therefore, the decryption at the client device is dependent on the comparison of the unique client device identifier extracted from the encrypted digital asset with the unique client device identifier of the device seeking access to the digital asset.

Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the embodiments of the invention. The features and advantages of the invention will be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. These and other features of the present invention will become more apparent from the following detailed description and the appended claims, or will be learned by the embodiments of the invention described herein.

BRIEF DESCRIPTION OF DRAWINGS To describe in the manner in which the above mentioned and other advantages and features of the present invention can be obtained, a more detailed description of the invention will be briefly given with reference to the specific embodiments shown in the accompanying drawings. If these drawings depict only typical embodiments of the invention and are therefore not intended to limit the scope of the invention, the invention will be described with additional specificity and specificity through the use of the accompanying drawings in the following. Will be described.

1 illustrates a computer network implementation including a client wanting content, a content provider, and a network with which they can communicate.

2 is a flow chart of a process in which unique client device identifiers are retrieved and used to generate a device identifier table at a server.

3 is a flow chart of the process for determining whether to allow or deny when a client accesses encrypted desired content based on the unique identifier of a device owned by a client.

4 is a data flow of an embodiment in which the unique client device identifiers are retrieved and used to generate a device identifier table in the content provider server.

Various embodiments of the invention are discussed in detail below. While specific embodiments are discussed, it should be understood that this is done for illustrative purposes only. Those skilled in the art will recognize that other components and configurations can be used without departing from the scope and spirit of the invention.

Addressing the critical need for securely transferring valuable intellectual property over networks, including the Internet, should also consider allowing easy access to digital assets by authorized buyers who often own multiple playback devices.

A feature of the present invention is that a client seeking to play desired content on multiple devices can be authorized to do so while at the same time preventing unauthorized access by a person who does not own one of a particular set of client devices. It is to be.

1 illustrates one embodiment of the invention with a client 120 capable of communicating with a content provider 110 via a network 130. In various embodiments, the network includes a wide area network (WAN), a local area network (LAN), or a combination thereof, such as the Internet. Client 120 generally acts to communicate with content provider 110 to identify and acquire digital assets.

In the illustrated embodiment, the content provider 110 is a database used to store content used to be purchased or downloaded by the server 112 and the client 120 used to receive and transmit data with the client 120. It includes a storage device 114 that includes. As shown, client 120 includes one or more client parent devices 124 and a plurality of client child devices 121, 122, 123. In one embodiment, the client source device 124 represents a processing device such as a personal computer (PC), set top box (STB) or other audio / video device (eg, mobile phone, PDA), while the client offspring devices It can represent a storage device or other device capable of receiving data retrieved by the client source device 124. Each client device 121, 122, 123, 124 may be electrically searched and may include one or more unique device identifiers that accurately identify the device.

As noted above, the client 120 may be a PC, STB, other audio / video devices (or any network-ready device), storage, portable music / video player, PDA, mobile phone. Or a classification of devices, such as any number of devices capable of accessing electronic files. In addition, a number of client storage devices 121, 122, 123 that can be used by the client source device 124 include a hard disk drive, a removable disk (compact disk (CD), a digital versatile disk). (DVD), floppy disk, ZIP disk, flash card], or other media, each of which must also possess one or more unique identifiers that are retrieved by electronic means and are not ideally erased and unaltered. do. In one embodiment, the unique identifier coupled to each of the plurality of storage devices includes one or more of the following: product ID number, serial number or product revision number.

Referring back to FIG. 1, the content provider 112 includes a server 112 and one or more content databases 114. In one embodiment, the server 112 is a Sun J2EE web server. However, any server capable of running in a web environment can be used. Since the content transmitted to the client 120 is protected, all content transmitted over the network 130 is encrypted. In one embodiment encryption is performed before the content is stored in the content database 112, thereby reducing processing time during client transactions. In an alternative embodiment the encryption of the content may be performed during a transaction when the content is requested by the client 120.

In an environment such as that of FIG. 1, various solutions have been sought to identify mechanisms that allow digital content to be sent to clients for playback or use only on client devices. This limitation is a natural consequence of the desire to limit the distribution of digital content by various clients. In accordance with the present invention, protected content may be sent to a client for use by multiple client devices. In this process, a number of unique client device identifiers are tied to the digital content. In one embodiment a device identifier table is used to store the unique device identifiers that are coupled to each of multiple client devices 121, 122, 123, 124. This feature of the present invention is highly desirable because most clients currently requesting content own a plurality of devices suitable for playing digital content. These and other features of the invention are described in more detail in the context of FIG.

2 is a flowchart illustrating a process of retrieving a client identifier, requesting desired content, and then receiving it in encrypted form in one embodiment of the present invention. The process begins at step 202 where the client 120 at the content provider's server 112 identifies the desired content located in the content database 114. In step 204 one or more unique client device identifiers are retrieved that are associated with each of the plurality of client devices 121, 122, 123, 124. For example, in one scenario the unique identifier for a PC hard disk drive may include the product ID number and serial number of the hard drive (or possibly the PC itself). In another embodiment, the unique identifier for a portable music player may include the player's serial number and product revision number. The retrieved unique client device identifiers are then encrypted in step 206 and transmitted from the client 120 to the server 112 of the content provider 110 via the network 130.

A feature of the present invention is that the content provider 110 can bundle multiple device identifiers with one protected content, thereby making the multiple devices accessible to the protected content. In one embodiment this feature of the present invention is made possible by creating a device identifier table in step 208. The plurality of device identifiers received from the client 120 in this process are stored in memory for subsequent retrieval made during the content file generation process. These device identifiers give the content provider 110 information that can accurately identify a number of devices and / or storage media that the client 120 uses to obtain access to desired content. In step 210 this device identifier table is tied to the desired content to create a content file containing information suitable for restricting access to the desired content to only those devices indicated in the device identifier table.

In one embodiment the preferred content also has a timestamp (in addition to or in place of the device identifier table) that is used to limit the time duration while the content can be accessed by client device (s). ) Can be tied. For example, a timestamp can be tied to the content specifying that a particular movie file can be viewed for a period of three or five days in a manner similar to a conventional movie rental. In this embodiment, the access to the content may be determined by comparing the timestamp with the current time.

In one embodiment the current time is retrieved from a network source, thereby preventing the local device from resetting the time reading.

The file generated in step 210 includes pre-encrypted content in which the device identifier table is combined, and is then transmitted to the client 120 in step 212 to determine whether to permit or deny access to the desired content. In one embodiment, all content made available for purchase and download is pre-encrypted and stored in the content database 114. In one embodiment, the retrieved device identifiers are received from the client in encrypted form and bound to the encrypted content in step 210 in a manner that facilitates processing time. For example, it may be used as an encryption key used to encrypt the device identifier table and also to encrypt a key used for pre-encrypted content. In this manner, access to the device identifier table and the content can be obtained using a single encryption key. In another embodiment, security is improved by using two different encryption keys to encrypt the device identifier table and the content. In alternative embodiments the content is stored in an unencrypted form. Here, both the content and device identifier table will be encrypted when the content is requested by the client 120.

3 is a flowchart illustrating a process in which encrypted content received from the content provider 110 is accessed by the client 120. This process begins at step 302 where the encrypted content file is retrieved. In step 304 the device identifier table is extracted from the encrypted content file. In one embodiment only the device identifier portion of the encrypted content file is first decrypted. In step 306 the unique client identifier of the client device on which the content is played is compared with a list of unique device identifiers included in the extracted device identifier table. In one embodiment, the same function used to retrieve the unique device identifiers in step 204 of Figure 2 is used to retrieve the unique device identifier of the current device.

In step 308, it is determined whether the client identifier of the client device on which the content is played is included in the set of one or more device identifiers included in the device identifier table. If the client device identifier is not included in the device identifier table, there is no match and the playback of the protected content is rejected and the process ends. If the client device identifier is included in the device identifier table, the client device is treated as an authorized device and a match is made. The process will then continue to step 310 where the downloaded encrypted content is decrypted. Finally, in step 312 the content is used for playback.

The advantage of the method, which allows privileged access to multiple client devices, is very clear. Access any of a number of legitimate devices that a client wants to use for playback by retrieving identifiers from multiple client devices, storing them in the memory of the content provider server and then binding a complete device identifier table to the desired content. A mechanism for authorizing is provided.

A general framework for controlling access to digital content has been described above, and a description of a detailed embodiment of protected content distribution is now described with reference to FIG. FIG. 4 shows a more detailed data flow for an embodiment of each event that occurs in the process of obtaining and obtaining encrypted content from the content provider 110, in particular the client 120 generally shown in FIG. 2. . It should be appreciated that the detailed data flow of FIG. 4 relates to the computing environment of a particular PC. This description should not be construed as limiting the concept of the present invention to be apparently applicable to other computing environments.

In the data flow shown in FIG. 4, the process begins at step 402 where a user initiates a connection to a content provider server. In one embodiment, the access is via a standard web browser function that allows a user to navigate a particular web page on a content provider web site. Once the user is connected to the content provider web page, in step 404 the content provider server downloads a Java applet (DDRPDemo.jar) to the client machine, which is executed within the browser of the client machine. Upon execution of the applet in the browser of the client machine, an authorization confirmation user interface element (e.g., an OK button) is enabled in the browser window in step 406. The user then selects the content file from the selection menu and requests the content file by providing the permission confirmation (eg, clicking the OK button) in step 408.

One of the functions of the applet is to download a file located on the content provider server and place the downloaded file in any directory in the client machine. This file will be decrypted and decompressed to create the file diskid32.exe that can be executed by the client machine. When executed, the program is instructed to retrieve the device identifier for one or more client devices and is deleted as soon as the device identifier retrieval process ends.

Before retrieving the device identifier (s), in step 410 the applet will also request authorization from the user. Once the user has provided the requested authorization (eg, a click of the OK button), the diskid32.exe program will proceed to retrieve the device identifier (s).

In general, PCs, STBs, and other audio / video devices (e.g., cell phones, audiobooks, or the like with audio / video playback capabilities) in which files in digital form may be played may be hard disk drives and removable disks. Storage devices such as (eg CD and DVD) are provided. Typically each storage device has a unique reference number assigned by a hardware vendor (e.g., a combination of vendor, product number, serial number, product revision number, and other information from the device's read only memory). Has

The diskid32.exe program is designed to retrieve the components of the defined reference number. In one embodiment, the diskid32.exe program represents a modified version of the free program DiskId32 written in C ⁺⁺ . The free program DiskId32 runs on all Windows platforms having the following functions.

Once the device identifier (s) are retrieved, the device identifier (s) are then sent to the content providing server in step 412 with the identification of the retrieved content. In one embodiment, the JSObjet class is used as the applet so that communication between the applet and the JavaScript can be performed by posting through an html form. As a result, the device identifier (s) obtained by diskid32.exe can be delivered to the content provider server via JavaScript.

Since the unique device identifier (s) will be exchanged over network 130 (eg, the Internet), encoding / encryption techniques must be met for security reasons. In conclusion, some code for encoding / encryption is integrated as an encryption module that can access the diskid32.exe program.

In one embodiment, encoding / encryption for content such as multimedia files is performed by a command line program, using a COM component encryption software package such as axsStrongBox from Morello Publishing Ltd. In this embodiment, the following settings can be used for encryption: GZIP compression, Rijndael algorithm (private key-256bit), Base64 encoding, CBC mode, and PKCS7 padding. Since these settings are set as parameters, these settings can be flexibly changed. For the key any 32 byte seed may be coded so that it does not change in the program used to access the protected file.

After the client device identifiers and content identification are retrieved from the content provider server, the content provider server may then proceed to generate the protected content file. In one embodiment, the set of device identifiers is located in a device identifier table and encrypted. This encrypted device identifier table may then be integrated with the encrypted content (optionally pre-encrypted) requested by the client to create a protected content file.

In one embodiment, the functionality is achieved by a JAVAservlet (j2ee_DDRPDemo. Class), which is executed on the content provider server. This file protection process creates a protected content file by tying the unique identifiers of the multiple client devices used for playback with the desired content requested by the client. As already discussed, the specific method for tying the device identifiers with the content is implementation dependent.

In step 414 the servlet displays an identification element (eg OK button) in the client browser that allows the user to start downloading the requested content. After the download has been requested by user approval (e.g., the click of the OK button) in step 416, the protected content file (.ddrp file) is tested for permission or denial of access to the content in step 418. To the client device to be downloaded.

It should be noted here that the corresponding decryption module accessed by the client device can be implemented as a Windows command line program that reproduces a file that can be executed on a suitable application from a file downloaded from the content provider server. do. As shown in Fig. 3, if the actual device identifier of the machine and the device identifier tied to the content file match, the content will be decoded / decrypted and restored. Note that even if some content is output to a file when the content is used in an application, the content must be processed in memory and not directly supplied to the copy software. This process ensures that the unencrypted content never remains as a replicable file on disk.

In an alternative embodiment, the protected content file may also be stored on some medium (eg, CD, DVD, or the like) at the server site and distributed to the user in physical form.

Although the foregoing description includes specific details, it should not be construed as limiting the claims in any way. Other configurations of the above-described embodiments of the invention are part of the scope of the invention. Therefore, the present invention should be limited only by the appended claims and their legal equivalents, rather than by any particular embodiment given.

Claims (22)

In a method for protecting content from unauthorized access, Identifying content at a content provider site, the plurality of client devices having access to the identified content; Retrieving a unique identifier of each of the plurality of client devices; Sending the unique identifier to the content provider site; Associating a device identifier table with the identified content including a unique identifier of each of the client devices to generate a content file protected at the content provider site; And The protected content file is downloaded to one of the client devices, based on whether an access to the protected content is included in the device identifier table of the protected content file that is associated with an identifier associated with the client device used for the access. A method for protecting content from unauthorized access comprising the step of downloading. 2. The method of claim 1, wherein said client device is a storage device. 3. The method of claim 2, wherein said storage device is a hard disk drive. 3. The method of claim 2, wherein the storage device is a removable disk. The method of claim 1, wherein the client device is a personal computer. The method of claim 1, wherein the client device is a set top box. 10. The method of claim 1, wherein the client device is an audio / video device. The method of claim 1, wherein the unique identifier of the client device is a product ID number. The method of claim 1, wherein the unique identifier of the client device is a serial number. The method of claim 1, wherein the unique identifier of the client device is a product revision number. The method of claim 1, wherein the unique identifier of the client device is a combination of two or more of a serial number, a product revision number, or a product ID number. 2. The method of claim 1, wherein said combining comprises encrypting said protected content file. 2. The method of claim 1, wherein the step of combining comprises combining the identified content with the device identifier table and timestamp. In a system for protecting content from unauthorized access, Means for identifying content at a content provider site, the plurality of client devices having access to the identified content; Means for retrieving a unique identifier of each of the plurality of client devices; Means for transmitting the unique identifier to the content provider site; Means for associating a device identifier table with the identified content to include a unique identifier of each of the client devices to generate a content file protected at the content provider site; And The protected content file is downloaded to one of the client devices, based on whether an access to the protected content is included in the device identifier table of the protected content file that is associated with an identifier associated with the client device used for the access. A system for protecting content from unauthorized access comprising means for downloading. In a method for protecting content from unauthorized access, Retrieving a plurality of unique identifiers corresponding to the plurality of client devices; Associating a device identifier table with a content file that includes a plurality of unique identifiers of the plurality of client devices to create a protected content file; And The protected content file is sent to one of the plurality of client devices, wherein access to the protected content is included in the device identifier table of the protected content file with an identifier associated with the client device used for the access. A method for protecting content from unauthorized access comprising a delivery step based on whether or not. 16. The method of claim 15, wherein the plurality of client devices comprises at least two of a storage device, a personal computer, a set top box, and an audio / video device. 16. The method of claim 15, wherein the unique identifier of the client device is a product ID number. 16. The method of claim 15, wherein the unique identifier of the client device is a serial number. 16. The method of claim 15, wherein the unique identifier of the client device is a product revision number. 16. The method of claim 15, wherein the unique identifier of the client device is a combination of two or more of a serial number, a product revision number, or a product ID number. 16. The method of claim 15, wherein said combining comprises encrypting the protected content file. In a method for protecting content from unauthorized access, Receiving a plurality of unique identifiers corresponding to the plurality of client devices; Associating a device identifier table with a content file that includes a plurality of unique identifiers of the plurality of client devices to create a protected content file; Storing the protected content file on a portable medium; And The portable medium is sent to a user, wherein access to the protected content file on the portable medium is based on whether an identifier associated with a client device used for the access is included in the device identifier table of the protected content file. A method for protecting content from unauthorized access, including sending steps.

Images