Hybrid device and person based authorization domain architecture

US 10,038,686 B2
Filed: 02/27/2015
Issued: 07/31/2018
Est. Priority Date: 07/24/2003
Status: Expired due to Term

First Claim

Patent Images

1. A server comprising:

a receiving system configured to receive, over a network, a request for a protected content, the request including a content identification of the protected content and at least one of a personal identification and a device identification, wherein the personal identification is associated with a person and the device identification is associated with a device;

a processing system configured to;

identify a domain identification associated with the received identification, wherein the domain identification associated with the received identification is provided in a corresponding rights certificate;

determine a second domain identification associated with the protected content, wherein the second domain identification is associated with at least one of;

a personal identification and a device identification;

determine whether the domain identification associated with the protected content is comparable to the second domain identification;

provide an indication of a favorable determination when the domain identification and the second domain identifications are comparable;

determine a location of the protected content; and

a transmitting system configured to;

transmit to the device requesting the protected content upon receiving the indication of favorable determination, one of;

the protected content when the protected content is remote from the device and an indication allowing access to the protected content when the protected content is local to the device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention relates to a system and a method of generating an Authorized Domain (AD) by selecting a domain identifier, and binding at least one person (P1, P2, . . . , PN₁), at least one device (D1, D2, . . . , DM), and at least one content item (C1, C2, . . . , CN₂) to the Authorized Domain (AD) given by the domain identifier (Domain_ID).

Hereby, a number of verified devices (D1, D2, . . . , DM) and a number of verified persons (P1, P2, . . . , PN₁) that is authorized to access a content item of the Authorized Domain (100) is obtained.

In this way, access to a content item of an authorized domain by a person operating a device is obtained either by verifying that the content item and the person are linked to the same domain or by verifying that the device and the content item are linked to the same domain. Thereby, enhanced flexibility for one or more persons when accessing content in an authorized domain is obtained while security of the content is still maintaining. This is further done in a simple, secure, and reliable way.

Citations

34 Claims

1. A server comprising:
- a receiving system configured to receive, over a network, a request for a protected content, the request including a content identification of the protected content and at least one of a personal identification and a device identification, wherein the personal identification is associated with a person and the device identification is associated with a device;
  
  a processing system configured to;
  
  identify a domain identification associated with the received identification, wherein the domain identification associated with the received identification is provided in a corresponding rights certificate;
  
  determine a second domain identification associated with the protected content, wherein the second domain identification is associated with at least one of;
  
  a personal identification and a device identification;
  
  determine whether the domain identification associated with the protected content is comparable to the second domain identification;
  
  provide an indication of a favorable determination when the domain identification and the second domain identifications are comparable;
  
  determine a location of the protected content; and
  
  a transmitting system configured to;
  
  transmit to the device requesting the protected content upon receiving the indication of favorable determination, one of;
  
  the protected content when the protected content is remote from the device and an indication allowing access to the protected content when the protected content is local to the device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The server of claim 1, the processing system configured to:
    - decrypt the protected content based on a decryption key associated with the protected content, the decryption key being provided in the content container.
  - 3. The server of claim 1, the transmitting system configured to:
    - transmit a decryption key associated with the protected content.
  - 4. The server of claim 1, wherein the device identification is unique for each device.
  - 5. A system comprising:
    - at least one device in a network; and
      
      the server of claim 1.

6. A server comprising:
- a receiving system configured to;
  
  receive over a network a request for a protected content, the request including a content identification of the protected content and at least one of;
  
  a personal identification of a person having access to the protected content and a device identification of a device in the network, wherein the personal identification is associated with the person and the device identification is associated with the device;
  
  a processing system configured to;
  
  determine whether at least a device identification is received;
  
  identify, when a device identification is received, a domain identification associated with the received device identification, wherein the domain identification associated with the received device identification is provided in a device rights certificate associated with the device identification;
  
  determine a second domain identification associated with the protected content, wherein the second domain identification is associated with at least one of;
  
  a personal identification and a device identification;
  
  determine whether the second domain identification is comparable to the domain identification associated with the received device identification; and
  
  provide an indication of a favorable determination when the domain identifications are comparable; and
  
  a transmitting system configured to;
  
  transmit, over the network, to the device associated with the device identification one of;
  
  the protected content and an indication of allowable access upon receiving the favorable indication.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The server of claim 6, the processing system configured to:
    - determine whether at least a personal identification is received;
      
      determine, when a personal identification is received, a domain identification associated with the received personal identification, wherein the domain identification associated with the received personal identification is provided in a personal rights certificate;
      
      determine whether the domain identification associated with the protected content is comparable to the domain identification associated with the received personal identification; and
      
      provide the indication of a favorable determination when the domain identifications are comparable.
  - 8. The server of claim 6, the processing system configured to:
    - decrypt the protected content based on a decryption key associated with the protected content.
  - 9. The server of claim 6, the transmitting system configured to:
    - transmit a decryption key associated with the protected content.
  - 10. The server of claim 6, wherein the device identification is unique for each device.
  - 11. A system comprising:
    - at least one device in a network; and
      
      the server of claim 6.

12. A server comprising:
- a receiving system configured to;
  
  receive a request for a protected content, the request including at least a content identification associated with the protected content and at least one of;
  
  a personal identification and a device identification, wherein the personal identification is associated with a person making the request and the device identification is associated with a device from which the request is made;
  
  a processing system in communication with the receiving system, the processing system configured to;
  
  determine a domain identification based on at least one of;
  
  a personal identification and a device identification, wherein the domain identification associated with the received device identification is provided in a device rights certificate associated with the device identification; and
  
  determine whether the domain identification associated with one of the at least one of the received personal identification and the device identification is comparable to a domain identification associated with the protected content; and
  
  generate a favorable indication indicating a domain identification associated with the protected content is comparable to the domain identification associated with the received identification; and
  
  a transmitting system configured to;
  
  transmit to a device providing the request the protected content and an indication of access upon receiving the favorable indication.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The server of claim 12, the processing system configured to:
    - formulate an authorized domain, identified by the domain identification, the authorized domain comprising;
      
      at least one of a plurality of persons accessing a network, each of the plurality of persons being identified by a corresponding personal identification wherein the corresponding personal identification is associated with the domain identification;
      
      at least one of at least one device accessing the network, the device identification associated with each of the at least one of the at least one device being unique and being associated with the domain identification; and
      
      a plurality of protected content associated with the domain identification.
  - 14. The server of claim 12, the processing system configured to:
    - decrypt the protected content.
  - 15. The server of claim 12, the transmitting system configured to:
    - transmit a decryption key associated with the protected content.
  - 16. The server of claim 12, wherein the personal identification is obtained from at least one of:
    - a smart card, a mobile phone, and a biometric sensor.
  - 17. The server of claim 12, the processing system configured to:
    - receive information regarding the domain identification associated with the personal identification, the information contained in the request.
  - 18. The server of claim 12, the processing system configured to:
    - receive information regarding the domain identification associated with the device identification, the information contained in the request.
  - 19. A system comprising:
    - at least one device in a network; and
      
      the server of claim 12.

20. A server comprising:
- a receiving system configured to;
  
  receive a request for protected content, the request including an identification of the content and at least one of a personal identification of a person and a device identification of a device in a network;
  
  a processor system configured to;
  
  identify a domain identification associated with the protected content;
  
  identify a domain identification associated with the at least one of;
  
  the received personal identification and the device identification, wherein the domain identification associated with the received device identification is provided in a device rights certificate associated with the device identification;
  
  determine whether the domain identification associated with one of the received identification is comparable to the domain identification associated with the protected content; and
  
  generate a favorable indication indicating a domain identification associated with the protected content is comparable to the domain identification associated with one of the at least one received personal identification and the device identification.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 21. The server of claim 20 comprising a transmission system configured to:
    - transmit the protected content to a device associated with the device identification upon receiving the favorable indication.
  - 22. The server of claim 21, the processing system configured to:
    - decrypt the protected content.
  - 23. The server of claim 20, a transmission system configured to:
    - transmit an indication of access to the protected contention to a device associated with the device identification upon receiving the favorable indication.
  - 24. The server of claim 23, wherein the indication represents a decrypting key.
  - 25. The server of claim 20, comprising a memory system configured to:
    - store the protected content on the device associated with the device identification.
  - 26. The server of claim 20, the receiving system configured to:
    - receive the domain information associated with the personal identification and the device identification.
  - 27. The server of claim 20, further comprising:
    - a storage system configured to;
      
      store an authorized domain, identified by a domain identification, the authorized domain comprising;
      
      a personal identification identifying each person of a plurality of persons accessing the network, the personal identification being associated with the domain identification;
      
      a device identification associated with each of at least one device accessing the network, the device identification being associated with the domain identification; and
      
      a plurality of protected content associated with the domain identification.
  - 28. The server of claim 27;
    - a transmission system configured to;
      
      transmit the domain identification to each of the plurality of persons and each of the at least one devices within the authorized domain.
  - 29. The server of claim 27, the processor configured to:
    - associate each of the at least one of the devices with the domain identification; and
      
      associate each of the plurality of persons with the domain identification.
  - 30. A system comprising:
    - at least one device in a network; and
      
      the server of claim 20.

31. A method for operating a server, the method comprising:
- receiving over a network, by a receiving system of a server, a request for a protected content, the network being accessible by a person, the request including a content identification of the protected content and at least one of a personal identification and a device identification, wherein the personal identification is associated with the person and the device identification is associated with a device;
  
  a processing system of the server;
  
  determining a domain identification associated with the protected content;
  
  identifying a domain identification associated with the received identification, wherein the domain identification is provided in a corresponding rights certificate associated with at least one of;
  
  at least one personal identification and at least one device identification;
  
  determining whether the domain identification associated with the protected content is comparable to the domain identification associated with the received identification;
  
  providing an indication of a favorable determination when the domain identifications are comparable;
  
  determining a location of the protected content; and
  
  transmitting, by a transmitting system of the server, to a device providing the request, upon receiving the indication of favorable determination, one of;
  
  the protected content when the protected content is remote from the device and an indication allowing access to the protected content when the protected content is local to the device.

32. A method of operating a server, the method comprising:
- receiving over a network, by a receiving system, a request for a protected content, the request including a content identification of the protected content and at least one of;
  
  a personal identification of a person having access to the network and a device identification of a device in the network;
  
  determining, by a processing system;
  
  a domain identification associated with the protected content;
  
  identifying a domain identification associated with the received identification, provided in a corresponding rights certificate associated with corresponding ones of said at least personal identification and said at least one device identification;
  
  determining whether the domain identification associated with the protected content is comparable to the domain identification associated with the received device identification; and
  
  providing an indication of a favorable determination when the domain identifications are comparable; and
  
  transmitting, by a transmitting system, upon receiving the favorable indication to a device providing said request one of;
  
  the protected content and an indication of allowable access.

33. A method of operating a server, the method comprising:
- receiving, by a receiving system, a request for a protected content, the request including at least a content identification associated with the protected content and at least one of;
  
  a personal identification and a device identification;
  
  determining, by a processing system in communication with the receiving system, a domain identification associated with the protected content,determining, by the processing system in communication with the receiving system, whether a domain identification associated with one of the at least one of the received personal identification and the device identification is comparable to the domain identification associated with the protected content, wherein the domain identification associated with the received device identification is provided in a device rights certificate associated with the device identification; and
  
  generating, by processing system in communication with the receiving system, a favorable indication indicating a domain identification associated with the protected content is comparable to the domain identification associated with one of the at least one personal identification and the device identification; and
  
  transmitting, by a transmitting system, to a device associated the request one of;
  
  the protected content and an indication of access.

34. A method of operating a server, the method comprising:
- receiving, by a receiving system, a request for protected content, the request including an identification of the content and at least one of a personal identification of a person and a device identification of a device in a network;
  
  identifying, by a processor system, a domain identification associated with the protected content;
  
  identifying, by the processor system, a domain identification associated with the at least one of a received personal identification and a device identification, wherein the domain identification associated with the received device identification is provided in a device rights certificate associated with the device identification;
  
  determining whether the domain identification associated with at least one of the at least one received personal identification and the device identification is comparable to the domain identification associated with the protected content; and
  
  generating a favorable indication indicating a domain identification associated with the protected content is comparable to the domain identification associated with one of the at least one personal identification and the device identification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Media Content Protection LLC
Original Assignee
Koninklijke Philips N.V.
Inventors
Kamperman, Franciscus L. A. J., Koster, Robert Paul, Schrijen, Geert Jan
Primary Examiner(s)
Keehn, Richard G

Application Number

US14/633,574
Publication Number

US 20150172279A1
Time in Patent Office

1,250 Days
Field of Search

709225, 709229, 709245
US Class Current
CPC Class Codes

G06F 21/1012   to domains

G06F 21/31   User authentication

G06F 2221/2129   Authenticate client device ...

G11B 20/00086   Circuits for prevention of ...

G11B 20/00731   involving a digital rights ...

G11B 20/00855   involving a step of exchang...

H04L 2463/101   applying security measures ...

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

Hybrid device and person based authorization domain architecture

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Hybrid device and person based authorization domain architecture

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links