System and method for dynamically enforcing digital rights management rules

US 20030226012A1
Filed: 05/30/2002
Published: 12/04/2003
Est. Priority Date: 05/30/2002
Status: Active Grant

First Claim

Patent Images

1. A method for enforcing digital rights management (DRM) rules at a terminal, comprising:

receiving content and at least one voucher identifying the DRM rules at the terminal;

providing on-demand authentication of an operating terminal application which is seeking access to the content, via secure communications between a DRM engine and an operating system augmented with a security manager adapted to conduct the secure communications;

if the terminal application is authenticated, applying the DRM rules to determine whether the terminal application may access the content; and

accessing the content by the terminal application if access is allowed in response to applying the DRM rules.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for enforcing digital rights management (DRM) rules in a terminal, even when the requesting rendering application is already operating. Content, which may be encrypted, is received at the terminal and securely stored. On-demand authorization is effected for the rendering application that is requesting access to the content, using secure communications between a DRM engine within the terminal and an operating system within the terminal that is augmented with a security manager adapted to engage in such secure communications. If the rendering application is found to be authorized, the DRM rules are applied to determine whether the rendering application may access the content, and if so, the content is made available to the rendering application.

110 Citations

View as Search Results

50 Claims

1. A method for enforcing digital rights management (DRM) rules at a terminal, comprising:
- receiving content and at least one voucher identifying the DRM rules at the terminal;
  
  providing on-demand authentication of an operating terminal application which is seeking access to the content, via secure communications between a DRM engine and an operating system augmented with a security manager adapted to conduct the secure communications;
  
  if the terminal application is authenticated, applying the DRM rules to determine whether the terminal application may access the content; and
  
  accessing the content by the terminal application if access is allowed in response to applying the DRM rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The method of claim 1, wherein the operating terminal application is a rendering application which is already operating at the time of seeking access to the encrypted content.
  - 3. The method of claim 1, wherein providing on-demand authentication of the operating terminal application comprises:
    - invoking an authentication request at the DRM engine to retrieve at least a portion of program text of a process identified by an inter-process communication (IPC) connection opened in response to a content request by the terminal application;
      
      receiving the authentication request by the security manager and identifying the process corresponding to the IPC connection;
      
      providing the program text to the DRM engine from the security manager; and
      
      verifying, by the DRM engine, the legitimacy of the terminal application by verifying a certificate of the terminal application based on the program text.
  - 4. The method of claim 1, wherein providing on-demand authentication of the operating terminal application comprises:
    - invoking a certificate verification request at the DRM engine, wherein the certificate verification request is accompanied by arguments including a certificate of the terminal application and an identifier of a process corresponding to an inter-process communication (IPC) connection opened in response to a content request by the terminal application;
      
      receiving the certificate verification request by the security manager and verifying the certificate against a predetermined certificate value; and
      
      providing a verification indication to the DRM engine from the security manager indicating whether the certificate is correct and valid.
  - 5. The method of claim 1, wherein providing on-demand authentication of the operating terminal application comprises:
    - invoking an authentication request at the DRM engine to retrieve a hash of at least a portion of program text of a process identified by an inter-process communication (IPC) connection opened in response to a content request by the terminal application;
      
      receiving the authentication request by the security manager and identifying the process corresponding to the IPC connection;
      
      computing, at the security manager, the hash of the program text for each new process created;
      
      providing, from the security manager to the DRM engine, the hash of the program text corresponding to the IPC connection identified in the authentication request; and
      
      verifying, by the DRM engine, the legitimacy of the terminal application by comparing the hash of the program text with values expected by the DRM engine based on the certificate issued to the terminal application.
  - 6. The method of claim 1, wherein receiving content comprises receiving encrypted content, and wherein accessing the content by the terminal application comprises accessing plaintext content resulting from decrypting the encrypted content at the DRM engine.
  - 7. The method of claim 6, further comprising requesting a content key from the security manager by the DRM engine, and wherein decrypting the encrypted content at the DRM engine comprises decrypting the encrypted content using the content key received from the security manager.
  - 8. The method of claim 1, wherein receiving content comprises receiving encrypted content, and wherein accessing the content by the terminal application comprises:
    - maintaining a content key at the security manager;
      
      decrypting requested blocks of the content at the security manager using the content key; and
      
      providing the requested blocks of decrypted content to the DRM engine.
  - 9. The method of claim 1, wherein receiving content comprises receiving encrypted content, and wherein accessing the content by the terminal application comprises:
    - requesting a content key from the security manager by the DRM engine;
      
      decrypting requested blocks of the content at the DRM engine using the content key; and
      
      providing only requested blocks of the content to the terminal application.
  - 10. The method of claim 1, wherein receiving content comprises receiving encrypted content, and wherein accessing the content by the terminal application comprises:
    - providing a content key from the security manager to the terminal application; and
      
      decrypting the encrypted content by the terminal application using the content key.
  - 11. The method of claim 1, wherein receiving content comprises receiving encrypted content, and wherein accessing the content by the terminal application comprises:
    - providing a content key from the DRM engine to the terminal application; and
      
      decrypting the encrypted content by the terminal application using the content key.
  - 12. The method of claim 1, further comprising:
    - issuing a request to the security manager by the DRM engine to provide a connection to a process whose program text matches a hash provided by the DRM engine; and
      
      returning a handle to the connection to the DRM engine.
  - 13. The method of claim 12, wherein providing on-demand authentication of the operating terminal application comprises:
    - invoking an authentication request at the DRM engine to retrieve at least a portion of program text of the process identified by the handle;
      
      receiving the authentication request by the security manager and identifying the process corresponding to the connection;
      
      providing the program text to the DRM engine from the security manager; and
      
      verifying, by the DRM engine, the legitimacy of the terminal application by verifying a certificate of the terminal application based on the program text.
  - 14. The method of claim 1, further comprising:
    - issuing a request to the security manager by the DRM engine to provide a connection to a process whose program text matches a terminal application certificate provided by the DRM engine; and
      
      returning a handle to the connection to the DRM engine.
  - 15. The method of claim 14, wherein providing on-demand authentication of the operating terminal application comprises:
    - invoking an authentication request at the DRM engine to retrieve at least a portion of program text of the process identified by the handle;
      
      receiving the authentication request by the security manager and identifying the process corresponding to the connection;
      
      providing the program text to the DRM engine from the security manager; and
      
      verifying, by the DRM engine, the legitimacy of the terminal application by verifying a certificate of the terminal application based on the program text.
  - 16. The method of claim 1, further comprising:
    - issuing a request to the security manager by the DRM engine to provide a connection to a process whose program text matches a particular type selected from a standard set of type specified in certificates; and
      
      returning a handle to the connection to the DRM engine.
  - 17. The method of claim 16, wherein providing on-demand authentication of the operating terminal application comprises:
    - invoking an authentication request at the DRM engine to retrieve at least a portion of program text of the process identified by the handle;
      
      receiving the authentication request by the security manager and identifying the process corresponding to the connection;
      
      providing the program text to the DRM engine from the security manager; and
      
      verifying, by the DRM engine, the legitimacy of the terminal application by verifying a certificate of the terminal application based on the program text.
  - 18. The method of claim 1, further comprising verifying the DRM engine by the security manager by computing a hash of the DRM engine'"'"'s code and associating the hash with private files created by the DRM engine.
  - 19. The method of claim 1, further comprising verifying the DRM engine by the security manager by verifying the DRM engine'"'"'s certificate and associating the certificate with private files created by the DRM engine.
  - 20. The method of claim 1, further comprising:
    - wirelessly providing the content and a voucher identifying the DRM rights to the terminal; and
      
      securely storing the content and the voucher locally at the terminal.
  - 21. The method of claim 1, wherein the terminal is a wireless terminal, and further comprising sending the content and the at least one voucher to the wireless terminal from a second wireless terminal.
  - 22. The method of claim 1, wherein applying the DRM rules comprises analyzing usage rights provided via the voucher.
  - 23. The method of claim 1, wherein the terminal application is a multi-part terminal application, and wherein providing on-demand authentication of the terminal application comprises providing on-demand authentication of each part of the multi-part terminal application.
  - 24. The method of claim 1, wherein the terminal application is a multi-part terminal application, and wherein providing on-demand authentication of the multi-part terminal application comprises:
    - invoking an authentication request at the DRM engine to retrieve program text of each part of the multi-part terminal application identified by an inter-process communication (IPC) connection opened in response to a content request by the multi-part terminal application;
      
      receiving the authentication request by the security manager and identifying the process corresponding to the IPC connection;
      
      returning the program text of each part of the multi-part terminal application to the DRM engine from the security manager; and
      
      verifying, by the DRM engine, the legitimacy of the multi-part terminal application by verifying certificates of the terminal application based on each of the returned program texts.
  - 25. The method of claim 1, wherein the terminal application is a multi-part terminal application, and wherein providing on-demand authentication of the multi-part terminal application comprises:
    - invoking an authentication request at the DRM engine to retrieve hashes of program text of each part of the multi-part terminal application identified by an inter-process communication (IPC) connection opened in response to a content request by the multi-part terminal application;
      
      receiving the authentication request by the security manager and identifying the process corresponding to the IPC connection;
      
      computing, at the security manager, a hash for each of the program texts for each new process created;
      
      returning the hash of each part of the multi-part terminal application to the DRM engine from the security manager; and
      
      verifying, by the DRM engine, the legitimacy of the multi-part terminal application by verifying certificates of the terminal application based on each of the returned hashes.
  - 26. The method of claim 1, wherein the terminal application is a multi-part terminal application, and wherein providing on-demand authentication of the multi-part terminal application comprises:
    - invoking a certificate verification request at the DRM engine, wherein the certificate verification request is accompanied by arguments including a certificate for each part of the multi-part terminal application and an identifier of a process corresponding to an inter-process communication (IPC) connection opened in response to a content request by the terminal application;
      
      receiving the certificate verification request by the security manager and verifying the certificates against predetermined certificate values; and
      
      providing a verification indication to the DRM engine from the security manager indicating whether the certificates are correct and valid.

27. A method for enforcing digital rights management (DRM) rules at a terminal when a rendering application operable within the terminal is already operating, comprising:
- requesting access to content securely stored in the terminal;
  
  requesting, by a DRM engine, at least a portion of program text of a process identified by an inter-process communication (IPC) connection opened in response to the request for content;
  
  receiving the request for the program text by a security manager and identifying the process corresponding to the IPC connection;
  
  providing the program text to the DRM engine from the security manager;
  
  verifying, by the DRM engine, whether the rendering application is authorized to access the program text of the process, wherein the program text of the process and a certificate of the rendering application are used for the verification;
  
  making an access control decision by the DRM engine if the rendering application is authorized to access the program text of the process; and
  
  making the content accessible to the rendering application if the access control decision is positive.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 28. The method of claim 27, wherein the requested content stored in the terminal is encrypted, and further comprising:
    - requesting, by the DRM engine, a content key for decrypting the requested content if the access control decision is positive;
      
      providing the content key to the DRM engine from the security manager; and
      
      decrypting the content at the DRM engine.
  - 29. The method of claim 28, wherein authorizing the content comprises authorizing the decrypted content to be accessed via the IPC connection by the rendering application.
  - 30. The method of claim 27, wherein requesting access to the content comprises requesting access to the content by the rendering application.
  - 31. The method of claim 30, wherein requesting content by the rendering application comprises invoking a content request accompanied by at least a content identifier that identifies the requested content, and the certificate of the rendering application.
  - 32. The method of claim 31, wherein:
    - invoking a content request further comprises invoking the content request accompanied further by a process identifier;
      
      requesting at least a portion of the program text further comprises providing the process identifier together with an identifier of the IPC connection to the security manager;
      
      verifying, by the security manager, that the process identified by the process identifier is associated with the process identified by the IPC connection identifier.
  - 33. The method of claim 27, wherein requesting access to the content comprises:
    - authenticating the rendering application by the security manager using a rendering application certificate; and
      
      forwarding a content request from the security manager to the DRM engine if the rendering application is successfully authenticated.
  - 34. The method of claim 27, wherein making the content accessible to the rendering application comprises authorizing the content to be accessed by the rendering application via the IPC connection.
  - 35. The method of claim 27, further comprising augmenting an operating system operating within the terminal to include the security manager.
  - 36. The method of claim 27, wherein requesting the program text comprises invoking a primitive to obtain the program text, wherein the primitive is accompanied by arguments including an IPC identifier to allow the security manager to identify the process corresponding to the IPC connection.

37. A terminal capable of receiving content and at least one corresponding voucher including usage rights for the content, comprising:
- a rendering application to provide a content request and to present the content upon access authorization;
  
  a digital rights management (DRM) engine coupled to receive the content request and to invoke a request to authenticate the rendering application in response thereto, wherein the request to authenticate the rendering application includes at least an identifier of an inter-process communication (IPC) connection opened in response to the content request;
  
  an operating system augmented with a security manager configured to receive the request to authenticate the rendering application and the IPC connection identifier, and in response to provide data uniquely associated with a process identified by the IPC connection; and
  
  wherein the DRM engine further receives the data and verifies a certificate of the rendering application using the data, and if the rendering application is successfully verified, allowing the rendering application access to the content as dictated by the usage rights.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45)
- - 38. The terminal as in claim 37, wherein the data uniquely associated with the process identified by the IPC connection comprises program text of the process.
  - 39. The terminal as in claim 37, wherein the data uniquely associated with the process identified by the IPC connection comprises a hash of the program text of the process.
  - 40. The terminal as in claim 37, wherein the content received at the terminal is encrypted, and wherein the security manager is further configured to provide a content key to the DRM engine in response to a key request by the DRM engine.
  - 41. The terminal as in claim 40, wherein the DRM engine is further configured to decrypt the content using the content key, and to allow the rendering application access to the decrypted content as dictated by the usage rights.
  - 42. The terminal as in claim 37, wherein the security manager is integrally implemented into the operating system kernel.
  - 43. The terminal as in claim 37, wherein the security manager is implemented outside the operating system kernel as a secure library.
  - 44. The terminal as in claim 37, wherein the terminal comprises a mobile device comprising at least one of a wireless telephone, wireless PDA, or wireless computing device.
  - 45. The terminal as in claim 37, wherein the terminal comprises a landline client terminal coupled in a server environment.

46. A content distribution system, comprising:
- (a) at least one content sending terminal to dispatch content and an associated voucher including recipient usage rights;
  
  (b) at least one content receiving terminal coupled to receive the content and the associated voucher, wherein the content receiving terminal comprises;
  
  (i) a rendering application to provide a content request and to present the content upon access authorization;
  
  (ii) a digital rights management (DRM) engine coupled to receive the content request and to invoke a request to authenticate the rendering application in response thereto, wherein the request to authenticate the rendering application includes at least an identifier of an inter-process communication (IPC) connection opened in response to the content request;
  
  (iii) an operating system augmented with a security manager configured to receive the request to authenticate the rendering application and the IPC connection identifier, and in response to provide data uniquely associated with a process identified by the IPC connection; and
  
  (iv) wherein the DRM engine further receives the data and verifies a certificate of the rendering application using the data, and if the rendering application is successfully verified, allowing the rendering application access to the content as dictated by the recipient usage rights.
- View Dependent Claims (47, 48)
- - 47. The content distribution system as in claim 46, wherein the content sending terminal comprises a wireless kiosk serving as a content retailer.
  - 48. The content distribution system as in claim 46, wherein the content sending terminal comprises a first wireless terminal, and wherein the content receiving terminal comprises a second wireless terminal capable of wireless communication with the first wireless terminal.

49. A method for distributing content for use on a plurality of terminals, comprising:
- issuing a transfer request from a receiving terminal to a sending terminal having distributable content;
  
  verifying a device certificate of the receiving terminal by the sending terminal to determine whether the receiving terminal is compliant;
  
  creating a voucher including recipient usage rights at the sending terminal and transferring the content and the voucher to the receiving terminal if the receiving terminal is verified as compliant;
  
  providing, at the receiving terminal, on-demand authentication of an operating terminal application which is seeking access to the content, via secure communications between a DRM engine and an operating system augmented with a security manager adapted to conduct the secure communications;
  
  if the terminal application is authenticated, applying the recipient usage rights at the receiving terminal to determine whether the terminal application may access the content; and
  
  accessing the content by the terminal application if access is allowed in response to applying the recipient usage rights.
- View Dependent Claims (50)
- - 50. The method as in claim 49, further comprising initiating a transfer trigger by the sending terminal to prompt the receiving terminal to issue the transfer request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Asokan, N., Ekberg, Jan-Erik, Teinila, Jaakko, Stenman, Jorma

Granted Patent

US 7,529,929 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06Q 20/3674   involving authentication

H04L 2463/101   applying security measures ...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

System and method for dynamically enforcing digital rights management rules

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

110 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for dynamically enforcing digital rights management rules

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

110 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links