Secure media path methods, systems, and architectures
First Claim
1. A method comprising:
- receiving, with a client component, encrypted content that is to be protected during a rendering process;
receiving a manifest associated with the content, the manifest specifying protected media path requirements for the rendering process;
verifying that the client component is a trusted component;
creating a primary authenticator that can be used to authenticate one or more components downstream from the client component;
articulating, to the primary authenticator, one or more downstream components that need to be authenticated;
authenticating one or more downstream components using the primary authenticator;
creating at least one secondary authenticator;
articulating to the secondary authenticator one or more downstream components that need to be authenticated; and
authenticating one or more downstream components using the secondary authenticator.
2 Assignments
0 Petitions
Accused Products
Abstract
Methods, systems and architectures for processing renderable digital content are described. The various embodiments can protect against unauthorized access or duplication of unprotected content (i.e. decrypted content) once the content has reached a rendering device such as a user'"'"'s computer. A flexible framework includes an architecture that allows for general media sources to provide virtually any type of multimedia content to any suitably configured rendering device. Content can be protected and rendered locally and/or across networks such as the Internet. The inventive architecture can allow third parties to write components and for the components to be securely and flexibly incorporated into a processing chain. The components can be verified by one or more authenticators that are created and then used to walk the chain of components to verify that the components are trusted. The various embodiments can thus provide a standard platform that can that can be leveraged to protect content across a wide variety of rendering environments, content types, and DRM techniques.
131 Citations
70 Claims
-
1. A method comprising:
-
receiving, with a client component, encrypted content that is to be protected during a rendering process;
receiving a manifest associated with the content, the manifest specifying protected media path requirements for the rendering process;
verifying that the client component is a trusted component;
creating a primary authenticator that can be used to authenticate one or more components downstream from the client component;
articulating, to the primary authenticator, one or more downstream components that need to be authenticated;
authenticating one or more downstream components using the primary authenticator;
creating at least one secondary authenticator;
articulating to the secondary authenticator one or more downstream components that need to be authenticated; and
authenticating one or more downstream components using the secondary authenticator. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. One or more computer-readable media having computer-readable instructions thereon which, when executed by one or more processors, cause the one or more processors to:
-
receive, with a client component, encrypted content that is to be protected during a rendering process;
receive a manifest associated with the content, the manifest specifying protected media path requirements for the rendering process;
verify that the client component is a trusted component;
create a primary authenticator and at least one secondary authenticator, the authenticators being configured to authenticate one or more components downstream from the client component;
establish at least one secure communication channel between the authenticators;
articulate, to the authenticators, one or more downstream components that need to be authenticated;
authenticate one or more downstream components using the authenticators; and
allow the one or more components to communicate with one another using the secure communication channel. - View Dependent Claims (13, 14, 15, 16)
-
-
17. A computing device comprising:
-
memory;
one or more processors;
instructions in the memory which, when executed by the one or more processors, cause the one or more processors to;
receive, with a client component, encrypted content that is to be protected during a rendering process;
receive a manifest associated with the content, the manifest specifying protected media path requirements for the rendering process;
determine whether any digital rights management data associated with the content needs to be translated to a form that can be understood by an authenticator'"'"'s DRM system and, if so, effectuating translation of the digital rights management data;
verify that the client component is a trusted component;
create a primary authenticator and at least one secondary authenticator, the authenticators being configured to authenticate one or more components downstream from the client component;
establish at least one secure communication channel between the authenticators;
articulate, to the authenticators, one or more downstream components that need to be authenticated;
authenticate one or more downstream components using the authenticators; and
allow the one or more components to communicate with one another using the secure communication channel, and allow the one or more components to set up session keys for use during the rendering process.
-
-
18. A method comprising:
-
establishing one or more paths of components that are to process and render digital content;
receiving encrypted content that is to be processed by the one or more paths, the encrypted content being subject to a license that defines, at least in part, how the encrypted data is to be processed;
creating multiple authenticators to authenticate components along the one or more paths;
providing a secure communication channel between the authenticators;
determining whether any digital rights management data associated with the content needs to be translated to a form that can be understood by an authenticator'"'"'s DRM system and, if so, effectuating translation of the digital rights management data by using a separate translator module that is configured to translate the digital rights management data;
querying, with the authenticators, individual components of the one or more paths to ascertain which components the queried components pass data to;
authenticating, with the authenticators, the queried components and the components that the queried components pass data to;
establishing encryption/decryption keys with multiple components of the one or more paths for the components to use to encrypt and decrypt data. - View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
-
-
26. One or more computer-readable media having computer-readable instructions thereon which, when executed by one or more processors, cause the one or more processors to:
-
establish one or more paths of components that are to process and render digital content;
receive encrypted content that is to be processed by the one or more paths, the encrypted content being subject to a license that defines, at least in part, how the encrypted data is to be processed;
create multiple authenticators to authenticate components along the one or more paths;
provide a secure communication channel between the authenticators;
query, with the authenticators, individual components of the one or more paths to ascertain which components the queried components pass data to;
authenticate, with the authenticators, the queried components and the components that the queried components pass data to; and
establish encryption/decryption keys with multiple components of the one or more paths for the components to use to encrypt and decrypt data. - View Dependent Claims (27, 28, 29)
-
-
30. A computing device comprising:
-
memory;
one or more processors;
instructions in the memory which, when executed by the one or more processors, cause the one or more processors to;
establish one or more paths of components that are to process and render digital content;
receive encrypted content that is to be processed by the one or more paths, the encrypted content being subject to a license that defines, at least in part, how the encrypted content is to be processed;
create multiple authenticators to authenticate components along the one or more paths, at least one of the authenticators comprising a user mode authenticator for authenticating user mode components, and at least one other of the authenticators comprising a kernel mode authenticator for authenticating kernel mode components;
provide a secure communication channel between the authenticators;
query, with the authenticators, individual components of the one or more paths to ascertain which components the queried components pass data to;
authenticate, with the authenticators, queried components and, if possible, the components that the queried components pass data to; and
establish encryption/decryption keys with multiple components of the one or more paths for the components to use to encrypt and decrypt data. - View Dependent Claims (31, 32, 33, 34)
-
-
35. A method comprising:
-
establishing one or more paths of components that are to process and render digital data, individual components supporting one or more of an authenticable interface and a authentication proxy interface;
creating a first authenticator to authenticate individual components of the one or more paths;
calling, with the first authenticator, one or more authenticable interfaces on one or more respective components to ascertain components downstream from the components that are called;
authenticating one or more downstream components using the first authenticator;
for those components that support an authentication proxy interface and an authentication interface, creating a separate authenticator;
establishing an encrypted channel between the first authenticator and one or more of the separate authenticators; and
authenticating additional components using the separate authenticator. - View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43)
-
-
44. One or more computer-readable media having computer-readable instructions thereon which, when executed by one or more processors, cause the one or more processors to:
-
establish multiple paths of components that are to process and render digital data, individual components supporting one or more of an authenticable interface and an authentication proxy interface, the multiple paths comprising a video path for processing digital video data, and an audio path for processing digital audio data;
translate, if necessary, digital rights management data that is associated with the digital data and use the translated digital rights management data to protect the digital data during processing of the digital data;
create a first authenticator to authenticate individual components of one or more of the paths;
call, with the first authenticator, one or more authenticable interfaces on one or more respective components to ascertain components downstream from the components that are called;
authenticate one or more downstream components using the first authenticator;
for those components that support an authentication proxy interface and an authentication interface, create a separate authenticator;
establish an encrypted channel between the first authenticator and one or more of the separate authenticators and use the channel to provide encryption/decryption keys to the components for use in encrypting and decrypting data; and
authenticate additional components using the separate authenticator. - View Dependent Claims (45, 46)
-
-
47. A computing device comprising:
-
memory;
one or more processors;
instructions in the memory which, when executed by the one or more processors, cause the one or more processors to;
establish multiple paths of components that are to process and render digital data, individual components supporting one or more of an authenticable interface and an authentication proxy interface, the multiple paths comprising a video path for processing digital video data, and an audio path for processing digital audio data, the authenticable interface returning one or more of;
a list of authentication interfaces of downstream components, a list of authentication proxy interfaces of downstream components, and a list of dependent components on which to verify signatures, and key session number for the chain of authenticators;
translate, if necessary, digital rights management data that is associated with the digital data and use the translated digital rights management data to protect the digital data during processing of the digital data;
create a first authenticator to authenticate individual components of one or more of the paths;
call, with the first authenticator, one or more authenticable interfaces on one or more respective components to ascertain components downstream from the components that are called;
authenticate one or more downstream components using the first authenticator;
for those components that support an authentication proxy interface and an authentication interface, create a separate authenticator;
establish an encrypted channel between the first authenticator and one or more of the separate authenticators and use the channel to provide encryption/decryption keys to the components for use in encrypting and decrypting data; and
authenticate additional components using the separate authenticator.
-
-
48. A method comprising:
-
establishing one or more paths of components that are to process and render digital data;
receiving encrypted data that is to be processed by the one or more paths, the encrypted data being subject to a license that defines how the encrypted data is to be processed;
creating multiple authenticators to authenticate components along the one or more paths, at least one authenticator being created across a device boundary on a remote device;
providing a secure communication channel between the authenticators;
querying, with the authenticators, individual components of the one or more paths to ascertain which components the queried components pass data to;
attempting to authenticate, with the authenticators, the queried components and the components that the queried components pass data to; and
establishing encryption/decryption keys with multiple components of the one or more paths for the components to use to encrypt and decrypt data. - View Dependent Claims (49, 50, 51, 52, 53, 54, 55, 56, 57)
-
-
58. A system comprising:
-
one or more components configured to be used in a processing chain of components that process protected content that is to be rendered for a user;
individual components supporting one or more of an authenticable interface and a authentication proxy interface;
the authenticable interface being callable by an authenticator to return, to the authenticator;
a list of authentication interfaces of downstream components, a list of authentication proxy interfaces of downstream components, and a list of dependent components on which to verify signatures;
the authentication proxy interface providing methods for reading and writing data from and to authenticators. - View Dependent Claims (59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69)
-
-
70. A system comprising:
multiple computing devices, at least one computing device comprising a host computing device and at least one computing device comprising a remote computing device, individual computing devices comprising;
one or more components configured to be used in a processing chain of components that process protected content that is to be rendered for a user;
individual components supporting one or more of an authenticable interface and a authentication proxy interface;
the authenticable interface being callable by an authenticator to return, to the authenticator, one or more of;
a list of authentication interfaces of downstream components, a list of authentication proxy interfaces of downstream components, and a list of dependent components on which to verify signatures;
the authentication proxy interface providing methods for reading and writing data from and to authenticators.
Specification