Systems and methods for providing secure server key operations

US 20040001594A1
Filed: 06/28/2002
Published: 01/01/2004
Est. Priority Date: 06/28/2002
Status: Active Grant

First Claim

Patent Images

1. A method for providing abstraction for secure key operations in a digital rights management system, the method comprising:

providing, in a digital rights management system, a key management interface that abstracts operations that include the use of key material;

providing a plurality of key management components for use in the digital rights management system, wherein each of the key management components enables the digital rights management system to perform a respective method for managing the key material, and integrating a selected key management component into the digital rights management system via the key management interface.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A key management interface that allows for different key protection schemes to be plugged into a digital rights management system is disclosed. The interface exposes the functionality of signing data, decrypting data encrypted using a public key, and re-encrypting data encrypted using the public key exported by the interface to a different authenticated principal (i.e., a different public key). Thus, a secure interface can be provided such that the data does not enter or leave the interface in the clear. Such an interface exports private key operations of signing and decryption, and provides security and authentication for the digital asset server in licensing and publishing. During publishing, a client can encrypt asset keys such that only a specified entity can decrypt it, using a plug-in, for example, that implements the aforementioned interface. During licensing, the license issuing entity can use the interface to decrypt keys for assets and to sign licenses and rights labels such that the asset is protected and consumable by a host digital rights management platform. The interface thus provides an abstraction for key operations.

Citations

51 Claims

1. A method for providing abstraction for secure key operations in a digital rights management system, the method comprising:
- providing, in a digital rights management system, a key management interface that abstracts operations that include the use of key material;
  
  providing a plurality of key management components for use in the digital rights management system, wherein each of the key management components enables the digital rights management system to perform a respective method for managing the key material, and integrating a selected key management component into the digital rights management system via the key management interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein at least one of the key management components is a plug-in component.
  - 3. The method of claim 1, wherein the key material includes a private key.
  - 4. The method of claim 1, wherein the key management interface allows for external identification of the key material.
  - 5. The method of claim 1, wherein the selected key management component is selected from the plurality of key management components based on considerations of cost, security, and performance in protecting the key material.
  - 6. The method of claim 1, wherein at least one of the key management components enables the digital rights management system to perform a method comprising:
    - generating a public-private key pair for use in connection with performing a cryptographic operation, wherein the public-private key pair includes a private key;
      
      storing the private key on a front-end server; and
      
      performing the cryptographic operation on the front-end server, using the private key.
  - 7. The method of claim 1, wherein at least one of the key management components enables the digital rights management system to perform a method comprising:
    - generating a public-private key pair for use in connection with performing a cryptographic operation, wherein the public-private key pair includes a private key;
      
      storing the private key on a back-end server that is coupled to a front-end server via a local communications network; and
      
      performing the cryptographic operation on the back-end server, using the private key, in response to a request from the front-end server to perform the cryptographic operation.
  - 8. The method of claim 1, wherein at least one of the key management components enables the digital rights management system to perform a method comprising:
    - generating, on a front-end server that is accessible via a global communications network, a certificate signing public-private key pair for use in connection with signing a certificate, wherein the certificate signing public-private key pair includes a certificate signing public key and a certificate signing private key;
      
      generating a content protection public-private key pair for use in connection with encrypting or decrypting a piece of digital content, wherein the content protection public-private key pair includes a content protection public key and a content protection private key;
      
      storing the content protection private key on a back-end server that is coupled to the front-end server via a local communications network; and
      
      providing to a client application, a certificate chain that includes the certificate signing public key and the content protection public key.
  - 9. The method of claim 1, wherein at least one of the key management components enables the digital rights management system to perform a method comprising:
    - generating a root public-private key pair that includes a root private key and a root public key;
      
      issuing a root licensor certificate that contains the root public key;
      
      periodically generating a current rolling public-private key pair that includes a current rolling public key and a current rolling private key; and
      
      receiving a request from a client application to perform a digital rights management operation; and
      
      performing the digital rights management operation using the current rolling public-private key pair.

10. A method for providing secure key operations, the method comprising:
- providing a plurality of key management plug-in components for use in a digital rights management system, wherein each of the key management plug-in components enables the digital rights management system to perform a respective method for managing key material;
  
  selecting a selected key management plug-in from the plurality of key management plug-ins; and
  
  integrating the selected key management plug-in into the digital rights management system.

11. A method for providing secure server key operations in a system comprising a front-end server that is accessible via a global communications network and a back-end server that is coupled to the front-end server via a local communications network, the method comprising:
- generating a public-private key pair for use in connection with performing a cryptographic operation, wherein the public-private key pair includes a private key;
  
  storing the private key on the back-end server; and
  
  performing the cryptographic operation on the back-end server, using the private key, in response to a request from the front-end server to perform the cryptographic operation.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the back-end server includes a database server that contains a database, and wherein:
    - storing the private key comprises storing the private key in the database.
  - 13. The method of claim 12, wherein performing the cryptographic operation comprises performing the cryptographic operation on the database server.
  - 14. The method of claim 13, wherein performing the cryptographic operation comprises calling, from the front-end server, a stored procedure that causes the cryptographic operation to be performed on the database server.
  - 15. The method of claim 12, wherein the back-end server includes a crypto server that is communicatively coupled to the database server and to the front-end server, and wherein:
    - performing the cryptographic operation comprises initiating, from the crypto server, a stored procedure that causes the cryptographic operation to be performed on the database server.
  - 16. The method of claim 15, wherein performing the cryptographic operation comprises passing, from the front-end server to the crypto server, a request that causes the crypto server to initiate the stored procedure.
  - 17. The method of claim 15, wherein performing the cryptographic operation comprises passing the private key from the database server to the crypto server.
  - 18. The method of claim 11, wherein performing the cryptographic operation comprises signing data.
  - 19. The method of claim 11, wherein performing the cryptographic operation comprises encrypting data.
  - 20. The method of claim 11, wherein performing the cryptographic operation comprises decrypting encrypted data.

21. A system for providing secure server key operations for rights management of digital content, the system comprising:
- a front-end server that is accessible via a global communications network; and
  
  a back-end server that is coupled to the front-end server via a local communications network, wherein a public-private key pair is generated for use in connection with performing a cryptographic operation, the public-private key pair including a private key, and wherein the private key is stored on the back-end server and used on the back-end server to perform the cryptographic operation in response to a request from the front-end server to perform the cryptographic operation.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The system of claim 21, wherein the back-end server includes a database server that contains a database in which the private key is stored.
  - 23. The system of claim 22, wherein the cryptographic operation is performed on the database server.
  - 24. The system of claim 23, wherein the front-end server is adapted to call a stored procedure that causes the cryptographic operation to be performed on the database server.
  - 25. The system of claim 22, wherein the back-end server includes a crypto server that is communicatively coupled to the database server and to the front-end server, and wherein the crypto server is adapted to initiate a stored procedure that causes the cryptographic operation to be performed on the database server.
  - 26. The system of claim 25, wherein the front-end server is adapted to pass to the crypto server, a request that causes the crypto server to initiate the stored procedure.
  - 27. The system of claim 25, wherein the crypto server retrieves the private key from the database server.
  - 28. The system of claim 21, wherein the cryptographic operation comprises signing data.
  - 29. The method of claim 21, wherein the cryptographic operation comprises encrypting data.
  - 30. The method of claim 21, wherein the cryptographic operation comprises decrypting encrypted data.

31. A method for providing secure server key operations in a system comprising a front-end server that is accessible via a global communications network and a back-end server that is coupled to the front-end server via a local communications network, the method comprising:
- generating, on the front-end server, a certificate signing public-private key pair for use in connection with signing a certificate, wherein the certificate signing public-private key pair includes a certificate signing public key and a certificate signing private key;
  
  generating a content protection public-private key pair for use in connection with encrypting or decrypting a piece of digital content, wherein the content protection public-private key pair includes a content protection public key and a content protection private key;
  
  storing the content protection private key on the back-end server; and
  
  providing to a client application, a certificate chain that includes the certificate signing public key and the content protection public key.
- View Dependent Claims (32, 33, 34, 35, 36, 37)
- - 32. The method of claim 31, further comprising:
    - signing a certificate using the certificate signing private key; and
      
      providing the signed certificate to the client application.
  - 33. The method of claim 31, further comprising:
    - receiving a request for a signing licensor certificate; and
      
      providing, in response to the request, a licensor certificate signed using certificate signing private key.
  - 34. The method of claim 31, wherein the certificate chain enables the client application to encrypt the piece of digital content to the content protection public key.
  - 35. The method of claim 31, wherein the certificate chain enables the client application to decrypt an encrypted piece of digital content that has been encrypted to the content protection public key.
  - 36. The method of claim 31, wherein the certificate chain enables the client application to encrypt a content protection symmetric key to the content protection public key.
  - 37. The method of claim 31, wherein the certificate chain enables the client application to decrypt an encrypted content protection symmetric key that has been encrypted to the content protection public key.

38. A method for providing secure server key operations in a system comprising a front-end server that is accessible via a global communications network and a back-end server that is coupled to the front-end server via a local communications network, the method comprising:
- generating a content protection public-private key pair for use in connection with encrypting or decrypting a content symmetric key used to protect a piece of digital content, wherein the content protection public-private key pair includes a content protection public key and a content protection private key;
  
  storing the content protection private key on the back-end server;
  
  generating, on the front-end server, a certificate signing public-private key pair, wherein the certificate signing public-private key pair includes a certificate signing public key and a certificate signing private key; and
  
  publishing the content protection public key via a root licensor certificate that is signed using the certificate signing private key.
- View Dependent Claims (39, 40, 41)
- - 39. The method of claim 38, wherein the root licensor certificate is signed by a trusted entity.
  - 40. The method of claim 38, further comprising:
    - publishing the certificate signing public key via a signing licensor certificate.
  - 41. The method of claim 38, wherein the signing licensor certificate is signed, on the back-end server, using a digital signature that is based on the content protection private key.

42. A method for providing secure server key operations in a digital rights management system, the method comprising:
- generating a root public-private key pair that includes a root private key and a root public key;
  
  issuing a root licensor certificate that contains the root public key;
  
  periodically generating a current rolling public-private key pair that includes a current rolling public key and a current rolling private key;
  
  receiving a request from a client application to perform a digital rights management operation; and
  
  performing the digital rights management operation using the current rolling public-private key pair.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 43. The method of claim 42, wherein the current rolling public-private key is generated on a back-end server that is coupled via a local communications network to a front-end server that is accessible via a global communications network.
  - 44. The method of claim 42, wherein the request to perform the digital rights management operation is a request for a signed rights label, and wherein performing the digital rights management operation comprises signing a rights label using the current rolling private key, wherein the rights label includes rights data that represents a set of parameters for licensing a piece of digital content and, for each of one or more authorized users, a respective set of one or more rights that the authorized user has in the digital content.
  - 45. The method of claim 44, wherein the received rights label includes an encrypted content key that was encrypted to the current rolling public key.
  - 46. The method of claim 44, further comprising:
    - providing the signed rights label to a client application.
  - 47. The method of claim 42, wherein the request to perform the digital rights management operation is a request for a licensor certificate, and wherein performing the digital rights management operation comprises providing to a client application a current licensor certificate enables the client application to encrypt a content key to the current rolling public key, wherein the content key is used to encrypt or decrypt a piece of digital content.
  - 48. The method of claim 42, wherein the request to perform the digital rights management operation is a request for a license to use a piece of digital content, and wherein performing the digital rights management operation comprises using the current rolling private key to determine whether to issue a license to use to piece of digital content.
  - 49. The method of claim 48, further comprising:
    - issuing a license to use the piece of digital content.
  - 50. The method of claim 49, further comprising:
    - re-encrypting a content key to a user-supplied persona key that ties the piece of digital content to a user requesting the license.
  - 51. The method of claim 42, further comprising:
    - storing the rolling private key in a cache on the front-end server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Yarmolenko, Vladimir, Cottrille, Scott C., Krishnaswamy, Vinay, Kostal, Gregory, Narin, Attila

Granted Patent

US 7,174,021 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

H04L 2463/101   applying security measures ...

H04L 63/0428   wherein the data content is...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

Systems and methods for providing secure server key operations

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for providing secure server key operations

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links