ATTESTED CONTENT PROTECTION

US 20090327705A1
Filed: 06/27/2008
Published: 12/31/2009
Est. Priority Date: 06/27/2008
Status: Active Grant

First Claim

Patent Images

1. At a computer system including an operating system and one or more applications, a method for protecting content, the method comprising:

an act of establishing a protection policy to protect content, the protection policy manageable by a rights management system that includes a separate rights management server, the protection policy including;

a list of users that are authorized to access the content and computing environments that are permitted to access the content;

an act of determining that a user is attempting to access the protected content through an application at the computer system;

prior to allowing the application to access the protected content;

an act of the computer system exchanging information with the rights management server about the identity of the user so as to validate that the user is authorized to access the content; and

an act of the operating system attesting to a set of information indicating a computing environment that is permitted to access the content; and

an act of the computer system allowing the application to access to protected content in response to the operating system attesting to a computing environment that is permit to access the content and validating that the user is authorized to access the content.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention extends to methods, systems, and computer program products for protecting content. Embodiments of the invention permit a local machine increased participation in authorizing access to protected content. An operating system attests to a computing environment at a corresponding computer system. If the computing environment is one permitted to access protected content, the operating system is permitted to regulate further (e.g., application) access to protected content in accordance with a procreation policy. As such, authorization decisions are partially distributed, easing the resource burden on a content protection server. Accordingly, embodiments of the invention can facilitate more robust and efficient authorization decisions when access to protected content is requested.

42 Citations

View as Search Results

20 Claims

1. At a computer system including an operating system and one or more applications, a method for protecting content, the method comprising:
- an act of establishing a protection policy to protect content, the protection policy manageable by a rights management system that includes a separate rights management server, the protection policy including;
  
  a list of users that are authorized to access the content and computing environments that are permitted to access the content;
  
  an act of determining that a user is attempting to access the protected content through an application at the computer system;
  
  prior to allowing the application to access the protected content;
  
  an act of the computer system exchanging information with the rights management server about the identity of the user so as to validate that the user is authorized to access the content; and
  
  an act of the operating system attesting to a set of information indicating a computing environment that is permitted to access the content; and
  
  an act of the computer system allowing the application to access to protected content in response to the operating system attesting to a computing environment that is permit to access the content and validating that the user is authorized to access the content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as recited in claim 1, wherein the act of the computer system exchanging information with the rights management server further comprises:
    - sending user authentication information for the user to the rights management server; and
      
      obtaining a user key corresponding to the user authentication information for accessing the protected content;
      
      wherein the act of computer system allowing the application to access the protected content further comprises allowing the application to use the user key to access the protected content.
  - 3. The method as recited in claim 1, wherein the act of the operating system attesting to a set of information indicating a computing environment that is permitted to access the content comprises an act of the computer system using a system health agent to collect data about the state of the computer system.
  - 4. The method as recited in claim 3, wherein the act of the operating system attesting to a set of information indicating a computing environment that is permitted to access the content comprises an act of the rights management server using a system health validator to validate the collected data.
  - 5. The method as recited in claim 1, wherein the act of the operating system attesting to a set of information indicating a computing environment that is permitted to access the content comprises an act of the operating system attesting to one or more of a listing of software loaded in the boot path of the computer system, the network location of the computer system, the code integrity policy of the operating system of the computer system, the boot options of the operating system, the kernel mode of the computer system, or some combination of the above.
  - 6. The method as recited in claim 1, wherein the act of determining that a user is attempting to access protected content through an application comprises an act of detecting that a user is attempting to access protected content protected in accordance with the established protection policy.
  - 7. The method as recited in claim 1, wherein the act of establishing a protection policy comprises an act of establishing a protection policy that includes:
    - a set of use restrictions that restrict what operations an authorized user is permitted to perform with respect to the protected content; and
      
      further comprising the act of the computer system regulating the user'"'"'s access to the protected content such that the user is permitted to perform operations that are permitted by the set of use restrictions and prevented from performing operations that are not permitted by the set of use restrictions.
  - 8. The method as recited in claim 1, wherein the protection policy is specified by a business owner of a business that originated the protected content.

9. At a computer system including an operating system and one or more applications, a method for protecting content, the method comprising:
- an act of establishing a protection policy to protect content, the protection policy including;
  
  a list of users that are authorized to access the content, operations that authorized users are permitted to perform with respect to the protected content, and computing environments that are permitted to access the content;
  
  an act of determining that a user is attempting to access protected content through an application at the computer system;
  
  an act of sending user identity information for the user to a rights management server;
  
  an act of the operating system attesting to a set of information indicating a computing environment at the computer system to the rights management server;
  
  an act of receiving a user key from the content protection server, the user key usable by the user to access the protected content, the user key being returned to the computer system from the rights management server in response to the rights management server authenticating the user and determining that the attested computing environment is permitted to access the content;
  
  an act of the operating system of the computer system permitting the application to use the user key to access the protected content; and
  
  an act of the application controlling the user'"'"'s access to the protected content in accordance with operations that the users is permitted to perform as indicated in the protection policy.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method as recited in claim 9, wherein the act of attesting to a set of information indicating a computing environment at the computer system comprises an act of using a system health agent to collect state data about the state of the computing environment of the computing system.
  - 11. The method as recited in claim 10, wherein the act of receiving a user key from the content protections server comprises an act of receiving a user key in response to the content protection server using a system health validator to validate the collected state data.
  - 12. The method as recited in claim 9, wherein the act of the operating system attesting to a set of information indicating a computing environment comprises an act of attesting to one or more of a listing of software loaded during the boot process, the network location of the computer system, the code integrity policy of the operating system, the boot options of the operating system, and the kernel mode settings of the computer system.
  - 13. The method as recited in claim 10, wherein the act establishing a protection policy to protect content comprises an act of a business owner of the protected content establishing the protection policy.

14. A computer system, the computer system comprising:
- one or more processors;
  
  system memory; and
  
  one or more physical storage media having stored thereon computer-executable instructions that, when executed by one of the processors, cause the computer system to regulate access to protected content, including the following;
  
  establish a protection policy for protecting content, the protection policy manageable by a rights management system that includes a separate rights management server, the protection policy including list of users that are authorized to access the content and computing environments that are permitted to access the content;
  
  determine that a user is attempting to access protected content through an application at the computer system;
  
  send user identity information to a rights management server;
  
  attest to information about the computing environment of the computer system to the rights management server;
  
  receive a user key from the rights management server, reception of the user key indicative of;
  
  the rights management server having authenticated the user; and
  
  the rights management server determining that the attested information portrayed a computing environment that is permitted to access the content such that the operating system is trusted to regulate the user'"'"'s access to the protected content in accordance with the protection policy.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system as recited in claim 14, wherein computer-executable instructions that, when executed, cause the computer system to attest to information about the computing environment of the computer system comprise computer-executable instructions that, when executed, cause the computer system touse a system health agent to collect state data about the state of the computer system;
    - andattest to the collected state data to the rights management server.
  - 16. The system as recited in claim 15, wherein the rights management server uses a system health validator to validate data collected by the system health agent of the computer system.
  - 17. The system as recited in claim 14, wherein computer-executable instructions that, when executed, cause the computer system to attest to information about the computing environment of the computer system comprise computer-executable instructions that, when executed, cause the computer system to attest to one or more of the following:
    - a listing of software loaded during the boot process, the network location of the computer system, the code integrity policy of the operating system, the boot options of the operating system, and the kernel mode settings of the computer system.
  - 18. The system as recited in claim 14, wherein computer-executable instructions that, when executed, cause the computer system to establish a protection policy for protecting content comprise computer-executable instructions that, when executed, cause the computer system to establish a protection policy, including a set of use restrictions that restrict what operations an authorized user is permitted to perform with respect to the protected content.
  - 19. The system as recited in claim 18, further computer-executable instructions that, when executed, cause:
    - the operating system to permit the application to use the user key to access the protected content; and
      
      the application to control the user'"'"'s access to the protected content in accordance with operations that the user is permitted to perform as indicated in the protection policy.
  - 20. The system as recited in claim 14, wherein computer-executable instructions that, when executed, cause the computer system to establish a protection policy for protecting content comprise computer-executable instructions that, when executed, cause the computer system to establish a protection policy at the direction of a business owner of the protected content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Way (Microsoft Corporation)
Inventors
Wooten, David R., Ray, Kenneth D., Lewis, Nathan T., Setzer, Matthew C.

Granted Patent

US 8,387,152 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

G06F 21/10 Protecting distributed prog...

G06F 21/57 Certifying or maintaining t...

ATTESTED CONTENT PROTECTION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ATTESTED CONTENT PROTECTION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links