SYSTEM AND METHOD FOR DECENTRALIZED MANAGEMENT OF KEYS AND POLICIES

US 20140289525A1
Filed: 08/28/2009
Published: 09/25/2014
Est. Priority Date: 08/28/2009
Status: Active Grant

First Claim

Patent Images

1-45. -45. (canceled)

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of a system and method for decentralized management of keys and policies are described. Various embodiments may include a computer system configured to receive a request from a remote computer system associated with a recipient of content. Such request may include an encrypted content encryption key that is encrypted with a packaging key utilized by a packaging entity. The request may also include an identifier identifying the packaging entity. In some embodiments, the request may also include policy information specifying one or more usage rights of the content. The computer system may be configured to, in response to determining the recipient is authorized to access the content, generate the packaging key based on the identifier and a secret root seed, utilize the generated packaging key to decrypt the encrypted content encryption key, and provide the decrypted content encryption key to the remote computer system.

Citations

87 Claims

1-45. -45. (canceled)

46. A computer-implemented method, comprising:
- receiving, by a licensing system, an encrypted content encryption key from a remote computer system and a packaging entity identifier, wherein the packaging entity identifier identifies a packaging entity providing encrypted content to a content recipient associated with the remote computer system, wherein the encrypted content encryption key is encrypted by the packaging entity using a packaging key;
  
  generating, by the licensing system, the packaging key based on the packaging entity identifier and a secret root seed, wherein the secret root seed is inaccessible to the remote computer system and the packaging entity;
  
  decrypting, by the licensing system, the encrypted content encryption key with the generated packaging key to generate a decrypted content encryption key; and
  
  providing, by the licensing system, the decrypted content encryption key to the remote computer system for decrypting the encrypted content.
- View Dependent Claims (47, 48, 49, 50, 51, 52, 53, 54, 55, 56)
- - 47. The method of claim 46, further comprising:
    - accessing a policy provided by the packaging entity and included in a request received from the remote computer system to decrypt the encrypted content encryption key, wherein the policy is signed by the packaging entity with a digital signature;
      
      verifying, based on the digital signature, an absence of tampering with the policy as provided by the packaging entity; and
      
      determining that the content recipient is authorized to access the encrypted content using the policy.
  - 48. The method of claim 46, further comprising:
    - receiving a policy from the remote computer system specifying at least one usage right;
      
      generating a content license restricting use of the encrypted content based on the at least one usage right, wherein the at least one usage right comprises at least one of restricting use of the encrypted content to a specified time period and restricting actions that can be performed with respect to the encrypted content; and
      
      providing the content license to the remote computer system.
  - 49. The method of claim 46, further comprising:
    - receiving a policy from the remote computer system specifying at least one first usage right;
      
      obtaining a policy update from the packaging entity, wherein the policy update replaces the at least one first usage right with at least one second usage right;
      
      modifying the policy using the policy update to reflect the at least one second usage right;
      
      generating a content license restricting use of the encrypted content based on the at least one second usage right specified by the policy as modified; and
      
      providing the content license to the remote computer system.
  - 50. The method of claim 46, wherein providing the encrypted content encryption key to the remote computer system comprises:
    - encrypting a message including the encrypted content encryption key as decrypted by the packaging key, the message encrypted with an encryption key that corresponds to a decryption key accessible to the remote computer system; and
      
      providing the encrypted message to the remote computer system.
  - 51. The method of claim 46, wherein the method further comprises authenticating the content recipient.
  - 52. The method of claim 46, further comprising:
    - assigning, by the licensing system, the packaging entity identifier to the packaging entity;
      
      generating, by the licensing system, the packaging key based on the secret root seed and the packaging entity identifier, wherein the secret root seed is unknown to the packaging entity; and
      
      providing, by the licensing system, the packaging entity identifier and the packaging key to the packaging entity.
  - 53. The method of claim 52, further comprising:
    - assigning, by the licensing system, an additional packaging entity identifier that is different from the packaging entity identifier to an additional packaging entity different from the packaging entity;
      
      generating, by the licensing system, an additional packaging key that is different from the packaging key based on the secret root seed and the additional packaging entity identifier;
      
      providing, by the licensing system, the additional packaging entity identifier and the additional packaging key to the additional packaging entity.
  - 54. The method of claim 52, wherein the packaging entity identifier and the packaging key are provided to the packaging entity prior to receiving a request from the remote computer system to decrypt the encrypted content encryption key.
  - 55. The method of claim 52, wherein the packaging entity identifier and the packaging key are provided to the packaging entity via secure communication using a one- time network connection.
  - 56. The method of claim 52, further comprising deleting, by the licensing system, the packaging key from a memory of the licensing system after providing the packaging entity identifier and the packaging key to the packaging entity, wherein the packaging key is regenerated by the licensing system after receiving a request from the remote computer system to decrypt the encrypted content encryption key.

57. A licensing system comprising:
- a memory; and
  
  at least one processor coupled to the memory, wherein the at least one processor is configured to execute program instructions stored in the memory, wherein the program instructions are configured for;
  
  receiving an encrypted content encryption key from a remote computer system and a packaging entity identifier, wherein the packaging entity identifier identifies a packaging entity providing encrypted content to a content recipient associated with the remote computer system, wherein the encrypted content encryption key is encrypted by the packaging entity using a packaging key,generating the packaging key based on the packaging entity identifier and a secret root seed, wherein the secret root seed is inaccessible to the remote computer system and the packaging entity,decrypting the encrypted content encryption key with the generated packaging key to generate a decrypted content encryption key, andproviding the decrypted content encryption key to the remote computer system for decrypting the encrypted content.
- View Dependent Claims (58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72)
- - 58. The licensing system of claim 57, wherein the decrypted content encryption key is a symmetric key for decrypting the encrypted content.
  - 59. The licensing system of claim 57, wherein the program instructions are further configured for:
    - accessing a policy provided by the packaging entity and included in a request received from the remote computer system to decrypt the encrypted content encryption key, wherein the policy is signed by the packaging entity with a digital signature;
      
      verifying, based on the digital signature, an absence of tampering with the policy as provided by the packaging entity; and
      
      determining that the content recipient is authorized to access the encrypted content using the policy.
  - 60. The licensing system of claim 57, wherein the program instructions are further configured for:
    - receiving a policy from the remote computer system specifying at least one usage right;
      
      generating a content license restricting use of the encrypted content based on the at least one usage right, wherein the at least one usage right comprises at least one of restricting use of the encrypted content to a specified time period and restricting actions that can be performed with respect to the encrypted content; and
      
      providing the content license to the remote computer system.
  - 61. The licensing system of claim 57, wherein the program instructions are further configured for:
    - receiving a policy from the remote computer system specifying at least one first usage right;
      
      obtaining a policy update from the packaging entity, wherein the policy update replaces the at least one first usage right with at least one second usage right;
      
      modifying the policy using the policy update to reflect the at least one second usage right;
      
      generating a content license restricting use of the encrypted content based on the at least one second usage right specified by the policy as modified; and
      
      providing the content license to the remote computer system.
  - 62. The licensing system of claim 57, wherein generating the packaging key comprises performing a cryptographic hash function on the packaging entity identifier and the secret root seed to generate a result, wherein the generated packaging key is the result of the cryptographic hash function.
  - 63. The licensing system of claim 57, wherein utilizing the generated packaging key to decrypt the encrypted content encryption key comprises utilizing the generated packaging key as a symmetric key to decrypt the encrypted content encryption key according to a symmetric decryption process.
  - 64. The licensing system of claim 57, wherein providing the encrypted content encryption key to the remote computer system comprises:
    - encrypting a message including the encrypted content encryption key as decrypted by the packaging key, the message encrypted with an encryption key that corresponds to a decryption key accessible to the remote computer system; and
      
      providing the encrypted message to the remote computer system.
  - 65. The licensing system of claim 57, wherein the encrypted content is an encrypted electronic mail message.
  - 66. The licensing system of claim 57, wherein the program instructions are further configured for authenticating the content recipient.
  - 67. The licensing system of claim 57, wherein the program instructions are further configured for:
    - assigning the packaging entity identifier to the packaging entity;
      
      generating, by the licensing system, the packaging key based on the secret root seed and the packaging entity identifier, wherein the secret root seed is unknown to the packaging entity; and
      
      providing, by the licensing system, the packaging entity identifier and the packaging key to the packaging entity.
  - 68. The licensing system of claim 67, wherein the program instructions are further configured for:
    - assigning an additional packaging entity identifier that is different from the packaging entity identifier to an additional packaging entity different from the packaging entity;
      
      generating, by the licensing system, an additional packaging key that is different from the packaging key based on the secret root seed and the additional packaging entity identifier;
      
      providing, by the licensing system, the additional packaging entity identifier and the additional packaging key to the additional packaging entity.
  - 69. The licensing system of claim 67, wherein the packaging entity identifier and the packaging key are provided to the packaging entity prior to receiving a request from the remote computer system to decrypt the encrypted content encryption key.
  - 70. The licensing system of claim 67, wherein the packaging entity identifier and the packaging key are provided to the packaging entity via secure communication using a one-time network connection.
  - 71. The licensing system of claim 67, wherein the program instructions are further configured for deleting the packaging key from the memory of the licensing system after providing the packaging entity identifier and the packaging key to the packaging entity, wherein the packaging key is regenerated by the licensing system after receiving a request from the remote computer system to decrypt the encrypted content encryption key.
  - 72. The licensing system of claim 67, wherein the licensing system comprises a trusted group of licensing servers, wherein the secret root seed is accessible to each licensing server of the trusted group of licensing servers, wherein the trusted group includes a licensing server having the memory and the at least one processor in a first geographic area and an additional licensing server having an additional memory and at least one additional processor in a second geographic area, wherein the at least one additional processor is configured to execute program instructions stored in the additional memory, wherein the program instructions are further configured for:
    - receiving the encrypted content encryption key,generating the packaging key based on the packaging entity identifier and the secret root seed accessible to the licensing server and the additional licensing server;
      
      decrypting the encrypted content encryption key with the generated packaging key to generate the decrypted content encryption key; and
      
      providing the decrypted content encryption key to the remote computer system for decrypting the encrypted content.

73. A non-transitory computer-readable medium storing program instructions computer-executable on a computer system, the program instructions comprising:
- program instructions for receiving an encrypted content encryption key from a remote computer system and a packaging entity identifier, wherein the packaging entity identifier identifies a packaging entity providing encrypted content to a content recipient associated with the remote computer system, wherein the encrypted content encryption key is encrypted by the packaging entity using a packaging key;
  
  program instructions for receiving generating the packaging key based on the packaging entity identifier and a secret root seed, wherein the secret root seed is inaccessible to the remote computer system and the packaging entity;
  
  program instructions for receiving decrypting the encrypted content encryption key with the generated packaging key to generate a decrypted content encryption key; and
  
  program instructions for receiving providing the decrypted content encryption key to the remote computer system for decrypting the encrypted content.
- View Dependent Claims (74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87)
- - 74. The non-transitory computer-readable medium of claim 73, wherein the decrypted content encryption key is a symmetric key for decrypting the encrypted content.
  - 75. The non-transitory computer-readable medium of claim 73, further comprising:
    - program instructions accessing a policy provided by the packaging entity and included in a request received from the remote computer system to decrypt the encrypted content encryption key, wherein the policy is signed by the packaging entity with a digital signature;
      
      program instructions for verifying, based on the digital signature, an absence of tampering with the policy as provided by the packaging entity; and
      
      program instructions for determining that the content recipient is authorized to access the encrypted content using the policy.
  - 76. The non-transitory computer-readable medium of claim 73, further comprising:
    - program instructions for receiving a policy from the remote computer system specifying at least one usage right;
      
      program instructions for generating a content license restricting use of the encrypted content based on the at least one usage right, wherein the at least one usage right comprises at least one of restricting use of the encrypted content to a specified time period and restricting actions that can be performed with respect to the encrypted content; and
      
      program instructions for providing the content license to the remote computer system.
  - 77. The non-transitory computer-readable medium of claim 73, further comprising:
    - program instructions for receiving a policy from the remote computer system specifying at least one first usage right;
      
      program instructions for obtaining a policy update from the packaging entity, wherein the policy update replaces the at least one first usage right with at least one second usage right;
      
      program instructions for modifying the policy using the policy update to reflect the at least one second usage right;
      
      program instructions for generating a content license restricting use of the encrypted content based on the at least one second usage right specified by the policy as modified; and
      
      program instructions for providing the content license to the remote computer system.
  - 78. The non-transitory computer-readable medium of claim 73, wherein generating the packaging key comprises performing a cryptographic hash function on the packaging entity identifier and the secret root seed to generate a result, wherein the generated packaging key is the result of the cryptographic hash function.
  - 79. The non-transitory computer-readable medium of claim 73, wherein utilizing the generated packaging key to decrypt the encrypted content encryption key comprises utilizing the generated packaging key as a symmetric key to decrypt the encrypted content encryption key according to a symmetric decryption process.
  - 80. The non-transitory computer-readable medium of claim 73, wherein providing the encrypted content encryption key to the remote computer system comprises:
    - encrypting a message including the encrypted content encryption key as decrypted by the packaging key, the message encrypted with an encryption key that corresponds to a decryption key accessible to the remote computer system; and
      
      providing the encrypted message to the remote computer system.
  - 81. The non-transitory computer-readable medium of claim 73, wherein the encrypted content is an encrypted electronic mail message.
  - 82. The non-transitory computer-readable medium of claim 73, further comprising program instructions for authenticating the content recipient.
  - 83. The non-transitory computer-readable medium of claim 73, further comprising:
    - program instructions for assigning the packaging entity identifier to the packaging entity;
      
      program instructions for generating the packaging key based on the secret root seed and the packaging entity identifier, wherein the secret root seed is unknown to the packaging entity; and
      
      program instructions for providing the packaging entity identifier and the packaging key to the packaging entity.
  - 84. The non-transitory computer-readable medium of claim 73, further comprising:
    - program instructions for assigning an additional packaging entity identifier that is different from the packaging entity identifier to an additional packaging entity different from the packaging entity;
      
      program instructions for generating an additional packaging key that is different from the packaging key based on the secret root seed and the additional packaging entity identifier;
      
      program instructions for providing the additional packaging entity identifier and the additional packaging key to the additional packaging entity.
  - 85. The non-transitory computer-readable medium of claim 73, wherein the packaging entity identifier and the packaging key are provided to the packaging entity prior to receiving a request from the remote computer system to decrypt the encrypted content encryption key.
  - 86. The non-transitory computer-readable medium of claim 73, wherein the packaging entity identifier and the packaging key are provided to the packaging entity via secure communication using a one-time network connection.
  - 87. The non-transitory computer-readable medium of claim 86, further comprising program instructions for deleting the packaging key from a memory after providing the packaging entity identifier and the packaging key to the packaging entity, wherein the packaging key is regenerated by the licensing server after receiving a request from the remote computer system to decrypt the encrypted content encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Adobe Inc.
Original Assignee
Adobe Systems Incorporated (Adobe Inc.)
Inventors
Agrawal, Sunil C., Nadell, Katherine K.

Granted Patent

US 8,831,228 B1
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 2209/603   Digital right managament [DRM]

H04L 9/0822   using key encryption key

H04L 9/0866   involving user or device id...

H04L 9/0869   involving random numbers or...

SYSTEM AND METHOD FOR DECENTRALIZED MANAGEMENT OF KEYS AND POLICIES

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

87 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR DECENTRALIZED MANAGEMENT OF KEYS AND POLICIES

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

87 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links