System and method for controlling access rights to and security of digital content in a distributed information system, e.g., Internet
Abstract
A system and method for limiting access to and preventing unauthorized use of an owner's digital content stored in an information network and available to clients under authorized conditions. The network includes at least one server coupled to a storage device for storing the limited-access digital content, encrypted using a randomly generated key known as a Document Encryption Key (DEK). The DEK is further encrypted with the server's public key, using a public/private key pair algorithm, and placed in a digital container stored in the storage device as part of the meta-information carried in the container. The client's workstation is coupled to the server for acquiring the limited-access digital content under the authorized conditions. A Trusted Information Handler (TIH) is validated by the server after the handler applies a digital signature, and identifies the signing algorithm, to transaction data describing the purchase agreement between the client and the owner. After the handler has been authenticated, the server decrypts the encrypted DEK with its private key and re-encrypts the DEK with the handler's public key, ensuring that only the information handler can process the information. The encrypted DEK is further encrypted with the client's public key, personalizing the digital content to the client. The client's program decrypts the DEK with its private key and passes it along with the encrypted content to the handler, which decrypts the DEK with its private key and proceeds to decrypt the content for display to the client.
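The DEK release step described in the abstract (the server checks that the TIH is known, verifies the TIH's signature over the transaction data, decrypts the DEK and re-encrypts it under the TIH public key and then the client public key), as an added Go example that is not part of the patent or of any IBM cryptolope implementation. RSA-OAEP for key wrapping, RSA-PSS for the TIH signature, an allow-list of TIH public keys in place of the certificate validation, and a 3072-bit client key are assumptions of this example.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// GenKey makes one party's RSA key pair. The client key must be at least 3072 bits:
// it wraps a 256-byte TIH-encrypted DEK, and OAEP capacity is modulus minus 66 bytes.
func GenKey(bits int) *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return k
}
// Wrap and Unwrap apply RSA-OAEP(SHA-256) to a key blob under one party's key.
func Wrap(pub *rsa.PublicKey, blob []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, blob, nil)
}
func Unwrap(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, blob, nil)
}
// SignTransaction is the TIH's RSA-PSS signature over the client's transaction data.
func SignTransaction(tih *rsa.PrivateKey, tx []byte) ([]byte, error) {
	h := sha256.Sum256(tx)
	return rsa.SignPSS(rand.Reader, tih, crypto.SHA256, h[:], nil)
}
// ServerRelease confirms the TIH is known (allow-list in place of the certificate check),
// verifies its signature over tx, decrypts the DEK and re-wraps it: TIH key, then client key.
func ServerRelease(server *rsa.PrivateKey, knownTIH []*rsa.PublicKey,
	serverEncDEK, tx, sig []byte, tihPub, clientPub *rsa.PublicKey) ([]byte, error) {
	known := false
	for _, k := range knownTIH {
		known = known || k.Equal(tihPub)
	}
	h := sha256.Sum256(tx)
	if !known || rsa.VerifyPSS(tihPub, crypto.SHA256, h[:], sig, nil) != nil {
		return nil, errors.New("TIH unknown or transaction signature invalid")
	}
	dek, err := Unwrap(server, serverEncDEK)
	if err == nil {
		dek, err = Wrap(tihPub, dek) // inner layer: only the TIH can remove it
	}
	if err != nil {
		return nil, err
	}
	return Wrap(clientPub, dek) // outer layer: only the client can remove it
}
```

The client removes the outer layer with its private key and forwards the result to the TIH, which removes the inner layer; a tampered transaction or a signature from a TIH key not on the allow-list is rejected before any DEK is released.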
26 Claims
1. In a distributed information system, apparatus for limiting access to an owner's digital content, comprising:
a) means for storing the owner's content in a document within a digital container and encrypting the document in a Document Encryption Key (DEK);
b) a secure server coupled to the system and having access to the stored container for encrypting the DEK and transferring the encrypted document in the digital container to a client on request;
c) a client station coupled to the secure server through the system for receiving the digital container and generating transaction data for acquiring the encrypted document in response to the client;
d) a Trusted Information Handler (TIH) coupled to the client station;
e) TIH means for receiving the transaction data and returning to the client station a digital signature, signing algorithm, a TIH authenticating certificate and a TIH public key for return to the client means and transfer in the digital container to the server means together with the encrypted DEK and a client public key;
f) server means for decrypting the DEK, re-encrypting the DEK in the client public key and the TIH public key and transferring the double encrypted DEK to the client station; and
g) means for transferring the TIH encrypted DEK to the TIH for decryption and return of the decrypted document to the client station.
Dependent claims: 2, 3, 4, 5, 6

7. In a distributed information system, apparatus for limiting access to an owner's digital content encrypted in a cryptolope container using a Document Encryption Key (DEK), comprising:
a) means for storing the owner's content in a document within a digital container in the system and encrypting the document in a Document Encryption Key (DEK);
b) a cryptolope server coupled to the system and having access to the stored container;
c) means in the cryptolope server for encrypting the DEK using a public/private key pair and incorporating the encrypted DEK into the container;
d) a client station coupled to the server through the system and a Trusted Information Handler (TIH);
e) client station means for (i) acquiring the container from the server in a transaction for purposes of purchase by a purchaser; (ii) creating data descriptive of the transaction; and (iii) presenting the data to the TIH;
f) TIH means for returning to the client station means a digital signature, signing algorithm, a TIH authenticating certificate and a TIH public key for return thereof by the client station means to the server means together with the encrypted DEK and a client public key;
g) cryptolope server means for processing the transaction by (i) confirming the transaction and that the TIH is known; (ii) validating the TIH; and (iii) confirming the digital signature was produced by the TIH;
h) cryptolope server means for decrypting the server encrypted DEK and doubly encrypting the DEK using the TIH public key followed by the client public key;
i) client means for (i) decrypting the DEK using the client private key and (ii) transmitting the encrypted digital content and encrypted DEK to the TIH; and
j) TIH means for (i) decryption of the digital content after decryption of the encrypted DEK using the TIH private key and (ii) providing the decrypted digital content to the client station.

8. In a distributed information system including a client station coupled to a trusted information handler (TIH) and a server, a method for limiting access to an owner's encrypted digital content stored in a digital container and encrypted in a Document Encryption Key (DEK), comprising the steps of:
a) encrypting the DEK in the server using a server public/private key pair and incorporating the encrypted DEK and digital content into the container;
b) acquiring the container including the encrypted DEK from the server by the client station for purposes of a transaction;
c) transmitting the encrypted digital content and encrypted DEK to the TIH by the client station;
d) returning a digital signature, signing algorithm and a TIH authenticating certificate to the server via the client station together with the server encrypted DEK and a TIH public key and a client public key; and
e) processing the transaction by the server to (i) confirm the transaction and that the TIH is known; (ii) validate the TIH; and (iii) confirm the digital signature was produced by the TIH.
Dependent claims: 9, 10, 11, 12, 13, 14

15. In a distributed information system, apparatus for limiting the use of an owner's digital content in accordance with the owner's requirement, comprising:
a) means for encrypting the owner's digital content in a document using a Document Encryption Key (DEK) stored with the document in a cryptolope;
b) server means in the system for accessing the document in the cryptolope and encrypting the DEK in a server public key part of a server public/private key pair;
c) client station means in the system for acquiring the cryptolope from the server and generating transaction data relating to the document;
d) trusted information handler (TIH) means in the system for acquiring and processing the transaction data for return to the client station after signing the data using a signing algorithm; identifying the signing algorithm; and providing a certificate of authority and a TIH public key in a TIH public/private key pair;
e) client station means for returning to the server means in the cryptolope the transaction data processed by the TIH including the TIH public key, the server encrypted DEK and a client station public key part of a client station public/private key pair;
f) server means for recreating the transaction data; confirming the TIH; decrypting the server encrypted DEK; and doubly encrypting the DEK in the TIH public and client station public key, respectively, for return of the DEK encrypted document to the client station in the cryptolope;
g) client station means for receiving the cryptolope, decrypting the encrypted DEK using the client private key and transferring the encrypted DEK document to the TIH; and
h) means for decryption of the DEK at the TIH using the TIH private key and distribution of the decrypted DEK document to the client station in accordance with the owner's requirements.

16. In a distributed information system including a client station coupled to a trusted information handler (TIH) and a server, a method for limiting the use of an owner's digital content acquired from the system in accordance with an owner's requirement, comprising the steps of:
a) encrypting the owner's digital content in a document using a Document Encryption Key (DEK) stored with the document in a cryptolope;
b) accessing the document in the cryptolope at the server and encrypting the DEK in a server public key part of a server public/private key pair;
c) acquiring the cryptolope from the server at the client station and generating transaction data relating to the DEK encrypted document;
d) acquiring and processing the transaction data at the TIH for return to the client station after signing the transaction data using a signing algorithm; identifying the signing algorithm; and providing a certificate of authority and a TIH public key in a TIH public/private key pair;
e) returning to the server means by the client station the cryptolope containing the transaction data processed by the TIH including the TIH public key, the server encrypted DEK document and a client station public key part of a client station public/private key pair;
f) recreating at the server station the transaction data; confirming the TIH; decrypting the server encrypted DEK; and doubly encrypting the DEK in the TIH public and client station public key, respectively, for return of the DEK encrypted document to the client station in the cryptolope;
g) receiving the cryptolope at the client station and decrypting the doubly encrypted DEK using the client private key and transferring the encrypted DEK document to the TIH; and
h) decrypting the DEK at the TIH using the TIH private key and distribution of the decrypted DEK document to the client station in accordance with the owner's requirements.

17. Apparatus for limiting the use of an owner's digital content in accordance with the owner's requirements, comprising:
a) server means for encrypting a DEK of an owner's encrypted digital content using a server public key part of a server public/private key pair;
c) client station means for acquiring the server encrypted DEK and the owner's encrypted digital content in a secure container and generating transaction data relating to the owner's encrypted digital content; and
d) a trusted information handler (TIH) for acquiring the transaction data in the secure container and processing the transaction data for return to the server in the secure container via the client station after signing the data using a signing algorithm.
Dependent claims: 18, 19, 20, 21

22. In apparatus including a server, a client station and a trusted information handler (TIH) coupled to the client station, a method for limiting the use of an owner's digital content in the apparatus in accordance with an owner's requirements, comprising the steps of:
a) encrypting the owner's digital content in a document using a Document Encryption Key (DEK) stored with the document;
b) accessing the encrypted document at the server and encrypting the DEK in a server public key part of a server public/private key pair;
c) acquiring the encrypted document at the client station in a secure container and generating transaction data relating to the encrypted document; and
d) acquiring the transaction data in the secure container and processing the transaction data at the TIH for return to the server in the secure container via the client station after signing the transaction data using a signing algorithm; identifying the signing algorithm; and providing a certificate of authority and a TIH public key in a TIH public/private key pair.
Dependent claims: 23, 24, 25, 26