Controlling access to content based on certificates and access predicates

US 6,820,063 B1
Filed: 01/08/1999
Issued: 11/16/2004
Est. Priority Date: 10/26/1998
Status: Expired due to Term

First Claim

Patent Images

1. A computerized method for enforcing digital rights on content downloaded from a provider comprising:

downloading the content from the provider encrypted for a particular combination of an operating system and a central processing unit (CPU) of the computer;

downloading an access predicate, for the content, that specifies properties an application running on a computer is to have in order to process the content;

checking the access predicate against a rights manager certificate for the application requesting access to the content;

checking the access predicate against a certificate for the operating system running on the computer;

permitting access to the content only if both the rights manager certificate and the certificate for the operating system satisfy the access predicate wherein accessing the content comprises decrypting the content.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Digital rights for content downloaded to a subscriber computer from a provider are specified in an access predicate. The access predicate is compared with a rights manager certificate associated with an entity, such as an application, that wants access to the content. If the rights manager certificate satisfies the access predicate, the entity is allowed access to the content. A license that specifies limitations on the use of the content can also be associated with the content and provided to the entity. The use the entity makes of the content is monitored and terminated if the entity violates the license limitations. In one aspect of the invention, the access predicate and the license are protected from tampering through cryptographic techniques.

261 Citations

36 Claims

1. A computerized method for enforcing digital rights on content downloaded from a provider comprising:
- downloading the content from the provider encrypted for a particular combination of an operating system and a central processing unit (CPU) of the computer;
  
  downloading an access predicate, for the content, that specifies properties an application running on a computer is to have in order to process the content;
  
  checking the access predicate against a rights manager certificate for the application requesting access to the content;
  
  checking the access predicate against a certificate for the operating system running on the computer;
  
  permitting access to the content only if both the rights manager certificate and the certificate for the operating system satisfy the access predicate wherein accessing the content comprises decrypting the content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The computerized method of claim 1, further comprising:
3. The computerized method of claim 1, further comprising:
- terminating the access by the application if the license is violated.
4. The computerized method of claim 1, further comprising:
- downloading a license for the content; and
  
  providing the license to the application accessing the content to enforce the license.
5. The computerized method of claim 4, further comprising:
- storing the content on persistent storage; and
  
  storing the license for the content on the persistent storage in an encrypted form.
6. The computerized method of claim 1, further comprising:
- storing the content on persistent storage; and
  
  storing the access predicate for the content on the persistent storage in an encrypted form.
7. The computerized method of claim 1 wherein the elements are processed in the order recited.
8. The computerized method of claim 1, wherein the access predicate specifies that the application must allow only reading of the content.
9. The computerized method of claim 1, wherein the access predicate specifies that the application must render the content at no greater than a maximum resolution.
10. The computerized method of claim 1, wherein the access predicate specifies that the application must not allow the content to be copied.
11. The computerized method of claim 1, wherein the access predicate specifies that the application must not allow the content to be copied in greater than a maximum resolution.
12. The computerized method of claim 1, wherein the access predicate specifies that the application must not allow the content to be copied unless the content is accompanied by a particular license.
13. The computerized method of claim 1, wherein the access predicate specifies that the application must not allow the content to be stored unless the content is encrypted for storage.
14. The computerized method of claim 1, wherein the access predicate specifies that the application must restrict the ability to store the content to only certain devices.
15. The computerized method of claim 1, wherein the content comprises media content, and further comprising checking the access predicate against a certificate for the CPU of the computer, and wherein the permitting comprises permitting access to the content only if each of the rights manager certificate, the certificate for the operating system, and the certificate for the CPU satisfies the access predicate.
16. The computerized method of claim 15, wherein the media content comprises audio content.
17. The computerized method of claim 15, wherein the media content comprises video content.
18. The computerized method of claim 1, further comprising:
- submitting the rights manger certificate to the provider; and
  
  wherein downloading the content comprises downloading the content from the provider only if the provider determines, based at least in part on the rights manger certificate, that the provider should establish a trust relationship with the operating system.

19. A computer system comprising:
- a processing unit;
  
  a system memory coupled to the processing unit through a system bus;
  
  a computer-readable medium coupled to the processing unit through the system bus;
  
  an application executed from the computer-readable medium by the processing unit and having a rights manager certificate, wherein the application causes the processing unit to access content;
  
  an operating system executed from the computer-readable medium and certified by the processing unit, wherein the operating system determines whether the application includes a set of properties necessary to be able to process the content by causing the processing unit to compare an access predicate associated with the content against the rights manager certificate for the application when the application causes the processing unit to access the content, and wherein the content is encrypted by a provider for the particular combination of the operating system and the processing unit; and
  
  wherein the operating system decrypts the content only if the application includes the set of properties.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 33)
- - 20. The computer system of claim 19, wherein the operating system further causes the processing unit to monitor the application accessing the content to determine compliance with a license associated with the content.
  - 21. The computer system of claim 20, wherein the operating system further causes the processing unit to terminate the access of the content by the application if the application does not comply with the license.
  - 22. The computer system of claim 19, wherein the application causes the processing unit to process the content for the application in accordance with a license associated with the content.
  - 23. The computer system of claim 22, wherein the application further causes the processing unit to modify the license to create a sublicense and to transfer the sublicense and the content to another computer system.
  - 24. The computer system of claim 22, wherein the application further causes the processing unit to transfer a sublicense and the content to another computer system.
  - 25. The computer system of claim 19, further comprising:
26. The computer system of claim 19, further comprising:
- a different application executed from the computer-readable medium by the processing unit, wherein the different application causes the processing unit to access the content for the different application using the rights manager certificate of the application.
27. The computer system of claim 19, wherein the content comprises media content, wherein the operating system determines whether the application includes the set of properties necessary to be able to process the content by further causing the processing unit to compare a certificate for the operating system to the access predicate and compare a certificate for the processing unit to the access predicate, and wherein the operating system permits access to the content only if each of the rights manager certificate, the certificate for the operating system, and the certificate for the processing unit satisfies the access predicate.
28. The computer system of claim 19, wherein the operating system further causes the processing unit to submit the rights manager certificate to a provider of the content, and wherein the application downloads the content only if the provider determines, based at least in part on the rights manager certificate, that the provider should establish a trust relationship with the operating system.
33. The computer system of claim 19, wherein the access predicate includes properties that specify that the application must do one or more of the following:
- allow only reading of the content, render the content at no greater than a maximum resolution, not allow the content to be copied, not allow the content to be copied in greater than a maximum resolution, not allow the content to be copied unless the content is accompanied by a particular license, not allow the content to be stored unless the content is encrypted for storage, and restrict the ability to store the content to only certain devices.

29. One or more computer-readable media having stored thereon a computer program that, when executed by one or more processors, enforces digital rights on content downloaded from a provider by causing the one or more processors to:
- download the content from a provider encrypted for a particular combination of an operating system and the one or more processors;
  
  download an access predicate, for the content, that specifies properties an application executed by the one or more processors is to have in order to process the content;
  
  check the access predicate against a rights manager certificate for the application requesting access to the content;
  
  check the access predicate against a certificate for the operating system executed by the one or more processors;
  
  permit access to the content only if both the rights manager certificate and the certificate for the operating system satisfy the access predicate wherein access to the content comprises decrypting the content.
- View Dependent Claims (30, 31, 32, 34, 35, 36)
- - 30. One or more computer-readable media as recited in claim 29, wherein the computer program further causes the one or more processors to:
31. One or more computer-readable media as recited in claim 29, wherein the computer program further causes the one or more processors to:
- download a license for the content; and
  
  monitor the application accessing the content to determine if the license is being violated.
32. One or more computer-readable media as recited in claim 29, wherein the computer program further causes the one or more processors to:
- store the content on persistent storage; and
  
  store the access predicate for the content on the persistent storage in an encrypted form.
34. One or more computer-readable media as recited in claim 29, wherein the properties an application is to have in order to process the content comprises both a name of the application and a version of the application.
35. One or more computer-readable media as recited in claim 29, wherein the content comprises media content, and wherein the computer program further causes the one or more processors to:
- check the access predicate against a certificate for the one or more processors, and wherein the computer program causes the one or more processor to permit access to the content only if each of the rights manger certificate, the certificate for the operating system, and the certificate for the one or more processors satisfies the access predicate.
36. One or more computer-readable media as recited in claim 29, wherein the computer program further causes the one or more processors to:
- submit the rights manager certificate to the provider; and
  
  download the content from the provider only if the provider determines, based at least in part on the rights manager certificate, that the provider should establish a trust relationship with the operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
England, Paul, Lampson, Butler W., DeTreville, John D.
Primary Examiner(s)
Hayes, John W.
Assistant Examiner(s)
Hewitt, II, Calvin L

Application Number

US09/227,559
Time in Patent Office

2,139 Days
Field of Search

705/51, 705/55, 705/56, 705/50, 705/52, 705/57, 705/59, 705/1, 380/4, 380/77
US Class Current

705/54
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/57   Certifying or maintaining t...

G06F 2221/2101   Auditing as a secondary aspect

Controlling access to content based on certificates and access predicates

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

261 Citations

36 Claims

Specification

Use Cases

Quick Links

Others

Controlling access to content based on certificates and access predicates

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

261 Citations

36 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others