System and method for controlling and enforcing access rights to encrypted media
Abstract
A system for providing rights controlled access to digital media comprises a server data processor and a client data processor connected by a communications network. The user data processor provides access to a data object in accordance with rules associated with the data object by the server data processor. The client data processor comprises a machine key device and a user key device. The machine key device is preferably an installed component of the client data processor that provides encryption, decryption, and authentication functionality for the client data processor. The user key device is preferably a removable, portable device that connects to the client data processor and provides encryption, decryption, and authentication functionality for the user. A method restricts the use of a data object to a particular user and a particular data processor through the use of additional layers of encryption. The method preferably comprises encrypting a data object such that it can be decrypted by the machine key device, and further encrypting the data object such that it can be decrypted by the user key device. A method restricts the use of a data object to a particular user and a particular data processor through the use of rules that require authentication of the machine key device and the user key device.
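The layered packaging described in the abstract, as an added example that is not code from the patent or its assignee: a package is sealed under a machine key, a user key and a user program key, and opens only when the program and both key devices each remove their own layer. `seal`/`unseal` are a standard-library stand-in for a real authenticated cipher, and `KeyDevice`, the function names and the layer order (program key outermost, following the numbering in claim 1) are assumptions.

```python
import hashlib, hmac, os

def _subkeys(key):
    # Derive separate encryption and authentication keys from one secret.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def seal(key, data):
    """Stand-in authenticated encryption: SHAKE-256 keystream plus HMAC tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    stream = hashlib.shake_256(enc + nonce).digest(len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unseal(key, blob):
    enc, mac = _subkeys(key)
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer authentication failed: wrong key or altered package")
    stream = hashlib.shake_256(enc + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

class KeyDevice:
    """Hypothetical model of a machine or user key device: the key stays
    inside the object and only the unwrap operation is exposed."""
    def __init__(self, key):
        self.__key = key
    def unwrap(self, blob):
        return unseal(self.__key, blob)

def build_package(data, program_key, user_key, machine_key):
    # Server side: innermost layer bound to the machine, then user, then program.
    return seal(program_key, seal(user_key, seal(machine_key, data)))

def open_package(blob, program_key, user_device, machine_device):
    # Client side: the user program removes layer 1, then each device removes its own.
    layer2 = unseal(program_key, blob)
    layer3 = user_device.unwrap(layer2)
    return machine_device.unwrap(layer3)

def demo():
    pk, uk, mk = os.urandom(32), os.urandom(32), os.urandom(32)  # constructed keys
    pkg = build_package(b"constructed media sample", pk, uk, mk)
    opened = open_package(pkg, pk, KeyDevice(uk), KeyDevice(mk))
    try:  # same user key device attached to a different machine
        open_package(pkg, pk, KeyDevice(uk), KeyDevice(os.urandom(32)))
        other_machine = "opened"
    except ValueError:
        other_machine = "refused"
    return opened, other_machine
```
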
39 Claims
1. A user data processor for providing access to a rights controlled data object, the user data processor comprising:
a processing device;
a communications device connected to the processing device and configured to receive an encrypted secure package containing a portion of the rights controlled data object and having at least three secure layers requiring decryption;
a user program running on the processing device, the user program configured to control access to the rights controlled data object;
a user program security module configured to at least partially decrypt a first secure layer of the secure package using a user program key associated with the user program;
a user key device associated with a user, the user key device detachably connected to the processing device, accessible by the user program, and configured to restrict the use of the data object to the user using a user key for decrypting a second secure layer of the secure package; and
a machine key device connected to and associated with the processing device and accessible by the user program, the machine key device configured to restrict the use of the data object to the user data processor using a machine key for decrypting a third secure layer of the secure package.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23
24. A method of restricting the use of a data object, the method comprising:
(A) associating a user program key with a user program configured to run on a user data processor;
(B) determining whether the use of the data object is to be restricted to a particular user data processor;
(C) associating a machine key device with the particular user data processor, wherein the machine key device is accessible by the user program, and wherein the machine key device maintains a portion of a machine key;
(D) encrypting the data object such that decryption of a first secure layer and a second secure layer of the encrypted data object requires the user program key and the machine key, respectively;
(E) determining whether the use of the data object is to be restricted to a particular user;
(F) associating a user key device with the particular user, wherein the user key device is accessible by the user program, and wherein the user key device maintains a portion of a user key; and
(G) encrypting the data object such that decryption of a third secure layer of the encrypted data object requires the user key.
Dependent claims: 25, 26, 27, 28, 29
30. A method of restricting the use of a rights controlled data object, the method comprising:
(A) associating a user program key with a user program configured to run on a user data processor;
(B) encrypting the data object such that decryption of a first secure layer of the encrypted data object requires the user program key;
(C) determining whether the use of the data object is to be restricted to a particular user data processor;
(D) associating a machine key device with the particular user data processor, wherein the machine key device is accessible by the user program, and wherein the machine key device maintains a portion of a machine key for decrypting a second secure layer of the encrypted data object;
(E) creating a machine control element configured to cause the user program to restrict use of the data object to the particular user data processor by authenticating the particular user data processor based upon at least the machine key and by at least communicating with the machine key device;
(F) transmitting the encrypted data object and the machine control element to the user data processor;
(G) including the machine control element in a set of control elements configured to cause the user program to control access to the data object;
(H) signing the set of control elements, wherein (F) comprises transmitting the signed set of control elements;
(I) determining whether the use of the data object is to be restricted to a particular user;
(J) associating a user key device with the particular user, wherein the user key device is accessible by the user program, and wherein the user key device maintains a portion of a user key for decrypting a third secure layer of the encrypted data object;
(K) creating a user control element configured to cause the user program to restrict use of the data object to the particular user by authenticating the particular user based upon at least the user key and by at least communicating with the user key device; and
(L) including the user control element in the set of control elements.
Dependent claims: 31, 32, 33
34. A method of restricting the use of a data object, the method comprising:
(A) associating a user program key with a user program configured to run on a user data processor;
(B) determining whether the use of the data object is to be restricted to a particular user data processor;
(C) associating a machine key with the particular user data processor;
(D) encrypting the data object such that decryption requires the user program key and the machine key;
(E) transferring the encrypted data object to the user data processor;
(F) determining whether the data object has been encrypted such that decryption requires the machine key;
(G) decrypting a first secure layer and a second secure layer of the data object using the user program key and the machine key, respectively;
(H) determining whether the use of the data object is to be restricted to a particular user;
(I) associating a user key with the particular user;
(J) encrypting the data object such that decryption also requires the user key;
(K) determining whether the data object has been encrypted such that decryption requires the user key; and
(L) decrypting a third secure layer of the data object using the user key.
Dependent claims: 35, 36, 37, 38
39. A secure data package for controlling the use of a data object, the package comprising a controlled portion of the data object, the controlled portion encrypted such that decryption of a first secure layer and a second secure layer of the encrypted data object requires both a user program key and a machine key, respectively, wherein a portion of the user program key is maintained by and associated with a user program configured to run on a user data processor to provide controlled access to the data object, wherein the user data processor has a permanently attached machine key device configured to maintain the machine key, and wherein the controlled portion comprises an essential portion of the data object, wherein the controlled portion is additionally encrypted such that decryption of a third secure layer of the encrypted data object requires a user key, wherein the user key is maintained by a user key device associated with a particular user and detachably connected to the processing device.
Specification