Releasing decrypted digital content to an authenticated path

US 7,353,209 B1
Filed: 03/15/2000
Issued: 04/01/2008
Est. Priority Date: 01/14/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method for releasing digital content to a rendering application, the rendering application for forwarding the digital content to an ultimate destination by way of a path therebetween, the path being defined by at least one module, the digital content initially being in an encrypted form, the method comprising:

performing an authentication of at least a portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough;

decrypting the encrypted digital content if in fact each such defining module is to be trusted; and

forwarding the decrypted digital content to the rendering application for further forwarding to the ultimate destination by way of the authenticated path,wherein performing the authentication comprises;

traversing the at least a portion of the path to develop a map of each module in the path; and

authenticating each module in the map, andwherein performing the authentication comprises, for each module in the at least a portion of the path;

receiving from the module a certificate as issued by a certifying authority;

determining from the received certificate whether such received certificate is acceptable for purposes of authenticating the module;

checking a revocation list to ensure that the received certificate has not been revoked; and

refusing to decrypt the encrypted digital content if at least one module in the at least a portion of the path fails to provide an acceptable certificate.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Digital content is released to a rendering application for forwarding by such rendering application to an ultimate destination by way of a path therebetween. The path is defined by at least one module, and the digital content is initially in an encrypted form. An authentication of at least a portion of the path is performed to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough. The encrypted digital content is decrypted if in fact each such defining module is to be trusted, and the decrypted digital content is forwarded to the rendering application for further forwarding to the ultimate destination by way of the authenticated path.

Citations

38 Claims

1. A method for releasing digital content to a rendering application, the rendering application for forwarding the digital content to an ultimate destination by way of a path therebetween, the path being defined by at least one module, the digital content initially being in an encrypted form, the method comprising:
- performing an authentication of at least a portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough;
  
  decrypting the encrypted digital content if in fact each such defining module is to be trusted; and
  
  forwarding the decrypted digital content to the rendering application for further forwarding to the ultimate destination by way of the authenticated path,wherein performing the authentication comprises;
  
  traversing the at least a portion of the path to develop a map of each module in the path; and
  
  authenticating each module in the map, andwherein performing the authentication comprises, for each module in the at least a portion of the path;
  
  receiving from the module a certificate as issued by a certifying authority;
  
  determining from the received certificate whether such received certificate is acceptable for purposes of authenticating the module;
  
  checking a revocation list to ensure that the received certificate has not been revoked; and
  
  refusing to decrypt the encrypted digital content if at least one module in the at least a portion of the path fails to provide an acceptable certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1 wherein the path includes a user mode portion and a kernel portion, the method further comprising:
    - scrambling the digital content upon such digital content being outputted from the rendering application to the path such that the scrambled digital content enters the user mode portion of the path, such scrambled digital content then passing through the modules that define the user mode portion of the path and transiting from the user mode portion to the kernel portion of the path; and
      
      de-scrambling the scrambled digital content upon such scrambled digital content transiting from the user mode portion to the kernel portion.
  - 3. The method of claim 2 comprising de-scrambling the scrambled digital content by way of a de-scrambling module.
  - 4. The method of claim 2 comprising de-scrambling the scrambled digital content in the kernel portion of the path.
  - 5. The method of claim 4 comprising performing an authentication of at least a portion of the kernel portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough.
  - 6. The method of claim 1 wherein the path includes a user mode portion and a kernel portion, the method comprising performing an authentication of at least a portion of the kernel portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough.
  - 7. The method of claim 6 further comprising:
    - scrambling the digital content upon such digital content being outputted from the rendering application to the path such that the scrambled digital content enters the user mode portion of the path, such scrambled digital content then passing through the modules that define the user mode portion of the path and transiting from the user mode portion to the kernel portion of the path; and
      
      de-scrambling the scrambled digital content upon such scrambled digital content transiting from the user mode portion to the kernel portion.
  - 8. The method of claim 7 comprising de-scrambling the scrambled digital content by way of a de-scrambling module.
  - 9. The method of claim 7 comprising de-scrambling the scrambled digital content in the kernel portion of the path.
  - 10. The method of claim 1 wherein performing the authentication further comprises ignoring each module not in the map.
  - 11. The method of claim 1 wherein performing the authentication comprises:
    - authenticating an initial module;
      
      determining all first destination modules that receive data from such initial module;
      
      authenticating each such first destination module;
      
      determining all second destination modules that receive data from each such first destination module;
      
      iteratively repeating the authenticating and determining steps for third, fourth, fifth, etc. destination modules until each module in such at least a portion of the path has been determined and authenticated.
  - 12. The method of claim 11 wherein authenticating the initial module comprises authenticating a module in the at least a portion of the path that is to receive the digital content before any other module in the at least a portion of the path, whereby the initial module leads to fully determining all other modules that define the at least a portion of the path.
  - 13. The method of claim 11 comprising employing a database device to keep track of all modules determined to be in the at least a portion of the path, whereby already-determined modules in the at least a portion of the path can be recognized.
  - 14. The method of claim 1 further comprising:
    - receiving the revocation list from a certifying authority;
      
      storing the received revocation list in a secure location.
  - 15. The method of claim 1 wherein performing an authentication further comprises decrypting the encrypted digital content if all the modules in the at least a portion of the path provide an acceptable certificate.
  - 16. The method of claim 1 wherein performing an authentication further comprises, for each module in the at least a portion of the path that fails to provide an acceptable certificate:
    - defining a sub-portion of the path including the non-providing module;
      
      scrambling the digital content upon such digital content entering the sub-portion of the path, such scrambled digital content then passing through the modules that define the sub-portion of the path; and
      
      de-scrambling the scrambled digital content upon such scrambled digital content exiting from the sub-portion of the path; and
      
      declaring the sub-portion trustworthy.
  - 17. The method of claim 1 wherein the path includes a user mode portion and a kernel portion, the method comprising performing an authentication of the user mode portion of the path and of the kernel portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough.
  - 18. The method of claim 1 wherein the path includes a tunneled portion, the method further comprising:
    - scrambling the digital content upon such digital content entering the tunneled portion of the path, such scrambled digital content then passing through the modules that define the tunneled portion of the path; and
      
      de-scrambling the scrambled digital content upon such scrambled digital content exiting from the tunneled portion of the path;
      
      and wherein performing an authentication comprises performing an authentication of at least a portion of the path external to the tunneled portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough, an authentication of the tunneled portion being unnecessary.
  - 19. The method of claim 18 wherein the path includes a user mode portion, a kernel portion, and a tunneled portion in the user mode portion, the method further comprising:
    - scrambling the digital content upon such digital content entering the tunneled portion of the user mode portion of the path, such scrambled digital content then passing through the modules that define the tunneled portion of the user mode portion of the path; and
      
      de-scrambling the scrambled digital content upon such scrambled digital content exiting from the tunneled portion of the user mode portion of the path;
      
      and wherein performing an authentication comprises performing an authentication of at least a portion of the path external to the tunneled portion of the user mode portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough, an authentication of the tunneled portion being unnecessary.

20. A computer-readable medium having computer-executable instructions thereon for performing a method for releasing digital content to a rendering application, the rendering application for forwarding the digital content to an ultimate destination by way of a path therebetween, the path being defined by at least one module, the digital content initially being in an encrypted form, the method comprising:
- performing an authentication of at least a portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough;
  
  decrypting the encrypted digital content if in fact each such defining module is to be trusted; and
  
  forwarding the decrypted digital content to the rendering application for further forwarding to the ultimate destination by way of the authenticated path,wherein performing the authentication comprises;
  
  traversing the at least a portion of the path to develop a map of each module in the path; and
  
  authenticating each module in the map, andwherein performing the authentication comprises, for each module in the at least a portion of the path;
  
  receiving from the module a certificate as issued by a certifying authority;
  
  determining from the received certificate whether such received certificate is acceptable for purposes of authenticating the module;
  
  checking a revocation list to ensure that the received certificate has not been revoked; and
  
  refusing to decrypt the encrypted digital content if at least one module in the at least a portion of the path fails to provide an acceptable certificate.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 21. The method of claim 20 wherein the path includes a user mode portion and a kernel portion, the method further comprising:
    - scrambling the digital content upon such digital content being outputted from the rendering application to the path such that the scrambled digital content enters the user mode portion of the path, such scrambled digital content then passing through the modules that define the user mode portion of the path and transiting from the user mode portion to the kernel portion of the path; and
      
      de-scrambling the scrambled digital content upon such scrambled digital content transiting from the user mode portion to the kernel portion.
  - 22. The method of claim 21 comprising de-scrambling the scrambled digital content by way of a de-scrambling module.
  - 23. The method of claim 21 comprising de-scrambling the scrambled digital content in the kernel portion of the path.
  - 24. The method of claim 23 comprising performing an authentication of at least a portion of the kernel portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough.
  - 25. The method of claim 20 wherein the path includes a user mode portion and a kernel portion, the method comprising performing an authentication of at least a portion of the kernel portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough.
  - 26. The method of claim 25 further comprising:
    - scrambling the digital content upon such digital content being outputted from the rendering application to the path such that the scrambled digital content enters the user mode portion of the path, such scrambled digital content then passing through the modules that define the user mode portion of the path and transiting from the user mode portion to the kernel portion of the path; and
      
      de-scrambling the scrambled digital content upon such scrambled digital content transiting from the user mode portion to the kernel portion.
  - 27. The method of claim 26 comprising de-scrambling the scrambled digital content by way of a de-scrambling module.
  - 28. The method of claim 26 comprising de-scrambling the scrambled digital content in the kernel portion of the path.
  - 29. The method of claim 20 wherein performing the authentication further comprises ignoring each module not in the map.
  - 30. The method of claim 20 wherein performing the authentication comprises:
    - authenticating an initial module;
      
      determining all first destination modules that receive data from such initial module;
      
      authenticating each such first destination module;
      
      determining all second destination modules that receive data from each such first destination module;
      
      iteratively repeating the authenticating and determining steps for third, fourth, fifth, etc. destination modules until each module in such at least a portion of the path has been determined and authenticated.
  - 31. The method of claim 30 wherein authenticating the initial module comprises authenticating a module in the at least a portion of the path that is to receive the digital content before any other module in the at least a portion of the path, whereby the initial module leads to fully determining all other modules that define the at least a portion of the path.
  - 32. The method of claim 30 comprising employing a database device to keep track of all modules determined to be in the at least a portion of the path, whereby already-determined modules in the at least a portion of the path can be recognized.
  - 33. The method of claim 20 further comprising:
    - receiving the revocation list from a certifying authority;
      
      storing the received revocation list in a secure location.
  - 34. The method of claim 20 wherein performing an authentication further comprises decrypting the encrypted digital content if all the modules in the at least a portion of the path provide an acceptable certificate.
  - 35. The method of claim 20 wherein performing an authentication further comprises, for each module in the at least a portion of the path that fails to provide an acceptable certificate:
    - defining a sub-portion of the path including the non-providing module;
      
      scrambling the digital content upon such digital content entering the sub-portion of the path, such scrambled digital content then passing through the modules that define the sub-portion of the path; and
      
      de-scrambling the scrambled digital content upon such scrambled digital content exiting from the sub-portion of the path; and
      
      declaring the sub-portion trustworthy.
  - 36. The method of claim 20 wherein the path includes a user mode portion and a kernel portion, the method comprising performing an authentication of the user mode portion of the path and of the kernel portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough.
  - 37. The method of claim 20 wherein the path includes a tunneled portion, the method further comprising:
    - scrambling the digital content upon such digital content entering the tunneled portion of the path, such scrambled digital content then passing through the modules that define the tunneled portion of the path; and
      
      de-scrambling the scrambled digital content upon such scrambled digital content exiting from the tunneled portion of the path;
      
      and wherein performing an authentication comprises performing an authentication of at least a portion of the path external to the tunneled portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough, an authentication of the tunneled portion being unnecessary.
  - 38. The method of claim 37 wherein the path includes a user mode portion, a kernel portion, and a tunneled portion in the user mode portion, the method further comprising:
    - scrambling the digital content upon such digital content entering the tunneled portion of the user mode portion of the path, such scrambled digital content then passing through the modules that define the tunneled portion of the user mode portion of the path; and
      
      de-scrambling the scrambled digital content upon such scrambled digital content exiting from the tunneled portion of the user mode portion of the path;
      
      and wherein performing an authentication comprises performing an authentication of at least a portion of the path external to the tunneled portion of the user mode portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough, an authentication of the tunneled portion being unnecessary.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
England, Paul, Peinado, Marcus, Yerrace, Frank
Primary Examiner(s)
WINTER, JOHN M

Application Number

US09/525,510
Time in Patent Office

2,939 Days
Field of Search

705/59, 705/51, 705/57, 713/160, 713/201, 713/162, 713/166, 713/171, 713/193, 380/278, 380/228, 380/277, 380/43, 726/4
US Class Current

705/59
CPC Class Codes

G06F 21/10 Protecting distributed prog...

G06F 2221/2107 File encryption

Releasing decrypted digital content to an authenticated path

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Releasing decrypted digital content to an authenticated path

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links