System and method for dynamically enforcing digital rights management rules

US 7,529,929 B2
Filed: 05/30/2002
Issued: 05/05/2009
Est. Priority Date: 05/30/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A processor-implemented method comprising:

receiving content and at least one voucher identifying digital rights management (DRM) rules at a terminal that provides on-demand authentication of an operating terminal application which is seeking access to the content via secure communications between a DRM engine and an operating system augmented with a security manager adapted to conduct the secure communications, wherein the terminal application comprises a rendering program running on the operating system concurrently with and independently of the DRM engine, and wherein the terminal application is already running prior to being authenticated;

issuing a request to the security manager by the DRM engine to provide a connection to a process whose program text matches a hash provided by the DRM engine, wherein the process corresponds to the terminal application;

returning a handle to the connection to the DRM engine;

invoking an authentication request at the DRM engine to retrieve at least a portion of program text of the process identified by the handle;

receiving the authentication request by the security manager and identifying the process corresponding to the connection;

providing the portion of program text to the DRM engine from the security manager;

verifying, by the DRM engine, the legitimacy of the terminal application by verifying a certificate of the terminal application based on the program text;

if the terminal application is authenticated, applying the DRM rules to determine whether the terminal application may access the content; and

accessing the content by the terminal application if access is allowed in response to applying the DRM rules.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for enforcing digital rights management (DRM) rules in a terminal, even when the requesting rendering application is already operating. Content, which may be encrypted, is received at the terminal and securely stored. On-demand authorization is effected for the rendering application that is requesting access to the content, using secure communications between a DRM engine within the terminal and an operating system within the terminal that is augmented with a security manager adapted to engage in such secure communications. If the rendering application is found to be authorized, the DRM rules are applied to determine whether the rendering application may access the content, and if so, the content is made available to the rendering application.

Citations

34 Claims

1. A processor-implemented method comprising:
- receiving content and at least one voucher identifying digital rights management (DRM) rules at a terminal that provides on-demand authentication of an operating terminal application which is seeking access to the content via secure communications between a DRM engine and an operating system augmented with a security manager adapted to conduct the secure communications, wherein the terminal application comprises a rendering program running on the operating system concurrently with and independently of the DRM engine, and wherein the terminal application is already running prior to being authenticated;
  
  issuing a request to the security manager by the DRM engine to provide a connection to a process whose program text matches a hash provided by the DRM engine, wherein the process corresponds to the terminal application;
  
  returning a handle to the connection to the DRM engine;
  
  invoking an authentication request at the DRM engine to retrieve at least a portion of program text of the process identified by the handle;
  
  receiving the authentication request by the security manager and identifying the process corresponding to the connection;
  
  providing the portion of program text to the DRM engine from the security manager;
  
  verifying, by the DRM engine, the legitimacy of the terminal application by verifying a certificate of the terminal application based on the program text;
  
  if the terminal application is authenticated, applying the DRM rules to determine whether the terminal application may access the content; and
  
  accessing the content by the terminal application if access is allowed in response to applying the DRM rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein providing on-demand authentication of the operating terminal application comprises:
    - invoking a certificate verification request at the DRM engine, wherein the certificate verification request is accompanied by arguments including a certificate of the terminal application and an identifier of a process corresponding to an inter-process communication (IPC) connection opened by the terminal application in response to a content request by the terminal application, wherein the process corresponds to the terminal application;
      
      receiving the certificate verification request by the security manager and verifying the certificate against a predetermined certificate value; and
      
      providing a verification indication to the DRM engine from the security manager indicating whether the certificate is correct and valid.
  - 3. The method of claim 1, wherein providing on-demand authentication of the operating terminal application comprises:
    - invoking an authentication request at the DRM engine to retrieve a hash of at least a portion of program text of a process identified by an inter-process communication (IPC) connection opened by the terminal application in response to a content request by the terminal application, wherein the process corresponds to the terminal application;
      
      receiving the authentication request by the security manager and identifying the process corresponding to the IPC connection;
      
      computing, at the security manager, the hash of the program text for each new process created;
      
      providing, from the security manager to the DRM engine, the hash of the program text corresponding to the IPC connection identified in the authentication request; and
      
      verifying, by the DRM engine, the legitimacy of the terminal application by comparing the hash of the program text with values expected by the DRM engine based on the certificate issued to the terminal application.
  - 4. The method of claim 1, wherein receiving content comprises receiving encrypted content, and wherein accessing the content by the terminal application comprises accessing plaintext content resulting from decrypting the encrypted content at the DRM engine.
  - 5. The method of claim 4, further comprising requesting a content key from the security manager by the DRM engine, and wherein decrypting the encrypted content at the DRM engine comprises decrypting the encrypted content using the content key received from the security manager.
  - 6. The method of claim 1, wherein receiving content comprises receiving encrypted content, and wherein accessing the content by the terminal application comprises:
    - maintaining a content key at the security manager;
      
      decrypting requested blocks of the content at the security manager using the content key; and
      
      providing the requested blocks of decrypted content to the DRM engine.
  - 7. The method of claim 1, wherein receiving content comprises receiving encrypted content, and wherein accessing the content by the terminal application comprises:
    - requesting a content key from the security manager by the DRM engine;
      
      decrypting requested blocks of the content at the DRM engine using the content key; and
      
      providing only requested blocks of the content to the terminal application.
  - 8. The method of claim 1, wherein receiving content comprises receiving encrypted content, and wherein accessing the content by the terminal application comprises:
    - providing a content key from the security manager to the terminal application; and
      
      decrypting the encrypted content by the terminal application using the content key.
  - 9. The method of claim 1, wherein receiving content comprises receiving encrypted content, and wherein accessing the content by the terminal application comprises:
    - providing a content key from the DRM engine to the terminal application; and
      
      decrypting the encrypted content by the terminal application using the content key.
  - 10. The method of claim 1, further comprising:
    - issuing a request to the security manager by the DRM engine to provide a connection to a process whose program text matches a terminal application certificate provided by the DRM engine, wherein the program text corresponds to the terminal application; and
      
      returning a handle to the connection to the DRM engine.
  - 11. The method of claim 10, wherein providing on-demand authentication of the operating terminal application comprises:
    - invoking an authentication request at the DRM engine to retrieve at least a portion of program text of the process identified by the handle;
      
      receiving the authentication request by the security manager and identifying the process corresponding to the connection;
      
      providing the program text to the DRM engine from the security manager; and
      
      verifying, by the DRM engine, the legitimacy of the terminal application by verifying a certificate of the terminal application based on the program text.
  - 12. The method of claim 1, further comprising:
    - issuing a request to the security manager by the DRM engine to provide a connection to a process whose program text matches a particular type selected from a standard set of type specified in certificates; and
      
      returning a handle to the connection to the DRM engine.
  - 13. The method of claim 1, further comprising verifying the DRM engine by the security manager by computing a hash of the DRM engine'"'"'s code and associating the hash with private files created by the DRM engine.
  - 14. The method of claim 1, further comprising verifying the DRM engine by the security manager by verifying the DRM engine'"'"'s certificate and associating the certificate with private files created by the DRM engine.
  - 15. The method of claim 1, further comprising:
    - wirelessly providing the content and a voucher identifying the DRM rights to the terminal; and
      
      securely storing the content and the voucher locally at the terminal.
  - 16. The method of claim 1, wherein the terminal is a wireless terminal, and further comprising sending the content and the at least one voucher to the wireless terminal from a second wireless terminal.
  - 17. The method of claim 1, wherein applying the DRM rules comprises analyzing usage rights provided via the voucher.
  - 18. The method of claim 1, wherein the terminal application is a multi-part terminal application, and wherein providing on-demand authentication of the terminal application comprises providing on-demand authentication of each part of the multi-part terminal application.
  - 19. The method of claim 1, wherein the terminal application is a multi-part terminal application, and wherein providing on-demand authentication of the multi-part terminal application comprises:
    - invoking an authentication request at the DRM engine to retrieve program text of each part of the multi-part terminal application identified by an inter-process communication (IPC) connection opened in response to a content request by the multi-part terminal application;
      
      receiving the authentication request by the security manager and identifying the process corresponding to the IPC connection;
      
      returning the program text of each part of the multi-part terminal application to the DRM engine from the security manager; and
      
      verifying, by the DRM engine, the legitimacy of the multi-part terminal application by verifying certificates of the terminal application based on each of the returned program texts.
  - 20. The method of claim 1, wherein the terminal application is a multi-part terminal application, and wherein providing on-demand authentication of the multi-part terminal application comprises:
    - invoking an authentication request at the DRM engine to retrieve hashes of program text of each part of the multi-part terminal application identified by an inter-process communication (IPC) connection opened in response to a content request by the multi-part terminal application;
      
      receiving the authentication request by the security manager and identifying the process corresponding to the IPC connection;
      
      computing, at the security manager, a hash for each of the program texts for each new process created;
      
      returning the hash of each part of the multi-part terminal application to the DRM engine from the security manager; and
      
      verifying, by the DRM engine, the legitimacy of the multi-part terminal application by verifying certificates of the terminal application based on each of the returned hashes.
  - 21. The method of claim 1, wherein the terminal application is a multi-part terminal application, and wherein providing on-demand authentication of the multi-part terminal application comprises:
    - invoking a certificate verification request at the DRM engine, wherein the certificate verification request is accompanied by arguments including a certificate for each part of the multi-part terminal application and an identifier of a process corresponding to an inter-process communication (IPC) connection opened in response to a content request by the terminal application;
      
      receiving the certificate verification request by the security manager and verifying the certificates against predetermined certificate values; and
      
      providing a verification indication to the DRM engine from the security manager indicating whether the certificates are correct and valid.

22. A processor-implemented method comprising:
- requesting, by a rendering application, access to content securely stored in a terminal by invoking a content request accompanied by at least a content identifier that identifies the requested content, a certificate of the rendering application, and a process identifier corresponding to the rendering application;
  
  requesting, by a digital rights management (DRM) engine, at least a portion of program text of a process identified by an inter-process communication (IPC) connection between the DRM engine and the rendering application, wherein the process corresponds to the rendering application, wherein the request for the portion of program text includes the process identifier together with an identifier of the IPC connection, and wherein the rendering application comprises a program running on an operating system concurrently with and independently of the DRM engine;
  
  receiving the request for the program text by a security manager and identifying the process corresponding to the IPC connection;
  
  providing the program text to the DRM engine from the security manager;
  
  verifying, by the security manager, that the process identified by the process identifier is associated with the process identified by the IPC connection identifier;
  
  authenticating the rendering application based on the program text of the process and the certificate of the rendering application, wherein the rendering application is already operating prior to the authentication of the application;
  
  making an access control decision by the DRM engine if the rendering application is authorized to access the program text of the process;
  
  making the content accessible to the rendering application if the access control decision is positive; and
  
  wherein requesting access to the content comprises authenticating the rendering application by the security manager using a rendering application certificate and forwarding a content request from the security manager to the DRM engine if the rendering application is successfully authenticated.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The method of claim 22, wherein the requested content stored in the terminal is encrypted, and further comprising:
    - requesting, by the DRM engine, a content key for decrypting the requested content if the access control decision is positive;
      
      providing the content key to the DRM engine from the security manager; and
      
      decrypting the content at the DRM engine.
  - 24. The method of claim 23, wherein authorizing the content comprises authorizing the decrypted content to be accessed via the IPC connection by the rendering application.
  - 25. The method of claim 22, wherein making the content accessible to the rendering application comprises authorizing the content to be accessed by the rendering application via the IPC connection.
  - 26. The method of claim 22, further comprising augmenting an operating system operating within the terminal to include the security manager.
  - 27. The method of claim 22, wherein requesting the program text comprises invoking a primitive to obtain the program text, wherein the primitive is accompanied by arguments including an IPC identifier to allow the security manager to identify the process corresponding to the IPC connection.

28. An apparatus comprising:
- a rendering application to provide a content request and to present content received via the apparatus upon access authorization;
  
  a digital rights management (DRM) engine coupled to receive the content request and to invoke a request to authenticate the rendering application in response thereto, wherein the request to authenticate the rendering application includes at least an identifier of an inter-process communication (IPC) connection opened in response to the content request;
  
  an operating system augmented with a security manager configured to receive the request to authenticate the rendering application and the IPC connection identifier, and in response to provide data uniquely associated with a process identified by the IPC connection, wherein the process corresponds to the rendering application, wherein the data uniquely associated with the process identified by the IPC connection comprises a hash of the program text of the process; and
  
  wherein the DRM engine further receives the data and verifies a certificate of the rendering application using the data, and if the rendering application is successfully verified, allowing the rendering application access to the content as dictated by usage rights of a corresponding voucher received via the apparatus, wherein the rendering application comprises a program running on the operating system concurrently with and independently of the DRM engine, and wherein the rendering application is already running prior to being authenticated by the security manager.
- View Dependent Claims (29, 30, 31, 32, 33, 34)
- - 29. The apparatus as in claim 28, wherein the content received at the terminal is encrypted, and wherein the security manager is further configured to provide a content key to the DRM engine in response to a key request by the DRM engine.
  - 30. The apparatus as in claim 29, wherein the DRM engine is further configured to decrypt the content using the content key, and to allow the rendering application access to the decrypted content as dictated by the usage rights.
  - 31. The apparatus as in claim 28, wherein the security manager is integrally implemented into the operating system kernel.
  - 32. The apparatus as in claim 28, wherein the security manager is implemented outside the operating system kernel as a secure library.
  - 33. The apparatus as in claim 28, wherein the apparatus comprises a mobile device comprising at least one of a wireless telephone, wireless PDA, or wireless computing device.
  - 34. The apparatus as in claim 28, wherein the apparatus comprises a landline client terminal coupled in a server environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Stenman, Jorma, Asokan, Nadarajah, Ekberg, Jan-Erik, Teinila, Jaakko
Primary Examiner(s)
ZIA, SYED

Application Number

US10/161,082
Publication Number

US 20030226012A1
Time in Patent Office

2,532 Days
Field of Search

None
US Class Current

713/161
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06Q 20/3674   involving authentication

H04L 2463/101   applying security measures ...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

System and method for dynamically enforcing digital rights management rules

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for dynamically enforcing digital rights management rules

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links