System and method for dynamically enforcing digital rights management rules
Abstract
A system and method for enforcing digital rights management (DRM) rules in a terminal, even when the requesting rendering application is already operating. Content, which may be encrypted, is received at the terminal and securely stored. On-demand authorization is effected for the rendering application that is requesting access to the content, using secure communications between a DRM engine within the terminal and an operating system within the terminal that is augmented with a security manager adapted to engage in such secure communications. If the rendering application is found to be authorized, the DRM rules are applied to determine whether the rendering application may access the content, and if so, the content is made available to the rendering application.
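The flow the abstract describes, as an added sketch that is not code from the patent: a DRM engine asks a security manager for a connection to the running process whose program text matches a hash, re-reads that text through the returned handle, checks it against the application's certificate, and only then applies the voucher's rules. All names (`SecurityManager`, `DRMEngine`, `connect_by_hash`, the voucher fields) are hypothetical, and an HMAC under a demo key stands in for the certificate's public-key signature.

```python
import hashlib, hmac, secrets

ISSUER_KEY = b"constructed-demo-issuer-key"  # assumption: HMAC under this key stands in for the issuer's signature

def text_hash(program_text: bytes) -> str:
    return hashlib.sha256(program_text).hexdigest()

def sign(app: str, h: str) -> str:
    return hmac.new(ISSUER_KEY, f"{app}|{h}".encode(), hashlib.sha256).hexdigest()

def issue_certificate(app: str, program_text: bytes) -> dict:
    h = text_hash(program_text)
    return {"app": app, "hash": h, "sig": sign(app, h)}

class SecurityManager:  # OS-side component: hands out connection handles to running processes
    def __init__(self, processes: dict):
        self.processes, self.handles = processes, {}   # pid -> program text; handle -> pid
    def connect_by_hash(self, wanted: str):
        for pid, text in self.processes.items():
            if hmac.compare_digest(text_hash(text), wanted):
                handle = secrets.token_hex(8)
                self.handles[handle] = pid
                return handle
        return None                  # no running process has that program text
    def program_text(self, handle: str) -> bytes:
        return self.processes[self.handles[handle]]

class DRMEngine:
    def __init__(self, secmgr: SecurityManager, vouchers: dict):
        self.secmgr, self.vouchers = secmgr, vouchers   # vouchers: content id -> rules
    def authorize(self, cert: dict, content_id: str, action: str) -> bool:
        if not hmac.compare_digest(sign(cert["app"], cert["hash"]), cert["sig"]):
            return False             # certificate was not produced by the trusted issuer
        handle = self.secmgr.connect_by_hash(cert["hash"])
        live = self.secmgr.program_text(handle) if handle else b""  # re-read text via the handle
        if not hmac.compare_digest(text_hash(live), cert["hash"]):
            return False             # the certified program is not what is running
        rules = self.vouchers.get(content_id)
        if not rules or action not in rules["rights"] or rules["uses_left"] <= 0:
            return False             # authenticated, but the voucher does not allow it
        rules["uses_left"] -= 1
        return True

def demo() -> list:
    player = b"\x7fELF constructed renderer text"     # constructed sample program text
    cert = issue_certificate("player", player)
    vouchers = {"song-1": {"rights": {"play"}, "uses_left": 1}}
    genuine = DRMEngine(SecurityManager({101: player}), vouchers)
    patched = DRMEngine(SecurityManager({101: player + b"\x90"}), vouchers)  # modified text
    return [patched.authorize(cert, "song-1", "play"), genuine.authorize(cert, "song-1", "copy"),
            genuine.authorize(cert, "song-1", "play"), genuine.authorize(cert, "song-1", "play")]
```

`demo()` exercises four cases in order: a process whose text no longer matches the certificate, an authenticated renderer asking for a right the voucher lacks, a permitted play, and a second play after the voucher's single use is spent.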
34 Claims
1. A processor-implemented method comprising:
- receiving content and at least one voucher identifying digital rights management (DRM) rules at a terminal that provides on-demand authentication of an operating terminal application which is seeking access to the content via secure communications between a DRM engine and an operating system augmented with a security manager adapted to conduct the secure communications, wherein the terminal application comprises a rendering program running on the operating system concurrently with and independently of the DRM engine, and wherein the terminal application is already running prior to being authenticated;
- issuing a request to the security manager by the DRM engine to provide a connection to a process whose program text matches a hash provided by the DRM engine, wherein the process corresponds to the terminal application;
- returning a handle to the connection to the DRM engine;
- invoking an authentication request at the DRM engine to retrieve at least a portion of program text of the process identified by the handle;
- receiving the authentication request by the security manager and identifying the process corresponding to the connection;
- providing the portion of program text to the DRM engine from the security manager;
- verifying, by the DRM engine, the legitimacy of the terminal application by verifying a certificate of the terminal application based on the program text;
- if the terminal application is authenticated, applying the DRM rules to determine whether the terminal application may access the content; and
- accessing the content by the terminal application if access is allowed in response to applying the DRM rules.
22. A processor-implemented method comprising:
- requesting, by a rendering application, access to content securely stored in a terminal by invoking a content request accompanied by at least a content identifier that identifies the requested content, a certificate of the rendering application, and a process identifier corresponding to the rendering application;
- requesting, by a digital rights management (DRM) engine, at least a portion of program text of a process identified by an inter-process communication (IPC) connection between the DRM engine and the rendering application, wherein the process corresponds to the rendering application, wherein the request for the portion of program text includes the process identifier together with an identifier of the IPC connection, and wherein the rendering application comprises a program running on an operating system concurrently with and independently of the DRM engine;
- receiving the request for the program text by a security manager and identifying the process corresponding to the IPC connection;
- providing the program text to the DRM engine from the security manager;
- verifying, by the security manager, that the process identified by the process identifier is associated with the process identified by the IPC connection identifier;
- authenticating the rendering application based on the program text of the process and the certificate of the rendering application, wherein the rendering application is already operating prior to the authentication of the application;
- making an access control decision by the DRM engine if the rendering application is authorized to access the program text of the process;
- making the content accessible to the rendering application if the access control decision is positive; and
- wherein requesting access to the content comprises authenticating the rendering application by the security manager using a rendering application certificate and forwarding a content request from the security manager to the DRM engine if the rendering application is successfully authenticated.
28. An apparatus comprising:
- a rendering application to provide a content request and to present content received via the apparatus upon access authorization;
- a digital rights management (DRM) engine coupled to receive the content request and to invoke a request to authenticate the rendering application in response thereto, wherein the request to authenticate the rendering application includes at least an identifier of an inter-process communication (IPC) connection opened in response to the content request;
- an operating system augmented with a security manager configured to receive the request to authenticate the rendering application and the IPC connection identifier, and in response to provide data uniquely associated with a process identified by the IPC connection, wherein the process corresponds to the rendering application, wherein the data uniquely associated with the process identified by the IPC connection comprises a hash of the program text of the process; and
- wherein the DRM engine further receives the data and verifies a certificate of the rendering application using the data, and if the rendering application is successfully verified, allowing the rendering application access to the content as dictated by usage rights of a corresponding voucher received via the apparatus, wherein the rendering application comprises a program running on the operating system concurrently with and independently of the DRM engine, and wherein the rendering application is already running prior to being authenticated by the security manager.
Specification