Robust and flexible digital rights management involving a tamper-resistant identity module

US 7,568,234 B2
Filed: 12/19/2002
Issued: 07/28/2009
Est. Priority Date: 08/15/2002
Status: Active Grant

First Claim

Patent Images

1. A tamper-resistant identity module adapted for physical engagement with a client system, the module comprising:

means for receiving digital content over a network and a digital-content usage device, wherein said tamper-resistant identity module comprises a digital rights management (DRM) agent for enabling usage of said digital content; and

means for performing at least part of an authentication and key agreement (AKA) procedure, and said DRM agent includes means for performing DRM processing based on information from said AKA procedure.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to digital rights management, and proposes the implementation of a DRM agent (125) into a tamper-resistant identity module (120) adapted for engagement with a client system (100), such as a mobile phone or a computer system. The DRM agent (125) is generally implemented with functionality for enabling usage, such as rendering or execution of protected digital content provided to the client system from a content provider. In general, the DRM agent (125) includes functionality for cryptographic processing of DRM metadata associated with the digital content to be rendered. In a particularly advantageous realization, the DRM agent is implemented as an application in the application environment of the identity module. The DRM application can be preprogrammed into the application environment, or securely downloaded from a trusted party associated with the identity module. The invention also relates to a distributed DRM module, with communication between distributed DRM agents (125, 135) based on usage-device specific key information.

37 Citations

View as Search Results

44 Claims

1. A tamper-resistant identity module adapted for physical engagement with a client system, the module comprising:
- means for receiving digital content over a network and a digital-content usage device, wherein said tamper-resistant identity module comprises a digital rights management (DRM) agent for enabling usage of said digital content; and
  
  means for performing at least part of an authentication and key agreement (AKA) procedure, and said DRM agent includes means for performing DRM processing based on information from said AKA procedure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The tamper-resistant identity module according to claim 1, wherein said DRM agent is implemented as an application in an application environment of said tamper-resistant identity module.
  - 3. The tamper-resistant identity module according to claim 2, wherein said DRM agent application is loaded into said identity module application environment from an external trusted party associated with said identity module.
  - 4. The tamper-resistant identity module according to claim 3, wherein said identity module comprises means for authenticating said DRM agent.
  - 5. The tamper-resistant identity module according to claim 1, wherein said DRM agent includes means for extracting a content-protection key to be used for decrypting encrypted digital content provided from a content provider, based on information from said AKA procedure.
  - 6. The tamper-resistant identity module according to claim 1, wherein said DRM agent comprises means for enabling charging for digital content usage.
  - 7. The tamper-resistant identity module according to claim 1, wherein said DRM agent comprises means for managing information related to usage of said digital content, said usage information serving as a basis for charging for digital-content usage.
  - 8. The tamper-resistant identity module according to claim 7, wherein said DRM agent further comprises:
    - means for integrity protecting said usage information based on an identity-module specific key; and
      
      means for sending said integrity protected usage information to an external party managing charging of digital-content usage.
  - 9. The tamper-resistant identity module according to claim 1, wherein said DRM agent implemented in said identity module further comprises means for enabling registration of at least one digital-content usage device.
  - 10. The tamper-resistant identity module according to claim 1, further comprising means for communication between said DRM agent and further DRM functionality implemented in said digital-content usage device based on usage-device specific key information.
  - 11. The tamper-resistant identity module according to claim 10, wherein said communication means is operable for ensuring that only a usage device with valid DRM functionality is enabled to use said digital content.
  - 12. The tamper-resistant identity module according to claim 1, wherein said DRM agent comprises means for receiving, from an external trusted party, a DRM application adapted for use with a digital-content usage device, and means for transferring said DRM application into a tamper-resistant application environment in said digital-content usage device based on usage-device specific key information.
  - 13. The tamper-resistant identity module according to claim 1, wherein said DRM agent implemented in said identity module includes means for checking that the forward-lock function of the Wireless Application Protocol (WAP) is not violated.

14. A client system comprising:
- means for receiving digital content over a network;
  
  a digital-content usage device; and
  
  a tamper-resistant identity module implemented with a digital rights management (DRM) agent for enabling usage of said digital content by said digital-content usage device;
  
  wherein said identity module further comprises means for performing at least part of an authentication and key agreement (AKA) procedure, and said DRM agent includes means for performing DRM processing based on information from said AKA procedure.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The client system according to claim 14, wherein said DRM agent is implemented as an application in an application environment of said tamper-resistant identity module.
  - 16. The client system according to claim 15, wherein said DRM agent application is loaded into said identity module application environment from an external trusted party associated with said identity module.
  - 17. The client system according to claim 16, wherein said identity module comprises means for authenticating said DRM agent.
  - 18. The client system according to claim 14, wherein said DRM agent includes means for extracting a content-protection key to be used for decrypting encrypted digital content provided from a content provider, based on information from said AKA procedure.
  - 19. The client system according to claim 14, wherein said DRM agent comprises means for enabling charging for digital content usage.
  - 20. The client system according to claim 14, comprising means for communication between said DRM agent and a further DRM agent implemented in said digital-content usage device based on usage-device specific key information.
  - 21. The client system according to claim 20, wherein said communication means is operable for ensuring that only a usage device with valid DRM functionality is enabled to use said digital content.
  - 22. The client system according to claim 21, wherein said client system further comprises means for transmitting, to a trusted certification party, identification information associated with said digital-content usage device, and in response thereto receiving a protected representation of said usage-device specific key, and said DRM agent comprises means for extracting said usage-device specific key representation for storage in said tamper-resistant identity module.
  - 23. The client system according to claim 14, wherein said digital-content usage device includes a tamper-resistant application environment, and a DRM application adapted for use as a DRM agent in said usage device is loaded into said application environment at least partly based on usage-device specific key information.
  - 24. The client system according to claim 23, wherein said digital-content usage device comprises:
    - means for generating new device key information associated with a downloaded DRM application at least partly based on said usage-device specific key information; and
      
      means for replacing usage-device specific key information stored in said usage device with said new device key information.
  - 25. The client system according to claim 24, wherein said DRM agent implemented in said identity module comprises means for replacing usage-device specific key information stored in said identity module with key information corresponding to said new device key information.

26. A client system comprising:
- a tamper resistant identity module;
  
  a digital-content usage device;
  
  a first DRM agent implemented in the tamper-resistant identity module for engagement with a client device, said first DRM agent comprising means for performing first DRM processing associated with digital content;
  
  a second DRM agent implemented in the digital-content usage device adapted for using said digital content, said second DRM agent comprising means for performing second DRM processing associated with said digital content; and
  
  means for communication between said first DRM agent and said second DRM agent based on usage-device specific key information;
  
  wherein said tamper-resistant identity module comprises means for performing at least part of an authentication and key agreement (AKA) procedure, and said means for performing first DRM processing in said first DRM agent operates based on information from said AKA procedure.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 27. The client system according to claim 26, wherein said communication means is operable for ensuring that only a usage device with valid DRM functionality is enabled to use said digital content.
  - 28. The client system according to claim 26, wherein said means for performing first DRM processing in said first DRM agent includes means for extracting a content-protection key to be used for decrypting protected digital content from a content provider, based on information from said AKA procedure.
  - 29. The client system according to claim 28, wherein said communication means is operable for ensuring that said content-protection key is accessible only by a second DRM agent that properly enforces usage rules associated with said digital content.
  - 30. The client system according to claim 29, wherein said means for performing second DRM processing in said second DRM agent comprises means for decrypting encrypted digital content by means of said content-protection key.
  - 31. The client system according to claim 26, wherein said means for performing first DRM processing in said first DRM agent comprises means for enabling charging for said digital content.
  - 32. The client system according to claim 26, wherein said first DRM agent comprises:
    - means for authenticating said usage device based on said usage-device specific key information to verify that said usage device has valid DRM functionality; and
      
      means for sending DRM data enabling usage of said digital content to said second DRM agent in response to successful authentication of a usage device with valid DRM functionality.
  - 33. The client system according to claim 26, wherein said first DRM agent comprises:
    - means for encrypting DRM data enabling usage of said digital content, based on said usage-device specific key information; and
      
      means, forming part of said communication means, for sending said encrypted DRM data to said second DRM agent; and
      
      said second DRM agent comprises means for decrypting said encrypted DRM data to enable usage of said digital content, based on said usage-device specific key information.
  - 34. The client system according to claim 26, wherein said tamper-resistant identity module and said usage device are tamper-resistantly configured with usage-device specific key information.
  - 35. The client system according to claim 26, wherein said second DRM agent comprises means for compiling information related to usage of said digital content, and means for transferring said usage information to said first DRM agent based on said usage-device specific key information;
    - and said first DRM agent comprises means for sending said usage information to an external party managing charging of digital-content usage, said usage information serving as a basis for charging for digital-content usage.
  - 36. The client system according to claim 26, wherein said second DRM agent comprises means for sending a first control signal related to the digital-content usage process to said first DRM agent, and said first DRM agent comprises means for processing signal data associated with said first control signal to generate a second control signal, and means for sending said second control signal to said second DRM agent for controlling said digital-content usage process.
  - 37. The client system according to claim 26, wherein said first DRM agent is implemented as an application in an application environment of said tamper-resistant identity module.
  - 38. The client system according to claim 37, wherein said first DRM agent application is loaded into said identity module application environment from an external trusted party associated with said identity module.
  - 39. The client system according to claim 37, wherein said identity module comprises means for authenticating said DRM agent.
  - 40. The client system according to claim 26, wherein said second DRM agent is implemented as an application in a tamper-resistant application environment in said usage device.
  - 41. The client system according to claim 40, wherein said second DRM agent application is loaded into said usage-device application environment at least partly based on said usage-device specific key information.
  - 42. The client system according to claim 41, wherein said digital-content usage device comprises:
    - means for generating new device key information associated with said downloaded DRM application at least partly based on said usage-device specific key information; and
      
      means for replacing usage-device specific key information stored in said usage device with said new device key information.
  - 43. The client system according to claim 42, wherein said DRM agent implemented in said identity module comprises means for replacing usage-device specific key information stored in said identity module with key information corresponding to said new device key information.

44. A method for digital rights management (DRM) comprising the steps of:
- tamper-resistantly configuring a usage device, adapted for using digital content, with a usage-device specific key;
  
  providing a cryptographic representation of said usage-device specific key to a client device associated with said usage device;
  
  processing, at a trusted certification party, said cryptographic representation received in a request from said client device to retrieve key information representative of said usage-device specific key;
  
  securely transferring said key information from said trusted certification party to a tamper-resistant identity module in said client device, based on an identity-module specific key; and
  
  establishing communication between a first DRM agent in said tamper-resistant identity module and a second DRM agent in said usage device based on the key information transferred to the identity module and the usage-device specific key in said usage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Naslund, Mats, Norrman, Karl
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Yousefi; Shahrouz

Application Number

US10/524,583
Publication Number

US 20050278787A1
Time in Patent Office

2,413 Days
Field of Search

713/187, 726/26, 380240-244
US Class Current

726/26
CPC Class Codes

G06F 21/1014   to tokens

G06F 2221/2115   Third party

G06F 2221/2129   Authenticate client device ...

G06F 2221/2135   Metering

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2153   Using hardware token as a s...

H04L 2463/101   applying security measures ...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 63/0869   for achieving mutual authen...

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 12/069   using certificates or pre-s...

H04W 8/22   Processing or transfer of t...

Robust and flexible digital rights management involving a tamper-resistant identity module

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Robust and flexible digital rights management involving a tamper-resistant identity module

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links