Secure storage for digital rights management

US 8,689,010 B2
Filed: 06/28/2007
Issued: 04/01/2014
Est. Priority Date: 06/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method, implemented at least in part by a computer, comprising:

providing a computing device with digital rights management (DRM) software that has been remotely provisioned, wherein the remotely provisioned DRM software performs DRM operations, the DRM operations including acquisition and enforcement of one or more licenses pertaining to DRM data, and wherein the remotely provisioned DRM software has been remotely provisioned by;

creating a DRM partition that serves as an empty host;

generating an attestation request that includes at least;

an identity (ID) of the DRM partition; and

an identification of the computing device; and

using the attestation request to initiate a provisioning process from a remote service in which the remotely provisioned DRM software is provisioned to the DRM partition;

providing, in secure storage on the computing device, a signing key and a counter that maintains a counter value that is to be used for verification;

associating a counter value with the DRM data that is to be protected;

signing, under the influence of the remotely provisioned DRM software, the DRM data and associated counter value using the signing key, said signing providing signed DRM data and the associated counter value;

storing the signed DRM data and the associated counter value in local storage on the computing device; and

verifying that a counter value stored in the local storage matches with a counter value stored in the secure storage, wherein the act of verifying comprises sending, by the remotely provisioned DRM software, a nonce to the secure storage and receiving, responsive to said sending, a signed package that includes the nonce and a counter value to be verified.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments utilize hardware-enforced boundaries to provide various aspects of digital rights management or DRM in an open computing environment. Against the backdrop of these hardware-enforced boundaries, DRM provisioning techniques are employed to provision such things as keys and DRM software code in a secure and robust way. Further, at least some embodiments utilize secure time provisioning techniques to provision time to the computing environment, as well as techniques that provide for robustly secure storage.

Citations

15 Claims

1. A method, implemented at least in part by a computer, comprising:
- providing a computing device with digital rights management (DRM) software that has been remotely provisioned, wherein the remotely provisioned DRM software performs DRM operations, the DRM operations including acquisition and enforcement of one or more licenses pertaining to DRM data, and wherein the remotely provisioned DRM software has been remotely provisioned by;
  
  creating a DRM partition that serves as an empty host;
  
  generating an attestation request that includes at least;
  
  an identity (ID) of the DRM partition; and
  
  an identification of the computing device; and
  
  using the attestation request to initiate a provisioning process from a remote service in which the remotely provisioned DRM software is provisioned to the DRM partition;
  
  providing, in secure storage on the computing device, a signing key and a counter that maintains a counter value that is to be used for verification;
  
  associating a counter value with the DRM data that is to be protected;
  
  signing, under the influence of the remotely provisioned DRM software, the DRM data and associated counter value using the signing key, said signing providing signed DRM data and the associated counter value;
  
  storing the signed DRM data and the associated counter value in local storage on the computing device; and
  
  verifying that a counter value stored in the local storage matches with a counter value stored in the secure storage, wherein the act of verifying comprises sending, by the remotely provisioned DRM software, a nonce to the secure storage and receiving, responsive to said sending, a signed package that includes the nonce and a counter value to be verified.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising:
    - responsive to writing new DRM data, causing a change in the counter value in the secure storage and the counter value associated with the DRM data.
  - 3. The method of claim 1 further comprising:
    - reading, via the remotely provisioned DRM software, signed DRM data and the associated counter value from the local storage;
      
      checking whether the counter value associated with the signed DRM data matches with a counter value stored in the secure storage; and
      
      if said counter values match, permitting DRM operations to be performed.
  - 4. The method of claim 1, wherein the signing key is a symmetric key.
  - 5. The method of claim 1, wherein the signing key is a private key of a public/private key pair.

6. One or more hardware computer readable storage memories storing computer readable instructions which, when executed, implement a method comprising:
- providing a computing device with digital rights management (DRM) software that has been remotely provisioned, wherein the remotely provisioned DRM software performs DRM operations, the DRM operations including acquisition and enforcement of one or more licenses pertaining to DRM data, and wherein the remotely provisioned DRM software has been remotely provisioned by;
  
  creating a DRM partition that serves as an empty host;
  
  generating an attestation request that includes at least;
  
  an identity (ID) of the DRM partition; and
  
  an identification of the computing device; and
  
  using the attestation request to initiate a provisioning process from a remote service in which the remotely provisioned DRM software is provisioned to the DRM partition;
  
  providing, in secure storage on the computing device, a signing key and a counter that maintains a counter value that is to be used for verification;
  
  associating a counter value with the DRM data that is to be protected;
  
  signing, under the influence of the remotely provisioned DRM software, the DRM data and associated counter value using the signing key, said signing providing signed DRM data and the associated counter value;
  
  storing the signed DRM data and the associated counter value in local storage on the computing device; and
  
  verifying that a counter value stored in the local storage matches with a counter value stored in the secure storage, wherein the act of verifying comprises sending, by the remotely provisioned DRM software, a nonce to the secure storage and receiving, responsive to said sending, a signed package that includes the nonce and a counter value to be verified.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The one or more hardware computer readable storage memories of claim 6 further comprising:
    - responsive to writing new DRM data, causing a change in the counter value in the secure storage and the counter value associated with the DRM data.
  - 8. The one or more hardware computer readable storage memories of claim 6 further comprising:
    - reading, via the remotely provisioned DRM software, signed DRM data and the associated counter value from the local storage;
      
      checking whether the counter value associated with the signed DRM data matches with a counter value stored in the secure storage; and
      
      if said counter values match, permitting DRM operations to be performed.
  - 9. The one or more hardware computer readable storage memories of claim 6, wherein the signing key is a symmetric key.
  - 10. The one or more hardware computer readable storage memories of claim 6, wherein the signing key is a private key of a public/private key pair.

11. A computing device comprising:
- one or more hardware processors;
  
  one or more computer readable storage memories storing computer readable instructions which, when executed by the one or more processors, implement a method comprising;
  
  providing a computing device with digital rights management (DRM) software that has been remotely provisioned, wherein the remotely provisioned DRM software performs DRM operations, the DRM operations including acquisition and enforcement of one or more licenses pertaining to DRM data, and wherein the remotely provisioned DRM software has been remotely provisioned by;
  
  creating a DRM partition that serves as an empty host;
  
  generating an attestation request that includes at least;
  
  an identity (ID) of the DRM partition; and
  
  an identification of the computing device; and
  
  using the attestation request to initiate a provisioning process from a remote service in which the remotely provisioned DRM software is provisioned to the DRM partition;
  
  providing, in secure storage on the computing device, a signing key and a counter that maintains a counter value that is to be used for verification;
  
  associating a counter value with the DRM data that is to be protected;
  
  signing, under the influence of the remotely provisioned DRM software, the DRM data and associated counter value using the signing key, said signing providing signed DRM data and the associated counter value;
  
  storing the signed DRM data and the associated counter value in local storage on the computing device; and
  
  verifying that a counter value stored in the local storage matches with a counter value stored in the secure storage, wherein the act of verifying comprises sending, by the remotely provisioned DRM software, a nonce to the secure storage and receiving, responsive to said sending, a signed package that includes the nonce and a counter value to be verified.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computing device of claim 11 further comprising:
    - responsive to writing new DRM data, causing a change in the counter value in the secure storage and the counter value associated with the DRM data.
  - 13. The computing device of claim 11 further comprising:
    - reading, via the remotely provisioned DRM software, signed DRM data and the associated counter value from the local storage;
      
      checking whether the counter value associated with the signed DRM data matches with a counter value stored in the secure storage; and
      
      if said counter values match, permitting DRM operations to be performed.
  - 14. The computing device of claim 11, wherein the signing key is a symmetric key.
  - 15. The computing device of claim 11, wherein the signing key is a private key of a public/private key pair.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Alkove, James M., Grigorovitch, Alexandre V., Schnell, Patrik
Primary Examiner(s)
HOLDER, BRADLEY W

Application Number

US11/823,685
Publication Number

US 20090006868A1
Time in Patent Office

2,469 Days
Field of Search

713/193, 713/189, 713/194
US Class Current

713/193
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/64   Protecting data integrity, ...

G06F 21/725   operating on a secure refer...

G06F 21/74   operating in dual or compar...

G06F 21/78   to assure secure storage of...

Secure storage for digital rights management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Secure storage for digital rights management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links