Releasing decrypted digital content to an authenticated path

US 8,744,969 B2
Filed: 10/02/2007
Issued: 06/03/2014
Est. Priority Date: 01/14/2000
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a processor;

a memory storing executable instructions that when executed by the processor causes the processor to perform the method steps of;

forwarding digital content from a rendering application to a destination, anddefining a path between said rendering application and said destination, said path being defined by at least one module; and

a digital rights management system including a black box that releases encrypted digital content to said rendering application for distribution to said destination by way of said path, said black box comprising a black box processor and a memory storing executable instructions that when executed by the black box processor causes the black box processor to perform an authentication of at least a portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough, wherein said black box processor performs the authentication by performing the steps of;

traversing the at least a portion of the path to develop a map of each module in the path,authenticating each module in the map, andfor each module in the at least a portion of the path, receiving from the module a certificate as issued by a certifying authority, determining from the received certificate whether such received certificate is acceptable for purposes of authenticating the module, checking a revocation list to ensure that the received certificate has not been revoked, and refusing to decrypt the encrypted digital content if at least one module in the at least a portion of the path fails to provide an acceptable certificate,said black box decrypting the encrypted digital content if in fact each such defining module is to be trusted and forwarding the decrypted digital content to the rendering application for further forwarding to the destination by way of the authenticated path.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Digital content is released to a rendering application for forwarding by such rendering application to an ultimate destination by way of a path therebetween. The path is defined by at least one module, and the digital content is initially in an encrypted form. An authentication of at least a portion of the path is performed to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough. The encrypted digital content is decrypted if in fact each such defining module is to be trusted, and the decrypted digital content is forwarded to the rendering application for further forwarding to the ultimate destination by way of the authenticated path.

Citations

19 Claims

1. A system comprising:
- a processor;
  
  a memory storing executable instructions that when executed by the processor causes the processor to perform the method steps of;
  
  forwarding digital content from a rendering application to a destination, anddefining a path between said rendering application and said destination, said path being defined by at least one module; and
  
  a digital rights management system including a black box that releases encrypted digital content to said rendering application for distribution to said destination by way of said path, said black box comprising a black box processor and a memory storing executable instructions that when executed by the black box processor causes the black box processor to perform an authentication of at least a portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough, wherein said black box processor performs the authentication by performing the steps of;
  
  traversing the at least a portion of the path to develop a map of each module in the path,authenticating each module in the map, andfor each module in the at least a portion of the path, receiving from the module a certificate as issued by a certifying authority, determining from the received certificate whether such received certificate is acceptable for purposes of authenticating the module, checking a revocation list to ensure that the received certificate has not been revoked, and refusing to decrypt the encrypted digital content if at least one module in the at least a portion of the path fails to provide an acceptable certificate,said black box decrypting the encrypted digital content if in fact each such defining module is to be trusted and forwarding the decrypted digital content to the rendering application for further forwarding to the destination by way of the authenticated path.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The system of claim 1 wherein the path includes a user mode portion and a kernel portion, the path receiving scrambled digital content from the rendering application such that the scrambled digital content enters the user mode portion of the path, such scrambled digital content then passing through the modules that define the user mode portion of the path and transiting from the user mode portion to the kernel portion of the path.
  - 3. The system of claim 2 wherein the path comprises a de-scrambling module that de-scrambles the scrambled digital content upon such scrambled digital content transiting from the user mode portion to the kernel portion.
  - 4. The system of claim 3 wherein the de-scrambling module is in the kernel portion of the path.
  - 5. The system of claim 4 wherein the black box performs an authentication of at least a portion of the kernel portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough.
  - 6. The system of claim 1 wherein the path includes a user mode portion and a kernel portion, and the black box performs an authentication of at least a portion of the kernel portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough.
  - 7. The system of claim 6 wherein the the path receives scrambled digital content from the rendering application such that the scrambled digital content enters the user mode portion of the path, such scrambled digital content then passing through the modules that define the user mode portion of the path and transiting from the user mode portion to the kernel portion of the path.
  - 8. The system of claim 7 wherein the path comprises a de-scrambling module that de-scrambles the scrambled digital content upon such scrambled digital content transiting from the user mode portion to the kernel portion.
  - 9. The system of claim 8 wherein the de-scrambling module is in the kernel portion of the path.
  - 10. The system of claim 1 wherein the black box ignores each module not in the map.
  - 11. The system of claim 1 wherein said black box processor executes further executable instructions to perform authentication by:
    - authenticating an initial module;
      
      determining all first destination modules that receive data from said initial module;
      
      authenticating each said first destination module;
      
      determining all second destination modules that receive data from each such first destination module; and
      
      iteratively repeating the authenticating and determining steps for additional destination modules until each module in such at least a portion of the path has been determined and authenticated.
  - 12. The system of claim 11 wherein said black box authenticates the initial module by authenticating a module in the at least a portion of the path that is to receive the digital content before any other module in the at least a portion of the path, whereby the initial module leads to fully determining all other modules that define the at least a portion of the path.
  - 13. The system of claim 11 further comprising a database device that keeps track of all modules determined to be in the at least a portion of the path, whereby already-determined modules in the at least a portion of the path can be recognized.
  - 14. The system of claim 1 further comprising a certifying authority that provides the revocation list and a secure storage device that stores the received revocation list.
  - 15. The system of claim 1 wherein the black box decrypts the encrypted digital content if all the modules in the at least a portion of the path provide an acceptable certificate.
  - 16. The system of claim 1 wherein the black box processor executes further executable instructions to perform authentication for each module in the at least a portion of the path that fails to provide an acceptable certificate by:
    - defining a sub-portion of the path including the non-providing module;
      
      scrambling the digital content upon such digital content entering the sub-portion of the path, such scrambled digital content then passing through the modules that define the sub-portion of the path;
      
      de-scrambling the scrambled digital content upon such scrambled digital content exiting from the sub-portion of the path; and
      
      declaring the sub-portion trustworthy.
  - 17. The system of claim 1 wherein the path includes a user mode portion and a kernel portion, and the black box performs an authentication of the user mode portion of the path and of the kernel portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough.
  - 18. The system of claim 1 wherein the path includes a tunneled portion, further comprising:
    - a scrambling module that scrambles the digital content upon such digital content entering the tunneled portion of the path, such scrambled digital content then passing through the modules that define the tunneled portion of the path; and
      
      a de-scrambling module that de-scrambles the scrambled digital content upon such scrambled digital content exiting from the tunneled portion of the path,said black box authenticating at least a portion of the path external to the tunneled portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough such that an authentication of the tunneled portion is unnecessary.
  - 19. The system of claim 18 wherein the path includes a user mode portion, a kernel portion, and a tunneled portion in the user mode portion, wherein:
    - the scrambling module scrambles the digital content upon such digital content entering the tunneled portion of the user mode portion of the path, such scrambled digital content then passing through the modules that define the tunneled portion of the user mode portion of the path; and
      
      the de-scrambling module de-scrambling the scrambled digital content upon such scrambled digital content exiting from the tunneled portion of the user mode portion of the path,said black box authenticating at least a portion of the path external to the tunneled portion of the user mode portion of the path to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough-such that an authentication of the tunneled portion is unnecessary.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Peinado, Marcus, England, Paul, Yerrace, Frank
Primary Examiner(s)
Huang, Tsan-Yu J

Application Number

US11/866,041
Publication Number

US 20080021839A1
Time in Patent Office

2,436 Days
Field of Search

705 50- 79
US Class Current

705/51
CPC Class Codes

G06F 21/10 Protecting distributed prog...

G06F 2221/2107 File encryption

Releasing decrypted digital content to an authenticated path

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Releasing decrypted digital content to an authenticated path

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links