System and method for digital rights management using a secure end-to-end protocol with embedded encryption keys

US 8,972,726 B1
Filed: 08/26/2009
Issued: 03/03/2015
Est. Priority Date: 08/26/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

generating, by a digital rights management (DRM) client, an encrypted request to authenticate a client application as a trusted consumer of protected content, the DRM client implemented within the client application, the client application configured to consume content, the request encrypted using an encryption key embedded within a binary representation of the DRM client, the encryption key having been selected from a pool of encryption keys and embedded by a software vendor during a build of the binary representation of the DRM client and being different than one or more encryption keys embedded within one or more other binary representations of the DRM client;

providing, by the DRM client, the encrypted request to an authentication server;

receiving, by the DRM client, an encrypted response from the authentication server, the authentication server being remote from the DRM client and using a particular encryption key corresponding to the encryption key of the DRM client to decrypt the encrypted request and to encrypt the encrypted response, the encrypted response including an authentication token;

decrypting, by the DRM client, the encrypted response; and

enabling the client application via the DRM client to consume the protected content based at least in part on the authentication token.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of a system and method for digital rights management using a secure end-to-end protocol with embedded encryption keys are described. A DRM framework may implement a secure end-to-end protocol configured to protect messages sent between trusted endpoints by encrypting and decrypting the messages within software applications executing on each trusted endpoint. An encryption key embedded within a binary representation of a DRM client may be used by the DRM client to encrypt and decrypt messages sent over the secure protocol. The DRM client may request authentication using the secure protocol and receive an authentication token used by the DRM client to acquire a license to view protected content. The encryption key may be chosen from a pool of encryption keys and embedded in the DRM client during the software build process for the DRM client. The secure protocol may be designed according to Representational State Transfer guidelines.

Citations

26 Claims

1. A computer-implemented method, comprising:
- generating, by a digital rights management (DRM) client, an encrypted request to authenticate a client application as a trusted consumer of protected content, the DRM client implemented within the client application, the client application configured to consume content, the request encrypted using an encryption key embedded within a binary representation of the DRM client, the encryption key having been selected from a pool of encryption keys and embedded by a software vendor during a build of the binary representation of the DRM client and being different than one or more encryption keys embedded within one or more other binary representations of the DRM client;
  
  providing, by the DRM client, the encrypted request to an authentication server;
  
  receiving, by the DRM client, an encrypted response from the authentication server, the authentication server being remote from the DRM client and using a particular encryption key corresponding to the encryption key of the DRM client to decrypt the encrypted request and to encrypt the encrypted response, the encrypted response including an authentication token;
  
  decrypting, by the DRM client, the encrypted response; and
  
  enabling the client application via the DRM client to consume the protected content based at least in part on the authentication token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 24, 25, 26)
- - 2. The method of claim 1, wherein:
    - the encrypted request comprises a request for a type of authentication credentials required by the authentication server to authenticate an identity of the DRM client; and
      
      the encrypted response comprises the type of authentication credentials required by the authentication server to authenticate the identity of the DRM client.
  - 3. The method of claim 2, further comprising, subsequent to said decrypting:
    - generating an authentication request comprising the authentication credentials corresponding to the DRM client, wherein the authentication credentials are the type of authentication credentials required by the authentication server; and
      
      receiving the authentication token, wherein the authentication token identifies the client application as the trusted consumer of protected content.
  - 4. The method of claim 3, further comprising:
    - generating a license request for a content license, wherein the license request comprises at least a portion of the authentication token received from the authentication server;
      
      receiving, from a license server, the content license, wherein the content license provides unprotected access to a particular piece of protected content;
      
      decrypting the protected content with an encryption key from the content license; and
      
      accessing the decrypted content.
  - 5. The method of claim 3, wherein the authentication credentials comprise:
    - a username and a password;
      
      smartcard authentication credentials;
      
      orKerberos credentials.
  - 6. The method of claim 3, wherein the authentication token is a Security Assertion Markup Language (SAML) token.
  - 7. The method of claim 1, wherein the encryption key comprises a symmetric key or a key from a public-private key pair.
  - 8. The method of claim 1, wherein said generating and said receiving comply with a protocol designed according to Representational State Transfer (REST) design guidelines.
  - 24. The computer-implemented method of claim 1, wherein selecting from the pool of encryption keys includes utilizing a round robin selection algorithm.
  - 25. The computer-implemented method of claim 1, wherein selecting from the pool of encryption keys includes utilizing a random selection algorithm.
  - 26. The computer-implemented method of claim 1, wherein the encryption key is generated via a key derivation function.

9. A system, comprising:
- a processor; and
  
  a memory having program instructions stored thereon, that when executed by the processor, cause the processor to implement a digital rights management (DRM) client within a client application, configured to;
  
  generate, within the client application, the client application configured to consume content, an encrypted request to authenticate the client application as a trusted consumer of protected content using an encryption key, the encryption key having been selected from a pool of encryption keys and embedded within a binary representation of the DRM client by a software vendor during a build of the binary representation of the DRM client and being different than one or more encryption keys embedded within one or more other binary representations of the DRM client;
  
  provide, by the DRM client, the encrypted request to an authentication server;
  
  receive, by the DRM client, an encrypted response from the authentication server, the authentication server being different from the DRM client and using a particular encryption key corresponding to the encryption key of the DRM client to decrypt the encrypted request and to encrypt the encrypted response, the encrypted response including an authentication token;
  
  decrypt, using the DRM client, the encrypted response; and
  
  enable the client application via the DRM client to consume the protected content based at least in part on the authentication token.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein:
    - the encrypted request comprises a request for a type of authentication credentials required by the authentication server to authenticate an identity of the DRM client; and
      
      the encrypted response comprises the type of authentication credentials required by the authentication server to authenticate the identity of the DRM client.
  - 11. The system of claim 10, wherein the DRM client is further configured to, subsequent to said decrypting:
    - generate an authentication request comprising the authentication credentials corresponding to the DRM client, wherein the authentication credentials are the type of authentication credentials required by the authentication server; and
      
      receive the authentication token, wherein the authentication token identifies the client application as the trusted consumer of protected content.
  - 12. The system of claim 11, wherein the DRM client is further configured to:
    - generate a license request for a content license, wherein the license request comprises at least a portion of the authentication token received from the authentication server;
      
      receive, from a license server, the content license, wherein the content license provides unprotected access to a particular piece of protected content;
      
      decrypt the protected content using an encryption key from the content license; and
      
      access the decrypted content.
  - 13. The system of claim 11, wherein the authentication credentials comprise:
    - a username and a password;
      
      smartcard authentication credentials;
      
      orKerberos credentials.
  - 14. The system of claim 11, wherein the authentication token is a Security Assertion Markup Language (SAML) token.
  - 15. The system of claim 9, wherein the encryption key comprises a symmetric key or a key from a public-private key pair.

16. A non-transitory computer-readable storage medium having program instructions stored thereon that when executed by a computer, cause the computer to implement a DRM client within a client application, configured to:
- generate, within the client application, the client application configured to consume content, an encrypted request to authenticate the client application as a trusted consumer of protected content using an encryption key embedded within a binary representation of the DRM client, the encryption key having been selected from a pool of encryption keys and embedded by a software vendor during a build of the binary representation of the DRM client and being different than one or more encryption keys embedded within one or more other binary representations of the DRM client;
  
  provide, by the DRM client, the encrypted request to an authentication server;
  
  receive, at the DRM client, an encrypted response from the authentication server, the authentication server being remote from the DRM client and using a particular encryption key corresponding to the encryption key of the DRM client to decrypt the encrypted request and to encrypt the encrypted response, the encrypted response including an authentication token;
  
  decrypt, using the DRM client, the encrypted response; and
  
  enable the client application via the DRM client to consume the protected content based at least in part on the authentication token.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The computer-readable storage medium of claim 16, wherein:
    - the encrypted request comprises a request for a type of authentication credentials required by the authentication server to authenticate an identity of the DRM client; and
      
      the encrypted response comprises the type of authentication credentials required by the authentication server to authenticate the identity of the DRM client.
  - 18. The computer-readable storage medium of claim 17, wherein the DRM client is further configured to, subsequent to said decrypting:
    - generate an authentication request comprising the authentication credentials corresponding to the DRM client, wherein the authentication credentials are the type of authentication credentials required by the authentication server; and
      
      receive the authentication token, wherein the authentication token identifies the client application as the trusted consumer of protected content.
  - 19. The computer-readable storage medium of claim 18, wherein the DRM client is further configured to:
    - generate a license request for a content license, wherein the license request comprises at least a portion of the authentication token received from the authentication server;
      
      receive, from a license server, the content license, wherein the content license provides unprotected access to a particular piece of protected content;
      
      decrypt the protected content with an encryption key from the content license; and
      
      access the decrypted content.
  - 20. The computer-readable storage medium of claim 18, wherein the authentication credentials comprise:
    - a username and a password;
      
      smartcard authentication credentials;
      
      orKerberos credentials.
  - 21. The computer-readable storage medium of claim 18, wherein the authentication token is a Security Assertion Markup Language (SAML) token.

22. The computer-readable storage medium of 16, wherein the encryption key comprises a symmetric key or a key from a public-private key pair.

23. A computer-implemented method, comprising:
- receiving, by a server software application, a plurality of encrypted requests to authenticate a client application as a trusted consumer of protected content from a plurality of digital rights management (DRM) clients, wherein each of the plurality of encrypted requests includes an unencrypted portion comprising a unique identifier and an encryption key corresponding to a binary representation of a DRM client that sent the encrypted request, the unique identifier and the encryption key, the encryption key having been selected from a pool of encryption keys, having been embedded into the binary representation by a software vendor during a build of the binary representation of the DRM client;
  
  for each encrypted request;
  
  accessing, by the server software application, an encryption key map;
  
  locating, using the encryption key map, an associated encryption key corresponding to the embedded unique identifier and encryption key;
  
  decrypting, by the server software application, the encrypted request using the located associated encryption key;
  
  providing, by the server software application to the plurality of DRM clients, an encrypted response that was encrypted using the associated encryption key, the encrypted response including an authentication token; and
  
  enabling the DRM client implemented within the client application to consume the protected content based at least in part on the authentication token, the client application configured to consume content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Adobe Inc.
Original Assignee
Adobe Systems Incorporated (Adobe Inc.)
Inventors
Poling, Matthew J.
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
LEUNG, ROBERT B

Application Number

US12/548,143
Time in Patent Office

2,015 Days
Field of Search

None
US Class Current

713/168
CPC Class Codes

G06F 21/10   Protecting distributed prog...

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 2209/603   Digital right managament [DRM]

H04L 2463/101   applying security measures ...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 9/0822   using key encryption key

System and method for digital rights management using a secure end-to-end protocol with embedded encryption keys

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for digital rights management using a secure end-to-end protocol with embedded encryption keys

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links