Interoperable systems and methods for peer-to-peer service orchestration

US 9,235,833 B2
Filed: 11/12/2009
Issued: 01/12/2016
Est. Priority Date: 06/05/2003
Status: Active Grant

First Claim

Patent Images

1. A method of accessing content according to a DRM policy, comprising:

communicating, using a service access point of a device, with one or more web services agents to receive;

a content object including an encrypted content item,a license object comprising a control object including a control program containing instructions for querying an authorization graph for an existence of a path from a first node to a second node, and a content key object including an encrypted content key for decrypting the encrypted content item,a first link object associated with a validity constraint comprising authorization conditions governing the use of a first link key to sign the first link object, the authorization conditions expressed by a control program, a certificate for the first link key comprising the constraint program;

determining authorization to access the encrypted content item using a DRM engine on the device, the DRM engine requesting cryptographic services from a host environment, comprising;

verifying, by the DRM engine, the license object,validating, by the DRM engine, the first link object according to the validity constraint and cryptographic services requested from the host environment, validation comprising;

determining satisfaction of the authorization conditions for the first link key by executing the constraint program using the DRM engine,verifying the certificate for the first link key based on satisfaction of the authorization conditions using the cryptographic services, andvalidating the first link object based on verification of the certificate using the DRM engine,constructing, by the DRM engine, an authorization graph comprising nodes connected by links, construction using valid link objects, the valid link objects comprising the first link object, andquerying, by the DRM engine, the authorization graph by executing the control program and determining by the control program the existence of the path from the first node to the second node;

providing by the DRM engine based on a result of the query;

an indication that the encrypted content item may be accessed, anda decrypted version of the encrypted content key for decrypting the encrypted content item;

generating a decrypted version of the encrypted content item by decrypting the encrypted content item using the decrypted version of the encrypted content key, based on the indication;

andaccessing the decrypted version of the encrypted content item based on the indication.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for performing policy-managed, peer-to-peer service orchestration in a manner that supports the formation of self-organizing service networks that enable rich media experiences. In one embodiment, services are distributed across peer-to-peer communicating nodes, and each node provides message routing and orchestration using a message pump and workflow collator. Distributed policy management of service interfaces helps to provide trust and security, supporting commercial exchange of value. Peer-to-peer messaging and workflow collation allow services to be dynamically created from a heterogeneous set of primitive services. The shared resources are services of many different types, using different service interface bindings beyond those typically supported in a web service deployments built on UDDI, SOAP, and WSDL. In a preferred embodiment, a media services framework is provided that enables nodes to find one another, interact, exchange value, and cooperate across tiers of networks from WANs to PANs.

253 Citations

29 Claims

1. A method of accessing content according to a DRM policy, comprising:
- communicating, using a service access point of a device, with one or more web services agents to receive;
  
  a content object including an encrypted content item,a license object comprising a control object including a control program containing instructions for querying an authorization graph for an existence of a path from a first node to a second node, and a content key object including an encrypted content key for decrypting the encrypted content item,a first link object associated with a validity constraint comprising authorization conditions governing the use of a first link key to sign the first link object, the authorization conditions expressed by a control program, a certificate for the first link key comprising the constraint program;
  
  determining authorization to access the encrypted content item using a DRM engine on the device, the DRM engine requesting cryptographic services from a host environment, comprising;
  
  verifying, by the DRM engine, the license object,validating, by the DRM engine, the first link object according to the validity constraint and cryptographic services requested from the host environment, validation comprising;
  
  determining satisfaction of the authorization conditions for the first link key by executing the constraint program using the DRM engine,verifying the certificate for the first link key based on satisfaction of the authorization conditions using the cryptographic services, andvalidating the first link object based on verification of the certificate using the DRM engine,constructing, by the DRM engine, an authorization graph comprising nodes connected by links, construction using valid link objects, the valid link objects comprising the first link object, andquerying, by the DRM engine, the authorization graph by executing the control program and determining by the control program the existence of the path from the first node to the second node;
  
  providing by the DRM engine based on a result of the query;
  
  an indication that the encrypted content item may be accessed, anda decrypted version of the encrypted content key for decrypting the encrypted content item;
  
  generating a decrypted version of the encrypted content item by decrypting the encrypted content item using the decrypted version of the encrypted content key, based on the indication;
  
  andaccessing the decrypted version of the encrypted content item based on the indication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein executing the control program comprises using a virtual machine to execute the control program and validating the first link object comprises using the virtual machine to validate the first link object according to the validity constraint.
  - 3. The method of claim 1, wherein requesting cryptographic services from the host environment comprises requesting cryptographic services indirectly from a cryptographic services module of the host environment using a host services module.
  - 4. The method of claim 1, wherein the DRM engine indirectly requests information for validating the first link object from the one or more web services agents using a host services module and the service access point.
  - 5. The method of claim 1, wherein the DRM engine indirectly provides the content key for decrypting the encrypted content item to a host application using a host services module.
  - 6. The method of claim 1, wherein the requested cryptographic services comprise decryption of the encrypted content key.
  - 7. The method of claim 1, wherein the instructions for querying an authorization graph comprise byte code executed by the DRM engine.
  - 8. The method of claim 1, wherein:
    - the license object further comprises a controller object binding the control object to the contentkey object, and a protector object binding the contentkey contentkey object to the content object, andverifying the license object comprises verifying the binding between the control object and the contentkey object and verifying the binding between the contentkey object and the content object.
  - 9. The method of claim 8, wherein:
    - the content object further comprises a content object id,the control object further comprises a control object id,the contentkey object further comprises a contentkey id,the controller object further comprises a reference to the control object id, and a controller reference to the contentkey id,the protector object further comprises a protector reference to the contentkey id and a reference to the content object,the binding between the control object and the contentkey object is verified based on the controller reference to the contentkey id and the reference to the control object id, andthe binding between the contentkey object and the content object is verified based on the protector reference to the contentkey id and the reference to the content object id.
  - 10. The method of claim 9, wherein the controller object further includes a hash of the control object and a hash of the contentkey object, and verifying the license object further comprises:
    - verifying the control object using the hash of the control object included in the controller object, andverifying the contentkey object using the hash of the contentkey object included in the controller object.
  - 11. The method of claim 9, wherein the controller object is digitally signed using a message authentication code keyed with a key that encrypted the content key, and verifying the license object further comprises verifying the digital signature of the controller object.
  - 12. The method of claim 9, wherein the controller object is digitally signed using a private key, and the controller object binds the private key to the content key based on a hash of the signing private key, and verifying the license object further comprises verifying the digital signature of the controller object.
  - 13. The method of claim 1, wherein:
    - a first node object includes first node attributes;
      
      a second node object includes second node attributes;
      
      the first link object represents a relationship between the first node and the second node and references the first node attributes and the second node attributes; and
      
      the validity constraint depends on the first node attributes and the second node attributes.
  - 14. The method of claim 13, wherein a DRM profile defines the first node attributes and the second node atributes.
  - 15. The method of claim 13, wherein a DRM profile defines a semantics of the relationship represented by the first link object.
  - 16. The method of claim 15, wherein the DRM profile defines the relationship as an ownership relationship.
  - 17. The method of claim 15, wherein the DRM profile defines the relationship as a membership relationship.
  - 18. The method of claim 15, wherein the DRM policy imposes the validity constraint based the semantics defined by the DRM profile.
  - 19. The method of claim 18, wherein the DRM profile is expressed in WSDL and the first node object and the second node object are web services agents.

20. A non-transitory computer readable medium containing instructions that, when executed by a processor of a device, cause the device to perform operations comprising:
- communicating, using a service access point of a device, with one or more web services agents to receive;
  
  a content object including an encrypted content item,a license object comprising a control object including a control program containing instructions for querying an authorization graph for an existence of a path from a first node to a second node, and a contentkey object including an encrypted content key for decrypting the encrypted content item,a first link object associated with a validity constraint comprising authorization conditions governing the use of a first link key to sign the first link object, the authorization conditions expressed by a control program, a certificate for the first link key comprising the constraint program;
  
  determining authorization to access the encrypted content item using a DRM engine on the device, comprising;
  
  verifying, by the DRM engine, the license object,validating, by the DRM engine, the first link object according to the validity constraint and cryptographic services requested by the DRM engine from a cryptographic services module of a host environment indirectly using a host services module, validation comprising;
  
  determining satisfaction of the authorization conditions for the first link key by executing the constraint program using the DRM engine,verifying the certificate for the first link key based on satisfaction of the authorization conditions using the cryptographic services, andvalidating the first link object based on verification of the certificate using the DRM engine,constructing, by the DRM engine, an authorization graph comprising nodes connected by links, construction using valid link objects, the valid link objects comprising the first link object, andquerying, by the DRM engine, the authorization graph by executing the control program and determining by the control program the existence of the path from the first node to the second node;
  
  providing by the DRM engine based on a result of the query;
  
  an indication that the encrypted content item may be accessed, anda decrypted version of the encrypted content key for decrypting the encrypted content item;
  
  generating a decrypted version of the encrypted content item by decrypting the encrypted content item using the decrypted version of the encrypted content key, based on the indication; and
  
  accessing the decrypted version of the encrypted content item based on the indication.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The non-transitory computer readable medium of claim 20, wherein the instructions for querying an authorization graph comprise byte code executed by the DRM engine.
  - 22. The non-transitory computer readable medium of claim 20, wherein:
    - the content object further comprises a content object id,the control object further comprises a control object id,the contentkey object further comprises a contentkey id,the license object further comprises;
      
      a controller object binding the control object to the contentkey object and including a controller reference to the control object id and a reference to the contentkey id, anda protector object binding the contentkey object to the content object and including a protector reference to the contentkey id and a reference to the content object; and
      
      verifying the license object comprises;
      
      verifying the binding between the control object and the contentkey object based on the controller reference to the contentkey id and the reference to the control object id, andverifying the binding between the contentkey object and the content object based on the protector reference to the contentkey id and the reference to the content object id.
  - 23. The non-transitory computer readable medium of claim 20, wherein:
    - a first node object includes first node attributes;
      
      a second node object includes second node attributes;
      
      the first link object represents a relationship between the first node and the second node and references the first node attributes and the second node attributes; and
      
      the validity constraint depends on the first node attributes and the second node attributes.
  - 24. The non-transitory computer readable medium of claim 23, wherein the first node object and the second node object are web services agents, and the validity constraint implements a DRM policy according to a DRM profile expressed in WSDL that defines a semantics of the relationship represented by the first link object.

25. A device for obtaining and accessing a content item, comprising:
- at least one processer, anda non-transitory computer memory containing instructions that, when executed by the at least one processor, cause the device to perform operations comprising;
  
  communicating, using a service access point of a device, with one or more web services agents to receive;
  
  a content object including an encrypted content item,a license object comprising a control object including a control program containing instructions for querying an authorization graph for an existence of a path from a first node to a second node, and a contentkey object including an encrypted content key for decrypting the encrypted content item, anda first link object associated with a validity constraint comprising authorization conditions governing the use of a first link key to sign the first link object, the authorization conditions expressed by a control program, a certificate for the first link key comprising the constraint program;
  
  determining authorization to access the encrypted content item using a DRM engine on the device, comprising;
  
  verifying, by the DRM engine, the license object,validating, by the DRM engine, the first link object according to the validity constraint and cryptographic services requested by the DRM engine from a cryptographic services module of a host environment indirectly using a host services module, validation comprising;
  
  determining satisfaction of the authorization conditions for the first link key by executing the constraint program using the DRM engine,verifying the certificate for the first link key based on satisfaction of the authorization conditions using the cryptographic services, andvalidating the first link object based on verification of the certificate using the DRM engine,constructing, by the DRM engine, an authorization graph comprising nodes connected by links, construction using valid link objects, the valid link objects comprising the first link object, andquerying, by the DRM engine, the authorization graph by executing the control program and determining by the control program the existence of the path from the first node to the second node;
  
  providing, by the DRM engine, based on a result of the query;
  
  an indication that the encrypted content item may be accessed, anda decrypted version of the encrypted content key for decrypting the encrypted content item;
  
  generating a decrypted version of the encrypted content item by decrypting the encrypted content item using the decrypted version of the encrypted content key, based on the indication; and
  
  accessing the decrypted version of the encrypted content item based on the indication.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The device of claim 25, wherein the instructions for querying an authorization graph comprise byte code executed by the DRM engine.
  - 27. The device of claim 25, wherein:
    - the content object further comprises a content object id,the control object further comprises a control object id,the contentkey object further comprises a contentkey id,the license object further comprises;
      
      a controller object binding the control object to the contentkey object and including a reference to the control object id and a reference to the contentkey id, anda protector object binding the contentkey object to the content object and including a reference to the contentkey id and a reference to the content object; and
      
      verifying the license object comprises;
      
      verifying the binding between the control object and the contentkey object based on the reference to the contentkey id and the reference to the control object id, andverifying the binding between the contentkey object and the content object based on the reference to the contentkey id and the reference to the content object id.
  - 28. The device of claim 25, wherein:
    - a first node object includes first node attributes;
      
      a second node object includes second node attributes;
      
      the first link object represents a relationship between the first node and the second node and references the first node attributes and the second node attributes; and
      
      the validity constraint depends on the first node attributes and the second node attributes.
  - 29. The device of claim 28, wherein the first node object and the second node object are web services agents, and the validity constraint implements a DRM policy according to a DRM profile expressed in WSDL that defines a semantics of the relationship represented by the first link object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intertrust Technologies Corporation (Fidelio Acquisition Co LLC)
Original Assignee
Intertrust Technologies Corporation (Fidelio Acquisition Co LLC)
Inventors
Bradley, William, Maher, David, Boccon-Gibod, Gilles
Primary Examiner(s)
Hewitt, II, Calvin L
Assistant Examiner(s)
Nilforoush, Mohammad A

Application Number

US12/617,164
Publication Number

US 20100131412A1
Time in Patent Office

2,252 Days
Field of Search

705 50- 79
US Class Current

1/1
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/1073   Conversion

G06F 21/1084   via third party

G06F 21/1085   Content sharing, e.g. peer-...

G06Q 20/1235   with control of digital rig...

G06Q 2220/10   Usage protection of distrib...

G06Q 2220/18   Licensing

H04L 2209/603   Digital right managament [DRM]

H04L 2463/101   applying security measures ...

H04L 2463/102   applying security measure f...

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/1061   using node-based peer disco...

H04L 67/51   Discovery or management the...

H04L 9/0822   using key encryption key

H04L 9/0825 : using asymmetric-key encryp...

H04L 9/0861 : Generation of secret inform...

H04L 9/3263 : involving certificates, e.g...

H04L 9/3271 : using challenge-response

View All

Interoperable systems and methods for peer-to-peer service orchestration

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

253 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Interoperable systems and methods for peer-to-peer service orchestration

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

253 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links