System and method for safe and comfortable control of digital electronic content

FIELD: communication systems.

SUBSTANCE: the system has a receiver, a transmitter, a processing element connected to the receiver and transmitter and controlling them, and a digital rights module connected to the processing element and controlling operation of the communication device in a domain-based digital rights environment; the digital rights module of the communication device, together with the domain manager of the domain-based digital rights environment, is able to selectively add the communication device to a domain that has one or several communication devices sharing a cryptographic key.

EFFECT: possible selective retrieval and decoding of digital content on basis of membership in a domain.

10 cl, 11 dwg

 

The technical field to which the invention relates.

The present invention relates generally to communication systems, in particular to content management systems for secure access to digital content.

Prior art

The digital content market is forecast to continue its rapid expansion. The development of the Internet has fundamentally changed the way business is done. Consumers can easily make purchases using their home computers. The products they purchase can be delivered by UPS, FedEx or other traditional means. However, when the product is not physical but digital, the Internet itself can be used as the delivery mechanism. With the help of the Internet, a large number of products can be represented in digital form and forwarded to customers. Digital objects usually mean music, software, video or books, but other digital products, such as tickets, paintings or stamps, can also be considered. All these are examples of content. As used herein, the term "content" refers to digital information that is locked with a key and can be delivered either in real time, for example as streaming data, or as data that is stored for subsequent access. Such content includes audio books, videos, electronic games, movies in DVD format, MPEG music files in MP3 format, business data such as e-mail and documents, and updates to portable devices, such as three-way calling and ringtones for cell phones.

With the advent of the Internet and more powerful mobile computing devices, consumers will soon need continuous access to digital information at any time and in any place. Communication between devices such as pagers, mobile phones, set-top boxes, home computers and in-car entertainment systems will open up many opportunities for new businesses. The popularity of digital content, such as MP3 music files, electronic games and movies in DVD format, is growing with incredible speed. Wireless devices, more than anything else, make access to this digital content easy and intuitive.

Because of this value and the rapidly growing popularity and availability of digital content, content owners are concerned that with the introduction of these new devices their digital content will become more vulnerable to illegal copying and distribution. To avoid the development of piracy like that which has become widespread on the Internet (for example, the Napster system), content providers plan to rely on secure content management mechanisms. Content providers want to be sure that their rights are protected and that reasonable distribution rules are followed. In the information business, digital data has value in its own right, which creates the need to respect property rights and copyright law.

Aiming to establish themselves in this market and to satisfy content providers, many hardware and software manufacturers have introduced frameworks for the secure handling of digital content. Digital rights management (DRM) is a popular term for the protection of rights and the management of rules related to access to digital information and its processing. These rights and rules govern various aspects of a digital object, for example who owns the object, how the object may be accessed and what the object costs. The rules associated with a particular digital object are often very complex. Software systems are therefore often required to develop, assign and manage these rules.

However, many recent schemes have been criticized as excessively cumbersome and inconvenient for consumers. Protection of digital content is often provided at the expense of convenience for end users. New and better solutions are clearly needed.

One type of digital rights management scheme that is commonly considered is the copy-based approach. In this type of system, a DRM system running on a personal computer (PC) or server stores the original content and manages it. In the prior-art "check in/check out" approach, the content is cryptographically bound to a trusted system that is trusted to decide when, and whether at all, to provide the requested digital content. A limited number of copies is typically available for each piece of digital content. In the copy-based approach, the DRM core software is responsible for issuing digital copies of the original. Users request copies for their user devices, and the DRM core tracks the number of copies issued. When a communication device, in particular a portable wireless device, checks out a copy of a piece of digital content, the trusted system cryptographically binds the copy of the content to the device receiving it and reduces by one the number of copies available for check-out. When the copy is returned, the trusted system correspondingly increases the number of available copies by one. The trusted system does not allow a copy of the digital content to be checked out when the number of available copies is zero.

Consider, for example, the Secure Digital Music Initiative (SDMI) framework, which governs the check-in/check-out policy for digital music content. A DRM system running on a PC or server stores the original music and manages it. The number of copies of a song that can be checked out is fixed. Therefore, when all copies are checked out, a new copy cannot be issued until one copy has been checked in. To keep the music protected, the SDMI framework stipulates that check-out is the only means of transferring content to portable devices, which is very inconvenient for the user. Accordingly, the SDMI system is a DRM scheme that has received very positive reviews from the public.

In a typical scenario, the user's music collection is stored in a cryptographically protected music library on a PC. Users with a portable music player can copy music from the music library to the player. The DRM system manages the library and is responsible for limiting the number of copies that can leave the library. In an SDMI-compliant system, the DRM software manages the check-in/check-out policy for the music. For SDMI, the number of copies of a song that can be checked out is fixed. When all copies are checked out, at least one copy must be checked in before another device can check out the song. To keep the music content secure, check-in/check-out is the only way to transfer music to portable devices.

Figure 1 presents an example of a copy-based system 100 for preventing content piracy, which cryptographically protects content by binding it to the purchasing host. In this system, a content provider 102 maintains a content library 104. When a piece of content is purchased, the content provider 102 cryptographically binds the content to the purchasing host or server 110. The host 110, which has a DRM system 114, receives the content from the content provider and stores it in an encrypted content library 112. The DRM system 114 of the host maintains a content list 116 used to track the number of available copies of each piece of content. Any portable device 118a, 118b, 118c may request a piece of content. When a copy is available, the DRM system 114 uses a cryptographic process to transfer a copy to the portable device. The DRM system 114 also reduces by one the number of available copies of the transferred piece of content. In figure 1 there are three copies of each piece of content. For example, content No. 4536 is not checked out by any of the devices, so three copies are still available. However, content No. 6123 is currently checked out by three devices 118a, 118b, 118c, so zero copies are available. The DRM system 114 will not allow a fourth device to check out content No. 6123 until one of the devices checks in one of the copies.

In general, this prior-art method of controlling access to digital music is widely regarded as intrusive and cumbersome. Particularly irritating is the fact that users have to check in their copies of music before downloading new music. Users of the system face a security check each time they transfer music to their devices. In similar systems without enforced security, checking copies in is not required, which greatly improves the user's experience. Of course, in the absence of protection the likelihood of piracy of digital content increases, so content providers want to provide content for these systems.

The implementation of protection should be balanced. Content providers will not trust systems with a low level of protection; at the same time, consumers do not like systems in which protection comes with a large number of restrictions. The prior-art copy-based check-in/check-out approaches provided by SDMI and other DRM systems provide security but do not meet the needs of the end user. The system requires the user to confront security every time content is transferred to a user device. This excessive protection limits what the user can do. Because the trusted system is accessed very frequently, i.e. each time content is moved to the user device requesting it or checked in from the user device, the approach is most likely to be implemented on a local server or the user's PC and not on a remote server. Accordingly, in an open system that uses a PC or other local server device, security is difficult to maintain and guarantee.

In light of the foregoing, it is apparent that the prior art does not satisfy the need for secure and seamless management of digital content that would be less cumbersome while still providing adequate protection. The security requirements for digital content must protect the content but also let users enjoy working with it.

Brief description of the figures

The novel features of the invention are set forth in the claims. However, the invention itself, as well as preferred ways of implementing it and its further objects and advantages, can be better understood from the following detailed description of illustrative embodiments given with reference to the accompanying drawings, in which:

figure 1 - block diagram of a copy-based digital rights management system according to the prior art;

figure 2 - illustration of the participants in domain-based digital rights management according to an embodiment of the present invention;

figure 3 - illustration of overlapping domains according to the present invention;

figure 4 - block diagram of a domain-based digital rights management system according to the present invention;

figure 5 - illustration of the concept of a domain with one or more user communication devices according to the present invention;

figure 6 - illustration of content being bound to a domain according to the present invention;

figure 7 - diagram of a content package according to the present invention;

figure 8 - block diagram of a user communication device according to the present invention;

figure 9 - block diagram illustrating the architecture of a user device according to the present invention;

figure 10 - block diagram illustrating the architecture of the domain manager according to the present invention;

figure 11 - block diagram illustrating the architecture of a content provider according to the present invention.

Description of the invention

Although the invention can be embodied in many different forms, specific embodiments are described in detail below and shown in the drawings, with the understanding that this description is to be considered an illustration of the principles of the invention and not a limitation of the invention to the specific embodiments shown and described. In the following description, identical reference numerals are used to describe the same, similar or corresponding parts in the several drawings.

The present invention provides a user-friendly way to access desired digital content while managing the content and preventing piracy, using domain-based digital rights management, in contrast to the burdensome copy-based DRM systems of the prior art. Instead of restricting access to content on the basis of a check-in/check-out policy, in which security restrictions come into effect whenever content is loaded onto a communication device, for example a user device (UD), or unloaded from it, access to digital content is managed using a domain-based approach in which the user faces security only when a new user device is acquired or added to a domain, or when an old user device is removed from a domain. Restriction of access to content usually comes down to a limited number of registered devices in the domain. Here, a domain contains one or more user devices, usually up to a certain number of communication devices, that all share a common cryptographic key associated with the domain. A user who has multiple devices will want to register these devices in the same domain.

Figure 2 shows the participants that may take part in an illustrative digital rights management system 200 according to the present invention. It should be understood that, within the spirit and scope of the invention, the functions representing the different participants may be performed by different entities, or the functions performed by the various participants may be performed by fewer or more entities. The consumer or user may acquire a communication device 202, referred to as a user device (UD), which is any electronic device used to access and/or manipulate digital content. Examples of user devices include a mobile phone, a music player, a car stereo, a digital set-top box, a personal computer, etc. A user may have, and probably does have, multiple user devices that he or she wishes to register in one or more domains to which the user belongs, and which may or may not overlap. When at least one user communication device of a first domain is simultaneously registered in a second domain, the first and second domains are said to overlap on that device; the diagram 300 shown in figure 3 is an example of overlapping domains Ben, til and its. A user device may be portable and wireless, such as a cellular telephone, and thus able to connect easily to the wireless Internet. Infrared (IR) technology can also be used, as can limited-range technology such as that implemented in the Bluetooth standard. Bluetooth user devices can access the Internet by connecting to a bridge device, such as a PC or a kiosk (an Internet-connected computer accessible to users).

The domain manager (DA) 204 is responsible for registering (adding) and unregistering (removing) user devices in one or more domains. When adding a device to a domain, the domain manager first checks that the device is legitimate. Legitimate user devices can be detected because only they have access to the proper certificates and keys. The domain manager can also check a revocation list provided by the certificate authority (CA) 206 to make sure that the device's keys and certificates are still valid. Once the device is recognized as authentic, the domain manager sends the user device the proper keys, certificates and commands needed to register it in the domain. The domain manager can also remove devices from a domain by sending the user device a command to delete its domain data. Finally, the domain manager is responsible for limiting the number of user devices permitted in a domain and for monitoring fraudulent registration and removal of devices.

The device manufacturer (DM) 208 makes user devices that enforce the content usage rules and otherwise have secure DRM capabilities. For example, the device manufacturer can embed keys in the user device in a secure manner so that other DRM participants can uniquely identify each user device. The device manufacturer is also responsible for embedding in the device the authentication keys, certificates and other secrets of the certificate authority. The software used by the user device to operate in the domain-based DRM system can be pre-installed on the user device or obtained from a software distributor (SD) 218.

The content provider (CP) 210 sells or otherwise provides content to the registered user devices of a domain. The content provider may be, for example, the artist who created the content, a large content distribution company or an online store selling the content. The main task of content providers is to establish a set of rules and to bind these rules to the content and to the domain that acquires the content. Consider, for example, how a content provider, namely the band XYZ, can attach rules to its latest single, titled "ABC". Having recorded "ABC" in the usual way, they create the file ABC.wav, and because the band is interested in selling this song over the Internet, the song is compressed into an MP3 file, creating ABC.mp3. The MP3 file is then encrypted and associated with usage rules governing the right to play the song, the right to copy the song, the right to edit the song, whether the song can be lent, the payment structure for the song, and whether rules can be added to the song and who can do so. These usage rules can be added using a standard application. Packaging of content by the content provider concerns manipulation of the content's rules rather than the content itself.

Content can be stored in different ways, usually depending on the type of content and the corresponding storage capabilities of the user device, the domain and the system as a whole. Content can be stored in the user device, sent to an online account in a content bank (CB) 212, copied, for example, to the user's PC or another available server, or delivered to the consumer as streaming content. The content bank is the entity responsible for storing and managing the user's content account. Content in an account is not necessarily stored in an account associated with a single end user. Instead, a pointer to a single copy of the content can be maintained, thereby preventing excessive growth in the size of the user's content account(s). For example, when an end user purchases a song, it is credited to the end user's content account and stored on the user's portable user device. The rules associated with this piece of content can be transferred to the content account and to the portable device. When the user decides to load content onto a user device, the content bank's task is to guarantee that the content is received only by authentic, rule-abiding devices, in this case the user device, and for this it can use certificates or secrets issued by the certificate authority (CA) 206 to authenticate the user device.

Public keys associated with providing the desired level of security in the DRM system are managed by certificate authorities (CA) 206, and payments for services and/or content are managed by a payment broker (PB) 214. For example, a certificate authority is a trusted third-party organization or company that manages digital certificates, public/private key pairs or other items needed to verify that content is being handled by a valid and secure device. The methods of verification may include a public-key scheme, a signature scheme or possibly a shared-secret scheme. A public-key scheme uses certificates to ensure that the participants and devices in the DRM system really are who they claim to be. In a shared-secret scheme, the certificate authority is responsible for distributing the shared secrets. Under either scheme the certificate authority must have agreements with device manufacturers, distributors and payment brokers. The certificate authority must also have ways of issuing and revoking certificates or secrets. The certificate authority is preferably an autonomous system, which eliminates the need to contact the certificate authority each time content is played.

Gateway server(s) (GS) 216 provide communication channels or links between the participants in the system; alternatively, participants can communicate directly. Examples of gateway server(s) include, but are not limited to, an in-store kiosk with Internet access or an RF communication channel, a digital set-top box, or a PC. The participants in the DRM system, in particular the user device and the domain manager, are discussed in more detail below.

A user device 202 can be assigned to a specific domain by registering with the domain manager (DA) 204. When a device is registered in a domain 216, it "joins" the domain. Similarly, a device can leave a domain by cancelling its registration. The domain manager 204 enforces the enrollment policy, for example by limiting the number of devices in a domain 216 and limiting the number of times a device may join and leave a domain. The domain manager 204 also looks for potential fraud by tracking which devices join and leave domains. Excessive activity may indicate that a device is trying to cheat the system. Such devices can be barred from further registration actions.
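The enrollment policy described above (authenticate the device, consult the revocation list, cap the number of devices per domain, and bar devices that join and leave too often) can be sketched as follows. This is an added example, not code from the patent or from any implementation it describes; the shared-secret challenge/response, the limits of three devices and four join/leave actions, and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class EnrollmentError(Exception):
    """Raised when the domain manager refuses a registration action."""


def device_response(key, nonce):
    """Device side: prove possession of the secret key installed at manufacture."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class DomainManager:
    # max_devices and max_actions are assumed values; the text gives no numbers.
    def __init__(self, device_keys, revoked, max_devices=3, max_actions=4):
        self.device_keys = dict(device_keys)  # serial -> shared secret
        self.revoked = set(revoked)           # serials on the CA revocation list
        self.max_devices = max_devices
        self.max_actions = max_actions
        self.domains = {}                     # domain ID -> set of member serials
        self.actions = {}                     # serial -> join/leave attempts so far
        self.barred = set()                   # devices refused all further actions
        self.pending = {}                     # serial -> outstanding one-time nonce

    def challenge(self, serial):
        """Issue a fresh nonce; the next request from this device consumes it."""
        nonce = secrets.token_bytes(16)
        self.pending[serial] = nonce
        return nonce

    def _authenticate(self, serial, response):
        nonce = self.pending.pop(serial, None)
        key = self.device_keys.get(serial)
        if nonce is None or key is None:
            raise EnrollmentError("unknown device or no challenge issued")
        if not hmac.compare_digest(device_response(key, nonce), response):
            raise EnrollmentError("authentication failed")
        if serial in self.revoked:
            raise EnrollmentError("device key revoked")

    def _count_action(self, serial):
        """Track join/leave activity; excessive activity bars the device."""
        if serial in self.barred:
            raise EnrollmentError("device barred from registration actions")
        self.actions[serial] = self.actions.get(serial, 0) + 1
        if self.actions[serial] > self.max_actions:
            self.barred.add(serial)
            raise EnrollmentError("excessive join/leave activity")

    def register(self, domain_id, serial, response):
        self._authenticate(serial, response)
        self._count_action(serial)
        members = self.domains.setdefault(domain_id, set())
        if serial not in members and len(members) >= self.max_devices:
            raise EnrollmentError("domain is full")
        members.add(serial)

    def unregister(self, domain_id, serial, response):
        self._authenticate(serial, response)
        self._count_action(serial)
        self.domains.get(domain_id, set()).discard(serial)


def run_scenario():
    """Constructed scenario: five devices try to use the domain "XBDA"."""
    keys = {s: secrets.token_bytes(16) for s in ("A", "B", "C", "D", "R")}
    dm = DomainManager(keys, revoked={"R"})
    log = []

    def attempt(op, serial, key=None):
        response = device_response(key or keys[serial], dm.challenge(serial))
        try:
            getattr(dm, op)("XBDA", serial, response)
            log.append((op, serial, "ok"))
        except EnrollmentError as exc:
            log.append((op, serial, str(exc)))

    for serial in ("A", "B", "C"):
        attempt("register", serial)
    attempt("register", "D")                    # fourth device, domain is full
    attempt("register", "R")                    # key is on the revocation list
    attempt("register", "B", key=b"\0" * 16)    # response made with the wrong key
    for op in ("unregister", "register", "unregister", "register"):
        attempt(op, "A")                        # repeated joining and leaving
    attempt("register", "D")                    # a slot is free now
    return log, dm


if __name__ == "__main__":
    for entry in run_scenario()[0]:
        print(*entry)
```

Every authenticated attempt counts toward the activity limit, including one refused because the domain is full, so repeated probing of a full domain is also bounded.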

The domain manager 204 assigns portable devices to a domain by providing them with a domain identifier (ID), which is bound to the device in a tamper-resistant manner. Binding of the domain ID to the user device is performed using embedded serial numbers and cryptographic elements, for example secret keys and public-key certificates. The DRM systems running on the user device and on the domain manager operate on these cryptographic elements. Only the domain manager has the ability to grant access to a domain. The domain manager thus assures content providers that only devices that are not trying to cheat the system are members of a domain.

When selling digital content, the content provider may request authentication of a specific domain from the user device and/or the domain manager. This request process is performed using a standard cryptographic authentication protocol to ensure that eavesdroppers or hackers cannot cheat the system. Once the content provider is satisfied that the domain is valid, the content can be sold, cryptographically bound to the ID of the purchasing domain. Devices outside this domain cannot access content that is cryptographically bound to a different domain, which protects the content from piracy.

The encrypted content can be stored openly on any host or server system. Any portable device may request a piece of this content. The host simply transfers the content to the requesting device, without check-out control. The security of the content comes from its being cryptographically bound to a specific domain. Pirate distribution of fraudulently copied music is hindered by the fact that the domain manager allows only a limited number of devices in each domain. Hackers are unable to gain unauthorized access to the content because the DRM system in the user device is tamper-resistant.
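The following added example, which is not part of the patent text, shows why the host needs no check-out control: the package it serves to every requester can be opened only with the key of the domain it was bound to. The package fields, the key-wrapping construction and the function names are assumptions, and an HMAC-SHA256 counter-mode keystream stands in for the symmetric cipher so that the example runs with the Python standard library alone.

```python
import hashlib
import hmac
import secrets


def _keystream_xor(key, nonce, data):
    """HMAC-SHA256 in counter mode, a stdlib stand-in for a block cipher (assumption)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def _subkey(domain_key, label, domain_id):
    """Derive separate wrapping and MAC keys, both tied to the domain ID."""
    return hmac.new(domain_key, label + domain_id.encode(), hashlib.sha256).digest()


def _tag(package, domain_key):
    mac = hmac.new(_subkey(domain_key, b"mac", package["domain_id"]),
                   digestmod=hashlib.sha256)
    for name in ("nonce", "wrapped_cek", "ciphertext"):
        mac.update(len(package[name]).to_bytes(8, "big") + package[name])
    return mac.digest()


def bind_to_domain(content, domain_id, domain_key):
    """Content provider: encrypt once, wrap the content key for one domain."""
    cek = secrets.token_bytes(32)          # content encryption key
    nonce = secrets.token_bytes(16)
    wrap_key = _subkey(domain_key, b"wrap", domain_id)
    package = {
        "domain_id": domain_id,
        "nonce": nonce,
        "wrapped_cek": _keystream_xor(wrap_key, nonce, cek),
        "ciphertext": _keystream_xor(cek, nonce, content),
    }
    package["tag"] = _tag(package, domain_key)
    return package


def open_package(package, held_keys):
    """User device: held_keys maps each domain ID it is registered in to that key."""
    domain_id = package["domain_id"]
    domain_key = held_keys.get(domain_id)
    if domain_key is None:
        raise PermissionError("device is not registered in " + domain_id)
    if not hmac.compare_digest(_tag(package, domain_key), package["tag"]):
        raise PermissionError("package is not bound to this domain key or was altered")
    wrap_key = _subkey(domain_key, b"wrap", domain_id)
    cek = _keystream_xor(wrap_key, package["nonce"], package["wrapped_cek"])
    return _keystream_xor(cek, package["nonce"], package["ciphertext"])


def _try_open(package, held_keys):
    try:
        return open_package(package, held_keys)
    except PermissionError as exc:
        return str(exc)


def run_scenario():
    """Constructed data: one song bound to domain XBDA, served to every requester."""
    keys = {"XBDA": secrets.token_bytes(32), "ZXZP": secrets.token_bytes(32)}
    host = {"ABC.mp3": bind_to_domain(b"constructed song bytes", "XBDA", keys["XBDA"])}
    devices = {
        "phone": {"XBDA": keys["XBDA"]},
        "player": dict(keys),                  # registered in both domains (overlap)
        "tv": {"ZXZP": keys["ZXZP"]},
    }
    results = {name: _try_open(dict(host["ABC.mp3"]), held)
               for name, held in devices.items()}
    relabelled = dict(host["ABC.mp3"], domain_id="ZXZP")   # domain label changed
    results["tv, relabelled copy"] = _try_open(relabelled, devices["tv"])
    return results, host


if __name__ == "__main__":
    for name, outcome in run_scenario()[0].items():
        print(name, "->", outcome)
```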

The security of the system according to the present invention is less cumbersome than that of previous approaches, because users only infrequently have to register user devices in a domain or remove them from it. In a check-in/check-out system, users face security restrictions whenever they load content onto their portable devices or unload it from them. According to the present invention, users have to deal with security only when purchasing a new device or when they want to add a user device to one or more domains.

Figure 4 shows a block diagram that further illustrates domain-based digital rights management for securely managing access to digital content. The domain manager assigns communication devices, for example the portable user devices 2021, 2022, 2024, to domains, of which there are two in this example, domain XBDA 410 and domain ZXZP 412, and enforces the domain registration policy. Content from the content library 404 is protected by cryptographically binding it to one or more domains 410, 412, but not to the PC or server 406. Only devices that are bound to a domain or authorized by the domain to receive content can obtain content that is cryptographically bound to the domain. All devices registered in a domain 216 are connected in the sense that they all have access to the content in the domain, as shown by the example domain 500 depicted in figure 5, which includes a variety of devices, for example a home computer, MP3 player, car entertainment system, television set, cell phone and home entertainment system. This also means that devices in one domain, such as domain ZXZP 412, cannot access content that is cryptographically bound to a different domain, for example domain XBDA 410. According to figure 6, in the illustrative system 600, the domain 216 contains two cell phones, No. 1 and No. 2, and an MP3 player, all of which communicate with the content bank 212; however, the stereo headphones are outside the domain and do not have access to the content account in the content bank 212. Note that, although the encrypted content is shown stored in the encrypted content library 408 on the PC or server 406, the encrypted content can, if desired, additionally be stored in a communication device, for example portable devices 1, 2 or 3, designated 2021, 2022, 2024 respectively.

Obviously, communication between the participants in the domain-based DRM system and method according to the present invention requires sufficiently strong cryptographic protocols. For communication with devices that support communication over the Internet, standard protocols can be used, such as WTLS (Wireless Transport Layer Security) class 3 or TLS (Transport Layer Security). For content protection, strong symmetric-key cryptography such as triple DES or AES can be used. For authentication and signatures, RSA or elliptic-curve public-key cryptography can be used. The integrity of content can be preserved with a secure hash function such as SHA-1. Consider an example in which a manufacturer produces a user device. After manufacture, the user device is certified (by the device manufacturer or by a trusted authority) and becomes a legitimate device. Certification can use a certificate that can be validated with a public key, or a shared secret key. A certified user device contains either a certificate (or a reference to the certificate) and the private key corresponding to that certificate, i.e. the private key paired with the public key of the certificate, or a secret key (shared with the authorized authorities of the DRM system). The domain manager is configured and certified in a similar way. When a user wishes to register a user device in a domain, the user device and the domain manager use a protocol to authenticate each other. This authentication is performed in a standard way on the basis of the public-key certificates or secret keys previously installed in the user device and the domain manager. After authentication, the domain manager creates and sends to the user device a domain certificate for the new domain. When new content is acquired for the domain, this certificate is presented to content providers. Having the user device's domain certificate, the content provider can assign content to this domain using the information from the certificate. The above procedure can be carried out with public-key or symmetric-key cryptography. For key distribution, the public-key approach is simpler than the symmetric-key approach.

The requested content is made available, primarily by a content provider or by another entity in the DRM system that has access to the requested content, as part of a content package. Figure 7 shows the general structure of a content package. The content package 700 is a combination of five objects: a content provider header (RFQ NRC) 710, a rights document PGEC 720, a rights table 730, or encoded rights table, a hash table 740 and the encrypted content 750. The header 710 of the content package is mainly used to indicate the presence and size of the various objects of the content package 700. The rights document 720 sets out the usage rules for the content. These rules usually have a standard format. The rights document also contains the certificates, public keys and some of the hash values the user device needs to verify the rules and the integrity of the other objects in the content package.

The encoded rights table (ERT) 730, which is a more efficient representation of the rights document, is included in the content package. The encoded-rights-table approach is notable in that it implements a binary representation of the data, unlike a formal language such as the extensible rights markup language (XrML), and has a small size and high performance, which is especially attractive for low-power or otherwise constrained user devices. A constrained device is a communication device some of whose physical characteristics, for example screen size, RAM, ROM, etc., are limited, for example because of processing power and task load, power supply/battery parameters, memory limits, and bandwidth limitations of the channel between the device and other infrastructure elements.

The encoded rights table 730 is designed so that digital usage rights from other rights documents can be converted into the encoded-rights-table format of the present invention, which makes a system that uses the encoded rights table compatible with other DRM systems that would be cumbersome for a constrained device. Translation from one DRM language into the encoded-rights-table representation can be performed using a transcoder. The transcoder parses the data in the source language and converts it into the encoded-rights-table format, or vice versa. Content providers and owners of digital content are free to choose a preferred DRM system, using translation software where necessary.

The encoded rights table has multiple sections, delimited by assigned code words or tokens: ERT_VERSION, TOKEN_OBJECT_INFO, TOKEN_WORK_HASH, TOKEN_KEY_ID, TOKEN_xxx_RIGHT and TOKEN_ERT_SIGN. The ERT_VERSION section gives the version number of the encoded rights table. Future updates to the encoded rights table format will require new software not only to recognize the new version but also to recognize earlier versions for backward compatibility. The TOKEN_OBJECT_INFO section contains information relating to the digital object associated with the encoded rights table, for example a uniform resource locator (URL) where more information about the digital object can be obtained or a copy of the digital object can be purchased. The TOKEN_WORK_HASH section contains a cryptographic hash of the digital object associated with the encoded rights table and specifies which hash algorithm is to be used. The TOKEN_KEY_ID section specifies the keys required for access to the digital object. An example is the content encryption key (XK, S) assigned to the recipient using a public-key encryption algorithm. The TOKEN_xxx_RIGHT section contains the rules for the use of the digital object. For example, a section of this kind can indicate that a particular key in the TOKEN_KEY_ID section has the right to "reproduce" the digital object. The encoded rights table specification can include other rights, including streaming, borrowing, copying, moving and installation. Each of these rights also includes information identifying the portion of the digital object to which it applies. Finally, the TOKEN_ERT_SIGN section contains information that identifies the signature algorithm used to sign the hash value of the encoded rights table, the signer's public or symmetric key, and the signature data.
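The section layout described above can be exercised with a small parser. This is an added example, not code from the patent: the token byte values, the token/length/payload framing, the algorithm identifier, the names TOKEN_PLAY_RIGHT and TOKEN_COPY_RIGHT, and the use of HMAC-SHA256 for the symmetric-key signature are all assumptions made for illustration, and the sample content and URL are constructed.

```python
import hashlib
import hmac
import struct

# Token byte values are assumptions; the page names the sections, not their encoding.
ERT_VERSION, TOKEN_OBJECT_INFO, TOKEN_WORK_HASH, TOKEN_KEY_ID = 0x01, 0x02, 0x03, 0x04
TOKEN_PLAY_RIGHT, TOKEN_COPY_RIGHT = 0x10, 0x11   # hypothetical TOKEN_xxx_RIGHT instances
TOKEN_ERT_SIGN = 0x7F
RIGHT_NAMES = {TOKEN_PLAY_RIGHT: "play", TOKEN_COPY_RIGHT: "copy"}
SUPPORTED_VERSIONS = {1, 2}   # a newer parser still accepts the earlier version
ALG_SHA256 = 1                # assumed id for SHA-256 and HMAC-SHA256


class ErtError(ValueError):
    """The table is malformed, unsupported, or fails verification."""


def section(token, payload):
    """Encode one section: token (1 byte), length (2 bytes, big-endian), payload."""
    return struct.pack(">BH", token, len(payload)) + payload


def build_ert(content, key_id, rights, sign_key, version=2):
    """Provider side. rights is a list of (right_token, start, end) for key index 0."""
    body = section(ERT_VERSION, bytes([version]))
    body += section(TOKEN_OBJECT_INFO, b"https://example.invalid/object/1")
    body += section(TOKEN_WORK_HASH, bytes([ALG_SHA256]) + hashlib.sha256(content).digest())
    body += section(TOKEN_KEY_ID, key_id)
    for token, start, end in rights:
        body += section(token, struct.pack(">BII", 0, start, end))
    # The signature covers the hash of everything before the signature section.
    mac = hmac.new(sign_key, hashlib.sha256(body).digest(), hashlib.sha256).digest()
    return body + section(TOKEN_ERT_SIGN, bytes([ALG_SHA256]) + mac)


def split_sections(blob):
    """Return [(token, payload, offset)]; reject truncated or overlong sections."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 3 > len(blob):
            raise ErtError("truncated section header")
        token, length = struct.unpack_from(">BH", blob, pos)
        if pos + 3 + length > len(blob):
            raise ErtError("section length runs past the end of the table")
        out.append((token, blob[pos + 3:pos + 3 + length], pos))
        pos += 3 + length
    return out


def parse_ert(blob, content, sign_key):
    """Device side: verify the signature and content hash, then return the rights."""
    sections = split_sections(blob)
    if len(sections) < 2 or sections[0][0] != ERT_VERSION or len(sections[0][1]) != 1:
        raise ErtError("table must begin with a version section")
    version = sections[0][1][0]
    if version not in SUPPORTED_VERSIONS:
        raise ErtError(f"unsupported table version {version}")
    sign_token, sign_payload, sign_offset = sections[-1]
    if sign_token != TOKEN_ERT_SIGN or sign_payload[:1] != bytes([ALG_SHA256]):
        raise ErtError("missing or unsupported signature section")
    expected = hmac.new(sign_key, hashlib.sha256(blob[:sign_offset]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sign_payload[1:]):
        raise ErtError("signature check failed")

    table = {"version": version, "info": None, "keys": [], "rights": []}
    hash_checked = False
    for token, payload, _ in sections[1:-1]:
        if token == TOKEN_OBJECT_INFO:
            table["info"] = payload.decode("utf-8")
        elif token == TOKEN_WORK_HASH:
            if payload[:1] != bytes([ALG_SHA256]):
                raise ErtError("unsupported hash algorithm")
            if not hmac.compare_digest(hashlib.sha256(content).digest(), payload[1:]):
                raise ErtError("content does not match the hash in the table")
            hash_checked = True
        elif token == TOKEN_KEY_ID:
            table["keys"].append(payload)
        elif token in RIGHT_NAMES:
            if len(payload) != 9:
                raise ErtError("malformed right section")
            key_index, start, end = struct.unpack(">BII", payload)
            table["rights"].append((RIGHT_NAMES[token], key_index, start, end))
        else:
            # Unknown, duplicated version, or misplaced signature tokens are refused.
            raise ErtError(f"unknown token 0x{token:02x}")
    if not hash_checked:
        raise ErtError("table carries no content hash")
    for _, key_index, start, end in table["rights"]:
        if key_index >= len(table["keys"]) or start > end or end > len(content):
            raise ErtError("right refers to a missing key or an invalid range")
    return table
```

The parser checks the signature before it interprets any rights section, so a modified table is rejected before its rules can influence playback.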

The content provider 210 adds the encoded rights table 730 to the content package 700 to facilitate enforcement of the rules. Using the encoded rights table simplifies the software on the user device at the cost of a small increase in the size of the content package and some additional pre-processing performed by the content provider.

Hashing is used to ensure the integrity of the content and to bind the content to the legal document. Hashing allows the integrity of the content package to be checked.

The last part of the content package is the encrypted content (EC) 750 itself. To prevent piracy, this content is left encrypted. The content decryption key is embedded in the legal document and is available only to the owner or purchaser of the content.

The dotted line shows that the objects of the content package 700 can optionally be provided as two files: a license file 670, containing the content provider header (RFQ), PGEC and the encoded rights table, and an encrypted content file 770, containing the content hash table, the encrypted content and a duplicate (not shown) of the header 710 of the content package.

Now consider the architecture and the preferred mode of operation of the user device according to the present invention. The figure shows a block diagram 800 of a user device 202, for example a mobile phone, operating in the digital rights management environment. The communication device has a processing element such as a central processing unit (CPU) 802, and a digital rights management module 804, which may contain firmware or software, designed to control the operation of the transmitter 806 and the receiver 808 in a domain environment. The user device has various memory elements, for example random access memory (RAM) 810, read-only memory (ROM) 812 and electrically erasable programmable ROM (EEPROM) 814, as well as an optional removable-media content storage device 816. A power supply and DC regulation block 824 and a battery 826 supply power to the user device 202. The software or firmware digital rights management module operates in conjunction with the domain manager to add the user device to one or more domains and remove it from them, thereby providing selective reception and decoding of digital content based on membership in one or more domains. The user device additionally has peripheral elements, such as a keyboard 818, a display 820 and headphones 822, which are used for interaction with the user of the user device.

Figure 9 shows a flowchart 900 illustrating the architecture of a user device, showing the various memory and software components responsible for secure access to, management of and playback of content on the user device 202. The core digital rights management software 902, referred to as the digital rights management module and shown in the drawing framed by dashed lines, consists in this illustrative embodiment of a content package management module 904, a communication control module 906, a content decoder 908 and a content player 910. It is understood that, without departing from the nature and scope of the invention, a different architecture can be used to provide the functions of these components of the digital rights management module 902. The core digital rights management software is responsible for handling the decrypted content and keeping it secure. In addition to this core, various layers of supporting software are required for tasks such as managing files and keys, networking, and various cryptographic functions. There are also two applications that users can run to acquire and access content: the content management application 912 and the web browser application 914. It is assumed that the applications described here can be trusted to the extent that they contain no viruses and have been tested to ensure that they do not damage protected data or keys. A trusted entity, for example the device manufacturer, is responsible for confirming that the software and applications of the user device conform to these rules.

The encrypted content received by the user device can be stored in the form of content packages 916 in non-volatile memory 918 of the user device, as shown in the figure. This non-volatile memory is open-access memory: security is maintained by encrypting the content in the content packages, not by restricting access to this memory. The open-access memory of the user device can be either internal or external to the device. Public data linked to a particular user device or domain, for example public key certificates, is preferably stored in the internal memory 920. Content packages, which are typically much larger, can be stored on a removable flash memory card, for example a multimedia card (MMC).

The file system management module 922 manages the open-access memory 918, 920. This file management module performs operations on files, including low-level input/output procedures. Higher-level applications operate through the file management module to create, edit, read and organize files in the open-access memory. For example, the web browser application 914 of the user device can be used to purchase content packages from an online content provider. Users may wish to copy the newly acquired content packages to a removable memory card. These new content packages will have a certain file extension, for example ".cpk", that is associated with a helper application. After the browser downloads the content package, the content package installer is launched. This content installer 924 communicates with the file system management module to store the newly received content.

The web browser 914 can also be used when the user wants to join a domain or leave it. According to a preferred embodiment, when joining a domain the user visits the web site of the domain manager to obtain the private key of the domain and the public key certificate. The secure browser downloads this data, and the key/certificate installation program 926 automatically installs the new keys and certificates. The installation program 926 must decrypt the incoming key and pass it to the software module 928, which manages the protected memory 930 of the user device.

The user device has two types of protected memory. The first type is tamper-evident memory 932. In the preferred embodiment, this memory is used to store an encrypted version of the private keys of the device, for example the unique private key of the device (KuPri) or the shared private key of the domain (KdPri). This memory also stores digital rights management activity tracking data, for example for pay-per-play or single-play content, and the software of the user device. Tampering with this memory is possible but detectable, because its integrity can be checked using secure cryptographic hash values and signatures.

The hash values for the tamper-evident memory are stored in protected memory 934 of the second type, which is tamper-resistant. Memory of this type defeats attempts by hackers to read or change its contents. In the preferred embodiment, this memory stores the secret key used to encrypt KuPri and KdPri. In addition, this memory holds the bootstrap code and the root key that guarantee the security of the user device software. The bootstrap code is responsible for starting the operating system of the user device and for verifying the integrity of the software on the user device.

The protected memory blocks 932, 934 are accessed through the protected memory management module 930. This management module is responsible for storing data in and retrieving data from the tamper-evident memory 932 and for properly updating the corresponding hash values in the tamper-resistant memory 934. The protected memory management module 930 also checks the tamper-evident memory 932 for signs of tampering. The key/certificate/digital rights management accounting management module 928 communicates with the protected memory management module 930 whenever the protected memory must be updated in connection with new keys or digital rights management.
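The split between memory 932 (writable by an attacker, but integrity-checked) and memory 934 (holding only the reference hashes) can be modelled in a few lines. This is an added sketch, not the patent's implementation: the class and record names are hypothetical, SHA-256 is an assumed choice of hash, and memory 934 is simply a dictionary that the simulated attacker is assumed unable to reach.

```python
import hashlib
import hmac


class TamperError(Exception):
    """Data in memory 932 no longer matches its digest in memory 934."""


class ProtectedMemoryManager:
    """Model of module 930: records in writable storage, digests in a protected store."""

    def __init__(self):
        self.mem_932 = {}  # an attacker can read and overwrite these records
        self.mem_934 = {}  # assumed unreachable from outside this manager

    @staticmethod
    def digest(name, data):
        # Bind the record name into the digest so two records cannot be swapped.
        encoded = name.encode()
        return hashlib.sha256(len(encoded).to_bytes(2, "big") + encoded + data).digest()

    def store(self, name, data):
        # Every write refreshes the reference digest, so older values become invalid.
        self.mem_932[name] = bytes(data)
        self.mem_934[name] = self.digest(name, data)

    def retrieve(self, name):
        if name not in self.mem_932 or name not in self.mem_934:
            raise TamperError(f"record {name!r} is missing")
        data = self.mem_932[name]
        if not hmac.compare_digest(self.digest(name, data), self.mem_934[name]):
            raise TamperError(f"record {name!r} was modified outside the manager")
        return data

    def audit(self):
        """Return the names of all records that fail verification."""
        bad = []
        for name in sorted(set(self.mem_932) | set(self.mem_934)):
            try:
                self.retrieve(name)
            except TamperError:
                bad.append(name)
        return bad


def demo_rollback():
    """Constructed scenario: restoring an old single-play counter is detected."""
    mgr = ProtectedMemoryManager()
    mgr.store("plays_left", b"1")
    old_copy = mgr.mem_932["plays_left"]   # attacker saves the record
    mgr.store("plays_left", b"0")          # the single play is consumed
    mgr.mem_932["plays_left"] = old_copy   # attacker writes the old value back
    return mgr.audit()
```

Because the reference digest is replaced on every legitimate write, restoring an earlier copy of the accounting record fails verification just as an arbitrary modification does.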

Finally, the supporting digital rights management software includes the networking layers 936. In particular, digital rights management applications use a network security layer 938, for example Secure Sockets Layer (SSL), TLS or WTLS. These security layers provide a standard method of establishing secure communication channels between the user device and a server (for example, the domain manager, the content provider or another user device) in the network 940. The network layers are accessible both to the browser application and to the digital rights management communication control module, which is part of the core digital rights management software.

The core digital rights management software of the user device, called the digital rights management module of the communication device, handles the decrypted content securely and is used by the content management application, which the user launches to play and manipulate content. For music, this management application is the application used to play songs and create playlists. The user interface of this application displays information about a song, such as the song title, playing time and the artist's name. This application also provides the user interface for peer-to-peer communication and for administering domain preferences. The content management application preferably has a direct connection to the file system management module, allowing it to track which content packages are available for playback.

When the user decides to play a specific portion of content, the content management application calls the core digital rights management software. The core content player is responsible for playing the content and sending it to the output device. However, before the content can be played it must be decoded, and before that it must be decrypted. The content package management module is a software module designed for processing and decoding content packages.

The content decoder software asks the content package management module to "open" a content package. The content package is "opened" by checking the legal document, the hash table and the encoded rights table. If opening the package and accessing it does not violate the rules, the content package management module begins reading and decrypting the encrypted content. The decrypted content is fed through buffers to the content decoder, which decompresses the content and passes it to the core content player for playback. On finding a violation of the rules, the content package management module returns an error code. The content package management module is also responsible for updating the digital rights management accounting data, by communicating with the key/certificate/digital rights management accounting management module, whenever playing a portion of content requires such an update.

The communication control module of the core digital rights management procedures is responsible for establishing communication links with other devices. These links can be used for streaming, copying, borrowing or moving content to other trusted devices. To establish a secure channel, the communication control module uses the security components of the network communication software whenever possible.

Figure 10 depicts a block diagram illustrating the operation of the domain manager 204 within the domain-based digital rights management system and method, as well as the various objects the domain manager uses to securely register user communication devices in a domain and remove them from the domain. The core digital rights management software and/or firmware 1002, indicated by the dotted rectangle, is according to a preferred embodiment a web server application consisting of a communication control module 1004, a device registration control module 1006, a domain key packager 1008 and a fraud/revocation detector 1010. The core digital rights management software 1002 of the domain manager is accessed through common gateway interface (CGI) programs, which are run by the web server application. The common gateway interface programs form part of the core digital rights management software of the domain manager. As in the case of the user device, tasks such as memory management, networking, and various cryptographic functions require various layers of supporting software. The domain manager, like the certification authority (CO), is a trusted server that runs in an environment protected from physical attacks. The supporting software of the domain manager is responsible for the security of its private data, which may include the private keys of domains, a list of all registered and unregistered devices, domain activity logs, device revocation lists and trusted digital rights management software. This data is preferably stored in tamper-evident memory 1020, and some of it is also encrypted.

To detect tampering with the tamper-evident memory 1020, a tamper-resistant memory 1022 is required. As described above for the user device, the protected memory management module 1024 is used to store data in and retrieve data from the tamper-evident memory 1024 and to properly update the corresponding hash values in the tamper-resistant memory 1022.

According to a preferred embodiment, the domain and digital rights management data management module 1026 operates a tamper-evident database containing the data, keys and certificates of the domains. This database management module 1026 can receive requests both for the domain keys belonging to a particular user device and for the user devices belonging to a particular domain. The open-access memory 1029 of each domain manager also holds a certificate (Dacert) 1028 used to authenticate the domain manager to the user device. The certification authority signs the Dacert, and the Dacert is exchanged with the user device when a secure communication channel is established. The open-access memory 1029 is managed by the file system management module 1030. This file management module is responsible for operations on files, including low-level input/output procedures. Higher-level applications operate through the file management module to create, modify, read and organize files in the open-access memory.

The core digital rights management software of the domain manager governs the interaction between the domain manager and the user device, and the relationship between the domain manager and the content provider. The main component of the domain manager's digital rights management software is the aforementioned web server application. The web server serves web pages to the user device, possibly in Wireless Markup Language (WML) format, for example for user devices that support the Wireless Application Protocol (WAP). These pages are part of the user interface (UI), giving users an easy-to-use interface for adding devices to a domain or removing them from it.

If the user wishes to add a device to an existing domain or create a new domain, the user must first open the web page for adding a device to a domain. When creating a new domain, the user is asked to choose a domain name and password. In a preferred embodiment, the domain manager can then initiate a secure authenticated connection with the user device, for example using WAP class 3 or an equivalent protocol. When this secure channel is established, the domain manager obtains the unique factory-installed public key of the user device. The registration program of the domain manager uses this public key, together with the domain name and password, to set up the new domain in the digital rights management database of the domain manager. Finally, the domain manager creates a new pair of private and public keys for the new domain. The private key, together with instructions for its use, is placed in a file that the user device downloads. The key installation application 1032 of the user device parses this key file to retrieve the instructions and the key of the new domain. The instructions direct the user device to install the key in its memory and thus to register the user device in this domain.

If the user wishes to add a device to an existing domain, the process is essentially similar. The user is asked for the name and password of the existing domain. The domain manager looks up this domain, checks the password and confirms that the limit on the number of devices in the domain has not been reached. If the limit has not been reached, the domain manager adds the user device to the domain, retrieves the private key of the domain, packages the key, and then provides it to the user device over the secure authenticated channel.

If the user wishes to remove a device from a domain, the domain manager first establishes a secure channel to identify and authenticate the public key of the user device. The domain manager then looks up this public key in its database to determine which domain or domains the user device is a member of. The user of the user device is then asked to choose the domain or domains in which membership should be ended. The domain manager processes this information and generates a key deletion package, which the user device downloads. The key installation program 1032 of the user device parses this package, removes the appropriate key, and sends a confirmation message to the domain manager. The domain manager can now be sure that this user device is no longer a member of the domain or domains.

The domain manager also maintains a log of each user device's attempts to register in a domain or be removed from one. The fraud/revocation detector 1010 monitors this log. Whenever it detects suspicious behavior, a warning message is sent to the operators of the domain manager system. The operators can start a further investigation to determine whether to revoke the public key of the suspiciously behaving user device. If necessary, the domain manager stores a list of revoked user devices and denies service to any user device included in this list.
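The registration, removal and monitoring steps described above fit together as follows. This is an added example, not the domain manager's actual software: the class and method names, the salted password hash, the failure threshold used as the "suspicious behavior" rule, and the random byte string standing in for the domain private key are assumptions, and the secure authenticated channel that delivers the device public key is taken as already established.

```python
import hashlib
import hmac
import secrets
from collections import Counter


class DomainError(Exception):
    """A registration or removal request was refused."""


class DomainManager:
    def __init__(self, max_devices=4, max_failures=3):
        self.max_devices = max_devices    # per-domain device limit (assumed value)
        self.max_failures = max_failures  # alert threshold (assumed policy)
        self.domains = {}                 # domain name -> record
        self.revoked = set()              # revoked device public keys
        self.attempts = []                # log of (device_pub, action, succeeded)

    @staticmethod
    def pw_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def fail(self, device_pub, action, reason):
        # Refused requests are logged too; the detector works from them.
        self.attempts.append((device_pub, action, False))
        raise DomainError(reason)

    def begin(self, device_pub, action):
        if device_pub in self.revoked:
            self.fail(device_pub, action, "device is revoked")

    def create_domain(self, name, password, device_pub):
        self.begin(device_pub, "create")
        if name in self.domains:
            self.fail(device_pub, "create", "domain name already in use")
        salt = secrets.token_bytes(16)
        self.domains[name] = {
            "salt": salt,
            "pw": self.pw_hash(password, salt),
            "key": secrets.token_bytes(32),  # stand-in for the domain private key
            "devices": {device_pub},
        }
        self.attempts.append((device_pub, "create", True))
        return self.domains[name]["key"]

    def add_device(self, name, password, device_pub):
        self.begin(device_pub, "add")
        dom = self.domains.get(name)
        # One error for unknown domain and wrong password, so names cannot be probed.
        if dom is None or not hmac.compare_digest(
                dom["pw"], self.pw_hash(password, dom["salt"])):
            self.fail(device_pub, "add", "unknown domain or wrong password")
        if device_pub not in dom["devices"] and len(dom["devices"]) >= self.max_devices:
            self.fail(device_pub, "add", "device limit reached")
        dom["devices"].add(device_pub)
        self.attempts.append((device_pub, "add", True))
        return dom["key"]

    def remove_device(self, name, device_pub):
        self.begin(device_pub, "remove")
        dom = self.domains.get(name)
        if dom is None or device_pub not in dom["devices"]:
            self.fail(device_pub, "remove", "device is not a member")
        dom["devices"].discard(device_pub)
        self.attempts.append((device_pub, "remove", True))
        # The device is expected to delete its key and confirm.
        return {"action": "delete_key", "domain": name}

    def domains_of(self, device_pub):
        return sorted(n for n, d in self.domains.items() if device_pub in d["devices"])

    def suspicious_devices(self):
        """Devices whose failed attempts reach the threshold, for operator review."""
        failures = Counter(dev for dev, _, ok in self.attempts if not ok)
        return sorted(dev for dev, n in failures.items() if n >= self.max_failures)

    def revoke(self, device_pub):
        self.revoked.add(device_pub)
```

Revocation stays a separate operator action, as in the text: the detector only reports devices, and `revoke` is what denies them further service.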

Finally, the domain manager is able to communicate with the content provider. When selling content to a user device, the content provider asks the domain manager for the list of domains of which the user device is a member. This request is handled by the communication control module of the domain manager. The information the content provider receives facilitates the transaction with the user device by giving the user of the user device a convenient way to purchase content for one of these domains. If the domain manager and the content provider do not wish to exchange this information, the user of the user device provides the information about the domain.

Figure 11 depicts a flowchart 1100 illustrating the architecture of a content provider (CP) 210 suitable for providing the requested content in the domain-based digital rights management environment. The core digital rights management software and/or firmware 1102 of the content provider is indicated by the dotted rectangle and includes the functions provided by the communication control module 1104, a content packager 1106 and a revocation detector 1108. In a preferred embodiment of the invention, these functions are provided by a web server application. The supporting software of the content provider performs tasks such as memory management, networking, and various cryptographic functions.

As in the case of the user device and the domain manager, tamper-evident memory 1110 is used to store the private key of the content provider, revocation lists and trusted software. Content packages 1112 are stored in the open-access memory 1114. These packages are assigned to the public key of the content provider; the content is thus encrypted with a key that only the private key of the content provider can decrypt. When a user device buys a content package, the core digital rights management software of the content provider reassigns the content package to the public key of the user device.

The core digital rights management software 1102 of the content provider governs the interaction between the content provider 210 and the user device 202, and the relationship between the domain manager 204 and the content provider 210. According to a preferred embodiment, the main component of the content provider's digital rights management software is a web server application. This application serves web pages to the user device, possibly in WML format for user devices with WAP capabilities. These pages give users an easy-to-use interface for purchasing content for the devices in their domain.

The functions of the additional components of the block diagram, including the open-access memory 1116, the protected memory management module 1118, the key/certificate management module 1120, the tamper-evident memory 1122, the network 1124, the network layers 1126 and the key/certificate installer 1128, are similar to those described above for the same components with reference to Figures 9 and 10.

According to a preferred embodiment, when establishing the secure authenticated channel through which the requested content can be supplied to the requesting user, the content provider requests the private key of the user device. The content provider then contacts the domain manager to determine the domain or domains that contain that specific user device. The content provider can optionally create a web page through which it asks the user of the user device to decide which domain the new content should be assigned to. The content provider then reassigns the content to this preferred domain. Alternatively, the user of the user device may manually enter the name (or URL) of the domain for which he wants to buy music. Again, the content provider contacts the domain manager to obtain the public key certificate for that domain. The content package is then assigned to this domain.

The reassigned package is then transferred to the user device, where it is installed. The user may also wish to send the content to an online content account. In this case, the content provider may send the content package, together with instructions, to the corresponding content bank.

The content provider has various common gateway interface (CGI) programs that are called when certain web sites are visited. One of these common gateway interface programs is the communication control module 1104, which governs the interaction between the content provider and the domain manager. Another common gateway interface program, the content packager 1106, is used to reassign a content package to the user device. Finally, the revocation detection software 1108 is used to verify that the public key of the purchasing user device has not been revoked.

The domain approach of the present invention provides a consumer-friendly method of accessing digital content that prevents piracy of digital content without requiring the cumbersome check-in/check-out control policies of the copy-based approaches of the prior art. Access to content is limited to devices that are registered in one or several domains, but for the registered devices of a domain the content is available at any time and in any place. Trusted devices outside the domain do not have automatic access to content within the domain, but the content may be provided to them if the appropriate content protocols are supported. Because access to the content is allowed only for registered devices, check-in/check-out control policies are not required, which greatly simplifies the user interface and extends its functionality. The end user encounters the security measures only when adding new devices to one or more domains. Security nevertheless remains reliable, because the content is protected by cryptographic techniques based on strong cryptographic and security protocols.

Although the invention is described with reference to specific embodiments, in light of the above description those skilled in the art can propose numerous alternatives, modifications, permutations and variations. Accordingly, the present invention is intended to embrace all such alternatives, modifications and variations that fall within the scope of the attached claims. For example, the present invention is applicable to portable wireless devices, such as pagers, mobile phones, personal communication systems (PCS) devices and Bluetooth devices, which are characterized by a limited communication range, as well as to devices that are not necessarily mobile or wireless, for example automotive entertainment systems, TV set-top boxes that operate on digital content, and home computers.

1. A communication device operating in a domain-based digital rights management environment, comprising: a receiver for receiving incoming messages for the communication device; a transmitter for transmitting outgoing messages of the communication device; a processing element connected to the transmitter and the receiver and controlling the transmitter and the receiver; and a digital rights management module connected to the processing element and controlling the operation of the communication device in the domain-based digital rights management environment, wherein the digital rights management module of the communication device, in conjunction with the domain manager of the domain-based digital rights management environment, is configured to selectively add the communication device to a domain having one or more communication devices that share a cryptographic key, and thus allows the communication device to selectively receive and decode digital content based on domain membership.

2. The communication device according to claim 1, characterized in that the transmitter is a limited-range transmitter with a limited communication range and is capable of transmitting digital content to an authorized communication device within the limited communication range.

3. The communication device according to claim 1, wherein, in response to receiving a user request, the digital rights management module instructs the transmitter of the communication device to transmit to the domain manager a request to register the communication device in the domain, and, if it is determined that the communication device has access to one or more valid cryptographic elements, the digital rights management module instructs the receiver of the communication device to receive, over the communication channel, the cryptographic key of the domain from the domain manager in order to bind the communication device to the domain.

4. The communication device according to claim 3, characterized in that the digital rights management module, together with the domain manager, removes the communication device from a domain by performing the following steps: in response to a user request to remove the communication device from the domain, the digital rights management module of the communication device causes the transmitter to transmit a request to remove the communication device from the domain; in response to the request to remove the communication device from the domain, the communication device receives from the domain manager, via a secure communication channel, a command to delete the cryptographic key of the domain from the communication device; and after receiving the command from the domain manager, the digital rights management module of the communication device deletes the cryptographic key of the domain.

5. The communication device according to claim 1, characterized in that, in response to the digital rights management module of the communication device instructing the transmitter to transmit a request for digital content, the digital rights management module of the communication device and/or the domain manager verifies the authenticity of the domain, and, after the authenticity of the domain has been verified, the receiver of the communication device receives the requested digital content in encrypted form, bound to the cryptographic key of the domain in which the communication device is registered.

6. The communication device according to claim 1, characterized in that the digital rights management module of the communication device enforces the usage rules that are associated with the requested digital content and are received by the receiver in the content package containing the requested digital content.

7. The communication device according to claim 6, characterized in that the content package contains a rights table in binary representation, which contains the usage rules.

8. The communication device according to claim 7, characterized in that the rights table in binary representation contains a set of sections having predefined tokens.

9. The communication device according to claim 1, characterized in that the digital rights management module, in response to the communication device receiving a request for digital content from a second communication device of the domain, instructs the transmitter to transmit the requested digital content from the storage element to the second communication device.

10. The communication device according to claim 1, characterized in that, in response to a request from a user of the communication device, the digital rights management module instructs the transmitter to transmit a request for digital content that is not available in the domain, and, after the authenticity of the domain has been verified, the receiver receives the requested digital content in encrypted form, bound to the cryptographic key of the domain in which the communication device is registered.



 
