Binding a digital license to a user and binding the user to multiple computing devices in a digital rights management (DRM) system

FIELD: information technology.

SUBSTANCE: the invention can be used in an enforcement system that allows access to encrypted digital content on a computing device only in accordance with the parameters of the license rights acquired by the user of the digital content. A first trusted component on a first computing device performs cryptographic processing, evaluation and enforcement and is bound to that device, and a first user-device certificate corresponding to the first computing device is bound to the user. Correspondingly, a second trusted component on a second computing device performs cryptographic processing, evaluation and enforcement and is bound to that device, and a second user-device certificate corresponding to the second computing device is also bound to the user. The first trusted component obtains the content for playback on the first computing device by way of the first user-device certificate and the license, and the second trusted component obtains the content for playback on the second computing device by way of the second user-device certificate and the same license.

EFFECT: prevention of unauthorised duplication of digital content by a user who is bound to the digital license and has several computing devices.

16 cl, 6 dwg

 

CROSS-REFERENCE TO RELATED APPLICATIONS

The following U.S. patent applications disclose subject matter related to that of the present invention and are incorporated herein by reference in their entirety:

U.S. patent application No. 10/185,527, filed June 28, 2002 under attorney docket number MSFT-1330, "Obtaining an SRL for digital content and obtaining a digital license corresponding to the content based on the SRL in a DRM system".

U.S. patent application No. 10/185,278, filed June 28, 2002 under attorney docket number MSFT-1333, "Using a rights template to obtain an SRL for digital content in a DRM system".

U.S. patent application No. 10/185,511, filed June 28, 2002 under attorney docket number MSFT-1343, "Systems and methods for issuing licenses for the use of digital content and services".

U.S. patent application No. 09/290,363, filed April 12, 1999, "Architecture and method for digital rights management".

U.S. provisional patent application No. 60/126,614, filed March 27, 1999, "Architecture and method for digital rights management".

FIELD OF THE INVENTION

The present invention relates to a digital rights management (DRM) system for enforcing rights in digital content. More specifically, the present invention relates to an enforcement system that allows access to encrypted digital content on a computing device only in accordance with the parameters of the license rights acquired by the user of the digital content. Even more specifically, the present invention relates to providing digital licenses that are bound to the user and to binding the user to one or more computing devices.

PRIOR ART

As is known, and referring to figure 1, digital rights management (DRM) and enforcement are highly desirable in connection with digital content 12 such as digital audio, digital video, digital text, digital data, digital multimedia data, etc., where such digital content 12 is to be distributed to users. After receiving the digital content, the user renders or 'plays' it with an appropriate playback device, for example a media player on a personal computer 14 or a similar device.

Usually a content owner distributing digital content 12 prefers to limit what the user can do with the distributed digital content 12. For example, the content owner may prefer to restrict the user from copying and redistributing the content 12 to a second user, or may prefer to allow the distributed digital content 12 to be played only a limited number of times, only for a certain total time, only on a particular device, only with a specific type of player, only by certain types of users, etc.

However, once the content has been distributed, the content owner has very little control over the digital content 12, if any at all. A DRM system 10, by contrast, provides controlled rendering or playback of arbitrary forms of digital content 12, and such control is flexible and is defined by the owner of the digital content. Usually the content 12 is distributed to the user in the form of a package 13 through any appropriate distribution channel. The distributed package 13 may contain the digital content 12 encrypted with a symmetric encryption/decryption key (KD) (i.e., (KD(CONTENT))), as well as other information identifying the content, how to acquire a license for the content, etc.

The trust-based DRM system 10 allows the owner of digital content 12 to define license rules that must be satisfied before the digital content 12 is allowed to be played on the user's computing device 14, and also while the content 12 is in use. The license rules may contain the above-mentioned temporal requirement and may be embodied in a digital license 16 that the user / the user's computing device 14 (hereinafter, these terms are used interchangeably unless the context requires otherwise) must obtain from the content owner or its agent. The license 16 also contains the decryption key (KD) for decrypting the digital content, possibly encrypted according to a key that the user's computing device can decrypt, and is signed by the license issuer. Because access to the content 12 requires the license 16, the content 12 may be distributed freely. It is essential that the license 16 be bound or 'tied', directly or indirectly, to the computing device 14 on which the content 12 is to be played. Otherwise, the license 16 could potentially be copied to an unlimited number of other devices 14 so that the corresponding content 12 could be played on them as well.

The owner of a piece of digital content 12 must trust that the user's computing device 14 will abide by the rules and requirements defined by the content owner in the license 16, that is, that the digital content 12 will not be played unless the rules and requirements of the license 16 are satisfied. Preferably, therefore, the user's computing device 14 is provided with a trusted component or mechanism 18 that will not play the digital content 12 except in accordance with the license rules contained in the license 16 that is associated with the digital content 12 and obtained by the user.

The trusted component 18 generally has a license evaluator 20, which determines whether the license 16 is valid, reviews the rules and requirements of a valid license 16, and determines on the basis of that review whether the requesting user is authorized to play the requested digital content 12 in the manner sought, etc. It should be clear that the license evaluator 20 is trusted in the DRM system 10 to carry out the wishes of the owner of the digital content 12 in accordance with the rules and requirements in the license 16, and the user should not be able to simply alter this trusted element for his or her own purposes. Of necessity, the trusted component 18 has information about the external entities authorized to issue licenses and can confirm the identity of various entities, such as external entities, users, applications and devices.

It should be clear that the rules and requirements in the license 16 can determine whether the user has the right to play the digital content 12 based on any of several factors, including who the user is, where the user is located, what type of computing device the user is using, what playback application is calling the DRM system, the date, the time, etc. Additionally, the rules and requirements in the license 16 can limit the license 16 to, for example, a predetermined number of plays or uses, or a predetermined playing time.

The rules and requirements can be defined in the license 16 in accordance with any appropriate language and syntax. For example, the language may simply define parameters and values that must be satisfied (for example, DATE must be later than X), or may require functions to be performed according to a specified script (for example, IF DATE is greater than X, ...).

Once the license evaluator 20 determines that the license 16 is valid and that the user satisfies the rules and requirements set out in it, the digital content 12 can be played. In particular, to play the content 12, the decryption key (KD) is obtained from the license 16 and applied to (KD(CONTENT)) from the content package 13 to yield the actual content 12, and the actual content 12 is then played. The trusted component 18 may also need to verify and track dynamic aspects of the environment of the computing device 14, for example the application performing the playback of the content.

Usually, to perform the cryptographic functions associated with the trusted component 18, including the above-mentioned application of (KD) to (KD(content)) and all other cryptographic functions, the trusted component 18 has a black box 22. Like the license evaluator 20, the black box 22 is trusted in the DRM system 10 to carry out the wishes of the owner of the digital content 12 in accordance with the rules and requirements of the license 16, and the user should not be able to simply alter this trusted element for his or her own purposes. The black box 22 is also designed to act as a license enforcer and, in particular, to ensure that the content 12 is only decrypted and delivered to the appropriate playback software on the user's computing device 14.

The black box 22 can usually be expected to perform both symmetric (single key) and asymmetric (public key / private key pair) cryptographic encryption and/or decryption. In particular, the above-mentioned decryption key (KD) is usually a symmetric key and is therefore transmitted in encrypted form, encrypted with another symmetric key, a public key or a private key. Therefore, to decrypt (KD(content)) when, for example, (KD) is encrypted with a public key (PU) (i.e., (PU(KD))), the black box 22 must first obtain the private key (PR) corresponding to (PU) and asymmetrically apply (PR) to (PU(KD)) to yield (KD), and then symmetrically apply (KD) to (KD(content)) to yield the content.

The black box 22 is provided with a secret and is entrusted not to reveal that secret to anyone. The secret is therefore the basis for encrypting the content key (KD), directly or indirectly, and only the black box 22, as the bearer of the secret, can decrypt the content key (KD). As a result, a license 16 with (KD) encrypted according to the secret is bound or tied to the black box 22. Usually the secret is the private key (PR-BB) of a key pair (PU-BB, PR-BB) that is unique or nearly unique to the black box 22, and the corresponding public key (PU-BB) of the black box 22 is used to encrypt (KD), directly or indirectly. Most significantly, the black box 22 must be able to hide (PR-BB) and to protect (PR-BB) and the associated cryptographic code from observation and tampering; consequently, (PR-BB) and this code are embedded or encapsulated in the black box 22 with appropriate obfuscation and built-in protection.

To prevent unlimited duplication, the black box 22 is bound to one specific hardware device. Usually this binding is achieved by hard-coding device parameters into the black box 22 and authenticating those parameters during operation. The black box 22 is also trusted to cryptographically authenticate other software components, mainly by verifying the digital signatures they present, and can thereby ensure that the other components of the trusted system 18 on the user's computing device 14, and presented items such as licenses 16, have not been tampered with.

Usually each black box 22 is accompanied by a digital black box certificate bearing (PU-BB), a unique ID, a version number, and possibly other certificate contents. The black box certificate is therefore bound to the black box 22 through the link between (PU-BB) and (PR-BB). The issuer of a license 16 may decide to accept or reject a request for a license 16 from a trusted component 18 on the basis of the certificate of its black box 22 and the contents of that certificate. When a request is rejected on the basis of the black box certificate, a newer black box 22 with a corresponding newer black box certificate usually must be installed before the request is made. Of course, a new black box 22 can be installed for other reasons, may be initially installed separately from the installation of the rest of the trusted component 18, may be installed with the rest of the trusted component but not activated, etc.

As stated above, a DRM license 16 must in some way be bound, directly or indirectly, to the computing device 14 on which the corresponding content 12 is to be played. Although direct binding to a specific computing device 14 is simpler, it can happen that the user of a particular computing device 14 also has other computing devices 14 and wants to play the content 12 on those other computing devices 14 on the basis of the license. For example, the user may want to play a piece of music on a desktop computer at home or at the office and on a portable computer. A need therefore exists for a method and mechanism for binding a digital license 16 to the user rather than to a specific computing device 14. More specifically, a need exists for a method and mechanism for binding a digital license 16 to a digital object that represents the user, for example a user certificate.

Of course, a user with such a user object/certificate could copy the user object/certificate and the license 16 to an unlimited number of other computing devices 14 in order to play the corresponding content 12 on them. Accordingly, a need exists for a method and mechanism for binding the user, through the user certificate, to each of several particular computing devices 14, while limiting the number of particular computing devices 14 to which any particular user object/certificate is bound. As a result, the license 16 would be bound to each of the multiple computing devices 14.

SUMMARY OF THE INVENTION

The aforementioned needs are satisfied, at least in part, by the present invention, in which a DRM system enables a user to play digital content on multiple computing devices in accordance with a corresponding digital license, the license being bound to the content and to the user.

In the system, a first trusted component on a first computing device performs cryptographic processing and DRM evaluation and enforcement for the first computing device and is bound to it, and a first user-device certificate corresponding to the first computing device is bound to the user. Correspondingly, a second trusted component on a second computing device performs cryptographic processing and DRM evaluation and enforcement for the second computing device and is bound to it, and a second user-device certificate corresponding to the second computing device is also bound to the user. Consequently, the first trusted component can obtain the content for playback on the first computing device by way of the first user-device certificate and the license, and the second trusted component can obtain the content for playback on the second computing device by way of the second user-device certificate and the same license.

To provide a user-device certificate, a request for a user-device certificate with respect to a particular computing device is received from the user; the request includes an identifier (ID) of the user and a computing device certificate corresponding to the computing device. The computing device certificate includes a corresponding public key (PU-x). Based on the user ID, it is determined whether the user has a record in a user-device database. If not, a record for the user is created in the database, including the user ID and a public key / private key pair for the user (PU-USER, PR-USER). If so, the record for the user is located in the database.

(PU-x) is obtained from the computing device certificate, (PR-USER) is encrypted according to (PU-x) to yield (PU-x(PR-USER)), and (PU-USER) and (PU-x(PR-USER)) are formed into the user-device certificate to be issued. The generated user-device certificate is then returned to the user.

Assuming that the content is encrypted according to a content key (KD) to yield (KD(content)), that the license includes (KD) encrypted according to (PU-USER) to yield (PU-USER(KD)), and that the trusted component of the computing device has a private key (PR-x) corresponding to (PU-x), the trusted component can decrypt the content for playback on the computing device by applying (PR-x) to (PU-x(PR-USER)) from the user-device certificate to obtain (PR-USER), applying (PR-USER) to (PU-USER(KD)) from the license to obtain (KD), and applying (KD) to (KD(content)) to obtain the content.
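The issuance and decryption chain described above, as an added example in JavaScript (Node.js) that is not code from the patent. It assumes RSA-OAEP for the (PU-...)/(PR-...) operations and AES-256-GCM for (KD), and it wraps (PR-USER) indirectly through a fresh AES key because an exported RSA private key is too large for a single RSA operation; all function and field names are hypothetical.

```javascript
const crypto = require('crypto');

// Symmetric step: AES-256-GCM stands in for applying (KD) to the content (assumption).
function seal(key, data) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(data), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, box) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws if key or data is wrong
}

// Asymmetric step "PU(x)": RSA-OAEP wraps a fresh AES key, which in turn seals x.
function puEncrypt(pu, data) {
  const k = crypto.randomBytes(32);
  const wrappedKey = crypto.publicEncrypt({ key: pu, oaepHash: 'sha256' }, k);
  return { wrappedKey, box: seal(k, data) };
}

// Applying PR to PU(x): unwrap the AES key, then open x. Throws for the wrong PR.
function prDecrypt(pr, env) {
  const k = crypto.privateDecrypt({ key: pr, oaepHash: 'sha256' }, env.wrappedKey);
  return open(k, env.box);
}

const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// ---- DRM server side: user-device database and certificate issuance ----
const userDb = new Map(); // user ID -> { puUser, prUser }

function issueUserDeviceCert(userId, deviceCert) {
  let rec = userDb.get(userId);
  if (!rec) { // no record yet: create one with a (PU-USER, PR-USER) pair
    const kp = newKeyPair();
    rec = { puUser: kp.publicKey, prUser: kp.privateKey };
    userDb.set(userId, rec);
  }
  const prUserDer = rec.prUser.export({ type: 'pkcs8', format: 'der' });
  return {
    userId,
    puUser: rec.puUser.export({ type: 'spki', format: 'pem' }), // (PU-USER), in the clear
    wrappedPrUser: puEncrypt(deviceCert.puX, prUserDer),        // (PU-x(PR-USER))
  };
}

function issueLicense(userId, kd) {
  const rec = userDb.get(userId);
  if (!rec) throw new Error('unknown user');
  return { userId, wrappedKd: puEncrypt(rec.puUser, kd) };      // (PU-USER(KD))
}

// ---- Device side: the trusted component keeps (PR-x) inside its closure ----
function makeDevice(name) {
  const kp = newKeyPair();
  return {
    cert: { name, puX: kp.publicKey }, // computing device certificate carrying (PU-x)
    play(userDeviceCert, license, pkg) {
      const der = prDecrypt(kp.privateKey, userDeviceCert.wrappedPrUser); // -> (PR-USER)
      const prUser = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
      const kd = prDecrypt(prUser, license.wrappedKd);                    // -> (KD)
      return open(kd, pkg).toString('utf8');                              // -> content
    },
  };
}

function demo() {
  const kd = crypto.randomBytes(32);
  const pkg = seal(kd, Buffer.from('constructed sample content')); // (KD(content))
  const desktop = makeDevice('desktop');
  const laptop = makeDevice('laptop');
  const other = makeDevice('other'); // never issued a user-device certificate
  const certA = issueUserDeviceCert('alice', desktop.cert);
  const certB = issueUserDeviceCert('alice', laptop.cert);
  const license = issueLicense('alice', kd); // one license for both devices
  let copiedCertWorks = true;
  try { other.play(certA, license, pkg); } catch (e) { copiedCertWorks = false; }
  return {
    desktop: desktop.play(certA, license, pkg),
    laptop: laptop.play(certB, license, pkg),
    sameUserKey: certA.puUser === certB.puUser,
    copiedCertWorks,
  };
}

console.log(demo());
```

Both certificates carry the same (PU-USER), which is why a single license serves both devices, while a certificate copied to a device that lacks the matching (PR-x) fails at the first unwrapping step.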

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing summary, as well as the following detailed description of embodiments of the present invention, is explained below with reference to the drawings, which show embodiments that are presently preferred. It should be borne in mind, however, that the invention is not limited to the specific arrangements and means shown.

Figure 1 is a block diagram of an enforcement architecture in one possible embodiment of a trust-based system.

Figure 2 is a block diagram of a general-purpose computer system in which the present invention and/or portions thereof may be implemented.

Figure 3 is a block diagram showing content bound to a license, the license bound to a user certificate, the user certificate bound to a black box, and the black box bound to a computing device, in connection with the architecture of figure 1.

Figure 4 is a block diagram showing content bound to a license, the license bound to multiple user-device certificates, each user-device certificate bound to a black box, and each black box bound to a computing device, according to one embodiment of the present invention.

Figure 5 is a flow diagram showing the main steps performed in obtaining the user-device certificates of figure 4, according to one embodiment of the present invention.

Figure 6 is a flow diagram showing the main steps performed in obtaining a license on behalf of a user, according to one embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Computing environment

Fig. 1 and the following discussion are intended to provide a brief general description of a suitable computing environment in which the present invention and/or portions thereof may be implemented. Although this is not a requirement, the invention is described mainly in the context of instructions executed by a computer, for example a client workstation or a server.

Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Additionally, it should be clear that the invention and/or portions thereof can be practiced with other computer system configurations, including hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, general-purpose computers, etc. The invention can also be practiced in distributed computing environments where tasks are performed by remote processing devices linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote storage devices.

As shown in figure 2, an exemplary general-purpose computing system includes a conventional personal computer 120 or similar device that contains a processor 121, a system memory 122, and a system bus 123 that couples various system components, including the system memory, to the processor 121. The system bus 123 may be any of several types of bus structures, including a memory bus or memory controller, a peripheral bus and a local bus using any of a variety of bus architectures. The system memory includes random access memory (RAM) 125 and read-only memory (ROM) 124. A basic input/output system (BIOS) 126, containing the basic routines that help transfer information between elements within the personal computer 120, for example during start-up, is stored in ROM 124.

The personal computer 120 may further comprise a hard disk drive 127 for reading from and writing to a hard disk (not illustrated), a magnetic disk drive 128 for reading from or writing to a removable magnetic disk 129, and an optical disk drive 130 for reading from or writing to a removable optical disk 131, for example a CD-ROM or other optical media. The hard disk drive 127, magnetic disk drive 128 and optical disk drive 130 are connected to the system bus 123 via a hard disk drive interface 132, a magnetic disk drive interface 133 and an optical drive interface 134, respectively. The drives and their associated computer-readable media provide nonvolatile storage of computer-readable instructions, data structures, program modules and other data for the personal computer 120.

Although the exemplary implementation described here uses a hard disk, a removable magnetic disk 129 and a removable optical disk 131, it should be clear that other types of computer-readable storage media that can store data accessible to a computer can also be used in the exemplary operating environment. Such other types of storage media include magnetic tape cassettes, flash memory cards, digital video discs, Bernoulli cartridges, RAM, ROM, etc.

A number of program modules can be stored on the hard disk, magnetic disk 129, optical disk 131, ROM 124 or RAM 125, including an operating system 135, one or more application programs 136, other program modules 137, and program data 138. The user can enter commands and information into the personal computer 120 through input devices such as a keyboard 140 and a pointing device 142. Other input devices (not illustrated) may include a microphone, joystick, game pad, satellite dish, scanner, etc. These and other input devices are often connected to the processor 121 through a serial port interface 146 that is coupled to the system bus 123, but they can be connected to the processor through another interface, for example a parallel port, game port or universal serial bus (USB). A monitor 147 or other type of display device is connected to the system bus 123 via an interface such as a video adapter 148. In addition to the monitor 147, a personal computer typically includes other peripheral output devices (not shown), such as speakers and printers. The exemplary system of Fig. 2 also includes a host adapter 155, a Small Computer System Interface (SCSI) bus 156, and an external storage device 162 connected to the SCSI bus 156.

The personal computer 120 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 149. The remote computer 149 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above in relation to the personal computer 120, although figure 2 depicts only the memory 150. The logical connections depicted in figure 2 include a local area network (LAN) 151 and a wide area network (WAN) 152. Such networking environments are commonly used in organizations, corporate computer networks, intranets (corporate networks with restricted access) and the Internet. The personal computer 120 may also act as a host to a guest device, such as another personal computer 120 or a more specialized device such as a portable music player or portable digital assistant, whereby the host, among other functions, downloads data to the guest device and/or uploads data from it.

When used in a LAN networking environment, the personal computer 120 is connected to the LAN 151 through a network interface or adapter 153. When used in a WAN networking environment, the personal computer 120 typically includes a modem 154 or other means for establishing communications over the wide area network 152, such as the Internet. The modem 154, which may be internal or external, is connected to the system bus 123 via the serial port interface 146. In a networked environment, the program modules described in relation to the personal computer 120, or portions thereof, may be stored in a remote storage device. It is clear that the network connections shown are exemplary and that other means of establishing a communications link between the computers may be used.

Binding the black box 22 to the computing device 14.

As described above, in the DRM system each computing device 14 is provided with a black box 22 to perform cryptographic processing and DRM enforcement functions. Referring to figure 3, in one embodiment of the present invention the black box 22 of each computing device 14 is provided with a unique public key / private key pair (PU-BBx, PR-BBx) for performing asymmetric encryption and decryption. In particular, (PR-BBx) is embedded or encapsulated in the black box 22 with appropriate obfuscation and built-in protection, and (PU-BBx) is provided in a corresponding black box certificate 24, which is issued together with the black box 22 by an appropriate DRM server 26. As described above, the black box certificate 24 is bound to the black box 22 through the link between (PU-BB) and (PR-BB).

To prevent unlimited duplication, the black box 22 is bound to its computing device 14 by hard-coding device parameters into the black box 22 and authenticating those parameters during operation. Typically, the device parameters are one or more characteristics of the computing device 14 encoded in a hardware ID (HWID) that uniquely identifies the computing device 14.

It should therefore be clear that the black box certificate 24 includes, in addition to (PU-BBx), the HWID of the computing device 14. The black box certificate 24 can also include a unique ID of the black box 22, the version number of the black box 22, and possibly other certificate contents relating to the black box 22.

The black box certificate 24 is signed with the private key (PR-DRMx) of the DRM server 26 that issued the black box 22 and the black box certificate 24. The signature is based on a hash of at least part of the contents of the black box certificate 24 and is verified by applying the corresponding public key (PU-DRMx). If the contents are changed, the signature will not verify. Usually the black box certificate 24, as issued by the issuer, includes a chain of certificates leading back to a root certificate from a trusted root authority.

To summarize, for each computing device 14 in the DRM system 10, the black box 22 is bound to it through the HWID, which is based on characteristics of the computing device 14, and the black box certificate 24 is bound to the black box by way of (PU-BBx) and (PR-BBx) and also by inclusion of the HWID.
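The certificate checks described in this section, as an added example in JavaScript (Node.js) that is not code from the patent: the DRM server signs the black box certificate contents with (PR-DRMx), and the device verifies the signature with (PU-DRMx) and compares the embedded HWID with its own. The choice of RSA with SHA-256, the indicia that make up the HWID, and all function and field names are assumptions; the certificate chain back to a root is not modelled.

```javascript
const crypto = require('crypto');

// HWID: one hash over machine indicia. Which indicia are used is an assumption.
function computeHwid(m) {
  return crypto.createHash('sha256')
    .update(JSON.stringify([m.cpuId, m.diskSerial, m.macAddress]))
    .digest('hex');
}

// Fixed field order so that issuer and verifier hash identical bytes.
function signedBytes(cert) {
  return Buffer.from(JSON.stringify([cert.bbId, cert.version, cert.hwid, cert.puBB]));
}

// DRM server: sign the certificate contents with (PR-DRMx).
function issueBlackBoxCert(prDrm, fields) {
  const cert = {
    bbId: fields.bbId,       // unique ID of the black box
    version: fields.version, // black box version number
    hwid: fields.hwid,       // HWID of the computing device
    puBB: fields.puBB,       // (PU-BBx), PEM-encoded
  };
  cert.signature = crypto.sign('sha256', signedBytes(cert), prDrm).toString('base64');
  return cert;
}

// Run-time check: signature under (PU-DRMx) first, then the HWID of this machine.
function checkBlackBoxCert(cert, puDrm, localMachine) {
  const sig = Buffer.from(cert.signature, 'base64');
  if (!crypto.verify('sha256', signedBytes(cert), puDrm, sig)) return 'bad-signature';
  if (cert.hwid !== computeHwid(localMachine)) return 'hwid-mismatch';
  return 'ok';
}

function bbDemo() {
  const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const pem = (kp) => kp.publicKey.export({ type: 'spki', format: 'pem' });
  const drm = newKeyPair();       // (PU-DRMx, PR-DRMx)
  const bbKeys = newKeyPair();    // (PU-BBx, PR-BBx)
  const otherKeys = newKeyPair(); // an unrelated key pair

  // Constructed machine indicia for two different devices.
  const machineA = { cpuId: 'CPU-A-0001', diskSerial: 'DISK-A-1111', macAddress: '02:00:00:00:00:0a' };
  const machineB = { cpuId: 'CPU-B-0002', diskSerial: 'DISK-B-2222', macAddress: '02:00:00:00:00:0b' };

  const cert = issueBlackBoxCert(drm.privateKey, {
    bbId: 'bb-0001', version: '1.0', hwid: computeHwid(machineA), puBB: pem(bbKeys),
  });

  return {
    // Certificate used on the device it was issued for.
    genuine: checkBlackBoxCert(cert, drm.publicKey, machineA),
    // Same certificate copied unchanged to another device.
    copiedToOtherMachine: checkBlackBoxCert(cert, drm.publicKey, machineB),
    // HWID field rewritten to match the other device: contents no longer match the signature.
    hwidEdited: checkBlackBoxCert({ ...cert, hwid: computeHwid(machineB) }, drm.publicKey, machineB),
    // Public key field replaced: contents no longer match the signature.
    keySwapped: checkBlackBoxCert({ ...cert, puBB: pem(otherKeys) }, drm.publicKey, machineA),
  };
}

console.log(bbDemo());
```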

Binding the user to the black box 22 on the computing device 14.

In one embodiment of the present invention, and still referring to figure 3, the user is provided with a digital object that represents the user in order to bind the user to the black box 22 on a particular computing device. In particular, the digital object is a digital user certificate 28 or similar object that includes a unique public key / private key pair (PU-USER, PR-USER) for performing asymmetric encryption and decryption. It is essential that (PR-USER) in the user certificate 28 is encrypted according to the public key (PU-BBx) of the black box to yield (PU-BBx(PR-USER)). Accordingly, only the black box 22 with the corresponding (PR-BBx) can obtain (PR-USER), by applying (PR-BBx) to (PU-BBx(PR-USER)) to reveal (PR-USER). Consequently, the user is bound, by way of (PU-BBx(PR-USER)) in that user's user certificate 28, to the black box 22 with the corresponding (PR-BBx).

Of course, (PU-USER), being a public key, can be placed in the user certificate 28 without encryption if that is preferred. The user certificate 28 may also include a unique ID and possibly other certificate contents relating to the user, for example a system ID of the user. The user certificate 28 is signed with the private key (PR-DRMx) of the DRM server 26 that issued the user certificate 28, which may be the DRM server 26 that issued the black box certificate 24 and the black box 22, or another DRM server 26. As before, the signature is based on a hash of at least part of the contents of the user certificate 28 and is verified by applying the corresponding public key (PU-DRMx). If the contents are changed, the signature will not verify. Usually, as before, the user certificate 28, as issued by the issuer, includes a chain of certificates leading back to a root certificate from a trusted root authority.

To summarize, a particular user certificate 28 is bound to the particular black box 22 that holds (PR-BBx), by virtue of containing (PU-BBx(PR-USER)), and the particular black box 22 is bound to a particular computing device 14. Accordingly, the particular user certificate 28 is bound to the particular computing device 14 and can be used only in connection with that computing device.

Binding the license 16 to the user.

In one embodiment of the present invention, and still referring to figure 3, the license 16 corresponding to a piece of content 12 is bound to a specific user by way of that user's user certificate 28. In particular, the license 16 includes the symmetric key (KD) with which the corresponding content 12 is encrypted (and through which the content 12 is bound to the license 16), where (KD) in the license 16 is encrypted according to the public key of the user (PU-USER) to yield (PU-USER(KD)). Accordingly, only the user and user certificate 28 with the corresponding (PR-USER) can obtain (KD), by applying (PR-USER) to (PU-USER(KD)) to reveal (KD). Of course, the cryptographic functions are performed on behalf of the user by the black box 22. Therefore, the license 16 is bound, by way of its (PU-USER(KD)), to the user and the user certificate 28 with the corresponding (PR-USER).

As described above, the license 16 may also include a unique ID and possibly other license content relating to playback of the corresponding content 12, for example a content ID for the content 12, the user's rights, and the terms and conditions that must be satisfied before the content 12 is decrypted and played. Again, the license 16 is signed with the private key (PR-DRMx) of the DRM server 26 that issued the license 16, which may be the DRM server 26 that issued the black box certificate 24 and the black box 22 or the user certificate 28, or another DRM server 26. As before, the signature is based on a hash of at least part of the contents of the license 16 and is verified by applying the corresponding public key (PU-DRMx). If the contents are changed, the signature will not verify. Typically, as before, the license 16 as issued includes a chain of certificates leading back to a root certificate from a trusted root authority.

Therefore, in summary, a particular license 16 is bound to a particular user and to that user's user certificate 28 with (PR-USER), because the license contains (PU-USER(KD)); the particular user certificate 28 is bound to a particular black box 22 that holds (PR-BBx), because the certificate contains (PU-BBx(PR-USER)); and the particular black box 22 is bound to a particular computing device 14. Accordingly, the particular license 16 is bound to the particular computing device 14, and it is apparent that the particular license 16 is usable only in connection with that particular computing device 14. However, as described in more detail below, in one embodiment of the present invention a particular license 16 may be used on several particular computing devices 14.

Binding the user to multiple computing devices 14.

In one embodiment of the present invention, according to figure 4, the user certificate 28 provided to the user is a user device certificate 28 that is based on a public key/secret key pair (PU-USER, PR-USER) unique to the user and that is bound to a particular computing device 14 through the black box 22. Significantly, in one embodiment of the present invention, the user may be provided with multiple user device certificates 28 in order to bind the user to multiple computing devices 14.

Therefore, for the first black box 22 (BB1) to which the user is to be bound, a first user device certificate 28 is provided that includes (PU-USER, PR-USER), with (PR-USER) in the certificate 28 encrypted under the public key of the black box (PU-BB1) to yield (PU-BB1(PR-USER)). Accordingly, only BB1, which holds (PR-BB1), can obtain (PR-USER) from the first user device certificate 28.

Correspondingly, for the second black box 22 (BB2) to which the user is to be bound, a second user device certificate 28 is provided that includes the same (PU-USER, PR-USER). In the second user device certificate 28, however, (PR-USER) is encrypted under the public key of the black box (PU-BB2) to yield (PU-BB2(PR-USER)). Accordingly, only BB2, which holds (PR-BB2), can obtain (PR-USER) from the second user device certificate 28.

It should be clear that, in the present invention, multiple user device certificates 28 can be provided to bind the user to several black boxes 22, as represented by (PU-BB, PR-BB), each of which is on a separate computing device 14. Therefore, it should be clear that a particular license 16 is bound to a particular user, as represented by (PU-USER, PR-USER), where the user can have one or more user device certificates 28, each of which carries (PR-USER), and where the license 16 includes (PU-USER(KD)). Each user device certificate 28 is bound to a particular black box 22 that holds (PR-BBx), because the certificate contains (PU-BBx(PR-USER)), and each particular black box 22 is bound to a particular computing device 14. Accordingly, by way of each user device certificate 28 carrying (PR-USER), the particular license 16 is bound to each corresponding computing device 14 and thus can be used on each corresponding computing device 14 to play the corresponding content 12.

It should now be clear that the ability to bind the content 12, by way of the license 16 for the content, to the user rather than to a particular computing device 14 allows the user to play the content 12 on multiple computing devices 14. In addition, this binding lets the user move the content 12 between multiple computing devices 14 while the conditions defined in the license 16 are met. Consequently, the user is minimally constrained with regard to playing the content 12, yet the content 12 remains protected within the system 10.

User device certificate 28.

In one embodiment of the present invention, a user device certificate 28 that binds the user to a particular one of possibly several computing devices 14 is obtained by requesting the user device certificate 28 from a user device certificate server 30 that has access to a user device database 32 (figure 4). It should be noted that the database 32 may be a dedicated database 32 or part of a larger database, such as a system-wide user database or directory.

Typically, the request identifies the user and the computing device 14, and the user device certificate server 30 creates the user device certificate 28 based on the information about the user in the user device database 32. If the user is obtaining a user device certificate 28 for the first time, the process is slightly modified in that the user device certificate server 30 must first create the information about the user in the user device database 32.

In particular, according to figure 5, the process begins when the user device certificate server 30 receives from the user a request for a user device certificate 28 with respect to a particular computing device 14 (step 501). It should be clear that the request may be made by the user, or by the trusted component 18 / black box 22 on the particular computing device 14 on behalf of and at the request of the user. Significantly, the request as received by the server 30 contains the black box certificate 24 of the black box 22 (here BB1) of the particular computing device 14 and an identifier (ID) of the user. It should be noted that the user ID may be any appropriate ID without departing from the scope of the present invention, as long as the ID uniquely identifies the user to the server 30. For example, the ID can be an email address, a network ID, a server ID, a system ID, a biometric identifier, etc.

Based on the ID, the server 30 refers to the database 32 to determine whether the user has previously obtained a user device certificate 28 (step 503). If so, the database 32 contains a record that corresponds to the user and includes the ID. If not, the database contains no record that corresponds to the user and includes the ID.

If no record for the user exists in the database 32, the server 30 proceeds to create such a record. In particular, the server 30 creates a public key/secret key pair (PU-USER, PR-USER) for the user (step 505) and stores (PU-USER, PR-USER) and the user ID in a new record in the database 32 (step 507), possibly together with other relevant information, as set forth below.

After that, the server 30 creates the requested user device certificate 28 for the user by obtaining (PU-BB1) from the presented black box certificate 24 (step 509), encrypting (PR-USER) for the user under (PU-BB1) to yield (PU-BB1(PR-USER)) (step 511), placing (PU-USER) and (PU-BB1(PR-USER)) in the newly created user device certificate 28, possibly along with other information including the user ID (step 513), and then signing the newly created user device certificate 28 with (PR-DRMx) (step 515), possibly attaching a certificate chain for verification. The newly created user device certificate 28 may then be returned to the requesting user (step 517).

In one embodiment of the present invention, the user device certificate 28 obtained by the user is an XML/XrML-conformant document that includes:

ISSUEDTIME (time of issue) - the time at which the certificate 28 was created.

VALIDITYTIME (validity period) - the time during which the certificate 28 is valid.

DESCRIPTOR (descriptor) - a unique ID of the certificate 28.

ISSUER (issuer) - the server 30, as identified by (PU-DRMx).

DISTRIBUTION POINT (distribution point) - the address of the server 28.

ISSUEDPRINCIPALS (issued principals) - (PU-USER).

SECURITYLEVELS (security levels) - flags that indicate whether the certificate 28 is permanent or temporary, and/or when the ISSUEDPRINCIPALS ID (the ID of the issued user) was created.

FEDERATIONPRINCIPALS (federation principals) - (PU-BB1(PR-USER)).

Signature - based on (PR-DRMx) and at least part of the above information.

If, at a later time, the user device certificate server 30 receives from the user another request for a user device certificate 28 with respect to another particular computing device 14, as in step 501, the request as received by the server 30 again includes the black box certificate 24 of the black box 22 (here BB2) of that particular computing device 14 and an identifier (ID) of the user. This time, however, when the server 30 refers to the database 32 to determine whether the user has previously obtained a user device certificate 28, as in step 503, it should find in the database 32 a record that corresponds to the user and includes the ID. Accordingly, the server 30 retrieves (PU-USER) and (PR-USER) from the record for the user in the database 32 (step 519).

Then, as before, the server 30 creates the requested user device certificate 28 for the user by obtaining (PU-BB2) from the presented black box certificate 24, as in step 509, encrypting (PR-USER) of the user under (PU-BB2) to yield (PU-BB2(PR-USER)), as in step 511, placing (PU-USER) and (PU-BB2(PR-USER)) in the newly created user device certificate 28, possibly together with other information including the user ID, as in step 513, and then signing the newly created user device certificate 28 with (PR-DRMx), as in step 515, possibly attaching a certificate chain for verification. The newly created user device certificate 28 may then be returned to the requesting user, as in step 517. It should be understood that the user may obtain multiple user device certificates 28 from the server 30, and that all of the certificates 28 obtained share a common (PU-USER) and (PR-USER), but that in each certificate 28 (PR-USER) is encrypted under the (PU-BBx) of a different black box 22, so that each such certificate is bound to its black box 22. Therefore, the license 16 may be obtained by the user by presenting any of the user's user device certificates 28 and is bound to the user by way of (PR-USER). In addition, the license is bound to all of the user's user device certificates 28, and therefore to all of the corresponding computing devices 14, and can therefore be used on each corresponding computing device 14 to play the corresponding content 12.
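The key chain and the figure 5 issuance steps described above can be exercised end to end. The following Go program is an added example, not code from the patent: it issues two user device certificates for one user and recovers (KD) from a single license on each black box. Assumptions: the names `Seal`, `Open`, `Issue`, `RecoverKD` and `Cert` are hypothetical, RSA-OAEP combined with AES-256-GCM stands in for the unspecified encryption, and the signature of step 515, certificate chains and the final (KD(content)) decryption are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

func aead(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Seal models PU-x(data); Open undoes it with PR-x. Assumption (the page names
// no algorithm): RSA-OAEP wraps a fresh AES-256-GCM key used once, zero nonce.
func Seal(pub *rsa.PublicKey, data []byte) ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	g, err := aead(k)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, nil)
	if err != nil {
		return nil, err
	}
	return g.Seal(wrapped, make([]byte, g.NonceSize()), data, nil), nil
}

func Open(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < priv.Size() {
		return nil, fmt.Errorf("blob shorter than the %d-byte RSA modulus", priv.Size())
	}
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[:priv.Size()], nil)
	if err != nil {
		return nil, err
	}
	g, err := aead(k)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, make([]byte, g.NonceSize()), blob[priv.Size():], nil)
}

type Cert struct { // the two key fields of a user device certificate 28
	PUUser    *rsa.PublicKey // (PU-USER)
	WrappedPR []byte         // (PU-BBx(PR-USER))
}

// Issue follows figure 5 minus the signing step 515; db stands in for database 32.
func Issue(db map[string]*rsa.PrivateKey, id string, puBB *rsa.PublicKey) (*Cert, error) {
	user, ok := db[id] // step 503; a hit is step 519
	if !ok {
		k, err := rsa.GenerateKey(rand.Reader, 2048) // step 505
		if err != nil {
			return nil, err
		}
		user, db[id] = k, k // step 507
	}
	w, err := Seal(puBB, x509.MarshalPKCS1PrivateKey(user)) // steps 509, 511
	return &Cert{PUUser: &user.PublicKey, WrappedPR: w}, err // steps 513, 517
}

// RecoverKD is the black box side: (PR-BBx) -> (PR-USER) -> (KD).
func RecoverKD(prBB *rsa.PrivateKey, c *Cert, wrappedKD []byte) ([]byte, error) {
	der, err := Open(prBB, c.WrappedPR)
	if err != nil {
		return nil, err
	}
	prUser, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	return Open(prUser, wrappedKD)
}

func Demo() (bb1OK, bb2OK, crossFails bool) {
	bb1, _ := rsa.GenerateKey(rand.Reader, 2048) // (PU-BB1, PR-BB1)
	bb2, _ := rsa.GenerateKey(rand.Reader, 2048) // (PU-BB2, PR-BB2)
	db := map[string]*rsa.PrivateKey{}
	c1, _ := Issue(db, "user@example.test", &bb1.PublicKey)
	c2, _ := Issue(db, "user@example.test", &bb2.PublicKey)
	kd := "0123456789abcdef0123456789abcdef" // constructed sample (KD)
	lic, _ := Seal(c1.PUUser, []byte(kd))    // license 16 carries (PU-USER(KD))
	k1, _ := RecoverKD(bb1, c1, lic)
	k2, _ := RecoverKD(bb2, c2, lic)
	_, err := RecoverKD(bb2, c1, lic) // BB2 cannot open the certificate bound to BB1
	return string(k1) == kd, string(k2) == kd, err != nil
}

func main() { fmt.Println(Demo()) }
```

Because every copy of the certificate carries the same (PR-USER), the protection of the license on all registered devices is only as strong as the weakest black box holding it.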

Server features

The user device certificate server 30 and the user device database 32 may implement, among others, the following server functions:

Quota function - In one embodiment of the present invention, the server 30 and database 32 together control whether a user can be bound to multiple computing devices 14 and, if so, how. In particular, based on the information about the user held in the database 32, for example how many user device certificates 28 have been issued to the user and how many certificates 28 may be issued to the user, the server 30 can enforce a maximum number of computing devices 14 to which the user is bound by way of corresponding user device certificates 28. In addition, based on information from the database 32 about when each user device certificate 28 was issued to the user, the server 30 can enforce restrictions on how often certificates 28 are issued. It should be noted that the maximum number and the restrictions are defined by the administrator of the server 30 as the strategy of the server 30, and that the server must maintain the relevant information in the user's record in the database 32 in order to enforce the strategy. Of course, such a strategy can have any degree of complexity and can be any appropriate strategy without departing from the scope of the present invention. As one possible strategy, a user can be bound to a maximum number (N) of computing devices 14, but (N) is incremented by 1 every 60 days.

Pre-licensing - To request a license 16 from a licensor (the entity that issues the license), (PU-USER) is presented to the licensor, usually in the form of a certificate such as the user device certificate 28, and the license includes the content key (KD) of the corresponding content 12 encrypted under (PU-USER) to yield (PU-USER(KD)). This is the case when the requesting party is the user. However, according to Fig. 6, in one embodiment, because the server 30 and database 32 have a record for the user with (PU-USER), a party other than the user may request a license 16 on behalf of the user simply by presenting the user's (PU-USER) (step 601) or the user's ID (step 603), together with other relevant information.

Assuming that the licensor is the user device certificate server 30 or a server that has access to the server 30, and that the item presented is the user ID, as in step 603, the server 30 determines from the user device database 32, based on the user ID, whether a record with (PU-USER) exists for that user (step 605). If so, the server 30 obtains (PU-USER) from the record (step 607), and (PU-USER) is then used to create the license 16 on behalf of the user by encrypting the content key (KD) of the corresponding content 12 under (PU-USER) to yield (PU-USER(KD)) (step 609). The created license 16 and the corresponding content 12 may then be sent to the user, who can then play the content 12 with the license 16 on any computing device 14 for which the user has already obtained a corresponding user device certificate 28 with (PR-USER). Such playback can take place even if the user never requested the content 12 or the license 16, and even if the user is not currently connected to the rest of the DRM system 10.

When the server 30 determines from the user device database 32, based on the user ID, that no record with (PU-USER) exists for the user, as in step 605, then in one embodiment of the present invention the server 30 may create a new public key/secret key pair (PU-USER, PR-USER) for the user and store the pair in the database 32 (step 611). Processing then continues at step 609, where the newly created (PU-USER) is used to create the license 16 on behalf of the user. Although the user does not yet have a user device certificate 28 based on (PU-USER, PR-USER), the user need only identify itself to the server 30 and request such a certificate 28, as in figure 5.

Of course, when the item presented is the user's (PU-USER), as in step 601, the database 32 need not be consulted at all. Instead, (PU-USER) is used to create the license 16 on behalf of the user by encrypting the content key (KD) of the corresponding content 12 under (PU-USER) to yield (PU-USER(KD)), as in step 609. As before, the created license 16 and the corresponding content 12 may then be sent to the user, who can then play the content 12 in accordance with the license 16 on any computing device 14 for which the user has already obtained a corresponding user device certificate 28 with (PR-USER).

Temporary user device certificate 28 - To enable playback of the content 12 on a shared public computing device 14, in one embodiment of the present invention the server 30 may, at the user's request, create a temporary user device certificate 28 based on a predefined strategy. In particular, the temporary certificate 28 should have a relatively short VALIDITYTIME, perhaps on the order of 15-30 minutes, and may have its SECURITYLEVEL flag set to temporary. The trusted component 18 on the computing device 14 is accordingly trusted to honor the temporary certificate 28 only for the short VALIDITYTIME, and may store the temporary certificate 28 only in RAM. Therefore, after the user leaves the shared public computing device 14, the temporary certificate 28 has either already expired or will soon expire, and the temporary certificate 28 is destroyed when the RAM is erased. It should also be noted that a licensor may choose not to issue a license 16 to the user on the basis of a temporary certificate 28.
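The quota and issuance-frequency strategy described under the quota function, including the variant in which (N) grows by 1 every 60 days, can be expressed as a check that the server 30 runs before issuing a certificate 28. The following Go program is an added example, not code from the patent; the `Policy` and `Record` types, counting growth from creation of the user record, and not charging a re-issue to an already bound device are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var (
	ErrRate  = errors.New("issued too recently")
	ErrQuota = errors.New("device quota reached")
)

// Policy is the administrator's strategy for server 30. Field names are
// illustrative; the page does not define a policy format.
type Policy struct {
	BaseMax     int           // (N) when the user record is created
	GrowEvery   time.Duration // (N) is incremented by 1 per elapsed period; 0 disables
	MinInterval time.Duration // minimum gap between two issuances; 0 disables
}

// Record is the per-user state database 32 must keep to enforce the policy.
type Record struct {
	Created time.Time
	Issued  map[string]time.Time // device ID -> time of its latest certificate 28
}

// Limit returns the device allowance at time now.
// Assumption: growth is counted from creation of the user record.
func (p Policy) Limit(r *Record, now time.Time) int {
	if p.GrowEvery <= 0 || !now.After(r.Created) {
		return p.BaseMax
	}
	return p.BaseMax + int(now.Sub(r.Created)/p.GrowEvery)
}

// Decide applies the frequency check, then the quota, and records a grant.
// Assumption: re-issuing to an already bound device uses no extra quota slot.
func (p Policy) Decide(r *Record, device string, now time.Time) error {
	for _, t := range r.Issued {
		if p.MinInterval > 0 && now.Sub(t) < p.MinInterval {
			return ErrRate
		}
	}
	if _, bound := r.Issued[device]; !bound && len(r.Issued) >= p.Limit(r, now) {
		return ErrQuota
	}
	r.Issued[device] = now
	return nil
}

// Scenario replays constructed requests against N=2, +1 every 60 days, 24 h spacing.
func Scenario() []error {
	day := 24 * time.Hour
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed start date
	p := Policy{BaseMax: 2, GrowEvery: 60 * day, MinInterval: day}
	r := &Record{Created: t0, Issued: map[string]time.Time{}}
	return []error{
		p.Decide(r, "BB1", t0),                // first device
		p.Decide(r, "BB2", t0.Add(time.Hour)), // too soon after BB1
		p.Decide(r, "BB2", t0.Add(2*day)),     // second device
		p.Decide(r, "BB3", t0.Add(5*day)),     // N=2 already used
		p.Decide(r, "BB3", t0.Add(61*day)),    // N grew to 3 after 60 days
	}
}

func main() {
	for i, err := range Scenario() {
		fmt.Println(i+1, err)
	}
}
```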

CONCLUSION

Although the present invention is particularly useful in connection with a computing device 14 such as a personal computer, the present invention can be applied and implemented in connection with any appropriate device without departing from the scope of the present invention, for example a server, a smart appliance, a networked portable device, etc. Accordingly, the device 14 should be interpreted as including any suitable device that has a DRM system 10 or that participates in the DRM architecture.

The programming necessary to implement the processes performed in connection with the present invention is relatively simple and should be clear to those skilled in programming. Accordingly, such programming is not attached. Any specific programming may be used to carry out the present invention without departing from its essence and scope.

From the preceding description it can be seen that the present invention provides a new and useful method and mechanism for binding a digital license 16 to a user rather than to a particular computing device 14, by way of a user object/certificate 28. In addition, the present invention provides a new and useful method and mechanism for binding the user, by way of the user object/certificate 28, to each of several particular computing devices 14, while limiting the number of particular computing devices 14 to which any particular user object/certificate 28 is bound. Therefore, the license 16 is bound to each of the multiple computing devices 14. It should be clear that changes can be made to the embodiments described above without departing from the concepts of the invention. Therefore, it should be clear that this invention is not limited to the specific embodiments disclosed, but is intended to cover modifications within the nature and scope of the present invention, as defined by the attached claims.

1. A digital rights management (DRM) system for enabling playback of digital content by a user on multiple computing devices in accordance with a corresponding digital license, the system comprising: a first trusted component on a first one of the computing devices for performing cryptographic processing and evaluation and for enforcing DRM for the first one of the computing devices, the first trusted component being associated with the first one of the computing devices and having associated with it a first public key/secret key pair (PU-1, PR-1), wherein the first trusted component contains a first black box with (PR-1) and a first black box certificate, the first one of the computing devices has an associated first hardware identifier (HWID), and the first black box certificate includes (PU-1) and the first HWID; a first user device certificate associated with the first one of the computing devices and associated with an identifier (ID) of the user, whereby the first trusted component can obtain the content for playback on the first one of the computing devices by means of the first user device certificate and the license, the license being associated with the content and with the user; a second trusted component on a second one of the computing devices for performing cryptographic processing and evaluation and for enforcing DRM for the second one of the computing devices, the second trusted component being associated with the second one of the computing devices and having associated with it a second public key/secret key pair (PU-2, PR-2), wherein the second trusted component contains a second black box with (PR-2) and a second black box certificate, the second one of the computing devices has an associated second HWID, and the second black box certificate includes (PU-2) and the second HWID; and a second user device certificate associated with the second one of the computing devices and associated with the user ID, whereby the second trusted component can obtain the content for playback on the second one of the computing devices by means of the second user device certificate and the license, wherein the user has associated with it a public key/secret key pair (PU-USER, PR-USER).

2. The DRM system according to claim 1, in which the content is encrypted according to a content key (KD) to yield the encrypted content (KD(content)), and the license includes (KD) encrypted according to (PU-USER) to yield the encrypted content key (PU-USER(KD)); the first user device certificate includes (PU-USER) and also includes (PR-USER) encrypted according to (PU-1) to yield the encrypted secret key (PU-1(PR-USER)), whereby the first trusted component can apply (PR-1) to (PU-1(PR-USER)) from the first user device certificate to obtain (PR-USER), can apply (PR-USER) to (PU-USER(KD)) from the license to obtain (KD), and can apply (KD) to (KD(content)) to obtain the content for playback on the first one of the computing devices; and the second user device certificate includes (PU-USER) and also includes (PR-USER) encrypted according to (PU-2) to yield (PU-2(PR-USER)), whereby the second trusted component can apply (PR-2) to (PU-2(PR-USER)) from the second user device certificate to obtain (PR-USER), can apply (PR-USER) to (PU-USER(KD)) from the license to obtain (KD), and can apply (KD) to (KD(content)) to obtain the content for playback on the second one of the computing devices.

3. A method of enabling playback of digital content by a user on multiple computing devices in accordance with a corresponding digital license, the method comprising: providing a first trusted component on a first one of the computing devices for performing cryptographic processing and evaluation and for enforcing DRM for the first one of the computing devices, the first trusted component being associated with the first one of the computing devices and having associated with it a first public key/secret key pair (PU-1, PR-1), wherein the first trusted component contains a first black box with (PR-1) and a first black box certificate, the first one of the computing devices has an associated first hardware identifier (HWID), and the first black box certificate includes (PU-1) and the first HWID; providing a first user device certificate associated with the first one of the computing devices and associated with the user ID, whereby the first trusted component can obtain the content for playback on the first one of the computing devices by means of the first user device certificate and the license, the license being associated with the content and with the user; providing a second trusted component on a second one of the computing devices for performing cryptographic processing and evaluation and for enforcing DRM for the second one of the computing devices, the second trusted component being associated with the second one of the computing devices and having associated with it a second public key/secret key pair (PU-2, PR-2), wherein the second trusted component contains a second black box with (PR-2) and a second black box certificate, the second one of the computing devices has an associated second HWID, and the second black box certificate includes (PU-2) and the second HWID; and providing a second user device certificate associated with the second one of the computing devices and associated with the user ID, whereby the second trusted component can obtain the content for playback on the second one of the computing devices by means of the second user device certificate and the license, wherein the user has associated with it a public key/secret key pair (PU-USER, PR-USER).

4. The method according to claim 3, in which the content is encrypted according to a content key (KD) to yield the encrypted content (KD(content)), and the license includes (KD) encrypted according to (PU-USER) to yield the encrypted content key (PU-USER(KD)), the method further comprising: providing the first user device certificate, which includes (PU-USER) and also includes (PR-USER) encrypted according to (PU-1) to yield the encrypted secret key (PU-1(PR-USER)), whereby the first trusted component can apply (PR-1) to (PU-1(PR-USER)) from the first user device certificate to obtain (PR-USER), can apply (PR-USER) to (PU-USER(KD)) from the license to obtain (KD), and can apply (KD) to (KD(content)) to obtain the content for playback on the first one of the computing devices; and providing the second user device certificate, which includes (PU-USER) and also includes (PR-USER) encrypted according to (PU-2) to yield the encrypted secret key (PU-2(PR-USER)), whereby the second trusted component can apply (PR-2) to (PU-2(PR-USER)) from the second user device certificate to obtain (PR-USER), can apply (PR-USER) to (PU-USER(KD)) from the license to obtain (KD), and can apply (KD) to (KD(content)) to obtain the content for playback on the second one of the computing devices.

5. A method of enabling playback of digital content by a user on multiple computing devices, the content being encrypted according to a content key (KD) to yield the encrypted content (KD(content)), and the user having a public key/secret key pair (PU-USER, PR-USER) associated with a user ID, the method comprising: obtaining a license associated with the content and with the user, the license including (KD) encrypted according to (PU-USER) to yield the encrypted content key (PU-USER(KD)); obtaining a first trusted component on a first one of the computing devices for performing cryptographic processing and evaluation and for enforcing DRM for the first one of the computing devices, the first trusted component having associated with it a first public key/secret key pair (PU-1, PR-1), wherein the first trusted component contains a first black box with (PR-1) and a first black box certificate, the first one of the computing devices has an associated first hardware identifier (HWID), and the first black box certificate includes (PU-1) and the first HWID; obtaining a first user device certificate associated with the first one of the computing devices, the first user device certificate including (PU-USER) associated with the user ID and also including (PR-USER) encrypted according to (PU-1) to yield the encrypted secret key (PU-1(PR-USER)); applying (PR-1) to (PU-1(PR-USER)) from the first user device certificate to obtain (PR-USER); applying (PR-USER) to (PU-USER(KD)) from the license to obtain (KD) on the first one of the computing devices; applying (KD) to (KD(content)) to obtain the content for playback on the first one of the computing devices; obtaining a second trusted component on a second one of the computing devices for performing cryptographic processing and evaluation and for enforcing DRM for the second one of the computing devices, the second trusted component having associated with it a second public key/secret key pair (PU-2, PR-2), wherein the second trusted component contains a second black box with (PR-2) and a second black box certificate, the second one of the computing devices has an associated second HWID, and the second black box certificate includes (PU-2) and the second HWID; obtaining a second user device certificate associated with the second one of the computing devices, the second user device certificate including (PU-USER) associated with the user ID and also including (PR-USER) encrypted according to (PU-2) to yield the encrypted secret key (PU-2(PR-USER)); applying (PR-2) to (PU-2(PR-USER)) from the second user device certificate to obtain (PR-USER); applying (PR-USER) to (PU-USER(KD)) from the license to obtain (KD) on the second one of the computing devices; and applying (KD) to (KD(content)) to obtain the content for playback on the second one of the computing devices.

6. A method of providing a user device certificate associated with a particular computing device and associated with a particular user ID, to enable playback of digital content by the particular user on the particular computing device in accordance with a corresponding digital license, the method comprising: receiving from the user a request for the user device certificate with respect to the computing device, the request including the user ID and a computing device certificate associated with the computing device, the computing device certificate including a public key (PU-x) associated with the computing device; determining, based on the user ID, whether a record for the user exists in a user device database; if the record does not exist, creating the record for the user in the database, the record including the user ID and a public key/secret key pair for the user (PU-USER, PR-USER); if the record exists, locating the record for the user in the database; obtaining (PU-x) from the computing device certificate associated with the computing device; encrypting (PR-USER) according to (PU-x) to yield the encrypted secret key (PU-x(PR-USER)); forming (PU-USER) and (PU-x(PR-USER)) into the user device certificate to be provided; and returning the formed user device certificate to the user, whereby the content is encrypted according to a content key (KD) to yield the encrypted content (KD(content)), the license is associated with the content and with the user and includes (KD) encrypted according to (PU-USER) to yield the encrypted content key (PU-USER(KD)), and a first trusted component of the computing device having a private key (PR-x) corresponding to (PU-x) can decrypt the content for playback on the computing device by applying (PR-x) to (PU-x(PR-USER)) from the user device certificate to obtain (PR-USER), applying (PR-USER) to (PU-USER(KD)) from the license to obtain (KD), and applying (KD) to (KD(content)) to obtain the content, wherein the first trusted component includes a first black box with (PR-x) and a first black box certificate, the computing device has an associated first hardware identifier (HWID), and the first black box certificate includes (PU-x) and the first HWID.

7. The method according to claim 6, further comprising placing in the user device certificate to be provided the time of creation of the user device certificate and the time during which the user device certificate is valid.

8. The method according to claim 6, further comprising placing in the user device certificate to be provided a flag indicating whether the user device certificate is permanent or temporary.

9. The method according to claim 6, further comprising signing the formed user device certificate before returning it to the user.

10. The method according to claim 6, comprising, to enable playback of digital content by a particular user on each of multiple computing devices according to the corresponding digital license: receiving from the user multiple requests, each of which is a request for a certificate of the user device in relation to a particular one of the computing devices, where the request includes the user ID and a computing device certificate associated with the particular one of the computing devices, and the computing device certificate includes a public key (PU-x) associated with the particular one of the computing devices; and, for each request: determining, based on the user ID, the public key/secret key pair for the user (PU-USER, PR-USER); obtaining (PU-x) from the computing device certificate associated with the request; encrypting (PR-USER) according to the obtained (PU-x) to produce the encrypted secret key (PU-x(PR-USER)); forming (PU-USER) and (PU-x(PR-USER)) into the certificate of the user device to be provided for the request; and returning the generated certificate of the user device to the user; whereby the second trusted component of any computing device can decrypt the content for playback on that computing device by applying (PR-x) to (PU-x(PR-USER)) from the corresponding certificate of the user device to obtain (PR-USER), applying (PR-USER) to (PU-USER(KD)) from the license to obtain (KD), and applying (KD) to (KD(content)) to obtain the content.

11. The method according to claim 6, comprising determining, based on a predefined policy, whether the certificate of the user device should be provided to the user, and providing such certificate of the user device only if the predefined policy permits it.

12. The method according to claim 11, comprising enforcing a maximum number of computing devices for which the user is to be provided with a corresponding certificate of the user device.

13. The method according to claim 11, comprising enforcing the frequency with which a certificate of the user device is provided to the user.

14. A method of providing a digital license to a requestor that requests the license on behalf of a user, to enable playback of the corresponding digital content by the user in accordance with the digital license, where the content is encrypted according to a content key (KD) to obtain the encrypted content (KD(content)), the method comprising: receiving the user ID from the requestor; determining in the database, based on the user ID, whether there is an entry for the user with the public key of the user (PU-USER); if the entry does not exist, creating a database entry for the user, where the entry includes the user ID and a public key/secret key pair (PU-USER, PR-USER); if the entry exists, locating the entry for the user in the database; applying (PU-USER) to encrypt the content key (KD) for the content to produce the encrypted content key (PU-USER(KD)); forming (PU-USER(KD)) into the license to be provided, which is associated with the content and with the user; and returning the generated license to the requestor; whereby the requestor sends the license to the user, and the user, having (PR-USER), can decrypt the content by applying (PR-USER) to (PU-USER(KD)) from the license to obtain (KD) and applying (KD) to (KD(content)) to obtain the content; wherein a trusted component on a computing device can obtain the content for playback on the computing device by means of a certificate of the user device and the license, the certificate of the user device being associated with the computing device and with the user ID; the trusted component has an associated public key/secret key pair (PU-1, PR-1) and contains a first black box with (PR-1) and a first black box certificate; the computing device has an associated first hardware identifier (HWID); and the first black box certificate includes (PU-1) and the first HWID.

15. DRM system according to claim 1, in which the license is cryptographically associated with the content and with the user.

16. The method according to claim 3, in which the license is cryptographically associated with the content and with the user.
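The key chain of claims 6, 10 and 14 and the device-count policy of claim 12, worked through as an added example (not code from the patent or any DRM product). It assumes textbook RSA over known Mersenne primes and a SHA-256 XOR keystream as toy stand-ins for the public-key and content ciphers; `Server`, `make_device`, `render` and the sample user and HWID values are hypothetical.

```python
import hashlib
import secrets

E = 65537
# Known Mersenne primes, used only so the toy keys are reproducible offline.
M61, M89, M107, M127 = (2**k - 1 for k in (61, 89, 107, 127))

def toy_keypair(p, q):
    """Textbook RSA (no padding), a stand-in for PU/PR. Returns ((n, e), d)."""
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))

def pu(pub, m):
    """PU(m): encrypt the integer m under a public key (n, e)."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message does not fit under this key")
    return pow(m, e, n)

def kd_cipher(kd, data):
    """KD(content): XOR with a SHA-256 counter keystream (toy; self-inverse)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(kd.to_bytes(32, "big") + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class Server:
    """Hypothetical certificate and license server sharing one user database."""
    def __init__(self, max_devices):
        self.max_devices = max_devices
        self.db = {}

    def _record(self, user_id):
        # Create (PU-USER, PR-USER) on first contact, otherwise locate the record.
        if user_id not in self.db:
            pub, priv = toy_keypair(M61, M89)  # a real server makes a fresh pair per user
            self.db[user_id] = {"pu_user": pub, "pr_user": priv, "hwids": set()}
        return self.db[user_id]

    def issue_certificate(self, user_id, device_cert):
        rec = self._record(user_id)
        hwid = device_cert["hwid"]
        # Policy check: cap the number of distinct devices per user.
        if hwid not in rec["hwids"] and len(rec["hwids"]) >= self.max_devices:
            raise PermissionError("device limit reached for this user")
        rec["hwids"].add(hwid)
        return {"user_id": user_id, "pu_user": rec["pu_user"],
                "pu_x_pr_user": pu(device_cert["pu_x"], rec["pr_user"])}

    def issue_license(self, user_id, kd):
        rec = self._record(user_id)
        return {"user_id": user_id, "pu_user_kd": pu(rec["pu_user"], kd)}

def make_device(hwid, p, q):
    pub, priv = toy_keypair(p, q)
    return {"cert": {"hwid": hwid, "pu_x": pub}, "pr_x": priv}

def render(device, user_cert, lic, encrypted):
    """Trusted component: PR-x -> PR-USER -> KD -> content."""
    if user_cert["user_id"] != lic["user_id"]:
        raise PermissionError("license belongs to a different user")
    n_x = device["cert"]["pu_x"][0]
    pr_user = pow(user_cert["pu_x_pr_user"], device["pr_x"], n_x)
    kd = pow(lic["pu_user_kd"], pr_user, user_cert["pu_user"][0])
    return kd_cipher(kd, encrypted)

def demo():
    content = b"constructed sample content"   # constructed input
    kd = secrets.randbits(128)
    encrypted = kd_cipher(kd, content)
    server = Server(max_devices=2)
    dev_a = make_device("HWID-A", M89, M107)
    dev_b = make_device("HWID-B", M107, M127)
    dev_c = make_device("HWID-C", M89, M127)
    cert_a = server.issue_certificate("alice", dev_a["cert"])
    cert_b = server.issue_certificate("alice", dev_b["cert"])
    lic = server.issue_license("alice", kd)    # one license for both devices
    try:
        server.issue_certificate("alice", dev_c["cert"])
        third_denied = False
    except PermissionError:
        third_denied = True
    return {"a": render(dev_a, cert_a, lic, encrypted) == content,
            "b": render(dev_b, cert_b, lic, encrypted) == content,
            "cert_a_on_b": render(dev_b, cert_a, lic, encrypted) == content,
            "third_denied": third_denied}
```

The `cert_a_on_b` result shows that a certificate copied to another device does not yield the content, because (PR-USER) is recoverable only with the (PR-x) of the device it was issued for.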



 

Similar patents:

FIELD: information technologies.

SUBSTANCE: invention relates to a method of controlling the decoding of a set of program traffic received by a receiving system. In the method, a sequence of messages is received in a conventional access subsystem (9, 10) of the receiving system, where each message is associated with one of a set of coded program traffic and represents a request to return information enabling decoding of the associated coded traffic by at least one decoding module (12) within the receiving system. It is detected whether messages received within a certain interval are associated with different items of the coded program traffic set, and at least one of the requests presented by the messages received within that interval is rejected if the number of different coded program traffics with which these messages are associated exceeds a preset value.

EFFECT: creation of receiving system, portable protector which enables program traffic provider to control program traffic set to which user of receiving system simultaneously addresses.

16 cl, 2 dwg

FIELD: information technology.

SUBSTANCE: decoder and subscription television data control system proposed contain at least two decoders, each of those is connected to at least one removable protective module. The protection is realised using identification data, contained in the decoder and protective module indicated. Besides, each of the decoders contains a descrambler and subscription television data processing deactivation units. Each decoder also contains a counter, which influences the deactivation units mentioned. Besides, at least one of the removable protective modules is assigned as primary and therefore contains decoder counter reinitialisation units.

EFFECT: provision of capability to regulate decoder operation time and to adjust operation parameters at any time using protective module.

19 cl, 13 dwg

FIELD: information encryption.

SUBSTANCE: system contains an encrypted data broadcasting centre, at least one control centre, a terminal device, a decoder located between the encrypted data broadcasting centre and the terminal device, the decoder includes an encrypted data reception and decryption module and a data access authority control module; the data access authority control module contains a protection module.

EFFECT: provision of system allowing to simplify access authority control at broadcasting centre level and ensuring optimal data security.

12 cl, 2 dwg

FIELD: receivers/decoders of services, provided with certain conditions, in particular in a system for accessing an encrypted data stream, priced per time unit.

SUBSTANCE: system contains control center (2), which transmits a data stream through a broadcasting channel, encrypted by means of control words, which are included in composition of access control messages, and meant for receipt by at least one user device (1), connected to safety block (3), having unique address and containing credit, which is reduced with purchase of products or consumption of data stream, where safety block (3) is provided with means for reducing credit for value, dependent on product, or for value, dependent on duration of access to data stream, where aforementioned values and/or duration are determined in access control messages or in conditional access messages, and system contains means, made independent from user device (1), for transmitting identifier, representing a unique number, and price code which indicates size of credit subject to load, in control center (2), and control center (2) additionally contains devices for receipt and verification of price code and for transmission of an encrypted message through broadcasting channel, having a unique address, corresponding to identifier, and giving a command to the safety block (3) to load the credit in defined amount.

EFFECT: development of a new approach to provision of access to paid television for broad clientele, substantially reduced subscriber management related costs.

5 cl, 1 dwg

FIELD: receivers/decoders of services, provided in conditional access mode, in particular, receivers having storage block (memorization device), such as a hard drive.

SUBSTANCE: method is claimed for storing an event, encrypted with usage of at least one control word (CW) in receiver/decoder (STB), connected to safety block (SC), where at least one control word and access privileges for aforementioned event are contained in access control messages (ECM-messages), method includes following operations: recording of encrypted event, and also of at least one ECM-message in storage block; transmission of at least one ECM-message into safety block (SC), verification of the fact that safety block (SC) contains access privileges for aforementioned event, generation of receipt (Q), which contains data related to management of event in reproduction mode, where receipt (Q) contains signature (SGN), generated on basis of the whole ECM-message or its part with usage of secret key (K) contained in safety block (SC) and specific for every safety block, where during later consumption of event the authenticity of the receipt (Q) is verified in prioritized manner compared to conventional access privileges, stored in safety block (SC), storage of aforementioned receipt (Q) in storage block.

EFFECT: provision of method for storing an event.

6 cl, 3 dwg

FIELD: cryptographic protocols, in particular, efficient encoding at content level.

SUBSTANCE: method is provided for generation of digital data with cryptographic protection, encoding content and composed into messages. Encoding of at least a part of the message is performed and encoded messages are provided in form of output signal in format, allowing the interface of server service to compose a message in form of at least one packet, including at least one header and useful load, where at least one header includes information, which allows the service interface in the client to assemble each message for decoding application using useful load of packets. Each message is divided onto the first and at least one additional section of the message. At least one of the message sections is encoded in such a way that it may be decoded independently from other message sections. Assembly of encrypted message is performed by addition of resynchronization marker, separating the message section from adjacent message section and including precise information about synchronization, at least for additional sections of the message.

EFFECT: synchronized decoding process in case of data loss.

14 cl, 8 dwg

FIELD: copy/access protection.

SUBSTANCE: audio/video stream processing system includes module for inputting audio/video stream, which receives audio/video stream, containing field of information about audio/video content, including first copy control information, and audio/video content field, including second copy control information; reading module which extracts first and second copy control information from received audio/video stream and determines whether first copy control information is modified; and module for decoding audio/video stream, which processes received audio/video stream in accordance to predetermined criteria, if first copy control information is modified.

EFFECT: protection of content, prevented unsanctioned processing of content.

15 cl, 8 dwg

FIELD: engineering of systems for loading and reproducing protective unit of content.

SUBSTANCE: in accordance to invention, in receiving device 110 for protected preservation of unit 102 of content on carrier 111 of information unit 102 of content is stored in protected format and has associated license file, file 141 of license being encrypted with usage of open key, associated with a group of reproduction devices 120,121, and, thus, each reproduction device 121 in group can decrypt file 141 of license and reproduce unit 102 of content, and devices not belonging to group can not do that, while device 121 for reproduction may provide the open key, specific for given device, to system for controlling content distribution, and then system for controlling content distribution returns secret key for group, encrypted with open key of device 121 for reproduction, after that device 121 of reproduction by protected method receives secret key of group and may decrypt file 141 of license.

EFFECT: creation of system for loading and reproducing protected unit of content, making it possible to constantly control usage of unit of content.

3 cl, 4 dwg

FIELD: digital audio and video technologies.

SUBSTANCE: device for storing information is made with possible receipt of data carrier, decoder is made with possible receipt of compressed encoded signals from data carrier and transmitting signals to decrypter. Decrypter is made with possible decryption of compressed encoded data encrypted data and transmitting these to decompressor. Decompressor is made with possible receipt of compressed encoded signals from decrypter and decompression of compressed encoded signals to reproduce the image.

EFFECT: higher precision, higher efficiency.

3 cl, 17 dwg

FIELD: broadcasting systems.

SUBSTANCE: method includes broadcasting of message, including text portion intended to reach user, while said message is transferred in form of conditional access message.

EFFECT: broader functional capabilities.

5 cl, 7 dwg

FIELD: physics, computer technology.

SUBSTANCE: invention concerns digital rights management system. (DRM) features multiple DRM servers with DRM functionality, and incoming server DRM-I is registered in the system by registration server DRM-R, so that incoming server DRM-I should be a trust server in this system. DRM-I server sends registration request to DRM-R server including representative identification data and public key (PU-E). DRM-R server checks validity of representative identification data, and if the request can be met, DRM-R server generates digital registration certificate by (PU-E) for DRM-I server for registration of DRM-I server in DRM system. Just registered DRM-I server with generated registration certificate can use it for delivery of documents with DRM in DRM system.

EFFECT: possible controlled reproduction or replay of arbitrary digital content forms in medium where documents are shared by a definite group of users.

74 cl, 17 dwg

FIELD: physics, computer technology.

SUBSTANCE: invention deals with data protection systems. A certificate-based encryption mechanism is described in which the client source computer does not access the whole of the certificate corresponding to the client target computer when encrypting an e-message to be transferred to the client target computer. Instead, the client source computer sends the certificate server a request for only part of the certificate. That part of the certificate contains encryption information but may omit (completely or partly) the certificate self-checking information. The certificate server preferably carries out any check of the certificate's authenticity before transferring the encryption information to the client source computer, which removes the need for the client source computer to perform the certificate authenticity check itself, especially if the client source computer has checked the certificate server for trustworthiness.

EFFECT: reduction of amount of memory and processor resources used for certificate-based encryptation as well as minimisation of requirements to the width of band between certificate server and client source device.

36 cl, 8 dwg

FIELD: physics.

SUBSTANCE: invention is related to methods of usage data collection for television broadcast receivers. Method of usage data collection from broadcast receiver is suggested, whereat receiver is arranged to detect and save such usage data. Method involves representation (16, 18) of confidentiality policy to receiver that identifies not only the usage data subjected to collection, but also preset usage of such data. On receiver interactive or automatic determination (22) whether received policy of confidentiality is acceptable is carried out. If yes, receiver picks up (30) usage data identified in confidentiality policy from storage, and sends them (28) to sender of confidentiality policy.

EFFECT: increased confidentiality of usage of information about habits of users viewing.

15 cl, 3 dwg

FIELD: physics.

SUBSTANCE: invention is related to method for data recording for memory of portable terminal and to memory carrier. Method for recording data for memory of portable terminal contains a stage of reading, at which data is read that is saved on memory carrier of portable terminal; stage of data comparison, at which identifying data are compared, which are individual for user of portable terminal and read from memory carrier, with user registration data registered earlier, and a record command is brought to device of data reading/recording, only when data is approved; recording stage involving recording applied data required for portable terminal to memory carrier under the condition that at the stage of data comparison a record command is sent; stage of activation involving activation of portable terminal, to which memory carrier is connected. Memory carrier contains program, by means of which actions of the said method are enabled.

EFFECT: safety of saving data required for activation of portable telephone.

2 cl, 44 dwg

FIELD: information technology.

SUBSTANCE: registration page with the interface for user mandate input is available on the client system and the entered mandate is sent to the server. As a response to receipt of the user mandate, the server generates a unique session identifier for the client system. The server also receives a digital signature for the user mandate based on the current key in the memory of cyclically changed keys and unique session identifier. Then the server encrypts the digital signature and the user mandate based on the encryption key obtained from the current key and unique session identifier. The encrypted mandate being received with the client system, the keys from the memory of cyclically changed keys are used for checking validity of the mandate. With the user mandate not approved, the user is again transferred to the registration page.

EFFECT: provision of encrypted user mandate processing.

12 cl, 7 dwg

FIELD: information technology.

SUBSTANCE: publishing user is provided with the publication certificate from the DRM server, creates the content, ciphers it with the content key (CK), creates a rights mark for this content with open key of the DRM-server (PU-DRM), for generation (PU-DRM(CK)), restores (PU-ENTITY(PR-OLP)) from the publication certificate, applies secret key (PR-ENTITY) of the corresponding (PU-ENTITY) to the (PU-ENTITY(PR-OLP)) for obtaining (PR-OLP), sign the created rights mark using (PR-OLP), connects SRL and the publication certificate with encrypted content for creation a content package distributed to another user, that must connect with the DRM-server for obtaining a license with CK for playback of the content, creates the license data corresponding with the content package, with (CK), encrypted (PU-ENTITY) for generation of (PU-ENTITY(CK)), signs the license data using (PR-OLP) and attaches the publication certificate to the publication license.

EFFECT: possibility of the content publishing without initial receipt of permission from the server and license issuing for playback of the published content without permission from the server.

20 cl, 17 dwg

FIELD: technological processes.

SUBSTANCE: invention is related to the sphere of cryptographic devices and methods of checking electronic digital signature (EDS). In the method the secret key (SK) is formed, which includes three prime many-digit binary numbers ρ, q and γ. The open key (OK) is formed, which contains three many-digit binary numbers n, α and β, where n=Eρq+l, E - even number, α - number, which is related to index q by module n, and β - number, which is related to index γ by module q. Electronic document (ED) is accepted in the form of many-digit binary number H, electronic digital signature (EDS) Q is formed depending on values of SK, OK and many-digit binary number H, the first checking many-digit binary number A is formed depending on Q, intermediate many-digit binary number W is formed depending on OK and many-digit binary number H, the second checking many-digit binary number B is formed depending on W, and numbers A and B are compared. In case parameters of numbers A and B match, conclusion is drawn about authenticity of electronic digital signature.

EFFECT: reduces size of electronic digital signature without reduction of its resistance level.

8 cl

FIELD: technological processes.

SUBSTANCE: invention is related to the sphere of electrical communication, namely to the sphere of cryptographic devices and methods of electronic digital signature (EDS) check. In the method the secret key (SK) is formed, which includes three many-digit binary numbers (MDN) p, q and γ, where p, q are prime numbers and γ is composite number. The open key (OK) is formed in the form of two many-digit binary numbers n and α, where n = pq and α - number, which is related to index q by module n. Electronic document (ED) is accepted in the form of many-digit binary number H. Electronic digital signature (EDS) Q is formed depending on values of SK, OK and many-digit binary number H. The first checking many-digit binary number A is formed depending on Q. The intermediate many-digit binary number W is generated depending on OK and many-digit binary number H. The second checking many-digit binary number B is formed depending on W, and numbers A and B are compared. In case parameters of A and B numbers match, conclusion is drawn about authenticity of electronic digital signature.

EFFECT: reduces size of electronic digital signature without reduction of its resistance level.

10 cl, 6 ex

FIELD: digital rights control system.

SUBSTANCE: system contains first user device designed for query message setup and transfer, indicating transaction to be run in relation to digital content of at least one object of digital rights (OR), rights issuer aimed to receive query message from first user device, to identify transaction and to process this transaction and to provide access rights to digital content conjointly with server for second user device designed to receive information on stated access right concession. Receive of mentioned information by second user device on digital content access right concession is confirmation of execution of this right to second user device. Method describes operation of mentioned system.

EFFECT: ability of authorized user to transfer partially used or unused object of right to another user and return of OR.

49 cl, 15 dwg, 2 tbl

FIELD: portable electronic devices.

SUBSTANCE: portable electronic device includes memory to store a secret code in the form of pre-defined character sequence; rotating device with touch surface providing for user tactile impact and installed in such a manner as to provide for rotation around its axis; feedback tools separated from the rotating device to provide for feedback to user when turning the rotating device; conversion tool to convert each turn in sequence of turns of the rotating device to a character of corresponding ordered test character sequence, and verification tool to verify the test character sequence by comparing it with pre-defined character sequence.

EFFECT: user convenience during input of test character sequence along with provision of security and restriction of access to the device or to its individual functions.

33 cl, 7 dwg

FIELD: information technologies.

SUBSTANCE: the transmitter processes (for example, codes, partitions, interleaves and modulates) each data packet for each parallel channel based on the rate chosen for that parallel channel, and obtains multiple symbol blocks for the packet. For each data packet the transmitter transmits one symbol block at a time on the parallel channel until the receiver recovers the packet or all blocks have been transmitted. The receiver carries out detection and obtains the symbol blocks transmitted on the parallel channels. The receiver recovers the data packets transmitted on the parallel channels independently or in a designated order. The receiver processes (for example, demodulates, deinterleaves, reassembles and decodes) all symbol blocks obtained for each data packet and outputs the decoded packet. The receiver can estimate and cancel the interference caused by recovered data packets, so that data packets recovered later can reach a higher signal-to-noise-and-interference ratio (SNJR).

EFFECT: maintenance of transmission with accruing redundancy on numerous parallel channels.

63 cl, 17 dwg, 2 tbl
