
Digital rights management apparatus and method. RU patent 2504005.

IPC classes for Russian patent RU 2504005 (Digital rights management apparatus and method):

H04L9/14 - using a plurality of keys or algorithms
G09C1/00 - Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system (cryptographic typewriters G09C0003000000)
G06F21/44 - ELECTRIC DIGITAL DATA PROCESSING (computers in which a part of the computation is effected hydraulically or pneumatically G06D, optically G06E; computer systems based on specific computational models G06N; impedance networks using digital techniques H03H)

FIELD: information technology.

SUBSTANCE: the method comprises the steps of: encoding a digital program so as to link said digital program with an authentication agent, by packing the digital program and the authentication agent into a single item of digital content. Said authentication agent includes program code executed by a device, wherein the device can reproduce said digital program and execute the program code. The program code is configured to authenticate the device when executed in the device; said digital content, which includes said digital program and said authentication agent, is provided to said device. Said digital program is encrypted via a first encryption algorithm, and the decryption key of the first encryption algorithm is encrypted via a second encryption algorithm and is stored in the authentication agent.

EFFECT: performing device authentication and authorisation independent from an authentication server.

14 cl, 7 dwg


THE TECHNICAL FIELD TO WHICH THE INVENTION RELATES

The present invention relates to digital rights management (DRM) technology, and in particular to a method of protecting digital rights based on encryption and device authentication, and to a device and method for playing back DRM-protected digital content.

PRIOR ART

Digitized information requires a dedicated technology to strengthen the copyright protection of digitized content such as audio and video programs; such a technology is called digital rights management (DRM).

In general, DRM operates as follows. A digital content authorization center first encodes and compresses the digital program, encrypts it with a key, and stores the content ID and the address of the authorization center in the header of the encrypted digital content. When a user plays the digital content, the authorization center authenticates and authorizes the user according to the content ID and address data in the program header, and then sends the user a permission with the embedded decryption key, after which the digital content can be played. Because the protected content is encrypted, even if the user downloads and stores it, it cannot be played without authorization and authentication by the digital program authority. The copyright of the program is therefore strictly protected.

In the prior art there are three DRM modes. One is device-based DRM, in which the right to play a unit of digital content is granted to one or more devices; another is user-based DRM, in which this right is granted to a user; and the third is hybrid DRM, in which the right is granted to either a user or a device, meaning that any user can play the encrypted digital content on an authorized device and an authorized user can play the encrypted digital content on any device.

Fig. 1A shows a DRM system of the prior art. As shown in Fig. 1A, such a DRM system generally includes a Service Provider (SP), a Rights Publisher, a DRM terminal and a data carrier. The Service Provider and the Rights Publisher are usually linked and may be combined. The data carrier may be network-attached storage (NAS) or various types of removable media. The DRM terminal may be a software or hardware component with a built-in program that can be installed on a device. Said device may be any of various terminals having a playback function, such as a mobile phone with a player, a Personal Digital Assistant (PDA), a subscriber receiver, a laptop computer, an MP3 player, an MP4 player, an e-book reader, etc. Playback, as used herein, includes reading digital text content. The DRM function of the device is provided by a built-in DRM module.

Fig. 1B shows a block diagram of DRM in the prior art. As shown in the figure, the client device first receives digital content, including an encrypted program, from the publisher of digital content. Each item of digital content includes not only the encrypted digital program but also several other components, such as the title. The digital program may be in audio, video, text or another format. The content may be distributed or obtained by download from websites, by publication on CD, by distribution through IPTV, by wireless data transmission, etc. Consequently, before playback begins, the device must obtain a permission from the Rights Publisher according to the direction or instructions in the digital content, and only then play the program in the digital content under that permission.

Yet the prior-art DRM technology also has disadvantages that need to be overcome. For example, in device-based DRM, before granting a right to a device the Rights Publisher must check whether the device is compliant on the basis of white lists and black lists, and if the device is not compliant, the Rights Publisher does not grant the right to the device. In user-based or hybrid DRM, real-time authentication of the device being used must first be performed; but when the device is offline, the authentication center cannot issue a permission in real time or authenticate the device's copyright status, so it is difficult to establish whether the device is authorized to play the digital content.

SUMMARY OF THE INVENTION

The objective of the invention is to provide a digital rights management device and method that allow it to be established whether a device has the right to play digital content, regardless of whether the device is connected to the authentication server.

According to one embodiment, the invention provides a method of providing digital content to a user. The method includes the following stages: encoding the digital program so that the digital program is associated with an authentication agent, said authentication agent including a block of code that is executed by a device capable of playing said digital program, in order to authenticate the device; and providing, online or offline, the digital content, which includes said digital program and the authentication agent, to said device.

In this embodiment the digital program is encrypted using a first encryption algorithm. The decryption key CK of the first encryption algorithm is encrypted with a second encryption algorithm and stored in the authentication agent. The block of code is also executed to decrypt the encrypted key CK after the identity of the device has passed authentication, so as to obtain the key CK and send it to the DRM module in the device, whereupon said DRM module decrypts the encrypted digital program of the digital content; or, after the identity of the device has passed authentication, the authentication agent sends the encrypted key CK to the DRM module of the device, so that the DRM module decrypts the encrypted CK and ultimately decrypts the encrypted digital program of the digital content with CK. Said DRM module is a DRM module pre-installed in the device.

In accordance with another embodiment, the invention provides a method of playing digital content. Said method comprises the following stages: receiving digital content from the service provider, said digital content including a digital program and an authentication agent; executing said authentication agent (301) to authenticate the device; decrypting the digital program (304) after successful authentication; and playing the decrypted digital content.

In accordance with another embodiment, the invention provides a method of offline authentication of a device's certification for playback of digital content, which comprises: embedding an authentication agent in the digital content so that, when said digital content is loaded into a device, the authentication agent runs and authenticates whether the device is certified for playback of the digital content.

In accordance with another embodiment, a device for playing digital content is provided. Said device includes: a module for receiving digital content from the service provider, said digital content including a digital program and an authentication agent; a DRM module for launching the authentication agent to authenticate the device and for decrypting the digital program after successful authentication; and a playback tool for playing the digital program.

As can be seen, a significant advantage of the invention is that it allows digital rights to be authenticated offline in order to determine whether the device is a trusted playback device; this authentication can be performed on the device itself, reducing the load on the server and making it possible to authenticate copyright in any suitable location without being restricted by network availability.

Other objects and advantages, together with a more complete understanding of the invention, will become apparent and appreciated from the following description and claims, taken together with the accompanying drawings.

BRIEF DESCRIPTION OF DRAWINGS

Fig. 1A shows a schematic drawing of a DRM scheme of the prior art;

Fig. 1B shows a block diagram of playback of encrypted digital content in the prior art;

Fig. 2 shows a schematic drawing of a DRM system according to one embodiment of the present invention;

Fig. 3 shows a schematic drawing of the component units of digital content transformed by the digital content encoding method, according to one embodiment of the present invention;

Fig. 4 shows a schematic drawing of the components of a permission according to one embodiment of the present invention;

Fig. 5A shows a block diagram of playback of digital content according to one embodiment of the present invention;

Fig. 5B shows a block diagram of playback of digital content according to one embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

First, the encryption scheme used in the present invention is illustrated. To make the description clearer and more concise, the following two formulas are used:

Y = E_k(x)    (1),

where E is the encryption algorithm, x is the message to be encrypted, Y is the encrypted message, and k is the cipher key used to encrypt the message;

Y = D_k(x)    (2),

where D is the decryption algorithm, x is the message to be decrypted, Y is the decrypted message, and k is the cipher key used to decrypt the message.

Table 1. Ciphers

Cipher      Explanation of the properties
CK          Symmetric key used to encrypt and decrypt the digital program
(Pa, Pb)    Key pair used to encrypt and decrypt CK

Two groups of ciphers are used in the invention: one is the symmetric key CK, used to encrypt the digital program when the Service Provider (SP) distributes the digital content and to decrypt it on the device; the other is the asymmetric cipher pair (Pa, Pb), used to protect the key CK, in which Pa is the key encryption key (KEK) and Pb is the key decryption key (KDK). Pa is used to encrypt CK by the algorithm Y = E_Pa(CK), and Pb is used to decrypt it by the decryption algorithm Y = D_Pb(x).
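The two cipher groups of Table 1 and the agent-mediated flow of the embodiment above, as an added example in Go that is not part of the patent: CK is an AES-256-GCM key, (Pa, Pb) an RSA-OAEP key pair, and the agent's authentication is stood in for by a check of the device's built-in ID against a constructed allow-list; the algorithms, the `Package`/`Play`/`Demo` names and the sample data are all assumptions, since the patent specifies none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Content is the packaged digital content of the embodiment: the program
// encrypted under CK (Y = E_CK(x)) plus the agent carrying E_Pa(CK).
type Content struct {
	Program []byte // nonce || AES-GCM ciphertext of the digital program
	Agent   Agent
}

// Agent stands in for the authentication agent; its allow-list of device IDs
// is a hypothetical stand-in for the check its code block performs.
type Agent struct {
	AllowedDevices map[string]bool
	EncryptedCK    []byte // E_Pa(CK), RSA-OAEP (assumed algorithm)
}

// Package is the service-provider side: fresh CK, program encrypted with it
// (AES-256-GCM, assumed), CK wrapped under the KEK Pa and embedded in the agent.
func Package(program []byte, pa *rsa.PublicKey, allowed map[string]bool) (*Content, error) {
	ck := make([]byte, 32)
	if _, err := rand.Read(ck); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(ck)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	encProgram := append(nonce, gcm.Seal(nil, nonce, program, nil)...)
	encCK, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pa, ck, []byte("CK"))
	if err != nil {
		return nil, err
	}
	return &Content{Program: encProgram, Agent: Agent{AllowedDevices: allowed, EncryptedCK: encCK}}, nil
}

// Play is the device side: the agent authenticates the device by its built-in
// ID without contacting a server; only on success is CK unwrapped with the
// KDK Pb (Y = D_Pb(x)) and used, as the DRM module would, to decrypt the program.
func Play(c *Content, deviceID string, pb *rsa.PrivateKey) ([]byte, error) {
	if !c.Agent.AllowedDevices[deviceID] {
		return nil, errors.New("device authentication failed: CK withheld")
	}
	ck, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, pb, c.Agent.EncryptedCK, []byte("CK"))
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(ck)
	if err != nil {
		return nil, err
	}
	if len(c.Program) < gcm.NonceSize() {
		return nil, errors.New("encrypted program too short")
	}
	// GCM also authenticates the ciphertext, so a tampered program fails to open.
	return gcm.Open(nil, c.Program[:gcm.NonceSize()], c.Program[gcm.NonceSize():], nil)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Demo runs the flow on constructed sample data and reports whether the
// listed device plays the program and an unlisted device is refused.
func Demo() (authorizedPlays bool, unknownRefused bool, err error) {
	pb, err := rsa.GenerateKey(rand.Reader, 2048) // Pb; &pb.PublicKey is Pa
	if err != nil {
		return false, false, err
	}
	program := []byte("constructed sample digital program")
	content, err := Package(program, &pb.PublicKey, map[string]bool{"DEV-0001": true})
	if err != nil {
		return false, false, err
	}
	out, err := Play(content, "DEV-0001", pb)
	authorizedPlays = err == nil && string(out) == string(program)
	_, err = Play(content, "DEV-9999", pb)
	unknownRefused = err != nil
	return authorizedPlays, unknownRefused, nil
}
```

Note that CK is never stored in the clear in the package: the device only obtains it after the agent's check passes and Pb is applied, which is the property the offline scheme relies on.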

Below, the digital rights protection system is illustrated on the basis of an embodiment.

Referring to Fig. 2, the digital rights protection system 100 consists of the Service Provider (SP) 201 and the device 202.

The Service Provider 201 is supported by a server and contains two modules, the rights provision module 2012 and the digital content provision module 2011, which grant permissions and provide digital content, respectively. The two modules can be combined within a single server or placed on two separate servers. They are not required to provide their services at the same time. In accordance with the embodiment, one possible case is that the digital content provision module 2011 provides digital content online while the rights provision module 2012 grants permissions offline; another is that the module 2011 provides digital content offline while the module 2012 grants permissions online; and, moreover, both the module 2011 and the module 2012 may provide digital content and permissions online, or both offline. The permission stipulates the rules under which the device may play the digital content. The device 202 cannot play digital content without a permission.

The online supply mode includes the transfer and exchange of data between the Service Provider and the device via the Internet, a WAP network, wireless data services and other wireless-interface technologies. The offline supply mode includes storing the digital content on a magnetic disk, optical disc or other removable data medium and transmitting the digital content by traditional means of data delivery.

The device 202 can be any type of digital terminal with a playback function, such as a mobile phone with a player, a Personal Digital Assistant (PDA), a subscriber receiver, a laptop computer, an MP3 player, an MP4 player, an e-book reading device, etc. According to one embodiment, the device 202 additionally contains a storage module 2023 or, alternatively, a storage module 2024; the device 202 has a built-in device identification ID, whose identification code can be read and used to authenticate the device 202. The storage module 2024 can store the digital content and permissions received from the Service Provider 201.

The digital rights management function of the device 202 is performed by the DRM module 2022. The DRM module 2022 can be independent software, a plug-in program element or a hardware circuit. According to one embodiment, the DRM module 2022 is taken to be independent software. As a rule, the DRM module 2022 is provided by the Service Provider 201 or by another entity or entities authorized by the Service Provider 201. An identification code is predefined in the DRM module 2022 to establish the identity of the DRM module 2022. This identity can be bound to the original device that plays the digital content. Alternatively, the DRM module 2022 may be arranged, as required, to authenticate the digital content beforehand and to play only digital content whose authenticity has been verified.

In accordance with the embodiment, among the digital content of the Service Provider 201, each item of digital content 300 includes not only the digital program to be played but also a built-in authentication agent 301. The authentication agent 301 is actually a software module, executed on the device 202, which is used to authenticate (on behalf of the Service Provider 201) whether the playback device 202 (DRM module) is a valid, i.e. authorized, user. This can be realized by checking whether the identification code of the DRM module 2022 is that of one of the trusted users. In this way, digital rights are protected offline.

In accordance with the embodiment, the device 202 contains a receiving module 2021 for receiving the digital content provided by the Service Provider 201 and the authentication agent built into the digital content.

In accordance with the embodiment, the device 202 additionally contains a playback module 2023 for playing digital programs in accordance with the permission obtained by the device 202; the module 2023 can be an audio/video decoding means, such as an MPEG-2 or MPEG-4 decoder, etc., and the right of reproduction is limited by the permission.

In accordance with an embodiment of the invention, when the Service Provider 201 distributes a digital program at the request of a user (online or offline), it is usually necessary first to convert the digital program into a standard format such as wma, asf, wmv, etc. and to encrypt the digital program using a suitable algorithm. Generally, in order not to place too much computational load on the device, symmetric cryptography is used, that is, the same key is used for both encryption and decryption. Of course, other encryption methods can also be used. In addition to the encrypted digital program, other relevant data are added to the content, a digital signature is created, and the digital program is packaged into a single item of digital content. The encoding used when the Service Provider 201 provides digital content is explained in detail below with reference to Fig. 3.

Fig. 3 shows the units of digital content, as transformed by the encoding of the digital content, in accordance with the embodiment of the present invention. As shown in the figure, the digital content 300 includes an encrypted digital program 304, an authentication agent 301, a content ID 302 and some other optional components. Alternatively, it may also include a digital signature 303. The content ID 302 is used to indicate the serial number of the digital content. The digital signature 303 can reflect the authenticity of the publisher of the digital content and protect the integrity of the content. If the digital content 300 is damaged, this will be detected by verifying the signature 303.

In addition, in accordance with Fig. 3, the authentication agent 301 contains the authentication agent ID 3011, the code block 3012, the encrypted key CK 3013, the digital signature 3014, etc. The authentication agent ID 3011 indicates the serial number of the authentication agent 301, linking it to the related program content. The digital signature 3014 can attest the authenticity of the publisher of the authentication agent 301 and protect the integrity of the authentication agent 301. The key CK is the key for decrypting the encrypted digital program. The code 3012 can perform two functions: one is to authenticate the trustworthiness of the playback device 202 through a built-in blacklist or whitelist; the other is to decrypt the encrypted key CK 3013, or to deliver the key-decryption key to the DRM module 2022, which then decrypts the key CK. This decryption is performed with the key-decryption key Pb using the decryption algorithm of formula (2). Alternatively, the authentication agent 301 can also contain the key-decryption key Pb.
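The two-tier key scheme of Table 1 and the package layout of Fig. 3, as an added worked example that is not code from the patent: the Service Provider encrypts the program with CK, wraps CK under Pa (Y = E_Pa(CK)), signs the package, and the device verifies the signature, unwraps CK with Pb and decrypts the program. Everything concrete here is an assumption made for illustration: a SHA-256 counter-mode keystream stands in for the symmetric cipher, textbook RSA over small fixed primes stands in for the (Pa, Pb) pair and for the Service Provider's signing pair, and the serialization, field names and sample program bytes are constructed. None of it is production cryptography or the patent's own algorithm.

```python
"""Toy model of the CK / (Pa, Pb) key scheme and the digital content package (Fig. 3).

Constructed example, not the patent's code. Stand-ins (assumptions): a SHA-256
keystream replaces E_CK / D_CK, textbook RSA with small fixed primes replaces the
asymmetric pairs. Do not use either as real cryptography.
"""
import hashlib
import secrets


def rsa_pair(p: int, q: int):
    """Return ((e, n), (d, n)) for textbook RSA; one helper serves both key pairs."""
    n = p * q
    e = 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)


def rsa_apply(m: int, key) -> int:
    """Raw modular exponentiation with a (exponent, modulus) key."""
    exp, n = key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, exp, n)


# Fixed, well-known primes so the example is reproducible (constructed choice).
PA, PB = rsa_pair(1000000007, 998244353)            # KEK Pa (SP side), KDK Pb (in the agent)
SIGN_PUB, SIGN_PRIV = rsa_pair(999999937, 2147483647)  # Service Provider signing pair

CK_LEN = 7  # bytes; kept short so int(CK) stays below the toy modulus


def keystream_xor(ck: bytes, data: bytes) -> bytes:
    """Stand-in for E_CK / D_CK: XOR with SHA-256(CK || block counter). Self-inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(ck + (i // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def digest_int(data: bytes, key) -> int:
    """SHA-256 of data, reduced below the modulus so the toy RSA can sign it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % key[1]


def serialize(content_id: str, enc: bytes, agent_id: str, wrapped_ck: int) -> bytes:
    """Deterministic byte string covered by the content signature (303)."""
    return b"|".join([content_id.encode(), enc, agent_id.encode(), str(wrapped_ck).encode()])


def package_content(program: bytes, content_id: str, agent_id: str) -> dict:
    """Service Provider side: encrypt with CK, wrap CK under Pa, sign the package."""
    ck = secrets.token_bytes(CK_LEN)
    enc = keystream_xor(ck, program)                                  # encrypted program 304
    wrapped_ck = rsa_apply(int.from_bytes(ck, "big"), PA)             # 3013: Y = E_Pa(CK)
    body = serialize(content_id, enc, agent_id, wrapped_ck)
    return {
        "content_id": content_id,                                     # 302
        "encrypted_program": enc,
        "agent": {"agent_id": agent_id, "wrapped_ck": wrapped_ck},    # 301 (code 3012 not modelled)
        "signature": rsa_apply(digest_int(body, SIGN_PRIV), SIGN_PRIV),  # 303
    }


def verify_package(pkg: dict) -> bool:
    """DRM module checks signature 303 before trusting anything in the package."""
    body = serialize(pkg["content_id"], pkg["encrypted_program"],
                     pkg["agent"]["agent_id"], pkg["agent"]["wrapped_ck"])
    return rsa_apply(pkg["signature"], SIGN_PUB) == digest_int(body, SIGN_PUB)


def recover_program(pkg: dict) -> bytes:
    """Device side: verify, unwrap CK with Pb (CK = D_Pb(Y)), then decrypt the program."""
    if not verify_package(pkg):
        raise ValueError("content signature invalid: damaged or not from the Service Provider")
    ck = rsa_apply(pkg["agent"]["wrapped_ck"], PB).to_bytes(CK_LEN, "big")
    return keystream_xor(ck, pkg["encrypted_program"])


if __name__ == "__main__":
    sample = b"constructed sample program bytes, standing in for a wma/asf/wmv file"
    pkg = package_content(sample, "content-0001", "agent-0001")
    assert recover_program(pkg) == sample
    print("round trip ok; wrapped CK =", pkg["agent"]["wrapped_ck"])
```

The signature check runs before the wrapped CK is touched, which is the order stages S503 and S504 below prescribe: a package whose content ID, ciphertext or wrapped key has been altered is rejected without CK ever being released to the DRM module.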

Fig. 4 shows schematically the components of a permission 400 in accordance with the embodiment of the present invention. The permission 400, issued by the Service Provider, mainly includes: a permission ID 401, a content ID 402, a playback restriction 403, validity period data 404 and a digital signature 405. There may be other optional parts. The permission ID 401 reflects the serial number of the permission 400, and the content ID 402 reflects the program content to which the permission 400 applies. The validity period data 404 limit the time during which the permission 400 is valid, and the signature 405 reflects the authenticity of the publisher and/or the date of issue of the permission 400 and protects the integrity of the permission.

The implementation of the digital rights management function during playback of digital programs on the device is described in detail below, with reference to Figs. 5A and 5B.

A DRM module is pre-installed on the device; it is usually provided by the Service Provider (the intermediary) that provides the digital content. DRM modules provided by different intermediaries may differ, i.e. a DRM module provided by one Service Provider may only be usable for playback of digital content from that Service Provider; or several intermediaries may share the same compatible DRM module, in which case the DRM module provided by a single Service Provider can play digital content provided by several Service Providers (SP).

The DRM module of the device must obtain from the Service Provider a permission to play the digital content in order to play the digital content received from the Service Provider. The permission may be obtained by downloading it from the Service Provider or by other physical means in accordance with the instructions, such as purchasing an optical disc on which the permission is stored. The user can download the received permission and the DRM software to the device, or even load them onto a portable storage medium (such as a USB disk) and carry them for use on many devices. The permission establishes the playback rights of the DRM module, i.e. the playback rules.

The key-decryption key Pb can be stored in the authentication agent or in the storage module of the device.

In accordance with the embodiment in which the key-decryption key Pb is stored in the authentication agent, as shown in Fig. 5A, the process by which the device receives and reproduces digital content includes the following steps.

Stage S501: acquisition of digital content

The user of the device 202 receives the desired digital content 300 from the Service Provider 201, online or offline.

When the user finds, via a network or other advertisements, a digital program that he likes, he can obtain the digital content containing that digital program online or offline, for example by downloading it via the network or by purchasing an optical disc, etc. The digital program in the digital content is encrypted. When the Service Provider packs the digital program into digital content, in addition to encrypting the digital program it adds other data, including the authentication agent, the ID, etc. The Service Provider then forms the digital content package and creates a digital signature.

Alternatively, after the DRM module 2022 receives the digital content 300, it may check whether the permission 400 for reproducing that digital content has already been obtained: if the permission has not been received, the device must first obtain the permission from the Service Provider by request and then proceed to stage S502; if the permission has already been received, the permission 400 is read and stage S502 is skipped.

Stage S502: obtaining the permission

The user must obtain a permission 400 to play the digital content; it is required by the DRM module 2022 of the device. The permission 400 can be a special permission for one or more items of digital content, or it can be a universal permission for all digital content provided by the server. Preferably, the digital content registers a web site from which the permission can be downloaded, so that the user's device can download the permission from that web site. The permission can also be obtained offline, stored on a medium. The permission specifies the playback restrictions, such as the number of reproductions, the playback time, whether the digital content may be saved, whether it may be printed, whether it may be modified and, where supported, whether a captured image (snapshot) may be taken, etc.

For a Service Provider that profits from digital rights management, obtaining a permission may be a transaction that requires payment, online or offline.

Stage S503: authentication of trustworthiness

Optionally, the device 202 first checks whether the received digital content 300 has been damaged: the DRM module 2022 extracts from the received digital content the digital signature of the digital content and the digital signature of the authentication agent and verifies them, namely to determine whether the digital content and the authentication agent are intact, that is, whether they have been illegally tampered with and whether the digital content was provided by the Service Provider. The purpose of this is to allow the DRM module 2022 of the device 202 to play only digital content 300 received from the Service Provider 201. Since the DRM module 2022 is also generally available from the Service Provider 201, this encourages the device user to obtain legal digital content from the Service Provider.

The program 3012 of the authentication agent runs on the device 202, and the authentication agent 301 begins to authenticate whether the device 202 is a trusted playback device. This can be realized by checking whether the DRM module of the device is trusted, or by reading the serial number inherent to the device. The authentication method uses whitelist or blacklist technology (other ways of determining the trustworthiness of the device are of course not excluded), or authentication can be performed on both. Such a whitelist and blacklist can be stored in the authentication agent. The Service Provider can continually update the built-in blacklist and whitelist during the distribution of digital content, in line with the development and updating of devices.

If authentication succeeds, which indicates that the device (i.e. the DRM module) is legally assigned or belongs to the specified community of devices, the process proceeds to the next step.

Stage S504: decryption of the encrypted key to obtain CK, using Pb

The authentication agent 2021 retrieves the encrypted key CK (3013) and uses the decryption algorithm CK = D_Pb(encrypted CK) to decrypt the encrypted key CK. The key-decryption key Pb is added to the authentication agent when the Service Provider distributes the digital content. The key CK is then passed to the DRM module. In actual use, the key decryption algorithm D can hardly be reverse-engineered, so it is considered safe.

Stage S505: the DRM module 2022 uses the key CK to decrypt the encrypted digital program. Generally, it is assumed that the encryption algorithms used are pre-compiled into the DRM module, and they can be supported by special hardware. The file header of the digital content may define the encryption and decryption algorithms used for the content. The DRM module decrypts the digital content with the CK obtained in stage S504, using the algorithm specified in the file header of the digital content.

The DRM module reads the permission and sends the digital program to the playback kernel, such as an MPEG-2 or MPEG-4 playback kernel, Flash Player or a text-reading device, for it to be reproduced.
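The device-side decisions of stage S503 (the authentication agent's whitelist/blacklist check) and the enforcement of the permission 400 of Fig. 4 when the DRM module reads it before playback, as an added example that is not the patent's code. The class names, the reason strings, the sample device IDs, dates and limits, and two policy details are assumptions made for illustration: a blacklisted device is rejected even if it is also whitelisted, and an empty whitelist accepts any device that is not blacklisted. Verification of the permission's signature 405 and of the content signatures is assumed to have happened already (it is not modelled here).

```python
"""Device-side gatekeeping: agent 301 device check, then permission 400 enforcement.

Constructed example, not the patent's code. Signature checks are assumed done.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AuthenticationAgent:
    """Agent 301 as seen by the DRM module: its ID and the built-in device lists.
    (The code block 3012 and the wrapped key 3013 are not modelled here.)"""
    agent_id: str
    whitelist: FrozenSet[str] = frozenset()
    blacklist: FrozenSet[str] = frozenset()

    def device_is_trusted(self, device_id: str) -> bool:
        """Assumed policy: blacklist wins; an empty whitelist means 'any non-blacklisted device'."""
        if device_id in self.blacklist:
            return False
        return not self.whitelist or device_id in self.whitelist


@dataclass
class Permission:
    """Permission 400: ID 401, content ID 402, restriction 403, validity period 404."""
    permission_id: str
    content_id: str                 # "*" models a universal permission for all content
    max_plays: Optional[int]        # None = unlimited number of reproductions
    valid_from: datetime
    valid_until: datetime
    allow_save: bool = False
    allow_print: bool = False
    allow_modify: bool = False
    allow_snapshot: bool = False


class DrmModule:
    """Runs the agent's device check first, then applies the permission to each action."""

    def __init__(self, device_id: str, agent: AuthenticationAgent, permission: Permission):
        self.device_id = device_id
        self.agent = agent
        self.permission = permission
        self.plays_used = 0

    def authorize(self, content_id: str, action: str, now: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). Only a granted 'play' consumes one reproduction."""
        if not self.agent.device_is_trusted(self.device_id):
            return False, "device failed authentication agent check"
        p = self.permission
        if p.content_id not in ("*", content_id):
            return False, "permission is for different content"
        if not (p.valid_from <= now <= p.valid_until):
            return False, "permission outside its validity period"
        if action == "play":
            if p.max_plays is not None and self.plays_used >= p.max_plays:
                return False, "play count exhausted"
            self.plays_used += 1
            return True, "play granted"
        flags = {"save": p.allow_save, "print": p.allow_print,
                 "modify": p.allow_modify, "snapshot": p.allow_snapshot}
        if action not in flags:
            return False, "unknown action"
        return flags[action], f"{action} {'granted' if flags[action] else 'denied by restriction'}"


# Constructed sample data: device IDs, dates and limits are illustrative only.
AGENT = AuthenticationAgent("agent-0001", whitelist=frozenset({"dev-A", "dev-C"}),
                            blacklist=frozenset({"dev-B"}))
PERMISSION = Permission("perm-0001", "content-0001", max_plays=2,
                        valid_from=datetime(2024, 1, 1, tzinfo=timezone.utc),
                        valid_until=datetime(2024, 12, 31, tzinfo=timezone.utc),
                        allow_snapshot=True)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def demo() -> list:
    """Run a sequence of decisions and return the (allowed, reason) pairs."""
    results = []
    trusted = DrmModule("dev-A", AGENT, PERMISSION)
    results.append(trusted.authorize("content-0001", "play", NOW))      # granted (1 of 2)
    results.append(trusted.authorize("content-0001", "play", NOW))      # granted (2 of 2)
    results.append(trusted.authorize("content-0001", "play", NOW))      # play count exhausted
    results.append(trusted.authorize("content-0001", "print", NOW))     # denied by restriction
    results.append(trusted.authorize("content-0001", "snapshot", NOW))  # granted
    results.append(DrmModule("dev-B", AGENT, PERMISSION).authorize("content-0001", "play", NOW))  # blacklisted
    late = datetime(2025, 3, 1, tzinfo=timezone.utc)
    results.append(DrmModule("dev-C", AGENT, PERMISSION).authorize("content-0001", "play", late))  # expired
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The order of the checks mirrors the stages: no permission field is consulted until the device has passed the agent's list check, and the play counter is only advanced on a granted play, so a denied attempt never consumes one of the reproductions the permission allows.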

In accordance with an embodiment of the invention in which the key-decryption key is included in the permission, referring to Fig. 5B, playback of the digital content on the device differs from the previous embodiment in that, in the key decryption stage S504', the authentication agent reads the pre-arranged key-decryption key Pb from the fixed data medium of the device and then obtains CK using the key decryption algorithm. The remaining stages are essentially the same.

Moreover, the digital signature verification mentioned above can use different methods of creating the signature, such as a public-key signature. In the present invention, to simplify the solution, a public-key signature is used, but this does not exclude other electronic signature technologies. In the case of a public-key signature, the key and the algorithm for verifying the signature may be built into the DRM module, and the DRM module verifies the digital signature using that algorithm and key. If the digital signature is valid, this means that the content was provided by the Service Provider and has not been damaged.

A person skilled in the relevant field should understand that any block diagram and drawing of the components of the functional modules included in the technical solution disclosed in the invention represents a variety of processes which can be embodied on a machine-readable medium so that they can be executed by a computer or processor, whether or not such a computer or processor is shown in detail. It should be clear that the invention is not limited to the embodiments described above and their improvements. A person skilled in the relevant field will be able to make changes and improvements without departing from the idea and scope of the appended claims. In the claims, any reference characters placed in parentheses shall not be interpreted as limiting the claims. The word «containing» does not exclude the presence of steps or elements other than those listed in the claims. The singular article before an element does not exclude the presence of a plurality of such elements. The invention can be implemented by hardware comprising several individual elements and/or by a suitably programmed processor. In a device claim listing several means, some of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in different independent claims does not mean that a combination of these measures cannot be used to advantage.

1. A method of granting authorization for a digital program (304), comprising the stages of: encoding the digital program (304) so as to associate the digital program (304) with an authentication agent (301) by packing the digital program (304) and the authentication agent (301) into a single item of digital content, the authentication agent (301) including code (3012) executed by a device (202), the device (202) being able to play the digital program (304) and to execute the code, the code being configured to authenticate the trustworthiness of the device (202) when run on the device; and providing the device (202) with the digital content (300), which includes the digital program (304) and the authentication agent (301), wherein the digital program (304) is encrypted by a first encryption algorithm, and the decryption key of the first encryption algorithm is encrypted by a second encryption algorithm and stored in the authentication agent (301).

2. The method according to claim 1, wherein the code (3012) is also executed to decrypt the encrypted key (3013) after the identity of the device (202) has passed authentication, so as to obtain the key and send it to the digital rights management (DRM) module (2022) in the device (202), and the DRM module then decrypts the encrypted digital program (304) in the digital content (300); the DRM module (2022) is a DRM module pre-installed on the device.

3. The method according to claim 2, wherein the authentication agent (301) optionally includes a key-decryption key for decrypting the encrypted key (3013); the program code (3012) of the authentication agent (301) is executed in order to retrieve the key-decryption key from the authentication agent (301) and to decrypt the encrypted key (3013) in accordance with a predetermined decryption algorithm corresponding to the second encryption algorithm.

4. The method according to claim 2, wherein, after receiving the decrypted digital program, the DRM module (2022) controls the playback of the digital program in accordance with the previously obtained permission (400).

5. The method according to claim 4, wherein the permission (400) stipulates the rights and rules for the device to play the digital content.

6. A method of playing digital content on a device (202), comprising the stages of: (a) receiving digital content (300) from a Service Provider (201), the digital content (300) including a digital program (304) and an authentication agent (301); (b) launching the authentication agent (301) to authenticate the trustworthiness of the device; (c) decrypting the digital program (304) after successful authentication; and (d) playing the digital program (304), wherein the digital program (304) is encrypted by a first encryption algorithm and the decryption key, after having been encrypted by a second encryption algorithm, is embedded in the authentication agent (301).

7. The method according to claim 6, wherein in stage (b) the authentication agent (301) authenticates the trustworthiness of the device by comparing an ID pre-installed on the device with a whitelist or blacklist built into the authentication agent (301).

8. The method according to claim 6, wherein stage (b) includes the stage of invoking the key-decryption key embedded in the authentication agent (301) to decrypt the encrypted key (3013).

13. A device for playing digital content, comprising: a receiving means for receiving digital content (300) from a Service Provider (201), the digital content (300) including a digital program (304) and an authentication agent (301); a DRM module (2022) for launching the authentication agent (301) to authenticate the trustworthiness of the device (202) and for decrypting the digital program (304) after successful authentication; and a playback means for playing the decrypted digital program (304).

14. The device according to claim 13, wherein the digital content (300) additionally includes a content ID (302) and a content digital signature (303), which conveys information such as the authenticity of the publisher (201) of the digital content and the time, and also protects the integrity of the data.
