U.S. patent application number 11/509867 was filed with the patent office on 2007-02-08 for systems and methods for governing content rendering, protection, and management applications.
This patent application is currently assigned to InterTrust Technologies Corporation. Invention is credited to Michael K. MacKay, David P. Maher.
Application Number | 20070033407 11/509867 |
Document ID | / |
Family ID | 36951954 |
Filed Date | 2007-02-08 |
United States Patent Application | 20070033407 |
Kind Code | A1 |
MacKay; Michael K.; et al. | February 8, 2007 |
Systems and methods for governing content rendering, protection, and management applications
Abstract
System and methods are disclosed for governing digital rights
management systems and other applications through the use of
supervisory governance applications and keying mechanisms.
Governance is provided by enabling the supervisory applications to
revoke access keys and/or to block certain file system calls, thus
preventing governed applications from accessing protected
electronic content.
Inventors: | MacKay; Michael K.; (Los Altos, CA); Maher; David P.; (Livermore, CA) |
Correspondence Address: | FINNEGAN, HENDERSON, FARABOW, GARRETT & DUNNER, LLP, 901 NEW YORK AVENUE, NW, WASHINGTON, DC 20001-4413, US |
Assignee: | InterTrust Technologies Corporation, Santa Clara, CA |
Family ID: | 36951954 |
Appl. No.: | 11/509867 |
Filed: | August 25, 2006 |
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number |
09874744 | Jun 4, 2001 | 7107448 |
11509867 | Aug 25, 2006 | |
60209454 | Jun 4, 2000 | |
Current U.S. Class: | 713/171 |
Current CPC Class: | H04L 9/0877 20130101; H04L 2209/603 20130101; H04L 9/0891 20130101; H04L 2463/101 20130101; G06F 21/60 20130101; H04L 9/0822 20130101; H04L 63/062 20130101 |
Class at Publication: | 713/171 |
International Class: | H04L 9/00 20060101 H04L009/00 |
Claims
1-18. (canceled)
19. A method of controlling access to electronic content by an
application program running on a host computer system, the method
including: generating a request to access a piece of electronic
content, the request being generated by the application program and
comprising, at least in part, a call to a conformance library
running on the host computer system; and in response to the call to
the conformance library, connecting the conformance library to a
governance engine on the host computer system, the governance
engine being operable to govern, at least in part, the operation of
the application program, the governance engine performing the
following steps: (i) performing an integrity check on the
application program, the integrity check being operable to (a)
detect improper modifications to at least part of the application
program and (b) deny access to the piece of electronic content if
an improper modification is detected; and (ii) performing an
authorization check, the authorization check being operable to (a)
determine if the application program is authorized to access
electronic content and (b) deny access to the piece of electronic
content if authorization is not detected; and retrieving the piece
of electronic content from a file system of the host computer
system if permitted by the governance engine.
20. A method as in claim 19, wherein the application program
comprises a content rendering application.
21. A method as in claim 19, wherein the application program
comprises a digital rights management program, the digital rights
management program being operable to manage the use of the piece of
electronic content in accordance with one or more rules with which
the piece of electronic content is associated.
22. A method as in claim 19, wherein performing the authorization
check includes examining one or more digital certificates
associated with the application program, the one or more digital
certificates specifying, at least in part, the nature of the
application program's authorization to access electronic
content.
23. A method as in claim 22, wherein one or more of the digital
certificates is operable to expire at a predefined time, and
wherein the application program's authorization to access
electronic content expires when said one or more digital
certificates expire.
24. A method as in claim 23, wherein the governance engine is
operable to receive one or more new digital certificates to replace
one or more expired digital certificates, and wherein the
application program's authorization to access electronic content is
renewed when said one or more new digital certificates are received
by the governance engine.
25. A method as in claim 19, wherein performing the integrity check
includes generating a cryptographic hash of at least part of the
application program, and comparing the generated cryptographic hash
to a previously generated cryptographic hash.
26. A method of controlling access to electronic content, the
method comprising: receiving, at a conformance library running on a
computer system, a request from a governed application running on
the computer system to access a piece of electronic content,
wherein the conformance library implements one or more interfaces
that the governed application calls to access the electronic
content, and wherein the request to access the piece of electronic
content comprises at least a first call to at least a first
interface of said one or more interfaces that the conformance
library implements; connecting to a supervisory application, the
supervisory application being operable to check a credential
associated with the governed application, the supervisory
application being further operable to disable access to the piece
of electronic content by the governed application if the credential
check fails; and enabling access to the piece of electronic content
by the governed application after completion of a successful
credential check, wherein said enabling step includes making at
least a second call to at least a second interface, and wherein the
second interface comprises a file input/output interface of the
computer system that corresponds to said first interface
implemented by the conformance library.
27. The method of claim 26, further comprising invoking the
supervisory application prior to the step of connecting to the
supervisory application.
28. The method of claim 26, wherein the credential check comprises
an integrity check on the governed application, the integrity check
being operable to (a) detect improper modifications to at least
part of the governed application and (b) deny access to the piece
of electronic content if an improper modification is detected.
29. The method of claim 26, wherein the supervisory application is
further operable to perform an authorization check, the
authorization check being operable to (a) determine if the governed
application is authorized to access the piece of electronic content
and (b) deny access to the piece of electronic content if
authorization is not detected.
30. A computer-readable storage medium storing instructions that,
when executed by a computer, cause the computer to perform steps
comprising: receiving a request from a governed application running
on the computer to access a piece of electronic content, wherein
the request to access the piece of electronic content comprises at
least a first call to at least a first interface; connecting to a
supervisory application running on the computer, the supervisory
application being operable to check a credential associated with
the governed application, the supervisory application being further
operable to disable access to the piece of electronic content by
the governed application if the credential check fails; and
enabling access to the piece of electronic content by the governed
application upon completion of a successful credential check,
wherein said enabling includes making at least a second call to at
least a second interface, and wherein the second interface
comprises a file input/output interface of the computer that
corresponds to said first interface.
31. The medium of claim 30, further comprising instructions that,
when executed by the computer, cause the computer to invoke the
supervisory application prior to connecting to the supervisory
application.
32. The medium of claim 30, wherein the credential check comprises
an integrity check, the integrity check being operable to (a)
detect improper modifications to at least part of the governed
application and (b) deny access to the piece of electronic content
if an improper modification is detected.
33. The medium of claim 30, further comprising instructions that,
when executed by the computer, cause the computer to perform an
authorization check, the authorization check being operable to (a)
determine if the governed application is authorized to access the
piece of electronic content, and (b) deny access to the piece of
electronic content if authorization is not detected.
Description
RELATED APPLICATIONS
[0001] This application is a continuation of application Ser. No.
09/874,744, filed on Jun. 4, 2001, and claims the benefit of
priority from U.S. Provisional Patent Application No. 60/209,454,
entitled "Systems and Methods for Governing Content Rendering,
Protection, and Management Applications," filed Jun. 4, 2000, all
of which are incorporated herein by reference.
COPYRIGHT AUTHORIZATION
[0002] A portion of the disclosure of this patent document contains
material which is subject to copyright protection. The copyright
owner has no objection to the facsimile reproduction by anyone of
the patent document or the patent disclosure, as it appears in the
Patent and Trademark Office patent file or records, but otherwise
reserves all copyright rights whatsoever.
FIELD OF THE INVENTION
[0003] The present invention relates generally to the management of
electronic content. More specifically, systems and methods are
disclosed for governing and managing content-rendering applications
and content protection and management mechanisms.
BACKGROUND OF THE INVENTION
[0004] Advances in electronic communications, storage, and
processing technology have led to an increasing demand for digital
content. Today, large quantities of information can be readily
encoded and stored on compact and easily-transportable media, and
can be conveniently accessed using high-speed connections to
networks such as the Internet, or via wireless communication
networks such as W-LAN, W-WAN, and cellular.
[0005] However, despite the demand for digital content, and the
availability of technology that enables its efficient creation and
distribution, the threat of piracy has kept the market for digital
goods from reaching its full potential, for while one of the great
advantages of digital technology is that it enables information to
be perfectly reproduced at little cost, this is also a great threat
to the rights and interests of artists, content producers,
businesses, and other copyright holders who often expend
substantial amounts of time and money to create original works. As
a result, content owners are often reluctant to distribute their
works in electronic form--or are forced to distribute their works
at inflated (or deflated) prices to account for piracy--thus
limiting the efficiency and proliferation of the market for digital
goods, both in terms of the selection of material that is available
and the means by which that material is distributed.
[0006] While increasing attention has been paid to the development
of digital rights management (DRM) mechanisms to address the
problems described above, the large number of competing--and
typically incompatible--rights management systems have created
interoperability and security problems of their own. As a result,
content owners are often reluctant to entrust their content to any
of the array of content management mechanisms and content-rendering
applications that presently exist in the marketplace.
SUMMARY OF THE INVENTION
[0007] The present invention provides systems and methods for
enabling content owners, industry organizations, and other
interested parties to supervise or govern the application programs,
devices, and rights management systems that are used to render,
protect, or otherwise access or use electronic content. It should
be appreciated that the present invention can be implemented in
numerous ways, including as a process, an apparatus, a system, a
device, a method, a computer readable medium, or a combination
thereof. Several inventive embodiments are described below.
[0008] In one embodiment a supervisory management system is
disclosed. A secure processing application acts as the supervisor
of a second application. The secure processing application is used
to access protected digital information that is stored in a secure
electronic container. The secure processing application extracts
secret information--such as an access key or a portion of an access
key--that is needed by the second application to access protected
content. Revocation of the second application's authorization to
process protected content can be accomplished by revoking access to
the secure container through the secure processing application. In
one embodiment, the second application is a digital rights
management system that is operable to manage the use of content to
which the supervisory management system has granted access. The
content may consist of encrypted content and rules that govern the
content's use. In this embodiment, the second application is
operable to ensure that the content is used in accordance with the
rules. If it is determined that the second application is not
adequately enforcing the rules, the supervisory management system
can revoke the second application's ability to access the content
and/or the second application's ability to grant access to the
content.
[0009] In another embodiment, a governance system is established by
using a first application to act as a supervisory digital rights
management system that controls a second application. The second
application is managed or controlled by linking with the first
application. The first application filters or mediates the calls
from the second application to certain native platform services.
When the second application makes calls to its native platform
prior to opening a file, the request is filtered through the first
application, which applies rules and/or credential checks to
regulate or manage the files to which the second application is
granted access.
[0010] In yet another embodiment a method is disclosed for
utilizing one digital rights management application to govern the
operation of another digital rights management application. A
control application receives a request to access electronic content
from the governed application. The control application also
receives a keyshare from the governed application. The control
application requests another keyshare from the governing digital
rights management application. If certain conditions are satisfied,
the governing application supplies its keyshare to the control
application. The control application uses the two keyshares to
retrieve information that is needed by the governed application to
access the requested content. The control application retrieves the
protected content and provides it to the governed application (or
provides the information needed by the governed application to
access the protected content).
[0011] In another illustrative embodiment, a system for controlling
access to electronic content is described. The system includes a
first application program that is configured to request access to
protected electronic content. The first application manages the
electronic content in accordance with rules that are associated
therewith. In addition, a second application program is provided
for releasing the protected electronic content to the first
application program in response to the first application's request.
The second application is capable of receiving information from a
third party or external source that indicates whether or not the
second application should grant access to the protected electronic
content to the first application.
[0012] In another embodiment, a method is described for controlling
an application's access to electronic content. When the application
attempts to retrieve electronic content by invoking standard file
system calls, these calls are routed to a special conformance
library which invokes a governance engine. The governance engine is
designed to perform integrity checks on the application program to
detect improper modifications. If the application program has been
improperly modified, the governance engine will deny access to the
content by blocking the file system calls. Furthermore, the
conformance library will also determine if the application program
has received affirmative authorization to access electronic
content. If no authorization is detected, then the application
program will be denied access to the electronic content. Otherwise,
the application is allowed to access the electronic content.
[0013] These and other features and advantages of the present
invention will be presented in more detail in the following
detailed description and the accompanying figures which illustrate
by way of example the principles of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
[0014] The present invention will be readily understood by the
following detailed description in conjunction with the accompanying
drawings, wherein like reference numerals designate like structural
elements, and in which:
[0015] FIG. 1 illustrates a system for governing the operation of
other digital rights management systems using a supervisory digital
rights management system.
[0016] FIG. 2 illustrates the use of a secure processing
application to manage a second digital rights management
application.
[0017] FIG. 3A illustrates a conventional mechanism for accessing
electronic content.
[0018] FIG. 3B illustrates a system for governing a content
rendering and/or management application in accordance with an
embodiment of the present invention.
[0019] FIG. 3C illustrates a system for governing a content
rendering and/or management application in accordance with another
embodiment of the present invention.
[0020] FIG. 4 illustrates a method for governing content rendering
applications and digital rights management systems.
DETAILED DESCRIPTION
[0021] A detailed description of the invention is provided below.
While the invention is described in conjunction with several
embodiments, it should be understood that the invention is not
limited to any one embodiment. Instead, the scope of the invention
is defined only by the appended claims, and encompasses numerous
alternatives, modifications, and equivalents. While numerous
specific details are set forth in the following description in
order to provide a thorough understanding of the present invention,
the present invention may be practiced without some or all of these
details. Moreover, for the purpose of clarity, certain technical
material that is known in the art related to the invention has not
been described in detail in order to avoid unnecessarily obscuring
the present invention. For example, reference will be made to a
number of terms and concepts that are well-known in the field of
cryptography. Background information on cryptography can be found,
for example, in Menezes et al., Handbook of Applied Cryptography
(CRC Press 1996) ("Menezes"), and Schneier, Applied Cryptography, 2d
ed. (John Wiley & Sons 1995).
Governance Via a Secure Processing Application
[0022] In one embodiment a secure processing application (e.g., a
supervisory digital rights management system) is provided to govern
the operation of a second application. The second application may
include other digital rights management systems or other
applications. For example, the second application might comprise a
music player, video streaming application, text reader, or the
like. The supervisory DRM system has the ability to revoke the
second application's ability to access information that the second
application needs in order to grant access to content. The content
may be deployed in a globally interoperable fashion or in a
non-interoperable fashion.
[0023] Referring to FIG. 1, a secure processing application 100 is
installed on a PC client, computing device, and/or commerce service
101. As described in more detail below, the secure processing
application 100 acts as the supervisor of a second application 103
which may also be installed on system 101. Alternatively,
application 100 may be installed on a computer system that is
remote from the system on which application 103 is installed.
[0024] As shown in FIG. 1, secure processing application 100
preferably includes (or is able to establish) a protected
processing environment 110 and a protected database 104. The secure
processing application 100 is preferably able to process protected
data (e.g., cryptographic keys 130) and to enforce rules or
controls (e.g., control 105) that are associated with the
content.
[0025] In one embodiment, secure processing application 100
comprises an instance of the InterRights Point™ software or the
Rights/System™ software produced by InterTrust Technologies
Corporation of 4750 Patrick Henry Drive, Santa Clara, Calif.,
although one of ordinary skill in the art will recognize that other
suitable secure processing applications and/or digital rights
management applications could be used instead. For example, without
limitation, secure processing application 100 could comprise
software and/or hardware that implements some or all of the virtual
distribution environment functionality and features described in
commonly-assigned U.S. Pat. No. 5,892,900, entitled "Systems and
Methods for Secure Transaction Management and Electronic Rights
Protection," issued Apr. 6, 1999 ("the '900 patent"), which is
hereby incorporated by reference in its entirety. In one
embodiment, secure processing application 100 is a relatively small
footprint piece of software and/or hardware that is operable to
perform the key management and revocation functionality set forth
herein, but little if anything else. In a preferred embodiment,
secure processing application 100 is constructed using security and
tamper resistance techniques such as those described in the '900
patent to ensure that it functions in a relatively secure and
reliable fashion.
[0026] As shown in FIG. 1, secure processing application 100 is
used to access protected digital information 130 that is stored in
a secure electronic container 106 and/or in protected database 104.
The secure electronic container can take any suitable form. For
example, secure electronic container 106 might comprise a
DigiBox® or DigiFile™ container produced by InterTrust
Technologies Corporation, or might simply consist of an encrypted
version of the protected digital information. In other embodiments,
other secure container formats--such as those described in the '900
patent or available commercially--could be used. Similarly,
protected database 104 may also be implemented in any suitable
manner, including without limitation as described in the '900
patent and/or commonly-assigned U.S. patent application Ser. No.
09/617,148, entitled "Trusted Storage Systems and Methods", filed
Jul. 17, 2000, which is hereby incorporated by reference.
[0027] As shown in FIG. 1, in response to a request 112 from
application 103 to access content 108, secure processing
application 100 extracts secret information--such as access key
130--from secure container 106 (e.g., by decrypting the relevant
portion of secure container 106) and/or protected database 104, and
forwards this information (or information derived from, controlled
by, or otherwise related to this information) to application 103.
This secret information is needed by application 103 to access
protected content 108 and to render or make available plaintext
content 109. Alternatively, secure processing application 100 may
itself decrypt protected content 108, thus obviating the need to
forward application 103 the information 130 needed to access the
content. In either case, revocation of application 103's
authorization to process protected content 108 can be effectuated
simply by revoking application 103's access to, or use of, the
secret information 130 controlled by secure processing application
100. For example, a control 105 could be delivered to secure
application 100 that indicates that application 103 is not to be
granted access (or certain types of access) to the secret
information contained in secure container 106 or in protected
database 104. Similarly, another control could be delivered to
indicate that access to the secret information should be restored.
Additional information on exemplary implementations of controls
such as these can be found in the '900 patent, which was previously
incorporated by reference.
[0028] In some embodiments, the operation and security of some
portion of application 103 may be tested (e.g., before deployment)
to ensure compliance with operational and security requirements of
the content owner and/or system administrator. For example, the
content owner or system administrator can establish the necessary
criteria or minimal requirements that application 103 must satisfy
in order to render or process protected content 108. If it is
subsequently discovered that application 103 is no longer meeting
these requirements, then application 103's ability to access and/or
manage content can be revoked, e.g., in the manner described
above.
[0029] FIG. 2 illustrates an embodiment of a system related to the
one shown in FIG. 1. As in FIG. 1, application 103 may comprise a
DRM system or content rendering application that seeks to manage or
render protected content 108. As shown in FIG. 2, a control
application 120 is communicatively coupled to both application 100
and application 103. Control application 120 may, for example, be
created or supplied by a trusted third party (e.g., a party other
than the providers of application 100 and application 103), or may
be provided by the provider of secure processing application 100.
Control application 120 controls access to database 107, which may
be provided by the same party that provided the control application
120, or by a different party, and may, like control application
120, be located on the same system as application 100 and/or
application 103, or on a different system.
[0030] As shown in FIG. 2, application 103 provides keyshare and/or
other identification information 140 to control application 120.
This information 140 is used by application 120 to obtain access to
information stored in a database 107. A keyshare may, for example,
simply comprise a portion of a decryption key. Control application
120 is also supplied with a keyshare 134 (or an entire key) by
secure processing application 100. As shown in FIG. 2, application
100 may have retrieved keyshare (or key) 134 from a secure
container 132 and may have used a control 105 stored in its
protected database 104 to decide whether to supply keyshare 134 to
control application 120. The use of controls to govern the use of
content is described in more detail in the '900 patent, which was
previously incorporated herein by reference. Control application
120 uses keyshares 134 and 140--and possibly other keyshares
maintained by control application 120 or obtained from other
sources--to retrieve information 142 (such as a decryption key)
needed to provide access to content 108. Control application 120
supplies this information to DRM application 103, which uses it to
access protected content 108. Having obtained access to content
108, DRM application 103 governs it in accordance with any rules
with which it is associated, and, if appropriate, may provide
plaintext content 109 to a user or rendering application. In some
embodiments, control application 120 may be operable to decrypt
protected content 108 itself, thus avoiding the need to send the
information needed to decrypt (or otherwise gain access to)
protected content 108 to application 100 or application 103.
[0031] The systems described above allow different DRM systems and
applications to operate fairly independently (with respect to other
key management techniques that may be available for protecting
content), while also leveraging the hardware and/or software
security features of the secure processing application 100. As
noted above, the access key can be split between the secure
processing application 100 and the DRM application 103, so that if
application 103 has superior software and/or hardware security
capabilities to that of application 100, the protection offered by
DRM application 103 would not be compromised if the security of
application 100 was compromised. As discussed above, shares of keys
could be split among applications, portable devices, local content
management modules, and secure containers. For example, secure
container 132 could hold a share of a key necessary for the
application 103 to establish a secure channel with a portable
device, a share of a key used in the IEEE 1394 protocol, and so
forth.
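The keyshare flow of FIG. 2 described in [0027], [0030] and [0031], as an added Python example; this is a constructed illustration, not InterTrust's code. It assumes XOR secret splitting (so that, as [0031] requires, one share alone reveals nothing about key 142) and a toy encrypt-then-MAC container built from SHA-256 and HMAC in place of the real secure container format; the application id, share values and content bytes are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for protected content 108 (not real content).
CONTENT_108 = b"constructed sample content 108"


def split_key(key_142: bytes) -> tuple[bytes, bytes]:
    """Split access key 142 into keyshare 134 (held by secure processing
    application 100) and keyshare 140 (held by governed application 103).
    Each share alone is uniformly random, so a compromise of one holder
    reveals nothing about key 142 (the property described in [0031])."""
    share_134 = os.urandom(len(key_142))
    share_140 = bytes(k ^ s for k, s in zip(key_142, share_134))
    return share_134, share_140


def combine_shares(share_134: bytes, share_140: bytes) -> bytes:
    """Rebuild key 142 from both keyshares (done by control application 120)."""
    if len(share_134) != len(share_140):
        raise ValueError("keyshare length mismatch")
    return bytes(a ^ b for a, b in zip(share_134, share_140))


def _keystream(key: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream; stands in for the container cipher."""
    blocks = [hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def package_content(key_142: bytes, plaintext: bytes) -> dict:
    """Produce protected content 108: encrypt-then-MAC under key 142."""
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key_142, len(plaintext))))
    tag = hmac.new(key_142, ciphertext, "sha256").digest()
    return {"ciphertext": ciphertext, "tag": tag}


def unpackage_content(key_142: bytes, container: dict) -> Optional[bytes]:
    """Return plaintext 109, or None when the key does not authenticate the container."""
    expected = hmac.new(key_142, container["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, container["tag"]):
        return None
    ciphertext = container["ciphertext"]
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key_142, len(ciphertext))))


class SecureProcessingApplication:
    """Application 100: holds keyshare 134 and enforces controls 105."""

    def __init__(self, share_134: bytes) -> None:
        self._share_134 = share_134
        self._revoked: set[str] = set()

    def apply_control(self, app_id: str, grant_access: bool) -> None:
        """Control 105: revoke, or later restore, a governed application's access."""
        if grant_access:
            self._revoked.discard(app_id)
        else:
            self._revoked.add(app_id)

    def release_keyshare(self, app_id: str) -> Optional[bytes]:
        """Supply keyshare 134 to the control application unless revoked."""
        return None if app_id in self._revoked else self._share_134


class ControlApplication:
    """Application 120: mediates between application 100 and application 103."""

    def __init__(self, app_100: SecureProcessingApplication) -> None:
        self._app_100 = app_100

    def access_content(self, app_id: str, share_140: bytes,
                       container: dict) -> Optional[bytes]:
        """Combine keyshare 140 (from 103) with keyshare 134 (from 100) to
        recover key 142, then open content 108 on behalf of application 103."""
        share_134 = self._app_100.release_keyshare(app_id)
        if share_134 is None:  # access revoked by a control 105
            return None
        return unpackage_content(combine_shares(share_134, share_140), container)


def scenario() -> dict:
    """Grant, revoke, then restore access for governed application 103."""
    key_142 = os.urandom(32)
    container = package_content(key_142, CONTENT_108)
    share_134, share_140 = split_key(key_142)
    app_100 = SecureProcessingApplication(share_134)
    app_120 = ControlApplication(app_100)
    results = {"granted": app_120.access_content("app103", share_140, container)}
    app_100.apply_control("app103", grant_access=False)
    results["revoked"] = app_120.access_content("app103", share_140, container)
    app_100.apply_control("app103", grant_access=True)
    results["restored"] = app_120.access_content("app103", share_140, container)
    # A party holding only keyshare 140 cannot authenticate or open the container.
    results["single_share"] = unpackage_content(share_140, container)
    return results


if __name__ == "__main__":
    print(scenario())
```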
[0032] In addition, in some embodiments control application 120 can
effectively serve as a mediator between two or more digital rights
management systems (e.g., application 100 and 103), giving any
digital rights management system the ability to supervise or
control the operation of the others. Referring to FIG. 2, for
example, certain content owners or distributors may want the
ability to revoke access to content 108 using either digital rights
management system 100 or 103, thus obtaining some level of
redundant protection in case either one of the rights management
systems is cracked. This could be accomplished using the
arrangement shown in FIG. 2, where either one of the rights
management system's ability to access protected content 108 and/or
the information contained in trusted database 107 could be
controlled by sending appropriate commands or controls to the other
rights management system. Thus, as shown in FIG. 2, protected
content 108 could be packaged in the encoding format used by DRM
application 103, thus giving DRM system 103 the ability to manage
the distribution and use of the content; however, this encoded
content would itself be protected (e.g., further encrypted) such
that DRM application 100 would be able to supervise the operation
of application 103 and revoke access to content 108 if desired.
Similarly, other pieces of content could be packaged in the
encoding format used by DRM application 100, thus giving DRM
application 100 the ability to manage the distribution and use of
the content; however, this encoded content could itself be
protected such that DRM application 103 would be able to supervise
the operation of application 100, and revoke access to the content
if desired. Moreover, if either DRM system was compromised, the
content owner could, if desired, prevent further access to the
content simply by sending an appropriate control to the DRM system
that had not been compromised.
[0033] In some embodiments, key distribution and revocation schemes
such as those described in Naor et al. and the CPRM standard can be
used to provide control over local DRM systems or devices. See Naor
et al., "Revocation and Tracing Schemes for Stateless Receivers,"
available at http://citeseer.nj.nec.com/420701.html (February
2001). In such embodiments, sets of keys (or keyshares) are
distributed to local DRM systems or devices (or classes of local
DRM systems or devices), and, as described above, those keys are
used to access information needed by the local DRM system or device
to access content or to perform certain functions. These keys can
be revoked and/or updated using the mechanisms described in Naor et
al. and the CPRM standard, thus providing a way to
control/supervise the operation of the local DRM system or device.
For example, if a finite geometry key distribution mechanism is
used, and each device or application is given a series (or
distinguished subset) of keys, revocation can be accomplished by
removing a series of keys from the key geometry.
[0034] An advantage of such an implementation is that a local DRM
system (such as application 103 in FIGS. 1 and 2) can be controlled
without the necessity of also installing a secure processing
application such as application 100 on the local system, and/or
without having to interactively communicate with such an
application 100 after application 103 has been deployed. A
disadvantage of such a technique is that it can be relatively
difficult to implement an efficient revocation mechanism,
especially one that enables revocation of previously-packaged
content.
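The revocation mechanism sketched in paragraph [0033], worked through as an added example rather than code from the application: the complete-subtree method of Naor et al. (the paper cited above), where each device holds the keys on its leaf-to-root path and the content key is wrapped only under subtrees that contain no revoked device. Assumed for illustration: the heap-indexed tree layout, the seed-derived node keys, and the SHA-256 keystream standing in for a real key-wrap primitive.

```python
import hashlib
import os

# Added example, not InterTrust's code: complete-subtree revocation (Naor, Naor,
# Lotspiech). Devices are leaves of a binary tree; each is provisioned with the
# keys on its path to the root. To revoke devices, the packager wraps the content
# key under a cover of subtrees holding no revoked leaf, so a revoked device finds
# none of its keys in the header. No message to the revoked device is required.
# Assumption: key wrapping is XOR with a SHA-256 keystream derived from the node
# key and a fresh per-header nonce (content keys up to 32 bytes). A deployment
# would use AES key wrap instead.

class CompleteSubtree:
    def __init__(self, depth: int, seed: bytes):
        self.n = 1 << depth                              # number of devices (leaves)
        # Heap indexing: root is 1, children of i are 2i and 2i+1, leaves are n..2n-1.
        self.node_keys = {i: hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                          for i in range(1, 2 * self.n)}

    def device_keys(self, device: int) -> dict:
        """Keys given to one device: every node on the path from its leaf to the root."""
        keys, node = {}, self.n + device
        while node >= 1:
            keys[node] = self.node_keys[node]
            node //= 2
        return keys

    def cover(self, revoked) -> list:
        """Roots of the maximal subtrees that contain no revoked leaf."""
        marked = set()                                   # Steiner tree of revoked leaves
        for device in revoked:
            node = self.n + device
            while node >= 1:
                marked.add(node)
                node //= 2
        cover = []

        def visit(node):
            if node not in marked:
                cover.append(node)                       # clean subtree: one wrap covers it
            elif node < self.n:                          # marked internal node: split further
                visit(2 * node)
                visit(2 * node + 1)
        visit(1)
        return cover

    def encrypt_content_key(self, content_key: bytes, revoked) -> dict:
        """Header attached to packaged content for the current revocation list."""
        nonce = os.urandom(16)
        return {"nonce": nonce,
                "wraps": [(node, _xor(content_key, _keystream(self.node_keys[node], nonce)))
                          for node in self.cover(revoked)]}

def _keystream(key: bytes, nonce: bytes) -> bytes:
    return hashlib.sha256(key + nonce).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def device_unwrap(device_keys: dict, header: dict):
    """A non-revoked device owns exactly one cover node; a revoked device owns none."""
    for node, blob in header["wraps"]:
        if node in device_keys:
            return _xor(blob, _keystream(device_keys[node], header["nonce"]))
    return None
```

Revoking devices 2 and 5 of 8 yields the cover {4, 11, 12, 7}: three wraps serve the six remaining devices, while the revoked ones hold no key that appears in the header.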
Governance Via a Conformance Library and Credentials
[0035] In another embodiment, an application running on a host
computer system is governed by linking it to (or incorporating it
with) a special conformance library. The conformance library
filters or mediates certain requests from the governed application
to the host computer system's native platform services (e.g., file
input/output and the like). The conformance library invokes a
supervisory application that determines whether the governed
application has been improperly modified and whether it is
authorized to perform the requested action. If the supervisory
application determines that the governed application has not been
improperly modified and is authorized to perform the requested
action, then the governed application's request is forwarded to the
appropriate host system service, which fulfills the request just as
it would had the supervisory application not first intercepted it.
Several illustrative embodiments of the foregoing process are
described below in connection with FIGS. 3A, 3B, and 3C.
[0036] FIG. 3A illustrates the conventional manner by which an
application 302 accesses electronic content 304 on a host computer
system. Application 302 may, for example, comprise a digital rights
management application, content viewer, or any other type of
application that assists or contributes to the use, rendering,
distribution, or management of digital information. As shown in
FIG. 3A, when application 302 wishes to access content 304, it
typically makes a call, via an application programming interface
(API) 306, to a library of functions and procedures provided by the
host system for performing the detailed, low-level operations
involved in retrieving the electronic content from the host
system's storage and providing it to the requesting
application.
[0037] FIG. 3B shows how the conventional system of FIG. 3A can be
modified to provide governance over the operation of an application
320. As shown in FIG. 3B, when application 320 wishes to access a
piece of electronic content 304, it makes a call to a modified
version of the host system's file input/output API 312. Calls to
the modified API are handled by conformance library 314, which is
operable to route these calls to a governance engine (also referred
to as a supervisory application) 316 which determines whether the
application's access request should be granted or denied. If
supervisory application 316 determines that the request should be
granted, it routes the request to the host system's file I/O
library 308 via the host system's API 306. The host system then
performs the necessary operations to retrieve the electronic
content 304 for application 320.
[0038] It will be appreciated that an application 302 that was
initially designed to operate in the manner shown in FIG. 3A need
not undergo substantial modification to operate in the manner shown
in FIG. 3B. For example, application 302 can simply be modified to
indicate that calls to the host system's file I/O library 308
should be handled, instead, by conformance library 314. This would
typically involve a few relatively minor changes to the
application's header files, and not to the body of the application
(e.g., the actual form of the calls would remain unchanged, the
only change being to the identification of the library that handles
those calls). Thus, in such an embodiment, modified file I/O API
312 would be virtually identical in form to the host system's file
I/O API 306. Alternatively, each occurrence in the application of
certain file I/O calls could be modified to refer directly to a
corresponding function in the conformance library 314, although
these modified calls would preferably be similar in form to the
original file I/O calls (i.e., the modified file I/O API 312 would
preferably be similar to the host system's API 306). Thus, in a
preferred embodiment the application developer can integrate the
supervisory application with the governed application quite easily,
with little or no modification to the governed application, thus
limiting the likelihood that bugs will be introduced into the
application, or that call-paths through the governed application
will be missed and governance compromised. In addition, the
conformance library will typically be easy to test since it is
preferably API-compatible with the standard platform interfaces.
Application 320 need not be integrated in any other capacity with
the system of governance engine 316.
[0039] FIG. 3C illustrates another embodiment of a system for
governing an application in accordance with the present invention.
Referring to FIG. 3C, a governance application 360 is linked via a
conformance library 351 to a governed application 352. The
conformance library 351 implements interfaces that the
governed application 352 must call, thereby governing the file I/O
calls (e.g., file system calls, the ability to load other code
dynamically, other system calls such as Kernel32 or Win32 API
calls, and the like) from the governed application 352. The
conformance library 351 effectively looks like a replacement set of
file system I/O calls, and possibly a small set of additional calls
(for example, GetProcAddress and LoadLibrary on Windows).
[0040] A mediator/shim 354 re-implements the actual file I/O calls
through a filter 355 where the governed calls are controlled by the
conformance library 351. The governance system effectively enforces
the requirement that the file I/O call go through the conformance
library 351 first. The mediator/shim 354 of the conformance library
351 may incorporate additional logic which, e.g., (a) allows it to
verify or validate that a legitimate authorization
certificate/conformance certificate has been given by the content
owner, and (b) to force a credential check on the application 352
to ensure that it and/or the conformance library 351 have not been
modified.
[0041] In a preferred embodiment, the conformance library 351 makes
calls to governance engine 360. Governance engine 360 may, for
example, be in the form of a commercial digital rights management
application, such as InterTrust's InterRights Point software or
Rights/System software. Governance engine 360 may be installed on
the same computer system as application 352, or may reside
elsewhere, such as on a remote server.
[0042] The governance engine 360 checks the credential(s) 361
associated with the application 352 and/or the conformance library
351. For example, if the credential 361 comprises a
digitally-signed cryptographic hash or checksum, the governance
engine 360 preferably verifies the authenticity of the digital
signature, then computes the corresponding hash or checksum on the
appropriate portions of the governed application 352 and/or
conformance library 351 to determine whether the governed
application and/or library have been modified. If a strong, one-way
hashing algorithm such as SHA-1 is used to generate a hash of the
application and/or conformance library (or selected portions
thereof), then it will be computationally infeasible to modify the
hashed portions without detection by the governance engine (i.e.,
the hash computed by the governance engine of the modified
application will not be the same as the hash contained in the
credential).
[0043] If the governance engine 360 determines that the application
has not been modified, then the governance engine 360 checks the
certificate 362 associated with the application to determine
whether the application is authorized to perform the action that it
is seeking to perform. In one embodiment, the application's
certificate 362 forms part of credential 361. In other embodiments,
the certificate may be maintained independently by governance
engine 360, the association between the certificate and application
352 being accomplished via credential 361 (e.g., the cryptographic
hash or checksum of the application serving to identify the
application to the governance engine as the possessor of the
authorizations specified in the certificate (which might also
contain the hash or checksum)).
[0044] The certificate 362 serves as a cross-reference to ensure
that the application 352 is authorized by the content owner as a
certified or compliant application in conformance with desired
characteristics. It is intended that the content owner will be
provided with, or have access to, sufficient tools for generating
"authorization certificates" for applications 352 that implement
the conformance library 351. The content owner may be responsible
for establishing the appropriate criteria for the issuance of the
certificates (and for checking for compliance therewith). In this
regard, it will be appreciated that any suitable technique can be
used to generate and utilize the conformance credentials and
certificates, including without limitation the credentialing
techniques described in the '900 patent, Menezes at pages 321-481,
U.S. Pat. No. 6,157,721, entitled "Systems and Methods Using
Cryptography to Protect Secure Computing Environments," issued Dec.
5, 2000 ("the '721 patent"), U.S. patent application Ser. No.
09/628,692, entitled "Systems and Methods for Using Cryptography to
Protect Secure and Insecure Computing Environments," filed Jul. 28,
2000, U.S. Patent Application No. 60/210,479, entitled "Rights
Management Systems and Methods," filed Jun. 9, 2000, U.S. patent
application Ser. No. 09/863,199, entitled "Trust Management Systems
and Methods," filed May 21, 2001, each of which is hereby
incorporated by reference in its entirety, and U.S. patent
application Ser. No. 09/879,743, entitled "Rights Management
Systems and Methods," filed Jun. 11, 2001, which claims benefit to
Provisional Application No. 60/210,479, filed Jun. 9, 2000.
[0045] In one embodiment, after the application vendor has
implemented the library 351 and received a certificate 362, it
presents the application and certificate to the third-party
governance service identified by the content owner. The third-party
governance service generates a credential 361 which wraps the
certificate so that it cannot be tampered with (e.g., using a
one-way cryptographic hash); the credential is strongly
authenticated and bound to the application. The vendor receives
everything back along with the credential. The application vendor
distributes its product in the normal manner. In this embodiment,
updates to the application may require re-credentialing.
Applications that use the library need not ship the governance
engine, but once enabled with the library, will only be able to
execute content-owner-controlled functions in the presence of the
governance engine.
[0046] FIG. 4 illustrates a method for governing content rendering
applications and digital rights management systems using the system
shown in FIG. 3C. As shown in FIGS. 3C and 4, when a content
rendering application or digital rights management system 352
starts, it makes a call to initialize a conformance library 351
(401). Conformance library 351 opens a connection with a governance
engine 360 (402) and forces a credential check (403). If credential
361 is bad (i.e., a "No" exit from block 404), the conformance
library returns an initialization failure (405) that disables the
application and returns a system error. Alternatively, other
failure modes could be used, including, for example, continuing
operation but providing the user with a means of obtaining a new
credential.
[0047] Referring back to FIG. 4, if credential 361 is good (i.e., a
"Yes" exit from block 404), application 352 checks certificate 362
to determine whether the application is authorized by the content
owner to access content (406). If authorization is detected (i.e.,
a "Yes" exit from block 407), the conformance library 351 will pass
subsequent API calls through to the host system's file I/O API, and
the application 352 will run normally (408). If authorization is
not detected (i.e., a "No" exit from block 407), the application's
calls will not be passed through to the file system, and the
application will thus be unable to perform the governed
operations.
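The credential and certificate checks of paragraphs [0042]-[0043] and the FIG. 4 start-up flow of paragraphs [0046]-[0047], modelled as an added example that is not code from the application or from InterTrust. Assumed for illustration: the governance service's digital signature over the credential is stood in for by an HMAC-SHA256 under a key shared with the governance engine, the application hash uses SHA-256 rather than the SHA-1 named in [0042], and a dictionary stands in for the host file I/O library 308; all sample data is constructed.

```python
import hashlib
import hmac
import json

# Added example (not the patent's code). A credential (361) binds a hash of the
# governed application to the content owner's authorization certificate (362);
# the conformance library (351) forwards governed file I/O only after the
# governance engine (360) accepts the credential and the certificate permits
# the operation. Assumption: the governance service's signature is replaced by
# HMAC-SHA256 under a key it shares with the engine.

def _canonical(app_hash: str, certificate: dict) -> bytes:
    return json.dumps({"app_hash": app_hash, "cert": certificate}, sort_keys=True).encode()

def issue_credential(service_key: bytes, app_bytes: bytes, certificate: dict) -> dict:
    """Third-party governance service ([0045]): wrap the certificate with the app hash."""
    app_hash = hashlib.sha256(app_bytes).hexdigest()
    tag = hmac.new(service_key, _canonical(app_hash, certificate), "sha256").hexdigest()
    return {"app_hash": app_hash, "cert": certificate, "tag": tag}

class GovernanceEngine:
    def __init__(self, service_key: bytes):
        self.service_key = service_key

    def check_credential(self, app_bytes: bytes, cred: dict) -> bool:
        """[0042]: authenticate the credential first, then recompute the application hash."""
        expected = hmac.new(self.service_key, _canonical(cred["app_hash"], cred["cert"]),
                            "sha256").hexdigest()
        if not hmac.compare_digest(expected, cred["tag"]):
            return False                      # forged credential or certificate edited after issue
        return hmac.compare_digest(hashlib.sha256(app_bytes).hexdigest(), cred["app_hash"])

class ConformanceLibrary:
    """Replacement file I/O API (312); host_read stands in for the host's file I/O library (308)."""
    def __init__(self, engine: GovernanceEngine, host_read):
        self.engine, self.host_read, self.allowed = engine, host_read, frozenset()

    def initialize(self, app_bytes: bytes, cred: dict) -> bool:
        """FIG. 4 blocks 401-407: credential check, then certificate check."""
        if not self.engine.check_credential(app_bytes, cred):
            return False                                       # 405: initialization failure
        self.allowed = frozenset(cred["cert"].get("operations", []))   # 406/407
        return True

    def read_file(self, path: str):
        """Governed call (408): forwarded to the host only if the certificate authorizes it;
        a denied call returns None, mirroring a failed host open rather than raising."""
        if "read" not in self.allowed:
            return None
        return self.host_read(path)

# Constructed sample data: no real keys, binaries, certificates or content.
SERVICE_KEY = b"constructed-governance-service-key"
APP_BYTES = b"constructed governed application image v1"
CERTIFICATE = {"issuer": "content-owner", "operations": ["read"]}
HOST_FS = {"album/track01.mp3": b"constructed protected content"}
```

A patched binary, an edited certificate, and a certificate that grants no read authority each fail at a different point of the flow, which is the separation between "is this the certified application" and "what may it do" that paragraph [0050] describes.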
[0048] It will be appreciated that a number of variations can be
made to the process shown in FIG. 4 without departing from the
principles of the present invention. For example, while FIG. 4
shows a process for determining once, when an application is
initiated, whether the application is authentic and is authorized
to perform certain actions, it should be appreciated that
alternatively, or in addition, the application's integrity and/or
authorization could be checked by the supervisory application each
time the application seeks to perform one of the governed
operations, or at predefined intervals.
[0049] In a preferred embodiment, the conformance library 351
requires governance to be effected by an enforceable set of
interactions with the governance engine 360 using the application
credentialing mechanism. However, unless the provider of the
governance engine 360 certifies the application 352, the credential
361 imposes no other control over the operation of the application
352 (and the application developer need not learn anything more
about the governance engine provider's system). An application that
incorporates this mechanism may pick up some additional runtime
characteristics, such as runtime anti-debugging, tamper resistance,
and/or the like.
[0050] In one embodiment, the actual determination of whether a
governed application has the right to render or use digital
information is made by functions implemented by the conformance
library that validate the content owner's certificate. However, the
governance interaction of establishing a valid session with the
governance engine and checking the credential is first performed in
order to determine whether the conformance library should be
allowed to access the certificate at all. If the credential is
valid, the conformance library is allowed to retrieve the
certificate, and if the certificate is valid, the conformance
library allows the governed calls (e.g., file I/O calls) to proceed
in the normal manner. The conformance library 351 thus implements
logic that: (a) checks for a credential issued by the content owner
or some other entity, and (b) implements non-subvertible linkage
and calls to the underlying governance engine. Thus, in this
embodiment, the provider of the governance engine effectively
enables the management of the governed application, but the
policies and rules that affect whether or not the application can
actually render content or perform other controlled operations are
established by authentication of the content owner's certificate.
Thus, content owners can establish a third-party governance engine
that enables strong enforcement of the content owners' policies
without imposing additional policies of the third-party provider of
the governance engine. Revocation can also be handled by using
expiring credentials and/or certificates, and forcing updates on a
predefined, periodic basis--for example, quarterly, yearly, daily,
or on a different time period or basis.
[0051] As indicated previously, in other embodiments the
application's certificate (or additional certificates associated
therewith) may be maintained and enforced by the governance engine
itself, rather than the conformance library. This allows the
content owner (and/or the provider of the governance engine) to
dynamically revoke the certificates simply by sending appropriate
commands to the governance engine (e.g., sending a new certificate
or control that revokes the original certificate).
[0052] Although the foregoing invention has been described in some
detail for purposes of clarity, it will be apparent that certain
changes and modifications may be practiced within the scope of the
appended claims. It should be noted that there are many alternative
ways of implementing both the processes and apparatuses of the
present invention. Accordingly, the present embodiments are to be
considered as illustrative and not restrictive, and the invention
is not to be limited to the details given herein, but may be
modified within the scope and equivalents of the appended
claims.
* * * * *