Home
Patent Search
IMT Blog
REGISTER
|
SIGN IN
United States Patent
5933498
Schneck , ; et al.
August 3, 1999
Title
System for controlling access and distribution of digital property
Abstract
A method and device are provided for controlling access to data. Portions of the data are protected and rules concerning access rights to the data are determined. Access to the protected portions of the data is prevented, other than in a non-useable form; and users are provided access to the data only in accordance with the rules as enforced by a mechanism protected by tamper detection. A method is also provided for distributing data for subsequent controlled use of those data. The method includes protecting portions of the data; preventing access to the protected portions of the data other than in a non-useable form; determining rules concerning access rights to the data; protecting the rules; and providing a package including: the protected portions of the data and the protected rules. A user is provided controlled access to the distributed data only in accordance with the rules as enforced by a mechanism protected by tamper protection. A device is provided for controlling access to data having protected data portions and rules concerning access rights to the data. The device includes means for storing the rules; and means for accessing the protected data portions only in accordance with the rules, whereby user access to the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data.
Inventors:
Schneck; Paul B.
(Potomac,
MD
)
, Abrams; Marshall D.
(Silver Spring,
MD
)
Assignee:
MRJ, Inc.
(Fairfax,
VA
)
Appl. No.:
968887
Filed:
November 5, 1997
Current U.S. Class:
705/54
Field of Search:
380/4,9,21,23,24,25,49,50,51,55
U.S. Patent Documents
3504132
March 1970
Wallace, Jr.
3764742
October 1973
Abbott et al.
3798359
March 1974
Feistel
3878331
April 1975
Morgan et al.
3906460
September 1975
Halpern
3911216
October 1975
Bartek et al.
3944976
March 1976
France
3958081
May 1976
Ehrsam et al.
3996449
December 1976
Attanasio et al.
4004089
January 1977
Richard et al.
4028678
June 1977
Moran
4037215
July 1977
Birney et al.
4074066
February 1978
Ehrsam et al.
4087856
May 1978
Attanasio
4120030
October 1978
Johnstone
4168396
September 1979
Best
4183085
January 1980
Roberts et al.
4193131
March 1980
Lennon et al.
4206315
June 1980
Matyas et al.
4238854
December 1980
Ehrsam et al.
4246638
January 1981
Thomas
4264782
April 1981
Konheim
4278837
July 1981
Best
4281215
July 1981
Atalla
4306289
December 1981
Lumley
4319079
March 1982
Best
4323921
April 1982
Guillou
4433207
February 1984
Best
4446519
May 1984
Thomas
4454594
June 1984
Heffron et al.
4458315
July 1984
Uchenick
4465901
August 1984
Best
4471163
September 1984
Donald et al.
4529870
July 1985
Chaum
4558176
December 1985
Arnold et al.
4646234
February 1987
Tolman et al.
4658093
April 1987
Hellman
4757533
July 1988
Allen et al.
4796181
January 1989
Wiedemer
4827508
May 1989
Shear
4924378
May 1990
Hershey et al.
4932054
June 1990
Chou et al.
4937863
June 1990
Robert et al.
4953209
August 1990
Ryder, Sr. et al.
4961142
October 1990
Elliott et al.
4977594
December 1990
Shear
5010571
April 1991
Katznelson
5014234
May 1991
Edwards, Jr.
5023907
June 1991
Johnson et al.
5027396
June 1991
Platteter et al.
5047928
September 1991
Wiedemer
5050213
September 1991
Shear
5058162
October 1991
Santon et al.
5058164
October 1991
Elmer et al.
5103476
April 1992
Waite et al.
5113519
May 1992
Johnson et al.
5146499
September 1992
Geffrotin
5159182
October 1992
Eisele
5191193
March 1993
LeRoux
5204897
April 1993
Wyman
5222134
June 1993
Waite et al.
5235642
August 1993
Wobber et al.
5247575
September 1993
Sprague et al.
5260999
November 1993
Wyman
5263157
November 1993
Janis
5263158
November 1993
Janis
5291596
March 1994
Mita
5301231
April 1994
Abraham et al.
5319705
June 1994
Halter et al.
5337357
August 1994
Chou et al.
5339091
August 1994
Yamazaki et al.
5345588
September 1994
Greenwood et al.
5347578
September 1994
Duxbury
5369702
November 1994
Shanton
5386469
January 1995
Yearsley et al.
5386471
January 1995
Bianco
5388156
February 1995
Blackledge, Jr. et al.
5392351
February 1995
Hasebe et al.
5394469
February 1995
Nagel et al.
5400403
March 1995
Fahn et al.
5410598
April 1995
Shear
5432849
July 1995
Johnson et al.
5438508
August 1995
Wyman
5442541
August 1995
Hube et al.
5450489
September 1995
Ostrover et al.
5473687
December 1995
Lipscomb et al.
5504814
April 1996
Miyahara
5530235
June 1996
Stefik et al.
5592549
January 1997
Nagel et al.
5594491
January 1997
Hodge et al.
5594936
January 1997
Rebec et al.
5615264
March 1997
Kazmierczak et al.
5629980
May 1997
Stefik et al.
5638443
June 1997
Stefik et al.
5646992
July 1997
Subler et al.
5673316
September 1997
Auerbach et al.
Foreign Patent Documents
0332707
Sep., 1989
EP
2236604
Apr., 1991
GB
2236604
Oct., 1991
GB
9301550
Jan., 1993
WO
9500355
Aug., 1996
SE
96/27155
Sep., 1996
WO
WO92/20022
Nov., 1992
WO
WO9220022
Nov., 1992
WO
WO93/01550
Jan., 1993
WO
Other References
Abrams, M. D. et al, "Cyptography", Information Security-An Integrated Collection of Essays, Abrams, M.D. et al eds., IEEE Computer Society Press 1995, pp. 350-384. .
Choudhury, A. K. et al, "Copyright Protection for Electronic Publishing Over Computer Networks", IEEE Network, May/Jun. 1995, pp. 12-20. .
Ciciora, W. S., "Inside the Set-Top Box", IEEE Spectrum, Apr. 1995, vol. 32, No. 4, pp. 70-75. .
Department of Defense Standard, Department of Defense Trusted Computer System Evaluation Criteria, DOD 2500.28-STD, GPO 1986-623-93, 643 0, Dec. 26, 1985. .
Graubart, R., "On the Need for a Third Form of Access Control", Proceedings of the 12.sup.th National Computer Security Conference, 1989, pp. 296-303. .
K. Brunnstein and P. P. Sint, eds., KnowRight'95, Intellectual Property Rights and New Technologies: Proceedings of the KnowRight'95 Conference, Austrian Computer. .
Low, S. H. et al, "Document Marking and Identification using both Line and Word Shifting", 1995 InfoCom Proceedings, IEEE, 1995, pp. 853-860. .
McCollum, C. J. et al, "Beyond the Pale of MAC and DAC: Defining New Forms of Access Control", Proceedings of the Symposium on Research in Security and Privacy, IEEE Computer Society Press, 1990, pp. 190-200. .
National Institute of Standards and Technology (NIST) and National Security Agency (NSA), Federal Criteria for Information Technology Security: vol. I, Protection Profile Development; vol. II, Registry of Protection Profiles, Version 1.0, Dec. 1992. .
Samuelson, P., "Copyright and Digital Libraries", Communications of the AMC, Apr. 1995, vol. 38, No. 3, pp. 15-20 & 110. .
Samuelson, P. et al, "A Manifesto Concerning the Legal Protection of Computer Programs", Columbia Law Review, vol. 94, No. 8, pp. 2308-2431. .
Sandhu, R. S. "The Typed Access Matrix Model", Proceedings of the Symposium on Research in Security and Provacy, IEEE Computer Society, 1992, pp. 122-136. .
Sandhu, R. S. et al, "Implementation Considerations for the Typed Access Matrix Model in a Distributed Environment", Proceedings of the 15th National Computer Security Conference, 1992b, pp. 221-235. .
Yee, B., "Using Secure Coprocessors", Carnegie Mellon University, School of Computer Science, CMU-CS-94-149, May 1994, (also available Defense Technical Information Center as AD-A281 255). .
Maxem Chuk, N.F., Sep. 1994, "Electronic Document Distribution," AT&T Technical Journal, pp. 73-80. .
Weber, R., "Metering Technologies For Digital Intellectual Property," A Report to the Internatinal Federation of Reproduction Rights Organization, Oct. 1994,pp. 1-29. .
Clark, P.C. and Hoffman, L.J., "Bits: A Smartcard Protected Operating System," Communications of the ACM, Nov. 1994, vol. 37, No. 11, pp. 66-70, and 94. .
Saigh, W.K., Knowledge is Sacred, Video Pocket/Page Reader Systems, Ltd., 1992. .
Kahn, R.E., "Deposit, Registration And Recordation In an Electronic Copyright Management System," Corporation for National Research Initiatives, Virginia, Aug. 1992, pp. 1-29. .
Hilts, P. Mutter, J., and Taylor, S., "Books While U Wait," Publishers Weekly, Jan. 3. 1994, pp. 48-50. .
Strattner, A., `"Cash register on a chip" may revolutionize software pricing and distribution;` Wave Systems Corp., Computer Shopper. Copyright, Apr. 1994, vol. 14;No. 4; p. 62. .
O'Conner, M.A., "New distribution option for electronic publishers; iOpener data encryption and metering system for CD-ROM use; Column," CD-ROM Professional, Copyright, Mar. 1994, vol. 7;No. 2; p. 134; ISSN:1049-0833. .
Willett, S., `"Metered PCs:Is your system watching you?"; Wave Systems beta tests new technology,` InfoWorld, Copyright, May 2, 1994, p. 84. .
Linn, R.J., "Copyright and Information Servicces in the Contest of the National Research and Education Network," IMA Intellectual Property Project Proceedings, Jan. 1994, vol. 1, Issue 1, pp. 9-20. .
Perritt, Jr., H.H., "Permissions Headers ad Contract Law," IMA Intellectual Property Project Proceedings, Jan. 1994, vol. 1, Issue 1, pp. 27-48. .
Upthegrove, L., and Roberts, R., "Intellectual Property Header Descriptors: A Dynamic Approach," IMA Intellectual Property Project Proceedings, Jan. 1994, vol. 1, Issue 1,pp. 63-66. .
Sirbu, M.A., "Internet Billing Service Design and Prototype Implementation, IMA" Intellectual Property Project Proceedings, Jan. 1994, vol. 1, Issue 1, pp. 67-80. .
Simmel, S.S., and Godard, I., "Metering and Licensing of Resources: Kala's General Purpose Approach," IMA Intellectual Property Project Proceedings, Jan. 1994, vol. 1, Issue 1, pp. 81-110. .
Kahn, R.E., "Deposit, Registration and Recordation in an Electronic Copyright Management System," IMA Intellectual property Project Proceedings, Jan. 1994, vol. 1, Issue 1, pp. 111-120. .
Tygar, J.D., and Bennet, Y., "Dyad: A System for Using Physically Secure Coprocessors," IMA Intellectual Property Project Proceedings, Jan. 1994, vol. 1, Issue 1, pp. 121-152. .
Griswold, G.N., "A Method for Protecting Copyright on Networks," IMA Intellectual Property Project Proceedings, Jan. 1994, vol. 1, Issue 1, pp. 169-178. .
Nelson, T.H., "A Publishing and Royalty Model for Networked Documents, "IMA Intellectual Property Project Proceedings, Jan. 1994, vol. 1, Issue 1, pp. 257-259. .
European Search Report for Corresponding European Application 95308420.9. .
U. Flasche et al., Decentralized Processing of Documents, Comput. & Graphics, vol. 10, No. 2, 1986, pp. 119-131. .
R. Mori et al., Superdistribution: The Concept and the Architecture, The Transactions of the IEICE, vol. E 73, No. 7, 1990, Tokyo, JP, pp. 1133-1146. .
Rosse, P.E., "Data guard", Forbes, Jun. 6, 1994, p. 101. .
Xiao-Wen Yang et al., Key distribution system for digital video signal, ICSP '96. 1996 3rd International Conference on Signal Processing Proceedings (Cat. No. 96TH8116), vol. 2 1996, pp. 847-850. .
E.A.I. Claus, Digital network for video surveillance and video distribution, Proc. SPIE--Int. Soc., Opt. Eng. vol. 2952 1996, pp. 194-204. .
R. J. Bankapur et al., Switched digital video access networks, Bell Labs Tech. J. vol. 1 No. 1 Summer 1996, pp. 66-77. .
C.A. Mandel et al., Intellectual access to digital documents:joining proven principles with new technologies, Cat. Classif. Q., vol. 22, No. 3-4 1996, pp. 25-42. .
B.J. Goldsmith et al., Digital video distribution and transmission, International Broadcasting Convention (Conf. Publ. No. 428) 1996, pp. 26-31. .
D. Van Schooneveld, Standardization of conditional access systems for digital pay television, Philips J. Res. (UK), vol. 50, No. 1-2, 1996, pp. 217-225. .
H.D. Wactlar, Intelligent access to digital video: Informedia projectComputer, vol. 29, No. 5, May 1996, pp. 46-52. .
J.E. Dail et al., Adaptive digital access protocol: A MAC protocol for multiservice broadband access networks INS, IEEE Commun. Mag. vol. 34, No. 3, Mar. 1996, pp. 104-112. .
S. Stevens et al., Informedia: improving access to digital video--Ins, Interactions, vol. 1, No. 4, Oct. 1994, pp. 67-71. .
B. Hein et al., RACE 1051: a multigigabit transport and distribution technology for provision of digital video services--INS, Proc. SPIE--Int. Soc. Opt. Eng., vol. 1974, 1993, pp. 26-33. .
Chen Ching-Chin et al., Analog, digital and multimedia: implications for information access INS, Online Information 91. 15th International Online Information Meeting Proceedings, 1991, pp. 283-292. .
Marshall Abrams, et al, Generalized Framework For Access Control, Towards Prototyping the ORGCON Policy, Oct. 1991, pp. 1-20, Proc 1991 Nat'l Computer Security Conf. .
Marshall D. Abrams, et al, Mediation and Separation in Contemporary Information Technology Systems, 1992, pp. 1-15, Proc. 1992 Nat'l Compute Security Conf. .
Marshall D. Abrams, et al, Generalized Framework for Access Control: A Formal Rule Set for The ORGCON Policy, MITRE, Apr. 1992, pp. 1-58. .
Marshall D. Abrams, Renewed Unserstanding of Access Control Policies, 1993, pp. 1-10, Proc. 16th National Computer Security Conference. .
Leonard J. LaPadula, A Rule-Set Approach to Formal Modeling of a Trusted Computer System, Computing Systems Journal, Winter 1994, vol. 7, No. 1, pp. 113-167, pp. 1-38..~
Primary Examiner:
Gregory; Bernarr E.
Attorney, Agent or Firm:
Pillsbury Madison & Sutro LLP
Parent Case Text
This is a continuation of application Ser. No. 08/584,493, filed on Jan. 11, 1996, which was abandoned upon the filing hereof.
Claims
What is claimed is:
1. A method of distributing data, the method comprising:
protecting portions of the data; and
openly distributing the protected portions of the data, whereby
each and every access to the unprotected form of the protected data is limited only in accordance with rules defining access rights to the data as enforced by a mechanism protected by tamper detection, so that unauthorized access to the protected data is not to the unprotected form of the protected data.
2. A method of distributing data for subsequent controlled use of the data by a user, the method comprising:
protecting portions of the data;
protecting rules defining access rights to the data; and
openly distributing the protected portion of the data and the protected rules, whereby
controlled access to the unprotected form of the protected data is provided only in accordance with the rules as enforced by a mechanism protected by tamper detection, so that unauthorized access to the protected data is not to the unprotected form of the protected data.
3. A method of distributing data for subsequent controlled use of the data by a user, some of the data having access rules already associated therewith, the access rules defining access rights to the data, the method comprising:
protecting portions of the data;
providing rules defining access rights to the data;
combining the provided rules with rules previously associated with the data;
protecting the combined rules; and
openly distributing the protected portions of the data and the protected combined rules, whereby
controlled access to the unprotected form of the protected data is provided only in accordance with the combined rules as enforced by an access mechanism protected by tamper detection, so that unauthorized access to the protected data is not to the unprotected form of the protected data.
4. A method of controlling secondary distribution of data, the method comprising:
protecting portions of the data;
protecting rules defining access rights to the data;
openly providing the protected portions of the data and the protected rules to a device having an access mechanism protected by tamper detection; and
limiting transmission of the protected portions of the data from the device only as protected data or in accordance with the rules as enforced by the access mechanism, so that unauthorized access to the protected portions of the data is not to the unprotected form of the protected data.
5. A method of controlling access to data with a computer system having an input/output (i/o) system for transferring data to and from i/o devices, the method comprising:
protecting portions of the data;
openly providing the protected portions of the data; and
limiting each and every access to the unprotected form of the protected data only in accordance with rules defining access rights to the data as enforced by the i/o system, so that unauthorized access to the protected portions of the data is not to the unprotected form of the protected data.
6. A method of accessing openly distributed data, the method comprising:
obtaining openly distributed data having protected data portions and rules defining access rights to the protected data portions; and
limiting each and every access to the unprotected form of the protected data only in accordance with the rules as enforced by a mechanism protected by tamper detection, so that unauthorized access to the protected portions of the data is not to the unprotected form of the protected data.
7. A method as in any one of claims 1, 3, 4 and 5 wherein the protecting of portions of the data comprises encrypting the portions of the data, whereby unauthorized access to the protected data is not to the un-encrypted form of the protected data.
8. A method as in claim 7, wherein the encrypting of portions of the data encrypts the portions of the data with a data encrypting key, the data encrypting key having a corresponding data decrypting key, the method further comprising:
encrypting the data encrypting key.
9. A method as in claim 8, further comprising:
providing a decrypting key corresponding to the key encrypting key.
10. A method as in any one of claims 2 and 3, wherein
the protecting of the rules comprises encrypting the rules.
11. A method as in claim 10, wherein the protecting of portions of the data comprises encrypting the portions of the data, whereby unauthorized access to the protected data is not to the un-encrypted form of the protected data.
12. A method as in claim 11, wherein the rules are protected such that they can be viewed and they cannot be changed.
13. A method as in claim 11, wherein
the encrypting of the rules comprises encrypting the rules with a rule encrypting key,
the encrypting of the portions of the data comprises encrypting the portions of the data with a data encrypting key,
the method further comprising encrypting the data encrypting key.
14. A method as in claim 13, wherein the mechanism comprises a unique identifier and wherein the rule encrypting key is determined as a function of the unique identifier.
15. A method as in claim 14, wherein the unique identifier is a cryptographically sealed certificate comprising a private key.
16. A method as in claim 15, wherein the certificate is destroyed upon detection of tampering.
17. A method as in claim 14, wherein the unique identifier is destroyed upon detection of tampering.
18. A method as in claim 13, wherein the mechanism includes a unique private key and wherein the rule encrypting key is associated with the private key.
19. A method as in any one of claims 1, 2, 3, 4, 5 and 6, wherein the data represent at least one of software, text, numbers, graphics, audio, and video.
20. A method as in any one of claims 1, 2, 3, 4, 5 and 6, wherein the rules indicate which users are allowed to access the protected portions of the data, the method further comprising
allowing the user access to the unprotected form of a protected portion of the data only if the rules indicate that the user is allowed to access that portion of the data.
21. A method as in any one of claims 1, 2, 3, 4, 5 and 6 wherein the rules indicate distribution rights of the data, the method further comprising:
allowing distribution of the unprotected form of the protected data portions only in accordance with the distribution rights indicated in the rules.
22. A method as in any one of claims 1, 2, 3, 4, 5 and 6, wherein the rules indicate access control rights of the user, the method further comprising:
allowing the user to access the unprotected form of the protected data portions only in accordance with the access control rights indicated in the rules.
23. A method as in claim 22, wherein the access control rights include at least one of:
local display rights,
printing rights,
copying rights,
execution rights,
transmission rights, and
modification rights.
24. A method as in any one of claims 1, 2, 3, 4, 5 and 6, wherein the rules indicate access control quantities, the method further comprising:
allowing access to the unprotected form of the protected data portions only in accordance with the access control quantities indicated in the rules.
25. A method as in claim 24, wherein the access control quantities include at least one of:
a number of allowed read-accesses to the data;
an allowable size of a read-access to the data;
an expiration date of the data;
an intensity of accesses to the data;
an allowed level of accuracy and fidelity; and
an allowed resolution of access to the data.
26. A method as in any one of claims 1, 2, 3, 4, 5 and 6, wherein the rules indicate payment requirements, the method further comprising:
allowing access to the unprotected form of the protected data portions only if the payment requirements indicated in the rules are satisfied.
27. A method as in any one of claims 1, 2, 3, 4 and 6, further comprising:
destroying data stored in the mechanism when tampering is detected.
28. A method as in claim 5, further comprising:
destroying data stored in the i/o system when tampering is detected.
29. A method as in any one of claims 2, 3 and 4, further comprising providing the protected portions and the protected rules provides the protected portions and the protected rules together as a package.
30. A method as in claim 29, further comprising:
providing unprotected portions of the data in the package.
31. A method as in any one of claims 2, 3 and 4, further comprising providing the protected portions and the protected rules separately.
32. A method as in any one of claims 2, 3 and 4, further comprising:
providing unprotected portions of the data.
33. A method as in any one of claims 1, 2, 3, 4, 5 and 6, wherein the rules relate to at least one of:
characteristics of users;
characteristics of protected data; and
environmental characteristics.
34. A method as in claim 6, wherein the protected data portions are encrypted whereby unauthorized access to the unprotected form of the protected data is not to the un-encrypted form of the protected data.
35. A device for controlling access to data, the data comprising protected data portions and rules defining access rights to the data, the device comprising:
storage means for storing the rules; and
means for accessing the unprotected form of the protected data portions only in accordance with the rules, whereby user access to the unprotected form of the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data.
36. A device as in claim 35, further comprising:
means for storing data accessed by the means for accessing.
37. A device as in claim 35, wherein the protected data portions are encrypted using a data encrypting key and wherein the data encrypting key is encrypted with a key encrypting key, the device further comprising:
means for obtaining a data decrypting key corresponding to the data encrypting key using a key decrypting key corresponding to the key encrypting key;
means for storing the data decrypting key; and wherein the means for accessing comprises:
means for decrypting the protected data portions using the data decrypting key.
38. A device as in claim 37, further comprising:
tamper detecting mechanism for detecting tampering with the device.
39. A device as in claim 38, wherein the tamper detection means comprises:
means for destroying data including keys and other cryptographic variables stored in the device when tampering is detected.
40. A device as in claim 35, further comprising:
tamper detecting mechanism for detecting tampering with the device.
41. A device for displaying images represented by data comprising protected data portions and rules defining access rights to the data, the device comprising:
a tamper detecting mechanism;
means for storing the rules;
means for accessing the data only in accordance with the rules, whereby user access to the unprotected form of the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data, the access being enforced by the tamper detecting mechanism; and
means for displaying the images represented by the accessed data.
42. A device for outputting images represented by data comprising protected data portions and rules defining access rights to the data, the device comprising:
a tamper detecting mechanism;
means for storing the rules;
means for accessing the data only in accordance with the rules, whereby user access to the unprotected form of the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data, the access being enforced by the tamper detecting mechanism; and
means for outputting the images represented by the accessed data.
43. A device for outputting an audio signal represented by data comprising protected data portions and rules defining access rights to the data, the device comprising:
a tamper detecting mechanism;
means for storing the rules;
means for accessing the data only in accordance with the rules, whereby user access to the unprotected form of the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data, the access being enforced by the tamper detecting mechanism; and
means for outputting the audio signal represented by the accessed data.
44. A device for outputting an output signal based on data comprising protected data portions and rules defining access rights to the data, the device comprising:
a tamper detecting mechanism;
means for storing the rules;
means for accessing the data only in accordance with the rules, whereby user access to the unprotected form of the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data, the access being enforced by the tamper detecting mechanism; and
means for outputting the output signal represented by the accessed data.
45. A device for generating an output signal corresponding to data comprising protected data portions and rules defining access rights to the digital data, the device comprising:
a tamper detecting mechanism;
means for storing the rules;
means for accessing the digital data only in accordance with the rules, whereby user access to the unprotected form of the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data, the access being enforced by the tamper detecting mechanism; and
means for generating the output signal from the accessed data.
46. A device as in any one of claims 41 and 42, wherein the images comprise at least one of text data, numbers, graphics data, and video data.
47. A device as in any one of claims 41, 42, 43, 44, 45, 46 and 40, wherein the tamper detecting mechanism comprises:
means for destroying data stored in the device when tampering is detected.
48. A device as in any one of claims 44 and 45, wherein the output signal comprises at least one of text, numbers, graphics, audio and video.
49. A device for distributing data for subsequent controlled use of the data by a user, the device comprising:
means for protecting portions of the data;
means for protecting rules defining access rights to the data; and
means providing the protected portions of the data and the protected rules;
whereby a user is provided controlled access to the data only in accordance with the rules as enforced by an access mechanism protected by tamper protection, so that unauthorized access to the protected data is not to the unprotected form of the protected data.
50. A device for distributing data for subsequent controlled use of the data by a user, some of the data having access rules already associated therewith, the access rules defining access rights to the data, the device comprising:
means for protecting portions of the data;
means for providing rules concerning access rights to the data;
means for combining the provided rules with rules previously associated with the data;
means for protecting the combined rules; and
means for providing the protected portions of the data and the protected combined rules;
whereby the user is provided controlled access to the unprotected form of the protected data only in accordance with the combined rules as enforced by an access mechanism protected by tamper detection, so that unauthorized access to the protected data is not to the unprotected form of the protected data.
51. A device as in any one of claims 49 and 50, wherein the means for providing the protected portions and the protected rules provides the protected portions and the protected rules together as a package.
52. A device as in claim 51, further comprising:
means for providing unprotected portions of the data in the package.
53. A device as in any one of claims 49 and 50, wherein the means for providing the protected portions and the protected rules provides the protected portions and the protected rules separately.
54. A device as in any one of claims 49 and 50, wherein
the means for protecting portions of the data comprises means for encrypting the portions of the data, whereby unauthorized access to the protected data is not to the unprotected form of the protected data.
55. A device as in any one of claims 49 and 50, wherein
the means for protecting the rules comprises means for encrypting the rules.
56. A device as in claim 55, wherein the means for protecting portions of the data comprises means for encrypting the portions of the data, whereby unauthorized access to the protected data is not to the un-encrypted form of the protected data.
57. A device as in claim 56, wherein
the means for encrypting the rules comprises means for encrypting the rules with a rule encrypting key,
the means for encrypting the portions of the data comprises means for encrypting the portions of the data with a data encrypting key,
the device further comprising means for encrypting the data encrypting key.
58. A device as in any one of claims 49 and 50, wherein
the rules are protected such that they can be viewed and they cannot be changed.
59. A device as in any one of claims 49 and 50, further comprising means for providing unprotected portions of the data.
60. A device as in any one of claims 49 and 50, further comprising:
means for detecting tampering with the access mechanism; and
means for destroying data stored in the access mechanism when tampering is detected by the tamper detecting means.
61. A device as in any one of claims 35, 41-45, 49 and 50, wherein the rules relate to at least one of:
characteristics of users;
characteristics of protected data; and
environmental characteristics.
62. A device as in any one of claims 35, 41-45, 49 and 50, wherein the data represent at least one of software, text, numbers, graphics, audio, and video.
63. A device as in any one of claims 35, 41-45, 49 and 50, wherein the rules indicate access control rights of the user, the device further comprising:
means for allowing the user to access the unprotected form of the protected data portions only in accordance with the access control rights indicated in the rules.
64. A device as in claim 63, wherein the access control rights include at least one of:
local display rights,
printing rights,
copying rights,
execution rights,
transmission rights, and
modification rights.
65. A device as in any one of claims 35, 41-45, 49 and 50, wherein the rules indicate access control quantities, the device further comprising:
means allowing the user to access the unprotected form of the protected data portions only in accordance with the access control quantities indicated in the rules.
66. A device as in claim 65, wherein the access control quantities include at least one of:
a number of allowed read-accesses to the data;
an allowable size of a read-access to the data;
an expiration date of the data;
an intensity of accesses to the data;
an allowed level of accuracy and fidelity; and
an allowed resolution of access to the data.
67. A process control system comprising a device for controlling access to data, the data comprising protected data portions and rules defining access rights to the data, the device comprising:
a tamper detecting mechanism;
means for storing the rules; and
means for accessing the unprotected form of the protected data portions only in accordance with the rules, whereby output of the unprotected form of the protected data portions is permitted only in such manner as is permitted by the rules, the accessing being enforced by the tamper detecting mechanism.
68. A general purpose computer system comprising:
a device for controlling access to data, the data comprising protected data portions and rules defining access rights to the data, the device comprising:
a tamper detecting mechanism;
storage means for storing the rules; and
means for accessing the unprotected form of the protected data portions only in accordance with the rules, whereby user access to the unprotected form of the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data, said access being enforced by said tamper detecting mechanism.
69. A computer system as in claim 68, wherein the tamper detecting mechanism comprises:
means for destroying data, rules and cryptographic variables stored in the device when tampering is detected.
70. A computer system as in claim 68, wherein the protected data portions are encrypted using a data encrypting key and wherein the data encrypting key is encrypted with a key encrypting key, the computer further comprising:
means for obtaining a data decrypting key corresponding to the data encrypting key using a key decrypting key corresponding to the key encrypting key;
means for storing the data decrypting key; and wherein the means for accessing comprises:
means for decrypting the protected data portions using the data decrypting key.
71. A computer system as in claim 70, wherein the device comprises a unique identifier and wherein the key encrypting key is determined as a function of the unique identifier.
72. A computer system as in claim 71, wherein the unique identifier is a cryptographically sealed certificate comprising a private key.
73. A computer system as in claim 72, wherein the certificate is destroyed upon detection of tampering.
74. A computer system as in claim 71, wherein the unique identifier is destroyed upon detection of tampering.
75. A computer system comprising:
an input/output (i/o) system for transferring data to and from all i/o devices;
means for protecting portions of the data; and
means for limiting each and every access to the unprotected form of the protected data only in accordance with rules defining access rights to the data as enforced by the i/o system, so that unauthorized access to the protected data is only to the protected form of the protected data.
76. A system as in claim 75, further comprising means for destroying data, including cryptographic variables, stored in the i/o system when tampering is detected.
77. A system as in any one of claims 69 and 75, wherein the data represent at least one of software, text, numbers, graphics, audio, and video.
78. A system as in claim 75, wherein the means for protecting portions of the data comprises means for encrypting the portions of the data, whereby unauthorized access to the protected data is not to the un-encrypted form of the protected data.
79. A system as in claim 78, wherein the means for encrypting encrypts the portions of the data with a data encrypting key, the data encrypting key having a corresponding data decrypting key, the system further comprising:
means for encrypting the data encrypting key with a key encrypting key.
80. A system as in claim 79, further comprising:
means for providing a decrypting key corresponding to the key encrypting key.
81. A computer system as in claim 75, wherein the rules indicate which users are allowed to access the protected portions of the data, the system further comprising:
means for allowing the user access to the unprotected form of a protected portion of the data only if the rules indicate that the user is allowed to access that portion of the data.
82. A computer system as in claim 75, wherein the rules indicate distribution rights of the data, the system further comprising:
means for allowing the user to distribute the unprotected form of the protected data portions only in accordance with the distribution rights indicated in the rules.
83. A system as in claim 75, wherein the rules indicate access control rights of the user, the system further comprising:
means for allowing the user to access the unprotected form of the protected data portions only in accordance with the access control rights indicated in the rules.
84. A system as in claim 83, wherein the access control rights include at least one of:
local display rights,
printing rights,
copying rights,
execution rights,
transmission rights, and
modification rights.
85. A system as in claim 75, wherein the rules indicate access control quantities, the system further comprising:
means allowing the user to access the unprotected form of the protected data portions only in accordance with the access control quantities indicated in the rules.
86. A system as in claim 85, wherein the access control quantities include at least one of:
a number of allowed read-accesses to the data;
an allowable size of a read-access to the data;
an expiration date of the data;
an intensity of accesses to the data;
an allowed level of accuracy and fidelity; and
an allowed resolution of access to the data.
87. A system as in claim 85, wherein the rules indicate payment requirements, the system further comprising:
means for allowing the user to access the unprotected form of the protected data portions only if the payment requirements indicated in the rules are satisfied.
88. A system as in any one of claims 67, 68, 70 and 75, wherein the rules relate to at least one of:
characteristics of users;
characteristics of protected data; and
environmental characteristics.
Description
FIELD OF THE INVENTION
This invention relates to the control of distribution and access of digital property as well as to the payment therefor.
BACKGROUND OF THE INVENTION
The development and deployment of digital information networks is accompanied by new concerns for the protection of rights to data and information. The U.S. Congress Office of Technology Assessment identified the following key developments relevant to the area of this invention: there has been an overall movement to distributed computing; boundaries between types of information are blurring; the number and variety of service providers has increased. Information Security and Privacy in Networked Environments, Congress, Office of Technology Assessment, OTA-TCT-606, Washington, D.C.: U.S. Government Printing Office, September 1994.
Computer networks allow more interactivity; and, most significantly, electronic information has opened new questions about copyright, ownership, and responsibility for information. Technology, business practice, and law are changing at different rates, law arguably being the slowest.
Intellectual property, or information, is different from real property. A major difference between intellectual property and real property is that intellectual property can be embodied in forms which can be copied from the owner while the owner still retains the original. For example, a broadcast or performance of a musical composition can be recorded (and copies made of the recording) while the composer retains the original composition; a photograph can be reproduced while the owner retains the original negative.
In the past, when information was stored in analog form, the copying and redistribution of such information, while problematic, did not account for as much economic loss as is possible today. The storage of information in analog form uses a physical medium that is made to have some characteristic vary in proportion with the information to be stored. For instance, the groove on a vinyl record captures the frequency and intensity (volume) of a sound by the extent of its excursion. At each stage in the process of playing a record: the stylus tracing the groove, generation of a small voltage, amplification of the voltage, and reproduction of the sound, small errors are introduced. Today's high fidelity systems are very accurate, but they are not flawless.
Indeed, copying a vinyl record to a cassette tape results in a small, but noticeable, reduction in sound quality. If multiple generations of recording (e.g., cascaded recordings) were undertaken, the resulting product would be noticeably inferior to the original. Similarly, when multiple generations of photocopies of an image are made, the quality of the resulting image is typically poor, with many dark and light areas that were not present in the original image.
It is the inevitable gradual degradation of quality that has proven to be a practical disincentive to large scale copying of analog information. Notwithstanding this observation, where the potential profits are high, such copying is undertaken even though the resulting product's quality is significantly below that of the original. Videotape copies of movies represent a good example. Some fraction of the marketplace is willing to accept a lower quality product in exchange for a significantly lower price. The logistics associated with making large numbers of copies (an inherently serial process), including obtaining the raw materials (cassettes), the reproduction equipment, and the distribution channels also have served to limit illicit production. Finally, the quality of the product as well as the markings on the package distinguish it from the original and may also serve as a disincentive (for some) to purchase an illicit copy.
Just as the invention of the printing press changed the way in which society interacted with information on paper, the technical advances in digital computers and communications in the closing years of the twentieth century have a potential for high impact on legal, moral, and business practice. The printing press is often credited as an enabling mechanism for the Renaissance and the Reformation in Europe. The advances in digital information technology will similarly impact commerce and law. Digital technology enables changing the representation of information without changing the content. (Of course the content can be changed too.)
The storage of information in digital form depends on the ability to encode information in binary form to arbitrary precision and to record that binary form in a physical medium that can take on two distinct characteristics. Preserving the fidelity of information recorded in binary (using media with two distinct and easily-differentiated characteristics) is easily accomplished. For instance, a compact disc stores information (each binary digit or bit) as the presence or absence of a hole (depression or pit) that reflects or does not reflect light. Compared to the analog recording of phonograph records, the information stored in each hole is unambiguously a binary digit, the value of which is either zero or one. No other values are possible. A digital tape stores each bit as a magnetic spot that is oriented either north/south or south/north. Today's digital sound systems use sufficiently many bits to capture sound levels beyond the ability of the human ear to distinguish a difference and in so doing attain so-called "perfect" fidelity.
A digital file can be copied with no loss of fidelity (as the mechanism need only distinguish between two easily-differentiated states). With straightforward and well-known error-correction mechanisms, even inevitable flaws can be made so improbable as to occur fewer than once in ten billion bits.
As a result of the ability to copy a file with no loss of fidelity, it is now almost impossible to differentiate a digital copy from the digital original. In a network environment recording materials, reproduction equipment and distribution are not impediments to copying. Consequently, in the digital domain the threshold inhibiting the making of illicit copies is significantly lowered. Evidence that this is the case is presented by the Software Publishers Association and by the Business Software Alliance, each of which indicates that billions of dollars of software is pirated (in the sense of being illicitly copied) each year. Additionally, print publishers hesitate to expand into the network marketplace because they are unable to control (in the sense of receiving compensation in return for rights) secondary distribution of their products as well as incorporation of their products into derivative products. Digitally stored information may include binary data, computer software, text, graphics, audio, and video. The uses of this information include news, entertainment, education, and analysis. Information may be distributed in many ways, including networks, magnetic media, CD-ROM, semiconductor memory modules, and wireless broadcast.
Copying and distributing large volumes of digital information over long distances is becoming easier and less costly. Such changes in cost and convenience of necessity impact business decisions concerning producing, distributing, promoting, and marketing. The commercial relationship among information producers (such as authors, performers, and artists), distributors (such as publishers, promoters, and broadcasters), and consumers must change in response to the technology.
The law concerning intellectual property is in ferment. Major revisions in the laws regarding the protection of computer programs have been suggested. A Manifesto Concerning the Legal Protection of Computer Programs, Samuelson, P. R. et al., Columbia Law Review, vol. 94, no. 8, pp. 2308-2431, December 1994. The European Union is working on harmonizing protection of intellectual property rights with respect to technology and differences in civil and common law countries. Commission of the European Union, Jul. 19 1995, Green Paper on Copyright and Neighboring Rights in the Information Society, catalogue number CB-CO-95-421-EN-C, ISSN 0254-1475, ISBM 92-77-92580-9, Office for Official Publications of the European Communities, L-2985
Luxembourg. In the United States, the issue of protection of intellectual property rights is being addressed in the context of the National Information Infrastructure. The uncertainty of legal protection over time and from country to country only serves to emphasize the importance of and need for technical protection of intellectual property rights in information and data.
The principal technology which has been used for protecting intellectual property is cryptography. However, devising practical retail systems for delivery of intellectual property from distributor to consumer, as distinct from confidential transmission in national security and business activities among trusted and cleared personnel, has required innovation.
Executable software-based cryptography can ensure that data are distributed only to authorized users. The information to be protected is encrypted and transmitted to the authorized user(s). Separately, a decryption key is provided only to authorized users. The key is subsequently used to enable decryption of the information so that it is available to the authorized user(s).
Other ways of controlling access to portions of data or software have included the use of external devices or tokens (dongles) needed in order to access the data or selected features of a program. Possession of the token is made evident to the computer system by physical attachment of the token to the computer. A token is generally attached to a printer, game, or network port where executable software can check on its presence prior to authorizing access. Diskettes have also been used as dongles; their presence in the diskette drive is checked by the executing software. Because they must be actively interrogated, dongles are generally used to limit access to program features and not to limit access to information.
Of those prior art systems which make some use of encryption, none protects the data after it has been decrypted. Thus, secondary distribution and multiple uses are possible.
Further, in all of the prior art, access is all or nothing, that is, once access is granted, it cannot be controlled in any other ways. This makes it difficult to control copying, secondary distribution, as well as to obtain payment for all uses.
Originator controlled data dissemination is desirable. Several policies for control of dissemination of paper documents are specified in Control of Dissemination of Intelligence Information, Directive No. 1/7, Director of Central Intelligence, May 4, 1981. This Originator-Controlled (ORCON) policy has motivated development of computerized access controls. ORCON requires the permission of the originator to distribute information beyond the original receivers designated by the originator. The Propagated Access Control (PAC) policy and the related Propagated Access Control List (PACL) were proposed as one way of implementing ORCON. "On the Need for a Third Form of Access Control," Graubart, R., Proceedings of the 12th National Computer Security Conference, pp. 296-303, 1989. Whenever an authorized subject reads an object with an associated PACL, that PACL becomes associated with the subject. Any new object created by the subject inherits the PACL. PACLs are associated with both subjects and objects.
Owner-Retained Access Control (ORAC) (described in "Beyond the Pale of MAC and DAC: Defining New Forms of Access Control," McCollum, C. J., et al. Proceedings of the Symposium on Research in Security and Privacy, IEEE Computer Society Press,
1990) is similar to PAC in propagating ACLs with non-discretionary enforcement. ORAC goes further, retaining the autonomy of all originators associated with a given object in making access decisions, while basing mediation of requests on the intersection of the access rights that have been granted. ORAC is motivated to implement several of the DCID 1/7 policies in addition to ORCON, namely NO.sub.-- CONTRACTOR, NO.sub.-- FOREIGN, and RELEASABLE.sub.-- TO.
Originator-Controlled Access Control (ORGCON) (described in "Generalized Framework for Access Control: Towards Prototyping the ORGCON Policy," Abrams, M. D., et al. Proceedings of the 14th National Computer security Conference, October 1991) is a strong form of identity-based access control--it explicitly defines authority and delegation of authority, provides for accountability, and has an explicit inheritance policy. In ORGCON, the distribution list is indelibly attached to the object (i.e., the distribution list cannot be disassociated from the object, even in the limited cases where copying is permitted). ORGCON is a read, no-copy policy. Its formal model (taught in "A Rule-Set Approach to Formal Modeling of a Trusted Computer System," LaPadula, L. J., Computing Systems Journal, Vol. 7, No. 1, pp. 113-167, Winter 1994) distinguishes among device types in order to deal with the policy that no storage copy of an object is permitted. Information may be copied only to the display and printer, but not to any other device types.
The Typed Access Matrix (TAM) Model (described in "The Typed Access Matrix Model," Sandhu, R. S., Proceedings of the Symposium on Research in Security and Privacy, IEEE Computer Society, pp. 122-136, 1992; and "Implementation Considerations for the Typed Access Matrix Model in a Distributed Environment," Sandhu, R. S., and G. S. Suri, 1992, Proceedings of the 15th National Computer Security Conference, pp. 221-235) incorporates strong typing into the access matrix model to provide a flexible model that can express a rich variety of security policies while addressing propagation of access rights and the safety problem. The safety problem is closely related to the fundamental flaw in Discretionary Access Control (DAC) that malicious code can modify the protection state. Types and rights are specified as part of the system definition; they are not predetermined in TAM.
The prior art, including cryptographic processes, tokens, dongles, so-called "uncopyable" media, various executable software protection schemes, and executable software for printing that places an identifier on all printed output in a fashion not apparent to a human, fails to limit either secondary distribution or distribution of derivative works.
This shortcoming is not a failure of mechanism, but rather it is an architectural design omission. The problem of copying by the authorized user is simply not addressed. In each case, once the data are available to an authorized user, they are basically unprotected and may be copied, modified, or transmitted at will. Schemes that include identifiers on printed material, although they may aid in identifying the source of copied material, do not prevent secondary distribution.
Executable software-based cryptography can ensure that data are distributed only to authorized users. However, once data are received they may be freely manipulated and redistributed.
The information to be protected is encrypted and transmitted to the authorized user(s). In some systems the encrypted information is made freely available. Separately, a decryption key is provided only to authorized users. The key is subsequently used to enable decryption of the information so that it is available to the authorized user(s). It is at this point that the information is subject to manipulation and redistribution without further limitation.
As mentioned above, a dongle or token can be used to authorize access to executable software. However, once access has been granted to information that information is subject to manipulation and redistribution without further limitation. Further, dongles have proven to be unpopular because of the need to keep track of them and ensure that they are separately secured.
Uncopyable media, generally used either to control distribution of information or to control usage of executable software, are unpopular because of the user's inability to create a backup copy. Further, most so-called uncopyable disks have fallen victim to general-purpose duplication programs, rendering their protection useless. Sometimes, as in early releases of Lotus 1-2-3, an uncopyable disk was provided with the executable software release and had to be inserted in a floppy-disk drive for the executable software to function (operating as a disk dongle). Users soon learned how to by-pass the executable software so that the disk need not be present. Even where partially effective, the uncopyable disk did not serve as a deterrent to capturing information and redistributing it.
The degree of protection of data is typically made by the data owners and/or distributors based on their security analysis. It is common to perform security analysis in terms of risks, threats, vulnerabilities, and countermeasures. An owner's estimate of the probability that a particular threat will materialize is crucial to selecting appropriate rules to protect property rights.
Threat can be characterized as the intensity of attack on the data, which can be described as low, medium, and high.
Low: For a security function to be rated as "suitable for use in a low threat environment," it shall be shown that the security function provides protection against unintended or casual breach of security by attackers possessing a low level of expertise, opportunities, resources and motivation. However, such a security function may be capable of being defeated by a knowledgeable attacker.
Medium: For a security function to be rated as "suitable for use in a medium threat environment," it shall be shown that the security function provides protection against attackers possessing a moderate level of expertise, opportunities, resources and motivation.
High: For a security function to be rated as "suitable for use in a high threat environment," it shall be shown that the security function provides protection against attackers possessing a high level of expertise, opportunity, resources and motivation. A successful attack is judged as being beyond normal practicality.
The following list covers some common anticipated threats to data and processing systems.
Threat: Capture of Output Signal
No matter what method is used to protect a data file, the data stored therein can be captured as a signal en route to an output device. Capture of an analog output results in some degradation of signal quality. But the market for bootleg copies of videos, for example, appears to be insensitive to such quality if the price is right. A captured digital signal suffers degradation of quality only as a result of bit errors (i.e., if the data capture was not completely accurate).
This threat is well known to the entertainment industry. Various approaches to protection have been incorporated in set-top boxes discussed in "Inside the Set-Top Box," Ciciora, W. S., IEEE Spectrum, pp. 70-75, April 1995.
Threat: Digital Copying
Once data have been decrypted, the resulting cleartext must be protected from unauthorized copying. Creating an unauthorized local copy, or disseminating the data without authorization each results in an original-quality copy without compensation to the owner.
Threat: Deliberate Attack via Legacy (pre-existing) and Customized Hardware
High-intensity attack by attackers possessing a high level of expertise, opportunity, resources and motivation must be considered. Attackers in this category might include foreign governments and industrial espionage agents, teenage crackers, and resellers of pirated intellectual property. one manifestation of this threat is in uncontrolled hardware. The nominally protected information would be available in the memory and could be accessed via dual-ported memory or even by DMA (direct memory access) from a peripheral.
A strong indication of the usefulness and desirability of the present invention can be found in the legislation pending before the U.S. congress to make illegal the by-passing or avoiding of copyright protection schemes. See S.1284, 104th Congress, 1st sess. (1995).
It is desirable to have a system of distributing data (intellectual property) that prevents copying, restricts re-distribution of the data and provides controlled access to the data.
SUMMARY OF THE INVENTION
This invention controls access to and use and distribution of data.
For example, when the data are in the form of textual and graphical information, this invention can control how much of the information is displayed and in what form; or, when the data represents a computer software program, this invention can control how much of the software's functionality is available. Classified data are similarly controlled.
In addition, this invention controls secondary distribution and creation of derivative works. Prior art systems rely on software for security. Without the tamper detection/reset mechanism of this invention, software can be modified or data can be intercepted rendering useless any attempts at control.
Degrees of protection utilized in the computer system hardware (for example, tamperproof and tamper-detect features) and the cryptographic tools will depend on the nature of the data to be protected as well as the user environment.
In one preferred embodiment, this invention is a method of controlling access to data by protecting portions of the data; determining rules concerning access rights to the data; preventing access to the protected portions of the data other than in a non-useable form; and permitting a user access to the data only in accordance with the rules as enforced by a tamper detecting mechanism.
In another preferred embodiment, this invention is a device for controlling access to digital data, the digital data comprising protected data portions and rules concerning access rights to the digital data. The device includes storage means for storing the rules; and means for accessing the protected data portions only in accordance with the rules, whereby user access to the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data.
In another aspect, this invention is a method of distributing digital data for subsequent controlled use of the data by a user. The method includes protecting portions of the digital data; preventing access to the protected portions of the data other than in a non-useable form; determining rules concerning access rights to the data; protecting the rules; and providing the protected portions of the digital data and the protected rules. The user is provided controlled access to the data only in accordance with the rules as enforced by a tamper detecting access mechanism.
In another aspect, this invention is a storage device, readable by a machine, tangibly embodying a package of digital data comprising protected portions of digital data; and rules concerning access rights to the digital data, whereby a user is provided controlled access to the digital data only in accordance with the rules as enforced by a tamper detecting access mechanism.
The data represent computer software, text, graphics, audio, and video, alone or in combinations.
The protecting is done by encrypting the portions of the data, and access is prevented to the encrypted portions of the data other than in encrypted form.
In some embodiments the rules are provided with the data, whereas in others the rules are provided separately. The rules can specify various access rights and controls, including rights of further distribution of the data.
In preferred embodiments, data are destroyed when tampering is detected.
The device containing the mechanism of the present invention can be a stand-alone device such as a facsimile machine, a television, a VCR, a laser printer, a telephone, a laser disk player, a computer system or the like.
As noted above, the rules, policies and protections of data are typically made by the data owners and/or distributors based on their security analysis of various threats. The various threats listed above are dealt with by countermeasures in the present invention.
Threat: Capture of Output Signal
Countermeasure: Encrypt or Scramble Output Signal
Protection of the output signal is accomplished with encryption of a digital signal (as is done in the present invention) and scrambling of an analog signal. This solution requires installing decryption or unscrambling capability in the output device, TV or monitor, along with appropriate tamper-detection capability. Encryption or scrambling might be effected using a public key associated with the output device (although, to prevent so-called "spoofing," obtained from a certification authority and not from the output device). Alternatively, the output might be encrypted or scrambled using a private key only available to the designated output device (again ensured via some certification mechanism). The output signal is decrypted or unscrambled by the output device using its private key and is not available in plaintext form outside of the device's protected enclosure.
Countermeasure: Protect Output Signal by Packaging
The output signal is protected by making it unavailable outside the access mechanism. A sealed-unit computer with tamper detection provides the necessary protection. Examples of the acceptability of such packaging include lap-top computers and the original Macintosh computer, as well as integrated televisions, VCRs and video or audio laser disk players.
Threat: Digital Copying
Countermeasure: Secure Coprocessor
Selection of a secure coprocessor is indicated to implement protection against unauthorized use when an operating system (OS) is determined to be untrustworthy--that is, when the OS cannot provide adequate resistance to the anticipated threat. When the OS is untrustworthy, any measures implemented in the OS, or protected by it, can be circumvented through the OS or by-passing it.
Countermeasure: Detection of Unsealing
The protection provided by a coprocessor could be circumvented by tampering. The coprocessor is protected by tamper detection that causes the rules, cryptographic data, and decrypted protected data to be destroyed. Both passive and active means are used to effect such destruction. Semiconductor memory is volatile and does not retain data when power is removed. A long-life battery provides energy sufficient to allow rewriting (zeroizing) nonvolatile memory containing, for example, the private key. Without the private key the system will be unable to decrypt any protected data and it must be returned to an authorized service facility for installation of a new private key.
Threat: Deliberate Attack via Legacy and Customized Hardware
Countermeasure: Keep the Information on the Coprocessor Board
Access may be controlled if the information leaves the coprocessor board only for output purposes. Deciphered information is retained in memory on the coprocessor board, not in main memory. Program execution occurs in the coprocessor on the board (e.g, operating in the same manner as did so-called "accelerator" coprocessors that allowed a user to install an 80286 processor in an 80186 system, allowing the user to shift all functions to or from the faster coprocessor using a software command). Where information must leave the coprocessor board, e.g., to be sent to an output device, it may, depending on the associated rules, be encrypted. To receive and process encrypted data, the output device must have an access mechanism as well as public and private keys and tamper detect capability. Because some output peripheral devices do not have the capability of retransmission, the device may be a subset of the full access mechanism associated with a processor or computer system.
BRIEF DESCRIPTION OF THE DRAWINGS
The above and other objects and advantages of the invention will be apparent upon consideration of the following detailed description, taken in conjunction with the accompanying drawings, in which the reference characters refer to like parts throughout and in which:
FIG. 1 is a schematic block diagram of an embodiment of a digital data access and distribution system according to the present invention;
FIGS. 2 and 3 show logical data structures used by the system depicted in FIG. 1;
FIG. 4 is a flow chart of the authoring mechanism of the embodiment of the present invention depicted in FIG. 1;
FIG. 5 is a schematic block diagram of another embodiment of a digital data access and distribution system according to the present invention;
FIG. 6 is a logical data structure used by the embodiment depicted in FIG. 5;
FIG. 7 is a flow chart of the authoring mechanism of the embodiment of the present invention depicted in FIG. 5;
FIGS. 8 and 9 show schematic block diagrams of embodiments of the access mechanism according to the present invention;
FIGS. 10(a)-13 are flow charts of the data access using the access mechanisms shown in FIGS. 8, 9 and 15;
FIG. 14 shows an embodiment of the invention which uses an external user status determination mechanism;
FIG. 15 is a schematic block diagram of an embodiment of a distribution system for derivative works according to the present invention;
FIG. 16 is a flow chart of data access using the access mechanism shown in FIG. 15;
FIGS. 17(a) and 17(b) show packetized data according to the logical data structures shown in FIGS. 2 and 6;
FIGS. 18(a)-23(b) show various examples of data and their packaging according to the present invention; and
FIG. 24 shows various implementation levels of a typical computer system employing an access mechanism according to the present invention.
DETAILED DESCRIPTION OF THE PRESENTLY PREFERRED EXEMPLARY EMBODIMENTS
A schematic block diagram of a presently preferred exemplary embodiment of a digital data access and distribution system 100 according to the present invention is depicted in FIG. 1. System 100 includes two main components: a data distributor
102 and a user 104. The data distributor 102 takes data 106 and produces packaged data 108 which are provided to the user 104 via communication channel 105, perhaps in return for some form of payment 110.
Corresponding to each of the distributor 102 and the user 104 are the system's authoring mechanism 112 and access mechanism 114, respectively. The authoring mechanism 112 of the distributor 102 takes the data 106 to be packaged and produces packaged data 108 which is provided to user 104 by a distribution mechanism 118. The packaged data 108 may include access rules 116 in encrypted form encoded therewith, or the access rules 116 may be provided to the user 104 separately (as shown in the embodiment of FIG. 5).
The access mechanism 114 of the user 104 takes the packaged data 108, either including an encrypted version of the access rules 116 or having the access rules provided separately, and enables the user to access the data in various controlled ways, depending on the access rules.
Data 106 provided to or generated by the distributor 102 can be any combination of binary data representing, for example, computer software, text, graphics, audio, video and the like, alone or in combinations. As described below (with respect to the embodiment shown in FIG. 15), in some embodiments data 106 can also include other packaged data produced by an authoring mechanism according to this invention.
The difference between the embodiments of the distributors 102 and 190, shown in FIGS. 1 and 15, respectively, is that the distributor 102 (FIG. 1) does not include an access mechanism 114. Accordingly, distributor 102 deals only with newly created data (that is, with non-derivative data). The embodiment shown in FIG. 15 (discussed below) includes the functionality of the embodiment shown in FIG. 1, and can also deal with input of protected data (previously packaged by a distributor). The embodiment of distributor 102 shown in FIG. 1 can be implemented purely in software (depending on the trust level of the employees of the publisher), whereas the embodiment of distributor 190 shown in FIG. 15 requires some hardware implementation.
Data 106 can also be provided to the distributor in non-digital form and converted to digital form by the distributor in a known and suitable fashion. The content of the data 106 can include, for example, news, entertainment, education, analysis and the like, alone or in combinations.
Note, as used herein, computer software refers to any software program used to control any computer processor. This includes, but is in no way limited to, processors in stand-alone computers; processors in video and audio devices such as televisions, video recorders and the like; processors in output devices such as printers, displays, facsimile machines and the like; and processors in appliances, automobiles, telephones and the like.
The data 106 are typically intellectual property subject to control. In some cases, distributor 102 may receive some form of payment 110 from the user 104 for accessing the data. This payment, or some part thereof, may then be provided directly to the actual owner (not shown) of the data 106. Further, the payment or part thereof may be made before, during or after use of the data.
As noted above, the packaged data 108 may include an encrypted version of the access rules 116, or these rules may be provided to the user separately. The logical data structure for the packaged data 108 is shown in FIG. 2 and includes an encrypted body part 120, an unencrypted body part 122, encrypted rules 124 (if provided with the packaged data), and encrypted ancillary information 126. Encrypted rules 124 are an encrypted version of access rules 116.
The actual format and layout of the data is dependent on the type of data, their intended use, the manner in which they are to be accessed and the granularity of control to be exercised on the data. An encyclopedia, for example, would likely be organized differently from a movie or a musical selection. Since the data can be any combination of binary data, different parts of the packaged data 108 may be structured differently, as appropriate. Accordingly, encrypted body part 120 is potentially made up of encrypted body elements, and similarly, unencrypted body part 122 is potentially made up of unencrypted body elements.
It is, however, envisaged that in presently preferred embodiments the data will be structured such that some data parts or elements have header information which enables the data to be traversed or navigated according to whatever rules are to be applied and in a manner appropriate for those data.
An example of the structure of rules 116 is shown in FIG. 3, wherein the rules include various forms of validity checking and identification information such as version number 127, authentication data 128, license number 130, intellectual property identifier 132, first and last valid generations of the product 134, 136. The rules 116 further include an encrypted data key 138 as well as the actual rules 140, 142, 144-146 to be Is applied when access is made to the data by a user. The actual rules include, but are not limited to, standard, extended and custom permissions 140, 142, 144-146, and co-requisite rules (permission lists) of source data 145.
The function of each field in the rules shown in FIG. 3 is given in TABLE I, below.
TABLE I ______________________________________ Field Function ______________________________________ Version number 127 Defines internal configuration template Authentication (hash) 128 Validates integrity of this data file. License number of these Used by publisher to rules 130. identify owner. Intellectual property Identifies the identifier 132. intellectual property product. First valid generation of Defines extent of the product 134. validity of the license. Last valid generation of Defines extent of the product 136. validity of the license. Encrypted data key 138. Key to access the data. Standard permissions 140. List of basic access permissions for data. Extended permissions 142. List of extended access permissions for data. Custom permissions 144. Executable code modules. Co-requisite rules Indicates which source (permissions) for source data rules are needed. data 145. Token/biometrics 146 Indicates the physical tokens and/or biometric characteristics (if any) required for identification of each authorized user. System IDs/Public keys Other systems to which 147 these rules may be redistributed. ______________________________________
A complete introduction and references to further reading concerning cryptography and cryptographic techniques and mechanisms are found in Abrams, M. D. and Podell, H. J., "Cryptography," Security-An Integrated Collection of Essays, Abrams, M. D. et al, eds. IEEE Computer Society Press, 1995, which is hereby incorporated herein by reference.
The Authoring Mechanism
As shown in FIG. 1, the authoring mechanism 112 of the distributor 102 takes data 106 and produces packaged data 108 for distribution. The process of producing the packaged data which includes rules 116 is described with reference to FIGS. 1-4.
The authoring mechanism 112 incorporates existing source data 106 into a packaged format for dissemination. As noted above, data 106 can include but are not limited to combinations of computer software, text, graphics, audio, video and the like. The data 106 may be provided to the authoring mechanism 112 in various proprietary data formats used in vendor software packages as well as having lower level formats for graphics, tables, charts, spreadsheets, text, still and motion pictures, audio and the like.
Using the authoring mechanism 112, those elements of the data 106 that are to be encrypted are selected, as are the cryptographic algorithms and protocols to be employed, the payment procedures for the use of the data, and other decisions governing how the user 104 will be permitted to use the data. These decisions are used in constructing the permission lists to be included in the rules 116. Different classes of users can be defined, based, for example, on age, fee paid, qualifications and the like.
The presently preferred embodiment employs asymmetric encryption algorithms in the authoring and access mechanisms. The keys for these algorithms are protected within the system and are never exposed. The data-encrypting key, K.sub.D, is the same for all copies of the data. K.sub.D is selected by the distributor 102 and may be different for each product (i.e., for each packaged data 108). The symmetric encryption algorithm used for encrypting the data is associated with K.sub.D and may also be selected by the distributor. K.sub.D is encrypted using a rule-encrypting key K.sub.R. When the rules are distributed with the product (packaged data 108), K.sub.R is the same for all products and all embodiments of the system. When the rules are distributed separately from the product, K.sub.R can be unique for each version of the system. The rule-encrypting key K.sub.R is known only to (and protected within) each receiving computer of each user.
With reference to FIG. 4 which shows a flow chart of a version of the authoring mechanism of the present invention in which the rules are distributed with the packaged data 108, the distributor 102 (acting as a representative of the owner of the data 106) selects a data-encrypting algorithm (DEA) (step S400) and data-encrypting key K.sub.D (step S402), and encrypts the data-encrypting key K.sub.D using K.sub.R (step S404). The encrypted data-encrypting key K.sub.D is then stored in the encrypted ancillary information 126 of the packaged data 108 (in step S406).
The algorithm selection (in step S400) is based on an assessment of risk, the degree of protection desired as well as other factors such as speed, reliability, exportability and the like. As used herein, risk refers to the expected loss due to, or impact of, anticipated threats in light of system vulnerabilities and strength or determination of relevant threat agents. Alternatively, risk can refer to the probability that a particular threat will exploit a particular vulnerability of the system. An analysis of risk, threats and vulnerability is provided below. Examples of possible data-encryption algorithms include, but are not limited to, DES, RSA, PGP and SKIPJACK. The system may use a preferred encryption algorithm and may also provide a mechanism for using algorithms provided with the data 106 by the owner of the data.
The data-encrypting key K.sub.D may be generated in a typical manner, suitable for the selected data-encrypting algorithm. For data having lower value to its owner, or having lower risk of loss, all distributions may rely on a single data-encrypting key (or perhaps a small number of data-encrypting keys). Another encryption method, uses a unique data-encrypting key for each item of data to be distributed.
Having selected a data-encrypting algorithm and key, K.sub.D, (S400-S402) and having encrypted and stored the key (S404-S406), the distributor 102 proceeds to process the various elements of the data 106. The data are processed at a granularity dependent on the type of restrictions needed on their use and on the form of the data themselves, that is, the form in which the data have been provided. The distributor obtains (step S407) and examines each part or element of the data (at the desired granularity) and determines whether or not the element being processed (the current element being examined) is in the body of the data (step S408) (as opposed to being rules or ancillary information). If the current element being examined is determined to be in the body of the data, the distributor then decides whether or not the current data element is to be protected (step S410), that is, whether or not access to that element of the data is to be controlled and the data element is to be encrypted.
If the current data element is not to be protected, it is stored (step S412) in the unencrypted body part 122 of the packaged data 108. Otherwise, if the current data element is to be protected, it is encrypted using the data-encrypting key K.sub.D (step S414) and then the encrypted current data element is stored in the encrypted body part 120 of the packaged data 108 (step S416), after which the next element is processed (starting at step S407).
For example, if the data 106 are a textual article, the abstract of the article might not be protected (encrypted) while the rest of the article would be.
If the current data element is determined not to be in the body of the data (step S408), the distributor then determines if the current data element is access rules provided by the data owner (step S418). If so, the rules are protected by encrypting them using the rule-encrypting key K.sub.R (step S420) and the encrypted rules are then stored in the encrypted rules part 124 of the packaged data 108 (step S422).
If the current data element (being processed) is not access rules, the distributor determines whether or not it is ancillary information (step S424). This information includes such things as the identification of the publisher and the like. If the current data element is determined to be ancillary information, the ancillary information is protected by encrypting it using the data-encrypting key K.sub.D (step S426) and then the encrypted ancillary information is stored in the encrypted ancillary information part 126 of the packaged data 108 (step S428).
If the data are rules or ancillary information to be encrypted, then, after appropriate processing, the next data element is processed (step S407).
If the current data element is not a body part, access rules or ancillary information, some form of error is assumed to have occurred and is processed (step S430). After the error has been processed, the mechanism can continue processing the next data element (step S407) or terminate, depending on the implementation.
The operation of the system 101 shown in FIG. 5 differs from system 100 of FIG. 1 in that the rules 116 are distributed to users 104 separately from the packaged data 108. This is achieved with an authoring mechanism 148 which takes as input data 106 and rules 116 and produces, separately, packaged data 150 and packaged rules 152. The packaged data 150 without the rules has the form shown in FIG. 6, which is essentially the same as the structure shown in FIG. 2, but without the encrypted rules 124.
Note that an hybrid system, wherein some rules are packaged with the data and other rules are packaged separately is foreseen, using a combination of the mechanisms shown in FIGS. 1 and 5. In such a system, an operator selects which mode of operation to employ.
FIG. 7 shows a flow chart of a version of the authoring mechanism 148 of the present invention in which the rules 116 are distributed by distributor 102 separately from the packaged data 150. Rules 116 and data 106 can be presented to the authoring mechanism 148 in any order, or in an interleaved fashion. In fact, the rules 116 need not all be provided together. The distributor 102 first selects a data-encrypting algorithm and a data encrypting key, K.sub.D (step S700). Then the authoring mechanism 148 processes the data element-by-element (starting at step S702). As in the case of the mechanism shown in FIG. 4, a data element is assumed to be one of either a body part, ancillary information or access rules.
First it is determined whether or not the current data element is a body part (step S716). If it is determined (in step S716) that the current data element is a body element, then it must be determined (in step S718) whether or not the data are to be protected. As in the case when the rules are distributed with the packaged data 108, the decision as to whether or not to protect a specific data element depends on the owner of the data and the distribution policies as implemented in the rules.
If the data are to be protected (step S718), the data in the current data element are encrypted using data-encrypting key K.sub.D (step S720) and then the encrypted data are stored in the packaged data 150 in the encrypted body part section 120
(step S722). On the other hand, if the data in the current data element are not to be protected, the data are stored in the unencrypted body part section 122 of the packaged data 150 (in step S724). In either case, after the data element is stored (steps S722 or S724), the next data element is processed (starting at step S702).
If the current data element is determined not to be a body element (step S716), then the mechanism checks to determine whether or not the current data element is ancillary information (step S726). If the current data element is determined to be ancillary information, it is protected by encrypting it using data-encrypting key K.sub.D (step S728) and then the encrypted current data element is stored in the packaged data 150 in the encrypted ancillary information section 126 (in step S730). Then the next data element is processed, starting at step S702.
If the current data element is neither a body element (step S716) nor ancillary information (step S726), then the it is determined whether or not the current data element is access rules (step S732). If so, the rules are to be distributed separately from the packaged data 150, and are processed accordingly as follows:
If this is the first time the access mechanism is processing rules for this data set then a rule-encrypting key K.sub.R must be determined. Accordingly, it is determined whether these are the first rules being processed for this data set (step S734). If so, obtain and validate the serial number, SN, of the system (steps S736 and S738). Then calculate the rule-encrypting key K.sub.D as a function of the validated serial number (K.sub.R =.function.(SN), for some appropriate function .function. (step S740). Function .function. may, for example, be an inquiry to a certification database or certification authority to obtain the public key so as to ensure that the serial number is authentic. Having determined the rule-encrypting key (step S740), encrypt the data key K.sub.D with the calculated rule-encrypting key K.sub.R (step S742) and store the keys (step S744). Next, encrypt the rules using the rule-encrypting key K.sub.R (step S746). The encrypted rules and the encrypted data key K.sub.D are stored as packaged rules 152 for subsequent distribution. The rule-encrypting key K.sub.R may be stored or recalculated from the serial number whenever needed.
If it is determined (in step S734) that the this is not the first rules being processed for this data set, then the rule-encrypting key K.sub.R has already been calculated (step S740) and stored (step S744). In that case, the rules in the current data element are encrypted using the rule-encrypting key K.sub.R (step S742).
Once the rules in the current data element are processed, processing continues with the next data element (step S702).
If the authoring mechanism 148 determines that the current data element is not a body part (step S716), ancillary information (step S726) or rules (step S732), then some form of error has occurred and is processed (step S748). After an error has occurred, the mechanism 148 can either cease processing (step S750) or, in some embodiments, continue processing further data elements (step S702).
The data 106 provided to the distributor 102 and the packaged data 108 (or 150 and packaged rules 152, if provided separately) provided to the user 104, may be provided and distributed in various ways, including but not limited to, via digital communications networks (for example, the Internet or the projected National Information Infrastructure (NII)), magnetic media (for example, tape or disk), CD-ROM, semiconductor memory modules (for example, flash memory, PCMCIA RAM cards), and wireless (for example, broadcast). The packaged data 108 may be provided to a user as a single packaged entity or as a continuous stream of data. For example, a user may obtain a CD-ROM having a movie stored as packaged data thereon or the user may obtain the movie as a continuous stream of broadcast data for one-time viewing.
Information (such as the packaged data 108 from the distributor 102 to the user 104) can be transmitted openly, that is, using mechanisms and media that are subject to access and copying. In other words, communication channel 105 may be insecure.
The Access Mechanism
The access mechanism 114 allows a user 104 to access the data in packaged data 108 (or 150) according to the rules provided with (or separately from, as packaged rules 152) the packaged data and prevents the user or anyone else from accessing the data other than as allowed by the rules. However, having granted a user controlled access to data (according to the rules), it is necessary to prevent the user or others from gaining unauthorized access to the data. It is further necessary to prevent the data from being further distributed without authorization.
The access mechanism 114 used by the user 104 to access data is described with reference to FIG. 8 and includes a processing unit 154, read-only memory (ROM) 156, volatile memory (RAM) 158, I/O controller 165 and some form of energy source 166
such as, for example, a battery. Access mechanism 114 may also include electrically-alterable non-volatile memory 160, a hard disk 162, a display 164, and special purpose components such as encryption hardware 168.
The access mechanism 114 is also connected via insecure channels 174 and 176 and I/O controller 165 to various controlled display or output devices such as controlled printer 178 and controlled display monitor 180. (Interaction with these controlled devices is described in detail below.)
Various other devices or mechanisms can be connected to I/O controller 165, for example, display 155, printer 157, network connection device 159, floppy disk 161 and modem 163. These devices will only receive plaintext from the I/O controller
165, and then only such as is allowed by the rules. The network connection device 159 can receive either plaintext or encrypted text for further distribution.
All components of the access mechanism 114 are packaged in such a way as to exclude any unknown access by a user and to discover any such attempt at user access to the components or their contents. That is, the access mechanism 114 is packaged in a tamper-detectable manner, and, once tampering is detected, the access mechanism is disabled. The line 167 depicted in FIG. 8 defines a so-called security boundary for the components of the access mechanism 114. Any components required for tamper detection (tamper detect mechanism 169) are also included as part of the access mechanism 114. Tamper detect mechanism 169 is connected in some appropriate manner to processing unit 154, energy source 166, and non-volatile memory 160.
This invention employs a combination of physical self-protection measures coupled with means for detecting that the self-protection has been circumvented or that an attempt to circumvent the self-protection measures is being or has been made. When such intrusion is detected, passive or active mechanisms can be employed to destroy data. For example, the following can occur (not necessarily in the order stated, and usually in parallel): the access mechanism 114 is made inoperative, all cryptographic keys within the mechanism, the private key and any other keys and data are destroyed (zeroized), and power may be applied to clear non-volatile memory 160 and then is removed, resulting in loss of all data stored in volatile memory 158 so as to deny access to decryption keys as well as to any cleartext in those memories. As noted above, several operations can be accommodated or performed simultaneously when tampering is detected. This can be done by hardware circuits. Based on risk assessment and the availability of particular technology, other implementations may be selected.
Tamper detection allows the access mechanism 114 to ensure that all internal data (both the system's data and any user data) are destroyed before any tamperer can obtain them.
One way to deny access to the data within access mechanism 114 is to package all of the components within a physical case which defines the area which is excluded from user access. As an example, a typical portable lap-top computer meets the requirement of having all components within the same physical package or case. Detection that the case has been opened is straightforward and well known.
As an alternative embodiment of the access mechanism 114, the components of the access mechanism 114 can be used as a co-processor of another processor or computer. In this case, as shown in FIG. 9, the access mechanism 114 communicates with the other computer 170 via a communications channel 172. The co-processor can be implemented as a circuit board and is designed to be plugged into the bus 172 on the main board (that is, the mother board or planar board) of the other computer 170. In that case, the computer 170 will operate normally unless it needs to access controlled data, at which time it will pass control to the access mechanism 114.
The degrees of protection used in the access mechanism (for example, tamper-detect features) and the cryptographic tools employed will depend on the nature of the data to be protected as well as the user environment.
Several techniques for physically secure coprocessor packaging are described by Yee (Yee, B., Using Secure Coprocessors, Carnegie Mellon University, School of Computer Science, CMU-CS-94-149, 1994 (also available Defense Technical Information Center as AD-A281 255)). In Yee, physical protection is described as a tamper-detecting enclosure. The only authorized way through the enclosure is through a coprocessor-controlled interface. Attempts to violate physical protection in order to gain access to the components of the coprocessor module will be detected and appropriate action taken. For example, detection of attack results in erasure of non-volatile memory before attackers can penetrate far enough to disable the sensors or read memory contents.
Any known form of tamper protection and detection can be used, as long as it functions to destroy the data as required.
Any data which are to be sent out of the security boundary 167 are under the control of the access mechanism 114. All I/O requests and interrupts are handled by the access mechanism 114.
All communication between the components of the access mechanism 114 and the enclosed hard disk 162 is encrypted. Therefore, if the hard disk is removed from the mechanism, any data stored thereon will be inaccessible without the appropriate keys. The encryption of the data stored on the hard disk can use cryptographic keys generated within the access mechanism and which are never known outside of the mechanism. In this way, when tampering is detected, the cryptographic keys will be lost.
In general, within the system, the data are encrypted on any non-volatile storage devices so that they remain unavailable in the case of tampering. Unencrypted data are only present within the access mechanism 114 inside the security boundary
167 in components where the data can be destroyed when tampering with the access mechanism 114 is detected.
With reference to FIGS. 8 and 9, the access mechanism 114 is also connected via insecure channels 174 and 176 and bus 177 to various controlled or uncontrolled display or output devices such as described above. This allows the system to communicate with uncontrolled devices (so-called standard devices) as well as networks, within the context of the rules/permission list. (Interaction with these controlled devices is described in detail below.) All communications on the insecure channels 174 and 176 and on bus 177 is encrypted by the access mechanism 114 (and by the authoring mechanism 112), and the controlled output devices 178 and 180 must have suitable processing capabilities within them (including an access mechanism 114) to decrypt and process data which they receive. The display or output devices used will depend on the application and the type of data, and include, but are not limited to, printers, video display monitors, audio output devices, and the like.
The embodiment shown in FIG. 9 can also include other standard devices (connected to bus 177) such as, for example, standard printer 181, floppy disk 185, modem 187 and the like.
The Accessing Operation
When a user 104 obtains packaged data 108 (or 150) from a distributor 102, the user can then access the data according to the rules provided therewith or provided separately. Data access is supported by the access mechanism 114 and is described with reference to FIGS. 8, 9 and 10(a), where FIG. 10(a) is a flow chart of the data access using the access mechanisms shown in FIGS. 8 and 9.
Note initially that, depending on the type of data to be accessed and viewed, as well as the rules, the viewing process may or may not be interactive. For example, if a user is accessing a textual document, the user may choose to access only selected portions of that document, the choice being made by viewing an index of the document. On the other hand, if a user is accessing a movie, the viewing may be continuous (if the rules do not allow a user to re-watch portions of the movie without additional payment). The access and viewing process is described here for an interactive case, since non-interactive access can be considered access with a single ("start-viewing") interaction.
Note further that initiation of the access mechanism activates monitoring for interrupts and polling by the access mechanism 114. A user may also implicitly invoke the access mechanism by accessing an object (data) protected by the system. This invocation also activates monitoring for interrupts and polling.
The following discussion assumes, without loss of generality, that the data are being accessed by an application via an insecure operating system (OS) which invokes the access mechanism 114. The intent is to show the manner in which controlled access of the data takes place. In some foreseen environments, the operating system will be little more than a simple runtime system or there will be only one program running at all times. For example, in a video cassette recorder and playback machine (VCR), a single control program may be running at all times to control the VCR's operations. In this case, this control program is considered the application, and all access to controlled data is initiated by the control program which invokes the access mechanism 114.
To initiate an input access to a data element, a user must request the operating system to read such data into memory from an I/O device. Initiating I/O gives control to the access mechanism 114.
For input access to an input data element, the access mechanism 114 first determines whether the dataset containing the data element is already open (step S1000). If the dataset is not already open, it is opened (step S1001). Once opened, it is determined whether or not the dataset is protected (step S1002). Note that the data being accessed may or may not be part of packaged data. In some embodiments the access mechanism 114 can maintain a record of which open datasets are protected.
If it is determined that the dataset is not protected (step S1002), then control returns to the invoking process (step S1006). On the other hand, if the dataset is protected (step S1002) then it is determined whether or not the rules for this dataset are useable (present, available and valid) (step S1004). (The process of determining whether the rules are useable, i.e., step S1004, is described below with reference to FIG. 11.)
If the rules are determined to be useable (step S1004) then it is determined whether the data element being accessed is different from the most recently accessed data element (step S1008). If so, the data element is opened (step S1010) (otherwise the data element is already opened and available).
Next it is determined whether or not the data element is protected (step S1012). If the data element is not protected then control returns to the invoking process (step S1006). Otherwise, it