WO2007085989A2 - Improved certificate chain validation - Google Patents

Info

Publication number
WO2007085989A2
Authority
WO
WIPO (PCT)
Prior art keywords
content
ruleset
license
access operation
applicable
Prior art date
Application number
PCT/IB2007/050185
Other languages
French (fr)
Other versions
WO2007085989A3 (en)
Inventor
Franciscus L. A. J. Kamperman
Wouter Baks
Petrus J. Lenoir
Original Assignee
Koninklijke Philips Electronics N.V.

Classifications

    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G06F 21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • H04L 12/2812 Exchanging configuration information on appliance services in a home automation network describing content present in a home automation network, e.g. audio video content
    • H04L 2012/2849 Home automation networks characterised by the type of home appliance used: audio/video appliances
    • H04L 2463/101 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00, applying security measures for digital rights management

Definitions

  • DRM: Digital Rights Management
  • The concept of Authorized Domains (ADs) tries to find a solution to both serve the interests of the content owners (that want protection of their intellectual property) and the content consumers (that want unrestricted use of the content).
  • The basic principle is to have a controlled network environment in which content can be used relatively freely as long as it does not cross the border of the authorized domain.
  • Typically, authorized domains are centered around the home environment, also referred to as home networks.
  • A user could for example take a portable device for audio and/or video with a limited amount of content with him on a trip, and use it in his hotel room to access or download additional content stored on his personal audio and/or video system at home. Even though the portable device is outside the home network, it is a part of the user's authorized domain.
  • DRM systems typically use so-called Licenses that include the specific permissions and restricting rules to be evaluated at the moment access to the Content is desired.
  • The access to the Content will be in accordance with these permissions and restrictions.
  • These permissions and restrictions are specific for the Content in question; there is a high granularity.
  • A disadvantage of the above is that a change in a restriction or permission is very hard to do. This would require replacing or changing all already-issued Licenses in which the restriction or permission in question is recorded. For example, if a music label decides that all its content should now be freely distributable, it now has to issue replacement licenses for every piece of content to every customer.
  • This object is achieved according to the invention in a method as claimed in claim 1.
  • By introducing a separate ruleset, it is possible to aggregate multiple restrictions or permissions in a single location that can be applied to various content items.
  • By changing or updating the ruleset, the restrictions or permissions applicable to multiple content items can be changed or updated at once. This applies even when the licenses to those content items have already been issued. No changes to the licenses are necessary; the only entity that needs to be changed is the ruleset.
  • The license may indicate the ruleset.
  • Alternatively, the ruleset applicable to the content may be determined by determining a characteristic of the content and selecting the ruleset based on the determined characteristic.
  • The characteristic preferably is one of: a type of the content, a source of the content, and a classification of the content.
  • Other preferred embodiments are set out in the dependent claims.
  • Fig. 1 schematically shows a system comprising devices interconnected via a network
  • Fig. 2 schematically illustrates a first device-based authorized domain configuration
  • Fig. 3 schematically illustrates a second device-based authorized domain configuration
  • Fig. 4 schematically illustrates a first person-based authorized domain configuration
  • Fig. 5 schematically illustrates a second person-based authorized domain configuration
  • Fig. 6 schematically illustrates an authorized domain configuration according to the invention.
  • Throughout the figures, the same reference numerals indicate similar or corresponding features.
  • Some of the features indicated in the drawings are typically implemented in software, and as such represent software entities, such as software modules or objects.
  • Fig. 1 schematically shows a system 100 comprising devices 101-105 interconnected via a network 110.
  • A typical digital home network includes a number of devices, e.g. a radio receiver, a tuner/decoder, a CD player, a pair of speakers, a television, a VCR, a digital recorder, a mobile phone, a tape deck, a personal computer, a personal digital assistant, a portable display unit, a car entertainment system, and so on.
  • These devices are usually interconnected to allow one device, e.g. the television, to control another, e.g. the VCR.
  • One device, such as e.g. the tuner/decoder or a set top box (STB), is usually the central device, providing central control over the others.
  • STB: set top box
  • Content, which typically comprises things like music, songs, movies, animations, speeches, videoclips for music, TV programs, pictures, games, ringtones, spoken books and the like, but which also may include interactive services, is received through a residential gateway or set top box 101.
  • Content could also enter the home via other sources, such as storage media like discs or using portable devices.
  • The source could be a connection to a broadband cable network, an Internet connection, a satellite downlink and so on.
  • The content can then be transferred over the network 110 to a sink for rendering.
  • A sink can be, for instance, the television display 102, the portable display device 103, the mobile phone 104 and/or the audio playback device 105.
  • For audio content, rendering comprises generating audio signals and feeding them to loudspeakers.
  • For video content, rendering generally comprises generating audio and video signals and feeding those to a display screen and loudspeakers.
  • Rendering may also include operations such as decrypting or descrambling a received signal, synchronizing audio and video signals and so on.
  • The set top box 101 may comprise a storage medium S1 such as a suitably large hard disk, allowing the recording and later playback of received content.
  • The storage medium S1 could be a Personal Digital Recorder (PDR) of some kind, for example a DVD+RW recorder, to which the set top box 101 is connected.
  • Content can also enter the system 100 stored on a carrier 120 such as a Compact Disc (CD) or Digital Versatile Disc (DVD).
  • CD: Compact Disc
  • DVD: Digital Versatile Disc
  • The portable display device 103 and the mobile phone 104 are connected wirelessly to the network 110 using a base station 111, for example using Bluetooth or IEEE 802.11b.
  • The other devices are connected using a conventional wired connection.
  • One well-known standard is the Universal Plug and Play standard (http://www.upnp.org).
  • The devices 101-105 in the network 110 may access the content in various ways.
  • The most common form of access is the rendering of the content, but access operations such as copying, moving or exporting the content also frequently occur.
  • Exporting may involve transferring the content to another network or to a storage device such as the record carrier 120.
  • Content may also be edited, compiled, transformed, abridged, translated, combined with other content, and so on.
  • The term access will be used for all possible operations that may be performed on the content.
  • One way of protecting content in the form of digital data is to ensure that content will only be transferred from a source to a sink device if the sink device has been authenticated as being a compliant device, and the user of the content has the right to transfer (move and/or copy) that content to the sink device.
  • Content protection systems normally involve protected communication between members based on some secret, only known to devices that were tested and certified to have secure implementations. Knowledge of the secret is tested using an authentication protocol. Commonly these protocols employ public key cryptography, which uses a pair of two different keys. The secret to be tested is then the private key (sometimes called secret key) of the pair, while the public key can be used to verify the results of the test. At manufacturing time compliant devices receive an identity certificate that is used in the authentication protocol to exchange the public keys of the devices.
  • A secure authenticated channel (SAC) may be set up using an Authentication and Key Agreement (AKA) protocol that is based on public key cryptography.
  • AKA: Authentication and Key Agreement
  • Standards such as International Standard ISO/IEC 11770-3 and ISO/IEC 9796-2, and public key algorithms such as RSA and hash algorithms like SHA-1 are often used.
  • A SAC may be set up between devices that are, physically or network-wise, far away from each other.
  • Various proposals have been made for some form of distance measurement that is to be performed when the SAC is set up. If the source and sink devices are too far away from each other, the SAC should not be set up or content exchange should be refused or limited.
  • Various ways to determine the relative proximity of two devices are available. Examples are international patent applications WO 2003/079638 (attorney docket PHUS020086), WO 2004/030311 (attorney docket PHUS010314) and WO 2004/030312 (attorney docket PHUS020358).
  • The public key may be accompanied by a certificate, which is digitally signed by a Certification Authority (CA), the organization that manages the distribution of public/private key-pairs for all devices. Everybody knows the CA's public key and can use it to verify the CA's signature on the certificate. In a simple implementation the public key of the CA is hard-coded into the implementation of the device.
  • CA: Certification Authority
  • The system 100 is realized as an Authorized Domain (AD).
  • Authorized domains need to address issues such as authorized domain identification, device check-in, device check-out, rights check-in, rights check-out, content check-in, content check-out, as well as domain management.
  • The domain is formed by a specific set of hardware devices or software applications (referred to collectively as clients hereafter) and content.
  • A domain manager, which can be one or more of the clients, a smart card or another device, controls which clients may join the domain. Only the specific set of clients in the domain (the members) is allowed to make use of the content of that domain, e.g. to open, copy, play or export it.
  • A device-based AD is illustrated in Fig. 2.
  • Devices D1, D2, D3 are bound to a domain AD, as is content C1, C2, C3.
  • To validate an access operation to content it must be verified whether the content in question and the device on which the operation is to take place are both bound to the domain. Any person may perform the access operation, although credentials (e.g. a password, PIN or smart card) may need to be used to operate the device.
  • An alternative device-based AD is illustrated in Fig. 3.
  • Content C11, C12 is bound to device D1;
  • content C21 is bound to device D2;
  • content C31, C32 is bound to device D3.
  • Devices D1, D2, D3 are still bound to the AD.
  • To validate an access operation to content it must be verified whether the content in question is bound to a Device that is bound to the AD, and whether the device on which the operation is to take place is bound to the AD. Again, any person may perform the access operation.
  • In Fig. 4 an AD configuration is shown in which the content is bound to persons and a number of persons, e.g. all the members of one family, are grouped into an authorized domain.
  • Content C11, C12 is bound to person P1;
  • content C21 is bound to person P2;
  • content C31, C32 is bound to person P3.
  • Persons P1, P2, P3 are bound to the AD.
  • To validate an access operation to content it must be verified whether the person requesting the access operation is bound to the AD and whether the content in question is bound to a person that is also bound to that AD. Note that this person could be the same person who requested the access operation or a different person.
  • The access operation may be performed on every suitable and compliant device.
  • It may also be desirable to also bind devices to the AD, as illustrated in Fig. 5.
  • The bindings are the same as in Fig. 4, except that now devices D1, D2, D3 are bound to the AD as well.
  • To validate an access operation to content it must be verified whether the content in question is bound to a person bound to the AD and whether the person requesting the access operation is bound to the AD, or whether the device on which the operation is to take place is bound to the AD.
  • A so-called Hybrid Authorized Domain-based DRM system ties content to a group that may contain devices and persons.
  • This group is typically limited to a household, such that: content can be watched on any of the members that belong to the household (e.g. TV in Living, TV in Bedroom, PC), and content can be watched by any of the users that belong to the household after they have authenticated themselves on any client (such as a television in a hotel room).
  • Such authentication normally involves a user authentication device such as a smart card.
  • Hybrid AD systems are described in international patent application WO 2005/010879 (attorney docket PHNL030926) and in international patent application WO 2005/093544 (attorney docket PHNL040315), both incorporated herein by reference.
  • An AD comprises a group of Clients and/or License Owners.
  • The License Owners should be entitled to access Content for which they have a License within the Domain with which they are associated and on the Clients involved.
  • To validate an access operation to content it must be verified whether appropriate bindings or links are present between the entities involved. For example, in a device-based AD, it must be verified whether the content in question and the device on which the operation is to take place are both bound to the domain.
  • The access rights regarding a piece of content are expressed in a License, which typically references the license owner (the consumer or other purchaser who obtained the License) as well as the content involved.
  • A License also includes the specific permissions and restricting rules expressed in executable control code, stored in a so-called control object in the License, to be evaluated at the moment access to the Content is desired.
  • Permissions and restrictions might also be represented by a formal rights language such as e.g. defined in the ISO/IEC 21000-5:2004 MPEG-REL standard.
  • A permission is an individual right, e.g. "Play" or "Copy", which can be limited by one or more restrictions, e.g. "only 10 times" or "not before 20:00 pm" or "only on a Saturday".
  • A restriction used in combination with a permission provides a condition that limits the use of a permission. Every permission can have different restrictions.
  • A Link may contain restricting rules qualifying the validity of the Link, which must be evaluated at the moment the Link is to be used.
  • The association relation between a person and an AD is expressed in a Link from the AD to the person in question.
  • The membership relation between a Client and an AD is expressed in a Link from the Client to the AD in question.
  • Each Client that is a member of an AD may access (a copy of) the Content and the attests comprising the Domain configuration at a certain moment in time, e.g. by downloading such Content and attests as needed, although some or all of this data may also be broadcasted or distributed otherwise.
  • When an access operation on a piece of Content is requested, the Client at which the operation is to take place evaluates the License for that Content, checking permissions and restrictions defined in that License. To this end the Client is provided with a license evaluation module that may be realized as a secure chip and/or software component, for instance on a smart card.
  • The permissions and restrictions in a License are specific for the Content to which the License applies.
  • System-wide restrictions apply to all access operations to all Content.
  • The AD can be extended by introducing a new entity referred to as a ruleset.
  • An AD system may be provided with one or more rulesets.
  • Such a ruleset aggregates multiple restrictions and/or permissions in a single location. These restrictions and/or permissions can then be applied to various content items.
  • An access operation to content is valid only if the license and the ruleset both permit the access operation.
  • Fig. 6 schematically shows an extension of the AD of Fig. 5 in which rulesets RN1 and RN2 have been introduced.
  • An Authorized Domain system is to be designed with a restriction that a portable audio player should contact the AD every six weeks.
  • Such a restriction ensures that such players stay in regular contact with the AD manager, so that updates and changes to the AD can be provided to such players. For example, this way the player can be disconnected from the AD with a grace period of at most six weeks.
  • This restriction could be added as a validity period to each individual License, requiring a player to contact the AD for an updated License every six weeks. However, this introduces a large amount of redundancy. Furthermore, later the six weeks cannot be changed to three months in all the already-issued Licenses.
  • A ruleset is instead created for audio Content, which contains the validity period of six weeks.
  • The Client evaluates the License and determines that this ruleset applies. It then applies the rules in the ruleset. In this example, if the player has not contacted the AD in the last six weeks, the access operation will be refused. This requires a refresh of the ruleset after six weeks, providing an opportunity to update the restrictions in the ruleset.
  • The license accompanying the content indicates which ruleset or rulesets is/are applicable.
  • A ruleset may have a unique identifier that can be listed in the license to indicate which ruleset is applicable.
  • Rulesets can be set for any conceivable kind of grouping that may be applied to content. In the example above, the grouping concerned a particular music label.
  • Alternatively, the ruleset applicable to the content is determined by determining a characteristic of the content and selecting the ruleset based on the determined characteristic. For example, one may introduce different rulesets for different types of content: audio, video, text, photos and so on.
  • Another option is the source of the content: broadcasted content, downloaded from a peer-to-peer network, purchased at a brick-and-mortar music store, purchased at an online music store, and so on.
  • Yet another option is the classification of the content: adult content, family content, violent content and so on.
  • A License may specify that multiple rulesets apply.
  • A television broadcaster may desire that a ruleset for broadcasted content and one for video content both apply.
  • Rulesets may be declared applicable by content owners, but also by persons that own or operate the AD.
  • The owner of an AD may for example want to set rules about adult content, such as "play only after 23:00 hours" or "password required".
  • The ruleset may be declared applicable to content having a certain characteristic.
  • Content may carry a label identifying it as adult content, and the ruleset may declare itself applicable to all adult content.
  • The above method may be implemented on a system for validating an access operation to content on a device.
  • The implementation takes the form of a computer program comprising code for causing a processor to execute the method.
  • Such a system comprises a module which evaluates the license associated with the content.
  • This module is then also configured for further evaluating a ruleset applicable to the content and validating the access operation only if the license and the ruleset both permit the access operation.
  • This license management module can determine the ruleset applicable to the content from an indication provided in the license. Alternatively a determining module may be provided that determines a characteristic of the content. The license management module is then configured to select the ruleset applicable to the content based on the determined characteristic.
  • The AD is realized by so-called Links that associate persons and/or devices, generally called Nodes, to the AD.
  • A piece of Content can now only be accessed when all the relevant Links are found to be valid and all the conditions in every Link, as well as in the License, are met.
  • The exact choice of which Links need to be evaluated depends on the configuration of the AD. If all relevant Links and the License are found to be valid, the license evaluation module will enable a content access module to access the Content in the manner requested. Subsequently the Content can e.g. be rendered, copied and/or distributed, in accordance with the permissions and restrictions in the License.
  • The ruleset is realized by creating a separate Node, the Rule Node, and providing a Link to the Rule Node.
  • This Link contains a number of permissions, restrictions and/or rules that must be met if the License for a piece of Content specifies that a valid chain of Links to that Rule Node must exist.
  • The Rule Node may for example identify itself as being applicable to all adult content, or to all video content. A restriction such as "play only after 23:00 hours" may then be added to the Link to that Rule Node. This means that all adult content can only be accessed after 23:00 hours.
  • A Rule Node can also be used to prevent certain Clients from successfully evaluating certain Links. For example, the television in a child's bedroom may be prevented from receiving the Link to the Rule Node for adult content. It is then impossible to watch adult content on that television, since that requires a successful evaluation of the Link to that Rule Node for adult content.
  • The Domain Manager managing the AD from which the Link to a Rule Node is directed creates, issues and renews such Links.
  • The Domain Manager thus can determine which Links are to be sent to which Client.
  • A television in a child's bedroom on which access to certain adult content is requested will in turn request the Domain Manager to provide it with all relevant Links.
  • The Domain Manager will not provide that particular Link to the adult Rule Node because it has been configured not to send Links to "adult content" Rule Nodes to that television.
  • A Client, generally speaking, is a functional entity that can acquire and parse Licenses and Links for the purpose of getting access to an instance of Content based on the rights expressed in those Licenses and Links.
  • A Client is embodied as one or more software applications and/or hardware components in a device.
  • A Client may be provided as a software application on a device such as a mobile phone or portable music player.
  • A Client usually comprises a processor to perform the necessary operations and is equipped with a memory to store Content and/or instructions to be executed by the processor.
  • A License Owner, generally speaking, is an entity that is representative of a User in a Domain environment.
  • A User can be granted rights for an instance of Content.
  • Such a license grant can be represented in the system by providing a License that links (a specific instance of) Content to the License Owner.
  • A License Owner can be implemented by providing information in a data structure, a record in a database or a software object. The relation with the User is not explicitly defined in the system, but can for instance be realized by the User having a Device containing that information.
  • Any reference signs placed between parentheses shall not be construed as limiting the claim.
  • The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim.
  • The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements.
  • The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer.
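The validation flow described above (License evaluated first, then every applicable ruleset, with rulesets selected either from the license's indication or from a content characteristic, and a Rule Node only usable when the Domain Manager has issued its Link to this Client) as an added Python example; this is not the patent's or Philips' code. The class names, rule helpers, ruleset ids RN1/RN2, client names and the 2007 clock are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable

# Rules take (client, content, operation, now) and return None to permit the
# operation or a reason string to refuse it.

@dataclass
class Content:
    content_id: str
    kind: str            # type characteristic, e.g. "audio", "video"
    source: str          # source characteristic, e.g. "broadcast"
    classification: str  # classification characteristic, e.g. "adult"

@dataclass
class License:
    content_id: str
    permissions: dict                                # permission -> restricting rules
    ruleset_ids: list = field(default_factory=list)  # rulesets indicated by the license

@dataclass
class Ruleset:  # a Rule Node: aggregates rules for many content items in one place
    ruleset_id: str
    applies_to: Callable  # predicate on Content: declares itself applicable by characteristic
    rules: list

@dataclass
class Client:
    client_id: str
    last_ad_contact: datetime
    links: set  # Rule Node ids for which the Domain Manager issued a Link to this client

def contact_within(max_age: timedelta):
    """Ruleset rule: the client must have contacted the AD within max_age."""
    def rule(client, content, operation, now):
        if now - client.last_ad_contact > max_age:
            return f"no AD contact for more than {max_age.days} days"
        return None
    return rule

def not_before_hour(hour: int):
    """Ruleset rule modelled on 'play only after 23:00 hours'."""
    def rule(client, content, operation, now):
        if operation == "play" and now.hour < hour:
            return f"play only permitted from {hour:02d}:00"
        return None
    return rule

def applicable_rulesets(lic, content, rulesets):
    """Rulesets the license indicates by id, plus rulesets that declare
    themselves applicable to a characteristic of the content."""
    selected = {rid: rulesets[rid] for rid in lic.ruleset_ids if rid in rulesets}
    for rid, rs in rulesets.items():
        if rs.applies_to(content):
            selected[rid] = rs
    return list(selected.values())

def validate_access(client, content, lic, rulesets, operation, now):
    """Permit only if the License AND every applicable ruleset permit the
    operation, and the client holds the Link to each applicable Rule Node
    (the Domain Manager may withhold such Links from particular clients)."""
    if lic.content_id != content.content_id:
        return False, "license does not cover this content"
    if operation not in lic.permissions:
        return False, f"license grants no '{operation}' permission"
    for restriction in lic.permissions[operation]:
        reason = restriction(client, content, operation, now)
        if reason:
            return False, f"license restriction: {reason}"
    for rs in applicable_rulesets(lic, content, rulesets):
        if rs.ruleset_id not in client.links:
            return False, f"no Link to Rule Node {rs.ruleset_id} on this client"
        for rule in rs.rules:
            reason = rule(client, content, operation, now)
            if reason:
                return False, f"ruleset {rs.ruleset_id}: {reason}"
    return True, "permitted"

def demo():
    """Constructed scenario: six-week contact rule for audio (RN1) and a
    23:00 rule for adult content (RN2); RN1 is later relaxed without
    reissuing any license."""
    now = datetime(2007, 1, 20, 21, 0)  # constructed clock: 21:00
    song = Content("song-1", "audio", "online_store", "family")
    movie = Content("film-1", "video", "broadcast", "adult")
    rulesets = {
        "RN1": Ruleset("RN1", lambda c: c.kind == "audio", [contact_within(timedelta(weeks=6))]),
        "RN2": Ruleset("RN2", lambda c: c.classification == "adult", [not_before_hour(23)]),
    }
    song_lic = License("song-1", {"play": [], "copy": []})            # RN1 applies by characteristic
    movie_lic = License("film-1", {"play": []}, ruleset_ids=["RN2"])  # RN2 indicated by the license
    player = Client("portable-player", now - timedelta(weeks=7), {"RN1", "RN2"})
    child_tv = Client("child-bedroom-tv", now, {"RN1"})  # Domain Manager withheld the RN2 Link
    results = [validate_access(player, song, song_lic, rulesets, "play", now)[0]]
    rulesets["RN1"].rules = [contact_within(timedelta(days=90))]  # change the ruleset only
    results.append(validate_access(player, song, song_lic, rulesets, "play", now)[0])
    results.append(validate_access(child_tv, movie, movie_lic, rulesets, "play", now)[0])
    results.append(validate_access(player, movie, movie_lic, rulesets, "play", now)[0])
    return results  # [False, True, False, False]
```

Calling `demo()` walks the four cases in order: the player refused after seven weeks without AD contact, the same player permitted once RN1 is relaxed to 90 days (the song's License untouched), the child's television refused for lack of the RN2 Link, and the player refused adult content at 21:00 by the RN2 rule.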

Abstract

A method of validating an access operation to content on a device, comprising evaluating a license associated with the content, characterized by further evaluating a ruleset applicable to the content and validating the access operation only if the license and the ruleset both permit the access operation. The license may indicate the ruleset. Alternatively the ruleset applicable to the content may be determined by determining a characteristic of the content and selecting the ruleset based on the determined characteristic. The characteristic preferably is one of: a type of the content, a source of the content, a classification of the content. In an embodiment one or more links are evaluated which associate a person and/or the device to an authorized domain and a link associating the ruleset to the authorized domain is evaluated as well. Also a system configured for executing the method.

Description

IMPROVED CERTIFICATE CHAIN VALIDATION
In recent years, the number of content protection systems available has been growing rapidly. Some of these systems only protect the content against unauthorized copying, while others restrict the user's ability to access the content. These systems are often referred to as Digital Rights Management (DRM) systems.
Consumers want to enjoy content without hassle and with as few limitations as possible. They want to network their devices to enable all types of different applications and easily access any type of content. They also want to be able to share/transfer content in their home environment without limitations.
The concept of Authorized Domains (ADs) tries to find a solution to both serve the interests of the content owners (that want protection of their intellectual property) and the content consumers (that want unrestricted use of the content). The basic principle is to have a controlled network environment in which content can be used relatively freely as long as it does not cross the border of the authorized domain. Typically, authorized domains are centered around the home environment, also referred to as home networks.
Of course, other contexts are also possible. A user could for example take a portable device for audio and/or video with a limited amount of content with him on a trip, and use it in his hotel room to access or download additional content stored on his personal audio and/or video system at home. Even though the portable device is outside the home network, it is a part of the user's authorized domain.
DRM systems typically use so-called Licenses that include the specific permissions and restricting rules to be evaluated at the moment access to the Content is desired. The access to the Content will be in accordance with these permissions and restrictions. These permissions and restrictions are specific for the Content in question; there is a high granularity. There can easily be thousands of Licenses in an Authorized Domain configuration. Issuing and communicating these Licenses to the devices in the AD can take a lot of resources, such as network capacity and processing power.
A disadvantage of the above is that a change in a restriction or permission is very hard to do. This would require replacing or changing all already-issued Licenses in which the restriction or permission in question is recorded. For example, if a music label decides that all its content should now be freely distributable, it now has to issue replacement licenses for every piece of content to every customer.
It is an object of the invention to improve upon the above.
This object is achieved according to the invention in a method as claimed in claim 1. By introducing a separate ruleset, it is possible to aggregate multiple restrictions or permissions in a single location that can be applied to various content items. By changing or updating the ruleset, the restrictions or permissions applicable to multiple content items can be changed or updated at once. This applies even when the licenses to those content items have already been issued. No changes to the licenses are necessary; the only entity that needs to be changed is the ruleset.
The license may indicate the ruleset. Alternatively the ruleset applicable to the content may be determined by determining a characteristic of the content and selecting the ruleset based on the determined characteristic. The characteristic preferably is one of: a type of the content, a source of the content, and a classification of the content. Other preferred embodiments are set out in the dependent claims.
The invention will now be discussed in more detail with reference to the figures, in which:
Fig. 1 schematically shows a system comprising devices interconnected via a network;
Fig. 2 schematically illustrates a first device-based authorized domain configuration;
Fig. 3 schematically illustrates a second device-based authorized domain configuration;
Fig. 4 schematically illustrates a first person-based authorized domain configuration;
Fig. 5 schematically illustrates a second person-based authorized domain configuration; and
Fig. 6 schematically illustrates an authorized domain configuration according to the invention. Throughout the figures, same reference numerals indicate similar or corresponding features. Some of the features indicated in the drawings are typically implemented in software, and as such represent software entities, such as software modules or objects.
Fig. 1 schematically shows a system 100 comprising devices 101-105 interconnected via a network 110. A typical digital home network includes a number of devices, e.g. a radio receiver, a tuner/decoder, a CD player, a pair of speakers, a television, a VCR, a digital recorder, a mobile phone, a tape deck, a personal computer, a personal digital assistant, a portable display unit, a car entertainment system, and so on. These devices are usually interconnected to allow one device, e.g. the television, to control another, e.g. the VCR. One device, such as e.g. the tuner/decoder or a set top box (STB), is usually the central device, providing central control over the others.
Content, which typically comprises things like music, songs, movies, animations, speeches, videoclips for music, TV programs, pictures, games, ringtones, spoken books and the like, but which also may include interactive services, is received through a residential gateway or set top box 101. Content could also enter the home via other sources, such as storage media like discs or using portable devices. The source could be a connection to a broadband cable network, an Internet connection, a satellite downlink and so on. The content can then be transferred over the network 110 to a sink for rendering. A sink can be, for instance, the television display 102, the portable display device 103, the mobile phone 104 and/or the audio playback device 105.
The exact way in which a content item is rendered depends on the type of device and the type of content. For instance, in a radio receiver, rendering comprises generating audio signals and feeding them to loudspeakers. For a television receiver, rendering generally comprises generating audio and video signals and feeding those to a display screen and loudspeakers. For other types of content a similar appropriate action must be taken. Rendering may also include operations such as decrypting or descrambling a received signal, synchronizing audio and video signals and so on.
The set top box 101, or any other device in the system 100, may comprise a storage medium S1 such as a suitably large hard disk, allowing the recording and later playback of received content. The storage medium S1 could be a Personal Digital Recorder (PDR) of some kind, for example a DVD+RW recorder, to which the set top box 101 is connected. Content can also enter the system 100 stored on a carrier 120 such as a Compact Disc (CD) or Digital Versatile Disc (DVD).
The portable display device 103 and the mobile phone 104 are connected wirelessly to the network 110 using a base station 111, for example using Bluetooth or IEEE 802.11b. The other devices are connected using a conventional wired connection. To allow the devices 101-105 to interact, several interoperability standards are available, which allow different devices to exchange messages and information and to control each other. One well-known standard is the Universal Plug and Play standard (http://www.upnp.org).
The devices 101-105 in the network 110 may access the content in various ways. The most common form of access is the rendering of the content, but access operations such as copying, moving or exporting the content also frequently occur. Exporting may involve transferring the content to another network or to a storage device such as the record carrier 120. Content may also be edited, compiled, transformed, abridged, translated, combined with other content, and so on. The term "access" will be used for all possible operations that may be performed on the content.
It is often important to ensure that the devices 101-105 in the network do not allow unauthorized access to the content. To do this, a content protection system, typically referred to as a Digital Rights Management (DRM) system is necessary. This content protection system ensures that only authorized and protected content transfers can occur from a first device, hereafter referred to as source device or just source, to a second device, hereafter referred to as sink device or just sink.
One way of protecting content in the form of digital data is to ensure that content will only be transferred from a source to a sink device if the sink device has been authenticated as being a compliant device, and the user of the content has the right to transfer (move and/or copy) that content to the sink device.
If transfer of content is allowed, this will typically be performed in an encrypted way to make sure that the content cannot be captured illegally in a useful format from the transport channel, such as a bus between a CD-ROM drive and a personal computer (host).
Content protection systems normally involve protected communication between members based on some secret, only known to devices that were tested and certified to have secure implementations. Knowledge of the secret is tested using an authentication protocol. Commonly these protocols employ public key cryptography, which use a pair of two different keys. The secret to be tested is then the private key (sometimes called secret key) of the pair, while the public key can be used to verify the results of the test. At manufacturing time compliant devices receive an identity certificate that is used in the authentication protocol to exchange the public keys of the devices.
To perform device authentication and encrypted content transfer, a secure authenticated channel (SAC) may be set up using an Authentication and Key Agreement (AKA) protocol that is based on public key cryptography. Standards such as International Standard ISO/IEC 11770-3 and ISO/IEC 9796-2, and public key algorithms such as RSA and hash algorithms like SHA-1 are often used.
An issue may be that a SAC may be set up between devices that are, physically or network-wise, far away from each other. To limit this possibility, various proposals have been made for some form of distance measurement that is to be performed when the SAC is set up. If the source and sink devices are too far away from each other, the SAC should not be set up or content exchange should be refused or limited. Various ways to determine the relative proximity of two devices are available. Examples are international patent applications WO 2003/079638 (attorney docket PHUS020086), WO 2004/030311 (attorney docket PHUS010314) and WO 2004/030312 (attorney docket PHUS020358).
Often these proximity detection mechanisms are combined in some way with or directly follow the setting up of the SAC. Three possible mechanisms are given in international patent application WO 2004/014037 (attorney docket PHNL020681), European patent application serial number 05109517.2 (attorney docket PH003748) and US patent application serial number 60/726956 (attorney docket PH003789).
To ensure the correctness of the public/private key pair(s) involved and to check whether the key-pair is a legitimate pair of a certified device, the public key may be accompanied by a certificate, which is digitally signed by a Certification Authority (CA), the organization that manages the distribution of public/private key-pairs for all devices. Everybody knows the CA's public key and can use it to verify the CA's signature on the certificate. In a simple implementation the public key of the CA is hard-coded into the implementation of the device.
To enable the above, each client holds a number of secret keys. These keys and the control flow using these keys should be well protected, for knowledge of these keys or manipulation of the control flow would allow hackers to circumvent the content protection systems. In an embodiment the system 100 is realized as an Authorized Domain (AD). Authorized domains need to address issues such as authorized domain identification, device check-in, device check-out, rights check-in, rights check-out, content check-in, content check-out, as well as domain management. For a more extensive introduction to the use of an Authorized Domain, see S.A.F.A. van den Heuvel, W. Jonker, F.L.A.J. Kamperman, P.J. Lenoir, Secure Content Management in Authorised Domains, Philips Research, The Netherlands, IBC 2002 conference publication, pages 467-474, 12-16 September 2002. Various proposals exist that implement the concept of authorized domains to some extent.
In so-called device based ADs, the domain is formed by a specific set of hardware devices or software applications (referred to collectively as clients hereafter) and content. A domain manager, which can be one or more of the clients, a smart card or another device, controls which clients may join the domain. Only the specific set of clients in the domain (the members) is allowed to make use of the content of that domain, e.g. to open, copy, play or export it. A device based AD is illustrated in Fig. 2. Devices D1, D2, D3 are bound to a domain AD, as is content C1, C2, C3. To validate an access operation to content, it must be verified whether the content in question and the device on which the operation is to take place are both bound to the domain. Any person may perform the access operation, although credentials (e.g. a password, PIN or smart card) may need to be used to operate the device.
Examples of device-based ADs are given in international patent application WO 03/098931 (attorney docket PHNL020455), international patent application WO 2005/088896 (attorney docket PHNL040288) and international patent application WO 04/027588 (attorney docket PHNL030283) by the same applicant, all of which are hereby incorporated by reference.
An alternative device based AD is illustrated in Fig. 3. Here content C11, C12 is bound to device D1, content C21 is bound to device D2 and content C31, C32 is bound to device D3. Devices D1, D2, D3 are still bound to the AD. To validate an access operation to content, it must be verified whether the content in question is bound to a Device that is bound to the AD, and whether the device on which the operation is to take place is bound to the AD. Again, any person may perform the access operation.
Fig. 4 shows an AD configuration in which the content is bound to persons and a number of persons, e.g. all the members of one family, are grouped into an authorized domain. Content C11, C12 is bound to person P1, content C21 is bound to person P2 and content C31, C32 is bound to person P3. Persons P1, P2, P3 are bound to the AD. To validate an access operation to content, it must be verified whether the person requesting the access operation is bound to the AD and whether the content in question is bound to a person that is also bound to that AD. Note that this person could be the same person who requested the access operation or a different person. The access operation may be performed on every suitable and compliant device.
An example of a person-based AD is described in international patent application WO 04/038568 (attorney docket PHNL021063) by the same applicant, incorporated herein by reference, in which content is coupled to persons, which then are grouped into a domain.
It may also be desirable to bind devices to the AD as well, as illustrated in Fig. 5. The bindings are the same as in Fig. 4, except that now devices D1, D2, D3 are bound to the AD too. To validate an access operation to content, it must be verified whether the content in question is bound to a person bound to the AD, and whether either the person requesting the access operation is bound to the AD or the device on which the operation is to take place is bound to the AD.
A so-called Hybrid Authorized Domain-based DRM system ties content to a group that may contain devices and persons. This group is typically limited to a household, such that content can be watched on any of the clients that belong to the household (e.g. the TV in the living room, the TV in the bedroom, the PC), and content can be watched by any of the users that belong to the household after they have authenticated themselves on any client (such as a television in a hotel room). Such authentication normally involves a user authentication device such as a smart card.
Examples of hybrid AD systems can be found in international patent application WO 2005/010879 (attorney docket PHNL030926) and in international patent application WO 2005/093544 (attorney docket PHNL040315), both incorporated herein by reference.
Generally speaking, an AD comprises a group of Clients and/or License Owners. The License Owners should be entitled to access Content for which they have a License within the Domain with which they are associated and on the Clients involved. To validate an access operation to content, it must be verified whether appropriate bindings or links are present between the entities involved. For example, in a device-based AD, it must be verified whether the content in question and the device on which the operation is to take place are both bound to the domain.
The various verifications mentioned above are performed using digitally signed objects that attest to the existence of a valid link (binding) between two entities. Such objects comprise the relevant information in a machine-readable format. Other names for such an object are digital certificate, signed object, attest or attestation.
The access rights regarding a piece of content are expressed in a License, which typically references the license owner (the consumer or other purchaser who obtained the License) as well as content involved. Such a License also includes the specific permissions and restricting rules expressed in executable control code, stored in a so-called control object in the License, to be evaluated at the moment access to the Content is desired. Permissions and restrictions might also be represented by a formal rights language such as e.g. defined in the ISO/IEC 21000-5:2004 MPEG-REL standard. A permission is an individual right, e.g. "Play" or "Copy", which can be limited by one or more restrictions, e.g. "only 10 times" or "not before 20:00 pm" or "only on a Saturday". A restriction used in combination with a permission provides a condition that limits the use of a permission. Every permission can have different restrictions.
To create relations between the various entities (persons, devices, content) in an AD, so-called Links are used. A Link may contain restricting rules qualifying the validity of the Link, which must be evaluated at the moment the Link is to be used.
The association relation between a person and an AD is expressed in a Link from the AD to the person in question. The membership relation between a Client and an AD is expressed in a Link from the Client to the AD in question.
Each Client that is a member of an AD may access (a copy of) the Content and the attests comprising the Domain configuration at a certain moment in time, e.g. by downloading such Content and attests as needed, although some or all of this data may also be broadcasted or distributed otherwise.
When an access operation on a piece of Content is requested, the Client at which the operation is to take place evaluates the License for that Content, checking permissions and restrictions defined in that License. To this end the Client is provided with a license evaluation module that may be realized as a secure chip and/or software component, for instance on a smart card.
Changing or entirely taking away previous granted rights in an established configuration of relations requires relations and their associated attests to be invalidated to preserve consistency in the system. This issue is addressed in European patent application serial number 05109043.9 (attorney docket PH003633).
As noted above, the permissions and restrictions in a License are specific for the Content to which the License applies. On the other hand, system-wide restrictions apply to all access operations to all Content. To be able to set restrictions at a level between these two extremes, the AD can be extended by introducing a new entity referred to as a ruleset.
In accordance with the present invention, an AD system may be provided with one or more rulesets. Such a ruleset aggregates multiple restrictions and/or permissions in a single location. These restrictions and/or permissions can then be applied to various content items. An access operation to content is valid only if the license and the ruleset both permit the access operation. Fig. 6 schematically shows an extension of the AD of Fig. 5 in which rulesets RN1 and RN2 have been introduced.
As an example, consider a situation in which an Authorized Domain system is to be designed with a restriction that a portable audio player should contact the AD every six weeks. Such a restriction ensures that such players stay in regular contact with the AD manager, so that updates and changes to the AD can be provided to such players. For example, this way the player can be disconnected from the AD with a grace period of at most six weeks. This restriction could be added as a validity period to each individual License, requiring a player to contact the AD for an updated License every six weeks. However this introduces a large amount of redundancy. Furthermore, later the six weeks cannot be changed to three months in all the already-issued Licenses.
According to the invention, a ruleset is created for audio Content, which contains the validity period of six weeks. When an access operation to a piece of audio Content is requested, the Client evaluates the License and determines that this ruleset applies. It then applies the rules in the ruleset. In this example, if the player has not contacted the AD in the last six weeks, the access operation will be refused. This requires a refresh of the ruleset after six weeks, providing an opportunity to update the restrictions in the ruleset.
If the six weeks is later to be changed to three months, only one updated ruleset has to be issued instead of updated individual Licenses. This presents an enormous savings in information to be distributed and processed.
To apply a ruleset to content, various options are available. In one embodiment, the license accompanying the content indicates which ruleset or rulesets is/are applicable. A ruleset may have a unique identifier that can be listed in the license to indicate which ruleset is applicable. Rulesets can be set for any conceivable kind of grouping that may be applied to content. In the example above, the grouping concerned a particular music label. In another embodiment the ruleset applicable to the content is determined by determining a characteristic of the content and selecting the ruleset based on the determined characteristic. For example, one may introduce different rulesets for different types of content: audio, video, text, photos and so on. Another option is source of content: broadcasted content, downloaded from peer-to-peer network, purchased at brick-and-mortar music store, purchased at online music store, and so on. Yet another option is classification of content: adult content, family content, violent content and so on.
A License may specify that multiple rulesets apply. For example, a television broadcaster may desire that a ruleset for broadcasted content and one for video content both apply.
Rulesets may be declared applicable by content owners, but also by persons that own or operate the AD. The owner of an AD may for example want to set rules about adult content, such as "play only after 23:00 hours" or "password required".
If applicable rulesets are identified in the License to the content, this may present a problem in that the owner of the AD would have to modify a License issued by a content owner. The solution disclosed in international patent application WO 2005/111760 (attorney docket PHNL040536) may be used to achieve this. Another option to achieve this is described in European patent application serial number 05109043.9 (attorney docket PH003633).
Alternatively the ruleset may be declared applicable to content having a certain characteristic. In this example content may carry a label identifying it as adult content, and the ruleset may declare itself applicable to all adult content.
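The license-plus-ruleset check described above (the License must permit the operation and so must every applicable ruleset, whether named in the License or selected by a content characteristic), as an added Python example that is not the applicant's code. The class names, the fail-closed handling of a License that names a ruleset the Client does not hold, and the sample content, clients and dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Content:
    content_id: str
    ctype: str            # type of the content: "audio", "video", "text", ...
    source: str           # source of the content: "broadcast", "online-store", ...
    classification: str   # classification: "family", "adult", ...


@dataclass
class License:
    content_id: str
    owner: str                                             # the License Owner
    permissions: Set[str]                                  # e.g. {"play", "copy"}
    ruleset_ids: List[str] = field(default_factory=list)   # rulesets named by the License


@dataclass
class Ruleset:
    ruleset_id: str
    # Characteristic match, e.g. {"ctype": "audio"}; empty means "only when named".
    applies_to: Dict[str, str] = field(default_factory=dict)
    max_days_since_contact: Optional[int] = None   # "contact the AD at least every N days"
    earliest_hour: Optional[int] = None            # "play only after HH:00"
    denied: Set[str] = field(default_factory=set)  # permissions this ruleset withdraws

    def matches(self, content: Content) -> bool:
        return all(getattr(content, key) == value for key, value in self.applies_to.items())

    def permits(self, op: str, client: "Client", now: datetime) -> bool:
        if op in self.denied:
            return False
        if (self.max_days_since_contact is not None
                and now - client.last_ad_contact > timedelta(days=self.max_days_since_contact)):
            return False
        if self.earliest_hour is not None and now.hour < self.earliest_hour:
            return False
        return True


@dataclass
class Client:
    client_id: str
    last_ad_contact: datetime   # state the Client keeps about its last check-in with the AD


class RulesetStore:
    """Rulesets held by the Client; installing an id again replaces the old ruleset."""

    def __init__(self) -> None:
        self.rulesets: Dict[str, Ruleset] = {}

    def install(self, ruleset: Ruleset) -> None:
        self.rulesets[ruleset.ruleset_id] = ruleset

    def applicable(self, lic: License, content: Content) -> Optional[List[Ruleset]]:
        """Rulesets named by the License plus rulesets matching a characteristic of the
        content. Returns None when the License names a ruleset that is not held."""
        chosen: Dict[str, Ruleset] = {}
        for rid in lic.ruleset_ids:
            if rid not in self.rulesets:
                return None
            chosen[rid] = self.rulesets[rid]
        for rs in self.rulesets.values():
            if rs.applies_to and rs.matches(content):
                chosen[rs.ruleset_id] = rs
        return list(chosen.values())


def validate_access(op: str, lic: License, content: Content, client: Client,
                    store: RulesetStore, now: datetime) -> bool:
    # The License itself must cover this content and permit the operation ...
    if lic.content_id != content.content_id or op not in lic.permissions:
        return False
    rulesets = store.applicable(lic, content)
    if rulesets is None:   # a referenced ruleset is missing: refuse (assumption, fail closed)
        return False
    # ... and every applicable ruleset must permit it as well.
    return all(rs.permits(op, client, now) for rs in rulesets)


def demo() -> Dict[str, bool]:
    """Constructed walk-through: the six-weeks rule for audio and an adult-content rule."""
    store = RulesetStore()
    store.install(Ruleset("rs-audio", applies_to={"ctype": "audio"}, max_days_since_contact=42))
    store.install(Ruleset("rs-adult", applies_to={"classification": "adult"}, earliest_hour=23))
    song = Content("song-1", "audio", "online-store", "family")
    film = Content("film-1", "video", "broadcast", "adult")
    song_lic = License("song-1", "P1", {"play", "copy"})
    film_lic = License("film-1", "P1", {"play"}, ruleset_ids=["rs-broadcast"])
    now = datetime(2007, 1, 19, 20, 0)
    stale = Client("player", now - timedelta(days=50))   # has not contacted the AD for 50 days
    fresh = Client("player", now - timedelta(days=10))
    out = {
        "stale_player": validate_access("play", song_lic, song, stale, store, now),
        "fresh_player": validate_access("play", song_lic, song, fresh, store, now),
        "film_missing_ruleset": validate_access("play", film_lic, film, fresh, store, now),
    }
    store.install(Ruleset("rs-broadcast", denied={"copy"}))   # the named ruleset arrives
    out["film_at_20h"] = validate_access("play", film_lic, film, fresh, store, now)
    out["film_at_23h30"] = validate_access("play", film_lic, film, fresh, store,
                                           now.replace(hour=23, minute=30))
    # Six weeks becomes three months: replace one ruleset, touch no issued License.
    store.install(Ruleset("rs-audio", applies_to={"ctype": "audio"}, max_days_since_contact=90))
    out["stale_player_after_update"] = validate_access("play", song_lic, song, stale, store, now)
    return out
```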
The above method may be implemented on a system for validating an access operation to content on a device. Preferably the implementation takes the form of a computer program comprising code for causing a processor to execute the method. Such a system comprises a module, which evaluates the license associated with the content. This module is then also configured for further evaluating a ruleset applicable to the content and validating the access operation only if the license and the ruleset both permit the access operation.
This license management module can determine the ruleset applicable to the content from an indication provided in the license. Alternatively a determining module may be provided that determines a characteristic of the content. The license management module is then configured to select the ruleset applicable to the content based on the determined characteristic.
In an embodiment the AD is realized by so-called Links that associate persons and/or devices, generally called Nodes, to the AD. A piece of Content can now only be accessed when all the relevant Links are found to be valid and all the conditions in every Link, as well as in the License, are met. The exact choice of which Links need to be evaluated depends on the configuration of the AD. If all relevant Links are valid and all conditions are met, the license evaluation module will enable a content access module to access the Content in the manner requested. Subsequently the Content can e.g. be rendered, copied and/or distributed, in accordance with the permissions and restrictions in the License.
In this embodiment the ruleset is realized by creating a separate Node, the Rule Node, and providing a Link to the Rule Node. This Link contains a number of permissions, restrictions and/or rules that must be met if the License for a piece of Content specifies that a valid chain of Links to that Rule Node must exist.
The Rule Node for example may identify itself as being applicable to all adult content, or to all video content. A restriction such as "play only after 23:00 hours" may then be added to the Link to that Rule Node. This means that all adult content can only be accessed after 23:00 hours.
A Rule Node can also be used to prevent certain Clients from successfully evaluating certain Links. For example, the television in a child's bedroom may be prevented from receiving the Link to the Rule Node for adult content. It is then impossible to watch adult content on that television, since that requires a successful evaluation of the Link to that Rule Node for adult content.
The Domain Manager managing the AD from which the Link to a Rule Node is directed creates, issues and renews such Links. The Domain Manager thus can determine which Links are to be sent to which Client. A television in a child's bedroom on which access to certain adult content is requested will in turn request the Domain Manager to provide it with all relevant Links. The Domain Manager will not provide that particular Link to the adult Rule Node, because it has been configured not to send Links to "adult content" Rule Nodes to that television.
Without additional measures this is not a completely secure solution, because a Link copied from another device will function just as well on this television set. When state registered by the Client itself is also required to declare the Link valid, as discussed in European patent application serial number 05109043.9 (attorney docket PH003633), the filtering by a Domain Manager becomes secure.
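The Rule Node embodiment above (Links from a Client to the AD, from the AD to a person, and from the AD to a Rule Node carrying a restricting rule; a Domain Manager that withholds the adult Rule Node Link from one television; and the copied-Link weakness closed by requiring Client-registered state), as an added Python example that is not the applicant's code. The class names, the assumption that the License lists the Rule Nodes a valid chain must reach, the omission of the person-requesting-access check, and the sample household are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Link:
    src: str                              # a Client id or the AD id
    dst: str                              # the AD id, a person id or a Rule Node id
    earliest_hour: Optional[int] = None   # restricting rule on the Link ("play only after 23:00")

    def valid_now(self, now: datetime) -> bool:
        return self.earliest_hour is None or now.hour >= self.earliest_hour


@dataclass
class License:
    content_id: str
    owner: str                        # person the Content is bound to
    permissions: Set[str]
    required_rule_nodes: List[str] = field(default_factory=list)  # chain to these must exist


class DomainManager:
    """Issues Links originating at the AD and decides which Client receives which Link."""

    def __init__(self, ad_id: str) -> None:
        self.ad_id = ad_id
        self.links: List[Link] = []
        self.withheld: Dict[str, Set[str]] = {}   # client id -> Rule Node ids never sent to it

    def issue(self, link: Link) -> None:
        self.links.append(link)

    def withhold(self, client_id: str, rule_node: str) -> None:
        self.withheld.setdefault(client_id, set()).add(rule_node)

    def links_for(self, client_id: str) -> List[Link]:
        blocked = self.withheld.get(client_id, set())
        return [l for l in self.links
                if l.src in (client_id, self.ad_id) and l.dst not in blocked]


class Client:
    def __init__(self, client_id: str, require_registration: bool = True) -> None:
        self.client_id = client_id
        self.require_registration = require_registration
        self.registered: Set[Link] = set()   # Links this Client itself received from its DM
        self.store: Set[Link] = set()        # Links present on the device, however they arrived

    def check_in(self, dm: DomainManager) -> None:
        for link in dm.links_for(self.client_id):
            self.registered.add(link)
            self.store.add(link)

    def copy_link_from(self, other: "Client", link: Link) -> None:
        if link in other.store:          # copied from another device: stored, not registered
            self.store.add(link)

    def _usable(self, link: Link, now: datetime) -> bool:
        if self.require_registration and link not in self.registered:
            return False
        return link.valid_now(now)

    def _has_link(self, src: str, dst: str, now: datetime) -> bool:
        return any(l.src == src and l.dst == dst and self._usable(l, now) for l in self.store)

    def validate_access(self, op: str, lic: License, ad_id: str, now: datetime) -> bool:
        if op not in lic.permissions:
            return False
        if not self._has_link(self.client_id, ad_id, now):   # Client -> AD membership
            return False
        if not self._has_link(ad_id, lic.owner, now):        # AD -> License Owner association
            return False
        # AD -> Rule Node for every Rule Node the License demands, rules on the Link included
        return all(self._has_link(ad_id, rn, now) for rn in lic.required_rule_nodes)


def demo() -> Dict[str, bool]:
    """Constructed household: living-room TV, child's-bedroom TV, one adult Rule Node."""
    evening, late = datetime(2007, 1, 19, 20, 0), datetime(2007, 1, 19, 23, 30)
    dm = DomainManager("AD1")
    dm.issue(Link("living-tv", "AD1"))
    dm.issue(Link("kids-tv", "AD1"))
    dm.issue(Link("AD1", "P1"))
    dm.issue(Link("AD1", "RN-adult", earliest_hour=23))
    dm.withhold("kids-tv", "RN-adult")
    living, kids = Client("living-tv"), Client("kids-tv")
    kids_no_state = Client("kids-tv", require_registration=False)   # filtering only
    for c in (living, kids, kids_no_state):
        c.check_in(dm)
    film = License("film-1", "P1", {"play"}, required_rule_nodes=["RN-adult"])
    cartoon = License("cartoon-1", "P1", {"play"})
    out = {
        "living_20h": living.validate_access("play", film, "AD1", evening),
        "living_23h30": living.validate_access("play", film, "AD1", late),
        "kids_23h30": kids.validate_access("play", film, "AD1", late),
        "kids_cartoon": kids.validate_access("play", cartoon, "AD1", late),
    }
    adult_link = Link("AD1", "RN-adult", earliest_hour=23)
    kids.copy_link_from(living, adult_link)
    kids_no_state.copy_link_from(living, adult_link)
    out["kids_copied_no_state"] = kids_no_state.validate_access("play", film, "AD1", late)
    out["kids_copied_with_state"] = kids.validate_access("play", film, "AD1", late)
    return out
```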
In Fig. 6, the Rule Nodes RN1 and RN2 have been applied to the AD configuration of Fig. 5. It will be understood that the Rule Nodes may equally well be applied to any other AD configuration.
Capitalized terms in the above have the following meaning in this document.
[Table defining the capitalized terms; reproduced on the page only as an image and not recoverable here.]
A Client generally speaking is a functional entity that can acquire and parse Licenses and Links for the purpose of getting access to an instance of Content based on the rights expressed in those Licenses and Links. Typically a Client is embodied as one or more software applications and/or hardware components in a device. For example, a Client may be provided as a software application on a device such as a mobile phone or portable music player. A Client usually comprises a processor to perform the necessary operations and is equipped with a memory to store Content and/or instructions to be executed by the processor.
A License Owner generally speaking is an entity that is representative of a User in a Domain environment. A User can be granted rights for an instance of Content. Such a license grant can be represented in the system by providing a License that links (a specific instance of) Content to the License Owner. A License Owner can be implemented by providing information in a data structure, record in a database or software object. The relation with the User is not explicitly defined in the system, but can for instance be realized by the User having a Device containing that information.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims.
In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer.
In device or system claims enumerating several means, some or all of these means can be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Claims

CLAIMS:
1. A method of validating an access operation to content on a device, comprising evaluating a license associated with the content, characterized by further evaluating a ruleset applicable to the content and validating the access operation only if the license and the ruleset both permit the access operation.
2. The method of claim 1, in which the license indicates the ruleset.
3. The method of claim 1, in which the ruleset applicable to the content is determined by determining a characteristic of the content and selecting the ruleset based on the determined characteristic.
4. The method of claim 3, in which the characteristic is one of: a type of the content, a source of the content, a classification of the content.
5. The method of claim 1, comprising evaluating one or more links associating a person and/or the device to an authorized domain and evaluating a link associating the ruleset to the authorized domain.
6. A system for validating an access operation to content on a device, comprising license management means for evaluating a license associated with the content, characterized in that the license management means are configured for further evaluating a ruleset applicable to the content and validating the access operation only if the license and the ruleset both permit the access operation.
7. The system of claim 6, in which the license management means are configured for determining the ruleset applicable to the content from an indication provided in the license.
8. The system of claim 6, further comprising determining means for determining a characteristic of the content, the license management means being configured to select the ruleset applicable to the content based on the determined characteristic.
9. A computer program product comprising code for causing a processor to execute the method of claim 1.
PCT/IB2007/050185 2006-01-26 2007-01-19 Improved certificate chain validation WO2007085989A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP06100865.2 2006-01-26
EP06100865 2006-01-26

Publications (2)

Publication Number Publication Date
WO2007085989A2 true WO2007085989A2 (en) 2007-08-02
WO2007085989A3 WO2007085989A3 (en) 2007-11-01

Family

ID=38181114

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2007/050185 WO2007085989A2 (en) 2006-01-26 2007-01-19 Improved certificate chain validation

Country Status (1)

Country Link
WO (1) WO2007085989A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103428054A (en) * 2012-05-24 2013-12-04 华为终端有限公司 Method and apparatus for media information access control, and digital home multimedia system
US8924468B2 (en) 2008-05-08 2014-12-30 Bang & Olufsen A/S Method and means for a multilayer access control

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050071663A1 (en) * 2003-09-26 2005-03-31 General Instrument Corporation Separation of copy protection rules for digital rights management
KR101242140B1 (en) * 2004-03-26 2013-03-12 아드레아 엘엘씨 Method of and system for generating an authorized domain


Also Published As

Publication number Publication date
WO2007085989A3 (en) 2007-11-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07700638

Country of ref document: EP

Kind code of ref document: A2