公开(公告)号：US07543140B2

公开(公告)日：2009-06-02

申请号：US10374312

申请日：2003-02-26

申请人： Blair Brewster Dillaway ,  Philip Lafornara ,  Brian A. LaMacchia ,  Rushmi U. Malaviarachchi ,  John L. Manferdelli ,  Charles F. Rose, III

发明人： Blair Brewster Dillaway ,  Philip Lafornara ,  Brian A. LaMacchia ,  Rushmi U. Malaviarachchi ,  John L. Manferdelli ,  Charles F. Rose, III

IPC分类号： H04L29/00

CPC分类号： G06F21/10 ,  H04L9/3268 ,  H04L2209/603

摘要： A digital certificate identifies an entity as having authority over the certificate to revoke same as delegated by the issuer. The certificate also has at least one revocation condition relating to possible revocation of the certificate. To authenticate the certificate, the identification of the delegated revocation authority, a location from which a revocation list is to be obtained, and any freshness requirement to be applied to the revocation list are determined from the certificate. It is then ensured that the revocation list from the location is present and that the present revocation list satisfies the freshness requirement, that the revocation list is promulgated by the delegated revocation authority identified in the certificate, and that the certificate is not identified in the revocation list as being revoked.

摘要翻译： 数字证书将一个实体认定为具有颁发机构授权的权限，以撤销与发行人授权相同的权限。 该证书还具有与可能撤销证书有关的至少一个撤销条件。 为了对证书进行身份验证，从证书中确定授权撤销机构的标识，要从中获得撤销列表的位置以及应用于撤销列表的任何新鲜度要求。 然后确保从该位置的撤销列表存在，并且本撤销列表满足新鲜度要求，撤销列表由证书中指定的授权撤销机构颁布，并且该证书在撤销中未被识别 列表被撤销。

公开(公告)号：US07376975B2

公开(公告)日：2008-05-20

申请号：US10842061

申请日：2004-05-10

申请人： Philip Lafornara ,  Rushmi U. Malaviarachchi ,  John L. Manferdelli ,  Michael David Marr ,  Charles F. Rose, III ,  Bradley Serbus

发明人： Philip Lafornara ,  Rushmi U. Malaviarachchi ,  John L. Manferdelli ,  Michael David Marr ,  Charles F. Rose, III ,  Bradley Serbus

IPC分类号： G06K9/00

CPC分类号： H04L63/0823 ,  H04L9/0825 ,  H04L9/3263 ,  H04L63/101 ,  H04L2209/603 ,  H04L2463/101

摘要： In order to allow for security beyond revocation lists, a policy regarding when permissions may be granted (in the form of a rights document, e.g. a use license or a certificate) is enforced. When a request is made for a rights document, the requester submits an account certificate which includes certain metadata regarding the requester. This metadata is analyzed to determine whether it meets a specific policy before the request is granted. If the request is not granted, the cause of the rejection may be overcome, for example by updating or upgrading some system component (hardware or software) in the requesting system. In certain cases, such an update to overcome a policy-based rejection may be performed transparently to the user.

摘要翻译： 为了允许超出撤销列表的安全性，执行关于何时可以授予权限（以权利文档的形式，例如使用许可证或证书）的策略。 当为权利文件提出请求时，请求者提交一个帐户证书，其中包括有关请求者的某些元数据。 分析此元数据以确定在批准请求之前是否满足特定策略。 如果不允许请求，则可以克服拒绝的原因，例如通过更新或升级请求系统中的一些系统组件（硬件或软件）。 在某些情况下，可以透明地对用户执行这种克服基于策略的拒绝的更新。

公开(公告)号：US07318236B2

公开(公告)日：2008-01-08

申请号：US10375246

申请日：2003-02-27

申请人： Marco A. DeMello ,  Vinay Krishnaswamy ,  Rushmi U. Malaviarachchi ,  John L. Manferdelli ,  Bradley Serbus ,  Attila Narin ,  Steve Bourne

发明人： Marco A. DeMello ,  Vinay Krishnaswamy ,  Rushmi U. Malaviarachchi ,  John L. Manferdelli ,  Bradley Serbus ,  Attila Narin ,  Steve Bourne

IPC分类号： G06F7/04 ,  H04L9/00 ,  H04Q40/00

CPC分类号： G06F21/10 ,  G06F2221/0704 ,  G06F2221/072 ,  H04L9/0825 ,  H04L9/083 ,  H04L9/3263 ,  H04L2209/603

摘要： A first trusted component on a first computing device performs cryptography, evaluation, and enforcement and is tied thereto, and a first user-machine certificate associated with the first computing device is tied to a user. Correspondingly, a second trusted component on a second computing device performs cryptography, evaluation, and enforcement and is tied thereto, and a second user-machine certificate associated with the second computing device is also tied to the user. The first trusted component obtains the content for rendering on the first computing device by way of the first user-machine certificate and the license, and the second trusted component obtains the content for rendering on the second computing device by way of the second user-machine certificate and the same license.

摘要翻译： 第一计算设备上的第一受信任的组件执行密码学，评估和执行并与之相关联，并且与第一计算设备相关联的第一用户机器证书被绑定到用户。 相应地，第二计算设备上的第二受信任组件执行密码学，评估和执行并与之相关联，并且与第二计算设备相关联的第二用户机器证书也与用户相关联。 第一信任组件通过第一用户机器证书和许可证获得用于在第一计算设备上呈现的内容，并且第二可信组件通过第二用户机器获得用于在第二计算设备上呈现的内容 证书和相同的许可证。

公开(公告)号：US07774830B2

公开(公告)日：2010-08-10

申请号：US11080806

申请日：2005-03-14

申请人： Blair Brewster Dillaway ,  John L. Manferdelli ,  Shawn Martin Woods

发明人： Blair Brewster Dillaway ,  John L. Manferdelli ,  Shawn Martin Woods

IPC分类号： H04L9/32

CPC分类号： H04L63/102 ,  G06F21/6218 ,  H04L63/0823

摘要： An access control policy engine associated with a resource determines whether to allow a request to access same. The engine receives the request with an security token, retrieves the token determines a type thereof, and maps access decision information in the token to a common format as at least one security claim setting forth adequate information to determine a right of the requestor. Thereafter, the engine retrieves a set of rules for accessing the resource, applies the rules to the security claims to determine whether to allow the request from the requestor, and if the request is to be allowed, provides the requestor access to the resource in accordance with the request and the rights of the requestor as determined based on the security claims.

摘要翻译： 与资源相关联的访问控制策略引擎确定是否允许请求访问它。 引擎使用安全令牌接收请求，检索令牌确定其类型，并将令牌中的访问决策信息映射到通用格式作为至少一个安全权利要求，其中提供足够的信息以确定请求者的权利。 此后，引擎检索用于访问资源的一组规则，将规则应用于安全声明以确定是否允许来自请求者的请求，并且如果请求被允许，则根据请求提供对资源的请求者访问 请求者的请求和权利根据担保权利要求确定。

公开(公告)号：US07051200B1

公开(公告)日：2006-05-23

申请号：US09604518

申请日：2000-06-27

申请人： John L. Manferdelli ,  Michael David Marr ,  Vinay Krishnaswamy ,  Mariusz H. Jakubowski

发明人： John L. Manferdelli ,  Michael David Marr ,  Vinay Krishnaswamy ,  Mariusz H. Jakubowski

IPC分类号： H04L9/00

CPC分类号： G06F21/6218 ,  G06F21/10 ,  G06F2221/0704

摘要： A secure repository individualized for a hardware environment and a method and system for providing the same. The secure repository includes a hidden cryptographic key and code that applies the key without requiring access to a copy of the key. The code that implements the secure repository is generated in a manner that is at least partly based on a hardware ID associated with the hardware environment in which the secure repository is to be installed, and may also be based on a random number. Cryptographic functions implemented by the secure repository include decryption of encrypted information and validation of cryptographically signed information. The secure repository may be coupled to an application program, which uses cryptographic services provided by the secure repository, by way of a decoupling interface that provides a common communication and authentication interface for diverse types of secure repositories. The decoupling interface may take the form of a single application programmer interface (API) usable with multiple dynamically linkable libraries.

摘要翻译： 用于硬件环境的安全存储库以及用于提供硬件环境的方法和系统。 安全存储库包括隐藏的加密密钥和应用密钥而不需要访问密钥副本的代码。 实现安全存储库的代码以至少部分地基于与要安装安全存储库的硬件环境相关联的硬件ID的方式生成，并且还可以基于随机数。 由安全存储库实现的加密功能包括加密信息的解密和加密签名信息的验证。 安全存储库可以耦合到使用由安全存储库提供的加密服务的应用程序，该应用程序通过解耦接口来提供用于不同类型的安全存储库的公共通信和认证接口。 解耦接口可以采用可与多个动态可链接库一起使用的单个应用程序接口（API）的形式。

公开(公告)号：US07958373B2

公开(公告)日：2011-06-07

申请号：US12466295

申请日：2009-05-14

申请人： John L. Manferdelli ,  Michael David Marr ,  Vinay Krishnaswamy ,  Mariusz H. Jakubowski

发明人： John L. Manferdelli ,  Michael David Marr ,  Vinay Krishnaswamy ,  Mariusz H. Jakubowski

IPC分类号： G06F21/00 ,  G06F11/30

CPC分类号： G06F21/10 ,  G06F21/14 ,  G06F2211/007 ,  G06F2221/0748 ,  G06F2221/2107

摘要： A secure repository individualized for a hardware environment and a method and system for providing the same. The secure repository includes a hidden cryptographic key and code that applies the key without requiring access to a copy of the key. The code that implements the secure repository is generated in a manner that is at least partly based on a hardware ID associated with the hardware environment in which the secure repository is to be installed, and may also be based on a random number. Cryptographic functions implemented by the secure repository include decryption of encrypted information and validation of cryptographically signed information. The secure repository may be coupled to an application program, which uses cryptographic services provided by the secure repository, by way of a decoupling interface that provides a common communication and authentication interface for diverse types of secure repositories. The decoupling interface may take the form of a single application programmer interface (API) usable with multiple dynamically linkable libraries.

摘要翻译： 用于硬件环境的安全存储库以及用于提供硬件环境的方法和系统。 安全存储库包括隐藏的加密密钥和应用密钥而不需要访问密钥副本的代码。 实现安全存储库的代码以至少部分地基于与要安装安全存储库的硬件环境相关联的硬件ID的方式生成，并且还可以基于随机数。 由安全存储库实现的加密功能包括加密信息的解密和加密签名信息的验证。 安全存储库可以耦合到使用由安全存储库提供的加密服务的应用程序，该应用程序通过解耦接口来提供用于不同类型的安全存储库的公共通信和认证接口。 解耦接口可以采用可与多个动态可链接库一起使用的单个应用程序接口（API）的形式。

公开(公告)号：US20090293116A1

公开(公告)日：2009-11-26

申请号：US12486057

申请日：2009-06-17

申请人： Marco A. DeMello ,  Vinay Krishnaswamy ,  John L. Manferdelli

发明人： Marco A. DeMello ,  Vinay Krishnaswamy ,  John L. Manferdelli

IPC分类号： G06F21/24

CPC分类号： G06F21/10 ,  G06F2221/0737 ,  G06F2221/2137

摘要： A digital rights management system for the distribution, protection and use of electronic content. The system includes a client architecture which receives content, where the content is preferably protected by encryption and may include a license and individualization features. Content is protected at several levels, including: no protection; source-sealed; individually-sealed (or “inscribed”); source-signed; and fully-individualized (or “owner exclusive”). The client also includes and/or receives components which permit the access and protection of the encrypted content, as well as components that allow content to be provided to the client in a form that is individualized for the client. In some cases, access to the content will be governed by a rights construct defined in the license bound to the content. The client components include an object which accesses encrypted content, an object that parses the license and enforces the rights in the license, an object which obtains protection software and data that is individualized for the client and/or the persona operating the client, and a script of instructions that provides individualization information to a distributor of content so that the content may be individualized for the client and/or its operating persona. Content is generally protected by encrypting it with a key and then sealing the key into the content in a way that binds it to the meta-data associated with the content. In some instances, the key may also be encrypted in such a way as to be accessible only by the use of individualized protection software installed on the client, thereby binding use of the content to a particular client or set of clients.

摘要翻译： 数字版权管理系统，用于分发，保护和使用电子内容。 该系统包括接收内容的客户端架构，其中优选地通过加密保护内容，并且可以包括许可证和个性化特征。 内容受到多个级别的保护，包括：无保护; 源密封; 单独密封（或“铭刻”）; 源代码; 和完全个性化（或“所有者独占”）。 客户端还包括和/或接收允许加密内容的访问和保护的组件以及允许以为客户端个性化的形式向客户端提供内容的组件。 在某些情况下，访问内容将受到绑定到内容的许可证中定义的权利结构的约束。 客户端组件包括访问加密内容的对象，解析许可证并执行许可证中的权限的对象，获得保护软件的对象和为客户端和/或操作客户端的个人化的数据，以及 向内容分发者提供个性化信息的指令脚本，使得可以为客户端和/或其操作人员个性化内容。 内容通常通过用密钥加密来保护，然后以将其绑定到与内容相关联的元数据的方式将密钥密封到内容中。 在某些情况下，密钥还可以以仅通过使用安装在客户端上的个性化保护软件才能访问的方式进行加密，从而将内容的使用绑定到特定客户端或客户端集合。

公开(公告)号：US06996720B1

公开(公告)日：2006-02-07

申请号：US09604946

申请日：2000-06-27

申请人： Marco A. DeMello ,  Vinay Krishnaswamy ,  John L. Manferdelli

发明人： Marco A. DeMello ,  Vinay Krishnaswamy ,  John L. Manferdelli

IPC分类号： G06F12/14

CPC分类号： G06F21/10 ,  G06F2221/0737 ,  G06F2221/2137

摘要： A digital rights management system for the distribution, protection and use of electronic content. The system includes a client architecture which receives content, where the content is preferably protected by encryption and may include a license and individualization features. Content is protected at several levels, including: no protection; source-sealed; individually-sealed (or “inscribed”); source-signed; and fully-individualized (or “owner exclusive”). The client also includes and/or receives components which permit the access and protection of the encrypted content, as well as components that allow content to be provided to the client in a form that is individualized for the client. In some cases, access to the content will be governed by a rights construct defined in the license bound to the content. The client components include an object which accesses encrypted content, an object that parses the license and enforces the rights in the license, an object which obtains protection software and data that is individualized for the client and/or the persona operating the client, and a script of instructions that provides individualization information to a distributor of content so that the content may be individualized for the client and/or its operating persona. Content is generally protected by encrypting it with a key and then sealing the key into the content in a way that binds it to the meta-data associated with the content. In some instances, the key may also be encrypted in such a way as to be accessible only by the use of individualized protection software installed on the client, thereby binding use of the content to a particular client or set of clients.

公开(公告)号：US08417968B2

公开(公告)日：2013-04-09

申请号：US13153782

申请日：2011-06-06

申请人： John L. Manferdelli ,  Michael David Marr ,  Vinay Krishnaswamy ,  Mariusz H. Jakubowski

发明人： John L. Manferdelli ,  Michael David Marr ,  Vinay Krishnaswamy ,  Mariusz H. Jakubowski

IPC分类号： G06F12/14

CPC分类号： G06F21/10 ,  G06F21/14 ,  G06F2211/007 ,  G06F2221/0748 ,  G06F2221/2107

摘要： A secure repository individualized for a hardware environment and a method and system for providing the same. The secure repository includes a hidden cryptographic key and code that applies the key without requiring access to a copy of the key. The code that implements the secure repository is generated in a manner that is at least partly based on a hardware ID associated with the hardware environment in which the secure repository is to be installed, and may also be based on a random number. Cryptographic functions implemented by the secure repository include decryption of encrypted information and validation of cryptographically signed information. The secure repository may be coupled to an application program, which uses cryptographic services provided by the secure repository, by way of a decoupling interface that provides a common communication and authentication interface for diverse types of secure repositories. The decoupling interface may take the form of a single application programmer interface (API) usable with multiple dynamically linkable libraries.

公开(公告)号：US08032943B2

公开(公告)日：2011-10-04

申请号：US12486057

申请日：2009-06-17

申请人： Marco A. DeMello ,  Vinay Krishnaswamy ,  John L. Manferdelli

发明人： Marco A. DeMello ,  Vinay Krishnaswamy ,  John L. Manferdelli

IPC分类号： G06F17/30

CPC分类号： G06F21/10 ,  G06F2221/0737 ,  G06F2221/2137

摘要： A digital rights management system for the distribution, protection and use of electronic content. The system includes a client architecture which receives content, where the content is preferably protected by encryption and may include a license and individualization features. Content is protected at several levels, including: no protection; source-sealed; individually-sealed (or “inscribed”); source-signed; and fully-individualized (or “owner exclusive”). The client also includes and/or receives components which permit the access and protection of the encrypted content, as well as components that allow content to be provided to the client in a form that is individualized for the client. In some cases, access to the content will be governed by a rights construct defined in the license bound to the content. The client components include an object which accesses encrypted content, an object that parses the license and enforces the rights in the license, an object which obtains protection software and data that is individualized for the client and/or the persona operating the client, and a script of instructions that provides individualization information to a distributor of content so that the content may be individualized for the client and/or its operating persona. Content is generally protected by encrypting it with a key and then sealing the key into the content in a way that binds it to the meta-data associated with the content. In some instances, the key may also be encrypted in such a way as to be accessible only by the use of individualized protection software installed on the client, thereby binding use of the content to a particular client or set of clients.

摘要翻译： 数字版权管理系统，用于分发，保护和使用电子内容。 该系统包括接收内容的客户端架构，其中优选地通过加密保护内容，并且可以包括许可证和个性化特征。 内容受到多个级别的保护，包括：无保护; 源密封; 单独密封（或“铭刻”）; 源代码; 和完全个性化（或“所有者独占”）。 客户端还包括和/或接收允许加密内容的访问和保护的组件以及允许以为客户端个性化的形式向客户端提供内容的组件。 在某些情况下，访问内容将受到绑定到内容的许可证中定义的权利结构的约束。 客户端组件包括访问加密内容的对象，解析许可证并执行许可证中的权限的对象，获得保护软件的对象和为客户端和/或操作客户端的个人化的数据，以及 向内容分发者提供个性化信息的指令脚本，使得可以为客户端和/或其操作人员个性化内容。 内容通常通过用密钥加密来保护，然后以将其绑定到与内容相关联的元数据的方式将密钥密封到内容中。 在某些情况下，密钥还可以以仅通过使用安装在客户端上的个性化保护软件才能访问的方式进行加密，从而将内容的使用绑定到特定客户端或客户端集合。