`DeMello et al.
`
`(10) Patent No.:
`(45) Date of Patent:
`
`US 7,047,411 Bl
`May 16, 2006
`
`US007047411B1
`
`(54) SERVER FOR AN ELECTRONIC
`DISTRIBUTION SYSTEM AND METHOD OF
`OPERATING SAME
`
`(75)
`
`Inventors: Marco A. DeMello, Redmond, WA
`(US); Pavel Zeman, Kirkland, WA
`(US); Vinay Krishnaswamy,
`Woodinville, WA (US); Frank D.
`Byrum, Seattle, WA (US)
`
`(73) Assignee: Microsoft Corporation, Redmond, WA
`(US)
`
`(*) Notice:
`
`Subject to any disclaimer, the termof this
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 1140 days.
`
`(21) Appl. No.: 09/604,540
`
`(22)
`
`Filed:
`
`Jun. 27, 2000
`
`(60)
`
`(51)
`
`Related U.S. Application Data
`Provisional application No. 60/172,318, filed on Dec. 17,
`1999, and provisional application No. 60/172,319, filed on
`Dec. 17, 1999.
`
`Int. CL
`G06F 1/24
`
`(2006.01)
`
`(52)
`
`UWS. Ch occ eeeeeeees 713/176; 713/164; 713/170:
`713/193; 713/200; 713/201
`(58) Field of Classification Search ................. 713/176,
`713/164, 170, 179, 182, 189, 193, 200, 201
`See applicationfile for complete search history.
`
`(56)
`
`References Cited
`U.S. PATENT DOCUMENTS
`
`4,405,829 A
`4,827,508 A
`
`9/1983 Rivest etal... 178/22.1
`
`5/1989 Shear .....cccceceeeeeeeene SSO/4
`
`(Continued)
`FOREIGN PATENT DOCUMENTS
`
`EP
`EP
`
`0 778 S12 A2
`0 795 809 A2
`
`6/1997
`9/1997
`
`OTHER PUBLICATIONS
`
`Auchsmith, D., “Tamper Resistant Software: An Implemen-
`tation”, First International Workshop, Anderson Ross(ed., )
`1996, 317-333.
`
`(Continued)
`
`Primary Examiner—Thomas R. Peeso
`(74) Attorney, Agent, or Firm—Woodcock Washburn LLP
`(57)
`ABSTRACT
`
`Aserver architecture for a digital rights management system
`that distributes and protects rights in content. The server
`architecture includesa retail site which sells content items to
`consumers, a fulfillment site which provides to consumers
`the content items sold bytheretail site, and an activation site
`which enables consumer reading devices to use content
`items having an enhanced level of copy protection, Each
`retail site is equipped with a URL encryption object, which
`encrypts, according to a secret symmetric key shared
`betweenthe retail site and the fulfillment site, information
`that is needed by the fulfillment site to process an order for
`content sold by theretail site. Uponselling a content items,
`the retail site transmits to the purchase a web page having a
`link to a URL comprising the address ofthe fulfillmentsite
`and a parameter having the encrypted information. Upon the
`following the link, the fulfillment site downloads the ordered
`content to the consumerpreparing the content if necessary in
`accordance with the type ofsecurity to be carried with the
`content. The fulfillment site includes an asynchronous ful-
`fillment pipeline which logs information about processed
`transactions using a store-and-forward messaging service.
`The fulfillment site may be implemented as several server
`devices, each having a cache which stores frequently down-
`loaded content items, in which case the asynchronous ful-
`fillment pipeline mayalso be used to invalidate the cache if
`a changeis madeat one serverthat affects the cached content
`items. An activation site provides an activation certificate
`and a secure repository executable to consumer content-
`rendering devices which enable those content rendering
`devices to render content having an enhanced level of
`copy-resistance. The activation site “activates” client-
`reading devices in a way that binds them to a persona, and
`limits the number of devices that may be activated for a
`particular persona,or the rate at which such devices may be
`activated for a particular persona.
`
`(Continued)
`
`63 Claims, 10 Drawing Sheets
`
` PC Reecer>
`
`GOOGLE 1004
`
`GOOGLE 1004
`
`1
`
`
`
`US 7,047,411 Bl
`Page 2
`
`U.S. PATENT DOCUMENTS
`
`................. 709/201
`7/2000 Reed et al.
`6,088,717 A
`escesssesseeesee 705/I
`5/2001 Downs et al.
`6,226,618 BL
`
`713/201
`..
`10/2001 Schreiber et al.
`6,298,446 Bl
`
`....cseceeeeee 705/51
`5/2002. Wiser et al.
`6,385,596 BL
`
`
`....... 709/315
`7/2002. Dievendorff et al.
`6.425.017 BL
`8/2003: Dutta: aivcuavanacien 705126
`6,606,604 Bl
`
`ee 709/224
`9/2003 Lambert et al.
`6,629,138 BL
`
`.....
`we 709/201
`4/2004 Basani et al.
`6.718.361 BI
`............. 705/27
`8/2001 Eberhard et al.
`2001/0011238 Al
`
`1/2002 Vange ceeseesecseereesseseeee 709/223
`2002/0002611 Al
`FOREIGN PATENT DOCUMENTS
`
`4,924,378 A
`............. 713/201
`5/1990 Hershey et al.
`
`4,977,594 A
`esis 380/4
`12/1990 Shear ......44.
`3,050,213 A
`9/1991 Shear ....
`++ 380/25
`
`5,191,573 A
`3/1993 Hair ........-
`w+ 369/84
`
`5,222,134 A
`6/1993 Waite et al.
`ssseecseesesseees 380/4
`
`5,410,598 A
`4/1995 Shear v.ccisscscsscorssssnseenves 380/4
`
`5,509,070 A
`4/1996 Schull
`...
`ees 380/4
`5,629,980 A
`5/1997 Stefik et al.
`.
`vee 380/4
`5,634,012 A
`‘5/1997 Stefik et al.
`.
`.. 395/239
`5.638.443 A
`6/1997 Stefik et al.
`.
`verse 380/4
`
`5,675,734 A
`10/1997 Hair vss...
`.. 395/200.01
`
`
`5,708,780 A ........- 709/229==EP1/1998 Levergoodet al. 0 843 449 A2 5/1998
`
`
`
`2/1998. Stefi sereeeseeneee
`.. 395/244
`5,715,403 A
`WO
`WO96/24092
`8/1996
`
`vee 380/25
`5,724,425 A
`3/1998 Changet al.
`WO
`WO 96/42041
`12/1996
`
`........... 395/200.06
`5,734,823 A
`3/1998 Saigh etal.
`WO
`WO 2844402
`10/1998
`5.734.891 A
`3/1998 Saigh vse. 395/610
`WO
`WO98/45768
`10/1998
`vee 7079
`5,784,609 A
`7/1998 Kurihara...
`WO
`WO 98/58306
`12/1998
`
`
`
`
`5,809,145 A aw 705/52+WO9/1998 Slik etal. .... WO 29/0185 vi
`
`12/1998 Benson et al. vere... 7079
`5,845,281 A
`WO
`WO99/26123
`5/1999
`1/1999 Petfittcee. 380/44
`5,864,620 ;
`WO
`WO 99/4549 1
`9/1999
`3/1999 Romming sesesessssssessessees00 3804
`5,883,955
`WO
`WO 99/55055
`12/1999
`
`.. 395/186
`5,892,900.
`4/1999 Ginter et al.
`WO
`WO99/63416
`12/1999
`6/1999 Ginter et al. sess. 380/24
`5,910,987
`WO
`WO 92/634160A
`12/1999
`cececceecese-380/4
`5,915,019
`6/1999 Ginter et al.
`WO
`WO 00/08909
`2/2000
`w.- 380/24
`5,917,912
`6/1999 Ginter et al.
`WO
`yO es
`Ae
`
`5,920,861 WO 00/75760 Al—12/20007/1999 Hallet al. ... ww. 707/9 WO
`
`
`
`
`
`8/1999 Schneck et al.
`......0.... 380/4
`5,933,498
`OTHER PUBLICATIONS
`..........scereene 380/4
`§,940,504 A
`8/1999 Griswold.
`5,943,422 A
`8/1999 Van Wie etal. .
`.- 380/9
`Jaeger, T., “Flexible Control of Downloaded Executable
`
`5,949,876 A
`9/1999 Ginter et al.
`....
`. 380/4
`Content”, ACM Transactions on Information and System
`ce 705/27
`5,970,475
`10/1999 Barneset al.
`Security, 1999, 2(2), 177-228.
`
`
`5,982,871
`11/1999 Ginter et al.
`- 3804
`Shamir, A.et al., “Playing Hide and Seek with Stored Keys”,
`5,983,273 A
`11/1999 White et al.
`709/229
`:
`.
`*
`:
`4
`100 Tea 705/59 on Conference, 1999, franklin, M.
`5.991.402
`(ed),
`12/1999 Yasukawaet al.
`
`BS
`Bf
`3
`ae
`wees 380/4
`5,999,622 J
`.
`. 713/201
`6.006.332!
`12/1999 Rabne et al.
`Riley, M., et al. (Eds.),
`“Open eBook™ Publication Struc-
`2/2000 May ....-.eeesese
`. 713/200
`6,021,492
`ture 1.0,” http://www.openebook.org/specification.htm, Sep.
`
`3/2000 Subbiah et al. 7
`ce 713/201
`16, 2000, 1-77,
`6,035,403
`wae
`6,067,582
`5/2000 Smith et al. ........c.6. 710/5
`U.S. Appl. No. 09/289,513, filed Apr. 9, 1999, Wiseret al.
`
`AAAAAAAA
`
`/
`
`.
`
`AAAAAAAAA
`
`2
`
`
`
`U.S. Patent
`
`May16, 2006
`
`Sheet 1 of 10
`
`US 7,047,411 B1
`
`(aL)INJONYS94yoogsJoaweuoju|(gJeAa]ul)70
`
`OLJaujo‘Bra)@suadl|
`
`
`squnog|AeydujauwAs\aje\dyoogpajeessasn)
`
`
`
`weesjUue}u0DoraceWedsByep-e}ayy.
`91vlZi
`
`BuiAyquep!|Geysiqnd}Buipnjour
`
`
`(‘oyuKeyauyjewwAs
`
`|Olas
`
`Blo.
`
`OFt
`
`avt
`
`VP
`
`3
`
`
`
`
`
`
`
`
`
`U.S. Patent
`
`May16, 2006
`
`Sheet 2 of 10
`
`US 7,047,411 B1
`
`Zpsopuoy
`
`poetele-
`
`9E5
`
`éSls
`
`a”
`
`11!'|11!!'!{!!‘'1!!!!!!!1|I1!{!=
`
`Oppueoghay
`
`1
`
`6SeaBo
`
`
`
`Zpesnow6zeBeJo}SB|qeAoway
`
`UF'ogenuaeondo§=—-gzeauAddo,—aoe
`
`
`
`ieA|weitora|“euo”|%%8v]s€S0|
`seydepyISHoaplABuisses0ig
`
`
`gsoPLZ
`Jaydepywun
`
`9SSngISDS
`
`oneuBbew
`
`AUAfPAU4SIG26aew
`
`4S1QPIE
`
`wee ee ee ee a ee ee a a ee a ee ee ee ee ee ee ee ee eee eee eee
`
`
`
`4
`
`
`
`
`
`
`
`U.S. Patent
`
`May16, 2006
`
`Sheet 3 of 10
`
`US 7,047,411 B1
`
`FIG. 3
`
` Content
`
`Database
`
`
`Management/
`LIT File
`Updates
`Encryption Tool
`Encryption
`
`
`
` Fulfillment DB
`Resolve File ID to
`(SQLserver,
`
`Content Store
`MSMOQ Site
`
`
`(LIT files)
`
`
`controller)
`
`80
`
`
`|
`
`
`
`_|Retrieves LIT
`“|
`files based on
`location
`returned by
`Piug-In
`Module
`
`URLEncrypt
`(URL Encryption COM
`Object)
`74
`
`Bookstore Servers (Web
`Front End)
`
`User Authentication
`Shopping for Books
`
`T2
`
`Viewing Receipts 70
`
`Download Server
`ISAPI Extension DLL
`78
`
`Web Content Servers
`(eBook Download Servers)
`76
`
`HTTP Downloads
`
`PC Reader 30
`
`5
`
`
`
`U.S. Patent
`
`May16, 2006
`
`Sheet 4 of 10
`
`US 7,047,411 B1
`
`eSUOHeARIY
`
`SL
`
`UOPeARoY
`
`
`
`IdVS]40019
`
`T1gQuojsus}x3
`
`yodsseg
`
`9612/40
`
`uopeanoy
`
`SI9AJBS
`
`(4838719Sit)
`
`v6
`
`02
`
`JO}enanbget
`
`uogeoydas
`
`sajeindog«
`
`
`
`anpoyur-Bnig
`
`Aqpawinyas
`
`{uojsnpour
`
`dd
`
`(SdLLH)
`uoneAtSYWadguonensiBey&speojumogdi)LH
`SHOulsail4ezZao
`
`
`eeeyoestdvSieu}.|]OWSIA)eulledid
`
`(S914117)0}G]yoo,anjosey
`
`LITsanaujeyOWS)g@ainpowul-fnjd
`
`
`
`(Sud)“eoydes9191=BuyB60)soypasp)
`Lnsdad°|aygyuewyyin49WHCViJgowowing
`
`
`
`wewodysnoucsyoukse]98qual
`sayy|':|ieeiet98(ueluopeseg
`
`
`
`
`ainpowJanaesusory
`ogweday
`
`
`sjy6u'seue6esuasi))
`
`310}S“
`
`Buyepyeau!puewouyIns
`
`
`eunedig23038UB}UOD
`sepeayofo2dYooge
`0626
`
`
`
`peojumopyoee
`
`queuing
`
`euyjedig
`
`"2
`
`SYSey
`
`be
`
`ydAuouaUn
`
`Tan)
`
`uondAusuy
`
`
`
`(399140WOOD
`
`be
`
`810}89009
`
`
`
`gaya)S40AaS
`
`(puyuolg
`
`eZ
`
`uojeoquayyny
`
`Jo}Burddous
`
`Jasn
`
`s\diesay
`
`BuimalA,
`
`$y009q
`
`6
`
`
`
`
`
`
`
`
`
`U.S. Patent
`
`May16, 2006
`
`Sheet 5 of 10
`
`US 7,047,411 B1
`
`GLAoyDuyouWAS
`
`UyPposeys
`
`
`
`JOAIBSPEOJUMOG
`
`92
`
`pL
`
`yalaoWOO
`
`
`jnduiTWNsessey
`
`uogdAsou3TN cL
`
`qojg
`
`
`
`paydAouesuinjayobeddsv
`
`
`
`Buuapuayydiesey
`
`
`
`(N$0|)JaAIagSI]810}SxOOg
`
`G‘Sls
`
`
`
`SJBJBWEIeC3J0}SHOOG
`
`7
`
`
`
`U.S. Patent
`
`May16, 2006
`
`Sheet 6 of 10
`
`US 7,047,411 B1
`
`peojumog
`
`JOAI0S
`
`IdVSI
`
`uoisue}x3
`
`gZ110
`
`quSw)|PIN
`
`98eUuledid
`
`quewy/yi/ng
`
`pUoUINS
`
`
`
`OWS)eulledid
`
`o}sajepdnsesnege
`
`9Sls
`
`
`
`
`
`98(TOS)4eAI9SJUSTIN
`
`
`
`peojumogpue-ju0y
`
`
`
`TOSB14)ENIES
`
`(s966u}
`
`BU}UOBYRDOu}‘.
`
`aJeEpyjeAu!0}asnae8,78S}duoS
`
`
`
`yeu)aseqejegeu}+]qooyjuawebeuey
`
`
`
`
`
`8
`
`
`
`
`
`
`
`U.S. Patent
`
`May16, 2006
`
`Sheet 7 of 10
`
`US 7,047,411 B1
`
`136
`
`
`For each
`116
`Individualized
`
`
`
`
`a|copy include the
`user's Name in the
`
`
`License(asrightful
`owner)
`
`
`Complete each
`License XML
`structure and sign
`each License, to
`prevent tampering
`
`
`
`
`For each Fully
`Individualized
`
`128
`
`
`
` og NT event
`
`and Retum
`
`appropriate error
`
`9
`
`
`
`U.S. Patent
`
`May16, 2006
`
`Sheet 8 of 10
`
`US 7,047,411 B1
`
`176
`
`
`
`
`152
`
`
`Redirect user to
`customized
`
`feate new record for
`Passport Login
`
`User + Reader,
`
`
`increment # of Readers
`user has
`
`
`
`Query Passport
`APIfor User
`
`Alias & e-mail
`
`address
`
`
`
`156
`
`160
`
`162
`
`
` Persist Activation
`Keys, User ID and
`
`Machine ID in DB
`
`
`
`Instantiate page
`
`with MS Reader
`Client Connectivity
`
`
`
`
`Bid down!—LogNTevent,render
`
`
`Render standard
`Activation HTML
`
`
`0
`error message,link
`page
`
`succeed?
`for retry, support #
`
`Returm link if
`user started
`
`
`
`10
`
`10
`
`
`
`U.S. Patent
`
`May16, 2006
`
`Sheet 9 of 10
`
`US 7,047,411 B1
`
`FIG. 9
`
`User Selects
`eBooks
`
`200
`
`202
`
`Transaction
`Concludes and
`Issue Receipt
`
`204
`
`Page
`Reader
`
`206
`
`208
`
`210
`
`User Clicks
`Link on
`Receipt Page
`to Initiate
`Download
`
`Download
`Complete
`
`Folder and
`Launch
`
`11
`
`11
`
`
`
`U.S. Patent
`
`May16, 2006
`
`Sheet 10 of 10
`
`US 7,047,411 B1
`
`FIG. 10
`
`Plug-in
`Module
`resolves the
`.4 physical
`location of the
`LIT file on the
`Content Store
`
`
`Fulfillment DB 89
`
`
`(SQL server, MSMQ client,
`Fulfitiment COM object)
`
`
`
`
`
`MSMQClient || Content
`(async.
`| Store plug-in
`pipeline) 86|Module 68
`
`
`
`
`ISAPI fetches the
`Content Store
`
`
`(Source Sealed
`Licensing
`LIT file
`
`
`LIT files) 80
`Module 77
`
`
`
`(license
`gener., rights
`
`inclusion)
`
`
`
`
`Browser presents URL
` Content Servers
`generated by URLEncrypt
`
`(IS Cluster)
`
`76
`
`
`LIT file is returned via
`
`HTTP download
`
`
`12
`
`12
`
`
`
`US 7,047,411 Bl
`
`1
`SERVER FOR AN ELECTRONIC
`DISTRIBUTION SYSTEM AND METHOD OF
`OPERATING SAME
`
`CROSS-REFERENCE TO RELATED CASES
`
`ay
`
`This application claims the benefit of U.S. Provisional
`Application Ser. No. 60/172,318 entitled “System for Dis-
`tributing Content Having Multilevel Security Protection,”
`and U.S. Provisional Application Ser. No. 60/172,319
`entitled “System and Method for Digital Rights
`Management,” both filed on Dec. 17, 1999.
`FIELD OF THE INVENTION
`
`invention relates generally to the field of
`The present
`computing, and more particularly to the use of a server to
`distribute content in accordance with a digital rights man-
`agement system.
`BACKGROUNDOF THE INVENTION
`
`2
`ment (“DRM”) system. The architecture includes an activa-
`tion server arrangement, and adistribution server arrange-
`ment. The architecture includes various security features
`that guard against unauthorized distribution or use ofpro-
`tected content, as well as software components that imple-
`ment the security features.
`In accordance withthe architecture provided, content may
`be protected at a plurality of levels, including: no protection,
`source sealed, individually sealed (or “inscribed”), source
`signed, and fully individualized (or “owner exclusive’). “No
`protection” content is distributed in an unencrypted format.
`“Source sealed” and “individually sealed’ content
`is
`encrypted and bundled with an encryption key that
`is
`cryptographically sealed with certain rights-management
`data associated with the content, such that the key cannot be
`retrieved if the rights-management data has been altered.
`The distinction between“source” and “individual” sealingis
`that “individually sealed” content includes in the rights-
`management data informationpertinent to the rightful owner
`(e.g., the owner’s name, credit card number, receipt number
`or transaction ID for the purchase transaction,etc.), such that
`this information cannot be removed from a working copy of
`the content, thereby allowing for detection of unauthorized
`distributors. The particular type of information included is
`determined by the retailer of the copy. “Signed” content is
`cryptographically signed in such a way that the rendering
`application can verify its authenticity, or the authenticity of
`its distribution channel. “Fully individualized” content is
`encrypted content provided with a decryption key that has
`not merely been sealed with the rights-management
`information, but also encrypted in such a waythat it cannot
`be accessed in the absence of a “secure repository” and
`“activation certificate,” which are issued by the activation
`server arrangement only to a particular client or set of
`clients, thereby limiting the use of such content to a finite
`number ofinstallations.
`
`The activation server arrangement includes one or more
`server computing devices which “activate” client computing
`devices by providing code and data to these devices, where
`the code and data are necessary to access “fully individu-
`alized” content on a givenclient device. In one example, the
`“data” includes an activation certificate having a public key
`and an encrypted private key, and the “code” is a program
`(e.g., a “secure repository’’) that accesses the private key in
`the activation certificate by applying, in a secure manner, the
`key necessary to decrypt
`the encrypted private key.
`Preferably, the key pair in the activation certificate is per-
`sistently associated with an authenticatable “persona,” such
`that a device can be “activated” to read content that has been
`
`individualized for that persona, but not contentthat has been
`“fully individualized” for other personas. As used herein, a
`“persona”is a unique identifier that can be tied to a user and
`can be securely authenticated by an out-of-band process—
`é.g., a username and password form on a web browser for
`use over a secure socket layer (SSL) is an example embodi-
`ment of such a process. Moreover, the activation server
`arrangement preferably provides a given activation certifi-
`cate (that is, an activation certificate having a particular key
`pair) only after authenticating credentials (e.g., a username
`and password) associated with a persona. In accordance with
`a feature of the invention, the number of devices that a
`particular persona may activate may be limited by rate and
`or by number(e.g., five activations within a first 90 day
`period, followed by an additional activation for every sub-
`sequent 90 dayperiod, up to a maximumof ten activations),
`thereby preventing the unchecked proliferation of devices on
`which individualized content can be rendered. As one
`
`bh a
`
`a
`
`4
`
`45
`
`Asthe availability and use of computers and palm-sized
`~
`electronic devices has increased, it has become commonfor 2
`documents to be transmitted and viewed electronically. With
`improving communication over infrastructures such as the
`Internet, there is a tremendous drive to provide enhanced
`services and content to the devices. Examples of services
`and content that may be provided are authored works, such
`as books or other textual material. Electronic distribution of
`text documentsis both faster and cheaper than conventional
`distribution of paper copies. The same principle applies to
`non-textual content, such as audio and video: electronic
`distribution of such content is generally faster and cheaper
`than the delivery of such content on conventional media
`(e.g., magnetic tape or optical disk). However, the lowcost
`and instantaneity of electronic distribution, in combination
`with the ease of copying electronic content, is at odds with
`the goal of controlled distribution in a mannerthat protects
`the rights of the owners ofthe distributed works.
`Once an electronic documentis transmitted to one party,
`it may be easily copied and distributed to others without
`authorization by the owner ofrights in the electronic docu-
`ment or, often, without even the owner’s knowledge. This
`type of illicit documentdistribution may deprive the author
`or content provider of royalties and/or income. A problem
`with many present delivery schemes is that they may make
`no provisions for protecting ownership rights. Other systems
`attempt to protect ownership rights, but however, are cum-
`bersome and inflexible and make the viewing/reading of the
`authored works (or otherwise rendering the authored works,
`in the case of non-text content such as music, video, etc.)
`difficult for the purchaser.
`Thus, in view ofthe above, there is a need for animproved -
`digital rights management system that allows ofdelivery of
`electronic works to purchasers in a manner that protects
`ownership rights, while also being flexible and easy to use.
`There is also a need for the system that provides flexible
`levels of security protection and is operable onseveral client
`platforms such that electronic content may be viewed/
`rendered by its purchaser on each platform. The digital
`rights management system of the present invention advan-
`tageously provides solutions to the above problems which
`protect the intellectual property rights of content owners and
`allow for authors or other content owners to be compensated
`for their creative efforts, while ensuring that purchasers are
`not over-burdened by the protection mechanism.
`SUMMARY OF THE INVENTION
`
`°
`
`60
`
`65
`
`A server architecture is provided which supports the
`distribution of protected content in a digital rights manage-
`
`13
`
`13
`
`
`
`US 7,047,411 Bl
`
`3
`example use ofthis technique, protected content may be
`distributed as a file that includes content encrypted with a
`symmetric key, where the symmetric key itself is provided
`via a license construct embedded in the file in a form
`encrypted by the certificate’s public key, thus making it
`necessary to have both the activation certificate and accom-
`panying secure repository prior to interacting with the
`licensed content.
`
`4
`whenupdates to information stored onthe fulfillment server
`are made whichaffect the content item stored in the cache,
`the fulfillment server may use the messaging service to send
`messages to the various download servers indicating that the
`item should be invalidated in the download server caches.
`Other features of the invention are described below.
`
`ay
`
`wa
`
`4
`
`45
`
`‘The distribution server arrangement includes one or more
`retail servers and one or more fulfillmentsites. Retail servers
`sell protected content (or otherwise enlist users to receive
`protected content). Fulfillmentsites providethe actual con-
`tent that has beensold by the retail servers. The operator of
`a retail server may be a different entity from the operator of
`a fulfillmentsite, thereby making it possible for a retailer to
`sell protected content simply by entering into an agreement
`whereby a fulfillment site will provide content sold by the
`retailer. This allows the retailer to sell content without
`investing in the means to store or distribute the content. In
`one example,theretailer and the fulfillment site agree ona 2
`secret (e.2., a cryptographic key), and the retailer equips its
`server with software that uses the secret
`to create an
`encrypted instruction to provide the content to the purchaser.
`The retailer may then allowthe purchaser to “fulfill” his or
`her purchase by providing an HTTP request to the purchaser
`(e.g., a POST request rendered as a hyperlink on a “receipt”
`or “confirmation” web page), where the HTTP request
`contains the address of the fulfillment site and the encrypted
`instruction. In the case of content requiring some level of
`individualization, the encrypted instruction may include the
`individualization information (e.g., the purchaser’s name,
`or,
`in the case of “fully individualized” content, the pur-
`chaser’s activation certificate). The fulfillmentsite receives
`the encrypted instruction when the purchaserclicks on the
`link, and the fulfillmentsite uses the shared secret to decrypt
`the instruction and provide the content in accordance there-
`with. A component object model (COM) object may be
`provided to the retailer which creates the encrypted instruc-
`tion,
`The fulfillment site may be organized as a fulfillment
`server plus one or more “download” servers and a content
`store. The content store stores content to be distributed to
`consumers. The fulfillment server maintains databases of
`information related to the fulfillment of content orders, such
`as the physical location of content items andthe secret(e.g.
`the cryptographic key) necessary to decrypt
`instructions
`received fromthe retailer. The download servers performthe
`actual downloading of content to consumers/purchasers of
`the content, as well as any preparation of the contentthatis
`necessary to meet the protection requirements associated 5
`with the content (e.g., the download server may perform
`individualization of the content). Each download server may
`have a cache, where the download server obtains a copy of
`acontent item from the content store (in accordance with the
`location specified in the fulfillment server database) the first
`time that download server is called upon to process a
`download ofthat item, where the download server stores the
`itemin the cache for future downloads. The cache may have
`limits associated therewith, and it may expire items out of
`the cache based on an algorithm such as a “least recently
`used” algorithm. The download server may also provide
`information regarding the downloadsthatit processes to the
`fulfillment server for entry into a log. The download server
`may provide this information in the form of messages
`through an asynchronous messaging, such as MICROSOFT
`MESSAGE QUEUE (MSMQ). The fulfillment server may
`store the informationin a “logging database.” Additionally,
`
`5
`
`60
`
`65
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`The foregoing summary, as well as the following detailed
`description, is better understood when read in conjunction
`with the appended drawings. For the purpose of illustrating
`the invention,
`like references numerals represent similar
`parts throughout the several views of the drawings, it being
`understood, however, that the invention is not limited to the
`specific methods and instrumentalities disclosed.
`In the
`drawings:
`FIG. 1 is an exemplary electronic book (eBook) title file
`format;
`FIG. 2 is a block diagram showing an exemplary com-
`puting environment in which aspects of the present inven-
`tion may be implemented;
`FIG. 3 is a block diagram of an embodimentofa first
`server architecture implementing aspects of a digital rights
`management system in accordance with the invention;
`FIG. 4 is a block diagram of an embodiment of a second
`server architecture implementing aspects of a digital rights
`management system in accordance with the invention:
`FIG. 5 is a block diagram illustrating certain interactions
`within a content provider server in accordance with aspects
`ofthe invention;
`
`FIG. 6 is a block diagram showing components of an
`asynchronous fulfillment pipeline in accordance with
`aspects of the invention;
`FIG. 7 is a flow diagram illustrating the process of
`generating a license in accordance with aspects of the
`invention:
`FIG. 8 is a flow diagram illustrating a client reader
`activation process in accordance with aspects of the inven-
`tion; and
`FIGS. 9 and 10 are flow and block diagramsillustrating
`an eCommerce flow in accordance with aspects of the
`invention.
`
`DETAILED DESCRIPTION OF THE
`INVENTION
`
`The present invention 1s directed to a system for process-
`ing and delivery of electronic content wherein the content
`maybe protected at multiple levels. A preferred embodiment
`of the invention is described, which is directed to the
`processing and delivery of electronic books, however, the
`invention is not limited to electronic books and may include
`all digital content such as video, audio, software
`executables, data, etc.
`Overview
`
`The success of the electronic book industry will undoubt-
`edly require providing the existing book-buying public with
`an appealing, secure, and familiar experience to acquireall
`sorts oftextual material. This material may include “free” or
`low-cost material
`requiring little copy protection,
`to
`“premium-quality” electronic booktitles (herein “eBooks”)
`requiring comprehensive rights protection.
`In order to
`enable a smoothtransition from the current distribution and
`retail model for printed booksinto anelectronic distribution
`system, an infrastructure must exist to ensure a high level of
`
`14
`
`14
`
`
`
`US 7,047,411 Bl
`
`5
`copy protection for those publications that demand it, while
`supporting the distribution oftitles that require lower levels
`of protection.
`The Digital Rights Management (DRM) and Digital Asset
`Server (DAS) systems of the present
`invention advanta-
`geously provides such aninfrastructure. The present inven-
`tion makes purchasing an eBook more desirable than “steal-
`ing” (e.g., making an unauthorized copy of) an eBook. ‘The
`non-intrusive DRM system minimizes piracy risk, while
`increasing the likelihood that any piracy will be offset by
`increased sales/distribution of books in the form of eBooks.
`In addition, the present invention provides retailers with a
`system that can be rapidly deployed at a low-cost.
`The primary users of the DRM Systemare publishers and
`retailers, who use and/or deploy the DRM Systemto ensure
`legitimacy of the content sold as well as copy protection.
`Exemplary users of the DRM System maybethe traditional
`publisher, the “leading edge” publisher, and the “hungry
`author.” The traditional publisher is likely to be concerned
`~
`about losing revenue from their printed book publishing 5
`operation to eBook piracy. The leading edge publisher is not
`necessarily concerned with isolated incidents of piracy and
`may appreciate that eBooks commerce will be most suc-
`cessful
`in a system where consumers develop habits of
`purchase. Meanwhile, the hungry author, who wouldlike to
`collect money for the sale of his or her works,
`is more
`interested in attribution (e.g.,
`that the author’s name be
`permanently bound to the work).
`As will be described in greater detail below, the DRM
`System of the present invention accomplishes its goals by
`protecting works, while enabling their rightful use by
`consumers, by supporting various “levels” ofprotection. At
`the lowest
`level
`(“Level 1°),
`the content source and/or
`provider may choose no protection via unsigned and
`unsealed (clear-text) eBooks that do not include a license. A
`next
`level of protection (“Level 2”) is “source sealed,”
`which meansthat the content has been encrypted and sealed
`with a key, where the seal is made using a cryptographic
`hash of the eBook’s title’s meta-data (see below) and the key
`is necessary to decrypt the content. Source sealing guards
`against
`tampering with the content or its accompanying
`meta-data after the title has been sealed, since any change to
`the meta-data will renderthe title unusable; however, source
`sealing does not guarantee authenticity of the a copy of the
`title (1.e., source sealing does not provide a mechanism to
`distinguish legitimate copies from unauthorized copies). In
`the case of the “hungry author,” the author’s name may be
`included in the meta-data for permanent binding to the
`content, thereby satisfying the “hungry author’s” goal of
`attribution. A next level of protection (“Level 3”) is “indi-
`vidually sealed” (or “inscribed”). An “individually sealed”
`title is an eBook whose meta-data includes information
`
`ay
`
`a
`
`4
`
`45
`
`s
`
`6
`Personal Digital Assistant (PDA), PocketPC, or a purpose-
`built
`reading device). Authenticity may preferably be
`defined in three varieties: “tool signed,” which guarantees
`that the eBook title was generated by a trusted conversion
`and encryptiontool; “owner signed,” whichis a tool signed
`eBookthat also guarantees the authenticity of the content in
`the copy (e.g.,
`the owner may be the author or other
`copyright holder); and “provider signed,” which is a tool
`signed eBook that attests to the authenticity of its provider
`(e.g., the publisheror retailer of the content). ‘The “tool,” the
`owner, and the provider may each have their own asymmet-
`ric key pair to facilitate the creation and validation of digital
`signatures ofthe information. A title may be both provider
`signed and source signed, whichfacilitates authentication of
`the distribution channelof the title (e.g., through a signature
`chain in the copy). The strongest level of protectionis “fully
`individualized” or “owner exclusive” (“Level 5”). “Fully
`individualized” titles can only be opened by authenticated
`reader applications that are “activated”for a particular user,
`thereby protecting against porting of a title from one per-
`son’s reader (or readers) to a reader that is not registered to
`that person. In order for the reader of the present invention
`to open a title protected at Level 5, the Reader must be
`“activated” (i.e., the device on whichthe reader resides must
`have anactivation certificate for a particular persona, and a
`secure repository). The process ofactivation is described in
`greater detail below with reference to FIG.8.
`The systems of the present
`invention also define an
`architecture for sharing information between a reader, a
`content provider and a content source, howthat information
`is used to “seal” titles at the various levels, and how that
`information must be structured. The availability of these
`choices will enable content sources to pick and choose
`which content will be sold to what users and using what
`protection (if any). The particular information may be used
`to sign and/orsealtitles for use by a reader, and a compatible
`reader (which,
`in the case of level 5, may be a reader
`activated for a particular persona) may unseal the title and
`enable reading of the eBook. eBook File Structure
`The DRM system ofthe present invention protects con-
`tent by incorporating it
`in a file structure, such as the
`exemplary structure shownin FIG, 1. Referring to FIG. 1,
`eBook 10 contains content 16, which is text such as a book
`(or any electronic content) that has been encrypted by a key
`(the “content key”), which itself has been encrypted and/or
`sealed. In a preferred embodiment, the key is a symmetric
`key 14A that is sealed with a cryptographic hash of meta-
`data 12 or, in the case oflevel 5 titles, with the public key
`ofthe user’s activation certificate. This key is stored either
`as a separate stream in a sub-storage section of the eBook
`file (DRM Storage 14 in the diagram) or, in the case oflevel
`5 titles, in the license. (In the case of level 5 titles, instead
`of storing the content key as a separate stream, stream 144A
`contains a license, whichis a construct that definesthe rights
`that the user can exercise upon purchase of thetitle. In titles
`that have a license, the content key is contained within the
`license.). Also included in the DRM storage 14 are the
`source stream 14B, which may include the name of the
`publisher (or other content source), as well as the bookplate
`stream 14C, which, for individually sealed (level 3 and/or
`level 5) titles, includes the consumer’s nameas provided by
`the retailer (which may, for example, be obtained as part of
`the commercial transaction of purchasi