`
(19) World Intellectual Property Organization
International Bureau

(43) International Publication Date: 15 January 2004 (15.01.2004)

PCT

(10) International Publication Number: WO 2004/004855 A1

(51) International Patent Classification: A63F 13/00

(21) International Application Number: PCT/US2002/029927

(22) International Filing Date: 19 September 2002 (19.09.2002)

(25) Filing Language: English

(26) Publication Language: English

(30) Priority Data: 60/393,892, 5 July 2002 (05.07.2002), US

(71) Applicant (for all designated States except US): CYBERSCAN TECHNOLOGY, INC. [US/US]; 550 Hamilton Avenue, Palo Alto, CA 94301 (US).

(72) Inventors; and
(75) Inventors/Applicants (for US only): GATTO, Jean-Marie [FR/GB]; 46 Parkside, 29-46 Knightsbridge, London SW1X 7JP (GB). BRUNET DE COURSSOU, Thierry [FR/GB]; 15A Ives Street, London SW3 2ND (GB). BENEY, Pierre-Jean [FR/GB]; 9 Queensbury Mews West, London SW7 2DU (GB).

(74) Agent: YOUNG, Alan, W.; Young Law Firm, P.C., Suite 106, 4370 Alpine Road, Portola Valley, CA 94028 (US).

(81) Designated States (national): AE, AG, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, BZ, CA, CH, CN, CO, CR, CU, CZ, DE, DK, DM, DZ, EC, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, MZ, NO, NZ, OM, PH, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, TM, TN, TR, TT, TZ, UA, UG, US, UZ, VC, VN, YU, ZA, ZM, ZW.

(84) Designated States (regional): ARIPO patent (GH, GM, KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZM, ZW),

[Continued on next page]
`
`(54) Title: SECURE GAME DOWNLOAD
`
(57) Abstract: A method for gaming terminals, gaming kiosks and lottery terminals to ensure that the code-signing verification process of downloaded game software can be trusted. Drivers developed independently of the operating system supplier are embedded within the operating system kernel to verify that the micro-coded hardware components, the BIOS (808), the operating system components and the downloaded game software can be trusted.
`
`
`|
`Enter Trusted Verifier Driver
`
`y
`Take Full Contro! of Computer
`(disable ail interrupts)
`810=808
`812
`~
`SN NL
`no
`816
`
`818
`814 ———] Yes
`NN
`Verify Add-on Card BIOS -- OK 2
`no
`ES
`
`gon|Ot 822 ——~|
`
`
`
`
`
`WO2004/004855A1IfMTMNITNIITIINITIIIITMATITAA
`
`804
`
`806
`
`820
`
`
`
`Verify Motherboard BIOS ~ OK 2
`
`y
`
`
`
`
`
`Verify Additional Areas
`(memory, registers, etc.) -- OK ?
`
`
`
`Release Full Control of Computer
`(enable interrupts)
`
`|
`Exit Trusted Verifier Driver
`
`a
`
`834
`
` Verify Code Signature of
`Downloaded Code -- OK ?
`
`IPR2020-01288
Sony EX1006 Page 1
`
`
`
`
WO 2004/004855 A1

(84) Designated States (regional), continued: Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE, SK, TR), OAPI patent (BF, BJ, CF, CG, CI, CM, GA, GN, GQ, GW, ML, MR, NE, SN, TD, TG).

For two-letter codes and other abbreviations, refer to the "Guidance Notes on Codes and Abbreviations" appearing at the beginning of each regular issue of the PCT Gazette.

Published:
  with international search report
`
`
`
`
`WO 2004/004855
`
`PCT/US2002/029927
`
`SECURE GAME DOWNLOAD
`
`FIELD OF THE INVENTION
`
This invention relates generally to the field of casino gaming terminals, gaming kiosks and lottery gaming terminals.
`
`DESCRIPTION OF THE RELATED ART
`
On-line download of updated software and new games has been performed routinely with lottery terminals since the on-line capture of lottery slips started to be deployed in the late 1980s. The techniques and procedures have been refined over the years and are now considered essential features. On the other hand, casino regulators have always been reluctant to introduce on-line download of updated software and of new games for casino gaming machines. Such reluctance stems from concerns relative to unauthorized intrusion and malicious modification of software code. These concerns are understandable, particularly since the late 1990s, because of the general trend of constructing gaming terminals using standard PC hardware and PC software platforms that are subject to assault by hackers who are well versed in the techniques for taking advantage of the known weaknesses and flaws of such platforms. Even now with lotteries, the appeal of making use of the broadband public Internet network instead of private networking is considerable, but there are indeed significant security concerns and consequently new plans are blurred with uncertainty.

Although specialized download utilities and software update utilities such as Windows Installer, InstallShield and GetRight include data integrity verification mechanisms to ensure that the downloaded code is not corrupted, there is no mechanism to ensure that the code has not been tampered with. While secure Internet software download technologies such as Authenticode employ powerful PKI (Public Key Infrastructure) code signing, there is no fail-proof mechanism to ensure that the code has not been tampered with at a later stage. Once an authorized, properly signed software module has started execution, the operating system does not provide means to verify that the code loaded in memory has not been tampered with to execute fraudulent operations.
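The difference between an integrity check and a tamper check, as an added Python example that is not part of the patent. The module bytes, the attacker's edit and the key named signing_key are all constructed for this illustration, and an HMAC stands in for the PKI code signature (with a MAC the verifier must hold the same key, which is exactly what an asymmetric signature avoids). The point it shows is the one made above: the unkeyed digests shipped by install and download utilities are simply recomputed by whoever edits the package, so they catch corruption but not tampering, whereas a keyed value cannot be regenerated without the key.

```python
import hashlib
import hmac
import zlib

# Constructed sample "downloaded game module" (invented bytes, not from the patent).
ORIGINAL_MODULE = b"\x90" * 16 + b"PAYOUT_TABLE=0.95;" + b"\xcc" * 8


def checksum_manifest(blob: bytes) -> dict:
    """Unkeyed integrity data of the kind an update utility ships with a
    package: a CRC32 and a SHA-256 digest of the bytes."""
    return {
        "crc32": zlib.crc32(blob) & 0xFFFFFFFF,
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


def integrity_ok(blob: bytes, manifest: dict) -> bool:
    """Detects transmission corruption: recompute the digests and compare."""
    return (zlib.crc32(blob) & 0xFFFFFFFF == manifest["crc32"]
            and hashlib.sha256(blob).hexdigest() == manifest["sha256"])


def sign_module(blob: bytes, key: bytes) -> bytes:
    """Keyed stand-in for a code signature (HMAC-SHA256): without `key` no
    party can produce a value that verifies."""
    return hmac.new(key, blob, hashlib.sha256).digest()


def signature_ok(blob: bytes, signature: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign_module(blob, key), signature)


def corrupt_in_transit(blob: bytes) -> bytes:
    """One flipped bit: the failure mode checksums are designed for."""
    b = bytearray(blob)
    b[0] ^= 0x01
    return bytes(b)


def tamper_and_refresh_manifest(blob: bytes):
    """An attacker with write access to the package (server, transit or the
    terminal's disk) edits the code and regenerates the unkeyed manifest so
    that it matches the new bytes."""
    tampered = blob.replace(b"PAYOUT_TABLE=0.95", b"PAYOUT_TABLE=1.50")
    return tampered, checksum_manifest(tampered)


def demo() -> dict:
    signing_key = b"signer-key-stand-in"      # invented; held by the signing party
    manifest = checksum_manifest(ORIGINAL_MODULE)
    signature = sign_module(ORIGINAL_MODULE, signing_key)

    corrupted = corrupt_in_transit(ORIGINAL_MODULE)
    tampered, forged_manifest = tamper_and_refresh_manifest(ORIGINAL_MODULE)

    return {
        # Checksums catch accidental corruption...
        "corruption_detected_by_checksum": not integrity_ok(corrupted, manifest),
        # ...but a tamperer who refreshes the manifest passes the same check.
        "tamper_passes_checksum": integrity_ok(tampered, forged_manifest),
        # The keyed signature over the original still rejects the edited module.
        "tamper_passes_signature": signature_ok(tampered, signature, signing_key),
        "original_passes_signature": signature_ok(ORIGINAL_MODULE, signature, signing_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The attacker in tamper_and_refresh_manifest is the realistic one: anyone who can alter the package can also alter the manifest that travels with it, so a digest only proves that the two agree, not who produced them.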
`
Although software corporations like Microsoft have lately shifted their development focus to making their software more stable and very secure, there is always
`
`
the risk that an unknown bug or a back door exists somewhere amongst the millions of lines of code that would allow someone to perpetrate some form of cheat. Hidden back doors might be mandated by the United States' NSA (National Security Agency) to be incorporated in operating systems to enable them to monitor terrorism and drug trafficking. Consequently, some corrupt employees or ex-employees having inner knowledge of these back door accesses might be tempted to fraudulently exploit such inner knowledge. Microsoft operating systems and other modern operating systems such as Linux are too complex and constantly changing to consider comprehensive certification by labs traditionally trusted by game regulators for certifying gaming products made by gaming equipment vendors.

Moreover, using strong PKI code signing techniques does not guarantee that the code can be trusted once verified, because the "verifying" tool, or the tool that verifies the verifying tool (and so on), may itself not be trusted.

The approach of the Trusted Computing Platform Alliance (TCPA), whose specification was finalized in January 2001, calls for the creation of a Trusted Platform Module (TPM) that requires a discrete cryptographic processor residing on the PC's motherboard that contains a unique cryptographic key. Microsoft's security initiative code-named "Palladium", on the other hand, uses new forthcoming hardware security features built directly into microprocessors and supporting chipsets being designed by Intel, AMD and National in order to run some form of low-level encryption, and it can also use a TPM-like module for additional encryption. Microprocessors and supporting chipsets that implement Palladium may support a trusted execution mode that allows cryptographically authenticated programs access to a separate memory area. Such microprocessors may be equipped with a security coprocessor, which stores a unique pair of cryptographic keys in a non-volatile memory. Such a microprocessor and coprocessor may then be combined to create a motherboard that implements Palladium functionality. A corresponding software component, called the Trusted Operating Root, works in conjunction with the microprocessor and its coprocessor. The Trusted Operating Root running on the microprocessor and the coprocessor are configured to encrypt data in such a way that no other combination of Trusted Operating Root and coprocessor would be able to decrypt it.

The above security technologies are indeed promising but they require specific hardware that may take several years to be proven and to justify using them in gaming
`
`10
`
`15
`
`20
`
`25
`
`30
`
`IPR2020-01 288
`Sony EX1006 Page 4
`
`IPR2020-01288
`Sony EX1006 Page 4
`
`
`
`WO 2004/004855
`
`PCT/US2002/029927
`
terminals. Furthermore, there may always persist a lingering distrust of such large corporate software providers as, for example, Microsoft. Consequently, game regulators tend to hold back the deployment of such technologies, thereby discouraging the early adoption of networked multimedia software technologies as applied to the heavily regulated gaming industry.
`
SUMMARY OF THE INVENTION

There is no better alternative for casino and lottery gaming computer hardware than to adopt standard PC hardware controlled by the latest generation of multimedia software from Microsoft, QNX, WindRiver Systems, Unix or the Linux community. It is, therefore, an object of this invention to provide additional security mechanisms that can perform independent and trusted verification of the Commercial-Off-The-Shelf (COTS) software installed on the gaming terminals, mechanisms that can be trusted because of their precisely defined objectives and the availability of their source code for peer review and certification by gaming certification labs.

Gaming terminals, gaming kiosks and lottery terminals are hereafter collectively referenced as gaming machines, for ease of reference.

The most promising approach available today in a COTS multimedia product that offers comprehensive security for preventing unauthorized code from executing is integrated in Microsoft Windows XP, Windows 2000 and Windows .NET. There are three technologies that address three different layers; namely, (1) Driver Signing, (2) Windows File Protection and (3) Software Restriction Policies. These three technologies cover all but two aspects of possible execution of unauthorized modified software code, that is, (1) execution by modification of the motherboard BIOS or of other add-on boards such as a graphics card with on-board BIOS or a SCSI controller with dedicated on-board BIOS, and (2) execution by modification of an emulated CPU, such as the downloadable microcode for the Transmeta microprocessor that emulates Intel CPU instructions. Both run before, or beneath, the operating system, where none of the three operating-system mechanisms can observe them. The risk with emulated CPU instructions can be simply avoided by not allowing the use of such emulating microprocessors. It is, therefore, another object of this invention to provide a trusted mechanism to verify that the motherboard BIOS and add-on BIOS are not unauthorized. It is a further object of this invention to provide a trusted mechanism to verify memory content, hardware register content and any form of data storage media.

Verification, according to embodiments of the present invention, relies on a hash
`
`10
`
`15
`
`20
`
`25
`
`30
`
`IPR2020-01288
`Sony EX1006 Page 5
`
`IPR2020-01288
`Sony EX1006 Page 5
`
`
`
`WO 2004/004855
`
`PCT/US2002/029927
`
signature or on code signing with a trusted certificate.

It is to be noted that the present invention covers the prevention of execution of unauthorized software but not the authentication of users and processes, which is handled by the standard Access Control List (ACL) of the operating system.
`
According to one embodiment thereof, the present invention is a method for a gaming terminal to authorize execution of downloaded software, comprising the steps of running in the gaming machine a version of the Microsoft Windows operating system having Software Restriction Policy capability, and setting the Software Restriction Policy to authorize execution of software code-signed with a certificate from a designated trusted party.

The running step may run a version of the Microsoft Windows operating system having System File Protection capability. The running step may run a version of the Microsoft Windows operating system having Driver Signing capability. The method may further include the step of setting the Microsoft Driver Signing policy to only authorize execution of drivers code-signed with a certificate from Microsoft. A step of setting the Microsoft Driver Signing policy to only authorize execution of drivers that are code-signed with a certificate from at least one of Microsoft and a designated trusted party may also be carried out. The running step may run a version of the Microsoft Windows operating system having System File Protection and Driver Signing capabilities. The gaming machine may include a microprocessor, and the microprocessor and the operating system in the running step may collectively implement Microsoft's Palladium (or an equivalent) functionality. The operating system in the running step may be a Microsoft Windows operating system that, together with the microprocessor, implements Microsoft's Palladium, Windows File Protection and Driver Signing capabilities or like functionalities. The gaming machine may include a motherboard and the operating system in the running step may be a version of the Microsoft Windows operating system that, together with the motherboard, implements capabilities specified by the Trusted Computing Platform Alliance (TCPA) or similar functionalities. The gaming machine may include a microprocessor and the operating system in the running step may be a version of the Microsoft Windows operating system that, together with the microprocessor, implements TCPA, System File Protection or Windows File Protection, and Driver Signing.

According to another embodiment thereof, the present invention is also a method
`
`
for a gaming terminal to authorize execution of downloaded software, comprising the steps of: running an operating system that may include a configurable functionality for restricting code execution to code that has been signed by a designated trusted party, and configuring the restricting functionality to only authorize execution of software that is code-signed with a certificate from the designated trusted party.

The restricting functionality may conform to the Microsoft Software Restriction Policy, for example. The operating system in the running step may be configured to prevent a replacement of selected monitored or protected system files with files that do not originate from a trusted source. The trusted source may be the same as the designated trusted party. The operating system may include Microsoft's System File Protection (SFP) or Microsoft's Windows File Protection (WFP), for example. The operating system in the running step may be configured to only allow execution of drivers that have been code-signed with a certificate from a trusted source. The operating system may include Microsoft's Driver Signing and the trusted source may be Microsoft. The operating system in the running step may be configured to prevent a replacement of selected monitored or protected system files with files that do not originate from a trusted source, and to only allow execution of drivers that have been code-signed with a certificate from the trusted source, such as, for example, Microsoft. The operating system in the running step may incorporate Microsoft's Driver Signing and Microsoft's System File Protection (SFP) or Microsoft's Windows File Protection (WFP), for example. The gaming machine may include a microprocessor and supporting chipsets that, together with the operating system in the running step, implement a Palladium-like capability. The machine may include a microprocessor and supporting chipsets that, together with the operating system in the running step, implement Palladium-like, System File Protection and Driver Signing capabilities. The gaming machine may include a motherboard that, together with the operating system in the running step, implements capabilities specified by the Trusted Computing Platform Alliance (TCPA). The gaming machine may include a microprocessor that, together with the operating system in the running step, implements TCPA, and Microsoft's Windows File Protection and Driver Signing.

According to still another embodiment thereof, the present invention may also be viewed as a method for operating a gaming machine, comprising the steps of running an operating system loaded in the gaming machine; downloading at least one software
`
`10
`
`15
`
`20
`
`25
`
`30
`
`IPR2020-01288
`Sony EX1006 Page 7
`
`IPR2020-01288
`Sony EX1006 Page 7
`
`
`
`WO 2004/004855
`
`PCT/US2002/029927
`
module into the gaming machine; checking a code signature of at least one downloaded software module using a trusted verification driver, and authorizing execution of the downloaded software module in the gaming machine only if the downloaded software module is successfully verified by the trusted verification driver.

The running step may run an operating system that is configured to prevent the replacement of selected monitored or protected system files within the gaming machine with files that do not originate from a trusted source. The running step may run an operating system that may include Microsoft's System File Protection (SFP) or Microsoft's Windows File Protection (WFP). The operating system in the running step may cause the authorizing step to authorize execution of the downloaded software module only if the downloaded software module has been code-signed with a certificate from a trusted source. The running step may run an operating system that may include Microsoft's Driver Signing and the trusted source may be Microsoft. The downloaded software module may include a driver and the method may further include the step of setting a Microsoft Driver Signing policy to cause the authorizing step to only authorize execution of drivers that are code-signed with a certificate from Microsoft. The method may further include the step of setting a Microsoft Driver Signing policy to cause the authorizing step to only authorize execution of drivers that are code-signed with a certificate from Microsoft and/or a designated trusted source. The operating system in the running step may be a Microsoft Windows operating system that includes System File Protection and/or Driver Signing capabilities. The gaming machine may include a microprocessor that, together with the operating system in the running step, implements Microsoft's Palladium capability or similar capabilities from other vendors. The gaming machine may include a microprocessor that, together with the operating system in the running step, implements Microsoft's Palladium, Windows File Protection and/or Driver Signing capabilities, for example. The gaming machine may include a motherboard that, together with the operating system in the running step, implements capabilities specified by the Trusted Computing Platform Alliance (TCPA). The operating system in the running step may be a Microsoft operating system, for example. The operating system in the running step may be a Microsoft operating system implementing TCPA, System File Protection or Windows File Protection, and/or Driver Signing, for example. The operating system in the running step may include the Microsoft Software Restriction Policy or a similar functionality from another vendor.
`
`
The present invention may also be viewed as a method for verifying gaming terminal software, comprising the steps of installing at least one driver into the gaming machine; taking complete control of the gaming machine with the at least one driver; verifying the legitimacy of all software and memory content in the gaming machine; relinquishing control of the gaming machine, and authorizing the gaming machine to execute only the software that has been successfully verified. The verification step may include a challenge-response step to ensure that the trusted verifier driver has not been spoofed and/or that the trusted verifier driver is executing.

The driver(s) may be configured to execute at the highest machine permission level. The taking step may include a step of freezing an operation of the operating system of the gaming machine. The taking step may also include a step of disabling interrupts on the gaming machine. The verifying step may include verifying a BIOS of a motherboard of the gaming machine. The verifying step may include verifying a BIOS of any add-on board within the gaming machine. The verifying step may include verifying ROM shadowing within the gaming machine, verifying hardware registers, verifying a signature in memory of the at least one driver, verifying the content of files on disk within the gaming machine and/or verifying the downloadable micro-code of smart hardware within the gaming machine, for example. The method may further include a step of auditing the source code of the driver(s) by a third party. The source code of the driver(s) may also be audited by a game certification lab. The method may further include a step of certifying the driver(s) by a game certification lab and/or by a third party. The gaming machine may be controlled by a PC, the driver(s) may be code-signed and the installing step may be triggered by one or more plug-and-play dongles inserted in one or more ports of the PC. The driver(s) installed in the installing step may be code-signed by Microsoft's WHQL or another certifying agency, for example. The verifying step may verify the legitimacy of the software and memory contents without modifying the content thereof, and the method may further include a step of reporting an outcome of the verifying step. The gaming machine may further include a third party dongle installed therein, and the driver(s) may be linked to the third party dongle to enable the third party to audit the driver(s). The gaming machine may further include a hard disk drive that includes a partition formatted for simple file access (by means of a FAT, for example), and the method may further include a step of accessing code-signed downloaded software from the simple file access partition of the hard disk drive.
`
`
The hard disk drive partition may be formatted according to the FAT2 protocol, for example.

The verifying step may verify the memory content stored on one or more of the following within the gaming machine: a hard disk drive of the gaming machine, an optical memory of the gaming machine, flash memory of the gaming machine, non-volatile RAM memory of the gaming machine, ferromagnetic memory of the gaming machine, magnetic memory of the gaming machine, and/or holographic memory of the gaming machine, for example.
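A model of the verification sequence described above (install the driver, take control, measure without modifying, release control, report, authorize) together with the challenge-response step, as an added Python example that is not from the patent. The kernel-mode parts (running at the highest permission level, disabling interrupts, reading BIOS and option-ROM images or hardware registers) cannot be reproduced in a user-space script; they are represented by the take_full_control/release_full_control calls and by constructed byte strings. The region names, golden bytes, nonce and the shared response key are invented assumptions. Measurement is a SHA-256 hash signature compared against a manifest fixed at certification time, which is one of the two verification bases the summary names; the challenge-response uses an HMAC keyed with a secret only the genuine verifier holds, one plausible realisation of the step the summary mentions without prescribing.

```python
import hashlib
import hmac

# Constructed stand-ins for what the driver reads (invented bytes): motherboard
# BIOS, an add-on card option ROM, the verifier's own image in memory, a
# hardware register snapshot and a downloaded game file on the FAT partition.
GOLDEN_REGIONS = {
    "motherboard_bios": b"MB-BIOS-1.02" + bytes(range(64)),
    "addon_scsi_bios": b"SCSI-OPTROM-4.1" + bytes(range(32)),
    "verifier_driver_image": b"TRUSTED-VERIFIER-DRIVER" + b"\x00" * 8,
    "hw_registers": b"\x00\x01\x02\x03\x10\x20\x30\x40",
    "fat:/games/reels.exe": b"MZ" + b"\x90" * 48,
}


def measure(region: bytes) -> str:
    """Hash signature of one region. The driver only reads; it never writes."""
    return hashlib.sha256(region).hexdigest()


def build_manifest(regions: dict) -> dict:
    """Golden measurements fixed at certification time (lab side)."""
    return {name: measure(data) for name, data in regions.items()}


def report_digest(report: dict) -> bytes:
    """Canonical digest of a report, so the response is bound to its content."""
    canon = ";".join(f"{k}={int(v)}" for k, v in sorted(report.items()))
    return hashlib.sha256(canon.encode()).digest()


class TrustedVerifier:
    """Models the driver's critical section: take control, measure, release."""

    def __init__(self, manifest: dict, response_key: bytes):
        self.manifest = manifest
        self._key = response_key            # assumed secret embedded in the driver
        self.interrupts_enabled = True
        self.last_report = None

    def take_full_control(self):
        # Stand-in for "disable all interrupts": nothing else runs meanwhile.
        self.interrupts_enabled = False

    def release_full_control(self):
        self.interrupts_enabled = True

    def verify_all(self, live_regions: dict) -> dict:
        """One read-only pass over every region in the manifest. A region that
        is missing, or whose measurement differs from the golden value, fails."""
        self.take_full_control()
        try:
            report = {}
            for name, expected in self.manifest.items():
                data = live_regions.get(name)
                report[name] = data is not None and hmac.compare_digest(measure(data), expected)
        finally:
            self.release_full_control()     # always re-enable, even on error
        self.last_report = report
        return report

    def respond(self, challenge: bytes) -> bytes:
        """Challenge-response: only a verifier holding the key, and only for
        this nonce and this report, can produce the value."""
        if self.last_report is None:
            raise RuntimeError("no verification has been run")
        return hmac.new(self._key, challenge + report_digest(self.last_report), hashlib.sha256).digest()


def authorize_execution(report: dict) -> bool:
    """Downloaded code may run only if every check in the report passed."""
    return bool(report) and all(report.values())


def supervisor_accepts(key: bytes, challenge: bytes, report: dict, response: bytes) -> bool:
    """Supervisor side: recompute the expected response. A spoofed verifier
    (no key), a replayed nonce or a substituted report all fail here."""
    expected = hmac.new(key, challenge + report_digest(report), hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    key = b"verifier-response-key"                       # invented shared secret
    manifest = build_manifest(GOLDEN_REGIONS)
    verifier = TrustedVerifier(manifest, key)
    challenge = b"\x5a\xa5\x12\x34\x56\x78\x9a\xbc"      # constructed nonce

    clean_report = verifier.verify_all(GOLDEN_REGIONS)
    clean_response = verifier.respond(challenge)

    # Add-on card option ROM modified by one byte.
    tampered = dict(GOLDEN_REGIONS)
    rom = bytearray(tampered["addon_scsi_bios"])
    rom[-1] ^= 0xFF
    tampered["addon_scsi_bios"] = bytes(rom)
    tampered_report = verifier.verify_all(tampered)

    # A spoofed verifier that claims the clean report but lacks the key.
    spoof = hmac.new(b"guess", challenge + report_digest(clean_report), hashlib.sha256).digest()

    return {
        "clean_authorized": authorize_execution(clean_report),
        "clean_response_accepted": supervisor_accepts(key, challenge, clean_report, clean_response),
        "failed_regions": [n for n, ok in tampered_report.items() if not ok],
        "tampered_authorized": authorize_execution(tampered_report),
        "spoof_response_accepted": supervisor_accepts(key, challenge, clean_report, spoof),
        "interrupts_restored": verifier.interrupts_enabled,
    }
```

The try/finally around the measurement loop is the part worth copying into a real driver: a verifier that can fail with interrupts still disabled hangs the machine, which is a worse outcome for a regulated terminal than a failed check.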
`
The present invention, according to another embodiment thereof, may be seen as a gaming machine, comprising: at least one processor; at least one data storage device; a plurality of processes spawned by the at least one processor, the processes including processing logic for carrying out steps of: running an operating system loaded in the gaming machine; downloading at least one software module into the gaming machine; checking a code signature of at least one downloaded software module using a trusted verification driver, and authorizing execution of the downloaded software module in the gaming machine only if the downloaded software module is successfully verified by the trusted verification driver.

The present invention is also a gaming machine, comprising: at least one processor; at least one data storage device; a plurality of processes spawned by the at least one processor, the processes including processing logic for carrying out steps of: installing at least one driver into the gaming machine; taking complete control of the gaming machine with the at least one driver; verifying the legitimacy of all software and memory content in the gaming machine; relinquishing control of the gaming machine, and authorizing the gaming machine to execute only the software that has been successfully verified.
`
BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 illustrates a new game deployment cycle.
Fig. 2 illustrates a conventional code signing process.
Fig. 3 illustrates a conventional code verification process.
Fig. 4 illustrates an aspect of the present invention, in which the code signature verification platform is itself verified.
Fig. 5 shows a simplified layered view of the Microsoft security model.
Fig. 6 illustrates the proposed Microsoft Palladium technology.
`
`
Fig. 7 shows a trusted mechanism for verifying the code signing of downloaded game software in a gaming machine, according to an embodiment of the present invention.
Fig. 8 shows a first method for trusted verification according to an embodiment of the invention.
Fig. 9 shows a second method for trusted verification, according to another embodiment of the present invention.
Fig. 10 shows a third method for trusted verification, according to yet another embodiment of the present invention.
Fig. 11 shows an embodiment of the invention using the Microsoft Windows Hardware Quality Lab (WHQL) scheme.
Fig. 12 shows an embodiment of the invention using the Microsoft Driver Signing scheme.
Fig. 13 shows an embodiment of the present invention that uses a disk partitioning scheme.
Fig. 14 shows an embodiment of the invention that uses a plug-and-play dongle for the activation of the trusted driver.
Fig. 15 shows a challenge-response sequence according to an embodiment of the present invention.
`
DETAILED DESCRIPTION OF THE INVENTION

Reference will now be made in detail to the construction and operation of preferred implementations of the present invention illustrated in the accompanying drawings. The following description of the preferred implementations of the present invention is only exemplary of the invention. The present invention is not limited to these implementations, but may be realized by other implementations.

A new game deployment campaign whereby one or a plurality of gaming machines are to receive a new game is represented in Fig. 1. The flowchart 100 starts at 102 when the decision to initiate a project to develop and release a new game is made. The game developer 106 develops a new game application 104 whose code must be certified at 108 by a recognized certification lab 110. The certified code must then be signed 112 by a trusted party 114 that is registered with a certificate issuing authority (CA) 116. The trusted party 114 may be the certification lab 110. The signed code is
`
`10
`
`15
`
`20
`
`25
`
`30
`
`IPR2020-01288
`Sony EX1006 Page 11
`
`IPR2020-01288
`Sony EX1006 Page 11
`
`
`
`WO 2004/004855
`
`PCT/US2002/029927
`
`10
`
stored in a library 118 on a server on a game operator's central system 120.

When the decision to deploy the new game 122 is taken by the game operator, the game terminal(s) enter into a remote download session of the code stored in the library 124 located in the game operator's central system 120. Prior to downloading, the code stored in the library may be verified for proper code signing to ensure the code has not been replaced in the library. Upon receiving the downloaded code, the gaming machine or terminal 126 executes a program to verify the code signature of the downloaded code, as shown at 128. If the downloaded code cannot be trusted, the code is trashed or quarantined as shown at 130, 132. If the downloaded code can be trusted (successfully passes the verification), it is stored locally in persistent memory in the gaming machine, as shown at 130, 134. Persistent memory may include, for example, a hard disk, an optical disk, a flash memory, One-Time-Programming (OTP) memory, a magnetic memory, a holographic memory and a battery backed-up RAM.

When the new game is requested to execute the downloaded code, the stored signed code is retrieved at 138 and its code signature is verified again, so that a copy modified on the terminal's own storage after download is caught as well. If the retrieved downloaded code cannot be trusted, the code is trashed or quarantined as shown at 142, 144. If the retrieved downloaded code can be trusted, it is executed at 142, 146.

As noted by Eric Fleishman in Code Signing, The Internet Protocol Journal, Volume 5, Number 1, March 2002, code signing is a mechanism to sign executable content. The phrase "executable content" refers to presenting executable programs in a manner so that they could be run locally, regardless of whether the executable file originated locally or remotely. Code signing is commonly used to identify authorship of applications distributed via the Internet. Device drivers can be code-signed to inform an operating system of the authorship of that driver. For example, the device drivers for Windows 98/ME/2K/XP operating systems should preferentially be certified by Microsoft's device driver certification laboratory. That entity signs the device driver executable in order to certify that the device driver in question has indeed been successfully demonstrated by a Microsoft certification laboratory to correctly run on that operating system. Code signing may be applied to other types of files; for example, Microsoft .CAB files. Code signing provides only authenticity and integrity for electronic executable files and some other data files; it does not provide user/process privacy, authentication, or authorization.

A signature provides authenticity by assuring users as to where the code
`
`10
`
`15
`
`20
`
`25
`
`30
`
`IPR2020-01288
`Sony EX1006 Page 12
`
`IPR2020-01288
`Sony EX1006 Page 12
`
`
`
`WO 2004/004855
`
`PCT/US2002/029927
`
`11
`
came from and who really signed it. If the certificate originated from a trusted third-party Certificate Authority (CA), then the certificate embedded in the digital signature as part of the code-signing process provides the assurance that the CA has certified that the code signer is who he or she claims to be. Integrity is provided by a signed hash, which serves as evidence that the resulting code has not been tampered with since it was signed.

Code signing appends a digital signature to the executable code itself. This digital signature provides enough information to authenticate the signer as well as to ensure that the code has not been subsequently modified.

Code signing is an application within a PKI system. A PKI is a distributed infrastructure that supports the distribution and management of public keys and digital certificates. A digital certificate is a signed assertion (via a digital signature) by a trusted third party, known as the Certificate Authority (CA), which correlates a public key to some other piece of information, such as the name of the legitimate holder of the private key associated with that public key. The binding of this information then is used to establish the identity of that individual. All system participants can verify the name-key binding of any presented certificate by merely applying the public key of the CA to verify the CA digital signature. This verification process occurs without involving the CA.

"Public key" refers to the fact that the cryptographic underpinnings of PKI systems rely upon asymmetric ciphers that use two related but different keys: a public key, which is generally known, and a private key, which should be known only by the legitimate holder of the key pair.

The certificates used to sign code can be obtained in two ways: they are either created by the code signers themselves by using one of the code-signing toolkits, or obtained from a CA. The signed code itself reveals the certificate origin, clearly indicating which alternative was used. The preference of code-signing systems (and of the users of signed code) is that the certificates come from a CA, and CAs, to earn the fee they charge for issuing certificates, are expected to perform "due diligence" to establish and verify the identity of the individual or institution identified by the certificate. As such, the CA stands behind (validates) the digital certificate, certifying that it was indeed issued only to the individual (or group) identified by the certificate and that the identity of that individual (or group) has been verified as stated. The CA then digitally signs the
`
`10
`
`15
`
`20
`
`25
`
`30
`
`IPR2020-01288
`Sony EX1006 Page 13
`
`IPR2020-01288
`Sony EX1006 Page 13
`
`
`
`WO 2004/004855
`
`PCT/US2002/029927
`
`12
`
certificate in order to formally bind this verified identity with a given private and public key pair, the public half of which is logically contained within the certificate itself. This key pair will subsequently be used in the code-signing process.
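The chain just described, as an added Python example that is not part of the patent or of Fleishman's article: the CA signs the certificate binding a name to a public key; the terminal checks that signature with the CA's public key, then checks the code signature with the key carried in the certificate, and the CA is never contacted. The same call also serves the Fig. 1 steps of verifying on download and again before execution, and it shows why a certificate the signer made for themselves is distinguishable from a CA-issued one. To stay on the Python standard library the block uses a toy textbook RSA (no padding, 512-bit keys, Python 3.8+ for pow(e, -1, phi)) purely to show the structure; real code signing uses PKCS#1 and X.509 through a vetted library. The CA name, publisher name, game bytes and the "Rogue" self-issued certificate are invented.

```python
import hashlib
import secrets

# Toy textbook RSA (no padding) so the example needs only the standard library.
# It illustrates the trust chain; never use raw RSA like this in a real system.


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Returns (public, private) as ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _h(data: bytes) -> int:
    # SHA-256 as an integer; 256 bits < n, so it is never reduced modulo n.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data: bytes) -> int:
    n, d = private
    return pow(_h(data), d, n)


def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _h(data)


def _tbs(subject: str, public, issuer: str) -> bytes:
    """'To be signed' fields of a certificate: the binding the issuer vouches for."""
    return f"{subject}|{issuer}|{public[0]}|{public[1]}".encode()


def issue_certificate(subject: str, public, issuer: str, issuer_private) -> dict:
    return {"subject": subject, "public": public, "issuer": issuer,
            "signature": sign(issuer_private, _tbs(subject, public, issuer))}


def sign_code(code: bytes, signer_private, signer_cert: dict) -> dict:
    """Signed package: the code, the signature over it, and the signer's certificate."""
    return {"code": code, "certificate": signer_cert, "signature": sign(signer_private, code)}


def verify_signed_code(package: dict, trusted_ca: dict):
    """Terminal side. Needs only the CA's name and public key; the CA is not
    contacted. Returns (ok, reason)."""
    cert = package["certificate"]
    if cert["issuer"] != trusted_ca["name"]:
        return False, "certificate not issued by the trusted CA (self-made or other CA)"
    if not verify(trusted_ca["public"], _tbs(cert["subject"], cert["public"], cert["issuer"]),
                  cert["signature"]):
        return False, "CA signature on the certificate does not verify"
    if not verify(cert["public"], package["code"], package["signature"]):
        return False, "code signature does not verify (code modified or wrong key)"
    return True, f"signed by {cert['subject']}, certified by {trusted_ca['name']}"


def demo() -> dict:
    ca_public, ca_private = generate_keypair()
    trusted_ca = {"name": "Example Gaming CA", "public": ca_public}    # invented
    pub, priv = generate_keypair()
    cert = issue_certificate("Example Game Publisher", pub, trusted_ca["name"], ca_private)
    game = b"MZ" + b"\x90" * 32 + b"PAYOUT=0.95"                        # constructed
    package = sign_code(game, priv, cert)
    # Code edited after signing: the hash no longer matches the signature.
    tampered = dict(package, code=game.replace(b"0.95", b"1.50"))
    # Certificate the signer issued to themselves (issuer == subject): no CA behind it.
    rogue_pub, rogue_priv = generate_keypair()
    rogue = sign_code(game, rogue_priv, issue_certificate("Rogue", rogue_pub, "Rogue", rogue_priv))
    return {
        "on_download": verify_signed_code(package, trusted_ca)[0],
        "before_execution": verify_signed_code(dict(package), trusted_ca)[0],   # stored copy
        "tampered": verify_signed_code(tampered, trusted_ca)[0],
        "self_signed": verify_signed_code(rogue, trusted_ca)[0],
    }
```

Note what the terminal holds: only the CA's name and public key. The CA's private key never leaves the CA and the publisher's private key never leaves the signer, which is the property the HMAC stand-in earlier in the document could not provide.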
`
`Code signing may be acc