1. The Field of the Invention
The present invention generally relates to digital rights management. More specifically, the present invention provides for protecting content within a digital rights management system for an entity.
2. Background and Related Art
Digital rights management (DRM) has become highly desirable among content owners, due in part to concerns over the distribution of copyrighted digital content (such as digital audio, digital video, digital text, digital data, digital multi-media, etc.) to users for consumption. Typical modes of distribution of such content include tangible devices such as magnetic (floppy) disk, magnetic tape, optical (compact) disc, DVD, etc. and intangible media such as electronic bulletin boards, electronic networks, the Internet, etc. Upon receiving the content, users consume it by rendering, playing or otherwise interacting with it with the aid of an appropriate rendering device such as a media player, personal computer, or the like.
Typically, a content provider, or rights owner, such as an author, publisher, broadcaster, etc. (hereinafter “content owner”), wishes to distribute such digital content to a user or a recipient in exchange for a license fee or some other consideration. Usually, however, content owners wish to restrict what the user can do with such distributed digital content. For example, the content owner may wish to restrict the user from copying and re-distributing such content to a second unauthorized user. Accordingly, content owners have used DRM to bind content to a specific device or limited group of devices.
FIG. 1 illustrates an example of a DRM system 100, which allows a content owner to bind content to a specific device or limited group of devices. In general, the licensing process is initiated by the content owner encrypting content and packaging and distributing the content to consumers via the Internet, CD, or other conventional means. Consumers may then receive a license for consuming the content in accordance with the business rules defined by the content owner. As noted above, traditionally these rules have required that the content be bound to a specific device or limited group of devices. The following describes how a license may be used to bind content to a specific device or limited group of devices in accordance with a typical DRM model.
A content owner usually encrypts and packages the content in accordance with any number of well-known processes. Typically, however, the content will be packaged to include the encrypted content and a header portion that includes information to assist a device in consuming the content. Further, the packaged content may use a license acquisition URL to point to a location where a license may be acquired. Moreover, there are a number of other optional and important data items which may be included within the packaged file, e.g., the private signing key used to sign the content header, the license key seed used to generate the key that is shared between the content owner and license issuer, etc.
The content 105 may be sent to a content distributor 140 and placed on a web or file server or streaming server for distribution. Consumer device 130 receiving the content may then be directed to the license acquisition URL that is embedded within the header (or other areas) of the file to acquire the appropriate license 125 for consuming content 105. Before license 125 can be requested and distributed by license issuer 115, the content owner sends to the license issuer 115 the business rules and sharing of secrets 110, which typically include the seed, public key and the business rules by which a license 125 will be granted. The rules 110 define how and under what conditions licenses may be distributed to users or consumer devices 130. For example, the rules may allow for the distribution of digital content to be played only a limited number of times, only for a certain total time, only on a certain type of machine, only on a certain type of media player, only by a certain type of user, only by a certain group of devices, etc. In any event, the license issuer 115 should be trusted in order to ensure that licenses 125 are issued in accordance with the appropriate business rules or requirements 110 as specified by the content owner.
Device 130 may obtain the content 105 from the content distributor 140 after paying such consideration 135 as defined by the content owner. As previously mentioned, in order to play the encrypted content 105 the consumer device 130 must first obtain a license 125 from the license issuer 115. A license request 120 is sent to the license issuer 115, which may include exchanging the content identification, information about the client computer 130 and other optional information. Based on the information received, the license issuer 115 responds with an appropriate license 125, thereby allowing the device 130 to consume the encrypted content 105.
FIG. 2 illustrates an implementation of how content 210 may be bound to the device 205 through the use of a license 215 that binds a certificate 220 to the content 210. The license 215 will typically include the encryption key (KC) to decrypt the content, the specified usage rights, information about the device 205, e.g., a device identity (D_ID), and other information. As previously mentioned, in order to tightly control the consumption of the content 210 the license is bound to a particular device or client computer 205 through the use of a certificate 220 that has the same D_ID and information specific to device 205. Similarly, content 210, encrypted with KC, includes a key identity (K_ID), which binds the content to the license that has the same K_ID. In other words, traditionally the license was valid only for device 205 and content 210, and therefore the content usually could only be consumed by the specific device 205.
Given the competing interests of consumers, who desire the ability to consume content on any number of devices (e.g., a desktop computer, a laptop computer, a hand-held device, devices within a car or home audio/visual system/network), various mechanisms have been created to extend licenses for consuming content to a set of devices that share both content and license. Sharing the same content and license on any of several devices more closely approximates the user's experience for tangible media, such as a CD, which may be played on any of several devices or even loaned to another.
FIG. 3 illustrates one example of how content and a license may be distributed within a domain or network 300 that includes multiple devices. Initially, device 305 requests and obtains content 310 and license 320 in accordance with a procedure similar to the one described above with regard to FIG. 1. Content 310 is encrypted and bound to a content license 320 through a key identifier (K_ID) that is specific to content 310. Rather than binding the license to a particular device, however, license 320 includes a device ecosystem or network identifier (N_ID), which binds the license to those devices that have the same N_ID. The necessary tools are also provided to generate and manage the unique network identifier N_ID, such that the content 310, license 320 and N_ID may be distributed throughout the network 300. For example, in the case of link encryption, such a system defines a framework in which devices can authenticate one another and content can flow provided the authentication was successful. As such, network device 330 may authenticate and link to device 305 in order to obtain the content 310, license 320 and N_ID for consuming the content. Similarly, device 335 may obtain license 320 and content 310 from device 330, and subsequently consume the content in accordance with the business rules defined within license 320 provided device 335 has also obtained the appropriate N_ID or certificate containing such.
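The bindings described with regard to FIGS. 2 and 3 can be expressed as a key-release check: KC is released only when the license's K_ID matches the content and its D_ID (device-bound) or N_ID (domain-bound) matches the device's certificate. The following Python example is added here for illustration and is not part of the original disclosure; the class and function names, the sample identifiers, and the rule that a license carries exactly one of D_ID or N_ID are assumptions, and signature verification of the license and certificate is assumed to have happened already.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Content:
    k_id: str           # key identity (K_ID) carried with the encrypted content
    ciphertext: bytes   # payload encrypted under KC; treated as opaque here

@dataclass(frozen=True)
class Certificate:
    d_id: str                    # device identity (D_ID)
    n_id: Optional[str] = None   # network identifier (N_ID), if the device holds one

@dataclass(frozen=True)
class License:
    k_id: str                    # binds the license to content with the same K_ID
    kc: bytes                    # content key (KC)
    d_id: Optional[str] = None   # set for a device-bound license (FIG. 2)
    n_id: Optional[str] = None   # set for a domain-bound license (FIG. 3)

def release_key(lic: License, content: Content,
                cert: Certificate) -> tuple:
    """Return (KC, reason) if both bindings hold, else (None, reason)."""
    if lic.k_id != content.k_id:
        return None, "K_ID mismatch: license is for different content"
    if (lic.d_id is None) == (lic.n_id is None):
        return None, "fail closed: license needs exactly one of D_ID or N_ID"
    if lic.d_id is not None:
        if cert.d_id != lic.d_id:
            return None, "D_ID mismatch: license bound to another device"
        return lic.kc, "device-bound license accepted"
    if cert.n_id != lic.n_id:
        return None, "N_ID mismatch: device is not in the licensed domain"
    return lic.kc, "domain-bound license accepted"

# Constructed sample values; identifiers echo the figure numerals for readability.
KC = bytes(16)
CONTENT_210 = Content(k_id="K-210", ciphertext=b"<opaque>")
DEVICE_LICENSE = License(k_id="K-210", kc=KC, d_id="D-205")
CONTENT_310 = Content(k_id="K-310", ciphertext=b"<opaque>")
DOMAIN_LICENSE = License(k_id="K-310", kc=KC, n_id="N-300")
CERT_205 = Certificate(d_id="D-205")
CERT_330 = Certificate(d_id="D-330", n_id="N-300")
CERT_335_NO_NID = Certificate(d_id="D-335")

if __name__ == "__main__":
    for lic, c, cert in [(DEVICE_LICENSE, CONTENT_210, CERT_205),
                         (DEVICE_LICENSE, CONTENT_210, CERT_330),
                         (DOMAIN_LICENSE, CONTENT_310, CERT_335_NO_NID)]:
        print(cert.d_id, release_key(lic, c, cert)[1])
```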
Although a domain or network distribution of protected content expands the number of devices on which content can be consumed, the content provider or owner, due to concerns over wide distribution of the content to unauthorized users, will typically restrict the domain to a limited number of devices or allow consumption of the protected content for a limited duration of time. As mentioned above, however, consumers have a competing interest of consuming content on any device they wish. As such, there exists a need to establish a fair compromise between these competing interests.