A content provider that delivers encrypted content and a decryption program (such as from a web site) to computer systems may want to ensure that only authorized systems may execute that program. By including in the decryption program instructions that enable that program to identify the computer system that executes it, the program can determine whether that system is authorized to run the program. If the program determines that the system is not authorized, it can discontinue execution.
An embedded identifier stored within a computer system, such as a processor serial number (hereinafter described as a “processor number”), may provide an effective way for such a program to identify such a system—if the program can retrieve that identifier, e.g., via a ring 3 instruction. Such an instruction, however, exposes the same identifier each time a system chooses to identify itself. Although this may not be particularly significant when identifying a platform to a decryption program, providing access to such a platform identifier may enable tracking of a user's Internet activity, which could enable compilation of information that links the user to various web sites.
One way to impede collection of such information is to customize the identifier for each web site. For example, in response to an identification request, a computer system may return a hash value that is a function of a processor number and a key that is unique for each web site. See copending application Ser. No. 09/259,620, filed Feb. 26, 1999 and assigned to this application's assignee. As shown in FIG. 1, web sites 36a–c may provide unique keys 34a–c, respectively, which encryption unit 31 hashes with processor number 30, producing unique hash values 32a–c for identifying computer system 10 to each web site. As a result, each web site 36a–c may identify system 10 by a different hash value 32a–c, although each hash value is generated with a single processor number 30. Because each web site associates computer system 10 with a different hash value, information about a user of system 10 may not be correlated between databases that are maintained by different web sites.
To ensure that this safeguard is not circumvented by web sites 36a–c agreeing to use the same key, it may be desirable to require that each key correspond to an address or uniform resource locator (URL) of each web site 36a–c. A URL-based key may be reliably tied to a particular web site by making the instruction for accessing the hash value a ring 0 instruction. In response to a web site request for that hash value, the operating system can call a driver that has ring 0 privileges. The driver then causes the processor to validate the key, e.g., by checking it against the web site's URL—which may be retrieved from the browser. If the URL matches the key, then the processor executes instructions for hashing that key with the processor number and returns the resulting hash value to the web site. If the URL does not match the key, the web site's request is rejected.
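The per-site identifier scheme of FIG. 1 and the URL check performed by the ring 0 driver, as an added Python illustration (not code from the application or its assignee). It assumes a constructed placeholder processor number, takes the lower-cased host name of the site's URL as the site key, and uses HMAC-SHA256 as the hash function; the page specifies none of these details. The driver-side check rejects a site that presents another site's key, which is the collusion case the paragraph above guards against.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed placeholder standing in for processor number 30 of FIG. 1.
# A real implementation would read it from the processor, not a constant.
PROCESSOR_NUMBER = bytes.fromhex("00000000deadbeef0123456789abcdef")


def canonical_site_key(url: str) -> str:
    """The key a web site is entitled to use: its lower-cased host name.
    Tying the key to the URL is the page's requirement; deriving it from
    the host name is this example's assumption."""
    host = urlparse(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.lower()


def derive_site_identifier(processor_number: bytes, site_key: str) -> str:
    """Encryption unit 31: hash the processor number under the site's key
    (HMAC-SHA256 here; the page only says 'hash')."""
    return hmac.new(site_key.encode(), processor_number, hashlib.sha256).hexdigest()


def handle_identification_request(processor_number: bytes,
                                  presented_key: str,
                                  browser_url: str):
    """The ring 0 driver's check: the presented key must match the URL the
    browser reports for the requesting site. Returns the hash value on a
    match and None when the request is rejected."""
    expected = canonical_site_key(browser_url)
    if not hmac.compare_digest(presented_key.lower().encode(), expected.encode()):
        return None
    return derive_site_identifier(processor_number, expected)


def demo():
    """Two honest sites get unrelated identifiers; a site reusing another
    site's key to correlate users is refused."""
    shop = handle_identification_request(
        PROCESSOR_NUMBER, "shop.example", "https://shop.example/checkout")
    news = handle_identification_request(
        PROCESSOR_NUMBER, "news.example", "https://news.example/")
    colluding = handle_identification_request(
        PROCESSOR_NUMBER, "shop.example", "https://news.example/")
    print("shop.example sees:", shop)
    print("news.example sees:", news)
    print("news.example presenting shop's key:", colluding)
    return shop, news, colluding


if __name__ == "__main__":
    demo()
```

Each site still receives a stable value for the same machine, so a decryption program delivered by that site can recognise the platform, while the values held by different sites share no computable relation without the processor number itself.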
Although making hash value retrieval a ring 0 operation ensures privacy for the user, a content provider may not be comfortable relying on such an operation to ensure that delivered encrypted content, and an accompanying decryption program, runs on authorized systems only. Because inter-privilege level calls may be intercepted by rogue software, a content provider may not wish to depend on a driver (ring 0) call for this function. Content providers may instead want the decryption program to be able to invoke a ring 3 instruction to verify the identity of the computer system that executes the program.
Accordingly, there is a need for a method and apparatus that enables an application's execution to be bound to authorized platforms, while still preserving user privacy. There is a need for such a method and apparatus that enables a decryption program to detect whether a computer system is authorized to execute that program—to ensure that delivered content is not copied for use by an unauthorized platform. There is a need for such a method and apparatus that enables such a program to periodically verify the identity of the platform upon which it is executed. The present invention provides such a method and apparatus.