This invention relates generally to a method and system for distribution of data across networks, and, more specifically to a system for delivering executable software content over broadband access networks in a secure manner that enables on-demand subscription.
The on-demand delivery of software applications and multimedia data types such as audio, video, animation, etc. has not been practical until recently, primarily due to the rates at which data is transmitted across communication networks. The rate at which data, formatted into a series of bits, is transmitted is measured in bits per second (bps). Early modems were capable of transmitting information at a rate of approximately 300 bits per second. Thereafter, the speeds at which modems were capable of transmitting and receiving data increased. With such increases in modem speed, the nature of network topologies as well as the types of data transmitted across networks began to evolve. With modem speeds of 9600 bps and 1200 bps, computer networks such as the Internet were primarily an ASCII text environment with specific protocols and text messaging. Subsequent increases in modem speed enabled more complex information to be accessed over the Internet and other computer networks. While the ASCII text paradigm still exists on the World Wide Web portion of the Internet today, the more recent increased bandwidth environment has enabled communication of more complex content and multimedia data types.
More recently, high performance broadband technology and cable modems, with connectivity speeds in excess of 1 million bps, are being deployed and offered by cable, telephone, cellular and satellite enterprises worldwide. Current broadband access networks include the cable industry's shared medium Hybrid Fiber Coax (HFC) networks and the telephone industry's digital subscriber lines (xDSL).
With the advent of broadband technology and broadband access networks, complex multimedia data types and software titles, previously only available on Compact Disc Read Only Memory (CD-ROM) and Digital Versatile Disc (DVD), hereafter referred to as "title(s)," are now capable of being remotely accessed by subscribers to broadband access network services.
There are, however, factors other than data rates that also have made on-demand delivery of titles impractical. One such obstacle preventing on-demand delivery of content, including software and multimedia titles, to date has been the requirement to have the title loaded onto the subscriber's local computer system in order to execute the title. Further, the widespread copying or "pirating" of title content, and the security risks associated with distribution of fully enabled copies of titles, has made on-demand distribution unattractive to software publishers and content libraries.
Accordingly, a need exists for a method and system for on-demand delivery of executable software content, which does not require installation of the content on the subscriber's local computer system.
An additional need exists for a method and system to deliver content to subscribers on an on-demand basis which provides security to protect the value of the content and which prevents unauthorized use and copying thereof.
An additional need exists for a method and system in which content may be delivered across a broadband access network in a manner which meets the latency requirements of the content being executed.
The Secure Content Delivery Platform (SCDP) of the present invention delivers high-bandwidth executable content, on-demand, over broadband access networks. Using the SCDP platform, broadband subscribers, e.g. subscribers to cable modem and xDSL services, have access to titles across the broadband networks.
Users select a title to run from a virtual storefront, for example on the World Wide Web, which contains a virtual catalog of available titles. Upon selection of the title, the user negotiates for an actual purchase of the title. Negotiation includes user registration with a third party electronic commerce system (eCommerce), provision of user billing information, and selection of one of the purchase types offered with the selected title. Examples of possible purchase types may include 1) a time-limited demo of the title, 2) a single payment for a single "use" of a title, 3) a single payment which allows unlimited "uses" of a title over some specified time period, e.g., week, month, etc.
Upon completion of the purchase negotiation, SCDP client software running on the user's PC obtains an authorization token and keying material from a Conditional Access Server (CAS). The token authorizes the client process to run the selected title from a network file server accessible across the broadband network. The data retrieved from the file server is encrypted. The SCDP client process uses the keying material provided by the conditional access server to decrypt the data from the file server. With the present invention, titles run on the user's PC, but the title is not downloaded, in its entirety, onto the PC. A title is formatted into an electronic package that contains the title's files in a compressed and encrypted form, referred to hereafter as a briq. The briq is actually a portable, self-contained file system, containing all of the files necessary to run a particular title. Briqs are stored on a network file server, referred to hereafter as a RAFT server, accessible across a broadband network. The SCDP client treats the briq like a local file system on the user's PC. When running a title, the operating system, e.g. Windows, makes read requests to this local file system. The SCDP client, which, in the illustrative embodiment, includes a Windows Virtual Device Driver (VxD), services these requests by retrieving the requested blocks of briq data from the RAFT server. After retrieving the requested block of data, the VxD decompresses and decrypts the briq data, and passes the data onto the operating system on the user's PC.
In accordance with one aspect of the present invention, the software title is never "installed" on the target system. The SCDP client software creates an installation abstraction, maintaining the illusion for the operating system that the title currently executing is installed on the host PC. Thus, when execution of the title is terminated, there is no remaining evidence the title ran on the system. No files associated with the title are left on the PC's hard-drive, and no operating system state information, e.g., registry variables associated with the title, remains. Users of titles have the option of saving certain state information that would be desirable to maintain across plays, e.g., the "level" achieved in a game, etc. Such state information may be saved in a write-through file described hereinafter.
In accordance with another aspect of the present invention, the SCDP client software uses an inventive proprietary Random Access File Transport (RAFT) protocol to retrieve briq data across the broadband network. The protocol provides SCDP clients with read-only access to files and directories stored on RAFT servers. Because the briq is treated like a local file system, the RAFT client does not need to be visible as an operating system drive and does not need to interface with the operating system's file system manager, the Windows Installable File System (IFS) Manager in the illustrative embodiment. As a result, the RAFT client file system driver, a VxD in the illustrative embodiment, is smaller and simpler than a remote or network file system driver. In addition, the RAFT protocol supports dynamic bandwidth restrictions, e.g., "bandwidth throttling", and access control through the use of RAFT authorization tokens.
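The two paragraphs above describe the briq as a compressed, encrypted file system image from which the client driver fetches only the blocks the operating system asks for, and the RAFT server as a block store that hands out encrypted data on read-only requests. The following is an added example that is not code from the patent or from the SCDP product: it models a briq whose blocks are compressed and encrypted independently, a RAFT server stand-in that serves those blocks and counts bytes sent (the hook where bandwidth throttling would attach), and a VxD-style client that services `read(path, offset, size)` calls in memory without writing anything to local storage. The 64-byte block size, the zlib compression and the SHA-256-keyed XOR stream cipher are assumptions chosen so the example runs offline; the real briq format is not described on the page.

```python
import hashlib
import struct
import zlib

BLOCK_SIZE = 64  # assumption: briq payload is split into fixed-size blocks


def keystream(key: bytes, block_id: int, length: int) -> bytes:
    """Toy per-block keystream: SHA-256 over key || block id || chunk counter.
    Stands in for whatever cipher the activator would actually implement."""
    out = b""
    chunk = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">II", block_id, chunk)).digest()
        chunk += 1
    return out[:length]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def pack_briq(files: dict, key: bytes) -> dict:
    """Build a briq: a directory mapping path -> (block ids, file length), plus
    the blocks themselves. Each block is compressed and then encrypted on its
    own, so a client can fetch and unpack any single block without the rest."""
    blocks, directory, next_id = {}, {}, 0
    for path, data in files.items():
        ids = []
        for off in range(0, len(data), BLOCK_SIZE):
            comp = zlib.compress(data[off:off + BLOCK_SIZE])
            blocks[next_id] = xor(comp, keystream(key, next_id, len(comp)))
            ids.append(next_id)
            next_id += 1
        directory[path] = (ids, len(data))
    return {"directory": directory, "blocks": blocks}


class RaftServer:
    """Stand-in for the RAFT file server: read-only, serves encrypted blocks
    only, and records bytes sent so a throttling policy could be applied."""

    def __init__(self, briq: dict):
        self.briq = briq
        self.bytes_sent = 0

    def directory(self) -> dict:
        return self.briq["directory"]

    def fetch_block(self, block_id: int) -> bytes:
        blob = self.briq["blocks"][block_id]
        self.bytes_sent += len(blob)
        return blob


class BriqClient:
    """Stand-in for the SCDP client VxD: answers operating-system read requests
    by pulling just the needed blocks, decrypting and decompressing in memory."""

    def __init__(self, server: RaftServer, key: bytes):
        self.server, self.key = server, key
        self.directory = server.directory()
        self.fetched = 0  # number of block fetches issued so far

    def read(self, path: str, offset: int, size: int) -> bytes:
        ids, length = self.directory[path]
        if offset >= length or size <= 0:
            return b""
        end = min(offset + size, length)
        first_block = offset // BLOCK_SIZE
        plain = b""
        for idx in range(first_block, (end - 1) // BLOCK_SIZE + 1):
            blob = self.server.fetch_block(ids[idx])
            self.fetched += 1
            plain += zlib.decompress(xor(blob, keystream(self.key, ids[idx], len(blob))))
        start = offset - first_block * BLOCK_SIZE
        return plain[start:start + (end - offset)]


def demo() -> dict:
    """Constructed sample title: two files packed into a briq, then a short
    read in the middle of the larger file that should touch a single block."""
    key = b"constructed-briq-key"
    files = {
        "GAME.EXE": bytes(range(256)) * 2,  # 512 bytes -> 8 blocks of 64
        "README.TXT": b"constructed readme text",
    }
    server = RaftServer(pack_briq(files, key))
    client = BriqClient(server, key)
    chunk = client.read("GAME.EXE", 200, 10)   # bytes 200..209 of GAME.EXE
    fetched = client.fetched                   # expected: 1 block fetched
    readme = client.read("README.TXT", 0, 100) # read past EOF is truncated
    return {"chunk": chunk, "fetched": fetched, "readme": readme}
```

The point to note is in `BriqClient.read`: the client never asks for the whole briq, only the block range covering the requested byte range, which is what lets a title start executing before it has been transferred in its entirety.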
In accordance with another aspect of the present invention, the SCDP employs a variety of security mechanisms to protect content from unauthorized access and replay. Authorization tokens and decryption keys are obtained from a conditional access server. Network communication between an SCDP client and CAS is protected via a secure remote procedure call (RPC) interface. Once a secure channel is established between SCDP client and CAS, the SCDP client requests a RAFT authorization token and keying material for the selected title. The authorization token is a signed message from the CAS indicating that the requesting user can have access to a specified briq, on a specific RAFT file server, for the length of time spelled out in the negotiated payment type.
While the RAFT authorization token gives an SCDP client access to a title's briq, the SCDP client must still unpack, e.g. decompress and decrypt, the briq to gain access to the title's file data. The CAS provides the user with the keying material necessary to decrypt briq data; however, the CAS does not directly provide the SCDP client with keying material. Instead, the CAS hides keying material from the user by embedding the keys in obfuscated bytecode that implements the decryption algorithm. Rather than delivering isolated keying material to the SCDP client, the CAS delivers obfuscated bytecode, referred to hereafter as an activator. The SCDP client's virtual device driver decrypts briq data by running the activator on a bytecode interpreter. Code obfuscation makes the activator difficult to reverse engineer, requiring a hacker to spend significant time and resources to extract the keying material from the activator, at a cost typically greater than the value of the content being protected. With the contemplated invention, activators are unique per client, per briq, per execution, i.e., each activator obtained from the CAS is different and usable for one time only, thereby preventing the leveraging of a single, costly reverse engineering effort out to multiple users.
In accordance with the present invention, both the RAFT authorization tokens and activators have a limited lifetime. Authorization tokens include an expiration time, after which they are no longer valid. A running activator, at a certain point, initiates an exchange with the CAS to refresh itself. If the exchange is unsuccessful, the activator becomes inoperable and the title inoperable. The refreshing of activators is referred to hereinafter as activator keepalive. The keepalive mechanism results in the delivery of an update to the currently running activator, which may include new keys, data, or even code. Authorization token refresh accompanies activator refresh. A new authorization token, along with the decryption keying data, is embedded within the new activator. At startup, the refreshed activator delivers a new RAFT authorization token to the RAFT VxD within the SCDP client.
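The security paragraphs above describe a signed, time-limited authorization token bound to a user, a briq and a RAFT server; an activator that carries the token and keying material; a keepalive exchange that refreshes both; and a RAFT server that serves data only against a valid token (the same server-side check that the fourth through sixth embodiments below claim). The following is an added example, not the patent's or the SCDP product's code, that models that flow end to end. Assumptions: the CAS signs tokens with HMAC-SHA256 over a canonical JSON payload and the RAFT server holds the same key (the page says only "signed"; a real deployment would more likely use a public-key signature so the file server cannot mint tokens); the activator is an ordinary Python object holding its key and token rather than obfuscated bytecode; time is passed in explicitly so the checks are deterministic; the per-execution nonce stands in for the page's one-activator-per-execution property.

```python
import hashlib
import hmac
import json
import os


def sign(key: bytes, payload: dict) -> str:
    """Signature over a canonical encoding so field order cannot alter the MAC."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class ConditionalAccessServer:
    """Issues time-limited RAFT authorization tokens and activators."""

    def __init__(self, signing_key: bytes, catalog: dict):
        self.signing_key = signing_key
        self.catalog = catalog   # title id -> (raft server name, briq name, briq key)
        self.revoked_users = set()

    def issue_token(self, user: str, title_id: str, now: int, lifetime: int) -> dict:
        """Converts the title id to a network location and binds the token to
        user, server, briq and the purchased time window."""
        server, briq, _ = self.catalog[title_id]
        payload = {"user": user, "server": server, "briq": briq,
                   "not_before": now, "expires": now + lifetime}
        return {"payload": payload, "sig": sign(self.signing_key, payload)}

    def issue_activator(self, user: str, title_id: str, now: int, lifetime: int):
        token = self.issue_token(user, title_id, now, lifetime)
        briq_key = self.catalog[title_id][2]
        # fresh nonce per execution: every activator handed out is distinct
        return Activator(self, user, title_id, token, briq_key, os.urandom(8), lifetime)

    def keepalive(self, user: str, title_id: str, now: int, lifetime: int):
        """Refresh request from a running activator; None if the entitlement is gone."""
        if user in self.revoked_users:
            return None
        return self.issue_token(user, title_id, now, lifetime)


class Activator:
    """Carries the briq key and the RAFT token; goes inoperable if a refresh fails."""

    def __init__(self, cas, user, title_id, token, briq_key, nonce, lifetime):
        self.cas, self.user, self.title_id = cas, user, title_id
        self.token, self.briq_key, self.nonce, self.lifetime = token, briq_key, nonce, lifetime
        self.alive = True

    def keepalive(self, now: int) -> bool:
        fresh = self.cas.keepalive(self.user, self.title_id, now, self.lifetime)
        if fresh is None:
            self.alive = False
            self.briq_key = None   # keying material is dropped; the title stops
            return False
        self.token = fresh          # new token delivered to the RAFT client
        return True

    def raft_token(self):
        return self.token if self.alive else None


class RaftServer:
    """Serves briq data only against a token that verifies, names this server
    and briq, and is inside its validity window at the time of the request."""

    def __init__(self, name: str, signing_key: bytes, briqs: dict):
        self.name, self.signing_key, self.briqs = name, signing_key, briqs

    def check_token(self, token: dict, briq: str, now: int) -> bool:
        p = token["payload"]
        if not hmac.compare_digest(sign(self.signing_key, p), token["sig"]):
            return False
        if p["server"] != self.name or p["briq"] != briq:
            return False
        return p["not_before"] <= now < p["expires"]

    def read(self, token, briq: str, now: int):
        if token is None or not self.check_token(token, briq, now):
            return None
        return self.briqs[briq]


def demo() -> dict:
    """Constructed walk-through: valid read, expired token, keepalive refresh,
    forged expiry, and a refresh refused after revocation."""
    key = b"constructed-cas-signing-key"
    catalog = {"title-42": ("raft1", "title42.briq", b"constructed-briq-key")}
    cas = ConditionalAccessServer(key, catalog)
    raft = RaftServer("raft1", key, {"title42.briq": b"<encrypted briq bytes>"})
    act = cas.issue_activator("alice", "title-42", now=1000, lifetime=300)
    r = {}
    r["fresh"] = raft.read(act.raft_token(), "title42.briq", now=1100) is not None
    r["expired"] = raft.read(act.raft_token(), "title42.briq", now=1400) is not None
    r["refreshed"] = act.keepalive(now=1250) and \
        raft.read(act.raft_token(), "title42.briq", now=1400) is not None
    forged = {"payload": dict(act.token["payload"], expires=9999), "sig": act.token["sig"]}
    r["forged"] = raft.read(forged, "title42.briq", now=5000) is not None
    cas.revoked_users.add("alice")
    r["revoked_refresh"] = act.keepalive(now=1500)
    r["after_revoke"] = raft.read(act.raft_token(), "title42.briq", now=1500) is not None
    return r
```

Two details carry the security argument: the RAFT server checks the signature with a constant-time compare before it looks at any field, so an edited expiry (the `forged` case) is rejected; and a failed keepalive clears the activator's keying material rather than merely flagging it, which is what makes the title stop running when the entitlement lapses.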
The SCDP system is media independent and will operate across any broadband networking technology, including HFC networks and the telephone industry's digital subscriber lines, provided sufficient bandwidth exists between the user and network file servers to satisfy the latency requirements of the currently executing CD title. The SCDP system may also be implemented using 10 Mbps and 100 Mbps Ethernet Local Area Networks, for example within enterprise networks to deliver executable content over intranets as well.
According to one embodiment of the invention, a server apparatus connectable over a computer network to one or more requestor processes and at least one source of titles comprises a processor, a memory coupled to the processor, a network interface coupled to the memory and processor, conversion logic responsive to a unique identifier of a title and configured to convert the unique identifier into a location identifier indicating an address on the computer network where the title may be accessed, and activator generator logic responsive to the network interface and configured to generate an activator. The activator may comprise cryptographic data useful to a requestor for processing a title as well as a token containing data identifying a time period in which the requestor may access a source.
According to a second embodiment of the invention, a computer program product for use with a server apparatus connectable to a computer network, comprises a computer usable medium having computer usable program code embodied thereon, the computer program code further comprising (a) conversion program code responsive to a unique identifier of a title and configured to convert the unique identifier into a location identifier indicating an address on the computer network where the title may be accessed; (b) network interface program code responsive to requesting tasks on the computer network; and (c) generator program code responsive to the interface program code and configured to generate an activator for a requesting process.
According to a third embodiment of the invention, in a server apparatus connectable to a computer network, a method for enabling requesting processes to access a source of titles comprises the steps of (a) authenticating a launch string from a requesting process; (b) converting a unique identifier received from a requesting process into a location identifier indicating an address on the computer network where the title may be accessed; (c) generating an activator; and (d) forwarding the activator to the requesting process over the computer network.
According to a fourth embodiment of the invention, a server apparatus connectable over a computer network to one or more client processes comprises a processor; a memory coupled to the processor, the memory capable of storing a plurality of titles therein; a network interface coupled to the memory and processor; authentication logic responsive to a token received from a client, the token containing data identifying a time period, and configured to determine whether the client is authorized to access the memory at a specific time; and access logic responsive to the token received from the client, the token containing data uniquely identifying a title, and configured to access the memory and a title uniquely identified by the token.
According to a fifth embodiment of the invention, a computer program product for use with a server apparatus connectable to a computer network comprises a computer usable medium having computer usable program code embodied thereon, the computer program code further comprising authentication program code responsive to a token received from a client, the token containing data identifying a time period, and configured to determine whether the client is authorized to access the memory at a specific time, and access program code responsive to the token received from the client, the token containing data uniquely identifying one of the titles stored in memory, for accessing the memory and a title uniquely identified by the token.
According to a sixth embodiment of the invention, in a server apparatus connectable to a computer network, a method for enabling a client process to access a title comprises the steps of (a) receiving a token from a client process through the network interface, the token containing data identifying a time period and data uniquely identifying a title, (b) determining whether the client is authorized to access the memory at a specific time, (c) if the client is authorized in step (b), accessing the memory and a title uniquely identified by the token, and (d) transmitting to the client at least a portion of the title identified by the token.
According to a seventh embodiment of the invention, a computer data signal embodied in a carrier wave comprises authentication program code responsive to a token received from a client, the token containing data identifying a time period, and configured to determine whether the client is authorized to access a memory at a specific time; and access program code responsive to the token received from the client, the token containing data uniquely identifying a title stored in the memory, for accessing the memory and the title uniquely identified by the token.
According to an eighth embodiment of the invention, a computer data signal embodied in a carrier wave comprises network interface program code responsive to requests from a requestor process on a computer network; conversion program code responsive to a unique identifier of a title supplied by a requesting program and configured to convert the unique identifier of the title into a location identifier indicating an address on the computer network where the title may be accessed; and generator program code responsive to the network interface program code and configured to generate an activator for a requesting process.