1. Field of the Invention
This invention relates to digital information processing systems and methods, and more particularly to systems and methods to protect digital information.
2. Description of the Related Art
The advent of new means for storing and distributing digital information brings new security concerns and problems. Such new means include CD-ROMS used for mass mailings of software, the Internet and/or World Wide Web used for electronically distributing software and other digital information, and communication channels such as satellite or digital cable-TV for broadcasting information. These means enable selling digital content quite inexpensively, especially in comparison to conventional methods of distributing such content on physical media through retail outlets. For example, computer software is recorded on magnetic media and CD-ROM, then boxed and shrink-wrapped, digital music is recorded on CD's, and digital video is recorded on optical media. The various media must then be shipped to a store, or directly to the customer. In contrast, when a network is in place, as is the case, for example, with the Internet and cable TV networks, an information provider simply needs to store the information on a medium accessible to users of the networks. However, if digital information is made available through such inexpensive means as broadcasting, distribution over the different routes of the so-called "Information Superhighway" (e.g. the Internet), and mass mailings on CD-ROM, then there exists a problem with securing the information in such a way that it will only be available to those who have paid for the right to access it.
In a July 1995 article entitled "Intellectual Value" in Wired, a popular press computer publication, the author, Esther Dyson, advocates that digital content providers should realize that the Internet allows essentially "free" copying of such content and therefore such providers can make money only by providing services related to the content. However, such an arrangement may be unacceptable to producers of digital information such as software, music, and videos, because in many cases there simply isn't a related service to sell. This article is representative of a growing recognition that the Internet provides great opportunities to reach a vast market, yet makes it difficult for information providers to be compensated for the labor, time, and investment involved with making such digital information available. The present invention is directed toward a system and method for providing a technique for such compensation by protecting such information so that it is available for use only to those who have paid for the legitimate right to use it.
The security required in data communications is much greater when open networks, such as the Internet or cable TV, are being used. Where there is greater access to the network, the possibilities for illegal copying and distribution increase. An approach known in the art for providing security of digital information is to distribute the information in an encrypted form, only releasing the necessary decryption information, called a "key", to legitimate users, that is, those who have paid for the service. The first problem with this approach is that, if implemented without safeguards, there is nothing to prevent a user from sharing the key with illegitimate users. This problem is addressed by this invention.
A second problem is that there is nothing to prevent a sophisticated legitimate user from capturing the decrypted content and sharing that with illegitimate users. Indeed, barring tamper-proof hardware decryption, there is no solution to this second problem; at some point in the process, a legitimate user must have access to the decrypted information in order to use it. If she is sufficiently sophisticated to be able to capture it, then she will be able to redistribute it. It is anticipated that the quantity of information required to be distributed will deter such behavior. In other words, if an illegitimate user must distribute a complete CD-ROM of content there is no economic incentive to do so.
There is a need for a way to reveal the decryption key, or information for reconstructing this key, in such way that this information is not easily relayed to illegitimate users. In this regard, U.S. Pat. No. 4,200,770 to Hellman et al. discusses a problem that has become known as the "key distribution problem". In that problem, two parties wish to agree on a key to use for subsequent secret communication. Thus, a solution to that problem involves keeping the key secret where both parties have a common interest in doing so. The Hellman et al. patent does not discuss how to keep the key secret, or at least difficult to reconstruct, when a legitimate user has no incentive to do so and, indeed, may have an incentive to reveal the key. This is one problem addressed by this invention.
One could sidestep the key revelation process entirely by resorting to "public-key encryption" which is discussed in U.S. Pat. No. 4,405,829 by Rivest et al. To use such an approach, each legitimate user has a "public key", which can be used to encrypt information intended for that user. Thus, the encryption of a message is "publicly computable", meaning that no secret information is necessary to compute the encryption. It is a fundamental property of public-key cryptosystems that it is "computationally infeasible" to determine the decryption key or otherwise decrypt the information, even knowing the public key. "Computationally infeasible" means that the number of operations and time required to decrypt or determine the key makes it impossible to do so for all practical purposes. However, such an approach requires encrypting the content for each user anew, since each user must have an individual public key. This completely eliminates the economy of scale available with mass replication of data (for example, on CD-ROM, etc.), wherein one key can be used to unlock the content stored on all the disks.
A solution to the problem of having a single key for the content but making it difficult for users to share that key is found in U.S. Pat. No. 5,319,705 to Halter et al. This patent is hereby incorporated herein in its entirety by this reference. The '705 patent describes a system wherein each piece of digital content to be distributed is encrypted with a different encryption key before it is distributed. A user wishing to purchase a piece of content obtains the encrypted content from a source such as a widely-distributed CD-ROM. He then communicates with an authorization center to obtain a decryption key K to decrypt the content to make it usable. The authorization center does not tell him K directly because, as discussed above, this might tempt a user to share K with friends, or even to resell it for profit. Therefore, in response to a customer order for data such as software, the authorization center applies what we call an "authorization function" to a unique customer number supplied by the customer to produce a customer key. The customer key is used to encrypt the decryption key K. K is then used to unlock the encrypted file. The customer is discouraged from sharing his authorization because it comes as a pair, and the first half of the pair, his customer key, identifies him and/or would be difficult for other users to mimic.
The security of the system and method taught by the '705 patent depends on the authorization function remaining secret to the end user. Once the authorization function is known, then an adversary user may use the authorization function to act as a "pirate authenticator" who can profit by authorizing illegitimate users to unlock encrypted digital content. A problem with the system and method taught by the '705 patent is that the authorization function can be completely understood by carefully analyzing the "extrication function", that is, the calculation that is performed on the user's computer to extricate, or obtain, the decryption key.
Unfortunately, there have been many instances of modern-day pirates who use sophisticated knowledge and technology to break into seemingly secure computer systems. The inventors of the present invention have made the critical recognition that it is fruitless to try to hide an extrication function from such sophisticated hackers, because the software for performing the extrication function must reside on the user's processor and is therefore easily analyzed by the end user. What is needed is a system and/or method to secure digital content without requiring that the extrication function be kept secret from the end user, yet the extrication function must not be usable to determine the related authorization function that resides at the authorization center.
This suggests use of a digitally signed authorization provided by the authorization center to the end user which must be entered to access secure information. A digital signature has an advantage in that the calculation performed to verify a digital signature yields no practical information on how to forge or falsify such a signature. The problem with such an approach is that verifying digital signatures relies on the test of the condition that the authorization statement is correctly signed. Therefore, the code can be easily "patched", i.e., modified, so that the test is bypassed by a sophisticated user.
In theory, it is always possible for a user to implement some type of bypassing because the user's processor computes the decryption key K. Thus a hacker can capture K and redistribute it. That this is a problem is illustrated by the current situation with piracy of TV signals by rural satellite dishes. A pirate sells to an illegitimate user a patch to his receiver, which then enables the pirate to sell to the user the individual keys K to various TV and cable networks of interest. Similarly, in the case of extrication functions, a pirate can sell a patch to an illegitimate user that enables him to bypass the extrication function, and use the decryption key directly, and then can sell the illegitimate user keys to individual content. A method and/or system that provides a disincentive for such a patch would be an advance in the art.
As referenced in the art, an additional level of security is providing by making the key very long, since this deters a potential pirate because he cannot easily transmit the key to an illegitimate user.
The inventors have recognized that it would be a significant advance in the art to design a system that has an openly available and publicly computable extrication function, that is computationally infeasible to invert. The inventors have recognized that it would be a further advance to provide such a system with extremely long decryption keys and short communication from an authorization center.