United States Patent (Ram et al.)
(10) Patent No.: US 6,519,700 B1
(45) Date of Patent: Feb. 11, 2003

(54) SELF-PROTECTING DOCUMENTS

(75) Inventors: Prasad Ram, Manhattan Beach, CA (US); Thanh T. Ta, Huntington Beach, CA (US); Xin Wang, Los Angeles, CA (US)

(73) Assignee: ContentGuard Holdings, Inc., Wilmington, DE (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/178,529
(22) Filed: Oct. 23, 1998
(51) Int. Cl.7: G06F 12/16; H04N 7/167; H04L 9/14
(52) U.S. Cl.: 713/193; 713/160; 380/45; 380/201; 705/51; 705/57
(58) Field of Search: 713/193, 160; 380/28, 42, 44, 45, 47, 201; 705/51, 56, 57

(56) References Cited

U.S. PATENT DOCUMENTS
4,712,238 A * 12/1987 Gilhousen et al. 380/20
4,796,220 A 1/1989 Wolfe 364/900
5,742,677 A * 4/1998 Pinder et al. 380/4
5,796,829 A 8/1998 Newby et al. 380/21
5,915,019 A 6/1999 Ginter et al. 380/4
6,052,780 A * 4/2000 Glover 713/193

FOREIGN PATENT DOCUMENTS
EP 0 715 241 6/1996 G06F/1/00
WO WO 98/11690 3/1998 H04L/9/00
WO WO 98/42098 9/1998 H04L/9/00

OTHER PUBLICATIONS
European Search Report dated Jul. 31, 2002; European Application No. 99121165.7.

* cited by examiner

Primary Examiner: Gilberto Barron
Assistant Examiner: Justin T. Darrow
(74) Attorney, Agent, or Firm: Nixon Peabody LLP; Marc S. Kaufman

(57) ABSTRACT

A system and method for the secure distribution of electronic documents reduces the likelihood of unauthorized reproduction and redistribution by either authorized or unauthorized recipients. A self-protecting document (SPD) contains an encrypted document as well as a secure set of permissions and the software necessary to process the document; full decryption of the document is performed as late as possible so as to minimize the possibility of intercepting the document before it has been fully rendered to screen or to paper.

17 Claims, 6 Drawing Sheets

[Front-page drawing: FIG. 4 elements 412 (polarizer), 414 (private key), 420 (polarized contents), 424 (rendering application).]

Apple v. Achates, IPR2013-00080
Petitioner Apple Inc. - Exhibit 1051, p. 1
`
`
`
[Sheet 1 of 6: FIG. 1, top-level distribution model (Author/Publisher, Content 112, Distributor, Content 116, User, Payment 120, Clearinghouse 122, Payment 124, Royalty Payments 126, Accounting 128, Audit Server, Accounting 131, Report 132); FIG. 2 (Prior Art).]

[Sheet 2 of 6: FIG. 3 (simple protecting-shell embodiment); FIG. 4 (Encrypted Contents 410, Polarizer 412, Private Key 414, Decryption 416, Polarization Key 418, Polarized Contents 420, protecting shell 422, Rendering Application 424, Polarized Presentation Data 426, Depolarizer 428, presentation data 430).]

[Sheet 3 of 6: FIG. 5, self-protecting document 510: Executable Code 512 (Rights Enforcer 524, Polarization Engine 526, Depolarization Engine 528, Secure Viewer 530, Rendering Engine 532); Rights & Permissions 514; Content 516 (Document Meta-Info 518, Rights Label Info 520, Protected Content 522).]

[Sheet 4 of 6: FIG. 6, creation and customization of an SPD: Author/Publisher side (Content, Rights Specification, Content Pre-Processing, Generic SPD Creation), Distributor side (Rights/Permissions, Encryption with Public Key, Watermark, SPD Customization), User side (Request); reference numerals 610 to 632.]

[Sheet 5 of 6: FIG. 7, user-side handling of an SPD: Receive SPD & store, Authenticate, Rights Enforce, Action, Pre-Audit, Render, Post-Audit, Permissions Update, with Ok/Fail/None branches and Exit on failure; reference numerals 710 to 720.]

[Sheet 6 of 6: FIG. 8, paths between E(x) and x through D (810, 812); FIG. 9, polarization with x = D(E(x)) and x' = D(E(x')).]
`
SELF-PROTECTING DOCUMENTS

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office file or records, but otherwise reserves all copyright rights whatsoever.

FIELD OF THE INVENTION

The invention relates to document rights management, and more particularly, to a self-protecting document scheme that enables electronic document protection without the need for additional software or hardware support for protection.

BACKGROUND OF THE INVENTION

One of the most important issues impeding the widespread distribution of digital documents via electronic commerce is the current lack of protection of the intellectual property rights of content owners during the distribution and use of those digital documents. Efforts to resolve this problem have been termed "Intellectual Property Rights Management" ("IPRM"), "Digital Property Rights Management" ("DPRM"), "Intellectual Property Management" ("IPM"), "Rights Management" ("RM"), and "Electronic Copyright Management" ("ECM").

A document, as the term is used herein, is any unit of information subject to distribution or transfer, including but not limited to correspondence, books, magazines, journals, newspapers, other papers, software, photographs and other images, audio and video clips, and other multimedia presentations. A document may be embodied in printed form on paper, as digital data on a storage medium, or in any other known manner on a variety of media.

In the world of printed documents, a work created by an author is usually provided to a publisher, which formats and prints numerous copies of the work. The copies are then sent by a distributor to bookstores or other retail outlets, from which the copies are purchased by end users.

While the low quality of copying and the high cost of distributing printed material have served as deterrents to the illegal copying of most printed documents, it is far too easy to copy, modify, and redistribute unprotected electronic documents. Accordingly, some method of protecting electronic documents is necessary to make it harder to illegally copy them. This will serve as a deterrent to copying, even if it is still possible, for example, to make hardcopies of printed documents and duplicate them the old-fashioned way. With printed documents, there is an additional step of digitizing the document before it can be redistributed electronically; this serves as a deterrent. Unfortunately, it has been widely recognized that there is no viable way to prevent people from making unauthorized distributions of electronic documents within current general-purpose computing and communications systems such as personal computers, workstations, and other devices connected over local area networks (LANs), intranets, and the Internet. Many attempts to provide hardware-based solutions to prevent unauthorized copying have proven to be unsuccessful.

Two basic schemes have been employed to attempt to solve the document protection problem: secure containers and trusted systems.

A "secure container" (or simply an encrypted document) offers a way to keep document contents encrypted until a set of authorization conditions are met and some copyright terms are honored (e.g., payment for use). After the various conditions and terms are verified with the document provider, the document is released to the user in clear form. Commercial products such as IBM's Cryptolopes and InterTrust's Digiboxes fall into this category. Clearly, the secure container approach provides a solution to protecting the document during delivery over insecure channels, but does not provide any mechanism to prevent legitimate users from obtaining the clear document and then using and redistributing it in violation of content owners' intellectual property.

Cryptographic mechanisms are typically used to encrypt (or "encipher") documents that are then distributed and stored publicly, and ultimately privately deciphered by authorized users. This provides a basic form of protection during document delivery from a document distributor to an intended user over a public network, as well as during document storage on an insecure medium.

In the "trusted system" approach, the entire system is responsible for preventing unauthorized use and distribution of the document. Building a trusted system usually entails introducing new hardware such as a secure processor, secure storage and secure rendering devices. This also requires that all software applications that run on trusted systems be certified to be trusted. While building tamper-proof trusted systems is still a real challenge to existing technologies, current market trends suggest that open and untrusted systems such as PC's and workstations will be the dominant systems used to access copyrighted documents. In this sense, existing computing environments such as PC's and workstations equipped with popular operating systems (e.g., Windows and UNIX) and rendering applications (e.g., Microsoft Word) are not trusted systems and cannot be made trusted without significantly altering their architectures. Accordingly, although certain trusted components can be deployed, one must continue to rely upon various unknown and untrusted elements and systems. On such systems, even if they are expected to be secure, unanticipated bugs and weaknesses are frequently found and exploited.

There are a number of issues in rights management: authentication, authorization, accounting, payment and financial clearing, rights specification, rights verification, rights enforcement, and document protection. Document protection is a particularly important issue. After a user has honored the rights of the content owner and has been permitted to perform a particular operation with a document (e.g., print it, view it on-screen, play the music, or execute the software), the document is presumably in-the-clear, or unencrypted. Simply stated, the document protection problem is to prevent the content owner's rights from being compromised when the document is in its most vulnerable state: stored, in the clear, on a machine within the user's control. Even when documents are securely delivered (typically in encrypted form) from a distributor to the user, they must be rendered to a presentation data form before the user can view or otherwise manipulate the document. Accordingly, to achieve the highest level of protection, it is important to protect the document contents as much as possible, while revealing them to the user at a late stage and in a form that is difficult to recover into a useful form.

In the known approaches to electronic document distribution that employ encryption, an encrypted document is rendered in several separate steps. First, the encrypted document is received by the user. Second, the user employs
`
`
`
his private key (in a public key cryptosystem) to decrypt the data and derive the document's clear content. Finally, the clear content is then passed on to a rendering application, which translates the computer-readable document into the finished document, either for viewing on the user's computer screen or for printing a hardcopy. The clear content is required for rendering because, in most cases, the rendering application is a third-party product (such as Microsoft Word or Adobe Acrobat Reader) that requires the input document to be in a specific format. It should be appreciated, then, that between the second and third steps, the previously protected document is vulnerable. It has been decrypted, but is still stored in clear electronic form on the user's computer. If the user is careless or is otherwise motivated to minimize fees, the document may be easily redistributed without acquiring the necessary permissions from the content owner.

Accordingly, it would be beneficial to provide an electronic document distribution scheme that minimizes the disadvantages of known systems. Such a scheme would prevent users from obtaining a useful form of an electronically-distributed document during the decryption and rendering processes.

BRIEF DESCRIPTION OF THE DRAWINGS

The structure and function of the invention is best understood with reference to the included drawings, which may be described as follows:

FIG. 1 is a top-level block diagram representing a model for the creation and commercial distribution of electronic documents in either secure or insecure environments;

FIG. 2 is a flow diagram illustrating the decryption of protected electronic documents according to the art;

FIG. 3 is a flow diagram illustrating the decryption of protected electronic documents according to a simple embodiment of the invention;

FIG. 4 is a flow diagram illustrating the decryption of protected electronic documents according to a preferred embodiment of the invention;

FIG. 5 is a functional block diagram illustrating the data structures present in a self-protecting document according to an embodiment of the invention;

FIG. 6 is a flow diagram illustrating the creation and customization of a self-protecting document according to an embodiment of the invention;

FIG. 7 is a flow diagram, from a user's perspective, illustrating the actions performed in handling and using a self-protecting document according to the invention;

FIG. 8 is a graph illustrating several possible paths between an unrendered and encrypted document, and rendered and decrypted presentation data;

FIG. 9 is a flow diagram illustrating a polarization process according to the invention in which document format information remains in the clear for rendering.

SUMMARY OF THE INVENTION

The present self-protecting document ("SPD") is not subject to the above-stated disadvantages of the prior art. By combining an encrypted document with a set of permissions and an executable code segment that includes most of the software necessary to extract and use the encrypted document, the self-protecting document accomplishes protection of document contents without the need for additional hardware and software.

The SPD system is broken down between a content creator (analogous to the author and the publisher of the traditional model) and a content distributor. The author/publisher creates the original document, and decides what rights are to be permitted. The distributor then customizes the document for use by various users, ensuring via the customization that the users do not exceed the permissions they purchased.

At the user's system, the self-protecting document is decrypted at the last possible moment. In an embodiment of the invention, various rendering facilities are also provided within the SPD, so that the use of the SPD need not rely upon external applications that might not be trustworthy (and that might invite unauthorized use). In an alternative embodiment, interfaces and protocols are specified for a third-party rendering application to interact with the SPD to provide trusted rendering.

In one embodiment of the invention, the encrypted document is decrypted by the user's system while simultaneously "polarizing" it with a key that is dependent, at least in part, on the state of the user's system. The polarization may be cryptographically less secure than the encryption used for distribution, but serves to deter casual copying. In this embodiment, depolarization is performed during or after the rendering process, so as to cause any intermediate form of the document to be essentially unusable.

DETAILED DESCRIPTION OF THE INVENTION

The invention is described below, with reference to detailed illustrative embodiments. It will be apparent that the invention can be embodied in a wide variety of forms, some of which may be quite different from those of the disclosed embodiments. Consequently, the specific structural and functional details disclosed herein are merely representative and do not limit the scope of the invention.

FIG. 1 represents a top-level functional model for a system for the electronic distribution of documents, which as defined above, may include correspondence, books, magazines, journals, newspapers, other papers, software, audio and video clips, and other multimedia presentations.

An author (or publisher) 110 creates a document's original content 112 and passes it to a distributor 114 for distribution. Although it is contemplated that the author may also distribute documents directly, without involving another party as a distributor, the division of labor set forth in FIG. 1 is more efficient, as it allows the author/publisher 110 to concentrate on content creation, and not the mechanical and mundane functions taken over by the distributor 114. Moreover, such a breakdown would allow the distributor 114 to realize economies of scale by associating with a number of authors and publishers (including the illustrated author/publisher 110).

The distributor 114 then passes modified content 116 to a user 118. In a typical electronic distribution model, the modified content 116 represents an encrypted version of the original content 112; the distributor 114 encrypts the original content 112 with the user 118's public key, and modified content 116 is customized solely for the single user 118. The user 118 is then able to use his private key to decrypt the modified content 116 and view the original content 112.

A payment 120 for the content 112 is passed from the user 118 to the distributor 114 by way of a clearinghouse 122. The clearinghouse 122 collects requests from the user 118 and from other users who wish to view a particular document. The clearinghouse 122 also collects payment information, such as debit transactions, credit card transactions, or other known electronic payment schemes,
`
`
`
and forwards the collected users' payments as a payment batch 124 to the distributor 114. Of course, it is expected that the clearinghouse 122 will retain a share of the user's payment 120. In turn, the distributor 114 retains a portion of the payment batch 124 and forwards a payment 126 (including royalties) to the author and publisher 110. In one embodiment of this scheme the distributor 114 awaits a bundle of user requests for a single document before sending anything out. When this is done a single document with modified content 116 can be generated for decryption by all of the requesting users. This technique is well-known in the art.

In the meantime, each time the user 118 requests (or uses) a document an accounting message 128 is sent to an audit server 130. The audit server 130 ensures that each request by the user 118 matches with a document sent by the distributor 114; accounting information 131 is received by the audit server 130 directly from the distributor 114. Any inconsistencies are transmitted via a report 132 to the clearinghouse 122, which can then adjust the payment batches 124 made to the distributor 114. This accounting scheme is present to reduce the possibility of fraud in this electronic document distribution model, as well as to handle any time-dependent usage permissions that may result in charges that vary, depending on the duration or other extent of use.

The foregoing model for electronic commerce in documents, shown in FIG. 1, is in common use today. As will be shown in detail below, it is equally applicable to the system and method set forth herein for the distribution of self-protecting documents.

Turning now to FIG. 2, the steps performed by the user 118 (FIG. 1) in a prior art system for electronic document distribution are shown. As discussed above, cryptographic mechanisms are typically used to encipher documents. Those encrypted documents are then distributed and stored publicly and deciphered privately by authorized users. This provides a basic form of protection during document delivery from a document distributor to an intended user over a public network, as well as during document storage on an insecure medium.

At the outset, an encrypted document 210 is received by the user 118 and passed to a decryption step 212. As is well known in the art, the decryption step 212 receives the user 118's private key, which is stored locally at the user's computer or entered by the user when needed. The document 210 is decrypted, resulting in clear content 216 similar or identical to the original content 112 (FIG. 1).

The clear content 216 is passed to a rendering application 218, which constructs presentation data 220, or a usable version of the document's original content 112. In typical systems of this kind, the presentation data 220 is data immediately suitable for display on a video screen, for printing as a hardcopy, or for other use depending on the document type.

As discussed above, the document is vulnerable in systems like this. The clear content 216 can be copied, stored, or passed along to other users without the knowledge or consent of the distributor 114 or the author/publisher 110. Even a legitimate user may be tempted to minimize the licensing fees by capturing the document in the clear in order to redistribute and use it at will, without honoring the intellectual property of the content owners. As discussed above, the present invention is directed to a scheme for preventing such a user from obtaining a useful form of the document during the rendering process on the user's system.

Accordingly, the system and method of the present invention sets forth an alternative scheme for handling encrypted documents at the user 118's system. A simple embodiment of this scheme is illustrated in FIG. 3.

FIG. 3 looks similar to FIG. 2, in that an encrypted document 310 is passed to a decryption step 312 (which uses […]) […] in presentation data 318. However an additional layer of protection is provided by a protecting shell 320. The protecting shell 320 allows the document 310 to be decrypted and rendered without ever leaving clear content (as in the clear content 216 of FIG. 2) available to be intercepted. This is accomplished by including decryption and rendering elements within the document 310, as will be described below with reference to FIG. 5. The included decryption and rendering elements are adapted to limit the user's interaction with the SPD, prohibiting certain operations (such as saving the document or performing cut-and-paste operations) according to the user's permissions.

FIG. 4 is a more sophisticated version. The scheme of FIG. 4 includes an intermediate "polarization" step adapted to secure the document after it has been decrypted but before it is rendered. First, the encrypted document contents 410 are passed to a polarizer 412. The polarizer 412 receives the user's private key 414 and, via a decryption step 416, decrypts the document contents 410. Concurrently, the polarizer 412 receives a polarization key 418 from the user's system. This polarization key 418 is used by the polarizer 412 to transform the document to a version having polarized contents 420. All of these operations can take place in the open, without any kind of protective mechanism, provided the polarizer 412 does not store a clear version of the document between decrypting it and polarizing it.

In one embodiment of the invention, the polarization key 418 represents a combination of data elements taken from the user's system's internal state, such as the date and time of day, elapsed time since the last keystroke, the processor's speed and serial number, and any other information that can be repeatably derived from the user's system. It is useful to include some time-derived information in the polarization key 418 so that interception and seizure of polarized contents 420 would not be useful. Further rendering of the polarized document would not be possible, as the system time would have changed too much.

Then, once again within a protecting shell 422, the polarized contents 420 are passed to a rendering application 424. As discussed above, typical rendering applications are third-party applications such as Microsoft Word or Adobe Acrobat Reader. However, it is likely that such external rendering applications will not be able to process the polarized contents 420, as the contents, any formatting codes, and other cues used by the renderer will have been scrambled in the polarization process.

Hence, the rendering application 424 must be commutative (or at least fault-tolerant), or it must receive polarized contents 420 that are largely complete and processable by the application. The latter possibility will be discussed below, in connection with FIG. 9.

The output of the rendering application is polarized presentation data 426, which has been formatted by the rendering application 424 but is still polarized, and hence not readable by the user. The polarized presentation data 426 is passed to a depolarizer 428, which receives the polarization key 418 and restores the original form of the document as presentation data 430. In one embodiment of the invention, the depolarization function is combined with the rendering or display function. In this case, the polarized presentation data 426 is received directly by a display device, which can be separate from the user's system and receive data over a communications channel.
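The FIG. 4 path described above (decrypt and polarize in one step, render on the polarized data, depolarize last, with a time-dependent polarization key 418), written out as an added Python example. This is illustration added here, not code from the patent or from ContentGuard, and its assumptions are all constructed: a shared symmetric key stands in for the user's private key 414, an HMAC-SHA256 counter keystream stands in for both the distribution cipher and the polarization transform, the polarization key is derived from a made-up CPU serial plus a 60-second time bucket, and the renderer is a fixed-width line wrapper, which is the FIG. 9 arrangement in which format tokens stay in the clear and only text runs are polarized.

```python
"""Toy self-protecting-document pipeline in the shape of FIG. 4 / FIG. 9.
Added example, not the patent's code.  Assumptions (all constructed): a shared
symmetric key stands in for the user's key pair 414, an HMAC-SHA256 counter
keystream stands in for both ciphers, and the polarization key 418 is derived
from a fake CPU serial plus a coarse time bucket."""
import hashlib
import hmac
from typing import List, Optional, Tuple

Segment = Tuple[str, bytes]  # ("fmt", b"<p>") or ("txt", <text bytes>)

# Constructed sample document: format tokens stay in the clear (FIG. 9);
# only the text runs are ever encrypted or polarized.
SAMPLE_DOC: List[Segment] = [
    ("fmt", b"<h>"), ("txt", b"Self-Protecting Documents"),
    ("fmt", b"<p>"), ("txt", b"Decrypt as late as possible."),
]
DIST_KEY = hashlib.sha256(b"distribution key for user 118 (constructed)").digest()


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256.  It is prefix-consistent: the
    bytes at offset k are the same however long a stream is requested."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def polarization_key(serial: str, now: int, window: int = 60) -> bytes:
    """Key 418: repeatable system state (serial) plus a time bucket, so
    polarized data seized now is useless once the bucket has rolled over."""
    return hashlib.sha256(f"{serial}|{now // window}".encode()).digest()


def distribute(doc: List[Segment], dist_key: bytes) -> List[Segment]:
    """Distributor 114: encrypt each text run under its own per-run label."""
    return [(k, xor(v, keystream(dist_key, b"dist%d" % i, len(v))) if k == "txt" else v)
            for i, (k, v) in enumerate(doc)]


def polarize(enc: List[Segment], dist_key: bytes, pol_key: bytes) -> List[Segment]:
    """Polarizer 412: decryption 416 and polarization in one pass.  The two
    keystreams are combined first, so the clear run is never materialised."""
    out = []
    for i, (k, v) in enumerate(enc):
        if k == "txt":
            mask = xor(keystream(dist_key, b"dist%d" % i, len(v)),
                       keystream(pol_key, b"pol%d" % i, len(v)))
            v = xor(v, mask)
        out.append((k, v))
    return out


def render(polarized: List[Segment], width: int = 16):
    """Rendering application 424: lays text out in lines of `width` bytes.
    It slices by position only, which commutes with the XOR mask, so it can
    run on polarized contents 420 and emit polarized presentation data 426."""
    lines, style = [], "body"
    for i, (k, v) in enumerate(polarized):
        if k == "fmt":
            style = {"<h>": "heading", "<p>": "body"}.get(v.decode(), style)
            continue
        for off in range(0, len(v), width):
            lines.append((style, i, off, v[off:off + width]))
    return lines


def depolarize(lines, pol_key: bytes) -> List[Tuple[str, str]]:
    """Depolarizer 428: unmask each rendered line from its run index and offset."""
    out = []
    for style, i, off, chunk in lines:
        ks = keystream(pol_key, b"pol%d" % i, off + len(chunk))[off:]
        out.append((style, xor(chunk, ks).decode("latin-1")))
    return out


def run_pipeline(serial: str = "CPU-0001", now: int = 1_000_000,
                 view_at: Optional[int] = None) -> List[Tuple[str, str]]:
    """Whole path of FIG. 4; `view_at` lets a stale depolarization be simulated."""
    enc = distribute(SAMPLE_DOC, DIST_KEY)
    pol = polarize(enc, DIST_KEY, polarization_key(serial, now))
    later = now if view_at is None else view_at
    return depolarize(render(pol), polarization_key(serial, later))


if __name__ == "__main__":
    for style, text in run_pipeline():
        print(f"[{style}] {text}")
    print("stale bucket:", run_pipeline(view_at=1_000_000 + 120)[0][1].encode("latin-1"))
```

Combining the two keystreams before touching the ciphertext is what makes "decrypt and polarize concurrently" more than a figure of speech: no buffer ever holds D(E(x)). The same code also shows the scheme's limit, which the patent itself acknowledges by rating polarization as cryptographically weaker than the distribution encryption: the mask is derived from state that any process on the machine can read, so it deters capture of intermediate files and screen buffers, not an attacker who runs the depolarizer under a debugger inside the protecting shell.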
Creation of the polarization key 418, the rendering application 424, and the depolarization step 428 are all elements of the protecting shell 422; these are tamper-resistant program elements. It is contemplated that all computational steps that occur within the protecting shell 422 will use local data only, and will not store temporary data to any globally accessible storage medium or memory area; only the explicit results will be exported from the protecting shell 422. This approach will prevent users from easily modifying operating system entry points or scavenging system resources so as to intercept and utilize intermediate data.

It should be noted that the presentation data 430 of FIG. 4, in alternative embodiments of the invention, can be either device independent or device dependent. In the device-independent case, additional processing by a device driver (such as a display driver or a printer driver) typically is necessary to complete the rendering process. In the presently preferred device-dependent case, the device-specific modifications to the presentation data have already been made (either in the rendering application 424 or the depolarizing step 428), and the presentation data 430 can be sent directly to the desired output device.

The decryption schemes described with reference to FIGS. 3 and 4 above are enabled by a unique document structure, which is shown in detail in FIG. 5. As discussed above, certain operations performed by the system and method of the invention require trusted components. One way to ensure that certain unmodified code is being used to perform the trusted aspects of the invention is to provide the code along with the documents. The various components of a self-protecting document according to the invention are illustrated in FIG. 5.

The problem of document protection is approached by the invention without any assumptions on the presence of trusted hardware units or software modules in the user's system. This is accomplished by enhancing a document to be an active meta-document object. Content owners (i.e., authors or publishers) attach rights to a document that specify the types of uses, the necessary authorizations and the associated fees, and a software module that enforces the permissions granted to the user. This combination of the document, the associated rights, and the attached software modules that enforce the rights is the self-protecting document ("SPD") of the invention. A self-protecting document prevents the unauthorized and uncontrolled use and distribution of the document, thereby protecting the rights of the content owners.

The self-protecting document 510 includes three major functional segments: an executable code segment 512 contains certain portions of executable code necessary to enable the user to use the encrypted document; a rights and permissions segment 514 contains data structures representative of the various levels of access that are to be permitted to various users; and a content segment 516 includes the encrypted content 116 (FIG. 1) sought to be viewed by the user.

In a preferred embodiment of the invention, the content segment 516 of the SPD 510 includes three subsections: document meta-information 518 (including but not limited […]

In one embodiment of the invention, the rights and permissions segment 514 includes information on each authorized user's specific rights. A list of terms and conditions may be attached to each usage right. For example, user John Doe may be given the right to view a particular document and to print it twice, at a cost of $10. In this case, the rights and permissions segment 514 identifies John Doe, associates two rights with him (a viewing right and a printing right), and specifies terms and conditions including the price ($10) and a limitation on printing (twice). The rights and permissions segment 514 may also include information on other users.

In an alternative embodiment, the rights and permissions segment 514 includes only a link to external information specifying rights information. In such a case, the actual rights and permissions are stored elsewhere, for example on a networked permission server, which must be queried each time the document is to be used. This approach provides the advantage that rights and permissions may be updated dynamically by the content owners. For example, the price for a view may be increased, or a user's rights may be terminated if unauthorized use has been detected.

In either scenario, the rights and permissions segment 514 is cryptographically signed (by methods known in the art) to prevent tampering with the specified rights and permissions; it may also be encrypted to prevent the user from directly viewing the rights and permissions of himself and others.

The executable code segment 512, also called the "SPD Control," also contains several subsections, each of which comprises a software module at least partially within the executable code segment. In one embodiment of the invention, the Java programming language is used for the SPD Control; however, it is contemplated that any platform-independent or platform-specific language, either interpreted or compiled, can be used in an implementation of this invention.

A rights enforcer 524 is present to verify the user's identity, to compare a requested action by the user to those actions enumerated in the rights and permissions segment 514, and to permit or deny the requested action depending on the specified rights. The operation of the rights enforcer 524 will be discussed in further detail below, in connection with FIG. 7.

A secured polarization engine 526 is also present within the executable code segment 512; it serves to read and polarize the data according to the system state (or other polarization key) as discussed above. In a preferred embodiment of the invention, the polarization engine 526 acts upon the document before it is stored or decrypted, so the document is never stored in the clear on the user's system. The polarization engine 526 is secured, that is, it is cryptographically signed and encrypted, to prevent tampering, reverse-engineering, and disassembling.

A counterpart depolarization engine 528 is also included to enable the generation of clear presentation data from the polarized content (see FIG. 4). The depolarization engine includes a set of secure window objects, providing a relatively tamper-proof interface to the rendering API (application program interface) of the user's system. The secure window objects are resistant to being intercepted, thereby reducing the possibility that the document, in its clear form, can be reconstructed by intercepting and receiving th[…]
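The rights enforcer 524 working over a signed rights and permissions segment 514, as an added Python example (illustration added here, not code from the patent or from ContentGuard). It uses the patent's own example terms, John Doe's right to view and to print twice for $10, and assumes an HMAC-SHA256 tag under a constructed key as a stand-in for the content owner's signature; the `tamper` helper and the in-memory usage counter are assumptions about how a local copy of the segment would be edited and how the permissions-update step of FIG. 7 would be kept.

```python
"""Rights enforcer 524 over a signed rights-and-permissions segment 514.
Added example, not the patent's code.  Assumption: an HMAC-SHA256 tag under a
constructed key stands in for the content owner's digital signature; a shipped
SPD would verify with a public key embedded in the SPD Control instead."""
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

SIGNING_KEY = hashlib.sha256(b"content-owner signing key (constructed)").digest()

# The patent's example: John Doe may view the document and print it twice, for $10.
PERMISSIONS = {
    "John Doe": {"price": 10, "rights": {"view": {}, "print": {"limit": 2}}},
}


def canonical(obj) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_segment(perms: Dict) -> Dict[str, str]:
    body = canonical(perms)
    return {"body": body.decode(),
            "sig": hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()}


def verify_segment(blob: Dict[str, str]) -> Optional[Dict]:
    """Return the parsed rights only if the tag matches; never parse first and check later."""
    body = blob["body"].encode()
    expect = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, blob["sig"]):
        return None
    return json.loads(body)


class RightsEnforcer:
    """Compares a requested action against the enumerated rights and keeps the
    per-right usage counts that FIG. 7 updates after each permitted action."""

    def __init__(self, signed_segment: Dict[str, str]):
        self.rights = verify_segment(signed_segment)  # None means a tampered segment
        self.usage: Dict[Tuple[str, str], int] = {}

    def authorize(self, user: str, action: str) -> Tuple[bool, str]:
        if self.rights is None:
            return False, "rights segment signature invalid"
        entry = self.rights.get(user)
        if entry is None:
            return False, f"no rights granted to {user}"
        right = entry["rights"].get(action)
        if right is None:
            return False, f"{action} not among granted rights"
        used = self.usage.get((user, action), 0)
        if "limit" in right and used >= right["limit"]:
            return False, f"{action} limit of {right['limit']} exhausted"
        self.usage[(user, action)] = used + 1  # the permissions-update step
        return True, f"{action} permitted ({used + 1} used, fee ${entry['price']})"


def tamper(signed: Dict[str, str], new_limit: int) -> Dict[str, str]:
    """What a user editing the segment on disk can do: change the body, not the tag."""
    body = json.loads(signed["body"])
    body["John Doe"]["rights"]["print"]["limit"] = new_limit
    return {"body": canonical(body).decode(), "sig": signed["sig"]}


def demo() -> list:
    segment = sign_segment(PERMISSIONS)
    enforcer = RightsEnforcer(segment)
    decisions = [enforcer.authorize("John Doe", a)[0]
                 for a in ("view", "print", "print", "print", "save")]
    decisions.append(enforcer.authorize("Jane Roe", "view")[0])
    decisions.append(RightsEnforcer(tamper(segment, 200)).authorize("John Doe", "print")[0])
    return decisions


if __name__ == "__main__":
    print(demo())  # [True, True, True, False, False, False, False]
```

Two points worth holding against the text above. The segment is verified before it is parsed, and with a constant-time compare, so an edited limit is rejected outright rather than read and then argued with. And the usage counter is local state on the user's machine: the signature protects what was granted, not how much has been consumed, which is the gap the audit server 130 of FIG. 1 and the networked permission server alternative are there to close. A real SPD Control would also verify with an embedded public key rather than a shared secret, since anything it has to keep secret on an untrusted host is extractable.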