WO 98/09209 PCT/US97/15243

SPE 503, the RPC service table is extended by an RPC dispatch table. The preferred embodiment RPC dispatch table is organized as a list of Load Module references for each RPC service supported internally by SPE 503. Each row in the table contains a load module ID that services the call, a control byte that indicates whether the call can be made from an external caller, and whether the load module needed to service the call is permanently resident in SPU 500. The RPC dispatch table may be constructed in SPU ROM 532 (or EEPROM) when SPU firmware 508 is loaded into the SPU 500. If the RPC dispatch table is in EEPROM, it flexibly allows for updates to the services without load module location and version control issues.

In the preferred embodiment, SPE RPC manager 550 first references a service request against the RPC service table to determine the location of the service manager that may service the request. The RPC manager 550 then routes the service request to the appropriate service manager for action. Service requests are handled by the service manager within the SPE 503 using the RPC dispatch table to dispatch the request. Once the RPC manager 550 locates the service reference in the RPC dispatch table, the load module that services the request is called and loaded using the load module execution manager 568. The load module execution manager 568 passes control to the requested load module after performing all required context configuration, or if necessary may first issue a request to load it from the external management files 610.

Petitioner Apple Inc. — Exhibit 1002, p. 5001
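
The control-byte checks described above, as an added example written for this page (not code from the patent or from any VDE implementation): a dispatcher that refuses external callers for internal-only rows and pages a load module in only when its row does not mark it permanently resident. The bit assignments, service IDs and the `echo` load modules are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Control byte bits for one RPC dispatch table row. The page says the byte
// records whether an external caller may make the call and whether the
// servicing load module is permanently resident; the bit positions are assumed.
const (
	CtlExternalOK uint8 = 1 << 0
	CtlResident   uint8 = 1 << 1
)

// DispatchEntry is one row of the RPC dispatch table.
type DispatchEntry struct {
	LoadModuleID uint32
	Control      uint8
}

// LoadModule stands in for the code that services a call.
type LoadModule func(args []byte) ([]byte, error)

var (
	ErrUnknownService = errors.New("no dispatch table entry for service")
	ErrExternalDenied = errors.New("service may not be called from outside the SPE")
	ErrModuleMissing  = errors.New("servicing load module not available")
)

// Dispatcher models RPC manager 550 together with load module execution manager 568.
type Dispatcher struct {
	table    map[uint16]DispatchEntry // service ID -> dispatch table row
	resident map[uint32]LoadModule    // load modules currently in SPU RAM
	external map[uint32]LoadModule    // load modules fetchable from management files 610
	PagedIn  []uint32                 // IDs of modules that were demand-loaded, for inspection
}

// Dispatch enforces the control byte before any module code runs: external
// callers are refused unless the row allows them, and a module is only paged
// in when the row does not claim it is permanently resident.
func (d *Dispatcher) Dispatch(serviceID uint16, fromExternal bool, args []byte) ([]byte, error) {
	e, ok := d.table[serviceID]
	if !ok {
		return nil, ErrUnknownService
	}
	if fromExternal && e.Control&CtlExternalOK == 0 {
		return nil, ErrExternalDenied
	}
	lm, ok := d.resident[e.LoadModuleID]
	if !ok {
		if e.Control&CtlResident != 0 {
			// The table says this module never leaves SPU RAM, so its absence
			// is an integrity problem rather than a reason to load from outside.
			return nil, ErrModuleMissing
		}
		lm, ok = d.external[e.LoadModuleID]
		if !ok {
			return nil, ErrModuleMissing
		}
		d.resident[e.LoadModuleID] = lm
		d.PagedIn = append(d.PagedIn, e.LoadModuleID)
	}
	return lm(args)
}

// NewSampleDispatcher builds a constructed three-row table: a resident,
// externally callable time service; an internal-only key service that is
// paged in on first use; and a pageable, externally callable encrypt service.
func NewSampleDispatcher() *Dispatcher {
	echo := func(prefix string) LoadModule {
		return func(args []byte) ([]byte, error) { return append([]byte(prefix), args...), nil }
	}
	return &Dispatcher{
		table: map[uint16]DispatchEntry{
			1: {LoadModuleID: 100, Control: CtlExternalOK | CtlResident},
			2: {LoadModuleID: 200, Control: 0},
			3: {LoadModuleID: 300, Control: CtlExternalOK},
		},
		resident: map[uint32]LoadModule{100: echo("time:")},
		external: map[uint32]LoadModule{200: echo("key-stored:"), 300: echo("ct:")},
	}
}

func main() {
	d := NewSampleDispatcher()
	requests := []struct {
		svc uint16
		ext bool
	}{{1, true}, {2, true}, {2, false}, {3, true}, {3, true}}
	for _, r := range requests {
		out, err := d.Dispatch(r.svc, r.ext, []byte("x"))
		fmt.Printf("service %d external=%v -> %q err=%v\n", r.svc, r.ext, out, err)
	}
	fmt.Println("paged in:", d.PagedIn)
}
```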

SPU Time Base Manager 554

The time base manager 554 supports calls that relate to the real time clock ("RTC") 528. In the preferred embodiment, the time base manager 554 is always loaded and ready to respond to time based requests.

The table below lists examples of basic calls that may be supported by the time base manager 554:

Call Name                  Description
(name illegible)           Sets the time in the RTC 528. Access to this command may be restricted to a VDE administrator.
(name illegible)           Changes the time in the RTC 528. Access to this command may be restricted to a VDE administrator.
(name illegible)           Set GMT / local time conversion and the current and allowable magnitude of user adjustments to RTC 528 time.

Channel Services Manager Requests
Bind Time                  Bind timer services to a channel as an event source.
Unbind Time                Unbind timer services from a channel as an event source.
(name illegible)           Sets an alarm notification for a specific time. The user will be notified by an alarm event at the time of the alarm. Parameters to this request determine the event, frequency, and requested processing for the alarm.
Clear Alarm                Cancels a requested alarm notification.

SPU Encryption/Decryption Manager 556

The Encryption/Decryption Manager 556 supports calls to the various encryption/decryption techniques supported by SPE 503/HPE 655. It may be supported by a hardware-based encryption/decryption engine 522 within SPU 500. Those encryption/decryption technologies not supported by SPU encrypt/decrypt engine 522 may be provided by encrypt/decrypt manager 556 in software. The primary bulk encryption/decryption load modules preferably are loaded at all times, and the load modules necessary for other algorithms are preferably paged in as needed. Thus, if the primary bulk encryption/decryption algorithm is DES, only the DES load modules need be permanently resident in the RAM 534a of SPE 503/HPE 655.

The following are examples of RPC calls supported by Encrypt/Decrypt Manager 556 in the preferred embodiment:

Call Name                  Description
PK Encrypt                 Encrypt a block using a PK (public key) algorithm.
Encrypt                    Encrypt a block using the RC-4 (or other bulk encryption) algorithm.
Decrypt                    Decrypt a block using the RC-4 (or other bulk encryption) algorithm.
Initialize DES Instance    Initialize DES instance to be used.
Initialize RC-4 Instance   Initialize RC-4 instance to be used.
Initialize MD5 Instance    Initialize MD5 instance to be used.

The call parameters passed may include the key to be used; mode (encryption or decryption); any needed Initialization Vectors; the desired cryptographic operating (e.g., type of feedback); the identification of the cryptographic instance to be used; and the start address, destination address, and length of the block to be encrypted or decrypted.

SPU Key and Tag Manager 558

The SPU Key and Tag Manager 558 supports calls for key storage, key and management file tag look up, key convolution, and the generation of random keys, tags, and transaction numbers.

The following table shows an example of a list of SPE/HPE key and tag manager service 558 calls:

Call Name                      Description
Get Key                        Retrieve the requested key.
Set Key                        Set (store) the specified key.
Generate Key                   Generate a key (pair) for a specified algorithm.
Generate Convoluted Key        Generate a key using a specified convolution algorithm and algorithm parameter block.
(name illegible)               Return the currently set (default) convolution parameters for a specific convolution algorithm.
Calculate Hash Block Number    Calculate the "hash block number" for a specific VDE Item ID.
Set Hash Parameters            Set the hash parameters and hash algorithm. Forces a resynchronization of the hash table.
Get Hash Parameters            Retrieve the current hash parameters/algorithm.
Synchronize Management Files   Synchronize the management files and rebuild the hash block tables based on information found in the tables. Reserved for VDE

Keys and tags may be securely generated within SPE 503 (HPE 655) in the preferred embodiment. The key generation algorithm is typically specific to each type of encryption supported. The generated keys may be checked for cryptographic weakness before they are used. A request for Key and Tag Manager 558 to generate a key, tag and/or transaction number preferably takes a length as its input parameter. It generates a random number (or other appropriate key value) of the requested length as its output.

The key and tag manager 558 may support calls to retrieve specific keys from the key storage areas in SPU 500 and any keys stored external to the SPU. The basic format of the calls is to request keys by key type and key number. Many of the keys are periodically updated through contact with the VDE administrator, and are kept within SPU 500 in NVRAM 534b or EEPROM because these memories are secure, updatable and non-volatile.

SPE 503/HPE 655 may support both Public Key type keys and Bulk Encryption type keys. The public key (PK) encryption type keys stored by SPU 500 and managed by key and tag manager 558 may include, for example, a device public key, a device private key, a PK certificate, and a public key for the certificate. Generally, public keys and certificates can be stored externally in non-secured memory if desired, but the device private key and the public key for the certificate should only be stored internally in an SPU 500 EEPROM or NVRAM 534b. Some of the types of bulk encryption keys used by the SPU 500 may include, for example, general-purpose bulk encryption keys, administrative object private header keys, stationary object private header keys, traveling object private header keys, download/initialization keys, backup keys, trail keys, and management file keys.

As discussed above, preferred embodiment Key and Tag Manager 558 supports requests to adjust or convolute keys to make new keys that are produced in a deterministic way dependent on site and/or time, for example. Key convolution is an algorithmic process that acts on a key and some set of input parameter(s) to yield a new key. It can be used, for example, to increase the number of keys available for use without incurring additional key storage space. It may also be used, for example, as a process to "age" keys by incorporating the value of real-time RTC 528 as parameters. It can be used to make keys site specific by incorporating aspects of the site ID as parameters.
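
Key convolution as an added example (the patent does not specify the algorithm; this is not its code): the derived key is HMAC-SHA256 of a stored base key over a parameter block carrying an algorithm identifier, the site ID and an RTC-derived time window, so keys are site specific, age with the clock, and need no additional storage. The field layout, the HMAC choice and the sample values are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"time"
)

// ConvolutionParams are the inputs a convolution acts on. The page names the
// site ID and the RTC value as example parameters; the field set, encoding and
// algorithm identifier are this example's own choices.
type ConvolutionParams struct {
	Algorithm uint8  // which convolution algorithm; keeps outputs of different algorithms apart
	SiteID    uint32 // makes the derived key site specific
	Epoch     uint32 // RTC-derived time window; a new window "ages" the key
	Purpose   string // label separating keys derived for different uses
}

// Convolute derives a new key from a stored base key and the parameter block
// using HMAC-SHA256 (the convolution algorithm assumed here). The result is
// deterministic, so many keys can be produced from one stored key.
func Convolute(baseKey []byte, p ConvolutionParams) []byte {
	mac := hmac.New(sha256.New, baseKey)
	var hdr [9]byte
	hdr[0] = p.Algorithm
	binary.BigEndian.PutUint32(hdr[1:5], p.SiteID)
	binary.BigEndian.PutUint32(hdr[5:9], p.Epoch)
	mac.Write(hdr[:])
	mac.Write([]byte(p.Purpose))
	return mac.Sum(nil)
}

// EpochFor maps an RTC reading to the time window the key is aged by: all
// readings within one window yield the same key, the next window a new one.
func EpochFor(rtc time.Time, window time.Duration) uint32 {
	return uint32(rtc.Unix() / int64(window/time.Second))
}

// AgedSiteKey combines the two uses the page describes: the derived key depends
// on both the site ID and the current RTC window.
func AgedSiteKey(baseKey []byte, siteID uint32, rtc time.Time, window time.Duration) []byte {
	return Convolute(baseKey, ConvolutionParams{
		Algorithm: 1, SiteID: siteID, Epoch: EpochFor(rtc, window), Purpose: "bulk-encryption",
	})
}

func main() {
	base := []byte("constructed-base-key-not-for-real-use") // constructed sample key
	rtc := time.Date(2024, 1, 1, 10, 0, 0, 0, time.UTC)   // constructed RTC reading
	for _, site := range []uint32{1, 2} {
		for _, t := range []time.Time{rtc, rtc.Add(30 * time.Minute), rtc.Add(time.Hour)} {
			k := AgedSiteKey(base, site, t, time.Hour)
			fmt.Printf("site %d at %s -> %s...\n", site, t.Format("15:04"), hex.EncodeToString(k)[:16])
		}
	}
}
```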

Key and Tag Manager 558 also provides services relating to tag generation and management. In the preferred embodiment, transaction and access tags are preferably stored by SPE 503 (HPE 655) in protected memory (e.g., within the NVRAM 534b of SPU 500). These tags may be generated by key and tag manager 558. They are used to, for example, check access rights to, validate and correlate data elements. For example, they may be used to ensure components of the secured data structures are not tampered with outside of the SPU 500. Key and tag manager 558 may also support a trail transaction tag and a communications transaction tag.

SPU Summary Services Manager 560

SPE 503 maintains an audit trail in reprogrammable non-volatile memory within the SPU 500 and/or in secure database 610. This audit trail may consist of an audit summary of budget activity for financial purposes, and a security summary of SPU use. When a request is made to the SPU, it logs the request as having occurred and then notes whether the request succeeded or failed. All successful requests may be summed and stored by type in the SPU 500. Failure information, including the elements listed below, may be saved along with details of the failure:

- an SPE on Access Failures

This information may be analyzed to detect cracking attempts or to determine patterns of usage outside expected (and budgeted) norms. The audit trail histories in the SPU 500 may be retained until the audit is reported to the appropriate parties. This will allow both legitimate failure analysis and attempts to cryptoanalyze the SPU to be noted.

Summary services manager 560 may store and maintain this internal summary audit information. This audit information can be used to check for security breaches or other aspects of the operation of SPE 503. The event summaries may be maintained, analyzed and used by SPE 503 (HPE 655) or a VDE administrator to determine and potentially limit abuse of electronic appliance 600. In the preferred embodiment, such parameters may be stored in secure memory (e.g., within the NVRAM 534b of SPU 500).

There are two basic structures for which summary services are used in the preferred embodiment. One (the "event summary data structure") is VDE administrator specific and keeps track of events. The event summary structure may be maintained and audited during periodic contact with VDE administrators. The other is used by VDE administrators and/or distributors for overall budget. A VDE administrator may register for event summaries and an overall budget summary at the time an electronic appliance 600 is initialized. The overall budget summary may be reported to and used by a VDE administrator in determining distribution of consumed budget (for example) in the case of corruption of secure management files 610. Participants that receive appropriate permissions can register their processes (e.g., specific budgets) with summary services manager 560, which may then reserve protected memory space (e.g., within NVRAM 534b) and keep desired use and/or access parameters. Access to and modification of each summary can be controlled by its own access tag.

The following table shows an example of a list of PPE summary service manager 560 service calls:

Call Name               Description
Create summary info     Create a summary service if the user has a "ticket" that permits her to request this service.
(name illegible)        Return the current value of the summary service. The caller must present an appropriate tag (and/or "ticket") to use this request.
(name illegible)        Set the value of a summary service.
Increment               Increment the specified summary service (e.g., a scalar meter summary data area). The caller must present an appropriate tag (and/or "ticket") to use this request.
(name illegible)        Destroy the specified summary service if the user has a tag and/or "ticket" that permits them to request this service.

In the preferred embodiment, the event summary data structure uses a fixed event number to index into a look up table. The look up table contains a value that can be configured as a counter or a counter plus limit. Counter mode may be used by VDE administrators to determine device usage. The limit mode may be used to limit tampering and attempts to misuse the electronic appliance 600. Exceeding a limit will result in SPE 503 (HPE 655) refusing to service user requests until it is reset by a VDE administrator. Calls to the system wide event summary process may preferably be built into all load modules that process the events that are of interest.
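
The counter and counter-plus-limit slots described above, as an added example that is not taken from the patent: a fixed event number indexes the table, exceeding a slot's limit locks out user requests until an authenticated administrator resets it, and counter-mode slots keep counting for audit. The event numbers, the limits and the reset semantics (limited counters restart at zero) are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed event numbers. A fixed number indexes the look-up table directly,
// as the page describes; which events get which numbers is assumed here.
const (
	EvInitOK      = 0 // counter mode: usage statistics only
	EvAuthFailed  = 1 // counter plus limit: repeated failures lock the SPE
	EvTagMismatch = 2 // counter plus limit with a very low threshold
)

// Slot is one look-up table entry: a counter, optionally with a limit.
// Limit 0 means plain counter mode (that encoding is an assumption).
type Slot struct {
	Count uint32
	Limit uint32
}

var (
	ErrLocked       = errors.New("SPE locked: a summary limit was exceeded; VDE administrator reset required")
	ErrUnknownEvent = errors.New("event number outside the summary table")
)

// EventSummary models the event summary data structure kept in protected memory.
type EventSummary struct {
	slots  []Slot
	locked bool
}

func NewEventSummary(slots []Slot) *EventSummary { return &EventSummary{slots: slots} }

// Record is the call built into load modules for events of interest. Counting
// continues even while locked so the audit trail stays complete; in limit mode,
// exceeding the limit locks the SPE and the lock persists across calls.
func (s *EventSummary) Record(ev int) error {
	if ev < 0 || ev >= len(s.slots) {
		return ErrUnknownEvent
	}
	slot := &s.slots[ev]
	slot.Count++
	if slot.Limit != 0 && slot.Count > slot.Limit {
		s.locked = true
	}
	if s.locked {
		return ErrLocked
	}
	return nil
}

// ServiceAllowed is what every other user request checks before proceeding.
func (s *EventSummary) ServiceAllowed() bool { return !s.locked }

// Count exposes a slot's value for audit reporting.
func (s *EventSummary) Count(ev int) uint32 { return s.slots[ev].Count }

// AdministratorReset clears the lock for an authenticated VDE administrator only.
// Limited counters restart at zero; counter-mode slots keep their usage totals.
func (s *EventSummary) AdministratorReset(adminAuthenticated bool) bool {
	if !adminAuthenticated {
		return false
	}
	for i := range s.slots {
		if s.slots[i].Limit != 0 {
			s.slots[i].Count = 0
		}
	}
	s.locked = false
	return true
}

// NewSampleSummary builds a constructed three-slot table.
func NewSampleSummary() *EventSummary {
	return NewEventSummary([]Slot{
		EvInitOK:      {Limit: 0},
		EvAuthFailed:  {Limit: 3},
		EvTagMismatch: {Limit: 1},
	})
}

func main() {
	s := NewSampleSummary()
	_ = s.Record(EvInitOK)
	for i := 1; i <= 4; i++ {
		fmt.Printf("auth failure %d: err=%v allowed=%v\n", i, s.Record(EvAuthFailed), s.ServiceAllowed())
	}
	fmt.Println("unauthenticated reset:", s.AdministratorReset(false), "allowed:", s.ServiceAllowed())
	fmt.Println("administrator reset:", s.AdministratorReset(true), "allowed:", s.ServiceAllowed())
}
```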

The following table shows examples of events that may be separately metered by the preferred embodiment event summary data structure:

Event Type          Event
Successful Events   Initialization completed successfully.
                    User authentication accepted.
                    Communications established.
                    Channel loads set for specified values.
                    Decryption completed.
                    Key information updated.
                    New budget created or existing budget updated.
                    New billing information generated or existing billing updated.
                    New meter set up or existing meter updated.
                    New PERC created or existing PERC updated.
                    New objects registered.
                    Administrative objects successfully processed.
                    Audit processed successfully.
Failed Events       Initialization failed.
                    correlation tag match.
                    Available budget insufficient to complete requested procedure.
                    Audit did not occur.
                    Administrative object did not process correctly.
                    Other failed events.

Another, "overall currency budget" summary data structure maintained by the preferred embodiment summary services manager 560 allows registration of VDE electronic appliance 600. The first entry is used for an overall currency budget consumed value, and is registered by the VDE administrator that first initializes SPE 503 (HPE 655). Certain currency consuming load modules and audit load modules that complete the auditing process for consumed currency budget may call the summary services manager 560 to update the currency consumed value. Special authorized load modules may have access to the overall currency summary, while additional summaries can be registered for by individual providers.

SPE Authentication Manager/Service Communications Manager 564

The Authentication Manager/Service Communications Manager 564 supports calls for user password validation and "ticket" generation and validation. It may also support secure communications between SPE 503 and an external node or device (e.g., a VDE administrator or distributor). It may support the following examples of authentication-related service requests in the preferred embodiment:

Call Name            Description
User Services
Create User          Creates a new user and stores Name Services Records (NSRs) for use by the Name Services Manager 752.
Authenticate User    Authenticates a user for use of the system. This request lets the caller authenticate as a specific user ID. Group membership is also authenticated by this request. The authentication returns a "ticket" for the user.
Delete User          Deletes a user's NSR and related records.
Ticket Services
Generate Ticket      Generates a "ticket" for use of one or more services.
Authenticate Ticket  Authenticates a "ticket."

Not included in the table above are calls to the secure communications service. The secure communications service provided by manager 564 may provide (e.g., in conjunction with low-level services manager 582 if desired) secure communications based on a public key (or others) challenge-response protocol. This protocol is discussed in further detail elsewhere in this document. Tickets identify users with respect to the electronic appliance 600 in the case where the appliance may be used by multiple users. Tickets may be requested by and returned to VDE software applications through a ticket-granting protocol (e.g., Kerberos). VDE components may require tickets to be presented in order to authorize particular services.

SPE Secure Database Manager 566

Secure database manager 566 retrieves, maintains and stores secure database records within secure database 610 on memory external to SPE 503. Many of these secure database files 610 are in encrypted form. All secure information retrieved by secure database manager 566 therefore must be decrypted by encrypt/decrypt manager 556 before use. Secure information (e.g., records of use) produced by SPE 503 (HPE 655) which must be stored external to the secure execution environment are also encrypted by encrypt/decrypt manager 556 before they are stored via secure database manager 566 in a secure database file 610.

For each VDE item loaded into SPE 503, Secure Database manager 566 in the preferred embodiment may search a master list for the VDE item ID, and then check the corresponding transaction tag against the one in the item to ensure that the item provided is the current item. Secure Database Manager 566 may maintain a list of VDE item IDs and transaction tags in a "hash structure" that can be paged into SPE 503 to quickly locate the appropriate VDE item ID. In smaller systems, a look up table approach may be used. In either case, the list should be structured as a pagable structure that allows VDE item ID to be located quickly.

The "hash based" approach may be used to sort the list into "hash buckets" that may then be accessed to provide more rapid and efficient location of items in the list. In the "hash based" approach, the VDE item IDs are "hashed" through a subset of the full item ID and organized as pages of the "hashed" table. Each "hashed" page may contain the rest of the VDE item ID and current transaction tag for each item associated with that page. The "hash" table page number may be derived from the components of the VDE item ID, such as distribution ID, item ID, site ID, user ID, transaction tag, creator ID, type and/or version. The hashing algorithm (both the algorithm itself and the parameters to be hashed) may be configurable by a VDE administrator on a site by site basis to provide optimum hash page use. An example of a hash page structure appears below:

Hash Page Header
    Distributor ID
    Site ID
    Transaction Tag
Hash Page Entry
    Item ID
    Type
    Version
    Transaction Tag

In this example, each hash page may contain all of the VDE item IDs and transaction tags for items that have identical distributor ID, item ID, and user ID fields (site ID will be fixed for a given electronic appliance 600). These four pieces of information may thus be used as hash algorithm parameters. The "hash" pages may themselves be frequently updated, and should carry transaction tags that are checked each time a "hash" page is loaded. The transaction tag may also be updated each time a "hash" page is written out.

As an alternative to the hash-based approach, if the number of updatable items is kept small (such as in a dedicated consumer electronic appliance 600), then assigning each updatable item a unique sequential site record number as part of its VDE item ID may allow a look up table approach to be used. Only a small number of bytes of transaction tag are needed per item, and a table transaction tag for all frequently updatable items can be kept in protected memory such as SPU NVRAM 534b.
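
The hash page lookup and the two transaction tag checks described above, as an added example that is not the patent's code: the page index is derived from the distributor, item, site and user ID components, each page's own tag is compared with a protected copy whenever the page is loaded (so an old or replayed page is rejected), and the tag presented with an item is compared with the page entry to confirm the item is current. FNV-1a as the hash, the modulus, the `Register` write-out step and the sample IDs are assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"hash/fnv"
)

// VDEItemID carries the item ID components the page lists as hash inputs.
type VDEItemID struct {
	DistributorID, ItemID, SiteID, UserID uint32
	Type, Version                         uint16
}

// HashPageEntry follows the "Hash Page Entry" layout: the rest of the item ID
// plus that item's current transaction tag.
type HashPageEntry struct {
	ItemID         uint32
	Type, Version  uint16
	TransactionTag uint64
}

// HashPage follows the "Hash Page Header" layout. Its own TransactionTag is
// checked against a protected copy on every load, as the text requires.
type HashPage struct {
	DistributorID, SiteID uint32
	TransactionTag        uint64
	Entries               []HashPageEntry
}

var (
	ErrStalePage   = errors.New("hash page tag differs from protected copy (old or replayed page)")
	ErrUnknownItem = errors.New("item not found in its hash page")
	ErrStaleItem   = errors.New("presented transaction tag is not the current one")
)

// PageNumber hashes the ID subset named on the page (distributor, item, site,
// user) to a page index. FNV-1a plus a modulus is this example's assumption.
func PageNumber(id VDEItemID, pageCount uint32) uint32 {
	var b [16]byte
	binary.BigEndian.PutUint32(b[0:], id.DistributorID)
	binary.BigEndian.PutUint32(b[4:], id.ItemID)
	binary.BigEndian.PutUint32(b[8:], id.SiteID)
	binary.BigEndian.PutUint32(b[12:], id.UserID)
	h := fnv.New32a()
	h.Write(b[:])
	return h.Sum32() % pageCount
}

// SecureDB stands in for secure database manager 566: pages is the external,
// untrusted storage; pageTags is the protected copy (SPU NVRAM 534b in the text).
type SecureDB struct {
	pageCount uint32
	pages     map[uint32]*HashPage
	pageTags  map[uint32]uint64
}

func NewSecureDB(pageCount uint32) *SecureDB {
	return &SecureDB{pageCount: pageCount, pages: map[uint32]*HashPage{}, pageTags: map[uint32]uint64{}}
}

// ExternalPage returns the untrusted stored copy of a page (used to show what
// a rollback of external storage looks like).
func (db *SecureDB) ExternalPage(n uint32) *HashPage { return db.pages[n] }

func match(e HashPageEntry, id VDEItemID) bool {
	return e.ItemID == id.ItemID && e.Type == id.Type && e.Version == id.Version
}

// Register records an item's current tag and writes its page out: the page tag
// advances and the protected copy is updated in the same step.
func (db *SecureDB) Register(id VDEItemID, tag uint64) {
	n := PageNumber(id, db.pageCount)
	p := db.pages[n]
	if p == nil {
		p = &HashPage{DistributorID: id.DistributorID, SiteID: id.SiteID}
		db.pages[n] = p
	}
	found := false
	for i := range p.Entries {
		if match(p.Entries[i], id) {
			p.Entries[i].TransactionTag, found = tag, true
		}
	}
	if !found {
		p.Entries = append(p.Entries, HashPageEntry{id.ItemID, id.Type, id.Version, tag})
	}
	p.TransactionTag++
	db.pageTags[n] = p.TransactionTag
}

// CheckCurrent is the check made for each item loaded into the SPE: page in
// the hash page (verifying its tag), locate the item, and confirm the presented
// tag is the current one.
func (db *SecureDB) CheckCurrent(id VDEItemID, presented uint64) error {
	n := PageNumber(id, db.pageCount)
	p, ok := db.pages[n]
	if !ok {
		return ErrUnknownItem
	}
	if p.TransactionTag != db.pageTags[n] {
		return ErrStalePage
	}
	for _, e := range p.Entries {
		if match(e, id) {
			if e.TransactionTag != presented {
				return ErrStaleItem
			}
			return nil
		}
	}
	return ErrUnknownItem
}
```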

Random Value Generator Manager 565

Random Value Generator Manager 565 may generate random values. If a hardware-based SPU random value generator 542 is present, the Random Value Generator Manager 565 may use it to assist in generating random values.

Other SPE RPC Services 592

Other authorized RPC services may be included in SPU 500 by having them "register" themselves in the RPC Services Table and adding their entries to the RPC Dispatch Table. For example, one or more component assemblies 690 may be used to provide additional services as an integral part of SPE 503 and its associated operating system. Requests to services not registered in these tables will be passed out of SPE 503 (HPE 655) for external servicing.

SPE 503 Performance Considerations

Performance of SPE 503 (HPE 655) is a function of:

- complexity of the component assemblies used
- number of simultaneous component assembly operations
- amount of internal SPU memory available
- speed of algorithm for block encryption/decryption

The complexity of component assembly processes along with the number of simultaneous component assembly processes is perhaps the primary factor in determining performance. These factors combine to determine the amount of code and data that must be resident in SPU 500 at any one time (the minimum device size) and thus the number of device size "chunks" the processes must be broken down into. Segmentation inherently increases run time size over simpler models. Of course, feature limited versions of SPU 500 may be implemented using significantly smaller amounts of RAM 534. "Aggregate" load modules as described above may remove flexibility in configuring VDE structures and also further limit the ability of participants to individually update otherwise separated elements, but may result in a smaller minimum device size. A very simple metering version of SPU 500 can be constructed to operate with minimal device resources.

The amount of RAM 534 internal to SPU 500 has more impact on the performance of the SPE 503 than perhaps any other aspect of the SPU. The flexible nature of VDE processes allows use of a large number of load modules, methods and user data elements. It is impractical to store more than a small number of these items in ROM 532 within SPU 500. Most of the code and data structures needed to support a specific VDE process will need to be dynamically loaded into the SPU 500 for the specific VDE process when the process is invoked. The operating system within SPU 500 then may page in the necessary VDE items to perform the process. The amount of RAM 534 within SPU 500 will directly determine how large any single VDE load module plus its required data can be, as well as the number of page swaps that will be necessary to run a VDE process. The SPU I/O speed, encryption/decryption speed, and the amount of internal memory 532, 534 will directly affect the number of page swaps required in the device. Insecure external memory may reduce the wait time for swapped pages to be loaded into SPU 500, but will still incur substantial encryption/decryption penalty for each page.

In order to maintain security, SPE 503 must encrypt and cryptographically seal each block being swapped out to a storage device external to a supporting SPU 500, and must similarly decrypt, verify the cryptographic seal for, and validate each block as it is swapped into SPU 500. Thus, the data movement and encryption/decryption overhead for each swap block has a very large impact on SPE performance.
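
Sealing each swapped-out block, as an added example (the patent names no cipher; AES-GCM is this example's choice, and the code is not the patent's): the block number and a per-block swap counter are bound into the seal as associated data, so a block that is tampered with or relabelled fails the seal check, and an old but validly sealed copy is rejected by the separate freshness check against the counter kept inside the SPU. The key and block contents are constructed test values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// SealedBlock is what leaves the SPU: AES-GCM ciphertext with its tag, plus the
// nonce, block number and swap counter that were bound into the seal.
type SealedBlock struct {
	BlockNo uint32
	Swap    uint64
	Nonce   []byte
	Data    []byte // ciphertext || GCM tag
}

var (
	ErrSealInvalid = errors.New("cryptographic seal check failed")
	ErrStaleBlock  = errors.New("block is not the most recently swapped-out copy")
)

// Swapper holds the swap key and, per block, the swap counter of the latest
// written copy. Both stand in for state kept inside the SPU.
type Swapper struct {
	aead   cipher.AEAD
	latest map[uint32]uint64
}

func NewSwapper(key []byte) (*Swapper, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	return &Swapper{aead: aead, latest: map[uint32]uint64{}}, nil
}

// aad binds block number and swap counter into the seal, so a sealed block
// cannot be relabelled as a different block or a different generation.
func aad(blockNo uint32, swap uint64) []byte {
	var b [12]byte
	binary.BigEndian.PutUint32(b[0:4], blockNo)
	binary.BigEndian.PutUint64(b[4:12], swap)
	return b[:]
}

// SwapOut encrypts and seals a block on its way to external storage.
func (s *Swapper) SwapOut(blockNo uint32, plain []byte) (SealedBlock, error) {
	swap := s.latest[blockNo] + 1
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedBlock{}, err
	}
	data := s.aead.Seal(nil, nonce, plain, aad(blockNo, swap))
	s.latest[blockNo] = swap
	return SealedBlock{BlockNo: blockNo, Swap: swap, Nonce: nonce, Data: data}, nil
}

// SwapIn decrypts and verifies the seal, then validates that this is the latest
// copy: an older sealed copy still carries a valid seal, so the freshness check
// is a separate step that needs the protected counter.
func (s *Swapper) SwapIn(b SealedBlock) ([]byte, error) {
	plain, err := s.aead.Open(nil, b.Nonce, b.Data, aad(b.BlockNo, b.Swap))
	if err != nil {
		return nil, ErrSealInvalid
	}
	if b.Swap != s.latest[b.BlockNo] {
		return nil, ErrStaleBlock
	}
	return plain, nil
}

func main() {
	s, err := NewSwapper(make([]byte, 32)) // constructed all-zero test key
	if err != nil {
		panic(err)
	}
	first, _ := s.SwapOut(5, []byte("block five, generation one"))
	second, _ := s.SwapOut(5, []byte("block five, generation two"))
	tampered := second
	tampered.Data = append([]byte(nil), second.Data...)
	tampered.Data[0] ^= 1
	for name, b := range map[string]SealedBlock{"latest": second, "replayed": first, "tampered": tampered} {
		plain, err := s.SwapIn(b)
		fmt.Printf("%-8s -> %q err=%v\n", name, plain, err)
	}
}
```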

The performance of an SPU microprocessor 520 may not significantly impact the performance of the SPE 503 it supports if the processor is not responsible for moving data through the encrypt/decrypt engine 522.

VDE Secure Database 610

VDE 100 stores separately deliverable VDE elements in a secure (e.g., encrypted) database 610 distributed to each VDE electronic appliance 600. The database 610 in the preferred embodiment may store and/or manage three basic classes of VDE items:

- VDE objects,
- VDE process elements, and
- VDE data structures.

The following table lists examples of some of the VDE items stored in or managed by information stored in secure database 610:

Objects
  Content Objects                  Provide a container for content.
  Administrative Objects           Provide a container for information used to keep VDE 100 operating.
  Traveling Objects                Provide a container for content and control information.
  Smart Objects                    Provide a container for (user-specified) processes and data.
Process Elements
  Method Cores                     Provide a mechanism to relate events to control mechanisms and permissions.
  Load Modules ("LMs")             Executable code.
  Method Data Elements ("MDEs")    Independently deliverable data structures used to control/customize methods.
  Permissions Records ("PERCs")    Permissions to use objects; "blueprints" to build component assemblies.
Data Structures
  User Data Elements ("UDEs")      Basic data structure for storing information used in conjunction with load modules.
  Administrative Data Structures   Used by VDE node to maintain administrative

Each electronic appliance 600 may have an instance of a secure database 610 that securely maintains the VDE items. Figure 16 shows one example of a secure database 610. The secure database 610 shown in this example includes the following VDE-protected items:

- one or more PERCs 808;
- methods 1000 (including static and dynamic method "cores" 1000, and MDEs 1202);
- Static UDEs 1200a and Dynamic UDEs 1200b; and
- load modules 1100.

Secure database 610 may also include the following additional data structures used and maintained for administrative purposes:

- an "object registry" 450 that references an object storage 728 containing one or more VDE objects;
- name service records 452; and
- configuration records 454 (including site configuration records 456 and user configuration records 458).

Secure database 610 in the preferred embodiment does not include VDE objects 300, but rather references VDE objects stored, for example, on file system 687 and/or in a separate object repository 728. Nevertheless, an appropriate "starting point" for understanding VDE-protected information may be a discussion of VDE objects 300.

VDE Objects 300

VDE 100 provides a media independent container model for encapsulating content. Figure 17 shows an example of a "logical" structure or format 800 for an object 300 provided by the preferred embodiment.

The generalized "logical object" structure 800 shown in Figure 17 used by the preferred embodiment supports digital content delivery over any currently used media. "Logical object" in the preferred embodiment may refer collectively to: content; computer software and/or methods used to manipulate, record, and/or otherwise control use of said content; and permissions, limitations, administrative control information and/or requirements applicable to said content, and/or said computer software and/or methods. Logical objects may or may not be stored, and may or may not be present in, or accessible to, any given electronic appliance 600. The content portion of a logical object may be organized as information contained in, not contained in, or partially contained in one or more objects.

Briefly, the Figure 17 "logical object" structure 800 in the preferred embodiment includes a public header 802, private header 804, a "private body" 806 containing one or more methods 1000, permissions record(s) (PERC) 808 (which may include one or more key blocks 810), and one or more data blocks or areas 812. These elements may be "packaged" within a "container" 302. This generalized, logical object structure 800 is used in the preferred embodiment for different types of VDE objects 300 categorized by the type and location of their content.

The "container" concept is a convenient metaphor used to give a name to the collection of elements required to make use of content or to perform an administrative-type activity. Container 302 typically includes identifying information, control structures and content (e.g., a property or administrative data). The term "container" is often (e.g., Bento/OpenDoc and OLE) used to describe a collection of information stored on a computer system's secondary storage system(s) or accessible to a computer system over a communications network on a "server's" secondary storage system. The "container" 302 provided by the preferred embodiment is not so limited or restricted. In VDE 100, there is no requirement that this information is stored together, received at the same time, updated at the same time, used for only a single object, or be owned by the same entity. Rather, in VDE 100 the container concept is extended and generalized to include real-time content and/or online interactive content passed to an electronic appliance over a cable, by broadcast, or communicated by other electronic communication means.

Thus, the "complete" VDE container 302 or logical object structure 800 may not exist at the user's location (or any other location, for that matter) at any one time. The "logical object" may exist over a particular period of time (or periods of time), rather than all at once. T