THE TRANSACTIONS OF THE IEICE, Vol. E73, No. 7, July 1990, Tokyo, JP.

(Special issue on Cryptography and Information Security)

Superdistribution: The Concept and the Architecture

Ryoichi MORI† and Masaji KAWAHARA††, Members

SUMMARY  Superdistribution is an approach to distributing software in which software is made available freely and without restriction but is protected from modifications and modes of usage not authorized by its vendor. By eliminating the need of software vendors to protect their products against piracy through copy protection and similar measures, superdistribution promotes unrestricted distribution of software. The superdistribution architecture we have developed provides three principal functions: administrative arrangements for collecting accounting information on software usage and fees for software usage; an accounting process that records and accumulates usage charges, payments, and the allocation of usage charges among different software vendors; and a defense mechanism, utilizing digitally protected modules, that protects the system against interference with its proper operation. Superdistribution software is distributed over public channels in encrypted form. In order to participate in superdistribution, a computer must be equipped with an S-box, a digitally protected module containing microprocessors, RAM, ROM, and a real-time clock. The S-box preserves secret information such as a deciphering key and manages the proprietary aspects of the superdistribution system. A Software Usage Monitor ensures the integrity of the system and keeps track of accounting information. The S-box can be realized as a digitally protected module in the form of a three-dimensional integrated circuit.

1. Introduction

Superdistribution is an approach to distributing software in which software is made available freely and without restriction but is protected from modifications and modes of usage not authorized by its vendor. Superdistribution relies neither on law nor ethics to achieve these protections; instead it is achieved through a combination of electronic devices, software, and administrative arrangements whose global design we call the "Superdistribution Architecture". The concept was invented by Mori in 1983; it was first called the "Software Service System". Since 1987, work on superdistribution has been carried out by a committee of the Japan Electronics Industry Development Association (JEIDA), a non-profit industrywide organization. That committee is now known as the Superdistribution Technology Research Committee.

Manuscript received February 14, 1990.
Manuscript revised April 17, 1990.
† The author is with the Institute of Information Sciences and Electronics, University of Tsukuba, Tsukuba-shi, 305 Japan.
†† The author is with Master's Degree Program in Sciences and Engineering, University of Tsukuba, Tsukuba-shi, 305 Japan.

Superdistribution of software has the following novel combination of desirable properties:
(1) Software products are freely distributed without restriction. The user of a software product pays for using that product, not for possessing it.
(2) The vendor of a software product can set the terms and conditions of its use and the schedule of fees, if any, to be charged for its use.
(3) Software products can be executed by any user having the proper equipment, provided only that the user adheres to the conditions of use set by the vendor and pays the fees charged by the vendor.
(4) The proper operation of the superdistribution system, including the enforcement of the conditions set by the vendors, is ensured by tamper-resistant electronic devices such as digitally protected modules.

From a different viewpoint, the needs of users and the needs of vendors have until now been in irreconcilable conflict because the protective measures needed by vendors have been viewed by users as an intolerable burden. The superdistribution architecture provides a resolution to that conflict that serves the interests of both parties. Wide distribution benefits vendors because it increases usage of their products at little added cost and thus brings them more income. It benefits users because it makes more software available and the lower unit costs lead to lower prices. It also creates the possibilities of additional value-added services to be provided by the software industry. Moreover, users themselves become distributors of programs that they like, since with superdistribution there is absolutely nothing wrong with giving a copy of a program to a friend or colleague.
It might seem at first that publicly distributed software such as freeware and shareware already solves the problem addressed by superdistribution. But the likelihood of the authors being paid is too small for public domain software to play a leading role in the software industry. Superdistribution software is much like public domain software for which physical measures are used to ensure that the software producer is fairly compensated and that the software is protected against modification. While public domain software might achieve the aims of superdistribution in an idealized world where all users paid for software voluntarily and none of them abused it, we see little hope that such an idealized world will ever come to exist.

Petitioner Apple Inc. - Exhibit 1032, p. 1

Table 1  Levels of software protection technology (highest level first).

  superdistribution
      SdA (Superdistribution Architecture): 1983 R. Mori (University of Tsukuba)
  execution privileges
      "Right-To-Execute": ABYSS (A Basic Yorktown Security System), 1987 S.R. White (IBM)
  customizing software with a computer ID
      customizing deciphering key (software is common); customizing each copy of the software:
      1986 A. Herzberg, PPS (Public Protection of Software); 1984 D.J. Albert (enciphering and key management); 1982 G.B. Purdy, SPS (Software Protection Scheme)
  hardware protection
      controlling execution: hardware key, e.g. ADAPSO Key-tin
      inhibiting duplication: copy protection, noncompatible ROM
  no physical protection
      laws & ethics

Table 1 describes a hierarchy of levels of software protection. The previous work most similar to superdistribution is the ABYSS architecture developed by White, Comerford, and Weingart at the IBM Thomas J. Watson Research Center in Yorktown Heights, New York. ABYSS is based on the notion of a use-once authorization mechanism called a "token" that provides the "right to execute" a software product. All or part of the software product is executed within a protected processor, and is distributed in encrypted form. Physical security for an ABYSS processor is provided by a dense cocoon of wires whose resistance is constantly monitored by the processor. A change in resistance indicates a likely attempt to penetrate the system. The chief difference between superdistribution and the ABYSS scheme is that superdistribution does not require the physical distribution of tokens or anything else to users of a software product. In other words, ABYSS requires that software be paid for in advance while superdistribution does not.

2. The Superdistribution Architecture

The superdistribution architecture we have developed provides three principal functions:
(1) Administrative arrangements for collecting accounting information on software usage and fees for software usage.
(2) An accounting process that records and accumulates usage charges, payments, and the allocation of usage charges among different software vendors.
(3) A defense mechanism, utilizing digitally protected modules, that protects the system against interference with its proper operation.

In order to participate in superdistribution, a computer must be equipped with a device known as an S-box (Superdistribution Box)†. An S-box is a protected module containing microprocessors, RAM, ROM, and a real-time clock. It preserves secret information such as a deciphering key and manages the proprietary aspects of a superdistribution system. An S-box can be installed on nearly any computer, although it must be specialized to the computer's CPU type. It is also possible to integrate the S-box directly into the design of a computer. We call a computer equipped with an S-box an S-computer.

Programs designed for use with superdistribution are known as S-programs. They can be distributed freely since they are maintained in an encrypted form.

In order to make it acceptable to users, software vendors, and hardware manufacturers, the superdistribution architecture has been designed to satisfy the following requirements:
(1) The presence of the S-box must not prevent the host computer from executing software not designed for the S-box. The presence of the S-box must be invisible while such software is active.
(2) The modifications needed to install an S-box in an existing computer must be simple and inexpensive.
(3) The initial investment required to make S-programs generally available must be small.
(4) The execution speed of an S-program must not suffer a noticeable performance penalty in comparison with an ordinary program.
(5) The S-box and its supporting protocols must be unobtrusive both to users and to programmers.
(6) The S-box must be compatible with multiprogramming environments, since we anticipate that such environments will become very common in personal computers.

In our current design a program can be written without considering the S-box, but the program must be explicitly encrypted before it is distributed if it is to gain the protections of superdistribution. This encryption can be done by a programmer, using the S-box itself.

† The S-box is unrelated to the S-boxes used in the Data Encryption Standard.

The design of a superdistribution architecture can be decomposed into four tasks:
(1) Design of the superdistribution network.
(2) Logical design of the S-box and its interfaces.
(3) Design of the supporting software and file structures, including appropriate cryptographic protocols and techniques.
(4) Design of the protection for the S-box.
Technology for accomplishing each of these tasks is now nearly within the state of the art. In the rest of this paper we describe our approach to these tasks. We have already designed and constructed two prototype S-computers with their supporting software. Prototype II, the version we are now working with, satisfies the six requirements stated above.

3. Design of the Superdistribution Network

The technical innovations that we describe here are best understood in the context of a network that provides superdistribution of S-programs and the files needed in a user's computer in order to support the use of the superdistribution services. We emphasize, however, that distributing the S-software itself is not a function of the network since a user can obtain that software by any convenient means: from a bulletin board, making a copy of a friend's program, or perhaps purchasing a collection of S-programs at a nominal price. S-programs are stored and transmitted in encrypted form, so the transmission paths need not be protected in any way.

Figure 1 illustrates a typical software distribution system that utilizes the superdistribution architecture. Each S-computer (that is, an end-user computer supporting superdistribution) is equipped with an S-box. The S-box contains a metering program, the Software Usage Monitor (SUM), that enforces the terms set by each software vendor for executing that vendor's products and keeps track of how much the user owes to each vendor. The S-box generates a payment file that contains this information. The fees charged for software usage are measured in units that we call S-credits. Payment files are encrypted and transmitted to the collection agency through the network as shown in the figure.

The collection agencies receive the payment files from users, process those files, and transmit payments to vendors, both the authors of the S-programs and the manufacturers of the S-boxes. Each collection agency has an S-box in its computer. The payment files are decrypted and processed under control of this S-box so as to ensure the integrity of payments to the vendors of S-programs and of the supporting hardware as well.

The clearinghouse keeps track of funds transfers engendered by superdistribution. The clearinghouse can be either a new organization or an existing one, e.g. a credit card company, that is prepared to provide the necessary services. The advantage of creating a new organization is that it provides additional degrees of freedom in the systems design. The disadvantage is that it requires a large initial investment. Using an existing organization as the clearinghouse not only saves that investment but also gives that organization the opportunity to enlarge its market.
Identification numbers (ID's) are essential to this arrangement. Each S-box, each software vendor, each S-box manufacturer, and each collection agency has a unique ID. In addition, users can also have ID's, either as individuals or as organizations. The ID of a user is usually in a different name space than the ID of that user's machine. User ID's provide a convenient mechanism for establishing credit, since they are associated with the individual or organization who is actually paying for the software. (An organization or even an individual may have more than one machine.) On the other hand, a software distribution system based purely on S-box ID's can provide a high degree of privacy for users.

Fig. 1  Example of software distribution system utilizing the superdistribution architecture. (Figure not reproduced; its labels: user, S-computer executing S-software, acquisition of S-software from neighbors and from distribution media (network, broadcasting, CD-ROM, sales outlets), payment files sent over the network, credit limit, financier, payments to software maker and hardware maker.)

3.1 Usage of the S-box

Suppose that I am interested in using some S-programs. I obtain an S-box from an agent either in person or by mail. My agreement with the agent includes a credit authorization or a prepayment of, say, $100. I can now use up to $100 worth of S-programs. When I obtain the S-box, I can also obtain a memory card for it. The memory card is used to record accounting information that describes my usage of S-programs as well as the balance in my account.

To renew my usage, I must communicate the accounting information to the agent. I can do this either by establishing modem communication with the agent or by physically presenting the memory card (if I have one) to the agent. Suppose I use a modem. Then I transmit a message specifying my usage to date of each S-program that I have run. This message is generated by the S-box and enciphered so that it cannot be tampered with by anyone. The agent charges my credit card account for that usage and credits the vendors of the software that I have used. He then transmits back to me an enciphered message that resets my authorization to $100.

On the other hand, suppose that I physically present the memory card either in person or by mail. I can either have it renewed on the spot or (if I choose to mail it in) can have a second card sent to me in advance so that I am never without a card.

Requiring prepayment for software usage avoids any risk of default, but such a requirement is unattractive to users and negates the social benefits that we hope to see provided through superdistribution. It is easy to understand why this should be so if we consider how people would react to being required to pay for all their water and electricity in advance.

The superdistribution scheme does not provide any absolute guarantee that users will pay what they owe, or even that they will return the necessary payment files to the collection agents. However, the S-box, which contains a real-time clock, will suspend its services (other than transmitting payment files) if the conditions, which are specified by the vendor or the system, are not met. Transmission can be either over a telecommunication link or with a memory card. In the event that a user transmits the payment files but does not remit the corresponding payment, a collection agent can apply appropriate sanctions.

Superdistribution does not rely on the honesty or goodwill of the manufacturer of the S-box. It is even possible to protect software designed for the S-box against attacks perpetrated by the manufacturer of the S-box. However, the methods of providing such protection are beyond the scope of this paper.

To join the system, a user need only insert an S-box, most likely in the form of a coprocessor chip, into his or her own personal computer. A collection agency can join the system in the same way. The collection agency needs a slightly different form of S-box, one that contains the software for decoding and processing the payment files. Processing at and between the collection agencies and the clearinghouse can be conveniently handled by a Credit Authorization Terminal (CAT) very similar to the ones now in use in many retail establishments.

3.2 Customer Support and Manuals in Superdistribution

Superdistribution can also be helpful in conjunction with forms of support for users of S-programs that are not yet provided electronically.

Superdistribution changes the environment for telephone support. First, superdistribution eliminates the need to discriminate between illicit and authorized users, because the incidence of illicit usage can be kept reasonably low. Second, superdistribution provides a way of charging for telephone support fairly. An S-program can generate a code number, with internal checking, and charge the user for that code number. The user then calls the vendor, asks his questions, and provides the code number. The vendor validates the code number.

Superdistributed software can be supported by hypertext and other forms of electronic documentation, but such documentation is still unlikely to replace printed manuals entirely. Currently, manuals serve both to educate the user and to provide an additional safeguard for the vendor against piracy (since a user can't buy the manuals separately from the software). With superdistribution, the safeguarding function is unnecessary and paper manuals can be sold as freely as books. In particular, a user can obtain several copies of the printed manuals if he wishes, and can even purchase the manuals without purchasing the software at all. Similar remarks apply to manuals distributed on CD-ROMs, which could be used to generate customized versions of the printed manual for particular configurations of the software, the hardware, or other aspects of the working environment.

4. Design of the S-box and Its Interfaces

The function of the S-box is to execute the Software Usage Monitor in a secure way. The S-box also contains the cryptographic keys that ensure the integrity of the system. These keys are kept secret by storing them within a digitally protected module (see Sect. 6).

An S-box can be added to an existing computer in any of several ways:
(1) Attaching it to an I/O port.
(2) Connecting it to the bus.
(3) Placing it between the CPU and the bus.
(4) Placing it on the same chip as the CPU or inside the CPU.
Methods (1) and (2) require no modification to the computer; our Prototype I used method (1). This method has the disadvantage that it introduces significant overhead in a multiprogramming environment. Method (4), though more difficult to implement initially, offers the best performance and the lowest cost. Because methods (3) and (4) require modifying the computer, we chose to use method (2), connection to the bus, for Prototype II. This connection is best realized by making the S-box a coprocessor and using an existing coprocessor socket. Our current implementation uses a second computer connected to the coprocessor socket of the first one; our goal is to fabricate the S-box as a single chip that can be placed in that coprocessor socket. We are using an MC68020-based computer because of its compatibility with other equipment in our laboratory, but adapting the design to other types of processors is not difficult.
All the protection needed to ensure the integrity of the payment files and of the software is concentrated in the S-box. There is no need to protect any of the communication paths shown in Fig. 2. The signals sent over the communication paths are all encrypted, so dedicated networks are not necessary to ensure the security of the system. Any public network can be used, and the added cost of a dedicated network can be avoided. In fact, since the communications links need not be kept constantly active, the system is even suitable for use with portable personal computers.

The S-box provides a limited form of protection against viruses, in that programs that are specifically designed to work with the S-box cannot be modified at the user's computer and so cannot be disabled or otherwise taken over by a virus. However, the S-box does not protect against programs, distributed through superdistribution or otherwise, whose effect is on parts of the system unrelated to the S-box.

Fig. 2  No protection of communication paths results in better performance/cost. (Figure not reproduced; it contrasts a safe communication path that is still unsafe at both ends with safe communication over an unsafe communication path, obtained by concentrating the protecting functions into the ends.)

Some of the functions called for may appear to be expensive, in particular the ability to provide the necessary physical protection and to erase the cryptographic keys recorded in the S-box in the event of an attack. However, these functions can be achieved at reasonable cost if the S-box is mass-produced as a single IC chip (or a small group of such chips).

The workings of the S-box, which we describe below, depend on the existence of cryptographic keys within the S-box. A potential problem could arise were the equipment manufacturing the S-box to be disabled and the values of the keys to be lost. This problem can be solved, although it requires the use of a different kind of protected module.

We have considered but rejected the idea of using simpler memory cards, similar to the farecards used in some transit systems, that would merely record an account balance. There are two problems with such cards. First, separate mechanisms would still be needed to record and transmit the accounting information described above. Second, the devices generally available for reading and writing such cards are insufficiently secure. A cheater could obtain such a device and modify the data on the card without using the S-box at all.

4.1 The Software Usage Monitor

The Software Usage Monitor is executed in the S-box. It performs the following functions:
(1) It monitors the execution of an S-program in order to make sure that it is only executed in the manner intended by its vendor.
(2) It encrypts and decrypts S-programs and other necessary information.
(3) It maintains an account of the charges associated with the execution of an S-program.
An S-program can issue instructions to the Software Usage Monitor. These instructions are realized as extended instructions of the CPU.

In Prototype II we have implemented the Software Usage Monitor through an emulation of the coprocessor functions. We have used an MC68020 board fitted with an MC68881 coprocessor socket, connecting a second computer (the emulator) to that socket through an interface circuit as shown in Fig. 3. The current implementation does not provide for multiprogramming because the Apple Macintosh we are using, to which an MC68020 board is plugged in, does not yet have that capability.

Further limitations on Prototype II are that it does not provide encryption and that it is not encapsulated as a digitally protected module. We consider those limitations acceptable because the purpose of our experiments at this stage is to validate the execution control and charge control functions of the Software Usage Monitor.

4.2 Architecture of Prototype II

Figure 4 shows a conceptual diagram of the architecture of Prototype II.
• The MC68020 processor executes the S-program and communicates with the coprocessor. The coprocessor ensures the legitimacy of the execution.
• The interface section communicates with the MC68020 according to the standard MC68020 coprocessor protocol.
• The processing section interprets and executes the coprocessor commands issued by the MC68020.
• The execution control section monitors the execution of the S-program.
• The accounting buffer contains pricing information for each currently executing S-program as well as accumulated usage information. The pricing information in the accounting buffer is a subset of the information in the tariff section of an S-program (see Sect. 5.1).
• The payment file contains a record of payments.
• The charge control section updates the S-credit balance, utilizing the information in the accounting buffer and the payment file. It also keeps a record of access violations and halts execution of the S-program if the number of violations exceeds some threshold. (Our experience suggests that access violations occasionally happen by accident, so this threshold should be nonzero.) The charge control section also implements functions required to support the user utility program.
• The cryptography section performs three functions:
(1) It decrypts the information in the tariff section of the S-program and enters that information into the accounting buffer. It does this as part of the process of loading an S-program into the S-box. Either public-key or secret-key cryptosystem methods can be used.
(2) It decrypts the encrypted portions of the S-program itself, using in this case a high-speed conventional cryptosystem.
(3) It encrypts arbitrary programs upon request. This facility is necessary so that a programmer can create new S-programs without outside assistance. In particular, no assistance is needed from the manufacturer of the S-box.

Fig. 4  Conceptual diagram of Prototype II. (Figure not reproduced; blocks: MC68020, interface section, execution control section, charge control, accounting buffer, with the coprocessor physically protected by a DPM.)

Fig. 5  Structure of S-program. (Figure not reproduced; tariff section: (1) Software ID, (2) Access Control Key, (3) Encrypting Key, (4) Charging Interval, (5) Service Pricing Schedule, (6) Size of Free Memory Space; followed by the body of the application program.)

5. Design of the Supporting Software and File Structures

5.1 Structure of an S-Program

The structure of an S-program as implemented in Prototype II is shown in Fig. 5. The pricing information for an S-program is contained in its tariff section. When execution of the S-program is initiated, the coprocessor verifies the information in the tariff section and copies the pricing information into the accounting buffer of the S-box. A verification routine, described below, is embedded in the body of the S-program. Execution is aborted if the verification routine detects any inconsistency in the tariff section.

The tariff section includes the following:
(1) Software ID: an identifier unique to the S-program.
(2) Access control key: a key used by the authentication routine in the S-program body. This key is checked by the coprocessor.
(3) Encrypting key: a key used to encrypt the machine instructions in the body of the S-program. An encrypted block of instructions is transferred to the coprocessor, where it is decrypted using this key and then executed.
(4) Charging interval: the length of execution time for which a single S-credit is charged to the user.
(5) Service pricing schedule: the number of S-credits charged to the user each time a particular software service, e.g. saving a file, has been rendered and successfully completed.
(6) The amount of memory required within the coprocessor for executing the S-program.
Note that items (4) and (5), which together constitute the pricing information, allow for two styles of charging: per unit of time (by setting (5) to zero) or per execution (by setting (4) to zero). Combinations of the two styles are also possible.

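As an added example that is not code from the paper or from Prototype II, the following Python model works through the two charging styles just described: a tariff's charging interval and service pricing schedule are copied into an accounting buffer, S-credits are deducted per completed interval and per successfully completed service, a payment-file record is written at termination, and the S-box suspends service once the balance is exhausted. All class and function names and the constructed scenario in demo() are assumptions of this example.

```python
"""S-box charge control driven by an S-program's tariff section.

Added example; not code from the paper or from Prototype II. It models the
accounting of Sects. 4.2 and 5.1: the charging interval (tariff item 4) and
service pricing schedule (item 5) are copied into an accounting buffer,
S-credits are deducted per completed interval and per completed service, and
the S-box suspends service when the balance is exhausted (Sect. 3.1). Class
and function names, and the constructed scenario in demo(), are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Tariff:
    """Pricing items of a tariff section (Fig. 5, items 1, 4 and 5)."""
    software_id: str
    charging_interval: float        # seconds per S-credit; 0 = no time charge
    service_prices: Dict[str, int]  # S-credits per completed service

    def validate(self) -> None:
        """Reject inconsistencies the paper's verification step would catch."""
        if self.charging_interval < 0 or any(p < 0 for p in self.service_prices.values()):
            raise ValueError("negative price in tariff")
        if self.charging_interval == 0 and not any(self.service_prices.values()):
            raise ValueError("tariff charges neither per time nor per service")


@dataclass
class AccountingBuffer:
    """Per-program state held in the S-box while the S-program runs."""
    tariff: Tariff
    started_at: float
    intervals_billed: int = 0       # whole charging intervals already deducted
    credits_used: int = 0


class ChargeControl:
    """Deducts S-credits from the user's balance and writes the payment file."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self.running: Dict[str, AccountingBuffer] = {}
        self.payment_file: List[dict] = []
        self.suspended = False

    def _deduct(self, buf: AccountingBuffer, credits: int) -> None:
        if credits <= 0:
            return
        if credits > self.balance:
            # Conditions no longer met: the S-box suspends its services.
            credits = self.balance
            self.suspended = True
        self.balance -= credits
        buf.credits_used += credits

    def load(self, tariff: Tariff, now: float) -> None:
        """Initialization: verified pricing information enters the buffer."""
        tariff.validate()
        self.running[tariff.software_id] = AccountingBuffer(tariff, now)

    def tick(self, software_id: str, now: float) -> None:
        """Periodic deduction: one S-credit per completed charging interval."""
        buf = self.running[software_id]
        if buf.tariff.charging_interval == 0:
            return
        elapsed = int((now - buf.started_at) // buf.tariff.charging_interval)
        self._deduct(buf, elapsed - buf.intervals_billed)
        buf.intervals_billed = elapsed

    def service_completed(self, software_id: str, service: str) -> None:
        """Per-execution charge, applied only once the service has succeeded."""
        buf = self.running[software_id]
        self._deduct(buf, buf.tariff.service_prices.get(service, 0))

    def terminate(self, software_id: str, now: float) -> dict:
        """Termination: final tick, then a payment-file record for the run."""
        self.tick(software_id, now)
        buf = self.running.pop(software_id)
        record = {"software_id": software_id, "credits": buf.credits_used, "ended_at": now}
        self.payment_file.append(record)
        return record


def demo() -> dict:
    """Constructed scenario: a mixed time/service tariff against 100 S-credits."""
    cc = ChargeControl(balance=100)
    editor = Tariff("ED-0001", charging_interval=60.0, service_prices={"save": 2})
    cc.load(editor, now=0.0)
    cc.tick("ED-0001", now=125.0)                # two full minutes: 2 credits
    cc.service_completed("ED-0001", "save")      # priced service: 2 credits
    cc.service_completed("ED-0001", "print")     # unpriced service: 0 credits
    record = cc.terminate("ED-0001", now=185.0)  # third minute completed: 1 credit
    return {"record": record, "balance": cc.balance, "suspended": cc.suspended}


if __name__ == "__main__":
    print(demo())
```

Setting charging_interval to 0 gives the pure per-execution style and an empty service_prices the pure per-time style; validate() rejects a tariff that charges nothing at all.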
5.2 Execution of an S-Program

Execution of an S-program is monitored by the program and the coprocessor working together. The coprocessor halts execution whenever it detects a protocol violation. For proper protection, the S-software must be structured so that analysis of it by an intruder is not possible. Some methods of achieving this are:
(1) The coprocessor receives a number from the S-software and compares it with an encrypted value, returning the result of the comparison.
(2) The coprocessor receives data from the S-software and returns a jump address.
(3) The coprocessor verifies that a particular message is sent by the S-software within a prescribed period.
(4) The coprocessor receives a block of encrypted MC68020 instructions and executes them, placing the results of the execution in the registers and/or the memory of the MC68020.
These methods can be used individually or in combination.

The sequence of events that takes place as an item of S-software is executed is as follows:
• Initialization. The pricing information is sent to the coprocessor by the initialization routine when execution of the S-software commences. This can be done using general purpose coprocessor instructions. S-credits are then decreased periodically until execution of the S-software is terminated.
• Execution. The check routine in the software body is executed, and execution of the software is aborted if the prescribed protocol is not satisfied. Methods (1)-(3) of execution control as described above have been implemented. The implementation techniques are as follows:
  - For (1), the software ID, the access control key, and a random number are sent to the coprocessor. The random number can be encrypted, although we have not yet done this. The result of comparing the random number with a known value is then returned to the processor.
  - For (2), we transfer a jump address table to the coprocessor during initialization. This table can subsequently be referenced by the S-software. The coprocessor then returns the appropriate jump address.
  - For (3), the access control key, the range of acceptable response times, and a random number are sent to the coprocessor. The range is represented as a lower limit and an upper limit. The coprocessor then checks that the time of the next message is within the limits. If it is not, the coprocessor aborts execution of the S-software by interrupting the main processor.
• Termination. The coprocessor is informed when the S-software has completed execution. This can be implemented using general purpose coprocessor instructions. At this time the payment file is updated to account for the usage.

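The three implemented methods and the timing check described above, as an added Python model that is not code from the paper or Prototype II: the coprocessor compares the software ID, access control key and random number (method (1)), serves a jump-address table loaded at initialization (method (2)), and aborts when the next message falls outside the prescribed window (method (3)). The keyed-hash response for method (1), the explicit clock, and all names are assumptions of this example.

```python
"""Coprocessor side of the execution-control protocol of Sect. 5.2.

Added example; not code from the paper or from Prototype II. It implements
the three methods the paper reports as implemented: (1) comparison of the
software ID, access control key and a random number, (2) a jump-address table
loaded at initialization, and (3) a window within which the next message must
arrive. Time is passed in explicitly so runs are reproducible. The keyed-hash
response for method (1) and all names are assumptions of this example.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple


class ProtocolViolation(Exception):
    """Raised where the real coprocessor would interrupt the main processor."""


class Coprocessor:
    def __init__(self, software_id: str, access_control_key: bytes) -> None:
        # Taken from the tariff section once the coprocessor has verified it.
        self.software_id = software_id
        self.key = access_control_key
        self.jump_table: Dict[int, int] = {}
        self.window: Optional[Tuple[float, float]] = None  # absolute (lower, upper)
        self.halted = False

    def _halt(self, reason: str) -> None:
        self.halted = True
        raise ProtocolViolation(reason)

    # Method (1): compare what the S-software sends with the stored values.
    def check_value(self, software_id: str, key: bytes, nonce: bytes) -> bytes:
        if self.halted:
            self._halt("execution already halted")
        if software_id != self.software_id or not hmac.compare_digest(key, self.key):
            self._halt("software ID or access control key mismatch")
        # Assumed: the result returned is a keyed hash of the random number,
        # which the S-software compares against its own expectation.
        return hmac.new(self.key, nonce, hashlib.sha256).digest()

    # Method (2): table transferred at initialization, referenced later.
    def load_jump_table(self, table: Dict[int, int]) -> None:
        self.jump_table = dict(table)

    def jump_address(self, index: int) -> int:
        if index not in self.jump_table:
            self._halt(f"no jump address for index {index}")
        return self.jump_table[index]

    # Method (3): arm a window; the next message must land inside it.
    def arm_window(self, key: bytes, lower: float, upper: float, now: float) -> None:
        if not hmac.compare_digest(key, self.key) or lower > upper:
            self._halt("invalid timing request")
        self.window = (now + lower, now + upper)

    def message(self, now: float) -> None:
        if self.window is None:
            return                      # nothing armed: ordinary message
        lo, hi = self.window
        self.window = None
        if not (lo <= now <= hi):
            self._halt(f"message at {now} outside window [{lo}, {hi}]")


def run_check_routine(cop: Coprocessor, software_id: str, key: bytes,
                      response_delay: float) -> str:
    """Simulated check routine of an S-program body using methods (1)-(3).

    response_delay is the constructed time between arming the window and the
    follow-up message; the window used here is [1.0, 5.0] time units.
    """
    nonce = b"\x10\x32\x54\x76"          # constructed random number
    try:
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if cop.check_value(software_id, key, nonce) != expected:
            return "aborted: bad comparison result"
        cop.load_jump_table({0: 0x1000, 1: 0x1040})
        target = cop.jump_address(1)
        cop.arm_window(key, lower=1.0, upper=5.0, now=100.0)
        cop.message(now=100.0 + response_delay)
        return f"ok: continue at {target:#06x}"
    except ProtocolViolation as exc:
        return f"aborted: {exc}"


if __name__ == "__main__":
    key = b"constructed-access-control-key"
    print(run_check_routine(Coprocessor("ED-0001", key), "ED-0001", key, 2.5))
    print(run_check_routine(Coprocessor("ED-0001", key), "ED-0001", key, 9.0))
```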
5.3 Supporting Files

The payment file keeps track of S-credits that are owed as the result of software usage. Each record in