throbber
United States Patent [191
`Auerbach et al.
`
`1
`
`‘
`
`US005673316A
`
`‘
`
`1
`
`[11] Patent Number:
`[45] Date of Patent:
`
`5,673,316
`Sep. 30, 1997
`
`[54]
`
`CREATION AND DISTRIBUTION OF
`CRYP’I‘OGRAPHIC ENVELOPE
`
`9/1996 Ross et a1. .............................. .. 380/25
`5,553,143
`5,586,186 121996 Yuval et a1. .............................. .. 380/4
`
`[75]
`
`Inventors: Joshua Seth Auerbach. Ridge?eld.
`Conn.; Chee-Seng Chow. Cupertino,
`Calif.; Marc Adam Kaplan. Katonah,
`N.Y.; Je?'rey Charles Crigler. McLean,
`Va.
`
`[73]
`
`Assignee: Intemational Business Machines
`Corporation. Armonk, NY.
`
`[21]
`[22]
`[5 1]
`[52]
`[5 3]
`
`[56]
`
`Appl. No.: 625,475
`Filed:
`Mar. 29, 1996
`
`Int. CT.6 ...................................................... .. H04L 9/00
`US. Cl. ..... ..
`380/4; 380/25
`Field of Search ............................. .. 380/3, 4, 23, 24,
`380/25, 28. 49
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`
`6/1994
`5,319,705
`5,394,469 2/1995
`5,416,840
`5/1995
`5,428,685
`6/1995
`5,490,216
`2/1996
`5,509,070
`4/1996
`5,530,752
`6/1996
`
`Primary Examiner-David C. Cain
`Attorney, Agent, or Firm—Douglas W. Cameron
`[57]
`ABSTRACT
`
`A method and apparatus to create, distribute. sell and control
`access to digital documents using secure cryptographic
`envelopes. An envelope is an aggregation of information
`parts. where each of the parts to be protected are encrypted
`with a corresponding part encryption key. These encrypted
`information parts along with the other information parts
`become part of the envelope. Each part encryption key is
`also encrypted with a public key. and these encrypted part
`encryption keys are also included in the envelope. The
`envelope also includes a list of parts where each entry in the
`list has a part name and a secure hash of the named part. The
`list is then signed with a secret key to generate a signature.
`which is also included in the envelope. The signature can be
`veri?ed using a second public key associated with ?rst secret
`key. and the integrity of any information part in the envelope
`can be checked by computing a second hash and comparing
`it with the corresponding hash in the list of parts. Also, the
`information content of any encrypted part can only be
`recovered by knowledge of a second secret key correspond
`ing to the public key that was used to encrypt the part
`encryption keys.
`
`8 Claims, 6 Drawing Sheets
`
`CLEAR TEXT "TEASER"
`
`201
`
`/-205
`
`ENCRYPTED DOCUMENT PART
`
`204
`
`ENCRYPTED CONTROL PART
`
`v205
`ENcRYPTEO FINGERPRlNTlNG &
`WATERMARKING INSTRUCTIONS
`/206
`TERMS AND CONDITIONS
`
`-202
`
`ENcRYPTEO
`PEK
`
`//21O
`ENCRYPTED
`PEK
`
`/zn
`ENcRYPTEO
`PEK
`
`F _______ __
`
`_ _ _ _ _ _ _ _ __ C227.
`
`I
`
`:
`,
`l
`:
`I
`{
`l
`l
`I
`l
`
`LIST OF PARTS
`(PART NAME & SECURE HASHES)
`
`209'
`
`SiGNATURE ON LIST OF PARTS
`
`80M
`
`\\
`2
`08
`
`:
`l
`l
`|
`I
`l
`:
`l
`l
`l
`|
`
`h _ _ _ _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ____|
`
`22°
`
`Petitioner Apple Inc. - Exhibit 1013, p. 1
`
`

`
`US. Patent
`
`Sep.30, 1997
`
`Sheet 1 of 6
`
`5,673,316
`
`/102
`
`BS
`(BUY
`SERVER)
`
`STEP 4
`
`103
`
`CRYPTOLOPE
`
`0s
`(DOCUMENT
`SERVER)
`
`USER PC
`
`STEP 5
`
`DFWM
`SECURITY
`BOUNDARY
`
`FIG. 1
`
`Petitioner Apple Inc. - Exhibit 1013, p. 2
`
`

`
`US. Patent
`
`Sep. 30, 1997
`
`Sheet 2 of 6
`
`5,673,316
`
`CLEAR TEXT "TEASER’
`
`201
`
`K203
`
`ENCRYPTED DocUMENT PART
`
`/ 202
`ENCRYPTED
`PEK
`
`ENCRYPTED CONTROL PART
`
`CRYPTED
`EN PEK
`
`205
`
`21 1
`
`ENCRYPTED FINGERPRINTING &
`WATERMARKING INSTRUCTIONS
`
`ENCRYPTED
`PEI<
`
`20s
`
`TERMS AND CONDITIONS
`
`209
`
`l
`:
`I
`|
`l
`I
`l
`:
`I
`'
`l L
`
`SIGNATURE 0N LIST OF PARTS
`
`________________________ "5291
`l
`LIST OF PARTS
`}
`(PART NAME & SECURE HASHES)
`I
`.
`l
`l
`I
`l
`}
`l
`l
`J
`
`BOM
`
`22.0
`
`208
`
`Petitioner Apple Inc. - Exhibit 1013, p. 3
`
`

`
`US. Patent
`
`Sep. 30, 1997
`
`Sheet 3 0f 6
`
`5,673,316
`
`BOM
`
`LIST OF PARTS
`
`207 /
`
`/209
`
`PART NAME
`
`MD5 OF PART
`
`302
`
`A ABSTRACT
`
`13ABDF77F...~
`
`501
`
`ENCRYPTED DOC
`PART 1
`
`24FDEC234...
`
`ENCRYPTED PEK 3
`
`A56FFE67...
`
`TERMS & CONDTIONS
`
`13FCD457...
`
`SIGNATURE ON LTST OF PARTS
`
`DOCUMENT SERVER’S SECRET KEY
`ENCRYPTION OF MDS OF LIST OF PARTS
`\
`\ZOB
`
`FIGS
`
`Petitioner Apple Inc. - Exhibit 1013, p. 4
`
`

`
`U.S. Patent
`
`Sep. 30, 1997
`
`Sheet 4 of 6
`
`5,673,316
`
`232:4:
`
`Emaommzm
`
`i|l!!ll‘|‘||||'I‘li'||'i
`
`rs|IIII1IIIIIi||li|IiIiIIIIII._
`:8I?.._omoi;+.._+:8ozm.._oEitaooHm;lo8_Eu$a8:.._om__o_E32_mos:Eaooma5m5_:%.§2_z_zxH._o_~_n_EfizooE:.._om_o_E__8.$u5_E5:
`
`
`
`
`
`
`
`
`
`
`
`|_
`
`Petitioner Apple Inc. - Exhibit 1013, p. 5
`
`Petitioner Apple Inc. - Exhibit 1013, p. 5
`
`

`
`US. Patent
`
`Sep. 30, 1997
`
`Sheet 5 of6
`
`5,673,316
`
`LIST OF ARTICLES TO BUY
`
`LAP-501 '
`
`USER CREOENTIALS AND USER
`AUTHENTICATION RELATED INFO
`
`202
`
`/_502
`I
`
`SOS
`
`ENCRYPTEO
`PEK
`
`ENVIRONMENTAL
`VARIABLES
`
`DFWM
`PUBLIC KEY \BOA
`
`/205
`ENCRYTEO FINGERPRINTING AND
`WATERMARKING INSTRUCTIONS
`
`ENCRYPTEO fen
`PEK
`
`TERMS AND CONDITIONS
`
`/'206
`
`I'- — — _ _ _ * _ * _ _ _ _ _ _ _I
`
`|
`I
`1
`:
`L
`
`LIST OF PARTS
`(PART NAME & SECURE HASHES)
`
`SIGNATURE ON LIST OF PARTS
`BOM
`
`209
`/|/
`P207
`I
`208
`T
`_|
`
`AUTHENTICATION & INTEGRITY CHECKINGS
`
`/"'505
`
`BUY REQUEST MESSAGE (BRM)
`
`500
`
`Petitioner Apple Inc. - Exhibit 1013, p. 6
`
`

`
`U.S. Patent
`
`Sep. 30, 1997
`
`Sheet 6 of 6
`
`5,673,316
`
`601
`
`600
`
`ACTUAL PURCHASE PRICE
`
`602
`
`603
`
`TRANSLATED PEK ———
`DECRYPTED, RE-ENCRYPTED
`AT BS
`
`TRANSLATED PEK -———
`DECRYPTED, RE-ENCRYPTED
`AT 55
`
`ECRYPTED CUSTOMIZED FINGERPRINTING
`AND WATERMARKING INSTRUCTIONS-""
`DECRYPTED,CUSTOMIZED,RE-ENCRYPTED AT BS
`
`604
`
`TRANSFORMED TERMS AND CONDITIONS
`-——-— EVALUATED AT BS
`
`605
`
`AUTHENTICATION & INTEGRITY RELATED CHECKS
`
`BUY SERVER RESPONCE (BSR)
`
`\
`
`FIG.6
`
`606
`
`Petitioner Apple Inc. - Exhibit 1013, p. 7
`
`

`
`5,673,316
`
`1
`CREATION AND DISTRIBUTION OF
`CRYPTOGRAPHIC ENVELOPE
`TECHNICAL FIELD
`This invention describes a method for the creation.
`distribution. and sale and for the controlled access of digital
`documents using the methods and techniques of secure
`cryptographic envelopes.
`BACKGROUND OF THE INVENTION
`Digital documents have numerous advantages over paper
`based. analog documents. They are easier to create.
`distribute. and duplicate. However, these advantages also
`make it di?icult to protect their associated intellectual rights
`from infringements. Nevertheless. digital documents will
`replace paper-based documents as a vehicle for the distri
`bution and sale of information in the future.
`(ID-Showcase (US. Pat. No. 5.319.705)
`An important distinction between our work and the
`CD-showcase patent [2] is that in our invention the part
`encryption key is carried in the cryptographic envelope and
`is encrypted under a public key. Whereas in CD-Showcase.
`the distributed data only contains an identi?er of the encryp
`tion key. The encryption key is stored at a server and is
`retrieved upon the presentation of the key identi?er.
`Thus. with the CD-showcase patent. it is necessary to
`maintain a key database at the server necessitating a measure
`of trust between a buy server and a document server.
`PGP (Pretty Good Privacy) PGP [3] is a public-key based
`system for sending secure e-mail. The body of the e-mail is
`encrypted using an lDEA algorithm (see. e.g.. [1]). and the
`encryption key is encrypted using the public key of the
`intended recipient. Both the encrypted e-mail text and the
`encrypted encryption key are sent. The recipient uses his
`secret key to recover the encryption key, which is then used
`to recover the plain text
`
`20
`
`25
`
`2 .
`the distribution of bulk data and (2) the controlled release of
`content through the release of PEKs.
`This invention extends on this basic concept and intro
`duees the techniques of cryptographic envelopes for content
`distribution and sale. Furthermore. the concepts and tech
`niques are generalized to handle arbitrary terms and condi
`tions on the access to and use of digital documents. The
`generalization allows cryptographic envelope to be used as
`a basis for designing and implementing distributed access
`control of digital documents.
`This invention makes it unnecessary to maintain such a
`key database at the server and furthermore allows a cleaner
`separation of trusts between the Document Server (place
`where contents are encrypted) and the Buy Server (place
`where document encryption keys can be obtained).
`Accordingly. this invention provides a method of creating
`a cryptographic envelope which can be distributed arbi
`trarily to any number of users. where only authorized users
`have access to the clear text content of the secure informa
`tion parts. With this invention. each of the information parts
`is encrypted with a corresponding part encryption key to
`generate an encrypted information part. Each part encryp
`tion key is then encrypted with a public key. A list of parts
`that are included in the envelope is also created, and each
`entry in the list has a part name and a secure hash of the
`named part. The envelope. then. includes the encrypted
`information parts. the unencrypted information parts. the
`encrypted part encryption keys and the list of parts. Finally.
`the list of parts is signed with a secret key to produce a
`signature. and this signature is also included in the envelope.
`The integrity of the list can be checked using a second public
`key associated with the secret key that was used to sign the
`list. The integrity of any one information part can be checked
`by computing a second hash on the part and comparing the
`second hash with the corresponding hash for the part in the
`list. Finally the information content of the encrypted part is
`protected from disclosure and can only be recovered with a
`part encryption key, and knowledge of a secret correspond
`ing to a public key is necessary to obtain an unencrypted part
`encryption key. The latter unencrypted key is then used to
`generate clear text from the information part.
`BRIEF DESCRIPTION OF THE DRAWINGS
`FIG. 1 gives an overview of the ?ve steps of a crypto
`graphic envelope process. The main entities involved in the
`process are the Document Server (DS) 100. the Buy Server
`(BS) 102. the decryption ?ngerprinting and watermarking
`module (DFWM) 103. and user pmsonal computer (UPC)
`101.
`FIG. 2 shows the structure of a typical cryptographic
`envelope. The minimal elements are an encrypted part 203
`and its associated entrypted part encryption key (PEK) 202.
`list of parts 209. and signature of list of parts 208.
`FIG. 3 shows the structure of a bill of materials (BOM).
`which has a list of parts 209. Each entry of the table contains
`the part name 302, e.g.. “Abstract". and the MessageDigestS
`(MDS), that is. a secure hash, of the named part 301. e.g,
`“13ADBF77F . . . ". The MDS of the list is computed and
`the resultant hash is signed using the DS’s secret key to
`produce a digital signature 208. The list 209 and the signa
`ture 208 form the DOM.
`FIG. 4 shows a typical price matrix. The columns shows
`the discount factor for various membership categories (402,
`403, 404. 405), and the rows show the quantity discount
`(406, 407. 408. 409). A sample formula for computing the
`price of the n-th copy and the total price of 11 copies is as
`shown 401.
`
`SUMMARY OF THE INVENTION
`This invention describes a method for the creation,
`distribution. and sale of digital information using the meth
`ods and techniques of secure cryptographic envelopes.
`Cryptographic envelopes use modern cryptographic tech
`niques (such as encryption and authentication) to secure
`document parts from unauthorized reading and tampering.
`The process described in this disclosure allows parts of a
`cryptographic envelope to be bought by a user and their
`informational contents released in a secure and controlled
`manner. Additional processing of the parts are introduced to
`deter piracy. Furthermore. the use of public-key technology
`makes cryptographic envelope technique a convenient.
`secure. and self-contained means of distributing digital
`information.
`Super distribution
`The basic model for information distribution assumed
`here is super distribution. (See [5} for a more in-depth
`discussion on the subject.) The basic idea is that digital
`documents (or parts) can be freely distribution over the
`Internet, by radio or television signals. by cable. by satellite,
`by local area networks, by diskettes. by CD-ROMs. and by
`BBS as long as each document is encrypted Assuming that
`the encryption process is su?iciently secure, the only way a
`user can have access to the content is to purchase the
`necessary PEKs (part encryption keys) that are typically
`orders of magnitudes more compact than the documents they
`decrypt.
`Super distribution is a powerful concept because it
`decouples the problem of information distribution into ( 1)
`
`50
`
`65
`
`Petitioner Apple Inc. - Exhibit 1013, p. 8
`
`

`
`5,673,316
`
`3
`FIG. 5 shows a Buy Request Message (BRM) 500.
`Included in the BRM are the encrypted PEKs (202. 211).
`encrypted ?ngerprinting and watermarking instructions 205.
`terms and conditions 206. and BOM 207. Items 202. 205.
`206. 207. and 211 are copied from the cryptographic enve
`lope 200 (see FIG. 2). The other parts of the BRM (501-505)
`are generated at the UPC.
`FIG. 6 shows a Buy Server Response (BSR) 600. The Buy
`Server (BS) translates the PEKs to produce translated PEKs
`(602. 603) which only the DFWM 103 can decrypt. The
`?ngerprinting and watermarking instructions are decrypted.
`customized. and re-encrypted. and the result 604 can be
`decrypted only by the DFWM. The terms and conditions in
`the BRM (500. FIG. 5) are also evaluated and may produce
`updated or transformed terms and conditions 605. The actual
`purchase price 601 is computed by applying the appropriate
`discounts on the base price.
`
`10
`
`4
`and (2) there should be means of associating di?ierent parts.
`e.g.. by naming. pointers. or indices.
`Information parts are of two types: document (201 and
`203) and control (202. 204-211). Document parts are the
`“contents". Some examples of document parts are abstracts.
`table of contents. ?gures. tables. and texts. They could also
`be portions of an executable program. a library of
`subroutines. software modules. or object components.
`Referring to FIG. 2. document parts may be encrypted
`(203). Encrypted document parts 203 are often the “valuable
`contents” to be purchased by the user (e.g.. a section of a
`book. a high resolution JPEG picture. or an MPEG stream).
`Unencrypted parts are the “teasers” 201 (e.g.. reviews of the
`book by others. the table of content. the abstract. or a low
`resolution IPEG picture). The purpose of the unencrypted
`parts is to allow the user to “preview”. "sample”. or
`“browse” the contents of a cryptographic envelope before
`the actual purchase.
`Some pre-processing. such as compression and insertion
`of special string patterns. may be applied to document parts.
`Compression reduces storage. Other pre-processing are
`modi?cation to the document parts to facilitate the ?nger
`printing and watermarking of document parts by the
`DFWM.
`Connrol parts are the metadata needed to support the
`functions and the process model of a cryptographic enve
`lope. There are two main funciions: authenticity and con?
`dentiality. The of the cryptographic envelope are not tam
`pered with. This authentication function is achieved by using
`digital signatures. The con?dentiality function is achieved
`by encryption (e.g.. using DES or IDEA). The basics of
`these encryption and authentication techniques are well
`known in the art and can be found in any modern text on
`cryptography (e.g, see [1]). All control parts are authenti
`cated and some may be encrypted. if necessary.
`Examples of control parts are price matrix (See FIG. 4.
`400) and ?ngerprinting and watermarking instructions 205
`for the post-processing of the document parts. The post
`processing of the document parts is performed by the
`DFWM. when the cryptographic envelope is open. Finger
`printing and watermarking are examples of post-processing,
`they mark document parts in a way to deter piracy.
`Referring to FIG. 4. The price matrix 400 describes the
`pricing structure for the purchase of the document parts, e.g..
`volume discount for buying multiple copies. discount for
`club membership, or corporate discount An example for
`mula 401 to compute the purchase price of 11 copies of a
`document. (Note. the price discount factor may also be time
`dependent. in which case the columns of the price matix
`(402-405) are time-limited special offers instead of club
`membership.)
`Referring to FIG. 2. terms and conditions 206 on the
`purchase and the use of the document parts can also be
`included in the cryptographic envelope. They may be
`included as document parts (in which case they will be made
`visible to the user) or included as control parts (in which
`case they will be evaluated at the Buy Server (BS) 102 and
`possibly again at the user's personal computer (UPC) 101).
`The document parts contain some textual infonnation. and
`the control parts may contain some program (e.g.. written in
`a scripting language such as Perl [4]) implementing the
`terms and conditions. (Note: The ?ngerprinting and water
`marking instructions. and the price matrix. We list them
`explicitly for clarity.)
`Con?dentiality and Authenticity
`We now describe a method in which con?dentiality can be
`achieved. Parts of value are encrypted using a DES (Data
`
`20
`
`25
`
`35
`
`DESCRIPTION OF THE PREFERRED
`EMBODIMENT
`Referring to FIG. 1. one of the key advantages of the
`cryptographic envelope process is security. It is assumed that
`the BS (Buy Server) 102 and the DS (Document Server) 100
`are secure. E.g.. they are managed and owned by the
`respective business partners in the enterprise and are oper
`ated by trusted personnel inside a glass house.
`It is also assumed that there isn’t much security at the
`UPC (User Personal Computer) 101. since it belongs to the
`user, except that it has a relatively small and secure DFWM
`(Decryption Fingerprinting and Watermarking Module) 103.
`where security is provided in software or through tamper
`resistant hardware.
`Overview of Steps
`An overview of the processing steps is as follows. (See
`FIG. 1.)
`Step l-Cryptographic Envelope Creation
`Step 2-Cryptographic Envelope Distribution
`Step 3-User-Initiated Buy Request
`Step 4-Buy Server Response
`Step S-Opening of Cryptographic Envelope
`Cryptographic Envelope Processing Steps
`Each of these processing steps is described in greater
`details.
`Step 1: Cryptographic Envelope Creation
`The ?rst step is the creation of a cryptographic envelope.
`See 200 of FIG. 2. The creation event is usually done o?lline
`by the content provider because of anticipated needs for a
`collection of digital documents to be super distributed.
`Alternatively, it could be triggered by a user request. In
`this case the a'yptographic envelope would be created
`speci?cally for the user. and the cryptographic envelope may
`contain certain information speci?c to the user or the
`request. Moreover, if it's anticipated that there will be
`similar future requests by other users. additional information
`might be included in the cryptographic envelope. and the
`cryptographic envelope is cached to allow future similar
`requests to be ful?lled more e?iciently.
`Cryptographic Envelope Parts
`A cryptographic envelope is a grouping of information
`parts. See 201-211 of FIG. 2. Some of the information parts
`are encrypted while others are in clear text. The crypto
`graphic envelope process is compatible with a wide vm'iety
`of grouping technologies (e.g. zip. tar, and the more object
`oriented approaches of OpenDoc Bento and Microsoft
`0113). The requirements on the grouping method is minimal:
`(1) the parts can be aggregated into a unit suitable for
`distribution and the parts can later be individually retrieved.
`
`45
`
`55
`
`65
`
`Petitioner Apple Inc. - Exhibit 1013, p. 9
`
`

`
`5
`
`20
`
`25
`
`30
`
`5
`Encryption Standard) algorithm (e.g.. see [1]). Different
`parts are encrypted using diiferent PEKs (part encryption
`keys). These keys are chosen randomly and independently.
`There are many ways of generating a random encryption
`key. One way is to use random or a pseudo-random number
`generator to produce a random string. which is used as the
`key. More details on these scheme can be found in [1.3].
`Each PEK is encrypted using the public key of a BS (Buy
`Server) 102 and the resultant encrypted PEK 202 (FIG. 2)
`becomes a control part in the cryptographic envelope: (Note:
`a PEK may be encrypted using di?erent BS public keys and
`all theses encrypted PEKs included in the cryptographic
`envelope.)
`There are many ways of ensuring the authenticity of a
`cryptographic envelope and its parts. We now describe one
`such method. Every cryptographic envelope has a special
`control part called BOM (Bill of Materials) 207. The BOM
`is consist of two parts: (1) a list of parts 209. and (2) a digital
`signature 208.
`We apply a secure hash function. MessageDigestS (MDS)
`(see. e.g.. [l] for details). to each part included in a cryp
`tographic envelope and create a list. Referring to FIG. 3.
`each entry in the list contains the part name or reference 302
`and a secure hash 301 of the information part corresponding
`to the part name. (E.g.. In the case of a ?le-based grouping.
`list of parts would be a ?le containing the ?le names of all
`the ?les and their corresponding hash results.)
`The list is then digitally signed with a secret key known
`only to the DS (Document Server) 100. There are many
`ways of digitally signing a document (see. e.g.. [1]). One
`way is to compute the MDS (or any other secure hash) of the
`list of parts and to encrypt the resultant hash using the secret
`key (to produce a signature) 208. The list of parts and the
`signature together are referred to as the BOM 207. Note. that
`only the public key of the DS is needed to verify the
`authenticity of the BOM.
`Authenticity of the cryptographic envelope is checked by
`decrypting the signature using the public key of the DS and
`comparing that with the MDS of list of parts. If the two
`match, then the list of parts has not been tampered with. The
`authenticity of individual parts can also be checked by
`computing the MDS of the each part. and by comparing the
`result its corresponding entry in the list. Therefore. the BOM
`207 ensures the integrity of a cryptographic envelope and all
`its parts.
`Cryptographic Envelope is Self-Contained
`An important feature of cryptographic envelope is that it
`is self-contained in the following sense. Only the public key
`of a DS is needed to verify the authenticity of the crypto
`graphic envelope. Because the encrypted PEKs (202. 210.
`211. see FIG. 2) are with the cryptographic envelope. only
`the secret key of a BS is needed recover the content.
`Moreover, di?erent Document Servers can generate crypto
`graphic envelopes using only the public key of the BS; no
`other communications between 138s and DSs are needed.
`Cryptographic Envelope Creation Steps
`We now summarize the processing steps in the creation of
`a cryptographic envelope. (See FIG. 2)
`1-a—-Assemble information parts to be included in the
`cryptographic envelope.
`l-b—-Apply optional processing steps (e.g.. compression.
`pre-?ngerprinting. and pre-watermarking) to parts.
`Keep su?icient state information of these processing
`steps to undo the operations later.
`l-c-Generate random PEKs (part encryption keys) 202.
`one for each part to be encrypted.
`l-d-Encrypt document parts with their respective PEKs
`to form the encrypted parts (203. 204. 205). which are
`included in the cryptographic envelope.
`
`45
`
`50
`
`55
`
`65
`
`5.673.316
`
`6
`l-e-—The PEKs are then encrypted using the public key of
`a BS to form encrypted PEKs (202. 210. 211). which
`are included in the cryptographic envelope. Encrypted
`PEKs and their corresponding encrypted parts are asso
`ciated.
`1-f—Also encrypt the instructions and other state infor
`mation from Step l-b using some random PEKs. The
`PEKs are encrypted with a public key of the BS. Both
`encrypted parts (203. 204. 205) and encrypted PEKs
`(202. 210. 211) are placed in the cryptographic enve
`lope.
`l-g-Include in the cryptographic envelope clear text
`parts such as “teasers‘i abstracts. and a table of content
`201.
`1-h—Include terms and conditions such as ?ngerprinting
`and watermarking instructions 205 and pricing matrix
`206. Encrypt any parts or sub-parts if necessary (and
`include their encrypted PEKs). As before associate
`encrypted parts with their encrypted PEKs.
`l-i—Create a list 209 of information parts. listing all the
`parts assembled and computing a secure hash for each
`of the parts listed.
`1-j—Create a signature 208 for BOM 207 by digitally
`signing the list. e.g.. computing the secure hash of the
`list and encrypting it with the DS secret key. The BOM
`207 (list 209 and signature 208) are added to crypto
`graphic envelope.
`See FIG. 2 for details on possible cryptographic envelope
`structure.
`Step 2: Cryptographic Envelope Distribution
`Once a cryptographic envelope is created. it can be
`distributed by any means. e.g.. sending over the Internet. by
`radio or television signals. by cable. by satellite. by
`CD-ROMs. and by BBS. Security of distribution is not
`needed. Cryptographic envelopes may be copied.
`duplicated. and shared between users. In fact. it’s our
`anticipation that “down-stream” distribution of crypto
`graphic envelope (i.e.. copying cryptographic envelope by
`friends) is a cost-elfective means of distributing crypto
`graphic envelope. Lastly. cryptographic envelope may be
`stored in any servers without any security requirement on
`the server.
`Step 3: User-Initiated Buy Request
`This step is often preceded by a user browsing the plain
`text “teaser” 201 portion of a cryptographic envelope. A user
`who is interested in the cryptographic envelope content
`would have to buy the necessary PEKs from the BS. (See
`FIG. 1.)
`Graphical User Interface
`The browsing of the cryptographic envelope is performed
`with the help of a GUI such as a modi?ed web browser that
`understands the cryptographic envelope structure. First. the
`modi?ed browser must be able to check the integrity of the
`cryptographic envelope. The user is noti?ed of any tamper
`ing of the cryptographic envelope parts through the integrity
`check. Next. the browser should be able to display the clear
`texts in the cryptographic envelope. e.g.. display the
`abstracts and table of contents. Finally. referring to FIGS. 2
`and 5. the browser must the able to extract the necessary
`parts from the cryptographic envelope 200 to construct a
`BRM (Buy Request Message) 500.
`Prior Registration
`We assume that there was a prior registration step carried
`out by the user so that the user is recognized by the BS. For
`example. the user could register with a trusted third party.
`For example. the registration may involve a phone call
`from the user to a registration center which will issue an
`
`Petitioner Apple Inc. - Exhibit 1013, p. 10
`
`

`
`7
`account number to the user. The account number is then
`forwarded to all the 1385. Alternatively. the registration
`center can digitally sign the account number; in which case.
`no update in the 138s is needed. A BS can just verify the
`account number by checking the signature.
`After registration. the user is issued certain credentials
`(e.g.. account number and other membership information). A
`credential is a document digitally signed by a trusted third
`party which contains information such as an account
`number. a?liations. or rights held by the user also, as an
`example. the third party could issue to the user certain “book
`clu ” membership credentials that entitles him to discounts
`olf the list price.
`Secure DFWM
`More speci?c to our methods is that we assume. as a result
`of registration. a secure DFWM (103. FIG. 1) (decryption
`?ngerprinting watermarking module) is instantiated at the
`UPC
`The DFWM is responsible for decrypting the parts and at
`the same time applying ?ngerprinting and watermarking on
`the decrypted parts. Watermarking puts visible markings in
`the document in such a way that is hard to erase and does not
`atfect the perusal of the document. Fingerprinting are “invis
`ible” markings in the document and are therefore hard to
`remove.
`For more information on ?ngerprinting and watermarking
`techniques. see application Ser. No. 08/494615 ?led on Jun.
`2%. 1995. and assigned to the same assignee of the instant
`application.
`Instantiation of DFWM
`There are various implementations of a secure DFWM.
`The sirnpliest is based on the public key techniques. where
`the DFWM securely generates and stores a secret key within
`the DFWM security boundary. For example, the DFWM
`could use a pseudo-random number generator to create a
`35
`public-secret key pair. The DFWM secret key is stored
`within the DFWM and the public key is lmown to the
`outside. The registration process allows the trusted third
`party to certify the DFWM public key. (See e.g.. [1] on
`public key certi?cation process.) The DFWM secret key is
`the only secret information kept in the DFWM module.
`Security of DFWM
`The DFWM could be a piece of software running in a
`physically secured module (e.g. smart cards) or running in
`the UPC environment (which is unsecure). In the former
`case. security is achieved through the physical tamper resis
`tance of the packaging. Cm'rent packaging technology can
`provide suf?cient security to the DFWM for all practical
`P"IP°5¢$
`We will focus on the latter case, where we do not assume
`the physical security of DFWM. This is the more interesting
`case. since the availability of physical security only
`enhances the security of DFWM.
`Without secure hardwares. the security of DFWM cannot
`be guaranteed. In many practical cases. we can achieve
`su?icient security using well-known software techniques
`(e.g., code-obscuring techniques well known to virus
`writm's).
`However. one of key advantages of the process described
`in this disclosure is that even if the DFWM is compromised.
`the exposure is
`The user cannot unlock a document
`part that hadn't been purchased (since the PEK is not
`available). The buy transaction is secure since it must go
`through a secure BS.
`If a DFWM is compromised (e.g.. the DFWM secret key
`is exposed). the only possible loss is that a document that a
`user purchased is not properly ?ngerprinted and water
`
`45
`
`25
`
`55
`
`65
`
`5,673,316
`
`15
`
`20
`
`8
`marked. However. the security risk is not entirely dilferent
`from the possibility of the user erasing the markings from
`the document.
`Buy Request Transaction
`We now describe the buy request transaction in greater
`detail.
`Through the Graphical User Interface (GUI). the user is
`prompted with a list of articles contained in the crypto
`graphic envelope. The user may browse the relevant
`abstracts for more information. The user may also know the
`list price of the articles. If the user still wants to buy the
`articles. the user would initiate a buy-request through the
`GUI. resulting in a BRM (Buy Request Message) (see 500,
`FIG. 5) being sent to the BS 102.
`User Authentication
`Before the buy request can be completed. the system may
`want to authenticate the user. There are many well known
`techniques for user authentication by the system. E.g.. one
`such technique (similar to what is used in Pretty Good
`Privacy [3]) is to store the user private key encrypted on the
`disk drive of the UPC.
`The user is prompted for his password. which is used to
`decrypt the private key. The private key is used to digitally
`sign or certify a buy~related message and is erased at the end
`of each session.
`Environmental variables
`Environmental variables are information about the user
`environment or information about the UPC (e.g., locale.
`time. machine type. operating system name. etc.). In
`contrast. user credentials are information about the user.
`Environmental variables are of two types: secure and
`insecure. Secure variables are verified and digitally signed
`They can be checked and signed either by the BS (dln'ing
`registration) or generated and signed by the DFWM.
`Insecure variables are generated by the UPC. They are not
`veri?ed or signed They are included solely for informa
`tional purposes. Throughout this document. environmental
`variables will mean both.
`Buy Request Message
`Referring to FIG. 5, the BRM 500 contains the following
`information copied or extracted ?'om the cryptographic
`envelope (200, FIG. 2):
`3.1—BOM of the cryptographic envelope 207
`3.2—List of articles to buy 501
`3.3—-PEKs associated with the

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket