Comerford et al.

US005109413A
[11] Patent Number: 5,109,413
[45] Date of Patent: Apr. 28, 1992
Primary Examiner: Thomas H. Tarcza
Assistant Examiner: David Cain
Attorney, Agent, or Firm: Pollock, Vande Sande & Priddy

[57] ABSTRACT

A software asset protection mechanism segregates the right to execute software from the software itself. The rights to execute, when installed on a composite computing system, are stored in a coprocessor element of the composite computing system. The software asset protection mechanism is enhanced as described herein by providing for the manipulation of those rights to execute. More particularly, the rights to execute can be conditioned at least in terms of a valid period of execution or a valid number of executions. The rights to execute can be safely transferred from one coprocessor to another, or can be returned to the software vendor. Finally, a method is described of backing up the rights to execute to provide the user with the rights to execute in case the coprocessor element of the composite computing system fails.

43 Claims, 19 Drawing Sheets

[54] MANIPULATING RIGHTS-TO-EXECUTE IN CONNECTION WITH A SOFTWARE COPY PROTECTION MECHANISM
[75] Inventors: Liam D. Comerford, Carmel; Steve R. White, New York, both of N.Y.
[73] Assignee: International Business Machines Corporation, Armonk, N.Y.
[21] Appl. No.: 441,221
[22] Filed: Nov. 28, 1989

Related U.S. Application Data
[63] Continuation of Ser. No. 927,299, Nov. 5, 1986, abandoned.

[51] Int. Cl.: H04L 9/00
[52] U.S. Cl.: 380/4
[58] Field of Search: 380/4; 364/200, 900
`
APPLE EXHIBIT 1080
APPLE v. PMC
IPR2016-01520
Page 1
`
`
`
Drawing sheets (19 sheets; only the labels listed below survive extraction)

FIG. 1: HOST; PERMANENT MEMORY (CSK) and TEMPORARY MEMORY; token T1; files APPLICATION FILE A, E_AK(APPLICATION FILE B), E_CSK(AK), E_AK(T1).
FIG. 2: as FIG. 1, with E_CSK(AK, CONDITION: TERMINAL DATE IS MARCH 1, 1987) in place of E_CSK(AK).
FIG. 3: PERMANENT MEMORY holds CSK, AK, TERMINAL DATE; files as in FIG. 2.
FIG. 4: PERMANENT MEMORY holds CSK, AK, C; files APPLICATION FILE A, E_AK(APPLICATION FILE B), E_CSK(AK, CONDITION: NUMBER OF EXECUTIONS IS C), E_AK(T1).
FIG. 5: token T2; E_CSK(T2); PERMANENT MEMORY holds CSK, AK; files APPLICATION FILE A, E_AK(APPLICATION FILE B), E_CSK(AK), E_AK(T1).
FIG. 6: token T2; E_CSK(T2); PERMANENT MEMORY holds CSK, AK; TEMPORARY MEMORY holds T2; files as in FIG. 5.
FIG. 7: token T2; PERMANENT MEMORY holds CSK; two file sets: APPLICATION FILE A, E_AK(APPLICATION FILE B), E_CSK(AK), E_AK(T2) and APPLICATION FILE A, E_AK(APPLICATION FILE B), E_CSK(AK), E_AK(T1).
Sheet 8 of 19: rotated drawing; labels not recoverable.
Sheet 9 of 19: rotated drawing; labels not recoverable.
FIG. 10: token [TB1 + TB2 ... TBN]; E_CSK(TB); PERMANENT MEMORY holds CSK, AK1, AK2; TEMPORARY MEMORY holds TB1 + TB2 ... TBN, RN, CR = f(TB1, RN).
FIG. 11: token [TB2 + TB3 ... TBN]; E_CSK(TB); PERMANENT MEMORY holds CSK, AK1, AK2; TEMPORARY MEMORY holds TB1 + TB2 + ... TBN, RN, CR, AR; decision IS AR = CR? YES: PROCEED, NO: ERROR.
FIG. 12: token [TB2 + TB3 ... TBN]; E_RK(TB2 + TB3 ... TBN), E_CSK(RK), E_RK(AK1, AK2, USK); PERMANENT MEMORY holds CSK, AK1, AK2; TEMPORARY MEMORY holds TB2 + TB3 ... TBN, RK.
FIG. 13: token [TB2 + TB3 ... TBN]; E_RK(TB2 + TB3 ... TBN), E_CSK(RK), E_RK(AK1, AK2, USK); PERMANENT MEMORY holds CSK.
FIG. 14: token [TB3 + ... TBN]; E_RK(TB2 + TB3 ... TBN), E_CSK(RK), E_RK(AK1, AK2, USK); PERMANENT MEMORY holds CSK; TEMPORARY MEMORY holds TB2 + TB3 ... TBN, SRN, CR = f(TB2, SRN), AR; decision IS AR = CR? YES: PROCEED, NO: ERROR.
FIG. 15: E_USK SINK(USK SOURCE); PERMANENT MEMORY holds USK SOURCE, CSK, AK1, AK2; TEMPORARY MEMORY holds VERIFY; check VERIFY USK SOURCE = E_USK SINK(E_USK SINK(USK SOURCE)); YES: PROCEED, NO: ERROR.
Sheet 16 of 19: rotated drawing; labels not recoverable.
Sheet 17 of 19, upper figure (figure number not legible): COPROCESSOR 20 holding AK1, AK2, AK3; E_CSK(RN1 + AK1 + Rf), E_CSK(RN2 + AK2 + Rf), E_CSK(RN3 + AK3 + Rf) (last term as extracted).
FIG. 18: timeline for COPROCESSOR 120; MESSAGE [E_USK SINK(USK SOURCE)]; CBS PROCEDURE; IBS / E_CSK(USK SOURCE, USK SINK); events IBS START, IBS COMPLETE, BACKUP INSTALLED, TS, CONDITION REMOVED, TE, GRACE PERIOD; axis: time.
FIG. 19: memory table with BINARY FLAGS and MULTI-BYTE ENTRIES; columns CONDITION, LOCATION AND VERIFICATION INFORMATION, DATA, KEY; key rows CSK 1, CSK 2, ... CSK N, AK 1, AK 2, AK 3, ... AK N, MAK 1, MAK 2 (flag names not recoverable).
FIG. 20: two HOSTs, each with a coprocessor; one PERMANENT MEMORY holds CSK 1, CSK 2, AK; the other holds CSK 1, CSK 2.
FIG. 21: SOURCE COPROCESSOR steps: RN1; E_CSK1(RN1); E_CSK2(RN2); SK = RN1 • RN2; E_SK(AK); DELETE AK; AC DELETED. SINK COPROCESSOR steps: RN2; E_CSK2(RN2); E_CSK1(RN1); RN1 • RN2 = SK; E_SK(AK); E_SK(AK) rcvd; ACTUATE AK.

MANIPULATING RIGHTS-TO-EXECUTE IN CONNECTION WITH A SOFTWARE COPY PROTECTION MECHANISM

This is a continuation of copending application Ser. No. 06/927,299 filed on Nov. 5, 1986, abandoned.

DESCRIPTION

Technical Field

The invention is in the field of data processing, especially in connection with a software copy protection mechanism. That mechanism restricts software, distributed on a magnetic disk or other medium, for use on any computer which is associated with an authorized, physically secure coprocessor where the mechanism does not interfere with the user creation of "backup" copies, but the protection is not compromised by any such "backup" copies. The present invention is particularly directed at manipulating a right-to-execute which is a distinguishing characteristic of that copy protection mechanism.

CROSS-REFERENCE TO COPENDING APPLICATIONS

Reference is made to the following copending applications, assigned to the assignee of this application: U.S. patent application Ser. No. 927,309, filed Nov. 5, 1986; U.S. patent application Ser. No. 927,306, filed Nov. 5, 1986; U.S. patent application Ser. No. 927,629, filed Nov. 5, 1986; U.S. patent application Ser. No. 927,298, filed Nov. 5, 1986; U.S. patent application Ser. No. 927,286, filed Nov. 5, 1986; and U.S. patent application Ser. No. 927,297, filed Nov. 5, 1986.

BACKGROUND OF THE INVENTION

The basic copy protection mechanism is described in copending application Ser. No. 927,629; this mechanism separates the software which is to be protected from the right to execute that software. To provide security and implement the mechanism, each computer on which a protected application is to run (hereinafter referred to as a host) is associated with a logically and physically secure coprocessor. When installed in the coprocessor, the right-to-execute a particular protected application exists in the form of a software decryption key called an application key (AK). So long as the software decryption key AK is retained in the permanent memory of the coprocessor, the corresponding protected software can be executed on the composite system including the host and coprocessor. The software copy protection mechanism has the advantage that it negligibly interferes with present and contemplated software distribution techniques, it allows the user to make unlimited numbers of "backup" copies and it does not require any two-way communication between the user and the software vendor. This is supported by distribution of an authorization to the coprocessor to accept a right to execute provided in the form of a hardware cartridge (or token). Furthermore, the user need only employ the token the first time the protected application is run in order to transfer the right to execute, which is represented by the unused token, to the coprocessor. Thereafter, the token may be discarded and it is thereafter totally unnecessary to maintenance or use of the right to execute.

The invention described in copending application Ser. No. 927,629 does not address manipulation of the right to execute (other than describing how a user may first acquire it), nor does it describe the possibility of conditioning the right to execute. The present invention is particularly directed at conditioning or manipulating or transferring the right to execute which exists in a coprocessor.

In particular, the present invention provides the capability of safely transferring the right to execute. The right to execute may be transferred to another coprocessor or may be merely transferred outside the coprocessor for external storage. In either event it is essential that the process of transferring the right to execute not generate or allow spurious or duplicate rights to execute which would of course defeat the purpose of the copy protection mechanism. As described herein, the transfer of a right to execute can be indirect, through the use of a transfer set (which in many respects is identical to the distribution set through which the right to execute was acquired) or direct via a coprocessor to coprocessor communication link. Safety is maintained even though the communication is unsecured in the sense that the transfer transaction may be observed.

The present invention also provides techniques for conditioning the right to execute. For example, the right to execute might be conditioned by a time period (a right to execute which exists up until a cut-off date and/or time) or it could be conditioned based on the number of times it is invoked (for example the vendor could sell a user the right to execute the protected application ten times). As will be described, the right to execute can be conditioned on any other parameter so long as it can be measured by the coprocessor to the satisfaction of the source of that right to execute (the software vendor). The availability of conditioned rights to execute provides the software vendor with additional flexibility and it further opens up the possibility, for the first time in the software field, of a truly safe "return" policy. For obvious reasons, a software vendor, using today's software distribution techniques, will be in jeopardy of giving his products away free if he accepts the "return" of software for full purchase credit. The vendor has no way of verifying with present distribution techniques whether or not the user has already duplicated the software so that after the return the user could still maintain a fully usable copy of the application. Using the principles described herein, however, the software vendor can implement a "return" policy and be assured that if a user returns the software, the user no longer retains an executable copy.

Because the software copy protection mechanism operates in the real world, with real world devices, and because the distinct right to execute exists in the form of a cryptographic key stored in the permanent memory of a coprocessor, it is necessary to address the possibility that the coprocessor storing the right to execute may fail. Such failure should not result in the complete loss of the user's rights to execute, and the present invention provides apparatus and methods for securing the user against the loss of the right to execute in the event his coprocessor does fail. Much as in the case with moving or transferring the right to execute, any hardware "backup" technique (available in case a coprocessor fails) should not have the property of being useful to generate spurious rights to execute. The hardware backup method provides minimal opportunity (and significant disincentive) for improperly multiplying rights to execute.

SUMMARY OF THE INVENTION

The invention meets these and other objects as described below.

Conditioned Right-to-Execute

In order to condition the right to execute, in a system such as described in our copending application Ser. No. 927,629, there must be:
1) a statement of the condition (or conditions) under which the application software may (or may not) be allowed to execute fully, and
2) some objective criteria against which the condition or conditions can be measured, and
3) a software program which can test the conditions against the criteria and act in a way determined by results of that test.

These objectives must be met in a way which is secure against attempts of the user, or anyone else not specifically authorized by the software vendor, to either vary the conditions or the objective criteria under which the conditions are met. In accordance with the invention, the criteria are stated in software, and more particularly, in the protected or encrypted portion of the application software. As is described in our copending application Ser. No. 927,629, the only form in which application software is available to the user is in encrypted form; because the user does not have access to the decryption key as a data object, he is unable to modify, or even read the protected software. Thus, incorporating the conditions of the right to execute within the protected software results in securing these conditions against alteration by the user or anyone else unless authorized by the software vendor. In order to save (for testing) the conditions which are tested against the programmed criteria, we use some storage space in the non-volatile memory of the coprocessor; this storage space has already allocated to it the function of storing the decryption key necessary to decrypt the encrypted software. Thus the storage space allocated to a particular protected piece of software is expanded to include the condition which can be measured against the criteria. Because of the non-volatility of the memory, so long as the right to execute is available in the coprocessor, the objective conditions are also available. It should be understood that the coprocessor contains a continuously powered real-time clock within its physically secure boundary so that in the case that criteria involving time are to be used, the time information is available. Because the information is stored in a coprocessor's non-volatile memory, and only the portion of this memory allocated to any particular application can be accessed by that application, the information is secure against any attempt at modification by the user. The application software may modify the conditions stored in its portion of non-volatile memory, but may not change the value of the real-time clock.

For example, the software thus could count the number of times or the total period it had been used by changing numbers kept in this storage and executing only until criteria related to number or total period of executions were no longer met by the stored conditions.

As an example, assume that the software vendor has transferred to the user the right to execute on the condition that a certain terminal date had not passed (i.e. the user has the right to execute the protected application up to, but not after Mar. 1, 1987). The coprocessor's operating instructions necessarily, therefore, provide for storage of a last allowed use (terminal) date along with the software decryption key. Since the coprocessor maintains a real time clock, whenever the decryption key is accessed or at intervals during application execution, the terminal date and the current date are available. The terminal date provision is protected against unauthorized alteration by the security of the coprocessor as is the real time clock setting. The encrypted portion of the software (the protected portion) describes the criterion that execution is not available beyond the terminal date. Whenever the protected software is run, the decryption key and the terminal date are accessed from the coprocessor's non-volatile memory. The criterion tested in the protected software requires that the terminal date be compared to the current date; if the current date is beyond the terminal date, then execution of the protected software does not proceed. The protected software can also be arranged to provide for deleting the particular software decryption key in the event that the current date is beyond the terminal date. It should be apparent to those skilled in the art that another condition which can be substituted for the terminal date condition is the number of times the software is executed. For this case, the protected software describes the number of executions which have been authorized, and in lieu of storing the current date along with the software decryption key, a count of allowed uses is stored which is decremented each time the software is executed. The protected portion then tests the allowed number of executions against the criterion that the number is greater than zero. It then either decrements the number or, if the number of authorized executions is zero, denies the user's request to execute the software (and perhaps the software decryption key is also deleted). It should be apparent that there are many variations to these specific implementations, including elapsed time, passwords, and combinations of these and other measurables, all of which are within the scope of the invention.
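
The terminal-date and execution-count conditions described above, as an added Python model that is not part of the patent. The `Coprocessor` class, its method names and the constructed clock are hypothetical, and the criteria test that the patent places in the encrypted application code is folded into `request_execution` for brevity.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Optional


@dataclass
class Slot:
    """Non-volatile storage allocated to one protected application."""
    ak: Optional[bytes]                    # application key AK = the right to execute
    terminal_date: Optional[date] = None   # condition: last allowed day of use
    uses_left: Optional[int] = None        # condition: remaining authorized executions


class Coprocessor:
    """Hypothetical model of the secure coprocessor's rights store."""

    def __init__(self, rtc: Callable[[], date]):
        # The real-time clock sits inside the secure boundary: no method
        # below lets the host or an application set it.
        self._rtc = rtc
        self._slots: Dict[str, Slot] = {}

    def install(self, app_id: str, ak: bytes,
                terminal_date: Optional[date] = None,
                uses_left: Optional[int] = None) -> None:
        """Store AK together with the condition it was delivered with."""
        self._slots[app_id] = Slot(ak, terminal_date, uses_left)

    def has_right(self, app_id: str) -> bool:
        slot = self._slots.get(app_id)
        return slot is not None and slot.ak is not None

    def request_execution(self, app_id: str) -> Optional[bytes]:
        """Test the stored condition; return AK to proceed, None to refuse."""
        slot = self._slots.get(app_id)
        if slot is None or slot.ak is None:
            return None
        # Terminal-date criterion: refuse once the current date is beyond it.
        if slot.terminal_date is not None and self._rtc() > slot.terminal_date:
            slot.ak = None          # optional step in the text: delete the key
            return None
        # Use-count criterion: the stored count must be greater than zero.
        if slot.uses_left is not None:
            if slot.uses_left <= 0:
                slot.ak = None
                return None
            # Decrement before the key is released, so an interrupted run
            # still costs one use (a design choice of this model).
            slot.uses_left -= 1
        return slot.ak


class ConstructedClock:
    """Constructed stand-in for the real-time clock so the example runs offline."""

    def __init__(self, today: date):
        self.today = today

    def __call__(self) -> date:
        return self.today


def demo() -> dict:
    clock = ConstructedClock(date(1987, 2, 28))
    cp = Coprocessor(clock)
    cp.install("dated-app", b"AK-dated", terminal_date=date(1987, 3, 1))
    cp.install("metered-app", b"AK-metered", uses_left=2)

    results = {"before": cp.request_execution("dated-app")}
    clock.today = date(1987, 3, 1)          # the terminal date itself is allowed
    results["on_terminal_date"] = cp.request_execution("dated-app")
    clock.today = date(1987, 3, 2)          # beyond the terminal date
    results["after"] = cp.request_execution("dated-app")
    clock.today = date(1987, 2, 1)          # a deleted key stays deleted
    results["after_rollback"] = cp.request_execution("dated-app")
    results["metered"] = [cp.request_execution("metered-app") for _ in range(3)]
    results["metered_right_left"] = cp.has_right("metered-app")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Deleting AK on the first failed test is what makes the refusal permanent in this model: the later request with an earlier date is still refused because the right itself is gone.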
`
Transfer of Right-to-Execute

Transferring the right to execute from one user to another (or more particularly, from a source coprocessor to a sink coprocessor) can be accomplished by reconstructing a distribution set. This procedure returns the right to execute to a portable form which is substantially identical to that from which it was acquired in the first place, see copending application Ser. No. 927,629. This procedure, necessarily, removes the right to execute from the source coprocessor.

This transaction requires that the user obtain either a token or a disk and a token pair (also referred to as a Transfer Set), depending on the structure of the token. These sets can be provided by the hardware vendor. The token (or cartridge) in the set is loaded by the coprocessor hardware manufacturer. The Transfer Set, prior to manipulation by the user has a single piece of information, token data, stored in two forms. The token is loaded, by the hardware vendor with clear text token data; the physical characteristics of the token protect this sensitive information from unauthorized persons. The same data is encrypted under a hardware manufacturer secret key called a Common Supervisor Key (CSK) to generate E_CSK(token data). It is stored either on the disk of the Transfer Set, or in the token if it is so structured as to allow it. Because E_CSK(token data) is encrypted, it may be stored on the disk even though in that form it can be read and even copied by anyone. It is necessary that the transfer set be prepared by a trusted source, such as a hardware vendor, because if the token contents are known, other tokens could be loaded with known contents and the transferred right to execute replicated. Assuming that the user has acquired a suitable transfer set, the distribution set is prepared using a Reconstruct Distribution Set (RDS) process, by the user and his composite computing system, for example, as follows.

A utility program, running on the host computer, signals the (source) coprocessor that an RDS sequence is about to begin. The utility program identifies to the coprocessor the location of the key to be transferred. The coprocessor executes a CBS (Create Backup Set) procedure on all allowed keys except the indexed key. The CBS procedure is described below. At this point it is sufficient to note that the CBS procedure invalidates any existing hardware backup mechanism. The coprocessor requests and receives a copy of the encrypted token descriptor E_CSK(token data) from the transfer set. The coprocessor decrypts the token descriptor to provide clear text token data. This clear text token data is then encrypted using the software decryption key identified by the index to produce E_AK(token data). The coprocessor then stores this encrypted token descriptor E_AK(token data) in a reserved non-volatile storage area of the token or on the disk and either erases or otherwise de-activates the software decryption key AK at the given storage location. The coprocessor then passes the encrypted token descriptor to the host for storage on the transfer set disk. As will be described later, the key (AK) to be transferred may be associated with conditions of execution. If these conditions of execution are unchanging (such as terminal date) then the encrypted application key may be copied to the transfer set disk. If the conditions of execution are changing (such as remaining hours of use or remaining number of uses), then the encrypted file containing the application key and the conditions of execution cannot be copied from the distribution disk without resetting the conditions. This synchronization of a token descriptor file and an application key file can be achieved by including a correspondence test number in each file. The next step in transfer is thus the preparation of an encrypted application key file for storage on the transfer disk. This preparation is identical to the encrypt vendor key (EVK) transaction described below save that the correspondence test number is substituted for the random number. This correspondence number could be a fraction of the token data. After this preparation and transfer, the utility program, running in the host, then transfers to the transfer set disk the two files containing the plain text and cipher text parts of the protec