|80001
`
`as) United States
`a2) Patent Application Publication co) Pub. No.: US 2013/0166921 Al
`(43) Pub. Date:
`Jun. 27, 2013
`Vijay etal.
`
`(54) PORTING DIGITAL RIGHTS MANAGEMENT
`SERVICE TO MULTIPLE COMPUTING
`PLATFORMS
`
`(75)
`
`Inventors: Shyam S. Vijay, Fremont, CA (US); Joe
`Steele, Danville, CA (US); Roderick
`David Schultz, San Francisco, CA (US)
`
`(73) Assignee: ADOBE SYSTEMS
`INCORPORATED, SanJose, CA (US)
`
`(21) Appl. No.: 13/149,758
`
`(22)
`
`Filed:
`
`May31, 2011
`
`Publication Classification
`
`(51)
`
`Int. Cl.
`GO6F21/00
`
`(2006.01)
`
`(52) U.S.CL
`SEG sscmcnsarermncanenneeesnnenme mth bob eds EL Oe EO
`
`(57)
`
`ABSTRACT
`
`Methods, systems, and apparatus, including computer pro-
`grams encoded on a computer storage medium, for porting
`digital rights managementservices. In one aspect, a system
`includes: a hardware processor; one or more memorydevices
`coupled with the hardware processor and effecting an oper-
`ating system for the hardware processor; and a digital rights
`management (DRM) component having a DRM adaptor con-
`figured to check whether the hardware processor has a hard-
`ware-based encryption element, use the hardware-based
`encryption element if available, and use a software-based
`encryption element if the hardware-based encryption element
`is not available, wherein the software-based encryption ele-
`ment includes code compiled from source code for the hard-
`ware processor, the source code prepared for different com-
`puter platforms.
`
`Apolicaton Developer
`
`136
`
`DRM-Enabled
`Apetication
`
`Soltware Provider
`
`Sottware-Based
`Encryption Element
`Generator
`
`DRMAdaptor
`Source Cade
`
`106
`
`100 124
`
`Crypto
`
`Device
`Vendors /
`Manufacturers
`
`EX1008
`Roku V. Media Chain
`U.S. Patent No. 9,715,581
`
`EX1008
`Roku V. Media Chain
`U.S. Patent No. 9,715,581
`
`

`

`Patent Application
`
`*
`=
`Publication
`
`Jun. 27,2013 Sheet 1 of 6
`
`US 2013/0166921 Al
`
`soydepyWHORSSeQ-EMyOSpeseg-aeaes
`
`
`
`
`
`
`
`apo5aunosjuawaj3uogdhog
`
`
`
`JO}BIAvES)uoneayddy
`
`sopeceryag
`
`
`
`apOqPaessnyGg
`
`Secwor)
`
`ELL
`
`
`
`sodepywudsodepyWud
`
`
`
`
`
`aeJUUNIETUERYeaNELWYS01AagWSK}
`
`Buyeiedg
`
`gquasis
`
`
`SSNSMUeLY
`;HOpUE,,
`10895
`
`BEJedepyUG
`
`Vid¥We &Sone
`
`
`JOpOdgSBAYOSOFTJedojanaguoqecedy
`
`
`queweruogdousPAQGUSAVE
`
`

`

`Patent Application
`
`*
`=
`Publication
`
`Jun. 27,2013 Sheet 2 of 6
`
`US 2013/0166921 Al
`
`JUBWAIUORdOURpeseg-BienuESeoz
`
`-
`
`
`
`
`
`oqesuday
`
`
`
`
`
`fmoupuy“Be)washBuypiedg
`
`IOAN
`
`OF
`
`éDid
`
`deVMiCeyH
`
`OBR
`
`fom
`
`saindwion
`
`oqepgoy
`
`wnipSyy
`
`SayMCayH
`
`(shiosseoai
`
`iano}
`
`acepeoy
`
`OF?
`
`iSMOnUIAA“B'e)ual
`
`shsfuneeda
`
`b é
`
`sodepyWd
`
`uoneayddy
`
`
`
`
`
`
`
`waisicBuyndiesaonaqayaoy
`
`jodepyWed
`
`SeVMLIOS
`
`SuVMLFOS
`
`= z
`
`e.
`
`002
`
`
`
`

`

`Patent Application Publication
`
`Jun. 27,2013 Sheet 3 of 6
`
`US 2013/0166921 Al
`
`Wad
`
`Jiojdepy
`
`LOE
`
`
`
`
`
`Japduo9uoneoiddyaanen
`
`
`
`
`
`(XNO‘SMOPLIAA'KSO‘ploipuy)
`
`
`
`wsysAcBuneisdoD
`
` VeOld
`
`
`AudesBordAinareaajosAydeiioydAryauempiey
`OEPOE
`
`
`
`
`
`(Odd‘We‘98%)Ndd
`
`?he
`
`

`

`Patent Application
`
`*
`=
`Publication
`
`Jun. 27,2013 Sheet 4 of 6
`
`US 2013/0166921 Al
`
`XISOd
`
`SOBLIO}
`
`
`
`a2eJoAe
`
`
`
`OUASPeay,/XOINYY
`
`CiB51ABGQ
`
`wopuby
`
`Ofeis
`
`Sut
`
`Ble
`
`sO
`
`pioupuiy
`
`de“Old
`
`
`
`LuAaIsSASBuneiadg
`
`aa
`
`
`
`UONORISOYyGIeMpIBH=
`
`JoydepyWHO
`
`San
`
`AISACOSIC)
`
`

`

`Patent Application Publication
`
`Jun. 27,2013 Sheet 5 of 6
`
`US 2013/0166921 Al
`
`Receive information regarding different computing platforms
`for which a DRM adaptoris buildable
`
`410
`
`
`420 ooAdd hooksto
`
`440~~iy,|EO]Compile source cade to
`
`
`Add one or more hooks
`into the DRMadapior 430
`hardware ?
`
`Ne
`
`Generate software
`Shiba
`Fa
`utilities %
`
`generate ulilities to include
`inthe DRM adaptor 458
`
`Obfuscate source code for the DRM adaptor
`
`80
`
`Compile the obfuscated source code to generate the DRM adapior
`470
`
`Provide the DRM adaptor
`io effect a DRMservice on a4 target computing platform
`
`FIG. 4
`
`

`

`Patent Application Publication
`
`Jun. 27,2013 Sheet 6 of 6
`
`US 2013/0166921 Al
`
`Request information from an operaling system
`regarding a cryptographic program interface
`
`information from the operating system
`
`for the cryptographic ulllities calis into the DRM adaptor
`
`Check a digital signature
`associated with the cryptographic programinterface
`
`Use the hardware-based encryption elementfor
`cryptographic uiilities calls into a DRM adaptor
`
`Use a software-based encryption element
`
`FIG. 5
`
`

`

`US 2013/0166921 Al
`
`Jun. 27, 2013
`
`PORTINGDIGITAL RIGHTS MANAGEMENT
`SERVICE TO MULTIPLE COMPUTING
`PLATFORMS
`
`BACKGROUND
`
`[0001] This specification relates to digital rights manage-
`ment.
`
`Publishers, distributors, retailers and other provid-
`[0002]
`ers ofelectronic content often desire to restrict access to the
`electronic content to authorized users only. Electronic con-
`tent may include, for example, documents, e-books, video,
`music, computer applications, or games. to name a few
`examples. Electronic content may be usable on a variety of
`devices, such as a personal computer, laptop computer,tablet
`computer, television, set-top box, gaming system, and vari-
`ous types of mobile devices (e.g., personal digital assistant
`(PDA), portable music player, mobile phone). Electronic con-
`tent may be distributed, for example, in some encrypted or
`otherwise protected form. Encrypted content may require a
`decryption key or other mechanismfor rendering the docu-
`ment usable to an authorized user. Some types of user devices
`may include hardware that is specialized for certain encryp-
`tion and decryption processing.
`[0003] Whenelectronic contentis distributed, e.g., sold or
`lent to consumers, the electronic content can be protected by
`a digital rights management (“DRM”) system. A DRM sys-
`tem defines and enforces digital rights. A digital right is a
`permission to perform one or more actions that involve a
`content item. By managing digital rights, the DRM system
`can allow content owners to prevent unauthorized use or
`distribution of the protected content and canselectively
`authorize users to performactions that involve the protected
`content. For example, upon request, the DRM system can
`evaluate a set ofdigital rights associated with a content item,
`and based onthe evaluation, provide or deny authorization for
`anaction involving the content item.
`
`SUMMARY
`
`[0004] This specification describes technologiesrelating to
`porting digital rights managementservices.
`[0005]
`In general, one innovative aspect of the subject mat-
`ter described in this specification can be embodiedin systems
`that include a hardware processor; one or more memory
`devices coupled with the hardware processorandeffecting an
`operating system for the hardware processor; and a digital
`rights management (DRM) component having a DRM adap-
`tor configured to check whether the hardware processor has a
`hardware-based encryption element, use the hardware-based
`encryption element if available, and use a software-based
`encryption elementif the hardware-based encryption element
`is not available, wherein the software-based encryption ele-
`ment includes code compiled from source code for the hard-
`ware processor, the source code prepared for different com-
`puter platforms. Other embodiments of this aspect include
`corresponding apparatus, methods, and computer programs
`encoded on computerstorage devices.
`[0006] These and other embodiments can each optionally
`include one or more ofthe following features. The DRM
`adaptor can be configured to check availability for the hard-
`ware-based encryption element by requesting information
`from the operating systemregarding a cryptographic program
`interlace, and test acceptability of the cryptographic program
`interface based on the information. The cryptographic pro-
`
`graminterface can be supported by a dynamic library. The
`DRMadaptor can be configured to test acceptability ofthe
`cryptographic programinterface by checking a digital signa-
`ture.
`
`[0007] The DRM adaptor can be configured toinitiate a
`handshake with a loadable module using a numberthat is
`encrypted a first time, decrypted, modified, encrypted a sec-
`ond time using a different key fromthefirst time, decrypted,
`and unmodified to produce a result comparable to the number.
`The source code can include source code that was obfuscated
`before compilation. The source code can include different
`libraries specific to the different computer platforms.
`[0008]
`In general, one innovative aspect of the subject mat-
`ter describedin this specification can be embodied in methods
`that include the actions of: receiving information regarding
`different computing platforms for whicha digital rights man-
`agement (DRM) adaptor is buildable: obfuscating source
`code for the DRM adaptor, the source code being usable for
`each ofthe different computing platforms for which the DRM
`adaptor is buildable; compiling the obfuscated source codeto
`generate the DRM adaptor that accesses different sets of
`cryptographic utilities on at least two of the different com-
`puting platforms for which the DRM adaptoris buildable; and
`providing the DRM adaptor to effect a DRM service on a
`target computing platform. Other embodiments of this aspect
`include corresponding systems, apparatus, and computer pro-
`grams, configured to perform the actions of the methods,
`encoded on computer storage devices.
`[0009] These and other embodiments can each optionally
`include one or more ofthe following features. The method
`can include: adding one or more hooks, into the DRM adap-
`tor, to call into one or more programming interfaces ofa
`hardware cryptographic capability of an identified hardware
`processor, the hardware cryptographic capability including
`one of the different sets of cryptographic utilities; and com-
`piling additional source code to generate another ofthe dif-
`ferent sets of cryptographicutilities, which is included in the
`DRM adaptor. Adding the one or more hooks can include
`adding respective different sets of one or more hooksinto the
`DRM adaptorto call into respective programminginterfaces
`of different hardware cryptographic capabilities of different
`identified hardware processors.
`[0010] Compiling the additional source code can include
`compiling the additional source code multiple times for dif-
`ferent computing platforms, based onan identified operating
`system, an identified hardware processor and an identified
`compiler for each respective computing platform, to generate
`at least twoof thedifferent sets of cryptographic utilities. In
`addition, the source code for the DRM adaptor can include
`code that implements encryption key handling guidelines for
`the DRM service.
`
`Ingeneral, one innovative aspect ofthe subject mat-
`[0011]
`ter described in this specification can be embodied in a com-
`puter storage medium encoded with a computer program, the
`program including instructions that when executed by data
`processing apparatus cause the data processing apparatus to
`perform operations including: checking whether a hardware
`processor has a hardware-based encryption element; using
`the hardware-based encryption element, ifavailable, for cryp-
`tographic utilities calls into a digital rights management
`(DRM) adaptor; and using a software-based encryption ele-
`ment, if the hardware-based encryption element is not avail-
`able, for the cryptographic utilities calls into the DRM adap-
`tor, wherein the software-based encryption element includes
`
`

`

`US 2013/0166921 Al
`
`Jun. 27, 2013
`
`code compiled from source code for the hardware processor,
`the source code prepared for different computer platforms.
`Other embodiments ofthis aspect include corresponding sys-
`tems, apparatus, and methods.
`[0012] These and other embodiments can each optionally
`include one or more ofthe following features. The operations
`can include: checking availability for the hardware-based
`encryption element by requesting information from an oper-
`ating system regarding a cryptographic programinterface:
`and testing acceptability of the cryptographic programinter-
`face based on the information from the operating system. The
`cryptographic program interface can be supported by a
`dynamic library. The testing can include checking a digital
`signature associated with the cryptographic programinter-
`face, The source code can include source codethat was obfus-
`cated before compilation, and the source code can include
`different libraries specific to the different computer plat-
`forms.
`Particular embodiments of the subject matter
`[0013]
`described in this specification can be implemented so as to
`realize one or more ofthe following advantages. A software-
`based encryption element can be used if a hardware-based
`encryption element
`is not available. Secure, robust DRM
`functionality that is operating system and hardware indepen-
`dent can be used on multiple, different computing platforms.
`Secure, robust DRM functionality can be added to a new
`computing platform. DRM functionality can be added to a
`device without in-depth knowledge of DRM and without
`extensive effort by a device vendor or manufacturer, DRM-
`enabled applications can run on multiple, different computing
`platforms while using a same DRM component.
`[0014] The details of one or more embodiments of the
`subject matter described in this specification are set forth in
`the accompanying drawings and the description below. Other
`features, aspects, and advantages of the subject matter will
`become apparent fromthe description, the drawings, and the
`claims.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`license server 106 can communicate through a network 108.
`The network 108 caninclude the Internet, one or more local
`area networks (LANs), one or more wireless networks, or any
`other network capable of supporting electronic communica-
`tions. The web server 102, content server 104, and license
`server 106 can be accessed across the network 108 by client
`devices 110, e.g., personal computers 110a, mobile devices
`1105, set-top boxes 110c or other devices, such as tablet
`computers or gaming consoles.
`[0022] Aclient device 110g, 1104, or 110c¢can be provided
`by a device vendor or device manufacturer. For example, as
`illustrated by a client device 111, a device vendor 112 can
`provide the client device 110a, and as illustrated by a client
`device 113, a device manufacturer 114 canprovidetheclient
`device 1104, The client device 111 or 113 representsthe state
`ofthe client device 110¢ or 1105 whenprovidedto a user by
`the device vendor 112 or the device manufacturer 114,
`respectively. The device manufacturer 114 may be a “verti-
`cal” manufacturer in that the device manufacturer 114 may
`develop both an operating system 116 and a hardware pro-
`cessor 118 for the client device 113. The device vendor 112
`may be a “horizontal” vendorin that the device vendor 112
`may develop an operating system (OS) 120 for the client
`device 111 but not a hardware processor 122 for the client
`device 111, or may develop the hardware processor 122 but
`not the operating system 120, or may develop neither the
`operating system 120 nor the hardware processor 122 but may
`assemble the client device 111 using the operating system 120
`and the hardware processor 122.
`[0023]
`Some hardware processors can include DRM (Digi-
`tal Rights Management)-specific functionality, such as one or
`more hardware encryption elements. For example, the hard-
`ware processor 122 includes a hardware encryption element
`124 configured to perform a set of cryptographic utilities.
`Using the hardware-based encryption element 124 canresult
`in faster performance, such as faster encryption and decryp-
`tion, as compared to using software-based
`[0024] DRM utilities. The hardware encryption element
`124 can be supported by a dynamic library 125. The dynamic
`library 125 canbe included inor canbe associated with the
`FIG. Lisablock diagramshowing a systemin which
`[0015]
`operating system 120.
`digital rights management (DRM) services can be readily
`[0025] Asoftware provider 126 can developDRM software
`ported to new computing platforms.
`whichcan provide secure, robust DRM functionalitythat can
`[0016]
`FIG. 2 is a block diagram showing details of com-
`be madeavailable onavariety ofcomputing platforms, where
`puting platforms.
`a particular computing platform includes a particular operat-
`[0017]
`FIGS. 3.4 and 3B show anarchitectural framework
`ing system running on a particular hardware processor. For
`for a DRM adaptor.
`example, the software provider 126 can develop DRM adap-
`[0018]
`FIG. 4 shows a flowchart of a process of creating a
`tor source code 128 that is usable on a variety of computing
`DRM adaptor.
`platforms and can build a DRM adaptor 130 thatis targeted
`[0019]
`FIG. 5 shows a flowchart of a process of using a
`for a particular computing platform, or multiple different
`DRM adaptor.
`computing platforms. The DRM adaptor 130 can be used by
`[0020] Like reference numbers and designations in the
`the device vendor 112 or the device manufacturer 114 to
`various drawingsindicate like elements.
`implement robust, secure DRM solutions on devices pro-
`vided by the device vendor 112 or the device manufacturer
`114. The DRM adaptor can be added to devices provided by
`the device vendor 112 or the device manufacturer 114 without
`requiring a large amount of knowledgeoreffort onthe part of
`the device vendor 112 or the device manufacturer 114.
`
`DETAILED DESCRIPTION
`
`FIG. 1 is a block diagram showing a system 100 in
`[0021]
`which digital rights management (DRM) services can be
`readily ported to new computing platforms. The system 100
`includes one or more web servers 102, one or more content
`servers 104, and one or more license servers 106. Although
`only one of each ofthe servers 102, 104, and 106 is illustrated
`in FIG, 1 for convenience,the functionality ofthe servers 102,
`104, and 106 can be distributed among multiple different
`servers, The web server 102, the content server 104, and the
`
`[0026] The DRM adaptor 130 can be configured to check
`whether a hardware processor has a hardware-based encryp-
`tion element, use the hardware-based encryption element, if
`available, for cryptographicutilities calls, and use a software-
`based encryption element for the cryptographicutilities calls,
`if the hardware-based encryption element is not available.
`
`

`

`US 2013/0166921 Al
`
`Jun. 27, 2013
`
`The DRM adaptor 130 can include other DRM solutions,
`such as secure storage of critical DRM data, such as keys, and
`a secure clock.
`
`[0027] The software provider 126 can build a DRM adaptor
`132 targeted for the operating system 120 and the hardware
`processor 122 used by the client device 111 and can build a
`DRM adaptor 134 targeted for the operating system 116 and
`the hardware processor 118 used by the client device 113. The
`device vendor 112 or the device manufacturer 114 can choose
`
`to distribute the DRM adaptor 132 or the DRM adaptor 134,
`whenproviding the client device 111 or the client device 113,
`respectively, to a user, such as to enable application develop-
`ers (e.g., an application developer 136) to develop applica-
`tions that include DRM functionality. For example, the DRM
`adaptor 132 may be provided as a DRM adaptor 138 included
`in computer readable medium 140 ofthe client device 111
`and the DRM adaptor 134 may be provided as a DRM adaptor
`142 included in computer readable medium 144 of the client
`device 113.
`
`[0028] The device vendor 112 or the device manufacturer
`114 can choose whetherto expose, to the application devel-
`oper 136, someorall of the functionality provided by the
`DRM adaptor 138 or the DRM adaptor 142, respectively. For
`example, the device vendor 112 may choose to expose some
`but not all of the functionality of the DRM adaptor 138 using
`a DRM API (Application Programming Interface) 146. As
`described in more detail below, the application developer 136
`can develop an application 148 that uses DRM functionality
`provided by the DRM API 146. The application 148 can be
`used, for example, by a user ofthe client device 110a.
`[0029]
`For example, a user of a client device 110a may
`browse content items (e.g.. multimedia content) accessible
`from the web server 102. The web server 102 may, for
`example, be maintained by a retailer. The retailer may, for
`example, receive content from content owners or content
`distributors and may encode the received content. Content
`owners, content distributors, and the retailer may desire to
`restrict access to content to authorized users only and the
`retailer may encrypt a respective content item so that the
`content item can only be consumed by a user who has
`obtained a license for the content item. Metadata whichspeci-
`fies usage rules for the content item may be included with an
`encrypted version of the content item. The retailer may host
`content on the content server 104.
`
`[0030] The user ofthe client device 110a may request a
`resource located on the web server 102 that corresponds to a
`particular content item. The user may, for example, enter or
`otherwise select (e.g., by clicking on a hyperlink) a URL
`(Uniform Resource Locator), corresponding to a resource
`located on the webserver 102, into a web browserrunning on
`the client device 110a. In response to the request for the
`resource by the client device 110a, the web server 102 or the
`content server 104 can send acopyofthe resource to the client
`device 1104. In some implementations, the resource can be
`sent using a content delivery network (CDN). The content
`associated with the resource canbe, for example,a file thatis
`sent to the client device 110a, or the content can be content
`that is streamed tothe client device 110a. The content can be
`stored on the client device 110a as content 150 in a user area
`152 of the computer readable medium140.
`[0031] The content server 104 or the web server 102 can
`provide the application 148 to present the content 150. The
`application developer 136, who may be a content owner, a
`contentdistributor, or a third party application developer, can,
`
`for example, make the application 148 available from the
`content server 104 or from the web server 102. The applica-
`tion 148 can provide a runtime environment for presenting
`video, audio, text, and/or other information. The application
`148 can, for example, be included in one or morefiles that are
`separate from the content 150. For example, in some imple-
`mentations, the web server 102 can provide a SWFfile. Note
`that SWF is a file format, such as the SWF File Format
`Specification (Version 10) as published by Adobe Systems
`Incorporated of San Jose, Calif. As another example, the
`application 148 can be an Adobe® Integrated Runtime
`(AIR®) application.
`[0032] Theretailer associated with the web server 102 may
`desire that the content 150 be viewed using an application
`provided by the web server 102 or by the content server 104
`and not someother application. For example, the application
`148 provided by the web server 102 or content server 104 can
`be configured to present advertisements, gather user behavior
`data or analytics, or perform other functionality beneficial to
`the retailer associated with the web server 102 or beneficial to
`the content owner. Moreover, control of the application 148
`used to present the content 150 can prevent third parties from
`deriving an unauthorized benefit from proprietary or other-
`wise protected (e.g., copyrighted) content.
`[0033]
`In response to the request for the resource by the
`client device 110a, the web server 102 or the content server
`104 can send a copy ofthe application 148 (e.g., a copy ofa
`playerfile, such as a SWF file) to the client device 110a. The
`web server 102 can, for example, forward a requestfor the
`resource and/or the application 148 to the content server 104.
`The web server 102 or the content server 104 can send the
`
`copy of the application 148 to the client device 110a before,
`concurrently with, or after the sending of the content 150. The
`client device 110a can store the copy of the application 148 as
`an application 154.
`[0034] Theapplication 154 may be runnable usingan appli-
`cation runtime 156. For example, the user may have previ-
`ously installed the application runtime 156, or the application
`runtime 156 may be sent to the client device before, concur-
`rently with, or after the sending of the content 150 or the
`application 154. The application runtime 156 may be, for
`example, a virtual machine that can execute the application
`154 as well as other scripts or applications. The application
`runtime 156 may be, for example, a media player such as
`Adobe®Flash® Player software or may be the Adobe®
`Integrated Runtime (AIR®) software.
`[0035]
`Insome implementations, the resource or the corre-
`sponding content 150 can indicate that one or more licenses
`are needed to access (e.g., view or play) the content. In
`response to receiving the resource withsuch anindication or
`in response to the user attempting to access (e.g., view, play)
`the content 150, the client device 110a can request a license
`for the content 150 from the web server 102 or from the
`
`license server 106. In some implementations, the web server
`102 can forward a request for a license to the license server
`106 in responsetothe request for the resource fromthe client
`device 110a. In some implementations, a URL ofthe license
`server 106 can be included in metadata associated with the
`content 150.
`
`Insome implementations, the request for the license
`[0036]
`can be initiated by the application 154. The request for the
`license can include anidentity of the application 154 and/or
`some other authorization information, such as a machine
`certificate associated with the application runtime 156 and the
`
`

`

`US 2013/0166921 Al
`
`Jun. 27, 2013
`
`client device 110a. The license server 106 can validate the
`license request, can digitally sign or otherwise authenticate a
`license, and cansend the license to the client device 110a. The
`license can be sent concurrently with the sending of the con-
`tent 150 or beforeor afier the sending ofthe content 150.
`[0037] Before processing the license, the application 154 or
`the application runtime 156 can verify the license, such as by
`verifying a digital signature. The digital signature can be
`verified, for example, using one or more functions provided
`by the DRM API 146. A copyofthe license canbe stored in
`the client device 110a. The license can include a content
`identifier, an encryption key, and an authorization to present
`the content 150. In some implementations, the authorization
`to present the multimedia content 150 can include informa-
`tion to verify the application 154. The application runtime
`156 canverify the application 154, such as by confirming that
`a signature associated with the application matches a signa-
`ture included on a white list of applications, by confirming
`that the application was received froma trusted source, or by
`hashing an application file and confirming that a calculated
`hash value matches an expected hash value included in or
`with the license. The application runtime 156 canverify the
`application 154 using one or more functions provided by the
`DRM API 146.
`
`[0038] The application 154 or the application runtime 156
`can use an encryption key included inthe license to decrypt
`the content 150. In general, the application 154 or the appli-
`cation runtime 156 can use decryption, hashing, and other
`DRM-related functionality provided by the DRM adaptor
`138 through the DRM API 146. Using the DRM API 146 and
`[0039] DRM adaptor 138 can result in stronger security and
`faster developmenttimes for the application developer 136,
`as comparedto the application developer 136 implementing
`DRM functionality fromseratch.
`[0040] The DRM adaptor 138 canuse the hardware encryp-
`tion element 124 for cryptographic utilities calls into the
`DRM adaptor 138. Before using the hardware encryption
`element 124, the DRM adaptor 138 (or the runtime 156) can
`verify the hardware encryption element 124. For example, the
`DRM adaptor 138 (or the runtime 156) can verify a digital
`signature associated with the dynamic library 125 that sup-
`ports the hardware encryption element 124. As another
`example,as illustrated by an arrow157, the DRM adaptor 138
`(or the runtime 156) can perform a handshake process with
`the dynamic library 125.
`[0041]
`For example, the DRM adaptor 138 can determine a
`cryptographic key to use for the dynamic library 125. The
`DRMadaptor 138 can generate a random number R and can
`encrypt R using the key to produce an encrypted random
`number R'. The DRM adaptor 138 can send the key and the
`encrypted random numberR'to the dynamic library 125. The
`dynamiclibrary 125 can decrypt the encrypted random num-
`ber R' using the key (e.g., using the hardware encryption
`element 124) to produce a copy ofthe random numberR. The
`dynamic library 125 can increment the copy ofthe random
`number R to produce a number R2. The dynamic library 125
`can encrypt R2 using the key (e.g., using the hardware
`encryption element 124) to produce an encrypted number
`R2'. The dynamic library 125 can send the encrypted number
`R2' to the DRM adaptor 138. The DRM adaptor 138 cande-
`crypt R2' using the key to produce R2. The DRM adaptor 138
`can perform a test to determine whether R2=R+1. Ifthe test is
`true, the DRM adaptor 138 can determine that the dynamic
`library 125 and the hardware encryption element 124 are
`
`available and valid. Ifthe test is false, the DRM adaptor 138
`can determine that the dynamic library 125 and/or the hard-
`ware encryption element 124 are not valid, and can use a
`software-based encryption elementforcryptographicutilities
`calls into the DRM adaptor 138.
`[0042]
`In some implementations, the actions attributed to
`the DRM adaptor 138in the example above can be performed
`by the application runtime 156, or by the DRM adaptor 138
`operating in concert with the application runtime 156. Fur-
`ther, the handshake 157 can be performed in additional situ-
`ations. The verification handshake 157 can be performed for
`other loadable modules, for example, for any loadable mod-
`ule used to implement the hardware-based DRM adaptor
`functionality. In addition, variations on the handshake proto-
`col 157 are also possible, such as using different operations
`(e.g., other than addition or subtraction) to modify R, adding
`additional information to avoid replay attacks, etc.
`[0043] The DRM adaptor 130 canbe built by the software
`provider 126 for a new computing platform. For example,
`suppose the client device 110c¢ is a new computing device
`being developed by the device manufacturer 114. The soft-
`ware provider 126 can work with the device manufacturer 114
`to build the DRM adaptor 130 so that the DRM adaptor130 is
`targeted to the client device 110c. The device manufacturer
`114 can communicate information about a target hardware
`processor and a target operating system for the client device
`110¢ to the software provider 126.
`[0044] The software provider 126 can discuss with the
`device manufacturer 114 whetherthe target hardware proces-
`sor includes a hardware-based encryption element. If the
`target hardware processor does not include a hardware-based
`encryption element, the software provider 126 can generate a
`software-based encryption element 158 using a software-
`based encryption element generator 159. The software-based
`encryption element 158 can be specific to the targeted hard-
`ware processor, the targeted operating system, and a targeted
`compiler 160. The targeted compiler 160 can be identified
`froma set of possible compilers. In some implementations or
`for some build processes, the software provider 126 can gen-
`erate the software-based encryption element 158 even if the
`targeted hardware processor
`includes a hardware-based
`encryption element. For example, the software-based encryp-
`tion element 158 canbe used as fallback functionality if, for
`example, the DRM adaptor 130 is unable to successfully
`communicate with the hardware-based encryption element in
`the field.
`
`[0045] The DRM adaptor source code 128 can implement
`logic that includes determining, at run time, whether a hard-
`ware-based encryption element ts available, using the hard-
`ware-based encryption element,
`if available,
`for crypto-
`graphic utilities, and using a software-based encryption
`element(suchas the software-based encryption element 158),
`if a hardware-based encryption elementis not available, for
`the cryptographicutilities. Ifthe client device 110cincludes a
`hardware-based encryption element, the software provider
`126 and the device manufacturer 114 canidentify a messag-
`ing interface and the software provider 126 may add one or
`more hooks to communicate withthe target hardware proces-
`sor for the client device 110c to a hardware abstraction com-
`ponent associated with (or
`in some implementations,
`included in) the DRM adaptor source code 128.
`[0046] Continuing with the example of building the DRM
`adaptor 130 for the client device 110c, the software provider
`126 can use an obluscator 162 to obfuscate the DRM adaptor
`
`

`

`US 2013/0166921 Al
`
`Jun. 27, 2013
`
`source code 128 to create obfuscated source code 164. Code
`may be obfuscated, for ex