Abstract: Embodiments of the invention provide techniques for basing access control decisions at the network layer at least in part on information provided in claims, which may describe attributes of a computer requesting access, one or more resources to which access is requested, the user, the circumstances surrounding the requested access, and/or other information. The information may be evaluated based on one or more access control policies, which may be pre-set or dynamically generated, and used in making a decision whether to grant or deny the computer access to the specified resource(s).

Abstract: Segmented media content rights management is described. A media device can receive segments of protected media content from media content streams that each include a different version of the protected media content. A media content file can be generated to include the segments of the protected media content that are sequenced to render the protected media content for viewing. A file header object can be instantiated in a file header of the media content file, where the file header object includes DRM-associated features, such as one or more DRM licenses, properties, and/or attributes that correspond to the media content file to provision all of the segments of the protected media content together.

Abstract: Various embodiments utilize hardware-enforced boundaries to provide various aspects of digital rights management or DRM in an open computing environment. Against the backdrop of these hardware-enforced boundaries, DRM provisioning techniques are employed to provision such things as keys and DRM software code in a secure and robust way. Further, at least some embodiments utilize secure time provisioning techniques to provision time to the computing environment, as well as techniques that provide for tamper-resistant storage.

Abstract: Embodiments of the invention provide a trusted intermediary for use in a system in which access control decisions may be based at least in part on information provided in claims. The intermediary may request claims on behalf of a network resource to which access is requested, and submit the claims for a decision whether to grant or deny access. The decision may be based at least in part on one or more access control policies, which may be pre-set or dynamically generated. Because the intermediary requests the claims and submits the claims for an access control decision, the network resource (e.g., a server application) need not be configured to process claims information.

Abstract: This document describes tools capable of enabling cloud-based movable-component binding. The tools, in some embodiments, bind protected media content to a movable component in a mobile computing device in a cryptographically secure manner without requiring the movable component to perform a complex cryptographic function. By so doing the mobile computing device may request access to content and receive permission to use the content quickly and in a cryptographically robust way.

Abstract: This document describes tools capable of securely distributing entertainment content among and using distributed hardware. These tools may do so robustly by rebinding entertainment content between distributed hardware units. The tools, for example, may distribute content protection in hardware between a policy unit, a transcryption unit, a graphics processing unit, and a playback unit. By so doing the tools enable, among other things, users to select from many graphics cards rather than rely on the graphics capabilities of an integrated (e.g., SOC) hardware solution.

Abstract: A file format supports distribution, presentation, and storage of media presentations (“MPs”). A sequence of a MP is composed of segments of media data referred to by segmentIDs. Segments are defined as movie fragments, pursuant to the “ISO base media file format”. Multiple instances of a segment, each having a unique instanceID, are created by encoding the media data based on different encoding characteristics, referred to as encodingIDs. A sequence map box (“SMB”) stores the arrangement of a sequence's segmentIDs-to-instanceIDs, including encodingIDs. The SMB is distributed to a client-side media processing unit (“MPU”). Information regarding an instance selected for distribution to the MPU is encapsulated in an instance identifier box (“IIB”), along with the arrangement of instanceIDs for the segment, and distributed to the MPU. At the time of distribution and/or playback of the MP, the MPU interchange instances based on the contents of the SMB and/or the IIB.

Abstract: Disclosed are various embodiments for generating encrypted media content items as well as decrypting encrypted media content items. A content type is embedded in an initialization vector corresponding to an encrypted sample. Upon decryption of encrypted content, the content type is identified and an action taken based upon the detected content type.

Abstract: Various embodiments utilize hardware-enforced boundaries to provide various aspects of digital rights management or DRM in an open computing environment. Against the backdrop of these hardware-enforced boundaries, DRM provisioning techniques are employed to provision such things as keys and DRM software code in a secure and robust way. Further, at least some embodiments utilize secure time provisioning techniques to provision time to the computing environment, as well as techniques that provide for tamper-resistant storage.

Abstract: Various embodiments utilize hardware-enforced boundaries to provide various aspects of digital rights management or DRM in an open computing environment. Against the backdrop of these hardware-enforced boundaries, DRM provisioning techniques are employed to provision such things as keys and DRM software code in a secure and robust way. Further, at least some embodiments utilize secure time provisioning techniques to provision time to the computing environment, as well as techniques that provide for robustly secure storage.

Abstract: Various embodiments utilize hardware-enforced boundaries to provide various aspects of digital rights management or DRM in an open computing environment. Against the backdrop of these hardware-enforced boundaries, DRM provisioning techniques are employed to provision such things as keys and DRM software code in a secure and robust way. Further, at least some embodiments utilize secure time provisioning techniques to provision time to the computing environment, as well as techniques that provide for tamper-resistant storage.

Abstract: Various embodiments utilize hardware-enforced boundaries to provide various aspects of digital rights management or DRM in an open computing environment. Against the backdrop of these hardware-enforced boundaries, DRM provisioning techniques are employed to provision such things as keys and DRM software code in a secure and robust way. Further, at least some embodiments utilize secure time provisioning techniques to provision time to the computing environment, as well as techniques that provide for robustly secure storage.

Abstract: Portable digital rights for multiple devices is described. In an embodiment, a digital rights management (DRM) system includes a first device with a removable component configured as a token that is associated with a DRM license. The first device also includes a removable memory card that stores protected media content on which the first device can perform actions as permitted by the DRM license. The DRM system also includes a second device that can have the removable component and the removable memory card when removed from the first device and installed in the second device such that the second device can perform the actions on the protected media content as permitted by the DRM license.

Abstract: Techniques enable building a collection of data that defines an asset, with the data possibly having differing data types. These techniques are then capable of assigning arbitrary policy to that asset, regardless of which data types are present within the asset. In addition, these techniques enable packaging of this first asset with one or more additional assets in a self-contained envelope. Each asset within the envelope may similarly include data of differing data types. Furthermore, each of these assets may be assigned a policy that may be different than the policy assigned to the first asset. This envelope, or a collection of envelopes, may then be provided to a content-consuming device to consume the assets in accordance with each asset's specified policy.

Abstract: Systems, methods, and/or techniques (“tools”) for binding content licenses to portable storage devices are described. In connection with binding the content licenses to the portable storage devices (“stores”), a host may perform authentication protocols that include generating a nonce, sending the nonce to a store, and receiving a session key from the store, with the session key being generated using the nonce. The store may perform authentication protocols that include receiving the nonce from the host, generating a random session key based on the nonce, and sending the session key to the host.

Abstract: Systems, methods, and/or techniques (“tools”) for binding content licenses to portable storage devices are described. In connection with binding the content licenses to the portable storage devices (“stores”), a host may perform authentication protocols that include generating a nonce, sending the nonce to a store, and receiving a session key from the store, with the session key being generated using the nonce. The store may perform authentication protocols that include receiving the nonce from the host, generating a random session key based on the nonce, and sending the session key to the host.

Abstract: Computer-readable media, computerized methods, and computer systems for managing dynamic allocation of one or more protected memory segments for storing content of secure data are provided. Initially, the secure data is recognized as being carried by a media stream being communicated from a media-reading device. One or more protected target segments and protected target segments are instantiated, where these protected memory segments are protected from illicit access by hardware-based rules. Regions of hardware memory are dynamically allocated to hold these protected memory segments and the secure data is iteratively written thereto. The protected source segments are associating with the media stream based on a license attached thereto, while the protected target segments are associating with presentation devices based on a standard of output protection supported thereby.

Abstract: Segmented media content rights management is described. A media device can receive segments of protected media content from media content streams that each include a different version of the protected media content. A media content file can be generated to include the segments of the protected media content that are sequenced to render the protected media content for viewing. A file header object can be instantiated in a file header of the media content file, where the file header object includes DRM-associated features, such as one or more DRM licenses, properties, and/or attributes that correspond to the media content file to provision all of the segments of the protected media content together.

Abstract: Embodiments of the invention provide a trusted intermediary for use in a system in which access control decisions may be based at least in part on information provided in claims. The intermediary may request claims on behalf of a network resource to which access is requested, and submit the claims for a decision whether to grant or deny access. The decision may be based at least in part on one or more access control policies, which may be pre-set or dynamically generated. Because the intermediary requests the claims and submits the claims for an access control decision, the network resource (e.g., a server application) need not be configured to process claims information.

Abstract: Embodiments of the invention provide techniques for basing access control decisions at the network layer at least in part on information provided in claims, which may describe attributes of a computer requesting access, one or more resources to which access is requested, the user, the circumstances surrounding the requested access, and/or other information. The information may be evaluated based on one or more access control policies, which may be pre-set or dynamically generated, and used in making a decision whether to grant or deny the computer access to the specified resource(s).