Abstract: Various embodiments of a system and method for deterministic generation of a common content encryption key on distinct encryption units are described. Embodiments may include, for each given content item of multiple content items that represent one or more portions of a common media object, controlling a different encryption unit of multiple distinct encryption units to i) generate a content encryption key for the given content item based on: a common base secret shared by the multiple distinct encryption units, and an identifier specific to the media object, and ii) encrypt the given content item with the respective content encryption key generated for that content item in order to generate a respective encrypted content item. Each content encryption key generated for a given content item may be equivalent to each other content encryption key such that decryption of each encrypted content item requires a common decryption key.

Abstract: Various embodiments of a system and method for digital rights management with secure application-content binding are described. Various embodiments may include a system configured to decrypt an encrypted application key with a private key. The system may also be configured to decrypt an encrypted application including a binding key with the decrypted application key. The system may also be configured to decrypt an encrypted content key with the binding key from the decrypted application. The system may be further configured to decrypt encrypted content with the decrypted content key. In various embodiments, the system may also be configured to consume the decrypted content with the decrypted application.

Abstract: Various embodiments of a system and method of digital rights management with authorized device groups are described. Various embodiments may include a system including a digital rights management (DRM) component configured to receive a private key of an authorized device group. In various embodiments, the receipt of the private key of the authorized device group may indicate the system is an authorized member of a group of devices permitted to access content items protected by a common public key associated with the authorized device group. In various embodiments the DRM component may be configured to, for each given content item of multiple content items that are encrypted with different content keys, decrypt an encrypted content key from the given content item with the private key of the authorized device group and decrypt content from the given content item with the decrypted content key.

Abstract: Various embodiments of a system and method for transparently authenticating a user to a digital rights management entity are described. In various embodiments, a digital rights management server may be configured to receive an authentication token from a first remote computer system. Such authentication token may indicate that a particular user of the first remote computer system was authenticated by a first content provider of one or more content providers. In various embodiments, the digital rights management server may also be configured to verify the authentication token by determining that one or more portions of the authentication token were generated based on respective authentication information issued to the first content provider. In various embodiments, the digital rights management server may also be configured to, in response to verification of the authentication token, issue to the first remote computer system one or more credentials.

Abstract: Embodiments may include a content provider system configured to provide electronic content that includes multiple encrypted content items to a playback device. A playback device may be configured to acquire root licenses and/or content licenses from a license server; such licenses may cryptographically protect the content items that a playback device receives from a content provider system. In various embodiments, the electronic content may be content that is to be linearly consumed, such as a channel within a broadcast environment. In various embodiments, the playback device may explicitly request a license for one or more of the content items that it receives; such request may be issued to a license server. The license server may evaluate the request and respond to the playback device with the license for a content item. In various embodiments, the playback device may utilize the received license to decrypt and consume the respective content item.

Abstract: One embodiment of the present invention provides a system that uses digital certificates to facilitate enforcing licensing terms for applications that manipulate documents. During operation, the system obtains a credential, wherein the credential includes a private key and a digital certificate containing a corresponding public key. This digital certificate also contains a profile specifying allowed operations which can be performed on documents signed with the credential. Next, the system digitally signs a document using the credential, so that the resulting signed document is signed with the private key and includes a copy of the digital certificate with the profile specifying the allowed operations. The certificate issuer can subsequently revoke the digital certificate (which effectively revokes the license) if teens of a license agreement associated with the digital certificate are violated.

Abstract: Various embodiments of a system and method for a single request—single response protocol with mutual replay attack protection are described. Embodiments may include a system that receives multiple single request messages, each of which may include a respective nonce, timestamp, and digital signature. The system may create a record of previously received nonces that, at any given time, may include multiple message nonces received within a valid period of time prior to that given time. To validate a given single request message the system may verify the digital signature of the that message, determine that the timestamp of that message indicates a time within the valid period of time prior to the current time, and determine the nonce of the that message is not present within the record of previously received nonces. The system may send a single response message that includes the same nonce as the validated message.

Abstract: Techniques, systems, and apparatus, including medium-encoded computer program products, for protecting a document with multiple digital rights management systems are presented. A described technique includes encrypting content in accordance with a first digital rights management scheme using a key and an encryption scheme, generating a first header associated with the encrypted content in accordance with the first digital rights management scheme, generating a second header associated with the encrypted content in accordance with a second digital rights management scheme, and creating a protected document that includes the first header, the second header, and the encrypted content.

Abstract: Methods and apparatus, including computer program products, implementing and using techniques for establishing trust in an electronic document. An electronic document is received. State dependent content in the electronic document is identified. The state dependent content is content that is renderable to have a several appearances. The electronic document is presented to a user, which includes disclosing the presence of any identified state dependent content in the electronic document.

Abstract: Methods and apparatus, including computer program products, implementing and using techniques for establishing trust in an electronic document. An electronic document is received. State dependent content in the electronic document is identified. The state dependent content is content that is renderable to have a several appearances. The electronic document is presented to a user, which includes disclosing the presence of any identified state dependent content in the electronic document.

Abstract: Methods, systems, and apparatus, including medium-encoded computer program products, for identifying applications. In general, in one aspect, a method includes: obtaining a first certificate chain from certificates corresponding to a digitally signed application, and a second certificate chain from a successful validation of the digital signature using the certificates; and generating an identifier for the application based on one or more certificate owner names found in both the first certificate chain and the second certificate chain. Generating the identifier for the application can include finding a location in one of the first and second certificate chains that corresponds to a root of the other of the first and second certificate chains, and comparing the one or more certificate owner names found in both the first certificate chain and the second certificate chain, starting or ending with the root and the location.

Abstract: Briefly, in accordance with one or more embodiments, a transport level transactional security may be converted into a persistent document signature. In one embodiment, a digital signature of an electronic mail message may be saved in a file attached to the electronic mail message. The file with the added digital signature may be saved, transmitted, received, and/or otherwise utilized independent of the original electronic mail message. A receiving node may verify the identity of an originating node based at least in part on the digital signature contained in the file. In alternative embodiment, the signature for the file may be generated at least in part on a message to be transmitted according to a secure transmission and/or file download protocol from a server to a client.

Abstract: Methods, systems, and apparatus, including medium-encoded computer program products, for providing local storage service to applications that run in an application execution environment. In one aspect, a method includes receiving a request from one of the applications, wherein the request triggers local storage of information; obtaining an encryption key based on identifiers including a first identifier corresponding to the application execution environment, a second identifier corresponding to the one application, and a third identifier corresponding to the computing apparatus; encrypting the information using the encryption key; and storing the encrypted information in the computing apparatus.

Abstract: Embodiments of methods, apparatuses, systems and/or devices for processing a certificate are disclosed.

Abstract: One embodiment of the present invention provides a system that uses digital certificates to facilitate enforcing licensing terms for applications that manipulate documents. During operation, the system obtains a credential, wherein the credential includes a private key and a digital certificate containing a corresponding public key. This digital certificate also contains a profile specifying allowed operations which can be performed on documents signed with the credential. Next, the system digitally signs a document using the credential, so that the resulting signed document is signed with the private key and includes a copy of the digital certificate with the profile specifying the allowed operations. The certificate issuer can subsequently revoke the digital certificate (which effectively revokes the license) if teens of a license agreement associated with the digital certificate are violated.

Abstract: Methods, systems, and apparatus, including medium-encoded computer program products, for protecting a document with multiple digital rights management systems are presented. One or more aspects of the subject matter described in this specification can be embodied in one or more methods of protecting a document with multiple digital rights management systems, the one or more methods including: obtaining a document, wherein the document includes encrypted content and a first header, wherein the encrypted content has been encrypted in accordance with a first digital rights management scheme using a key and an encryption scheme, wherein the first header was generated in accordance with the first digital rights management scheme in association with the encrypted content; producing a second header associated with the encrypted content in accordance with a second digital rights management scheme; and creating a protected document including the first header, the second header, and the encrypted content.

Abstract: Various embodiments of a system and method for digital rights management with a lightweight digital watermarking component are described. Embodiments may include methods as well as elements for performing such methods. Such a method may include receiving content onto a computer system; the computer system may include a runtime component configured to consume the content. The method may include receiving a digital watermarking component on the computer system. The digital watermarking component may specify information for generating a digital watermark on the content. The method may include applying a digital watermark to the content with the runtime component in order to generate watermarked content. The digital watermark may be applied by the runtime component in accordance with the digital watermarking component. In various embodiments, the received runtime component may be configured to prevent the received content from being consumed without the digital watermark applied to the received content.

Abstract: Methods and apparatus, including computer program products, implementing and using techniques for establishing trust in an electronic document. An electronic document is received. State dependent content in the electronic document is identified. The state dependent content is content that is renderable to have a several appearances. The electronic document is presented to a user, which includes disclosing the presence of any identified state dependent content in the electronic document.

Abstract: Briefly, an embodiment of a method of certificate path processing is disclosed, which includes the following. A certificate is accessed. A first set of preferences is searched. Various preferences correlated to the certificate are identified. The correlated preferences include a preference set which is digitally or logically compatible with the specific computing system performing the processing. The preferences correlating to the specific computing system are merged with another set of preferences to form a third preference set.

Abstract: Methods and apparatus, including computer program products, implementing and using techniques for establishing trust in an electronic document. An electronic document is received. State dependent content in the electronic document is identified. The state dependent content is content that is renderable to have a several appearances. The electronic document is presented to a user, which includes disclosing the presence of any identified state dependent content in the electronic document.