+

WO1997025675A1 - Systeme a la carte securise pour logiciels d'ordinateur - Google Patents

Systeme a la carte securise pour logiciels d'ordinateur Download PDF

Info

Publication number
WO1997025675A1
WO1997025675A1 PCT/AU1997/000010 AU9700010W WO9725675A1 WO 1997025675 A1 WO1997025675 A1 WO 1997025675A1 AU 9700010 W AU9700010 W AU 9700010W WO 9725675 A1 WO9725675 A1 WO 9725675A1
Authority
WO
WIPO (PCT)
Prior art keywords
secure
information
ύie
software
secret
Prior art date
Application number
PCT/AU1997/000010
Other languages
English (en)
Inventor
John Philip Griffits
Original Assignee
John Philip Griffits
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from AUPN7479A external-priority patent/AUPN747996A0/en
Priority claimed from AUPO0276A external-priority patent/AUPO027696A0/en
Priority claimed from AUPO0777A external-priority patent/AUPO077796A0/en
Priority claimed from AUPO1462A external-priority patent/AUPO146296A0/en
Application filed by John Philip Griffits filed Critical John Philip Griffits
Priority to AU13598/97A priority Critical patent/AU1359897A/en
Priority to GB9817142A priority patent/GB2325319A/en
Publication of WO1997025675A1 publication Critical patent/WO1997025675A1/fr

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/109Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by using specially-adapted hardware at the client
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/12Payment architectures specially adapted for electronic shopping systems
    • G06Q20/123Shopping for digital content
    • G06Q20/1235Shopping for digital content with control of digital rights management [DRM]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/14Payment architectures specially adapted for billing systems
    • G06Q20/145Payments according to the detected use or quantity
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F17/00Coin-freed apparatus for hiring articles; Coin-freed facilities or services
    • G07F17/0014Coin-freed apparatus for hiring articles; Coin-freed facilities or services for vending, access and use of specific services not covered anywhere else in G07F17/00
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/007Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2135Metering

Definitions

  • TECHNICAL FIELD The distribution of software and other informauon reversibly functionally limited, usually by encryption, requiring reversal by a secure device that may also be used to provide software on a pay-as-you-use basis.
  • the invention describes a method and apparatus that protects software objects.
  • the protected information cannot be used without the assistance of one or multiple secret processing devices.
  • Said secret processing devices provide a mechanism for reversing the protection applied to said information and said reversing may only be activated by certain predetermined secure processes. The process of activating said reversing usually ensures that the producer cf said information and or their agents receive correct payment for usage.
  • One objective of the invention is to provide a means of maintaining security applied to information during and after it performs the functions required of it.
  • the known art describes a means of protecting computer software by requiring the presence of particular devices to operate properly. These devices are secure to varying extents.
  • the problem with computer software is that the protection applied must be reversed prior to providing the information to the system CPU for processing. Once reversed it is accessible to those experienced in the art.
  • Known art WO 90/13865 describes a process whereby a secure location remote to a potential user supplies an encrypted software object to a user controlled data processing system and a secure method of decrypting said encrypted software object.
  • the software object usually contains information that is continually varying. This provides security by default in that it is a waste of time analysing information that is redundant shortly after its creation. This known art does not provide effective security against objects that, once downloaded and deciphered, may be used in perpetuity as is usually the case with computer programs.
  • Page l The current invention may be used to significantly strengthen the security and flexibility of the known art described in WO 90/13865 and or AU-A-14856/95. It may also be used as a significantly more secure and flexible replacement for this known an.
  • the known art describes a cryptoprocessor (US patents 4465901, 4419079, 4278837, 4168396) that is capable of deciphering instructions and or data in realtime as it is loaded into the central processing unit. Said instructions and or data are usually stored in enciphered format in external memory.
  • This known art is not suitable for use in a user controlled data processing system: ⁇ that may variably have one or multiple programs loaded from a potentially large selection and or said programs may use different decryption parameters; and or • where the address occupied by a particular program may be different on each occasion it is loaded (said known art is particularly directed at ensuring that an encrypted program will crash with minor variations to its location in the address map); and or • where one or multiple encrypted programs may need to co-exist with clear code programs in a constantly varying environment; and or • where it is not usually practical to protect the external memory from tampering and or analysis; and or • where an interrupt to an encrypted program may direct processing to non-secure methods that may threaten the secrecy of certain information and this may include that within CPU registers at the time of interrupt and or • where an encrypted program needs to temporarily transfer processing to an unsecure location; and or • where an encrypted program needs to protect its stack from analysis; and or • where an encrypted program exists as multiple modules that are loaded as required and where one or multiple modules may use different decryption
  • the known art describes the programming of software objects into a secure microcontroller. This is restricted to a limited number of predefined functions.
  • said secure environment that may be a microprocessor
  • said secure environment includes inaccessible formation and also provides for extemal software objects, that may be selected and loaded as required from a potentially large number, to be able to transfer processing (and or pass any required data) to said inaccessible information within said secure environment
  • said secure environment includes computer instructions and or data (including that passed) which may be processed in secret within said secure environment to perform important functions and or any other functions that are absent from said software object and that provides for transfer of processing and or data back to said software object as appropriate; and or provide data that is absent from an external software object when appropriately requested by said software object.
  • Said inaccessible information • may be preprogrammed into a storage device and or • may be greater than the available storage device within said secure environment; and or • may be dynamically swapped in and out of said secure environment; and or may be transferred to said secure environment and decrypted within said environment and processed within said secure environment; and this applies for any of the preceding combinations when said secure environment is pan of: * one or multiple system microprocessors, and or • one or multiple devices attached directly and or indirectly to the user controlled data processing system, and or • within devices linked via network and or Internet (or equivalent in part or whole).
  • the known art does not describe any method and apparatus that permits multiple protected software objects, including those protected: * by software encryption decryption alone, and or • by secure decryption within a secret environment, and or • by secure decryption and secure execution of the ensuing decrypted information within a secret environment, that allows said multiple protected software objects to concurrently and or otherwise execute in a multitasking and or multiuser and or multiprocessor environment (where said multiprocessors may be the same and or different) .
  • One objective of the present invention is to provide a method and apparatus: • that overcomes part or all of the aforementioned deficiencies in the known art, and • that may be used to support a multiplicity of new methods and apparatus for distributing computer software, and • that may be used to strengthen a number of weaknesses with the current art.
  • the known art describes a number of methods for distributing software whereby the user pays on 'an as used basis' . These methods include those protected exclusively by software methods. These usually include various software clocks that count down on a predetermined basis, and inactivate the program at the appropriate time. Payment is usually made for the use of a particular object on the terms predetermined.
  • Disadvantage of this method include: • inherent lack of security; • the unsecure nature of the protection processes make it unlikely that software vendors will feel comfortable with the process; • should software vendors make a large selection of software available, users would usi ⁇ ally be required to pay for access to the full period predetermined for each program, making it unappealing for users to access a large number of different programs as required (apart from any trial periods); • lack of flexibility; • user cannot self determine the amount of time required and pay accordingly.
  • the security of the process for renting software is improved with known art described in WO 90/13865, wherein there is a secure device within the user controlled data processing system that monitors the time used by a software object downloaded from a service provider. Details of time used is periodically transferred back to the service provider.
  • This method requires the user to be on line to receive said software object and to receive the timing parameters pertaining to said software object.
  • the method also requires the user to remain on line for continued security of the process and to periodically upload elapsed time to the service provider. The user would normally be billed on a predetermined basis for software usage.
  • the known art does not describe a method and apparatus to provide a secure and secret environment for the secure recording of usage of more than one program at a time in a multitasking and or multiuser and or multiprocessor environment.
  • the known art does not describe a secure and secret environment that can be securely preprogrammed with a predetermined amount of usage, whereby said usage: • is prepaid and or • is a credit limit fer use that will be billed at a later date; and said predetermined amount of usage remains available for an extended period of time (preferably surviving loss of system power) for use as required, with said predetermined amount of usage appropriately varied according to use of multiple software objects over said extended time, and or said predetermined amount of usage may be securely updated with additional usage rights as required.
  • the known art does not describe a secure and secret environment that can: securely record usage of software objects; and or securely maintain a record of amounts owing to different vendors and or against different software objects, and or provide a report on any basis, including usage, and or temporarily or permanently disable itself in part or whole should said predetermined amount of usage be utilised, and or temporarily or permanently disable itself should it fail to receive secure confirmation that reports sent to a service provider have been received.
  • the known art does not describe a method and apparatus to permit a large number of software objects to be created that include information about their particular billing requirements, whereby said software objects are subsequently distributed on a large scale permitting each potential user to use any of the software objects as frequently as they require and only pay for use incurred, said use reducing the amount of usage predetermined within said secure and secret environment.
  • UCDPS user controlled data processing system
  • the method and apparatus described to advance the art of protecting and distributing computer software may also be adapted in part or whole to the protection and distribution of other commercially valuable information.
  • Replication or duplication may be one to many copies and may include replication of part or whole in any combination and or number.
  • decrypt(ed) and decipher(ed) may be used interchangeably and refer to reversal of a previously applied encryption process. Unless relating to a specific decryption process that is a claim of the invention it may be interpreted as being any known method of decryption.
  • Decode is generally used in the traditional computer sense of decoding addresses etc, however, where the context permits it should be interpreted as for decrypted.
  • Clear text is information that is not encrypted and may be derived from encrypted information and or may have been supplied in as clear code.
  • System CPU or System Microprocessor
  • hardware and or microcode and or software is on the same integrated circuit substrate; and or that they are on multiple substrates interfacing where necessary using any known method and apparatus within the package of the system CPU; and or part of the device is within the system CPU package and part (or all) external to the System CPU package and attached externally to the System CPU package using any method and apparatus.
  • a system CPU also referenced as system microprocessor, is one that a person experienced in the art would consider to be suitable as the primary (or one of multiple primary) processing units in a User Controlled Data Processing System (UCDPS).
  • UDPS User Controlled Data Processing System
  • Processing or process refers to the actual execution of computer instructions and or the manipulation (in any way) of data associated with the computer instructions and or manipulation (in any way) of any other data.
  • Software Object A software object is that which a person experienced in the art would consider a software object.
  • Computer programs and or subroutines that constitute part of a computer program are considered software objects.
  • Data pertaining to said computer programs is a software object.
  • Information that is processed by a UCDPS and subsequently displayed as text and or images and or sound for any reason, including as normal output from a computer program and or electronic books (and similar) and or music and or other sound and or visual imagery and or video in the form of motion pictures is a software object.
  • PCPU Within this application reference to a PCPU or Protected CPU refers to Secret Processing Device (SPD) embedded within the system microprocessor package of a UCDPS.
  • SPD Secret Processing Device
  • ESPD Reference to an External Secret Processing Device or ESSPD refers to an SPD attached directly or indirectly to any other part of the UCDPS.
  • Figure 1 is a diagram of an apparatus suitable for use as a secret processing device embedded within the system microprocessor.
  • Figure 2 is a diagram of basic embodiment of an SPD for use extemal to the system microprocessor.
  • Figure 3 is a diagram of the address map for secure functions within the system microprocessor.
  • Figure 4 is a diagram of command port structure.
  • a SECURE PAY-AS-YOU-USE SYSTEM FOR COMPUTER SOFTWARE The invention describes a method and apparatus for the protection of software against piracy and provides a secure process for the mass distribution of software. This is done by functionally limiting a software object and securely linking it with conditions of use and object support information to create a Protected Software Object (or PSO) which must be used with a Secret Processing Device (or SPD) that is directly or indirectly attached to a User Controlled Data Processing System (or UCDPS).
  • PSO Protected Software Object
  • SPD Secret Processing Device
  • UCDPS User Controlled Data Processing System
  • the preferred location of the secret processing device is within the package of the system microprocessor of the User Controlled Data Processing System where the combination is referred to as a Protected CPU (or PCPU).
  • a method of distributing software objects from a producer to a potential user comprising the method steps of: i) providing a secret processing device (or SPD) for dire ⁇ and or indirect attachment to a UCDPS whereby said SPD is any one or multiple hardware devices that may use any combination of software and or mi ⁇ ocode and or any other method to provide a secure and secret environment for processing information and or storing information and that provides the following: a) any one or multiple methods and or apparatus that: securely decrypt and execute instructions and or securely decrypt and process data that complies with part or all of the requirements of reversing functional limitations applied using the Oscar method (described later); and or reverses the functional limitations applied using the Groover method (described later); and or reverses any other functional limitations applying to a PSO; and or transfer into the SPD any part of one or multiple PSOs into the SPD that may be necessary to provide any of the functions required by said PSOs; and or access any part of one or multiple PSOs that may
  • said Groover method is any functional limitation of part or all of a software object by deletion of part or all of the information within the software object, usually at a secure location remote to the user, where part or all of the reversal of the deletion, by any method, occurs within a secure environment directly and or indirectly attached to a UCDPS such that part or all of the instructions and or data of the software obje ⁇ reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party.
  • the result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object;
  • a means for the user to: • request the supply of one or multiple units of measurement that may be required by the SPD for any purpose, and or • receive one or multiple said units of measurement, preferably in suitably encrypted format, that may use any method, and transfer said units of measurement into the SPD, and or accessible to the SPD, and or • request the supply of one or multiple data keys that may be required by the SPD, and or • receive one or multiple data keys and transfer said data keys into the SPD, and or accessible to the SPD, using any method, and or • generate one or multiple reports of software usage and or any other information that may be required, and supply said reports to service provider and or any other external location, as required, and or • receive one or multiple codes confirming that said report has been received and supply said one or multiple codes confirming into the SPD and or accessible to the SPD, and or • request the service provider and or any other authorised party for one or multiple codes that may be used to reactivate part or all of the SPD that may have been disabled for any reason • receive one
  • Figure 1 shows an apparatus that is suitable for use as a secret processing device embedded within the system microprocessor.
  • a method of reversibly functionally limiting a software obje ⁇ that requires a secret processing device (or SPD) to reverse part or all of the functions of the reversible functional limitations and preferably includes a method of securely linking the conditions of use that apply to a particular reversibly functionally limited software obje ⁇ to said reversibly functionally limited software obje ⁇ such that this information may be used in part or whole to determine whether to permit the SPD to reverse the reversibly functionally limited software obje ⁇ .
  • SPD secret processing device
  • the conditions of use are preferably an integral part of the reversibly functionally limited software obje ⁇ and or supplied as one or multiple other modules that are linked in a manner that prevents the unauthorised separation of conditions of use and reversibly functionally limited software object
  • This permits objects to be widely distributed and used on stand alone UCDPSs conditional on the SPD that is required to reverse, in part at least, the reversible functional limitations, complying with the conditions of use.
  • the conditions of use may also be supplied in any other way, e.g. as separate modules and may be loaded, or otherwise linked, into an SPD transparently to the operating system of the UCDPS or by using said operating system.
  • a PSO When a PSO is securely linked with conditions of use it may be used on a UCDPS equipped with an SPD without any extra intervention by the user than would normally be required for the protected object in its native software object form, with the exception of any requirements that the SPD requires of the user.
  • an apparatus referenced as an SPD that has various secure system functions that allow it to interact correctly with one or multiple reversibly functionally limited software obje ⁇ prepared for use with one or multiple SPDs.
  • the SPD includes an internal secure and secret operating system referred to as secure system functions. They interact in any way required to appropriately reverse in part or whole, reversibly functionally limited software objects.
  • the secure functions of the SPD may have other applications.
  • an SPD is included within the package of the system microprocessor, such a combination may be referred to as a protected CPU (or PCPU).
  • An SPD may be directly and or indirectly attached to the UCDPS extemal to the package of the system microprocessor; this is referenced as an ESPD.
  • a PCPU may include multiple system microprocessors. There may be multiple PCPUs within a UCDPS. There may be multiple ESPDs wit in a UCDPS. Multiple SPDs in any location may interact in any way and combination with any others or not at all.
  • the embodiment of a system microprocessor to implement the apparatus of the invention is predominantly dependent on the use of secure memory storage devices of various types and an ability to securely process information within these devices and a person experienced in the art will be able to arrange logic, software and microcode in many combinations to effe ⁇ versions of an SPD and PSO that are within the spirit of the invention.
  • This arrangement permits the secure functions required of the present invention to be implemented.
  • a person knowledgable in the art will appreciate that the secure processes used for the invention may have multiple other secure applications.
  • the known art does not describe a system microprocessor suitable for use in a UCDPS that provides the secure processing functions described in this embodiment.
  • the invention allows for any system microprocessor that provides the apparatus and or functions described in the application.
  • Figure 1 shows a block diagram of a system microprocessor that may communicate with a secure mi ⁇ oprocessor that is securely linked to one or multiple secure functions, including secure memory, secure realtime clock and other secure functions.
  • secure memory When the secure memory is programmed with appropriate information, the combination ⁇ f software routines and embedded hardware functions and changes to the mi ⁇ ocode of the system microprocessor provides all of the requirements of an SPD securely embedded within the system microprocessor package.
  • This device may be used to replace the existing system microprocessor in a UCDPS and, subject to being supplied with any information required to me ⁇ the conditions of use attached to a PSO, may execute that PSO as if it were a normal software object. It will be appreciated by those experienced in the art that there are many ways of combining logic, software and microcode to implement the device as described. 1
  • Figure 1 shows the silicon chip 130 of the system microprocessor 1.
  • the system microprocessor 1 normally
  • Buffers 2, 3 and 4 various control logic 7 via buffers 4. Buffers 2, 3 and 4 are enabled/disabled during normal processing by system
  • microprocessor 1 via control line 9. Instructions are interpreted and implemented by a combination of microcode
  • the 0 DP memory 19 is not intended to store secure information; it is functioning as a port between unsecure and secure 1 processes and it is not practical for an unauthorised person to access secure information without very complex codes.
  • the invention allows for the recording of failed attempts at access and may disable itself to prevent repeated attempts to compromise secure elements. 4 5
  • the system microprocessor side of the DP memory 90 may be decoded into the normal address space of the UCDPS, 6 using any known decoding apparatus, however, the preferred method is to make the addresses occupied by the 90 7 side of the dual port memory 19 a separate address space to the UCDPS.
  • buffers 2, 3, 4 would be activated by 9 for reads from any address in the UCDPS memory.
  • Instruction TAAZ activates 11 for reading and writing.
  • TAAB disables 11 for all reading
  • the TAA instruction only affects operations that are fetching data, not
  • TBAX instruction 38 referenced as the TBAX instruction may be used to activate instruction fetches from dual port memory 19, by
  • TAA and TBA instructions may be used in any combination.
  • a reset has the same effe ⁇ as TAAB & 1 TBAY, ensuring normal processing on startup. While TBAX is active, instruction fetches from addresses outside the
  • 2 dual port memory 19 are from UCDPS memory.
  • a watchdog counter or timer may be set, and this may be automatic
  • This method and apparatus provides a novel transparent method of including one or multiple devices within a
  • Secure address block 50 is 6 predominantly memory, divided into a small amount of mask ROM 51 to initially program the other information 7 into the device, flash memory 52 for storage of information that needs to remain in the device in the event of total 8 power loss, and battery backed static memory 53, that stores important information which may be rapidly erased in
  • the microprocessor 20 communicates with the secure memory 50 via address lines 84, data 0 lines 100, and other various control lines including read write 93. Also decoded within the secure memory address is 1 a battery backed realtime clock and or calendar 89 that cannot be tampered with and a crystal. A data encryption 2 standard engine is preferably included. Decoding of secure addresses is provided by decode logic 25 and the various 3 chip select signal are output on 83 to the various secure devices.
  • the power management logic 65 receives external 4 power on 60 and battery power on 87 from (preferably rechargeable) battery 70. An A D converter 75 monitors 5 voltage. Continuous power is supplied to 50 via 87. Power management 65 may also be used for any additional 6 voltages to flash memory 52, other battery backed logic and provides recharging power to the internal battery 70.
  • the mi ⁇ oprocesor 20 communicates with the system microprocessor 1 via a dual port memory 19.
  • microprocessor 20 side 91 of dual port memory 19 is decoded by 25 via 40.
  • 29 write 23 connect with 19 to allow reads and writes of information between microprocessor 20 and dual port memory
  • the decode circuit 10 uses high order address lines 12 and
  • control lines 32 e.g.valid address
  • 11 activated by TAA, TBA. This provides a method of transferring
  • the secure microprocessor includes a dire ⁇ memory access (DMA) facility to move blocks of
  • Access to this DMA facility should be decoded into the secure function address block and should only be able to be selected by an instruction originating within secure system functions (as described later). Any possibility of an extemal program and or a program executing in a user partition having unsupervised access to the DMA controller 125 that may be programmed to move a large block of system information to extemal locations would be disasterous.
  • the microprocessor 20 would usually program the DMA controller 125 via data bus 100 and chip sele ⁇ 142 and read write 102, using a routine known to have originated within one or multiple predetermined system functions. The details of including a DMA controller 125 are not described or shown.
  • the method involves multiplexing the address 5, data 6 and control lines 7 of the system microprocessor 1, with similar signals generated by the DMA controller 125 to read or write extemal locations and multiplexing of the address, data, and control lines of microprocessor 20 to read and write secure addresses. These methods are known to the art and, because the DMA controller is within the system microprocessor chip, arbitration logic between system microprocessor 1 and DMA controller 125 would be easier to implement at a logical level than for extemal DMA controllers. This type of DMA is transparent to external devices.
  • the invention also allows that the microprocessor 20 may be a duplicate of the system microprocessor 1 providing a very powerful processing system, allowing secure and unsecure execution to proceed concurrently.
  • Another attractive option is to use two different system microprocessors e.g. an Intel type of CPU and a Motorola type of CPU. These may be multiplexed by one experienced in the art such that one system microprocessor performs normal system functions while the other provides secret processing of various functions.
  • An electronic switch that may be activated in any way, eg. hold reset low, may switch the roles.
  • the secure functions may be duplicated, in pan or whole, or each may have its own secure functions that are inactivated when a system microprocessor becomes the unsecure processor.
  • a switch from secure processing to unsecure processing preferably ensures that any potentially secret information is flushed from CPU registers and any other locations that may become accessible to external analysis in the unsecure state.
  • AU secure functions would usually be inaccessible to the system microprocessor in unsecure mode.
  • a person knowledgable in the art should be able to design such an embodiment that performs to the requirements of the invention.
  • This provides a convenient means of providing an existing UCDPS with a means cf integrating two different UCDPSs into one. Of course this scenario might be expanded to any number of system microprocessors within the one package. When multiple system microprocessors are included in the one package, the one that is normally associated with the resident operating system and peripheral arrangement in the UCDPS is referenced in this application as the Host CPU.
  • Any other system microprocessors are referenced as a Grafted CPU. No changes would usually be required to any software to operate the Host GPU, however, other support may be required to simulate the correct environment for a Grafted CPU and one solution may be to include a programmable address trap for the grafted system microprocessor that detects all accesses to resources that need emulation.
  • an address decoder 702 to receive address signals from the address bus of the UCDPS 721 and various control
  • a microprocessor 707 includes two interrupt lines 730 and 731 and an external address bus 714 and
  • non-volatile memory 708 e.g. flash memory
  • boot routine 735 to load information into non-volatile memory
  • a static RAM chip 709 is connected to microprocessor 707 low order address lines of address bus 714 and the
  • Static RAM 709 is activated by chip select 740 that is created by the address
  • decoder 705 decoding the high order address lines on address bus 714 in conjunction with valid address signal 733.
  • microprocesor 707 may read and write date to and from 709.
  • 16 microprocesor 707 side of the dual port memory 704 is attached directly to the 707 data bus 715 and read/write line
  • microprocessor 707 side of the dual port memory is
  • a rechargeable battery 710 is included providing
  • the battery 710 is recharged from the system power supply.
  • Microswitch 712 connects to interrupt
  • microprocessor 707 is normally in low power sleep mode. If awakened by interrupt 730 it
  • the SPD as described may be
  • a suitable location may be the parallel port on a shared basis with the printer;
  • Figure 3 shows a block diagram of the address map for secure functions within the system microprocessor
  • the address decoder 25 decodes a battery backed real time clock calendar 89 with chip select 140, DMA controller
  • tamper dete ⁇ 80 (preferably including a continually powered simple microcontroller to provide continuous
  • the chip selects 140,141,142,143,144,145,146, and any other additional sele ⁇ lines that may be included to access
  • this area from non-system (user) programs - usually user application programs.
  • One method to do this is to latch the 0 first address of an instruction and compare it with an address block that defines the boundaries of the secure system 1 memory 147.
  • This address block is preferably programmable to allow the size of secure system memory to be varied, 2 however, there will be a known default on reset of the secure microprocessor 20.
  • the 8 address of the first instruction may be determined by including in the microcode of secure microprocessor 20 the 9 generation of a signal to indicate that it is the first address of the instruction (this may already be the case).
  • the 0 program counter contents may also be latched.
  • Chip select 147 from decoder 25 delineates the block of memory 1 allocated to secure system functions. When the secure microprocessor 20 is reset it jumps to an initialisation routine 2 in this memory. The size of this memory is preferably variable to accommodate changing circumstances.
  • Chip select 161 preferably requires 6 the same precautions as regards checking the origin of the instruction as described for 140, 142, etc.
  • Chip sele ⁇ 147 7 decodes the secure system memory. This preferably has the same requirements for two sequential instructions to
  • 31 provides a method for a user routine to transfer processing back to system memory in a controlled way.
  • the preferred method is to have one or multiple sets of address boundary registers 170, that may only
  • a watchdog timer 190 may interrupt 191 the secure microprocessor 20 after a
  • registers are preferably stacked and cleared of sensitive information and or the registers are
  • the dual port memory is decoded by chip sele ⁇ 150.
  • the secure microprocessor 20 may also generate at
  • This interrupt may bypass any normal interrupts
  • An interrupt may also be any interrupt
  • 15 20 are preferably specific to a particular source with sufficient interrupt lines to handle all interrupting devices.
  • System memory and user memory 54 is described later. Part at least of 53 and or 54 may be replaced
  • the service provider keeps a record of part at least of the
  • Secure system functions are those functions applicable to the correct operation of the SPD and the provision of required resources to multiple secure user functions.
  • Secure user functions are those applicable to one or multiple PSO loaded into memory ofthe UCDPS that requires the SPD and system functions within the SPD for its c ⁇ rre ⁇ operation.
  • Secure user functions are usually an integral part of, or integrally linked with, a particular PSO and loaded into the SPD as required.
  • a PSO that is supplied by ⁇ ie service provider to securely update secure system functions would usually act as a secure user function, although its effect is directed at secure system functions.
  • the preferred SPD consists of the following:
  • This tamperproof environment may use a combination of secure packaging, using any known art to monitor the maintenance of the integrity of said secure packaging, together with a method of rapidly invalidating ⁇ ie contents should interference with ⁇ ie package be detected.
  • the preferred embodiment of the invention stores secret information independently of whether or not the UCDPS is active, part or all of the tamper detect and data invalidating methods preferably remain active on a continual basis.
  • the preferred method is to have the secure microprocessor 20 (Fig 1) and or a microprocessor integrated into tamper dete ⁇ 80 (Fig 1), continually powered and periodically awakened from a low power sleep mode to perform one or multiple houskeeping functions, including monitoring and or activating various intruder dete ⁇ processes.
  • Secret information that may compromise the secure nature of multiple other SPDs is preferably stored in battery backed Static RAM (SRAM), a storage medium that may be rapidly invalidated by removal of power and or by a specially created subroutine that cycles through the memory changing values and or a specially designed cascade system that triggers automatic invalidations of static memory storage elements as is known to the art (reference Dallas Semiconductors Secure Microcontrollers).
  • SRAM battery backed Static RAM
  • the invention allows for any known method and apparatus of detecting physical tampering with ⁇ ie SPD and allows for any method and apparatus of invalidating secret information in any type of memory storage device.
  • Secret infomation that is only likely to compromise the security of a particular SPD may be stored in SRAM, however, information that should survive invalidation ofthe information within SRAM is preferably stored in non- volatile locations.
  • this information needs to be programmed and OT reprogrammed dynatm ⁇ course of operation of the SPD, it is preferable to use flash memory or an equivalent.
  • ⁇ ie information does not require alteration after initial programming it may use any type of non-volatile memory storage device.
  • Information not requiring secrecy (as far as practical) and that is consistent across multiple SPDs is preferably implemented in mask ROM during ⁇ ie manufacture of the SPD. This usually includes initialisation routines to program other information into the SPD.
  • ⁇ ie CPU chosen for ⁇ ie SPD will usually already have a boot or initialisation routine embedded wi ⁇ iin.
  • IQ package integrated circuit
  • certain unique features are required in each SPD at the time of manufacture and secrecy (as far as practical) is not essential, they are preferably implemented by laser programming of masked elements. This usually applies to one or multiple passwords that are applicable to a particular SPD.
  • the secret processing device is a device that is not practical to tamper with.
  • This device contains various secure functions ⁇ iat may perform useful functions for suitably configured software objects. It also provides various secure functions that permit a provider of protected software objects, referred to as service provider, to create an effective method of renting software to users. A number of alternative methods of securely distributing software are discussed. The method is secure from the perspective of ⁇ ie producer of the software object and provides a convenient means for a potential user to have access to a large amount of software that they only pay for as they use.
  • the invention allows ⁇ iat attempts may be made to physically tamper with ⁇ ie SPD. This may be for any reason, including the unauthorised extraction of secure information from the SPD.
  • Secure system tamper detect functions using any method and apparatus, may be used to dete ⁇ tampering and or to take dire ⁇ ( ⁇ iat preferably includes immediately erasing and or altering informauon within part or all secure storage devices) and or indirect (e.g. via error functions) action in ⁇ ie event of tampering.
  • Part of ⁇ ie tamper dete ⁇ functions allow for any method and apparatus, referenced as secure system continuity functions to confirm ⁇ iat one or multiple of any tamperproof mechanisms remain intact.
  • One method is to include bidirectional logic at each end (or any other location) of the various signal lines to check for continuity of signal traces and or functioning of attached logic elements in those instances where ⁇ ie normal function does not permit this.
  • This bidirectional logic is usually connected, directly and or indirectly, to addressable elements under the control of suitable software routines.
  • the invention also allows for any method and apparatus to dete ⁇ loss of clock to the realtime clock calendar and or any one or multiple other clocked elements, including routines that periodically read these clocked devices (directly and or indirectly) to ensure ⁇ iat there are ⁇ ie expected incremental changes secondary to an active clock. It is preferable that part or all of the tamper detect mechanisms remain functional when the system power supply is removed.
  • This may include using battery power to maintain one OT multiple microprocessors within the device in an operational mode, enabling them to execute various system functions. Loss of battery voltage below a predetermined threshold (as detected by an integrated A/D converter) may trigger the erasure of pan or all secure elements. It is preferable that an independently timed function is implemented (e.g. RC network) that must be periodically refreshed by one or multiple microprocessors. This confirms the presence of an active CPU and failure to periodically refresh this function would usually cause a default erasure and or alteration of secure storage elements.
  • the invention allows that various errors and or validity failures and or any processing error and or any other event may be recorded by secure system error monitoring routines (usually implemented within secure system memory). These may perform any functions, that may include: recording abnormal events; and or in response to a predetermined number and or types of abno ⁇ nal events (and or any other reason) take one or multiple actions ( ⁇ at may be any action, including calling other functions to partially or totally disable the device); and or return processing to the system CPU (with or without error reporting).
  • the SPD may be integrated within (e.g. system CPU).
  • the functions to perform this are referenced as secure system disable functions and they may be implemented using any method and apparatus, including: the generation of various clocks (and or any other meaningful signals) that trigger immediate erasure of volatile elements; and or setting/clearing of flags (preferably in non-volatile locations) that may be read by various other functions ⁇ iat will not continue (and or any other outcome) in the event cf an unacceptable value within a flag.
  • the invention also allows for any method and apparatus that may temporarily prevent, in part or whole, action by the disable functions. This may be for any reason, however, the primary one is to stop inadvertent triggering of these functions during software development.
  • the invention allows for any method and apparatus that prevents infringement of system security when the disable functions are in part or whole temporarily inactive.
  • the memory blocks may use any types of memory storage device, in any mix and combination. There are preferred types of memory storage devices to meet the requirements of specific functions.
  • secure memory The primary purpose of secure memory is to provide part of an apparatus that, when combined wi ⁇ i a secure method of processing information within ⁇ ie secure memory and a means of transf erring information between the SPD and extemal locations, allows certain secret processes to occur and OT certain secret information to be securely stored.
  • the processing of information within secure memory may include the use of any mix of secure and unsecure programs and or data, and any interaction with resources that are external to the SPD.
  • An SPD usually has one or multiple blocks of memory storage devices that may consist of any type and combination of memory storage devices arranged to make it not practical for unauthorised parties to analyse the values stored within part or all of said memory storage devices.
  • the memory storage devices preferably:
  • (a) include one or multiple blocks of Static RAM that are made non-volatile by connection to a n ⁇ n-disruptable power source that is preferably a rechargeable battery integrated into the device and or its enclosure, and or a rechargeable battery external to said device, and said Static RAM is used in part or whole to store secret information that should usually be invalidated in the event of any tampering with said device, and said Static RAM is preferably connected directiy and or indirec ⁇ y with one or multiple methods and apparatus to dete ⁇ said tampering and invalidate and OT activate invalidation, of part or all of said secret information as a result of said tampering.
  • the invention also allows for the inclusion of any method and apparatus to invalidate in part or all secret information stored within said static RAM for any other reason.
  • This memory usually stores: (i) secret system functions implemented at least in part as software routines, at need to be maintained in secrecy (as far as practical) and that cannot be stored in encrypted format in an extemal location and loaded and decrypted as required.
  • An example of this may be ⁇ ie master decryption algorithm and or keys. If this was loaded from an extemal location it may be analysed and used to break the security of o ⁇ ier encrypted information. Partial loading of decryption algorithms may be possible as long as sufficent function is kept securely within tiie SPD.
  • Said sufficient function may in part or whole be a hardware implementation of a decryption algorithm.
  • information that may or may not need to be secret that is required to correctly interface with externally available information this may include the loading of o ⁇ ier information.
  • information that it is determined, for any reason should be within the SPD on a continual basis (iv) information ⁇ iat is loaded from external resources. This may include additional secure system functions loaded in encrypted format and subsequently decrypted and may include appropriately encrypted objects supplied by an authorised party to modify information within tiie SPD.
  • the information described in (i), (ii), (iii) and (iv) constitutes part of the secure system functions (53 of figure 3) and consists of information that is known to be available within, or able to be loaded within, ⁇ ie device when required to perform the functions ⁇ iat are an integral part of the SPD.
  • System functions are also known to have been carefully prepared and scrutinised in a secure environment to ensure that they do not corrupt and or compromise the secrecy of information within the SPD.
  • Those secure system functions that are loaded into the SPD in encrypted format usually have tamperproof validity checking processes integrated into their structure to ensure tiie validity of the information prior to associating it with o ⁇ ier secure system functions. That part of the secure memory that includes secure system functions is referenced as secure system memory.
  • These are usually software objects supplied by various producers that have a requirement for interaction with ⁇ ie SPD. They usually require appropriate conversion of the software obje ⁇ by an authorised service provider to one ⁇ iat may be recognised and processed by the SPD and such an obje ⁇ is usually referenced as protected software obje ⁇ or PSO.
  • a PSO is usually encrypted and preferably has appropriate validity checking mechanisms included to ensure that ⁇ ie information is as supplied by tiie service provider.
  • SRAM static RAM
  • iv secure user functions in (a) part (v), and or any o ⁇ ier information loaded into the SPD.
  • One of the features of the SPD is its capability, with appropriate software, to sele ⁇ random encryption keys and validity check sums, and use these to encrypt information stored externally, preferably on a mass storage device. This information may need to remain retrievable if the SRAM contents are corrupted. By retaining ⁇ ie keys to this information in non-volatile locations, a suitably protected routine may be used to retrieve this information by the service provider. It also prevents tampering with externally encrypted information as the decryption key is inaccessible and may be varied every time.
  • (d) includes one or multiple blocks of memory of mask ROM that is programmed at the time of fabricating the memory storage devices and said mask ROM preferably includes an area that may be customised to create unique information for each device, one method of customising the device is with a laser. This is usually used to initially program data into other storage devices.
  • the current system functions within an SPD preferably have a version number stored in an externally accessible location, eg. dual port memory 19 of figure 1 that may be read by PSOs to ensure the SPD has the necessary resources to meet the requirements of the PSO.
  • It provides at least one secure microprocessor 20 and a method of decoding part or all of the secure memory and any other addressable functions (e.g. timer, realtime clock, decryption/enc ⁇ yption engines, interfaces, etc) into the address space of ⁇ ie secure microprocessor 20.
  • the microprocessor is designed such that secr ⁇ information ⁇ iat it reads and or writes and or processes, in part or whole, is not exposed to unauthorised analysis.
  • the secure microprocessor 20 may be continually powered to perform reliable tamper detection and invalidation.
  • the power source is usually shared wi ⁇ i ⁇ ie battery backed SRAM and where present, the realtime clock calendar.
  • the reset line on the secure microprocessor is connected to the reset line of the host UCDPS, enabling it to perform error checking an internal stored information prior to performing functions required by the UCDPS.
  • the secure microprocessor on reset (and or any other appropriate event) and or as part of its normal functions may perform various houskeeping duties while waiting for one or multiple intrerrupts generated by the UCDPS, and or the reading of one or multiple appropriate values from one or more polled addresses, that may also be directly and or indirec ⁇ y written to by the system microprocessor, and or any other me ⁇ iod ⁇ iat activates the n ⁇ croprocessor and or any one or multiple o ⁇ ier functions of ⁇ ie SPD to further interact with ⁇ ie UCDPS as required.
  • the SPD predominantly is a secret processor of information and a secure and secret repository of information, that in part or whole is generated (including by decryption) within the SPD. It is an essential function that there is a means of transferring information in and out of the SPD witiiout compromising the security of information that must remain secret. This entails two basic requirements:
  • the preferred interfaces include any ports that are part of ⁇ ie secure microprocessor or any other part of the SPD, dual port memory 19, latches and or registers (unidirectional and or bidirectional), FIFO memory, a facility for the secure microprocessor to have direct access to the address bus of ⁇ ie UCDPS and move information under programmed control and OT by direct memory access (DMA).
  • DMA direct memory access
  • the information may be commands and or programs requiring execution and or data for any reason and OT any other information.
  • This is a function of the secure system functions and specifically those referenced as secure system I/O functions. They require similar processes to those provided by any operating system and are within the expertise of those experienced in the art of writing operating systems.
  • the SPD includes functions to load and execute externally supplied software objects that may securely modify the various secure system functions, more flexibility is provided with an SPD than many UCDPSs having part of their operating system in memory that is not easily modified.
  • the preferred embodiments of the invention provide a dual port memory 19 ⁇ iat is accessible by the secure microprocessor and ⁇ ie system microprocessor. This occupies a predetermined part of the address map (that may be programmable) as previously described with reference to Figures 1 and 3.
  • a system port structure 199 is established that may have one or multiple addresses which the system microprocessor writes to, referenced as system command input port 200 and one or multiple addresses ⁇ iat it reads from, referenced as system command output port 201.
  • the SPD reads command input ports and writes to command output ports.
  • these are usually part of a block of memory, they may be dynamically reconfigured by appropriate interaction between system microprocessor l and secure microprocessor 20. This reconfiguring may change locations and or the number of addresses constituting a port. It is preferable to have a system input data port 202 far the transfer of information other than commands from UCDPS to SPD and a system output port 203 for non-cornmand transfers from SPD to UCDPS.
  • a large block of addresses may be allocated for non-command information and the addresses and sizes may be dynamically configured.
  • the actual allocation of input and output ports is preferably a function of the SPD and is likely to be a dynamic state. In a single tasking environment this may be the only interfacing required.
  • the inclusion of a DMA channel 125 on the SPD is the preferred method of moving large blocks of information in and out of the secure memory 53, 54 of the SPD.
  • Address and control lines 220 and data lines 221 from the DMA controller 125 are multiplexed with similar signals from system microprocessor 230 are multiplexed in 235 far interface with external memory.
  • Address and control lines 222 and data llines 223 are multiplexed (not shown) with similar signals from secure microprocessor 20 for transferring information to and from secure memory 53 and 54.
  • the invention also allows for the SPD to handle the requirements of multiple PSOs in a multitasking environment and ⁇ iat tiie system command and data ports as described may be sufficient if ⁇ ie UCDPS operating system is modified to send a command to an appropriate location in a command port to instruct the SPD of a task change and does not proceed until the command is acknowledged.
  • the preferred method is to use the system command and data ports for establishing certain parameters within the SPD when a PSO first requires access to ⁇ ie SPD.
  • the PSO would usually send information requesting a user partition 54 of Figure 3 and a user port structure 205 of Figure 4.
  • the SPD would usually respond with availability of this memory and dynamically configure a user command input port 206 and or user command output port 207 and or user input data port 208 and OT user data output port 209.
  • the PSO stores these port addresses in a suitable location in its own address space and directs all commands and other information to and from these user ports until otherwise appropriate.
  • a multitasking kernel within secure system functions is preferably responsible for such port configuration as part of its functions. Additional PSOs create there own user ports, e.g.210 and 215 of Figure 4.
  • the space used by these ports is reallocated when a software object terminates interaction wi ⁇ i ⁇ ie SPD. Any one or multiple user ports may be dynamically reconfigured as required while still in use with a particular PSO. This process permits the SPD to be transparent to the UCDPS task handler.
  • the SPD If the SPD is to provide any useful processing of information supplied, it requires a me ⁇ iod of transferring information into secure areas where it may be further processed. As described, a potential unsecure process is introduced into an SPD once the facility is provided to load externally supplied information into secure memory that in part or whole consists of executable code. PSOs that are to modify the secure system functions are usually provided by the service provider from software objects in their control and the security is good. When a PSO is produced by a Producer, there can be no such guarantee of the integrity of the contained program code. The execution of this material may read information from secure system functions and write it to extemal locations. In a multiuser system, it may also compromise information relevant to another PSO.
  • the preferred method is to partition the available secure memory into parititions as previously described that includes a system partition and one or multiple user partitions.
  • Programs within a system partition may access any secure memeory address.
  • Programs within a user partition are confined to their own partition. This is implemented using dual latching of instruction sources as previously described. This protects system integrity and the integrity of one user partition from any other.
  • An alternative is to perform this function wi ⁇ i software, by checking that each instruction executing within a particular user partition is not intended to make an unauthorised access to system memory and or other user memory.
  • Another solution would be to allocate a separate microprocessor to one or multiple user functions.
  • the secure system kernel When the secure system kernel switches processing between user functions, it programs logic with ⁇ ie address boundaries of the current user partition that is compared wi ⁇ i an instruction. A separate user partition is allocated to each user function.
  • the invention allows for any method and apparatus mat prevents any particular user function from accessing, in an unauthorised manner, secure information within system partitions and or other secure user partitions.
  • the method does allow valid transfers of processing across system and user functions. It is preferable that the size of the partitions may be varied, preferably under the control of secure system functions.
  • the invention allows for secure system initialisation functions (SSIF) that may use any method and apparatus to initially program secure system functions into secure locations within the SPD, preferably into battery backed static RAM. This usually occurs prior to release of the SPD from a secure environment.
  • the SSIF are part of the secure system functions, however, they include information that it preferably not made public, however, the invention is not compromised should this occur. For tins reason they are suitable for use in mask ROM. Any o ⁇ ier secure system functions may be included into mask ROM however, this is not the preferred location for any information of a sensitive nature. It addition to security factors, the inclusion of the majority of secure system functions in reprogrammable storage elements allows them to be readily updated.
  • the invention allows ⁇ iat ⁇ iat ⁇ ie SSIF may be used later to erase and or modify and or reprogram the SPD at a later date.
  • the invention also allows mat part or all of the functions within ⁇ ie SSIF may be called by other secure functions as part of the normal operation of the SPD. For example ⁇ ie routines to load information from extemal locations and to program information into flash memory have obvious multiple uses. Certain provisions within ⁇ ie SSIF should only be capable of use when it is known ⁇ iat secure information within tiie device is invalid.
  • the preferred method and apparatus is to store tiie Secure System Initilialisation Functions within (preferably secure) storage locations prior to encapsulation (that may be the package of an IC and or any other additional packaging) of the device at the time of manufacture.
  • the SSIF information included within the device at ⁇ ie time of manufacture should be sufficient to load and or program other information into the device and where necessary initiate processing of said other information.
  • This provides an SPD tiiat may men modify itself as required.
  • Said o ⁇ ier information may be any information and may include additions to the SSBF not included at manufacture.
  • the storage locations should retain SSIF functions (in pan or whole) when o ⁇ ier information within the device is erased far any reason.
  • the SSIF may include any required support hardware to program particular storage devices, eg. charge pumps and or supply of special voltages and or timers and or glass windows to erase EPROM.
  • the SSIF is usually implemented within secure memory (that is preferably mask ROM, however, it may be any suitable type of storage device) and usually includes functions:
  • ⁇ ie SPD may load encrypted information, decrypt this information and then dire ⁇ processing to said decrypted information.
  • routines to pass information back to extemal locations completes the process.
  • the SSIF and any subsequent secure system functions may load information from any relevant extemal location to assist the process and or may call routines within extemal locations to assist the process.
  • Any SSIF function that allows programmed information to be read back for verification may use any me ⁇ iod and apparatus to prevent a user from activating this function at a later date and possibly being able to access secret information.
  • the preferred method flags a non-volatile programable location once the readback process is complete in a manner that does not leave said flag clear in ⁇ ie event of a partial readback.
  • the preferred method to prevent the flag remaining clear in the event of a partial readback is to activate a watchdog timer that times out after a predetermined interval and sets the flag preventing further verification readback by trigggering a flip flop. It is preferable said flag can only be cleared after secure storage elements have been erased and or otherwise suitably modified. This is not a function that should be available in unsecure environments.
  • One me ⁇ iod of implementing SSIF would be to serially clock ⁇ ie required information into the device via latches (that may require a certain predetermined sequence to activate the process). This may not require any predetermined software routines within the device.
  • the preferred method uses a secure software routine executing from within secure ROM that uses the Timed Password Access process described below to activate programs that perform the functions previously described for a SSIF, transferring the relevant externally supplied (and usually secret) information to the relevant internal storage devices and subsequently initiating processing of this information.
  • the actual method of programming information into the storage devices will depend on the type of storage device and may use any known method.
  • the invention allows ⁇ iat a preferably unique password is programmed (usually as part of SSIF) into each device. Without access to this unique password the probability of unauthorised activation of SSIF is not a practical outcome.
  • the SSIF may reside in memory locations exclusive to one of ⁇ ie on chip CPUs and be transferred where necessary, using any internal mechanisms (including software), to any required storage devices; and or may be loaded into memory locations shared by multiple CPU's within ⁇ ie package;
  • the invention allows ⁇ iat only one CPU or a subset of available CPU's may load information for o ⁇ ier CPU's, and OT ⁇ iat particular CPU's load formation for their own use.
  • the preferred method of activating ⁇ ie SSIF functions when ⁇ ie SPD is within ⁇ ie system microprocessor is to load ⁇ ie password into one or multiple CPU registers and execute a specially created instruction that ⁇ iat activates SSIF to read ⁇ ie password and continue as appropriate.
  • An alternative is to include the functions that dete ⁇ and process the post instruction symbol stream as described later.
  • the timed password access may use any method and apparatus. It prevents any practical gain from attempting unauthorised access to any particular password protected event It is based on a password of such complexity that in practice it would take such a long time to try all the permutations that it is not practical to gain access to ⁇ ie protected event Said complexity is assisted by incorporating a delay mechanism that restricts the frequency of attempted access. Said delay may be variable for any reason (e.g. to allow for legitimate errors) and may be created using any method including software loops and or physical delays. The delay may be a bierachical system that includes different delays depending on the number of incorrect attempts at access. It is preferable that said delay is unaffected by powering down of the device to prevent rapid power cycling defeating delay mechanisms.
  • One method and apparatus consists of the following steps: a) create one or more password keys that are stored securely. b) create a means to store a cumulative count in a device that is reprogrammable and preferably non-volatile. c) create a means to generate a known time interval. The invention allows for embodiments allowing a variable interval, this is most readily achieved by a software loop. d) create a means to input a password, eg create a specific instruction that can pass externally supplied information to the relevant routines. e) create a means to input function required should password succeed (not required if only one option). f) user activates d) and e) including transferring password and target function to ⁇ ie process.
  • step j) check tiie value in cumulative count in b). h) if less than certain predetermined value then go to step j) else proceed. i) invoke c) to generate time delay. j) increment the value in b). k) confirm step j) has occurred if there is a chance that extemal influences may interfere with j). 1) input password using d) and compare with key in a). If a match go to step o), else proceed. m) set flag in external memory to indicate failed attempt at calling program. n) exit to try again enter at f). (if predetermined count above c) retry will be immediate, otherwise a delay will be encountered every time). o) clear flag in external memory to indicate success. p) proceed with called process.
  • Etecmmic Siynnmra One OT more processes during manufacture and OT initial programming and or normal operation of the invention may rued to identify parameters unique to a particular PCPU and or ESPD and or unique to a particular group of PCPUs and OT ESPDs (for any reason, including far example, referencing a secure database to determine a password to activate the initialisation program described above). This may be done by any method known to ⁇ ie art including physical markings on ⁇ ie outside of ⁇ ie CPU package, however, ⁇ ie invention allows for one or multiple serial numbers and or any other identifying symbols to be included within ⁇ ie device, usually at the time of manufacture. These are amenable to retrieval under program control and or any other form of automatic process using any method and apparatus.
  • This provides an automatic method of uniquely identifying a particular device and or group of devices.
  • This is referenced as an electronic signature and is usually included as part of the SSIF.
  • Said one or multiple electronic signatures may be transferred to an extemal location using any method and apparatus and used by an authorised party as an index to secure information stored within ⁇ iat panicular device (and or far any o ⁇ ier reason).
  • the preferred method when ⁇ ie device is a PCPU is to create a specific instruction ⁇ iat when executed stores said serial number from a non-volatile storage location within SSIF to a predetermined CPU register. This process is usually accessible to anyone, although it may be protected by passwords and or any other method.
  • ⁇ ie serial number is usually read from an addressable location within ⁇ ie ESPD by ⁇ ie system CPU.
  • the secure system interface functions programmed into flash memory 708 would include the electronic signature and when the microprocesor 707 is first activated by an interrupt on 731 after programming of said secure system initialisation functions, a routine would transfer the electronic signature to a predetermined location in the dual port memory 704, where it is accessible to ⁇ ie system mi ⁇ oprocessor.
  • the invention allows that a secure system user password function may be included within one or multiple PCPUs and or one or multiple ESPDs and this may be required to activate part and or all of ⁇ ie invention.
  • a secure system user password function may be included within one or multiple PCPUs and or one or multiple ESPDs and this may be required to activate part and or all of ⁇ ie invention.
  • ⁇ ie case of a system CPU it may also be required to enable the normal processing functions of the device, providing a secure method cf stopping unauthorised use of the UCDPS containing said system CPU. Any method and apparatus may be used to implement this function.
  • the usual presence of programable memory and programable non-volatile storage elements provide for a plurality of methods.
  • the invention allows for a multi-tiered password system.
  • the preferred embodiment is a time based password system (as discussed elsewhere) that resides in secure system memory and activates routines ⁇ iat reverse various locks placed on part or all of ⁇ ie device.
  • the password functions usually include routines to disable part or all of ⁇ ie device in response to a specific command, a method that requires tiie user to specifically disable tiie SPD, and preferably requires entry of the correct password; and or functions (usually implemented in hardware) that disable part or all of ⁇ ie device in response to reset and or power down and or any other criteria including automatic timeout (preferably programable), the password processing system is not usually disabled; these functions automatically disable tiie SPD and OT other applicable devices and require ⁇ ie correct password to reactivate the SPD and or other applicable devices.
  • the password(s) is usually stored in secure non-volatile system memory.
  • the device may be shipped to the user with a known default password and or ⁇ ie password system disabled. Entry to the password system may use any method. In ⁇ ie case of a PCPU this may include use of a special instruction and OT a suitable Post Instruction Symbol Stream (PISS). In the case of a ESPD it may involve passing commands using one or multiple methods as described elsewhere in this application, usually by writing and or reading predetermined address locations. A user accessing the device wi ⁇ i ⁇ ie correct password may be able to change passwords.
  • the password system is usually constructed to allow the service provider to reinitiate or disable said password system by supplying an appropriate software object preferably a PSO.
  • each device toge ⁇ ier wi ⁇ i o ⁇ ier suitable support resources allows a plurality of methods of secure information transfers to be established between an information provider with access to the secure contents of the device, and or provides for the secure transfer of information in the reverse direction, and or permits information to be specifically encrypted for a particular secure system.
  • system local code functions assist the implementation of multiple secure applications, including the secure transfer cf information to a device that can verify tiie source and or validity of the information, and or the secure supply of information from a particular device ⁇ iat ⁇ ie can be verified for validity and source by an information receiver (with access to the secure information within ⁇ ie originating secure system CPU); this may be used for any reason including secure communications and or the secure transfer of electronic funds.
  • the inclusion of one OT multiple system group code functions that are identical a ⁇ oss a particular group of devices (e.g. those destined for the same country) may be used for any reason. This may include ⁇ ie restriction of certain PSOs to particular group codes.
  • One or multiple group codes may be common to all SPDs.
  • the invention allows ⁇ iat part or all of group codes may be user programmable and or password protected. This may allow, for example, parents to restrict childrens access to particular PSOs.
  • the secure local and or group codes may be data and or actual computer instructions.
  • the effectiveness of the software distribution system forming part of this application is partly dependent on a service provider having access to secure information within each SPD and tiiat some of this information is common to multiple SPDs enabling creation of PSOs that have general application, and ⁇ iat some information is specific to a particular SPD.
  • secure system command functions to dete ⁇ instructions that may be implied instructions
  • these tasks may be any and may include: commence execution of internal programs from any source; and or pass data received from extemal sources to internal functions; and or receive a request from internal functions to transfer processing back to the system CPU for any reason; and or accept data from internal functions for tranfer to a location readable by the system CPU; and or provide a command structure within ⁇ ie SPD to co-ordinate other system functions and, where appropriate, interact with secure user functions; and or where applicable, co-ordinate interaction with realtime decryption processes; and or any other required function.
  • the invention allows for any method that permits an SPD to monitor a PSO as it is executed in order to detect various specially constructed process transfer instructions and or o ⁇ ier suitable markers that indicate ⁇ iat interaction with ⁇ ie SPD is required.
  • the process transfer instruction may inherently dire ⁇ extemal programs to the appropriate internal function or may require a post instruction symbol stream as described wi ⁇ i reference to the preferred embodiment.
  • Secure system command functions also include any functions to transfer processing back to the appropriate PSO.
  • the secure system command function should be structured so that entry to secure system functions is in a regulated manner. This is readily achieved for an ESPD where interfacing may be directed to a limited number of addressable locations that may have various validity checking performed on the data. The process is more complex for a PCPU and described in more detail with reference to a PCPU.
  • An important function of secure system command functions is to direct ⁇ ie decryption of incoming encrypted information, dire ⁇ the transfer of the decrypted information to a suitable location and where this decrypted information consists of computer instructions, dire ⁇ execution to the relevant starting point in ⁇ ie decrypted program and provide any necessary support functions as said computer program is executed.
  • the incoming encrypted information is data this should be processed as required, which may include appropriately linking it with any internal and or extemal programs and or data and or special purpose functions (e.g. the data may be used to configure programable logic, creating its own decryption engine) including a linked computer program also transferred in encrypted format.
  • the command functions also dire ⁇ the retum of execution and or data to extemal locations as required.
  • the invention also allows that one or multiple hardware devices within tiie SPD may actually be fabricated in part OT whole from programmable logic devices. This particularly applies to encryption decryption engines that may be dynamically engineered as required.
  • the preferred type of programmable logic is that known to the art (refer to programmable gate arrays by Xylinix) using battery backed static memory to create the interconnections between various logic gates, as tins may be rapidly erased if required.
  • the information to transfer this information to the programmable logic elements is preferably via one or multiple addressable locations, and is preferably parallel data. Pan or all of such devices may need programming prior to leaving a secure location.
  • the system functions should provide suitable software routines such that when requested by appropriate commands, they perform a combination of functions that affect any combination of the following: • for the secure transfer of at least a portion of encrypted information constituting pan or all of a software object from a location extemal to said physical device, to a location internal to said physical device, wherein said physical device securely decrypts part or all of said encrypted information within said physical device in conjunction and or subsequent to said transfer and • may initiate and securely process part or all of the ensuing decrypted information in conjunction and or subsequent ro ⁇ ie decryption process and • may interact in any way with any o ⁇ ier internal and or external information to correctly said process and may terminate said process as required and • said terminate may transfer data and or execution to any other internal and or extemal location, including the external software object and • the preceding processes occur in a manner that minimises OT eliminates analysis of part OT ah of the decrypt
  • the secure system decryption encryption functions may eliminate the requirement to preload specific secure user functions into the device prior to supplying said device to a user. Instead each PSO may include the secure user function as encrypted information included within ⁇ ie PSO supplied to a user, resulting in a device ⁇ iat can securely process part or all of a diversity of software objects.
  • suitable system command functions may be constructed to dynamically load blocks of encrypted information in and out of secure user (and or system) memory, much larger portions of encrypted information may be utilised as pan of a software obje ⁇ than is the case with devices dependent on secure information preprogrammed into a limited amount of secure user (and or system) memory.
  • the invention also allows that the device may securely add to and or edit secure system functions using a similar process.
  • the invention also allows for part of the secure system functions to be loaded (usually in encrypted format) into the device from external storage each time a UCDPS is booted (and or on any other basis).
  • the security of the secure system routines and in particular secure system decryption routines stored within ⁇ ie SPD is pivotal to maintaining the security of processes using the device.
  • the information within secure system functions must be protected to a level that makes it not practical to defeat and while any storage device may be used to retain the secure system functions within the device, ⁇ ie preferred method uses battery backed static memory. This can be rapidly erased in the event of tampering, and such a requirement particularly applies to any system functions that are stored in decoded format.
  • the transfer of information from one location to another may result in transmission errors and the invention allows far secure system error detection functions that may use any known method and apparatus to dete ⁇ and or correct these errors.
  • information that is to be transferred to the SPD may be accessible and deliberately modified, e.g. computer viruses and or attempts to reverse engineer ⁇ ie SPD.
  • the invention allows for secure system validity checking functions, ⁇ iat may use any me ⁇ iod and apparatus to verify that ⁇ ie information supplied to ⁇ ie SPD is as intended by ⁇ ie information provider, and or take any required actions that may include directiy or indirectly (usually via secure system error monitoring routines) disabling part or all of the SPD. Where applicable, this may include ⁇ ie erasure and or alteration of secure information.
  • OT CRC cyclic redundancy checking
  • the decryption functions may in part or whole be implemented in software to decrypt externally supplied and encrypted information using any known methods, including the data encryption standard.
  • One or multiple hardware based encryption/decryption engines may perform the decryption, in part or whole.
  • Such an engine is one compatible wi ⁇ i ⁇ ie Data Encryption Standard (DES).
  • DES Data Encryption Standard
  • the me ⁇ iod of using predetermined processes located within ⁇ ie SPD to decrypt (and encrypt) information is referenced as the Standard Decryption Process in this application.
  • Standard Decryption Processes may require the supply of various codes to function correctly.
  • the original cryptography processes were developed for the secure communication of information between parties and they work well when this is the primary motive.
  • the capability of supplying an SPD with a PSO ⁇ iat can be made to perform any desired function within an SPD ⁇ iat is consistent wi ⁇ i available resources and constraints of said SPD, allows said SPD to be dynamically modified to perform any function as required. This permits a PSO and or any other internal and or extemal function to actually request one or multiple decryption functions to be loaded into the SPD.
  • Said decryption functions may include information that is used to dynamically manufacture a hardware decryption engine from programmable logic within said SPD.
  • ⁇ ie decryption process can become self modifying with ⁇ ie instructions of the actual PSO varying decryption parameters and or decryption algorithms and or installing, in part or whole, one or multiple new decryption algorithms during ⁇ ie process of executing the PSO ⁇ iat are further used to decrypt additional parts of the PSO. This may occur on multiple occasions, in any combination, during execution of the program.
  • the key to this process is to include with ⁇ ie PSO a sub-routine that can be recognised and executed by functions within the SPD, and said sub-routine initiates ⁇ ie process of unlocking the subsequent encrypted material.
  • Said sub-routine is encrypted using a process that is known to be reversible by functions within ⁇ ie SPD. The known art does not describe such a method and apparatus, which this invention references as Recursive Decryption in this application.
  • the decryption processes described are on the basis of encryption of information by a service provider with access to the secure formation within multiple SPDs and ⁇ ie decryption of information in the target SPDs.
  • PSOs may be encrypted for a specific SPD and or multiple SPDs.
  • the decryption processes described also may apply to the encryption of information from an SPD to a service provider.
  • the user has no knowledge of the encryption process and usually little knowledge of the clear code being encrypted.
  • the process can be made even more secure by the service rjrovid ⁇ sending a one off encrypted encryption process to the SPD. This process will have multiple applications and is referred to as the Coco method.
  • Standard Decryption and or Dynamic Decryption and or Recursive Decryption and or Realtime Decryption, and or the Coco method may be used in any PSO in any combination determined by the service provider.
  • the service provider may always supply the required information to ensure any chosen encryption process may be reversed in one or multiple crizt SPDs.
  • the invention allows for any known method of encryption and or decryption to be used with any part or all of the invention.
  • the encryption/decryption methods described pertain to communications between service provider and user. They are also applicable to the secure storage of information within a UCDPS, including the encryption and storage of various values in ⁇ ie UCDPS memory mat are intermediate and or final results of processing.
  • decryption and or encryption processes described for the invention may interact in any way with extemal processes and the interaction may assist with said decryption and or said encryption.
  • the preferred security provided by an SPD is its function of decrypting and executing encrypted programs in secret and or decrypting and processing encrypted data in secret.
  • the invention also allows for the decryption of information that is not securely processed.
  • the invention allows that the SPD may be programmed with one OT multiple secure user functions and any method and apparatus may be used to sele ⁇ ⁇ ie current secure user function.
  • the system functions that perform this role are 1 referenced as system task switching functions and they allow that PSOs may be co-resident and or multitasking and
  • An A/D converter may be include to detect changes to
  • the invention as described permits: 1 1) the secure transfer of encrypted information from an external source (including memory) using any method, to one 2 or multiple secure locations within a system CPU and or ESPD, and then (and or during) 3 2) ⁇ ie use of any suitable combination of mi ⁇ ocode and or hardware and or secure internal software routines and or 4 data (that may be augmented by any other software routines and or data in any location) securely decodes this
  • a CPSO has some requirement for the exchange, directly or indirectiy, of
  • the usage of CPSOs may be time and OT events based and or any other method.
  • the SPD preferably does not require its host UCDPS to be attached to any remote device that may exert some
  • the invention allows for the.use of CPSOs wi ⁇ i an SPD to be controlled using any known me ⁇ iod and apparatus
  • the preferred method is to require prepayment fOT units.
  • the invention does allow ⁇ iat there are no predefined
  • the SPD ensures that money is paid for use of
  • the preferred method stores one or multiple values in the SPD. 17
  • An SPD may disable itself in part or whole when any requirements that are attached to the use of PSOs are not
  • An SPD that is disabled in part or whole may be re-enabled in part or whole by any method including ⁇ ie supply
  • the SPD responds to any suitable command generated by a software object
  • a PSO is preferably encrypted, in part or whole, using any known one or
  • a PSO preferably includes embedded error and or validity checking information and
  • 37 preferably includes one or multiple error and validity checking processes and tiie decryption and or execution of
  • the SPD may take any course of action including disabling part or all of the SPD, reporting an error to the user using any method, denying access with no report and or any other action.
  • An object may not be acceptable for any reason including that the obje ⁇ was not created for use wi ⁇ i an SPD or that changes within ⁇ ie software object have occurred.
  • the SPD receives a predetermined number and or types of errors it may decide that these errors are not legitimate and take any course of action to protect the security of the device. This may include granting no further access and or invalidation of part or all of ⁇ ie secure information within ⁇ ie SPD.
  • the conditions that determine this course of action may be dynamically modified by the supply of an appropriate PSO.
  • any relevant part of ⁇ ie software obje ⁇ determines what action is required of ⁇ ie software object Said action may include performing further validity checking and or decryption and or any other actions as ⁇ ie PSO is processed in conjunction with the SPD.
  • Protected software objects preferably include information that identifies the type of information that is included within the object resources required of the SPD, information to assist validity and error checking of the information, information to assist decryption of encrypted information and any other relevant information.
  • Said any other relevant information may be anything consistent with ⁇ ie resources of tiie SPD because one feature of the SPD is its capability cf being securely updated to perform any software function consistent with the resources of the SPD.
  • This updating may be dynamically performed by supplying the appropriate one or multiple PSOs prior to supplying the PSO that will use the dynamically modified functions.
  • Said PSO that will use the dynamically modified functions may itself include in pan or whole the information to said dynamically modify.
  • PSOs ⁇ iat an SPD suitable for use in ⁇ ie protection and distribution of software objects preferably includes, however, functions for one type of PSO may be combined in part or whole with any other one or multiple PSO functions to create one or multiple mixed function PSOs:
  • a) Secure System Update PSO may modify ⁇ ie secure system functions of the SPD using any me ⁇ iod including data and or program instractions that are to be loaded to specific locations within secure system memory and or they may be programs and or data tiiat is to be executed to perform one or multiple functions and OT any o ⁇ ier method.
  • This type of PSO is preferably heavily encrypted wi ⁇ i multiple checksums. When validated, required action is performed by the SPD.
  • Bectronic Qedit PSO this adds values to one or multiple non-volatile storage locations within ⁇ ie SPD. Said locations are preferably clear (and or any other predetermined values) when the SPD is supplied to a user far die first time.
  • Said non-volatile storage is preferably flash memory, described previously.
  • Said values preferably equate to a number of units of available credit for use with various CPSOs and or any other reason. The use of these values may be for prepaid credits and these are stored in a location that is preferably decremented as available credit is used and or they may be for credits that are unpaid and are effectively a credit limit against use. Any method may be used to distinguish prepaid credits from unpaid credit.
  • Report Verification PSO this verifies that a particular repo ⁇ generated previously by the SPD has been received by the SPD. It is preferably specific to a particular SPD in ⁇ iat unique information within ⁇ ie SPD is required to correctly validate and have it perform the required functions. It may perform any one or multiple functions, directiy and ⁇ r indirectly within ⁇ ie SPD. It usually resets any restrictions within ⁇ ie SPD ⁇ iat are awaiting receipt of the report verification PSO and may do this in any way. It also usually programs the relevant locations wi ⁇ i a new reporting interval and or modifies in any way any part or all of the report generating and verification system.
  • One step in the creation of a PSO is to take a software obje ⁇ from the producer referenced as the primary software object and create Obje ⁇ Support Information (or OSI) ⁇ iat provides certain information to assist ⁇ ie execution of the PSO.
  • OSI Obje ⁇ Support Information
  • the actual creation of the OSI is usually a co-operative process between the producer and service provider, howev ⁇ , any operations that require the use of information within the secure system memory of a PCPU would usually be restricted to tiie service provider.
  • the OSI is usually placed near the start of the program, howev ⁇ , it may be located anywhere throughout the program as long as it is arranged in a sequence acceptable to tiie PCPU ⁇ iat will process it and or ⁇ ie PSO includes various information that may permanently and or temporarily modify the PCPU such that it can locate and use ⁇ ie OSI.
  • prote ⁇ the information in OSI from tampering, pan or all may be encrypted, and or may have various check sums at are preferably secure and or encrypted themselves.
  • the OSI may be provided in part or whole as a separate program(s) and or as part of one or more other programs and or may already be present in the PCPU and or any o ⁇ ier me ⁇ iod.
  • ⁇ ie OSI is within separate modules and contains information that the producer does not want deleted, there should be a suitably secure cross reference in the main part of the PSO to check for the presence cf independent modules and valid data within.
  • the preferred embodiment includes all information within ⁇ ie body of ⁇ ie primary software obje ⁇ one or multiple modules of ⁇ ie primary software object.
  • the actual me ⁇ iod to encrypt and decrypt information may use any known method and any number of levels and any combination of methods.
  • the OSI is a description of certain functions mat may be required, and they may be implemented using any known method and structure.
  • the ability to program the secure functions within ⁇ ie target PCPU enables any new structure to be created by supplying a suitable PSO compatible with existing structures.
  • Detection of Presence of a PCPU this is usually executed immediately after the start of PSO execution. Should a PSO attempt to execute in an environment without a PCPU one or multiple adverse outcomes may result for example the hard drive may be modified.
  • the preferred embodiments of a PCPU allow access to the secure memory by the execution of various special instructions. As these instructions do not exist in a normal CPU, their execution in this environment may cause problems.
  • the preferred me ⁇ iod of ensuring ⁇ iat PSOs are only used in a UCDPS ⁇ iat has an appropriate PCPU are:-
  • Common instruction trigger a sequence of instructions that are common to a PCPU and the CPU that it replaces are executed such that a certain combination triggers various events in he secure parts of the PCPU.
  • the following example shows one altemative:- protected software loaded into memory execution commences at a particular location that executes three no operation (NOP) instructions in sequence, followed by a branch to the next instruction ⁇ iat may be the start of three more NOPs (any number, combination and permutation of suitable instructions may be used) the instruction following this is a branch to a routine to terminate execution of ⁇ ie program a CPU tiiat is not a PCPU will execute these instructions and quickly terminate the program a PCPU will have the facility to recognise the particular sequence of instructions, this triggers internal routines to modify the data in the branch instruction and or redirects external execution to a particular location that enables continued processing of the PSO. This process is transparent to the operating system.
  • NOP no operation
  • a PCPU may have the facility to transparently override the operating system and a message may be displayed for the user to determine future action. Other actions may include program termination, with or without a message.
  • a PSO preferably checks various information currently resident within the secure system memory of the PCPU for the presence of certain functions within the system memory and that they are a version suitable for use by the PSO. This is usually confirmed by checking that the current version number of system memory functions are current for a particular PSO, however, it may use any method.
  • a PSO may be shipped wi ⁇ i certain update information included as pan of the PSO and or with other PSOs shipped with ⁇ ie PSO, and ⁇ iat a PSO may automatically and or at ⁇ ie users direction, update the system memory functions to current information and may suitably adjust ⁇ ie version number, and that this may be a temporary modification for the duration of execution of the PSO and or a semi-permanent and or permanent change.
  • the PSO would usually terminate with a request for the user to arrange for the necessary changes to system functions, however, it may take any other action.
  • a unique vendor identity code may be included in tiie PSO in a position and or any other way that can be determined by the PCPU. This code is usually consistent on each product from the producer.
  • the invention allows fOT this method or any other to differentiate PSOs that are primarily commercial objects from those that provide various support functions.
  • a unique program identity code (UP1D) is usually included in the PSO in a known location and or any other way that can be determined by ⁇ ie PCPU. This may be unique amongst products from the same producer, however, it may be identical to another product by another producer.
  • This code may be further used to categorise a particular program e.g. part of the code may identify the program as a game OT a wordprocessor, etc., and this would usually be common across all UPIDs, another part may identify ⁇ ie version number and the balance may be used to ensure that ⁇ ie UPID is unique to any others from that producer. Any other relevant information may also be included in the code.
  • the invention allows that the various sub-parts of information included in this code may in part or whole be allocated their own codes.
  • the invention allows that the billing for ⁇ ie use of a PSO may use information included within the PSO. Any of the following information may be located where the PCPU and or any other applicable devices or routines can identify it:
  • Timed Basic Charge (or TBC) - is the unit rate for use of the product
  • the preferred rate is by the hour, howev ⁇ , any time interval may be used.lt is anticipated ⁇ iat users will ultimately determine ⁇ ie type of billing they want and it will probably be based on a time used basis associated with certain frequency discounts and possibly a cut off point at which there are no additional charges.
  • the charge rate is usually in terms of a standard unit - for example it may be US Dollars. Whatever standard rate is chosen is usually standardised across PSOs.
  • the invention allows that any amount in any currency may be used.
  • the invention also allows that ⁇ ie TBC for various countries may be different far example to allow for different economic conditions.
  • Any particular PSO may include the entire set of TBCs for all countries or only a subset.
  • the TBC may not be available to all regionals.
  • the invention allows ⁇ iat a discount schedule may apply to the TBC for increasing use or whatever reason, and that this may vary from one region to another, and this discount schedule may be stored in the PSO. Further discounting may apply for different types of users, e.g. government education, business and part or all of this information may be stored in a PSO.
  • Various vendors may wish to offer various discounts for existing customers when an updated version of their product is released and or when a new product is released and these may be stored in a PSO.
  • the PSO usually includes one or multiple transaction processing codes to indicate tiie type of billing system used. This may vary from region to region and each PSO may have a list that includes transaction processing codes for all countries or any subset For any particular country, mere may be different codes for different groups eg, government users may be billed using a different method to business, and ⁇ ie combinations used may vary from one region to another. While not an exclusive list die following are the more common types of transaction processing codes:- a) The PSO may be distributed at nominal cost with the customer paying for time used. b) The PSO may be distributed at nominal cost with the customer paying for time used, however, a data key (at no cost) is required to activate the program.
  • the PSO may be distributed at nominal cost with the customer paying for time used, however, a data key is required to activate the program and there is a charge for the key; this charge may be located in the relevant fixed basic charge field.
  • the PSO may be distributed at nominal cost howev ⁇ , a data key is required to activate the program and there is a charge fOT the key, however, there are no continuing charges.
  • the PSO is only supplied on receipt of payment with additional charges for time used. A key may be required to activate the program.
  • the PSO is only supplied on receipt of payment howev ⁇ , there are no additional charge.
  • the PSO may be one mat is generic to multiple PCPUs or customised to a particular PCPU.
  • Event Basic Charge (or EBQ - the invention allows that usage of software may be based on the number of times ⁇ ie program is opened and or any other event based mechanism.
  • the Event Based Charge is the unit rate for this me ⁇ iod of billing. All of the options and or discounts and or requirements described for TBC above apply for Event Based Charge and will not be repeated, howev ⁇ , the various combinations and particular options used may vary from the TBC in any way.
  • Fixed Basic Charge (or FBC) - this is a fixed charge to use ⁇ ie software and may be a one off charge mat subsequently permits unlimited access on that UCDPS or a charge tiiat grants access and then bills on a usage basis using any combination of the previous methods. All of the options and OT discounts and or requirements described for TBC above may be applicable for Fixed Basic Charges, howev ⁇ , the various combinations and particular options used may vary from TBC in any way.
  • Transaction processing codes may be constructed to detail any combination of billing processes and discounts and anything else.
  • One method may be to permit the user free or discounted access to various products, particularly new products.
  • This may include various promotional schedule codes (PSC) within ⁇ ie PSO, that may be designed to achieve any outcome that is permitted by tiie PCPU, that the PSO executes on, and this may include codes representing anything to do wi ⁇ i promoting any sort of product using any known method, including:- • a list of discounts and ⁇ ie time they apply may be included within ⁇ ie PSO, and they may be multiple.
  • the discounts may be any value, and may result in free software for variable periods of time.
  • the facility even exists for a producer to pay a user to try their product Particular promotions may have a use by date attached to them.
  • Another approach may be to generate a random number in the PCPU each time a program is initiated or on any other basis. If this matches a code in ⁇ ie PSO, then various free program time may be provided on the current PSO and or another program by the producer and or various prizes may be given away.
  • the software may also be made available to a potential user with part of its functions disabled, and no charge or a nominal charge applied to the use of this partially disabled program. This may be particularly useful for programs that may take time to assess, for example a new accounting program, where a potential customer may want to fully assess the package prior to committing to a changeover from an existing system. The activation to a fully operational system may require a key (that may OT may not have a charge) or simply require the user to execute a program that initiates time and or event based billing, or any oth ⁇ method.
  • the information to perform any promotional function may be mcluded in part or whole within the PSO, howev ⁇ , it would usually rely in part or whole on secret processes within tiie PCPU to prevent unauthorised manipulation of the promotions.
  • Certain software products may be unsuitable far use by particular groups. For example, certain countries may be restricted from using software because of security concerns and or because it may offend certain cultures and or other software may be unsuitable for children and or it may be restricted to certain professions and or it may be restricted to use at certain times and or for any otiier reason. These are referenced as Group Restriction Codes (GRQ and may be included in a particular PSO to limit access to various categories of user.
  • GRQ Group Restriction Codes
  • Any information included in a particular OSI may become obsolete and this may be a particular problem with prices and discounts.
  • Any information contained in a OSI may be replaced in part or whole wi ⁇ i oth ⁇ more readily updated information stored in any suitable location; this may include locations within ⁇ ie PCPU, and or various files stored on one or multiple mass storage devices, and or distributed with other PSOs, and or distributed as part of codes supplied to users to update PCPU credits and or any oth ⁇ reason, and or any other method. All of this may be subject to the overall control of the service provid ⁇ who can vary the actual amount charged to any particular user. The billing process is described later in this application.
  • Part ⁇ r all of tiie information within the OSI is usually reliant on known information within ⁇ ie secure system memory of the PCPU to correctly mterpret and or execute the various functions, howev ⁇ , as part or all of this PCPU memory may be reprogrammed by suitably encrypted extemal information, part or all of which may be included within ⁇ ie PSO, ⁇ ie specific requirements of a particular PSO may be met by dynamically modifying part or all of the secure system memory. Additional flexibility may be gained by loading any required part of ⁇ ie PSO into secure us ⁇ memory for execution.
  • various functions have been detailed for the OSI, in practice a multiplicity of special functions may be included and these may occur during any part of the execution of the PSO.
  • Another step in the preparation of a PSO may be to include in the PSO various routines and data ⁇ iat will execute automatically and or under user control to update various information on ⁇ ie UCDPS for any reason and may include:- • update ⁇ ie secure system memory • update various files stored on a UCDPS ⁇ iat contain various billing information and or discounts and OT special promotions and or any other information.
  • update functions may be included as part of ⁇ ie actual PSO and OT as part of one or more oth ⁇ PSOs.
  • These other PSOs may be created specifically for ⁇ ie purpose and or may be parts of oth ⁇ PSO applications. These oth ⁇ PSOs may be supplied to the us ⁇ wi ⁇ i ⁇ ie said actual PSO and or may be supplied separately.
  • a PSO, and the PCPU with which it is to operate, are provided with a number of secure mechanisms to protect against unauthorised analysis of information stored within. As there may be considerable financial gain to any party that manages to compromise the security of either, it is anticipated ⁇ iat a number of attempts will be made to compromise the security of both, and one me ⁇ iod may be aimed at changing various parts of the PSO in an attempt to analyse the various outcomes.
  • error and or validity checking processes on information within the PSO, and these may use any known method and apparatus, and these may be dependent in part or whole on functions within the PCPU, that may include:- • routines within system memory, and or • various algorithms implemented in hardware within ⁇ ie PCPU, and or • routines loaded from external sources (usually, in part or whole, in encrypted format), and or • loaded from the PSO (usually, in part OT whole, in encrypted format), and or • any other source.
  • the error checking and validity checking is a process that usually occurs in total secrecy at both ends, wi ⁇ i the service provider the only party that knows ⁇ ie process.
  • the service provider is aware of the processes available in any particular PCPU to extract and validate any parity information and or CRC information and or any oth ⁇ information, and ⁇ ie method used to take ⁇ ie actual code of tiie PSO and generate the expected parity information and CRC information and any oth ⁇ information, and the methods to determine whether or not ⁇ ie expected information matches the extracted information.
  • the service provid ⁇ can take a PSO at any stage or stages in the conversion process from software obje ⁇ to PSO and analyse the information and add and or change data in such a mann ⁇ that the outcome when run through the error and validity checking process in the PCPU will not dete ⁇ any errors.
  • the error validity checking information may itself be encrypted.
  • the system usually only needs to work in one direction - provid ⁇ to us ⁇ , although some processes may need to be included within ⁇ ie PCPU to generate error and or validity checks on information that is to be stored in encrypted format in extemal resources (these are discussed in more detail in the applications dealing with these devices). Any numb ⁇ of error detection and validity checking processes may be applied and these may occur during various levels of the encryption process.
  • the invention also allows that error and or validity checking may be performed on part or all of the PSO with ⁇ ie actual me ⁇ iod to reverse this included within die PSO, and as long as part or all of the method to reverse is encrypted and the reversal process occurs in secrecy, there is no means of reverse engineering the process, and ⁇ ie actual methods and or apparatus used may be any known metiiod and or apparatus.
  • Encryption of the information to create the Protected Software Object The final step in the creation of a PSO is the conversion of the software object as supplied by ⁇ ie produc ⁇ together with any additional information as previously discussed to a protected program that provides the security against illegal use of the program.
  • the software obje ⁇ is converted to a PSO that in part OT whole may only be executed internal to an appropriate PCPU.
  • the software obje ⁇ may be encoded to one and or multiple levels of complexity.
  • the software obje ⁇ is preferably analysed to determine which parts require encryption, what method or methods of encryption should be applied and any ancillary information that is required to support these methods.
  • the actual arrangement of information within any part of the PSO to effe ⁇ various outcomes will be highly variable with the exception of certain functions fixed by a particular PCPU, and as the present invention allows for the provid ⁇ supplied PSO to be flexible and the functions within a particular PCPU to be programmed in a multiplicity of ways, the various combinations and permutations to achieve the same outcome are obvious, once the specific requirements and one method of achieving this are described.
  • a part of ⁇ ie secure system memory of a PCPU may be securely programmed with information that indicates an amount of credit (using any method and or currency) that may be offset against software usage (and OT any other applicable uses).
  • Various secure locations within the PCPU within a particular UCDPS may contain codes that are unique to mat particular PCPU and these codes are usually secret
  • a particular PCPU usually has a publicly accessible electronic signature that can be used to identify a particular UCDPS.
  • a particular PCPU may also have oth ⁇ characteristics that are unique to a particular PCPU, for example, particular software routines and or encryption/decryption processes and or any oth ⁇ applicable variation.
  • the process of activating a particular PCPU may be accomplished by any method and apparatus, including: 1) The us ⁇ contacts a service provid ⁇ (using any method, the most convenient usually being via a modem) and supplies the service provid ⁇ wi ⁇ i ⁇ ie serial numb ⁇ of the PCPU, the amount of credit required, and payment details (that is preferably a credit card payment) that may use any known me ⁇ iod. 2) Using known details about various information within that particular PCPU, the service provid ⁇ uses the requested amount of credit and encrypts this amount using any known method and apparatus (and an experienced person should be able to devise multiple techniques based on the en ⁇ yption/decryption processes described earlier).
  • the encryption process that may use any information (including time and or date and OT any oth ⁇ unique and or global information within the PCPU and or that may be securely transferred to the PCPU, using any known method including those described in this application) to generates a one time code at may be decrypted within the PCPU. 3) The one time code is transferred to the us ⁇ of the PCPU and entered into the comput ⁇ . The code is decrypted. If an error is generated, the user may be advised. Once the amount is confirmed the nominated credit is programmed into any appropriate secure non-volatile location internal to the PCPU that cannot be tampered with.
  • This process may activate the PCPU if required, howev ⁇ , the preferred determinant as to whether OT not a particular PCPU will execute one or multiple PSOs is based on the amount of available credit 5)
  • the available credit is progressively decremented as various PSOs are used, and the present invention allows for any method and apparatus for billing for PSO use.
  • Software usage of various software objects may be logged. This is described lat ⁇ .
  • the method of advising tiie us ⁇ of an imminent shortage of credit may use any method and or apparatus, howev ⁇ , as the programs that implement this process are preferably executing in part or whole from within secure memory internal to the PCPU, the facility exists to generate an internal interrupt and jump to an appropriate internal and or external program. This may occur at any time, with the most usual being shortly aft ⁇ a system reset The process may be transparent to the operating system.
  • the facility exists, using a similar process (and or any oth ⁇ me ⁇ iod and or apparatus) for the us ⁇ to generate a current report of available credit and or software object use.
  • ⁇ iat may include current informa ⁇ on on remaining credit (that may be z ⁇ o) and may include informauon on the usage of part or all software objects that have been used in ⁇ ie period.
  • Step 2 is repeated, howev ⁇ , in addition to ⁇ edit information, the code supplied to the us ⁇ usually contams an encrypted message that informs one or multiple routines within the PCPU that information pertaining to software obje ⁇ use has been received by the service provid ⁇ . Storage locations allocated to this information may then be cleared.
  • the present invention allows that although the process as described requires prepayment for services, ⁇ ie process is also compatible with the provision of credit withm ⁇ ie PCPU on account terms with selected users, and ⁇ ie credit amount allocated would usually be sufficient to cover expected usage (or may be any amount).
  • the actual amount to bill the us ⁇ may be calculated by subtracting the amount of credit remaining from the amount supplied in the previous period and or any other me ⁇ iod and apparatus.
  • a us ⁇ friendly menu system may be used to assist part or all of ⁇ ie process described above.
  • the present invenuon allows for any known method and apparatus that can monitor and or record the usage of PSOs (and or software objects), and preferably one that is compatible with multitasking programs in a single processor and or multiprocessor envmniment and preferably one that provides a tamperproof, secure system that operates in part or whole from within a PCPU and or any other SPD, when ⁇ ie UCDPS is an independent ennty, and or when independent and connected to a network and or when independent and connected to Internet or similar, for its correct functioning, and or when the UCDPS is dependent in part or whole on connection to a network, and or is dependent in part or whole on connection to the Internet (or similar).
  • UCDPS In a single task UCDPS the SPD usualy starts recording usage when activated and terminates when the PSO finishes.
  • the preferred method in a multitasking environment where usage is timed is to generate an internal interrupt within secure microprocessor on a periodic basis, and said interrupt activates a routine within internal secure memory ⁇ iat retrieves ⁇ ie contents of the program counter of tiie system microprocessor at ⁇ ie time of the interrupt and compare this wi ⁇ i an address map generated by the PSO to determines which program was executing dunng the interrupt.
  • the invenuon allows for any combination and or permutation and or weighting for usage of any one or multiple PSOs.
  • Event usage may only require counting ocuirences of ⁇ ie measured event in smgle and multitasking UCDPS.
  • the usage of PSOs is usually recorded in part or whole within secure internal memory, howev ⁇ , the invention allows that part or all of the information on the use of PSOs may be encrypted and stored extemal to the PCPU and or UCDPS. It is preferable to keep sufficient information on PSO use internal to the device, in ord ⁇ that a software vendor receives ⁇ ie appropnate payment in the event ⁇ iat extemal storage of this information is corrupted, in which case while there may be no detailed breakdown of transactions, the vendor is correctly remunerated.
  • the aforementioned processes are transparent to the operating system.
  • An altemative non transparent method is to have the operating system perform various routines during task switching that may activate various processes within the secure internal memory to record details about program execution.
  • Information on program usage is usually maintained in secure non-volatile storage locations internal to the SPD.
  • the invention allows that a report an software usage may be prepared (usually in encrypted form, using any method and apparatus) for transmission to a service provid ⁇ and or any oth ⁇ authorised party on a periodic basis, that may be any period and may be fixed and or variable; this report is usually generated by secure routines within one or more PCPUs from information that may be internal and or extemal to the PCPU.
  • Co ⁇ irolling execution (and or anv oth ⁇ processing ⁇ of protected software objects One objective of ⁇ ie invention is to provide a me ⁇ iod and apparatus that may be used to protect software objects in a manner that does not restrict the copying of ⁇ ie PSO and ⁇ iat in ⁇ ie preferred scenario, would provide at nominal cost a copy of that particular software obje ⁇ to any us ⁇ of a UCDPS requiring it.
  • An optimal situation would be tiie collation of all PSOs suitable for use with a particular type of UCDPS onto a collection of CD ROMs that may be supplied to users at nominal cost. Update CD ROMs may be made available on a periodic basis.
  • the invention allows for PSOs to be supplied on any medium and this may include access to a database of PSOs via ⁇ ie Internet.
  • the capacity of a SPD to decrypt externally supplied information in a secure mann ⁇ that may include realtime decryption and decryption using software routines within internal secure memory (that may be supported by hardware decryption engines) together with ⁇ ie me ⁇ iod and apparatus to securely encrypt information for transf er to a service provider (or any oth ⁇ appropriate extemal party), provides a secure and flexible environment for restricting the use of a PSO using multiple methods and ⁇ ie invention allows far all of these.
  • the SPD may requires certain information from the PSO of relevance to determining ⁇ ie type of protection system applied to the PSO, for example, certain data (or any oth ⁇ me ⁇ iod) may be extracted from ⁇ ie PSO to inform ⁇ ie SPD ⁇ iat this particular PSO may be executed on a time used basis and whether or not this is linked to the availability of credit within the SPD. Information on the vendor and or the product code of the PSO and usually the amount to charge for a unit of execution time may then be required (and this information may be required for any oth ⁇ protection systems).
  • This information is the PSO itself and this information may be extracted by the SPD, using any method and apparatus.
  • the usual process extracts (using any me ⁇ iod and apparatus) ⁇ ie vendor and produ ⁇ code from encrypted parts of the PSO and stores it within secure memory internal to the SPD.
  • the cost of executing (and or any oth ⁇ processing) the PSO on a time and or event basis and or any oth ⁇ basis is extracted from ⁇ ie PSO where applicable.
  • the SPD grants a generic right to execute as long as certain internal and or external generic codes match the requirements of one or multiple PSOs.
  • the invention allows that information contained within a PSO may not be current as regards execution costs (and or any oth ⁇ information) and provides for any metiiod and apparatus to compensate for this, with the preferred method being the provision of one ⁇ multiple files located on a suitable mass storage device attached directly and or indirec ⁇ y to ⁇ ie UCDPS, wi ⁇ i said files referenced in this document as Current Data Files (or CDF).
  • CDF may be updated as required using any method and apparai ⁇ (including automatic update using information contained in newly released PSOs).
  • a current data file may contain any information, and may replace pan at least of that within a PSO, howev ⁇ , it will usually include details of ⁇ ie costs associated wi ⁇ i executing PSOs (that may be all, or a subset of, ⁇ ie available PSOs), and this may include information on discounts for frequency and or quantity and OT special groups and or special promotions and or any oth ⁇ information.
  • a CDF may have a creation date and or one or multiple blocks of information pertaining to one or multiple PSOs may include the date (or any o ⁇ i ⁇ method and apparatus to effect an equivalent result) said inforniation pertaining, became valid.
  • ⁇ ie date of creation (and or any o ⁇ i ⁇ me ⁇ iod and apparatus to effe ⁇ an equivalent result) is usually included within the PSO and when a PSO is processed, ⁇ ie date within the PSO may be compared to that within the CDF (if present), with ⁇ ie more recent information preferably used.
  • the information within a CDF is preferably encrypted and this may be for any reason, including protection against tampering with the information.
  • Various validity checks may be performed when information within a CDF is loaded and OT used (this may be for any reason including detecting unauthorised alterations to the information).
  • an SPD When an SPD generates a report for the service provid ⁇ (or any oth ⁇ authorised party) it may include information on the currency of inforniation within a particular CDF, and or the absence of a CDF, and or the creation dates of the PSOs executed. It may be mat a us ⁇ knows that access to a particular CDF by ⁇ ie SPD may result in increased costs to the us ⁇ than would be incurred, by referencing the billing information in the actual PSO, and said us ⁇ may be reluctant to update their current CDF and or may delete the CDF (the invention allows that the presence of at least one CDF is required). The invention allows for any method and apparatus that may be used to circumvent this potential problem, including the service provid ⁇ adjusting billing to reflect current charges (or any oth ⁇ reason).
  • the preferred protection system is applicable to PSOs that are permitted to operate within a UCDPS on an unrestricted basis, as long as certain criteria are met • the PCPU and or any aha PCPU has sufficient credit programmed into the device (using any me ⁇ iod and apparatus) to cover the costs incurred by ⁇ ie us ⁇ in executing the PSO, and or • the use of each PSO is logged and this may be time based and OT event based and or any o ⁇ i ⁇ method and apparatus ⁇ iat requires periodic reports on software use and OT any o ⁇ i ⁇ information to be provided to an appropriate external party.
  • the invention allows that PSOs may be used on a time and or events basis and that this may require the availability of credit within ⁇ ie SPD and or may not require the availability of said credit in which case ⁇ ie us ⁇ would usually be billed for use of software aft ⁇ providing a periodic report to ⁇ ie service provid ⁇ .
  • the appropriate units of usage ⁇ iat may be time and or monetary and or any oth ⁇ token
  • ⁇ iat may be time and or monetary and or any oth ⁇ token
  • OT any oth ⁇ method are progressively adjusted against a particular vendor/produ ⁇ code (and OT any oth ⁇ method).
  • the credit units within a SPD may represent any token and or currency, using any method.
  • the invention allows for any mediod and apparatus to secureley store this information and this may be internal and or extemal to the SPD.
  • a number of metiiod steps were described earli ⁇ for transferring credit to a particular SPD, and a similar method is used for supplying a service provid ⁇ with information about PSO usage, and far the service provida to inform ⁇ ie SPD that this information has be ⁇ i received, and ⁇ iat fur ⁇ i ⁇ use of PSOs may continue, howev ⁇ any oth ⁇ method and apparatus is allowed for.
  • a us ⁇ may be required to provide a report when available credit within ⁇ ie SPD is zero and or some o ⁇ i ⁇ OTedetermined amount and or the us ⁇ may be required to report information to the service provid ⁇ on a periodic basis, and said periodic basis may be any period and it may be varied by the service provid ⁇ , and OT the us ⁇ may be required to report to the service provid ⁇ when a certain number of events have occurred, that may be any combination of events, including the number of times one or multiple PSOs have been used, and or a us ⁇ may be required to provide a report to any authorised party for any reason; those PSOs that do not require ⁇ ie presence cf available credit within the SPD may share any of the reporting requirements discussed, howev ⁇ , they usually are independent as to tiie state of credit within ⁇ ie SPD.
  • a practice a mix of methods may be used and a periodic report may be required.
  • a report is required on a periodic basis, a secure battery backed realtime clock/calendar is the preferred source of determining (in conjunction with rxedetermined and or otherwise information on the time intervals to be used) when tiie relevant time interval has occurred.
  • available credit expires and or a certain date and or time is reached and or a certain number of events and or type of events have occurred, part or all of the functions of the SPD may be disabled.
  • Whatev ⁇ the trigg ⁇ point for requiring ⁇ ie us ⁇ to supply ⁇ ie service provid ⁇ wi ⁇ i a report generated by secure methods within and or in conjunction wi ⁇ i ⁇ ie SPD, ⁇ ie me ⁇ iod steps to supply said report and to reactivate the SPD for further use may use any me ⁇ iod and apparatus, including: 1) When the SPD determines that internal and OT external information is due far reporting to a service provid ⁇ , any method may be used to alert the user, and one preferred method uses the ability of ⁇ ie PCPU to call routines transparently to the operating system by having the secure microprocessor DMA information to display memory and this facility may be used to ov ⁇ lay a message on tiie display device of the UCDPS advising them to execute a program that will generate a report and this is preferably at the start of a processing session.
  • the report generator is executed and this may display a menu based system to assist the user through the process. If information is to be transmitted to the service provid ⁇ via a modem and any retum information received by the same method then the process may be fully automated and transparent to the user.
  • the invention allows for any method and apparatus that assists the us ⁇ wi ⁇ i tiie process.
  • the report generator usually triggers routines within the SPD that collate and encrypt the information to be supplied to the service provid ⁇ , with ⁇ ie information usually including one or multiple unique identity codes for a particular SPD, and this may and or may not be encrypted.
  • the report would usually be integrated with any information to be supplied to a service provid ⁇ as regards credit remaining within a SPD.
  • the us ⁇ contacts a service provid ⁇ (using any method, the most convenient usually being via a modem) and supplies the service provid ⁇ wi ⁇ i ⁇ ie information generated by the report generator. As mentioned, if using a modem this process may have minimal us ⁇ intervention. If a modem is not available the information may be sent by any me ⁇ iod, including as a file on a diskette and or the information may be read ov a telephone (this may be verbal or use the numeric pad) and or any oth ⁇ method.
  • ⁇ ie service provid ⁇ determines the electronic signature of the SPD generating the report and using known details about various information within ⁇ iat particular SPD decrypts the report and confirms that it has not been tampered with. 5) Any method may be used to colle ⁇ payment for any amounts payable as a result of use of sof ware objects and or any oth ⁇ reason. 6) The service provid ⁇ prepares a one time code using any metiiod and apparatus that may be correc ⁇ y interpreted by the target SPD and is usually specific to a particular SPD. 7) The one time code is transferred to the us ⁇ of ⁇ ie SPD and entered into the computer. The code is decrypted.
  • Wi ⁇ i ⁇ ie exception of ⁇ ie periodic updating of internal credits and ⁇ ie reporting of software usage the me ⁇ iod and apparatus of software protection and distribution may be transparent to the us ⁇ . As long as payments are made as required the us ⁇ would treat a PSO as they would any presently available software object.
  • the invention allows that a us ⁇ may purchase a particular PSO for unlimited use, and this may use any method and apparatus, including debiting ⁇ ie cost of the PSO from any available internal credit and settting a code such that there is no further billing for use of this PSO; one me ⁇ iod allows for a file to be kept on a suitable mass storage device attached directiy and or indirectly to the UCDPS (referenced as Exempt PSO File, or EPF) and this may store, usually in encrypted format (in part or whole), a vendor code and product code and a code that is unique to a particulrar PCPU for that particular product.
  • EPF Exempt PSO File
  • Said code is usually created when payment is made and this may be automatic when there is available credit in the PCPU and or may be supplied by ⁇ ie service provid ⁇ on receipt of payment and or any o ⁇ i ⁇ method.
  • routines within the PCPU may access this file and determine whether or not a particular PSO that is normally charged on any type of usage basis, is exempt from this process.
  • One alternative is for the service provider to ⁇ edit any debits made for use of prepaid PSOs.
  • a variation on the method and apparatus described earh ⁇ allows for a certain group of programs to be used on an unlimited basis for a period of time, for one fixed charge. This may apply to computer games for example that may be used for $X per month, where X may be any amount.
  • a periodic report is required to determine usage of the different games in ord ⁇ to appropriately pay the vendors of those games.
  • the actual pro rata allocation to various vendors may be made by the service provid ⁇ using any agreed fo ⁇ nular. This may use a special code within the PSO and OT ⁇ ie CDF and or ⁇ ie EPF and or any oth ⁇ method.
  • the invention allows at multiple software object groupings may use this variation and the amount charged for one grouping may be the same and or different to other groupings.
  • the invention allows that part or all of the processes that require the us ⁇ to supply one or multiple codes to activate part or all of the invention far any reason, may use any method and apparatus to prevent attempts at creating said codes by trial and error and or any o ⁇ i ⁇ me ⁇ iod, wi ⁇ i tiie preferred said method and apparatus to prevent being a routines) within secure int ⁇ nal memory that log in non-volatile storage invalid attempts at entering codes and part or all of this inforniation may be stored in one or multiple external files, that may be directiy and or indirectly attached to the UCDPS.
  • the invention allows for any action to be taken including, disabling the PSO and or multiple PSOs and or the PCPU and or all processing capability, and this may be done using any method and apparatus.
  • the invention allows that a us ⁇ who has purchased in part or whole one or multiple PSOs and or earned frequency discounts on one or multiple PSOs and or any oth ⁇ reason, may wish to port these to another SPD far any reason, including that tiie us ⁇ has purchased a new machine and or because ⁇ ie us ⁇ wishes to sell part or all of any int ⁇ est in one or multiple PSOs to another user.
  • the invention also allows that one or multiple PSOs may not offer this facility.
  • the invention allows ⁇ iat there are multiple known methods and apparatus for achieving mis including, ⁇ ie preferred option that may involve the following method steps: 1) the us ⁇ activates a program to reverse various capabilities granted to a particular SPD, far example activation codes and or discount schedules.
  • Certain information is preprogrammed into the PCPU prior to being made available to a user and some of this may restrict the us ⁇ of tiiat particular PCPU from various functions available within the PCPU and or available in various information supplied by a service provid ⁇ .
  • An example may to restrict users of a particular country from various services.
  • the invention allows that some of these restrictions may be reprogrammable with information supplied by the service provid ⁇ while oth ⁇ information may be fixed.
  • a user of a UCDPS equipped with a PCPU may have various restrictions that they want placed on tiie use of ⁇ ie PCPU and ⁇ iese would normally be programmable by the user, and ⁇ iese may included any approved functions, using any known me ⁇ iod.
  • a us ⁇ may want a mast ⁇ password for themselves and this would usually be stored within non-volatile storage elements of system memory, and the correct entry of this may be required to activate ⁇ ie PCPU (in the case of a PCPU the CPUs within may be disabled). Additional passwords may also be required that allow limited access to the PCPU, for example, certain passwords may be attached to children to prevent them from using unsuitable software, or certain employees may be prevented from playing games on their computers during business hours. Certain functions may also be attached to various passwords, e.g. to monitor usage.
  • Any program and or data that is preprogrammed into a PCPU may in part or whole be the same as those within o ⁇ i ⁇ PCPUs and or may in part or whole be unique to o ⁇ i ⁇ PCPUs.
  • Any program ⁇ iat is currently within secure memory may call on any currently external programs and or data and or apparatus to assist the functions of said any program.
  • the present invention also allows for the inclusion of part or all of the method and apparatus described in this application when used in conjunction (in any mann ⁇ ) with any secure apparatus (that may be one or multiple devices) for use in: the secure decoding of encrypted (in part OT whole) video information and or any oth ⁇ encrypted (in part or whole) visual information, and or the secure generation of the necessary signals to display the decoded information on a suitable visual output device, with said necessary signals preferably constrained within a secure location within said visual output device and or ⁇ ie secure decoding of encrypted (in part OT whole) souiid information and OT the secure creai ⁇ ra fr information of the necessary signals to drive a loudspeaker (and or equivalent), with said necessary signals preferably constrained within said loudspeak ⁇ (or equivalent) and or the secure decoding of encrypted (in part OT whole) text as may be the case wi ⁇ i electronic books and or newspapers (and or any oth ⁇ printed matter of commercial value that is
  • Any combination of software and or hardware and or mi ⁇ ocode may be used to implement the metiiod and apparatus, wi ⁇ i ⁇ ie preferred method and apparatus: retrieving pricing information from the encrypted information; and or timing ⁇ ie use (and or counting the frequency of use) of said encrypted information; and or storing this within ⁇ ie secure apparatus (that may include secure locations extemal to the secure apparatus) in non- volatile storage elements; and or debiting an amount of electronic funds previously embedded within the secure apparatus; and or recording an amount to charge at a future date; and or generating a report of usage (preferably with a breakdown for each vendor and or product) that is supplied to the information provid ⁇ (and or agent); and or a system to ensure that said report of usage has been received by the relevant parties; and or that may disable part or all of its capabilities in the event ⁇ iat electronic funds expire and or internal credit limits are exceeded and or a report is not provided to the relevant parties and OT that periodic information is not received from said relevant parties; and or that may be updated with additional electromc
  • ⁇ ie normal process is to: a) block interrupts if required and write a command to the system conimand input port requesting use of the SPD. b) the process of writing to ⁇ ie port preferably generates an interrupt so there is a rapid response from the secure microprocessor, otherwise there may be a delay while it is polled. c) the secure microprocessor writes to the system command output port a value that indicates if there are currently no resources and anoth ⁇ value if there are resources, together wi ⁇ i ⁇ ie address and size of a us ⁇ command input and output port and a us ⁇ data input and output port It clears the value written by ⁇ ie system microprocessor into the system command input port.
  • the PSO reads ⁇ ie information from the system command output port and reactivates interrupts.
  • e) if resources are currently unavailable to the PSO it may ent ⁇ any known delay routine and try again later. The option exists for it to branch to a routine to advise tiie us ⁇ that ⁇ ie multitasking capability of the UCDPS is currently fully extended.
  • f) if granted access it saves the appropriate us ⁇ port information in an accessible location and may read and write to these ports as required. There is no need to disable interrupts when accessing the us ⁇ ports allocated to it. There is no requirement to modify the task switching routines of the UCDPS operating system.
  • the SPD if the SPD has granted a PSO access to the SPD then it preferably stores relevant information about the PSO us ⁇ partition in a known location in the system partition, usually wi ⁇ i information on o ⁇ ier us ⁇ partitions. h) ⁇ ie SPD waits until the PSO starts writing information to its us ⁇ data input port, this may be trigg ⁇ ed by an interrupt or polling of locations and or any other method. i) the SPD transfers ⁇ ie information into ⁇ ie allocated secure user partition. This may be done via the us ⁇ data input port and or via Direct Memory Access (DMA) or by dire ⁇ programmed I/O by the secure microprocessor and or any other method permitted by a particular embodiment of the invention.
  • DMA Direct Memory Access
  • PSOs usually include various information to assist the SPD in addition to various encryption and validity checking information.
  • various system functions are activated to decrypt and validate where appropriate and extract oth ⁇ information relevant to the PSO.
  • the PSO may be determined to be a valid System Support Object that is required to be loaded into ⁇ ie secure system partition to addresses determined by any method.
  • the system Support Object may include data and commands as to what sort of processing is required and or it may contain executable instructions, in which case the secure microprocessor will be directed to execute this program.

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Accounting & Taxation (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Finance (AREA)
  • General Business, Economics & Management (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Strategic Management (AREA)
  • Mathematical Physics (AREA)
  • Development Economics (AREA)
  • Economics (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Procédé permettant de louer un logiciel, qui repose sur le redressement des processus de cryptage par l'intégration d'un traitement sécurisé dans le microprocesseur système d'un système de traitement de données commandé par l'utilisateur. Le procédé est constitué d'objets logiciels protégés qui, outre le fait qu'ils sont fonctionnellement limités de façon à nécessiter le redressement de ladite limitation à l'intérieur du microprocesseur, comportent des informations étroitement intégrées sur les conditions d'utilisation. Ce système est utilisé pour répartir sur une large échelle un logiciel pouvant fonctionner sur n'importe quel ordinateur. L'utilisateur est chargé sur une unité de base. Les procédés sécurisés décrits pour le microprocesseur système trouveront des applications dans d'autres procédés sécurisés.
PCT/AU1997/000010 1996-01-10 1997-01-10 Systeme a la carte securise pour logiciels d'ordinateur WO1997025675A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
AU13598/97A AU1359897A (en) 1996-01-10 1997-01-10 A secure pay-as-you-use system for computer software
GB9817142A GB2325319A (en) 1996-01-10 1997-01-10 A secure pay-as-you-use system for computer software

Applications Claiming Priority (8)

Application Number Priority Date Filing Date Title
AUPN7479 1996-01-10
AUPN7479A AUPN747996A0 (en) 1996-01-10 1996-01-10 Method and system for protection and distribution of computer software
AUPO0276A AUPO027696A0 (en) 1996-06-06 1996-06-06 Method and apparatus for securely executing encrypted programs and or performing other private functions within the system cpu
AUPO0276 1996-06-06
AUPO0777 1996-07-01
AUPO0777A AUPO077796A0 (en) 1996-07-01 1996-07-01 Secure computer processing
AUPO1462A AUPO146296A0 (en) 1996-08-06 1996-08-06 A method and apparatus for protecting and or distributing software objects
AUPO1462 1996-08-06

Publications (1)

Publication Number Publication Date
WO1997025675A1 true WO1997025675A1 (fr) 1997-07-17

Family

ID=27424406

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU1997/000010 WO1997025675A1 (fr) 1996-01-10 1997-01-10 Systeme a la carte securise pour logiciels d'ordinateur

Country Status (3)

Country Link
CA (1) CA2242777A1 (fr)
GB (1) GB2325319A (fr)
WO (1) WO1997025675A1 (fr)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1998054672A1 (fr) * 1997-05-29 1998-12-03 John Griffits Procede securise de mesure de publicites dans les systemes informatiques
WO2001046810A1 (fr) * 1999-12-22 2001-06-28 Algotronix Ltd. Procede et appareil pour la configuration sure d'un reseau de portes programmable par l'utilisateur
GB2378529A (en) * 2001-05-09 2003-02-12 Sysmedia Ltd Pay per use software
WO2002017048A3 (fr) * 2000-08-18 2003-08-21 Hewlett Packard Co Dispositif securise
FR2839793A1 (fr) * 2002-05-15 2003-11-21 Noan Olivier Le Systemes et procedes pour commander selectivement et comptabiliser l'utilisation effective de programmes tels que des progiciels sur des postes informatiques
EP1158404A3 (fr) * 2000-05-26 2004-04-14 Sharp Kabushiki Kaisha Dispositif de serveur et système de transmission d'application pour la transmission appropriée de l'application divisée en parties
EP1013026A4 (fr) * 1997-09-16 2004-09-08 Information Resource Engineeri Coprocesseur cryptographique
US7203842B2 (en) 1999-12-22 2007-04-10 Algotronix, Ltd. Method and apparatus for secure configuration of a field programmable gate array
US7240218B2 (en) 2000-02-08 2007-07-03 Algotronix, Ltd. Method of using a mask programmed key to securely configure a field programmable gate array
EP1826694A3 (fr) * 2006-02-27 2009-01-14 Broadcom Corporation Procédé et système d'architecture, système sur une puce sécurisée pour le traitement de données multimédia
EP1383060A4 (fr) * 2001-04-24 2010-02-10 Sony Corp Dispositif de traitement de l'information pour le chargement et procede
US7844808B2 (en) 2006-12-18 2010-11-30 Microsoft Corporation Computer compliance enforcement
US9489318B2 (en) 2006-06-19 2016-11-08 Broadcom Corporation Method and system for accessing protected memory
US9652637B2 (en) 2005-05-23 2017-05-16 Avago Technologies General Ip (Singapore) Pte. Ltd. Method and system for allowing no code download in a code download scheme
WO2018031372A1 (fr) * 2016-08-10 2018-02-15 Qualcomm Incorporated Mise en œuvre d'une confidentialité de données d'utilisateur à résilience logicielle et basée sur un matériel en exploitant une rétention éphémère de données d'une mémoire volatile
US9904809B2 (en) 2006-02-27 2018-02-27 Avago Technologies General Ip (Singapore) Pte. Ltd. Method and system for multi-level security initialization and configuration
FR3108748A1 (fr) * 2020-03-30 2021-10-01 Cosmian Tech Protection d’un logiciel secret et de données confidentielles dans une enclave sécurisée
CN115997181A (zh) * 2020-06-30 2023-04-21 发那科株式会社 控制装置

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7596671B2 (en) 2005-11-09 2009-09-29 Microsoft Corporation Pre-paid computer monitoring hardware
US8451020B2 (en) 2010-09-30 2013-05-28 International Business Machines Corporation System and method for integrated circuit module tamperproof mode personalization

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0266748A2 (fr) * 1986-11-05 1988-05-11 International Business Machines Corporation Système de protection de logiciels à l'aide d'un système cryptographique à clé unique, d'un système d'autorisation basé sur le matériel et d'un coprocesseur en lieu sûr
WO1990013865A1 (fr) * 1989-04-28 1990-11-15 Softel, Inc. Procede et appareil pour commander et controler a distance l'utilisation d'un logiciel informatique
WO1992014209A1 (fr) * 1991-02-05 1992-08-20 Toven Technologies Inc. Appareil de chiffrement pour un ordinateur
EP0561685A2 (fr) * 1992-03-16 1993-09-22 Fujitsu Limited Système de protection de données électroniques
WO1993021581A2 (fr) * 1992-04-17 1993-10-28 Secure Computing Corporation Securisation de donnees cryptographiques dans un systeme informatique securise
WO1995022796A1 (fr) * 1994-02-18 1995-08-24 Infosafe Systems, Inc. Procede et appareil d'extraction d'informations protegees d'une base de donnees cd-rom

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0266748A2 (fr) * 1986-11-05 1988-05-11 International Business Machines Corporation Système de protection de logiciels à l'aide d'un système cryptographique à clé unique, d'un système d'autorisation basé sur le matériel et d'un coprocesseur en lieu sûr
WO1990013865A1 (fr) * 1989-04-28 1990-11-15 Softel, Inc. Procede et appareil pour commander et controler a distance l'utilisation d'un logiciel informatique
WO1992014209A1 (fr) * 1991-02-05 1992-08-20 Toven Technologies Inc. Appareil de chiffrement pour un ordinateur
EP0561685A2 (fr) * 1992-03-16 1993-09-22 Fujitsu Limited Système de protection de données électroniques
WO1993021581A2 (fr) * 1992-04-17 1993-10-28 Secure Computing Corporation Securisation de donnees cryptographiques dans un systeme informatique securise
WO1995022796A1 (fr) * 1994-02-18 1995-08-24 Infosafe Systems, Inc. Procede et appareil d'extraction d'informations protegees d'une base de donnees cd-rom

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1998054672A1 (fr) * 1997-05-29 1998-12-03 John Griffits Procede securise de mesure de publicites dans les systemes informatiques
EP1013026A4 (fr) * 1997-09-16 2004-09-08 Information Resource Engineeri Coprocesseur cryptographique
GB2375418B (en) * 1999-12-22 2004-06-23 Algotronix Ltd Method and apparatus for secure configuration of a field programmable gate array
WO2001046810A1 (fr) * 1999-12-22 2001-06-28 Algotronix Ltd. Procede et appareil pour la configuration sure d'un reseau de portes programmable par l'utilisateur
GB2375418A (en) * 1999-12-22 2002-11-13 Algotronix Ltd Method and apparatus for secure configuration of a field programmable gate array
US7203842B2 (en) 1999-12-22 2007-04-10 Algotronix, Ltd. Method and apparatus for secure configuration of a field programmable gate array
US7240218B2 (en) 2000-02-08 2007-07-03 Algotronix, Ltd. Method of using a mask programmed key to securely configure a field programmable gate array
EP1158404A3 (fr) * 2000-05-26 2004-04-14 Sharp Kabushiki Kaisha Dispositif de serveur et système de transmission d'application pour la transmission appropriée de l'application divisée en parties
WO2002017048A3 (fr) * 2000-08-18 2003-08-21 Hewlett Packard Co Dispositif securise
EP1383060A4 (fr) * 2001-04-24 2010-02-10 Sony Corp Dispositif de traitement de l'information pour le chargement et procede
GB2378529A (en) * 2001-05-09 2003-02-12 Sysmedia Ltd Pay per use software
WO2003098433A3 (fr) * 2002-05-15 2004-05-13 Noan Olivier Le Systemes et procedes pour commander selectivement et comptabiliser l'utilisation effective de logiciels
FR2839793A1 (fr) * 2002-05-15 2003-11-21 Noan Olivier Le Systemes et procedes pour commander selectivement et comptabiliser l'utilisation effective de programmes tels que des progiciels sur des postes informatiques
US9652637B2 (en) 2005-05-23 2017-05-16 Avago Technologies General Ip (Singapore) Pte. Ltd. Method and system for allowing no code download in a code download scheme
EP1826694A3 (fr) * 2006-02-27 2009-01-14 Broadcom Corporation Procédé et système d'architecture, système sur une puce sécurisée pour le traitement de données multimédia
US9177176B2 (en) 2006-02-27 2015-11-03 Broadcom Corporation Method and system for secure system-on-a-chip architecture for multimedia data processing
US9904809B2 (en) 2006-02-27 2018-02-27 Avago Technologies General Ip (Singapore) Pte. Ltd. Method and system for multi-level security initialization and configuration
US9489318B2 (en) 2006-06-19 2016-11-08 Broadcom Corporation Method and system for accessing protected memory
US7844808B2 (en) 2006-12-18 2010-11-30 Microsoft Corporation Computer compliance enforcement
WO2018031372A1 (fr) * 2016-08-10 2018-02-15 Qualcomm Incorporated Mise en œuvre d'une confidentialité de données d'utilisateur à résilience logicielle et basée sur un matériel en exploitant une rétention éphémère de données d'une mémoire volatile
US10678924B2 (en) 2016-08-10 2020-06-09 Qualcomm Incorporated Hardware-based software-resilient user privacy exploiting ephemeral data retention of volatile memory
FR3108748A1 (fr) * 2020-03-30 2021-10-01 Cosmian Tech Protection d’un logiciel secret et de données confidentielles dans une enclave sécurisée
EP3889809A1 (fr) 2020-03-30 2021-10-06 Cosmian Tech Protection d'un logiciel secret et de données confidentielles dans une enclave sécurisée
WO2021197871A1 (fr) 2020-03-30 2021-10-07 Cosmian Tech Protection d'un logiciel secret et de données confidentielles dans une enclave sécurisée
CN115997181A (zh) * 2020-06-30 2023-04-21 发那科株式会社 控制装置

Also Published As

Publication number Publication date
GB9817142D0 (en) 1998-10-07
CA2242777A1 (fr) 1997-07-17
GB2325319A (en) 1998-11-18

Similar Documents

Publication Publication Date Title
Mori et al. Superdistribution: the concept and the architecture
White ABYSS: ATrusted Architecture for Software Protection
WO1997025675A1 (fr) Systeme a la carte securise pour logiciels d'ordinateur
White et al. ABYSS: An architecture for software protection
EP1431864B1 (fr) Systèmes et procédés de gestion de transactions sécurisées et de protection de droits électroniques
JP4187844B2 (ja) 実行可能なコンピュータプログラムを未許可の使用から保護するための方法
EP1625463B1 (fr) Processeur sécurisé et rétrocompatible et exécution sécurisée d'un logiciel sur celui-ci
US7124302B2 (en) Systems and methods for secure transaction management and electronic rights protection
US8055913B2 (en) Systems and methods for secure transaction management and electronic rights protection
US8639625B1 (en) Systems and methods for secure transaction management and electronic rights protection
US7844835B2 (en) Systems and methods for secure transaction management and electronic rights protection
KR100609598B1 (ko) 암호화된 개체의 동적 변환 방법 및 그 장치
US5047928A (en) Billing system for computer software
US20010037450A1 (en) System and method for process protection
US20020199110A1 (en) Method of protecting intellectual property cores on field programmable gate array
EP0265183A2 (fr) Système de facturation pour des logiciels d'ordinateur
US20030191719A1 (en) Systems and methods for secure transaction management and electronic rights protection
US20040054630A1 (en) Systems and methods for secure transaction management and electronic rights protection
JP2003529963A (ja) デジタルコンテンツの著作権侵害を防止するための方法と装置
JP2003526965A (ja) 公開暗号制御ユニット及びそのシステム
JP2000503154A (ja) デジタル所有権のアクセスと分配を制御するためのシステム
AU1359897A (en) A secure pay-as-you-use system for computer software
CA2480118C (fr) Systemes et procedes de gestion de transactions securisees et de protection de droits electroniques
CA2619600A1 (fr) Systemes et procedes de gestion de transactions securisees et de protection de droits electroniques
Merkle Copyright 1993 by Xerox Corporation. All Rights Reserved. This draft is being distributed for the purpose of feedback and commentary. As a courtesy to the author, please limit its distribution.

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE HU IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK TJ TM TR TT UA UG US UZ VN AM AZ BY KG KZ MD RU TJ TM

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): KE LS MW SD SZ UG AT BE CH DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
ENP Entry into the national phase

Ref document number: 2242777

Country of ref document: CA

Kind code of ref document: A

Ref document number: 2242777

Country of ref document: CA

ENP Entry into the national phase

Ref document number: 9817142

Country of ref document: GB

Kind code of ref document: A

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

NENP Non-entry into the national phase

Ref document number: 97524684

Country of ref document: JP

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: GB

Free format text: 19970110 A 9817142

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载