Claims
Having thus described our invention, what we claim as new, and desire to
secure by Letters Patent is:
1. A software copy-protection apparatus, which is operable with a host
computer system, comprising:
a magnetic medium having tracks formed thereon which are divided into
sectors, with each sector being comprised of a plurality of bit storage
locations, with indicia being formed in at least one portion of at least
one sector, with said indicia not being modifiable by the medium write
process;
a product program stored on said medium, at least a portion of which is in
an encrypted form, and at least a portion of which may be in an
unencrypted form;
a support computing system operable with said host computer system,
including a decryption key for use in executing said product programs on
said host computer system;
means for ascertaining said indicia are present on said medium;
means included in said support computing system for utilizing said
decryption key to decrypt said encrypted portion of said program; and
means responsive to the ascertaining that said indicia is on said medium,
and said encrypted portion of said program has been decrypted, to permit
said support computing system to execute the encrypted portion of said
program product and said host computer system to execute said unencrypted
portion of said program product, if any.
2. The combination claimed in claim 1, including means for modifying the
information on said medium by said host computer system to identify said
program for use on said system.
3. The combination claimed in claim 2, including means for utilizing the
modified information to prohibit the use of the program on said medium on
any other computing system.
4. In a computing system, the combination comprising:
a host computer connected to a host system bus;
an interface system connected to said host system bus;
a support computer connected to a support system bus, which support system
bus is connected to said interface system, with at least a portion of said
support computer being logically inaccessible to said host computer with
said support computer system having stored therein a first decryption key
for use in decrypting programs which may be run on said computing system;
an original magnetic medium having tracks formed thereon which are divided
into sectors, with each sector being comprised of a plurality of bit
storage locations, with indicia in at least one bit storage location of at
least one sector of at least one track that are not modifiable by the
medium write process, with magnetic domain pattern marks overlapping said
indicia, with said domain pattern marks not being createable by the medium
write process;
information stored on said magnetic medium which includes a second
encrypted decryption key which can be decrypted with said first decryption
key, an encrypted part of a program which can be decrypted with said
second decryption key, possibly an unencrypted part of said program, and
an encrypted description of said indicia and said magnetic domain marks,
which can be decrypted with said second decryption key;
means for determining first use of said medium by ascertaining the presence
of said indicia and said domain pattern marks on said medium, with said
magnetic domain pattern mark being destroyed by the determination, whereby
said medium is made inoperable on a different computing system;
means included in said support computer for utilizing said first decryption
key to decrypt said second decryption key;
means responsive to the decryption of said second decryption key to decrypt
the encrypted description of said indicia and said magnetic domain pattern
marks;
means for comparing the decrypted indicia and magnetic domain pattern marks
with the actual indicia and the actual magnetic domain pattern marks to
ascertain the authenticity of said magnetic medium;
means responsive to said magnetic medium being identified as authentic for
storing said decrypted second key in said support computer, including
means for storing an identifier on said magnetic medium which identifies
the storage location in said support computer where said encrypted second
key is stored;
means responsive to determining the existence of said identifier on said
medium, including means to locate the storage location of the decrypted
second key in said support computer;
means for retrieving said decrypted second key from the storage location in
said support computer and for using said key to decrypt and run the
encrypted portions of said program on said support computer; and means for
running the unencrypted portions, if any, of said program on said host
computer.
5. In a computing system, the combination comprising:
a host computer system connected to a host computer bus;
a processor connected to a support computer bus, which communicates with
said host computing system, and which executes a particular set of
instructions, with the execution and results of predetermined ones of said
particular set of instructions being inaccessible to said host computer
system;
a read-only memory, connected to said support computer bus, addressable by
said processor, and not addressable by said host computer system,
wherein said read-only memory includes data representing a private
decryption key, which is to be used in conjunction with a particular
public-key encryption/decryption algorithm; a first read-write memory,
connected to said support computer bus, addressable by said processor, and
not addressable by said host computer system;
a second read-write memory, connected to each of said host computer bus and
said support computer bus, addressable by each of said processor and said
host computer system;
a set of communicating registers, connected to each of said host computer
bus and said support computer bus, addressable by each of said processor
and said host computer system for transferring data between each other;
and
a set of bus receivers, connected from said host computer bus to said
support computer bus, which enable the state of said host system bus to be
monitored from said support computer bus.
6. The combination claimed in claim 5, wherein said processor includes
means for examining the execution of instructions and the results of
instruction execution by said host computer, utilizing said set of bus
receivers.
7. The combination claimed in claim 6, wherein said processor, said
read-only memory, said first and second read-write memories, said set of
communicating registers and said set of bus receivers are physically
enclosed in a tamper-proof package.
8. The combination claimed in claim 7, including:
an original magnetic medium having tracks formed thereon which are divided
into sectors, with each sector being comprised of a plurality of bit
storage locations, with doubly-marked regions comprised of a first mark
comprised of indicia in at least one bit storage location of at least one
sector of at least one track that are not modifiable by the medium write
process, and a second mark comprised of magnetic domain pattern marks
overlapping said indicia, with said magnetic domain pattern marks not
being createable by the medium write process;
information stored on said magnetic medium including an encrypted
decryption key and encrypted mark descriptors, and further including an
application program, at least a portion of which is encrypted;
means for reading said encrypted decryption key into said first read-write
memory; means for utilizing said private decryption key stored in said
read-only memory and said encrypted decryption key stored in said first
read-write memory to decrypt said encrypted decryption key, and storing
the decrypted key in said first read-write memory;
means for reading said encrypted mark descriptors from said magnetic medium
and storing same in said first read-write memory;
means for utilizing said decrypted key stored in said first read-write
memory to decrypt the encrypted descriptors stored in said first
read-write memory, including means for storing the decrypted descriptors
back in said first read-write memory;
means for one of detecting the existence of, and measuring the properties
of, said doubly marked regions on said magnetic medium to produce mark
descriptors, including means for storing said mark descriptors in said
first read-write memory;
means for producing a first comparison by comparing said decrypted
descriptors with said mark descriptors;
means responsive to the first comparison to indicate one of said magnetic
medium is a copy if there is no comparison, and indicating said magnetic
medium is an original if there is a comparison;
a portion of said first read-write memory which is persistent, in the sense
that information written into said persistent portion is retained when
electrical power is not supplied to said persistent portion;
means responsive to the determination that there is a comparison, for
storing said decrypted key in the persistent portion of said first
read-write memory, and writing said original magnetic medium with the
address where said decrypted key is stored in said first read-write
memory.
DESCRIPTION
1. Technical Field
The invention is in the field of data processing, and specifically is
directed to a software copy protection mechanism. In particular, a
mechanism is provided which restricts software, distributed on disks or
other magnetic medium, to use on a single computing machine, while
allowing the creation of "backup" copies without compromising the
protection.
2. Background Art
Copy-protection mechanisms are utilized to inhibit software piracy, which
is the creation of unauthorized copies of commercial software. As the
market for personal computers, home computers, work stations and
intelligent products grows, piracy increasingly becomes a problem. The
purpose of a copy-protection mechanism is to deter piracy by making
copying of software as difficult as possible. Two basic classes of copy
protection mechanisms have evolved to deter piracy, namely, software-based
and hardware-key.
Software-based methods encode information on a disk so that conventional
copying facilities available in most operating systems cannot accurately
copy the information to another disk. The program on the disk checks for
this encoded information, and fails to function unless it is there.
Copying programs are now commercially available which can successfully
copy most disks protected in this manner.
Hardware-key methods rely on the existence of information known as the
"key", available to the program, but resident in the system hardware
rather than on changeable magnetic medium like the disk. The program
checks for the "key" information, and fails to function if the key is not
found. Hardware duplication facilities are not commonly found in personal
computers, while disk duplication facilities are. This makes hardware keys
more costly to duplicate than software, so these methods can be more
effective than software-based methods in deterring piracy.
One proposed hardware-key method requires that the computer manufacturer
install a hardware serial number in each machine as the hardware-key. This
method requires every piece of software to be customized to a particular
machine. This limits the availability and the interchangeability of
software. A second method, currently in use, requires the software user to
buy a special piece of hardware with each software product. This piece of
hardware provides the key, and it has to be attached to the machine
whenever the corresponding software is run, which makes the method
unattractive.
In large part each of the above protection methods is vulnerable to
copying of a binary image of the running application from the system
working memory, after such key checks have been made.
A number of patents have issued directed to software copy-protection
mechanisms, each having certain advantages and disadvantages. Two such
patents, U.S. Pat. No. 4,246,638 to Thomas and U.S. Pat. No. 4,168,396 to
Best provide a protection mechanism by means which are essentially similar
to each other. In both instances, the software package which is to be run
on some particular personal computer is customized by the manufacturer to
be compatible with the decryption keys and systems built into that
particular computer. This is extremely cumbersome and places a large
burden on users and vendors alike. The software used in the operation of
the apparatus described in these patents causes no changes in structure to
take place either in the user's computer or in the distribution disk.
U.S. Pat. No. 4,238,854 to Ehrsam et al addresses itself to a different
problem, namely a means by which an encryption/decryption engine may be
integrated into a multi-user mainframe computer system to protect a user's
files from access by other users. It does not address itself either to the
implementation of a distribution channel between software vendors and
users of personal computers or to the execution environment for such
protected software. It assumes that an operating system or hardware
mechanism for provision of levels of privilege already exists in the
machine in which this engine is to be installed. This is not the common
case in personal computers.
U.S. Pat. No. 3,996,449 to Attanasio et al addresses itself to a problem
faced by the operators of large mainframe computers. This problem is
"penetration of security" meaning "a successful subversion of the file
management component to change the backup copy of the operating system" or
"counterfeiting the computer manufacturer's packing and delivery
procedure" (for software). Such subversion or counterfeiting is
accomplished by a third party who seeks to gain access to confidential
files, payroll programs, or other potentially lucrative information or
processors by means of features one has installed in the operating system.
U.S. patent application Ser. No. 06-567,294 entitled, "A Hardware
Key-on-Disk System for Copy-Protecting Magnetic Storage Media", filed Dec.
30, 1983, which application is assigned to the assignee of the subject
invention, incorporates the best features of both software based and
hardware key methods. A hardware key is encoded directly onto a magnetic
medium such as a floppy disk. This key consists of indicia in at least one
subsection of at least one section of the disk that are not modifiable by
the conventional medium write process. The data read from a section
containing indicia differs in a predictable way from the data written to
that section. The disk can be authenticated as the original disk by
comparing a read-following-write with the expected results of such an
operation. The software functions only in the presence of this key, as the
key indicates the original medium is present. Software use is thus
restricted to those users possessing an original distribution disk. Backup
copies are not allowed by this system.
According to the subject invention, a method is set forth which restricts
software, distributed on disks, to use on a single machine and allows
backup copying. This mechanism involves making the distribution disks
functionally uncopyable, until it is modified by the execution of a
procedure which requires the cooperation of a co-processor. Upon
modification, the software may be copied but can only be used on the
machine containing the co-processor which participated in the modification
procedure.
DISCLOSURE OF THE INVENTION
Method and apparatus are disclosed for the copy-protection of software,
distributed on magnetic medium such as floppy disks, and used on a
computing system. The apparatus which comprises the copy protection system
consists of structures or marks imposed on the distribution magnetic
medium, and a hardware subsystem installed in the intended recipient
computer system. The hardware subsystem is a computing system the
components of which include: a CPU, read only memory (ROM) which is
logically inaccessible from the host system and containing software in the
form of a monitor (which begins execution at power-on-time), random access
memory (RAM) a portion of which is logically inaccessible from the host
system and a portion of which may, under the control of the subsystem CPU
be read from or written to by the host CPU, a memory in the form of
"nonvolatile" RAM such as EEPROM, which is logically inaccessible from the
host system, a timer and a real time clock which are logically
inaccessible from the host system, a register which may, under the control
of the subsystem CPU be read from or written to by the host CPU, and a set
of bus receivers by means of which the subsystem CPU may "observe" the
state of the host system bus. All of the above mentioned components of the
hardware subsystem are logically accessible to the subsystem CPU, and are
packaged in a manner which makes them physically inaccessible to the user
of the host computing system.
The portion of the apparatus which consists of structures imposed on the
distribution magnetic medium consists of two sorts of structures. One of
these kinds is purely a pattern of magnetic domains on the medium which
are not within the repertoire of domain patterns which can be created by
the medium read/write apparatus of the target computer. The other kind of
structure consists of regions on the medium on which boundaries between
magnetic domains cannot be imposed by the medium read/write apparatus of
the target computer. Very large magnetic domains are an example of the
first kind of structure. Media voids are an example of the second kind of
structure. The apparatus which consists of the two kinds of structures
imposed on the distribution magnetic medium is so configured that the
structures overlap each other.
While the medium read/write apparatus of the host system cannot create
these structures, it can, through operations which can be performed by the
read/write apparatus of the host system, detect and measure these
structures. The operations required to measure the structures which won't
support domain transitions are precisely the operations which will destroy
the structure which consists of a domain pattern.
The destruction of one kind of structure by the write-read operation
performed on the other kind of structure provides a means to the hardware
subsystem to determine whether or not a particular piece of magnetic
medium has been accessed by a subsystem of its own kind. The procedures
performed by the subsystem allow the transfer of a certain critical piece
of information from the medium only if this transfer has not ever been
performed from this medium in the past. The procedure of transferring the
information thus changes the structures on the medium so that no apparatus
of this kind will perform the critical information transfer in the future.
The hardware subsystem is supplied with a piece of information built in
which is critical to the use of the information transferred from the
magnetic medium, thus, the subsystem cannot be replicated by the user. The
subsystem can "observe" the portion of the transfer process mediated by
the host system. Thus, the transfer cannot be mimicked by software run on
the host. The magnetic medium cannot be replicated by the user or used
more than once for the transfer, thus, the medium cannot be copied in a
form useful for the transfer operation.
The critical information which is transferred is a decryption key needed to
run a portion of the application software on the subsystem. The decryption
key is itself encrypted. The critical information built into the subsystem
is the decryption key needed to restore the transferred decryption key to
useful form, thus, the user cannot use this information without the
cooperation of a subsystem of this kind.
Means are thus provided to bind a particular software distribution package,
some part of which is in encrypted form, to a particular hardware
subsystem and means are provided to make repeating this binding with the
same particular software distribution package or replica thereof to
another system, exceedingly difficult. Software distributed on magnetic
medium is, by these means, protected from copying.
After such a binding has taken place, the support hardware may be called
upon to execute some portion of the protected software. The support
hardware which experienced the binding to that software package alone has
the means to fill this call, as it alone has the key to decrypt the
software. Both decryption and execution take place in memory which is
logically and physically inaccessible to the user. Thus, the software is
protected from copying by never being exposed to the user in a useable
form.
After the transfer process is complete, when the support hardware is called
upon to decrypt and execute some portion of the software, the apparatus
comprised of structures on the distribution medium is not accessed. Since
all other parts of the distribution medium are reproducible, the medium
read/write apparatus of the host system can reproduce them. Thus, "backup"
copies can be made after transfer but only the original system has the
means to use the "backups".
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram representation of a computing system, including
support hardware, according to the invention;
FIGS. 2.0-2.3 are sectional diagrams of a disk, illustrating how doubly
marked regions are created thereon;
FIG. 3 is a section of a sector on a disk, illustrating the placement of
doubly marked regions relative to a data record;
FIGS. 4.0-4.3 are sections of a sector on a disk, illustrating the four
step process for reading and writing data from the sector to verify the
existence of a doubly marked region on the disk;
FIG. 5 is a flow chart illustrating the support software which executes in
the host computer;
FIG. 6 is a flow chart illustrating the monitor software which executes in
the support hardware;
FIGS. 7.1, 7.2 and 7.3, when viewed with FIG. 7.1 on top, FIG. 7.2 in the
middle and FIG. 7.3 on the bottom, constitute a flow chart illustrating
the first-use-initialization (FUI) software which executes in the
support hardware;
FIG. 8 is a detailed flow chart of flow chart element 88 in FIG. 7.2;
FIGS. 9.1 and 9.2 when viewed with 9.1 on the top and 9.2 on the bottom,
constitute a detailed flow chart of element 102 in FIG. 7.2;
FIG. 10 is a detailed flow chart of the elements 78 and 136 in FIGS. 7.1
and 7.2, respectively; and
FIG. 11 is a flow chart of the load-decrypt-run (LDR) program according to
the invention.
BEST MODE OF CARRYING OUT THE INVENTION
The name Personal Computer, or Single User System or Individual Work
Station given to a class of small computers is misleading. Unless the user
has also written all the programs including the operating system used in
the computer, these machines are better titled Single Operator Systems.
From the point of view of classical operating systems, this places the
user/operator in a position of trust in which he has access to all the
system code and system facilities. In common Single Operator Systems, this
exposure of the system code and the system hardware facilities is an
opportunity to replicate and distribute code, which on classical large
computing systems, with separate operators and users, would be
unavailable. The means by which this security is achieved on large systems
is the implementation of a system in which users are given a privilege
status level which is tested by the system to determine whether or not the
user may execute certain instructions or access certain data for reading
or modification.
It is the purpose of this invention to teach how a system utilizing
privilege may be implemented on Single Operator Systems to the advantage
of the hardware manufacturer, the software vendor, and the scrupulous
Single Operator System user. It is called a "Shared Higher Level of
Privilege System" because it can be viewed as providing each software
vendor with an instantiation of a higher privilege level than the user,
without giving any vendor access to other vendors' privileged information.
By using this system, a portion of the hardware and software of the system
is hidden in a co-processor subsystem (hereafter called the Support
Hardware) which is installed in the Single Operator System (hereafter
called the host) so that some portion of the vendor software can be made
inaccessible to the user. In addition a method for transporting software
on floppy disks or other magnetic medium is provided which allows the
software vendor to hide some fraction of the software from the user in
spite of the user being able to examine it with the resources available to
him on the system. This is not to say that if the user makes a sufficient
investment of time and money, by adding resources to his system beyond
those needed for computing (e.g., logic analyzers and digital recorders),
that he will still be unable to expose the code, rather that without such
things, the resources of the Single Operator System which are available to
the user are insufficient to obtain the code for piracy. Use of the
resources of the Single Operator System is the overwhelmingly common
means of piracy, thus this system can dramatically reduce piracy in its
common form and make piracy unprofitable due to its cost in time and tools
in other cases.
For purposes of description, the host hardware is assumed to be an IBM
Personal Computer (PC) the operation of which is described in the IBM
Personal Computer Technical Reference Manual, 1981, and the host disk
operating system (DOS) is assumed to be IBM PC DOS. This is done for the
sake of clarity, and because the operations and DOS services of this
combination are typical of a class of machine in which this system is
useful. It should be understood that these DOS and hardware operations are
intended to be representative of all analogous operations on this or other
possible host systems under this or other operating systems.
A software copy protection system employing a shared higher level of
privilege is composed of two parts: the hardware privilege support system
installed in the work station, and the floppy disks or other magnetic
medium which are used to transport the software from the vendor to the
user. The floppy disk and the support hardware are modified by the first
attempt to use the software on the disk. These modifications make the fact
that the disk has been loaded detectable.
Disks which are used with this system are prepared by creating two kinds of
marks on the disk which are not producible by conventional disk drives but
which can be detected by them. These marks are in the form of the absence
of material which can have its magnetization changed by a disk drive write
head (the medium coating is either absent or replaced with higher
coercivity material) and in the form of domains which cannot be created by
conventional disk drive write heads (for instance a region in which the
orientation of the domain remains unchanged for distances large enough to
cause a loss of synchronization in the disk system).
For the remainder of this description, marks which are made by modifying
the medium will be referred to as MM marks, and marks which are made by
the creation of a domain pattern will be referred to as DP marks.
Both these marks have properties such as location and extent, which can be
used to encode information. The location and extent of the DP marks and
the location and extent of the MM marks can be detected by use of
appropriate procedures on conventional disk drives.
The location within a given sector of the DP type of mark may be found by
reading a sector twice, and comparing the results of the two read
operations. Since DP marked sectors do not contain the transitions needed
by the disk control system to keep its clock synchronized, the two read
operations will reliably show different data in the portion of the sector
which follows the beginning of the DP mark. The location of the DP mark
found by this method is approximately reproducible within limits set by
the hardware in the disk system.
The marks made by modifying the magnetic medium are detected by a sequence
of operations. First, a pattern of domains such that some domain
transitions coincide with the MM marks is written to the sector containing
the marks. The sector is then read, and the results of the read operation
are compared with the result expected given the write operation if the
sector had been unmarked. The location and extent of the marks can be
derived from the results of this comparison.
The MM marks can be "written" on the disk by laser photodecomposition
ablation as described in previously referenced patent application Ser. No.
06-567,294. DP marks may then be made over MM marks by moving a formatted
disk through a uniform magnetic field of width approximately equal to the
width of a sector, so that sectors with MM marks are swept by the magnetic
field. A band of large magnetic domains is thus created across the disk.
The disk is then reformatted on all the tracks except those containing MM
marks.
A disk treated this way would then contain both kinds of marks, with the DP
marks covering the MM marks.
It is important to note that the operations required to "read" the MM marks
are exactly the kind which will destroy the DP kind of marks. That is, the
act of writing a pattern onto a sector will create domains on the disk
which will support the synchronization in the disk system.
On a protected disk, the DP marks are made over a sector containing the MM
marks. This is done in order to ensure that the DP mark will be destroyed
by reading the MM marks which lie "below" it. Any domain structure which
both cannot be made by a conventional drive and which can be measured in
some way by a read operation can be used for this purpose.
The location and extent of both kinds of mark are recorded in a file on the
disk. This information can be used in the preparation of other files on
the disk but it is always encrypted before the disk preparation is
complete.
In addition to the marks there are files stored on the disk. The files fall
into two categories: (1) the protected application software, and (2) the
information needed by the support hardware to load and run the encrypted
part of the application.
The application software must consist of at least one file of encrypted
program. This part of the application is encrypted with a key provided by
the software vendor. The decryption key for that file is itself encrypted
with an RSA public key provided by the manufacturer of the support
hardware. This encrypted decryption key (EDK) is also recorded in a file
on the disk. It is in the best interest of the software vendor to encrypt
those fractions of the application software which he considers
proprietary, as it is the encrypted fraction of the software which will be
protected from redistribution by the user. A complete, prepared disk which
is ready to be sold or released consists of at least:
1. A doubly marked region which could be unique to the disk.
2. An application which consists of at least one file of program encrypted
with a key selected by the software vendor which may include the disk
marking parameters in the key.
3. The decryption key in encrypted form where the encryption is by the RSA
public key provided by the support hardware manufacturer.
4. A program which calls for the services of the support hardware
(first-use-initialization and load-decrypt-run), and which obtains
services from the host for the support hardware at its request.
5. The descriptions of the doubly marked region(s) in an encrypted form
where the encryption key is the same key used with the application
software.
It should be noted here that the RSA private decryption key must be kept a
secret by the hardware manufacturer, and that the software vendor is
better protected if the encryption key used to protect his software
includes the marking information. The encryption key can be made unique to
each disk by this method. It should be clear that the degree of protection
offered by this system depends on the fraction of the total protection
system utilized by an implementer.
If piracy of a protected disk is attempted at this point, then the pirate
could be attempting to make copies of the disk on which the vendor has
supplied the protected software which will work without the support
hardware, or which can be transported to systems with the support
hardware. Each case will be discussed separately.
If the pirate wanted to make copies of the disk which will operate on
systems which contain the support hardware, then he must duplicate all the
features of the ready-for-distribution disk. Any conventional copying
program should be able to copy the encrypted application and the encrypted
decryption key in the encrypted non-executable form, but no conventional
disk drive could make the doubly marked region. No copy program running on
a personal computer has the hardware facilities needed to copy that part
of the distribution disk. As will be seen later, the support hardware
utilizes and changes the mark at the first-use-initialization. It will not
accept the transfer of the data needed to run the protected program if at
the first use of a protected program it does not find a doubly marked
region whose marks correspond correctly to the descriptions of the marks
stored in an encrypted file. Piracy by copying the protected disk for use
on a support-hardware-equipped system is thus inhibited by the
difficulties of duplicating the doubly marked region(s).
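
The disk preparation and first-use check described above can be modeled as follows. This is an added illustration, not code from the patent: the Mersenne-prime textbook RSA pair, the SHA-256 keystream cipher, the HMAC key derivation, and all names and sample values are assumptions chosen so the sketch runs with the Python standard library alone.

```python
import hashlib, hmac

# Toy RSA pair standing in for the hardware manufacturer's key. Assumption: two
# Mersenne primes and no padding, chosen only to stay stdlib-only; not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the support hardware

def stream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        # The label keeps the two files encrypted under one key on separate keystreams.
        pad = hashlib.sha256(key + label + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def prepare_disk(vendor_key: bytes, marks: bytes, program: bytes) -> dict:
    """Vendor side: build the files of a ready-for-distribution disk."""
    # Folding the mark parameters into the key makes the key unique to this disk.
    k = hmac.new(vendor_key, marks, hashlib.sha256).digest()
    return {
        "program": stream_xor(k, b"prog", program),    # encrypted application
        "mark_desc": stream_xor(k, b"desc", marks),    # encrypted mark descriptions
        "edk": pow(int.from_bytes(k, "big"), E, N),    # key wrapped under the RSA public key
    }

def first_use(files: dict, marks_on_medium: bytes):
    """Support-hardware side: unwrap the EDK, then check the physical marks."""
    k = pow(files["edk"], D, N).to_bytes(32, "big")
    described = stream_xor(k, b"desc", files["mark_desc"])
    if not hmac.compare_digest(described, marks_on_medium):
        return None                                    # marks absent or wrong: refuse
    return stream_xor(k, b"prog", files["program"])    # plaintext stays in private memory

# Constructed sample values, not taken from the patent.
VENDOR_KEY = hashlib.sha256(b"constructed vendor secret").digest()
MARKS = b"track=12;sector=3;bits=17,204"
PROGRAM = b"proprietary routine bytes"

if __name__ == "__main__":
    files = prepare_disk(VENDOR_KEY, MARKS, PROGRAM)
    print("original disk:", first_use(files, MARKS))
    print("file copy on unmarked medium:", first_use(dict(files), b""))
```

A file-level copy carries the encrypted program, the encrypted mark descriptions and the EDK unchanged, yet the check fails because the marks read from the new medium do not match the decrypted descriptions.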
If the pirate wishes to make copies of the disk which will run on systems
without support hardware, he must first decrypt those parts of the
application program which have been encrypted. Since there are two
processors in a support-hardware-equipped system, it is possible that the
application may be written to operate concurrently on the two processors,
or use special facilities on the support hardware. If so, the application
must be drastically modified to be operational.
Piracy by copying a decrypted version of the application is thus inhibited
by the strength of the encryption method used to render the application
and the EDK unreadable. It is practical to make this a virtually
insurmountable task. Even if this were accomplished, the software could
still be useless unless it were rewritten to run without a coprocessor.
In order for the copy protection system to be useful, it is necessary not
only that no useful copy can be made of the distribution disk, but also
that:
1. The distribution disk be able to be used in one and only one system.
2. The user be able to make unlimited quantities of backup copies of the
disk, all of which are useless on other systems.
3. The software never reside in system memory in a form which allows the
user to make a binary image of the system memory with a complete working
version of the application which could be loaded in other systems.
This part of the protection system is implemented with the support
hardware. The support hardware is itself a computing system. It has its
own processor, firmware in read only memory (ROM), hardware timers, a real
time clock (or other hardware means for obtaining a "random" number), and
RAM. It could be installed in a personal computer as a card set. It
communicates with the system in which it resides through a region of
common memory, and through a set of registers which reside in the port
address space of the host system. It is important to note that the common
memory is part of the support hardware system. The support hardware
controls its bus transceivers and can cause this memory to be unavailable
to the host for read operations. Other configurations are possible, but
all require that only a portion of the support hardware memory be
addressable by the host system. It is also necessary that the portion of
the support hardware memory which is not addressable by the host system be
physically inaccessible to the user. It is this memory in which the
support hardware will decrypt and run the encrypted portion of the
application software.
In addition to the processor, common memory, hardware timers, and port
addressed registers, the support hardware has physically and logically
secure memory space which contains ROM and EEPROM memory devices.
The ROM devices contain the system firmware. It is in the form of a monitor
whose commands are the services which the host system may request from the
support hardware. A complete set of such services would include as a
minimum set:
1. Perform first-use initialization.
2. Load, decrypt, and run application.
The EEPROM device is used by the support hardware as a secure, nonvolatile
memory in which decryption keys of initialized applications are stored.
The point should be made that the processor in the support hardware must
have at least two levels of privilege itself so that the memory occupied
by the EEPROM and the ROM, and the clock and hardware timers, can be
properly secured from the user.
All applications software decrypted and run on the support hardware is at a
lower level of privilege than the ROM resident firmware which controls
EEPROM access, loading, decrypting, and running operations. This structure
is needed in the support hardware to prevent the user from writing a
monitor which would run on the support hardware which would access the
firmware and the EEPROM and dump the contents of these into common memory.
As was noted earlier, the support hardware must be physically as well as
logically secure. This security is required in order to prevent the user
from using logic analyzers or other digital control and recording devices
to gain a record of the content of the secure memory space. It is worth
noting that, given the present state of the art of semiconductor
technology, physical security for the support hardware could be obtained
by packaging the complete support system in a single chip package. This
package could be built so that any effort at physical access (to probe the
memory content to obtain a set of decryption keys and algorithms) would
destroy the information in the ROM and EEPROM. This could be accomplished
with a combination of piezo-electric drives (to destroy the MOS gates in
the memory devices if the package were stressed sufficiently or if stress
in the package were released) and conducting lines on the IC or package
which would oxidize rapidly if the package were opened in the air.
While a single IC package is the preferred packaging technique for the
support hardware, the system could be built by at least two other methods:
1. As a set of chips which communicate with each other over a proprietary
encrypted bus.
2. As a conventional chip set assembled on a board and encapsulated with a
tamper protection system.
The support hardware is an addition made to a "Host" Individual Work
Station. This work station is a single common bus microprocessor based
computer system. The IBM PC is typical of this class of machines. Such
systems use the bus (which can be an array of transmission lines with
sockets at intervals) as a communications medium between logically
separate subsystems. Some of these subsystems may reside on the same
packaging element (in this case a printed circuit board called the "System
Board") as supports the bus. Subsystems which are necessary to the
function of the system or for expansion of the function of the system are
added by attachment to the bus through the sockets. It should be noted
that the components which constitute a subsystem may be made so that parts
of the subsystem may reside on different packaging elements.
The complement of subsystems which are shown in FIG. 1, in the region
labeled "Conventional Computing System" as indicated at 2, is an example
of a common, nearly minimal host system. The host CPU 4 is a single chip
microprocessor and a group of support chips. The host CPU 4 is supplied
with a periodic signal called a clock and with connection to the bus by
the support chips. The microprocessor is commonly supplied with more
support than this, but all support is aimed at executing a repeating cycle
of fetches of instructions from memory, fetches of data from some selected
element of the system (such as Random Access Memory), execution of
instructions, and when needed, storage of resulting data in a selected
element of the system. The host CPU 4 may have support supplied to it
called direct memory access (DMA) which allows the microprocessor to be
relieved of tasks which involve the movement of data from one addressable
element to another.
The microprocessor controls the type of bus operation performed (fetch,
store, etc.) and the type of element selected (RAM, Port Addressed
Register, etc.) by which of the control lines in the bus is "asserted"
(changed to the appropriate potential according to a protocol called the
bus definition). By these means, the microprocessor is able to obtain a
collection of instructions (called a program), execute the instructions on
a set of data, and cause the data stored in other elements of the system
to change as a consequence of the execution of the instructions.
The RAM 6 is a subsystem from which data can be fetched, or to which data
can be written, by the host CPU 4. It is the subsystem used to store data
and instructions
which are loaded from some other source. If it has meaningful content,
then that content has been written to it by the host CPU 4. At the time
that the computer is powered on, the RAM 6 contents are, for practical
purposes, meaningless.
The ROM 8 is a subsystem from which data can only be fetched. It may
contain a collection of programs which are needed to start useful
operation of the computer and which are useful for controlling the
remaining subsystems.
The remaining subsystems, terminal control unit 9, display 11, input device
13, disk system control unit 15 and disk drive 17 can be characterized as
having both addressable elements and mechanical, optical, or
electromagnetic (or other) elements which can affect human se