 |
Description  |
|
|
FIELD OF THE INVENTION
The present invention relates to providing access to data stored on a
portable data storage unit. More particularly, it relates to a system for
delivering encrypted data on a portable data storage unit and transmitting
an access code from a remote location to decrypt the encrypted data.
BACKGROUND OF THE INVENTION
As advances in data high density storage technology continue to progress,
more homes and business are acquiring computer peripherals capable of
reading the new forms of portable data storage media. For example,
high-density media such as compact disc-read only memory (CD-ROM) is
becoming a popular medium for storing advanced forms of electronic
information such as textual, visual (video or photographs) and audio
information as well as interactive media. CD-ROMs contain enough storage
space to hold the equivalent of 250,000 pages of text, 12,000 images, 1.5
hours of video, 500 paperback books or 430 magazines. Moreover, CD-ROM
technology supports an extremely cost effective replication feature
averaging $0.05 per replicated CD. CD-ROM players can be coupled to
television sets or computers so that the user can access textual and
visual information as well as audio information stored on a CD-ROM.
It is common practice for most publishers to collect and process their
information electronically, that is, on word processors and computers.
Their data is maintained in electronic form until it is time to mail it to
the subscriber. At that time, the information is printed, subscribers mail
labels are attached and the published information is sent via a postal
service to the subscriber. Under this system, the costs of printing and
delivery are extremely high. Moreover, environmental concerns have
necessitated the need to consider paper a critical resource. Accordingly,
the need for a new publishing medium has been recognized. For example, see
U.S. Pat. Nos. 4,827,508, 4,977,594 and 5,050,213, issued May 2, 1989,
Dec. 11, 1990 and Sep. 17, 1991 respectively to Shear.
Subscription services to the home and office through standard postal
channels provide subscribers with magazines, trade journals, financial
updates and book of the month clubs. These subscription services require
the user (subscriber) to pay a fixed amount either in advance or monthly.
During the time which the subscription is valid, the publisher continues
to mail its information to that subscriber. Moreover, any single user may
be the subscriber of a multitude of journals or magazines. It is also
likely a single subscriber may hold subscriptions to several magazines
published by the same publisher.
Also other types of published or archived information, such as corporate,
government, or legal records, are printed on paper for dissemination. When
disseminated, such records may inadvertently or intentionally be read by
those unauthorized to do so since there is no way to insure that the
reader is authorized to access to printed matter. Moreover, since some
published corporate or legal information is subject to constant updates
which renders the previously published material obsolete, it is preferable
but often difficult to purge dated material from circulation.
Again referring to the Shear patents, these systems audit or meter a user's
access activity. Because a key to unlock encrypted data is present on the
user's hardware, such as a PCMCIA card, the decryption function is
inhibited at the user's site in order to prevent unauthorized access to
the data. Thus, according to the systems of Shear, access to the
information on the portable storage medium, such as a CD-ROM, is available
to a user without prior authorization for access. Therefore, there is no
way to insure that the reader is authorized to access to the information
stored on the CD-ROM prior to the user's access. Furthermore, those
systems do not provide a way in which access to out-of-date information
can be blocked.
The need for protection of information stored on, for example, CD-ROMs,
from unauthorized access needs to be satisfied before such a publication
distribution system is acceptable to publishers. Security provided at both
the publisher's site and subscriber's site is needed to prevent the
unauthorized access to data contained on the media. Moreover, valid
subscribers need to be protected when their subscription service is
terminated.
SUMMARY OF THE INVENTION
There are at least three basic features of the present invention. They
include, encryption of data in a particular manner, distribution of the
data under a particular distribution scheme and controlling the use of the
data through an update scheme. Many benefits are provided by these basic
features as will be discussed in detail below.
This invention includes publishing data on a removable or portable media,
preferably high density, such as a CD-ROM or a magnetic optical (MO).
Thus, one or more publishers may incorporate several, if not, all of their
periodic publications on a single media. The present invention includes
partitioning the media according to the different publications into data
sets, and then providing a protection, access, and use audit scheme to
these data sets. Thus, only validated subscribers are able to gain access
to the information stored on the CD-ROM.
Another important feature of the present invention is that it provides the
publisher the tools to configure and set up data and billing according to
the publisher's own choice. At the time they create the media, publishers
are provided flexibility in billing to charge subscribers in accordance
with the type of information being sold. This flexibility is incorporated
into the publishing process.
More specifically, the protection and access scheme of the present
invention includes providing the publisher with an encryption tool on, for
example, a personalized PCMCIA, or other suitable program storage medium.
Under this implementation of the present invention, when the publisher
loads a program stored locally, menu driven options appear on the
publisher's computer screen which allow the publisher to define the user's
or subscriber's access to the publisher's data. The billing options are
also known as "attributes," which include, for example, subscription
duration. The billing attributes are associated with Key Material
Identifiers (KMIDs), which are in essence, indexes or identifying codes
for the purpose of correlating billing attributes with access codes.
Access code and key are used interchangeably herein. An access code
corresponding to a particular segment of data stored on the CD-ROM is
ultimately downloaded to the subscriber so that they may gain access to
the information.
The program stored on the publisher's PCMCIA enables the publisher to
encrypt the data so that an access code or key is required to decrypt it.
The encrypted or scrambled data along with the KMID is then stored on a
portable storage medium. Corresponding billing information is also stored
in a separate file for the user's review. The CD-ROM is then transferred
to the user. The user is also in possession of a PCMCIA, or other suitable
storage medium which has on it software for communicating with the
billing/access center and managing downloaded access codes. The user
further has available a telephone line or comparable medium, a computer
with a modem and peripherals capable of reading the PCMCIA and the CD-ROM.
An application on the user's personal computer enables a menu to appear on
the screen of the computer when the user loads the CD-ROM containing
publisher's data into its reading hardware. The menu lists, for example,
the publications available for sale and the billing information. The user
then, via the software stored on the PCMCIA card, requests access to one
or more of the publications by highlighting or pointing to a publication
for sale and then sending the request to the billing/access center. The
KMID or identifying index and required billing data, such as a credit or
debit card number, is sent to a remote billing station via the telephone
line. The billing station, upon credit approval, matches the KMID to the
access code and transmits the key and access parameter, e.g. time of
subscription purchased, to the user via the telephone line. The key is
then installed on the user's PCMCIA card. The user may then access the
particular publication which is accessible by that particular access code
or key.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 depicts the overall system of the present invention;
FIG. 2 shows the user/billing station subsystem of Box 11 of FIG. 1;
FIG. 3 shows the publisher/billing station subsystem of Box 12 of FIG. 1;
FIG. 4 is a schematic showing the information sent to the billing/access
center by the publisher and by the user;
FIG. 5 is a block diagram of some elements of the publisher's station of
the present invention;
FIG. 6 is a block diagram of the publisher's PCMCIA;
FIG. 7 is a flow chart of publisher's billing software;
FIG. 8 depicts a screen display of attribute choices available during the
publisher's utilization of the present invention;
FIG. 9 depicts a second screen display of security choices available during
the publisher's utilization of the present invention;
FIG. 10 shows a list of the type of information stored on the removable
media of the present invention;
FIG. 11 is a block diagram of some elements of the subscriber's station of
the present invention;
FIG. 12 is a block diagram of the subscriber's PCMCIA;
FIG. 13 is a flow chart of the subscriber's key request process;
FIG. 14 is a block diagram of key data base and billing/access center;
FIG. 15 is a flow chart of the billing/access center process; and
FIG. 16 is a chart illustrating the cryptographic update feature of the
present invention.
DETAILED DESCRIPTION OF THE INVENTION
The system and method of the present invention generally includes two
subsystems and submethods. The first part of this discussion will focus
upon the two subsystems and how they interrelate in order to make the
whole system. The second part of this discussion which begins below, will
concentrate on the implementation of each part of the system.
Referring to FIG. 1, box 11 and box 12 are two different portions of the
overall system which overlap at box 13. In box 12, the publisher 21 of
data is shown. The data can include any type of data which can be stored
on a portable storage unit 22 such as, and hereinafter referred to as
CD-ROM 22. After the data is generated and before it is stored on the
CD-ROM 22, it is encrypted or scrambled so that it cannot be accessed
without the appropriate access code. Accordingly, the present invention
incorporates standard cryptographic techniques such as symmetric key
encryption, digital signature, asymmetric key exchanges, or challenge
response. Alternatively, this invention may utilize any non-standard
cryptographic techniques.
After the publisher 21 encodes the data, it communicates certain
information to billing/access center 23 shown in box 13, as will be
discussed in detail below. The publisher 21 stores the encrypted data on
the CD-ROM 22 and then distributes the data via distribution channels such
as the postal service 24. Distribution channels can also include
inter-office distribution, for example, in a corporate, government or
legal environment among others. Ultimately, the CD-ROM is received by a
user 26. The user has a computer (which includes a processor) or a
television set or monitor with a processor and a CD-ROM reader. The user's
computer is equipped with either a software program and/or hardware which
is used to communicate with billing/access center 23 and which has a
controller to process the data received from billing/access center 23.
When the user 26 loads the CD-ROM 22 into its CD-ROM reader, the user is
presented with a menu on the computer or television monitor or screen
which indicates what data is stored on the CD-ROM 22. A portion of the
data on the CD-ROM 22 may not be encrypted so the user can access that
portion without an access code. However, at least a portion of the data,
according to the present invention, is encrypted. In order for the user to
access the encrypted data, the user must obtain an access code or a key to
decrypt the encrypted data. In order to obtain an access code, the user 26
communicates with the billing/access center 23 via connection 27, which is
a telephone line or other communication apparatus or device, sending a
request for a particular access code. Upon authorization, billing/access
center 23 downloads or sends to the user 26 via connection 27, an access
code to decrypt the data.
FIG. 2 shows the user/billing/access center subsystem in more detail. As
mentioned above, the user's computer is equipped with either a software
program and/or hardware which is used to communicate with billing/access
center 23 and which is used control the data received from billing/access
center 23. As depicted in FIG. 2, an application to open and provide use
"screens" is resident on the machine. Communication is therefore enabled
between the PCMCIA card 29 which is loaded into PCMCIA drive 32 and the
user operating the computer 31. The PCMCIA card 29 is supplied to user so
that the user can provide a request 27' to the billing/access center 23
for an access code to decrypt encrypted data. Upon authorization,
billing/access center 23 downloads or sends to the user 26 the access code
via connection 27". Connection 27' and 27" can be the same line or
transmission means, such including standard electronic mail formats. The
access code or key is stored on the user's PCMCIA card 29 for reasons
which will become clear below.
Now referring to FIG. 3, the publisher's station 36 consists of a
workstation for organizing and gathering information. A writer device to
create CD-ROM 35 is in communication with the publishers workstation. The
publisher is provided its own publisher PCMCIA card 33 on which a software
program is stored in order to allow the publisher to define and control
access to the data at the time the information is organized for
publication on the CD-ROM. Alternatively, hardware can be provided to the
publisher in place of software.
The data 34, as mentioned above can include, for example video, image,
photographs, databases, sound, software. The data is either generated on
or loaded onto the publisher's computer 36. In accordance with the present
invention, before the data is stored on the CD-ROM 22, the publisher
determines the billing partitions which are based on like data, e.g.
singles magazines, single database, group of similar photographs, modules
of executable software and single fonts. The publisher also separates the
data into different data sets such as files, sub directories, directories
and volumes under different symmetric cryptographic keys so that access to
each different segment is only possible with a key which matches that data
segment.
The billing partitions are categorized according to how the publisher wants
to bill for access to the data. Access control to the data set(s) is
therefore controlled via the billing or "attribute" mechanism of the
present invention. Attributes are assigned to the data sets by the
publisher 21 and are bound to the access code which is hereinafter
referred to as the key, such used by the user 26 to decrypt the individual
data sets. Each individual symmetric key is then bound to or assigned a
unique Key Material Identifier (KMID) which will be described in detail
below.
The attributes are defined, implemented and used to determine charges for
access to the data encrypted by the user 26 prior to access. One example
of an attribute is time duration. For example, one CD-ROM may contain a
January issue of a magazine. CD-ROMs issued for months following January
may contain subsequent issues of the same magazine. The publisher may wish
to offer 1 year, 2 year and 3 years subscriptions, as well as a free 1
month trial subscription. These four different time durations constitute
four different attributes. Thus, according to the present invention, a
cryptographic update process is applied to allow can be access for fixed
periods of time depending on which time duration was chosen by the user. A
configuration for an attribute is a data structure of variable length
containing flags indicating which metric is present and parameters
indicating metric values and units.
Other examples of attributes include "one time buy" attribute where the
information is purchased once, and all information protected by that key
is available to the subscriber. Also included is an "on demand" attribute
where the use of the data is monitored based on a publisher defined
parameter including number of times the key can be used, the number of
transactions, number of bytes or number of files transferred. Moreover,
advertising attributes such are available. For example, a "file bypass"
attribute allows the publisher to define files or data sets which are
bypassed or are in plain text. Also, a "trial period" attribute allows the
user to obtain access to these files for a fixed period of time without a
copy or print capability. Applications, such as the trial period,
communicates directly with the PCMCIA card to control access to
application specific functions, such as copy or print. These applications
are modified to support the PCMCIA interface. Furthermore, by a "reduced
resolution" attribute, the publisher allows viewing of a particular file
without quality resolution. The attributes can be representable by
constant values and can also be functions of variables.
After determination of the data partitions by the publisher, and after the
publisher defines the attribute to be used with each data set, the
attribute is bound with a key and a Key Material Identifier (KMID). The
KMID acts as an index or identifying code so that the billing/access
center can provide the proper key or access code to open the desired data
set. This information is combined by the publisher 21 to create a unique
file containing the attribute information for the entire media to be
distributed. This information is sent to the billing/access center. The
software stored on the PCMCIA card 33 further allows the publisher 21 to
encrypt the data and include the attribute and the KMID on the CD.
The system of the present invention therefore includes assignment of the
key and KMID to a database and the keeping of such information by the
billing/access center 23. It further includes the user sending to the
billing/access center a particular KMID in order to receive a key to
access the desired data. These elements of this system are shown in FIG.
4, where the unique file 37 containing the key, attribute and KMID for
each data set is transmitted to the billing/access center 23 which is
billing or authorization center 23 by the publisher. This file 37 is
downloaded into a central distribution site. The only information that
needs to be written to the CD-ROM 22 is the start and stop sector
information along with the KMID associated with each particular data set
38. A special "Read-Me" file can be created which allows the subscriber to
read information concerning pricing (which match the attributes) for the
individual data sets. The "mastered" information is then replicated and
distributed by the publisher via any transport method suitable.
Returning to FIG: 2, the user 26 is able to load the CD-ROM into a CD-ROM
reader 28 and read the special "Read-Me" file to see what is available on
the portable storage media. When the user 26 has identified a particular
data set the user wishes to access, the user 26 uses the PCMCIA card 29
which is loaded into the PCMCIA drive 32 to communicate with the
billing/access center, billing/access center 23 a request including the
KMID which identifies the desired key via connection 27'. The
billing/access center, once having authorized access, downloads via line
27" the key associated with the KMID.
When downloaded, the key may reside on the user's PCMCIA card 29 or on
appropriate hardware. The key will access the data set of the instant
CD-ROM and subsequent CD-ROMs which are distributed in accordance with the
limits of the attribute. Therefore, if the attribute indicates a six month
time duration as indicated in box 37 and box 38 of FIG. 4, and the first
access occurs in January, the user 26 may use the user PCMCIA card 29
through June in order to access the equivalent data set on subsequently
distributed CD-ROMs. After the first use of the key, the subsequent use of
the key is maintained and audited by the local user environment, that is,
through the user PCMCIA card 29.
In order to provide for limited time duration attributes, the present
invention utilizes "key zeroization" which occurs when an attribute
condition is met or can be remotely invoked by the billing/access center.
For example, an attribute condition having been met would include the
passage of time which is monitorable by a time clock. Since updated data
is released periodically, keys are derived from the originally generated
key through a cryptographic update process. This feature allows the
publisher to distribute its periodic information under a different key
which is derived from the last key based on a cryptographic operation. The
number of updates valid for a subscriber is encoded in the KMID/attribute
information. The cryptographic update process of the present invention is
described in detail below and with reference to FIG. 16.
The user's PCMCIA card 29 is used to audit and maintain the count of
updates provided by the publisher. Each CD-ROM contains information about
the update release of a particular KMID as well as time stamping
information used by the user's PCMCIA card 29 for time based key
management functions. A clock can also be installed on the PCMCIA card.
The zeroization feature of the present invention provides the advantage
that the access of, for example, corporate, government or legal records
which are frequently updated can be avoided or stopped. By using a key
which zeroizes after one or only a few reviews of the data or after a
short time duration, the publisher insures that out-of-date frequently
updated records will not be confused with current records.
The user's PCMCIA card 29 is also used to authenticate the subscriber to
the billing/access center. Each subscriber is assigned a unique
public/private key pair to be used in all transmissions, such being stored
on the user's PCMCIA card 29. Different users key pairs or personalities
allow the user to sign purchase orders or to make purchase requests with
the appropriate personalities. This feature is important in the situation
where a single person holds, whether temporary or permanently, several
different offices. For example, the president of a company may sign a
separate request as a purchasing agent but may sign a separate access
request, with different privileges, as president of the company.
Accordingly, this invention supports the authentication of different user
personalities, as defined by the subscriber, to provide electronic
purchase authorizations. Furthermore, each user PCMCIA card 29 contains a
unique Pin Phrase to validate the user and their use of the personalities
and cryptographic functions of the card at the user's site or through an
optional challenge/response system.
When an individual wishes to gain access to files stored on the CD-ROM, the
key must be resident on the card, that is, already purchased. If not, the
subscriber must create a purchase request and send this request to the
billing/access center. All requests containing payment methods, e.g.
credit card numbers, are encrypted in the public/private key pair. All
purchase requests can be also be signed by the appropriate authorizing
personality before the billing/access center will process any purchase
request.
In the situation where a purchase is not made, that is, where inter-office
distribution of CD-ROM to provide corporate, government or legal
information in-house, the authentication feature is especially desirable.
Unauthorized access to sensitive information is more easily avoided in
accordance with the present invention than when information is
disseminated on printed media.
To recap, referring to FIG. 1, at the billing/access center 23 the request
27 is received in the form of, for example, electronic mail. The mail is
received and the signature is validated to authenticate the source of the
request. Included with the mail message is the requested KMID (see FIG.
4). This is then used as a look up index into a large database containing
the stored cryptographic keys. Under one embodiment of the present
invention, the following steps occur. The billing/access center 23 obtains
the publisher defined attributes assigned to the KMID from the database
and provides this information to the requester. The requester is then
allowed to select a form of payment for the key which is sent to the
billing/access center. The billing/access center then validates the
payment method and authorization. The KMID and its binded attributes are
then sent to the user. At the user's site, the KMID and attributes are
loaded onto the user PCMCIA card 29 for control of access and for audit
purposes by the card. The user now has access to the purchased
information. The KMID and use of the keys according to the publisher's
definition is monitored and maintained by the user's PCMCIA card 29. As
mentioned above, when an attribute condition is met, e.g. the subscriber
has reached the number of purchase bytes or the time has expired, the
user's PCMCIA card 29 will automatically zeroize with respect to that
publication. Further access by the user will require another call to the
billing/access center 23.
The above discussion described in detail general features of the subsystems
of present invention and how they relate to one another. The following
discussion repeats some of the above discussion with less of an emphasis
of the interrelationship of the elements of the present invention, but
with more of an emphasis on the components and method steps of the
elements of the present invention.
As discussed above, by logically grouping and categorizing the publisher's
information, the publisher can then define the billing and advertising
functions associated with the data sets to be published. After the
publisher gathers all information that is intended for publication on a
particular CD-ROM of series of CD-ROMs, the information is then be
assigned the access and subscription attributes defined by the present
invention. A standard publisher's configuration is shown in the block
diagram of FIG. 5. There the publisher's workstation 36 is shown on which
to gathering and organizing information. The publisher is provided with
billing premastering software 41 for such organization. In communication
with the workstation is the CD-ROM writer driver 35 to create the CD-ROM.
Finally, the key data base 42 which is stored at publisher's site contains
the used keys and their alias, history and current attribute definitions.
The key database 42 also contains a list of unused keys which the
publisher can use and define the attributes for such unused keys. After
the publisher defines the use of a particular key, that information is
sent to the remote billing/access center 23.
The encryption device 43 is stored on the publisher's PCMCIA card 33 shown
in FIG. 6. Each publisher is assigned a unique and personal PCMCIA card 33
which contains, in a FLASH or EEPROM non-volatile memory 44, the
publishers personalities and provides audit information about data
published and its author. The personalities of the publisher are similar
to those of the user as described above. The non-volatile memory 44
further contains the publisher's unique storage variable (K.sub.s) used as
part of the password algorithm. The aforementioned information can be
stored on the publisher's PCMCIA card and are encrypted by this local key.
Additionally, the publisher's workstation automatically records the CD-ROM
identification and KMIDs used to publish a particular CD-ROM. This audit
data is stored and maintained by the key data base 42.
The digital signature provided by the PCMCIA card 33 assures the
billing/access center and/or the subscriber that the published data was in
fact published on the CD-ROM by the authorized publisher of that
particular information. This feature avoids piracy of copyrighted
material, as well as falsified records in the corporate, government and
legal environment.
The audit information stored on the publisher's PCMCIA card 33 is auditable
from the billing/access center 23. Since there is a transmission line
between the billing/access center and the publisher, the billing/access
center can access information stored on the publisher's PCMCIA card 33 to
analyze the publisher's activity for many purposes, including improving
the system.
The PCMCIA card 33 can be a hardware card or a software application for
emulating the hardware card functions. As a standard feature, it contains
a volatile memory or RAM 46 and a bus interface 47 so that it may
communicate with the publisher's computer system 36.
Before the publisher can actually encrypt and/or sign any information to
the CD-ROM, it logs onto the PCMCIA card 33 which supports a logon phrase
either through the keyboard interface or one which can be directly input
to the card reader. The phrase may be any length or any set of ascii
characters the publisher assigns. For enhanced security, the publisher may
use biometrics (voice) after the logon phrase for a more secure logon
which binds the publisher to the card and its resources. The publisher
logs onto the card prior to performing any security related functions.
After logon, the publisher may use the resources of the PCMCIA card 33. The
card, whether performed as a software function on the publisher's computer
36 or as a separate hardware card, provides all of the cryptographic
functions required by the publisher to generate a CD for supporting an
electronic subscription service. The encryption for the CD application is
performed at the sector level to support random access on large data
bases. The microprocessor 48 operates as the encryption device 43 to allow
the publisher to associate files, directories, sub directories, vo | | |
