JP2002541528A - Protected online music distribution system - Google Patents

Abstract

(57) Abstract A protected music distribution system allows digital products, such as music, video, or computer software, to be associated via a public telecommunications network, such as the Internet, using a client-server architecture. Distributed in a protected form with the media. Digital products are stored and controlled by a content manager computer system and sold by another merchant computer system. The protected music distribution system includes a music distribution center that operates with any number of client systems and any number of merchant systems. The music distribution center includes a content manager and at least one distribution server. The content manager maintains a media information database, a master media file system, and a transaction database. Further, the music distribution center interfaces with a media licensing center, which communicates with one or more distributed rights agent servers and merchant servers. The store server is executed in a store computer system, and the store computer system also includes an HTTP (HyperText Transfer Protocol) server. The merchant server interfaces with various payment processing systems. The client system includes a media player and a web browser. Additional distribution servers and media licensing centers operate outside of and independent of the music distribution center and interface with the music distribution center.

Description

DETAILED DESCRIPTION OF THE INVENTION

This specification is a continuation-in-part of US patent application Ser. No. 09/020025, filed Feb. 6, 1998.

FIELD OF THE INVENTION [0002] The present invention relates generally to the field of commerce over wide area computer networks, and more particularly, to the distribution of digital media data over publicly accessible wide area computer networks. .

Background of the Invention [0003] Wide area computer networks, such as the Internet, have grown remarkably recently, both in terms of data traffic and popularity. As a result, such wide area networks have become increasingly popular as distribution media for digital products. From a commerce perspective, "distribution" has two distinct phases: purchase and distribution. Many vendors that use wide area computer networks for commercial distribution support only the purchase phase online. As used herein, "online" means via a computer network. Typically, current online vendors provide catalogs that list or describe products available online. The customer reviews the product by browsing a catalog, for example, using a World Wide Web browser, and makes a purchase by providing payment information, for example, credit card information. The purchased merchandise is delivered to the customer off-line, ie, via a distribution channel other than a computer network, such as via mail. By far, the majority of products purchased in this form are traditional non-digital products such as books, clothing, and food. Digital products, such as computer software, digitized video, and digitized audio, are also purchased in this form, with product selection and purchase taking place online, but distribution via floppy diskette, CD-ROM. In a conventional manner by mailing the purchaser a digital product of conventional media, such as a video cassette, audio tape, or audio CD.

[0004] Unlike traditional online purchase and offline distribution systems, a complete system for online distribution of digital products, such as digital audio, should provide online support for both the purchase and distribution phases. Such online distribution systems present a number of special issues that are not relevant to non-digital products. For example, unauthorized copying of digital products is particularly important. Traditional distribution of music on CDs and cassette tapes has estimated the loss from piracy from unauthorized copying of music to be around $ 1 billion annually worldwide.
Unauthorized copying of digital audio and the ability to make perfect copies pose an even greater risk of loss to the music industry, making it available for purchase on the Internet. It was the single biggest factor to be reluctant. Therefore, online music purchasing and distribution systems must be explicitly protected from various attacks and abuse to protect the intellectual property rights of music owners.

[0005] There are several security risks in online distribution of music. First,
There are considerable security risks in simply maintaining digital media products on a computer system connected to a public network such as the Internet for access by consumers. Buyer reviews digital product,
In order to be able to purchase effectively, the product must generally be stored on a computer accessible via a computer network. However, for the commercial value of such digital products, whether audio data, video data, or software, such computers may be the target of unauthorized access attempts to digital products High in nature.
Furthermore, the very existence of online commerce systems is in itself a trigger for crackers to break the security controls of such systems and try to gain access to them. Therefore, online distribution systems for digital products must be protected from such direct attacks. In addition, if the online music distribution system is compromised, it is desirable that the underlying digital product itself be protected against unauthorized copying.

[0006] Similarly, the protocols and transmission mechanisms used by online distribution systems to distribute digital products to legitimate buyers also prevent unauthorized users from intercepting the distribution of digital products during transmission over a network. , Must be protected.

Finally, after a digital product has been delivered to a user, the product itself must be protected from unauthorized copying by the user or others.

[0008] The need for security in such online distribution systems is inconsistent with the many features that customers demand for flexibility and ease of use. In particular, with respect to the purchase of songs and related media (eg, lyrics, graphics, liner notes, etc., which may normally accompany the usual distribution of traditional audio media)
Consumers want to be able to sample audio products before purchasing.
It would be desirable for such an online music distribution system to provide a mechanism that allows a user to play a limited portion of the song and display the associated media without having to purchase the song. In addition, consumers must be able to yield preview music to other potential new customers.

[0009] Similarly, buyers of music in a conventional form, such as a compact disc or cassette, may have purchased portable compact disc players and cassette tapes.
You are used to simple and easy-to-use consumer devices such as players. In order to successfully distribute music over the Internet, security requirements must not unduly hinder the usability of the consumer's system. Consumers must be able to purchase and play audio media in an easy and protected manner. However, security measures, particularly cryptographic mechanisms, must render purchased audio unusable outside of certain equipment and mechanisms designed to work with the distribution system.

[0010] Similarly, consumers are accustomed to being able to play purchased music anywhere they can carry CDs and CD players. Consumers expect similar portability when purchasing digital media over the Internet. Thus, a desirable online music distribution system would allow consumers to transfer purchased audio not only on a single computer, but on all platforms with the appropriate licensed playback device and licensee's personal identification. Must be able to play.

Furthermore, for the very high audio fidelity currently available using regular CD products, audio purchased from the online music distribution system via the Internet has at least the same level of fidelity. Must, or consumers will not buy such products. Therefore, the encryption or compression method used must not cause significant signal loss and must not impair playback performance.

[0012] Various forms of online payment processing systems are currently available and in use, including credit and debit card authorization systems. In addition, digital cash and micropayments (mic
Many new forms of online payment systems, including payments, are currently under development and will be developed in the future. Therefore, the online distribution system
Do not require a single form of payment and do not use your own payment processing system. Rather, the desired online distribution system must be adaptable to integration with all forms of payment processors. Similarly, many stores,
They provide their own online commerce server from which they offer and distribute such products as product retail vendors. The desired online distribution system must be integrated with various merchant systems.

[0013] Online music distribution systems must also allow the restoration of protected digital goods by consumers who have lost the identification or other security information (such as encryption keys) needed to use the purchase. . In addition, independent agents that guard against piracy must also be able to retrieve infringing copies and identify the creator of such infringement.

SUMMARY OF THE INVENTION In accordance with the present invention, a protected online music distribution system is provided for selecting, previewing, downloading, and transporting audio and other digital products over a wide area computer network, such as the Internet. Provide consumers with the flexibility and ease of use. The protected online music distribution system furthermore
Provides security for digital products in all phases of the purchase and distribution transaction throughout the distribution system.

An online music distribution system according to the present invention includes various cooperating components that communicate via a public wide area computer network such as the Internet. These components include a content manager, one or more distribution servers, a media data file system, and a media information database. Internet communication by this system
Facilitated by an HTTP server. Any number of individual buyers may
Use a client computer system with a wide web browser and a media player. World wide web browsers are known and are sometimes referred to herein simply as "web browsers."

Further in accordance with the present invention, the payment portion of the purchase transaction is processed by a merchant computer system that receives and processes the purchase request, while maintaining inventory of digital products and distributing such digital products. Is executed by the remote distribution center computer system. By decoupling the merchant computer system from the remote distribution center computer system, web-based merchants that provide other non-digital products delivered in conventional fashion, for example, via regular physical product shipments, have become Be able to offer product sales. Further, greater flexibility is provided in the physical or topological placement of such merchant computer systems and such distribution center computer systems. For example, a central store computer system
Purchase requests and payments can be processed while the requested digital product is delivered online from the physically or topologically closest of the plurality of distribution center computer systems. Alternatively, various independently operated merchant computer systems may offer the same digital product from the same distribution center computer system, possibly at different competing prices.

[0017] Secure distribution of digital products is provided by three aspects of the online distribution system according to the present invention. First, unlike a conventional digital product distribution system, the online distribution system has both two phases of online distribution: the commerce phase of the purchase transaction, such as the purchase and payment authorization, and the purchased media itself. Support the delivery of This aspect of the online music distribution system is provided by having the content manager control the storage of digital products in the media data file system and manage the transaction aspects of purchase or preview transactions with buyers. Is done. On the other hand, the actual distribution of the digital product is performed by one of the distribution servers.
Managed by one.

Given the security needs of restricting copying and preventing unauthorized access attempts while the digital product is stored on a server or while the digital product is traveling across a network, Online distribution systems provide secure protocols for completing purchase transactions and delivering audio and other media. First, the user's media player and user identification are authenticated by the content manager. Second,
The particular media being purchased is encrypted using information known only to the media player of the purchaser (separate from the mere encryption key) that uniquely identifies the purchaser.
In this manner, only the purchaser's media player can decrypt and play the purchased audio. Third, the particular purchase transaction itself is represented by a protected and trusted object passed between the content manager, the media player, and the distribution server. Fourth, digital products
After being delivered to the media player by the delivery server, the digital product is inaccessible without the various decryption keys and purchaser's confidential personal information.

In another aspect of the online distribution system according to the present invention, an encrypted version and an unencrypted version of a portion of a digital product, eg, a song of a digital audio product, are provided with descriptive text, artwork, and Along with other information, it is combined into a single media data file. The encrypted version of the song is a high fidelity audio image purchased. The unencrypted version of the song, which can be either a selected portion or the entire song, was recorded at a lower quality, such as a higher compression ratio or a lower sample rate. These unencrypted low quality "clips" are available free of charge for consumers to preview to decide whether to purchase a high fidelity version. In addition, descriptive information such as cover art, lyrics, and credits are also available for preview.

In another aspect of the online distribution system according to the present invention, a complete security protocol allows purchase-quality audio images to be created from artist creation to user purchase and playback through various stages of development and playback. , Protected. Purchase quality audio data, when created by an artist, is encrypted using a media key, which is a cryptographically strong random number generated by an audio authoring tool. The media key is then encrypted using the content manager's public key. A cryptographically strong random number is a random number of sufficient length or, equivalently, a random number selected from a sufficiently large number of possible values, for which it is very difficult to determine the random number by guesswork or deduction. The encrypted high quality version of the song is combined with the low quality unencrypted version, descriptive information, and media key into a media data file. The media data file is uploaded to the content manager for storage on the media data file system and made available for purchase by the consumer. While stored in the online music distribution system, the audio image remains encrypted and tied to a particular content manager.

In order to purchase a media data file, a consumer must first
Register with the Line Sensing Center to get a digital passport. The passport is a combination of data including personal information that uniquely identifies the user, confidential information of the user, and encryption key information used to encrypt media data for his use. . The identification information is usually a user's name, address, and the like. The confidential information is preferably information that the user prefers to keep confidential, such as the user's credit card number. This information is combined in the passport with a public / private key pair generated by the media licensing center into a digital certificate that authenticates its identity. The secret key information is then separately encrypted using a symmetric key containing the passphrase selected by the user and a cryptographically strong random key.

The passport supports security during various phases of the purchase of the media data file. First, the certificate is used to authenticate the purchaser to the content manager and distribution server.

Second, the purchaser's public key from the passport is used by the content manager to encrypt the media key of the media data file to be purchased. In this manner, only the purchaser's media player can decrypt the media key of the purchased audio and play the music. When the media player receives the media data file for playback, the media player decrypts the media key contained in the media data file using the secret key stored in the passport. The media key is then used to decrypt the audio image for playback on the user's machine.

Third, the inclusion of confidential information (such as the user's credit card number) in the passport further precludes the buyer from simply giving his passport and a copy of the purchased audio to another person. Designed to make. During playback,
A media player displays the user's confidential information on a computer display. By displaying sensitive information, buyers can protect the confidentiality of their passport,
Thus, a strong incentive is provided to protect the media indirectly purchased.

The integrity of the purchase and delivery phases of the transaction is based on the content manager, the delivery server, using the buyer's passport and another trusted data object called a media voucher. , Protected by a protocol between the user's web browser and the media player. The media voucher uniquely identifies the purchased media, the particular purchase transaction, and the particular distribution server that distributes the purchased media to the media player. A particular purchase transaction is represented by a voucher ID generated by the content manager. media·
The voucher will be issued after the user's credit card has been verified and payment has been authorized.
Provided by the content manager to the user's web browser. The content manager also provides a receipt token, which is a cryptographically strong random number used by the media player to complete a transaction with the designated distribution server. This completes the purchase phase of the transaction.

Thereafter, a transaction delivery phase is performed between the media player and the delivery server, along with a verification of the transaction provided by the content manager. The media player creates a message authentication code from the receipt from the media voucher and the voucher ID and the consumer's certificate from the passport. This step ties certain transactions to purchases. These data are transmitted to the distribution server. The delivery server verifies the message authentication data using the voucher ID and certificate chain from the packet and the receipt obtained from the content manager. In this step, the identity of the media player is verified against the distribution server. Content Manager
The media key of the purchased audio image is encrypted using the purchaser's public key. Thereafter, the distribution server may distribute the audio to the purchaser's media player. In this way, only the purchaser can decrypt the purchased audio.

DETAILED DESCRIPTION System Overview Referring to FIG. 1, a protected music distribution system 100 uses a client-server architecture to provide music and related media over a public telecommunications network such as the Internet. Distribute in a protected manner. Although a music distribution system is described, it will be appreciated that many of the systems described herein are equally applicable to the distribution of electronically or digitally stored products, including, for example, motion video and computer software. I want to be. The protected music distribution system 100 includes a music distribution center 124 that operates with any number of client systems 126 and any number of merchant systems 136.
FIG. 1 shows only one of each of the client system 126 and the store system 136 for convenience. The music distribution center 124 includes a content manager 112 and at least one distribution server 118. The content manager 112 includes a media information database 106, a master media
Maintains file system 120 and transaction database 130. In addition, the music distribution center 124 interfaces with the media line sensing center 110 and the media line sensing center 11
0 communicates with one or more distributed rights agent servers 108 and merchant servers 132. The store server 132 operates in the store system 136, and the store system 136 includes an HTTP (HyperText Transfer).
Protocol server 122 is also included. The merchant server 132 interfaces with various payment processing systems 134. Client system 1
26 includes a media player 116 and a web browser 128. In a preferred embodiment, operating outside and independent of music distribution center 124,
Interface with music distribution center 124 in the manner described herein with respect to distribution server 118 and media licensing center 110, respectively.
There are additional distribution servers and media line sensing centers.

The client system 126 has two basic components: a media player 116 and a web browser 128. Web browser 128 may be a conventional web browser with an added interface to media player 116 to pass information to media player 116.

The music distribution center 124 is a UNIX® based operating system.
Sun Microsystems SPARCstat running system
or an In which runs the Microsoft Corporation's Windows NT® operating system.
Servers, such as tel Pentium (R) based computers
Runs on a class computer system. The media player 116
Apple Computer, Inc., running Apple's MacOS® operating system. Macintosh (registered trademark)
Systems and Windows of Microsoft Corporation
A software product that can run on a variety of computer platforms, including Intel's Pentium-based computers running the ws95 / 98 or Windows NT operating systems.

The music distribution center 124 uses normal TCP / IP for unprotected channels.
About communication protocol and protected communication, Netscape Comuni
station Inc. Secure Sockets Layer v.
Client System 126, Media Line Sensing Center 110, Store Server 132, Authoring Tool over a public communication network, preferably the Internet, using a secure protocol over TCP, such as 3 (SSL). 102 and various other components, such as rights agent 108. The web browser 128 of the client system 126 interfaces with the music distribution center 124 via the world wide web portion of the Internet using normal HTTP and HTTP over SSL, and the HTTP server 122 of the merchant system 136. .

Data Objects In the protected music distribution system 100, management of the purchase of digital products is decoupled from the distribution of these products to purchasers. This separation is supported in two ways. First, the management of all purchases and other transactions
The distribution of purchased media content, which is mainly processed by the content manager 112, is performed by the distribution server 118. Second, three separate data objects are used to encapsulate information used at different stages of different transactions. The first data object is the media data file where the media content is stored and encrypted at the time of purchase using the purchaser's encryption key. The second data object is a media voucher object that encapsulates information specific to an individual transaction, including the media data to be purchased and one of the distribution servers 118 that distributes the media data. is there. The third data object is a passport object that links the first two data objects and encapsulates the user's personal confidential information and the encryption key.

Media Data File Referring to FIG. 2, media data file 2 according to one embodiment of the present invention
00 is shown. Media data files, such as media data file 200, are stored in master media file system 120 (FIG. 1). Media data file 200 is illustrative, and includes the following data fields, each of which stores data representing a component of media data file 200: .

The header 202 generally defines information necessary for decoding the media data file 200. This information includes a file format version, a table of contents 222 in the media data file 200 expressed as an offset.
And security information such as authentication information including a digital signature of data extracted from the media data file 200.

The media description data 204 includes text data and image data related to the audio content of the media data file 200. These data include title, artist, lyrics, descriptive text such as liner notes, promotional art image data, and cover art image data. These data are preferably digitally signed to ensure that they are not altered. The file author can encrypt individual components of the media description data 204, leaving other components unencrypted. This allows potential buyers the freedom to see, for example, liner notes and credit data,
This allows such potential buyers to access the media data file 20
At the same time, it is possible to determine whether zero audio content is intriguing, while at the same time ensuring that only purchasers can see other data of commercial value, such as lyrics.

The media data file 200 includes at least one media data chunk 206. Each media data chunk 206 includes an audio image 208 that can optionally be watermarked, compressed, encrypted, or a combination thereof. Various audio images 208 or respective media data chunks 20
6 to produce different playback quality levels using different sampling rates and compression ratios. Each audio image 208 encodes either an entire song or a portion thereof. Using a plurality of different audio images 208 of different audio qualities allows an artist to provide a single media data file 200 representing different versions of the same song, with different platforms and different audio Users with playback capabilities can preview the song. Media data chunk 2
06 also includes optional restrictions on actions such as playback and recording to external devices or files.

The watermarking of the audio image 208 is performed by inserting additional data directly into the audio data stream before compression.
For example, Solana Technolo of San Diego, California, USA
A suitable watermark, such as gy, is implemented. Alternatively, co-pending US patent application Ser. No. 09/1725, the description of which is incorporated herein by reference.
No. 83, Applicant's Levine, entitled "Robus
t Watermark Method and Apparatus for
Achieving the watermarking in the manner described in "Digital Signals", filed Oct. 14, 1998. Preferably, compression of audio image 208 is effected through the use of a high quality compression algorithm. Each algorithm has a unique identifier to enable the system to operate with multiple compression formats. Compression is performed, for example, by using Dolby Laborat.
ories, Inc. It can be implemented using the company's AC-3 compression algorithm.

The audio image 208 is encrypted using a symmetric media key, which is generated by the authoring tool 102 (FIG. 1) and is preferably a cryptographically strong random number. In this exemplary embodiment, the encryption algorithm used to encrypt the audio image 208 (FIG. 2) includes DES
And RC4. With the encryption using the symmetric media key, the substantial content of the audio image 208 is transferred to the media player 116 (FIG. 1).
) Allows the audio image 208 to be decoded in real time. Real-time decryption reduces the amount of audio image 208 (FIG. 2) available in the memory buffer in unencrypted form at any one time, thereby reducing the probability of unauthorized access to the audio image.

As described further below, the media key is stored in the content manager 112 (FIG. 1) while the media data file 200 (FIG. 2) is stored in the master media file system 120. Separately encrypted using the public key of When the media data file 200 is delivered to the purchaser, the media key is encrypted using the private key of the content manager 112, and the media key is encrypted using the public key of the user's media player 116. Is re-encrypted. This locks the media key, and thus the audio image 208, to the purchaser's media player 116.

For each of the audio images 208, the media data chunk 206 includes an encryption parameter 210 such as a DES initialization vector.

The media data chunk 206 also includes an index table 212 for the audio image 208 that defines timing information for the image,
The media player 116 (FIG. 1) or the distribution server 118 can randomly access any portion of the audio image during playback or streaming. Index table 212 (FIG. 2) can be implemented as an array of timing data and position information.

The clip and song information 214 defines the duration, start time, and duration of the clip in the song, along with fade-out and fade-in parameters, which are preferably the duration of each fade. You. If the fade parameter is a duration, the actual fade is performed by the media player 116. Clip audio data is not encrypted. This allows prospective buyers to preview a portion of the song.

The “for sale” flag 216 defines whether the media data chunk 206 is for sale or can only be previewed.

A time stamp 218, such as a SMPTE time stamp, is provided for editing the media data file 200 using a professional audio editing tool.

A transaction ID 220 is added to each copy of the media data file 200 that is delivered to the purchaser. The transaction ID 220 is used to uniquely identify each copy of the purchased media data file 200 and is used by the media player 116 to receive the media data file 2 upon receipt.
00 is added. The transaction ID 220 includes a media voucher ID
, The timestamp at the time of delivery to the media player 116, the certificate serial number of the content manager 112 when the content manager permits the delivery of the media data file 200, and the media player
Preferably, the certificate of the media player 116 when receiving the data file 200 is included.

Finally, the media data file 200 includes a table of contents 222 for the entire media data file 200. The table of contents 222 includes the location of each item of data within the media data file 200, and its type and subtype. Types include text, audio, and graphics. Text subtypes include artist, title, lyrics, liner
Notes and other textual information is included. Graphic subtypes include:
Includes cover art, promotional art, and promotional art.

Media Voucher A media voucher is a media voucher such as a media data file 200.
An object used to control the purchase and preview of data files. For each purchase or preview of media data file 200, a new media voucher is created by content manager 112 (FIG. 1) and provided to media player 116. The media voucher may include a particular media data file, such as media data file 200 (FIG. 2), obtained by media player 116 and a distribution server, such as distribution server 118, that provides the media data file. Used to identify both.

Referring to FIG. 3, media voucher 300 includes a unique voucher ID 302 generated by content manager 112 (FIG. 1) and a media data file to be delivered, for example, media data file 200. (Figure 2
) Is uniquely included in the media ID 304 (FIG. 3). Voucher ID 30
2 (FIG. 3) limits the use of the media voucher 300 to a single purchase or preview transaction. Receipt 306
A cryptographically strong random number generated by the content manager 112 (FIG. 1) that creates a voucher ID and message authentication code (MAC) for the consumer certificate to bind media data delivery to the purchase transaction. Used for The MAC is preferably a keyed message authentication code defined in Internet RFC 2104. Delivery server address 308 specifies the IP address and TCP port of a delivery server, for example, delivery server 118, that provides media data file 200 to user media player 116.

The media voucher 300 includes items 302 through 3 to represent multiple purchases.
08 may be included in plurality. Such multiple purchases may be, for example, all songs of a particular album.

Passport A passport is a data object that provides security information specific to each user of the system. The end user is issued a passport by the media line sensing center 110 (FIG. 1) during the registration process. The passport is stored on the user's computer and is used to decrypt the respective media key of the media data file 200 purchased by the user during playback. By encrypting the media key of the purchased media data file 200 using the public key of the user's media player 116, the media data file 200 is bound to a particular user, but depending on the user's passport, The user can decrypt and play the file on his media player 116. Furthermore, the passport contains the user's confidential personal information, which prevents the user from freely copying his or her own passport and distributing it to others.

Referring to FIG. 4, a passport 400 according to the present invention includes a consumer certificate 402
, Consumer public key 404, consumer secret key 412, encrypted personal information 414
, And a registration key 420. The consumer certificate 402 is used to authenticate the purchaser of the media data file 200 and the consumer public key 404 is
Used to encrypt parts of the media data file 200 that are purchased. The consumer certificate 402 has a known ordinary ITU-TX. 509 format and is issued by a trusted certificate authority, which is the media line sensing center 110 in the preferred embodiment.
ITU-T X. Each of the consumer certificates 402 in the 509 format has a consumer public key 404 and a set of validity dates 40 defining the period during which the certificate is valid.
6, serial number 408, and a certification authority such as Media Line Sensing
The digital signature 410 of the center 110 is included.

The consumer secret key 412, along with the consumer public key 404, is generated by the media line sensing center 110 (FIG. 1). The generation of a key pair by the media line sensing center 110 simplifies recovery in the event that a consumer loses a secret key and eliminates the need for key generation by the media player 116, thereby simplifying the media player 116. To simplify the registration protocol. It is important to keep the media player 116 simple because the media player 116 must generally be downloaded and installed by the user's client computer system and the user's client computer system However, it typically has lower processing power than the server computer system in the media line sensing center 110.

The passport 400 (FIG. 4) further includes personal confidential information 414. This information preferably identifies the user, which may include, for example, the user's name 416 and other similar information (eg, address). In addition, the personal confidential information 414 includes information that the user typically prefers to keep confidential, such as credit card numbers 418 and similar information. This personal confidential information is displayed by the media player 116 during playback of the substantial audio content of the media data file 200. Such a technique discourages the user from giving others a copy of the passport 400 for unauthorized sharing of the media data file 200.
This is because doing so causes the personal confidential information 414 to be displayed to others.

The consumer secret key 412 and personal information 414 are encrypted using the user's registration key 420. This key is also used for the media line sensing center 110 (
1). Registration key 420 (FIG. 4) is encrypted using a passphrase entered by the user during the registration process and stored in passport 400.

When a user purchases a media data file 200 (FIG. 2), a consumer certificate 402 (FIG. 4) including a public key 404 is provided to the content manager 112.
(FIG. 1). The content manager 112 encrypts the media key of the media data file 200 (FIG. 2) using the public key 404 (FIG. 4) and distributes it to the media player 116 (FIG. 1). When the media player 116 receives the media data file 200 (FIG. 2) and the encrypted media key, the media player 116 (FIG. 1) uses the registration key 420 (FIG. 4). , Decrypts the secret key 412, decrypts the media key, and uses the media key to decrypt the audio image itself.
The media player 116 (FIG. 1) further decrypts the personal information 414 using the registration key 420 (FIG. 4), and the personal information 414 is displayed to the user.
The user is required to enter the previously entered passphrase during playback to decrypt the registration key 420.

Component Overview Content Manager The content manager 112 (FIG. 1) includes one or more computer
All or part of the process, is the central transaction processor of the music distribution center 124 and is responsible for the overall management of the substantial content of the media data files. Such administration includes (i) receiving and storing published media data files 120, such as media data files 200 (FIG. 2) from various authors, and (ii) only specific users. Managing preview and purchase transactions by individual users of the media data file, including encrypting the media data file 200 in a manner that allows access to the media for playback; and (iii) media. Includes reporting to rights agents about such use, for the author's correct compensation for fees and royalties from the purchase of data and other uses. The content manager 112 (FIG. 1) stores details of each transaction in a transaction database 130.

Merchant Server The merchant server 132 is all or part of one or more computer processes that enables preview and purchase transactions to be performed remotely from the content manager 112,
Manager 112 maintains full control of access to digital products, such as media data file 200 in master media file 120.
This allows the content manager 112 to clear the digital product in the master media file 120 while allowing various merchant systems, such as the merchant system 136, to act as virtual stores, provide product information, and sell. It becomes possible to work as a ring house. Such a merchant system is managed by the content manager 112 and includes the master media file 1
Products other than those stored at 20 may also be provided.

To perform purchase and preview transactions, merchant system 136 needs general information about digital products stored in master media file 120 that is available via merchant system 136. And Thus, as part of the initialization process, the selected digital products in the master media file 120 that the content manager 112 (FIG. 1) intends to deliver to the client computer system instead of the merchant system 136 , For example, a media data file 200 (FIG. 2)
Is supplied to the store system 136. Such inventory data also specifies additional information for the selected digital product, including, for example, costs imposed by the content manager 112 for each of the selected digital products and additional details of the digital product. As a result, the merchant system 136 can provide prospective buyers with enough details to enable a purchase decision. The merchant system 136 can raise the price beyond the cost specified in the inventory data to gain profit. In an alternative embodiment,
The inventory data includes the suggested retail price that the merchant system 136 is obligated to charge, for example, by contractual agreement.

Delivery Server The delivery server 118 is the media player 1 of the client system 126.
16 is all or part of one or more computer processes that deliver a media data file, such as media data file 200 (FIG. 2), to a user via 16 (FIG. 1). Specifically, the distribution server 118 receives a request from the media player 116 to preview or purchase a media data file 200 containing audio data and sends such a request for authentication and encryption to the content. Route to manager 112 to deliver requested media data files or requested parts. Distribution server 118
May render the requested media data file or portion thereof as a real-time streaming preview of the substantial content of the audio data for immediate playback on the media player 116, or CD for subsequent playback by or for playback by a normal CD player
Deliver as a purchase by protected transfer of media data files to client system 126 for recording to.

Media Player 116 responds to user-generated commands according to conventional user interface techniques to play substantial content of the audio data to be purchased or previewed, and also to respond to user-generated commands. All or part of one or more computer processes for digitally recording purchased media data files in an external memory such as a CD-Recordable, CD-RW, minidisk, or flash memory device It is. Media player 116 may view a list of purchased and stored media data files, such as media data files 200, view art and graphics for covers and promotions, read lyrics and other liner information, Provides user interface controls for organizing play lists and track lists and other music database management functions. FIG. 14 shows the media player 116.
2 shows an example of a user interface of the.

The media player 116 (FIG. 1) also stores and manages the user's passport 400 (FIG. 4) and decrypts the audio image in real time during the playback of the requested streaming audio image. To access the passport data of the passport 400.

Media Line Sensing Center Media line sensing center 110 is all or part of one or more computer processes that collectively form licensing and certification authorities. Wants to purchase data from music distribution center 124,
New users of the protected music distribution system 100 must first register with the media licensing center 110 to obtain a consumer certificate 402 (FIG. 4) that includes a public / private key pair. Media licensing center 110 (FIG. 1) generates these public / private key pairs on behalf of media player 116 to encrypt media data files 200 (FIG. 2), Generates other information that is received by player 116 (FIG. 1) so that only a particular user's media player 116 is included in media data file 200 purchased by that user. Responsible for decrypting data 208 (FIG. 2) so that it can be reproduced. Media licensing center 110 (FIG. 1) also authenticates new users upon registration and various media data files move through the system to authenticate various other components of music distribution center 124. When doing
These components generate a certificate that is appended to the media data file.

The media line sensing center 110 has, for example, a passport 400 (
A user passport such as that shown in FIG. 4) is also generated.

One of the certificates issued by the media licensing center 110 (FIG. 1) is a certificate for the content manager 112. These certificates are designed to have a relatively short validity period, preferably on the order of one to two weeks. This short validity period is likely to mean that content copied without permission
Used to ensure that "pirate" sites that use the manager's 112 certificate can be stopped in a timely manner. Accordingly, the media licensing center 110 updates the certificate of the content manager 112 when the certificate expires.

Finally, the media line sensing center 110 has a media data
Generate a rights report for use of the file and communicate such rights report to rights agent 108.

The foregoing elements are the basic components for the protected distribution of music data, given a collection of music media and other media. Media for distribution
To form the data file 200, the individual artists use the authoring tool 102 to create audio data and associated data in the media data file 200 for distribution over a network to the content manager 112. Media data to be transferred to the master media data file 12
Create for storage in 0. Information describing the master media data files is extracted by the content manager 112 from each of the master media data files and stored in the media information database 106.

The distribution hub The artist uses the content manager 1 from the authoring tool 102.
You can upload a master media file directly to
Instead, the master media file can be transferred to the distribution hub 104 for augmentation. The distribution hub is a computer or computer managed by a recording agency or record label or other agent that manages the creation and promotion of the artist's work or otherwise participates with the artist.
System. The distribution hub 104 includes the content manager 11
Used to add an agent code identifying the right agent responsible for receiving purchase and usage information from the artist along with an agency identification code identifying the artist and media data created by the artist to the agency. can do. For example, the agency code may be a product code or SKU code that the agency uses to track each artist's work.

Merchant Server and Payment Processor The merchant server 132 is an external system that acts as an authorized electronic retailer on a music and media network. Payment processing system 134 is a conventional payment authorization system, such as a credit card authorization system or a debit card authorization system.

Operational Overview The protected music distribution system 100 and music distribution center 124 according to the present invention
Provides multiple processes and workflows to support the protected distribution of music and related media. This workflow includes:

Publication: This is a master media data file authoring tool 1.
02 or the distribution hub 104 to the content manager 112. Media Information Database 1 by Content Manager 112
After being imported into 06 and cataloged, the master media file is generally made available for preview and purchase by individual users.

Registration: Each entity of the system registers with the media licensing center 110 to obtain a certificate that is used to authenticate the identity of the transferred data by the various entities. Specifically, the user registers to obtain a consumer certificate that is used by the content manager 112 to authenticate the identity of the purchaser of the media data file. The author may also use the content manager 112 to authenticate the author when uploading the master media data file for inclusion in the master media file system 120.
Register to get the author's certificate used by. The content manager 112 registers with the media licensing center 110 to obtain a certificate that allows the content manager 112 to distribute the media data file itself.

Preview: This process is supported by the distribution server 118 and the media player 116 to provide real-time streaming of audio data at the media player 116 and display of the associated media data. . The preview allows the user to access the client system 12
6 for permanent storage on a hard disk and subsequent recording on a CD-R or other portable media.

Purchase: This process is a transaction of purchasing a media data file from the content manager 112 and distributing the purchased media data file to the media player 116 by the distribution server 118.

Rights Reporting: The rights reporting process provides a tamper proof mechanism that tracks electronic music distribution in a secure manner. In this process, the content manager 11
From 2 to various rights agents 108, media usage (purchase, preview, etc.) is uploaded in a protected manner. This uploaded information will include the number of times various media data files have been used or purchased, including such payments for royalty payments to artists, owners, record labels, etc. and other fees. Accurate use reporting is possible. These mechanisms will allow music industry participants to protect their copyrights, and these mechanisms will be used by rights reporting agencies to correlate the volume of electronic distribution of media data files. Distributors can be charged for royalties.

Publication Publication is the process of distributing media data files 200 from respective authors to the content manager 112 for inclusion in the music distribution center 124. FIG. 5 shows an event trace of the publication process. First, step 5
At 02, the artist creates a media
Construct the data file 200 (FIG. 2). Generally, individual authors record various musical works in digital form and obtain or design cover and promotional art that is incorporated with the music into media data files 200 (FIG. 2). The artist uses the authoring tool 102 (Figure 1).
) To perform the desired digital signature processing and editing on the digitally recorded audio data. Authoring tool 102 also provides audio image compression, watermarking, and encryption. The authoring tool 102 is also used by the artist to enter media description data 204 (FIG. 2), such as the artist's name, song title, and lyrics, as described above.

The artist can include in the media data file 200 a plurality of different audio images 208, each having a different quality level with respect to bandwidth, determined by the compression level and the sampling rate.

Media Data File 20 Including Encryption of Audio Image 208
0, the authoring tool 102 (FIG. 1) establishes a connection with the content manager 112 at step 504 (FIG. 5) and, as a request for identification of the content manager 112, A user·
Submit account name and password. At step 506, the content manager 112 (FIG. 1) responds with the version and certificate of the content manager 112. The certificate of the content manager 112 includes the public key of the content manager 112.

The authoring tool 102 and the content manager 112 mutually authenticate each other. Content manager 112 authenticates authoring tool 102 according to the previously sent user account name and password. At step 508, authoring tool 102 authenticates content manager 112 in the following manner. Authoring tool 102 receives the time stamp, authoring tool 102 username, and password digitally signed by content manager 112. Authoring Tool 10
2 verifies the signature and authenticates the content manager 112 to the authoring tool 102. In step 508 (FIG. 5), the authoring tool 1
02 (FIG. 1) further verifies that the certificate of the content manager 112 has been signed by the issuing certification authority, in this case the media licensing center 110.

At steps 510 through 514 (FIG. 5), the content manager 112 (FIG. 1) authenticates the authoring tool 102 in a similar manner. That is, the identification of the authoring tool 102 is requested (step 510), and the version and certificate of the authoring tool 102 including the public key of the authoring tool 102 and the encryption information of the authoring tool 102 are received (step 512). Verify the certificate and the encryption information (step 514). MIT's Kerberos
Other authentication protocols, such as a system, may be used between the authoring tool 102 and the content manager 112.

After the mutual authentication is completed, the authoring tool 102 (FIG. 1) sends the file name and length of the media data file 200 to the content manager 112 at step 516 (FIG. 5). Further, at step 518, authoring tool 102 generates one or more media keys for media data file 200. In one embodiment, a single media key is
It corresponds to the entire media data file 200. In an alternative embodiment, a single separate media key corresponds to each of the media data chunks 206 (FIG. 2). The media key generated by authoring tool 102 (FIG. 1) is preferably a cryptographically strong random number. This media key is used to encrypt the audio image 208 (FIG. 2).

At step 520 (FIG. 5), authoring tool 102 (FIG. 1) encrypts the media key using the public key of content manager 112 using the specified encryption algorithm. At this point, Content Manager 1
Only 12 (FIG. 1) can decrypt the media key and, therefore, the audio image 208 (FIG. 2). In step 522 (FIG. 5), authoring tool 102 (FIG. 1) encrypts the audio image of media data file 200 using the original unencrypted media key. In step 524 (FIG. 5), the authoring tool 102
(FIG. 1) provides the content manager 112 (FIG. 1) with the encrypted media
The key is transmitted, and at step 526, the complete media data file 200 (FIG. 2) with the audio image encrypted is transmitted.

At step 528, content manager 112 (FIG. 1) receives media data file 200 (FIG. 2) and extracts media description data therefrom. At step 530, the content manager 112 (FIG. 1)
Update media information database 106 with new entries for data file 200. At step 532, the content manager 112 stores the media data file 200 in the master media data file system 120. If the "sale" flag 216 (FIG. 2) of the new media data file 200 is set, the media data file 2
00 is ready for purchase by the consumer. Security of the media data files 200 at the master media data file system 120 is provided by permanent encryption of the individual media keys of each media data file 200 using the public key of the content manager 112. Brought. Additional security for the private key of the content manager 112, eg, GT
E Internet working / SafeKeyper S of BBN
igner products or other tamper-proof hardware.

Registration Registration allows music distribution center 12 to participate in later transactions.
4 establishes the identity of the trusted buyer. FIG. 6 shows an event trace 600 of the process of registration by a user.

At startup, at step 602 (FIG. 6), the media player 116 checks for the presence of the user's passport 400 (FIG. 4) including the user's secret key.
If the passport 400 (FIG. 4) does not exist, in step 604 (FIG. 6)
The media player 116 (FIG. 1) activates the web browser 128 and the URL of the HTTP server registration page of the media line sensing center 110.
give. At step 606, web browser 128 (FIG. 1) requests a registration page. In response, the media line sensing center 110
At step 608, the HTML registration page is returned, and the registration page is displayed by web browser 128.

The registration page is a form for collecting personal information necessary for registering a user.
HTML forms are well known and use conventional user interface techniques to prompt the user to enter data. Personal information includes the full name billing address, telephone number, email address, credit card number, and credit card expiration date. Other personal information that can be collected includes:
For example, a driver's license number is included. The user enters this data using the web browser 128 and presses, for example, a Register button,
Accordingly, in step 610, the registration data is transferred to the media line sensing
It is transmitted to the center 110. This information is provided by the Netscape Common
ations, Inc. Secure Sockets Layer v.
Preferably, it is transmitted over a protected communication link, such as 3.

At step 612, the media line sensing center 110 extracts the credit card information and verifies the information by requesting a credit card authorization from the payment processor 134. If approved by payment processing system 134, at step 614, data representing the credit authorization is
Returned to line sensing center 110. If the credit card is not approved, the media licensing center 110 returns a page with the error message to the web browser 128 requesting the corrected information.

After the credit card is authorized, at step 616 (FIG. 6), the media line sensing center 110 sends a new passport for the user's media player 116 (FIG. 1), for example, passport 400 (FIG. 6). 4) is generated. Media Line Sensing Center 110 (FIG. 1) uses consumer public key 4
Generate a public key / private key pair that will be 04 and a private key 412. media·
The line sensing center 110 represents the passport 400 with a hierarchy of certificates that are sequentially signed, starting with the certificate of the media certification center 110 player certification authority and ending with the consumer certificate 402. A certificate chain, (b) a consumer certificate 402 signed by the media licensing center 110, including a generated public key 404, and (c) a cryptographically strong, randomly generated registration key 420. Formatted as a file containing the consumer's private key 412, encrypted using (d) the consumer personal information 414, also encrypted using the registration key, (e) the plaintext registration key 420.

The consumer's secret key 412 and personal information 414 are also digitally signed with the media line sensing center 110's secret key to prevent tampering.

In step 618 (FIG. 6), passport 400 (FIG. 4) defines a predefined MIME type that identifies passport 400 to web browser 128 (FIG. 1) as data for media player 116. To the web browser 128 over a secure connection. In step 620, web browser 1
28 passes the passport 400 to the media player 116.

At step 622, the media player 116 verifies the passport 400 for authentication and tamper detection by authenticating the certificate chain. The certificate chain starts with the root certificate of the media licensing center 110 stored in the media player 116, decrypts the hash of the certificate using the public key of the root certificate, and decrypts the decrypted hash. Is authenticated by comparing to the newly generated hash. If the hashes are the same, the next certificate is authenticated in the same way.

After verifying the passport 400, at step 624, the media player 1
16 prompts the user to enter a passphrase for the registration key. Step 6
At 26, the media player 116 encrypts the registration key 420 using the passphrase provided by the user. In this exemplary embodiment, the registration key encryption is R
. S. A. Data Security, Inc. BSAFE PBE (M
(D5 + DES) algorithm.

At step 628, the passport 400 is provided to the client computer 126
To a local file system on The passport 400 can be stored at a default location or at a location specified by the user. The file format of the passport 400 is Microsoft Corp. Inc.'s Windows operating system and Apple Computer Inc. Company Ma
Operating system independent to provide passport 400 portability between cOSs.

The user is now authorized to purchase and preview music from the protected music distribution system 100 (FIG. 1).

In this exemplary embodiment, the passphrase while it is stored in the memory of the client system 126 and the decrypted private key are used by a malicious program or authorized by an applet such as the ActiveX and Javascript applets. Must be protected from unauthorized copying. Such unauthorized copying allows for the transmission of sensitive information to unauthorized entities within the wide area network of the protected music distribution system 100, and thus such unauthorized copying represents a significant breach of security. there is a possibility. Furthermore, while the media player 116 is active, the media key must remain as encrypted as possible, for example,
It must be decrypted only immediately before use of the media and re-encrypted immediately after such use.

If either the registration key 420 or the passphrase for encrypting the registration key 420 is lost, the registration key 420 is transferred from the media line sensing center 110 to the media player 116 for media line sensing. It can be sent again via the SSL connection of the web browser 128 to the web server at the center 110 side.

The media licensing center 110 maintains a persistent database of all issued consumer certificates, including personal information 414 associated with each certificate.

Preview FIG. 7 shows an event trace 700 of a preview of the media data file 200 prior to purchase.

The preview begins with the user viewing a web page with a link to a preview of the desired media data file 200 in the web browser 128. FIG. 8 shows an exemplary web page for selecting a preview. The link is a link to the HTTP server 122, and when clicked, the web browser 128 requests the HTTP server 122 to preview the media data file 200 in step 702 (FIG. 7). The URL of the link encodes the media ID and the type of request: clip or whole song.

The HTTP server 122 receives the preview request and, at step 704, invokes the content manager 112 over a potentially unsecured TCP connection to request the media ID and request type, in this case, the preview type request. hand over.

The content manager 112 receives the preview request and proceeds to step 706
Verify that the media data file 200 specified by the media ID exists. In the exemplary embodiment, this is done by first accessing a cache of media IDs of frequently accessed songs. If the requested media ID is not in the cache, the content manager 112 checks the master media file system 120 for the requested media data file 200. If the media data file 200 does not exist there, the content manager 112 returns an error.

The content manager 112 determines that the requested media data file 2
00, the content manager 112 determines in step 708 the distribution server 118 to process the request to preview the file.
Is available.

In this exemplary embodiment, each distribution server 118 is configured by the system provider to have a limited number of active streams of data that are licensed and distributed at one time. Content manager 112 maintains a list of distribution servers 118 with which content manager 112 operates, as well as the number of active streams and the total number of streams for each of distribution servers 118. Each distribution server 118 registers with the content manager 112 and supplies the network address of the distribution server 118. content·
The manager 112 configures each registered distribution server 118 using the number of streams allocated to the distribution server 118, the basic UDP port used for the stream, and the port number for accepting stream requests.

When distribution server 118 allocates a stream, distribution server 118 updates content manager 112 with this information. Thus, to determine the availability of the distribution server 118, the content manager determines, for the first available distribution server 118 that has not allocated all streams,
Examine this list. If no stream is available, the content manager 112 returns a message to the web browser 128 indicating that the preview cannot be delivered at this time.

Assuming that the content manager 112 identifies an available distribution server 118, the content manager 112 proceeds to step 710,
The voucher 300 is generated and returned to the HTTP server 122. This includes the network address 308 and port number of the distribution server 118, the voucher ID 302
, And a media ID 304.

In step 712, the HTTP server 122 generates an HTTP response in which the media voucher data is embedded, and returns the generated HTTP response to the web browser 128. A MIME type that causes the web browser 128 to call the media player 116 using the response data is defined.

At step 714, the web browser 128 receives the HTTP response and stores the data of the media voucher 300 in a local file. The web browser 128 passes the file name of this file to the media player 116 at step 716.

At step 718, the media player 116 determines that the media voucher 300
Receives the file name of the file, reads the file, and executes the media voucher 300.
, The address 308 and port of the distribution server, the voucher ID 302, and the media ID 304 are extracted. Media player 116
Sets up a communication channel with the designated distribution server 118 at step 720 and passes the voucher ID 302, media ID and bandwidth request, which is the media connection 116 Is the estimated value of The media player 116 is connected to the distribution server 1 by the media player 116.
Provide port information identifying the port that receives the streamed audio data from.

At step 722, distribution server 118 receives the voucher ID and media ID, contacts content manager 112, and obtains media information from media information database 106. The distribution server 118 specifies to the content manager 112 the media ID of the media data file 200, the number and specific type of information retrieved from the media description data 204. This step is for obtaining the latest information on the media data file 200 in case there is any update to, for example, price information or other data. Content manager 112 responds at step 724 with the respective media information of the requested type.

At step 726, distribution server 118 sends the media information to media player 116. This information allows the media player 116 to determine the duration of the clip or song, the data size of the encoded audio being delivered, the start and end times of the clip, the fade-in duration, the fade-out duration, and the bandwidth. Be informed.

At step 728, the distribution server 118 sends the media data file 200
To the media player 116. To stream the media data file 200, the distribution server 118 determines the voucher ID 302 of the media voucher 300, the media player 11 receiving the stream.
6, a network address, a transfer protocol such as TCP or UDP,
By providing the content manager 112 with the bandwidth requested by the media player 116 and the media ID of the requested media data file 200, the delivery server 118 allows one of its streams for a particular request. Is notified to the content manager 112.

In step 730, the media player 116 receives the streamed media data file 200 and plays the substantial content of the audio image according to the provided media information parameters. At any point, the user can stop the stream and instruct the media player 116 to download any of the free data over the same connection. When the streaming is completed, the distribution server 118 determines the voucher ID 302, the status of the stream, the duration of the song played by the consumer, and if present, which audio image 208 was downloaded to the media player 116. To release the stream
12 is notified.

The media player 116 user interface supports controls for controlling audio streaming, including fast forward, rewind, pause, and stop controls. To implement these controls, media player 116 and distribution server 118 use a time-based transport protocol. The media player 116 transmits to the distribution server 118 a transport instruction specifying a time offset in the audio image at which playback is to be started. The distribution server 118 advances or rewinds to the designated time. The fast forward user control causes a fixed increment of time to advance and the rewind control causes a fixed decrement of time. Negative time values are used to indicate stop and restart of playback.

[0112] The media voucher 300 can include a play list of a plurality of tracks. Accordingly, the media player 116 may use the media voucher 30
Steps 720 to 730 are repeated for each zero track.

Purchases FIGS. 9A-9D show an event trace 900 of a purchase of a media data file 200 for permanent storage and playback by a user's media player 116.

First, a user can use a web browser 128 to make menus, catalogs, indices, some form of music and media available for purchase that can be similar in form to the preview listing of FIG. Or look at other listings. In step 902 (FIG. 9A), the user's web browser 1
From 28 (FIG. 1), a request to purchase a particular song is sent to the HTTP server 122, for example, by the user clicking a "Buy It" button. This button generates a URL including the media ID of the song to be purchased. For example, a call to the HTTP server 122 (FIG. 1) may be of the form: https: // web-server-addr / cgi-bin / purchase? mid = MID Here, web-server-addr is the host name or IP address of the HTTP / SSL server and the TCP port, and MID is the media ID. is there.

In step 904 (FIG. 9A), the HTTP server 122 (FIG. 1) transfers the purchase request data to the store server 132 and sends the requested media data file,
For example, in this illustrative example, authorization to pay for media data file 200 (FIG. 2) is initiated. In a preferred embodiment, this data is transferred using a secure connection.

The payment information is preferably collected at this point. Step 906 (FIG. 9A)
), The store server 132 (FIG. 1) generates a payment request form, sends this form back to the HTTP server 122, and the HTTP server 122
At (FIG. 9A), the form is submitted for display by web browser 128 (FIG. 1).

At step 910 (FIG. 9A), the user completes the form by entering data authorizing payment for the requested media data file. Typically, such payment authorization data includes the user's name, credit card account number, and credit card expiration date. For example, a call to the HTTP server 122 (FIG. 1) may be of the form: https: // web-server-addr / cgi-bin / ccinfo? cc = CCNO & exp = DATE & Mid = MID where CCNO is the credit card number and DATE is the expiration date of the credit card.

At step 912 (FIG. 9A), the web browser 128 (FIG. 1) sends the payment authorization data back to the HTTP server 122 in a protected manner, step 914.
In FIG. 9A, the HTTP server 122 passes this data to the store server 132.
If payment information is not collected at this stage, payment information will be collected after the appointment is created, as described more fully below.

In this exemplary embodiment, the HTTP server 122 and the merchant server 132
Executed within the store system 136 and collectively, the master media file 12
Service request for purchase and preview of audio content stored at 0. Further, the master media file 120 is located remotely, for example, at a music distribution center 124. As described above, this allows operators of the merchant system 136 to provide digital products and process transactions relating to the digital products while the digital products are stored elsewhere in the wide area network. You. As a result, the store system 13
Interaction between the HTTP server 122 and the store server 132 and the content manager 112 of the music distribution center 124 can be performed via a publicly accessible wide area network such as the Internet. Therefore, step 916
(FIG. 9A), the merchant server 132 (FIG. 1) preferably uses X.400 for authentication and key exchange. A secure connection to the content manager 112 is established using a 509 certificate and a cryptographically strong random number as the session encryption key. After the secure connection is established, the merchant server 132 uses the session key to
The reservation request to the manager 112 is encrypted. The reservation request specifies the requested media data file 200, and the reservation request includes the requested media file.
The media ID of the data file 200 and the requested quality level are included, and the requested quality level includes information such as the bit rate of the audio image and the number of channels. In step 918 (FIG. 9A), the store server 13
2 (FIG. 1) sends the encrypted reservation request to the content manager 112. At step 920 (FIG. 9A), the content manager 112 (FIG. 1)
The reservation request is decrypted and in response, verifies that the requested song of the specified quality level actually exists in the master media file 120 and is available for purchase.

The content manager 112 searches the media information database 106 for the received media ID to confirm that the requested song exists and is available for purchase. If the media data file 200 identified by the media ID is present in the database, the content manager 112 forms and encrypts a voucher packet for the merchant server 132 at step 922 (FIG. 9A). . Otherwise, the content manager 112 (FIG. 1)
) Returns a message indicating that the media ID does not correspond to a known media data file 200 or that the corresponding file is not available for sale. This information is transmitted to the web browser 128 via the HTTP server 122.
Will be sent back to In step 924 (FIG. 9A), the content manager 112
(FIG. 1) sends the encrypted voucher packet, which is decrypted by the merchant server 132 at step 926 (FIG. 9B). 1
In an embodiment, the encryption and decryption of the booking request and the returned voucher packet is performed by the Net between the merchant server 132 (FIG. 1) and the content manager 112.
scale Communications, Inc. Secure So
tickets Layer v. 3 as an integrated part of a protected communication link.

The voucher packet contains the content manager 11 to track the reservation.
Voucher ID, timestamp marking the start of the reservation,
Includes an expiration lifetime that specifies when the reservation becomes invalid, a delivery authorization token that marks the reservation as authorized or unauthorized to remove the reservation. Finally, the voucher packet includes a receipt token that is returned to the media player 116 within the media voucher to begin downloading the requested media data file 200 from the distribution server 118. The distribution permission token is a secret token between the content manager 112 and the store server 132 and is not disclosed to the user. The token and the receipt token are preferably cryptographically strong random numbers.

The content manager 112 updates the transaction database 130 to include new items with data from voucher packets. This data is then used to authenticate the download request from media player 116 for the verified purchase. Specifically, the content manager 112 maintains three sets of data about media files that have been reserved and are available for retrieval. (I) Pending purchase. These are media data files 200 that have been reserved but not yet authorized for distribution. (Ii) Purchased and undelivered. These are media data files 200 that have been authorized for distribution, for which a receipt token has been issued, but which have not yet been redeemed. (Iii) Purchased and delivered. These are the media data files 200 for which a receipt token has been issued, verified, and redeemed for delivery of the file to the requesting media player 116.

When a voucher packet is issued for a reservation, the voucher packet is added to a list of pending purchases.

In an alternative embodiment, payment data is provided using an electronic wallet such as the Wallet by CyberCash, Inc. of Reston, Virginia, USA. In this embodiment, the store server 132 uses a “Wallet” button and a “Wallet” button.
Create a web page with a "Retrieve It" button. When the user clicks the wallet button, the store server 13
2 returns an invoice with a "wallet" MIME type indicating the amount of the purchase.
Web browser 128 launches a wallet application specific to the wallet MIME type. The wallet application recognizes the information on the invoice and displays to the user a set of different payment form options available to the user, such as an electronic cash, check, or specific credit card.
The user selects one of these payment forms using conventional graphical user interface techniques. The wallet application connects to the merchant server 132 and distributes the requested payment information using, for example, a network protocol defined by the manufacturer of the wallet application. The consumer clicks on the “Pay” button to complete the transaction.

In either embodiment, in step 928 (FIG. 9B), the store server 132
Connect to payment processing system 134 to request payment. In response, at step 930 (FIG. 9), payment processing system 134 (FIG. 1) verifies the availability of the funds and sends a payment authorization to merchant server 132.

After the store server 132 (FIG. 1) receives the payment authorization, the store server 132
Notifies the content manager 112 that the user has purchased media associated with the voucher ID. This involves encrypting the voucher ID and permission token previously sent to the merchant server 132 (FIG. 1) in step 932 (FIG. 9B) and a permission notification including a flag indicating the new state of the reservation as permitted for distribution. In step 934 (FIG. 9B), the encrypted permission notification is sent to the content manager 11.
2 is transmitted. At step 936, the content manager 112 (FIG. 1) decrypts the authorization notification and at step 938 (FIG. 9B) updates the transaction database 130 (FIG. 1) to purchase a voucher packet with this voucher ID. And reflect what was allowed for the download. This notification allows the content manager 112 to request the requested media
The data file 200 is allowed to be used for distribution. Step 9
At 40 (FIG. 9B), the content manager 112 (FIG. 1) uses the voucher ID and the updated permission token (which can be used to identify the recorded permission and change the recorded permission). And encrypting the packet containing the
In FIG. 9B), the packet is transmitted. In step 944 (FIG. 9B), the store server 132 (FIG. 1) decrypts the packet and restores the voucher ID and the updated authorization token.

After the store server 132 (FIG. 1) permits the purchase, the store server 132 logs this information in the internal purchase database. To log purchases,
There are two purposes. First, such a log record allows a store to store sales of particular content. Second, with such logging,
Merchants can accurately report to rights agent 108 for copyright notice and billing purposes. In this exemplary embodiment, two logs are used, a merchant log and an audit log. The store log is in plain text, and the audit log is stored in an encrypted form. Audit logs are regularly stored at Media Line Sensing Center 1.
Uploaded to 10. Protocols for creating and verifying audit logs are described below under "
Reporting Rights ".

In the wallet payment embodiment described above, the merchant server 132 returns a payment receipt to the wallet application.

In cases other than the wallet, the store server 132 executes step 946 (FIG. 9C).
And via an independently established secure HTTP connection, "Retrieve
Create a web page with an "It" link and send it to web browser 128. In step 948 (FIG. 9C), the web browser 128
Display the page. The “Retrieve It” link includes the URL of distribution server 118 (FIG. 1) as the distribution server that provides the requested media data file 200. An example of this data is shown. https: // web-server-addr / cgi-bin / lavs? vid = VVV & receipt = RRR Here, VVV is a voucher ID and RRR is a receipt token.

When the user clicks this link in web browser 128 in step 950 (FIG. 9C), another secure HTTP with HTTP server 122
The connection is set up by web browser 128 (FIG. 1), and in step 952 (FIG. 9C), the voucher ID and receipt token are
22 CGI script. At step 954, the CGI script contacts the content manager 112 (FIG. 1) to request a media voucher 300 (FIG. 3) including the voucher ID, receipt token, distribution server network address and port number. The “Retrieve it” URL may include multiple voucher ID / receipt pairs to retrieve multiple media data files 200 in a single operation. Content Manager 11
2 (FIG. 1) generates a media voucher 300 (FIG. 3), step 956 (FIG. 3).
In FIG. 9C), it returns to the HTTP server 122. At step 958, the HTTP server 122 (FIG. 1) transfers the media voucher 300 to the web browser 128 via a secure HTTP connection. In addition, the request and transmission of the media voucher in steps 954 (FIG. 9C) and 956 may also be performed using a
Executed over the connection or otherwise passed in encrypted form between HTTP server 122 and content manager 112. This is because such information passes through publicly accessible networks.

The media voucher 300 (FIG. 3) is returned as data for the media player 116 (FIG. 1) along with a MIME type that identifies the media voucher 300. Accordingly, the web browser 128 proceeds to step 960 (FIG. 9C)
The media voucher 300 is passed to the media player 116.

At step 962, the media player 116 (FIG. 1) prompts the user to enter a passphrase associated with the secret key registered with the media player 116. The prompt is displayed once or every time per session, depending on the preferences that can be set by the user. Security is provided in this step by passphrase protection of the user's private key 412 (FIG. 4) in passport 400.

At step 964 (FIG. 9C), the media player 116 (FIG. 1) uses the receipt token (a secret shared with the content manager 112) to provide the voucher ID 302 (FIG. 3) and the consumer certificate. 402 (FIG. 4) is authenticated. Media player 116 (FIG. 1) establishes a TCP connection (which may be unsecured) to distribution server 118 using the address and port specified in media voucher 300 (FIG. 3). The media player 116 (FIG. 1) uses the receipt token as a key to create a message containing the keyed MAC of the voucher ID 302 (FIG. 3). This message is signed and step 9
At 66 (FIG. 9C), the distribution server 118 (FIG.
). At step 968 (FIG. 9C), the distribution server 118 (FIG. 1)
The encrypted data and the plaintext voucher ID 302 (FIG. 3) are sent to the content manager 112 (FIG. 1) for verification.

The content manager 112 maps the voucher ID 302 (FIG. 3) to a receipt token in the transaction database 130 (FIG. 1), and in step 970 (FIG. 9C) uses the receipt token to the MAC. Verify the encoded voucher ID and other data.

[0135] If the voucher ID is verified, in step 972 (FIG. 9D), the content
The manager 112 (FIG. 1) encrypts the media key of the song using the media player 116's public key. In this manner, the media is specifically licensed to consumers individually. The media data file 200 (FIG. 2)
Hereafter referred to as licensed media. The security of this step of the transaction is that the media player 116 (FIG. 1) uses both the public / private key pair issued by the media licensing center 110 and the receipt sent as part of the purchase transaction. It comes from the fact that you have to prove that you have. The certificate chain is verified upon receipt from the player.

In step 974 (FIG. 9D), the content manager 112 (FIG. 1) uses the encrypted media key with audio quality information (such as bit rate and number of channels), the media key itself. The public key algorithm and encryption parameters, the distribution permission token, the media ID, the voucher ID, the certificate serial number of the content manager, and the certificate number of the media player are returned to the distribution server 118.

At step 976 (FIG. 9D), distribution server 118 (FIG. 1) retrieves metadata associated with the licensed media from content manager 112. The media ID identifies the licensed media,
The consumer certificate received by distribution server 118 in step 966 (FIG. 9C) identifies the user of media player 116 (FIG. 1). Thus, the content manager 112 selects metadata about the licensed media and the user. Meta data associated with the licensed media (which in this exemplary embodiment is a music audio signal) may include, for example, lyrics, graphical images of album artwork, motion images, etc.
Videos, performer biographies, liner notes, credits, and commentary can be included. Meta data associated with the user includes, for example, passport 400
Or the advertising artwork selected by the content manager 112 according to information about the user stored by the content manager 112. Such information can be as simple as address information that allows the advertising artwork to be regional. Instead, such information can be more specific and include age, marital status, income, hobbies, and the like. In such a case, the advertising artwork may be selected by the content manager 112 according to such user demographic information.

At step 978 (FIG. 9D), distribution server 118 (FIG. 1) retrieves the licensed media from master media file 120 according to the media ID included in media voucher 300 (FIG. 3). At step 980 (FIG. 9D), the distribution server 118 (FIG. 1) may use the retrieved information, including the licensed media and meta data, to determine which licensed media and metadata To ensure that the media player 116 cannot determine if it has been downloaded, secure media such as SSL may be used.
Send to media player 116 using a protocol. The downloaded media data is hashed by the media player 116,
The hash is sent back to the distribution server 118 and the media player 116
Verifies that the data received is complete and accurate. In a preferred embodiment, distribution server 118 limits the rate of data transfer to media player 116 to conserve network resources.

After the distribution is completed and verified, the distribution server 118 executes step 982 (FIG. 9).
At D), notify the content manager 112 of the completed distribution, indicating the voucher ID, media ID, receipt token, download duration, and authentication token. Content manager 112 (FIG. 1) updates transaction database 130 to reflect the delivery of the media data file and records information describing the delivery in a log file. Step 9
At 84 (FIG. 9D), the media player 116 (FIG. 1) prompts the user to indicate that the received licensed media is ready for playback, or Playback can be started automatically.

When playing the received media data file 200 (either immediately or later), a consumer passphrase is entered. Media Player 11
6 extracts the encrypted registration key 420 (FIG. 4) from the passport 400 and decrypts it using the passphrase. The media player 116 (FIG. 1) extracts the encrypted secret key 412 (FIG. 4) from the passport 400 and decrypts it using the registration key 420. The media player 116 (FIG. 1) uses the consumer's private key 41
Use 2 to decrypt the media key. Finally, the media player 116
The media key is used to decrypt the audio image 208 (FIG. 2) in real time as the media is played.

While the audio image 208 is being played, the consumer's personal information 414 (FIG. 4), including the consumer's confidential information 418, from the passport 400 is transmitted to the user of the media player 116 (FIG. 1). -Preferably displayed on the interface. The display of this information is a strong deterrent to a user transferring an illegal copy of the media data file 200 (FIG. 2) to another user. I mean,
By doing so, it becomes necessary to display the confidential information 418 (FIG. 4) of the user. Further, since the media player 116 (FIG. 1) provided the consumer certificate 402 (FIG. 4) as part of the distribution protocol, the certificate serial number along with the voucher ID 302 (FIG. 3) is stored in the media data file. Embedded. Thus, either the store that owns the store server 132 (FIG. 1) that sells music or the media licensing center 110 retrieves the consumer's personal information and retrieves the media data file 200 (FIG. 2). To identify this person as a source of piracy.

Reporting Rights At startup, the content manager 112 (FIG. 1) communicates with the media licensing center 110 to initiate a protected anti-tamper log used for rights reporting information. The content manager 112 and the media licensing center 110 negotiate a shared secret, a cryptographically strong random number used for encrypting and verifying the log. This secret is stored only in the media licensing center 110, so the log created by the content manager 112 cannot be verified until after the log has been delivered to the media licensing center 110. .

An entry in the protected log is created for every media data file sold. Protected logging is known and is described, for example, in B. Schneier and J. Kelsey, "Cryp.
graphical Support for Secure Logs on
"Untrusted Machines", The Seventh USE
NIX Security Symposium Proceedings, U
SENIX Press, pages 53-62 (January 1998). When creating an entry, the secret is used as a key for encryption and for creating a keyed MAC, which is then hashed using a text string to create the key used for the next log entry Is done. The keyed MAC contains an encrypted log entry with a "running hash" that is updated by hashing the current encrypted data to an old hash value. Since the encryption key and MAC key are different for each log entry and are created via a one-way hash function, the only way to verify the log or decrypt the entry is
Start with a shared secret stored only in the media licensing center 110. This makes the log very secure against tampering after the log has been created. Also, since all previous items are included in the hash for each item, it is almost impossible to remove items in the middle of the log without being detected when the log is verified by the media line sensing center 110. .

This logging protocol is used to create an entry each time a media data file is completely downloaded by the media player 116. Log entries include timestamp, track title, artist name, track author, song length, selling price, certificate ID from media player 116, voucher ID, media data file name, and any audio image. Includes a descriptor that identifies whether the file has been downloaded. The logs are periodically uploaded to the media line sensing center 110 and verified off-line by batch processing. Once verified, the purchase information can be processed (eg, aggregated by artist, track, etc.) to determine the correct royalty or other payment based on sales and previews.

Component Architecture Content Manager FIG. 10 shows the software modules of the preferred embodiment of the content manager 112. The content manager 112 includes a database access module 1002, a security module 1004, a management module 1006, a rights reporting module 1008, a publication module 1010, a commerce module 1012, a logging module 1014, and a certificate update module 1016. .

Database Access Module 1002: This module is
Manages all requests for data from media files 120 and media information database 106. Various other modules interface with this module to retrieve, update, create, or delete media data files 200, media description data 204. The database module 1002 receives data requests, typically as name-value pairs, and translates these requests into SQL requests for the underlying database.

Publication module 1010: This module is for media data file 2
00 provides an interface for both external uploading from the authoring tool 102 and importing the media data file 200 from the local file system of the computer hosting the content manager 112.

Specifically, the publishing module 1010 exports the following functions.

Upload File: This message is sent by the authoring tool 102 to begin uploading a media data file, for example, the media data file 200. This message contains the length of the media data file being uploaded, a flag indicating whether the file should be created or overwriting an existing file, and a flag indicating whether the file should be uploaded in a protected manner . This message also contains the file name of the file. If the file is to be uploaded in a protected manner, the publishing module 1010 sends from the security module 1004 the public key of the content manager 112 for encrypting the media key of the audio image, the public key of the content manager 112. Get the certificate and the algorithm used to encrypt the public key itself. This information is passed to the authoring tool 102 to authenticate the content manager 112 during the publishing process (at step 508 in FIG. 5).

Upload Data: This message is sent by the authoring tool 102 to the content manager 112, where it is uploaded as described in the previous message (FIG. 5).
At step 522).

Upload Abort: This message terminates the ongoing upload.

Upload Space: This message requests the amount of free space available in Content Manager 112 for a new upload. The announcement module 1010 responds with the total number of kilobytes allocated to the upload and the number of free kilobytes remaining.

Import file: This message directs the publishing module 1010 to import a file from the local file system.

List Project: This message gives a list of files or subprojects in the local directory. Specify the path name of the directory by message data. The publication module 1010 responds with the number of items in the project, the file name of each item, and a flag for each item that indicates whether the item represents a file or a subproject.

File Info (file information): This message requests detailed information of the file specified by the path name. The publishing module 1010 responds with the file length, a flag indicating the file type, and a URL to request streaming of the file.

Create Project (Project Creation): This message requests creation of a project specified by a path name.

Rename File (Change File Name): This message changes the name of the file from the specified source path name to the specified destination path name.

Delete File (delete file): This message deletes the file specified by the path name.

Security module 1004: This module manages various encryption operations provided by the content manager 112. This includes media key encryption, digital signatures on certificates and other data.
Key generation is preferably provided by an RSA BSAFE key generation routine. The digital signature is performed according to the known PKCS # 1 MD5 + RSA algorithm.

Commerce Module 1012: This module manages the transactions for previewing and purchasing media data files 200. This module interfaces with the security module 1004 to obtain encryption services and interfaces with the database access module 1002 to obtain media information. Commerce module 1012 also determines whether media data file 200 is available for sale.

The commerce module 1012 interfaces with the merchant server 132 to receive purchase requests and provide reservations. The commerce module 1012 interfaces with the merchant server 132 to provide reservations for media data files,
Protect.

The commerce module 1012 also provides the media player 116 with a media voucher 300 including generation and verification of a receipt token and an authentication token.
To deliver.

In addition, the commercial transaction module 1012 includes a pending purchase, a purchased undelivered file,
Maintain a list of reserved and available media files for retrieval, including tracking of purchased and delivered files. Commerce module 1
012 exports the following functions.

Preview: This message includes the media ID 304. In response to the preview message, the commerce module 1012
Distribution server 11 that can stream media for preview
Address and port and voucher I used to track transactions
D302, and send the media voucher 300.

Reserve: This message includes a media ID 304, a quality indicator identifying the audio image 208 in the media data file to be reserved, and the number of audio channels (eg, “mono”). Or "stereo"). In response to the booking message, the commerce module 1012 sends a voucher ID 302 to track the transaction, a timestamp at the beginning of the transaction, a timeout value indicating the number of seconds that the booking is valid, an authorization string to change the booking, And return the playback receipt string used to download the file.

Authorize: This message includes a voucher ID 302, an authorization string, and a status value indicating that the reservation must be made available for download. In response to the authorization message, the commerce module 10
12 sends back a new authorization string to make the next change to the reservation.

Expire: This message contains a voucher ID 302, an authorization string, and a status value indicating that the reservation must be removed from the system.

Deliver (delivery): This message includes a voucher ID 302 and a receipt 306. In response to the delivery message, the commerce module 1012
A media voucher 300 including a delivery server 118 address and port from which media can be downloaded, a voucher ID 302 used to track transactions, and a receipt 306 used to validate the media player 116 at the time of delivery. Send it back.

Management module 1006: In this module, the number of distribution servers and the number of active streams allocated to each server, the port used by the content manager 112 for network transmission and reception of requests, and the number of songs available for purchase Operating parameters of the system, including numbers, are defined. This module also manages and tracks performance statistics such as aggregate and throughput. The management module 1006 exports the following functions.

Get Config: In response to the Get Configuration message, the management module 1006 sends the current configuration data in the form of a configuration file.

Set Config: This message contains the configuration file for the Content Manager 112 and, in response to the configuration message,
The management module 1006 sets the configuration according to the included configuration file.

CM Shutdown: By this message,
The content manager 112 is shut down.

DS Shutdown: By this message,
The distribution server specified by the network address included in the message is shut down.

Delete DS Configuration: This message shuts down the distribution server specified by the network address contained in the message, for example, distribution server 118, and the distribution server Removed from the configuration.

[0175] CM Statistics: This message requests system statistics. The management module 1006 responds with the following. Uptime: The time during which the content manager 112 was running. #Vouchers: Number of media vouchers 300 issued by content manager 112. CacheSize: The maximum number of media data files 200 that can be cached. #Items: Current number of media data files 200 in cache. #Access: Total number of accesses to the media data file 200. #Misses: Number of accesses to media data file 200 that were not in the cache. Using #Items, #Access, and #Misses, the system provider can determine whether increasing the cache size is appropriate. # In-cache: media data file 2 currently in cache
Number of accesses to 00. #DS: Number of distribution servers connected to the content manager 112. DS Address n: Network address of the nth distribution server 118. #Streams n: The number of streams allocated to the n-th distribution server 118. #Used n: The number of streams used by the n-th distribution server 118.

Log recording module 1014: This module is
Error logging of errors during communication between the T.12 and other system components; purchase logging to log each purchase of the media data file 200; and logging each preview of the media data file. Provides a preview log record for recording. These logs are stored in the rights reporting module 1008
Is used to generate and report sales, usage, and credit offsets of the media data file 200.

[0177] Rights reporting module 1008: This module communicates with the rights agent 108 to report usage and grand totals for various media data files 200 in the system. The rights report includes the identification, type of use, and media data file for each media data file purchased or downloaded.
The agent information or agent code specified specifically for the file 200 is included.

Certificate Update Module 1016: This module interfaces with the Media Line Sensing Center 110 to receive content manager 112 certificate updates. The certificate of the content manager 112 is issued with a short validity period, preferably of about one to two weeks. by this,
The content manager 112 will need to be re-certified periodically, ensuring that the content manager 112 remains authenticated over time.

Distribution Server FIG. 11 illustrates the software architecture of one embodiment of distribution server 118. Distribution server 118 includes a request processor 1102, a preview module 1104, a purchase module 1106, and a content manager communication module 1108.

Request Processor 1102: This module processes a request for preview or purchase of a media data file from the media player 116. The request is sent to either the preview module 1104 or the purchase module 1106, depending on the type of request encoded in the URL passed to the HTTP server 122. This module provides a DS registration function and the distribution server 11
8 is registered in the content manager 112.

Content Manager Communication Module 1108: This module is used by the Content Manager to request configuration information, verify voucher IDs, obtain up-to-date media information, obtain purchase verification information, and digitally sign information. Establish a TCP connection with 112.

Preview Module 1104: This module is for Media Player 1
Respond to a request to stream media data for real-time playback of audio by H.16. This module provides the following functions.

Allocate Stream: This message is used to indicate that a stream has been allocated for a particular preview request.
Sent by the preview module 1104 to the content manager 112. This message specifies the voucher ID of the request, the network address of the media player 116 when the media player receives the stream, the bandwidth requested by the media player 116, and the media ID of the file to be streamed. You.

Release Stream: This message is used by the preview module 1104 to release the stream following completion of the request.
To the content manager 112. This message includes the voucher ID, the error condition, the duration of the stream, and the identification of the streamed audio image.

The preview module 1104 is based on RFC-1889 and RFC-189.
0, also implements a streaming protocol for streaming media data based on Real Time Transfer Protocol. Streaming protocols include:

Initiate: This message is sent by the media player 116 to initiate a connection to the distribution server 118. This message is sent to the network address (media voucher 300) of distribution server 118.
), The media player's port to receive the stream, bandwidth, voucher ID, and media ID.

Stream Ready: This message is used to provide clip and song parameters for previewing the file, including lead-in and lead-out, fade-in and fade-out, bandwidth, and duration. Sent by distribution server 118 to media player 116.

The actual streaming is managed by the transport control protocol. The transport message specifies a particular time within the audio image 208 that is accessed to start streaming playback. Since the distribution server 118 can only seek to a well-defined location in the audio image 208 (defined in the index table), the media player 116 first determines the time closest to the beginning of the stream. Must be determined. Accordingly, preview module 1104 supports a Query Time function that requests a desired start time. The preview module 1104 sends a Nearest Time message to the Query Time function indicating the time closest to the desired start time and the number of bytes transmitted from the specified time to the end of the clip. respond. The transport function takes the specified time (the closest time response) and instructs the preview module 1104 to start streaming from the specified time.

Purchase module 1106: This module manages a secure channel of communication based on a shared “secret” that is a receipt token generated by security module 1004 as part of media voucher 300. This module exports the following functions:

[0190] Rereadem Initiate: This message is sent by the media player 116 to initiate a connection for downloading the media data file 200.

[0192] Redeem Approved: This message is sent by the purchasing module 1106 to the media player 116 when the purchase request is approved by verifying the encrypted verification information.

[0192] Restart Start: This message is sent by the media player 116 to start the download itself.

Get Info: This message is sent by the purchase module 1106 to the content manager 112 to request media description data.
Sent to

Readem Data Transfer Done: This message is sent by the purchase module 1106 when all data has been transferred.

Media Line Sensing Center Media Line Sensing Center 110 is responsible for generating certificates to other system components and generating key pairs for media player 116. FIG. 12 shows the software and software of the media line sensing center 110.
One embodiment of the architecture is shown, which includes the following modules:

[0196] Key generation module 1202: This module
Provide a public / private key pair for the server and possibly for the content manager.

Request handler module 1204: This module handles all external communication to media line sensing center 110. This may be via a web page form for routing a user requesting a passport or content manager 112 certificate to the authentication module 1206, or for requesting to recover a lost or forgotten passphrase. Can be achieved.

Authentication module 1206: This module uses any external system to verify the user identity to verify the address and to separately verify the credit card via payment processing system 134 to request a passport. Authenticate. For the content manager certificate, authentication module 1206 verifies that there is an account set up for the particular music distribution center 124 making the request.

Certificate generation module 1208: This module contains all other system
Supply a certificate for the component. In this way, media line sensing
The center 110 works as a certification authority. The certificate is ITU-TX. Preferably, the certificate includes the public key of the requesting entity (generated by that entity or by the key generation module 1202),
Includes information identifying the requesting entity, verification information, and the digital signature of the media licensing center 110. Digital signature is RSA
It is preferably generated according to the Laboratories PKCS # 1 specification. Specifically, this module creates a consumer certificate 402 during registration with the event trace 600.

Passport generation module 1210: This module receives the consumer certificate 402 from the certificate generation module 1208, the consumer's private key from the key generation module 1202, and the user's personal information from the registration form via the web browser 128. And generate a registration key 420, and transfer all of this data to the media
It is packaged as a registration file to be distributed to the player 116.

Certificate database module 1212: This module
00 is a data repository that permanently stores the appropriate consumer identification information and registration keys to allow for the recovery of 00. This module also stores account information for music distribution centers.

Management module 1214: This module generates reports of various information about passports and certificates, including the number of issued passports 400 and certificates, currently valid certificates, and expired certificates.

[0203] Certificate update module 1216: Certificates issued by certificate generation module 1208 have varying validity periods. The validity period of the consumer certificate is
One year. The validity period of the certificates of the content manager 112 and the distribution server 118 is about two to four weeks. The certificate update module 1216 periodically reviews the passport database 1212 to determine which certificate has expired. Certificate update module 1216 authenticates the entity holding the expired certificate and issues a new certificate.

Media Player FIG. 13 shows the software architecture of the media player 116. The media player 116 is capable of decrypting and playing media data files and later on a recordable compact disc ("CD") for playback on a regular CD player.
Recording audio data files from media data files to CDs and recording to semiconductor memory devices. Media Player 1
16 interfaces with a distribution server 118 to receive media data files, and the media player 116 includes the following modules.

User interface module 1314: This module plays,
Audio, including controls for fast-forwarding, rewinding, pausing playback, and displaying the time, remaining time, artist information, track information, cover and promotional illustration art, and lyrics along with the display Providing a user interface for controlling the reproduction of data; These controls operate on both streaming audio data from the distribution server 118 during the preview transaction and playing back locally stored audio data, including audio recorded on the compact disc by the user. The various controls are responsive to signals generated by the user via physical manipulation of the user input device of the client system 126 in a conventional manner, and transport and download protocol messages to the distribution server 118. Call the function that generates

Network communication module 1300: This module
Or managing the media player 116's interface with the network, including establishing a TCP connection with either the protected channel or the unprotected channel with the proxy. Network communication module 1300
Has the ability to establish a connection, request media to preview or purchase,
Provides playback control functions such as stop, start at time offset, and connection shutdown functions.

Passport Management Module 1302: This module is responsible for managing a user's passport. This module operates during registration of the media player 116 and during playback of audio data. During registration, web browser 1
28 receives the registration file from the passport generation module 1210 of the media line sensing center 110 via an SSL connection. The registration file contains the data used in the user's passport, and the registration file is stored locally on the client computer 126. The registration file is not encrypted in this exemplary embodiment. Web browser 128 calls media player 116 and provides the file name and path of this registration file. The passport management module 1302 extracts the passport data from the registration file and uses the pass phrase specified by the user, for example, RSA PKCS
The passport data is encrypted according to the # 5 algorithm. During playback, the passport management module 1302 is used to first decrypt the passport using the passphrase and use the user's private key to decrypt the media key stored in the passport. The media key is then transmitted to the playback module 1316
Is used to decrypt the encrypted audio data in the purchased media data file. Further, the passport management module 1302
Decrypts personal information 414 from passport 400, including the user's name and sensitive information such as credit card numbers, and provides the name and sensitive information to user interface module 1314 for display during playback.

Purchase module 1304: This module manages the purchase of media data files. This module is used to identify the media to be purchased
It interfaces with web browser 128 to receive vouchers 300 and interfaces with a distribution server, such as distribution server 118, to effectuate distribution. This module then communicates with the distribution server 118 to download the media data files in a protected manner, including generation of download messages according to the distribution server's 118 download protocol. The purchase module 1304 obtains the consumer certificate 402 from the passport 400 by:
It also interfaces with the passport management module 1302. The consumer certificate is provided to the distribution server 118, which passes the consumer certificate to the content manager 112 for encrypting the media key with the consumer's public key contained therein. .

[0209] Preview module 1306: This module manages media request and acquisition from distribution server 118 and real-time streaming. The preview module 1306 interfaces with the distribution server 118 via transport controls to stream media for preview and free download.

[0210] File management module 1308: This module manages media data from the local hard disk of the client computer system 124
Read file 200 and write media data file 200 to its local hard disk.

CD device management module 1310: This module is a CD-Record
Format the media data file 200 for writing to a table or other writable device. Formats include decompression and CD
Includes formats to the Red Book standard. The decompressed data is preferably maintained in an encrypted format until just before writing the data to the device.

Track List Module 1312: This module organizes the user's media data files into various lists of media tracks and provides a user interface to access and manage this information. This allows the user to create a list of media to be recorded on a CD or similar portable storage media.

[0213] Playback module 1316: This module performs the playback of the media data file 200, including decrypting the audio image 208 using the media key. The playback module 1316 implements controls to start, stop, pause, rewind, and fast forward playback.

The above description is illustrative only and not restrictive. Rather, the invention is limited only by the claims.

[Brief description of the drawings]

FIG. 1A is a diagram of a protected online music distribution system according to the present invention.

FIG. 1B is a diagram of a protected online music distribution system according to the present invention.

FIG. 2 is a diagram of a media data file.

FIG. 3 is a diagram of a media voucher.

FIG. 4 is a diagram of a passport.

FIG. 5A is an event trace of a publication process.

FIG. 5B is an event trace of a publication process.

FIG. 6A is an event trace of a registration process.

FIG. 6B is an event trace of a registration process.

FIG. 7A is an event trace of a preview process.

FIG. 7B is an event trace of a preview process.

FIG. 8 is a diagram of a web page for selecting a preview during a preview process.

FIG. 9AA is an event trace of a purchase process.

FIG. 9AB is an event trace of a purchase process.

FIG. 9BA is an event trace of a purchase process.

FIG. 9BB is an event trace of a purchase process.

FIG. 9CA is an event trace of a purchase process.

FIG. 9CB is an event trace of a purchase process.

FIG. 9DA is an event trace of a purchase process.

FIG. 9DB is an event trace of a purchase process.

FIG. 10 is a diagram of a content manager.

FIG. 11 is a diagram of a distribution server.

FIG. 12 is a diagram of a media line sensing center.

FIG. 13 is a diagram of a media player.

FIG. 14 is an illustration of one embodiment of a media player user interface.

──────────────────────────────────────────────────続 き Continued on the front page (51) Int.Cl. ⁷ Identification symbol FI Theme court ゛ (Reference) G06F 17/60 332 G06F 17/60 332 512 512 (81) Designated countries EP (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE), OA (BF, BJ, CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG), AP (GH, GM, KE, LS, MW, SD, SL, SZ, TZ, UG, ZW), EA (AM, AZ, BY, KG, KZ) , MD, RU, TJ, TM), AE, AG, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, CA, CH, CN CR, CU, CZ, DE, DK, DM, DZ, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP , KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, NO, NZ, PL, PT, RO, RU, SD, SE, S G, SI, SK, SL, TJ, TM, TR, TT, TZ, UA, UG, UZ, VN, YU, ZA, ZW (72) Inventor Cherenson, Andrew Earl United States 94022 Los Angeles, California Jordan Avenue 814 (72) Inventor Ansel, Steven T. United States 94439 California Fremont Sequim Common 302 (72) Inventor Canon, Susan A. Ameri United States, 95128 California San Jose Woodland suberythemal Interview · 2458 F-term (reference) 5B082 AA13 GA11 Ru HA05 [continuation of the summary]. The store server runs within a store computer system, and the store computer system also includes an HTTP (HyperText Transfer Protocol) server. The merchant server interfaces with various payment processing systems. Client systems include media players and web browsers. Additional distribution servers and media licensing centers operate outside of and independent of the music distribution center and interface with the music distribution center.

Claims (50)

[Claims] 1. A method for conducting electronic commerce via a computer network, comprising: receiving a purchase request for a digital product in a store computer system of the computer network; and specifying a reward for the digital product. Receiving payment data within the merchant system; and transmitting the payment data to a content manager computer system different from the merchant computer system coupled to the content manager computer system via the computer network. Requesting a digital product reservation; and requesting, within the content manager computer system, a distribution of the digital product to a client computer system via the computer network. Receiving a distribution request signal from the merchant computer system; identifying the digital product; and transmitting transaction identification data representing a reward for the payment data to the client computer system; Receiving, within the distribution computer system, the transaction identification data from the client computer system; determining the digital product within the distribution computer system according to the transaction identification data; Transmitting the digital product from a system to the client computer system. 2. The method of claim 1, further comprising transmitting a signal from the distribution computer system to the content manager computer system indicating that transmission of the digital product to the client computer system is complete. 2. The method according to 1. 3. The method of claim 2, further comprising: identifying, by the content manager computer system, the digital product and recording purchase data indicating that the digital product has been purchased. 4. A media line sensing computer system comprising:
4. The method of claim 3, further comprising: transmitting the purchase data by the content manager computer system to the media line sensing computer system so that a reward for selling the digital product can be distributed. . 5. In order to form aggregated purchase data, the content
Aggregating purchase data from the manager computer and other purchase data from one or more other content manager computer systems; and wherein the rights agent computer system pays for the sale of the digital product. 5. The method of claim 4, further comprising: transmitting the aggregated purchase data to the rights agent computer system for distribution. 6. Recording the purchase data comprises encrypting the purchase data in such a manner that data kept secret by the media line sensing computer system is required to decrypt the purchase data. 4. The method of claim 3, comprising: 7. The method of claim 6, wherein encrypting the purchase data is performed in such a way that a change in the purchase data after the encryption is detected. 8. The method of claim 6, wherein encrypting the purchase data is performed such that removal of the purchase data from the sequence of purchase data records after the encryption is detected. 9. Transmitting the digital product from the distribution computer system to the client computer system comprises creating a new encryption key intended to be used only once and encrypting. Encrypting the digital product using the new encryption key to form an encrypted digital product; transmitting the encrypted digital product to the client computer system; The method of claim 1, further comprising: decrypting the encrypted digital product in the client computer system to recover the product; and destroying the new encryption key. 10. A request for a reservation by the merchant computer system: encrypting data representing the requested reservation; and transmitting the encrypted data to the content manager computer system. The method of claim 1, comprising: decrypting the data within the content manager computer system. 11. In response to a request for a reservation by the merchant computer system, the content manager computer system includes: (i) the transaction identification data; and (ii) product identification data identifying the digital product. And (iii) forming transaction data including binding data for binding the transaction to the computer system; and transmitting the transaction data to the merchant computer system, The method of claim 1, resulting in such a reservation. 12. The method of claim 11, wherein transmitting the transaction identification data includes encrypting the transaction identification data. 13. The method of claim 1, further comprising: transmitting the payment data from the merchant computer system to a payment institution; and receiving payment authorization data from the payment institution within the merchant computer system. the method of. 14. The method of claim 13, further comprising transmitting the payment authorization data to the content manager computer system. 15. The method of claim 14, wherein transmitting the payment authorization data comprises: encrypting the payment authorization data. 16. The method of claim 14, further comprising: recording by the content manager computer system that payment for the digital product has been authorized. 17. The contents computer according to claim 17, wherein
17. The method of claim 16, further comprising receiving acknowledgment data from a manager computer system indicating that a payment for the digital product has been recorded. 18. The method of claim 17, wherein the acknowledgment data includes the transaction identification data and a payment authorization token identifying a payment authorization recorded by the content manager computer system. 19. The method of claim 18, wherein said distribution request signal includes said transaction identification data and said distribution permission token. 20. The method of claim 19, wherein the distribution request signal is generated in response to a URL selection by the user, wherein the URL specifies the transaction identification data and the distribution permission token. 21. The method of claim 17, wherein the acknowledgment data is encrypted. 22. The method according to claim 22, wherein the distribution request signal is transmitted to the client computer.
The method of claim 1, wherein the method is received from a system in the content manager computer system, and wherein the distribution request signal is generated by the client computer system in response to a user generated control signal. 23. The user generated control signal is associated with a graphical user interface of a web browser, and the user generated control signal transmits the distribution request signal to the client computer system. 23. The method of claim 22, causing the system to transmit, wherein the merchant computer system communicates the distribution request signal to the content manager computer system. 24. The method of claim 1, wherein said delivery request signal includes said transaction identification data. 25. The method of claim 24, wherein the distribution request signal is generated in response to a selection of a URL by the user, wherein the URL specifies the transaction identification data. 26. The method of claim 1, wherein the transaction identification data received by the distribution computer system is certified as originating from the client computer system. 27. The method of claim 26, wherein the transaction identification data is certified by signing the transaction identification data using asymmetric key encryption. 28. The method of claim 1, wherein said digital product comprises a digitized audio signal. 29. The method of claim 28, wherein said digital product comprises a selection of one or more music. 30. The method of claim 29, wherein the digital product further comprises text data representing lyrics of the one or more music. 31. The method of claim 29, wherein the digital product further comprises text data representing the one or more musical liner notes. 32. The method of claim 29, wherein the digital product further comprises text data representing artist credits of the one or more music. 33. The method of claim 29, wherein the digital product further comprises textual data representative of the one or more musical reviews. 34. The method of claim 29, wherein the digital product further comprises one or more graphical images of album artwork associated with the one or more music. 35. The method of claim 29, wherein the digital product further comprises one or more graphical images of promotional artwork accompanying the one or more music. 36. The method of claim 35, wherein said advertising artwork is selected specifically for said client computer system. 37. The method of claim 36, wherein the advertising artwork is selected according to the information of the user of the client computer system, particularly for the client computer system. 38. The method of claim 37, wherein said information of said user is demographic. 39. A method for conducting electronic commerce over a computer network, comprising: receiving a purchase requirement for a digital product in a merchant computer system of the computer network; and specifying a reward for the digital product. Receiving the payment data in the store system, the store data being different from the store computer system,
Requesting a reservation of the digital product from a content manager computer system coupled to the content manager computer system via a network; readable by the content manager computer system;
And receiving voucher data from the content manager computer system wherein the reward specified by the payment data presents a transaction to be exchanged for the digital product to the content manager computer system. Method. 40. Inventory data specifying available digital products, including said digital products, and awarding to said content manager computer system for each of said available digital products is provided by said content manager. 40. The method of claim 39, further comprising receiving from a computer system. 41. Requesting a reservation: encrypting data representing the requested reservation; transmitting the encrypted data to the content manager computer system; 41. Decrypting the data in a manager computer system. 42. The method of claim 40, further comprising: transmitting the payment data from the merchant computer system to a payment institution; and receiving payment authorization data from the payment institution within the merchant computer system. the method of. 43. The method of claim 42, further comprising transmitting said payment authorization data to said content manager computer system. 44. The method of claim 43, wherein transmitting the payment authorization data comprises: encrypting the payment authorization data. 45. In the store computer system, the contents
The method of claim 44, further comprising receiving acknowledgment data from a manager computer system indicating that a payment for the digital product has been recorded. 46. The method of claim 45, wherein the acknowledgment data includes the transaction identification data and a payment authorization token identifying a payment authorization recorded by the content manager computer system. 47. The method of claim 46, wherein said delivery request signal includes said transaction identification data and said payment authorization token. 48. The method of claim 47, wherein said delivery request signal is generated in response to a URL selection by said user, said URL specifying said transaction identification data and said payment authorization token. 49. The method of claim 45, wherein the acknowledgment data is encrypted. 50. A method for conducting electronic commerce over a computer network, comprising performing a purchase phase of a transaction in a first computer system coupled to the computer network, wherein the purchase phase comprises: ,
Performing a purchase phase, including selecting a digital product for purchase and authorizing payment for the digital product; and in a second computer system coupled to the first computer system via the computer network. Performing a distribution phase of the transaction, wherein the distribution phase includes performing a distribution phase.