Title of invention: MEDIA CLIENT DEVICE AUTHENTICATION USING HARDWARE ROOT OF TRUST
Abstract: A client device for media playback includes a user-installable media client application which implements the client-side of a digital rights management (DRM) system. The client device employs secure boot and verifies the user-installed application. The application is hardened against reverse engineering, and it utilizes a special API provided by the client device to tie into the secure boot, bridging the gap between the secure boot and the client-side of the DRM system contained within the application.
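Application publication number: US2016162669(A1)   Publication date: 2016.06.09
Application number: US201414907152   Filing date: 2014.07.23
Applicant: AZUKI SYSTEMS, INC.   Inventors: MIKHAILOV Mikhail;NAIR Raj
Classification: G06F21/12;H04L9/32;G06F21/57   Main classification: G06F21/12
Agency:   Agent: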
Principal claim: 1. A method by which a client device proves its authenticity to a media client to be user-installed on the client device as well as to a rights management server communicatively coupled to the client device, comprising: engaging in a secure boot process to confirm that an image persistently stored in the client device and including firmware for execution is specifically keyed for use in a rights management scheme employing a private encryption key at the rights management server and a corresponding public encryption key securely stored in the image, the firmware being configured and operative upon execution to respond to a request from the media client by returning a device registration message encrypted using the public encryption key, the secure boot process including (1) verifying a signature of the stored public encryption key using a first verification key securely stored in one-time-programmable (OTP) storage of the client device, (2) decrypting an encrypted symmetric key contained in the image and verifying a signature of the decrypted symmetric key using one or more second verification keys securely stored in the OTP storage, and (3) verifying a signature of the persistently stored image using the decrypted symmetric key; loading and executing the firmware upon successful completion of the secure boot process; and by the firmware during subsequent operation and in response to the request from the media client, using the persistently stored public encryption key to create the encrypted device registration message and returning the encrypted device registration message to the media client for forwarding to the rights management server as part of a device authentication process.
Address: Acton MA US