WO2011147693A1 - Method for providing EDRM (Enterprise Digital Rights Management) protected data objects - Google Patents
- Publication number
- WO2011147693A1 (PCT/EP2011/057762)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data object
- computer
- edrm
- key
- identification information
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
Definitions
- the present invention relates to a method and a system for providing EDRM (Enterprise Digital Rights Management) protected data objects.
- payload data may be control data from multiple machines that interact with each other. It is thus possible, for example, that a large number of production machines for producing a product communicate with one another at a production site and also exchange data with remote production sites and/or suppliers. Here, individual recipients, such as suppliers, are to be granted certain rights to the transmitted data. For example, a customer of a production company may transmit construction plans of a component. It must then be ensured that the production company only reads out the corresponding construction plans, but does not change them or pass them on.
- Digital rights management realizes an access protection on documents, regardless of a storage location of the documents.
- a protected document can only be opened and edited by an authorized user in accordance with his access rights, regardless of which storage device the document was stored on or to which arithmetic unit the document was sent.
- An unauthorized outsider who has been granted no access rights cannot obtain any unauthorized information from a copy of the document.
- documents are encrypted according to at least one encryption algorithm.
- the publisher additionally defines the rights of specific users or groups in the content of the document, which are summarized in a license information, also known as issuance license.
- the encrypted file is sent together with the license information to a server.
- the license information may describe, for example, that a third party, such as a configuration machine, may read, print and/or store certain parts of a construction plan.
- the license information may include a symmetric key used to encrypt and decrypt the document. Since this very key represents secret information, the license information can be encrypted with the public key of the server and the publisher can digitally sign the license information.
- the license information can be stored and maintained centrally on a server. However, the license information can also be accommodated in a file with the encrypted document, whereby only a less dynamic rights management is made possible.
- the access-protected document is read out.
- the client can take over the communication with the server in order to determine the symmetric key and the rights of a present document.
- the client can pass the rights it has read on to another readout unit that is provided for enforcing those rights.
- a decryption of the document can be carried out by the client, which also carries out a possibly required re-encryption at a later time.
- the publisher or rights holder must therefore regularly have a communication link to the EDRM server. Only then is it possible to register the corresponding EDRM protected data object on the EDRM server in the manner described above.
- industrial devices often do not have a network connection or are merely connected to a separate manufacturing network from which an EDRM server can not be reached.
- a data object key for decrypting the data object as a function of data identification information of the data object and the device identification information by means of a key derivation function
- an EDRM protected data object is generated offline by the first computer, without an existing connection to the EDRM server.
- a user authorized by the EDRM server in this case the second computer, can open the EDRM-protected data object.
- according to the invention, an EDRM server only becomes aware of a new EDRM-protected document when a client, as the second computer, requests a license to use this data object. From the information of the requesting client as second computer and from stored configuration information, such as default policies, the missing usage authorizations and the object key are determined in order to generate EDRM license information.
- the system according to the invention for providing at least one EDRM (Enterprise Digital Rights Management) protected data object includes a first computer that provides an encrypted data object to a second computer.
- the system comprises an EDRM server, which is set up to carry out the following steps on request of the second computer after a successful authentication of the second computer:
- a data object key for decrypting the data object as a function of data identification information of the data object and the device identification information by means of a key derivation function
- Figure 1 is a schematic representation of a flow diagram of a first embodiment of the method according to the invention,
- Figure 2 is a schematic representation of a flow diagram of a second embodiment of the method according to the invention.
- an EDRM protected data object is generated offline by a first computer without a connection to the EDRM server.
- the EDRM protected data object is then transmitted from the first computer to a second computer, for example a maintenance and diagnostic computer. Since the data object is in encrypted form, it cannot be processed by the second computer. Therefore, the second computer authenticates itself to an EDRM server and transmits, as part of the request, the data identification information and the device identification information to the EDRM server.
- the EDRM server checks the access authorization of the second computer to the data output by the first computer. Since the EDRM protected data object is not known to the EDRM server, the access rights are established from a device-dependent policy. In addition, the data object key is determined based on the obtained data identification information and the device identification information.
- FIG. 1 shows a flow diagram of a first exemplary embodiment of the inventive method with a machine 101, which is for example an X-ray device or a manufacturing control device. Also depicted are a service device 102 and an EDRM server 103.
- the service device 102 requests service data from the machine 101, for example, for maintenance or diagnostics 104. This service data is provided in EDRM protected form by the machine 101.
- the machine 101 determines the requested service data and generates corresponding document identification information Doc-ID 105.
- the machine 101 determines the associated document key DocEK using a key derivation function depending on an EDRM device key EDevK and the document identification information Doc-ID 105.
- with this document key DocEK, the document content, i.e. the determined service data, is encrypted 105.
- the EDRM-protected document thus produced is transmitted 106 to the service device 102.
- several variants are possible here, in that either the entire document content, i.e. the entire service data, or only a part of the document content, i.e. only a part of the service data, is encrypted with the key DocEK.
- the service device 102 can not initially open the document because it is in encrypted form. Initially, therefore, the service device 102 authenticates itself to the EDRM server 103 (ERM-S) in steps 107 and 108.
- the authorization of the service device 102 is checked 110 by the EDRM server 103 on request 109 by the service device 102. If the service device 102 is entitled to use the EDRM-protected document, it subsequently receives license information 111 from the EDRM server.
- this license information contains the document key DocEK and authorization information specifying which rights are granted to the authenticated service device 102. Such usage rights include, for example, printing, copying, displaying or modifying the document or part of the document.
- the EDRM server determines the document key DocEK used from the document identification information Doc-ID and the EDRM device key EDevK of the machine 101.
- the EDRM server determines the document identification information Doc-ID from the request of the service device 102, while the EDevK is already available to the EDRM server.
- the EDRM server finally determines the usage rights assigned to the EDRM document on the basis of the device identification information of the machine 101 contained in or from the document identification information Doc-ID.
- the EDRM server creates an entry for this document in its database.
- FIG. 2 shows a further exemplary embodiment of the present invention, in which a service manager 201 is additionally provided.
- the same process steps and network components are provided in FIG. 2 with the same reference numerals as in FIG.
- the service device 102 does not have the authority to open the EDRM protected document 202.
- the EDRM-protected data is therefore from the service device
- the service manager 201 then authenticates itself to the EDRM server 102 in steps 204 and 205. If the service manager 201 is authenticated, the EDRM server will authenticate 203 to the service manager 201
- as a key derivation function (Key Derivation Function), for example, an HMAC-SHA1 function is used, which receives the device identification information and the data identification information as input parameters.
- the document identification information Doc-ID comprises, for example, a pseudorandom or consecutively assigned document-specific identifier.
- an identifier determined, for example, by means of a hash function from the document content or the creation time (date/time)
- identifying information of the issuing computer used to create the document identification information.
- the identifying information of the issuing computer is, for example, a computer name, an IP address, a MAC address or a serial number.
- identification information of the assigned EDRM server can be included in the creation of the document identification information.
- the document identification information can be represented in the following format, for example:
- Doc-Id :: <document identifier> '@' <host ID>.
- EDRM-protected documents offline.
- Offline means that there is no communication connection to an EDRM server.
- an EDRM server is not available, for example, because it is located in a different network segment, such as an office network, or because the industrial system does not support online communication with a backend system, or because the communication takes place semi-online, i.e. there is only a limited online connection.
- Client to display / evaluate the EDRM protected data to communicate online with the EDRM server.
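
The offline key derivation on the machine and the later license request at the EDRM server described above, as an added Python example (not code from the patent). It assumes that EDevK is the HMAC key and the Doc-ID the message, which the text does not specify; the device names, key value, policy table and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data (not from the patent): the per-device EDRM keys
# the server already holds, and a device-dependent default policy that maps
# issuing device -> requester -> granted usage rights.
DEVICE_KEYS = {"xray-0042": bytes.fromhex("00112233445566778899aabbccddeeff")}
DEFAULT_POLICY = {
    "xray-0042": {"service-device-102": {"display", "print"}},
}


def parse_doc_id(doc_id: str) -> tuple[str, str]:
    """Split '<document identifier>@<host ID>' into its two parts."""
    ident, sep, host = doc_id.rpartition("@")
    if not sep or not ident or not host:
        raise ValueError(f"malformed Doc-ID: {doc_id!r}")
    return ident, host


def derive_doc_key(edevk: bytes, doc_id: str) -> bytes:
    """DocEK = HMAC-SHA1(EDevK, Doc-ID); key/message roles are an assumption."""
    return hmac.new(edevk, doc_id.encode("utf-8"), hashlib.sha1).digest()


def machine_protect(edevk: bytes, host_id: str, counter: int) -> tuple[str, bytes]:
    """Machine side, offline: build a Doc-ID and derive DocEK locally."""
    doc_id = f"{counter:08d}@{host_id}"
    return doc_id, derive_doc_key(edevk, doc_id)


def server_issue_license(requester: str, doc_id: str) -> dict:
    """Server side: call only after the requester has authenticated.

    The server has never seen this document. It recovers the issuing
    device from the Doc-ID, applies the device-dependent policy and
    re-derives the same DocEK the machine used.
    """
    _, host = parse_doc_id(doc_id)
    edevk = DEVICE_KEYS.get(host)
    if edevk is None:
        raise PermissionError(f"unknown issuing device {host!r}")
    rights = DEFAULT_POLICY.get(host, {}).get(requester)
    if not rights:
        raise PermissionError(f"{requester!r} has no rights for {host!r}")
    return {
        "doc_id": doc_id,
        "key": derive_doc_key(edevk, doc_id),
        "rights": set(rights),
    }
```

Because the server trusts the host ID carried in the Doc-ID to select EDevK and the policy, a request that names an unknown device or an unlisted requester is refused before any key is derived.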
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
An EDRM-protected data object is generated offline by a first computer without an existing connection to the EDRM server. The EDRM-protected data object is then transmitted to a second computer. Since the data object is in encrypted form, it cannot be processed by the second computer. The second computer therefore authenticates itself to the EDRM server and transmits to it, as part of its request, the data identification information and the device identification information of the first computer. The EDRM server checks the second computer's right of access to the data issued by the first computer. Since the EDRM-protected data object is not known to the EDRM server, the access rights are established by a device-dependent policy and the decryption key for the data object is determined.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102010021655.0 | 2010-05-26 | ||
DE102010021655A DE102010021655A1 (de) | 2010-05-26 | 2010-05-26 | Method for providing EDRM (Enterprise Digital Rights Management) protected data objects |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011147693A1 (fr) | 2011-12-01 |
Family
ID=44262972
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2011/057762 WO2011147693A1 (fr) | 2010-05-26 | 2011-05-13 | Method for providing EDRM (enterprise digital rights management) protected data objects |
Country Status (2)
Country | Link |
---|---|
DE (1) | DE102010021655A1 (fr) |
WO (1) | WO2011147693A1 (fr) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111104690A (zh) * | 2019-11-22 | 2020-05-05 | 北京三快在线科技有限公司 | Document monitoring method, device, server and storage medium |
CN114531249A (zh) * | 2020-10-30 | 2022-05-24 | ***通信有限公司研究院 | Request processing method and related device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5745879A (en) * | 1991-05-08 | 1998-04-28 | Digital Equipment Corporation | Method and system for managing execution of licensed programs |
US5917912A (en) * | 1995-02-13 | 1999-06-29 | Intertrust Technologies Corporation | System and methods for secure transaction management and electronic rights protection |
US20020013772A1 (en) * | 1999-03-27 | 2002-01-31 | Microsoft Corporation | Binding a digital license to a portable device or the like in a digital rights management (DRM) system and checking out / checking in the digital license to / from the portable device or the like |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2009154526A1 (fr) * | 2008-06-19 | 2009-12-23 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and device for protecting private content |
-
2010
- 2010-05-26 DE DE102010021655A patent/DE102010021655A1/de not_active Ceased
-
2011
- 2011-05-13 WO PCT/EP2011/057762 patent/WO2011147693A1/fr active Application Filing
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111104690A (zh) * | 2019-11-22 | 2020-05-05 | 北京三快在线科技有限公司 | Document monitoring method, device, server and storage medium |
CN111104690B (zh) * | 2019-11-22 | 2022-03-18 | 北京三快在线科技有限公司 | Document monitoring method, device, server and storage medium |
CN114531249A (zh) * | 2020-10-30 | 2022-05-24 | ***通信有限公司研究院 | Request processing method and related device |
Also Published As
Publication number | Publication date |
---|---|
DE102010021655A1 (de) | 2011-12-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE102018104679A1 (de) | Hardware security modules translated into tokens | |
DE19827659B4 (de) | System and method for storing data and protecting the data against unauthorized access | |
DE60316861T2 (de) | Method and device for encrypting/decrypting data | |
DE60224219T2 (de) | Secure printing of a document | |
EP3452941B1 (fr) | Method for electronic documentation of license information | |
EP2454704A1 (fr) | Method for reading attributes from an ID token | |
DE102009017221A1 (de) | Information-Rights-Management | |
EP3649768A1 (fr) | Method for securely replacing a first manufacturer certificate already installed in a device | |
WO2010026152A1 (fr) | Method for granting access authorization to a computer-based object in an automation system, computer program and automation system | |
DE60112227T2 (de) | Method and device for secure data distribution | |
EP4016338A1 (fr) | Access control for data stored in a cloud | |
EP3876127A1 (fr) | Remote device maintenance based on distributed data storage | |
DE102020205993B3 (de) | Concept for exchanging cryptographic key information | |
AT519025B1 (de) | Method for exchanging data fields of certified documents | |
WO2011147693A1 (fr) | Method for providing EDRM (enterprise digital rights management) protected data objects | |
EP2491513B1 (fr) | Method and system for providing erdm-protected data objects | |
EP3629516A1 (fr) | Decentralized identity management solution | |
DE102018102608A1 (de) | Method for user management of a field device | |
DE10251408A1 (de) | Secure and mediated access for e-services | |
EP3288215A1 (fr) | Method and device for issuing authentication certificates, and security module | |
DE10134489B4 (de) | Asymmetric cryptography method | |
DE112007000419B4 (de) | Digital rights management system with diversified content protection process | |
EP4123960B1 (fr) | Method and device for providing a digital user secret associated with a protected data object | |
WO2017190857A1 (fr) | Method and device for securing access to devices | |
DE102017208899A1 (de) | Class-based encryption method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 11723349 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 11723349 Country of ref document: EP Kind code of ref document: A1 |