WO2011147693A1 - Method for providing EDRM (Enterprise Digital Rights Management) protected data objects - Google Patents

Method for providing EDRM (Enterprise Digital Rights Management) protected data objects

Info

Publication number
WO2011147693A1
Authority
WO
WIPO (PCT)
Prior art keywords
data object
computer
edrm
key
identification information
Prior art date
Application number
PCT/EP2011/057762
Other languages
German (de)
English (en)
Inventor
Rainer Falk
Steffen Fries
Original Assignee
Siemens Aktiengesellschaft
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens Aktiengesellschaft
Publication of WO2011147693A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]

Definitions

  • the present invention relates to a method and a system for providing EDRM (Enterprise Digital Rights Management) protected data objects.
  • payload data may be control data from multiple machines that interact with each other. It is thus possible, for example, that a large number of production machines for producing a product communicate with one another at a production site and also exchange data with remote production sites and/or suppliers. Here individual recipients, such as suppliers, are granted certain rights to the transmitted data. So it is possible that a customer of a production company transmits construction plans of a component; the aim is to ensure that the production company only reads out the corresponding construction plans, but does not change or pass them on.
  • Digital rights management realizes an access protection on documents, regardless of a storage location of the documents.
  • a protected document can only be opened and edited by an authorized user in accordance with his access rights, regardless of which storage device the document was stored on or to which computing unit the document was sent.
  • An unauthorized outsider who has been granted no access rights cannot obtain any information from a copy of the document he has received.
  • documents are encrypted according to at least one encryption algorithm.
  • the publisher additionally defines the rights of specific users or groups to the content of the document, which are summarized in a license information, also known as an issuance license.
  • the encrypted file is sent together with the license information to a server.
  • the license information may describe, for example, that a third party, such as a configuration machine, may read, print and/or store certain parts of a construction plan.
  • the license information may include a symmetric key used to encrypt and decrypt the document. Since this very key represents secret information, the license information can be encrypted with the public key of the server and the publisher can digitally sign the license information.
  • the license information can be stored and maintained centrally on a server. However, the license information can also be accommodated in a file with the encrypted document, whereby only a less dynamic rights management is made possible.
  • the access-protected document is read out by a client.
  • the client can take over the communication with the server in order to determine the symmetric key and the rights of a present document.
  • the client can pass the rights on to another readout unit that provides for the observance of the rights when reading.
  • a decryption of the document can be carried out by the client, which also carries out a possibly required re-encryption at a later time.
  • the publisher or rights holder must therefore normally have a communication link to the EDRM server. Only then is it possible to register the corresponding EDRM-protected data object on the EDRM server in the manner described above.
  • industrial devices often do not have a network connection or are merely connected to a separate manufacturing network from which an EDRM server cannot be reached.
  • a data object key for decrypting the data object is determined as a function of data identification information of the data object and the device identification information by means of a key derivation function
  • an EDRM protected data object is generated offline by the first computer, without an existing connection to the EDRM server.
  • a user authorized by the EDRM server, in this case the second computer, can open the EDRM-protected data object.
  • according to the invention, an EDRM server only becomes aware of a new EDRM-protected document when a client, as the second computer, requests a license to use this data object. From the information of the requesting client (the second computer) and stored configuration information, such as default policies that define usage authorizations and object keys, EDRM license information can be derived and generated.
  • the system according to the invention for providing at least one EDRM (Enterprise Digital Rights Management) protected data object includes a first computer that provides an encrypted data object to a second computer.
  • the system comprises an EDRM server, which is set up to carry out the following steps on request of the second computer after a successful authentication of the second computer:
  • a data object key for decrypting the data object is determined as a function of data identification information of the data object and the device identification information by means of a key derivation function
  • Figure 1 is a schematic representation of a flow diagram of a first embodiment of the method according to the invention,
  • Figure 2 is a schematic representation of a flow diagram of a second embodiment of the method according to the invention.
  • an EDRM protected data object is generated offline by a first computer without a connection to the EDRM server.
  • the EDRM-protected data object is then transmitted to a second computer, for example a maintenance and diagnostic computer, from the first computer. Since the data object is in encrypted form, it cannot be processed by the second computer. Therefore, the second computer authenticates itself to an EDRM server and, as part of the request, transmits the data identification information and the device identification information to the EDRM server.
  • the EDRM server checks the access authorization of the second computer to the data output by the first computer. Since the EDRM-protected data object is not known to the EDRM server, the access right is proven from a device-dependent policy. In addition, the data object key is determined on the basis of the obtained data identification information and the device identification information.
  • FIG. 1 shows a flow diagram of a first exemplary embodiment of the inventive method with a machine 101, which is for example an X-ray device or a manufacturing control device. Also depicted are a service device 102 and an EDRM server 103.
  • the service device 102 requests service data from the machine 101, for example for maintenance or diagnostics (104). This service data is provided in EDRM-protected form by the machine 101.
  • the machine 101 determines the requested service data and generates a corresponding document identification information Doc-ID (105).
  • the machine 101 determines the associated document key DocEK using a key derivation function depending on an EDRM device key EDevK and the document identification information Doc-ID (105).
  • with this document key DocEK the document content, i.e. the determined service data, is encrypted (105).
  • the thus EDRM-protected document is transmitted to the service device 102 (106).
  • several variants are possible, in that either the entire document content, i.e. the entire service data, or only a part of the document content, i.e. only a part of the service data, is encrypted with the key DocEK.
  • the service device 102 cannot initially open the document because it is in encrypted form. Initially, therefore, the service device 102 authenticates itself to the EDRM server 103 (ERM-S) in steps 107 and 108.
  • the authorization of the service device 102 is checked (110) by the EDRM server 103 on request (109) by the service device 102. If the service device 102 is entitled to use the EDRM-protected document, it subsequently receives license information (111) from the EDRM server.
  • This license information contains the document key DocEK and, where applicable, authorization information specifying which rights are granted to the authenticated service device 102. Such usage rights include, for example, printing, copying, displaying or modifying the document or part of the document.
  • the EDRM server determines the document key DocEK used from the document identification information Doc-ID and the EDRM device key EDevK of the machine 101.
  • the EDRM server determines the document identification information Doc-ID from the request of the service device 102, while the EDevK is already present on the EDRM server.
  • the EDRM server finally determines the usage rights assigned to the EDRM document on the basis of the device identification information of the machine 101 contained in, or derived from, the document identification information Doc-ID.
  • the EDRM server creates an entry for this document in its database.
  • FIG. 2 shows a further exemplary embodiment of the present invention, in which a service manager 201 is additionally provided.
  • the same process steps and network components are provided in FIG. 2 with the same reference numerals as in FIG. 1.
  • the service device 102 does not have the authority to open the EDRM-protected document (202).
  • the EDRM-protected data is therefore from the service device
  • the service manager 201 then authenticates itself to the EDRM server 102 in steps 204 and 205. If the service manager 201 is authenticated, the EDRM server will authenticate (203) to the service manager 201.
  • as a key derivation function (Key Derivation Function), for example, an HMAC-SHA1 function is used, which receives the device identification information and the data identification information as input parameters.
  • the document identification information Doc-ID comprises, for example, a pseudorandom or consecutive document-specific identifier.
  • an identifier determined, for example, by means of a hash function from the document content or from the creation time (date/time)
  • identifying information of the issuing computer is used to create the document identification information.
  • the identifying information of the issuing computer is, for example, a computer name, an IP address, a MAC address or a serial number.
  • identification information of the assigned EDRM server can be included in the creation of the document identification information.
  • the document identification information can be represented in the following format, for example:
  • Doc-ID :: <document identifier> '@' <host ID>.
  • EDRM-protected documents offline.
  • Offline means that there is no communication connection to an EDRM server.
  • an EDRM server is not available, for example, because it is located in a different network segment, such as an office network, or because the industrial system does not support online communication with a backend system, or because the communication takes place semi-online, i.e. there is only a limited online connection.
  • Client to display / evaluate the EDRM protected data to communicate online with the EDRM server.
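The FIG. 1 flow and the Doc-ID format above, worked through as an added example (not code from the patent or from Siemens): the machine derives DocEK offline as HMAC-SHA1(EDevK, Doc-ID), the server re-derives the same key from the host ID carried in the Doc-ID plus its stored copy of EDevK, and grants rights from a device-dependent policy. The device key, host ID, policy table and the HMAC-counter stand-in cipher are assumptions; the patent names no cipher, and the authentication of steps 107/108 is taken as already done.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not from the patent: the EDRM device key EDevK held by
# machine 101 and already known to EDRM server 103, and the machine's host ID.
EDEVK = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c")
HOST_ID = "xray-unit-17.plant.example"

# Assumed device-dependent policy: which requester may do what with documents
# issued by a given host. The server has no per-document entry until a request arrives.
DEVICE_KEYS = {HOST_ID: EDEVK}
DEVICE_POLICY = {HOST_ID: {"service-device-102": {"display"},
                           "service-manager-201": {"display", "print", "modify"}}}
SERVER_DB = {}  # per-document entries the server creates once it learns of a document


def make_doc_id(doc_identifier: str, host_id: str) -> str:
    """Doc-ID in the page's format: <document identifier> '@' <host ID>."""
    return f"{doc_identifier}@{host_id}"


def parse_doc_id(doc_id: str) -> tuple[str, str]:
    """Split a Doc-ID into (document identifier, host ID); the host ID keys the policy lookup."""
    ident, sep, host = doc_id.rpartition("@")
    if not sep or not ident or not host:
        raise ValueError("malformed Doc-ID")
    return ident, host


def derive_docek(edevk: bytes, doc_id: str) -> bytes:
    """DocEK = HMAC-SHA1(EDevK, Doc-ID), the key derivation function the page gives as its example."""
    return hmac.new(edevk, doc_id.encode("utf-8"), hashlib.sha1).digest()


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption: the patent names none): HMAC-SHA256 counter keystream XORed in."""
    out = bytearray()
    for n, pos in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, n.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[pos:pos + 32], block))
    return bytes(out)


def machine_protect(service_data: bytes, host_id: str, edevk: bytes, doc_identifier=None) -> dict:
    """Steps 105/106 on the machine, fully offline: pick a Doc-ID, derive DocEK, encrypt."""
    doc_id = make_doc_id(doc_identifier or secrets.token_hex(8), host_id)
    return {"doc_id": doc_id, "ciphertext": xor_keystream(derive_docek(edevk, doc_id), service_data)}


def edrm_server_license(requester: str, doc_id: str):
    """Steps 109-111: policy check and key re-derivation for an already-authenticated requester."""
    _, host = parse_doc_id(doc_id)
    edevk = DEVICE_KEYS.get(host)
    rights = DEVICE_POLICY.get(host, {}).get(requester, set())
    if edevk is None or not rights:
        return None  # unknown issuing device, or requester not authorised for its documents
    SERVER_DB.setdefault(doc_id, {"issuer": host, "requesters": set()})["requesters"].add(requester)
    return {"doc_id": doc_id, "docek": derive_docek(edevk, doc_id), "rights": sorted(rights)}


def client_open(protected: dict, lic: dict) -> bytes:
    """The service device applies the licensed DocEK to the document it received in step 106."""
    if lic["doc_id"] != protected["doc_id"]:
        raise ValueError("license does not match document")
    return xor_keystream(lic["docek"], protected["ciphertext"])
```

Note that the server trusts the host ID embedded in the Doc-ID only to select a policy and a stored EDevK; a Doc-ID naming a host the server has no key for yields no license, so the scheme's security rests on EDevK staying confined to the machine and the server.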

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

An EDRM-protected data object is generated offline by a first computer without a connection to the EDRM server existing. The EDRM-protected data object is then transmitted to a second computer. Since the data object is in encrypted form, it cannot be processed by the second computer. The second computer therefore authenticates itself to the EDRM server and transmits to it, in the body of its request, the data identification information and the device identification information of the first computer. The EDRM server checks the access right of the second computer to the data issued by the first computer. Since the EDRM-protected data object is not known to the EDRM server, the access rights are attested by a device-dependent system and the decryption key of the data object is determined.
PCT/EP2011/057762 2010-05-26 2011-05-13 Method for providing EDRM (Enterprise Digital Rights Management) protected data objects WO2011147693A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102010021655.0 2010-05-26
DE102010021655A DE102010021655A1 (de) 2010-05-26 2010-05-26 Method for providing EDRM (Enterprise Digital Rights Management) protected data objects

Publications (1)

Publication Number Publication Date
WO2011147693A1 true WO2011147693A1 (fr) 2011-12-01

Family

ID=44262972

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2011/057762 WO2011147693A1 (fr) 2010-05-26 2011-05-13 Method for providing EDRM (Enterprise Digital Rights Management) protected data objects

Country Status (2)

Country Link
DE (1) DE102010021655A1 (fr)
WO (1) WO2011147693A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111104690A (zh) * 2019-11-22 2020-05-05 北京三快在线科技有限公司 Document monitoring method, apparatus, server and storage medium
CN114531249A (zh) * 2020-10-30 2022-05-24 ***通信有限公司研究院 Request processing method and related device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5745879A (en) * 1991-05-08 1998-04-28 Digital Equipment Corporation Method and system for managing execution of licensed programs
US5917912A (en) * 1995-02-13 1999-06-29 Intertrust Technologies Corporation System and methods for secure transaction management and electronic rights protection
US20020013772A1 (en) * 1999-03-27 2002-01-31 Microsoft Corporation Binding a digital license to a portable device or the like in a digital rights management (DRM) system and checking out / checking in the digital license to / from the portable device or the like

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009154526A1 (fr) * 2008-06-19 2009-12-23 Telefonaktiebolaget Lm Ericsson (Publ) Method and device for protecting private content

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111104690A (zh) * 2019-11-22 2020-05-05 北京三快在线科技有限公司 Document monitoring method, apparatus, server and storage medium
CN111104690B (zh) * 2019-11-22 2022-03-18 北京三快在线科技有限公司 Document monitoring method, apparatus, server and storage medium
CN114531249A (zh) * 2020-10-30 2022-05-24 ***通信有限公司研究院 Request processing method and related device

Also Published As

Publication number Publication date
DE102010021655A1 (de) 2011-12-01

Similar Documents

Publication Publication Date Title
DE102018104679A1 (de) Tokenized hardware security modules
DE19827659B4 (de) System and method for storing data and protecting the data against unauthorised access
DE60316861T2 (de) Method and device for encrypting/decrypting data
DE60224219T2 (de) Secure printing of a document
EP3452941B1 (fr) Method for electronically documenting licence information
EP2454704A1 (fr) Method for reading attributes from an ID token
DE102009017221A1 (de) Information Rights Management
EP3649768A1 (fr) Method for securely replacing a first manufacturer certificate already introduced into a device
WO2010026152A1 (fr) Method for assigning an access authorization to a computerized object in an automation system, computer program and automation system
DE60112227T2 (de) Method and device for secure data distribution
EP4016338A1 (fr) Access control to data stored in a cloud
EP3876127A1 (fr) Remote device maintenance based on distributed data storage
DE102020205993B3 (de) Concept for exchanging cryptographic key information
AT519025B1 (de) Method for exchanging data fields of certified documents
WO2011147693A1 (fr) Method for providing EDRM (Enterprise Digital Rights Management) protected data objects
EP2491513B1 (fr) Method and system for providing erdm-protected data objects
EP3629516A1 (fr) Decentralized identity management solution
DE102018102608A1 (de) Method for user management of a field device
DE10251408A1 (de) Secure and brokered access for e-services
EP3288215A1 (fr) Method and device for issuing authentication certificates and security module
DE10134489B4 (de) Asymmetric cryptography method
DE112007000419B4 (de) Digital rights management system with diversified content protection process
EP4123960B1 (fr) Method and device for providing a digital user secret associated with a protected data object
WO2017190857A1 (fr) Method and device for securing access to devices
DE102017208899A1 (de) Class-based encryption method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11723349

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11723349

Country of ref document: EP

Kind code of ref document: A1