Patrik Schnell

Techniques enable creation of a preview license for digital content. In some instances, the preview license indicates that it allows a content-consuming device to consume less than all of the content. This preview license may create a list specifying multiple portions of the digital content that the content-consuming device may consume. These techniques may also present to a device user an offer to purchase rights to consume all of the digital content after consumption of the preview-licensed… Show more

Techniques enable creation of a preview license for digital content. In some instances, the preview license indicates that it allows a content-consuming device to consume less than all of the content. This preview license may create a list specifying multiple portions of the digital content that the content-consuming device may consume. These techniques may also present to a device user an offer to purchase rights to consume all of the digital content after consumption of the preview-licensed portion(s). In other instances, a content server may embed the preview license into a content package that contains the digital content, allowing the server to distribute the package to multiple devices. In still other instances, the preview license may be bound to a domain rather than to individual devices. This allows member devices to share the digital content and the preview license, such that each member device may enjoy the preview experience. Show less

Disclosed are various embodiments for a client application for streaming media. The client application estimates the bandwidth of the client and the latency between the client and a media distribution service. A bit rate for a media stream is determined using the latency, a buffer state, and the estimated bandwidth. A time to send the request is determined using the estimated bandwidth and latency.

Disclosed are various embodiments for a client application for streaming media. The client application estimates the bandwidth of the client and the latency between the client and a media distribution service. A bit rate for a media stream is determined using the latency, a buffer state, and the estimated bandwidth. A time to send the request is determined using the estimated bandwidth and latency.

Disclosed are various embodiments for a service for selecting the bandwidth of a media stream. The service correlates the buffer state of a client with previously communicated portions of the stream. The service then determines a bit rate for subsequent portions of the stream. A manifest may be generated indicating a source for content at the determined bit rate.

Techniques are described by which multiple, independently encoded video streams may be combined into a single decodable video stream. These techniques take advantage of existing features of commonly used video codecs that support the independent encoding of different regions of an image frame (e.g., H.264 slices or HEVC tiles). Instead of including different parts of the same image, each region corresponds to the encoded image data of the frames of one of the independent video streams.

Disclosed are various embodiments for selecting fragments of a media item. An estimated bandwidth for a client is calculated. A confidence score for the estimated bandwidth is determined. When the confidence score falls below a threshold, the estimated bandwidth is modified. A fragment for the media item is selected using the modified estimated bandwidth.

Techniques are described by which multiple, independently encoded video streams may be combined into a single decodable video stream. These techniques take advantage of existing features of commonly used video codecs that support the independent encoding of different regions of an image frame (e.g., H.264 slices or HEVC tiles). Instead of including different parts of the same image, each region corresponds to the encoded image data of the frames of one of the independent video streams.

Disclosed are various embodiments for generating encrypted media content items as well as decrypting encrypted media content items. A content type is embedded in an initialization vector corresponding to an encrypted sample. Upon decryption of encrypted content, the content type is identified and an action taken based upon the detected content type.

Disclosed are various embodiments for requesting fragments of a media item. A latency to a media distribution service and bandwidth for a client are estimated. A time to request a subsequent fragment from the media item is determined. Sources for the fragment are scored and one of the sources is selected. The fragment is requested from the selected source.

A DRM technique involves packaging an advertisement using a data structure that encapsulates a number of advertising segments along with signed information, such as a table of hashes, associated with some of the advertising segments. In one scenario, the data structure and the signed information are separately protected using public key and/or digital signature cryptographic schemes. The advertisement is delivered to a user of a consumer electronic device (CED) separately from delivery of a… Show more

A DRM technique involves packaging an advertisement using a data structure that encapsulates a number of advertising segments along with signed information, such as a table of hashes, associated with some of the advertising segments. In one scenario, the data structure and the signed information are separately protected using public key and/or digital signature cryptographic schemes. The advertisement is delivered to a user of a consumer electronic device (CED) separately from delivery of a digital license, which governs user consumption of the advertisement. The digital license includes keys used in connection with the cryptographic scheme, and references a condition to be satisfied with respect to consumption of the advertisement. As advertising segments are verified and consumed by the user/CED, information is recorded and used to determine whether the license condition was satisfied. Satisfaction of the license condition may result in access to program content or additional licenses. Show less

An anti-cheating system may comprise a combination of a modified environment, such as a modified operating system, in conjunction with a trusted external entity to verify that the modified environment is running on a particular device. The modified environment may be may be modified in a particular manner to create a restricted environment as compared with an original environment which is replaced by the modified environment. The modifications to the modified environment may comprise… Show more

An anti-cheating system may comprise a combination of a modified environment, such as a modified operating system, in conjunction with a trusted external entity to verify that the modified environment is running on a particular device. The modified environment may be may be modified in a particular manner to create a restricted environment as compared with an original environment which is replaced by the modified environment. The modifications to the modified environment may comprise alternations to the original environment to, for example, detect and/or prevent changes to the hardware and/or software intended to allow cheating or undesirable user behavior. Show less

Techniques enable creation of a preview license for digital content. In some instances, the preview license indicates that it allows a content-consuming device to consume less than all of the content. This preview license may create a list specifying multiple portions of the digital content that the content-consuming device may consume. These techniques may also present to a device user an offer to purchase rights to consume all of the digital content after consumption of the preview-licensed… Show more

Techniques enable creation of a preview license for digital content. In some instances, the preview license indicates that it allows a content-consuming device to consume less than all of the content. This preview license may create a list specifying multiple portions of the digital content that the content-consuming device may consume. These techniques may also present to a device user an offer to purchase rights to consume all of the digital content after consumption of the preview-licensed portion(s). In other instances, a content server may embed the preview license into a content package that contains the digital content, allowing the server to distribute the package to multiple devices. In still other instances, the preview license may be bound to a domain rather than to individual devices. This allows member devices to share the digital content and the preview license, such that each member device may enjoy the preview experience. Show less

Techniques for delivering content are described that vary the bit rate with which the content is delivered to achieve a consistent level of quality from the user's perspective. This is achieved through the use of quality metrics associated with content fragments that guide decision making in selecting from among the different size fragments that are available for a given segment of the content. Fragment selection attempts to optimize quality within one or more constraints.

This patent relates to selecting the highest quality fragment corresponding to a segment of a video that will successfully download in time for viewing. A media distribution service receives a state of a client’s video buffer and calculates an estimation of the bandwidth and latency of a communications channel to the client. The media distribution service determines how likely each fragment is to arrive on time for viewing, and selects a fragment based on those likelihoods. A manifest of… Show more

This patent relates to selecting the highest quality fragment corresponding to a segment of a video that will successfully download in time for viewing. A media distribution service receives a state of a client’s video buffer and calculates an estimation of the bandwidth and latency of a communications channel to the client. The media distribution service determines how likely each fragment is to arrive on time for viewing, and selects a fragment based on those likelihoods. A manifest of selected fragments are sent to the client. Show less

Disclosed are various embodiments for generating encrypted media content items as well as decrypting encrypted media content items. A content type is embedded in an initialization vector corresponding to an encrypted sample. Upon decryption of encrypted content, the content type is identified and an action taken based upon the detected content type.

Some examples include provisioning secret material onto an electronic device. For instance, an electronic device may be provided with a provisioning key that can be used for provisioning other secret material on the electronic device. The provisioning key may be encrypted at a secure location using an on-chip key that is also sent to a processor manufacturer. The encrypted provisioning key may subsequently be decrypted by an electronic device having a processor installed that includes the… Show more

Some examples include provisioning secret material onto an electronic device. For instance, an electronic device may be provided with a provisioning key that can be used for provisioning other secret material on the electronic device. The provisioning key may be encrypted at a secure location using an on-chip key that is also sent to a processor manufacturer. The encrypted provisioning key may subsequently be decrypted by an electronic device having a processor installed that includes the on-chip key. The provisioning key is saved to the device and may then be used for securely provisioning other secret material onto the electronic device, such as one or more keys, one or more digital certificates, or other digital rights management information. Accordingly, the provisioning key provides the device manufacture with the ability to securely install secret material to the electronic device using a key that is never shared outside of a secure environment. Show less

Embodiments of the invention provide techniques for basing access control decisions at the network layer at least in part on information provided in claims, which may describe attributes of a computer requesting access, one or more resources to which access is requested, the user, the circumstances surrounding the requested access, and/or other information. The information may be evaluated based on one or more access control policies, which may be pre-set or dynamically generated, and used in… Show more

Embodiments of the invention provide techniques for basing access control decisions at the network layer at least in part on information provided in claims, which may describe attributes of a computer requesting access, one or more resources to which access is requested, the user, the circumstances surrounding the requested access, and/or other information. The information may be evaluated based on one or more access control policies, which may be pre-set or dynamically generated, and used in making a decision whether to grant or deny the computer access to the specified resource(s). Show less

Segmented media content rights management is described. A media device can receive segments of protected media content from media content streams that each include a different version of the protected media content. A media content file can be generated to include the segments of the protected media content that are sequenced to render the protected media content for viewing. A file header object can be instantiated in a file header of the media content file, where the file header object… Show more

Segmented media content rights management is described. A media device can receive segments of protected media content from media content streams that each include a different version of the protected media content. A media content file can be generated to include the segments of the protected media content that are sequenced to render the protected media content for viewing. A file header object can be instantiated in a file header of the media content file, where the file header object includes DRM-associated features, such as one or more DRM licenses, properties, and/or attributes that correspond to the media content file to provision all of the segments of the protected media content together. Show less

Various embodiments utilize hardware-enforced boundaries to provide various aspects of digital rights management or DRM in an open computing environment. Against the backdrop of these hardware-enforced boundaries, DRM provisioning techniques are employed to provision such things as keys and DRM software code in a secure and robust way. Further, at least some embodiments utilize secure time provisioning techniques to provision time to the computing environment, as well as techniques that provide… Show more

Various embodiments utilize hardware-enforced boundaries to provide various aspects of digital rights management or DRM in an open computing environment. Against the backdrop of these hardware-enforced boundaries, DRM provisioning techniques are employed to provision such things as keys and DRM software code in a secure and robust way. Further, at least some embodiments utilize secure time provisioning techniques to provision time to the computing environment, as well as techniques that provide for tamper-resistant storage. Show less

Embodiments of the invention provide a trusted intermediary for use in a system in which access control decisions may be based at least in part on information provided in claims. The intermediary may request claims on behalf of a network resource to which access is requested, and submit the claims for a decision whether to grant or deny access. The decision may be based at least in part on one or more access control policies, which may be pre-set or dynamically generated. Because the… Show more

Embodiments of the invention provide a trusted intermediary for use in a system in which access control decisions may be based at least in part on information provided in claims. The intermediary may request claims on behalf of a network resource to which access is requested, and submit the claims for a decision whether to grant or deny access. The decision may be based at least in part on one or more access control policies, which may be pre-set or dynamically generated. Because the intermediary requests the claims and submits the claims for an access control decision, the network resource (e.g., a server application) need not be configured to process claims information. Show less

This document describes tools capable of enabling cloud-based movable-component binding. The tools, in some embodiments, bind protected media content to a movable component in a mobile computing device in a cryptographically secure manner without requiring the movable component to perform a complex cryptographic function. By so doing the mobile computing device may request access to content and receive permission to use the content quickly and in a cryptographically robust way.

This document describes tools capable of securely distributing entertainment content among and using distributed hardware. These tools may do so robustly by rebinding entertainment content between distributed hardware units. The tools, for example, may distribute content protection in hardware between a policy unit, a transcryption unit, a graphics processing unit, and a playback unit. By so doing the tools enable, among other things, users to select from many graphics cards rather than rely on… Show more

This document describes tools capable of securely distributing entertainment content among and using distributed hardware. These tools may do so robustly by rebinding entertainment content between distributed hardware units. The tools, for example, may distribute content protection in hardware between a policy unit, a transcryption unit, a graphics processing unit, and a playback unit. By so doing the tools enable, among other things, users to select from many graphics cards rather than rely on the graphics capabilities of an integrated (e.g., SOC) hardware solution. Show less

A file format supports distribution, presentation, and storage of media presentations ("MPs"). A sequence of a MP is composed of segments of media data referred to by segmentIDs. Segments are defined as movie fragments, pursuant to the "ISO base media file format". Multiple instances of a segment, each having a unique instanceID, are created by encoding the media data based on different encoding characteristics, referred to as encodingIDs. A sequence map box ("SMB") stores the arrangement of a… Show more

A file format supports distribution, presentation, and storage of media presentations ("MPs"). A sequence of a MP is composed of segments of media data referred to by segmentIDs. Segments are defined as movie fragments, pursuant to the "ISO base media file format". Multiple instances of a segment, each having a unique instanceID, are created by encoding the media data based on different encoding characteristics, referred to as encodingIDs. A sequence map box ("SMB") stores the arrangement of a sequence's segmentIDs-to-instanceIDs, including encodingIDs. The SMB is distributed to a client-side media processing unit ("MPU"). Information regarding an instance selected for distribution to the MPU is encapsulated in an instance identifier box ("IIB"), along with the arrangement of instanceIDs for the segment, and distributed to the MPU. At the time of distribution and/or playback of the MP, the MPU interchange instances based on the contents of the SMB and/or the IIB. Show less

Disclosed are various embodiments for generating encrypted media content items as well as decrypting encrypted media content items. A content type is embedded in an initialization vector corresponding to an encrypted sample. Upon decryption of encrypted content, the content type is identified and an action taken based upon the detected content type.

Various embodiments utilize hardware-enforced boundaries to provide various aspects of digital rights management or DRM in an open computing environment. Against the backdrop of these hardware-enforced boundaries, DRM provisioning techniques are employed to provision such things as keys and DRM software code in a secure and robust way. Further, at least some embodiments utilize secure time provisioning techniques to provision time to the computing environment, as well as techniques that provide… Show more

Various embodiments utilize hardware-enforced boundaries to provide various aspects of digital rights management or DRM in an open computing environment. Against the backdrop of these hardware-enforced boundaries, DRM provisioning techniques are employed to provision such things as keys and DRM software code in a secure and robust way. Further, at least some embodiments utilize secure time provisioning techniques to provision time to the computing environment, as well as techniques that provide for tamper-resistant storage. Show less

Various embodiments utilize hardware-enforced boundaries to provide various aspects of digital rights management or DRM in an open computing environment. Against the backdrop of these hardware-enforced boundaries, DRM provisioning techniques are employed to provision such things as keys and DRM software code in a secure and robust way. Further, at least some embodiments utilize secure time provisioning techniques to provision time to the computing environment, as well as techniques that provide… Show more

Various embodiments utilize hardware-enforced boundaries to provide various aspects of digital rights management or DRM in an open computing environment. Against the backdrop of these hardware-enforced boundaries, DRM provisioning techniques are employed to provision such things as keys and DRM software code in a secure and robust way. Further, at least some embodiments utilize secure time provisioning techniques to provision time to the computing environment, as well as techniques that provide for robustly secure storage. Show less

Various embodiments utilize hardware-enforced boundaries to provide various aspects of digital rights management or DRM in an open computing environment. Against the backdrop of these hardware-enforced boundaries, DRM provisioning techniques are employed to provision such things as keys and DRM software code in a secure and robust way. Further, at least some embodiments utilize secure time provisioning techniques to provision time to the computing environment, as well as techniques that provide… Show more

Various embodiments utilize hardware-enforced boundaries to provide various aspects of digital rights management or DRM in an open computing environment. Against the backdrop of these hardware-enforced boundaries, DRM provisioning techniques are employed to provision such things as keys and DRM software code in a secure and robust way. Further, at least some embodiments utilize secure time provisioning techniques to provision time to the computing environment, as well as techniques that provide for robustly secure storage. Show less

Portable digital rights for multiple devices is described. In an embodiment, a digital rights management (DRM) system includes a first device with a removable component configured as a token that is associated with a DRM license. The first device also includes a removable memory card that stores protected media content on which the first device can perform actions as permitted by the DRM license. The DRM system also includes a second device that can have the removable component and the… Show more

Portable digital rights for multiple devices is described. In an embodiment, a digital rights management (DRM) system includes a first device with a removable component configured as a token that is associated with a DRM license. The first device also includes a removable memory card that stores protected media content on which the first device can perform actions as permitted by the DRM license. The DRM system also includes a second device that can have the removable component and the removable memory card when removed from the first device and installed in the second device such that the second device can perform the actions on the protected media content as permitted by the DRM license. Show less

Systems, methods, and/or techniques ("tools") for binding content licenses to portable storage devices are described. In connection with binding the content licenses to the portable storage devices ("stores"), a host may perform authentication protocols that include generating a nonce, sending the nonce to a store, and receiving a session key from the store, with the session key being generated using the nonce. The store may perform authentication protocols that include receiving the nonce from… Show more

Systems, methods, and/or techniques ("tools") for binding content licenses to portable storage devices are described. In connection with binding the content licenses to the portable storage devices ("stores"), a host may perform authentication protocols that include generating a nonce, sending the nonce to a store, and receiving a session key from the store, with the session key being generated using the nonce. The store may perform authentication protocols that include receiving the nonce from the host, generating a random session key based on the nonce, and sending the session key to the host. Show less

Techniques enable building a collection of data that defines an asset, with the data possibly having differing data types. These techniques are then capable of assigning arbitrary policy to that asset, regardless of which data types are present within the asset. In addition, these techniques enable packaging of this first asset with one or more additional assets in a self-contained envelope. Each asset within the envelope may similarly include data of differing data types. Furthermore, each of… Show more

Techniques enable building a collection of data that defines an asset, with the data possibly having differing data types. These techniques are then capable of assigning arbitrary policy to that asset, regardless of which data types are present within the asset. In addition, these techniques enable packaging of this first asset with one or more additional assets in a self-contained envelope. Each asset within the envelope may similarly include data of differing data types. Furthermore, each of these assets may be assigned a policy that may be different than the policy assigned to the first asset. This envelope, or a collection of envelopes, may then be provided to a content-consuming device to consume the assets in accordance with each asset's specified policy. Show less

Computer-readable media, computerized methods, and computer systems for managing dynamic allocation of one or more protected memory segments for storing content of secure data are provided. Initially, the secure data is recognized as being carried by a media stream being communicated from a media-reading device. One or more protected target segments and protected target segments are instantiated, where these protected memory segments are protected from illicit access by hardware-based rules… Show more

Computer-readable media, computerized methods, and computer systems for managing dynamic allocation of one or more protected memory segments for storing content of secure data are provided. Initially, the secure data is recognized as being carried by a media stream being communicated from a media-reading device. One or more protected target segments and protected target segments are instantiated, where these protected memory segments are protected from illicit access by hardware-based rules. Regions of hardware memory are dynamically allocated to hold these protected memory segments and the secure data is iteratively written thereto. The protected source segments are associating with the media stream based on a license attached thereto, while the protected target segments are associating with presentation devices based on a standard of output protection supported thereby. Accordingly, the protected source segments are mapped to the protected target segments according to whether the license encompasses the standard of the output protection. Show less

Segmented media content rights management is described. In embodiment(s), a media device can receive segments of protected media content from media content streams that each include a different version of the protected media content. A media content file can be generated to include the segments of the protected media content that are sequenced to render the protected media content for viewing. A file header object can be instantiated in a file header of the media content file, where the file… Show more

Segmented media content rights management is described. In embodiment(s), a media device can receive segments of protected media content from media content streams that each include a different version of the protected media content. A media content file can be generated to include the segments of the protected media content that are sequenced to render the protected media content for viewing. A file header object can be instantiated in a file header of the media content file, where the file header object includes DRM-associated features, such as one or more DRM licenses, properties, and/or attributes that correspond to the media content file to provision all of the segments of the protected media content together. Show less

A mixed-media service collection for multimedia platforms allows simultaneous access to various mixed-media services for rendering multimedia content, depending on current client conditions. In one implementation, in response to the client accessing a service collection, for example, by changing channels, only some of the mixed-media services in the service collection are simultaneously actuated based on client conditions. The client conditions may include the availability of subsystems to… Show more

A mixed-media service collection for multimedia platforms allows simultaneous access to various mixed-media services for rendering multimedia content, depending on current client conditions. In one implementation, in response to the client accessing a service collection, for example, by changing channels, only some of the mixed-media services in the service collection are simultaneously actuated based on client conditions. The client conditions may include the availability of subsystems to implement services and the client's authorization to receive services. If client conditions do not allow some services in the service collection to be actuated, then other services in the service collection are available to be actuated instead. Show less

In order to achieve a more robust level of piracy protection, a gap protection scheme is utilized. This protection scheme may utilize the notion of a gap, which may comprise any entity or component that is withheld from a distribution that is required in order to run or execute a software title or is required in order to play and enjoy any other type of protected asset.

A key escrow service is described. In embodiment(s), the key escrow service maintains an escrow license that includes an escrow content key that is associated with protected media content which is distributed from a content distributor to a media device. A content key that is associated with the protected media content can be received from the content distributor, and the content key can then be encrypted with a public escrow key to generate the escrow content key. The escrow license can be… Show more

A key escrow service is described. In embodiment(s), the key escrow service maintains an escrow license that includes an escrow content key that is associated with protected media content which is distributed from a content distributor to a media device. A content key that is associated with the protected media content can be received from the content distributor, and the content key can then be encrypted with a public escrow key to generate the escrow content key. The escrow license can be generated to include the escrow content key, and the escrow content key can then be communicated back to the content distributor that provides a digital rights management (DRM) license to the media device. The DRM license can include both the escrow content key and the content key encrypted with a public key that corresponds to the media device. Show less

In accordance with one or more aspects, a first device receives a digital certificate of a second device. The first device generates a digitally signed temporary domain join request and sends the request to a domain controller. The domain controller generates, for the first device, a temporary domain certificate allowing the first device to temporarily consume content bound to the domain. The temporary domain certificate is sent to the first device, allowing the first device to temporarily… Show more

In accordance with one or more aspects, a first device receives a digital certificate of a second device. The first device generates a digitally signed temporary domain join request and sends the request to a domain controller. The domain controller generates, for the first device, a temporary domain certificate allowing the first device to temporarily consume content bound to the domain. The temporary domain certificate is sent to the first device, allowing the first device to temporarily consume content bound to the domain. Show less

To enforce content access restrictions, a license associated with protected content is generated. This license may have at least one evolving parameter. That is, the parameter value may change; e.g., depending upon content access, copying, etc. For example, each successive generation of a license may have an incremented value in an evolving "generation" parameter. The license may also have evolving rules that describe different content access rules for different values in the evolving parameter.

Techniques enable seamless movement and consumption of licensed digital content amongst multiple devices. In some embodiments, these techniques allow establishment of a domain capable of having multiple member devices. Each member device of the domain typically comprises a content-consuming device such as a personal computer, a portable media player, or the like. These techniques enable a license associated with digital content to bind to a domain rather than an individual device. As such, each… Show more

Techniques enable seamless movement and consumption of licensed digital content amongst multiple devices. In some embodiments, these techniques allow establishment of a domain capable of having multiple member devices. Each member device of the domain typically comprises a content-consuming device such as a personal computer, a portable media player, or the like. These techniques enable a license associated with digital content to bind to a domain rather than an individual device. As such, each member device of the domain may contain a domain identity and, with the identity, may consume the content with use of the license and in accordance with policy described in the license. These tools may also enable a member device to join multiple domains and to contain an identification of each of these multiple domains. Show less