<html xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:w="urn:schemas-microsoft-com:office:word"
xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 9">
<meta name=Originator content="Microsoft Word 9">
<link rel=File-List href="./New_portable_files/filelist.xml">
<title>Meeting for analyzing security impact of changing usage model</title>
<!--[if gte mso 9]><xml>
 <o:DocumentProperties>
  <o:Author>pramila</o:Author>
  <o:Template>Normal</o:Template>
  <o:LastAuthor>pramila</o:LastAuthor>
  <o:Revision>2</o:Revision>
  <o:TotalTime>811</o:TotalTime>
  <o:LastPrinted>2002-05-21T03:01:00Z</o:LastPrinted>
  <o:Created>2002-05-30T23:00:00Z</o:Created>
  <o:LastSaved>2002-05-30T23:00:00Z</o:LastSaved>
  <o:Pages>4</o:Pages>
  <o:Words>1333</o:Words>
  <o:Characters>7600</o:Characters>
  <o:Company>RouteFree</o:Company>
  <o:Lines>63</o:Lines>
  <o:Paragraphs>15</o:Paragraphs>
  <o:CharactersWithSpaces>9333</o:CharactersWithSpaces>
  <o:Version>9.3821</o:Version>
 </o:DocumentProperties>
</xml><![endif]-->
<style>
<!--
 /* Font Definitions */
@font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;
	mso-font-charset:2;
	mso-generic-font-family:auto;
	mso-font-pitch:variable;
	mso-font-signature:0 268435456 0 0 -2147483648 0;}
 /* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{mso-style-parent:"";
	margin:0in;
	margin-bottom:.0001pt;
	mso-pagination:widow-orphan;
	font-size:12.0pt;
	font-family:"Times New Roman";
	mso-fareast-font-family:"Times New Roman";}
h1
	{mso-style-next:Normal;
	margin:0in;
	margin-bottom:.0001pt;
	mso-pagination:widow-orphan;
	page-break-after:avoid;
	mso-outline-level:1;
	font-size:12.0pt;
	font-family:"Times New Roman";
	mso-font-kerning:0pt;}
p.MsoBodyTextIndent, li.MsoBodyTextIndent, div.MsoBodyTextIndent
	{margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:.25in;
	margin-bottom:.0001pt;
	mso-pagination:widow-orphan;
	font-size:12.0pt;
	font-family:"Times New Roman";
	mso-fareast-font-family:"Times New Roman";
	font-weight:bold;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.25in 1.0in 1.25in;
	mso-header-margin:.5in;
	mso-footer-margin:.5in;
	mso-paper-source:0;}
div.Section1
	{page:Section1;}
 /* List Definitions */
@list l0
	{mso-list-id:31005300;
	mso-list-type:hybrid;
	mso-list-template-ids:828171864 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	font-family:Symbol;}
@list l1
	{mso-list-id:86538236;
	mso-list-type:hybrid;
	mso-list-template-ids:-1683428478 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	font-family:Symbol;}
@list l2
	{mso-list-id:403575719;
	mso-list-type:hybrid;
	mso-list-template-ids:658133446 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l2:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	font-family:Symbol;}
@list l3
	{mso-list-id:444469449;
	mso-list-type:hybrid;
	mso-list-template-ids:1654275524 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l3:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	font-family:Symbol;}
@list l4
	{mso-list-id:908198256;
	mso-list-type:hybrid;
	mso-list-template-ids:-1444274116 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l4:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	font-family:Symbol;}
@list l5
	{mso-list-id:1074739482;
	mso-list-type:hybrid;
	mso-list-template-ids:-673706772 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l5:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	font-family:Symbol;}
@list l6
	{mso-list-id:1127358479;
	mso-list-type:hybrid;
	mso-list-template-ids:902577200 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l6:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	font-family:Symbol;}
@list l7
	{mso-list-id:1151017732;
	mso-list-type:hybrid;
	mso-list-template-ids:820946706 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l7:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	font-family:Symbol;}
@list l8
	{mso-list-id:1195533505;
	mso-list-type:hybrid;
	mso-list-template-ids:141089468 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l8:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	font-family:Symbol;}
@list l9
	{mso-list-id:1629049004;
	mso-list-type:hybrid;
	mso-list-template-ids:697829360 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l9:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	font-family:Symbol;}
@list l10
	{mso-list-id:1880430999;
	mso-list-type:hybrid;
	mso-list-template-ids:-769519742 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l10:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	font-family:Symbol;}
@list l11
	{mso-list-id:1925065401;
	mso-list-type:hybrid;
	mso-list-template-ids:1871338490 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l11:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	font-family:Symbol;}
@list l12
	{mso-list-id:2029863714;
	mso-list-type:hybrid;
	mso-list-template-ids:1845134276 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l12:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	font-family:Symbol;}
ol
	{margin-bottom:0in;}
ul
	{margin-bottom:0in;}
-->
</style>
</head>

<body lang=EN-US style='tab-interval:.5in'>

<div class=Section1>

<h1>Analyzing Security Impact of New Usage Model</h1>

<p class=MsoNormal><b><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></b></p>

<p class=MsoNormal><b>Current model: <o:p></o:p></b></p>

<p class=MsoNormal>Take the BB player to the depot for the following
transactions:</p>

<ul style='margin-top:0in' type=disc>
 <li class=MsoNormal style='mso-list:l12 level1 lfo2;tab-stops:list .5in'>Purchase
     license for new content</li>
 <li class=MsoNormal style='mso-list:l12 level1 lfo2;tab-stops:list .5in'>Download
     content corresponding to license already purchased</li>
 <li class=MsoNormal style='mso-list:l12 level1 lfo2;tab-stops:list .5in'>Return
     license for content (revocation)</li>
 <li class=MsoNormal style='mso-list:l12 level1 lfo2;tab-stops:list .5in'>Activate
     or de-activate BB</li>
</ul>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>New model:<o:p></o:p></b></p>

<p class=MsoNormal>Take the BB player to the depot for only one operation:</p>

<ul style='margin-top:0in' type=disc>
 <li class=MsoNormal style='mso-list:l7 level1 lfo3;tab-stops:list .5in'>Activate
     or de-activate BB (perhaps)</li>
</ul>

<p class=MsoNormal>For all other transactions, take the smart media card (on a
removable slot on the BB) to the depot and use it to perform the transaction on
behalf of the BB. Bring it home and plug it into the slot to use as before.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>From a security point of view the one major difference is
that the component connected to the depot now does not have a
CPU/micro-controller and does not have the private key corresponding to the BB.
</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>Let us analyze the basic security operations and how they
would be performed in the two cases:</p>

<ul style='margin-top:0in' type=disc>
 <li class=MsoNormal style='mso-list:l7 level1 lfo3;tab-stops:list .5in'><b>Content
     authentication</b>:<span style="mso-spacerun: yes">  </span>proving (while
     downloading and playing) that the content came from our servers.</li>
 <li class=MsoNormal style='mso-list:l7 level1 lfo3;tab-stops:list .5in'><b>Server
     authentication</b>: proving (while acquiring licenses) that the
     license-server is authorized by us.</li>
 <li class=MsoNormal style='mso-list:l7 level1 lfo3;tab-stops:list .5in'><b>Client
     authentication</b>: proving to our server that the hardware it is talking
     to is an authorized BB. </li>
</ul>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>Let us assume we have the following resources to achieve the
above:</p>

<p class=MsoNormal><b>Current model: <o:p></o:p></b></p>

<p class=MsoNormal>The chip is capable of performing real time operations in
response to the server. It carries its private, public key pair internally and
is capable of signing and verifying a signature. It is capable of performing
decryption internally.</p>

<p class=MsoNormal><b>New model:<o:p></o:p></b></p>

<p class=MsoNormal>The memory card is capable of carrying information from a BB
player to a depot and vice versa, but it does not have a CPU, hence cannot
perform a real time computation when connected to the server or depot. It does
not contain any keys/identity of its own. </p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>Let us assume that we can replace the current model with the
following instead and analyze the equivalence.</p>

<ul style='margin-top:0in' type=disc>
 <li class=MsoNormal style='mso-list:l5 level1 lfo5;tab-stops:list .5in'>The
     server can send any signed message to the BB player by embedding it in the
     license. The license is encrypted with the BB public key, hence a copied
     license does not work on another player. The server could send, in
     addition,<span style="mso-spacerun: yes">  </span>a message number for the
     BB player to use in a subsequent response to prevent replay.</li>
 <li class=MsoNormal style='mso-list:l5 level1 lfo5;tab-stops:list .5in'>The BB
     player can send any signed message/response to the server by writing it to
     the memory card. It could include the signed message and BB certificate
     and the above message number.<span style="mso-spacerun: yes">  </span>The
     message could be copied, but it should be used in online transactions so
     that the server can detect a copy by observing the number. It could be
     encrypted with the server public key. If copies are made of the message,
     it could cause a denial of service problem, since the server has to
     decrypt each copy and check its message number before it can recognize
     the copy.</li>
</ul>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>Using the above two tools we can try to translate all the
solutions to the new model.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>Content authentication</b>: </p>

<p class=MsoNormal>Covers usage: <b>downloading content</b>.</p>

<p class=MsoNormal><b>Current model: </b>The authentication of content is done
as follows: (this is a summary, the details are in the respective document).</p>

<ul style='margin-top:0in' type=disc>
 <li class=MsoNormal style='mso-list:l0 level1 lfo4;tab-stops:list .5in'>The
     content license contains the content encryption key. The content is
     delivered to the BB from the depot encrypted by that key</li>
 <li class=MsoNormal style='mso-list:l0 level1 lfo4;tab-stops:list .5in'>The
     BB’s on-chip decryption engine decrypts and does signature verification
     simultaneously. It re-encrypts using a second key only known to the chip
     and writes out to the flash.</li>
 <li class=MsoNormal style='mso-list:l0 level1 lfo4;tab-stops:list .5in'>It
     verifies the signature and writes the (content id, re-encryption key) pair
     to flash.</li>
 <li class=MsoNormal style='mso-list:l0 level1 lfo4;tab-stops:list .5in'>The
     decryption engine uses the new key during playback.</li>
</ul>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>New model:<o:p></o:p></b></p>

<ul style='margin-top:0in' type=disc>
 <li class=MsoNormal style='mso-list:l1 level1 lfo6;tab-stops:list .5in'>The
     depot transfers content in its original encrypted form to the smart media
     card. <b><o:p></o:p></b></li>
 <li class=MsoNormal style='mso-list:l1 level1 lfo6;tab-stops:list .5in'>At
     home, when the card is plugged into the player, the above operations work
     without change, with the smart media card now taking the place of the
     depot. (As content is loaded from the memory card to the flash it is
     re-encrypted).<b><o:p></o:p></b></li>
</ul>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>Client authentication: (license purchase or return)<o:p></o:p></b></p>

<p class=MsoNormal><b>Current model:<o:p></o:p></b></p>

<ul style='margin-top:0in' type=disc>
 <li class=MsoNormal style='mso-list:l6 level1 lfo7;tab-stops:list .5in'>Client
     authentication was not required for purchasing licenses since the licenses
     would be useless to someone who did not own a BB player anyway. The
     licenses are encrypted with the player public key, so only the player
     holding the matching private key can use them; that implicitly
     authenticates the player who requested the license.<b><o:p></o:p></b></li>
 <li class=MsoNormal style='mso-list:l6 level1 lfo7;tab-stops:list .5in'>Client
     authentication would be required to return a license since the player
     owner is returned some money as a result. Also, he should not have access
     to the content after that. After purchase, the idea was that it would be
     returned without a chance to make a copy of the content to a smart media
     card. (Otherwise it could be reloaded to flash later thus re-creating an
     internal key, making it playable).<b><o:p></o:p></b></li>
</ul>

<p class=MsoNormal><b><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></b></p>

<p class=MsoNormal><b>New model:<o:p></o:p></b></p>

<p class=MsoNormal><b>(license return/refund)<o:p></o:p></b></p>

<p class=MsoNormal>If the license has not been copied to memory card, no
problem.</p>

<p class=MsoNormal>If it has been copied and the retailer wants to revoke it,
that is a problem; we may have to disallow it. (Basically the retailer has to
make sure he issues the license only after collecting the money.)</p>

<p class=MsoNormal>If we still want to revoke/return after the person has taken
it home, this may be one way:</p>

<ul style='margin-top:0in' type=disc>
 <li class=MsoNormal style='mso-list:l8 level1 lfo8;tab-stops:list .5in'>The
     license now contains a license id.<b><o:p></o:p></b></li>
 <li class=MsoNormal style='mso-list:l8 level1 lfo8;tab-stops:list .5in'>When
     the BB player user wants to return the license he has purchased, the BB
     should record the revoked license id in its internal state, against the
     corresponding content id, and write to the memory card a signed message
     to delete that content id.<b><o:p></o:p></b></li>
 <li class=MsoNormal style='mso-list:l8 level1 lfo8;tab-stops:list .5in'>When
     the user goes to get his money back, the message is read from the card and
     the server authorizes the refund.<b><o:p></o:p></b></li>
 <li class=MsoNormal style='mso-list:l8 level1 lfo8;tab-stops:list .5in'>The
     player will not play any content corresponding to a revoked license id.<b><o:p></o:p></b></li>
</ul>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>Problem: the player has to keep every revoked license id, so
this could eventually need unlimited storage in the internal flash.</p>

<p class=MsoNormal><b><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></b></p>

<p class=MsoNormal><b>License purchase:<o:p></o:p></b></p>

<p class=MsoNormal>If client authentication is required it can be done this
way: </p>

<ul style='margin-top:0in' type=disc>
 <li class=MsoNormal style='mso-list:l10 level1 lfo10;tab-stops:list .5in'>A
     prior embedded message in a license contains a random challenge from the
     server to be used for a future license purchase.<b><o:p></o:p></b></li>
 <li class=MsoNormal style='mso-list:l10 level1 lfo10;tab-stops:list .5in'>The
     BB player takes some user input (that he is going to take the card out to
     get content), generates a request-for-license message containing the
     signed random challenge, and writes it out to the memory card. The server
     requests this message and verifies it before issuing a license.<span
     style="mso-spacerun: yes">  </span>The license contains a random challenge
     for a future request session, and so on.<b><o:p></o:p></b></li>
</ul>

<p class=MsoNormal><b>Server (license server) authentication:<o:p></o:p></b></p>

<p class=MsoNormal><b>Current model:<o:p></o:p></b></p>

<ul style='margin-top:0in' type=disc>
 <li class=MsoNormal style='mso-list:l11 level1 lfo9;tab-stops:list .5in'>The
     license server certificate revocation list would be used to invalidate a
     compromised server issuing certificates. This list could be sent to the BB
     when it was connected to the depot. <b><o:p></o:p></b></li>
</ul>

<p class=MsoNormal><b>New model:<o:p></o:p></b></p>

<ul style='margin-top:0in' type=disc>
 <li class=MsoNormal style='mso-list:l11 level1 lfo9;tab-stops:list .5in'>The
     player now does not connect to the depot, so the server sends a CRL
     embedded in a license, signed and encrypted as usual. The BB player
     updates its revocation list from the license.<b><o:p></o:p></b></li>
</ul>

<p class=MsoNormal><b>(If a rogue server uses the same method to revoke the
current server and switch, could it become a race? I think we need an ultimate
protected root server whose certificate cannot be revoked by this scheme, and
use that to override…or something like that).<o:p></o:p></b></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>Other management operations:<o:p></o:p></b></p>

<p class=MsoNormal><b>Current model:<o:p></o:p></b></p>

<p class=MsoNormal style='margin-left:.25in'>While being connected to the
depot, the BB would be queried for </p>

<ul style='margin-top:0in' type=disc>
 <li class=MsoNormal style='mso-list:l11 level1 lfo9;tab-stops:list .5in'>Space
     available on flash</li>
 <li class=MsoNormal style='mso-list:l11 level1 lfo9;tab-stops:list .5in'>Content
     on flash etc.</li>
</ul>

<p class=MsoNormal><b>New model:<o:p></o:p></b></p>

<p class=MsoNormal>The BB has to write this in a signed message to memory card
before the card is taken to the depot.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>New possibilities:<o:p></o:p></b></p>

<p class=MsoNormal><b>Home content repository: </b>The smart media cards could
be used as content storage for multiple BBs in the home. For example</p>

<ul style='margin-top:0in' type=disc>
 <li class=MsoNormal style='mso-list:l2 level1 lfo11;tab-stops:list .5in'>Insert
     card in first BB, it writes license purchase request message signed by that
     BB.</li>
 <li class=MsoNormal style='mso-list:l2 level1 lfo11;tab-stops:list .5in'>Insert
     card in second BB, it writes similar message signed by second BB.</li>
 <li class=MsoNormal style='mso-list:l2 level1 lfo11;tab-stops:list .5in'>Take
     card to depot and pay for two licenses</li>
 <li class=MsoNormal style='mso-list:l2 level1 lfo11;tab-stops:list .5in'>Acquire
     one copy of content and two licenses on same card</li>
 <li class=MsoNormal style='mso-list:l2 level1 lfo11;tab-stops:list .5in'>Use
     card to transfer content into flash in both BBs.</li>
</ul>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>User friendly BB name</b>: During activation, if the user
picks a user-friendly name for the BB (could be a phone number etc.) we could
register the name in the server and make sure it is unique. After that the user
could refer to the name to request a license purchase (if we did not require
hardware authentication). This would then work instead of the method above.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>Buying gifts or purchasing for others: <o:p></o:p></b></p>

<ul style='margin-top:0in' type=disc>
 <li class=MsoNormal style='mso-list:l4 level1 lfo12;tab-stops:list .5in'>The
     user requests a license for a named content and named BB and pays for it.<b><o:p></o:p></b></li>
 <li class=MsoNormal style='mso-list:l4 level1 lfo12;tab-stops:list .5in'>The
     server looks up the BBID and issues a license for that BBID<b>.<o:p></o:p></b></li>
 <li class=MsoNormal style='mso-list:l4 level1 lfo12;tab-stops:list .5in'>The
     license (encrypted by the named BB public key) is stored with content in
     memory card<b><o:p></o:p></b></li>
 <li class=MsoNormal style='mso-list:l4 level1 lfo12;tab-stops:list .5in'>The
     user hands over/mails the card to the intended gift recipient.<b><o:p></o:p></b></li>
 <li class=MsoNormal style='mso-list:l4 level1 lfo12;tab-stops:list .5in'>The
     user could take the memory card back.<b><o:p></o:p></b></li>
</ul>

<p class=MsoNormal>In this case, if hardware authentication is required, the
recipient name has to be input to the BB (by keyboard UI on screen or numeric
UI on screen) and the BB writes the request-for-license message for the named
BB onto the memory card. The rest is as before.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>Summary:<o:p></o:p></b></p>

<p class=MsoNormal><b>There is no significant impact from using the memory card
as a means of downloading content to the BB, apart from the following minor
issues:<o:p></o:p></b></p>

<ul style='margin-top:0in' type=disc>
 <li class=MsoNormal style='mso-list:l9 level1 lfo13;tab-stops:list .5in'><b>There
     is no easy way to revoke a wrong license purchase initiated by a
     retailer.<span style="mso-spacerun: yes">  </span>(That can be fixed with
     the exception that the user now has to go to the same retailer to get
     content or establish a server connection to get content from another
     retailer).<o:p></o:p></b></li>
 <li class=MsoNormal style='mso-list:l9 level1 lfo13;tab-stops:list .5in'><b>If
     you want to return a license after it is written to the memory card, the
     user has to take it home and make the player authorize the return.<o:p></o:p></b></li>
 <li class=MsoNormal style='mso-list:l9 level1 lfo13;tab-stops:list .5in'><b>There
     is no way for the user to confirm that the license is good before he
     walks out of the store.<o:p></o:p></b></li>
 <li class=MsoNormal style='mso-list:l9 level1 lfo13;tab-stops:list .5in'><b>We
     cannot trivially authenticate the player at the time of license download.
     We could do some “round trip” challenge-response scheme spanning two trips
     to the depot.<o:p></o:p></b></li>
</ul>

<p class=MsoNormal><b><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></b></p>

<p class=MsoNormal><b><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></b></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><span style="mso-spacerun: yes"> </span></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

</div>

</body>

</html>