CA2498684A1 - Apparatus for encryption key management - Google Patents
Apparatus for encryption key management Download PDFInfo
- Publication number
- CA2498684A1 CA2498684A1 CA002498684A CA2498684A CA2498684A1 CA 2498684 A1 CA2498684 A1 CA 2498684A1 CA 002498684 A CA002498684 A CA 002498684A CA 2498684 A CA2498684 A CA 2498684A CA 2498684 A1 CA2498684 A1 CA 2498684A1
- Authority
- CA
- Canada
- Prior art keywords
- key
- encrypted
- receiver
- validator
- processor
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/40—Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
- H04N21/41—Structure of client; Structure of client peripherals
- H04N21/418—External card to be used in combination with the client device, e.g. for conditional access
- H04N21/4181—External card to be used in combination with the client device, e.g. for conditional access for conditional access
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/20—Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
- H04N21/23—Processing of content or additional data; Elementary server operations; Server middleware
- H04N21/234—Processing of video elementary streams, e.g. splicing of video streams, manipulating MPEG-4 scene graphs
- H04N21/2347—Processing of video elementary streams, e.g. splicing of video streams, manipulating MPEG-4 scene graphs involving video stream encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/20—Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
- H04N21/25—Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
- H04N21/254—Management at additional data server, e.g. shopping server, rights management server
- H04N21/2541—Rights Management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/20—Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
- H04N21/25—Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
- H04N21/266—Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
- H04N21/26606—Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel for generating or managing entitlement messages, e.g. Entitlement Control Message [ECM] or Entitlement Management Message [EMM]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/20—Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
- H04N21/25—Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
- H04N21/266—Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
- H04N21/26613—Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel for generating or managing keys in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/40—Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
- H04N21/43—Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
- H04N21/44—Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream, rendering scenes according to MPEG-4 scene graphs
- H04N21/4405—Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream, rendering scenes according to MPEG-4 scene graphs involving video stream decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/40—Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
- H04N21/45—Management operations performed by the client for facilitating the reception of or the interaction with the content or administrating data related to the end-user or to the client device itself, e.g. learning user preferences for recommending movies, resolving scheduling conflicts
- H04N21/462—Content or additional data management, e.g. creating a master electronic program guide from data received from the Internet and a Head-end, controlling the complexity of a video stream by scaling the resolution or bit-rate based on the client capabilities
- H04N21/4623—Processing of entitlement messages, e.g. ECM [Entitlement Control Message] or EMM [Entitlement Management Message]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/60—Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client
- H04N21/63—Control signaling related to video distribution between client, server and network components; Network processes for video distribution between server and clients or between remote clients, e.g. transmitting basic layer and enhancement layers over different transmission paths, setting up a peer-to-peer communication via Internet between remote STB's; Communication protocols; Addressing
- H04N21/633—Control signals issued by server directed to the network components or client
- H04N21/6332—Control signals issued by server directed to the network components or client directed to client
- H04N21/6334—Control signals issued by server directed to the network components or client directed to client for authorisation, e.g. by transmitting a key
- H04N21/63345—Control signals issued by server directed to the network components or client directed to client for authorisation, e.g. by transmitting a key by transmitting keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N7/00—Television systems
- H04N7/16—Analogue secrecy systems; Analogue subscription systems
- H04N7/162—Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing
- H04N7/163—Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing by receiver means only
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N7/00—Television systems
- H04N7/16—Analogue secrecy systems; Analogue subscription systems
- H04N7/167—Systems rendering the television signal unintelligible and subsequently intelligible
- H04N7/1675—Providing digital key or authorisation information for generation or regeneration of the scrambling sequence
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/60—Digital content management, e.g. content distribution
Abstract
An apparatus (102) and a receiver (110), which are in a broadband communication system (100), includes the logic (232) necessary for encrypting content (254) through the use of encryption keys. This content is received by the receivers (110). The receiver (110) validates the keys and denies the use of the content (254) if the keys become invalid.
Claims (71)
1. A method of controlling access to an encrypted instance of service, which was encrypted by a first key, the method implemented in a receiver in a subscriber television system, the method comprising the steps of:
(a) encrypting the first key using a public key of a private key-public key pair belonging to the receiver, thereby converting the first key into an encrypted first key;
(b) associating a key validator with the encrypted first key, wherein the key validator includes a time indicator that indicates whether the encrypted first key is valid;
(c) determining whether the encrypted first key is valid;
(d) responsive to the encrypted first key being valid, decrypting the encrypted first key thereby recovering the first key; and (e) responsive to the encrypted first key being valid, decrypting the encrypted service instance using the recovered first key.
(a) encrypting the first key using a public key of a private key-public key pair belonging to the receiver, thereby converting the first key into an encrypted first key;
(b) associating a key validator with the encrypted first key, wherein the key validator includes a time indicator that indicates whether the encrypted first key is valid;
(c) determining whether the encrypted first key is valid;
(d) responsive to the encrypted first key being valid, decrypting the encrypted first key thereby recovering the first key; and (e) responsive to the encrypted first key being valid, decrypting the encrypted service instance using the recovered first key.
2. The method of claim 1, prior to step (a), further including the steps of:
(f) receiving the instance of service at the receiver;
(g) encrypting the instance of service using the first key; and (h) storing the encrypted instance of service; and after step (a), further including the step of, (i) storing the encrypted first key.
(f) receiving the instance of service at the receiver;
(g) encrypting the instance of service using the first key; and (h) storing the encrypted instance of service; and after step (a), further including the step of, (i) storing the encrypted first key.
3. The method of claim 2, wherein the instance of service received at the receiver includes ciphertext, and prior to the step (g), further including the step of:
(j) decrypting the ciphertext of the instance of service using a third key.
(j) decrypting the ciphertext of the instance of service using a third key.
4. The method of claim 3, prior to step (j), further including the steps of:
(k) receiving a message and the service instance concurrently, wherein the message includes a third key token; and (l) generating the third key using the third key token.
(k) receiving a message and the service instance concurrently, wherein the message includes a third key token; and (l) generating the third key using the third key token.
5. The method of claim 1, wherein the time indicator includes a starting time and an ending time for which the first key is valid.
6. The method of claim 1, wherein the time indicator includes a time specifier and a range specifies, wherein the first key is valid for times between the time specifies and the time specifies plus the range specifies.
7. The method of claim 1, wherein the time indicator includes a time specifies and a range specifies, wherein the first key is valid for times between the time specifies minus the range specifies and the time specifies.
8. The method of claim 1, further including the steps of:
prior to step (c), (f) associating the encrypted first key with a key authenticator;
and after step (d), (g) authenticating the recovered first key using at least a portion of the recovered first key, wherein the recovered first key is used for decrypting the encrypted instance of service only when the recovered first key is authentic.
prior to step (c), (f) associating the encrypted first key with a key authenticator;
and after step (d), (g) authenticating the recovered first key using at least a portion of the recovered first key, wherein the recovered first key is used for decrypting the encrypted instance of service only when the recovered first key is authentic.
9. The method of claim 8, wherein the step (g) further includes the steps of:
(h) making a HASH digest using at least a portion of the recovered first key as an input for a HASH function; and (i) comparing the HASH digest with the key authenticator and authenticating the key authenticator when it is the same as the HASH digest.
(h) making a HASH digest using at least a portion of the recovered first key as an input for a HASH function; and (i) comparing the HASH digest with the key authenticator and authenticating the key authenticator when it is the same as the HASH digest.
10. The method of claim 9, wherein the input for the HASH function includes at least a portion of the key validator.
11. The method of claim 9, wherein the key authenticator is a digitally signed HASH digest that is signed by the private key of the public key-private key pair associated with the receiver, and the step (g) further includes:
(h) authenticating the signature of the receiver using the public key of the public key-private key pair.
(h) authenticating the signature of the receiver using the public key of the public key-private key pair.
12. The method of claim 1, further including the step of:
generating at the receiver the first key.
generating at the receiver the first key.
13. The method of claim 1, wherein the private key is stored within a memory of a secure processor, wherein the memory is accessible only to the secure processor, and prior to step (c), further including the steps of:
(f) responsive to the first key being valid, providing the encrypted first key to the secure processor; and (g) decrypting the encrypted first key using the private key of the public key-private key pair.
(f) responsive to the first key being valid, providing the encrypted first key to the secure processor; and (g) decrypting the encrypted first key using the private key of the public key-private key pair.
14. The method of claim 13, prior to step (c), further including the steps of:
(h) associating the first key with a key authenticator, the key authenticator indicating the authenticity of the validator associated with the first key;
and (i) authenticating the first key using at least a portion of the first key, wherein the first key is used for decrypting the encrypted instance of service only when the validator associated with the first key is authentic.
(h) associating the first key with a key authenticator, the key authenticator indicating the authenticity of the validator associated with the first key;
and (i) authenticating the first key using at least a portion of the first key, wherein the first key is used for decrypting the encrypted instance of service only when the validator associated with the first key is authentic.
15. The method of claim 14, wherein the step (i) further includes the steps of:
(j) making a HASH digest using at least a portion of the first key as an input for HASH function; and (k) comparing the HASH digest with the key authenticator and authenticating the key authenticator when it is the same as the HASH digest.
(j) making a HASH digest using at least a portion of the first key as an input for HASH function; and (k) comparing the HASH digest with the key authenticator and authenticating the key authenticator when it is the same as the HASH digest.
16. The method of claim 15, wherein the input for the HASH function includes at least a portion of the key validator.
17. The method of claim 15, wherein the key authenticator is a digitally signed HASH digest that was signed by the private key of the public key-private key pair associated with the receiver, and the step (i) further includes:
(l) authenticating the signature of the receiver using the public key of the public key-private key pair.
(l) authenticating the signature of the receiver using the public key of the public key-private key pair.
18. The method of claim 1, wherein the key validator is encrypted using the public key of the private key-public key pair belonging to the receiver.
19. The method of claim 1, prior to the step (a), further including the steps of:
(f) duplicating the first key; and (g) encrypting the duplicate first key with a third key.
(f) duplicating the first key; and (g) encrypting the duplicate first key with a third key.
20. The method of claim 19, wherein the third key is a public key of a public key-private key pair, the private key securely stored at a headend of a subscriber television system.
21. The method of claim 20, and after step (b) further including the steps of:
(h) transmitting from a receiver the encrypted duplicate first key to the headend;
and (i) receiving at the receiver a second key validator that indicates the validity of the receiver to use the first key to decrypt the encrypted service.
(h) transmitting from a receiver the encrypted duplicate first key to the headend;
and (i) receiving at the receiver a second key validator that indicates the validity of the receiver to use the first key to decrypt the encrypted service.
22. The method of claim 1, and after step (b) further including the steps of:
(f) transmitting from a receiver the encrypted first key to a headend of a subscriber television system;
(g) receiving at the receiver from the headend the encrypted first key; and (f) decrypting the encrypted first key using a private key of a public key-private key pair associated with the receiver.
(f) transmitting from a receiver the encrypted first key to a headend of a subscriber television system;
(g) receiving at the receiver from the headend the encrypted first key; and (f) decrypting the encrypted first key using a private key of a public key-private key pair associated with the receiver.
23. A receiver in a digital subscriber network, the receiver receiving content provided by an entitlement agent through a first communication link, the receiver comprising:
a first key validator including a validation token having a time specifier for which the first key is validated;
an encryptor adapted to encrypt the first key using a public key of a public key-private key pair associated with the receiver; and a decryptor adapted to decrypt the first key using the private key of the public key-private key pair.
a first key validator including a validation token having a time specifier for which the first key is validated;
an encryptor adapted to encrypt the first key using a public key of a public key-private key pair associated with the receiver; and a decryptor adapted to decrypt the first key using the private key of the public key-private key pair.
24. The receiver of claim 23, wherein the decryptor is included in a secure processor having a memory that includes the private key of the receiver, and the memory is accessible only to the secure processor.
25. The receiver of claim 23, further including:
a storage device having encrypted content stored therein, wherein the encrypted content was encrypted using the first key; and a second decryptor adapted to decrypt the encrypted content using the decrypted first key.
a storage device having encrypted content stored therein, wherein the encrypted content was encrypted using the first key; and a second decryptor adapted to decrypt the encrypted content using the decrypted first key.
26. The receiver of claim 23, further including:
an output port adapted to communication with an external storage device; and a second decryptor adapted to decrypt the encrypted content using the decrypted first key.
an output port adapted to communication with an external storage device; and a second decryptor adapted to decrypt the encrypted content using the decrypted first key.
27. The receiver of claim 23, further including:
an authenticator adapted to authenticate the first key, wherein the authenticator generates an authentication token associated with the first key.
an authenticator adapted to authenticate the first key, wherein the authenticator generates an authentication token associated with the first key.
28. The receiver of claim 23, wherein the authenticator further includes:
a digest maker adapted to making a HASH digest using at least a portion of the first key as an input to a HASH function; and a comparator adapted to compare the HASH digest with the authentication token.
a digest maker adapted to making a HASH digest using at least a portion of the first key as an input to a HASH function; and a comparator adapted to compare the HASH digest with the authentication token.
29. The receiver of claim 28, wherein the authenticator further includes:
a digital signer adapted to apply the private key of the public key-private key pair to the authentication token.
a digital signer adapted to apply the private key of the public key-private key pair to the authentication token.
30. The receiver of claim 27, wherein the authenticator is included in a secure processor having a memory that includes a private key of the public key-private key pair and the memory is successful only to the secure processor.
31. The receiver of claim 23, wherein the first key validator further includes:
a clock adapted to measure time from a predetermined time; and a comparator adapted to compare the measured time with the validation token, wherein the comparator uses the time specifier and the measured time to determine if the first key is valid.
a clock adapted to measure time from a predetermined time; and a comparator adapted to compare the measured time with the validation token, wherein the comparator uses the time specifier and the measured time to determine if the first key is valid.
32. The receiver of claim 23, further including:
a memory having a first key encrypted by the public key of the public key-private key pair and a duplicate first key encrypted by a second public key-private key pair, wherein the second public key is associated with the entitlement agent.
a memory having a first key encrypted by the public key of the public key-private key pair and a duplicate first key encrypted by a second public key-private key pair, wherein the second public key is associated with the entitlement agent.
33. The receiver of claim 32, further including:
a transceiver adapted to transmit a request for a validation token, wherein the validation token includes a time specifier indicating when the first key is valid.
a transceiver adapted to transmit a request for a validation token, wherein the validation token includes a time specifier indicating when the first key is valid.
34. In a receiver coupled to a subscriber television network, a method of controlling access to an encrypted instance of service provided to the receiver by a headend of the subscriber television network, the method comprising the steps of:
receiving at the receiver a service instance;
encrypting the service instance with a first key;
generating a key validator having a time indicator included therein;
encrypting the first key with a second key, thereby converting the first key into an encrypted first key;
associating the encrypted first key with the key validator;
storing the encrypted service instance, the encrypted first key and the key validator in a storage device;
responsive to receiving a request for the stored encrypted service, retrieving the encrypted first key and the key validator from the storage device;
responsive to retrieving the encrypted key validator, determining whether the encrypted first key is valid using the key validator;
responsive to the encrypted first key being valid, decrypting the encrypted first key with a third key, thereby recovering the first key; and responsive to recovering first key, decrypting the encrypted service instance.
receiving at the receiver a service instance;
encrypting the service instance with a first key;
generating a key validator having a time indicator included therein;
encrypting the first key with a second key, thereby converting the first key into an encrypted first key;
associating the encrypted first key with the key validator;
storing the encrypted service instance, the encrypted first key and the key validator in a storage device;
responsive to receiving a request for the stored encrypted service, retrieving the encrypted first key and the key validator from the storage device;
responsive to retrieving the encrypted key validator, determining whether the encrypted first key is valid using the key validator;
responsive to the encrypted first key being valid, decrypting the encrypted first key with a third key, thereby recovering the first key; and responsive to recovering first key, decrypting the encrypted service instance.
35. The method of claim 34, further including the steps of:
generating a key authenticator using at least a portion of the key validator;
associating the key authenticator with the encrypted first key and with the key validator; and storing the key authenticator in the storage device;
wherein the step of determining whether the encrypted first key is valid, further includes the steps of:
retrieving the key authenticator from the storage device; and determining whether the key validator is authentic using the key authenticator, wherein the encrypted first key is valid only if the key validator is authentic.
generating a key authenticator using at least a portion of the key validator;
associating the key authenticator with the encrypted first key and with the key validator; and storing the key authenticator in the storage device;
wherein the step of determining whether the encrypted first key is valid, further includes the steps of:
retrieving the key authenticator from the storage device; and determining whether the key validator is authentic using the key authenticator, wherein the encrypted first key is valid only if the key validator is authentic.
36. The method of claim 35, wherein the key authenticator includes a signed first HASH digest, the first HASH digest being the output of a HASH function having at least a portion of the key validator as an input, wherein the first HASH
digest was signed by the third key, and the step of determining whether the key validator is authentic includes the steps of:
generating a second HASH digest using at least a portion of the key validator as an input to a HASH function;
decoding the signed first HASH digest with the second key; and comparing the decoded first HASH digest with the second HASH digest, wherein the key validator is authentic only if the decoded first HASH
digest is the same as the second HASH digest.
digest was signed by the third key, and the step of determining whether the key validator is authentic includes the steps of:
generating a second HASH digest using at least a portion of the key validator as an input to a HASH function;
decoding the signed first HASH digest with the second key; and comparing the decoded first HASH digest with the second HASH digest, wherein the key validator is authentic only if the decoded first HASH
digest is the same as the second HASH digest.
37. The method of claim 34, wherein the second key is a public key of private key-public key pair belonging to the receiver and the third key is the private key belonging to the receiver.
38. The method of claim 34, further including the steps of:
duplicating the first key;
encrypting the first key with a fourth key, thereby converting the duplicate first key into a second encrypted first key;
responsive to the first key being invalid, transmitting a first message including the second encrypted first key to the headend;
responsive to transmitting the message, receiving a second message from the headend; and responsive to the second message, decrypting the encrypted service instance.
duplicating the first key;
encrypting the first key with a fourth key, thereby converting the duplicate first key into a second encrypted first key;
responsive to the first key being invalid, transmitting a first message including the second encrypted first key to the headend;
responsive to transmitting the message, receiving a second message from the headend; and responsive to the second message, decrypting the encrypted service instance.
39. The method of claim 38, wherein the second message includes a second key validator, and further including the steps of:
determining whether the second key validator is authentic using the key authenticator; and responsive to the second key validator being authentic, decrypting the first encrypted first key, thereby recovering the first key.
determining whether the second key validator is authentic using the key authenticator; and responsive to the second key validator being authentic, decrypting the first encrypted first key, thereby recovering the first key.
40. The method of claim 38, wherein the second message includes a third encrypted first key, and further including the step of:
decrypting the third encrypted first key with the third key, thereby recovering the first key.
decrypting the third encrypted first key with the third key, thereby recovering the first key.
41. The method of claim 34, wherein the service instance received at the receiver includes ciphertext, and prior to encrypting the service instance, further including the step of:
receiving a decryption key token at the receiver, wherein the decryption key token is received concurrently with the service instance;
generating a fourth key using the decryption key token; and decrypting the ciphertext of the service instance using the fourth key.
receiving a decryption key token at the receiver, wherein the decryption key token is received concurrently with the service instance;
generating a fourth key using the decryption key token; and decrypting the ciphertext of the service instance using the fourth key.
42. The method of claim 34, wherein the time indicator includes a starting time and an ending time for which the first key is valid.
43. The method of claim 34, wherein the time indicator includes a time specifier and a range specifier, wherein the first key is valid for times between the time specifier and the time specifier plus the range specifier.
44. The method of claim 34, wherein the time indicator includes a time specifier and a range specifier, wherein the first key is valid for times between the time specifier minus the range specifier and the time specifier.
45. In a subscriber television system having a head-end and a receiver that receives a service instance from the head-end, the receiver, the receiver comprising:
a first processor adapted to encrypt a service instance with a first key and adapted to encrypt the first key with a public key of a public key-private key pair belonging to the receiver, thereby converting the first key into an encrypted first key, the first processor further adapted to generate a key validator having a time indicator included therein;
storage means in communication with the first processor, the storage means adapted to store the encrypted first key, the encrypted service instance and a key authenticator;
a secure element in communication with the first processor, the secure element having a second processor and a memory, the memory having the private key belonging to the receiver stored therein, the second processor adapted to generate a key authenticator using at least a portion of the key validator and the public key belonging to the receiver, wherein the memory of the secure element is not accessible to the first processor; and an input port in communication with the first processor adapted to receiver commands from a subscriber input device, wherein responsive to a command from the subscriber input device received at the input port, the first processor determines whether the encrypted first key is valid using the key validator, the second processor decrypts the encrypted first key using the private key, thereby recovering the first key, and determines whether the key validator is authentic using the private key and the key validator, and responsive to both the first key being valid and the key validator being authentic, the first processor decrypts the service instance using the recovered first key.
a first processor adapted to encrypt a service instance with a first key and adapted to encrypt the first key with a public key of a public key-private key pair belonging to the receiver, thereby converting the first key into an encrypted first key, the first processor further adapted to generate a key validator having a time indicator included therein;
storage means in communication with the first processor, the storage means adapted to store the encrypted first key, the encrypted service instance and a key authenticator;
a secure element in communication with the first processor, the secure element having a second processor and a memory, the memory having the private key belonging to the receiver stored therein, the second processor adapted to generate a key authenticator using at least a portion of the key validator and the public key belonging to the receiver, wherein the memory of the secure element is not accessible to the first processor; and an input port in communication with the first processor adapted to receiver commands from a subscriber input device, wherein responsive to a command from the subscriber input device received at the input port, the first processor determines whether the encrypted first key is valid using the key validator, the second processor decrypts the encrypted first key using the private key, thereby recovering the first key, and determines whether the key validator is authentic using the private key and the key validator, and responsive to both the first key being valid and the key validator being authentic, the first processor decrypts the service instance using the recovered first key.
46. The receiver of claim 45, wherein the time indicator includes a starting time and an ending time for which the first key is valid.
47. The receiver of claim 45, wherein the time indicator includes a time specifier and a range specifier, wherein the first key is valid for times between the time specifier and the time specifier plus the range specifier.
48. The receiver of claim 45, wherein the time indicator includes a time specifier and a range specifier, wherein the first key is valid for times between the time specifier minus the range specifier and the time specifier.
49. The receiver of claim 45, wherein the second processor is further adapted to generate a HASH digest of at least a portion of the key validator and at least a portion the first key, wherein the key authenticator includes the HASH digest signed by the private key.
50. The receiver of claim 49, wherein the second processor is further adapted to generate a second HASH digest of at least a portion of the key validator and at least a portion the recovered first key, decode the signed HASH digest of the key authenticator using the public key, and compare the second HASH digest with the decoded HASH
digest, wherein responsive to the second HASH digest being the same as the decoded HASH digest, the second processor provides the recovered first key to the first processor.
digest, wherein responsive to the second HASH digest being the same as the decoded HASH digest, the second processor provides the recovered first key to the first processor.
51. The receiver of claim 50, wherein responsive to the second HASH digest not being the same as the decoded HASH digest, the second processor does not provide the recovered first key to the first processor.
52. The receiver of claim 45, further including:
a transceiver in communication with the first processor and the headend of the subscriber television system, wherein the first processor is adapted to duplicate the first key and encrypt the duplicate first key with a second public key, thereby converting the duplicate first key into a second encrypted first key, responsive to the encrypted first key being invalid, the first processor generates a message for the headend including the second encrypted first key and the transceiver transmits the message to the headend.
a transceiver in communication with the first processor and the headend of the subscriber television system, wherein the first processor is adapted to duplicate the first key and encrypt the duplicate first key with a second public key, thereby converting the duplicate first key into a second encrypted first key, responsive to the encrypted first key being invalid, the first processor generates a message for the headend including the second encrypted first key and the transceiver transmits the message to the headend.
53. The receiver of claim 52, wherein the transceiver receives a second message, responsive to the second message, the first processor decrypts the encrypted service instance.
54. The receiver of claim 53, wherein the second message includes a second key validator, responsive to the second key validator, the first processor validates the first encrypted first key using the second key validator.
55. The receiver of claim 45, wherein the storage means includes a harddrive.
56. The receiver of claim 45, wherein the storage means includes a storage device external to the receiver.
57. In a subscriber network system having a head-end and a receiver that receives a service instance from the head-end, the receiver, which is located remotely from the head-end, stores the service instance at the remote location and restricts access to the stored service instance, the receiver comprising:
a port adapted to receive the service instance;
a storage device at the remote location, the storage device having an encrypted first key, a key validator, and key authenticator stored therein, and wherein the first key is used for decrypting the service instance when the first key is valid;
a memory having a private key-public key pair for the receiver stored therein;
and a processor in communication with the memory, the processor adapted to use the public key of the receiver to encrypt the first key and generate the key validator and the key authenticator, wherein the key validator includes a time indicator used for determining whether the first key is valid or has expired, the key authenticator includes a hash digest signed by the private key of the receiver, and the hash digest is the output of a hash function having as inputs at least a portion of the key validator and at least a portion of the first key.
a port adapted to receive the service instance;
a storage device at the remote location, the storage device having an encrypted first key, a key validator, and key authenticator stored therein, and wherein the first key is used for decrypting the service instance when the first key is valid;
a memory having a private key-public key pair for the receiver stored therein;
and a processor in communication with the memory, the processor adapted to use the public key of the receiver to encrypt the first key and generate the key validator and the key authenticator, wherein the key validator includes a time indicator used for determining whether the first key is valid or has expired, the key authenticator includes a hash digest signed by the private key of the receiver, and the hash digest is the output of a hash function having as inputs at least a portion of the key validator and at least a portion of the first key.
58. The receiver of claim 57, further including:
a decryptor in communication with the processor and the storage device, the decryptor adapted to use the first key to decrypt the encrypted stored service instance; and wherein the processor is adapted to use the encrypted first key, the key validator and the key authenticator to determine whether the decryptor should be provided with the first key.
a decryptor in communication with the processor and the storage device, the decryptor adapted to use the first key to decrypt the encrypted stored service instance; and wherein the processor is adapted to use the encrypted first key, the key validator and the key authenticator to determine whether the decryptor should be provided with the first key.
59. The receiver of claim 58, wherein the processor is further adapted to decrypt the encrypted first key using the private key of the receiver and generate a second hash digest using at least a portion of the first key and at least a portion of the key validator as inputs to the hash function, use the public key of the receiver to process the authentication token, compare the second hash digest with the processed authentication token, and responsive to the second hash digest and the processed authentication token not being the same, the processor determines therefrom that the decryptor is not to be provided with the first key.
60. The receiver of claim 59, wherein the processor is further adapted to use the time specifier of the key validator to determine whether the first key has expired and when the first key is expired determine therefrom that the decryptor is not to be provided with the first key.
61. The receiver of claim 57, wherein the service instance is provided to the subscriber network by an entitlement agent having a public key-private key pair associated therewith, the memory having the public key associated with the entitlement agent stored therein, and the processor is further adapted to copy the first key and encrypt the copy of the first key with public key associated with the entitlement agent and provide the encrypted copy of the first key to the storage device, which stores the encrypted copy of first key therein.
62. The receiver of claim 61, further including:
a transceiver in communication with the processor adapted to transmit messages to the head-end, wherein the processor is further adapted to generate a message having the encrypted copy of the first key included therein, and the transceiver transmits the message to the head-end
a transceiver in communication with the processor adapted to transmit messages to the head-end, wherein the processor is further adapted to generate a message having the encrypted copy of the first key included therein, and the transceiver transmits the message to the head-end
63. The receiver of claim 62, wherein the transceiver receives message from the head-end, the received message includes an encrypted second copy of the first key, and the processor decrypts the encrypted second copy of the first key using the private key of the receiver.
64. The receiver of claim 63, wherein the received message includes a second key validator, the processor uses the second key validator to generate a second key authenticator, and the second key validator and the second key authenticator are stored in the storage device.
65. In a subscriber television system having a head-end and a receiver that receives a service instance from the head-end, the receiver, which is located remotely from the head-end at a subscriber's premises restricts access to the stored service instance, a method of accessing the restricted service instance, the method implemented at the receiver and comprising the steps of:
receiving the service instance;
encrypting the service instance with a first key;
storing the encrypted service instance in a storage device at the premises of the subscriber;
encrypting the first key with a second key, thereby converting the first key to an encrypted first key, wherein the second key is a public key of a private key-public key pair belonging to the receiver;
associating a key validator with the encrypted first key, wherein the key validator includes a time indicator that indicates whether the encrypted first key is valid;
associating a key authenticator with the encrypted first key, wherein the key authenticator includes a digest signed by the private key and indicates whether the key validator is authentic;
storing the encrypted first key, the key validator, and the key authenticator;
determining whether the encrypted first key is valid using the key validator;
responsive to the encrypted first key being valid, decrypting the encrypted first key with the private key of the receiver, thereby recovering the first key;
responsive to the encrypted first key being valid, authenticating the key validator using the key authenticator;
responsive to both the encrypted first key being valid and the key validator being authentic, decrypting the encrypted service instance.
receiving the service instance;
encrypting the service instance with a first key;
storing the encrypted service instance in a storage device at the premises of the subscriber;
encrypting the first key with a second key, thereby converting the first key to an encrypted first key, wherein the second key is a public key of a private key-public key pair belonging to the receiver;
associating a key validator with the encrypted first key, wherein the key validator includes a time indicator that indicates whether the encrypted first key is valid;
associating a key authenticator with the encrypted first key, wherein the key authenticator includes a digest signed by the private key and indicates whether the key validator is authentic;
storing the encrypted first key, the key validator, and the key authenticator;
determining whether the encrypted first key is valid using the key validator;
responsive to the encrypted first key being valid, decrypting the encrypted first key with the private key of the receiver, thereby recovering the first key;
responsive to the encrypted first key being valid, authenticating the key validator using the key authenticator;
responsive to both the encrypted first key being valid and the key validator being authentic, decrypting the encrypted service instance.
66. The method of claim 65, prior to the step of encrypting the first key, further including the steps of:
duplicating the first key;
encrypting the duplicate first key with a third key, wherein the third key is a public key provided to the receiver from the head-end of the subscriber television system;
storing the encrypted duplicate first key; and responsive to the encrypted first key being invalid, transmitting the encrypted duplicate first key to the headend; and responsive to transmitting the encrypted duplicate first key, decrypting the encrypted service instance.
duplicating the first key;
encrypting the duplicate first key with a third key, wherein the third key is a public key provided to the receiver from the head-end of the subscriber television system;
storing the encrypted duplicate first key; and responsive to the encrypted first key being invalid, transmitting the encrypted duplicate first key to the headend; and responsive to transmitting the encrypted duplicate first key, decrypting the encrypted service instance.
67. The method of claim 66, prior to the step of decrypting the service instance, further including the steps of:
receiving from the head-end a second key validator;
validating the encrypted first key using the second key validator; and decrypting the encrypted first key, thereby recovering the first key.
receiving from the head-end a second key validator;
validating the encrypted first key using the second key validator; and decrypting the encrypted first key, thereby recovering the first key.
68. The method of claim 66, prior to the step of decrypting the service instance, further including the steps of:
receiving from the head-end a second encrypted first key, wherein the second encrypted first key was generated by encrypting the first key with the public key of the receiver; and decrypting the second encrypted first key using the private key of the receiver.
receiving from the head-end a second encrypted first key, wherein the second encrypted first key was generated by encrypting the first key with the public key of the receiver; and decrypting the second encrypted first key using the private key of the receiver.
69. The method of claim 65, wherein the digest of the key authenticator includes the HASH digest that is the output of a HASH function having as inputs at least a portion of the key validator and at least a portion of the first key.
70. The method of claim 69, wherein the step of authenticating further includes the steps of:
signing the HASH digest of the key authenticator with the public key of the receiver;
generating a second HASH digest using at least a portion of the key validator and at least a portion of the recovered first key as inputs; and comparing the second HASH digest with the first HASH digest, wherein the key validator is authentic responsive to the first and second HASH digests being the same.
signing the HASH digest of the key authenticator with the public key of the receiver;
generating a second HASH digest using at least a portion of the key validator and at least a portion of the recovered first key as inputs; and comparing the second HASH digest with the first HASH digest, wherein the key validator is authentic responsive to the first and second HASH digests being the same.
71. The method of claim 65, wherein the step of determining whether the first key is valid further includes the steps of:
determining a current time; and determining from the current time and the time indicator of the key validator whether the first encrypted key is valid.
determining a current time; and determining from the current time and the time indicator of the key validator whether the first encrypted key is valid.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/242,100 | 2002-09-12 | ||
US10/242,100 US7200868B2 (en) | 2002-09-12 | 2002-09-12 | Apparatus for encryption key management |
PCT/US2002/029339 WO2004025892A1 (en) | 2002-09-12 | 2002-09-17 | Apparatus for encryption key management |
Publications (2)
Publication Number | Publication Date |
---|---|
CA2498684A1 true CA2498684A1 (en) | 2004-03-25 |
CA2498684C CA2498684C (en) | 2012-03-20 |
Family
ID=31991326
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA2498684A Expired - Fee Related CA2498684C (en) | 2002-09-12 | 2002-09-17 | Apparatus for encryption key management |
Country Status (5)
Country | Link |
---|---|
US (1) | US7200868B2 (en) |
EP (1) | EP1547297A4 (en) |
JP (1) | JP4182055B2 (en) |
CA (1) | CA2498684C (en) |
WO (1) | WO2004025892A1 (en) |
Families Citing this family (134)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030200548A1 (en) * | 2001-12-27 | 2003-10-23 | Paul Baran | Method and apparatus for viewer control of digital TV program start time |
EP1343286A1 (en) * | 2002-03-04 | 2003-09-10 | BRITISH TELECOMMUNICATIONS public limited company | Lightweight authentication of information |
US7890771B2 (en) * | 2002-04-17 | 2011-02-15 | Microsoft Corporation | Saving and retrieving data based on public key encryption |
US7181010B2 (en) | 2002-05-24 | 2007-02-20 | Scientific-Atlanta, Inc. | Apparatus for entitling remote client devices |
US7861082B2 (en) * | 2002-05-24 | 2010-12-28 | Pinder Howard G | Validating client-receivers |
US8171567B1 (en) | 2002-09-04 | 2012-05-01 | Tracer Detection Technology Corp. | Authentication method and system |
US8036250B1 (en) * | 2002-10-25 | 2011-10-11 | Bigband Networks Inc. | Method and apparatus of mutliplexing media streams |
US20040151315A1 (en) * | 2002-11-06 | 2004-08-05 | Kim Hee Jean | Streaming media security system and method |
JP3737798B2 (en) * | 2002-11-25 | 2006-01-25 | 株式会社東芝 | Transmitting apparatus, receiving apparatus and receiving method |
US6882729B2 (en) * | 2002-12-12 | 2005-04-19 | Universal Electronics Inc. | System and method for limiting access to data |
TW200511860A (en) * | 2003-05-14 | 2005-03-16 | Nagracard Sa | Duration computing method in a security module |
US7289632B2 (en) * | 2003-06-03 | 2007-10-30 | Broadcom Corporation | System and method for distributed security |
US6724335B1 (en) * | 2003-06-03 | 2004-04-20 | Broadcom Corporation | Systems and methods for digital upconversion for television signals |
US7437559B2 (en) * | 2003-11-19 | 2008-10-14 | Hewlett-Packard Development Company, L.P. | Electronic message authentication |
US8165297B2 (en) * | 2003-11-21 | 2012-04-24 | Finisar Corporation | Transceiver with controller for authentication |
FR2864391B1 (en) * | 2003-12-19 | 2006-03-17 | Viaccess Sa | METHOD FOR PROTECTION AGAINST MISUSE OF A MULTIPLEX AND DIFFUSION SYSTEM FOR CARRYING OUT SAID METHOD |
US7474852B1 (en) * | 2004-02-12 | 2009-01-06 | Multidyne Electronics Inc. | System for communication of video, audio, data, control or other signals over fiber |
EP1564994A1 (en) * | 2004-02-13 | 2005-08-17 | Nagravision S.A. | Method for managing rights of subscribers to a multi-operator pay television system |
KR100574974B1 (en) * | 2004-02-26 | 2006-05-02 | 삼성전자주식회사 | Apparatus and method having conditional access and copy protection scheme for encoded broadcast data |
ATE433164T1 (en) | 2004-03-12 | 2009-06-15 | Ingenia Technology Ltd | METHOD AND DEVICES FOR GENERATING AUTHENTICABLE ITEMS AND THEIR SUBSEQUENT VERIFICATION |
EP2128790A3 (en) | 2004-03-12 | 2011-01-26 | Ingenia Technology Limited | Authenticity verification with linearised data |
US7370166B1 (en) * | 2004-04-30 | 2008-05-06 | Lexar Media, Inc. | Secure portable storage device |
US7590243B2 (en) * | 2004-05-04 | 2009-09-15 | The Directv Group, Inc. | Digital media conditional access system for handling digital media content |
TWI280026B (en) * | 2004-07-02 | 2007-04-21 | Univ Chang Gung | RSA with personalized secret |
US8266429B2 (en) * | 2004-07-20 | 2012-09-11 | Time Warner Cable, Inc. | Technique for securely communicating and storing programming material in a trusted domain |
US8312267B2 (en) | 2004-07-20 | 2012-11-13 | Time Warner Cable Inc. | Technique for securely communicating programming content |
GB2417592B (en) | 2004-08-13 | 2006-07-26 | Ingenia Technology Ltd | Authenticity verification of articles |
US7602914B2 (en) * | 2004-08-18 | 2009-10-13 | Scientific-Atlanta, Inc. | Utilization of encrypted hard drive content by one DVR set-top box when recorded by another |
US7630499B2 (en) * | 2004-08-18 | 2009-12-08 | Scientific-Atlanta, Inc. | Retrieval and transfer of encrypted hard drive content from DVR set-top boxes |
US7602913B2 (en) * | 2004-08-18 | 2009-10-13 | Scientific - Atlanta, Inc. | Retrieval and transfer of encrypted hard drive content from DVR set-top box utilizing second DVR set-top box |
US20060047601A1 (en) * | 2004-08-25 | 2006-03-02 | General Instrument Corporation | Method and apparatus for providing channel key data |
JP4576936B2 (en) * | 2004-09-02 | 2010-11-10 | ソニー株式会社 | Information processing apparatus, information recording medium, content management system, data processing method, and computer program |
US7822344B1 (en) * | 2004-10-01 | 2010-10-26 | Multidyne Electronics Inc. | System for communication of video, audio, data, control or other signals over fiber in a self-healing ring topology |
TWI269967B (en) * | 2004-10-13 | 2007-01-01 | Rdc Semiconductor Co Ltd | System and method for data processing |
WO2006048856A1 (en) * | 2004-11-01 | 2006-05-11 | Nds Limited | Efficient and secure renewal of entitlements |
EP1662788A1 (en) * | 2004-11-24 | 2006-05-31 | Nagravision SA | Method and system for access control of audio/video data |
KR100584455B1 (en) * | 2005-04-01 | 2006-05-26 | 삼성전자주식회사 | Scm pon by using wdm |
GB2428948B (en) * | 2005-07-27 | 2007-09-05 | Ingenia Technology Ltd | Keys |
RU2417448C2 (en) | 2005-07-27 | 2011-04-27 | Инджениа Холдингс Лимитед | Authenticity verification |
RU2008107316A (en) * | 2005-07-27 | 2009-09-10 | Инджениа Текнолоджи Лимитед (Gb) | CHECKING THE PRODUCT SIGNATURE CREATED ON THE BASIS OF THE SIGNALS RECEIVED THROUGH THE SCATTERING OF THE COherent OPTICAL RADIATION FROM THE PRODUCT SURFACE |
JP2009503672A (en) * | 2005-07-27 | 2009-01-29 | インゲニア・テクノロジー・リミテッド | Prescription authentication using speckle patterns |
JP2007053461A (en) * | 2005-08-16 | 2007-03-01 | Sony Corp | Transmission/reception system, reception method, receiving apparatus and method, and program |
US20080101614A1 (en) * | 2005-08-31 | 2008-05-01 | General Instrument Corporation | Method and Apparatus for Providing Secured Content Distribution |
US20070055982A1 (en) * | 2005-09-02 | 2007-03-08 | Netgear Inc. | System and method for digital content media distribution |
GB2429950B (en) * | 2005-09-08 | 2007-08-22 | Ingenia Holdings | Copying |
KR100803596B1 (en) * | 2005-11-25 | 2008-02-19 | 삼성전자주식회사 | Method and apparatus for decryption using external device or service on revocation mechanism, method and apparatus for supporting decryption therefor |
EP1969525A1 (en) | 2005-12-23 | 2008-09-17 | Ingenia Holdings (UK)Limited | Optical authentication |
GB2434442A (en) * | 2006-01-16 | 2007-07-25 | Ingenia Holdings | Verification of performance attributes of packaged integrated circuits |
US20070180538A1 (en) * | 2006-02-01 | 2007-08-02 | General Instrument Corporation | Method and apparatus for limiting the ability of a user device to replay content |
KR100846787B1 (en) * | 2006-02-15 | 2008-07-16 | 삼성전자주식회사 | Method and apparatus for importing transport stream |
EP1827019A1 (en) * | 2006-02-23 | 2007-08-29 | Nagravision S.A. | Conditional access method to conditional access data |
US7590601B2 (en) * | 2006-03-17 | 2009-09-15 | Wildtangent, Inc | Licensing media consumption using digital currency |
US9082113B2 (en) * | 2006-03-17 | 2015-07-14 | Wildtangent, Inc. | Licensing media consumption using digital currency |
US9087326B2 (en) * | 2006-03-17 | 2015-07-21 | Wildtangent, Inc. | Accruing and/or providing digital currency for media consumption |
US20070219924A1 (en) * | 2006-03-17 | 2007-09-20 | Wildtangent, Inc. | User interfacing for licensed media consumption using digital currency |
US8208796B2 (en) * | 2006-04-17 | 2012-06-26 | Prus Bohdan S | Systems and methods for prioritizing the storage location of media data |
US8775319B2 (en) | 2006-05-15 | 2014-07-08 | The Directv Group, Inc. | Secure content transfer systems and methods to operate the same |
GB2440386A (en) * | 2006-06-12 | 2008-01-30 | Ingenia Technology Ltd | Scanner authentication |
US9277295B2 (en) * | 2006-06-16 | 2016-03-01 | Cisco Technology, Inc. | Securing media content using interchangeable encryption key |
US7978720B2 (en) * | 2006-06-30 | 2011-07-12 | Russ Samuel H | Digital media device having media content transfer capability |
US20080005204A1 (en) * | 2006-06-30 | 2008-01-03 | Scientific-Atlanta, Inc. | Systems and Methods for Applying Retention Rules |
US20080022304A1 (en) * | 2006-06-30 | 2008-01-24 | Scientific-Atlanta, Inc. | Digital Media Device Having Selectable Media Content Storage Locations |
US9137480B2 (en) * | 2006-06-30 | 2015-09-15 | Cisco Technology, Inc. | Secure escrow and recovery of media device content keys |
US8520850B2 (en) | 2006-10-20 | 2013-08-27 | Time Warner Cable Enterprises Llc | Downloadable security and protection methods and apparatus |
US20080103875A1 (en) * | 2006-10-31 | 2008-05-01 | Michael Kokernak | Methods and systems for an interactive data finder |
US8732854B2 (en) | 2006-11-01 | 2014-05-20 | Time Warner Cable Enterprises Llc | Methods and apparatus for premises content distribution |
US20080167992A1 (en) * | 2007-01-05 | 2008-07-10 | Backchannelmedia Inc. | Methods and systems for an accountable media advertising application |
US8621540B2 (en) | 2007-01-24 | 2013-12-31 | Time Warner Cable Enterprises Llc | Apparatus and methods for provisioning in a download-enabled system |
US8532300B1 (en) * | 2007-02-13 | 2013-09-10 | Emc Corporation | Symmetric is encryption key management |
EP2113152B1 (en) * | 2007-02-21 | 2015-04-08 | TP Vision Holding B.V. | A conditional access system |
RU2339077C1 (en) * | 2007-03-13 | 2008-11-20 | Олег Вениаминович Сахаров | Method of operating conditional access system for application in computer networks and system for its realisation |
US8762714B2 (en) * | 2007-04-24 | 2014-06-24 | Finisar Corporation | Protecting against counterfeit electronics devices |
CN101669322B (en) * | 2007-05-08 | 2013-07-03 | 汤姆森特许公司 | Method and apparatus for adjusting decryption keys |
GB2450131B (en) * | 2007-06-13 | 2009-05-06 | Ingenia Holdings | Fuzzy Keys |
US7849318B2 (en) * | 2007-06-19 | 2010-12-07 | Yahoo! Inc. | Method for session security |
US8108680B2 (en) * | 2007-07-23 | 2012-01-31 | Murray Mark R | Preventing unauthorized poaching of set top box assets |
US9049344B2 (en) | 2007-08-24 | 2015-06-02 | At&T Intellectual Property I, L.P. | Method and system for providing content |
US7949133B2 (en) * | 2007-09-26 | 2011-05-24 | Pinder Howard G | Controlled cryptoperiod timing to reduce decoder processing load |
US9148286B2 (en) * | 2007-10-15 | 2015-09-29 | Finisar Corporation | Protecting against counterfeit electronic devices |
FI20075776L (en) * | 2007-10-31 | 2009-05-01 | Eads Secure Networks Oy | End-to-end encrypted communication |
WO2009059331A2 (en) * | 2007-11-02 | 2009-05-07 | Finisar Corporation | Anticounterfeiting means for optical communication components |
US8819423B2 (en) * | 2007-11-27 | 2014-08-26 | Finisar Corporation | Optical transceiver with vendor authentication |
US8675872B2 (en) * | 2007-11-28 | 2014-03-18 | Echostar Technologies L.L.C. | Secure content distribution apparatus, systems, and methods |
US8051455B2 (en) | 2007-12-12 | 2011-11-01 | Backchannelmedia Inc. | Systems and methods for providing a token registry and encoder |
US20100322427A1 (en) * | 2008-03-31 | 2010-12-23 | Robert Bosch Gmch | Method for managing encryption keys in a communication network |
KR101526584B1 (en) * | 2008-04-04 | 2015-06-09 | 삼성전자주식회사 | Method and apparutus for broadcasting service using encryption key in a communication system |
GB2460625B (en) * | 2008-05-14 | 2010-05-26 | Ingenia Holdings | Two tier authentication |
EP2124439A1 (en) * | 2008-05-21 | 2009-11-25 | Nagravision S.A. | Method for assigning and managing subscriptions to receive remotely broadcast products |
US8204220B2 (en) * | 2008-09-18 | 2012-06-19 | Sony Corporation | Simulcrypt key sharing with hashed keys |
US20100098074A1 (en) * | 2008-10-22 | 2010-04-22 | Backchannelmedia Inc. | Systems and methods for providing a network link between broadcast content and content located on a computer network |
US9094721B2 (en) | 2008-10-22 | 2015-07-28 | Rakuten, Inc. | Systems and methods for providing a network link between broadcast content and content located on a computer network |
US8160064B2 (en) * | 2008-10-22 | 2012-04-17 | Backchannelmedia Inc. | Systems and methods for providing a network link between broadcast content and content located on a computer network |
GB2466465B (en) * | 2008-12-19 | 2011-02-16 | Ingenia Holdings | Authentication |
GB2466311B (en) * | 2008-12-19 | 2010-11-03 | Ingenia Holdings | Self-calibration of a matching algorithm for determining authenticity |
WO2010086855A2 (en) * | 2009-01-29 | 2010-08-05 | Fortress Applications Ltd. | System and methods for encryption with authentication integrity |
US9602864B2 (en) | 2009-06-08 | 2017-03-21 | Time Warner Cable Enterprises Llc | Media bridge apparatus and methods |
US9866609B2 (en) | 2009-06-08 | 2018-01-09 | Time Warner Cable Enterprises Llc | Methods and apparatus for premises content distribution |
US8443431B2 (en) * | 2009-10-30 | 2013-05-14 | Alcatel Lucent | Authenticator relocation method for WiMAX system |
GB2476226B (en) | 2009-11-10 | 2012-03-28 | Ingenia Holdings Ltd | Optimisation |
US8971535B2 (en) * | 2010-05-27 | 2015-03-03 | Bladelogic, Inc. | Multi-level key management |
US9906838B2 (en) | 2010-07-12 | 2018-02-27 | Time Warner Cable Enterprises Llc | Apparatus and methods for content delivery and message exchange across multiple content delivery networks |
US20120124394A1 (en) * | 2010-11-17 | 2012-05-17 | David Brudnicki | System and Method for Providing a Virtual Secure Element on a Portable Communication Device |
EP2566157A1 (en) | 2011-09-02 | 2013-03-06 | Nagravision S.A. | Method to optimize reception of entitlement management messages in a Pay-TV system |
US8989083B2 (en) | 2011-03-01 | 2015-03-24 | Broadcom Corporation | Conditional access system for satellite outdoor unit |
US9264230B2 (en) | 2011-03-14 | 2016-02-16 | International Business Machines Corporation | Secure key management |
GB2489671A (en) * | 2011-03-28 | 2012-10-10 | Sony Corp | Cryptographic key distribution for IPTV |
GB2489672A (en) * | 2011-03-28 | 2012-10-10 | Sony Corp | Authentication certificate distribution to set top boxes |
US8619990B2 (en) | 2011-04-27 | 2013-12-31 | International Business Machines Corporation | Secure key creation |
US8634561B2 (en) * | 2011-05-04 | 2014-01-21 | International Business Machines Corporation | Secure key management |
US8566913B2 (en) | 2011-05-04 | 2013-10-22 | International Business Machines Corporation | Secure key management |
US8755527B2 (en) | 2011-05-04 | 2014-06-17 | International Business Machines Corporation | Key management policies for cryptographic keys |
US8789210B2 (en) | 2011-05-04 | 2014-07-22 | International Business Machines Corporation | Key usage policies for cryptographic keys |
US8948399B2 (en) * | 2011-05-27 | 2015-02-03 | Novell, Inc. | Dynamic key management |
KR101767301B1 (en) | 2011-09-09 | 2017-08-10 | 라쿠텐 인코포레이티드 | Systems and methods for consumer control over interactive television exposure |
US9565472B2 (en) | 2012-12-10 | 2017-02-07 | Time Warner Cable Enterprises Llc | Apparatus and methods for content transfer protection |
US20140282786A1 (en) | 2013-03-12 | 2014-09-18 | Time Warner Cable Enterprises Llc | Methods and apparatus for providing and uploading content to personalized network storage |
WO2015013209A1 (en) * | 2013-07-25 | 2015-01-29 | Thomson Licensing | Method and system for displaying remaining time of rental |
US10148669B2 (en) | 2014-05-07 | 2018-12-04 | Dell Products, L.P. | Out-of-band encryption key management system |
US9621940B2 (en) | 2014-05-29 | 2017-04-11 | Time Warner Cable Enterprises Llc | Apparatus and methods for recording, accessing, and delivering packetized content |
US9553853B2 (en) * | 2014-12-23 | 2017-01-24 | Intel Corporation | Techniques for load balancing in a packet distribution system |
EP3113501A1 (en) | 2015-06-29 | 2017-01-04 | Nagravision SA | Content protection |
US11032589B1 (en) * | 2016-08-09 | 2021-06-08 | Google Llc | Methods, systems, and media for ensuring consumption of portions of media content |
US10783279B2 (en) * | 2016-09-01 | 2020-09-22 | Atmel Corporation | Low cost cryptographic accelerator |
US10320563B2 (en) * | 2016-09-23 | 2019-06-11 | Apple Inc. | Cryptographic entropy tree |
US10693639B2 (en) * | 2017-02-28 | 2020-06-23 | Blackberry Limited | Recovering a key in a secure manner |
US10853057B1 (en) * | 2017-03-29 | 2020-12-01 | Amazon Technologies, Inc. | Software library versioning with caching |
US10951599B2 (en) | 2017-06-02 | 2021-03-16 | Arris Enterprises Llc | Secure shell (SSH) server public key validation by a SSH client in a high volume device deployment |
US10951467B2 (en) * | 2017-06-02 | 2021-03-16 | Arris Enterprises Llc | Secure enabling and disabling points of entry on a device remotely or locally |
US10911243B1 (en) | 2018-12-14 | 2021-02-02 | Wells Fargo Bank, N.A. | Time-based digital signature |
US10903999B1 (en) * | 2019-09-11 | 2021-01-26 | Zscaler, Inc. | Protecting PII data from man-in-the-middle attacks in a network |
CN111580522A (en) * | 2020-05-15 | 2020-08-25 | 东风柳州汽车有限公司 | Control method for unmanned vehicle, and storage medium |
US11809493B2 (en) * | 2021-01-19 | 2023-11-07 | Micro Focus Llc | System and method for tokenization of data |
US20230131060A1 (en) * | 2021-10-22 | 2023-04-27 | Microsoft Technology Licensing, Llc | Secure authentication using attestation tokens and inviolable quotes to validate request origins |
US20240056651A1 (en) * | 2022-08-09 | 2024-02-15 | Dish Network, L.L.C. | Digital rights management using a gateway/set top box without a smart card |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2448825A1 (en) * | 1979-02-06 | 1980-09-05 | Telediffusion Fse | SYSTEM FOR TRANSMITTING INFORMATION BETWEEN A TRANSMISSION CENTER AND RECEIVING STATIONS, WHICH IS PROVIDED WITH A MEANS OF CONTROLLING ACCESS TO THE INFORMATION TRANSMITTED |
JP2606419B2 (en) * | 1989-08-07 | 1997-05-07 | 松下電器産業株式会社 | Cryptographic communication system and cryptographic communication method |
US6157719A (en) * | 1995-04-03 | 2000-12-05 | Scientific-Atlanta, Inc. | Conditional access system |
US5878141A (en) * | 1995-08-25 | 1999-03-02 | Microsoft Corporation | Computerized purchasing system and method for mediating purchase transactions over an interactive network |
CA2242596C (en) * | 1996-01-11 | 2012-06-19 | Mrj, Inc. | System for controlling access and distribution of digital property |
US6021491A (en) * | 1996-11-27 | 2000-02-01 | Sun Microsystems, Inc. | Digital signatures for data streams and data archives |
US6226618B1 (en) * | 1998-08-13 | 2001-05-01 | International Business Machines Corporation | Electronic content delivery system |
US6289455B1 (en) * | 1999-09-02 | 2001-09-11 | Crypotography Research, Inc. | Method and apparatus for preventing piracy of digital content |
US20020169958A1 (en) * | 2001-05-14 | 2002-11-14 | Kai Nyman | Authentication in data communication |
US20030093680A1 (en) * | 2001-11-13 | 2003-05-15 | International Business Machines Corporation | Methods, apparatus and computer programs performing a mutual challenge-response authentication protocol using operating system capabilities |
US20030204738A1 (en) * | 2002-04-30 | 2003-10-30 | Morgan Stephen Paul | System and method for secure distribution of digital content via a network |
US7418599B2 (en) * | 2002-06-03 | 2008-08-26 | International Business Machines Corporation | Deterring theft of media recording devices by encrypting recorded media files |
-
2002
- 2002-09-12 US US10/242,100 patent/US7200868B2/en active Active
- 2002-09-17 CA CA2498684A patent/CA2498684C/en not_active Expired - Fee Related
- 2002-09-17 WO PCT/US2002/029339 patent/WO2004025892A1/en active Application Filing
- 2002-09-17 JP JP2004535372A patent/JP4182055B2/en not_active Expired - Fee Related
- 2002-09-17 EP EP02761682A patent/EP1547297A4/en not_active Withdrawn
Also Published As
Publication number | Publication date |
---|---|
CA2498684C (en) | 2012-03-20 |
US20040052377A1 (en) | 2004-03-18 |
WO2004025892A1 (en) | 2004-03-25 |
EP1547297A1 (en) | 2005-06-29 |
US7200868B2 (en) | 2007-04-03 |
JP2005539425A (en) | 2005-12-22 |
JP4182055B2 (en) | 2008-11-19 |
EP1547297A4 (en) | 2012-02-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2498684A1 (en) | Apparatus for encryption key management | |
JP4714402B2 (en) | Secure transmission of digital data from an information source to a receiver | |
KR101366243B1 (en) | Method for transmitting data through authenticating and apparatus therefor | |
CN1655503B (en) | A secure key authentication and ladder system | |
US9071595B2 (en) | Certificate validity checking | |
JP4510281B2 (en) | System for managing access between a method and service provider for protecting audio / visual streams and a host device to which a smart card is coupled | |
KR100756324B1 (en) | Optional verification of interactive television content | |
EP1155527B1 (en) | Protecting information in a system | |
US6542610B2 (en) | Content protection for digital transmission systems | |
CN109218825B (en) | Video encryption system | |
TWI478566B (en) | A method of establishing a session key and units for implementing the method | |
US8176331B2 (en) | Method to secure data exchange between a multimedia processing unit and a security module | |
CN109151508B (en) | Video encryption method | |
JP2005245010A5 (en) | ||
WO2009155813A1 (en) | Method for storing encrypted data in client and system thereof | |
CA2487057A1 (en) | Apparatus for entitling remote client devices | |
HU224303B1 (en) | Method for managing symmetric key in a communication network and device for processing data in a communication network | |
EP1183818A1 (en) | Secure control of security mode | |
CN102802036A (en) | System and method for identifying digital television | |
EP3476078A1 (en) | Systems and methods for authenticating communications using a single message exchange and symmetric key | |
CN101394398B (en) | Content protecting method and system oriented to terminal digital interface | |
US20220171832A1 (en) | Scalable key management for encrypting digital rights management authorization tokens | |
JP2000216773A (en) | Method and system for discriminating propriety of encrypted information | |
Kim | Secure communication in digital TV broadcasting | |
WO2009153846A1 (en) | Authentication system, registration device, and authentication device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
EEER | Examination request | ||
MKLA | Lapsed |
Effective date: 20180917 |
|
MKLA | Lapsed |
Effective date: 20180917 |