CA2498684A1 - Apparatus for encryption key management - Google Patents

Apparatus for encryption key management

Info

Publication number
CA2498684A1
Authority
CA
Canada
Prior art keywords
key
encrypted
receiver
validator
processor
Legal status
Granted
Application number
CA002498684A
Other languages
French (fr)
Other versions
CA2498684C (en)
Inventor
Mark D. Mattox
Anthony J. Wasilewski
Current Assignee
Cisco Technology Inc
Original Assignee
Individual
Events
    • Application filed by Individual
    • Publication of CA2498684A1
    • Application granted
    • Publication of CA2498684C
    • Anticipated expiration
    • Current legal status: Expired - Fee Related

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
              • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
          • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
            • H04L2209/56 Financial cryptography, e.g. electronic payment or e-cash
            • H04L2209/60 Digital content management, e.g. content distribution
        • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
          • H04N7/00 Television systems
            • H04N7/16 Analogue secrecy systems; Analogue subscription systems
              • H04N7/162 Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing
                • H04N7/163 Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing, by receiver means only
              • H04N7/167 Systems rendering the television signal unintelligible and subsequently intelligible
                • H04N7/1675 Providing digital key or authorisation information for generation or regeneration of the scrambling sequence
          • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
            • H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
              • H04N21/23 Processing of content or additional data; Elementary server operations; Server middleware
                • H04N21/234 Processing of video elementary streams, e.g. splicing of video streams, manipulating MPEG-4 scene graphs
                  • H04N21/2347 Processing of video elementary streams involving video stream encryption
              • H04N21/25 Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
                • H04N21/254 Management at additional data server, e.g. shopping server, rights management server
                  • H04N21/2541 Rights Management
                • H04N21/266 Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
                  • H04N21/26606 Channel or content management for generating or managing entitlement messages, e.g. Entitlement Control Message [ECM] or Entitlement Management Message [EMM]
                  • H04N21/26613 Channel or content management for generating or managing keys in general
            • H04N21/40 Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
              • H04N21/41 Structure of client; Structure of client peripherals
                • H04N21/418 External card to be used in combination with the client device, e.g. for conditional access
                  • H04N21/4181 External card to be used in combination with the client device for conditional access
              • H04N21/43 Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
                • H04N21/44 Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream, rendering scenes according to MPEG-4 scene graphs
                  • H04N21/4405 Processing of video elementary streams involving video stream decryption
              • H04N21/45 Management operations performed by the client for facilitating the reception of or the interaction with the content or administrating data related to the end-user or to the client device itself, e.g. learning user preferences for recommending movies, resolving scheduling conflicts
                • H04N21/462 Content or additional data management, e.g. creating a master electronic program guide from data received from the Internet and a Head-end, controlling the complexity of a video stream by scaling the resolution or bit-rate based on the client capabilities
                  • H04N21/4623 Processing of entitlement messages, e.g. ECM [Entitlement Control Message] or EMM [Entitlement Management Message]
            • H04N21/60 Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client
              • H04N21/63 Control signaling related to video distribution between client, server and network components; Network processes for video distribution between server and clients or between remote clients, e.g. transmitting basic layer and enhancement layers over different transmission paths, setting up a peer-to-peer communication via Internet between remote STB's; Communication protocols; Addressing
                • H04N21/633 Control signals issued by server directed to the network components or client
                  • H04N21/6332 Control signals issued by server directed to client
                    • H04N21/6334 Control signals issued by server directed to client for authorisation, e.g. by transmitting a key
                      • H04N21/63345 Control signals issued by server directed to client for authorisation by transmitting keys

Abstract

An apparatus (102) and a receiver (110), which are in a broadband communication system (100), include the logic (232) necessary for encrypting content (254) through the use of encryption keys. The content is received by the receivers (110). The receiver (110) validates the keys and denies use of the content (254) if the keys become invalid.

Claims (71)

1. A method of controlling access to an encrypted instance of service, which was encrypted by a first key, the method implemented in a receiver in a subscriber television system, the method comprising the steps of:
(a) encrypting the first key using a public key of a private key-public key pair belonging to the receiver, thereby converting the first key into an encrypted first key;
(b) associating a key validator with the encrypted first key, wherein the key validator includes a time indicator that indicates whether the encrypted first key is valid;
(c) determining whether the encrypted first key is valid;
(d) responsive to the encrypted first key being valid, decrypting the encrypted first key thereby recovering the first key; and (e) responsive to the encrypted first key being valid, decrypting the encrypted service instance using the recovered first key.
2. The method of claim 1, prior to step (a), further including the steps of:
(f) receiving the instance of service at the receiver;
(g) encrypting the instance of service using the first key; and (h) storing the encrypted instance of service; and after step (a), further including the step of, (i) storing the encrypted first key.
3. The method of claim 2, wherein the instance of service received at the receiver includes ciphertext, and prior to the step (g), further including the step of:
(j) decrypting the ciphertext of the instance of service using a third key.
4. The method of claim 3, prior to step (j), further including the steps of:
(k) receiving a message and the service instance concurrently, wherein the message includes a third key token; and (l) generating the third key using the third key token.
5. The method of claim 1, wherein the time indicator includes a starting time and an ending time for which the first key is valid.
6. The method of claim 1, wherein the time indicator includes a time specifier and a range specifier, wherein the first key is valid for times between the time specifier and the time specifier plus the range specifier.
7. The method of claim 1, wherein the time indicator includes a time specifier and a range specifier, wherein the first key is valid for times between the time specifier minus the range specifier and the time specifier.
8. The method of claim 1, further including the steps of:
prior to step (c), (f) associating the encrypted first key with a key authenticator;
and after step (d), (g) authenticating the recovered first key using at least a portion of the recovered first key, wherein the recovered first key is used for decrypting the encrypted instance of service only when the recovered first key is authentic.
9. The method of claim 8, wherein the step (g) further includes the steps of:
(h) making a HASH digest using at least a portion of the recovered first key as an input for a HASH function; and (i) comparing the HASH digest with the key authenticator and authenticating the key authenticator when it is the same as the HASH digest.
10. The method of claim 9, wherein the input for the HASH function includes at least a portion of the key validator.
11. The method of claim 9, wherein the key authenticator is a digitally signed HASH digest that is signed by the private key of the public key-private key pair associated with the receiver, and the step (g) further includes:
(h) authenticating the signature of the receiver using the public key of the public key-private key pair.
12. The method of claim 1, further including the step of:
generating at the receiver the first key.
13. The method of claim 1, wherein the private key is stored within a memory of a secure processor, wherein the memory is accessible only to the secure processor, and prior to step (c), further including the steps of:
(f) responsive to the first key being valid, providing the encrypted first key to the secure processor; and (g) decrypting the encrypted first key using the private key of the public key-private key pair.
14. The method of claim 13, prior to step (c), further including the steps of:
(h) associating the first key with a key authenticator, the key authenticator indicating the authenticity of the validator associated with the first key;
and (i) authenticating the first key using at least a portion of the first key, wherein the first key is used for decrypting the encrypted instance of service only when the validator associated with the first key is authentic.
15. The method of claim 14, wherein the step (i) further includes the steps of:
(j) making a HASH digest using at least a portion of the first key as an input for HASH function; and (k) comparing the HASH digest with the key authenticator and authenticating the key authenticator when it is the same as the HASH digest.
16. The method of claim 15, wherein the input for the HASH function includes at least a portion of the key validator.
17. The method of claim 15, wherein the key authenticator is a digitally signed HASH digest that was signed by the private key of the public key-private key pair associated with the receiver, and the step (i) further includes:
(l) authenticating the signature of the receiver using the public key of the public key-private key pair.
18. The method of claim 1, wherein the key validator is encrypted using the public key of the private key-public key pair belonging to the receiver.
19. The method of claim 1, prior to the step (a), further including the steps of:
(f) duplicating the first key; and (g) encrypting the duplicate first key with a third key.
20. The method of claim 19, wherein the third key is a public key of a public key-private key pair, the private key securely stored at a headend of a subscriber television system.
21. The method of claim 20, and after step (b) further including the steps of:
(h) transmitting from a receiver the encrypted duplicate first key to the headend;
and (i) receiving at the receiver a second key validator that indicates the validity of the receiver to use the first key to decrypt the encrypted service.
22. The method of claim 1, and after step (b) further including the steps of:
(f) transmitting from a receiver the encrypted first key to a headend of a subscriber television system;
(g) receiving at the receiver from the headend the encrypted first key; and (h) decrypting the encrypted first key using a private key of a public key-private key pair associated with the receiver.
23. A receiver in a digital subscriber network, the receiver receiving content provided by an entitlement agent through a first communication link, the receiver comprising:
a first key validator including a validation token having a time specifier for which the first key is validated;
an encryptor adapted to encrypt the first key using a public key of a public key-private key pair associated with the receiver; and a decryptor adapted to decrypt the first key using the private key of the public key-private key pair.
24. The receiver of claim 23, wherein the decryptor is included in a secure processor having a memory that includes the private key of the receiver, and the memory is accessible only to the secure processor.
25. The receiver of claim 23, further including:
a storage device having encrypted content stored therein, wherein the encrypted content was encrypted using the first key; and a second decryptor adapted to decrypt the encrypted content using the decrypted first key.
26. The receiver of claim 23, further including:
an output port adapted to communicate with an external storage device; and a second decryptor adapted to decrypt the encrypted content using the decrypted first key.
27. The receiver of claim 23, further including:
an authenticator adapted to authenticate the first key, wherein the authenticator generates an authentication token associated with the first key.
28. The receiver of claim 23, wherein the authenticator further includes:
a digest maker adapted to make a HASH digest using at least a portion of the first key as an input to a HASH function; and a comparator adapted to compare the HASH digest with the authentication token.
29. The receiver of claim 28, wherein the authenticator further includes:
a digital signer adapted to apply the private key of the public key-private key pair to the authentication token.
30. The receiver of claim 27, wherein the authenticator is included in a secure processor having a memory that includes a private key of the public key-private key pair and the memory is accessible only to the secure processor.
31. The receiver of claim 23, wherein the first key validator further includes:
a clock adapted to measure time from a predetermined time; and a comparator adapted to compare the measured time with the validation token, wherein the comparator uses the time specifier and the measured time to determine if the first key is valid.
32. The receiver of claim 23, further including:
a memory having a first key encrypted by the public key of the public key-private key pair and a duplicate first key encrypted by a second public key-private key pair, wherein the second public key is associated with the entitlement agent.
33. The receiver of claim 32, further including:
a transceiver adapted to transmit a request for a validation token, wherein the validation token includes a time specifier indicating when the first key is valid.
34. In a receiver coupled to a subscriber television network, a method of controlling access to an encrypted instance of service provided to the receiver by a headend of the subscriber television network, the method comprising the steps of:
receiving at the receiver a service instance;
encrypting the service instance with a first key;
generating a key validator having a time indicator included therein;
encrypting the first key with a second key, thereby converting the first key into an encrypted first key;
associating the encrypted first key with the key validator;
storing the encrypted service instance, the encrypted first key and the key validator in a storage device;
responsive to receiving a request for the stored encrypted service, retrieving the encrypted first key and the key validator from the storage device;
responsive to retrieving the key validator, determining whether the encrypted first key is valid using the key validator;
responsive to the encrypted first key being valid, decrypting the encrypted first key with a third key, thereby recovering the first key; and responsive to recovering the first key, decrypting the encrypted service instance.
35. The method of claim 34, further including the steps of:
generating a key authenticator using at least a portion of the key validator;
associating the key authenticator with the encrypted first key and with the key validator; and storing the key authenticator in the storage device;
wherein the step of determining whether the encrypted first key is valid, further includes the steps of:
retrieving the key authenticator from the storage device; and determining whether the key validator is authentic using the key authenticator, wherein the encrypted first key is valid only if the key validator is authentic.
36. The method of claim 35, wherein the key authenticator includes a signed first HASH digest, the first HASH digest being the output of a HASH function having at least a portion of the key validator as an input, wherein the first HASH digest was signed by the third key, and the step of determining whether the key validator is authentic includes the steps of:
generating a second HASH digest using at least a portion of the key validator as an input to a HASH function;
decoding the signed first HASH digest with the second key; and comparing the decoded first HASH digest with the second HASH digest, wherein the key validator is authentic only if the decoded first HASH digest is the same as the second HASH digest.
37. The method of claim 34, wherein the second key is a public key of a private key-public key pair belonging to the receiver and the third key is the private key belonging to the receiver.
38. The method of claim 34, further including the steps of:
duplicating the first key;
encrypting the duplicate first key with a fourth key, thereby converting the duplicate first key into a second encrypted first key;
responsive to the first key being invalid, transmitting a first message including the second encrypted first key to the headend;
responsive to transmitting the message, receiving a second message from the headend; and responsive to the second message, decrypting the encrypted service instance.
39. The method of claim 38, wherein the second message includes a second key validator, and further including the steps of:
determining whether the second key validator is authentic using the key authenticator; and responsive to the second key validator being authentic, decrypting the first encrypted first key, thereby recovering the first key.
40. The method of claim 38, wherein the second message includes a third encrypted first key, and further including the step of:
decrypting the third encrypted first key with the third key, thereby recovering the first key.
41. The method of claim 34, wherein the service instance received at the receiver includes ciphertext, and prior to encrypting the service instance, further including the step of:
receiving a decryption key token at the receiver, wherein the decryption key token is received concurrently with the service instance;
generating a fourth key using the decryption key token; and decrypting the ciphertext of the service instance using the fourth key.
42. The method of claim 34, wherein the time indicator includes a starting time and an ending time for which the first key is valid.
43. The method of claim 34, wherein the time indicator includes a time specifier and a range specifier, wherein the first key is valid for times between the time specifier and the time specifier plus the range specifier.
44. The method of claim 34, wherein the time indicator includes a time specifier and a range specifier, wherein the first key is valid for times between the time specifier minus the range specifier and the time specifier.
45. In a subscriber television system having a head-end and a receiver that receives a service instance from the head-end, the receiver comprising:
a first processor adapted to encrypt a service instance with a first key and adapted to encrypt the first key with a public key of a public key-private key pair belonging to the receiver, thereby converting the first key into an encrypted first key, the first processor further adapted to generate a key validator having a time indicator included therein;
storage means in communication with the first processor, the storage means adapted to store the encrypted first key, the encrypted service instance and a key authenticator;
a secure element in communication with the first processor, the secure element having a second processor and a memory, the memory having the private key belonging to the receiver stored therein, the second processor adapted to generate a key authenticator using at least a portion of the key validator and the public key belonging to the receiver, wherein the memory of the secure element is not accessible to the first processor; and
an input port in communication with the first processor adapted to receive commands from a subscriber input device,
wherein, responsive to a command from the subscriber input device received at the input port, the first processor determines whether the encrypted first key is valid using the key validator, the second processor decrypts the encrypted first key using the private key, thereby recovering the first key, and determines whether the key validator is authentic using the private key and the key validator, and, responsive to both the first key being valid and the key validator being authentic, the first processor decrypts the service instance using the recovered first key.
46. The receiver of claim 45, wherein the time indicator includes a starting time and an ending time for which the first key is valid.
47. The receiver of claim 45, wherein the time indicator includes a time specifier and a range specifier, wherein the first key is valid for times between the time specifier and the time specifier plus the range specifier.
48. The receiver of claim 45, wherein the time indicator includes a time specifier and a range specifier, wherein the first key is valid for times between the time specifier minus the range specifier and the time specifier.
49. The receiver of claim 45, wherein the second processor is further adapted to generate a HASH digest of at least a portion of the key validator and at least a portion of the first key, wherein the key authenticator includes the HASH digest signed by the private key.
50. The receiver of claim 49, wherein the second processor is further adapted to generate a second HASH digest of at least a portion of the key validator and at least a portion of the recovered first key, decode the signed HASH digest of the key authenticator using the public key, and compare the second HASH digest with the decoded HASH digest, wherein responsive to the second HASH digest being the same as the decoded HASH digest, the second processor provides the recovered first key to the first processor.
51. The receiver of claim 50, wherein responsive to the second HASH digest not being the same as the decoded HASH digest, the second processor does not provide the recovered first key to the first processor.
52. The receiver of claim 45, further including:
a transceiver in communication with the first processor and the headend of the subscriber television system, wherein the first processor is adapted to duplicate the first key and encrypt the duplicate first key with a second public key, thereby converting the duplicate first key into a second encrypted first key, responsive to the encrypted first key being invalid, the first processor generates a message for the headend including the second encrypted first key and the transceiver transmits the message to the headend.
53. The receiver of claim 52, wherein the transceiver receives a second message, responsive to the second message, the first processor decrypts the encrypted service instance.
54. The receiver of claim 53, wherein the second message includes a second key validator, responsive to the second key validator, the first processor validates the first encrypted first key using the second key validator.
55. The receiver of claim 45, wherein the storage means includes a hard drive.
56. The receiver of claim 45, wherein the storage means includes a storage device external to the receiver.
57. In a subscriber network system having a head-end and a receiver that receives a service instance from the head-end, the receiver, which is located remotely from the head-end, stores the service instance at the remote location and restricts access to the stored service instance, the receiver comprising:
a port adapted to receive the service instance;
a storage device at the remote location, the storage device having an encrypted first key, a key validator, and key authenticator stored therein, and wherein the first key is used for decrypting the service instance when the first key is valid;
a memory having a private key-public key pair for the receiver stored therein;
and a processor in communication with the memory, the processor adapted to use the public key of the receiver to encrypt the first key and generate the key validator and the key authenticator, wherein the key validator includes a time indicator used for determining whether the first key is valid or has expired, the key authenticator includes a hash digest signed by the private key of the receiver, and the hash digest is the output of a hash function having as inputs at least a portion of the key validator and at least a portion of the first key.
58. The receiver of claim 57, further including:
a decryptor in communication with the processor and the storage device, the decryptor adapted to use the first key to decrypt the encrypted stored service instance; and wherein the processor is adapted to use the encrypted first key, the key validator and the key authenticator to determine whether the decryptor should be provided with the first key.
59. The receiver of claim 58, wherein the processor is further adapted to decrypt the encrypted first key using the private key of the receiver and generate a second hash digest using at least a portion of the first key and at least a portion of the key validator as inputs to the hash function, use the public key of the receiver to process the authentication token, compare the second hash digest with the processed authentication token, and responsive to the second hash digest and the processed authentication token not being the same, the processor determines therefrom that the decryptor is not to be provided with the first key.
60. The receiver of claim 59, wherein the processor is further adapted to use the time specifier of the key validator to determine whether the first key has expired and when the first key is expired determine therefrom that the decryptor is not to be provided with the first key.
61. The receiver of claim 57, wherein the service instance is provided to the subscriber network by an entitlement agent having a public key-private key pair associated therewith, the memory having the public key associated with the entitlement agent stored therein, and the processor is further adapted to copy the first key and encrypt the copy of the first key with the public key associated with the entitlement agent and provide the encrypted copy of the first key to the storage device, which stores the encrypted copy of the first key therein.
62. The receiver of claim 61, further including:
a transceiver in communication with the processor adapted to transmit messages to the head-end, wherein the processor is further adapted to generate a message having the encrypted copy of the first key included therein, and the transceiver transmits the message to the head-end.
63. The receiver of claim 62, wherein the transceiver receives a message from the head-end, the received message includes an encrypted second copy of the first key, and the processor decrypts the encrypted second copy of the first key using the private key of the receiver.
64. The receiver of claim 63, wherein the received message includes a second key validator, the processor uses the second key validator to generate a second key authenticator, and the second key validator and the second key authenticator are stored in the storage device.
65. In a subscriber television system having a head-end and a receiver that receives a service instance from the head-end, the receiver, which is located remotely from the head-end at a subscriber's premises, restricts access to the stored service instance, a method of accessing the restricted service instance, the method implemented at the receiver and comprising the steps of:
receiving the service instance;
encrypting the service instance with a first key;
storing the encrypted service instance in a storage device at the premises of the subscriber;
encrypting the first key with a second key, thereby converting the first key to an encrypted first key, wherein the second key is a public key of a private key-public key pair belonging to the receiver;
associating a key validator with the encrypted first key, wherein the key validator includes a time indicator that indicates whether the encrypted first key is valid;
associating a key authenticator with the encrypted first key, wherein the key authenticator includes a digest signed by the private key and indicates whether the key validator is authentic;
storing the encrypted first key, the key validator, and the key authenticator;
determining whether the encrypted first key is valid using the key validator;
responsive to the encrypted first key being valid, decrypting the encrypted first key with the private key of the receiver, thereby recovering the first key;
responsive to the encrypted first key being valid, authenticating the key validator using the key authenticator;
responsive to both the encrypted first key being valid and the key validator being authentic, decrypting the encrypted service instance.
66. The method of claim 65, prior to the step of encrypting the first key, further including the steps of:
duplicating the first key;
encrypting the duplicate first key with a third key, wherein the third key is a public key provided to the receiver from the head-end of the subscriber television system;
storing the encrypted duplicate first key; and responsive to the encrypted first key being invalid, transmitting the encrypted duplicate first key to the headend; and responsive to transmitting the encrypted duplicate first key, decrypting the encrypted service instance.
67. The method of claim 66, prior to the step of decrypting the service instance, further including the steps of:
receiving from the head-end a second key validator;
validating the encrypted first key using the second key validator; and decrypting the encrypted first key, thereby recovering the first key.
68. The method of claim 66, prior to the step of decrypting the service instance, further including the steps of:
receiving from the head-end a second encrypted first key, wherein the second encrypted first key was generated by encrypting the first key with the public key of the receiver; and decrypting the second encrypted first key using the private key of the receiver.
69. The method of claim 65, wherein the digest of the key authenticator includes the HASH digest that is the output of a HASH function having as inputs at least a portion of the key validator and at least a portion of the first key.
70. The method of claim 69, wherein the step of authenticating further includes the steps of:
signing the HASH digest of the key authenticator with the public key of the receiver;
generating a second HASH digest using at least a portion of the key validator and at least a portion of the recovered first key as inputs; and comparing the second HASH digest with the first HASH digest, wherein the key validator is authentic responsive to the first and second HASH digests being the same.
71. The method of claim 65, wherein the step of determining whether the first key is valid further includes the steps of:
determining a current time; and determining from the current time and the time indicator of the key validator whether the first encrypted key is valid.
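The key record of claims 57 to 64 and the method of claims 65 to 71 describe one scheme: the content key ("first key") is wrapped to the receiver's own public key, a key validator carries an expiry time, a key authenticator signs H(validator || first key) with the receiver's private key, and an escrow copy of the first key wrapped to the entitlement agent's public key lets the head-end re-issue the key with a fresh validator once the old one has expired. The following Go program works that scheme through end to end, including the expired, forged-validator and renewal paths. It is an added example and not code from the patent or from any product it covers. The claims name no algorithms, so RSA-OAEP for key wrapping, RSA-PSS over SHA-256 for the authenticator, and an 8-byte big-endian Unix expiry as the time indicator are this example's assumptions, as are all type, field and function names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// KeyRecord is what the receiver stores beside the encrypted service instance
// (claims 57, 61, 65): wrapped first key, validator, authenticator, escrow copy.
type KeyRecord struct {
	EncKey, Validator, Authenticator, EscrowKey []byte
}

var ErrExpired = errors.New("key validator: first key has expired")
var ErrAuth = errors.New("key authenticator: digest does not verify")

// makeValidator encodes the time indicator; the 8-byte big-endian Unix expiry
// is this example's assumption, the claims fix no format.
func makeValidator(expiry time.Time) []byte {
	v := make([]byte, 8)
	binary.BigEndian.PutUint64(v, uint64(expiry.Unix()))
	return v
}

// digest is the hash of claims 57 and 69 over the validator and the first key.
func digest(validator, key []byte) []byte {
	h := sha256.New()
	h.Write(validator)
	h.Write(key)
	return h.Sum(nil)
}

// ReceiverAccept recovers the first key from its wrapped form and signs the
// authenticator with the receiver's private key (claims 57, 64).
func ReceiverAccept(recv *rsa.PrivateKey, encKey, validator, escrow []byte) (*KeyRecord, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recv, encKey, nil)
	if err != nil {
		return nil, err
	}
	auth, err := rsa.SignPSS(rand.Reader, recv, crypto.SHA256, digest(validator, key), nil)
	if err != nil {
		return nil, err
	}
	return &KeyRecord{EncKey: encKey, Validator: validator, Authenticator: auth, EscrowKey: escrow}, nil
}

// Store is the recording path (claims 61, 65, 66): wrap the first key to the
// receiver and to the entitlement agent, then build and sign the record.
func Store(recv *rsa.PrivateKey, agentPub *rsa.PublicKey, key []byte, expiry time.Time) (*KeyRecord, error) {
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &recv.PublicKey, key, nil)
	if err != nil {
		return nil, err
	}
	escrow, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, agentPub, key, nil)
	if err != nil {
		return nil, err
	}
	return ReceiverAccept(recv, encKey, makeValidator(expiry), escrow)
}

// Recover is the playback gate (claims 59, 60, 65, 70, 71): check the time
// indicator, unwrap the key, recompute the digest and verify the signature.
func Recover(recv *rsa.PrivateKey, rec *KeyRecord, now time.Time) ([]byte, error) {
	if len(rec.Validator) != 8 || now.Unix() >= int64(binary.BigEndian.Uint64(rec.Validator)) {
		return nil, ErrExpired
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recv, rec.EncKey, nil)
	if err != nil {
		return nil, err
	}
	if rsa.VerifyPSS(&recv.PublicKey, crypto.SHA256, digest(rec.Validator, key), rec.Authenticator, nil) != nil {
		return nil, ErrAuth
	}
	return key, nil
}

// HeadendRenew is the head-end side of claims 62, 63, 67 and 68: unwrap the
// escrow copy with the agent's private key, re-wrap it to the receiver.
func HeadendRenew(agent *rsa.PrivateKey, recvPub *rsa.PublicKey, escrow []byte, expiry time.Time) ([]byte, []byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, agent, escrow, nil)
	if err != nil {
		return nil, nil, err
	}
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recvPub, key, nil)
	return encKey, makeValidator(expiry), err
}

func main() {
	recv, _ := rsa.GenerateKey(rand.Reader, 2048)
	agent, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed 128-bit content key; the clock is then moved past expiry.
	rec, _ := Store(recv, &agent.PublicKey, []byte("0123456789abcdef"), time.Now().Add(time.Hour))
	_, err := Recover(recv, rec, time.Now().Add(2*time.Hour))
	fmt.Println("playback after expiry:", err)
}
```

Two design points carry over from the claims. The check order in Recover follows claim 65: the time indicator is checked before the key is unwrapped, and the authenticator can only be verified afterwards because the digest takes the recovered key as input, which is also what binds the validator to that particular key. The authenticator is signed with the receiver's own private key, so it protects the validator only against a party who cannot use that key; this is why claims 50 and 51 put the comparison in a second processor that withholds the recovered key, and in practice the private key and the verification must live in that protected part of the receiver. The escrow copy wrapped to the entitlement agent's key means the agent can recover every stored content key, which is the intended renewal path of claims 61 to 64 and 66 to 68 and should be treated as key escrow when modelling the system.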
CA2498684A 2002-09-12 2002-09-17 Apparatus for encryption key management Expired - Fee Related CA2498684C (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US10/242,100 2002-09-12
US10/242,100 US7200868B2 (en) 2002-09-12 2002-09-12 Apparatus for encryption key management
PCT/US2002/029339 WO2004025892A1 (en) 2002-09-12 2002-09-17 Apparatus for encryption key management

Publications (2)

Publication Number Publication Date
CA2498684A1 true CA2498684A1 (en) 2004-03-25
CA2498684C CA2498684C (en) 2012-03-20

Family

ID=31991326

Family Applications (1)

Application Number Title Priority Date Filing Date
CA2498684A Expired - Fee Related CA2498684C (en) 2002-09-12 2002-09-17 Apparatus for encryption key management

Country Status (5)

Country Link
US (1) US7200868B2 (en)
EP (1) EP1547297A4 (en)
JP (1) JP4182055B2 (en)
CA (1) CA2498684C (en)
WO (1) WO2004025892A1 (en)

Families Citing this family (134)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030200548A1 (en) * 2001-12-27 2003-10-23 Paul Baran Method and apparatus for viewer control of digital TV program start time
EP1343286A1 (en) * 2002-03-04 2003-09-10 BRITISH TELECOMMUNICATIONS public limited company Lightweight authentication of information
US7890771B2 (en) * 2002-04-17 2011-02-15 Microsoft Corporation Saving and retrieving data based on public key encryption
US7181010B2 (en) * 2002-05-24 2007-02-20 Scientific-Atlanta, Inc. Apparatus for entitling remote client devices
US7861082B2 (en) * 2002-05-24 2010-12-28 Pinder Howard G Validating client-receivers
US8171567B1 (en) 2002-09-04 2012-05-01 Tracer Detection Technology Corp. Authentication method and system
US8036250B1 (en) * 2002-10-25 2011-10-11 Bigband Networks Inc. Method and apparatus of mutliplexing media streams
US20040151315A1 (en) * 2002-11-06 2004-08-05 Kim Hee Jean Streaming media security system and method
JP3737798B2 (en) * 2002-11-25 2006-01-25 株式会社東芝 Transmitting apparatus, receiving apparatus and receiving method
US6882729B2 (en) * 2002-12-12 2005-04-19 Universal Electronics Inc. System and method for limiting access to data
TW200511860A (en) * 2003-05-14 2005-03-16 Nagracard Sa Duration computing method in a security module
US6724335B1 (en) * 2003-06-03 2004-04-20 Broadcom Corporation Systems and methods for digital upconversion for television signals
US7289632B2 (en) 2003-06-03 2007-10-30 Broadcom Corporation System and method for distributed security
US7437559B2 (en) * 2003-11-19 2008-10-14 Hewlett-Packard Development Company, L.P. Electronic message authentication
US8165297B2 (en) * 2003-11-21 2012-04-24 Finisar Corporation Transceiver with controller for authentication
FR2864391B1 (en) * 2003-12-19 2006-03-17 Viaccess Sa METHOD FOR PROTECTION AGAINST MISUSE OF A MULTIPLEX AND DIFFUSION SYSTEM FOR CARRYING OUT SAID METHOD
US7474852B1 (en) * 2004-02-12 2009-01-06 Multidyne Electronics Inc. System for communication of video, audio, data, control or other signals over fiber
EP1564994A1 (en) * 2004-02-13 2005-08-17 Nagravision S.A. Method for managing rights of subscribers to a multi-operator pay television system
KR100574974B1 (en) * 2004-02-26 2006-05-02 삼성전자주식회사 Apparatus and method having conditional access and copy protection scheme for encoded broadcast data
CA2559283C (en) 2004-03-12 2014-08-26 Russell Paul Cowburn Authenticity verification methods, products and apparatuses
CN100527152C (en) 2004-03-12 2009-08-12 英根亚技术有限公司 Methods and apparatuses for authenticatable printed articles and subsequently verifying them
US7370166B1 (en) * 2004-04-30 2008-05-06 Lexar Media, Inc. Secure portable storage device
US7590243B2 (en) * 2004-05-04 2009-09-15 The Directv Group, Inc. Digital media conditional access system for handling digital media content
TWI280026B (en) * 2004-07-02 2007-04-21 Univ Chang Gung RSA with personalized secret
US8312267B2 (en) 2004-07-20 2012-11-13 Time Warner Cable Inc. Technique for securely communicating programming content
US8266429B2 (en) 2004-07-20 2012-09-11 Time Warner Cable, Inc. Technique for securely communicating and storing programming material in a trusted domain
GB2417592B (en) 2004-08-13 2006-07-26 Ingenia Technology Ltd Authenticity verification of articles
US7602914B2 (en) 2004-08-18 2009-10-13 Scientific-Atlanta, Inc. Utilization of encrypted hard drive content by one DVR set-top box when recorded by another
US7602913B2 (en) 2004-08-18 2009-10-13 Scientific - Atlanta, Inc. Retrieval and transfer of encrypted hard drive content from DVR set-top box utilizing second DVR set-top box
US7630499B2 (en) * 2004-08-18 2009-12-08 Scientific-Atlanta, Inc. Retrieval and transfer of encrypted hard drive content from DVR set-top boxes
US20060047601A1 (en) * 2004-08-25 2006-03-02 General Instrument Corporation Method and apparatus for providing channel key data
JP4576936B2 (en) 2004-09-02 2010-11-10 ソニー株式会社 Information processing apparatus, information recording medium, content management system, data processing method, and computer program
US7822344B1 (en) * 2004-10-01 2010-10-26 Multidyne Electronics Inc. System for communication of video, audio, data, control or other signals over fiber in a self-healing ring topology
TWI269967B (en) * 2004-10-13 2007-01-01 Rdc Semiconductor Co Ltd System and method for data processing
ATE550876T1 (en) * 2004-11-01 2012-04-15 Nds Ltd EFFICIENT AND SECURE RENEWAL OF PERMISSIONS
EP1662788A1 (en) * 2004-11-24 2006-05-31 Nagravision SA Method and system for access control of audio/video data
KR100584455B1 (en) * 2005-04-01 2006-05-26 삼성전자주식회사 Scm pon by using wdm
GB2428948B (en) * 2005-07-27 2007-09-05 Ingenia Technology Ltd Keys
WO2007012816A1 (en) 2005-07-27 2007-02-01 Ingenia Technology Limited Verification of authenticity
JP2009503672A (en) * 2005-07-27 2009-01-29 インゲニア・テクノロジー・リミテッド Prescription authentication using speckle patterns
RU2008107316A (en) * 2005-07-27 2009-09-10 Инджениа Текнолоджи Лимитед (Gb) CHECKING THE PRODUCT SIGNATURE CREATED ON THE BASIS OF THE SIGNALS RECEIVED THROUGH THE SCATTERING OF THE COherent OPTICAL RADIATION FROM THE PRODUCT SURFACE
JP2007053461A (en) * 2005-08-16 2007-03-01 Sony Corp Transmission/reception system, reception method, receiving apparatus and method, and program
US20080101614A1 (en) * 2005-08-31 2008-05-01 General Instrument Corporation Method and Apparatus for Providing Secured Content Distribution
US20070055982A1 (en) * 2005-09-02 2007-03-08 Netgear Inc. System and method for digital content media distribution
GB2429950B (en) * 2005-09-08 2007-08-22 Ingenia Holdings Copying
KR100803596B1 (en) * 2005-11-25 2008-02-19 삼성전자주식회사 Method and apparatus for decryption using external device or service on revocation mechanism, method and apparatus for supporting decryption therefor
EP2110776B1 (en) * 2005-12-23 2012-10-31 Ingenia Holdings Limited Optical authentication
GB2434442A (en) * 2006-01-16 2007-07-25 Ingenia Holdings Verification of performance attributes of packaged integrated circuits
US20070180538A1 (en) * 2006-02-01 2007-08-02 General Instrument Corporation Method and apparatus for limiting the ability of a user device to replay content
KR100846787B1 (en) * 2006-02-15 2008-07-16 삼성전자주식회사 Method and apparatus for importing transport stream
EP1827019A1 (en) * 2006-02-23 2007-08-29 Nagravision S.A. Conditional access method to conditional access data
US20070219924A1 (en) * 2006-03-17 2007-09-20 Wildtangent, Inc. User interfacing for licensed media consumption using digital currency
US9082113B2 (en) * 2006-03-17 2015-07-14 Wildtangent, Inc. Licensing media consumption using digital currency
US7590601B2 (en) * 2006-03-17 2009-09-15 Wildtangent, Inc Licensing media consumption using digital currency
US9087326B2 (en) * 2006-03-17 2015-07-21 Wildtangent, Inc. Accruing and/or providing digital currency for media consumption
US8208796B2 (en) * 2006-04-17 2012-06-26 Prus Bohdan S Systems and methods for prioritizing the storage location of media data
US8775319B2 (en) 2006-05-15 2014-07-08 The Directv Group, Inc. Secure content transfer systems and methods to operate the same
GB2440386A (en) * 2006-06-12 2008-01-30 Ingenia Technology Ltd Scanner authentication
US9277295B2 (en) 2006-06-16 2016-03-01 Cisco Technology, Inc. Securing media content using interchangeable encryption key
US7978720B2 (en) * 2006-06-30 2011-07-12 Russ Samuel H Digital media device having media content transfer capability
US20080005204A1 (en) * 2006-06-30 2008-01-03 Scientific-Atlanta, Inc. Systems and Methods for Applying Retention Rules
US9137480B2 (en) 2006-06-30 2015-09-15 Cisco Technology, Inc. Secure escrow and recovery of media device content keys
US20080022304A1 (en) * 2006-06-30 2008-01-24 Scientific-Atlanta, Inc. Digital Media Device Having Selectable Media Content Storage Locations
US8520850B2 (en) 2006-10-20 2013-08-27 Time Warner Cable Enterprises Llc Downloadable security and protection methods and apparatus
US20080103875A1 (en) * 2006-10-31 2008-05-01 Michael Kokernak Methods and systems for an interactive data finder
US8732854B2 (en) 2006-11-01 2014-05-20 Time Warner Cable Enterprises Llc Methods and apparatus for premises content distribution
US20080167992A1 (en) * 2007-01-05 2008-07-10 Backchannelmedia Inc. Methods and systems for an accountable media advertising application
US8621540B2 (en) 2007-01-24 2013-12-31 Time Warner Cable Enterprises Llc Apparatus and methods for provisioning in a download-enabled system
US8532300B1 (en) * 2007-02-13 2013-09-10 Emc Corporation Symmetric is encryption key management
KR20090111846A (en) * 2007-02-21 2009-10-27 코닌클리케 필립스 일렉트로닉스 엔.브이. A conditional access system
RU2339077C1 (en) * 2007-03-13 2008-11-20 Олег Вениаминович Сахаров Method of operating conditional access system for application in computer networks and system for its realisation
US8762714B2 (en) * 2007-04-24 2014-06-24 Finisar Corporation Protecting against counterfeit electronics devices
CN101669322B (en) * 2007-05-08 2013-07-03 汤姆森特许公司 Method and apparatus for adjusting decryption keys
GB2450131B (en) * 2007-06-13 2009-05-06 Ingenia Holdings Fuzzy Keys
US7849318B2 (en) * 2007-06-19 2010-12-07 Yahoo! Inc. Method for session security
US8108680B2 (en) * 2007-07-23 2012-01-31 Murray Mark R Preventing unauthorized poaching of set top box assets
US9049344B2 (en) 2007-08-24 2015-06-02 At&T Intellectual Property I, L.P. Method and system for providing content
US7949133B2 (en) * 2007-09-26 2011-05-24 Pinder Howard G Controlled cryptoperiod timing to reduce decoder processing load
US9148286B2 (en) * 2007-10-15 2015-09-29 Finisar Corporation Protecting against counterfeit electronic devices
FI20075776L (en) * 2007-10-31 2009-05-01 Eads Secure Networks Oy End-to-end encrypted communication
US20090240945A1 (en) * 2007-11-02 2009-09-24 Finisar Corporation Anticounterfeiting means for optical communication components
US8819423B2 (en) * 2007-11-27 2014-08-26 Finisar Corporation Optical transceiver with vendor authentication
US8675872B2 (en) * 2007-11-28 2014-03-18 Echostar Technologies L.L.C. Secure content distribution apparatus, systems, and methods
US8051455B2 (en) 2007-12-12 2011-11-01 Backchannelmedia Inc. Systems and methods for providing a token registry and encoder
US20100322427A1 (en) * 2008-03-31 2010-12-23 Robert Bosch Gmch Method for managing encryption keys in a communication network
AU2009252117B2 (en) * 2008-04-04 2013-05-09 Samsung Electronics Co., Ltd. Method and apparatus for providing broadcast service using encryption key in a communication system
GB2460625B (en) * 2008-05-14 2010-05-26 Ingenia Holdings Two tier authentication
EP2124439A1 (en) * 2008-05-21 2009-11-25 Nagravision S.A. Method for assigning and managing subscriptions to receive remotely broadcast products
US8204220B2 (en) * 2008-09-18 2012-06-19 Sony Corporation Simulcrypt key sharing with hashed keys
US9094721B2 (en) 2008-10-22 2015-07-28 Rakuten, Inc. Systems and methods for providing a network link between broadcast content and content located on a computer network
US8160064B2 (en) * 2008-10-22 2012-04-17 Backchannelmedia Inc. Systems and methods for providing a network link between broadcast content and content located on a computer network
US20100098074A1 (en) * 2008-10-22 2010-04-22 Backchannelmedia Inc. Systems and methods for providing a network link between broadcast content and content located on a computer network
GB2466311B (en) * 2008-12-19 2010-11-03 Ingenia Holdings Self-calibration of a matching algorithm for determining authenticity
GB2466465B (en) * 2008-12-19 2011-02-16 Ingenia Holdings Authentication
CN102317904B (en) * 2009-01-29 2015-03-11 堡垒应用有限公司 System and methods for encryption with authentication integrity
US9602864B2 (en) 2009-06-08 2017-03-21 Time Warner Cable Enterprises Llc Media bridge apparatus and methods
US9866609B2 (en) 2009-06-08 2018-01-09 Time Warner Cable Enterprises Llc Methods and apparatus for premises content distribution
US8443431B2 (en) * 2009-10-30 2013-05-14 Alcatel Lucent Authenticator relocation method for WiMAX system
GB2476226B (en) 2009-11-10 2012-03-28 Ingenia Holdings Ltd Optimisation
US8971535B2 (en) * 2010-05-27 2015-03-03 Bladelogic, Inc. Multi-level key management
US9906838B2 (en) 2010-07-12 2018-02-27 Time Warner Cable Enterprises Llc Apparatus and methods for content delivery and message exchange across multiple content delivery networks
US20120124394A1 (en) * 2010-11-17 2012-05-17 David Brudnicki System and Method for Providing a Virtual Secure Element on a Portable Communication Device
EP2566157A1 (en) 2011-09-02 2013-03-06 Nagravision S.A. Method to optimize reception of entitlement management messages in a Pay-TV system
US8989083B2 (en) * 2011-03-01 2015-03-24 Broadcom Corporation Conditional access system for satellite outdoor unit
US9264230B2 (en) 2011-03-14 2016-02-16 International Business Machines Corporation Secure key management
GB2489671A (en) * 2011-03-28 2012-10-10 Sony Corp Cryptographic key distribution for IPTV
GB2489672A (en) * 2011-03-28 2012-10-10 Sony Corp Authentication certificate distribution to set top boxes
US8619990B2 (en) 2011-04-27 2013-12-31 International Business Machines Corporation Secure key creation
US8566913B2 (en) 2011-05-04 2013-10-22 International Business Machines Corporation Secure key management
US8755527B2 (en) 2011-05-04 2014-06-17 International Business Machines Corporation Key management policies for cryptographic keys
US8634561B2 (en) * 2011-05-04 2014-01-21 International Business Machines Corporation Secure key management
US8789210B2 (en) 2011-05-04 2014-07-22 International Business Machines Corporation Key usage policies for cryptographic keys
US8948399B2 (en) * 2011-05-27 2015-02-03 Novell, Inc. Dynamic key management
MY165765A (en) 2011-09-09 2018-04-23 Rakuten Inc System and methods for consumer control
US9565472B2 (en) 2012-12-10 2017-02-07 Time Warner Cable Enterprises Llc Apparatus and methods for content transfer protection
US20140282786A1 (en) 2013-03-12 2014-09-18 Time Warner Cable Enterprises Llc Methods and apparatus for providing and uploading content to personalized network storage
WO2015013209A1 (en) * 2013-07-25 2015-01-29 Thomson Licensing Method and system for displaying remaining time of rental
US10148669B2 (en) 2014-05-07 2018-12-04 Dell Products, L.P. Out-of-band encryption key management system
US9621940B2 (en) 2014-05-29 2017-04-11 Time Warner Cable Enterprises Llc Apparatus and methods for recording, accessing, and delivering packetized content
US9553853B2 (en) * 2014-12-23 2017-01-24 Intel Corporation Techniques for load balancing in a packet distribution system
EP3113501A1 (en) 2015-06-29 2017-01-04 Nagravision SA Content protection
US11032589B1 (en) * 2016-08-09 2021-06-08 Google Llc Methods, systems, and media for ensuring consumption of portions of media content
US10783279B2 (en) * 2016-09-01 2020-09-22 Atmel Corporation Low cost cryptographic accelerator
US10320563B2 (en) * 2016-09-23 2019-06-11 Apple Inc. Cryptographic entropy tree
US10693639B2 (en) * 2017-02-28 2020-06-23 Blackberry Limited Recovering a key in a secure manner
US10853057B1 (en) * 2017-03-29 2020-12-01 Amazon Technologies, Inc. Software library versioning with caching
US10951467B2 (en) * 2017-06-02 2021-03-16 Arris Enterprises Llc Secure enabling and disabling points of entry on a device remotely or locally
US10728233B2 (en) 2017-06-02 2020-07-28 Arris Enterprises Llc Secure key management in a high volume device deployment
US10911243B1 (en) * 2018-12-14 2021-02-02 Wells Fargo Bank, N.A. Time-based digital signature
US10903999B1 (en) * 2019-09-11 2021-01-26 Zscaler, Inc. Protecting PII data from man-in-the-middle attacks in a network
CN111580522A (en) * 2020-05-15 2020-08-25 东风柳州汽车有限公司 Control method for unmanned vehicle, and storage medium
US11809493B2 (en) * 2021-01-19 2023-11-07 Micro Focus Llc System and method for tokenization of data
US20230131060A1 (en) * 2021-10-22 2023-04-27 Microsoft Technology Licensing, Llc Secure authentication using attestation tokens and inviolable quotes to validate request origins
US20240056651A1 (en) * 2022-08-09 2024-02-15 Dish Network, L.L.C. Digital rights management using a gateway/set top box without a smart card

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2448825A1 (en) * 1979-02-06 1980-09-05 Telediffusion Fse SYSTEM FOR TRANSMITTING INFORMATION BETWEEN A TRANSMISSION CENTER AND RECEIVING STATIONS, WHICH IS PROVIDED WITH A MEANS OF CONTROLLING ACCESS TO THE INFORMATION TRANSMITTED
JP2606419B2 (en) * 1989-08-07 1997-05-07 松下電器産業株式会社 Cryptographic communication system and cryptographic communication method
US6157719A (en) 1995-04-03 2000-12-05 Scientific-Atlanta, Inc. Conditional access system
US5878141A (en) * 1995-08-25 1999-03-02 Microsoft Corporation Computerized purchasing system and method for mediating purchase transactions over an interactive network
EP0880840A4 (en) 1996-01-11 2002-10-23 Mrj Inc System for controlling access and distribution of digital property
US6021491A (en) * 1996-11-27 2000-02-01 Sun Microsystems, Inc. Digital signatures for data streams and data archives
US6226618B1 (en) * 1998-08-13 2001-05-01 International Business Machines Corporation Electronic content delivery system
US6289455B1 (en) * 1999-09-02 2001-09-11 Crypotography Research, Inc. Method and apparatus for preventing piracy of digital content
US20020169958A1 (en) * 2001-05-14 2002-11-14 Kai Nyman Authentication in data communication
US20030093680A1 (en) * 2001-11-13 2003-05-15 International Business Machines Corporation Methods, apparatus and computer programs performing a mutual challenge-response authentication protocol using operating system capabilities
US20030204738A1 (en) * 2002-04-30 2003-10-30 Morgan Stephen Paul System and method for secure distribution of digital content via a network
US7418599B2 (en) * 2002-06-03 2008-08-26 International Business Machines Corporation Deterring theft of media recording devices by encrypting recorded media files

Also Published As

Publication number Publication date
US20040052377A1 (en) 2004-03-18
EP1547297A4 (en) 2012-02-08
CA2498684C (en) 2012-03-20
EP1547297A1 (en) 2005-06-29
WO2004025892A1 (en) 2004-03-25
JP2005539425A (en) 2005-12-22
US7200868B2 (en) 2007-04-03
JP4182055B2 (en) 2008-11-19

Similar Documents

Publication Publication Date Title
CA2498684A1 (en) Apparatus for encryption key management
JP4714402B2 (en) Secure transmission of digital data from an information source to a receiver
KR101366243B1 (en) Method for transmitting data through authenticating and apparatus therefor
CN1655503B (en) A secure key authentication and ladder system
US9071595B2 (en) Certificate validity checking
JP4510281B2 (en) System for managing access between a method and service provider for protecting audio / visual streams and a host device to which a smart card is coupled
KR100756324B1 (en) Optional verification of interactive television content
EP1155527B1 (en) Protecting information in a system
CN109218825B (en) Video encryption system
TWI478566B (en) A method of establishing a session key and units for implementing the method
US8176331B2 (en) Method to secure data exchange between a multimedia processing unit and a security module
CN109151508B (en) Video encryption method
JP2005245010A5 (en)
WO2009155813A1 (en) Method for storing encrypted data in client and system thereof
CA2487057A1 (en) Apparatus for entitling remote client devices
HU224303B1 (en) Method for managing symmetric key in a communication network and device for processing data in a communication network
EP1183818A1 (en) Secure control of security mode
CN102802036A (en) System and method for identifying digital television
EP3476078A1 (en) Systems and methods for authenticating communications using a single message exchange and symmetric key
CN101394398B (en) Content protecting method and system oriented to terminal digital interface
US20220171832A1 (en) Scalable key management for encrypting digital rights management authorization tokens
JP2000216773A (en) Method and system for discriminating propriety of encrypted information
Kim Secure communication in digital TV broadcasting
WO2009153846A1 (en) Authentication system, registration device, and authentication device
JP2000004430A (en) Pay broadcast reception method and receiver therefor

Legal Events

Date Code Title Description
EEER Examination request
MKLA Lapsed

Effective date: 20180917