EP1145243A2 - Copy protection by message encryption - Google Patents

Copy protection by message encryption

Info

Publication number
EP1145243A2
EP1145243A2 EP99932846A EP99932846A EP1145243A2 EP 1145243 A2 EP1145243 A2 EP 1145243A2 EP 99932846 A EP99932846 A EP 99932846A EP 99932846 A EP99932846 A EP 99932846A EP 1145243 A2 EP1145243 A2 EP 1145243A2
Authority
EP
European Patent Office
Prior art keywords
ticket
key
copy
embedded watermark
receiver
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP99932846A
Other languages
German (de)
French (fr)
Other versions
EP1145243A3 (en
Inventor
Michael A. Epstein
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Koninklijke Philips NV
Original Assignee
Koninklijke Philips Electronics NV
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips Electronics NV filed Critical Koninklijke Philips Electronics NV
Publication of EP1145243A2 publication Critical patent/EP1145243A2/en
Publication of EP1145243A3 publication Critical patent/EP1145243A3/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • G11B20/00884Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving a watermark, i.e. a barely perceptible transformation of the original data which can nevertheless be recognised by an algorithm
    • G11B20/00898Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving a watermark, i.e. a barely perceptible transformation of the original data which can nevertheless be recognised by an algorithm based on a hash function
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N5/00Details of television systems
    • H04N5/76Television signal recording
    • H04N5/91Television signal processing therefor
    • H04N5/913Television signal processing therefor for scrambling ; for copy protection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • G11B20/0021Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • G11B20/0021Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier
    • G11B20/00217Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier the cryptographic key used for encryption and/or decryption of contents recorded on or reproduced from the record carrier being read from a specific source
    • G11B20/00224Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier the cryptographic key used for encryption and/or decryption of contents recorded on or reproduced from the record carrier being read from a specific source wherein the key is obtained from a remote server
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • G11B20/0021Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier
    • G11B20/00485Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier characterised by a specific kind of data which is encrypted and recorded on and/or reproduced from the record carrier
    • G11B20/00557Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier characterised by a specific kind of data which is encrypted and recorded on and/or reproduced from the record carrier wherein further management data is encrypted, e.g. sector headers, TOC or the lead-in or lead-out areas
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • G11B20/00731Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving a digital rights management system for enforcing a usage restriction
    • G11B20/00746Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving a digital rights management system for enforcing a usage restriction wherein the usage restriction can be expressed as a specific number
    • G11B20/00753Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving a digital rights management system for enforcing a usage restriction wherein the usage restriction can be expressed as a specific number wherein the usage restriction limits the number of copies that can be made, e.g. CGMS, SCMS, or CCI flags
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • G11B20/00731Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving a digital rights management system for enforcing a usage restriction
    • G11B20/00746Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving a digital rights management system for enforcing a usage restriction wherein the usage restriction can be expressed as a specific number
    • G11B20/00811Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving a digital rights management system for enforcing a usage restriction wherein the usage restriction can be expressed as a specific number wherein said number is encoded as a cryptographic token or ticket
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • G11B20/00884Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving a watermark, i.e. a barely perceptible transformation of the original data which can nevertheless be recognised by an algorithm
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/007Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N5/00Details of television systems
    • H04N5/76Television signal recording
    • H04N5/91Television signal processing therefor
    • H04N5/913Television signal processing therefor for scrambling ; for copy protection
    • H04N2005/91307Television signal processing therefor for scrambling ; for copy protection by adding a copy protection signal to the video signal
    • H04N2005/91328Television signal processing therefor for scrambling ; for copy protection by adding a copy protection signal to the video signal the copy protection signal being a copy management signal, e.g. a copy generation management signal [CGMS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N5/00Details of television systems
    • H04N5/76Television signal recording
    • H04N5/91Television signal processing therefor
    • H04N5/913Television signal processing therefor for scrambling ; for copy protection
    • H04N2005/91307Television signal processing therefor for scrambling ; for copy protection by adding a copy protection signal to the video signal
    • H04N2005/91335Television signal processing therefor for scrambling ; for copy protection by adding a copy protection signal to the video signal the copy protection signal being a watermark

Definitions

  • This invention relates to the field of entertainment systems, and in particular to copy protection for copyrighted material.
  • a computationally difficult process is one that can be expected to require an inordinate amount of time to complete, relative to the potential gain that may be realized by devoting this amount of time.
  • the Linnartz scheme uses a hashing function that provides a hash value from a seed value in such a manner that it is computationally difficult to determine the seed value, given the hash value.
  • FIG. 1 illustrates the Linnartz ticket scheme.
  • the multiple instances of player 110 and recorder 120 are used to illustrate the use of the same or another player 110 and recorder 120 with different inputs 101, 102, 111, 112, 122, 132.
  • a protected recording such as a DVD disk, can be encoded as "copy-never” 101 or "copy-once" 102.
  • the material content C also contains an embedded watermark W that is a hash value of a physical mark P. As in a paper watermark, the watermark W is an encoding that is embedded in the recorded material in such a manner that it does not interfere with the rendering of the material, but cannot be removed from the material without adversely affecting the quality of the material.
  • the physical mark P is a code that is embedded in the material of the disk media that can be read by a disk player 110, and also cannot be removed from the disk media without affecting the quality of the disk media.
  • a copy-never disk 101 may or may not contain a ticket T.
  • the copy- once disk 102 contains an embedded watermark W that is a four-times-hash of the physical mark P, and a ticket T that is a once-hash value of the physical mark P.
  • a compliant player 110 plays a recording that contains an embedded watermark W if and only if: the embedded watermark W is a once- hash of the physical mark P; the embedded watermark W is a thrice-hash of the ticket T; or the embedded watermark W is a once-hash of the ticket T. Any other combination of embedded watermark W, ticket T, and physical mark P is deemed an illegal copy, and the compliant player 110 will not play the illegal copy. If the recording is deemed legal, the compliant player 110 provides as an output the material C, with its embedded watermark W, and a transformed ticket T' that is a once-hash of the incoming ticket T.
  • the compliant player 110 provides an output 111 from the copy-never disk 101 because the embedded watermark W is equal to a once-hash of the physical mark P, and provides an output 112 from the copy-once disk 102 because the embedded watermark W is equal to the thrice-hash of the ticket T.
  • a compliant recorder 120 makes a copy of a recording that contains an embedded watermark W and ticket T, if and only if the embedded watermark W is a twice hash of the ticket T.
  • the copy-never output 111 does not have an embedded watermark W that is a twice hash of the transformed ticket T', and thus will not be recorded by the compliant recorder 120.
  • the copy-once output 112 contains an embedded watermark W that is a four-times-hash of the physical mark P, and a transformed ticket T' that is a once-hash of the original ticket T.
  • the transformed ticket T' is a twice-hash of the physical mark P, and therefore the embedded watermark W is a twice-hash of the transformed ticket T'. Because the embedded watermark W is a twice-hash of the incoming transformed ticket T', the compliant recorder 120 makes a copy 122 of the copy-once material 112. The compliant recorder 120 attaches a once-hash of the incoming ticket T' as a new ticket T" on the copy 122. Because the incoming ticket T' is a twice-hash of the physical mark P, the new ticket T" is a thrice-hash of the physical mark P. The combination of an embedded watermark W that is a once-hash of the attached ticket defines a "copy-no-more" recording.
  • the playback of the original copy-once disk 102 will always produce an output that contains the material C, with its embedded watermark W, and a transformed ticket T' that is a once-hash of the incoming ticket T. Because the original ticket T is a once-hash of the physical mark P, and the transformed ticket T' is a twice-hash of the physical mark P, the embedded watermark W will always be a twice-hash of the transformed ticket T', and therefore recordable.
  • a mass production of the copy-once disk 102 can be effected by merely operating a number of recorders 120 in parallel, each receiving the output 112 of the player 110. Note that this mass production can be performed using recorders 120 that are compliant with the ticketing scheme of Linnartz. As discussed above, a compliant player 110 plays a recording that contains an embedded watermark W if and only if: the embedded watermark W is a once-hash of the physical mark P; the embedded watermark W is a thrice-hash of the incoming ticket; or the embedded watermark W is a once-hash of the incoming ticket.
  • the embedded watermark W is a once-hash of the ticket T", and therefore a legally playable copy.
  • the compliant player 110 plays the legal copy-no-more copy 122 and produces an output 132 that includes the material content C, its embedded watermark W, and a transformed ticket T'" that is a hash of the incoming ticket T".
  • the transformed ticket T'" of the output 132 is a four-times hash of the physical mark P.
  • the compliant recorder 120 makes a copy of a recording that contains an embedded watermark W and ticket T, if and only if the embedded watermark W is a twice hash of the ticket T.
  • the copy-no-more output 132 does not have an embedded watermark W that is a twice hash of the transformed ticket T'", and therefore will not be recorded by the compliant recorder 120.
  • the output of the compliant player is assumed to be displayable on a display device. That is, there are no display restrictions placed on a display device.
  • the arrangement of the embedded watermark W and the ticket T at the output 132 of the compliant player 110 is an embedded watermark W that equals the ticket T.
  • a restriction were placed on a display device based on the embedded watermark W and ticket T, it must allow the display of an output wherein the embedded watermark and ticket are equal.
  • an attempted restriction on the display of copyright material based on the Linnartz embedded watermark and trademark scheme could be overcome by merely replacing whatever ticket is provided by a copy of the embedded watermark.
  • FIGs. 2 and 3 illustrate applications of the prior-art ticket processing scheme for controlling the copying of copyright material that is communicated via a broadcast channel, such as a "pay-per-view" transmission from a service provider.
  • FIG. 2 illustrates the transmission of a copy-never broadcast 201
  • FIG. 3 illustrates the transmission of a copy-once broadcast 202.
  • the broadcast 201, 202 is encrypted.
  • a conditional access decrypter 210 decrypts the encrypted broadcast 201, 202 to provide a decrypted output 211, 212 that contains the material content C, an embedded watermark W, and a ticket T.
  • the conditional access decrypter 210 may be, for example, a "cable-box" that decrypts the incoming broadcast after arrangements are made with the service provider for the payment of the fees associated with the receipt of the material content C, or after a "smart-card" is plugged into the cable box.
  • the decrypted output 211 will include the material content C, an embedded watermark W that equals a double-hash of a physical mark P, and a ticket T that is also equal to the double-hash of the physical mark P.
  • the "physical" mark P may be an arbitrary code associated with the broadcast, or it may be related to an attribute of the broadcast, such as a modulated signal within the broadcast.
  • the origin of the mark P is somewhat arbitrary, except that it should not be "publicly-available"; that is, it should not be easy to determine. Alternative methods can be used to supply the appropriate ticket value.
  • the service provider may provide a ticket that is a single-hash of the physical mark P, and the conditional access decrypter 210 can be configured to apply a single-hash to the incoming ticket, as is performed in the conventional conforming player 110.
  • the service provider may provide the double-hashed ticket directly, and the conditional access decrypter 210 merely passes the incoming ticket on as the output ticket.
  • the compliant recorder 120 will only make copies of watermarked material when the embedded watermark is equal to the twice-hash of the incoming ticket. In this copy-never case, the embedded watermark W is equal to the incoming ticket T, and therefore the compliant recorder 120 will not make a copy of this copy-never material 211.
  • a compliant display device 220 will display the copy-never material 211 because the embedded watermark equals the ticket.
  • the decrypted output 212 will include the material content C, an embedded watermark W that equals a four- hash of the physical mark P, and a ticket T that equals a double-hash of the physical mark P. Because the embedded watermark W is equal to a twice-hash of the incoming ticket T, a compliant recorder 120 will produce a authorized copy 222 of the decrypted output 212, and a compliant display device 220 will provide a display of the decrypted output 212.
  • the copy 222 from the recorder 120 includes the material content C, its embedded watermark W, and a transformed ticket T that is equal to a single-hash of the incoming ticket T. Because the incoming ticket T is a twice-hash of the physical mark P, the transformed ticket T' is equal to a thrice-hash of the physical mark P.
  • a plurality of compliant recorders 120 may be configured to receive the output of the decrypter 210 and will produce a corresponding plurality of copies 222.
  • a non-compliant "blind" copy of the material 212 can be made and subsequently provided to any compliant recorder 120 for an unlimited number of copies 222.
  • a 'blind" copy is substantially a bit-for-bit copy, with no transformation of the information as it is copied.
  • the presence of the physical mark P on the disk media precluded the use of a blind copy, because the physical mark P would not have been transferred with the information that is copied, and a compliant device will reject a copy having an embedded watermark that differs from a single-hash or four-hash of the physical mark P.
  • the physical mark P is communicated, it will be part of the broadcast information, and therefore will be transferred with the information during a blind copy.
  • the player When the copy 222 is provided to a player 110, the player will match the embedded watermark W to a single-hash of the ticket T', and will provide an output 232 that contains the material content C, the embedded watermark W, and a transformed ticket T" that is a single-hash of the incoming ticket T', or, equivalently, a four-hash of the physical mark P.
  • a compliant recorder 120 will not make a copy of the output 232, because the embedded watermark W is not a twice-hash of the incoming ticket T".
  • the compliant display device will display the output 230, because the embedded watermark W is equal to the incoming ticket T". Note that a non-compliant player can have authorized and unauthorized copies of the material content C displayed by a conforming display device 220 by merely providing a ticket T" that is equal to the embedded watermark W.
  • an encryption scheme between the device that communicates the material content and the intended receiver of this content is provided.
  • the encryption is applied to the ticket that conveys copy and display rights.
  • the encryption scheme in a preferred embodiment is dynamic.
  • the channel between the providing device and the receiving device is configured for the exclusive use of these two devices; thereafter, the channel may be configured for the exclusive use of another set of devices.
  • conforming devices contain verifiable certificates of authenticity, and channels are established only when each device on the channel verifies the other device's authenticity.
  • FIG. 1 illustrates a block diagram of an example prior-art ticket processing scheme for controlling the copying of copyright material on a physical media.
  • FIGs. 2 and 3 illustrate applications of the prior- art ticket processing scheme for controlling the copying of copyright material that is communicated via a broadcast channel.
  • FIG. 4 illustrates an example block diagram of a ticket processing scheme for controlling the display of copyright material in accordance with this invention.
  • FIG. 5 illustrates an example block diagram for a ticket processing scheme for controlling the copying of copyright material in accordance with this invention.
  • FIG. 6 illustrates an example flow diagram for a ticket processing scheme for controlling the display or copy of copyright material in accordance with this invention.
  • FIG. 4 illustrates an example block diagram of a ticket processing scheme for controlling the copying of copyright material in accordance with this invention. Illustrated in FIG. 4 are a conditional access module 300 and a display device 400.
  • the conditional access module receives a broadcast 301 that may or may not be encrypted, and which may or may not be copy protected.
  • the brackets ⁇ ⁇ used in FIG. 4 illustrate items that may or may not be present in a particular broadcast 301.
  • a Broadcast decrypter 350 is a conventional broadcast decrypter that decrypts the broadcast 301 if it is encrypted, otherwise, it passes it on unmodified, such that the output 351 of the broadcast decrypter comprises the material content C, it's embedded watermark W, if any, and associated ticket T, if any.
  • a ticket detector 340 separates the ticket T 341, if present, from the output 351 to produce a material content C and it's embedded watermark W, if any, signal 342, and . communicates the ticket 341 to a ticket encrypter 330.
  • the ticket encrypter 330 encrypts the ticket T using a key K 321 to produce an encrypted ticket E ⁇ (T) 331 that can only be decrypted by the display device 400 that is currently bound to it, as will be discussed further below.
  • the material content C and it's embedded watermark W, if any, signal 342, and the encrypted ticket E ⁇ (T) 331, if any, are communicated to the display device 400 as a communicated signal 401.
  • the display device 400 includes a ticket detector 440 that processes the communicated signal 401 to produce a material content C and it's embedded watermark W, if any, signal 442, and extracted ticket 431, if any. If, as illustrated in FIG. 4, the conditional access module 300 is a compliant device in accordance with this invention, the extracted ticket 431 will be equal to the encrypted ticket E K (T) 331. If the communicated signal 401 is not from the compliant conditional access module 300, the extracted ticket 431 will not be equal to the encrypted ticket E ⁇ (T) 331.
  • the ticket decrypter 430 decrypts the extracted ticket 431 based on a key K' 421, such that the resultant ticket T 441 matches the original ticket T 431 if and only if the decryption key K' 421 corresponds to the encryption key K 321.
  • One key corresponds to another if that key decrypts an encryption produced by the other.
  • the keys K 321 and K' 421 are equal to each other.
  • the keys K 321 and K' 421 are private and public keys, respectively, of a private/public encryption key pair.
  • a display controller 460 controls the display of the material content C and it's embedded watermark W, if any, signal 442, based upon the relationship between the embedded watermark W, if any, and the decrypted ticket T 441.
  • the material content C will be displayed if and only if one of the following three conditions are met:
  • the embedded watermark W equals a twice-hash of the decrypted ticket T 441.
  • the first condition corresponds to material content C that is not copy or display protected.
  • the second condition corresponds to the copy-never 212 and copy-no-more 232 states of the prior art ticketing scheme, respectively, and the third condition corresponds to the copy-once 222 state of the prior art ticketing scheme, as illustrated in FIGs. 2 and 3.
  • the embedded watermark W in the prior art ticketing scheme if present, will equal the original ticket T 341 in the copy-never 212 and copy-no-more 232 states, and will equal the twice hash of the original ticket T 341 in the copy-once state 222. Because the .
  • decrypted ticket T 441 will only equal the original ticket T 341 when the display device has a key K' 421 that corresponds to the key K 321 at the conditional access module 300, protected material content C will only be displayed when the conditional access module 300 and display device 400 have corresponding keys K 321 and K' 421. Thus, if a blind copy of the communicated signal 401 is made, it will only be displayable on the display device 400 that contains the key K' 421 that corresponds to key K 321.
  • FIG. 5 illustrates a corresponding recorder 500 in accordance with this invention.
  • the recorder 500 is substantially similar to the display device 400 except for the substitution of a copy controller 560 for the display controller 460.
  • the copy controller 560 allows a copy of the content material C to be made if and only if one of the following two conditions are met: - there is no embedded watermark; or - the embedded watermark W equals a twice-hash of the decrypted ticket T 441.
  • the first condition corresponds to material content C that is not copy or display protected.
  • the second condition corresponds to the copy-once 222 state of the prior art ticketing scheme, as illustrated in FIG 3. Because the decrypted ticket T 441 will only equal the original ticket T 341 when the display device has a key K' 421 that corresponds to the key K 321 at the conditional access module 300, copy-once material C that has an embedded watermark W that is equal to a twice hash of the original ticket T 341 will only be copied when the conditional access module 300 and recorder 500 have corresponding keys K 321 and K' 421. Thus, if a blind copy of the communicated signal 401 is made, it will only be copyable on the recorder 500 that contains the key K' 421 that corresponds to key K 321.
  • each receiver 400, 500 has a private key that is associated with an identifier of the receiver 400, 500, and the conditional access module 300 has a list of public keys corresponding to each identifier.
  • the public key forms the key K 321 and the private key forms the key K' 421.
  • the ticket encrypter 330 and decrypter 430 are an asymmetric encrypter/decrypter pair. The same identifier and public/private key pair may be assigned to multiple receivers 400, 500; assigning a unique public/private key pair to each receiver 400,
  • FIG. 4 illustrates explicit key generators 320 and 420 that generate keys K 321 and K' 421.
  • An example set of key generators 320, 420 include a "Diffie-
  • each key generator 320, 420 selects a random large integer x, y, respectively, and publicly exchange key parameters 325 that include a large prime n, and a number g that is primitive mod n.
  • both K and K' are equal to g xy mod n. Because x and y are kept private, the determination of the key K, K' is computationally difficult.
  • the ticket encrypter 330 and ticket decrypter 430 are a symmetric encrypter/decrypter pair, each using the same key value g xy mod n to encrypt and decrypt the ticket T. Note that two receivers 400, 500 will not generate the same key value with a conventional access module 300 unless they both select the same random number y. In a preferred embodiment of this invention, the receivers 400, 500 are created such that the likelihood of creating the same random number at the same time is minimal. Thus, as compared to the prior-art ticketing system, placing compliant recorders 500 in parallel to the communicated signal 401 will not allow each to copy material that is in the copy-once state
  • creating a blind copy of the communicated signal 401 will only allow the compliant recorder 500 having the proper key K' to produce multiple one-at-a-time copies.
  • FIGs. 4 and 5 illustrate the optional use of corresponding pairs of authenticators 310, 410 with the key generators 320, 420.
  • the authenticator 310 initiates the authentication process upon receipt of a trigger 346 from the ticket detector by requesting a certification 411 from the authenticator 410.
  • the certification 411 is a verifiable digital certificate, common in the art, that is provided by the manufacturer of the receiver and contains an identification of the particular receiver.
  • the authenticator 310 verifies the certificate, using conventional digital signature verification techniques, and communicates the results 311 of this certification to the key generator 320. In this manner, the receiver 400, 500 can be re-authenticated upon receipt of each ticketed material 301. Non-conforming receivers, or particular receivers 400, 500 that have had their authorization revoked, can thus be prevented from receiving ticketed material.
  • the determination or generation of the appropriate key K 321 to correspond to the key K' 421 can occur periodically, randomly, or, as mentioned above, upon receipt of ticketed material 301.
  • the key determination or generation also occurs whenever the communications path between the conditional access module 300 and receiver 400, 500 is newly established. In this manner, the conditional access module 300 can be reassigned, or bound, to a different receiver 400, 500, as required.
  • the conditional access module 300 in a preferred embodiment includes a pair of key generators 320, and corresponding ticket encrypters 330, each associated with a channel.
  • the output 401 of one channel is provided, for example, to a display device 400 at the same time that the output 401 of the other channel is provided to a recorder 500, so that an authorized copy of the protected material can be made at the same time that an authorized viewing occurs.
  • the output 401 of each channel has a different encrypted ticket, depending upon the receiver 400, 500 attached to each output 401.
  • FIG. 6 illustrates a flow diagram for a compliant conditional access module 300 and receiver 400, 500, in accordance with this invention.
  • the broadcast material is received at the conditional access module 300.
  • the broadcast material contains encrypted material 620, it is decrypted, at 625; if it contains a ticket 630, the ticket is encrypted, at 635, using a key that corresponds to a key in the receiver 400, 500, as discussed above.
  • the decrypted material and encrypted ticket is transmitted to the receiver 400, 500, at 640.
  • the receiver 400, 500 determines whether the material contains a ticket. If, at 650, the received material has a ticket, it is decrypted, at 655 using the key associated with the receiver 400, 500. If the receiver 400, 500 is a recorder 500, at 660, the test at 680 is applied to determine if the material is copyable.
  • the material content and embedded watermark W, if any, is copied 685, along with a hash of the decrypted ticket T, consistent with the prior- art ticketing scheme. Otherwise, the copy step 685 is bypassed. If, at 660, the receiver 400, 500 is a display device 400, the test at 670 is applied. If there is no embedded watermark W in the material, or if the embedded watermark W matches the decrypted ticket or a thrice-hash of the decrypted ticket, the material content C is displayed 675. Otherwise, the display step 675 is bypassed. After copying, displaying, or bypassing, the process continues, at 690, awaiting the receipt of the next broadcast material, at 610.
  • the foregoing merely illustrates the principles of the invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements which, although not explicitly described or shown herein, embody the principles of the invention and are thus within its spirit and scope.
  • the above described ticket encryption scheme at the conditional access module may be embodied in other devices, such as a conventional player 110, an unconditional access module, or any other device that receives ticketed material from a source and provides it to an intended receiver 400, 500.
  • the details of the prior art ticketing scheme is presented above for illustration purposes. Other ticketing schemes may also be employed, requiring only a change to the particular ticket tests 675, 685 to correspond to such schemes.
  • the ticket encrypter 330 can be located at the site of the provider of the broadcast 301, such that the material 301 is received at the broadcast decrypter 350 with a ticket that is suitably encrypted for decryption by the receiver 400, 500.
  • the conditional access module 300 will include means for communicating an identification of the receiver 400, 500 to the provider of the broadcast 301.
  • some or all of the illustrated components of the conditional access module 300 may be included in the receiver 400, 500, or other device.

Abstract

An encryption scheme is provided between a device that communicates material content and the intended receiver of this content. The encryption is applied to a ticket that conveys copy and display rights. To allow for the portability of devices, the encryption scheme in a preferred embodiment is dynamic. At any point in time, the channel between the providing device and the receiving device is configured for the exclusive use of these two devices; thereafter, the channel may be configured for the exclusive use of another set of devices. To prevent the use of non-conforming devices within the system, conforming devices contain verifiable certificates of authenticity, and channels are established when each device on the channel verifies the other device's authenticity.

Description

Copy protection by ticket encryption.
This invention relates to the field of entertainment systems, and in particular to copy protection for copyrighted material.
Digital recordings have the unique property that copies of the recorded material have the same quality as the original. As such, the need for an effective copy protection scheme is particularly crucial for the protection of copyright material that is digitally recorded. A cost-effective method of copy protection is discussed in detail by Jean-Paul Linnartz et al., in Philips Electronics Response to Call for Proposals Issued by the Data Hiding Subgroup Copy Protection Technical Working Group, July 1997 ("Linnartz"), which is incorporated herein by reference. The Linnartz scheme operates by attaching a "ticket" to the recorded material; the ticket comprises a verifiable "count" that is decremented at each stage of the playback and recording process, and is computationally difficult to increment. A computationally difficult process is one that can be expected to require an inordinate amount of time to complete, relative to the potential gain that may be realized by devoting this amount of time. The Linnartz scheme uses a hashing function that provides a hash value from a seed value in such a manner that it is computationally difficult to determine the seed value, given the hash value.
FIG. 1 illustrates the Linnartz ticket scheme. The multiple instances of player 110 and recorder 120 are used to illustrate the use of the same or another player 110 and recorder 120 with different inputs 101, 102, 111, 112, 122, 132. A protected recording, such as a DVD disk, can be encoded as "copy-never" 101 or "copy-once" 102. The material content C also contains an embedded watermark W that is a hash value of a physical mark P. As in a paper watermark, the watermark W is an encoding that is embedded in the recorded material in such a manner that it does not interfere with the rendering of the material, but cannot be removed from the material without adversely affecting the quality of the material. The physical mark P is a code that is embedded in the material of the disk media that can be read by a disk player 110, and also cannot be removed from the disk media without affecting the quality of the disk media. A copy-never disk 101 may or may not contain a ticket T. The copy- once disk 102 contains an embedded watermark W that is a four-times-hash of the physical mark P, and a ticket T that is a once-hash value of the physical mark P.
By agreement among manufacturers, a compliant player 110 plays a recording that contains an embedded watermark W if and only if: the embedded watermark W is a once- hash of the physical mark P; the embedded watermark W is a thrice-hash of the ticket T; or the embedded watermark W is a once-hash of the ticket T. Any other combination of embedded watermark W, ticket T, and physical mark P is deemed an illegal copy, and the compliant player 110 will not play the illegal copy. If the recording is deemed legal, the compliant player 110 provides as an output the material C, with its embedded watermark W, and a transformed ticket T' that is a once-hash of the incoming ticket T. As illustrated, the compliant player 110 provides an output 111 from the copy-never disk 101 because the embedded watermark W is equal to a once-hash of the physical mark P, and provides an output 112 from the copy-once disk 102 because the embedded watermark W is equal to the thrice-hash of the ticket T.
By agreement among manufacturers, a compliant recorder 120 makes a copy of a recording that contains an embedded watermark W and ticket T, if and only if the embedded watermark W is a twice hash of the ticket T. The copy-never output 111 does not have an embedded watermark W that is a twice hash of the transformed ticket T', and thus will not be recorded by the compliant recorder 120. The copy-once output 112 contains an embedded watermark W that is a four-times-hash of the physical mark P, and a transformed ticket T' that is a once-hash of the original ticket T. Because the original ticket T is a once-hash of the physical mark P, the transformed ticket T' is a twice-hash of the physical mark P, and therefore the embedded watermark W is a twice-hash of the transformed ticket T'. Because the embedded watermark W is a twice-hash of the incoming transformed ticket T', the compliant recorder 120 makes a copy 122 of the copy-once material 112. The compliant recorder 120 attaches a once-hash of the incoming ticket T' as a new ticket T" on the copy 122. Because the incoming ticket T' is a twice-hash of the physical mark P, the new ticket T" is a thrice-hash of the physical mark P. The combination of an embedded watermark W that is a once-hash of the attached ticket defines a "copy-no-more" recording.
Note that in the Linnartz scheme, there are no restrictions on the number of copies that can be made from the "copy-once" disk 102. That is, the playback of the original copy-once disk 102 will always produce an output that contains the material C, with its embedded watermark W, and a transformed ticket T' that is a once-hash of the incoming ticket T. Because the original ticket T is a once-hash of the physical mark P, and the transformed ticket T' is a twice-hash of the physical mark P, the embedded watermark W will always be a twice-hash of the transformed ticket T', and therefore recordable. A mass production of the copy-once disk 102 can be effected by merely operating a number of recorders 120 in parallel, each receiving the output 112 of the player 110. Note that this mass production can be performed using recorders 120 that are compliant with the ticketing scheme of Linnartz. As discussed above, a compliant player 110 plays a recording that contains an embedded watermark W if and only if: the embedded watermark W is a once-hash of the physical mark P; the embedded watermark W is a thrice-hash of the incoming ticket; or the embedded watermark W is a once-hash of the incoming ticket. Because the incoming ticket T" from the copy-no-more copy 122 is a thrice-hash of the physical mark P, and the embedded watermark W is a four-times hash of the physical mark P, the embedded watermark W is a once-hash of the ticket T", and therefore a legally playable copy. The compliant player 110 plays the legal copy-no-more copy 122 and produces an output 132 that includes the material content C, its embedded watermark W, and a transformed ticket T'" that is a hash of the incoming ticket T". The transformed ticket T'" of the output 132 is a four-times hash of the physical mark P.
The compliant recorder 120, as discussed above, makes a copy of a recording that contains an embedded watermark W and ticket T, if and only if the embedded watermark W is a twice hash of the ticket T. The copy-no-more output 132 does not have an embedded watermark W that is a twice hash of the transformed ticket T'", and therefore will not be recorded by the compliant recorder 120.
Note that in the Linnartz scheme, the output of the compliant player is assumed to be displayable on a display device. That is, there are no display restrictions placed on a display device. Note also that the arrangement of the embedded watermark W and the ticket T at the output 132 of the compliant player 110 is an embedded watermark W that equals the ticket T. Thus, if a restriction were placed on a display device based on the embedded watermark W and ticket T, it must allow the display of an output wherein the embedded watermark and ticket are equal. Thus, an attempted restriction on the display of copyright material based on the Linnartz embedded watermark and trademark scheme could be overcome by merely replacing whatever ticket is provided by a copy of the embedded watermark.
For completeness, FIGs. 2 and 3 illustrate applications of the prior-art ticket processing scheme for controlling the copying of copyright material that is communicated via a broadcast channel, such as a "pay-per-view" transmission from a service provider. FIG. 2 illustrates the transmission of a copy-never broadcast 201, and FIG. 3 illustrates the transmission of a copy-once broadcast 202. As is common in the art, the broadcast 201, 202 is encrypted. A conditional access decrypter 210 decrypts the encrypted broadcast 201, 202 to provide a decrypted output 211, 212 that contains the material content C, an embedded watermark W, and a ticket T. The conditional access decrypter 210 may be, for example, a "cable-box" that decrypts the incoming broadcast after arrangements are made with the service provider for the payment of the fees associated with the receipt of the material content C, or after a "smart-card" is plugged into the cable box.
If, as in FIG. 2, the transmission is a copy-never broadcast 201, the decrypted output 211 will include the material content C, an embedded watermark W that equals a double-hash of a physical mark P, and a ticket T that is also equal to the double-hash of the physical mark P. In the case of a broadcast, the "physical" mark P may be an arbitrary code associated with the broadcast, or it may be related to an attribute of the broadcast, such as a modulated signal within the broadcast. The origin of the mark P is somewhat arbitrary, except that it should not be "publicly-available"; that is, it should not be easy to determine. Alternative methods can be used to supply the appropriate ticket value. The service provider may provide a ticket that is a single-hash of the physical mark P, and the conditional access decrypter 210 can be configured to apply a single-hash to the incoming ticket, as is performed in the conventional conforming player 110. Alternatively, the service provider may provide the double-hashed ticket directly, and the conditional access decrypter 210 merely passes the incoming ticket on as the output ticket. As discussed above, the compliant recorder 120 will only make copies of watermarked material when the embedded watermark is equal to the twice-hash of the incoming ticket. In this copy-never case, the embedded watermark W is equal to the incoming ticket T, and therefore the compliant recorder 120 will not make a copy of this copy-never material 211. A compliant display device 220, on the other hand, will display the copy-never material 211 because the embedded watermark equals the ticket.
If, as in FIG. 3, the transmission is a copy-once broadcast 202, the decrypted output 212 will include the material content C, an embedded watermark W that equals a four- hash of the physical mark P, and a ticket T that equals a double-hash of the physical mark P. Because the embedded watermark W is equal to a twice-hash of the incoming ticket T, a compliant recorder 120 will produce a authorized copy 222 of the decrypted output 212, and a compliant display device 220 will provide a display of the decrypted output 212. The copy 222 from the recorder 120 includes the material content C, its embedded watermark W, and a transformed ticket T that is equal to a single-hash of the incoming ticket T. Because the incoming ticket T is a twice-hash of the physical mark P, the transformed ticket T' is equal to a thrice-hash of the physical mark P.
Note that as in the ticketed disk scheme discussed above, a plurality of compliant recorders 120 may be configured to receive the output of the decrypter 210 and will produce a corresponding plurality of copies 222. Note also that a non-compliant "blind" copy of the material 212 can be made and subsequently provided to any compliant recorder 120 for an unlimited number of copies 222. A 'blind" copy is substantially a bit-for-bit copy, with no transformation of the information as it is copied. In the aforementioned ticketed disk scheme, the presence of the physical mark P on the disk media itself precluded the use of a blind copy, because the physical mark P would not have been transferred with the information that is copied, and a compliant device will reject a copy having an embedded watermark that differs from a single-hash or four-hash of the physical mark P. In the broadcast example, however, if the physical mark P is communicated, it will be part of the broadcast information, and therefore will be transferred with the information during a blind copy. When the copy 222 is provided to a player 110, the player will match the embedded watermark W to a single-hash of the ticket T', and will provide an output 232 that contains the material content C, the embedded watermark W, and a transformed ticket T" that is a single-hash of the incoming ticket T', or, equivalently, a four-hash of the physical mark P. A compliant recorder 120 will not make a copy of the output 232, because the embedded watermark W is not a twice-hash of the incoming ticket T". The compliant display device will display the output 230, because the embedded watermark W is equal to the incoming ticket T". Note that a non-compliant player can have authorized and unauthorized copies of the material content C displayed by a conforming display device 220 by merely providing a ticket T" that is equal to the embedded watermark W.
It is an object of this invention to prevent the display of unauthorized copies of material on a conforming display device. It is a further object of this invention to prevent the unauthorized copying of material on a conforming recording device. It is a further object of this invention to prevent the unauthorized copying of material on a non-conforming recording device, or to render such unauthorized copies useless for a conforming display or recording device.
These objects and others are achieved by providing an encryption scheme between the device that communicates the material content and the intended receiver of this content. The encryption is applied to the ticket that conveys copy and display rights. To allow for the portability of devices, the encryption scheme in a preferred embodiment is dynamic. At any point in time, the channel between the providing device and the receiving device is configured for the exclusive use of these two devices; thereafter, the channel may be configured for the exclusive use of another set of devices. To prevent the use of non- conforming devices within the system, conforming devices contain verifiable certificates of authenticity, and channels are established only when each device on the channel verifies the other device's authenticity.
The invention is explained in further detail, and by way of example, with reference to the accompanying drawings wherein:
FIG. 1 illustrates a block diagram of an example prior-art ticket processing scheme for controlling the copying of copyright material on a physical media. FIGs. 2 and 3 illustrate applications of the prior- art ticket processing scheme for controlling the copying of copyright material that is communicated via a broadcast channel.
FIG. 4 illustrates an example block diagram of a ticket processing scheme for controlling the display of copyright material in accordance with this invention.
FIG. 5 illustrates an example block diagram for a ticket processing scheme for controlling the copying of copyright material in accordance with this invention.
FIG. 6 illustrates an example flow diagram for a ticket processing scheme for controlling the display or copy of copyright material in accordance with this invention.
FIG. 4 illustrates an example block diagram of a ticket processing scheme for controlling the copying of copyright material in accordance with this invention. Illustrated in FIG. 4 are a conditional access module 300 and a display device 400. The conditional access module receives a broadcast 301 that may or may not be encrypted, and which may or may not be copy protected. The brackets { } used in FIG. 4 illustrate items that may or may not be present in a particular broadcast 301. A Broadcast decrypter 350 is a conventional broadcast decrypter that decrypts the broadcast 301 if it is encrypted, otherwise, it passes it on unmodified, such that the output 351 of the broadcast decrypter comprises the material content C, it's embedded watermark W, if any, and associated ticket T, if any. A ticket detector 340 separates the ticket T 341, if present, from the output 351 to produce a material content C and it's embedded watermark W, if any, signal 342, and . communicates the ticket 341 to a ticket encrypter 330. In accordance with this invention, the ticket encrypter 330 encrypts the ticket T using a key K 321 to produce an encrypted ticket Eκ(T) 331 that can only be decrypted by the display device 400 that is currently bound to it, as will be discussed further below. The material content C and it's embedded watermark W, if any, signal 342, and the encrypted ticket Eκ(T) 331, if any, are communicated to the display device 400 as a communicated signal 401.
The display device 400 includes a ticket detector 440 that processes the communicated signal 401 to produce a material content C and it's embedded watermark W, if any, signal 442, and extracted ticket 431, if any. If, as illustrated in FIG. 4, the conditional access module 300 is a compliant device in accordance with this invention, the extracted ticket 431 will be equal to the encrypted ticket EK(T) 331. If the communicated signal 401 is not from the compliant conditional access module 300, the extracted ticket 431 will not be equal to the encrypted ticket Eκ(T) 331. The ticket decrypter 430 decrypts the extracted ticket 431 based on a key K' 421, such that the resultant ticket T 441 matches the original ticket T 431 if and only if the decryption key K' 421 corresponds to the encryption key K 321. One key corresponds to another if that key decrypts an encryption produced by the other. In a symmetric key system, the keys K 321 and K' 421 are equal to each other. In an asymmetric key system, the keys K 321 and K' 421 are private and public keys, respectively, of a private/public encryption key pair.
A display controller 460 controls the display of the material content C and it's embedded watermark W, if any, signal 442, based upon the relationship between the embedded watermark W, if any, and the decrypted ticket T 441. In accordance with this invention, the material content C will be displayed if and only if one of the following three conditions are met:
- there is no embedded watermark;
- the embedded watermark W equals the decrypted ticket T 441; or
- the embedded watermark W equals a twice-hash of the decrypted ticket T 441. The first condition corresponds to material content C that is not copy or display protected. The second condition corresponds to the copy-never 212 and copy-no-more 232 states of the prior art ticketing scheme, respectively, and the third condition corresponds to the copy-once 222 state of the prior art ticketing scheme, as illustrated in FIGs. 2 and 3. As discussed above, the embedded watermark W in the prior art ticketing scheme, if present, will equal the original ticket T 341 in the copy-never 212 and copy-no-more 232 states, and will equal the twice hash of the original ticket T 341 in the copy-once state 222. Because the . decrypted ticket T 441 will only equal the original ticket T 341 when the display device has a key K' 421 that corresponds to the key K 321 at the conditional access module 300, protected material content C will only be displayed when the conditional access module 300 and display device 400 have corresponding keys K 321 and K' 421. Thus, if a blind copy of the communicated signal 401 is made, it will only be displayable on the display device 400 that contains the key K' 421 that corresponds to key K 321.
FIG. 5 illustrates a corresponding recorder 500 in accordance with this invention. The recorder 500 is substantially similar to the display device 400 except for the substitution of a copy controller 560 for the display controller 460. The copy controller 560 allows a copy of the content material C to be made if and only if one of the following two conditions are met: - there is no embedded watermark; or - the embedded watermark W equals a twice-hash of the decrypted ticket T 441.
The first condition corresponds to material content C that is not copy or display protected. The second condition corresponds to the copy-once 222 state of the prior art ticketing scheme, as illustrated in FIG 3. Because the decrypted ticket T 441 will only equal the original ticket T 341 when the display device has a key K' 421 that corresponds to the key K 321 at the conditional access module 300, copy-once material C that has an embedded watermark W that is equal to a twice hash of the original ticket T 341 will only be copied when the conditional access module 300 and recorder 500 have corresponding keys K 321 and K' 421. Thus, if a blind copy of the communicated signal 401 is made, it will only be copyable on the recorder 500 that contains the key K' 421 that corresponds to key K 321. Although multiple copies can be made by the same recorder 500 from the blind copy of communicated signal 401, the use of an encrypted ticket in accordance with this invention precludes the simultaneous copying of multiple copies, thereby minimizing the economic gains that can be realized by a one-at-a-time production of the protected material.
A variety of techniques are commonly available for generating corresponding encryption keys K 321, K' 421. (For ease of reference, the term receiver 400, 500 will be used to refer to either the display device 400 or the recorder 500.) In the simplest case, each receiver 400, 500 has a private key that is associated with an identifier of the receiver 400, 500, and the conditional access module 300 has a list of public keys corresponding to each identifier. The public key forms the key K 321 and the private key forms the key K' 421. In this embodiment, the ticket encrypter 330 and decrypter 430 are an asymmetric encrypter/decrypter pair. The same identifier and public/private key pair may be assigned to multiple receivers 400, 500; assigning a unique public/private key pair to each receiver 400,
500 allows an individual public key to be revoked in the event that a violation of copy rights is discovered.
Alternatively, FIG. 4 illustrates explicit key generators 320 and 420 that generate keys K 321 and K' 421. An example set of key generators 320, 420 include a "Diffie-
Hellman" key-exchange algorithm, common in the art. In the Diffie-Hellman scheme, each key generator 320, 420 selects a random large integer x, y, respectively, and publicly exchange key parameters 325 that include a large prime n, and a number g that is primitive mod n. Key generator 320 communicates X = gx mod n to key generator 420, and, Key generator 420 communicates Y = gy mod n to key generator 320. Then,
Key generator 320 computes K = Yx mod n, and Key generator 420 computes K = Xy mod n.
In this manner, both K and K' are equal to gxy mod n. Because x and y are kept private, the determination of the key K, K' is computationally difficult. In this embodiment, the ticket encrypter 330 and ticket decrypter 430 are a symmetric encrypter/decrypter pair, each using the same key value gxy mod n to encrypt and decrypt the ticket T. Note that two receivers 400, 500 will not generate the same key value with a conventional access module 300 unless they both select the same random number y. In a preferred embodiment of this invention, the receivers 400, 500 are created such that the likelihood of creating the same random number at the same time is minimal. Thus, as compared to the prior-art ticketing system, placing compliant recorders 500 in parallel to the communicated signal 401 will not allow each to copy material that is in the copy-once state
222. Similarly, as noted above, creating a blind copy of the communicated signal 401 will only allow the compliant recorder 500 having the proper key K' to produce multiple one-at-a-time copies.
Additional security may be provided by a combination of alternative security schemes. For example, FIGs. 4 and 5 illustrate the optional use of corresponding pairs of authenticators 310, 410 with the key generators 320, 420. The authenticator 310 initiates the authentication process upon receipt of a trigger 346 from the ticket detector by requesting a certification 411 from the authenticator 410. The certification 411 is a verifiable digital certificate, common in the art, that is provided by the manufacturer of the receiver and contains an identification of the particular receiver. The authenticator 310 verifies the certificate, using conventional digital signature verification techniques, and communicates the results 311 of this certification to the key generator 320. In this manner, the receiver 400, 500 can be re-authenticated upon receipt of each ticketed material 301. Non-conforming receivers, or particular receivers 400, 500 that have had their authorization revoked, can thus be prevented from receiving ticketed material.
Note that the determination or generation of the appropriate key K 321 to correspond to the key K' 421 can occur periodically, randomly, or, as mentioned above, upon receipt of ticketed material 301. In a preferred embodiment the key determination or generation also occurs whenever the communications path between the conditional access module 300 and receiver 400, 500 is newly established. In this manner, the conditional access module 300 can be reassigned, or bound, to a different receiver 400, 500, as required. Note also that the conditional access module 300 in a preferred embodiment includes a pair of key generators 320, and corresponding ticket encrypters 330, each associated with a channel. The output 401 of one channel is provided, for example, to a display device 400 at the same time that the output 401 of the other channel is provided to a recorder 500, so that an authorized copy of the protected material can be made at the same time that an authorized viewing occurs. In this embodiment, the output 401 of each channel has a different encrypted ticket, depending upon the receiver 400, 500 attached to each output 401. For completeness, FIG. 6 illustrates a flow diagram for a compliant conditional access module 300 and receiver 400, 500, in accordance with this invention. At 610, the broadcast material is received at the conditional access module 300. If the broadcast material contains encrypted material 620, it is decrypted, at 625; if it contains a ticket 630, the ticket is encrypted, at 635, using a key that corresponds to a key in the receiver 400, 500, as discussed above. The decrypted material and encrypted ticket is transmitted to the receiver 400, 500, at 640. Upon receipt, the receiver 400, 500 determines whether the material contains a ticket. If, at 650, the received material has a ticket, it is decrypted, at 655 using the key associated with the receiver 400, 500. If the receiver 400, 500 is a recorder 500, at 660, the test at 680 is applied to determine if the material is copyable. If there is no embedded watermark W in the material, or if the embedded watermark W matches a twice-hash of the decrypted ticket, the material content and embedded watermark W, if any, is copied 685, along with a hash of the decrypted ticket T, consistent with the prior- art ticketing scheme. Otherwise, the copy step 685 is bypassed. If, at 660, the receiver 400, 500 is a display device 400, the test at 670 is applied. If there is no embedded watermark W in the material, or if the embedded watermark W matches the decrypted ticket or a thrice-hash of the decrypted ticket, the material content C is displayed 675. Otherwise, the display step 675 is bypassed. After copying, displaying, or bypassing, the process continues, at 690, awaiting the receipt of the next broadcast material, at 610.
The foregoing merely illustrates the principles of the invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements which, although not explicitly described or shown herein, embody the principles of the invention and are thus within its spirit and scope. For example, the above described ticket encryption scheme at the conditional access module may be embodied in other devices, such as a conventional player 110, an unconditional access module, or any other device that receives ticketed material from a source and provides it to an intended receiver 400, 500. Similarly, the details of the prior art ticketing scheme is presented above for illustration purposes. Other ticketing schemes may also be employed, requiring only a change to the particular ticket tests 675, 685 to correspond to such schemes.
Note that the particular functions and structures in the figures are presented for illustration purposes. Alternative arrangements are feasible. For example, the ticket encrypter 330 can be located at the site of the provider of the broadcast 301, such that the material 301 is received at the broadcast decrypter 350 with a ticket that is suitably encrypted for decryption by the receiver 400, 500. In this embodiment, the conditional access module 300 will include means for communicating an identification of the receiver 400, 500 to the provider of the broadcast 301. In like manner, some or all of the illustrated components of the conditional access module 300 may be included in the receiver 400, 500, or other device. These and other system configuration and optimization options will be evident to one of ordinary skill in the art in view of this invention, and are included within the scope of the following claims.

Claims

CLAIMS:
1. A device (300) comprising: a ticket detector (340) that extracts a ticket (341) and a material content (342) with embedded watermark (W) from a source, a ticket encrypter (330) that encrypts the ticket (341) based on a key (321) that depends upon an intended receiver of the material content (342), to provide an encrypted ticket (331) that is communicated with the material content (342) with embedded watermark (W) to a receiving device (400, 500).
2. The device (300) of claim 1, further including a broadcast decrypter (430) that decrypts a broadcast transmission (301) to form the source of the ticket (341) and material content (342) with embedded watermark (W).
3. The device (300) of claim 1, further including a key generator (320) that generates the key (321) that depends upon the intended recei ver .
4. The device (300) of claim 3, wherein the key generator (320) includes a Diffie-Hellman key-exchange system.
5. The device (300) of claim 1, further including an authenticator (310) that authenticates the receiving device (400, 500) as the intended receiver.
6. A receiver (400, 500) comprising: a ticket detector (340) that extracts an encrypted ticket (431) from a received communication (401) that includes the encrypted ticket (431) and a material content (442) with an embedded watermark (W), a ticket decrypter (430) that decrypts the encrypted ticket (431) to form a decrypted ticket (441), and a controller (460, 560) that determines at least one of a display permission and a copy permission based on the embedded watermark (W) and the decrypted ticket (441)..
7. The receiver (400, 500) of claim 6, further including a key generator (420) that generates a key (421) that is provided to the ticket decrypter (430) to decrypt the encrypted ticket (431) to form the decrypted ticket (441).
8. The receiver (400, 500) of claim 7, wherein the key generator (420) includes a Diffie-Hellman key-exchange system.
9. The receiver (400, 500) of claim 6, further including an authenticator (410) that provides a certification (411) to a device (300) that provides the received communication (401) to facilitate a creation of the encrypted ticket (431).
10. The receiver (400, 500) of claim 6, wherein the controller (460, 560) determines the at least one display permission and copy permission based on at least one hash of the decrypted ticket (441).
11. The receiver (400, 500) of claim 6, further including at least one of a display
(400) and a copier (500).
12. A method for communicating a copyright material comprising: encrypting (635) a ticket (341) associated with the copyright material to form an encrypted ticket (331) based on an intended receiver, and communicating (640) the encrypted ticket (331) with the copyright material to a receiving device (400, 500) to facilitate an enforcement of the copyright in dependence upon whether the receiving device (400, 500) is the intended receiver.
13. The method of claim 12, further including generating a key (321) based on the intended receiver that is used in encrypting (635) the ticket (341).
14. The method of claim 13, wherein the step of generating the key (321) includes effecting a Diffie-Hellman key-exchange.
15. The method of claim 12, further including authenticating the receiving device (400, 500) as the intended receiver.
16. A method for enforcing protection to copyright material comprising: decrypting (655) an encrypted ticket (431) to form a decrypted ticket (441), determining (670, 680) at least one of a display permission and a copy permission based on the decrypted ticket (441) and a watermark that is embedded in the copyright material.
17. The method of claim 16 further including generating a key (421) that is used in decrypting the encrypted ticket (431).
18. The method of claim 17, wherein the step of generating the key (421) includes effecting a Diffie-Hellman key-exchange.
19. The method of claim 16, wherein the step of determining (670, 680) at least one display permission and copy permission is based on at least one hash of the decrypted ticket (441).
EP99932846A 1998-07-14 1999-07-07 Copy protection by message encryption Withdrawn EP1145243A3 (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US9272798P 1998-07-14 1998-07-14
US92727P 1998-07-14
US33362899A 1999-06-15 1999-06-15
US333628 1999-06-15
PCT/EP1999/004766 WO2000004549A2 (en) 1998-07-14 1999-07-07 Copy protection by ticket encryption

Publications (2)

Publication Number Publication Date
EP1145243A2 true EP1145243A2 (en) 2001-10-17
EP1145243A3 EP1145243A3 (en) 2004-11-03

Family

ID=26785979

Family Applications (1)

Application Number Title Priority Date Filing Date
EP99932846A Withdrawn EP1145243A3 (en) 1998-07-14 1999-07-07 Copy protection by message encryption

Country Status (5)

Country Link
EP (1) EP1145243A3 (en)
KR (1) KR20010023967A (en)
CN (1) CN1333975A (en)
TW (1) TW406249B (en)
WO (1) WO2000004549A2 (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7908635B2 (en) 2000-03-02 2011-03-15 Tivo Inc. System and method for internet access to a personal television service
US8812850B2 (en) 2000-03-02 2014-08-19 Tivo Inc. Secure multimedia transfer system
US8171520B2 (en) 2000-03-02 2012-05-01 Tivo Inc. Method of sharing personal media using a digital recorder
US8261315B2 (en) 2000-03-02 2012-09-04 Tivo Inc. Multicasting multimedia content distribution system
US20020166056A1 (en) * 2001-05-04 2002-11-07 Johnson William C. Hopscotch ticketing
CN100356789C (en) * 2004-09-01 2007-12-19 华为技术有限公司 Method and device for protecting broadband audio-video broadcasting content
CN100364332C (en) * 2004-09-01 2008-01-23 华为技术有限公司 Method for protecting broadband video-audio broadcasting content
US9967534B1 (en) 2004-11-19 2018-05-08 Tivo Solutions Inc. Digital video recorder video editing system
JP4140624B2 (en) * 2005-09-16 2008-08-27 ソニー株式会社 Information processing apparatus, information recording medium manufacturing apparatus, information recording medium and method, and computer program
CN101052068B (en) 2006-04-03 2011-04-06 华为技术有限公司 Device and method for providing wet current
KR101319057B1 (en) * 2006-12-11 2013-10-17 톰슨 라이센싱 Text-based anti-piracy system and method for digital cinema

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5574787A (en) * 1994-07-25 1996-11-12 Ryan; John O. Apparatus and method for comprehensive copy protection for video platforms and unprotected source material
KR0136458B1 (en) * 1994-12-08 1998-05-15 구자홍 Copy protection apparatus of digital magnetic recording and reproducing system
CA2179223C (en) * 1995-06-23 2009-01-06 Manfred Von Willich Method and apparatus for controlling the operation of a signal decoder in a broadcasting system
CN1160955C (en) * 1995-10-09 2004-08-04 松下电器产业株式会社 Data transmitter, data transmitting method, data receiver, information processor, and information recording medium
WO1997043853A1 (en) * 1996-05-15 1997-11-20 Macrovision Corporation Method and apparatus for copy protection of copyrighted material on various recording media
DE69807807T2 (en) * 1997-01-27 2003-05-28 Koninkl Philips Electronics Nv METHOD AND DEVICE FOR TRANSMITTING CONTENT INFORMATION AND RELATED ADDITIONAL INFORMATION
JP3794646B2 (en) * 1997-08-26 2006-07-05 コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ System for transferring content information and supplementary information related to it

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO0004549A2 *

Also Published As

Publication number Publication date
TW406249B (en) 2000-09-21
EP1145243A3 (en) 2004-11-03
WO2000004549A2 (en) 2000-01-27
KR20010023967A (en) 2001-03-26
CN1333975A (en) 2002-01-30
WO2000004549A3 (en) 2001-06-07

Similar Documents

Publication Publication Date Title
US6550011B1 (en) Media content protection utilizing public key cryptography
JP4714402B2 (en) Secure transmission of digital data from an information source to a receiver
US7224805B2 (en) Consumption of content
US7047422B2 (en) User access to a unique data subset of a database
US4658093A (en) Software distribution system
US7480802B2 (en) License-based cryptographic technique, particularly suited for use in a digital rights management system, for controlling access and use of bore resistant software objects in a client computer
US7840805B2 (en) Method of and apparatus for providing secure communication of digital data between devices
US7996322B2 (en) Method of creating domain based on public key cryptography
JP5309206B2 (en) Method for preventing laundering and repackaging of multimedia content in a content distribution system
US20080235810A1 (en) Method of Authorizing Access to Content
KR100721269B1 (en) A method for limiting simultaneous copies of content material and a check-out/check-in device
KR20030027066A (en) Device arranged for exchanging data, and method of authenticating
JP2006527955A (en) Improved safety-certified channel
US6748531B1 (en) Method and apparatus for confirming and revoking trust in a multi-level content distribution system
JP2004362547A (en) Method for constituting home domain through device authentication using smart card, and smart card for constituting home domain
WO2006077222A1 (en) System and method for secure and convenient handling of cryptographic binding state information
EP1145243A3 (en) Copy protection by message encryption
JP2000113048A (en) Contents receiver group and ic card to be used for the same
JP4713745B2 (en) Authentication communication apparatus and authentication communication system
JP3846230B2 (en) Content information authentication playback device
EP1412833A1 (en) Consumption of digital data content with digital rights management
JP2002520682A (en) Copy protection with ticket encryption
JP2005080145A (en) Reproducing apparatus management method, content data reproducing apparatus, content data distribution apparatus, and recording medium
JP2006201986A (en) Method for controlling copy of digital content and management apparatus
MXPA06008255A (en) Method of authorizing access to content

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

XX Miscellaneous (additional remarks)

Free format text: DERZEIT SIND DIE WIPO-PUBLIKATIONSDATEN A3 NICHT VERFUEGBAR.

PUAK Availability of information related to the publication of the international search report

Free format text: ORIGINAL CODE: 0009015

AK Designated contracting states

Kind code of ref document: A3

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

RIC1 Information provided on ipc code assigned before grant

Ipc: 7H 04N 5/913 A

17P Request for examination filed

Effective date: 20011207

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Effective date: 20041123