EP1031206A2 - System and method for detecting compromised security devices - Google Patents

System and method for detecting compromised security devices

Info

Publication number
EP1031206A2
Authority
EP
European Patent Office
Prior art keywords
authorized
clients
security devices
illicitly
client
Prior art date
Legal status
Withdrawn
Application number
EP98963737A
Other languages
German (de)
English (en)
Inventor
Kenneth J. Birdwell
Yacov Yacobi
Current Assignee
Microsoft Corp
Original Assignee
Microsoft Corp
Priority date
Filing date
Publication date
Application filed by Microsoft Corp
Publication of EP1031206A2
Legal status: Withdrawn


Classifications

    • H04N7/17345: Television systems; analogue secrecy or subscription systems with two-way working (e.g. subscriber sending a programme selection signal); control of the passage of the selected programme
    • G06F21/109: Security arrangements protecting distributed programs or content (vending or licensing of copyrighted material; DRM) by using specially-adapted hardware at the client
    • G06F21/16: Program or content traceability, e.g. by watermarking
    • H04N21/26606: Selective content distribution; server-side channel or content management in a conditional access system, generating or managing entitlement messages, e.g. Entitlement Control Message [ECM] or Entitlement Management Message [EMM]
    • H04N21/44236: Client devices (e.g. set-top box); monitoring of processes or resources; monitoring of piracy processes or activities
    • H04N7/1675: Systems rendering the television signal unintelligible and subsequently intelligible; providing digital key or authorisation information for generation or regeneration of the scrambling sequence

Definitions

  • This invention relates to a data delivery system in which data is encrypted and served to multiple clients that are authorized to decrypt the data. More particularly, this invention relates to systems and methods for discovering authorized clients that have been compromised and are illicitly transferring decryption capabilities to unauthorized clients so that the unauthorized clients can decrypt the data.
  • a slightly more difficult problem concerns the broadcast or multicast delivery of data over a unidirectional network from one source to many receivers.
  • Well-known systems of this type include broadcast and cable television, radio, satellite entertainment, and network multicasting.
  • One common technique used in cable and satellite television is to scramble the data prior to transmission.
  • Authorized users are equipped with cable decoders or satellite descramblers to descramble the data after transmission.
  • The descramblers are usually implemented as hardware devices having a decoding chip or software code for descrambling the data transmission. Unauthorized users who intercept the data transmission are prevented from decoding the data because they do not possess the descrambler.
  • Cryptographic solutions can also be used to protect broadcast data delivery.
  • the data is encrypted at the content provider prior to transmission and broadcast in the encrypted format.
  • Authorized users are given keying materials before or during the broadcast for use in decrypting the data. Unauthorized users can eavesdrop on the data transmissions, but are unable to decrypt the data into meaningful information without access to the keying materials. As a result, the data transmissions are secure.
  • The decoding capabilities are implemented in hardware- or software-based security devices located at the authorized users' residences. Due to this isolation, the security devices are susceptible to being compromised. Despite the best devised plans, protection schemes will inevitably be attacked by pirates who attempt to circumvent them for illegal gain. With sufficient time and resources, a pirate masquerading as an authorized user can patiently reverse engineer a descrambling code or deduce cryptographic keying material. Once the security device is compromised, the pirate can illicitly sell the decoding information to unauthorized users for profit, allowing the unauthorized users to receive the data transmission.
  • The inventors have developed a system and method which addresses the problem of such pirate attacks.
  • a data delivery system has a content server or other mechanism for delivering encoded content to multiple authorized clients.
  • the content is encrypted using a cryptographic keying material, although other encoding protocols may be used.
  • the authorized clients are equipped with security devices having decoding capabilities, such as decryption keying materials, to decode the content. Unauthorized clients are prevented from decoding the content because they are not supplied with the decoding capabilities.
  • a traitor detection system is provided to discover an identity of an authorized client that has been compromised and is illicitly transferring decoding capabilities to unauthorized clients.
  • the traitor detection system generates different decoding capabilities and creates an association file which relates the decoding capabilities to different authorized clients.
  • the decoding capabilities are traced to determine which of them is illicitly transferred to an illegitimate user.
  • the traitor detection system consults the association file to identify one or more of the authorized clients that were supplied with the illicitly transferred decoding capabilities as a possible source of the illicit transfer. The process is repeated for the identified clients with a new set of decoding capabilities to successively narrow the field of possible pirating clients, until the compromised security device is identified.
  • The number of decoding capabilities for each detection cycle can be varied from two at the low end to one-per-client at the high end. With two per cycle, the population of suspect clients is halved each cycle, so detection takes a number of cycles equal to log base two of the number of clients (rounded up). This approach requires more detection cycles to identify the compromised security device, but involves less generation and distribution of decoding capabilities per cycle. At one-per-client, the compromised security device can be found in a single detection cycle, at the cost that the amount of decoding capabilities sent along with the data transmission is quite large.
  • the data transmission is segmented into M blocks. For each transmission block, the traitor detection system supplies N different keys to N groups of authorized security devices. The keys enable the security devices to receive that block of the data transmission.
  • Fig. 1 is a diagrammatic illustration of a data delivery system for sending data over a network to multiple authorized clients according to one implementation.
  • Fig. 1 also shows an illicit transfer of decoding capabilities from an authorized client to an unauthorized client.
  • Fig. 2 is a block diagram of a server computing unit.
  • Fig. 3 is a block diagram of an authorized client computing unit.
  • Fig. 4 is a block diagram of a cryptographic unit resident at the client.
  • Fig. 5 is a flow diagram showing steps in one method for discovering an identity of an authorized client that is illicitly transferring authorization keys to unauthorized clients.
  • Fig. 6 is a flow diagram showing steps in another method for discovering an identity of a compromised client.
  • Fig. 7 is a diagrammatic illustration of a data transmission delivered according to the Fig. 6 method.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
  • This invention concerns techniques for discovering an identity of authorized clients that have been compromised and are illicitly transferring decoding capabilities to unauthorized clients.
  • the decoding capabilities are described in a preferred implementation of cryptographic technologies having keying materials for encryption and decryption of data.
  • the following discussion assumes that the reader is familiar with cryptography.
  • the reader is directed to a text written by Bruce Schneier and entitled, "Applied Cryptography: Protocols, Algorithms, and Source Code in C,” published by John Wiley & Sons, copyright 1994 (second edition 1996), which is hereby incorporated by reference.
  • the invention is described in the context of an exemplary system architecture for delivery of content to broadcast-enabled personal computers (PCs).
  • data can be served from multiple servers concurrently over a data network, such as the Internet, to a broadcast station where it is transmitted over a broadcast network to the broadcast-enabled PCs.
  • the invention may be implemented in other system architectures.
  • the invention can be implemented in the context of conventional cable or RF television distribution architecture in which content is broadcast from a station to multiple televisions.
  • the invention can be implemented in a conventional network architecture in which content is sent from a server to multiple clients using, for example, a multicast protocol.
  • Fig. 1 shows an exemplary data delivery system 20 in which content is delivered from multiple content servers 22(1), 22(2), ..., 22(K) to multiple clients 24(1), 24(2), 24(3), ..., 24(M).
  • the content servers 22(1)-22(K) are connected to a broadcast center 26 via a bi-directional data network 28 which enables two-way communication between the content servers 22(1)-22(K) and the broadcast center 26.
  • the content servers serve content in the form of audio, video, animation, bit maps or other graphics, applications or other executable code, text, hypermedia, or other types of data.
  • the bi-directional data network 28 represents various types of networks, including the Internet, a LAN (local area network), a WAN (wide area network), and the like.
  • the data network 28 can be implemented in a number of ways, including wire-based technologies (e.g., fiber optic, cable, wire, etc.) and wireless technologies configured for two-way communication (e.g., satellite, RF, etc.).
  • The data network 28 can further be implemented using various available switching technologies (e.g., ATM (Asynchronous Transfer Mode), Ethernet, etc.) and different data communication protocols (e.g., TCP/IP, IPX, etc.).
  • the broadcast center 26 receives the data served from the content servers 22(1)- 22(K) over the network 28 and broadcasts the data over a broadcast network 30 to the clients 24(1)-24(M).
  • the broadcast network 30 can be implemented in a variety of ways, including satellite, radio, microwave, cable, and the like.
  • the broadcast center 26 includes a router 32, a signal generator 34, and a broadcast transmitter 36.
  • the router 32 is coupled to the bi-directional data network 28 to receive the data served over the network 28 from the content servers 22(1)-22(K).
  • the router 32 is a final node of the data network 28 in which data communication is bidirectional to that point and unidirectional past that point.
  • the router 32 is preferably configured as a bridge-router between the traditional data network 28 and the broadcast network 30.
  • a bridge-router is capable of supporting video and audio broadcast transmission.
  • the router 32 converts the data from a network packet format to a format appropriate for broadcast transmission.
  • the signal generator 34 generates a broadcast signal with the data embedded thereon to carry the data over the broadcast network 30.
  • the broadcast signal is passed to the transmitter 36 where it is broadcast over the broadcast network 30 to the clients 24(1)-24(M).
  • the clients might still be able to communicate with the broadcast center 26 or content servers 22(1)-22(K) using a different back channel, such as a connection to the data network 28, but this aspect is not shown in the drawings.
  • the data is encrypted at the content servers 22(1)-22(K) prior to transmission to ensure secure delivery over the data network 28 and broadcast network 30.
  • the data can be encrypted at the broadcast center 26 prior to broadcast transmission.
  • Authorized clients 24(1)-24(M) are provided with decryption capabilities, represented by a key 38, to decrypt the data.
  • the decryption capabilities are described below in more detail with reference to Fig. 3.
  • the clients 24(1)-24(M) can be implemented in a number of ways, including desktop computers, laptop computers, televisions with set-top boxes, and computer enhanced television units.
  • the clients are broadcast- enabled PCs which are described below in more detail with reference to Fig. 3.
  • An unauthorized client 39 is also shown in Fig. 1.
  • the unauthorized client 39 can be similar to an authorized client in every respect, except that the unauthorized client is not legitimately equipped with the decryption capabilities. Instead, the unauthorized client 39 obtains the decryption capabilities through illegal transfer from one of the authorized clients 24(1)-24(M).
  • Fig. 2 shows an exemplary implementation of a content server 22(1) that is configured to both serve the content in an encrypted format and to supply the keying material.
  • the content server 22(1) generates the keying materials used to encrypt the content and transmits the keying materials ahead of the content to the authorized clients 24(1)-24(M).
  • different servers might be employed to separate the functions of key generation and management and content serving.
  • the keying materials might be supplied in other ways besides transmission over the networks. For instance, authorization keys which permit access to the data transmission stream might be supplied routinely (e.g., once a week) on a disk to the authorized users.
  • the content server 22(1) includes a server computer 40 having a processor 42 (e.g., Pentium® Pro microprocessor from Intel Corporation), volatile memory 44 (e.g., RAM), and program memory 46 (e.g., ROM, flash, disk drive, floppy disk drive, CD-ROM, etc.).
  • the computer 40 is configured, for example, as a personal computer or workstation running a multitasking, disk-based operating system, such as Windows® NT from Microsoft Corporation.
  • the server computer 40 is connected to the data network 28 via a network connection 48.
  • the content server 22(1) has multiple storage disks 50 which are implemented as a disk array to store various forms of content.
  • the content server 22(1) is shown configured as continuous media file server which serves video and audio data files from a disk array of storage disks 50. However, the content server 22(1) may also be configured to serve other forms of data.
  • the server 22(1) is illustrated with two software programs: a key generator 52 and a key/client associator 54. Each program is stored in program memory 46, loaded into volatile memory 44 when launched, and executed on the processor 42.
  • the key generator 52 produces cryptographic keys that are used to encrypt the data served by the server 22(1) and to decrypt the data when it reaches the clients. More particularly, the key generator 52 creates two tiers of random symmetric keys. The keys in the first tier are called “session keys" and are used to encrypt the data being served. The session keys are given out just before the data transmission. The keys in the second tier are referred to as "authorization keys" and are used to encrypt the session keys. The authorization keys are distributed to authorized clients well ahead of the data transmission.
  • In a "symmetric" key algorithm, the encryption key can be calculated from the decryption key, and vice versa; in many cases the two keys are the same. The symmetric key must be known to both the sender and the receiver, but otherwise kept secret. Once the symmetric key is divulged, any party can encrypt or decrypt messages. Examples of suitable symmetric ciphers include DES (Data Encryption Standard).
  • the data is encrypted by a symmetric encryption algorithm "E” using the session key "Ksession” as follows:
  • the session key "Ksession” is then encrypted by a symmetric encryption algorithm “E” using the authorization key "Kauthorization” as follows:
  • the authorization keys are preferably distributed to the authorized clients 24 in encrypted format using the authorized clients' public keys of asymmetric key pairs.
  • An "asymmetric" key algorithm involves two separate keys, a public key and a private key. The keys are based upon a mathematical relationship in which one key cannot be calculated (at least in any reasonable amount of time) from the other. The public key is distributed to other parties and the private key is kept in confidence by its holder. The pair gives two guarantees. First, only the holder of the private key can decrypt a message that was encrypted with the corresponding public key. Second, if another party decrypts a message using the public key, that party can be assured that the message was encrypted with the private key and thus originated with the holder of the private key.
  • An example asymmetric cipher is the well-known RSA cryptographic algorithm named for the creators Rivest, Shamir, and Adleman.
  • The server encrypts the authorization key with an asymmetric encryption algorithm "E" using the public key of the authorized client 24(1), "Kpub_24(1)", as follows:
  • FIG. 3 shows an exemplary configuration of an authorized client 24(1) implemented as a broadcast-enabled computer. It includes a central processing unit 60 having a processor 62 (e.g., x86 or Pentium® microprocessor from Intel Corporation), volatile memory 64 (e.g., RAM), and program memory 66 (e.g., ROM, Flash, disk drive, floppy disk drive, CD-ROM, etc.).
  • the client 24(1) has one or more input devices 68 (e.g., keyboard, mouse, etc.), a computer display 70 (e.g., VGA, SVGA), and a stereo I/O 72 for interfacing with a stereo system.
  • the client 24(1) includes a digital broadcast receiver 74 (e.g., satellite dish receiver, RF receiver, microwave receiver, multicast listener, etc.) and a tuner 76 which tunes to appropriate frequencies or addresses of the broadcast network 30 (Fig. 1).
  • the tuner 76 is configured to receive digital broadcast data in a particularized format, such as MPEG-encoded digital video and audio data, as well as digital data in many different forms, including software programs and programming information in the form of data files.
  • the client 24(1) also has a modem 78 which provides dial-up access to the data network 28 to provide a back channel or direct link to the content servers 22. In other implementations of a back channel, the modem 78 might be replaced by a network card, or an RF receiver, or other type of port/receiver which provides access to the back channel.
  • the client 24(1) runs an operating system which supports multiple applications.
  • the operating system is preferably a multitasking operating system which allows simultaneous execution of multiple applications.
  • the operating system employs a graphical user interface windowing environment which presents the applications or documents in specially delineated areas of the display screen called "windows."
  • One preferred operating system is a Windows® brand operating system sold by Microsoft Corporation, such as Windows® 95 or Windows® NT or other derivative versions of Windows®. It is noted, however, that other operating systems which provide windowing environments may be employed, such as the Macintosh operating system from Apple Computer, Inc. and the OS/2 operating system from IBM.
  • the client 24(1) is illustrated with a key listener 80 to receive the authorization and session keys transmitted from the server.
  • the keys received by listener 80 are used by the cryptographic security services implemented at the client to enable decryption of the session keys and data.
  • Cryptographic services are implemented through a combination of hardware and software.
  • a secure, tamper-resistant hardware unit 82 is provided external to the CPU 60 and two software layers 84, 86 executing on the processor 62 are used to facilitate access to the resources on the cryptographic hardware 82.
  • the software layers include a cryptographic application program interface (CAPI) 84 which provides functionality to any application seeking cryptographic services (e.g., encryption, decryption, signing, or verification).
  • One or more cryptographic service providers (CSPs) 86 implement the functionality presented by the CAPI to the application.
  • the CAPI layer 84 selects the appropriate CSP for performing the requested cryptographic function.
  • the CSPs 86 perform various cryptographic functions such as encryption key management, encryption/decryption services, hashing routines, digital signing, and authentication tasks in conjunction with the cryptographic unit 82.
  • a different CSP might be configured to handle specific functions, such as encryption, decryption, signing, etc., although a single CSP can be implemented to handle them all.
  • the CSPs 86 can be implemented as dynamic linked libraries (DLLs) that are loaded on demand by the CAPI, and which can then be called by an application through the CAPI 84.
  • Fig. 4 shows the cryptographic unit 82 in more detail. It includes a logic unit 90, a secure non-volatile memory 92, and an interface 94 to the client. These components are built from tamper-resistant integrated circuit chips that are hardened against external scanning and fabricated with semiconductor processes that make them difficult to reverse engineer through layer-by-layer dissection.
  • the interface 94 is preferably a high speed interface, such as a PCI bus connection. Other high speed connections include VLB and 1394 serial connections. The connection between the cryptographic unit 82 and client CPU 60 does not need to be secure.
  • Internal to the cryptographic hardware 82 is a public/private key pair which is randomly generated during manufacturing.
  • a private key 96 is confidentially maintained within the device and never exposed, while a public key 98 can be exported to the client.
  • Each client security device has its own public/private key pair which can be used as a means for identification of the client for purposes of distributing authorization keys.
  • the public/private key pair are shown stored in memory 92, although the private key may be hardcoded into the unit.
  • The public key is signed by the manufacturer to produce a signature 100 which can be exported for purposes of authenticating the hardware unit. Both the public key 98 and the manufacturer signature 100 can be passed to the client CPU 60.
  • the cryptographic unit 82 has an asymmetric key cryptographic cipher 102 which provides cryptographic functions involving the public/private key pair, such as decryption of an authorization key 104 for a data transmission.
  • The asymmetric cipher 102 is implemented in hardware as part of the logic unit 90.
  • a suitable asymmetric cipher is the RSA algorithm.
  • The cryptographic unit 82 also has a high speed symmetric key cryptographic cipher 106 implemented in the logic unit 90.
  • The symmetric cipher 106 is used to decrypt session keys 108 and the data itself. Symmetric ciphers offer suitable real-time speed for bulk decryption of data, whereas asymmetric ciphers are too slow for general bulk decryption.
  • a suitable symmetric cipher is the Triple-DES Cipher-Block- Chaining algorithm, although other ciphers are acceptable (e.g., IDEA, RC4, etc.).
  • the key listener 80 invokes the CAPI 84 and CSP 86 to perform the decryption of the authorization key.
  • the authorization key is passed in its encrypted format from the CSP 86 through to the cryptographic unit 82.
  • The asymmetric cipher 102 uses the confidential private key 96 (i.e., "Kpri_24(1)") to decrypt the authorization key according to a decryption function "D", as follows:
  • the authorization key 104 is stored in secure memory 92 and subsequently used to decrypt the data.
  • the client CPU 60 cannot read or access the authorization key 104; rather, the authorization key is maintained in confidence within the tamper-resistant hardware unit 82.
  • Upon receipt of the encrypted session key, the symmetric cipher 106 is invoked to decrypt the session key.
  • the symmetric cipher 106 uses the authorization key 104 to decrypt the session key as follows:
  • the session key 108 is likewise stored in secure memory 92. As the client receives the encrypted data, the data is directly passed to the cryptographic unit 82 in an encrypted format. The symmetric cipher 106 uses the session key 108 to decrypt the data as follows:
  • Any server can generate keys for any client without intervention by a central authority. Because each server 22(1)-22(K) is independent and generates its own symmetric keys, the compromise of one server's keys does not jeopardize any other server.
  • By using authorization keys to distribute session keys, the server has tremendous flexibility to assign which session keys a client can receive. In the case of subscription services, for example, the content server can establish a set of transmissions that the client is authorized to receive, while holding out other transmissions that the client is not authorized to receive.
  • the data delivery system 20 can be configured to provide one authorization key for each data transmission (e.g., one key per television show or movie), or one authorization key for several transmissions (e.g., one key for four movies), or one authorization key for a period of time (e.g., one key per day or week). Since the private key, authorization key, and session key are kept confidential in the cryptographic unit 82 and the decryption is performed in the unit, the client CPU 60 is unable to obtain the keys and share them with others.
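The two-tier key hierarchy described above (session keys encrypt the content, authorization keys encrypt the session keys, and each authorization key reaches its client wrapped under that client's public key, with all unwrapping confined to the client's cryptographic unit) in runnable form. This is an added example written for this page, not code from the patent or from Microsoft. It assumes an HMAC-SHA256 counter-mode stream cipher as the symmetric cipher E/D (a stand-in for the Triple-DES CBC the patent names), a textbook RSA pair built from two fixed Mersenne primes with no padding as the asymmetric cipher (a toy shared by every unit in the demo, where the patent gives each unit its own pair at manufacture; never usable as is), and 16-byte keys; the class and function names are mine.

```python
# Added example: the patent's two-tier key hierarchy, end to end.
# Assumptions (not in the patent): HMAC-SHA256 counter-mode stream cipher as E/D
# (stand-in for Triple-DES CBC); textbook RSA over two fixed Mersenne primes with
# no padding as the asymmetric cipher (toy only); 16-byte keys and nonces.
import hashlib
import hmac
import os

KEY_LEN = 16
NONCE_LEN = 16

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks: a PRF in CTR mode."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)

def E(key: bytes, plaintext: bytes) -> bytes:
    """Symmetric encryption 'E' of the text; output is nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)

def D(key: bytes, blob: bytes) -> bytes:
    """Symmetric decryption 'D' of the text (inverse of E)."""
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])

# Toy RSA pair. Assumption: one fixed pair shared by every unit in this demo,
# where the patent gives each hardware unit its own pair at manufacture.
_P = (1 << 127) - 1  # Mersenne prime
_Q = (1 << 89) - 1   # Mersenne prime
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))

def rsa_wrap(pub: tuple, key: bytes) -> int:
    """E_Kpub(Kauthorization) with textbook RSA (no padding: illustration only)."""
    n, e = pub
    m = int.from_bytes(key, "big")
    if m >= n:
        raise ValueError("key does not fit the modulus")
    return pow(m, e, n)

def rsa_unwrap(priv: tuple, wrapped: int) -> bytes:
    """D_Kpri(E_Kpub(Kauthorization))."""
    n, d = priv
    return pow(wrapped, d, n).to_bytes(KEY_LEN, "big")

class CryptoUnit:
    """Client-side tamper-resistant unit (Fig. 4): private, authorization and
    session keys stay inside; only decrypted content is handed back."""
    def __init__(self):
        self._priv, self.pub = (RSA_N, RSA_D), (RSA_N, RSA_E)
        self._auth_key = self._session_key = None
    def load_authorization_key(self, wrapped: int) -> None:
        self._auth_key = rsa_unwrap(self._priv, wrapped)
    def load_session_key(self, wrapped: bytes) -> None:
        if self._auth_key is None:
            raise RuntimeError("no authorization key for this transmission")
        self._session_key = D(self._auth_key, wrapped)
    def decrypt_content(self, ciphertext: bytes) -> bytes:
        return D(self._session_key, ciphertext)

class ContentServer:
    """Server side (Fig. 2): generates both key tiers, keeps Kauthorization per client."""
    def __init__(self):
        self._auth_keys = {}  # client id -> Kauthorization
    def enroll(self, client_id: str, client_pub: tuple) -> int:
        """Generate Kauthorization; return it wrapped under the client's public key."""
        k_auth = os.urandom(KEY_LEN)
        self._auth_keys[client_id] = k_auth
        return rsa_wrap(client_pub, k_auth)
    def transmit(self, client_id: str, data: bytes) -> tuple:
        """Fresh Ksession per transmission: (E_Kauth(Ksession), E_Ksession(data))."""
        k_session = os.urandom(KEY_LEN)
        return E(self._auth_keys[client_id], k_session), E(k_session, data)

SAMPLE = b"constructed sample content block for the demo"

def authorized_receive(data: bytes = SAMPLE) -> bytes:
    """Client 24(1): enroll, unwrap both key tiers inside the unit, decrypt content."""
    server, unit = ContentServer(), CryptoUnit()
    unit.load_authorization_key(server.enroll("client-24(1)", unit.pub))
    wrapped_session, ciphertext = server.transmit("client-24(1)", data)
    unit.load_session_key(wrapped_session)
    return unit.decrypt_content(ciphertext)

def unauthorized_receive(data: bytes = SAMPLE) -> bytes:
    """Client 39: same transmission, wrong authorization key, so garbage comes out."""
    server, unit = ContentServer(), CryptoUnit()
    server.enroll("client-24(1)", unit.pub)
    wrapped_session, ciphertext = server.transmit("client-24(1)", data)
    unit.load_authorization_key(rsa_wrap(unit.pub, os.urandom(KEY_LEN)))  # not the real key
    unit.load_session_key(wrapped_session)
    return unit.decrypt_content(ciphertext)
```

The point of the layering shows in `ContentServer.transmit`: the server never re-encrypts content per client, only the 16-byte session key, so holding out a transmission from a client is a matter of not wrapping that session key under that client's authorization key. The unauthorized path fails at the session-key tier, not at the content tier, which is exactly why a leaked authorization key is worth buying.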
  • the cryptographic units may be compromised in a manner that permits the pirating user to transfer the authorization keys to unauthorized clients, such as client 39 in Fig. 1.
  • the system operators often learn of the illegal activity. For instance, undercover law enforcement agencies or private investigators might covertly purchase authorization keys on a black market or from a broker of stolen goods. The existence of pirated keys reveals that a client has been compromised; but this knowledge does not, unfortunately, lead to identification of the specific client because many authorized clients receive the same authorization keys.
  • Fig. 5 shows exemplary steps in a method for discovering an identity of an authorized client that is known to be compromised as illicitly transferring authorization keys to unauthorized clients.
  • the steps are implemented in hardware and software resident at either the content server, the authorized clients, or the unauthorized clients, as identified in the figure. The steps are described with reference to Figs. 1-4.
  • the key generator 52 in server 22(1) generates one or more session keys and multiple authorization keys for a single data transmission (step 120 in Fig. 5).
  • the key/client associator 54 relates the different authorization keys to different authorized clients (step 122).
  • The key/client associator 54 constructs a key/client association table 56 which inherently associates, through its data structure, the authorization keys and clients.
  • The table 56 can be organized with a key data field to hold the authorization keys and a client data field to hold information identifying the client, such as a client ID or the client's public key.
  • the content server 22(1) generates two authorization keys, assigning the first authorization key to one half of the clients and the second authorization key to the other half of the clients.
  • the content server can generate one authorization key for every client, to provide a one-to-one correspondence between the keys and clients.
  • the authorization keys are distributed to the clients well ahead of any data transmission.
  • the authorization keys are preferably encrypted using the public keys of the associated clients, although they may be delivered on a storage medium or the like directly to the appropriate authorized clients.
  • the server encrypts the data with the one or more session keys (step 126) and then encrypts the session keys with the authorization keys (step 128).
  • the encrypted session keys are transmitted over the networks to the authorized clients 24(1)-24(M) just before the data transmissions.
  • the cryptographic unit 82 uses the authorization key it was assigned to decrypt the one or more session keys (step 132 in Fig. 5). The cryptographic unit 82 then uses the session keys to decrypt the data (step 134).
  • the server operator can trace the authorization key to the client(s) that were assigned the authorization key (step 140 in Fig. 5).
  • the server cross-references the discovered authorization key via the key/client association file to identify the authorized client(s) that received the authorization key.
  • the process either narrows the population of suspect clients, or precisely identifies the traitor client (step 142 in Fig. 5). For example, if the clients are split into two groups, each with a different authorization key, the process will halve the population of possible traitors with each cycle. For precise identification, the process requires a number of iterations equal to log base two of the number of clients in the population.
  • the key/client associator 54 associates the N authorization keys with N separate groups of clients (step 156 in Fig. 6).
  • the first set of N authorization keys are distributed to the respective groups of clients (step 158 in Fig. 6).
  • the server also delivers the first block of the data transmission (step 160).
  • the clients use the authorization keys to decrypt the session keys for the first block of the data transmission to enable the client to receive and decrypt the first block of data.
  • the first N authorization keys cannot be used, however, to decrypt session keys belonging to subsequent blocks in the data transmission.
  • the server operator learns that one of the N keys has been illicitly transferred from an authorized client to one or more unauthorized clients (step 162 in Fig. 6).
  • the server analyzes which one of the N groups of authorized clients was sent the suspect key.
  • the identified group includes the compromised client, while the rest of the N groups of clients are eliminated.
  • the process is then repeated for the identified group for the next i-th block in the data transmission (step 164 in Fig. 6).
  • Fig. 7 shows an example of this method in which a data transmission 170 is destined to 10,000 authorized clients, one of which is believed to be compromised.
  • the key generator produces ten new authorization keys and assigns them to ten groups of 100 clients within the population. Again, one of the ten keys is found to be illegally conveyed and the suspect group is noted. The second iteration narrows the population of potential traitors to 100.
  • the key generator produces ten new authorization keys and assigns them to ten groups of 10 clients within the reduced population. The third iteration narrows the population of potential traitors to 10.
  • the key generator produces ten new authorization keys and assigns each one to one client in the suspect population. When one of these keys is transferred illegally, the operator can pinpoint the compromised client and initiate legal proceedings against that user. Accordingly, by properly selecting the number of segments M and the number of keys N for each segment, the operator can precisely identify the compromised client during a single data transmission.
  • the implementation described above employs a security device based on cryptographic functions.
  • This invention may also be utilized in connection with security devices that employ other types of encoding/decoding technologies.
  • the authorized clients might be given authorization passwords or numbers for use in receiving broadcast content.
  • the authorized client might be supplied with descrambling codes, or the like, to enable receipt of a scrambled data transmission.
  • the invention has been described in language more or less specific as to structural and methodical features. It is to be understood, however, that the invention is not limited to the specific features described, since the means herein disclosed comprise preferred forms of putting the invention into effect. The invention is, therefore, claimed in any of its forms or modifications within the proper scope of the appended claims appropriately interpreted in accordance with the doctrine of equivalents.
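The block-by-block narrowing described in the steps above (split the current suspect population into N groups, give each group its own authorization key, encrypt the block's session key under each authorization key, and on learning which key leaked keep only that group) is simulated below. This is an added example for this page, not code from the patent; the client IDs, the number of groups and the "traitor" are constructed here, and the key wrapping is a SHA-256 keystream XOR standing in for whatever cipher a real content server would use. It also generalizes the Fig. 7 walk-through: `blocks_needed` gives the iteration count for any population and group count, including the two-group (binary) split described earlier.

```python
"""Simulation of the per-block traitor-tracing procedure described above.

Added example for this page; it is not code from the patent. The key
wrapping is a SHA-256 keystream XOR used only as a stand-in cipher, and all
client IDs and keys are constructed here.
"""
import hashlib
import secrets
from typing import Dict, List, Tuple


def wrap(auth_key: bytes, block: int, session_key: bytes) -> bytes:
    """Encrypt a session key (up to 32 bytes) under an authorization key.

    Stand-in for a real cipher: XOR with a SHA-256 keystream bound to the
    block index, so a key issued for block i is useless for block i+1
    (the rule that the first N keys cannot decrypt later blocks' session keys).
    """
    stream = hashlib.sha256(auth_key + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(session_key, stream))


unwrap = wrap  # XOR with the same keystream inverts itself


class KeyClientAssociator:
    """Key/client association table for one block of the transmission.

    Splits the current suspect population into up to n_keys groups and gives
    each group its own freshly generated authorization key.
    """

    def __init__(self, clients: List[int], n_keys: int) -> None:
        self.clients_for_key: Dict[bytes, List[int]] = {}
        self.key_for_client: Dict[int, bytes] = {}
        for i in range(n_keys):
            group = clients[i::n_keys]          # round-robin split, near-equal sizes
            if not group:
                continue                        # fewer suspects than keys
            key = secrets.token_bytes(16)
            self.clients_for_key[key] = group
            for c in group:
                self.key_for_client[c] = key


def trace_traitor(clients: List[int], traitor: int, n_keys: int) -> Tuple[List[int], int]:
    """Narrow the suspect set block by block until one client remains.

    `traitor` is the hidden compromised client whose unit leaks its key every
    block; the server-side logic never reads it directly, it only sees the
    leaked key. Returns (final suspect list, number of blocks consumed).
    """
    suspects = list(clients)
    block = 0
    while len(suspects) > 1:
        assoc = KeyClientAssociator(suspects, n_keys)
        session_key = secrets.token_bytes(16)
        # server encrypts this block's session key once per authorization key
        wrapped = {k: wrap(k, block, session_key) for k in assoc.clients_for_key}
        # the compromised unit passes its authorization key to an unauthorized client
        leaked = assoc.key_for_client[traitor]
        # that client can recover this block's session key, but only this block's
        assert unwrap(leaked, block, wrapped[leaked]) == session_key
        # the operator obtains the leaked key and cross-references the table:
        # the group that received it contains the traitor, all others are cleared
        suspects = assoc.clients_for_key[leaked]
        block += 1
    return suspects, block


def blocks_needed(population: int, n_keys: int) -> int:
    """Blocks required to isolate one client when each block splits the
    remaining suspects into n_keys groups (ceiling of log base n_keys)."""
    blocks = 0
    while population > 1:
        population = -(-population // n_keys)   # ceiling division
        blocks += 1
    return blocks


if __name__ == "__main__":
    population = list(range(10_000))            # constructed client IDs
    found, used = trace_traitor(population, traitor=4242, n_keys=10)
    print(found, used)                           # [4242] 4, as in Fig. 7
    print(blocks_needed(10_000, 2))              # 14 for the two-group split
```

The round-robin split keeps group sizes equal whenever the population divides evenly, which is what makes the Fig. 7 figures (1,000, 100, 10, 1) come out exactly; with an uneven population the last iteration simply has some groups of one client. Note that the server only ever needs the leaked key value and the table for the block in which it leaked, so the table for each block should be retained until that block's key is known not to have circulated.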

Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Software Systems (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Technology Law (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Virology (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

A data transmission system has a content server or other mechanism for transmitting encoded content to multiple authorized clients. These authorized clients are equipped with security devices having decoding capabilities to decode the content. Unauthorized clients are prevented from decoding the content because they do not possess the decoding capabilities. A traitor detection system, forming part of the data transmission system, makes it possible to discover the identity of an authorized client that has been compromised and is illicitly transferring decoding capabilities to unauthorized clients. This traitor detection system generates different decoding capabilities and creates an association file that associates the different decoding capabilities with different authorized clients. These decoding capabilities are monitored to determine which capability is illicitly transferred to an unauthorized user. In the event of an illicit transfer of one of these decoding capabilities, the traitor detection system consults the association file to identify one or more of the authorized clients that originally received the illicitly transferred decoding capabilities. The set of identified clients includes the compromised client. This process is repeated for the set of identified clients with a new set of decoding capabilities so as to progressively narrow the field of possible pirate clients until the compromised security device is precisely located.
EP98963737A 1997-10-14 1998-09-16 System and method for discovering compromised security devices Withdrawn EP1031206A2 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US94943897A 1997-10-14 1997-10-14
US949438 1997-10-14
PCT/US1998/019352 WO1999019822A2 (fr) 1997-10-14 1998-09-16 System and method for discovering compromised security devices

Publications (1)

Publication Number Publication Date
EP1031206A2 true EP1031206A2 (fr) 2000-08-30

Family

ID=25489083

Family Applications (1)

Application Number Title Priority Date Filing Date
EP98963737A Withdrawn EP1031206A2 (fr) 1997-10-14 1998-09-16 System and method for discovering compromised security devices

Country Status (3)

Country Link
EP (1) EP1031206A2 (fr)
JP (1) JP2003502719A (fr)
WO (1) WO1999019822A2 (fr)

Families Citing this family (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7415110B1 (en) 1999-03-24 2008-08-19 Intel Corporation Method and apparatus for the generation of cryptographic keys
JP2000330783A (ja) * 1999-05-20 2000-11-30 Nec Corp Software illegal-copy prevention system and recording medium recording a software illegal-copy prevention program
KR20010004791A (ko) * 1999-06-29 2001-01-15 윤종용 Apparatus and method for securing user information in a mobile communication system in an Internet environment
GB2353682B (en) 1999-07-15 2004-03-31 Nds Ltd Key management for content protection
IL130963A (en) 1999-07-15 2006-04-10 Nds Ltd Key management for content protection
US6477252B1 (en) * 1999-08-29 2002-11-05 Intel Corporation Digital video content transmission ciphering and deciphering method and apparatus
US6947558B1 (en) 1999-08-29 2005-09-20 Intel Corporation Stream cipher having a shuffle network combiner function
US6920221B1 (en) 1999-08-29 2005-07-19 Intel Corporation Method and apparatus for protected exchange of status and secret values between a video source application and a video hardware interface
US7068786B1 (en) 1999-08-29 2006-06-27 Intel Corporation Dual use block/stream cipher
US6731758B1 (en) 1999-08-29 2004-05-04 Intel Corporation Digital video content transmission ciphering and deciphering method and apparatus
US6289455B1 (en) 1999-09-02 2001-09-11 Cryptography Research, Inc. Method and apparatus for preventing piracy of digital content
EP1111924A1 (fr) 1999-12-22 2001-06-27 Irdeto Access B.V. Method for controlling the use of a program signal in a broadcast system, and control device for a receiver for implementing such a method
EP1111923A1 (fr) * 1999-12-22 2001-06-27 Irdeto Access B.V. Method for using a conditional access system for broadcast applications
US7003107B2 (en) 2000-05-23 2006-02-21 Mainstream Encryption Hybrid stream cipher
FR2811505B1 (fr) * 2000-07-06 2002-12-06 At Sky System for controlling access to digital data online and offline by means of a software key server
FR2811503B1 (fr) * 2000-07-07 2002-12-06 Innovatron Sa Method for delivering audio, video or text sequences by teletransmission of digital data individually watermarked according to the recipient
US7505593B2 (en) 2002-12-09 2009-03-17 International Business Machines Corporation Method for tracing traitors and preventing piracy of digital content in a broadcast encryption system
US9520993B2 (en) 2001-01-26 2016-12-13 International Business Machines Corporation Renewable traitor tracing
US7103184B2 (en) 2002-05-09 2006-09-05 Intel Corporation System and method for sign mask encryption and decryption
FR2856539A1 (fr) * 2003-06-17 2004-12-24 France Telecom Traceable method and system for encrypting and/or decrypting information, and recording media for implementing the method
JP2005079864A (ja) * 2003-08-29 2005-03-24 Toshiba Corp Broadcasting device, receiving device, broadcasting method and receiving method
GB2419222B (en) 2004-10-15 2007-05-30 Zootech Ltd Copy deterrent for an audiovisual product
US8161296B2 (en) * 2005-04-25 2012-04-17 Samsung Electronics Co., Ltd. Method and apparatus for managing digital content
JP2006311625A (ja) * 2006-08-18 2006-11-09 Toshiba Corp Broadcasting device, receiving device, broadcasting method and receiving method
US20090202079A1 (en) * 2008-02-11 2009-08-13 Nokia Corporation Method, apparatus and computer program product for providing mobile broadcast service protection
JP2010104035A (ja) * 2010-01-25 2010-05-06 Toshiba Corp Receiving device and receiving method
JP2010119138A (ja) * 2010-02-15 2010-05-27 Toshiba Corp Receiving device and receiving method
JP6018880B2 (ja) * 2012-11-05 2016-11-02 日本放送協会 Encryption device, decryption device, encryption program, and decryption program
US9936008B2 (en) * 2013-12-03 2018-04-03 Red Hat, Inc. Method and system for dynamically shifting a service

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO9919822A2 *

Also Published As

Publication number Publication date
WO1999019822A3 (fr) 1999-06-17
JP2003502719A (ja) 2003-01-21
WO1999019822A2 (fr) 1999-04-22

Similar Documents

Publication Publication Date Title
WO1999019822A2 (fr) System and method for discovering compromised security devices
CN1146185C (zh) Protecting information in a system
US7480385B2 (en) Hierarchical encryption key system for securing digital media
US7466826B2 (en) Method of secure transmission of digital data from a source to a receiver
RU2433548C2 (ru) Method for descrambling a scrambled content information object
JP4976107B2 (ja) Method for scrambling and descrambling units of data
CN1655495B (zh) System and method for transmitting a security key to a target user with strong pairing
EP1560361B1 (fr) Secure key authentication and ladder system
US6550008B1 (en) Protection of information transmitted over communications channels
JP4818559B2 (ja) Method of operating a conditional access system for broadcast applications
KR100898437B1 (ko) Method for managing symmetric keys in a communication network, communication device, and device for processing data in a communication network
US20060184796A1 (en) System and method for a variable key ladder
US20060047976A1 (en) Method and apparatus for generating a decryption content key
US6516414B1 (en) Secure communication over a link
JP4740859B2 (ja) Portable security module pairing
US7529375B2 (en) Method for processing encrypted data for first domain received in a network pertaining to a second domain
JP4447908B2 (ja) Local digital network and method for introducing a new device, and method for broadcasting and receiving data in that network
US7415440B1 (en) Method and system to provide secure key selection using a secure device in a watercrypting environment
CN111431846A (zh) Method, apparatus and system for data transmission
KR102286784B1 (ko) UHD broadcast content security system
US20220417001A1 (en) System and method for securely delivering keys and encrypting content in cloud computing environments
US20040019805A1 (en) Apparatus and method for securing a distributed network
US9124770B2 (en) Method and system for prevention of control word sharing
JP2006129535A (ja) Scrambled broadcast system for stream media data
JP2004172870A (ja) Scrambled broadcast system for stream media data

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20000502

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): DE FR GB

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20020403