EP1031206A2 - Systeme et procede servant a rechercher des dispositifs de securite compromis - Google Patents
Systeme et procede servant a rechercher des dispositifs de securite compromisInfo
- Publication number
- EP1031206A2 EP1031206A2 EP98963737A EP98963737A EP1031206A2 EP 1031206 A2 EP1031206 A2 EP 1031206A2 EP 98963737 A EP98963737 A EP 98963737A EP 98963737 A EP98963737 A EP 98963737A EP 1031206 A2 EP1031206 A2 EP 1031206A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- authorized
- clients
- security devices
- illicitly
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
- 238000000034 method Methods 0.000 title claims abstract description 45
- 230000001010 compromised effect Effects 0.000 title claims abstract description 37
- 238000001514 detection method Methods 0.000 claims abstract description 16
- 238000013475 authorization Methods 0.000 claims description 72
- 230000005540 biological transmission Effects 0.000 claims description 51
- 239000000463 material Substances 0.000 claims description 41
- 238000012546 transfer Methods 0.000 claims description 11
- 230000008569 process Effects 0.000 abstract description 9
- 230000007246 mechanism Effects 0.000 abstract description 3
- 230000006870 function Effects 0.000 description 7
- 238000010586 diagram Methods 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 5
- 230000006854 communication Effects 0.000 description 4
- 238000004891 communication Methods 0.000 description 4
- 238000009826 distribution Methods 0.000 description 4
- 230000000694 effects Effects 0.000 description 4
- 238000003860 storage Methods 0.000 description 3
- 238000007726 management method Methods 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 230000007175 bidirectional communication Effects 0.000 description 1
- 230000002457 bidirectional effect Effects 0.000 description 1
- 238000004883 computer application Methods 0.000 description 1
- 238000002224 dissection Methods 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N7/00—Television systems
- H04N7/16—Analogue secrecy systems; Analogue subscription systems
- H04N7/173—Analogue secrecy systems; Analogue subscription systems with two-way working, e.g. subscriber sending a programme selection signal
- H04N7/17345—Control of the passage of the selected programme
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/109—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by using specially-adapted hardware at the client
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/16—Program or content traceability, e.g. by watermarking
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/20—Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
- H04N21/25—Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
- H04N21/266—Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
- H04N21/26606—Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel for generating or managing entitlement messages, e.g. Entitlement Control Message [ECM] or Entitlement Management Message [EMM]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/40—Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
- H04N21/43—Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
- H04N21/442—Monitoring of processes or resources, e.g. detecting the failure of a recording device, monitoring the downstream bandwidth, the number of times a movie has been viewed, the storage space available from the internal hard disk
- H04N21/44236—Monitoring of piracy processes or activities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N7/00—Television systems
- H04N7/16—Analogue secrecy systems; Analogue subscription systems
- H04N7/167—Systems rendering the television signal unintelligible and subsequently intelligible
- H04N7/1675—Providing digital key or authorisation information for generation or regeneration of the scrambling sequence
Definitions
- This invention relates to a data delivery system in which data is encrypted and served to multiple clients that are authorized to decrypt the data. More particularly, this invention relates to systems and methods for discovering authorized clients that have been compromised and are illicitly transferring decryption capabilities to unauthorized clients so that the unauthorized clients can decrypt the data.
- a slightly more difficult problem concerns the broadcast or multicast delivery of data over a unidirectional network from one source to many receivers.
- Well-known systems of this type include broadcast and cable television, radio, satellite entertainment, and network multicasting.
- One common technique used in cable and satellite television is to scramble the data prior to transmission.
- Authorized users are equipped with cable decoders or satellite descramblers to descramble the data after transmission.
- the descramblers are usually implemented as hardware devices having a decoding chip or software code for decrambling the data transmission. Unauthorized users who intercept the data transmission are prevented from decoding the data because they do not possess the descrambler.
- Cryptographic solutions can also be used to protect broadcast data delivery.
- the data is encrypted at the content provider prior to transmission and broadcast in the encrypted format.
- Authorized users are given keying materials before or during the broadcast for use in decrypting the data. Unauthorized users can eavesdrop on the data transmissions, but are unable to decrypt the data into meaningful information without access to the keying materials. As a result, the data transmissions are secure.
- the decoding capabilities are implemented in hardware- or software-based security devices located at the authorized users' residents. Due to this isolation, the security devices are susceptible to being compromised. Despite the best devised plans, protection schemes will inevitably be attacked by pirates who attempt to circumvent the protection schemes for purposes of illegal gain. With sufficient time and resources, a pirate masquerading as an authorized user can patiently reverse engineer a descrambling code or deduce cryptographic keying material. Once the security device is compromised, the pirate can illicitly sell the decoding information to unauthorized users for illegal profit, allowing the unauthorized users to receive the data transmission.
- This inventors have developed a system and method which addresses the problems of pirate attacks.
- a data delivery system has a content server or other mechanism for delivering encoded content to multiple authorized clients.
- the content is encrypted using a cryptographic keying material, although other encoding protocols may be used.
- the authorized clients are equipped with security devices having decoding capabilities, such as decryption keying materials, to decode the content. Unauthorized clients are prevented from decoding the content because they are not supplied with the decoding capabilities.
- a traitor detection system is provided to discover an identity of an authorized client that has been compromised and is illicitly transferring decoding capabilities to unauthorized clients.
- the traitor detection system generates different decoding capabilities and creates an association file which relates the decoding capabilities to different authorized clients.
- the decoding capabilities are traced to determine which of them is illicitly transferred to an illegitimate user.
- the traitor detection system consults the association file to identify one or more of the authorized clients that were supplied with the illicitly transferred decoding capabilities as a possible source of the illicit transfer. The process is repeated for the identified clients with a new set of decoding capabilities to successively narrow the field of possible pirating clients, until the compromised security device is identified.
- the number of decoding capabilities for each detection cycle can be varied from two at the low end, to one-per-client at the high end. With two-per-cycle, the population of clients is successively reduced by half with detection occurring at log base two of the number of clients. This approach requires more detection cycles to identify the compromised security device, but involves less generation and distribution of decoding capabilities for each cycle. At one-per-client, the compromised security device can be found in one detection cycle, but at a tradeoff in that the amount of decoding capabilities sent along with the data transmission is quite large.
- the data transmission is segmented into M blocks. For each transmission block, the traitor detection system supplies N different keys to N groups of authorized security devices. The keys enable the security devices to receive that block of the data transmission.
- Fig. 1 is a diagrammatic illustration of a data delivery system for sending data over a network to multiple authorized clients according to one implementation.
- Fig. 1 also shows an illicit transfer of decoding capabilities from an authorized client to an unauthorized client.
- Fig. 2 is a block diagram of a server computing unit.
- Fig. 3 is a block diagram of an authorized client computing unit.
- Fig. 4 is a block diagram of a cryptographic unit resident at the client.
- Fig. 5 is a flow diagram showing steps in one method for discovering an identity of an authorized client that is illicitly transferring authorization keys to unauthorized clients.
- Fig. 6 is a flow diagram showing steps in another method for discovering an identity of a compromised client.
- Fig. 7 is a diagrammatic illustration of a data transmission delivered according to the Fig. 6 method. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
- This invention concerns techniques for discovering an identity of authorized clients that have been compromised and are illicitly transferring decoding capabilities to unauthorized clients.
- the decoding capabilities are described in a preferred implementation of cryptographic technologies having keying materials for encryption and decryption of data.
- the following discussion assumes that the reader is familiar with cryptography.
- the reader is directed to a text written by Bruce Schneier and entitled, "Applied Cryptography: Protocols, Algorithms, and Source Code in C,” published by John Wiley & Sons, copyright 1994 (second edition 1996), which is hereby incorporated by reference.
- the invention is described in the context of an exemplary system architecture for delivery of content to broadcast-enabled personal computers (PCs).
- data can be served from multiple servers concurrently over a data network, such as the Internet, to a broadcast station where it is transmitted over a broadcast network to the broadcast-enabled PCs.
- the invention may be implemented in other system architectures.
- the invention can be implemented in the context of conventional cable or RF television distribution architecture in which content is broadcast from a station to multiple televisions.
- the invention can be implemented in a conventional network architecture in which content is sent from a server to multiple clients using, for example, a multicast protocol.
- Fig. 1 shows an exemplary data delivery system 20 in which content is delivered from multiple content servers 22(1), 22(2), ..., 22(K) to multiple clients 24(1), 24(2), 24(3), ..., 24(M).
- the content servers 22(1)-22(K) are connected to a broadcast center 26 via a bi-directional data network 28 which enables two-way communication between the content servers 22(1)-22(K) and the broadcast center 26.
- the content servers serve content in the form of audio, video, animation, bit maps or other graphics, applications or other executable code, text, hypermedia, or other types of data.
- the bi-directional data network 28 represents various types of networks, including the Internet, a LAN (local area network), a WAN (wide area network), and the like.
- the data network 28 can be implemented in a number of ways, including wire-based technologies (e.g., fiber optic, cable, wire, etc.) and wireless technologies configured for two-way communication (e.g., satellite, RF, etc.).
- the data network 28 can further be implemented using various available switching technologies (e.g., ATM (Asynchronous
- Transfer Mode Ethernet, etc.
- different data communication protocols e.g., TCP/IP, IPX, etc.
- the broadcast center 26 receives the data served from the content servers 22(1)- 22(K) over the network 28 and broadcasts the data over a broadcast network 30 to the clients 24(1)-24(M).
- the broadcast network 30 can be implemented in a variety of ways, including satellite, radio, microwave, cable, and the like.
- the broadcast center 26 includes a router 32, a signal generator 34, and a broadcast transmitter 36.
- the router 32 is coupled to the bi-directional data network 28 to receive the data served over the network 28 from the content servers 22(1)-22(K).
- the router 32 is a final node of the data network 28 in which data communication is bidirectional to that point and unidirectional past that point.
- the router 32 is preferably configured as a bridge-router between the traditional data network 28 and the broadcast network 30.
- a bridge-router is capable of supporting video and audio broadcast transmission.
- the router 32 converts the data from a network packet format to a format appropriate for broadcast transmission.
- the signal generator 34 generates a broadcast signal with the data embedded thereon to carry the data over the broadcast network 30.
- the broadcast signal is passed to the transmitter 36 where it is broadcast over the broadcast network 30 to the clients 24(1)-24(M).
- the clients might still be able to communicate with the broadcast center 26 or content servers 22(1)-22(K) using a different back channel, such as a connection to the data network 28, but this aspect is not shown in the drawings.
- the data is encrypted at the content servers 22(1)-22(K) prior to transmission to ensure secure delivery over the data network 28 and broadcast network 30.
- the data can be encrypted at the broadcast center 26 prior to broadcast transmission.
- Authorized clients 24(1)-24(K) are provided with decryption capabilities, represented by a key 38, to decrypt the data.
- the decryption capabilities are described below in more detail with reference to Fig. 3.
- the clients 24(1)-24(M) can be implemented in a number of ways, including desktop computers, laptop computers, televisions with set-top boxes, and computer enhanced television units.
- the clients are broadcast- enabled PCs which are described below in more detail with reference to Fig. 3.
- An unauthorized client 39 is also shown in Fig. 1.
- the unauthorized client 39 can be similar to an authorized client in every respect, except that the unauthorized client is not legitimately equipped with the decryption capabilities. Instead, the unauthorized client 39 obtains the decryption capabilities through illegal transfer from one of the authorized clients 24(1)-24(M).
- Fig. 2 shows an exemplary implementation of a content server 22(1) that is configured to both serve the content in an encrypted format and to supply the keying material.
- the content server 22(1) generates the keying materials used to encrypt the content and transmits the keying materials ahead of the content to the authorized clients 24(1)-24(M).
- different servers might be employed to separate the functions of key generation and management and content serving.
- the keying materials might be supplied in other ways besides transmission over the networks. For instance, authorization keys which permit access to the data transmission stream might be supplied routinely (e.g., once a week) on a disk to the authorized users.
- the content server 22(1) includes a server computer 40 having a processor 42 (e.g., Pentium® Pro microprocessor from Intel Corporation), volatile memory 44 (e.g., RAM), and program memory 46 (e.g., ROM, flash, disk drive, floppy disk drive, CD-ROM, etc.).
- the computer 40 is configured, for example, as a personal computer or workstation running a multitasking, disk-based operating system, such as Windows® NT from Microsoft Corporation.
- the server computer 40 is connected to the data network 28 via a network connection 48.
- the content server 22(1) has multiple storage disks 50 which are implemented as a disk array to store various forms of content.
- the content server 22(1) is shown configured as continuous media file server which serves video and audio data files from a disk array of storage disks 50. However, the content server 22(1) may also be configured to serve other forms of data.
- the server 22(1) is illustrated with two software programs: a key generator 52 and a key/client associator 54. Each program is stored in program memory 46, loaded into volatile memory 44 when launched, and executed on the processor 42.
- the key generator 52 produces cryptographic keys that are used to encrypt the data served by the server 22(1) and to decrypt the data when it reaches the clients. More particularly, the key generator 52 creates two tiers of random symmetric keys. The keys in the first tier are called “session keys" and are used to encrypt the data being served. The session keys are given out just before the data transmission. The keys in the second tier are referred to as "authorization keys" and are used to encrypt the session keys. The authorization keys are distributed to authorized clients well ahead of the data transmission.
- the encryption key can be calculated from the decryption key, and vice versa. In many cases, the encryption key and the decryption key are the same. The symmetric key must be known to both the sender and receiver, but otherwise kept secret. Once the symmetric key is divulged, any party can encrypt or decrypt messages. Examples of suitable symmetric ciphers include DES (Data Encryption
- the data is encrypted by a symmetric encryption algorithm "E” using the session key "Ksession” as follows:
- the session key "Ksession” is then encrypted by a symmetric encryption algorithm “E” using the authorization key "Kauthorization” as follows:
- the authorization keys are preferably distributed to the authorized clients 24 in encrypted format using the authorized clients' public keys of asymmetric key pairs.
- An "asymmetric" key algorithm involves two separate keys, a public key and a private key. The keys are based upon a mathematical relationship in which one key cannot be calculated (at least in any reasonable amount of time) from the other key. The public key is distributed to other parties and the private key is maintained in confidence by the holder. The asymmetric public and private keys ensure two results. First, only the holder of the private key can decrypt a message that is encrypted with the corresponding public key. Second, if another party decrypts a message using the public key, that party can be assured that the message was encrypted by the private key and thus originated with someone (and presumably the holder) of the private key.
- An example asymmetric cipher is the well-known RSA cryptographic algorithm named for the creators Rivest, Shamir, and Adleman.
- the server encrypts the authorization key in an asymmetric encryption algorithm "E” using the public key of the authorized client 24(1) "Kpub_24(l), as follows:
- FIG. 3 shows an exemplary configuration of an authorized client 24(1) implemented as a broadcast-enabled computer. It includes a central processing unit 60 having a processor 62 (e.g., x86 or Pentium® microprocessor from Intel Corporation), volatile memory 64 (e.g., RAM), and program memory 66 (e.g., ROM, Flash, disk drive, floppy disk drive, CD-ROM, etc.).
- the client 24(1) has one or more input devices 68 (e.g., keyboard, mouse, etc.), a computer display 70 (e.g., VGA, SVGA), and a stereo I/O 72 for interfacing with a stereo system.
- input devices 68 e.g., keyboard, mouse, etc.
- a computer display 70 e.g., VGA, SVGA
- stereo I/O 72 for interfacing with a stereo system.
- the client 24(1) includes a digital broadcast receiver 74 (e.g., satellite dish receiver, RF receiver, microwave receiver, multicast listener, etc.) and a tuner 76 which tunes to appropriate frequencies or addresses of the broadcast network 30 (Fig. 1).
- the tuner 76 is configured to receive digital broadcast data in a particularized format, such as MPEG-encoded digital video and audio data, as well as digital data in many different forms, including software programs and programming information in the form of data files.
- the client 24(1) also has a modem 78 which provides dial-up access to the data network 28 to provide a back channel or direct link to the content servers 22. In other implementations of a back channel, the modem 78 might be replaced by a network card, or an RF receiver, or other type of port/receiver which provides access to the back channel.
- the client 24(1) runs an operating system which supports multiple applications.
- the operating system is preferably a multitasking operating system which allows simultaneous execution of multiple applications.
- the operating system employs a graphical user interface windowing environment which presents the applications or documents in specially delineated areas of the display screen called "windows."
- One preferred operating system is a Windows® brand operating system sold by Microsoft Corporation, such as Windows® 95 or Windows® NT or other derivative versions of Windows®. It is noted, however, that other operating systems which provide windowing environments may be employed, such as the Macintosh operating system from Apple Computer, Inc. and the OS/2 operating system from IBM.
- the client 24(1) is illustrated with a key listener 80 to receive the authorization and session keys transmitted from the server.
- the keys received by listener 80 are used by the cryptographic security services implemented at the client to enable decryption of the session keys and data.
- Cryptographic services are implemented through a combination of hardware and software.
- a secure, tamper-resistant hardware unit 82 is provided external to the CPU 60 and two software layers 84, 86 executing on the processor 62 are used to facilitate access to the resources on the cryptographic hardware 82.
- the software layers include a cryptographic application program interface (CAPI) 84 which provides functionality to any application seeking cryptographic services (e.g., encryption, decryption, signing, or verification).
- One or more cryptographic service providers (CSPs) 86 implement the functionality presented by the CAPI to the application.
- the CAPI layer 84 selects the appropriate CSP for performing the requested cryptographic function.
- the CSPs 86 perform various cryptographic functions such as encryption key management, encryption/decryption services, hashing routines, digital signing, and authentication tasks in conjunction with the cryptographic unit 82.
- a different CSP might be configured to handle specific functions, such as encryption, decryption, signing, etc., although a single CSP can be implemented to handle them all.
- the CSPs 86 can be implemented as dynamic linked libraries (DLLs) that are loaded on demand by the CAPI, and which can then be called by an application through the CAPI 84.
- DLLs dynamic linked libraries
- Fig. 4 shows the cryptographic unit 82 in more detail. It includes a logic unit 90, a secure non- volatile memory 92, and an interface 94 to the client. These components are constructed with tamper-resistant integrated circuit chips that are hardened against external scanning and are constructed using semiconductor processes that render it difficult to reverse engineer through layer-by-layer dissection.
- the interface 94 is preferably a high speed interface, such as a PCI bus connection. Other high speed connections include VLB and 1394 serial connections. The connection between the cryptographic unit 82 and client CPU 60 does not need to be secure.
- a public/private key pair Internal to the cryptographic hardware 82 is a public/private key pair which is randomly generated during manufacturing.
- a private key 96 is confidentially maintained within the device and never exposed, while a public key 98 can be exported to the client.
- Each client security device has its own public/private key pair which can be used as a means for identification of the client for purposes of distributing authorization keys.
- the public/private key pair are shown stored in memory 92, although the private key may be hardcoded into the unit.
- the public key is signed by the manufacturer to produce a signature 100 which can be exported for purposes of authenticating the hardware unit. Both the public key 98 and the manufacture signature 100 can be passed to the client CPU 60.
- the cryptographic unit 82 has an asymmetric key cryptographic cipher 102 which provides cryptographic functions involving the public/private key pair, such as decryption of an authorization key 104 for a data transmission.
- the asymmetric cipher 102 is implemented in hardware as part of the logic unit 94.
- a suitable asymmetric cipher is the RSA algorithm.
- the cryptographic unit 82 also has a high speed symmetric key cryptographic cipher 106 implemented in the logic unit 94.
- the symmetric cipher 104 is used to decrypt session keys 108 and the data itself. Symmetric ciphers offer suitable real-time speed for bulk decryption of data, whereas asymmetric ciphers are too slow for general bulk decryption.
- a suitable symmetric cipher is the Triple-DES Cipher-Block- Chaining algorithm, although other ciphers are acceptable (e.g., IDEA, RC4, etc.).
- the key listener 80 invokes the CAPI 84 and CSP 86 to perform the decryption of the authorization key.
- the authorization key is passed in its encrypted format from the CSP 86 through to the cryptographic unit 82.
- the asymmetric cipher 102 uses the confidential private key 96 (i.e., "Kpri_24(l)") to decrypt the authorization key according to a decryption function "D," as follows:
- the authorization key 104 is stored in secure memory 92 and subsequently used to decrypt the data.
- the client CPU 60 cannot read or access the authorization key 104; rather, the authorization key is maintained in confidence within the tamper-resistant hardware unit 82.
- the symmetric cipher 106 Upon receipt of the encrypted session key, the symmetric cipher 106 is invoked to decrypt the session key.
- the symmetric cipher 106 uses the authorization key 104 to decrypt the session key as follows:
- the session key 108 is likewise stored in secure memory 92. As the client receives the encrypted data, the data is directly passed to the cryptographic unit 82 in an encrypted format. The symmetric cipher 106 uses the session key 108 to decrypt the data as follows:
- any server can generate keys for any client without intervention by a central authority. Because each server 22(1)-22(K) is independent and generates their own symmetric keys, the compromise of one server's keys does not jeopardize any other server.
- authorization keys to distribute session keys, the server has tremendous flexibility to assign what session keys the client can receive. In the case of subscription services, for example, the content server can establish a set of transmissions that the client is authorized to receive, while holding out other transmissions that the client is not authorized to receive.
- the data delivery system 20 can be configured to provide one authorization key for each data transmission (e.g., one key per television show or movie), or one authorization key for several transmissions (e.g., one key for four movies), or one authorization key for a period of time (e.g., one key per day or week). Since the private key, authorization key, and session key are kept confidential in the cryptographic unit 82 and the decryption is performed in the unit, the client CPU 60 is unable to obtain the keys and share them with others.
- one authorization key for each data transmission e.g., one key per television show or movie
- one authorization key for several transmissions e.g., one key for four movies
- one authorization key for a period of time e.g., one key per day or week
- the cryptographic units may be compromised in a manner that permits the pirating user to transfer the authorization keys to unauthorized clients, such as client 39 in Fig. 1.
- unauthorized clients such as client 39 in Fig. 1.
- the system operators often learn of the illegal activity. For instance, undercover law enforcement agencies or private investigators might covertly purchase authorization keys on a black market or from a broker of stolen goods. The existence of pirated keys reveals that a client has been compromised; but this knowledge does not, unfortunately, lead to identification of the specific client because many authorized clients receive the same authorization keys.
- Fig. 5 shows exemplary steps in a method for discovering an identity of an authorized client that is known to be compromised as illicitly transferring authorization keys to unauthorized clients.
- the steps are implemented in hardware and software resident at either the content server, the authorized clients, or the unauthorized clients, as identified in the figure. The steps are described with reference to Figs. 1-4.
- the key generator 52 in server 22(1) generates one or more session keys and multiple authorization keys for a single data transmission (step 120 in Fig. 5).
- the key/client associator 54 relates the different authorization keys to different authorized clients (step 122).
- the key /client associator 54 constructs a key /client association table 56 which inherently associates through its data structure the authorization keys and clients.
- the table 56 can be organized with a key data field to hold the authorization keys and a client data field to information identifying the client, such as a client ID or the client's public key.
- the content server 22(1) generates two authorization keys, assigning the first authorization key to one half of the clients and the second authorization key to the other half of the clients.
- the content server can generate one authorization key for every client, to provide a one-to-one correspondence between the keys and clients.
- the authorization keys are distributed to the clients well ahead of any data transmission.
- the authorization keys are preferably encrypted using the public keys of the associated clients, although they may be delivered on a storage medium or the like directly to the appropriate authorized clients.
- the server encrypts the data with the one or more session keys (step 126) and then encrypts the session keys with the authorization keys (step 128).
- the encrypted session keys are transmitted over the networks to the authorized clients 24(1)-24(M) just before the data transmissions.
- the cryptographic unit 82 uses the authorization key it was assigned to decrypt the one or more session keys (step 132 in Fig. 5). The cryptographic unit 82 then uses the session keys to decrypt the data (step 134).
- the server operator can trace the authorization key to the client(s) that were assigned the authorization key (step 140 in Fig. 5).
- the server cross- references the discovered authorization key via the key/client association file to identify the authorized client(s) that received the authorization key.
- the process either narrows the population of suspect clients, or precisely identifies the traitor client (step 142 in Fig. 5). For example, if the clients are split into two groups, each with a different authorization key, the process will halve the population of possible traitors with each cycle. For precise identification, the process requires a number of iterations equal to log base two of the number of clients in the population.
- the key/client associator 54 associates the N authorization keys with N separate groups of clients (step 156 in Fig. 6).
- the first set of N authorization keys are distributed to the respective groups of clients (step 158 in Fig. 6).
- the server also delivers the first block of the data transmission (step 160).
- the clients use the authorization keys to decrypt the session keys for the first block of the data transmission to enable the client to receive and decrypt the first block of data.
- the first N authorization keys cannot be used, however, to decrypt session keys belonging to subsequent blocks in the data transmission.
- the server operator learns that one of the N keys has been illicitly transferred from an authorized client to one or more unauthorized clients (step 162 in Fig. 6).
- the server analyzes which one of the N groups of authorized clients was sent the suspect key.
- the identified group includes the compromised client, while the rest of the N groups of clients are eliminated.
- the process is then repeated for the identified group for the next i th block in the data transmission (step 164 in Fig. 6).
- Fig. 7 shows an example of this method in which a data transmission 170 is destined to 10,000 authorized clients, one of which is believed to be compromised.
- the key generator produces ten new authorization keys and assigns them to ten groups of 100 clients within the population. Again, one of the ten keys is found to be illegally conveyed and the suspect group is noted. The second iteration narrows the population of potential traitors to 100.
- the key generator produces ten new authorization keys and assigns them to ten groups of 10 clients within the reduced population. The third iteration narrows the population of potential traitors to 10.
- the key generator produces ten new authorization keys and assigns each one to one client in the suspect population. When one of these keys is transferred illegally, the operator can pinpoint the compromised client and initiate legal proceedings against that user. Accordingly, by properly selecting the number of segments M and the number of keys N for each segment, the operator can precisely identify the compromised client during a single data transmission.
- the implementation described above employs a security device based on cryptographic functions.
- This invention may also be utilized in connection with security devices that employ other types of encoding/decoding technologies.
- the authorized clients might be given authorization passwords or numbers for use in receiving broadcast content.
- the authorized client might be supplied with descrambling codes, or the like, to enable receipt of a scrambled data transmission.
- the invention has been described in language more or less specific as to structural and methodical features. It is to be understood, however, that the invention is not limited to the specific features described, since the means herein disclosed comprise preferred forms of putting the invention into effect. The invention is, therefore, claimed in any of its forms or modifications within the proper scope of the appended claims appropriately interpreted in accordance with the doctrine of equivalents.
Landscapes
- Engineering & Computer Science (AREA)
- Multimedia (AREA)
- Software Systems (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Technology Law (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Virology (AREA)
- Computer Networks & Wireless Communication (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
Un système de transmission de données possède un serveur de contenu ou autre mécanisme servant à transmettre un contenu codé à de multiples clients autorisés. Ces clients autorisés sont équipés de dispositifs de sécurité pourvus de capacités de décodage afin de décoder le contenu. Les clients non autorisés sont empêchés de décoder le contenu parce qu'ils ne sont pas en possession des capacités de décodage. Un système de détection de fraudeur, faisant partie du système de transmission de données, permet de découvrir l'identité d'un client autorisé ayant été compromis et transférant de manière illicite des capacités de décodage à des clients non autorisés. Ce système de détection de fraudeur génère différentes capacités de décodage et crée un fichier d'association qui informe différents clients autorisés des différentes capacités de décodage. On repère ces capacités de décodage afin de déterminer la capacité qui est transférée de façon illicite à un utilisateur non autorisé. Dans l'éventualité d'un transfert illicite d'une de ces capacités de décodage, le système de détection de fraudeur consulte le fichier d'association afin d'identifier un ou plusieurs des clients autorisés ayant initialement reçu les capacités de décodage transférées de façon illicite. L'ensemble de clients identifiés comprend le client compromis. On réitère ce processus pour l'ensemble de clients identifiés avec un nouvel ensemble de capacités de décodage afin de rétrécir progressivement le champ des clients pirates éventuels jusqu'à ce qu'on localise avec précision le dispositif de sécurité compromis.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US94943897A | 1997-10-14 | 1997-10-14 | |
US949438 | 1997-10-14 | ||
PCT/US1998/019352 WO1999019822A2 (fr) | 1997-10-14 | 1998-09-16 | Systeme et procede servant a rechercher des dispositifs de securite compromis |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1031206A2 true EP1031206A2 (fr) | 2000-08-30 |
Family
ID=25489083
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP98963737A Withdrawn EP1031206A2 (fr) | 1997-10-14 | 1998-09-16 | Systeme et procede servant a rechercher des dispositifs de securite compromis |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP1031206A2 (fr) |
JP (1) | JP2003502719A (fr) |
WO (1) | WO1999019822A2 (fr) |
Families Citing this family (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7415110B1 (en) | 1999-03-24 | 2008-08-19 | Intel Corporation | Method and apparatus for the generation of cryptographic keys |
JP2000330783A (ja) * | 1999-05-20 | 2000-11-30 | Nec Corp | ソフトウェア不正コピー防止システムおよびソフト不正コピー防止プログラムを記録した記録媒体 |
KR20010004791A (ko) * | 1999-06-29 | 2001-01-15 | 윤종용 | 인터넷 환경의 이동통신시스템에서 사용자 정보 보안 장치 및그 방법 |
GB2353682B (en) | 1999-07-15 | 2004-03-31 | Nds Ltd | Key management for content protection |
IL130963A (en) | 1999-07-15 | 2006-04-10 | Nds Ltd | Key management for content protection |
US6477252B1 (en) * | 1999-08-29 | 2002-11-05 | Intel Corporation | Digital video content transmission ciphering and deciphering method and apparatus |
US6947558B1 (en) | 1999-08-29 | 2005-09-20 | Intel Corporation | Stream cipher having a shuffle network combiner function |
US6920221B1 (en) | 1999-08-29 | 2005-07-19 | Intel Corporation | Method and apparatus for protected exchange of status and secret values between a video source application and a video hardware interface |
US7068786B1 (en) | 1999-08-29 | 2006-06-27 | Intel Corporation | Dual use block/stream cipher |
US6731758B1 (en) | 1999-08-29 | 2004-05-04 | Intel Corporation | Digital video content transmission ciphering and deciphering method and apparatus |
US6289455B1 (en) | 1999-09-02 | 2001-09-11 | Crypotography Research, Inc. | Method and apparatus for preventing piracy of digital content |
EP1111924A1 (fr) | 1999-12-22 | 2001-06-27 | Irdeto Access B.V. | Procédé pour contrôler l'utilisation d'un signal de programme dans un système de télédiffusion, et dispositif de commande pour un récepteur pour la mise en oeuvre d' un tel procédé |
EP1111923A1 (fr) * | 1999-12-22 | 2001-06-27 | Irdeto Access B.V. | Procédé pour l' utilisation d' un système d' accès conditionnel pour des applications de télédiffusion |
US7003107B2 (en) | 2000-05-23 | 2006-02-21 | Mainstream Encryption | Hybrid stream cipher |
FR2811505B1 (fr) * | 2000-07-06 | 2002-12-06 | At Sky | Systeme de controle d'acces aux donnees numeriques en ligne et hors ligne au moyen d'un serveur de cles logicielles |
FR2811503B1 (fr) * | 2000-07-07 | 2002-12-06 | Innovatron Sa | Procede de delivrance de sequences audio, video ou textuelles par teletransmission de donnees numeriques individuellement tatouees en fonction du destinataire |
US7505593B2 (en) | 2002-12-09 | 2009-03-17 | International Business Machines Corporation | Method for tracing traitors and preventing piracy of digital content in a broadcast encryption system |
US9520993B2 (en) | 2001-01-26 | 2016-12-13 | International Business Machines Corporation | Renewable traitor tracing |
US7103184B2 (en) | 2002-05-09 | 2006-09-05 | Intel Corporation | System and method for sign mask encryption and decryption |
FR2856539A1 (fr) * | 2003-06-17 | 2004-12-24 | France Telecom | Procede et systeme tracables de chiffrement et/ou de dechiffrement d'informations, et supports d'enregistrement pour la mise en oeuvre du procede |
JP2005079864A (ja) * | 2003-08-29 | 2005-03-24 | Toshiba Corp | 放送装置、受信装置、放送方法及び受信方法 |
GB2419222B (en) | 2004-10-15 | 2007-05-30 | Zootech Ltd | Copy deterrent for an audiovisual product |
US8161296B2 (en) * | 2005-04-25 | 2012-04-17 | Samsung Electronics Co., Ltd. | Method and apparatus for managing digital content |
JP2006311625A (ja) * | 2006-08-18 | 2006-11-09 | Toshiba Corp | 放送装置、受信装置、放送方法及び受信方法 |
US20090202079A1 (en) * | 2008-02-11 | 2009-08-13 | Nokia Corporation | Method, apparatus and computer program product for providing mobile broadcast service protection |
JP2010104035A (ja) * | 2010-01-25 | 2010-05-06 | Toshiba Corp | 受信装置及び受信方法 |
JP2010119138A (ja) * | 2010-02-15 | 2010-05-27 | Toshiba Corp | 受信装置及び受信方法 |
JP6018880B2 (ja) * | 2012-11-05 | 2016-11-02 | 日本放送協会 | 暗号化装置、復号装置、暗号化プログラム、および復号プログラム |
US9936008B2 (en) * | 2013-12-03 | 2018-04-03 | Red Hat, Inc. | Method and system for dynamically shifting a service |
-
1998
- 1998-09-16 JP JP2000516305A patent/JP2003502719A/ja not_active Withdrawn
- 1998-09-16 EP EP98963737A patent/EP1031206A2/fr not_active Withdrawn
- 1998-09-16 WO PCT/US1998/019352 patent/WO1999019822A2/fr not_active Application Discontinuation
Non-Patent Citations (1)
Title |
---|
See references of WO9919822A2 * |
Also Published As
Publication number | Publication date |
---|---|
WO1999019822A3 (fr) | 1999-06-17 |
JP2003502719A (ja) | 2003-01-21 |
WO1999019822A2 (fr) | 1999-04-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO1999019822A2 (fr) | Systeme et procede servant a rechercher des dispositifs de securite compromis | |
CN1146185C (zh) | 保护系统中的信息 | |
US7480385B2 (en) | Hierarchical encryption key system for securing digital media | |
US7466826B2 (en) | Method of secure transmission of digital data from a source to a receiver | |
RU2433548C2 (ru) | Способ дескремблирования скремблированного информационного объекта контента | |
JP4976107B2 (ja) | データのユニットをスクランブル及びデスクランブルする方法 | |
CN1655495B (zh) | 用于以强配对将安全密钥传送到目标用户的系统和方法 | |
EP1560361B1 (fr) | Authentification de clé sécurisée et système d'échelle | |
US6550008B1 (en) | Protection of information transmitted over communications channels | |
JP4818559B2 (ja) | 放送分野への条件付きアクセスシステムを操作する方法 | |
KR100898437B1 (ko) | 통신 네트워크에서 대칭 키를 관리하는 방법, 통신 디바이스 및 통신 네트워크에서 데이터를 처리하기 위한 디바이스 | |
US20060184796A1 (en) | System and method for a variable key ladder | |
US20060047976A1 (en) | Method and apparatus for generating a decrpytion content key | |
US6516414B1 (en) | Secure communication over a link | |
JP4740859B2 (ja) | 携帯用安全モジュールペアリング | |
US7529375B2 (en) | Method for processing encrypted data for first domain received in a network pertaining to a second domain | |
JP4447908B2 (ja) | 新しい装置を導入するローカルデジタルネットワーク及び方法と、そのネットワークにおけるデータ放送及び受信方法 | |
US7415440B1 (en) | Method and system to provide secure key selection using a secure device in a watercrypting environment | |
CN111431846A (zh) | 数据传输的方法、装置和系统 | |
KR102286784B1 (ko) | Uhd 방송 콘텐츠 보안 시스템 | |
US20220417001A1 (en) | System and method for securely delivering keys and encrypting content in cloud computing environments | |
US20040019805A1 (en) | Apparatus and method for securing a distributed network | |
US9124770B2 (en) | Method and system for prevention of control word sharing | |
JP2006129535A (ja) | ストリームメディアデータのスクランブル放送システム | |
JP2004172870A (ja) | ストリームメディアデータのスクランブル放送システム |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20000502 |
|
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): DE FR GB |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20020403 |