EP1329050A2 - Module pour la transmission securisee de donnees - Google Patents

Module pour la transmission securisee de donnees

Info

Publication number
EP1329050A2
EP1329050A2 EP01988996A EP01988996A EP1329050A2 EP 1329050 A2 EP1329050 A2 EP 1329050A2 EP 01988996 A EP01988996 A EP 01988996A EP 01988996 A EP01988996 A EP 01988996A EP 1329050 A2 EP1329050 A2 EP 1329050A2
Authority
EP
European Patent Office
Prior art keywords
data packets
module
computer
interface
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP01988996A
Other languages
German (de)
English (en)
Inventor
Christophe Genevois
Jean Luc Duhamel
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Identiv GmbH
Original Assignee
SCM Microsystems GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SCM Microsystems GmbH filed Critical SCM Microsystems GmbH
Publication of EP1329050A2 publication Critical patent/EP1329050A2/fr
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/41Structure of client; Structure of client peripherals
    • H04N21/418External card to be used in combination with the client device, e.g. for conditional access
    • H04N21/4181External card to be used in combination with the client device, e.g. for conditional access for conditional access
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N21/44Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream or rendering scenes according to encoded video stream scene graphs
    • H04N21/4405Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream or rendering scenes according to encoded video stream scene graphs involving video stream decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/45Management operations performed by the client for facilitating the reception of or the interaction with the content or administrating data related to the end-user or to the client device itself, e.g. learning user preferences for recommending movies, resolving scheduling conflicts
    • H04N21/462Content or additional data management, e.g. creating a master electronic program guide from data received from the Internet and a Head-end, controlling the complexity of a video stream by scaling the resolution or bit-rate based on the client capabilities
    • H04N21/4623Processing of entitlement messages, e.g. ECM [Entitlement Control Message] or EMM [Entitlement Management Message]

Definitions

  • the invention relates to a module for the secure transmission of data in a computer network, in which data is transmitted according to a network protocol, the data being organized in data packets, consisting of a header and a content that can be encrypted.
  • DVD Digital Video Broadcasting
  • the object of the invention is to provide a module for secure data transmission in a computer network, which offers the highest level of security with high data throughput and easy connection to existing computers.
  • a module of the type mentioned at the beginning is provided: a bidirectional interface to a computer connected to the network, the module via the interface with the computer
  • a processor can exchange data packets, commands and messages, an interface to a smart card on which an identifier is stored, a filter logic circuit that filters out authorization messages from the data packets received from the computer via the network and forwarded to the module via the bidirectional interface with memory for controlling the module, which calculates at least one cryptographic key by means of the authorization messages and by means of the germination stored in the smart card, a decryption logic circuit which can separate the header from the content of the data packets, the content contained in the data packets by means of the processor calculated cryptographic key, which interacts with a decryption method implemented in the hardware of the logic circuit, can decrypt and attach the header again to the decrypted content of the data packets, the data packets then using the bid directional interface to the computer.
  • Such a module has considerable advantages: On the one hand, the decryption of the data in a hardware logic circuit takes place very quickly, so that large amounts of data can be processed in a short time, which is particularly important in DVB. On the other hand, the module is as
  • Hardware is secured much better against unauthorized access (hacking) to the encrypted data and the keys themselves than a Software decoder in an open, unsecured environment, as represented by a computer.
  • a module of the type mentioned at the outset which provides: a first interface to a computer network, via which the module can receive data packets from the computer network, a second interface to a computer, via which the module can send data packets to the computer, - an interface to a smart card on which an identifier is stored, a filter logic circuit that filters authorization messages from the data packets received from the network and forwarded to the module via the first interface, a processor with Memory for controlling the module, using the authorization messages and the ones stored in the smart card
  • Identifier calculates at least one cryptographic key
  • a decryption logic circuit that can separate the header from the content of the data packets, can decrypt the content contained in the data packets by means of the cryptographic key calculated by the processor, which interacts with a decryption method implemented in the hardware of the logic circuit Can attach the header again to the decrypted content of the data packets, the data packets then being routed to the computer via the second interface.
  • FIG. 1 shows a block diagram of a first embodiment of a module according to the invention
  • FIG. 2 shows a block diagram for an application of the module from FIG. 1 in a network
  • FIG. 3 shows a block diagram of a second embodiment of a module according to the invention.
  • FIG. 4 shows a block diagram for one possible application of the module from FIG.
  • CA Conditional Access
  • data packets are created according to a network protocol. eg the well-known Internet Protocol (IP), whereby the media content in the packets can be encrypted.
  • IP Internet Protocol
  • the module 10 is designed as a plug-in card for a PCMCIA slot in a computer, advantageously a laptop 12, which is connected to a computer network 34.
  • the module 10 itself contains a bidirectional interface module 14, which for the sake of simplicity is referred to below as a bidirectional interface 14, a processor 20 with memory and an interface module 22 to a slot 24 (not shown) for a smart card 26 , which in the following are called the interface for a smart card for the sake of simplicity.
  • the processor 20 is connected via the control lines 25 to all other modules of the module and controls the functions of the module 10.
  • the bidirectional interface 14 is connected via the bus 15 to an interface module (not shown) in the computer 12.
  • the module can receive data packets received from the computer via the network 34 via the bus 15 and, after decryption, pass them on to the computer 12. It is also conceivable that the module 10 can communicate with the computer 12 via the bus 15, which makes it possible to operate the module 10 from the computer 12.
  • the interface 15 can forward data to a filter logic circuit 16 via a connection 30 and exchange data with a decryption logic circuit 18 via a second connection 32.
  • FIG. 2 shows a section of a network 40 to which the computer 12 is connected.
  • the function of the module 10 is described below using the example of a DVB transmission from the service provider 42 to the customer's computer 12.
  • the service provider 42 provides a DVB signal 44.
  • This signal is intended to be sent over the network 40 in data packets in such a way that only certain authorized customers are able to receive and read this signal.
  • the signal is packaged in data packets in a known manner and the content of the data packets is encrypted in an encoder 46 (also called a scrambler) with changing cryptographic keywords that are generated in a word generator 48.
  • the information required to decrypt the data packets is sent as so-called Entitlement Control Message (ECM) and as Entitlement Management Message (EMM) together with the signal in the data packets.
  • ECM Entitlement Control Message
  • EMM Entitlement Management Message
  • the EMMs contain user-specific data that give a certain customer or a certain group of customers access to certain Enable programs (pay per channel) or for certain programs (pay per view).
  • the assignment to a specific customer or a specific customer group is established by an identifier, which can be stored in the smart card, for example.
  • the service provider therefore has the corresponding customer data in a database 50 so that the EMMs can be sent automatically.
  • the ECMs contain program-specific data, namely the key words by means of which the data packets can be decrypted again. To make it even more difficult to break up the encryption without authorization, the keywords are changed frequently during the broadcast.
  • the ECMs are sent much more frequently than the EMMs, since the user-specific data rarely change compared to the keywords.
  • the data packets are sent via the network 40, which can be, for example, the Internet, a private network or a company-internal intranet. They are given a header specific to the respective network protocol, which contains certain information that is important for transmission to the network. With the Internet protocol IP this can e.g.
  • the computer 12 which e.g. Via a modem 46, as shown, can be connected to the network via a network card or in some other way, receives the data packets and forwards them to module 10 without further processing via the PCMCIA interface.
  • the data packets can be passed on both to the filter logic circuit 16 and to the decryption logic circuit 18.
  • the filter logic circuit filters out any EMMs and ECMs contained in the data and passes them on to the processor 20 via the bus 25.
  • the processor 20 When the processor 20 receives an EMM which is intended for the customer identified by the identifier contained in the smart card 26, it loads the information contained therein into the memory and holds it there until it is replaced by more current information from a new one EMM can be overwritten. This information includes, for example, the authorization to be able to access a specific program or a specific program. If the processor 20 then receives ECMs relating to this particular program or program, it can use this information and the identifier stored in the smart card 26 from the ECMs to obtain the cryptographic keys for decrypting the content of the data packets from which the program is made exists, calculate. The processor 20 forwards the calculated keys to the decryption logic circuit 18.
  • the decryption logic circuit 18 includes a header logic circuit, not shown in detail, that the
  • the header logic circuit can be used with others Embodiments of the invention may also be part of the interface module 14, so that the data to the filter logic circuit 16 via the connection 30 only consist of the content of the data packets.
  • the decryption logic circuit 18 uses the calculated keys to decrypt the content of the data packets using an encryption method implemented in their hardware and to return the decrypted content to the interface again.
  • the header logic circuit then retrieves the stored header from the memory and adds it to the now decrypted content of the data packet, so that the packet is complete again. and forwards this via the bidirectional bus 15 to the computer 12, in which further processing can take place in the usual way.
  • the content of data packets for which the customer does not have access authorization cannot be decrypted by the decryption logic circuit 18. These data packets are either not sent to the interface at all or are not encrypted
  • Computer 12 forwarded so that they can not be processed by the computer 12.
  • the interface 14 can be generated by the computer 12 via its interface module (not shown) and the bus 15 in the computer
  • the invention offers the advantage of being easy to use, since the computer can be equipped with access to the offers of the service provider without opening the computer or changing its hardware in any other way.
  • the hardware implementation of the encryption logic offers the advantage that the processor of the computer is not additionally burdened with decryption or encryption. This also means a considerable speed advantage, which is essential for a smooth display, especially with the large amounts of DVB data.
  • such a module is independent of the respective operating system of the computer, since it works purely at the protocol level of the network. This means that the module has a much larger application area than a purely software-based decryption system.
  • the module 100 has a first interface 160 to a computer network 140 and a second interface 162 to a computer 1 12. Both interfaces work according to the same protocol and on the same physical layer, for example Ethernet, so that the module 100 directly into the network line 150 the computer network 140 and the computer 1 12 can be switched on.
  • the interfaces 160, 162 in the module 100 merely take on the function of connecting to the network, comparable to a network card in a computer.
  • CA Conditional Access
  • the data packets received from the network 140 are passed through the IP switch 164.
  • the IP switch 164 data packets received via the first interface 160, which are intended for the CA unit 110 based on their IP address, are filtered out and fed to the CA unit 110, which decrypts the data content of the packets as previously described and returns the data packets.
  • the CA unit 1 10 can have a connection 166 to the second interface 162, by means of which the module 100 can be controlled by the computer 1 12 via the network line 152.
  • the computer thus already receives the data packets transmitted in encrypted form by the service provider 42, so that it can proceed further as with the offers distributed in the network 140 without access restrictions.
  • the module 100 can also be completely transparent to the other data packets, i.e. the network connection can run undisturbed, as if the module 100 were not present at all.
  • a particular advantage of this embodiment is that the secure access option can be created even more easily. There is no need for an additional interface on the computer 112, since the module 100 is looped into the existing network connection line 150.
  • a subnetwork that is to say a plurality of interconnected computers, can also be provided with the access option in this way.
  • Decrypting data packets as well as encrypting unencrypted content can be done with the help of the described modules, in principle any content to be protected, e.g. emails that are sent in packets according to a network protocol, securely between two or more computers, or between different computers Transfer subnets of a network safely.
  • An exemplary arrangement is shown schematically in FIG. 4, where the modules 200 act as a kind of lock between a secure subarea 270, for example a company's internal network, and an unsecured public area 272 of the network.
  • each computer 212 or each sub-area of the network 270 from which access to the saved data should be possible is connected to the public sub-network via a module according to the invention.
  • the data to be protected is sent unencrypted within the secure subareas 270, outside, ie in the unsecured public area 272 of the network, the data packets are only on the way with encrypted content.
  • the module according to the invention thus fulfills the function of a “hardware firewall” in an efficient manner.

Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Communication Control (AREA)

Abstract

L'invention concerne un module pour la transmission sécurisée de données dans un réseau informatique. Ce module présente une interface bidirectionnelle communiquant avec un ordinateur relié au réseau. Ce module peut échanger des paquets de données, des instructions et des messages avec l'ordinateur par l'intermédiaire de l'interface. En outre, ce module dispose d'une interface communiquant avec une carte à puce sur laquelle est mémorisée une identification. Ce module contient un circuit logique de filtrage qui élimine par filtrage des messages d'autorisation présents dans les paquets de données reçus par l'ordinateur par l'intermédiaire du réseau et transmis au module par l'intermédiaire de l'interface bidirectionnelle. Le module comprend également un processeur contenant une mémoire et servant à commander le module. Ce processeur calcule au moins une clé cryptographique au moyen des messages d'autorisation et au moyen de l'identification mémorisée dans la carte à puce. Le module comprend enfin un circuit logique de décodage qui peut séparer l'en-tête du contenu des paquets de données, qui peut décoder le contenu des paquets de données au moyen de la clé cryptographique calculée au moyen du processeur et associée à un procédé de décodage réalisé dans le matériel du circuit logique et qui peut rajouter l'en-tête au contenu décodé des paquets de données. Ces derniers peut être réacheminés à l'ordinateur par l'intermédiaire de l'interface bidirectionnelle.
EP01988996A 2000-10-27 2001-10-29 Module pour la transmission securisee de donnees Withdrawn EP1329050A2 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE10053390A DE10053390A1 (de) 2000-10-27 2000-10-27 Modul zur sicheren Übertragung von Daten
DE10053390 2000-10-27
PCT/EP2001/012480 WO2002035763A2 (fr) 2000-10-27 2001-10-29 Module pour la transmission securisee de donnees

Publications (1)

Publication Number Publication Date
EP1329050A2 true EP1329050A2 (fr) 2003-07-23

Family

ID=7661330

Family Applications (1)

Application Number Title Priority Date Filing Date
EP01988996A Withdrawn EP1329050A2 (fr) 2000-10-27 2001-10-29 Module pour la transmission securisee de donnees

Country Status (4)

Country Link
US (1) US20040221156A1 (fr)
EP (1) EP1329050A2 (fr)
DE (1) DE10053390A1 (fr)
WO (1) WO2002035763A2 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EE200000390A (et) * 2000-11-02 2002-06-17 Artec Design Group O� Protokolli analüüsil baseeruv andmete krüpteerimisseade
FR2834154B1 (fr) * 2001-12-21 2005-03-11 Oberthur Card Syst Sa Unite electronique incluant des moyens de cryptographie capables de traiter des informations a haut debit
DE502004008948D1 (de) * 2004-10-11 2009-03-19 Swisscom Schweiz Ag Kommunikationskarte für mobile Netzwerkgeräte sowie Authentifikationsverfahren für Benutzer mobiler Netzwerkgeräte
US7822017B2 (en) * 2004-11-18 2010-10-26 Alcatel Lucent Secure voice signaling gateway

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4797928A (en) * 1987-01-07 1989-01-10 Miu Automation Encryption printed circuit board
US5644354A (en) * 1992-10-09 1997-07-01 Prevue Interactive, Inc. Interactive video system
US5521979A (en) * 1994-04-22 1996-05-28 Thomson Consumer Electronics, Inc. Packet video signal inverse transport system
US5590202A (en) * 1995-01-18 1996-12-31 Zenith Electronics Corporation Countdown system for conditional access module
SE509033C2 (sv) * 1996-06-26 1998-11-30 Telia Ab Metod för säker överföring av datainformation mellan Internet www-servar och dataterminaler
US5987606A (en) * 1997-03-19 1999-11-16 Bascom Global Internet Services, Inc. Method and system for content filtering information retrieved from an internet computer network
US6040851A (en) * 1998-01-20 2000-03-21 Conexant Systems, Inc. Small-format subsystem for broadband communication services
KR200184316Y1 (ko) * 1998-04-08 2000-06-01 김용만 스마트 카드 리더기
US6697489B1 (en) * 1999-03-30 2004-02-24 Sony Corporation Method and apparatus for securing control words
WO2000059210A1 (fr) * 1999-03-30 2000-10-05 Sony Electronics, Inc. Systeme d'interfaçage de dispositifs multiples d'acces conditionnel
FR2799075B1 (fr) * 1999-09-23 2001-11-23 Thomson Multimedia Sa Terminal numerique multimedia et module detachable cooperant avec ledit terminal comportant une interface protegee contre la copie

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO0235763A2 *

Also Published As

Publication number Publication date
DE10053390A1 (de) 2002-05-08
US20040221156A1 (en) 2004-11-04
WO2002035763A2 (fr) 2002-05-02
WO2002035763A3 (fr) 2002-07-04

Similar Documents

Publication Publication Date Title
DE69738628T2 (de) Kontrolle für einen globalen datentransportstrom
DE69723650T2 (de) Verfahren zur Beglaubigung von Daten mittels Verschlüsselung und System zur Beglaubigung unter Verwendung eines solchen Verfahrens
DE69533024T2 (de) Zugriffskontrollsystem für an einem Privatnetz angeschlossene Computer
DE60222012T2 (de) System und verfahren für hybriden bedingten zugang für empfänger verschlüsselter übertragungen
DE60306835T2 (de) Vorrichtung zur sicheren Mehrfachsendung
DE60217576T2 (de) Vorrichtungen und Verfahren zur Übertragung und Implementierung von Steuerungsanweisungen zum Zugriff auf Empfängerfunktionalitäten
DE60131990T3 (de) Vorrichtung und verfahren zur selektiven verschlüsselung von über ein netzwerk zu übertragenden multimediadaten
DE60214015T2 (de) Gerät, Datenverteilungssystem mit einem solchen Geräten, Verfahren zur Übertragung von Daten
DE60213650T2 (de) Zugriff auf verschlüsselten rundsendeinhalt
DE69719803T3 (de) Verhinderung von wiedergabeangriffen auf durch netzwerkdiensteanbieter verteilte digitale informationen
DE69533953T2 (de) System für signaturlose Übertragung und Empfang von Datenpaketen zwischen Computernetzwerken
DE69735528T2 (de) Verfahren zum Schutz von Informationen übertragen von einem Sicherungselement nach einen Dekoder und Schutzsystem, das ein solches Verfahren verwendet
DE60127681T2 (de) System zum Inhaltsschutz und zur Kopierverwaltung für ein Netzwerk
EP2146285A1 (fr) Procédé de fonctionnement d'un système d'accès conditionnel, destiné aux réseaux informatiques, et système de sa mise en oeuvre
WO2014118306A1 (fr) Système de traitement vidéo intégré doté de moyens matériels
WO2019145207A1 (fr) Procédé et système de publication d'au moins une clé cryptographique
DE69927581T2 (de) Vernetzte einheit mit bedingtem zugriff
DE69835670T2 (de) Datenübertragungssystem
DE69821183T2 (de) Zugangskontrollverfahren für Hausnetz und Anordnung zu dessen Durchführung
EP1668817B1 (fr) Procédé et dispositif de chiffrement et de déchiffrement
EP1329050A2 (fr) Module pour la transmission securisee de donnees
EP0740439B1 (fr) Méthode, système et équipement d'abonné pour séparation protégée contre la manipulation des circulations de messages
DE10029643A1 (de) Verfahren zur abhörsicheren Übertragung von IP-Diensten über ein Rundfunkmedium
DE10244079A1 (de) Verfahren zum Bereitstellen eines verschlüsselten IP-basierenden Gruppen-Dienstes
EP2165459B1 (fr) Dispositif et procédé de traitement de flux de données

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20030430

AK Designated contracting states

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR

AX Request for extension of the european patent

Extension state: AL LT LV MK RO SI

RIN1 Information on inventor provided before grant (corrected)

Inventor name: DUHAMEL, JEAN, LUC

Inventor name: GENEVOIS, CHRISTOPHE

17Q First examination report despatched

Effective date: 20040216

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20040827