EP1506661A2 - Method of distributing data with access control - Google Patents

Method of distributing data with access control

Info

Publication number
EP1506661A2
Authority
EP
European Patent Office
Prior art keywords
data
address
user
access
http
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP03752810A
Other languages
German (de)
English (en)
French (fr)
Inventor
Gilles Merle
Denis Piarotas
Noel Fontaine
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Viaccess SAS
Original Assignee
Viaccess SAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Viaccess SAS

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Definitions

  • the invention is in the field of access control and relates more particularly to a method of distributing digital data to a plurality of user terminals connected, via an IP type data transmission network, to a service provider, each receiver terminal being identified in the network by an IP address and by a unique address UA registered in a security processor.
  • French patent application No. 01 13963 filed by France TELECOM on October 29, 2001 describes a method of broadcasting with access control of audiovisual programs to a plurality of terminals connected to an IP type network.
  • each service provided via the network is allocated an address and access conditions defined by the service provider.
  • a scrambling platform receives as input IP / UDP datagrams supplied in clear by a data server, and filters the IP / UDP datagrams of the data to be scrambled according to the IP addresses and destination ports present in the header of these datagrams.
  • the invention aims to remedy the drawbacks of the prior art described above by a method for defining the access conditions in point-to-point mode and in broadcast mode in correlation, on the one hand, with the user or users requesting the services and, on the other hand, with the content distributed.
  • the invention makes it possible to define the access conditions, no longer at the network layer (ISO layer 3), relative to IP parameters, but at the presentation layer (ISO layer 6), in order to make data distribution independent of changes in IP addresses.
  • the data to be distributed is associated with an access condition defined at the HTTP protocol level.
  • the data are distributed in point-to-point mode according to the following steps:
  • - send, from a user terminal, an HTTP request comprising at least the IP address of said terminal, the unique address UA and a parameter (URI) making it possible to locate the data requested in a content server;
  • a personalized ECM is generated as a function of the access criterion (CA) and of an encrypted control word CW.
  • the encryption of the control word CW is carried out by a key Ke_UA obtained by diversification of a root key Ke specific to the service provider. This diversification is carried out according to the unique address UA specific to each user.
  • said data is distributed in broadcast mode to a group of user terminals identified by a group address. This distribution takes place in the following stages:
  • the data is transmitted in broadcast mode of the PUSH type, commonly called in English.
  • the broadcast can be controlled by a user, usually the first user who sends a first HTTP request to receive the service.
  • This user can also stop broadcasting data using a second HTTP request. This is particularly useful when a particular user makes information under his control available to several other users. This is the case, for example, of a distance learning application in which a teacher and several listeners are connected to the transmission network, the teacher being the user who controls the broadcasting (triggering and stopping) of content.
  • the scrambled data is encapsulated in an IP datagram comprising:
  • the security processor is a smart card.
  • this processor can be a program stored in the user terminal.
  • the invention also relates to a management platform for controlling access to scrambled data transmitted to a plurality of user terminals connected to a service provider via an IP type network, each user terminal being identified in the network by an IP address and by a unique address UA registered in a security processor, said platform comprising at least one central server capable of associating an access criterion with the data to be distributed at the level of the HTTP protocol in response to an HTTP request issued from a user terminal.
  • the data to be distributed can be extracted according to a parameter (URI) from a content server.
  • the platform according to the invention further comprises at least one scrambling unit and at least one content server.
  • the data to be broadcast can be audiovisual programs or multimedia data.
  • FIG. 1 represents a general diagram of an access management platform according to the invention
  • FIG. 2 is a block diagram illustrating a first variant implementation of the method of the invention
  • FIG. 3 schematically illustrates the mode of encapsulation of the data distributed by the method according to the invention
  • FIG. 4 is a flowchart illustrating the first variant of implementation of the method of the invention.
  • FIG. 5 schematically illustrates a procedure for diversifying access control messages according to the invention.
  • FIG. 7 is a block diagram illustrating a second variant implementation of the method of the invention.
  • Each user is provided with a terminal 2 equipped with a smart card reader.
  • Each user has a personal smart card identified by a unique address UA (for Unique Address) containing information on the rights of access to audiovisual services provided by one or more operators.
  • each user terminal can be a gateway terminal communicating with a plurality of terminals grouped together in a local network.
  • the gateway terminal which is provided with a smart card containing at least one right of access to the services provided.
  • Audiovisual content is stored on remote servers, and each item of content can be called by a URI (for Uniform Resource Indicator), which is a field of the HTTP header that addresses a resource uniquely.
  • the user terminals 2 are connected to the Viaccess Net® platform 4 through the Internet network 6 or through an IP backbone.
  • a first output router 8 is arranged at the output of the Internet network 6 and is connected to a second interconnection router 10, which is connected to a firewall server 12 directly connected to the Viaccess Net® platform 4.
  • the Viaccess Net platform 4 comprises a first local access network 14 comprising a central server 16 whose function is to supervise the communications between the user terminals 2 and the platform 4.
  • the first local area network 14 furthermore comprises a cache server 18 intended for storing information not requiring scrambling, such as service presentation pages, a DNS server 20 intended for translating the IP addresses of internal servers into names external to the Viaccess Net platform 4, and a second security server 22 intended to provide functional redundancy of the central server 16.
  • This first local access network 14 is connected, through a scrambling station 24, to a second local network 26 and to a third local network 28.
  • the second local network 26 comprises content servers 30 and the third local network 28 comprises an ECM generator 32 and an ECM management station 34.
  • the central server 16 consists of two separate functional units, a first unit 40 dedicated to authenticating users and filtering HTTP requests transmitted to the platform 4, and a second unit 42 capable of associating a control criterion (CA) for the data to be distributed.
  • User authentication consists in checking whether the UA received with the HTTP request is listed in a right management center 44 located at the operator. Beforehand, the user who wishes to receive one or more audiovisual programs receives from the operator information relating to the access criteria (CA) to the audiovisual programs likely to be requested. After consulting a presentation server
  • the user sends (arrow 50) to the central server 16 an HTTP GET request indicating his unique address UA, his IP address and the URI corresponding to the programs requested.
  • the authentication unit 40 filters the HTTP request using the unique address UA and performs the following actions:
  • this unit 40 verifies that the TCP acknowledgment packets are received within the maximum transit time between the platform 4 and the client terminal 2;
  • the session can be interrupted if the maximum transit time is exceeded.
  • the central server 16 then sends (arrow 52) to the operator's management center 44 the IP address of the terminal 2 for the return channel, the UA address of the user and the URI called, as well as the IP address from which data should be sent and which is retrieved by the user from the presentation server 46.
  • the management center 44 gives its agreement or refuses access (arrow 54) to the content as a function of the rights prerecorded in a database 56.
  • the scrambling unit 24 sends an acknowledgment (arrow 59) to the authentication unit 40 confirming that it is awaiting, from the content server 30, the stream to be scrambled that was selected by the user, with the associated UA and IP address as well as the access criterion (CA).
  • the HTTP GET request is then retransmitted by the authentication unit 40 (arrow 60) to the unit 42.
  • the response to the HTTP GET request transmitted from the content server 30 to the central server 16 is then returned (arrow 62) to the unit 42.
  • the latter inserts an additional field in the IP frame consisting of an HTTP header with a "Content-Location" field which will recall the URI to the scrambling unit 24.
  • the central server 16 sends (arrow 64) the HTTP response to the scrambling unit 24 for scrambling.
  • the scrambling unit 24 scrambles the data and transmits it (arrow 66) to the user terminal 2 which descrambles it thanks to the control information transmitted and to the rights recorded in the smart card.
  • FIG. 3 schematically illustrates the structure of the packets transmitted to the scrambling unit 24 by the central server 16.
  • This HTTP response comprises:
  • An access control header 76 containing the URI of the data delivered
  • FIG. 4 illustrates in detail the different stages of the method in the case of an implementation in point-to-point mode.
  • step 90 the user sends the request
  • This secure tunnel is specific to each link with a terminal 2 and can be based on the SSL protocol (for Secure Socket Layer), the SSH protocol (for Secure Shell), or the IPSec protocol. Securing the link adds integrity and confidentiality to the data circulating on the Internet between terminal 2 and the Viaccess Net platform 4.
  • step 92 the central server 16 recovers the URI of the content requested and checks the validity of the GET request.
  • the central server 16 transmits it to the scrambling station 24 and to the content server 30 (step 96).
  • the central server 16 establishes a link between the terminal 2 and the cache server 18 to enable it to consult data which should not be scrambled, such as for example service presentation pages (step 98).
  • the content server 30 delivers the data requested to the scrambling unit 24 via the central server 16.
  • the latter adds to each data packet delivered by the content server 30 the "Content-Location" field containing the URI and returns this packet to the scrambling unit 24, where the data is scrambled with the added HTTP header (step 100).
  • step 102 the central server 16 removes the location header field from the HTTP header and delivers the encrypted stream to the terminal 2 (step 104) via the secure channel between the Viaccess Net platform 4 and the terminal 2.
  • step 106 the scrambled data is received by the user terminal 2 where it is descrambled.
  • a personalized ECM conveying the access conditions and an encryption root key Ke of this program is generated according to the access criterion (CA) and an encrypted CW control word.
  • the encryption of the control word CW is carried out by a key Ke_UA obtained by diversification of the root key Ke specific to the service provider. This diversification is carried out according to the unique address UA specific to each user.
  • the requested program can only be seen by the user whose card is targeted by the ECM-U and contains at least one right conforming to the access criterion (CA) described in the ECM-U.
  • FIG. 5 schematically illustrates the procedure for diversifying the root key Ke.
  • the latter is subjected to a processing in a calculation module 107 which receives as input the unique address UA of each user.
  • the result of this calculation is the diversified key Ke_UA depending on the unique address of the user UA.
  • the key Ke_UA is then used to encrypt the control word CW.
  • This function is performed by a module 108 which receives the values Ke_UA and CW.
  • FIG. 6 schematically illustrates this principle in the case where two terminals 110 and 112 having respectively the unique address UA1 and UA2 send an HTTP request to the platform 4 to receive a program.
  • the ECMs are personalized by the control word CW encrypted by the diversified key Ke_UA to generate, by means of a calculation function 120, an ECM-U1 and an ECM-U2 intended respectively for the terminal UA1 and the terminal UA2.
  • the ECM-U1 and the ECM-U2 are then multiplexed by a multiplexing module 132 and then transmitted to the users.
  • the broadcast is made to all the terminals configured by a group address.
  • the user sends (arrow 130) the HTTP request to the central server 16 with the group address.
  • the latter authenticates (arrows 132-134) the originator of the request, and checks (arrow 136) if the requested content is actually broadcast. If the requested content is not broadcast, the central server 16 transmits to the user terminal a stop message.
  • the authenticated user receives the broadcast content.
  • the management center 44 gives its agreement or refuses the content access session after transfer of all the parameters entered previously;
  • the response can be positive for broadcasting, in this case, the content server delivers the requested data (step 138) to the scrambling unit 24 which transmits this data (step 140) after scrambling.
  • the answer can also be negative, in this case the distribution of data is refused.
  • the group IP address and the URI are sent with an order to start broadcasting the content generated by the central server 16;
  • the requested stream is broadcast and the source IP address for the broadcast is that of the content server 30;
  • the response is finally returned to the terminal (step 142), which descrambles the content received using previously installed decoding software.
  • the method of the invention can be implemented in a system for controlling access to a service that markets content via the HTTP protocol.
  • This content can include images of an HTML page subject to access conditions, or a portion of text.
  • This system can allow the implementation of servers delivering content that is scrambled in order to market a download of videos, audio files (music, etc.), etc.
  • the invention can be implemented in the fields of the following PC applications:
  • Content On Demand - Offer of content on demand such as the stock market or online banking, television, video clips or even radio,
  • the invention can also be applied to sectors of the business requiring the use of the Internet for the dissemination of data in Unicast (videotaped meetings, videoconferences on a VPN network, access to documentation with a high degree of confidentiality, etc.).
  • IP Service Operators may implement the delivery of scrambled content, which may be viewed following the prior purchase.
  • Intranet consultations requiring strong scrambling, associated with management of read / write rights on content to be downloaded by an IP network, can constitute additional applications of the invention.
  • the invention can also be implemented to control access to content received via a receiver provided with a TV decoder.
  • the invention can be implemented in mobile telephony or satellite telephony applications.
  • the technologies targeted for transport are the interactive applications of GSM, GPRS and UMTS.
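
The per-user ECM personalization described above (root key Ke diversified by the unique address UA into Ke_UA, which encrypts the control word CW inside an ECM-U carrying the access criterion CA) can be sketched as follows. This is an added example, not code from the patent or from Viaccess: the patent does not name the diversification or encryption algorithms, so HMAC-SHA256 is assumed here for both, and every function, class and field name is hypothetical.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes = b"") -> bytes:
    """Domain-separated HMAC-SHA256 (assumed primitive, not from the patent)."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()


def diversify(ke: bytes, ua: str) -> bytes:
    """Calculation module 107: derive Ke_UA from root key Ke and the UA."""
    return prf(ke, b"diversify", ua.encode())


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC counter-mode keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += prf(key, b"stream", nonce + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(ke_ua: bytes, ua: str, ca: str, nonce: bytes, ct: bytes) -> bytes:
    """Bind UA, CA and the encrypted CW together so none can be swapped."""
    def lp(s: str) -> bytes:  # length-prefix to keep the encoding unambiguous
        raw = s.encode()
        return len(raw).to_bytes(2, "big") + raw
    return prf(ke_ua, b"tag", lp(ua) + lp(ca) + nonce + ct)


def build_ecm_u(ke: bytes, ua: str, ca: str, cw: bytes) -> dict:
    """Platform side (module 108 / function 120): build a personalized ECM-U."""
    ke_ua = diversify(ke, ua)
    nonce = os.urandom(12)
    ct = _xor_stream(ke_ua, nonce, cw)
    return {"ua": ua, "ca": ca, "nonce": nonce, "cw_enc": ct,
            "tag": _tag(ke_ua, ua, ca, nonce, ct)}


class SecurityProcessor:
    """Terminal side: a card personalized with Ke_UA only, never the root Ke."""

    def __init__(self, ua: str, ke_ua: bytes, rights: set):
        self.ua, self.ke_ua, self.rights = ua, ke_ua, set(rights)

    def open_ecm(self, ecm: dict):
        """Return CW only if the ECM-U targets this card and a right matches CA."""
        if ecm["ua"] != self.ua:
            return None
        expected = _tag(self.ke_ua, ecm["ua"], ecm["ca"], ecm["nonce"], ecm["cw_enc"])
        if not hmac.compare_digest(expected, ecm["tag"]):
            return None  # wrong key or tampered UA/CA/CW fields
        if ecm["ca"] not in self.rights:
            return None  # card holds no right conforming to the access criterion
        return _xor_stream(self.ke_ua, ecm["nonce"], ecm["cw_enc"])


def demo() -> dict:
    """Two terminals UA1 and UA2 request the same program (constructed values)."""
    ke = bytes(range(32))            # constructed root key, for illustration only
    cw = bytes.fromhex("11" * 16)    # constructed control word
    card1 = SecurityProcessor("UA1", diversify(ke, "UA1"), {"sports"})
    card2 = SecurityProcessor("UA2", diversify(ke, "UA2"), {"sports"})
    ecm_u1 = build_ecm_u(ke, "UA1", "sports", cw)
    ecm_u2 = build_ecm_u(ke, "UA2", "sports", cw)
    return {
        "card1_opens_own": card1.open_ecm(ecm_u1) == cw,
        "card2_opens_own": card2.open_ecm(ecm_u2) == cw,
        "card2_opens_ecm_u1": card2.open_ecm(ecm_u1) is not None,
        "card2_opens_relabelled": card2.open_ecm(dict(ecm_u1, ua="UA2")) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Because each card stores only its own Ke_UA, an ECM-U captured from the multiplex is useless to any other subscriber, and extracting the key from one card does not reveal the root key Ke.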

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)
EP03752810A 2002-05-17 2003-05-15 Procede de distribution de donnees avec controle d acces Withdrawn EP1506661A2 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR0206086 2002-05-17
FR0206086A FR2839834B1 (fr) 2002-05-17 2002-05-17 Procede de distribution de donnees avec controle d'acces
PCT/FR2003/001473 WO2003098870A2 (fr) 2002-05-17 2003-05-15 Procede de distribution de donnees avec controle d'acces

Publications (1)

Publication Number Publication Date
EP1506661A2 true EP1506661A2 (fr) 2005-02-16

Family Applications (1)

Application Number Title Priority Date Filing Date
EP03752810A Withdrawn EP1506661A2 (fr) 2002-05-17 2003-05-15 Procede de distribution de donnees avec controle d acces

Country Status (7)

Country Link
US (1) US20060015615A1
EP (1) EP1506661A2
JP (1) JP2005526329A
CN (1) CN100531187C
AU (1) AU2003254532A1
FR (1) FR2839834B1
WO (1) WO2003098870A2

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1693999A4 (en) * 2003-12-11 2011-09-14 Panasonic Corp PACK STATION DEVICE
US7774825B2 (en) * 2004-12-16 2010-08-10 At&T Intellectual Property I, L.P. Methods & apparatuses for controlling access to secured servers
US8929360B2 (en) 2006-12-07 2015-01-06 Cisco Technology, Inc. Systems, methods, media, and means for hiding network topology
EP2647213B1 (en) * 2010-12-02 2017-07-26 Nagravision S.A. System and method to record encrypted content with access conditions
US10814893B2 (en) 2016-03-21 2020-10-27 Ge Global Sourcing Llc Vehicle control system
US11072356B2 (en) 2016-06-30 2021-07-27 Transportation Ip Holdings, Llc Vehicle control system
US10218628B2 (en) * 2017-04-12 2019-02-26 General Electric Company Time sensitive network (TSN) scheduler with verification
US10116661B2 (en) 2016-12-27 2018-10-30 Oath Inc. Method and system for classifying network requests

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6351467B1 (en) * 1997-10-27 2002-02-26 Hughes Electronics Corporation System and method for multicasting multimedia content
US6108789A (en) * 1998-05-05 2000-08-22 Liberate Technologies Mechanism for users with internet service provider smart cards to roam among geographically disparate authorized network computer client devices without mediation of a central authority
US6345307B1 (en) * 1999-04-30 2002-02-05 General Instrument Corporation Method and apparatus for compressing hypertext transfer protocol (HTTP) messages
DE19939281A1 (de) * 1999-08-19 2001-02-22 Ibm Verfahren und Vorrichtung zur Zugangskontrolle zu Inhalten von Web-Seiten unter Verwendung eines mobilen Sicherheitsmoduls
CA2405783A1 (en) * 2000-04-17 2001-10-25 Mitch A. Benjamin Secure dynamic link allocation system for mobile data communication
US6910074B1 (en) * 2000-07-24 2005-06-21 Nortel Networks Limited System and method for service session management in an IP centric distributed network
JP2002290458A (ja) * 2001-03-26 2002-10-04 Fujitsu Ltd マルチキャストシステム
FR2823936B1 (fr) * 2001-04-19 2003-05-30 France Telecom Procede et systeme d'acces conditionnel a des services ip
FR2833446B1 (fr) * 2001-12-12 2004-04-09 Viaccess Sa Protocole de controle du mode d'acces a des donnees transmises en mode point a point ou point multi-point
US20030149792A1 (en) * 2002-02-06 2003-08-07 Leonid Goldstein System and method for transmission of data through multiple streams

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO03098870A2 *

Also Published As

Publication number Publication date
FR2839834A1 (fr) 2003-11-21
AU2003254532A1 (en) 2003-12-02
FR2839834B1 (fr) 2004-07-30
CN1653777A (zh) 2005-08-10
AU2003254532A8 (en) 2003-12-02
WO2003098870A2 (fr) 2003-11-27
WO2003098870A3 (fr) 2004-03-25
JP2005526329A (ja) 2005-09-02
CN100531187C (zh) 2009-08-19
US20060015615A1 (en) 2006-01-19

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20041105

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20080414

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20101201