EP1506661A2 - Method of distributing data with access control (Procede de distribution de donnees avec controle d'acces) - Google Patents
- Publication number
- EP1506661A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- data
- address
- user
- access
- http
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
Definitions
- the invention is in the field of access control and relates more particularly to a method of distributing digital data to a plurality of user terminals connected, via an IP type data transmission network, to a service provider, each receiver terminal being identified in the network by an IP address and by a unique address UA registered in a security processor.
- French patent application No. 01 13963 filed by France TELECOM on October 29, 2001 describes a method of broadcasting with access control of audiovisual programs to a plurality of terminals connected to an IP type network.
- each service provided via the network is allocated an address and access conditions defined by the service provider.
- a scrambling platform receives as input IP / UDP datagrams supplied in clear by a data server, and filters the IP / UDP datagrams of the data to be scrambled according to the IP addresses and destination ports present in the header of these datagrams.
- the invention aims to remedy the drawbacks of the prior art described above by a method for defining the access conditions in point-to-point mode and in broadcast mode in correlation, on the one hand, with the user or users requesting the services and, on the other hand, with the content distributed.
- the invention makes it possible to define the access conditions, no longer at the network layer (ISO layer 3), relative to IP parameters, but at the presentation layer (ISO layer 6) in order to make data distribution independent of changes in IP addresses.
- the data to be distributed is associated with an access condition defined at the HTTP protocol level.
- the data are distributed in point-to-point mode according to the following steps:
- send, from a user terminal, an HTTP request comprising at least the IP address of said terminal, the unique address UA and a parameter (URI) making it possible to locate the data requested in a content server;
- a personalized ECM is generated as a function of the access criterion (CA) and of an encrypted control word CW.
- the encryption of the control word CW is carried out by a key Ke_UA obtained by diversification of a root key Ke specific to the service provider. This diversification is carried out according to the unique address UA specific to each user.
- said data is distributed in broadcast mode to a group of user terminals identified by a group address. This distribution takes place in the following stages:
- the data is transmitted in broadcast mode of the PUSH type, commonly called in English.
- the broadcast can be controlled by a user, usually the first user who sends a first HTTP request to receive the service.
- This user can also stop broadcasting data using a second HTTP request. This is particularly useful when a particular user makes information under his control available to several other users. This is the case, for example, of a distance learning application in which a teacher and several listeners are connected to the transmission network, the teacher being the user who controls the broadcasting (triggering and stopping) of content.
- the scrambled data is encapsulated in an IP datagram comprising:
- the security processor is a smart card.
- this processor can be a program stored in the user terminal.
- the invention also relates to a management platform for controlling access to scrambled data transmitted to a plurality of user terminals connected to a service provider via an IP type network, each user terminal being identified in the network by an IP address and by a unique address UA registered in a security processor, said platform comprising at least one central server capable of associating a criterion of access to the data to be distributed at the level of the HTTP protocol in response to an HTTP request issued from a user terminal.
- the data to be distributed can be extracted according to a parameter (URI) from a content server.
- the platform according to the invention further comprises at least one scrambling unit and at least one content server.
- the data to be broadcast can be audiovisual programs or multimedia data.
- FIG. 1 represents a general diagram of an access management platform according to the invention
- FIG. 2 is a block diagram illustrating a first variant implementation of the method of the invention
- FIG. 3 schematically illustrates the mode of encapsulation of the data distributed by the method according to the invention
- FIG. 4 is a flowchart illustrating the first variant of implementation of the method of the invention.
- FIG. 5 schematically illustrates a procedure for diversifying access control messages according to the invention.
- FIG. 7 is a block diagram illustrating a second variant implementation of the method of the invention.
- Each user is provided with a terminal 2 equipped with a smart card reader.
- Each user has a personal smart card identified by a unique address UA (for Unique Address) containing information on the rights of access to audiovisual services provided by one or more operators.
- each user terminal can be a gateway terminal communicating with a plurality of terminals grouped together in a local network.
- the gateway terminal which is provided with a smart card containing at least one right of access to the services provided.
- Audiovisual content is stored on remote servers, and each content item can be called by a URI (for Uniform Resource Indicator), which is a field of the HTTP header that addresses a resource in a unique way.
- user terminals 2 are connected to the Viaccess Net® platform 4, through the Internet network 6 or through an IP backbone.
- a first output router 8 is arranged at the output of the Internet network 6 and is connected to a second interconnection router 10 which is connected to a firewall server 12 directly connected to the Viaccess Net® platform 4.
- the Viaccess Net platform 4 comprises a first local access network 14 comprising a central server 16 whose function is to supervise the communications between the user terminals 2 and the platform 4.
- the first local area network 14 furthermore comprises a cache server 18 intended for storing information not requiring scrambling such as for example service presentation pages, a DNS server 20 intended for translating the IP addresses of internal servers into names external to the Viaccess Net platform 4, and a second security server 22 intended to provide functional redundancy of the central server 16.
- This first local access network 14 is connected, through a scrambling station 24, to a second local network 26 and to a third local network 28.
- the second local network 26 comprises content servers 30 and the third local network 28 comprises an ECM generator 32 and an ECM management station 34.
- the central server 16 consists of two separate functional units, a first unit 40 dedicated to authenticating users and filtering HTTP requests transmitted to the platform 4, and a second unit 42 capable of associating a control criterion (CA) for the data to be distributed.
- User authentication consists in checking whether the UA received with the HTTP request is listed in a right management center 44 located at the operator. Beforehand, the user who wishes to receive one or more audiovisual programs receives from the operator information relating to the access criteria (CA) to the audiovisual programs likely to be requested. After consulting a presentation server
- the user sends (arrow 50) to the central server 16 an HTTP GET request indicating his unique address UA, his IP address and the URI corresponding to the programs requested.
- the authentication unit 40 filters the HTTP request using the unique address UA and performs the following actions:
- this unit 40 verifies that the TCP acknowledgment packets are received within the maximum transit time between the platform 4 and the client terminal 2;
- the session can be interrupted if the maximum transit time is exceeded.
- the central server 16 then sends (arrow 52) to the operator's management center 44 the IP address of the terminal 2 for the return channel, the UA address of the user and the URI called, as well as the IP address from which data should be sent and which is retrieved by the user from the presentation server 46.
- the management center 44 gives its agreement or refuses access (arrow 54) to the content as a function of the rights prerecorded in a database 56.
- the scrambling unit 24 sends an acknowledgment (arrow 59) to the authentication unit 40 confirming that it is awaiting the stream to be scrambled from the content server 30, as selected by the user, with the associated UA and IP address as well as the access criterion (CA).
- the HTTP GET request is then retransmitted by the authentication unit 40 (arrow 60) to the unit 42.
- the response to the HTTP GET request transmitted from the content server 30 to the central server 16 is then returned (arrow 62) to the unit 42.
- the latter inserts an additional field in the IP frame consisting of an HTTP header with a "Content-Location" field which will recall the URI to the scrambling unit 24.
- the central server 16 sends (arrow 64) the HTTP response to the scrambling unit 24 for scrambling.
- the scrambling unit 24 scrambles the data and transmits it (arrow 66) to the user terminal 2 which descrambles it thanks to the control information transmitted and to the rights recorded in the smart card.
- FIG. 3 schematically illustrates the structure of the packets transmitted to the scrambling unit 24 by the central server 16.
- This HTTP response comprises:
- An access control header 76 containing the URI of the data delivered
- FIG. 4 illustrates in detail the different stages of the method in the case of an implementation in point-to-point mode.
- step 90 the user sends the request
- This secure tunnel is specific to each link with a terminal 2 and can be based on the SSL protocol (for Secure Socket Layer), or the SSH protocol (for Secure Shell), or even the IPSec protocol. Securing the link adds integrity and confidentiality to the data circulating on the Internet between terminal 2 and the Viaccess Net platform 4.
- step 92 the central server 16 recovers the URI of the content requested and checks the validity of the GET request.
- the central server 16 transmits it to the scrambling station 24 and to the content server 30 (step 96).
- the central server 16 establishes a link between the terminal 2 and the cache server 18 to enable it to consult data which should not be scrambled, such as for example service presentation pages (step 98).
- the content server 30 delivers the data requested to the scrambling unit 24 via the central server 16.
- the latter adds to each data packet delivered by the content server 30 the "Content-Location" field containing the URI and returns this packet to the scrambling unit 24 where the data is scrambled with the added HTTP header (step 100).
- step 102 the central server 16 removes the location header field from the HTTP header and delivers to the terminal 2 the encrypted stream (step 104) via the secure channel between the Viaccess Net platform 4 and the terminal 2.
- step 106 the scrambled data is received by the user terminal 2 where it is descrambled.
- a personalized ECM conveying the access conditions and an encryption root key Ke of this program is generated according to the access criterion (CA) and an encrypted CW control word.
- the encryption of the control word CW is carried out by a key Ke_UA obtained by diversification of the root key Ke specific to the service provider. This diversification is carried out according to the unique address UA specific to each user.
- the requested program can only be seen by the user whose card is targeted by the ECM-U and contains at least one right conforming to the access criterion (CA) described in the ECM-U.
- FIG. 5 schematically illustrates the procedure for diversifying the root key Ke.
- the latter is subjected to a processing in a calculation module 107 which receives as input the unique address UA of each user.
- the result of this calculation is the diversified key Ke_UA depending on the unique address of the user UA.
- the key Ke_UA is then used to encrypt the control word CW.
- This function is performed by a module 108 which receives the values Ke_UA and CW.
- FIG. 6 schematically illustrates this principle in the case where two terminals 110 and 112 having respectively the unique address UA1 and UA2 send an HTTP request to the platform 4 to receive a program.
- the ECMs are personalized by the control word CW encrypted by the diversified key Ke_UA to generate, by means of a calculation function 120, an ECM-U1 and an ECM-U2 intended respectively for the terminal UA1 and the terminal UA2.
- the ECM-U1 and the ECM-U2 are then multiplexed by a multiplexing module 132 and then transmitted to the users.
- the broadcast is made to all the terminals configured by a group address.
- the user sends (arrow 130) the HTTP request to the central server 16 with the group address.
- the latter authenticates (arrows 132-134) the originator of the request, and checks (arrow 136) if the requested content is actually broadcast. If the requested content is not broadcast, the central server 16 transmits to the user terminal a stop message.
- the authenticated user receives the broadcast content.
- the management center 44 gives its agreement or refuses the content access session after transfer of all the parameters entered previously;
- the response can be positive for broadcasting, in this case, the content server delivers the requested data (step 138) to the scrambling unit 24 which transmits this data (step 140) after scrambling.
- the answer can also be negative, in this case the distribution of data is refused.
- the group IP address and the URI are sent with an order to start broadcasting the content generated by the central server 16;
- the requested stream is broadcast and the source IP address for the broadcast is that of the content server 30;
- the response is finally returned to the terminal (step 142) which descrambles the content received using previously installed decoding software.
- the method of the invention can be implemented in a system for controlling access to a service with marketing of content via the HTTP protocol.
- This content can include images of an HTML page subject to access conditions, or a portion of text.
- This system can allow the implementation of servers delivering content that is scrambled in order to market a download of videos, audio files (music, etc.), etc.
- the invention can be implemented in the fields of the following PC applications:
- Content On Demand - Offer of content on demand such as the stock market or online banking, television, video clips or even radio,
- the invention can also be applied to business sectors requiring the use of the Internet for the dissemination of data in Unicast (videotaped meetings, videoconferences on a VPN network, access to documentation with a high degree of confidentiality, etc.).
- IP Service Operators may implement the delivery of scrambled content, which may be viewed following the prior purchase.
- Intranet consultations requiring strong scrambling, associated with management of read / write rights on content to be downloaded by an IP network, can constitute additional applications of the invention.
- the invention can also be implemented to control access to content received via a receiver provided with a TV decoder.
- the invention can be implemented in mobile telephony or satellite telephony applications.
- the technologies targeted for transport are the interactive applications of GSM, GPRS and UMTS.
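
The key diversification and ECM-U personalization described above (FIG. 5 and FIG. 6), as an added example that is not taken from the patent. The page does not name the functions used by modules 107 and 108, so HMAC-SHA256 diversification and an HMAC-based keystream cipher with an integrity tag are stand-ins, and every function and field name here is hypothetical. It also assumes each card was personalized with its own Ke_UA at issuance.

```python
import hashlib
import hmac
import secrets


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """Domain-separated HMAC-SHA256 (assumed primitive, not from the patent)."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()


def diversify(ke: bytes, ua: bytes) -> bytes:
    """Role of module 107: derive Ke_UA from the provider root key Ke and the UA."""
    return _prf(ke, b"diversify", ua)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (_prf(key, b"ks", nonce + i.to_bytes(4, "big"))
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _tag(ke_ua: bytes, nonce: bytes, ca: bytes, cw_enc: bytes) -> bytes:
    # The length prefix keeps the CA / ciphertext boundary unambiguous.
    return _prf(ke_ua, b"tag", nonce + len(ca).to_bytes(2, "big") + ca + cw_enc)


def build_ecm_u(ke: bytes, ua: bytes, ca: bytes, cw: bytes) -> dict:
    """Role of module 108: encrypt CW under Ke_UA and bind it to the access criterion."""
    ke_ua = diversify(ke, ua)
    nonce = secrets.token_bytes(12)
    cw_enc = bytes(a ^ b for a, b in zip(cw, _keystream(ke_ua, nonce, len(cw))))
    return {"ua": ua, "ca": ca, "nonce": nonce, "cw_enc": cw_enc,
            "tag": _tag(ke_ua, nonce, ca, cw_enc)}


def open_ecm_u(card_key: bytes, card_rights: set, ecm: dict):
    """Card side: return CW only if the ECM targets this card and a right matches CA."""
    expected = _tag(card_key, ecm["nonce"], ecm["ca"], ecm["cw_enc"])
    if not hmac.compare_digest(expected, ecm["tag"]):
        return None  # wrong card (different Ke_UA) or a modified ECM
    if ecm["ca"] not in card_rights:
        return None  # card holds no right conforming to the access criterion
    ks = _keystream(card_key, ecm["nonce"], len(ecm["cw_enc"]))
    return bytes(a ^ b for a, b in zip(ecm["cw_enc"], ks))


if __name__ == "__main__":
    # Constructed sample values: one root key, one control word, two terminals.
    ke, cw, ca = secrets.token_bytes(32), secrets.token_bytes(16), b"SPORT-LIVE"
    cards = {ua: diversify(ke, ua) for ua in (b"UA1", b"UA2")}
    ecms = {ua: build_ecm_u(ke, ua, ca, cw) for ua in cards}
    for ua, key in cards.items():
        for target, ecm in ecms.items():
            ok = open_ecm_u(key, {ca}, ecm) == cw
            print(f"card {ua.decode()} opens ECM for {target.decode()}: {ok}")
```

Because the access criterion is covered by the tag, a terminal cannot swap in a criterion it already holds a right for without the ECM being rejected.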
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
- Computer And Data Communications (AREA)
- Information Transfer Between Computers (AREA)
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0206086 | 2002-05-17 | ||
FR0206086A FR2839834B1 (fr) | 2002-05-17 | 2002-05-17 | Procede de distribution de donnees avec controle d'acces |
PCT/FR2003/001473 WO2003098870A2 (fr) | 2002-05-17 | 2003-05-15 | Procede de distribution de donnees avec controle d'acces |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1506661A2 (fr) | 2005-02-16 |
Family
ID=29286576
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP03752810A Withdrawn EP1506661A2 (fr) | 2002-05-17 | 2003-05-15 | Procede de distribution de donnees avec controle d acces |
Country Status (7)
Country | Link |
---|---|
US (1) | US20060015615A1 (zh) |
EP (1) | EP1506661A2 (zh) |
JP (1) | JP2005526329A (zh) |
CN (1) | CN100531187C (zh) |
AU (1) | AU2003254532A1 (zh) |
FR (1) | FR2839834B1 (zh) |
WO (1) | WO2003098870A2 (zh) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2005057865A1 (ja) * | 2003-12-11 | 2005-06-23 | Matsushita Electric Industrial Co., Ltd. | パケット送信装置 |
US7774825B2 (en) * | 2004-12-16 | 2010-08-10 | At&T Intellectual Property I, L.P. | Methods & apparatuses for controlling access to secured servers |
US8929360B2 (en) | 2006-12-07 | 2015-01-06 | Cisco Technology, Inc. | Systems, methods, media, and means for hiding network topology |
US9191621B2 (en) * | 2010-12-02 | 2015-11-17 | Nagravision S.A. | System and method to record encrypted content with access conditions |
US11072356B2 (en) | 2016-06-30 | 2021-07-27 | Transportation Ip Holdings, Llc | Vehicle control system |
US10814893B2 (en) | 2016-03-21 | 2020-10-27 | Ge Global Sourcing Llc | Vehicle control system |
US10218628B2 (en) * | 2017-04-12 | 2019-02-26 | General Electric Company | Time sensitive network (TSN) scheduler with verification |
US10116661B2 (en) | 2016-12-27 | 2018-10-30 | Oath Inc. | Method and system for classifying network requests |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6351467B1 (en) * | 1997-10-27 | 2002-02-26 | Hughes Electronics Corporation | System and method for multicasting multimedia content |
US6108789A (en) * | 1998-05-05 | 2000-08-22 | Liberate Technologies | Mechanism for users with internet service provider smart cards to roam among geographically disparate authorized network computer client devices without mediation of a central authority |
US6345307B1 (en) * | 1999-04-30 | 2002-02-05 | General Instrument Corporation | Method and apparatus for compressing hypertext transfer protocol (HTTP) messages |
DE19939281A1 (de) * | 1999-08-19 | 2001-02-22 | Ibm | Verfahren und Vorrichtung zur Zugangskontrolle zu Inhalten von Web-Seiten unter Verwendung eines mobilen Sicherheitsmoduls |
JP2003531539A (ja) * | 2000-04-17 | 2003-10-21 | エアビクティ インコーポレイテッド | 移動体データ通信用の安全な動的リンク割り当てシステム |
US6910074B1 (en) * | 2000-07-24 | 2005-06-21 | Nortel Networks Limited | System and method for service session management in an IP centric distributed network |
JP2002290458A (ja) * | 2001-03-26 | 2002-10-04 | Fujitsu Ltd | マルチキャストシステム |
FR2823936B1 (fr) * | 2001-04-19 | 2003-05-30 | France Telecom | Procede et systeme d'acces conditionnel a des services ip |
FR2833446B1 (fr) * | 2001-12-12 | 2004-04-09 | Viaccess Sa | Protocole de controle du mode d'acces a des donnees transmises en mode point a point ou point multi-point |
US20030149792A1 (en) * | 2002-02-06 | 2003-08-07 | Leonid Goldstein | System and method for transmission of data through multiple streams |
-
2002
- 2002-05-17 FR FR0206086A patent/FR2839834B1/fr not_active Expired - Fee Related
-
2003
- 2003-05-15 CN CNB038111268A patent/CN100531187C/zh not_active Expired - Fee Related
- 2003-05-15 WO PCT/FR2003/001473 patent/WO2003098870A2/fr active Application Filing
- 2003-05-15 AU AU2003254532A patent/AU2003254532A1/en not_active Abandoned
- 2003-05-15 US US10/515,031 patent/US20060015615A1/en not_active Abandoned
- 2003-05-15 JP JP2004506240A patent/JP2005526329A/ja active Pending
- 2003-05-15 EP EP03752810A patent/EP1506661A2/fr not_active Withdrawn
Non-Patent Citations (1)
Title |
---|
See references of WO03098870A2 * |
Also Published As
Publication number | Publication date |
---|---|
WO2003098870A2 (fr) | 2003-11-27 |
JP2005526329A (ja) | 2005-09-02 |
AU2003254532A8 (en) | 2003-12-02 |
AU2003254532A1 (en) | 2003-12-02 |
WO2003098870A3 (fr) | 2004-03-25 |
FR2839834A1 (fr) | 2003-11-21 |
CN100531187C (zh) | 2009-08-19 |
CN1653777A (zh) | 2005-08-10 |
US20060015615A1 (en) | 2006-01-19 |
FR2839834B1 (fr) | 2004-07-30 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20041105 |
|
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR |
|
AX | Request for extension of the european patent |
Extension state: AL LT LV MK |
|
DAX | Request for extension of the european patent (deleted) | ||
17Q | First examination report despatched |
Effective date: 20080414 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20101201 |