FR2876859A1 - METHOD AND SYSTEM FOR CONTROLLING ENABLING INTERNAL SOFTWARE ENABLING A RECEIVER TERMINAL - Google Patents

Abstract

The invention relates to the authorization control of a television receiver terminal (4), which communicates with a remote server (2) by a bidirectional link (81-82), and also receives an encoded multimedia stream. In the invention, terminal authorization information is stored with the server and with the terminal. Thus, when the terminal is powered on, the terminal automatically establishes a connection to the server, which retrieves at least part of the authorization information stored in the terminal and verifies that it matches the authorization information stored with the server. Depending on this verification, the server authorizes or not a download, to the terminal, of software applications for decoding the multimedia stream.

Description

Method and facility for enabling control of the

  The invention relates to the enabling control of the internal software of controlled access multimedia stream receiving terminals, in particular of descrambler terminals / pay television decoders.

  In multimedia data receiving terminals, particularly pay television data, there is usually a security processor (such as a smart card) integrated in the receiver or connected thereto. This security processor controls access to the data processed by the receiver, typically by allowing or prohibiting the descrambling or decoding of this data according to the compliance of the receiver with access criteria attached to this data. The security processor also makes it possible to verify the authorization of the receiving terminal to process the data, often by implementing an authentication procedure. If the security processor has verified that the terminal was enabled, it allows the execution of specific software applications to descramble / decode the media stream that receives the terminal. On the other hand, if the terminal is not enabled, the security processor inhibits the execution of the aforementioned software applications.

  Some terminals are said to be able to decode the multimedia data (for example, to decode in compression of audiovisual data in MPEG or other format) provided that internal decoding functions are activated. Activation or inhibition of these decoding functions are conditioned in particular by checking the validity or invalidity, respectively, of the access rights associated with the terminal. Moreover, multimedia data such as audiovisual data may be deliberately entangled, prior to broadcast. The data descrambling functions at the terminal can then be activated or inhibited according to the verification of the validity or invalidity of the access rights associated with the terminal. Hereinafter, the terms "descrambling" and / or "decoding" will be used to denote the functions whose execution or inhibition is conditioned by the validity or invalidity of the access rights.

  Terminals, as well as the security processors they contain, available to users, have not always proved inviolable and fraud (including forgery of authentication codes by malicious users) are always possible.

  In addition, it is often difficult for content provider operators to control the pool of terminals available to users, as well as the versions (authorized or, on the contrary, hackers) of the software applications installed in the terminals.

  Moreover, with the recent development of interactive multimedia applications, particularly in the context of pay television, many are today terminals equipped with a return path to one or more remote server (s). More specifically, a completely bi-directional link between server and terminal, for example of xDSL type (for "Digital Subscriber Line") has proved advantageous in some recent applications. Such a bidirectional link is to be distinguished from a simple conventional return channel, for example of the RTC / IP type.

  The present invention intends to take advantage of these means of communication to remote servers, which are already equipped most receiver terminals, to substantially solve the problems encountered in the prior art and indicated above.

  For this purpose, it firstly proposes a method of enabling control of at least one receiving terminal of a multimedia stream, in which the terminal is arranged: firstly, to communicate with at least one remote server by a bidirectional link, and - on the other hand, to receive a multimedia stream and descramble / decode this stream by the execution of specific software applications.

  Within the meaning of the invention, the aforementioned remote server is a download control server of the aforementioned software applications to the terminal.

  The method according to the invention then comprises the following steps.

  a) storing device authorization information is stored at the download control server and at the terminal, b) when the terminal is turned on, the terminal automatically establishes a connection to the download control server, c) the download control server retrieves at least a portion of the authorization information stored at the terminal and verifies a match with the authorization information stored with the server, and d) at least based on this check by the control server download, the latter authorizes or not a download to the terminal specific software applications for descrambling / decoding the multimedia stream.

  Thus, it will be understood that the authorization to download the descrambling / decoding software applications is given at the level of the download control server, and no longer at the receiving terminal as in the prior art technique.

  The present invention then offers many advantages. It already offers a possibility of evolution of the authorization control insofar as the download conditions, based on the authorization information present in the terminal, are fixed by the operator responsible for the aforementioned server. These conditions can therefore evolve over time according to the wishes of the operator. However, in the art of the prior art, the download conditions are defined in the receiving terminal, and can not evolve.

  Thus, while the downloading of a possible new version of the descrambling / decoding software applications was subject, in the prior art, to security rules that depended solely on the terminal (in particular its security processor), these rules security can no longer be fixed for each terminal and can change over time, thanks to the implementation of the method according to the invention. Indeed, by deporting the authorization functions to a remote download control server, dedicated in particular to the authorization control of the terminals, it is sufficient to update these security rules directly with this server, without having to intervene with terminals. It will thus be understood that the operator responsible for the authorization checks carried out by the download control server can update the software applications and / or the security rules in a single intervention on this server.

  In addition, the step of downloading the applications can be used to obtain information on the terminals, such as statistics on their configuration and their use. Indeed, it will be understood that, by implementing the method according to the invention, the operator can control the downloads, including the number of downloads for the same terminal, for example, the audience measurement, evaluate the migration security processors (for example in the form of smart cards) on a fleet of terminals, or others.

  Thus, in an advantageous embodiment, the server comprises a database storing authorization information of several terminals and terminal-specific software applications, in correspondence of at least respective terminal identifiers, for the management of the terminal. a fleet of receiving terminals available to users.

  To ensure a regular update of the descrambling / decoding software applications to the terminals, in step d), the server preferably transmits to the terminal a new version of the software applications most suitable for this terminal, if necessary. For example, the most suitable version may be the version that is available from the server and is the most recent, depending on the modernity of the terminal.

  In a particular embodiment, the software applications include at least one operating system (or "operating system" in English) for the terminal's computing resources.

  Advantageously, the aforementioned software applications include an application for descrambling / decoding the multimedia stream.

  In a first embodiment, the terminal stores, in step d), the software applications downloaded from the server to a volatile memory, each startup of the terminal, typically during a power up. In a particularly advantageous manner, none of said applications is resident in the terminal. Thus, from the remote download control server, all the descrambling / decoding software applications used by the terminals are checked, with a risk of fraud practically nil.

  In a second embodiment, the terminal stores the software applications received from the download control server in a permanent memory, typically in a flash memory or E2Prom. It will thus be understood that, in this embodiment, the downloading of the software applications is not systematic but is preferably performed for an update of the applications.

  Advantageously, in this second embodiment, the download control server can also check consistency with the terminal of the software application version which is stored in the permanent memory of the terminal. For this purpose, the server can archive, typically in the database storing the authorization information of the terminals, the versions that should be installed at the different terminals. Preferably, when it is first put into service, a terminal connects to the download control server to signify to the server the version it has in memory. The download control server then archives a reference of the version stored in this terminal, preferably in an appropriate database. Then, during the following connections, the download control server reads the version actually installed and compares it with the version archived in its database.

  Thus, it will be understood that, advantageously, the control server can further verify a consistency of the version of the software applications that is stored in the permanent memory of the terminal. In particular, if the installed version differs from the archived version, the download control server can transmit to the terminal a blocking order of the terminal or, if necessary, update the installed version. In particular, if a more appropriate version must replace the one stored in the terminal, the download control server advantageously transmits to the terminal this new version of the software applications.

  In a preferred embodiment, the aforementioned entitlement information includes authentication data. In this embodiment, in step c), the download control server authenticates the terminal by a procedure implementing on the one hand a public key provided by the terminal and on the other hand a corresponding private key derived from the stored data. from the server.

  Preferably, the method provides for mutual authentication of the download control server and the terminal, by a procedure implementing, via the bidirectional link, the public keys of the terminal and the server and the respective private keys, derived from the data stored at the terminal. server and terminal.

  For this purpose, the terminal advantageously comprises a security processor in which the authentication data of the terminal is initially stored vis-à-vis the download control server. Typically, a smart card can be provided as a security component installed at the terminal to improve the security of the download. Advantageously, thus retains, for the most part, the classical physical structure (hardware) of existing receiver terminals and which already use this type of security processors. Preferentially, there is also a substantially homologous security processor with the download control server to perform the authorization check.

  Advantageously, the method also provides a procedure for verifying the integrity of the software application data transmitted to the terminal, preferably with a verification of the authenticity of the issuer of the software application data.

  Advantageously, the respective computer programs are initially stored in the terminal, on the one hand, and on the download control server, on the other hand, in permanent memory. These programs essentially make it possible: - to first establish a communication between the download control server and the terminal, - check, on the control server side, the authorization of the terminal, - and, on the terminal side, to possibly download the applications aforementioned software.

  Thus, for the terminal, the following initial steps are preferably provided: al) the computer resource terminal is equipped to read a start-up routine, a2) a startup routine is provided that includes at least one connection instruction from the terminal to the server , a3) and this startup routine is stored in a permanent memory of the terminal.

  As such, the present invention is directed to a computer program product, intended to be stored in a permanent memory of a receiving terminal, and thus comprising a startup routine of the terminal, for the implementation of all or part of the process steps. according to the invention.

  For the server, the following initial steps are preferably provided.

  a'l) the computer resource server is equipped to read a software application download routine to the terminal, a'2) a download routine including at least one terminal enabling verification instruction is provided; '3) and stores this download routine in a permanent memory of the server.

  As such, the present invention also aims a computer program product, now intended to be stored in a permanent memory of a software application download control server for descrambling / decoding a multimedia stream, and thus comprising a download software application control routine, for the implementation of all or part of the steps of the method according to the invention.

  The present invention is advantageously applicable to the distribution of multimedia content, including pay television content, over a bidirectional broadband network (broadband network), allowing content to be delivered beyond the broadband network. simple broadcast of television signals on a mono-directional network (or "broadcast network" in English terms).

  By way of non-limiting example, the aforementioned distribution of the multimedia contents can be performed in "point-to-point" (or "peer-topeer") mode.

  As such, the present invention also aims at such an application of the method within the meaning of the invention.

  The present invention also aims at an authorization control system for downloading software applications, in particular for descrambling / decoding a multimedia stream such as an audiovisual television stream, comprising at least: a control server of downloading said software applications, and a receiving terminal, on the one hand connected to the download control server by a bidirectional link for downloading said software applications, and arranged on the other hand to receive the multimedia stream and descramble / decode this stream by the execution of the aforementioned software applications.

  The terminal of the system within the meaning of the invention comprises computer resources for: storing the first terminal authorization information, storing and reading a startup computer program including at least one automatic connection instruction to the server when setting power on the terminal.

  For its part, the download control server of the system within the meaning of the invention comprises computer resources for: storing second terminal authorization information; storing and reading a computer program for downloading software applications comprising at least : o a read instruction of the first and 5 second authorization information, o a consistency check test between the first and second authorization information, o and a download instruction software applications, conditioned at least 10 by said test .

  In the preferred embodiment where authentication of the terminal is conducted, the first and second enabling information respectively comprise first and second authentication data. The terminal startup program comprises at least one instruction for forming and communicating to the server authentication data of the terminal by a procedure implementing a public key derived from the first authentication data. The server download program includes at least one instruction for verifying the authentication data of the terminal by a procedure implementing a private key derived from the second authentication data. The aforementioned test may then comprise a consistency check instruction between the public key and the private key, in the manner of a conventional cryptographic authentication procedure. There may be mentioned, by way of non-limiting example, an authentication procedure using the "RSA" ("Rivest Shamir Adleman") cryptography algorithm.

  In the context of mutual authentication of the terminal and the server, the terminal startup and server download programs advantageously comprise homologous authentication instructions, with exchange and verification of consistency of authentication data obtained by a procedure implementing public keys transmitted via the bidirectional link and respective private keys, derived from the first and second authentication data.

  In addition to the preferred characteristics of the method in the sense of the invention, specific to the receiving terminal and the download control server, described above and that can advantageously be found in the system within the meaning of the invention, the bidirectional link between the terminal and the download control server is preferably of type xDSL (for "Digital Subscriber Line"). It will be understood, however, that the present invention can be adapted to any other bidirectional network technology.

  The present invention also relates to the receiver terminal of the system within the meaning of the invention.

  It also refers to the download control server and control system empowerment within the meaning of the invention.

  Other features and advantages of the invention will appear on examining the detailed description given hereinafter by way of non-limiting example, and the attached drawings in which: FIG. 1 represents an example of an architecture of the In the sense of the invention, FIG. 2a schematically represents the elements of a download control and entitlement control server in the sense of the invention; FIG. 2b schematically represents the structure of a receiver terminal at 3 shows schematically the structure of a flash memory of the terminal, according to a particular embodiment of the invention, and FIG. 4 represents a preferred embodiment of the various steps carried out by a method in the sense of The invention.

  We first refer to Figure 1 to describe the system within the meaning of the invention, in the architecture of a digital television network, in the example shown.

  The system comprises a bidirectional network 3 for connecting a receiving terminal 4 to a server 2 for downloading control and enabling control of the terminal. The terminal 4 and this server 2 are connected by a bidirectional link 81-82.

  In general, it is indicated that the present invention provides the control of the start-up of a digital television receiver terminal 4, as well as the secure and adapted downloading from the terminal 4 of a software application version, in particular for the descrambling / decoding. Preferably, at each start, the terminal connected to the network 3 makes a connection to the download control server 2. After mutual authentication of the two entities 4 and 2, thanks to the security processors 5 and 6 in the example described , the control server 2 retrieves information present on the terminal 4 and on the security processor 6. The control server 2 analyzes this information and allows or not the continuation of the startup process. The criteria that make it possible to define whether a receiving terminal is authorized or not to continue the start-up sequence are advantageously modifiable with the control server 2 to allow maximum flexibility.

  In particular, the server 2 can authorize or not the download of a version of the software applications to the receiving terminal. The server 2 advantageously stores all the information in order to perform statistics on the receiving terminals present on the network 3. The complete start-up of the terminal then makes it possible to access the television programs broadcast for example by another server with the reference 1 in Figure 1, which, he, ensures the distribution of multimedia content, with, for example, a broadcast of audiovisual television programs.

  Referring to FIG. 1, this multimedia distribution server 1 broadcasts the television programs (arrow 7), via the network 3 in the example represented. This server 1 is managed by the operator who broadcasts the programs.

  This multimedia distribution server 1 may or may not be distinct from the download control server 2 within the meaning of the invention.

  It will be noted that the control server 2 carries out the control of the receiver terminal 4 and, more particularly, the possible download of the software applications, in particular descrambling / decoding. The equipment 2 is hereinafter called "download control server". This server 2 is managed by the operator and / or the access control provider.

  Although a single terminal is shown in Figure 1, it is indicated that the system within the meaning of the invention may include several terminals 4, receiving the multimedia stream 7, for example containing the digital television data to be descrambled / decoded. Similarly, it is also possible to provide several download control servers 2, as well as several broadcast servers 1, for the same terminal available to a user subscribing to several digital television services.

  It is recalled that all the equipment of Figure 1 are connected by the network 3 preferably by a high speed bidirectional link, for example a wired link such as an xDSL link.

  Referring to FIG. 2a, the download control server 2 comprises: one or more security processors for ensuring the security of the connection and the downloading to the terminal; a database 21 for storing in particular data; of enabling a plurality of receiving terminals 4, in correspondence of respective identifiers, in order to advantageously manage a whole fleet of terminals available to users, - processing means, such as a processor 22 for implementing computer program instructions which will be detailed later, and - memory 23 (permanent, for example ROM type, and / or working, for example RAM type) for storing and executing program instructions.

  It is simply indicated here that the download control server 2 comprises computer resources for: - executing a program implementing a signature algorithm, which ensures the authenticity of the sender of the software applications (in this case the server of control 2) and also the integrity of the data of the signed and transmitted software applications, - preferably, furthermore execute a program implementing a CHECKSUM calculation algorithm making it possible, as will be seen later, to guarantee further the integrity data of the transmitted software applications, - furthermore executing a program implementing an authentication algorithm, preferentially mutual, between the control server 2 and the receiving terminal 4, using for example a cryptography algorithm implementing keys public and private keys, - store the version of software applications that is available for a possible the download and which is best suited for different terminals or types of terminals 4, store, for example in the database 21, a black list of unique identifiers of unauthorized security processors (for example corresponding to stolen smart cards) or hacked), and store, for example in the database 21, a blacklist of unique identifiers of unauthorized terminals (stolen or hacked for example).

  Advantageously, the download control server 2 can then perform the following actions: - the preparation of a version of software applications to download, with a calculation of the CHECKSUM on the application, the calculation of a signature, etc., - the reception of connections with the terminals, - the verification of the configuration of the terminals (prohibit for example, according to their configuration, the operation of one or more terminals), - possibly the downloading of a new software version on the terminals, - storing all the connections and information received from each terminal in the database 21.

  It is recalled that the calculation of CHECKSUM on an application is a integrity guarantee routine consisting for example in calculating the sum of the bytes that make up this application (so-called "control" sum), in particular to check the integrity of the application. a file or block of data corresponding to or used in this application.

  Referring now to FIG. 2b, the general architecture of a digital television receiver terminal 4 within the meaning of the invention comprises: processing means such as a processor 14 connected by a bus 13 to memories 15 to 18 (directly addressable by the processor 14), a ROM, nonvolatile and non-programmable, which can be ROM type, bearing the reference 15 in FIG. 2b and typically intended to store a startup program of the terminal, a volatile random access memory, for example of RAM type, referenced 16 in FIG. 2b and intended in particular for the execution of programs and the manipulation of data, as working memory, - a permanent memory, no volatile, and re-programmable, for example flash type 17 and / or type E2PROM 18, containing terminal configuration and / or security parameters.

  As indicated above, the software applications downloaded from the control server 2 can be stored in RAM 16, in a first embodiment, or in permanent memory 17 or 18, in a second embodiment, as will be seen further.

  It is simply indicated here that, in the first embodiment, the download of the descrambling / decoding software applications is performed at each startup (or power on) of the terminal. The terminal then executes these descrambling / decoding applications from a volatile memory 16.

  In the second embodiment, the download is made simply with each availability of a new appropriate version of the descrambling / decoding software applications. The terminal then executes these applications from the permanent memory 17 or 18, for example from the flash memory 17. FIG. 3 shows the structure of a flash memory 17, according to this second embodiment in which provision is made a download in permanent memory. The flash memory 17 includes a non-rewritable portion 171 ("OTP" memory) for storing all or part of the instructions of the terminal startup program. The second part 172 is a rewritable zone intended typically for storing software applications (APPL) downloaded from the server 2.

  It is indicated that, in a preferred embodiment, the software applications that can be downloaded include an operating system (or "OS" for "Operating System") responsible for managing the use of terminal resources by these applications. It will thus be understood the importance of updating the versions of such software applications with the receiving terminals. Thus, referring again to the example of FIG. 3, the last version of the operating system OS (UPD) is preferably stored in the rewritable zone 172 of the flash memory 17.

  Furthermore, the startup program can be stored in ROM 15 and / or in permanent memory 17 or 18. This boot program (or "boot" in English word) provides: - initialization of the terminal 4, - and possibly downloading a new version of the descrambling / decoding software applications.

  This startup program advantageously comprises: the minimum drivers (or "drivers") for controlling the only hardware components (processor, memory, interface with the security processor, or other) necessary for the connection, the authorization control and at download, - a connection configuration (parameterized according to main parameters to connect to the download control server 2, as well as fallback parameters allowing a connection to other control servers in the event of failure of the communication with the server 2), a program implementing an algorithm for example cryptography using a private key of the terminal, and if necessary a public key of the server, to contribute to the authentication of the terminal by the server or proceed mutual authentication of the terminal and the server, - an asymmetric algorithm implementing a private key, here to verify r the signature of the version of the downloaded software applications, and hence the integrity of the data downloaded, as well as the authenticity of the issuer of said data, and - a verification algorithm (CHECKSUM) to further control the integrity downloaded applications.

  The terminal memory also stores a unique identifier of the terminal, called for example "STB-id" in the case where the receiving terminal is a descrambler / decoder terminal of an "STB" type audiovisual stream (for "Set Top Box"). "). It is however indicated that, alternatively, the receiving terminal may consist of a lounge computer or a laptop, to which respective unique identifiers are assigned.

  The terminal 4 further comprises: an interface 10 with the network 3 (for example an xDSL modem interface) making it possible in particular to exchange data with the servers 1 and 2, a demultiplexer / descrambler 11 providing the data separation functions (audio, video, interaction data, private data, and others), a digital audio / video decoder-converter 12, audio and video, and a security processor 6 such as a smart card to ensure the security of the connection to the server 2 and the security of the download of the applications.

  The security processor 6 is connected to the terminal 4 by an input / output module 19.

  It is furthermore indicated that the user of the terminal can act on the functions of the terminal via a man / machine interface 20 connected to the aforementioned module 19. The interface 20 may comprise for example a remote control and a data display on the television screen.

  Furthermore, each security processor 6 comprises: computer resources for executing an asymmetric algorithm implementing at least one private key and at least one public key making it possible to perform mutual authentication of the terminal and the server 2; computer resources to implement a routine for reading and transmitting, in particular to the server 2 when it is the security processor 6 connected to the terminal, a unique security processor identifier denoted UA (for "Unique Address"), - a memory non-volatile re-programmable to store information such as a PIN, access rights to programs, or other.

  Referring now to Figure 4 to describe the steps of verification and possible download in an exemplary embodiment of the method within the meaning of the invention.

  FIG. 4 shows, on the left-hand side, the steps carried out by the terminal 4 and, on the right-hand side, the steps carried out by the download control server 2.

  At each start of the terminal, the startup program takes over, initializes the hardware components and executes a computer routine in the sense of the invention which preferably takes place as follows.

  In step 30, this program controls the xDSL modem of the terminal to send a connection request to the control server 2. It uses for this purpose the memorized connection parameters, mentioned above. In step 31, the control server 2, if it accepts it, establishes the connection with the terminal 4. In this step 31, the control server 2 can advantageously store the time and the address of the terminal. In step 32, the program tests whether the connection succeeded (arrow "ok") or failed (arrow "ko"). In case of failure of the connection to the main server 2 or to the fallback servers as indicated above, the program proceeds to the error handling step 52, described below.

  If the establishment of the connection is successful, in step 33, the program verifies the presence of the security processor 6, for example by resetting (or "resetting") it. In step 34, if the security processor is not present (arrow ko), the program proceeds to the error management step 52. Otherwise (arrow ok), it goes to the next step 35, corresponding in step 36 implemented by the server 2 and consisting of allowing the authentication of the terminal by the server or to verify their mutual authentication with the help of the security processor 6 of the terminal 4 and the security processor 5 of the server 2. As indicated above, this authentication can be conducted by using public keys and respective private keys.

  If this authentication step has failed (in test 37), the program proceeds to step 52. In addition, in case of failure of the peer authentication test 38 conducted with the control server 2, the server 2 stores the negative result of the authentication in step 49.

  On the other hand, if the authentication step is successfully passed, the terminal retrieves and transmits to the server 2, in step 39, the information relating to, and not exhaustively: the physical address of the terminal, the unique identifier of the security processor, - the unique identifier of the terminal (for example of the STB-id type), - if necessary, in the second aforementioned embodiment, the current version of the software applications stored in permanent memory 17 or 18, - other significant data present on the security processor 6 (program access rights, confidential access code, or other), - and the configuration or security information contained in the permanent memory 17 or 18.

  Thus, it will be understood, in general terms, that the respective identifiers are initially assigned to the terminal 4 and / or the security processor 6, which advantageously can be stored at the terminal 4 and at the server 2, as information of the terminal equipped with its security processor 6. Thus, during the connection between the server and the terminal, the latter can identify with the server by transmitting these identifiers to the server.

  For its part, the control server 2 retrieves, in step 40, the information transmitted to it by the terminal and stores it. According to one of the advantages that the present invention provides, the server can then carry out statistics on each terminal, including for example the total number of downloads since it was put into service, the average number of terminal starts per day, the number of security processors used by a terminal, or others.

  In step 41, the control server 2 verifies that the received information is consistent. In particular, and not exhaustively: the unique identifier of the security processor must not be blacklisted, - the unique identifier of the terminal must not be blacklisted, - the unique identifier of the security processor and the unique identifier of the terminal go together, the access rights derived from the security processor are consistent, - the other security information is consistent, - the version of the software applications stored in permanent memory in the terminal, in the second mode of aforementioned embodiment, must be consistent with the data in the base of the control server 2.

  It is recalled that the criteria that make it possible to define whether a receiving terminal is authorized or not to continue the start-up sequence are advantageously modifiable in the control server itself, to ensure maximum flexibility.

  If the information is not coherent, the control server 2 proceeds to the error storing step 49, then to the disconnected state with the "DECONNECT KO" anomaly bearing the reference 50.

  On the other hand, if the information is coherent: in the first embodiment (applications stored in RAM), the server 2 performs the download in the terminal of the version best adapted to the terminal (steps 44 and 45); it will be understood that in this first mode, steps 42 and 43 are not executed because the download is to be done systematically, - in the second embodiment of the invention (applications stored in permanent memory), in step 42, the control server 2 checks whether to download a new version of the software applications, for example by comparing a received version number with a version number of the software applications available on the server 2.

  In this second mode, if no download is to be made, the server 2 informs the terminal 4 that no download is to be made (step 43) and goes to the disconnection step without fault 60. For its part, the receiving terminal 4 also proceeds to the step 56 of disconnection without anomaly.

  On the other hand, in this second mode, if a download of a more appropriate version is to be performed following step 42, the server 2 informs the terminal (step 43) of the future download of the new version and, at the step 45, the terminal receives this new version.

  It will be understood that the aforementioned tests 42 and 43 on the version previously installed at the terminal can be deleted in the first advantageous embodiment where the software applications are stored in volatile memory.

  In both embodiments, the method then proceeds to step 44, in which the control server 2 sends the available and best adapted version of the software applications to the terminal, as well as the value of the CHECKSUM and a digital signature of the corresponding file.

  In step 45, the terminal receives in RAM 16 this new version and, in step 46, verifies the aforementioned digital signature using a private key provided for this purpose and the aforementioned asymmetric algorithm. In step 47, if the signature is not correct, the terminal proceeds to the error step 52. Otherwise, in step 48, the terminal checks the value of the CHECKSUM by calculating the CHECKSUM then by comparison with compared to the value sent. In test 53, if the value of the CHECKSUM is not correct, the terminal proceeds to step 52. Otherwise, the terminal saves the downloaded software applications in permanent memory 17, only in the second embodiment mentioned above, at the same time. step 54 (shown for this purpose in dashed lines in Figure 4).

  In step 55, the terminal 4 informs the control server 2 that the download operation has proceeded correctly and, in step 56, it receives the authorization to execute the software applications. Then, the terminal 4 and the server 2 can proceed to respective steps 56 and 60 disconnection without abnormality.

  Finally, the terminal can then implement the software applications allowing in particular the descrambling / decoding of the received multimedia stream.

  However, it is specified that in the event of an error at the terminal or in the event of reception (step 51) of the disconnect request by the control server when it identifies an error case (step 50), the terminal preferably executes the step 52 of preventing the server 2 from an error and to display an alarm message, for example on the screen of the television set of the subscriber, to prevent it. The terminal then disconnects from the server (step 57) and then hangs (step 58). The user must preferentially reset the terminal, in this case.

  In the event of an error detected by the server 2 (typically bad authentication or terminal parameters that are inconsistent), the server 2 proceeds to step 49 consisting of an error storage, followed by a step 50 of disconnection.

  Of course, the present invention is not limited to the embodiment described above by way of example; it extends to other variants.

  Thus, it will be understood for example that the detailed structure of the terminal shown in Figure 2b is capable of variants. Similarly, the detailed steps of the method as shown in Figure 4 are variants. An advantageous embodiment has been described above in which the authentication is carried out on the basis of the aforementioned security processors, but this implementation is still susceptible of variants, for example by providing an authentication module directly incorporated in the terminal.

  Moreover, in a less sophisticated embodiment than that described above by way of example, provision can be made for a simple identification, without authentication, of the terminal connected to the control server, although this embodiment is currently preferred.

Claims (33)

claims   A method for enabling verification of at least one receiving terminal of a multimedia stream, in which the terminal (4) is arranged: on the one hand, for communicating with at least one remote server (2) by a bidirectional link, and - secondly, for receiving a multimedia stream and decoding this stream by the execution of specific software applications, characterized in that said server is a control server (2) for downloading said software applications, and in that the method comprises the following steps.   a) store terminal authorization information at the control server and at the terminal, b) when the terminal is turned on, the terminal automatically establishes a connection to the control server, c) the control server recovers at least a part of the authorization information stored at the terminal and checks a concordance with the authorization information stored at the server, d) and, at least according to this verification, the control server authorizes or not a download, to the terminal, specific software applications for descrambling / decoding the multimedia stream.   2. Method according to claim 1, characterized in that the authorization information comprises authentication data, and in that, in step c), the control server authenticates the terminal by a procedure implementing, on the one hand, a public key provided by the terminal and, on the other hand, a corresponding private key derived from the data stored at the control server.   3. Method according to claim 2, characterized in that it comprises a mutual authentication of the server and the terminal, by a procedure implementing, via the bidirectional link, the public keys of the terminal and the server and the respective private keys, from the data stored at the server and the terminal.   4. Method according to one of claims 2 and 3, characterized in that the terminal comprises a security processor (6) in which initially stores said authentication data of the terminal vis-à-vis the control server.   5. Method according to one of the preceding claims, characterized in that it is initially assigned to the terminal an identifier, stored at the terminal and to the server, and in that during the connection of step b) , the terminal identifies itself to the server by transmitting said identifier to the server.   6. Method according to claim 4, characterized in that one assigns an identifier to the security processor, this identifier being stored near the terminal and to the server, and in that during the connection of step b ), the terminal identifies itself to the server by transmitting at least said identifier of the security processor.   7. Method according to one of the preceding claims, characterized in that the server comprises a database (21) storing authorization information of several terminals and terminal-specific software applications, in correspondence of at least identifiers respective terminals, for the management of a pool of receiving terminals available to users.   8. Method according to one of the preceding claims, wherein the software applications are regularly updated, characterized in that, in step d), the server transmits to the terminal a new version of the software applications most suitable for the terminal where appropriate.   9. Method according to one of the preceding claims, characterized in that the software applications comprise at least one operating system (OS) terminal computer resources.   10. Method according to one of the preceding claims, characterized in that the software applications comprise a descrambling / decoding application of the multimedia stream.   11. Method according to one of the preceding claims, characterized in that, in step d), the terminal stores the downloaded software applications from the server in a permanent memory.   12. The method of claim 11, taken in combination with claim 8, characterized in that the server further verifies a consistency of the software application version which is stored in the permanent memory of the terminal.   13. Method according to one of claims 1 to 10, characterized in that, in step d), the terminal stores software applications downloaded from the server into a volatile memory (16), each power up of the terminal.   14. Method according to one of the preceding claims, characterized in that it comprises a procedure for verifying the integrity of the software application data transmitted to the terminal, preferably with a verification of authenticity of the transmitter of said software application data.   15. Method according to one of the preceding claims, characterized in that it comprises the following initial steps: a1) the computer resource terminal is equipped to read a start-up routine, a2) a start-up routine including minus a terminal connection instruction to the server, a3) and store said start routine in a permanent memory of the terminal.   16. Method according to one of the preceding claims, characterized in that it comprises the following initial steps.   ail) the IT resource control server is equipped to read a software application download routine to the terminal, a'2) a download routine including at least one terminal enabling verification instruction is provided; 3) and stores said download routine in a permanent memory of the server.   17. Computer program product, intended to be stored in a permanent memory (15) of a receiving terminal, characterized in that it comprises a startup routine of the terminal, for the implementation of all or part of the process steps according to claim 15.   18. Computer program product intended to be stored in a permanent memory of a software application download control server for the descrambling / decoding of a multimedia stream, characterized in that it comprises a download control routine. software applications for the implementation of all or part of the process steps according to claim 16.   19. Application of the method according to one of claims 1 to 16 to the distribution of multimedia content, including pay television content.   20. Enabling control system for downloading software applications, in particular for descrambling / decoding a multimedia stream, characterized in that it comprises at least: a server (2) for controlling the downloading of said software applications. , and - a receiving terminal (4), on the one hand connected to the control server by a bidirectional link (81-82) for downloading said software applications, and arranged on the other hand to receive the scrambled / encoded multimedia stream and descramble / decoding this stream by executing said software applications, in that the terminal comprises computer resources for: storing first terminal authorization information, - storing and reading a startup computer program comprising at least one automatic connection instruction to the server when the terminal is turned on, and in that the control server has informational resources aids for: - storing second terminal authorization information, storing and reading a computer program for downloading software applications comprising at least.   a read instruction of the first and second authorization information, a consistency check test between the first and second authorization information, and a download instruction of the software applications, conditioned at least by said test.   21. System according to claim 20, characterized in that the first and second enabling information respectively comprise first and second authentication data, in that the startup program comprises at least one instruction for forming and communicating to the server a server. public key taken from the first data, and in that the download program includes at least one instruction for forming a private key derived from the second data, while said test includes a consistency check instruction between the public key and the private key.   22. System according to claim 21, characterized in that the startup and download programs comprise homologous authentication instructions to carry out mutual authentication of the server and the terminal, with exchange of public keys transmitted via the bidirectional link and checks of coherence with respective private keys, derived from the first and second authentication data.   23. System according to one of claims 21 and 22, characterized in that the terminal comprises a security processor (6) storing at least said first authentication data.   24. System according to one of claims 20 to 23, characterized in that said first and second enabling information comprise a terminal identifier.   25. System according to claims 23 and 24, characterized in that said first and second enabling information further comprises a security processor identifier.   26. System according to one of claims 24 and 25, characterized in that the server comprises a database (21) storing authorization information of several terminals and terminal-specific software applications, corresponding to at least respective terminal identifiers, for the management of a pool of receivers terminals available to users.   27. System according to one of claims 20 to 26, characterized in that the software applications comprise at least one terminal computer resource operating system.   28. System according to one of claims 20 to 27, characterized in that the terminal comprises a permanent memory for storing the software applications from the server.   29. System according to claim 28, characterized in that said permanent memory is a flash memory (17) and / or an E2PROM memory (18).   30. System according to one of claims 20 to 27, characterized in that the terminal comprises a volatile memory (16) for storing the software applications from the server.   31. System according to one of claims 20 to 30, characterized in that the bidirectional link (81-82) between the terminal and the server is of type xDSL.   Receiving terminal of a system according to one of claims 20 to 31.   33. Server of a system according to one of claims 20 to 31.