GB2487727A - Module for extracting decryption seed, generating a key and providing a secure host channel - Google Patents

Module for extracting decryption seed, generating a key and providing a secure host channel Download PDF

Info

Publication number
GB2487727A
GB2487727A GB1101471.9A GB201101471A GB2487727A GB 2487727 A GB2487727 A GB 2487727A GB 201101471 A GB201101471 A GB 201101471A GB 2487727 A GB2487727 A GB 2487727A
Authority
GB
United Kingdom
Prior art keywords
transport stream
module
operable
host
decryption key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB1101471.9A
Other versions
GB201101471D0 (en
Inventor
David Richard Hill-Jowett
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sony Europe BV United Kingdom Branch
Original Assignee
Sony Europe Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sony Europe Ltd filed Critical Sony Europe Ltd
Priority to GB1101471.9A priority Critical patent/GB2487727A/en
Publication of GB201101471D0 publication Critical patent/GB201101471D0/en
Publication of GB2487727A publication Critical patent/GB2487727A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/41Structure of client; Structure of client peripherals
    • H04N21/418External card to be used in combination with the client device, e.g. for conditional access
    • H04N21/4181External card to be used in combination with the client device, e.g. for conditional access for conditional access
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N21/435Processing of additional data, e.g. decrypting of additional data, reconstructing software from modules extracted from the transport stream
    • H04N21/4353Processing of additional data, e.g. decrypting of additional data, reconstructing software from modules extracted from the transport stream involving decryption of additional data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N21/436Interfacing a local distribution network, e.g. communicating with another STB or one or more peripheral devices inside the home
    • H04N21/4367Establishing a secure communication between the client and a peripheral device or smart card
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N21/44Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream, rendering scenes according to MPEG-4 scene graphs
    • H04N21/4405Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream, rendering scenes according to MPEG-4 scene graphs involving video stream decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/45Management operations performed by the client for facilitating the reception of or the interaction with the content or administrating data related to the end-user or to the client device itself, e.g. learning user preferences for recommending movies, resolving scheduling conflicts
    • H04N21/462Content or additional data management, e.g. creating a master electronic program guide from data received from the Internet and a Head-end, controlling the complexity of a video stream by scaling the resolution or bit-rate based on the client capabilities
    • H04N21/4623Processing of entitlement messages, e.g. ECM [Entitlement Control Message] or EMM [Entitlement Management Message]

Abstract

A module 300 (e.g. Common Interface Conditional Access Module, CICAM ), to connect to a host (set-top box, STB, IDTV, etc: 200, Figure 2), comprises: a decryptor to decrypt an encrypted transport stream (TS) â e.g. scrambled using a common scrambling algorithm (CSA) - received from the host, the stream containing content data and a decryption seed (e.g. entitlement control message, ECM; entitlement management message, EMM); a decryption key generator 320 operable to extract the decryption seed from the transport stream and to generate a decryption key (control word, CW); and a secure authentication channel (SAC) generator 350 operable to generate a secure channel between the module 300 and the host (200, Figure 2), with the decryption key being provided over the secure channel (SAC). The transport (data packet) stream may comprise usage rule information, with the module further including a usage rule generator; the stream (TS) may container an identifier (ID), allowing specific usage rule generation.

Description

A Method, Modu le and Host The present invention relates to a method, module and host.
Presently, the Common Interface Plus (Cl+) interface is a standard that allows data broadcasts to be scrambled before being sent over the air and descrambled at the decoder before being displayed to the user. The decoder is located in the set-top box which receives the broadcast signals. Additionally located in the set top box is a Common Interface which allows a Common Interface ConditionalAccess Module (or CICAM hereinafter) to be provided.
In operation, the CICAM is located within the set-top box. When the broadcast signal is received, the set top box demodulates the received transport stream and sends the received transport stream to the CICAM as a demodulated stream. The CICAM then decrypts the received transport stream using the conditional access system decryption cipher and then may re-encrypt the content using a content control cipher. This data is then sent back to the set-top box where the re-encrypted data is subsequently decrypted, and viewed or stored depending on the user's preference.
Due to the large amount of bandwidth required to send two complete transport streams over the interface between the set-top box and the CICAM, it is inconvenient to have decryption for multiple tuners using this technique. It is an aim of this embodiment to therefore reduce the bandwidth of data passed over the interface between the set-top box and the CICAM.
According to a first aspect, there is provided a module configured in operation to connect to a host, the module comprising: a decryptor operable to decrypt an encrypted transport stream received from the host, the transport stream containing content data and a decryption seed; a decryption key generator operable to extract the decryption seed from the transport stream and to generate a decryption key from said decryption key seed; and a secure channel generator operable to generate a secure channel between the module and the host, whereby the secure channel generator is further operable to provide the generated decryption key to the host over the secure channel.
This is useful because only the decryption key is sent over the secure channel. Therefore, the bandwidth usage is more efficient than with the prior art.
The transport stream may further contain usage rule information and the module further comprises a usage rule generator operable to generate a rule relating to the use of the content data from the rule information in the transport stream.
The transport stream may further contain a transport stream identifier which identifies the transport stream, wherein the usage rule generator is operable to generate a rule specific to the content data of the transport stream identified by the transport identifier.
The secure channel generator may be further operable to transfer the rule relating to the use of the content over the secure channel.
The transport stream may comprise packets representing audio andlor video data.
According to another aspect, there is a host comprising an interface operable to be connected to a module according to any one of the above embodiments, the host comprising: a transport stream input operable to receive the encrypted transport stream; a module terminal operable to connect to the module, the terminal being operable to feed the encrypted transport stream to the module, the terminal being further operable to receive the decryption key from the module; and a decrypter operable to decrypt the encrypted transport stream using the received decryption key.
The host may further comprise a usage rule device operable to receive, from the module terminal, the usage rule information, and to generate a usage rule on the basis thereof; and a storage medium operable to store the usage rule in association with the decrypted transport stream.
The usage rule device may be operable to extract the transport stream identifier from the usage rule information, and the storage medium is operable to store the usage information in association with the identified transport stream on the storage medium.
The transport stream may comprise packets representing audio andlor video data.
According to another aspect, there is provided a system comprising a module according to any one of the embodiments connected to a host according to any one of the embodiments.
According to another aspect, there is provided a method of generating a. decryption key in a module and providing the generated decryption key to a host, the method comprising: decrypting a received encrypted transport stream, the transport stream containing content data and a decryption seed; extracting the decryption seed from the transport stream; generating a decryption key from said decryption key seed; generating a secure channel between the module and the host; and providing the generated decryption key to the host over the secure channel.
The transport stream may further contain usage rule information and the method further comprises generating a rule relating to the use of the content data from the rule information, in the transport stream.
The transport stream may further contain a transport stream identifier which identifies the transport stream, and the method further comprises: generating a rule specific to the content data of the transport stream identified by the transport identifier.
The method may further comprise transferring the rule relating to the use of the content over the secure' channel.
The transport stream may comprise packets representing audio and/or video data.
The method may further comprise: receiving the encrypted transport stream; feeding the encrypted transport stream to a module, and receiving the decryption key from the module; and decrypting the encrypted transport stream using the received decryption key.
The method may further comprise receiving, from the module, the usage rule information, and generating a usage rule on the basis thereof and storing the usage rule in association with the decrypted transport stream.
The method may further comprise extracting the transport stream identifier from the usage rule information, and storing the usage information in association with the identified transport stream.
The transport stream may comprise packets representing audio andlor video data.
According to another aspect, there is provided a computer program comprising computer readable instructions, which when loaded onto a computer configure the computer to perform a method according to any one of the embodiments.
A storage medium configured to store the computer program therein or thereon is also providcd.
Embodiments of the present invention are described by way of example only and with reference to the following drawings, in which: Figure TI shows a television and set-top box arrangement according to embodiments of the present invention; Figure 2 shows the set-top box and CICAM module of embodiments of Figure 1 in more detail; Figure 3 shows the CICAM module of embodiments of Figure 1 in more detail; Figure 4 shows a diagram explaining a different host embodiment of the present invention.
A television and set-top box arrangement 100 is shown in Figure 1. In this arrangement 100, a set-top box 200 (which is one example of a host) is connected to a television 110. The set-top box 200 receives television signals and other digital data such as closed caption information and Electronic Program Guide information. The set-top box 200 may receive other data broadcast over a terrestrial network, ôable network, satellite network or Jnternet Protocol (IP) content. In embodiments of the present invention, the set top box 200 receives encrypted digital data in a transport stream.
The set-top box 200 has a slot to receive a CICAM module 300. The CICAM module 300 is used to control access to the received data. The CICAM module 300 will be described in more detail with reference to Figure 3. The CICAM module 300 allows conditional access to some or all of the encrypted data. Typically, the CICAM module 300 allows access to subscription type channels and different pay-per-view events. However, there are many other applications for the CICAM module 300 within the set-top box 200. For example, the CICAM module 300 may be used to block access to certain channels (sometimes called "services") or programmes depending on user or parental choice.
The CICAM module 300 may be inserted into a PC card slot (sometimes referred to as a Personal Computer Memory Card Intemational Association) within the set-top box 200.
However, the invention is not so limited and the CICAM module 300 may take any suitable form such as a USB device. The television 110 is connected to the set-top box 200 using a cable. This may be a High Definition Multimedia Interface (HDMI) cable or any other appropriate cable. Indeed, the set-top box 200 may be integrated into the television 110, which is sometimes referred to as an integrated digital television (IDTV). In this case, the CICAM module 300 would be inserted directly into the PCMCIA slot located within the television 110 as is mandated. for IDTVs over a certain size in Europe.
Figure 2 shows a more detailed diagram of the set-top box 200. As in Figure 1, the set-top box 200 is connected to the television 110. Also, the CICAM module 300 is shown being inserted into the set-top box 200. The set-top box 200 is, in use, connected to an antenna.
The antenna receives the digital television signals, and any other data, from a broadcaster as a transport stream. Clearly, the transport stream may be received from a satellite dish, or from a cable broadcaster as appropriate. Moreover, the transport stream may be received over the Internet. In the Internet example, the transport stream will not necessarily be broadcast to a number of different set-top boxes and may be more specific to the individual user. It should be noted here that the received transport stream may include just a single service, or may include a plurality of services. Specifically, in embodiments of the present invention, other parts of the set top box 200, there may be multiple tuners. This would allow the set top box 200 to process multiple transport streams. In order to illustrate this, there are n lines illustrated in Figure 2 The received transport stream(s) are fed into the CICAM 300 using connection 235.
The received signals form a scrambled transport stream and are fed into the CICAM module 300. However, for ease of explanation, the ftmction of the set top box 200 with a single transport stream will be explained.
The transport stream is scrambled using the Common Scrambling Algorithm (CSA). The CSA is used to scramble Digital Video Broadcast (DVB) signals as would be appreciated. As the CSA is known to the skilled person, no further discussion will be provided hereinafter.
Additionally provided by the broadcaster are the Entitlement Control Message (ECM) and the Entitlement Management Message (EMIM). These are used to determine the decryption key used to descramble the scrambled DVB signals.
The received transport stream is fed into a descrambler 220. The descrambler 220 also demultiplexes the received transport stream. The deserambler 220 descrambles the received transport stream using the control word provided by the CICAM 300 as would be explained later. Additionally, the demultiplexed transport stream is stored in a CSA unenerypted format on a storage medium 230. Tn embodiments, the storage medium 230 is a hard disk drive.
However, the invention is not so limited. The storage medium may be an optical disk, solid state memory or any suitable kind of memory. In fact, the storage medium 230 may be 1.5 integrated into the set top box 200 or may be removable therefrom. The storage medium may indeed be remote to the set top box 200, for example located in a computer which is remote to the set top box 200. The computer and set top box 200 may be connected over a network.
Additionally connected to the storage medium 230 is a content management block 210. The content management block 210 stores usage rules which define at least one criterion upon which the received decrypted program can be viewed. The usage rules are stored with the decrypted content on the storage medium 230. The usage rules may consist of user defined rules such as parental control using a Personal Identification Number (PIN), or may be broadcaster defined rules such as a period of time the content may be stored on the storage medium 230 or may be both. These usage rules are provided to the set top box 200 by the CJCAM 300 as will be explained later.
Referring to Figure 3, the CICAM 300 is shown in more detail. The received signal from the broadcaster is fed into a conditional access system 310 located within the CICAM 300. The conditional access system 310 uses the ECM and EMM data received from the broadcaster to generate the control word and any usage rules provided by the user or the broadcaster or both.
The control word is generated in a control word generator 320. The usage rules are generated using an ECMIEMM filter and manager 330.' The usage rules are fed into a content manager 340 over line 335. The content manager 340 associates the usage rules generated within the conditional access system 310 with a particular transport stream. Additionally, the content manager 340 also provides licence information and other data such as parental control data, or may indicate the length of lime or number of replays of the content permitted.
The output 345 of the content manager 340 is provided to a secure authentication channel (SAC) generator 350. The SAC generator 350 generates a secure authenticated channel between the CICAM 300 and the set top box 200. The SAC is generated when the CICAM 300 and the set top box mutually authenticate with each other, as would be appreciated by the skilled person. The SAC provides a secure mechanism over which data produced by the CICAM 300 can be communicated to the set top box 200 and vice versa. This information is passed to the set top box 200 where the usage rules are provided to the content management block 210 and the control word is provided to the descrambler 220.
The operation of the set top box 200 with the CICAM 300 inserted therein will now be described.
Prior to the transport stream requiring decryption being sent by the broadcaster, the ECM for the particular transport stream is sent by the broadcaster to the set top box-The set top box 200 receives the ECM and passes the ECM to the CICAM 300. The CICAM 300 stores the ECM in the ECMIEMM filter and manager 330. It should he noted that the ECM is transmitted to many set top boxes. A short time later, the broadcaster selectively sends the EMM. Upon receipt of the PMM, the ECM!EMM filter and manager 330 generates the control word in accordance with the received ECM. In other words, each set top box receives the 11CM, but the CICAM 300 will only generate the control word used to decrypt the forthcoming transport stream after an appropriate 11MM is received by the CICAM 300. In order to perform this, the CICAM 300 may interrogate a smart card (not shown) inserted therein. The smart card is typically provided by the broadcaster. However, the invention is not so limited and the CICAM 300 may generate the control word without a smart card being inserted therein, for example if the broadcaster provides the required information over some other secure channel. The 11CM and 11MM are refreshed many times a day to ensure the security of the system. The control word is fed to the SAC generator 350. The control word will be sent over the SAC with other information as will now be explained.
The new ECM from which the control word is generated is sent along with the transport stream which is to be decrypted using the control word. However, in order to provide time for the CJCAM 300 to generate the control word, the broadcaster provides a slight delay between sending the transport stream containing the new ECM and the transport stream requiring decoding using the new control word. Wlaen the transport stream which is to be decrypted using the control word is received, the transport stream contains data other than the image data. This data includes a transport stream identifier, a usage rule indicator, licence information relating to the content within the transport stream, closed caption information and other metadata. In the context of this description, metadata broadly refers to data about data and/or the content of the data and contains less information than the data and/or content to which it refers.
The transport stream identifier is, in embodiments, a 13 bit packet which identifies the transport stream. A usage rule indicator identifies certain attributes of the content of the transport stream. For example, the usage rule indicator identifies any relevant feature of the content, for example if the content is meant for an adult audience because it contains violent scenes or the like, Additionally, the usage rule indicator may identify any other relevant attribute of the content of the transport stream. The licence information relating to the content indicates how long the content may be stored on a personal video recorder, for example.
However, the licence information may include any other relevant information relating to the content or the use of the content, such as a maximum number of viewings of the content permitted to the user.
After descrambling the transport stream, the ECM /13MM filter 330 extracts the transport stream identifier, the usage rule indicator and the licence information. This information is passed to the content manager 340. The content manager 340 analyses the extracted information, and in particular, the usage rule indicator to see if the content should be displayed to the viewer. In particular, if the content is meant for an adult audience, the owner of the set-top box 200 may have asked that a personal identification number (PIN) be provided before displaying the content. The PIN is stored in an encrypted manner within the content manager 340 and if a PIN is required, the content manager 340 prompts the set top box 200 to display a request to the user for a PIN. The content manager 340 receives the PIN input by the user and, in the event of a match, allows the content to be displayed. If not, the content manager 340 does not authorise the content to be displayed.
The control word is fed into the SAC generator 350 over line 325. Within the SAC generator 350, a secure authentication channel message (SAC message) is generated. The SAC message contains the control word for the particular transport stream, the usage rule indicator, the licence information, the transport stream identifier and any other data, such as closed caption information or metadata associated with the particular transport stream. The SAC message is then passed to the set-top box 200 over the secure access channel created by the SAC generator 350.
It should be noted here that the transport stream itself is not passed over the SAC. This reduces the amount of data passed between the CICAM 300 and the set top box 200. This improves the bandwidth usage of the interface between the CICAM 300 and the set top box 200 enabling many more transport streams to be decrypted by the set top box 200.
The SAC message is fed into the content management block 210 and the descrambler 220 of Figure 2. The descrambler 220 extracts the control word from the SAC message and uses the control word to descramble the transport stream with the particular transport stream identifier.
In order to do this, the skilled person would appreciate that some buffering of the received encrypted transport stream may be required. Therefore, although not shown, the descrambler 220 may have some buffer memory contained therein to buffer the appropriate transport stream, The content management block 210 extracts the usage rule indicator, the license information and any other data from the SAC message. The content management block 210 uses the extracted information to formulate rules. For example, the content management block 210 may use the licence information extract:ed from the SAC message to generate a content expiry date indicating the date before which the content can be played. The content management block 210 stores the extracted information in association with the descrambled transport stream on the storage medium 230. This may or may not be stored on the same storage medium, but links the rules to the appropriate piece of content, The user may then view the content from the storage medium 230 on the display 110 depending on the licence information and the usage rules.
Although the foregoing has been described with reference to a set top box 200 used in receiving DYB signals, the invention is not so limited, In fact, the present invention may be embodied in any type of host. A host can generally be defines as a device where modules can be connected. Some examples of a host include an integrated receiver device or a recorder.
So, the invention may be embodied in a host capable of receiving any type of data over any type of network. One such example may be a gateway connected to a network. The network may be a local network in a user's home or business which connects one or more hosts to the Intemet or some other type of network. This different form of host (embodied as a gateway) is described with reference to Figure 4.
Jn Figure 4, a gateway 400 is illustrated. The gateway 400 has numerous inputs from internal tuners (not shown) or may receive Internet Protocol (if) packets transferred over the Internet using the High Bandwidth Digital Content Protection (HDCP) or the Digital Transmission Content Protection (DTCP) protocols. However, the invention is not limited and any encrypted data may be received.
As in the example set forth in respect of Figure 3, the received data in the gateway 400 is encrypted and includes information enabling a control word or the like to be generated within a CICAM located within the gateway 400. In other words, the CICAM 300 in the gateway 400 will generate the control word in a similar manner to that described with reference to Figure 3 Similarly, in the gateway form factor, the received data, in embodiments, will also include a transport stream identifier, or the like, which identifies the transport stream; usage rule indicators which identifies any relevant information relating to the content of the received data, such as from which website the data is received; licence information identifying limitations on the licence of the content, for example an expiry date upon which the data should be deleted; and any other data, such as metadata. It should be noted here that in order for the host (irrespective of whether the host is embodied as a set..top box 200 or the gateway 400) to operate correctly, only the data enabling the control word, or any such decrypting key, is required. The other data noted above is merely exemplary.
In Figure 3, the interface between the CICAM 300 and the set top box 200 was a SAC interface. However, the invention is not so limited. In embodiments relating to Figure 4, the interface may be a USB 2.0 interface, or any other appropriate secure interface. A message equivalent to the SAC message described with reference to Figure 3 is passed between the CICAM 300 and the gateway 400. In other words, the message passed between the CICAM 300 and the gateway 400 will contain similar data to that of Figure 3, but the formatting of the message will be specific to the protocol used in Figure 4, such as USB 2.0.
The message will be fed to both a gateway descrambler 420 and a gateway content management block 410 over lines 405 and 415 respectively. The gateway descrambler 420 extracts the control word generated by the CICAM 300 and descrambles the appropriate part of the USB 2.0 message using the control word. Similarly, the gateway content management block 410 generates rules from the received USB 2.0 message. The gateway content management block 410 stores these rules in association with the appropriate content on the storage medium 430. As explained before, the gateway descrarnbler 420 descrambies the encrypted content using the control word and stores this on the storage medium 430. The content may be displayed to the user on a display 110, or may be accessed by any number of client devices on the network 450A-450N. The client devices may be one or more computer, games console, handheld device or display device or similar connected to the gateway 400 over a network or remotely via the Internet or the like.
Although the foregoing has been explained with the SAC message being fed into the content management block, the invention is not so limited. For example, the SAC message may be fed into a routing device within the set top box 200 which directs the segments of the message to the appropriate block within the set top box 200 or the gateway 400 or more generally, any host.
Although the foregoing has been explained with the control word being sent directly to the SAC generator, with the other data being sent to the content manager, the invention is not so limited. Data can be sent directly to the SAC generator or to the content manager as required.
Although the foregoing describes storing the data before it is viewed or used by a user, the invention is not so limited. The data can be viewed or used directly by the user or any one of the host devices on the network with or without the data being stored.
It should also be noted here that the set top box 200 does not need to receive the control word over the SAC for every transport stream. It is possible for the control word to be stored within the set top box 200 in secure memory and then only the control word when changed needs to be transferred from the CICAM 300. Indeed, in embodiments, the control word may simply be a flag which indicates that the set top box should use the previously transferred control word with one particular identified transport stream. This would reduce the bandwidth used even further.
Although the foregoing has described the set top box 200 and gateway 400 as containing distinct blocks, in embodiments of the present invention, the functionality of the blocks may be provided by computer software. The computer software contains computer readable instructions which, when loaded onto a computer configure the computer to perform such functionality. The computer software may be stored on the storage medium 230 or 430.
Alternatively, the software may be stored on any memory device such as semiconductor memory, or optical readable memory or the like. This may be within the device or remote from the device on a sewer or the like which is connectable to the device over a network.

Claims (22)

  1. CLAIMS1. A module configured in operation to connect to a host, the module comprising: a decryptor operable to decrypt an encrypted transport stream received from the host, the transport stream containing content data and a decryption seed; a decryption key generator operable to extract the decryption seed from the transport stream and to generate a decryption key from said decryption key seed; and a secure channel generator operable to generate a secure channel between the module and the host, whereby the secure channel generator is further operable to provide the generated decryption key to the host over the secure channel..
  2. 2. A module according to claim 1, wherein the transport stream further contains usage rule information and the module further comprises a usage rule generator operable to generate a rule relating to the use of the content data from the rule information in the transport stream.
  3. 3. A module according to claim 2, wherein the transport stream further contains a transport stream identifier which identifies the transport stream, wherein the usage rule generator is operable to generate a rule specific to the content data of the transport stream identified by the transport identifier.
  4. 4. A module according to either one of claim 2 or 3, wherein secure channel generator is further operable to transfer the rule relating to the use of the content over the secure channel.
  5. 5. A module according to any one of claims 1 to 4, wherein the transport stream comprises packets representing audio and/or video data.
  6. 6. A host comprising an interface operable to be connected to a module according to any one of claims I to 5, the host comprising: a transport stream input operable to receive the encrypted transport stream; a module terminal operable to connect to the module, the terminal being operable to feed the encrypted transport stream to the module, the terminal being further operable to receive the decryption key from the module; and a decrypter operable to decrypt the encrypted transport stream using the received decryption key.
  7. 7. A host according to claim 6, further comprising a usage rule device operable to receive, from the modul.e terminal, the usage rule information, and to generate a usage rule on the basis thereof; and a storage medium operable to store the usage rule in association with the decrypted transport stream.
  8. 8. A host according to claim 7, wherein the usage rule device is operable to extract the transport stream identifier from the usage rule information, and the storage medium is operable to store the usage information in association with the identified transport stream on the storage medium.
  9. 9. A host according to any one of claims 6 to 8, wherein the transport stream comprises packets representing audio and/or video data.
  10. 10. A system comprising a module according to any one of claims I to 5 connected to a host according to any one of claims 6 to 9.
  11. 11. A method of generating a decryption key in a module and providing the generated decryption key to a host, the method comprising: decrypting a received encrypted transport stream, the transport stream containing content data and a decryption seed; extracting the decryption seed from the transport stream; generating a decryption key from said decryption key seed; generating a secure channel between the module and the host; and providing the generated decryption key to the host over the secure channel.
  12. 12. A method according to claim 11, wherein the transport stream further contains usage rule information and the method fhrther comprises generating a rule relating to the use of the content data from the rule information in the transport stream.
    * *
  13. 13. A method according to claim 12, wherein the transport stream further contains a transport stream identifier which identifies the transport stream, and the method further comprises: generating a rule specific to the content data of the transport stream identified by the transport identifier.
  14. 14. A method according to either one of claims 12 or 13, further comprising transferring the rule relating to the use of the content over the secure channel.
  15. 15. A method according to any one of claims 11 to 14, wherein the transport stream comprises packets representing audio and/or video data.
  16. 16. A method according to any one of claims 11 to 15 further comprising: receiving the encrypted transport stream; feeding the encrypted transport stream to a module, and receiving the decryption key from the module; and decrypting the encrypted transport stream using the received decryption key.
  17. 17. A method according to claim 16, further comprising receiving, from the module, the usage rule information, and generating a usage rule on the basis thereof; and storing the usage rule in association with the decrypted transport stream.
  18. 18. A method according to claim 17, comprising extracting the transport stream identifier from the usage rule information, and storing the usage information in association with the identified transport stream.
  19. 19. A method according to any one of claims 16 to 18, wherein the transport stream comprises packets representing audio and/or video data.
  20. 20. A computer program comprising computer readable instructions, which when loaded onto a computer configure the computer to perform a method according to anyone of claims Ilto 19.
  21. 21. A storage medium configured to store the computer program according to claim 20 therein or thereon.
  22. 22. A module, host, method, computer program or storage medium as substantially hereinbefore described with reference to the accompanying drawings.
GB1101471.9A 2011-01-28 2011-01-28 Module for extracting decryption seed, generating a key and providing a secure host channel Withdrawn GB2487727A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1101471.9A GB2487727A (en) 2011-01-28 2011-01-28 Module for extracting decryption seed, generating a key and providing a secure host channel

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
GB1101471.9A GB2487727A (en) 2011-01-28 2011-01-28 Module for extracting decryption seed, generating a key and providing a secure host channel
EP12701769.7A EP2612503B1 (en) 2011-01-28 2012-01-13 Method and system for decrypting a transport stream
CN2012800035349A CN103210658A (en) 2011-01-28 2012-01-13 Method and system for decrypting a transport stream
US13/823,976 US9455829B2 (en) 2011-01-28 2012-01-13 Method and system for decrypting a transport stream
PCT/GB2012/050070 WO2012101420A1 (en) 2011-01-28 2012-01-13 Method and system for decrypting a transport stream

Publications (2)

Publication Number Publication Date
GB201101471D0 GB201101471D0 (en) 2011-03-16
GB2487727A true GB2487727A (en) 2012-08-08

Family

ID=43824723

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1101471.9A Withdrawn GB2487727A (en) 2011-01-28 2011-01-28 Module for extracting decryption seed, generating a key and providing a secure host channel

Country Status (5)

Country Link
US (1) US9455829B2 (en)
EP (1) EP2612503B1 (en)
CN (1) CN103210658A (en)
GB (1) GB2487727A (en)
WO (1) WO2012101420A1 (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2489671A (en) 2011-03-28 2012-10-10 Sony Corp Cryptographic key distribution for IPTV
US20170005993A9 (en) * 2012-02-08 2017-01-05 Vixs Systems, Inc. Content access device with programmable interface and methods for use therewith
GB2500615B (en) 2012-03-26 2019-10-23 Saturn Licensing Llc Selecting data packets from a packetized data stream comprising audio/video programme data packets and identification data
GB2501759B (en) 2012-05-04 2019-06-26 Saturn Licensing Llc Receiving audio/video content
DE102013219321A1 (en) * 2012-10-05 2014-04-10 Hirschmann Car Communication Gmbh Receiving system and method for operating a receiving system
GB2509759A (en) 2013-01-14 2014-07-16 Sony Corp Receiving audio/visual content-related non-viewing information via unused transmission channels
CN105446926B (en) * 2014-09-09 2020-09-22 纳瑞塔有限责任公司 USB interface for performing transport I/O
US9888283B2 (en) 2013-03-13 2018-02-06 Nagrastar Llc Systems and methods for performing transport I/O
EP2827598A1 (en) * 2013-07-18 2015-01-21 OpenTV, Inc. A system for receiving and decrypting streaming content
WO2015199370A1 (en) * 2014-06-25 2015-12-30 Lg Electronics Inc. Broadcast reception device, method of operating broadcast reception device, conditional access module, and method of operating conditional access module
USD864968S1 (en) 2015-04-30 2019-10-29 Echostar Technologies L.L.C. Smart card interface
WO2018182635A1 (en) 2017-03-30 2018-10-04 Blonder Tongue Laboratories, Inc. Enterprise content gateway
US10986398B2 (en) * 2018-11-02 2021-04-20 Dish Network L.L.C. Location-tracked media delivery across multiple media consumption devices

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1182874A1 (en) * 2000-08-24 2002-02-27 Canal+ Technologies Société Anonyme Digital content protection system
EP1505474A2 (en) * 1996-11-13 2005-02-09 Thomson Process for protecting an information item transmitted from a security element to a decoder, security element and decoder using such a process
EP2018059A1 (en) * 2007-07-19 2009-01-21 Panasonic Corporation Digital video broadcast receiver and method for decrypting of digital data streams

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6738905B1 (en) * 1998-04-15 2004-05-18 Digital Video Express, L.P. Conditional access via secure logging with simplified key management
US7647619B2 (en) * 2000-04-26 2010-01-12 Sony Corporation Scalable filtering table
EP1111923A1 (en) * 1999-12-22 2001-06-27 Irdeto Access B.V. Method for operating a conditional access system for broadcast applications
WO2002069567A2 (en) * 2000-10-26 2002-09-06 General Instrument Corporation Enforcement of rights and conditions for multimedia content
JP2006506902A (en) * 2002-11-15 2006-02-23 トムソン ライセンシング Method for controlling a device having an emergency alert function
FR2891104A1 (en) 2005-09-22 2007-03-23 Viaccess Sa Scrambled digital data e.g. audiovisual program, reception terminal`s fraudulent use controlling method for conditional access system, involves successively executing negative action and positive action that is needed for descrambling data
CN100454921C (en) * 2006-03-29 2009-01-21 华为技术有限公司 Digital copyright protecting method and system
US20110107081A1 (en) * 2008-03-24 2011-05-05 Keum-Yong Oh Method and apparatus for processing of broadcast data
US8610827B2 (en) * 2009-04-13 2013-12-17 Digital Keystone, Inc. Direct IPTV distribution
EP2393292A1 (en) * 2010-06-01 2011-12-07 Nagravision S.A. A method and apparatus for decrypting encrypted content

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1505474A2 (en) * 1996-11-13 2005-02-09 Thomson Process for protecting an information item transmitted from a security element to a decoder, security element and decoder using such a process
EP1182874A1 (en) * 2000-08-24 2002-02-27 Canal+ Technologies Société Anonyme Digital content protection system
EP2018059A1 (en) * 2007-07-19 2009-01-21 Panasonic Corporation Digital video broadcast receiver and method for decrypting of digital data streams

Also Published As

Publication number Publication date
US20130177154A1 (en) 2013-07-11
EP2612503A1 (en) 2013-07-10
WO2012101420A1 (en) 2012-08-02
EP2612503B1 (en) 2020-04-15
CN103210658A (en) 2013-07-17
US9455829B2 (en) 2016-09-27
GB201101471D0 (en) 2011-03-16

Similar Documents

Publication Publication Date Title
US9455829B2 (en) Method and system for decrypting a transport stream
US9467658B2 (en) Method and apparatus for protecting the transfer of data
US8385542B2 (en) Methods and apparatus for securing communications between a decryption device and a television receiver
EP1800480B1 (en) Digital rights management of a digital device
KR101081160B1 (en) Method and apparatus for protecting the transfer of data
KR101048843B1 (en) Configurable Cable Card
US7590242B2 (en) Selective multimedia data encryption
EP2245853B1 (en) Encryption system for satellite delivered television
US7836300B2 (en) Security integrated circuit
EP2373019A1 (en) Secure descrambling of an audio / video data stream
KR102281972B1 (en) Method for protecting decryption keys in a decoder and decoder for implementing said method
US20100082831A1 (en) Loadable and modular conditional access application
EP3200472A2 (en) Display apparatus, broadcast signal receiving apparatus and control methods thereof
US10440409B2 (en) Method and device allowing an access control system to be applied to the protection of streamed video
US8631430B2 (en) Enabling DRM-encrypted broadcast content through gateway into the home
KR100747656B1 (en) Multi-Descrambeler System and Method in digital broadcasting receiver
KR101217225B1 (en) Broadcast processing apparatus and method thereof
JP4709323B1 (en) Conditional reception system and card adapter
KR100510692B1 (en) Conditional Access System

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)