MXPA06005389A - Systems and methods for delivering pre-encrypted content to a subscriber terminal - Google Patents

Systems and methods for delivering pre-encrypted content to a subscriber terminal

Info

Publication number
MXPA06005389A
Authority
MX
Mexico
Prior art keywords
encrypted content
content
conditional access
encrypted
encryption
Application number
MXPA/A/2006/005389A
Other languages
Spanish (es)
Inventor
S Makofka Douglas
D Vince Lawrence
T Hutchings George
Original Assignee
T Hutchings George
S Makofka Douglas
D Vince Lawrence
Application filed by T Hutchings George, S Makofka Douglas, D Vince Lawrence

Abstract

An exemplary content delivery system for delivering pre-encrypted content to a first subscriber terminal includes an off-line encryption system configured to generate the pre-encrypted content using a control word, a caching system configured to store the pre-encrypted content and transmit the pre-encrypted content to the first subscriber terminal, a first conditional access system configured to allow a number of subscriber terminals to decrypt the pre-encrypted content, a second conditional access system configured to allow the first subscriber terminal to decrypt the pre-encrypted content, and a first encryption renewal system associated with the first conditional access system. The first encryption renewal system is configured to authorize the second conditional access system to allow the first subscriber terminal to decrypt the pre-encrypted content. An exemplary method for delivering pre-encrypted content to a first subscriber terminal includes generating the pre-encrypted content using a control word, transmitting the pre-encrypted content to the first subscriber terminal, and using an encryption renewal system associated with a first conditional access system to authorize a second conditional access system to allow the first subscriber terminal to decrypt the pre-encrypted content.

Description

SYSTEMS AND METHODS FOR DISTRIBUTING PRE-ENCRYPTED CONTENT TO A SUBSCRIBER TERMINAL
Field of Invention
Recent advances in cable and satellite distribution of subscription and "on demand" audio, video and other digital content to subscribers have given rise to an increasing number of digital converter-decoder boxes (STBs) (sometimes referred to as Digital Consumer Terminals or "DCTs") that digitally decode and distribute broadcast programming. As the market for digital media content of this type grows and matures, there is corresponding growth in demand for new, more advanced features.
BACKGROUND OF THE INVENTION
Video on demand (VOD) and audio on demand are examples of features made practical by digital broadband broadcasting by cable and satellite. Unlike previous services where subscribers were granted access to scheduled encrypted broadcasts (e.g., movie channels, special event scheduling, pay-per-event purchases, etc.), these on-demand services allow a subscriber to request a desired video, audio or other program at any time and to begin viewing the content at any point in it. Upon receipt of the request for programming (and, presumably, the authorization to bill the subscriber's account), the service provider transmits the requested program to the subscriber's converter-decoder box for viewing or listening. Systems are known in the art to ensure that, in a pay or subscription broadcast system, only those who have paid to receive the broadcast content actually receive it. Such a system is known as a conditional access system ("CA system" or "CAS"). Typically, pay-broadcast systems broadcast encrypted material and use a CAS to distribute one or more appropriate decryption keys to authorized recipients only. One area of concern, especially for direct content providers and movie companies, is securing the distribution of content to an STB. Content distribution often occurs on data bases, satellite networks, cable networks, and the Internet. The method by which content is produced and distributed to consumers is constantly changing. There is a constant risk of cyber hackers who are able to hack into a content distribution system and obtain digitally perfect copies of the content.
SUMMARY OF THE INVENTION
An exemplary content distribution system for distributing pre-encrypted content to a first subscriber terminal includes an off-line encryption system configured to generate the pre-encrypted content using a control word, a cache system configured to store the pre-encrypted content and transmit the pre-encrypted content to the first subscriber terminal, a first conditional access system configured to allow a number of subscriber terminals to decrypt the pre-encrypted content, a second conditional access system configured to allow the first subscriber terminal to decrypt the pre-encrypted content, and a first encryption renewal system associated with the first conditional access system. The first encryption renewal system is configured to authorize the second conditional access system to allow the first subscriber terminal to decrypt the pre-encrypted content.
An exemplary method for distributing the pre-encrypted content to a first subscriber terminal includes generating the pre-encrypted content using a control word, transmitting the pre-encrypted content to the first subscriber terminal, and using an encryption renewal system associated with a first conditional access system to authorize a second conditional access system to allow the first subscriber terminal to decrypt the pre-encrypted content.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings illustrate various embodiments of the present invention and are a part of the specification. The illustrated embodiments are only examples of the present invention and do not limit the scope of the invention.
FIGURE 1 illustrates an exemplary content distribution system that can be used to pre-encrypt and distribute content to a converter-decoder box (STB) in accordance with the principles described herein.
FIGURE 2 illustrates an exemplary content distribution system where multiple CA systems control access to the same pre-encrypted content in accordance with the principles described herein.
FIGURE 3 illustrates an alternative content distribution system where multiple CA systems control access to the same pre-encrypted content in accordance with the principles described herein.
FIGURE 4 shows a first content distribution system and a second content distribution system configured to share the same pre-encrypted content according to the principles described herein.
FIGURE 5 is a flow chart illustrating an exemplary method for allowing multiple CA systems to control the access of one or more STBs to the pre-encrypted content in accordance with the principles described herein.
Throughout the drawings, identical reference numbers designate similar, but not necessarily identical, elements.
DETAILED DESCRIPTION OF THE INVENTION
Systems and methods for distributing pre-encrypted content to one or more subscriber terminals whose access to the pre-encrypted content is controlled by two or more conditional access (CA) systems are described herein. An off-line encryption system generates the pre-encrypted content using a control word. A cache server stores the pre-encrypted content and transmits the pre-encrypted content to the STB. An encryption renewal system associated with a first conditional access system authorizes a second conditional access system to allow one or more subscriber terminals to decrypt the pre-encrypted content. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a complete understanding of the present system and method. It will be apparent, however, to one skilled in the art that the present system and method can be practiced without these specific details. Reference in the specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment. The occurrence of the phrase "in an embodiment" in several places in the specification does not necessarily refer to the same embodiment. The term "content" will be used herein and in the appended claims, unless specifically indicated to the contrary, to refer to any digital information that may be distributed to a subscriber terminal such as a converter-decoder box (STB), personal computer, mobile phone, or similar. The content may include, but is not limited to, videos on demand (VOD), audio on demand, and other digital multimedia content. The content can be distributed through any suitable data network, including, but not limited to, a satellite network, a cable network, a cellular wireless network or the Internet.
The terms "subscriber terminal" and "converter-decoder box" will be used herein and in the appended claims, unless specifically indicated to the contrary, to refer to any electronic component configured to receive content. As mentioned, there is a need for secure content distribution to legitimate subscribers or customers. A system operator generally encrypts content that is sent over a network to an STB. A content provider often encrypts the content in real time as the content is transmitted to the client. Nevertheless, in some cases, real-time encryption is not desirable or feasible. Therefore, in some embodiments, a content provider encrypts the content before the content is transmitted to the STB. Encrypting content before it is transmitted is called off-line encryption or pre-encryption. Pre-encryption often reduces the cost and expenses associated with real-time encryption. FIGURE 1 illustrates an exemplary content distribution system (110) that can be used to pre-encrypt and distribute content to an STB (103). An STB (103) will be used in the following examples as an exemplary subscriber terminal. It will be recognized that the STB (103) can be any type of subscriber terminal.
Among other components, the content distribution system (110) comprises a content generation system (100) for generating clear content, an off-line encryption system (OLES) (101) for pre-encrypting the content, a video on demand (VOD) system (102) to store the pre-encrypted content and to distribute the pre-encrypted content to the STB (103) on demand, a conditional access system (121) for controlling one or more keys granting access to the pre-encrypted content, an encryption renewal system (ERS) (131) to accept requests from the VOD system (102) to generate new authorization control messages (ECMs) for the pre-encrypted content, a distribution network (134) to facilitate the distribution of the pre-encrypted content, and an interactive network (133) to provide two-way interaction between the subscriber and the VOD system (102). Additional or alternative components and arrangements to achieve the various features of the content distribution system (110) are possible. In operation, the content generation system (100) generates clear content and inputs the clear content into the OLES (101). Clear content is content, such as a movie, that is not encrypted. The OLES (101) encrypts the clear content using an encryption scheme that may or may not be known in the art. Encryption is the transformation of content using one or more keys into a form that is apparently unintelligible and extremely difficult, if not impossible, to access or decipher without the key. A key can be a sequence of random or pseudorandom bits, for example. The use of keys to encrypt and decrypt content is known in the art. A key is also known as a control word. The OLES (101) pre-encrypts the content using one or more control words. However, for illustrative purposes, it will be assumed that the OLES (101) pre-encrypts the content using a single control word in the examples given herein. Therefore, any reference to a "control word" means one or more control words.
The OLES (101) also generates an encryption record (ER) associated with the pre-encrypted content. The ER is a data structure comprising the control word used to pre-encrypt the content. The ER may alternatively include information that allows the ERS (131), CAS (121), or other system to generate the control word used to pre-encrypt the content. Once the clear content is pre-encrypted by the OLES (101), the resulting pre-encrypted content and the associated ER are distributed to the VOD system (102) for storage. The VOD system (102) is configured to keep the pre-encrypted content and the associated ER together. The VOD system (102) can be any system or server configured to store and distribute pre-encrypted VOD content and/or any other type of pre-encrypted content to one or more STBs (103). The VOD system (102) is also referred to as a "VOD server", a "cache system", or a "cache server". Before the pre-encrypted content can be requested or viewed by subscribers, the VOD system (102) presents a request for an authorization control message (ECM) to the ERS (131). The request includes the ER that corresponds to the desired pre-encrypted content. The ECM is an encrypted form of the control word used to pre-encrypt the content and is CAS-specific. In other words, the ECM is generated in such a way that only the STBs (103) controlled by the authorized CAS (121) can decrypt the ECM and obtain the control word needed to decrypt the pre-encrypted content. The ECM is cryptographically protected using a key (typically periodic) provided by the CAS (121). It will be recognized that the ECM can be referred to by a different name and can be generated using any encryption scheme. The ERS (131) responds to the ECM request by transmitting the ECM to the VOD system (102). Upon receiving a content request from the STB (103), the VOD system (102) transmits the pre-encrypted content and the corresponding ECM to the STB (103).
In some embodiments, the ECM returned to the VOD system (102) by the ERS (131) is valid and usable with the pre-encrypted content only for a limited time, as determined by the CAS (121). As mentioned, the CAS (121) is included in the content distribution system (110) to prevent unauthorized STBs from receiving and/or decrypting the pre-encrypted content. In operation, the CAS (121) is configured to generate and send a subscriber authorization message to the STB (103) if the STB (103) is authorized to receive and decrypt the pre-encrypted content. The subscriber authorization message will be referred to herein as an authorization management message (EMM) for explanatory purposes. The EMM is specific to a particular subscriber or STB (103) and includes information that authorizes the STB (103) to decode or decrypt the ECM, thereby giving the STB (103) access to the control word needed to decrypt the pre-encrypted content. Without the EMM, the STB (103) cannot decrypt the pre-encrypted content. In this way, the CAS (121) can control the access of the individual STBs (103) to the pre-encrypted content. In some cases, the content distribution system (110) may include more than one CAS (121). Each CAS (121) may belong to a different vendor or entity, for example, and may have a corresponding number of subscribers for which it controls access to the pre-encrypted content. In some embodiments, each CAS (121) is configured to control access by its respective subscribers to pre-encrypted content provided by a single content generation system (100) and pre-encrypted by a single OLES (101). In addition, each CAS (121) can control access to the pre-encrypted content in a different way.
In other words, each CAS (121) can generate and manage the keys used in encryption and decryption in a different way. In some embodiments, each CAS (121) uses a common encryption scheme such as DVS042. FIGURE 2 illustrates an exemplary content distribution system (130) where multiple CA systems (121) control access to the same pre-encrypted content. The CA systems (121) are labeled CAS1 to CASN in FIGURE 2 to show that any number of CA systems (121) can be included in the content distribution system (130). As shown in FIGURE 2, the content generation system (100) generates clear content that is input into the OLES (101). The OLES (101) pre-encrypts the content using a control word, inserts the control word in the ER and transmits the pre-encrypted content and the ER to the VOD system (102). The ER and the pre-encrypted content can be transmitted simultaneously to the VOD system (102). Alternatively, the ER can be transmitted to the VOD system (102) before the transmission of the pre-encrypted content. The VOD system (102) includes a first storage unit (135) configured to store the ER and a second storage unit (136) configured to store the pre-encrypted content. As will be described in more detail below, the VOD system (102) also includes third and fourth storage units (137, 138) configured to store a number of ECMs and encrypted control words (ECWs). The ECWs will be described in more detail below. The storage units (135-138) can be any combination of volatile and non-volatile memory, such as a hard disk drive and random access memory (RAM). In some embodiments, the content distribution system (130) includes an encryption renewal system (ERS) (131). As will be explained in more detail below, the ERS (131) is a trusted authority configured to control which of the CA systems (121) can participate in the content distribution system (130).
The STBs (103) associated with a CAS (121) authorized to participate in the content distribution system (130) can successfully receive and decrypt the pre-encrypted content. On the other hand, the STBs (103) associated with a CAS (121) that is not authorized to participate in the content distribution system (130) will not be able to receive and/or decrypt the pre-encrypted content. As shown in FIGURE 2, the VOD system (102) transmits the ER to the ERS (131). As explained previously, the ER includes information that allows a CAS (121) or another system to generate the control word used by the OLES (101) to pre-encrypt the clear content. In this way, the ERS (131) is configured to use the ER to generate the control word used by the OLES (101) to pre-encrypt the content. The ERS (131) can also transmit encryption control parameters to the OLES (101). These encryption control parameters can be used by the OLES (101) to pre-encrypt the content. In addition, the ERS (131) is configured to generate one or more ECWs with an encrypted control word generator (ECWG) (139). An ECW is an encrypted version of the control word used to pre-encrypt the clear content. In some embodiments, the ERS (131) generates an ECW corresponding to each CAS (121) participating in the content distribution system (130). Alternatively, the ERS (131) may generate a single ECW that is used by each CAS (121) participating in the content distribution system (130). The ECW is also referred to as a covered control word. As shown in FIGURE 2, the ECWs are transmitted to the VOD system (102) and stored in the storage unit (138). ECWs prevent unauthorized users or cyber hackers from obtaining the control word used to pre-encrypt clear content if ECWs are intercepted while they are being transmitted. As an added security measure, the ERS (131) may periodically generate a new ECW for each CAS (121) participating in the content distribution system (130).
These new ECWs are then transmitted to the VOD system (102) to replace the old ECWs stored in the storage unit (138). As mentioned, the ERS (131) is configured to control which of the CA systems (121) can participate in the content distribution system (130). In some embodiments, the ERS (131) may be programmed or configured to authorize only certain CA systems (121) to participate in the content distribution system (130). Each CAS (121) shown in FIGURE 2 is authorized to participate in the content distribution system (130) for illustrative purposes. The ERS (131) communicates with each authorized CAS (121) using a CAS authorization protocol. The CAS authorization protocol can be any communication protocol known in the art. If the ERS (131) authorizes a particular CAS (121) to participate in the content distribution system (130), the ERS (131) causes the ECW corresponding to the particular CAS (121) to be sent from the VOD system (102) to the particular CAS (121). The CAS (121) can then decrypt the ECW using one or more keys obtained in the authorization protocol to obtain the control word used to pre-encrypt the content. The CAS (121) then generates an ECM based on the control word and transmits the ECM to the VOD system (102) for storage in the storage unit (137). In some embodiments, the CAS (121) has to be periodically re-authenticated with the ERS (131) through the CAS authorization protocol. If a CAS (121) is compromised or otherwise becomes unauthorized to distribute the pre-encrypted content, the ERS (131) is configured to cause the VOD system (102) to stop sending the ECW to the CAS (121). In this way, the ERS (131) controls which of the CA systems (121) can participate in the content distribution system (130). As mentioned, the ECM is an encrypted form of the control word used to pre-encrypt the content.
The term "ECM" will be used herein and in the appended claims, unless specifically indicated to the contrary, to refer to any encrypted version of the control word used to pre-encrypt the content that is generated by a CAS (121). As shown in FIGURE 2, each CAS (121) includes an ECM generator (140) configured to generate the ECM. Each ECM can be based on any CAS-specific criteria and the corresponding ECW. As will be explained in more detail below, the ECM is eventually used by one or more of the STBs (103) to decrypt the pre-encrypted content. In some embodiments, the CA systems (121) periodically regenerate the ECMs. These regenerated ECMs are transmitted to the VOD system (102) to replace the previously generated ECMs in the storage unit (137). In some alternative embodiments, the CA systems (121) are not configured to periodically regenerate the ECMs. In these alternative embodiments, each time a particular STB (103) requests pre-encrypted content from the VOD system (102), the corresponding CAS (121) generates the ECM in real time based on an ECW provided by the VOD system (102). The CAS (121) then transmits the ECM to the VOD system (102). The exchange of information between the VOD system (102) and the CAS (121) that facilitates the real-time generation of the ECM can be based on the Digital Video Broadcasting (DVB) SimulCrypt protocol or any other key distribution protocol. SimulCrypt is a known protocol used in the art to share keys and other secret information between encryption systems. Each CAS (121) also includes an EMM generator (141) configured to generate an EMM corresponding to a CAS (121) authorization. The EMM includes information that authorizes the STB (103) to decode or decrypt the corresponding ECM, thereby giving the STB (103) access to the control word necessary to decrypt the pre-encrypted content. Without the EMM, the STBs (103) cannot decrypt the pre-encrypted content.
In this way, each CAS (121) can control the access of the individual STBs (103) to the pre-encrypted content. FIGURE 2 shows that the pre-encrypted content, ECMs, and EMMs can be fed into a distribution network (134). The distribution network (134) can be any network configured to distribute the pre-encrypted content, the ECMs and the EMMs to one or more STBs (103). Each STB (103) may correspond to one or more of the CA systems (121). In other words, each CA system (121) is configured to control access of one or more of the STBs (103) to the pre-encrypted content. For example, STB1 (103-1) corresponds to CAS1 (121-1), STB2 (103-2) corresponds to CAS2 (121-2) and STBN (103-3) corresponds to CASN (121-3). In some embodiments, any of the CA systems (121) can control the access of a particular STB (103) to the pre-encrypted content. For example, CAS1 (121-1) and CAS2 (121-2) can control the access of STB1 (103-1) to the pre-encrypted content. In some alternative embodiments, the access of a particular STB (103) to the pre-encrypted content is controlled by a single CAS (121). For example, the access of STB1 (103-1) to the pre-encrypted content can only be controlled by CAS1 (121-1). In this case, other CA systems (121) (for example, CAS2 (121-2)) cannot control the access of STB1 (103-1) to the pre-encrypted content. An STB (103) may send a request for pre-encrypted content to the VOD system (102) via an interactive network (133). The interactive network (133) can be the Internet or any other type of network. A billing system (132) can bill an account corresponding to the requesting STB (103) and generate a subscriber authorization message that is transmitted to the CAS (121) corresponding to the requesting STB (103).
The CAS (121) can then grant access to the requesting STB (103) by transmitting the corresponding EMM to the requesting STB (103) and by causing the VOD system (102) to transmit the requested pre-encrypted content and the corresponding ECM to the requesting STB (103). The STB (103) then decrypts the ECM using the authorization provided in the EMM. Finally, the STB (103) decrypts the pre-encrypted content using the decrypted control word. For example, the ERS (131) may authorize CAS1 (121-1) to participate in the content distribution system (130). The ERS (131) generates and transmits an encrypted control word (ECW1) to the VOD system (102). The VOD system (102) stores ECW1 in the storage unit (138). The VOD system (102) then sends ECW1 to CAS1 (121-1), which decrypts ECW1 and generates an authorization control message (ECM1) based on the decrypted control word. In some embodiments, CAS1 (121-1) is the only CAS (121) configured to be able to decrypt ECW1. The authorization control message ECM1 is then transmitted to the VOD system (102) and stored in the storage unit (137). Any STB (103) associated with CAS1 (121-1) may then request pre-encrypted content from the VOD system (102). For example, STB1 (103-1) may request pre-encrypted content from the VOD system (102). If CAS1 (121-1) authorizes STB1 (103-1) to receive the requested pre-encrypted content, CAS1 (121-1) transmits EMM1 to STB1 (103-1). The VOD system (102) also transmits the pre-encrypted content and ECM1 to STB1 (103-1). STB1 (103-1) then decrypts ECM1 using EMM1 to acquire the control word used to pre-encrypt the content. The pre-encrypted content can then be decrypted by STB1 (103-1) using the decrypted control word. FIGURE 3 illustrates an alternative content distribution system (145) where multiple CA systems (121) control access to the same pre-encrypted content. Two CA systems (121-1, 121-2) are shown for illustrative purposes only.
It will be recognized that any number of CA systems (121) may be included in the content distribution system (145). As in the content distribution system (130) of FIGURE 2, the content generation system (100) generates clear content that is input into the OLES (101). The OLES (101) pre-encrypts the content using a control word and transmits the pre-encrypted content and the ER to the VOD system (102). The VOD system (102) stores the ER in the first storage unit (135) and the pre-encrypted content in the second storage unit (136). As shown in FIGURE 3, the VOD system (102) transmits the ER to the ERS (131). The ERS (131) uses the ER to generate the control word used by the OLES (101) to pre-encrypt the content. The ERS (131) is also configured to generate an ECW for each participating CA system (121). The ECW is used by the ECMG (140) of each CA system (121) to generate a corresponding ECM. For example, the ECMG (140-1) generates a first ECM1 that corresponds to CAS1 (121-1). The authentication information required to generate the ECW and ECM is exchanged via an authenticated key exchange protocol executed between the CAS (121) and the ERS (131). The key exchange protocol can be an extended SimulCrypt protocol or any other key exchange protocol. The ERS (131) can be configured to periodically regenerate the ECW. Therefore, the ECM can also change periodically. As shown in FIGURE 3, the ERS (131) can also exchange authorization data (CAS authorization data) with each authorized CA system (121). In this way, the ERS (131) can control which CA systems (121) participate in the content distribution system (145). The authorization data may be exchanged by any communication protocol known in the art. For example, the communication protocol can be the SimulCrypt protocol or the authenticated Diffie-Hellman protocol.
Once the ECMs have been generated by the ECMGs (140), the ERS (131) transmits the ECMs corresponding to the authorized CA systems (121) to the VOD system (102) to be stored in the storage unit (137). Each authorized CA system (121) also generates the EMMs corresponding to the ECMs stored in the VOD system (102). The pre-encrypted content, the ECMs and the EMMs can then be distributed to one or more STBs (103) as described in conjunction with FIGURE 2.
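The key hierarchy described for FIGURES 2 and 3 (control word, ECW, ECM, EMM), as an added Python sketch that is not part of the patent: one pre-encrypted asset is opened by STBs of two CA systems, and an ECW or ECM taken from the wrong CAS is rejected. The HMAC-based `wrap`, the per-STB unit key, the EMM carrying the CAS periodic key, and all class and field names are assumptions made for the illustration.

```python
# Added illustration (not from the patent): CW -> ECW -> ECM -> EMM key hierarchy.
# wrap()/unwrap() are a toy HMAC-SHA256 keystream-plus-tag construction standing in
# for whatever cipher a real CAS uses. Names, key sizes and layouts are assumptions.
import hashlib
import hmac
import secrets

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"ks" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _tag(key, label, nonce, ct):
    msg = b"tag" + bytes([len(label)]) + label + nonce + ct
    return hmac.new(key, msg, hashlib.sha256).digest()

def wrap(key, data, label):
    """Encrypt and authenticate data under key; label binds the message type."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + _tag(key, label, nonce, ct)

def unwrap(key, blob, label):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, label, nonce, ct)):
        raise ValueError("wrong key, wrong message type, or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class ERS:
    """Encryption renewal system: takes the CW from the ER, gates which CASs get an ECW."""
    def __init__(self, encryption_record):
        self.cw = encryption_record["control_word"]
        self.cas_keys = {}  # CAS id -> key from the CAS authorization protocol

    def authorize(self, cas_id):
        # Stands in for the authenticated key exchange between ERS and CAS.
        self.cas_keys[cas_id] = secrets.token_bytes(32)
        return self.cas_keys[cas_id]

    def revoke(self, cas_id):
        self.cas_keys.pop(cas_id, None)

    def make_ecws(self):
        """One ECW per currently authorized CAS; call again to renew them."""
        return {cid: wrap(k, self.cw, b"ECW") for cid, k in self.cas_keys.items()}

class CAS:
    def __init__(self, cas_id, ers_key):
        self.cas_id, self.ers_key = cas_id, ers_key
        self.periodic_key = secrets.token_bytes(32)  # protects this CAS's ECMs
        self.unit_keys = {}  # STB id -> per-terminal key (assumed provisioning)

    def provision_stb(self, stb_id):
        self.unit_keys[stb_id] = secrets.token_bytes(32)
        return self.unit_keys[stb_id]

    def make_ecm(self, ecw):
        return wrap(self.periodic_key, unwrap(self.ers_key, ecw, b"ECW"), b"ECM")

    def make_emm(self, stb_id):
        return wrap(self.unit_keys[stb_id], self.periodic_key, b"EMM")

def stb_decrypt(unit_key, emm, ecm, content):
    periodic_key = unwrap(unit_key, emm, b"EMM")  # EMM authorizes this terminal
    cw = unwrap(periodic_key, ecm, b"ECM")        # ECM yields the control word
    return unwrap(cw, content, b"CONTENT")

def _rejected(fn, *args):
    try:
        fn(*args)
    except ValueError:
        return True
    return False

def demo():
    clear = b"constructed sample payload"
    cw = secrets.token_bytes(32)
    content = wrap(cw, clear, b"CONTENT")  # OLES: encrypted once, off-line
    ers = ERS({"control_word": cw})        # ER handed to the ERS
    cas1 = CAS("CAS1", ers.authorize("CAS1"))
    cas2 = CAS("CAS2", ers.authorize("CAS2"))
    ecws = ers.make_ecws()                 # held by the VOD system
    ecms = {c.cas_id: c.make_ecm(ecws[c.cas_id]) for c in (cas1, cas2)}
    k1, k2 = cas1.provision_stb("STB1"), cas2.provision_stb("STB2")
    emm1, emm2 = cas1.make_emm("STB1"), cas2.make_emm("STB2")
    ers.revoke("CAS2")                     # CAS2 drops out of the next renewal
    return {
        "stb1": stb_decrypt(k1, emm1, ecms["CAS1"], content),
        "stb2": stb_decrypt(k2, emm2, ecms["CAS2"], content),
        "wrong_cas_ecm_rejected": _rejected(stb_decrypt, k1, emm1, ecms["CAS2"], content),
        "cas2_cannot_open_ecw1": _rejected(cas2.make_ecm, ecws["CAS1"]),
        "ecws_after_revoke": sorted(ers.make_ecws()),
    }
```

In this sketch, revocation only withholds the next ECW renewal; a CAS that has already unwrapped an ECW has seen the control word, which stays the same for content that was encrypted once off-line.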
FIGURE 4 shows a first content distribution system (150) and a second content distribution system (151) configured to share the same pre-encrypted content. The first content distribution system (150) includes the content generation system (100) that generates the content and the OLES (101) that pre-encrypts the content. The first content distribution system (150) also includes a first ERS (131-1) configured to control the participation of a number of CA systems (121-4) in the first content distribution system (150). The first content distribution system (150) may also include, but is not limited to, a VOD system (102-1) and a number of STBs (103-4). The second content distribution system (151) includes a second ERS (131-2) configured to control the participation of a number of CA systems (121-5) in the second content distribution system (151). The second content distribution system (151) may also include, but is not limited to, a VOD system (102-2) and a number of STBs (103-5). In some embodiments, the first ERS (131-1) transmits the ER generated by the OLES (101) to the second ERS (131-2) so that the second content distribution system (151) can use its own local conditional access systems to secure access to the pre-encrypted content. As shown in FIGURE 4, an interface (certificate exchange) based on a certificate authentication protocol can be used to allow the first ERS (131-1) to securely transfer to the second ERS (131-2) the information necessary to discover or decipher the ER. The second ERS (131-2) can then generate the control word used to pre-encrypt the content and use its own encryption scheme to generate the ECWs, ECMs, and/or other forms of the control word. The certificate authentication protocol can be any protocol, such as, but not limited to, the SimulCrypt protocol or the X.509 certificate exchange and verification protocol.
FIGURE 5 is a flow chart illustrating an exemplary method for allowing multiple CA systems (121; FIGURE 2) to control access of one or more STBs (103; FIGURE 2) to the pre-encrypted content. The steps shown in FIGURE 5 can be modified, removed or added to as best suits a particular application.
First, the content is pre-encrypted using a control word (step 160). An encryption record (ER) is also generated (step 161) and transmitted to the ERS (131; FIGURE 2) (step 162). The ERS (131; FIGURE 2) uses the ER to regenerate the control word used in step 160 to pre-encrypt the content (step 163). As shown in FIGURE 5, the ERS (131; FIGURE 2) also authorizes one or more CA systems (121; FIGURE 2) to participate in the content distribution system (130; FIGURE 2) (step 164). The ERS (131; FIGURE 2) can make this authorization by exchanging CAS authorization data with the CA systems (121; FIGURE 2). Once the CA systems (121; FIGURE 2) have been authorized, the ECWs corresponding to each authorized CA system (121; FIGURE 2) are generated (step 165). The CA systems (121; FIGURE 2) can then generate the ECMs corresponding to each ECW (step 166). The exchange of information between the ERS (131; FIGURE 2) and the CA systems (121; FIGURE 2) needed to facilitate the generation of the ECMs (step 166) can be performed using any key exchange protocol, e.g., SimulCrypt. The CA systems (121; FIGURE 2) can also generate an EMM for each authorized STB (103; FIGURE 2) (step 167). The EMMs, pre-encrypted content and ECMs can then be transmitted to the authorized requesting STBs (103; FIGURE 2). The STBs (103; FIGURE 2) can then decrypt the pre-encrypted content (step 169) using the information contained in the EMMs and the ECMs.
The foregoing description has been presented only to illustrate and describe embodiments of the invention. It is not intended to be exhaustive or to limit the invention to any precise form described. Many modifications and variations are possible in view of the above teaching. It is intended that the scope of the invention be defined by the following claims.
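The FIGURE 5 flow described above, traced end to end as an added example (not code from the patent): one pre-encrypted asset is opened by STBs under two independently keyed CA systems. The assumptions are that the ER is a random seed from which the control word is derived under a key shared by the OLES and the ERS, that the names `transport_key`, `service_key` and `unit_keys` are hypothetical, and that an HMAC keystream stands in for the real scrambling and key-wrapping ciphers.

```python
import hashlib, hmac, os

# Assumed for the demo: CW = HMAC(oles_key, ER); all key names hypothetical; toy cipher.
def xor_stream(key, data, label=b""):
    """Stand-in cipher: XOR with an HMAC-SHA256 counter keystream. No integrity."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, label + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class ERS:
    def __init__(self, oles_key):
        self.oles_key, self.authorized = oles_key, {}
    def authorize(self, ca_name, transport_key):        # step 164
        self.authorized[ca_name] = transport_key
    def ecw_for(self, ca_name, er):                     # steps 163 and 165
        cw = hmac.new(self.oles_key, er, hashlib.sha256).digest()
        return xor_stream(self.authorized[ca_name], cw, b"ecw")  # KeyError if unauthorized

class CAS:
    def __init__(self, name, transport_key):
        self.name, self.transport_key = name, transport_key
        self.service_key, self.unit_keys = os.urandom(32), {}
    def ecm(self, ecw):                                 # step 166: re-wrap CW in own scheme
        cw = xor_stream(self.transport_key, ecw, b"ecw")
        return xor_stream(self.service_key, cw, b"ecm")
    def emm(self, stb_id):                              # step 167: per-STB entitlement
        return xor_stream(self.unit_keys[stb_id], self.service_key, b"emm")

def stb_decrypt(unit_key, emm, ecm, pre_encrypted):     # step 169
    service_key = xor_stream(unit_key, emm, b"emm")
    cw = xor_stream(service_key, ecm, b"ecm")
    return xor_stream(cw, pre_encrypted, b"content")

def run_demo():
    oles_key, er = os.urandom(32), os.urandom(16)       # steps 161-162: ER goes to the ERS
    cw = hmac.new(oles_key, er, hashlib.sha256).digest()
    content = b"constructed sample VOD payload " * 4    # constructed input
    pre = xor_stream(cw, content, b"content")           # step 160: encrypted once, offline
    ers, results = ERS(oles_key), {}
    for name in ("CA-A", "CA-B"):                       # two CA systems, same asset
        ca = CAS(name, os.urandom(32))
        ers.authorize(name, ca.transport_key)
        ca.unit_keys["stb-1"] = os.urandom(32)
        ecm, emm = ca.ecm(ers.ecw_for(name, er)), ca.emm("stb-1")
        results[name] = stb_decrypt(ca.unit_keys["stb-1"], emm, ecm, pre)
    wrong = stb_decrypt(os.urandom(32), emm, ecm, pre)  # STB whose unit key got no EMM
    return content, results, wrong
```

The stored asset is never re-encrypted; only the wrapping of the control word differs per CA system, which is why control over who receives an ECW sits with the ERS.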

Claims (10)

NOVELTY OF THE INVENTION

Having described the present invention, it is considered a novelty and, therefore, what is described in the following claims is claimed as property.

CLAIMS

  1. A content distribution system for distributing pre-encrypted content to a first subscriber terminal, the system characterized in that it comprises: an off-line encryption system configured to generate the pre-encrypted content using a control word; a cache system configured to store the pre-encrypted content and transmit the pre-encrypted content to the first subscriber terminal; a first conditional access system configured to allow a number of subscriber terminals to decrypt the pre-encrypted content; a second conditional access system configured to allow the first subscriber terminal to decrypt the pre-encrypted content; and a first encryption renewal system associated with the first conditional access system, the first encryption renewal system configured to authorize the second conditional access system to allow the first subscriber terminal to decrypt the pre-encrypted content.
  2. The content distribution system according to claim 1, characterized in that: the off-line encryption system also generates an encryption register corresponding to the control word; and the encryption renewal system uses the encryption register to generate an encrypted control word corresponding to the second conditional access system, the encrypted control word being an encrypted version of the control word used to pre-encrypt the content.
  3. The content distribution system according to claim 2, characterized in that: the encryption renewal system transmits the encrypted control word and the information to decrypt the encrypted control word to the second conditional access system; and the second conditional access system deciphers the encrypted control word and generates an authorization control message, the authorization control message being an encrypted form of the control word.
  4. The content distribution system according to claim 1, characterized in that the encryption renewal system authorizes the conditional access system to allow the first subscriber terminal to decrypt the pre-encrypted content by communicating with the second conditional access system using a key exchange protocol.
  5. The content distribution system according to claim 1, further characterized in that it comprises a billing system configured to generate and transmit a subscriber authorization message to the second conditional access system, the subscriber authorization message authorizing the first subscriber terminal to decrypt the pre-encrypted content.
  6. The content distribution system according to claim 1, characterized in that the pre-encrypted content comprises pre-encrypted video-on-demand content.
  7. The content distribution system according to claim 1, characterized in that the encryption renewal system is provided by a first vendor and the second conditional access system is provided by a second vendor.
  8. The content distribution system according to claim 1, further characterized in that it comprises: a second encryption renewal system; wherein the first encryption renewal system transmits encryption data to the second encryption renewal system, the encryption data comprising information that allows the second encryption renewal system to authorize a third conditional access system to allow a second subscriber terminal to decrypt the pre-encrypted content.
  9. The system according to claim 1, characterized in that the second subscriber terminal comprises a set-top (converter-decoder) box.
  10. A method for distributing pre-encrypted content to a first subscriber terminal, the method characterized in that it comprises: generating the pre-encrypted content using a control word; transmitting the pre-encrypted content to the first subscriber terminal; and using an encryption renewal system associated with a first conditional access system to authorize a second conditional access system to allow the first subscriber terminal to decrypt the pre-encrypted content.

SUMMARY OF THE INVENTION

An exemplary content distribution system for distributing pre-encrypted content to a first subscriber terminal includes an off-line encryption system configured to generate the pre-encrypted content using a control word, a cache system configured to store the pre-encrypted content and transmit the pre-encrypted content to the first subscriber terminal, a first conditional access system configured to allow a certain number of subscribers to decrypt the pre-encrypted content, a second conditional access system configured to enable the first subscriber terminal to decrypt the pre-encrypted content, and a first encryption renewal system associated with the first conditional access system. The first encryption renewal system is configured to authorize the second conditional access system to allow the first subscriber terminal to decrypt the pre-encrypted content. An exemplary method for distributing pre-encrypted content to a first subscriber terminal includes generating the pre-encrypted content using a control word, transmitting the pre-encrypted content to the first subscriber terminal, and using an encryption renewal system associated with a first conditional access system to authorize a second conditional access system to allow the first subscriber terminal to decrypt the pre-encrypted content.
MXPA/A/2006/005389A 2003-11-17 2006-05-12 Systems and methods for delivering pre-encrypted content to a subscriber terminal MXPA06005389A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US60/520,695 2003-11-17
US10988228 2004-11-12

Publications (1)

Publication Number Publication Date
MXPA06005389A true MXPA06005389A (en) 2006-10-17
