US20090116648A9 - Key production system - Google Patents
Key production system Download PDFInfo
- Publication number
- US20090116648A9 US20090116648A9 US11/810,023 US81002307A US2009116648A9 US 20090116648 A9 US20090116648 A9 US 20090116648A9 US 81002307 A US81002307 A US 81002307A US 2009116648 A9 US2009116648 A9 US 2009116648A9
- Authority
- US
- United States
- Prior art keywords
- key
- cryptoperiod
- hash
- chain
- component
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
- H04L9/16—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms the keys or algorithms being changed during operation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/60—Digital content management, e.g. content distribution
Definitions
- the present invention relates to key production.
- content issued by a content provider is typically encrypted using a cryptographic key.
- the cryptographic key is typically changed periodically and frequently, every cryptoperiod, in order to prevent key attacks leading to gaining unauthorized access to the content.
- only the last issued key needs to be retained by the content consuming device and previous keys can then be derived from the last issued key.
- An example of key generation is described in section 7.3 of a document entitled “DRM Specification, Approved Version 2.0—3 Mar. 2006” issued by the Open Mobile Alliance of 4275 Executive Square, Suite 240, La Jolla, Calif. 92037, USA or via the website at www.openmobilealliance.org.
- FIG. 1 is a partly pictorial, partly block diagram view of a hash-chain 10 used in key-production.
- FIG. 2 is a partly pictorial, partly block diagram view of keys 12 being issued after a subscription.
- the hash-chain 10 has a root key 14 , which is input to the function f, thereby producing a key X i .
- the key X i is in turn input to the function f, thereby producing a key X i-1 .
- the process is then continued until the hash-chain 10 is large enough for the needs of the application giving keys 12 (for example, but not limited to, keys X 0 , X 1 , X 2 , X 3 and so on) whereby one of the keys 12 is generally issued at a time.
- the function f is typically a cryptographic one-way function.
- the root key 14 of the series of the hash-chain 10 is generally kept by the deriving side, for example, but not limited to, a broadcasting Headend or the Rights Issuer.
- the Rights Issuer then issues keys periodically, typically starting from the last key in the series, X 0 in the example of FIG. 1 , and then continuing issuing new keys back one-by-one towards the root key 14 so that the order of issuance is in the opposite direction to the order of derivation.
- the first key issued to the subscribers is the key X 0 .
- the key X 0 is suitable as a decryption key for content issued in the first time period (January).
- the key X 1 is issued to the subscribers to decrypt content issued in February.
- a key X 2 is issued to the subscribers to decrypt content issued in March, and so on. It will be appreciated that when the subscribers hold key X 1 , the subscribers no longer need to hold the key X 0 , as the key X 0 can be determined from the key X 1 using the function f. Similarly, when the subscribers hold the key X 2 , the subscribers no longer need to hold the keys X 1 and X 0 , as the keys X 1 and X 0 can be determined from the key X 2 using the function f.
- a subscriber (not shown) subscribes in March and receives the key X 2 in March, the key X 3 in April and the key X 4 in May.
- FIG. 3 is a partly pictorial, partly block diagram view of prior keys 16 being generated from a current key 18 .
- the subscriber receives the key X 5 .
- the keys X 0 , X 1 , X 2 , X 3 and X 4 can all be determined from the key X 5 using the function f.
- the keys X 0 and X 1 allow the subscriber to decrypt content issued in January and February, respectively. However, the subscriber only began subscribing in March. Therefore, the subscriber is gaining free access to the January and February content.
- derived keys are shared by many clients, for example, but not limited to, access keys to a service that is broadcast and stored, then everyone included in the subscription for a service receives all the current keys, but have the ability to derive all the past keys, even for periods for which the clients were not subscribed.
- the present invention seeks to provide an improved key production system.
- the system of the present invention in preferred embodiments thereof, includes a key production system based on two hash-chain series.
- the values of each hash-chain are associated with cryptoperiods such that one of the hash-chains has values (for example, Y 0 , Y 1 , Y 2 , Y 3 ) which progress via a first one-way function wherein progressive values correspond to later cryptoperiods (so that the order of issuance is in the same direction as the order of derivation) and the other hash-chain has values (for example, X 3 , X 2 , X 1 , X 0 ) which progress via a second one-way function wherein progressive values correspond to earlier cryptoperiods (so that the order of issuance is in the opposite direction to the order of derivation).
- the cryptographic key (Z i ) is based on a value in each hash-chain for the selected cryptoperiod (for example, X i and Y i ). Therefore, the values of the hash-chained are termed “key-components”.
- the cryptographic key, Z i is preferably, determined based on the value X i in one hash-chain and the value Y i in the other hash-chain, for the selected cryptoperiod.
- the function used to determine Z i should not allow computing the values X i from Z i and Y i and preferably not Y i from Z i and X i , for a cryptoperiod i.
- the client when a client subscribes to a service, for example, in time-period k, the client receives a key-component from each hash-chain for the current cryptoperiod, for example, X k and Y k .
- Each cryptoperiod, m during subscription, the client receives a key-component X m from the hash-chain which progresses toward the root for the cryptoperiod.
- the key-component Y m for the cryptoperiod for the hash-chain which progresses away from the root can be determined by the client based on the originally issued key-component, Y k .
- the cryptographic key Z m is determined using the appropriate key-components of each hash-chain, namely, X m and Y m .
- the client can generally only calculate the cryptographic key Z, for cryptoperiods later than or equal to k, but earlier than or equal to m.
- a key production system to determine a cryptographic key for a selected cryptoperiod, the selected cryptoperiod being later than or equal to a cryptoperiod
- a cryptoperiod there is also provided in accordance with still another preferred embodiment of the present invention a, and earlier than or equal to a cryptoperiod B, the cryptoperiod
- a being different from the cryptoperiod B, the system including a first receiver to receive a first key-component associated with the cryptoperiod
- the first key-component forming part of a first hash-chain having a plurality of key-components such that the first hash-chain progresses via a first one-way function, progressive ones of the key-components in the first hash-chain corresponding to later cryptoperiods, a second receiver to receive a second key-component associated with the cryptoperi
- the first key component determination module is operative to determine the one key-component in the first hash-chain for the selected cryptoperiod based on applying the first one-way function, at least once, to the first key component.
- the second key component determination module is operative to determine the one key-component in the second hash-chain for the selected cryptoperiod based on applying the second one-way function, at least once, to the second key component.
- the key determination module is operative to determine the cryptographic key by performing a cryptographic hash function on the concatenation of the one key-component in the first hash chain for the selected cryptoperiod with the one key component in the second hash-chain for the selected cryptoperiod.
- the first one-way function is the same as the second one-way function.
- a key production system to determine a cryptographic key for a selected cryptoperiod, the selected cryptoperiod being later than or equal to a cryptoperiod
- a cryptoperiod there is also provided in accordance with still another preferred embodiment of the present invention a, and earlier than or equal to a cryptoperiod B, the cryptoperiod
- a being different from the cryptoperiod B, the system including a first receiver to receive a first key-component associated with the cryptoperiod
- the first key-component forming part of a first hash-chain having a plurality of key-components such that the first hash-chain progresses via a first one-way function, progressive ones of the key-components in the first hash-chain corresponding to later cryptoperiods, a second receiver to receive a second key-component associated with the cryptoperi
- a key component production system to determine cryptographic key components for use in determining a cryptographic key for a selected cryptoperiod, the system including a first hash-chain module to determine a first key-component associated with the selected cryptoperiod such that the first key-component forms part of a first hash-chain having a plurality of key-components, the first hash-chain progressing via a first one-way function, progressive ones of the key-components in the first hash-chain corresponding to later cryptoperiods, a second hash-chain module to determine a second key-component associated with the selected cryptoperiod such that the second key-component forms part of a second hash-chain having a plurality of key-components, the second hash-chain progressing via a second one-way function, progressive ones of the key-components in the second hash-chain corresponding to earlier cryptoperiods, a key determination module to determine the crypto
- a key production method to determine a cryptographic key for a selected cryptoperiod the selected cryptoperiod being later than or equal to a cryptoperiod
- a cryptoperiod the cryptoperiod
- a being different from the cryptoperiod B the method including receiving a first key-component associated with the cryptoperiod
- the first key-component forming part of a first hash-chain having a plurality of key-components such that the first hash-chain progresses via a first one-way function, progressive ones of the key-components in the first hash-chain corresponding to later cryptoperiods, receiving a second key-component associated with the cryptoperiod B, the second key-component
- the one key-component in the first hash chain for the selected cryptoperiod is determined based on applying the first one-way function, at least once, to the first key component.
- the key-component in the second hash-chain for the selected cryptoperiod is determined based on applying the second one-way function, at least once, to the second key component.
- the cryptographic key is determined by performing a cryptographic hash function on the concatenation of the one key-component in the first hash chain for the selected cryptoperiod with the one key component in the second hash-chain for the selected cryptoperiod.
- the first one-way function is the same as the second one-way function.
- a key production method to determine a cryptographic key for a selected cryptoperiod the selected cryptoperiod being later than or equal to a cryptoperiod
- a cryptoperiod the cryptoperiod
- a being different from the cryptoperiod B the method including receiving a first key-component associated with the cryptoperiod
- the first key-component forming part of a first hash-chain having a plurality of key-components such that the first hash-chain progresses via a first one-way function, progressive ones of the key-components in the first hash-chain corresponding to later cryptoperiods, receiving a second key-component associated with the cryptoperiod B, the second key-component
- a key component production method to determine cryptographic key components for use in determining a cryptographic key for a selected cryptoperiod, the method including determining a first key-component associated with the selected cryptoperiod such that the first key-component forms part of a first hash-chain having a plurality of key-components, the first hash-chain progressing via a first one-way function, progressive ones of the key-components in the first hash-chain corresponding to later cryptoperiods, determining a second key-component associated with the selected cryptoperiod such that the second key-component forms part of a second hash-chain having a plurality of key-components, the second hash-chain progressing via a second one-way function, progressive ones of the key-components in the second hash-chain corresponding to earlier cryptoperiods, determining the cryptographic key for the selected cryptoperiod based on the first key-component and the second
- FIG. 1 is a partly pictorial, partly block diagram view of a hash-chain used in key-production
- FIG. 2 is a partly pictorial, partly block diagram view of keys being issued after a subscription
- FIG. 3 is a partly pictorial, partly block diagram view of prior keys being generated from a current key
- FIG. 4 a is a partly pictorial, partly block diagram view of two hash-chains for use with a key production system constructed and operative in accordance with a preferred embodiment of the present invention
- FIG. 4 b is a partly pictorial, partly block diagram view of the two-hash chains of FIG. 4 a depicted in cryptographic period order;
- FIGS. 5-8 are partly pictorial, partly block diagram views illustrating encryption key production in the system of FIG. 4 a;
- FIGS. 9-12 are partly pictorial, partly block diagram views further illustrating the system of FIG. 4 a;
- FIG. 13 is a block diagram view of the system of FIG. 4 a;
- FIG. 14 is a flow diagram of a preferred method of operation of the system of FIG. 4 a;
- FIG. 15 is a block diagram view of a key component production system constructed and operative in accordance with a preferred embodiment of the present invention.
- FIG. 16 is a flow diagram of a preferred method of operation of the system of FIG. 15 .
- FIG. 4 a is a partly pictorial, partly block diagram view of two hash-chains 20 , 22 for use with a key production system 24 constructed and operative in accordance with a preferred embodiment of the present invention.
- Each hash-chain 20 , 22 has values 26 , 30 , respectively, associated with cryptoperiods, for example, but not limited to, cryptoperiods 0, 1, 2, 3, i ⁇ 1, i.
- cryptoperiod as used in the specification and claims is defined as a period for which a cryptographic key setting is effective.
- Progressive cryptoperiods are typically of equal duration, for example, but not limited to, when the cryptoperiods progress in time.
- progressive cryptoperiods may be of unequal duration, such as when the cryptoperiods are associated with stages in a dynamic process which is typically event driven.
- cryptoperiods may be triggered by time, for example, but not limited to, starting a new cryptoperiod every 10 seconds or every month.
- new cryptoperiods may be triggered by an event, for example, but not limited to, in a content sharing environment, new cryptoperiods may be triggered when new members are added so that old members can still access old content but the new members cannot access the old content, by way of example.
- the hash-chain 22 has a root value, Y 0 .
- the other values 30 of the hash-chain 22 are determined by applying a function f 1 to the root value, Y 0 and subsequent values 30 , as necessary.
- the function f 1 is typically a cryptographic one-way function. In practice, a cryptographic Hash-function such as SHA-1 can be used as the function f 1 .
- infeasible as used in the specification and claims is defined as a problem that while theoretically is possible to solve, in practice is not, due to practical limitations in the amount of time and hardware available. For example only, if a problem can be solved using all the computers in existence working full time the next billion years, that might be considered computationally infeasible. An important property is that advances in technology and theory may well change the definition of what is infeasible.
- the values 30 progress via the function f 1 , in a direction away from the root value Y 0 , wherein progressive values 30 correspond to later cryptoperiods, for example, Y 0 corresponds to cryptoperiod 0, Y 1 corresponds to cryptoperiod 1, and so on (so that the order of issuance is in the same direction as the order of derivation).
- the value Y 1 can be determined from the value Y 0 using the function f 1 .
- the value Y 2 can be determined from the value Y 1 using the function f 1 .
- the function f 1 is a one-way function, it is infeasible to determine the value Y 0 from the value Y 1 , nor the value Y 1 from the value Y 2 .
- the hash-chain 20 has a root value 28 .
- the other values 26 of the hash-chain 20 are determined by applying a function f 2 to the root value 28 and subsequent values 26 , as necessary.
- the function f 2 is typically a cryptographic one-way function. In practice, a cryptographic Hash-function such as SHA-1 can be used for the function f 2 .
- the values 26 progress via the function f 2 , in a direction away from the root value 28 , wherein progressive values 26 correspond to earlier cryptoperiods, for example, X 3 corresponds to cryptoperiod 3, X 2 to cryptoperiod 2, X 1 to cryptoperiod 1 and X 0 to cryptoperiod 0 (so that the order of issuance is in the opposite direction to the order of derivation).
- the value X 0 can be determined from the value X 1 using the function f 2
- the value X 1 can be determined from the value X 2 using the function f 2
- the function f 2 is a one-way function, it is infeasible to determine the value X 1 from the value X 0 , nor the value X 2 from the value X 1 .
- the hash-chain values 26 , 30 are also known as key-components, as the values 26 , 30 are typically used in cryptographic key determination, described in more detail with reference to FIGS. 5 - 14 :
- FIG. 4 b is a partly pictorial, partly block diagram view of the two-hash chains 20 , 22 of FIG. 4 a depicted in cryptographic period order.
- the hash-chains 20 , 22 progress in different directions with respect to cryptographic period order.
- FIGS. 5-8 are partly pictorial, partly block diagram views illustrating encryption key production in the key production system 24 of FIG. 4 a.
- FIG. 5 depicts a subscription of a consumer (not shown) starting in March and receiving, by a device (not shown) of the consumer, a plurality of key-components 36 , namely X 2 and Y 2 .
- X 2 is from the hash-chain 20 and Y 2 is from the hash-chain 22 .
- a content decryption key 34 for decrypting a plurality of encrypted content items 32 issued in March is Z 2 .
- Z 2 is determined from X 2 and Y 2 using a function f 3 .
- the function f 3 should not allow computing the values X i from Z i and Y i and preferably not Y i from Z i and X i , for a cryptoperiod i.
- a cryptographic hash function that takes the concatenation of X i with Y i as input is a good candidate for the function f 3 .
- the function f 3 uses X 2 and Y 2 as inputs.
- Previous values of the key-components in the hash-chain 20 namely X 1 and X 0 can be derived from X 2 by applying the function f 2 to X 2 .
- the function f 1 is a one-way function
- the content decryption keys Z 0 and Z 1 cannot generally be determined and therefore a plurality of content items 38 issued in January and February encrypted using Z 0 and Z 1 , respectively, cannot generally be decrypted by the device.
- a new key-component 40 namely X 3
- X 3 is issued to the device of the consumer for the hash-chain 20 .
- the client only stores X 3 and Y 2 .
- X 2 is derived from X 3 using the function f 2 applied to X 3 .
- Y 3 is derived from Y 2 using the function f 1 applied to Y 2 .
- the content decryption key Z 2 is determined from X 2 and Y 2 using the function f 3 and a content decryption key Z 3 is determined from X 3 and Y 3 using the function f 3 .
- the encrypted content items 32 issued in March and a plurality of encrypted content items 42 issued in April may be decrypted by the device using the content decryption keys Z 2 and Z 3 , respectively.
- the content 38 cannot generally be decrypted as Z 0 and Z 1 cannot generally be determined.
- a new key-component 44 namely X 4
- X 4 is issued to the device of the consumer for the hash-chain 20 .
- the device only stores X 4 and Y 2 .
- X 2 and X 3 are derived from X 4 using the function f 2 .
- Y 3 and Y 4 are derived from Y 2 using the function f 1 . Therefore, the content decryption keys Z 2 , Z 3 and a content decryption key Z 4 can be determined from the respective values of X and Y. Therefore, the encrypted content items 32 , 42 and a plurality of encrypted content items 46 issued in May can be decrypted by the device using content decryption keys Z 2 , Z 3 and Z 4 , respectively.
- the encrypted content items 32 , 42 , 46 can still be decrypted, as the decryption keys Z 2 , Z 3 and Z 4 can be determined using the key-components Y 2 and X 4 , as well as from the key-components X 2 , X 3 , Y 3 , Y 4 derived from Y 2 and X 4 .
- FIGS. 9-12 are partly pictorial, partly block diagram views further illustrating the key production system 24 of FIG. 4 a.
- FIG. 9 depicts a consumer 52 having a device 54 for consuming a plurality of content items 56 .
- the device 54 may be any suitable consuming device, for example, but not limited to, a portable music player, portable TV, desktop computer, portable computer, a set-top box, or any other suitable portable or non-portable device.
- the consumer 52 starts subscribing to a service for receiving the content items 56 .
- the content items 56 issued in January are encrypted using a key Z JAN .
- the device 54 downloads, from a server 58 , a plurality of key components, namely X JAN and Y JAN , associated with the hash-chain 20 ( FIG. 4 a ) and the hash-chain 22 ( FIG. 4 a ), respectively.
- the device 54 also downloads, from the server 58 , the content items 56 issued in January.
- the key Z JAN is determined by the device 54 from X JAN and Y JAN .
- the key Z JAN is then used to decrypt the content items 56 .
- Encrypted content issued prior to January cannot generally be decrypted, as it is infeasible to determine values earlier than Y JAN as the function f 1 is a one-way function.
- the device 54 downloads, from the server 58 , a key component X FEB and the content items 56 issued in February encrypted with a key Z FEB .
- the key Z FEB is determined by the device 54 based on X FEB and Y FEB which is derived from Y JAN using the function f 1 .
- X FEB and Y JAN are the only key-components still being stored by the device 54
- Z JAN can still be determined by deriving X JAN from X FEB using the function f 2 . Therefore, both the content items 56 issued in January and February can be played by the consumer 52 on the device 54 .
- the device 54 downloads, from the server 58 , a key component X MAR and the content items 56 issued in March encrypted with a key Z MAR .
- the key ZMAR is determined by the device 54 from X MAR and Y MAR which is derived from Y JAN using the function f 2 .
- the consumer 52 decided not to renew the subscription in April. Nevertheless, the user downloads, from the server 58 , the content items 56 issued in April encrypted with a key Z APR .
- the device 54 may determine Y APR based on Y JAN using the function f 1 , it is infeasible for the device 54 to determine X APR from X MAR as the function f 2 is a one-way function. Therefore, the device 54 cannot generally determine Z APR nor decrypt the content items 56 issued in April.
- the subscribers are restricted to accessing content encrypted using keys associated with the subscription period.
- access to content encrypted prior to the encryption period may be allowed by supplying the subscribers with earlier keys in the hash-chain 22 for example, by supplying the consumer 52 of FIGS. 9-12 with a key component before Y JAN or supplying the subscriber of FIGS. 5-8 with the key component Y 0 or Y 1 , by way of example only.
- FIG. 13 is a block diagram view of the key production system 24 of FIG. 4 a .
- FIG. 14 is a flow diagram of a preferred method of operation of the key production system 24 of FIG. 4 a.
- the key production system 24 is preferably operative to determine a cryptographic key for a selected cryptoperiod.
- the selected cryptoperiod is typically later than, or equal to, a cryptoperiod A and earlier than, or equal to, a cryptoperiod B.
- the cryptoperiod A may be the same as, or different from, the cryptoperiod B.
- the key production system 24 preferably includes a first receiver 60 , a second receiver 62 , a first key component determination module 64 , a second key component determination module 66 and a key determination module 68 .
- the first receiver 60 is preferably operative to receive a first key-component associated with the cryptoperiod A.
- the first key-component typically forms part of a first hash-chain having a plurality of key-components such that the first hash-chain progresses via a first one-way function. Progressive key-components in the first hash-chain correspond to later cryptoperiods (block 70 ).
- the second receiver 62 is preferably operative to receive a second key-component associated with the cryptoperiod B.
- the second key-component typically forms part of a second hash-chain having a plurality of key-components such that the second hash-chain progresses via a second one-way function. Progressive key-components in the second hash-chain correspond to earlier cryptoperiods (block 72 ).
- the first key component determination module 64 is preferably operative to determine the key-component in the first hash-chain for the selected cryptoperiod based on applying the first one-way function, at least once (as many times as necessary), to the first key component (block 74 ).
- the second key component determination module 66 is preferably operative to determine the key-component in the second hash-chain for the selected cryptoperiod based on applying the second one-way function, at least once (as many times as necessary), to the second key component (block 76 ).
- the first one-way function may be the same as, or different from, the second one-way function.
- the key determination module 68 is preferably operative to determine the cryptographic key based on the key-component in the first hash chain for the selected cryptoperiod and the key component in the second hash-chain for the selected cryptoperiod (block 78 ).
- the key determination module 68 is preferably operative to determine the cryptographic key using a function (for example the function f 3 described with reference to FIG. 5 ) with the key-component in the first hash chain for the selected cryptoperiod and the key component in the second hash-chain for the selected cryptoperiod as input.
- a function for example the function f 3 described with reference to FIG. 5
- the key components for a selected cryptoperiod received by the subscriber devices are typically determined by a server (for example, the server 58 of FIGS. 9-12 ).
- the key components are then generally broadcast or pushed by the server or downloaded from the server by the subscriber devices.
- the server typically includes a key component production system 80 , which is now described in more detail with reference to FIGS. 15 and 16 .
- FIG. 15 is a block diagram view of the key component production system 80 constructed and operative in accordance with a preferred embodiment of the present invention.
- FIG. 16 is a flow diagram of a preferred method of operation of the system 80 of FIG. 15 .
- the key component production system 80 preferably includes a first hash-chain module 82 , a second hash-chain module 84 , a communication module 86 and a key determination module 94 .
- the first hash-chain module 82 is preferably operative to determine a first key-component associated with the selected cryptoperiod such that the first key-component forms part of a first hash-chain having a plurality of key-components (block 88 ).
- the first hash-chain progresses via a first one-way function. Progressive key-components in the first hash-chain correspond to later cryptoperiods.
- the second hash-chain module 84 is preferably operative to determine a second key-component associated with the selected cryptoperiod such that the second key-component forms part of a second hash-chain having a plurality of key-components.
- the second hash-chain progresses via a second one-way function. Progressive ones of the key-components in the second hash-chain correspond to earlier cryptoperiods (block 90 ).
- the communication module 86 is preferably operative to enable transfer of the first key-component and the second-key component to a plurality of devices for use in determination of the cryptographic key for the selected cryptoperiod.
- the communication module 86 typically broadcasts or pushes the key-components to the devices (for example, but not limited to, sending the key-components in an SMS message to mobile subscriber devices) or allows the key-components to be downloaded by the devices (block 92 ).
- the key determination module 94 is preferably operative to determine the cryptographic key for the selected cryptoperiod based on the first key-component and the second key-component. The cryptographic key is then typically used to encrypt content for consumption by the subscriber devices (block 96 ).
- present invention may be implemented in software, ROM (read only memory) form, or hardware, if desired, using conventional techniques, or any suitable combination thereof.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Description
- The present invention relates to key production.
- By way of introduction, content issued by a content provider is typically encrypted using a cryptographic key. The cryptographic key is typically changed periodically and frequently, every cryptoperiod, in order to prevent key attacks leading to gaining unauthorized access to the content. In order to efficiently store a collection of keys that change over time, it is generally necessary to generate the keys by deriving a series in a one-way manner. As will be explained in more detail below, only the last issued key needs to be retained by the content consuming device and previous keys can then be derived from the last issued key. An example of key generation is described in section 7.3 of a document entitled “DRM Specification, Approved Version 2.0—3 Mar. 2006” issued by the Open Mobile Alliance of 4275 Executive Square, Suite 240, La Jolla, Calif. 92037, USA or via the website at www.openmobilealliance.org.
- Reference is now made to
FIGS. 1 and 2 .FIG. 1 is a partly pictorial, partly block diagram view of a hash-chain 10 used in key-production.FIG. 2 is a partly pictorial, partly block diagram view ofkeys 12 being issued after a subscription. - The hash-
chain 10 has aroot key 14, which is input to the function f, thereby producing a key Xi. The key Xi is in turn input to the function f, thereby producing a key Xi-1. The process is then continued until the hash-chain 10 is large enough for the needs of the application giving keys 12 (for example, but not limited to, keys X0, X1, X2, X3 and so on) whereby one of thekeys 12 is generally issued at a time. The function f, is typically a cryptographic one-way function. - The
root key 14 of the series of the hash-chain 10 is generally kept by the deriving side, for example, but not limited to, a broadcasting Headend or the Rights Issuer. The Rights Issuer then issues keys periodically, typically starting from the last key in the series, X0 in the example ofFIG. 1 , and then continuing issuing new keys back one-by-one towards theroot key 14 so that the order of issuance is in the opposite direction to the order of derivation. - The first key issued to the subscribers is the key X0. The key X0 is suitable as a decryption key for content issued in the first time period (January). Similarly, in the next time period (February), the key X1 is issued to the subscribers to decrypt content issued in February. In the following time period (March), a key X2 is issued to the subscribers to decrypt content issued in March, and so on. It will be appreciated that when the subscribers hold key X1, the subscribers no longer need to hold the key X0, as the key X0 can be determined from the key X1 using the function f. Similarly, when the subscribers hold the key X2, the subscribers no longer need to hold the keys X1 and X0, as the keys X1 and X0 can be determined from the key X2 using the function f.
- Reference is now made to
FIG. 2 . A subscriber (not shown) subscribes in March and receives the key X2 in March, the key X3 in April and the key X4 in May. - Reference is now made to
FIG. 3 , which is a partly pictorial, partly block diagram view ofprior keys 16 being generated from acurrent key 18. In June, the subscriber receives the key X5. The keys X0, X1, X2, X3 and X4 can all be determined from the key X5 using the function f. The keys X0 and X1 allow the subscriber to decrypt content issued in January and February, respectively. However, the subscriber only began subscribing in March. Therefore, the subscriber is gaining free access to the January and February content. - Therefore, when derived keys are shared by many clients, for example, but not limited to, access keys to a service that is broadcast and stored, then everyone included in the subscription for a service receives all the current keys, but have the ability to derive all the past keys, even for periods for which the clients were not subscribed.
- The following reference is also believed to represent the state of the art:
- Israel unpublished patent application 174494 of NDS Limited entitled “Period Keys”.
- The disclosures of all references mentioned above and throughout the present specification, as well as the disclosures of all references mentioned in those references, are hereby incorporated herein by reference.
- The present invention seeks to provide an improved key production system.
- The system of the present invention, in preferred embodiments thereof, includes a key production system based on two hash-chain series. The values of each hash-chain are associated with cryptoperiods such that one of the hash-chains has values (for example, Y0, Y1, Y2, Y3) which progress via a first one-way function wherein progressive values correspond to later cryptoperiods (so that the order of issuance is in the same direction as the order of derivation) and the other hash-chain has values (for example, X3, X2, X1, X0) which progress via a second one-way function wherein progressive values correspond to earlier cryptoperiods (so that the order of issuance is in the opposite direction to the order of derivation). For a selected cryptoperiod i, the cryptographic key (Zi) is based on a value in each hash-chain for the selected cryptoperiod (for example, Xi and Yi). Therefore, the values of the hash-chained are termed “key-components”.
- The cryptographic key, Zi, is preferably, determined based on the value Xi in one hash-chain and the value Yi in the other hash-chain, for the selected cryptoperiod. In general, the function used to determine Zi should not allow computing the values Xi from Zi and Yi and preferably not Yi from Zi and Xi, for a cryptoperiod i.
- Therefore, when a client subscribes to a service, for example, in time-period k, the client receives a key-component from each hash-chain for the current cryptoperiod, for example, Xk and Yk. Each cryptoperiod, m, during subscription, the client receives a key-component Xm from the hash-chain which progresses toward the root for the cryptoperiod. The key-component Ym for the cryptoperiod for the hash-chain which progresses away from the root can be determined by the client based on the originally issued key-component, Yk. The cryptographic key Zm is determined using the appropriate key-components of each hash-chain, namely, Xm and Ym.
- Therefore, the client can generally only calculate the cryptographic key Z, for cryptoperiods later than or equal to k, but earlier than or equal to m.
- There is thus provided in accordance with a preferred embodiment of the present invention a key production system to determine a cryptographic key for a selected cryptoperiod, the selected cryptoperiod being later than or equal to a cryptoperiod There is also provided in accordance with still another preferred embodiment of the present invention a, and earlier than or equal to a cryptoperiod B, the cryptoperiod There is also provided in accordance with still another preferred embodiment of the present invention a being different from the cryptoperiod B, the system including a first receiver to receive a first key-component associated with the cryptoperiod There is also provided in accordance with still another preferred embodiment of the present invention a, the first key-component forming part of a first hash-chain having a plurality of key-components such that the first hash-chain progresses via a first one-way function, progressive ones of the key-components in the first hash-chain corresponding to later cryptoperiods, a second receiver to receive a second key-component associated with the cryptoperiod B, the second key-component forming part of a second hash-chain having a plurality of key-components such that the second hash-chain progresses via a second one-way function, progressive ones of the key-components in the second hash-chain corresponding to earlier cryptoperiods, a first key component determination module to determine one of the key-components in the first hash-chain for the selected cryptoperiod, a second key component determination module to determine one of the key-components in the second hash-chain for the selected cryptoperiod, and a key determination module to determine the cryptographic key based on the one key-component in the first hash chain for the selected cryptoperiod and the one key component in the second hash-chain for the selected cryptoperiod.
- Further in accordance with a preferred embodiment of the present invention the first key component determination module is operative to determine the one key-component in the first hash-chain for the selected cryptoperiod based on applying the first one-way function, at least once, to the first key component.
- Still further in accordance with a preferred embodiment of the present invention the second key component determination module is operative to determine the one key-component in the second hash-chain for the selected cryptoperiod based on applying the second one-way function, at least once, to the second key component.
- Additionally in accordance with a preferred embodiment of the present invention, the key determination module is operative to determine the cryptographic key by performing a cryptographic hash function on the concatenation of the one key-component in the first hash chain for the selected cryptoperiod with the one key component in the second hash-chain for the selected cryptoperiod.
- Moreover, in accordance with a preferred embodiment of the present invention the first one-way function is the same as the second one-way function.
- There is also provided in accordance with still another preferred embodiment of the present invention a key production system to determine a cryptographic key for a selected cryptoperiod, the selected cryptoperiod being later than or equal to a cryptoperiod There is also provided in accordance with still another preferred embodiment of the present invention a, and earlier than or equal to a cryptoperiod B, the cryptoperiod There is also provided in accordance with still another preferred embodiment of the present invention a being different from the cryptoperiod B, the system including a first receiver to receive a first key-component associated with the cryptoperiod There is also provided in accordance with still another preferred embodiment of the present invention a, the first key-component forming part of a first hash-chain having a plurality of key-components such that the first hash-chain progresses via a first one-way function, progressive ones of the key-components in the first hash-chain corresponding to later cryptoperiods, a second receiver to receive a second key-component associated with the cryptoperiod B, the second key-component forming part of a second hash-chain having a plurality of key-components such that the second hash-chain progresses via a second one-way function, progressive ones of the key-components in the second hash-chain corresponding to earlier cryptoperiods, a first key component determination module to determine one of the key-components in the first hash-chain for the selected cryptoperiod based on applying the first one-way function, at least once, to the first key component, a second key component determination module to determine one of the key-components in the second hash-chain for the selected cryptoperiod based on applying the second one-way function, at least once, to the second key component, and a key determination module to determine the cryptographic key based on the one key-component in the first hash chain for the selected cryptoperiod and the one key component in the second hash-chain for the selected cryptoperiod.
- There is also provided in accordance with still another preferred embodiment of the present invention a key component production system to determine cryptographic key components for use in determining a cryptographic key for a selected cryptoperiod, the system including a first hash-chain module to determine a first key-component associated with the selected cryptoperiod such that the first key-component forms part of a first hash-chain having a plurality of key-components, the first hash-chain progressing via a first one-way function, progressive ones of the key-components in the first hash-chain corresponding to later cryptoperiods, a second hash-chain module to determine a second key-component associated with the selected cryptoperiod such that the second key-component forms part of a second hash-chain having a plurality of key-components, the second hash-chain progressing via a second one-way function, progressive ones of the key-components in the second hash-chain corresponding to earlier cryptoperiods, a key determination module to determine the cryptographic key for the selected cryptoperiod based on the first key-component and the second key-component, and a communication module to enable transfer of the first key-component and the second-key component to a plurality of devices for use in determination of the cryptographic key for the selected cryptoperiod.
- There is also provided in accordance with still another preferred embodiment of the present invention a key production method to determine a cryptographic key for a selected cryptoperiod, the selected cryptoperiod being later than or equal to a cryptoperiod There is also provided in accordance with still another preferred embodiment of the present invention a, and earlier than or equal to a cryptoperiod B, the cryptoperiod There is also provided in accordance with still another preferred embodiment of the present invention a being different from the cryptoperiod B, the method including receiving a first key-component associated with the cryptoperiod There is also provided in accordance with still another preferred embodiment of the present invention a, the first key-component forming part of a first hash-chain having a plurality of key-components such that the first hash-chain progresses via a first one-way function, progressive ones of the key-components in the first hash-chain corresponding to later cryptoperiods, receiving a second key-component associated with the cryptoperiod B, the second key-component forming part of a second hash-chain having a plurality of key-components such that the second hash-chain progresses via a second one-way function, progressive ones of the key-components in the second hash-chain corresponding to earlier cryptoperiods, determining one of the key-components in the first hash-chain for the selected cryptoperiod, determining one of the key-components in the second hash-chain for the selected cryptoperiod, and determining the cryptographic key based on the one key-component in the first hash chain for the selected cryptoperiod and the one key component in the second hash-chain for the selected cryptoperiod.
- Further in accordance with a preferred embodiment of the present invention the one key-component in the first hash chain for the selected cryptoperiod is determined based on applying the first one-way function, at least once, to the first key component.
- Still further in accordance with a preferred embodiment of the present invention the key-component in the second hash-chain for the selected cryptoperiod is determined based on applying the second one-way function, at least once, to the second key component.
- Additionally in accordance with a preferred embodiment of the present invention, the cryptographic key is determined by performing a cryptographic hash function on the concatenation of the one key-component in the first hash chain for the selected cryptoperiod with the one key component in the second hash-chain for the selected cryptoperiod.
- Moreover, in accordance with a preferred embodiment of the present invention the first one-way function is the same as the second one-way function.
- There is also provided in accordance with still another preferred embodiment of the present invention a key production method to determine a cryptographic key for a selected cryptoperiod, the selected cryptoperiod being later than or equal to a cryptoperiod There is also provided in accordance with still another preferred embodiment of the present invention a, and earlier than or equal to a cryptoperiod B, the cryptoperiod There is also provided in accordance with still another preferred embodiment of the present invention a being different from the cryptoperiod B, the method including receiving a first key-component associated with the cryptoperiod There is also provided in accordance with still another preferred embodiment of the present invention a, the first key-component forming part of a first hash-chain having a plurality of key-components such that the first hash-chain progresses via a first one-way function, progressive ones of the key-components in the first hash-chain corresponding to later cryptoperiods, receiving a second key-component associated with the cryptoperiod B, the second key-component forming part of a second hash-chain having a plurality of key-components such that the second hash-chain progresses via a second one-way function, progressive ones of the key-components in the second hash-chain corresponding to earlier cryptoperiods, determining one of the key-components in the first hash-chain for the selected cryptoperiod based on applying the first one-way function, at least once, to the first key component, determining one of the key-components in the second hash-chain for the selected cryptoperiod based on applying the second one-way function, at least once, to the second key component, and determining the cryptographic key based on the one key-component in the first hash chain for the selected cryptoperiod and the one key component in the second hash-chain for the selected cryptoperiod.
- There is also provided in accordance with still another preferred embodiment of the present invention a key component production method to determine cryptographic key components for use in determining a cryptographic key for a selected cryptoperiod, the method including determining a first key-component associated with the selected cryptoperiod such that the first key-component forms part of a first hash-chain having a plurality of key-components, the first hash-chain progressing via a first one-way function, progressive ones of the key-components in the first hash-chain corresponding to later cryptoperiods, determining a second key-component associated with the selected cryptoperiod such that the second key-component forms part of a second hash-chain having a plurality of key-components, the second hash-chain progressing via a second one-way function, progressive ones of the key-components in the second hash-chain corresponding to earlier cryptoperiods, determining the cryptographic key for the selected cryptoperiod based on the first key-component and the second key-component, and enabling transfer of the first key-component and the second-key component to a plurality of devices for use in determination of the cryptographic key for the selected cryptoperiod.
- The present invention will be understood and appreciated more fully from the following detailed description, taken in conjunction with the drawings in which:
-
FIG. 1 is a partly pictorial, partly block diagram view of a hash-chain used in key-production; -
FIG. 2 is a partly pictorial, partly block diagram view of keys being issued after a subscription; -
FIG. 3 is a partly pictorial, partly block diagram view of prior keys being generated from a current key; -
FIG. 4 a is a partly pictorial, partly block diagram view of two hash-chains for use with a key production system constructed and operative in accordance with a preferred embodiment of the present invention; -
FIG. 4 b is a partly pictorial, partly block diagram view of the two-hash chains ofFIG. 4 a depicted in cryptographic period order; -
FIGS. 5-8 are partly pictorial, partly block diagram views illustrating encryption key production in the system ofFIG. 4 a; -
FIGS. 9-12 are partly pictorial, partly block diagram views further illustrating the system ofFIG. 4 a; -
FIG. 13 is a block diagram view of the system ofFIG. 4 a; -
FIG. 14 is a flow diagram of a preferred method of operation of the system ofFIG. 4 a; -
FIG. 15 is a block diagram view of a key component production system constructed and operative in accordance with a preferred embodiment of the present invention; and -
FIG. 16 is a flow diagram of a preferred method of operation of the system ofFIG. 15 . - Reference is now made to
FIG. 4 a, which is a partly pictorial, partly block diagram view of two hash-chains key production system 24 constructed and operative in accordance with a preferred embodiment of the present invention. - Each hash-
chain values - The term “cryptoperiod” as used in the specification and claims is defined as a period for which a cryptographic key setting is effective. Progressive cryptoperiods are typically of equal duration, for example, but not limited to, when the cryptoperiods progress in time. However, progressive cryptoperiods may be of unequal duration, such as when the cryptoperiods are associated with stages in a dynamic process which is typically event driven. By way of example, cryptoperiods may be triggered by time, for example, but not limited to, starting a new cryptoperiod every 10 seconds or every month. By way of another example, new cryptoperiods may be triggered by an event, for example, but not limited to, in a content sharing environment, new cryptoperiods may be triggered when new members are added so that old members can still access old content but the new members cannot access the old content, by way of example.
- The hash-
chain 22 has a root value, Y0. Theother values 30 of the hash-chain 22 are determined by applying a function f1 to the root value, Y0 andsubsequent values 30, as necessary. The function f1 is typically a cryptographic one-way function. In practice, a cryptographic Hash-function such as SHA-1 can be used as the function f1. - The term “one-way function” as used in the specification and claims is a function f such that for each x in the domain f, it is easy to compute f(x) (for example using current technology computation is typically in the order of seconds or less); but for essentially all y in the range of f, it is computationally infeasible to find any x such that y=f(x). The term “infeasible” as used in the specification and claims is defined as a problem that while theoretically is possible to solve, in practice is not, due to practical limitations in the amount of time and hardware available. For example only, if a problem can be solved using all the computers in existence working full time the next billion years, that might be considered computationally infeasible. An important property is that advances in technology and theory may well change the definition of what is infeasible.
- By way of example only, it is currently believed that it is practically impossible to break the AES (Advanced Encryption Standard) via a brute force attack of exploring all 2 to the power 128 possible keys.
- The values 30 (for example, Y0, Y1, Y2, Y3) progress via the function f1, in a direction away from the root value Y0, wherein
progressive values 30 correspond to later cryptoperiods, for example, Y0 corresponds tocryptoperiod 0, Y1 corresponds tocryptoperiod 1, and so on (so that the order of issuance is in the same direction as the order of derivation). - It will be appreciated that the value Y1 can be determined from the value Y0 using the function f1. Similarly, the value Y2 can be determined from the value Y1 using the function f1. As the function f1 is a one-way function, it is infeasible to determine the value Y0 from the value Y1, nor the value Y1 from the value Y2.
- The hash-
chain 20 has aroot value 28. Theother values 26 of the hash-chain 20 are determined by applying a function f2 to theroot value 28 andsubsequent values 26, as necessary. The function f2 is typically a cryptographic one-way function. In practice, a cryptographic Hash-function such as SHA-1 can be used for the function f2. The values 26 (for example, X3, X2, X1, X0) progress via the function f2, in a direction away from theroot value 28, whereinprogressive values 26 correspond to earlier cryptoperiods, for example, X3 corresponds tocryptoperiod 3, X2 tocryptoperiod 2, X1 tocryptoperiod 1 and X0 to cryptoperiod 0 (so that the order of issuance is in the opposite direction to the order of derivation). - It will be appreciated that the value X0 can be determined from the value X1 using the function f2, Similarly, the value X1 can be determined from the value X2 using the function f2, and so on. However, as the function f2 is a one-way function, it is infeasible to determine the value X1 from the value X0, nor the value X2 from the value X1.
- The hash-
chain values values -
FIG. 4 b is a partly pictorial, partly block diagram view of the two-hash chains FIG. 4 a depicted in cryptographic period order. The hash-chains - Reference is now made to
FIGS. 5-8 , which are partly pictorial, partly block diagram views illustrating encryption key production in thekey production system 24 ofFIG. 4 a. -
FIG. 5 depicts a subscription of a consumer (not shown) starting in March and receiving, by a device (not shown) of the consumer, a plurality of key-components 36, namely X2 and Y2. X2 is from the hash-chain 20 and Y2 is from the hash-chain 22. Acontent decryption key 34 for decrypting a plurality ofencrypted content items 32 issued in March is Z2. Z2 is determined from X2 and Y2 using a function f3. In general, the function f3 should not allow computing the values Xi from Zi and Yi and preferably not Yi from Zi and Xi, for a cryptoperiod i. By way of example only, in practice a cryptographic hash function that takes the concatenation of Xi with Yi as input is a good candidate for the function f3. In the example ofFIG. 5 , the function f3 uses X2 and Y2 as inputs. - Previous values of the key-components in the hash-
chain 20, namely X1 and X0 can be derived from X2 by applying the function f2 to X2. However, since it is infeasible to determine the previous values of the key components in the hash-chain 22 namely Y1 and Y0 (not shown) from Y2 as the function f1 is a one-way function, the content decryption keys Z0 and Z1 cannot generally be determined and therefore a plurality ofcontent items 38 issued in January and February encrypted using Z0 and Z1, respectively, cannot generally be decrypted by the device. - Reference is now made to
FIG. 6 . In April, a new key-component 40, namely X3, is issued to the device of the consumer for the hash-chain 20. To save storage space, the client only stores X3 and Y2. X2 is derived from X3 using the function f2 applied to X3. Y3 is derived from Y2 using the function f1 applied to Y2. The content decryption key Z2 is determined from X2 and Y2 using the function f3 and a content decryption key Z3 is determined from X3 and Y3 using the function f3. Therefore, theencrypted content items 32 issued in March and a plurality ofencrypted content items 42 issued in April may be decrypted by the device using the content decryption keys Z2 and Z3, respectively. As described with reference toFIG. 5 thecontent 38 cannot generally be decrypted as Z0 and Z1 cannot generally be determined. - Reference is now made to
FIG. 7 . In May, a new key-component 44, namely X4, is issued to the device of the consumer for the hash-chain 20. To save storage space, the device only stores X4 and Y2. X2 and X3 are derived from X4 using the function f2. Y3 and Y4 are derived from Y2 using the function f1. Therefore, the content decryption keys Z2, Z3 and a content decryption key Z4 can be determined from the respective values of X and Y. Therefore, theencrypted content items encrypted content items 46 issued in May can be decrypted by the device using content decryption keys Z2, Z3 and Z4, respectively. - Reference is now made to
FIG. 8 . The consumer decided not to renew the subscription for June. Therefore, the device of the consumer does not receive any new key-components for June. It is possible to derive a plurality ofkey components 48, namely, Y5 and Y6, in the hash-chain 22 for June and July, respectively, from Y2 using the function f1. However, as the function f2 is a one-way function, it is infeasible to derive the key-components X5 and X6 (not shown), in the hash-chain 20 for June and July, respectively, from X4. Therefore, decryption keys Z5 and Z6 for decrypting a plurality ofencrypted content items 50 issued in June and July, respectively, generally cannot be determined. - As described above with reference to
FIG. 7 , theencrypted content items - Reference is now made to
FIGS. 9-12 , which are partly pictorial, partly block diagram views further illustrating thekey production system 24 ofFIG. 4 a. -
FIG. 9 depicts aconsumer 52 having adevice 54 for consuming a plurality ofcontent items 56. Thedevice 54 may be any suitable consuming device, for example, but not limited to, a portable music player, portable TV, desktop computer, portable computer, a set-top box, or any other suitable portable or non-portable device. - In January, the
consumer 52 starts subscribing to a service for receiving thecontent items 56. Thecontent items 56 issued in January are encrypted using a key ZJAN. Thedevice 54 downloads, from aserver 58, a plurality of key components, namely XJAN and YJAN, associated with the hash-chain 20 (FIG. 4 a) and the hash-chain 22 (FIG. 4 a), respectively. Thedevice 54 also downloads, from theserver 58, thecontent items 56 issued in January. The key ZJAN is determined by thedevice 54 from XJAN and YJAN. The key ZJAN is then used to decrypt thecontent items 56. - Encrypted content issued prior to January cannot generally be decrypted, as it is infeasible to determine values earlier than YJAN as the function f1 is a one-way function.
- Reference is now made to
FIG. 10 . In February, thedevice 54 downloads, from theserver 58, a key component XFEB and thecontent items 56 issued in February encrypted with a key ZFEB. The key ZFEB is determined by thedevice 54 based on XFEB and YFEB which is derived from YJAN using the function f1. Even though XFEB and YJAN are the only key-components still being stored by thedevice 54, ZJAN can still be determined by deriving XJAN from XFEB using the function f2. Therefore, both thecontent items 56 issued in January and February can be played by theconsumer 52 on thedevice 54. - Reference is now made to
FIG. 11 . In March, thedevice 54 downloads, from theserver 58, a key component XMAR and thecontent items 56 issued in March encrypted with a key ZMAR. The key ZMAR is determined by thedevice 54 from XMAR and YMAR which is derived from YJAN using the function f2. - Reference is now made to
FIG. 12 . Theconsumer 52 decided not to renew the subscription in April. Nevertheless, the user downloads, from theserver 58, thecontent items 56 issued in April encrypted with a key ZAPR. Although thedevice 54 may determine YAPR based on YJAN using the function f1, it is infeasible for thedevice 54 to determine XAPR from XMAR as the function f2 is a one-way function. Therefore, thedevice 54 cannot generally determine ZAPR nor decrypt thecontent items 56 issued in April. - In the above examples of
FIGS. 5-12 , the subscribers are restricted to accessing content encrypted using keys associated with the subscription period. However, access to content encrypted prior to the encryption period may be allowed by supplying the subscribers with earlier keys in the hash-chain 22 for example, by supplying theconsumer 52 ofFIGS. 9-12 with a key component before YJAN or supplying the subscriber ofFIGS. 5-8 with the key component Y0 or Y1, by way of example only. - It should be noted that it is desirable to start a new chain in place of the hash-
chain 22 occasionally, as hackers may try to combine key-components that they receive in order to be able to construct keys for cryptoperiods for which the users are not subscribed. - Reference is now made to
FIGS. 13 and 14 .FIG. 13 is a block diagram view of thekey production system 24 ofFIG. 4 a.FIG. 14 is a flow diagram of a preferred method of operation of thekey production system 24 ofFIG. 4 a. - The
key production system 24 is preferably operative to determine a cryptographic key for a selected cryptoperiod. The selected cryptoperiod is typically later than, or equal to, a cryptoperiod A and earlier than, or equal to, a cryptoperiod B. The cryptoperiod A may be the same as, or different from, the cryptoperiod B. - The
key production system 24 preferably includes afirst receiver 60, asecond receiver 62, a first keycomponent determination module 64, a second keycomponent determination module 66 and akey determination module 68. - The
first receiver 60 is preferably operative to receive a first key-component associated with the cryptoperiod A. The first key-component typically forms part of a first hash-chain having a plurality of key-components such that the first hash-chain progresses via a first one-way function. Progressive key-components in the first hash-chain correspond to later cryptoperiods (block 70). - The
second receiver 62 is preferably operative to receive a second key-component associated with the cryptoperiod B. The second key-component typically forms part of a second hash-chain having a plurality of key-components such that the second hash-chain progresses via a second one-way function. Progressive key-components in the second hash-chain correspond to earlier cryptoperiods (block 72). - When the selected cryptoperiod is not equal to the cryptoperiod A, the first key
component determination module 64 is preferably operative to determine the key-component in the first hash-chain for the selected cryptoperiod based on applying the first one-way function, at least once (as many times as necessary), to the first key component (block 74). - When the selected cryptoperiod is not equal to the cryptoperiod B, the second key
component determination module 66 is preferably operative to determine the key-component in the second hash-chain for the selected cryptoperiod based on applying the second one-way function, at least once (as many times as necessary), to the second key component (block 76). - The first one-way function may be the same as, or different from, the second one-way function.
- The
key determination module 68 is preferably operative to determine the cryptographic key based on the key-component in the first hash chain for the selected cryptoperiod and the key component in the second hash-chain for the selected cryptoperiod (block 78). - In accordance with a most preferred embodiment of the present invention, the
key determination module 68 is preferably operative to determine the cryptographic key using a function (for example the function f3 described with reference toFIG. 5 ) with the key-component in the first hash chain for the selected cryptoperiod and the key component in the second hash-chain for the selected cryptoperiod as input. - By way of introduction, the key components for a selected cryptoperiod received by the subscriber devices (for example, the
device 54 ofFIGS. 9-12 ) are typically determined by a server (for example, theserver 58 ofFIGS. 9-12 ). The key components are then generally broadcast or pushed by the server or downloaded from the server by the subscriber devices. The server typically includes a keycomponent production system 80, which is now described in more detail with reference toFIGS. 15 and 16 .FIG. 15 is a block diagram view of the keycomponent production system 80 constructed and operative in accordance with a preferred embodiment of the present invention.FIG. 16 is a flow diagram of a preferred method of operation of thesystem 80 ofFIG. 15 . - The key
component production system 80 preferably includes a first hash-chain module 82, a second hash-chain module 84, acommunication module 86 and akey determination module 94. - The first hash-
chain module 82 is preferably operative to determine a first key-component associated with the selected cryptoperiod such that the first key-component forms part of a first hash-chain having a plurality of key-components (block 88). The first hash-chain progresses via a first one-way function. Progressive key-components in the first hash-chain correspond to later cryptoperiods. - The second hash-
chain module 84 is preferably operative to determine a second key-component associated with the selected cryptoperiod such that the second key-component forms part of a second hash-chain having a plurality of key-components. The second hash-chain progresses via a second one-way function. Progressive ones of the key-components in the second hash-chain correspond to earlier cryptoperiods (block 90). - The
communication module 86 is preferably operative to enable transfer of the first key-component and the second-key component to a plurality of devices for use in determination of the cryptographic key for the selected cryptoperiod. Thecommunication module 86 typically broadcasts or pushes the key-components to the devices (for example, but not limited to, sending the key-components in an SMS message to mobile subscriber devices) or allows the key-components to be downloaded by the devices (block 92). - The
key determination module 94 is preferably operative to determine the cryptographic key for the selected cryptoperiod based on the first key-component and the second key-component. The cryptographic key is then typically used to encrypt content for consumption by the subscriber devices (block 96). - It is appreciated that present invention may be implemented in software, ROM (read only memory) form, or hardware, if desired, using conventional techniques, or any suitable combination thereof.
- It will be appreciated that various features of the invention which are, for clarity, described in the contexts of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable sub-combination. It will also be appreciated by persons skilled in the art that the present invention is not limited by what has been particularly shown and described hereinabove. Rather the scope of the invention is defined only by the claims which follow.
Claims (17)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
IL178488 | 2006-10-05 | ||
IL178488A IL178488A0 (en) | 2006-10-05 | 2006-10-05 | Improved key production system |
Publications (3)
Publication Number | Publication Date |
---|---|
US20080085003A1 US20080085003A1 (en) | 2008-04-10 |
US20090116648A9 true US20090116648A9 (en) | 2009-05-07 |
US7903820B2 US7903820B2 (en) | 2011-03-08 |
Family
ID=39274962
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/810,023 Active 2029-12-11 US7903820B2 (en) | 2006-10-05 | 2007-06-04 | Key production system |
Country Status (2)
Country | Link |
---|---|
US (1) | US7903820B2 (en) |
IL (1) | IL178488A0 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090198619A1 (en) * | 2008-02-06 | 2009-08-06 | Motorola, Inc. | Aggregated hash-chain micropayment system |
CN107637010A (en) * | 2015-05-19 | 2018-01-26 | 三星Sds株式会社 | Data encryption device and method and data deciphering device and method |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8059814B1 (en) * | 2007-09-28 | 2011-11-15 | Emc Corporation | Techniques for carrying out seed or key derivation |
DE102008021933B4 (en) * | 2008-05-02 | 2011-04-07 | Secutanta Gmbh | Method for determining a chain of keys, method for transmitting a subchain of the keys, computer system and chip card I |
EP2219374A1 (en) * | 2009-02-13 | 2010-08-18 | Irdeto Access B.V. | Securely providing a control word from a smartcard to a conditional access module |
US8223974B2 (en) * | 2009-07-31 | 2012-07-17 | Telefonaktiebolaget L M Ericsson (Publ) | Self-healing encryption keys |
US8254580B2 (en) * | 2009-09-30 | 2012-08-28 | Telefonaktiebolaget L M Ericsson (Publ) | Key distribution in a hierarchy of nodes |
US8386800B2 (en) | 2009-12-04 | 2013-02-26 | Cryptography Research, Inc. | Verifiable, leak-resistant encryption and decryption |
US20120069995A1 (en) * | 2010-09-22 | 2012-03-22 | Seagate Technology Llc | Controller chip with zeroizable root key |
EP2458777A1 (en) * | 2010-11-30 | 2012-05-30 | Irdeto B.V. | Deriving one or more cryptographic keys of a sequence of keys |
US9178699B2 (en) | 2013-11-06 | 2015-11-03 | Blackberry Limited | Public key encryption algorithms for hard lock file encryption |
US10218496B2 (en) | 2014-08-04 | 2019-02-26 | Cryptography Research, Inc. | Outputting a key based on an authorized sequence of operations |
US10103882B2 (en) * | 2016-03-03 | 2018-10-16 | Dell Products, L.P. | Encryption key lifecycle management |
US20200076594A1 (en) * | 2016-03-30 | 2020-03-05 | The Athena Group, Inc. | Key update for masked keys |
US10348502B2 (en) | 2016-09-02 | 2019-07-09 | Blackberry Limited | Encrypting and decrypting data on an electronic device |
US10341102B2 (en) | 2016-09-02 | 2019-07-02 | Blackberry Limited | Decrypting encrypted data on an electronic device |
US10897354B2 (en) | 2018-01-19 | 2021-01-19 | Robert Bosch Gmbh | System and method for privacy-preserving data retrieval for connected power tools |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030044017A1 (en) * | 1999-07-23 | 2003-03-06 | Briscoe Robert John | Data distribution |
US6799270B1 (en) * | 1998-10-30 | 2004-09-28 | Citrix Systems, Inc. | System and method for secure distribution of digital information to a chain of computer system nodes in a network |
US20050114666A1 (en) * | 1999-08-06 | 2005-05-26 | Sudia Frank W. | Blocked tree authorization and status systems |
US20060036516A1 (en) * | 2004-07-22 | 2006-02-16 | Thorsten Glebe | Systems, methods, and articles of manufacture for performing product availability check |
US20060059333A1 (en) * | 2004-08-31 | 2006-03-16 | Gentry Craig B | Revocation of cryptographic digital certificates |
US20060248334A1 (en) * | 2004-12-17 | 2006-11-02 | Ramzan Zulfikar A | Use of modular roots to perform authentication including, but not limited to, authentication of validity of digital certificates |
US20060288224A1 (en) * | 2005-06-20 | 2006-12-21 | Sungkyunkwan University Foundation For Corporate Collaboration | System and method for detecting exposure of ocsp responder's session private key |
US20070074036A1 (en) * | 2004-12-17 | 2007-03-29 | Ntt Docomo Inc. | Multi-certificate revocation using encrypted proof data for proving certificate's validity or invalidity |
US20070127719A1 (en) * | 2003-10-14 | 2007-06-07 | Goran Selander | Efficient management of cryptographic key generations |
US20070150744A1 (en) * | 2005-12-22 | 2007-06-28 | Cheng Siu L | Dual authentications utilizing secure token chains |
US20080307221A1 (en) * | 2004-08-19 | 2008-12-11 | Eiichi Horita | Event-Ordering Certification Method |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2002531013A (en) | 1998-11-25 | 2002-09-17 | ソニー エレクトロニクス インク | Method and apparatus for accessing recorded digital programs |
IL174494A0 (en) | 2006-03-22 | 2007-07-04 | Nds Ltd | Period keys |
-
2006
- 2006-10-05 IL IL178488A patent/IL178488A0/en unknown
-
2007
- 2007-06-04 US US11/810,023 patent/US7903820B2/en active Active
Patent Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6799270B1 (en) * | 1998-10-30 | 2004-09-28 | Citrix Systems, Inc. | System and method for secure distribution of digital information to a chain of computer system nodes in a network |
US20030044017A1 (en) * | 1999-07-23 | 2003-03-06 | Briscoe Robert John | Data distribution |
US20050114666A1 (en) * | 1999-08-06 | 2005-05-26 | Sudia Frank W. | Blocked tree authorization and status systems |
US20070127719A1 (en) * | 2003-10-14 | 2007-06-07 | Goran Selander | Efficient management of cryptographic key generations |
US20060036516A1 (en) * | 2004-07-22 | 2006-02-16 | Thorsten Glebe | Systems, methods, and articles of manufacture for performing product availability check |
US20080307221A1 (en) * | 2004-08-19 | 2008-12-11 | Eiichi Horita | Event-Ordering Certification Method |
US20060059333A1 (en) * | 2004-08-31 | 2006-03-16 | Gentry Craig B | Revocation of cryptographic digital certificates |
US20060248334A1 (en) * | 2004-12-17 | 2006-11-02 | Ramzan Zulfikar A | Use of modular roots to perform authentication including, but not limited to, authentication of validity of digital certificates |
US20070074036A1 (en) * | 2004-12-17 | 2007-03-29 | Ntt Docomo Inc. | Multi-certificate revocation using encrypted proof data for proving certificate's validity or invalidity |
US20060288224A1 (en) * | 2005-06-20 | 2006-12-21 | Sungkyunkwan University Foundation For Corporate Collaboration | System and method for detecting exposure of ocsp responder's session private key |
US20070150744A1 (en) * | 2005-12-22 | 2007-06-28 | Cheng Siu L | Dual authentications utilizing secure token chains |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090198619A1 (en) * | 2008-02-06 | 2009-08-06 | Motorola, Inc. | Aggregated hash-chain micropayment system |
CN107637010A (en) * | 2015-05-19 | 2018-01-26 | 三星Sds株式会社 | Data encryption device and method and data deciphering device and method |
Also Published As
Publication number | Publication date |
---|---|
US7903820B2 (en) | 2011-03-08 |
US20080085003A1 (en) | 2008-04-10 |
IL178488A0 (en) | 2008-01-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7903820B2 (en) | Key production system | |
US20200382274A1 (en) | Secure Analytics Using an Encrypted Analytics Matrix | |
US7260215B2 (en) | Method for encryption in an un-trusted environment | |
Kaaniche et al. | A secure client side deduplication scheme in cloud storage environments | |
EP2044568B1 (en) | Method and apparatus for securely moving and returning digital content | |
EP2835933B1 (en) | Method, device and system for implementing media data processing | |
US8260710B2 (en) | Method and system for securely distributing content | |
EP2327211B1 (en) | Simulcrypt key sharing with hashed keys | |
US7546327B2 (en) | Platform independent randomness accumulator for network applications | |
US20100150344A1 (en) | Methods and devices for a chained encryption mode | |
US10608815B2 (en) | Content encryption and decryption using a custom key | |
AU2010276315B2 (en) | Off-line content delivery system with layered encryption | |
US20060047976A1 (en) | Method and apparatus for generating a decrpytion content key | |
Tayde et al. | File encryption, decryption using AES algorithm in android phone | |
EP2119091A2 (en) | Content encryption schema for integrating digital rights management with encrypted multicast | |
US7936873B2 (en) | Secure distribution of content using decryption keys | |
US11128452B2 (en) | Encrypted data sharing with a hierarchical key structure | |
JP2004501529A (en) | Method and system for uniquely associating multicasted content with each of a plurality of recipients | |
US9641328B1 (en) | Generation of public-private key pairs | |
KR101812311B1 (en) | User terminal and data sharing method of user terminal based on attributed re-encryption | |
EP3138229B1 (en) | Using web entropy to scramble messages | |
US20020126840A1 (en) | Method and apparatus for adapting symetric key algorithm to semi symetric algorithm | |
CN109194676B (en) | Data stream encryption method and data stream decryption method | |
Kolapwar | An improved geo-encryption algorithm in location based services | |
Vignesh et al. | Secure data deduplication system with efficient and reliable multi-key management in cloud storage |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: NDS LIMITED, UNITED KINGDOM Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:WAISBARD, EREZ;REEL/FRAME:019630/0969 Effective date: 20070708 |
|
AS | Assignment |
Owner name: J.P. MORGAN EUROPE LIMITED, UNITED KINGDOM Free format text: SECURITY AGREEMENT;ASSIGNORS:NDS LIMITED;NEWS DATACOM LIMITED;REEL/FRAME:022678/0712 Effective date: 20090428 Owner name: J.P. MORGAN EUROPE LIMITED,UNITED KINGDOM Free format text: SECURITY AGREEMENT;ASSIGNORS:NDS LIMITED;NEWS DATACOM LIMITED;REEL/FRAME:022678/0712 Effective date: 20090428 |
|
AS | Assignment |
Owner name: NDS HOLDCO, INC., NEW YORK Free format text: SECURITY AGREEMENT;ASSIGNORS:NDS LIMITED;NEWS DATACOM LIMITED;REEL/FRAME:022703/0071 Effective date: 20090428 Owner name: NDS HOLDCO, INC.,NEW YORK Free format text: SECURITY AGREEMENT;ASSIGNORS:NDS LIMITED;NEWS DATACOM LIMITED;REEL/FRAME:022703/0071 Effective date: 20090428 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
AS | Assignment |
Owner name: NDS LIMITED, UNITED KINGDOM Free format text: RELEASE OF INTELLECTUAL PROPERTY SECURITY INTERESTS;ASSIGNOR:NDS HOLDCO, INC.;REEL/FRAME:025940/0710 Effective date: 20110310 Owner name: NEWS DATACOM LIMITED, UNITED KINGDOM Free format text: RELEASE OF INTELLECTUAL PROPERTY SECURITY INTERESTS;ASSIGNOR:NDS HOLDCO, INC.;REEL/FRAME:025940/0710 Effective date: 20110310 |
|
AS | Assignment |
Owner name: NEWS DATACOM LIMITED, CALIFORNIA Free format text: RELEASE OF PATENT SECURITY INTERESTS;ASSIGNOR:J.P.MORGAN EUROPE LIMITED;REEL/FRAME:026042/0124 Effective date: 20110310 Owner name: NDS LIMITED, CALIFORNIA Free format text: RELEASE OF PATENT SECURITY INTERESTS;ASSIGNOR:J.P.MORGAN EUROPE LIMITED;REEL/FRAME:026042/0124 Effective date: 20110310 |
|
CC | Certificate of correction | ||
AS | Assignment |
Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:NDS LIMITED;REEL/FRAME:030258/0465 Effective date: 20130314 |
|
FPAY | Fee payment |
Year of fee payment: 4 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 8 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 12 |