US20190020933A1 - Secure provisioning, by a client device, cryptographic keys for exploiting services provided by an operator - Google Patents
- Publication number: US20190020933A1
- Authority: US (United States)
- Prior art keywords: key, operator, gen, client device, unique
- Legal status: Abandoned (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
            - H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
              - H04L9/0822—Key transport or distribution using key encryption key
              - H04L9/0825—Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
              - H04L9/083—Key transport or distribution involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
          - H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
        - H04L9/14—Cryptographic mechanisms using a plurality of keys or algorithms
          - H04L9/16—Cryptographic mechanisms using a plurality of keys or algorithms, the keys or algorithms being changed during operation
    - H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
      - H04N7/00—Television systems
        - H04N7/16—Analogue secrecy systems; Analogue subscription systems
          - H04N7/167—Systems rendering the television signal unintelligible and subsequently intelligible
            - H04N7/1675—Providing digital key or authorisation information for generation or regeneration of the scrambling sequence
      - H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
        - H04N21/40—Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
          - H04N21/43—Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
            - H04N21/44—Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream or rendering scenes according to encoded video stream scene graphs
              - H04N21/4405—Processing of video elementary streams involving video stream decryption
        - H04N21/60—Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client
          - H04N21/63—Control signaling related to video distribution between client, server and network components; Network processes for video distribution between server and clients or between remote clients, e.g. transmitting basic layer and enhancement layers over different transmission paths, setting up a peer-to-peer communication via Internet between remote STB's; Communication protocols; Addressing
            - H04N21/633—Control signals issued by server directed to the network components or client
              - H04N21/6332—Control signals issued by server directed to client
                - H04N21/6334—Control signals issued by server directed to client for authorisation, e.g. by transmitting a key
                  - H04N21/63345—Control signals issued by server directed to client for authorisation by transmitting keys
        - H04N21/80—Generation or processing of content or additional data by content creator independently of the distribution process; Content per se
          - H04N21/83—Generation or processing of protective or descriptive data associated with content; Content structuring
            - H04N21/835—Generation of protective data, e.g. certificates
Definitions
- the present disclosure generally relates to a method for provisioning in a secure way unique operator specific cryptographic keys in client devices in order to use services provided by one or more operators.
- the services require a strong client authentication, a strong binding of sensitive data to a specific client device and a clean segmentation of the unique device keys between operators.
- the crypto materials required to authenticate the client device may be as simple as a certificate, which may be provided by a Certificate Authority authenticating a certificate related to the client device such as an End-Entity Certificate.
- the crypto materials for binding data to the client device may be the public key contained in the End-Entity Certificate itself.
- client devices rely on symmetric secrets, in particular when client devices implement some form of key ladder according, for example, to European Telecommunications Standards Institute ETSI TS 103 162, “ATTM (Access, Terminals, Transmission and Multiplexing) Integrated Broadband Cable and Television Networks; K-LAD Functional Specification” standard or operator proprietary key ladder standards.
- Document US2007/206799A1 discloses a digital rights management system, wherein a client device is first authenticated using a device public key that is sent to a trusted third party. After authentication, a first and second symmetric key are sent, encrypted with the device public key, that can only be decrypted with the corresponding device private key.
- Document EP2736190A1 discloses a method for securely transferring content between devices within a network managed by a management center.
- the method includes an activation of the network; a keys recovering phase; and a transfer of a content.
- a network key is transferred to two devices that wish to exchange content.
- a content key is encrypted using a device key and is sent to the devices with a device specific value.
- each device can decrypt the encrypted network key by deriving the device specific key using the received device value and a secret value stored in the respective devices.
- the sending device then generates a random value with which the actual content key can be derived.
- a client device may be a pay-TV set-top-box, a television set, a portable or desktop computer, a tablet, a smartphone or any other types of device able to manage and use symmetric secrets, for example, in form of key ladders.
- the client device can establish bidirectional connections with a communication network, such as the Internet, in order to transmit requests to remote servers and receive answers from them.
- the unique device cryptographic keys are specific to different operators on a same client device.
- a client device configured to exploit a scrambled service provided by an operator.
- the proposed solution relies on a dedicated provisioning server of a security provider managing symmetric secrets used by a client device.
- the method for securely receiving a multimedia content by a client device operated by one or more operator(s) involves a dedicated provisioning server of a security provider managing symmetric secrets used by the client devices and the operators' license servers.
- the provisioning server provides, to the client device, one or more generations of operator specific unique device secrets, which are then exploited by the various operators' license servers to deliver licenses such that authorized client devices can consume protected multimedia contents.
- the set of unique data and the global data may be renewed in case of security issues on the operator servers.
- a re-provisioning of the client device is not necessary thanks to pre-delivery of several sets, also called generations, of protected unique keys to the client device.
- the proposed solution guarantees a full segmentation of the keys among the operators using a same client device.
- a key ladder may be used so that any key is protected by a client device personal root key.
- the key ladder may, for example, be implemented in the client device in hardware form so that the keys of the ladder and the root key are not accessible by any software present in the client device.
- the proposed solution may further allow a control of client device activation by using authentication based on the key ladder and the unique operator specific device secret, for example by using a white list of client devices per operator and clean billing in the provisioning server.
- the present disclosure allows an easy operation and reduces the set of sensitive data to secure in the cloud.
- FIG. 1 shows a schematic diagram of an exemplary system comprising a provisioning server, an operator license server and a client device.
- the client device receives device unique operator specific key material from the provisioning server and submits said key material to the operator license server for receiving licenses containing uniquely encrypted content key for descrambling a service provided by the operator.
- FIG. 2 shows a key ladder example used in the client device for calculating a unique derived device key used for calculating a unique operator specific device key. Further derivations allow calculating a content key for descrambling a service provided by the operator.
- An asset K is a generic term designating a vault, seed or a key as used in the following examples by the servers and/or the client devices.
- a vault or container contains one of or a set of information data, cryptographic material, encrypting/decrypting keys, identifiers or parameters.
- U K: a unique asset K (e.g. a chipset secret stored in a One Time Programmable memory)
- UO K: a unique asset K, specific to an operator
- GO K: a global asset K assigned to a specific operator
- U DK: unique client device personal key, for example hard coded
- GO OpVault Gen: global operator vault (container) assigned to a specific operator
- GO OpSeed Gen: global operator seed (cryptographic material used for building one or more cryptographic keys) assigned to a specific operator
- GO K LS Gen: global key of an operator license server assigned to a specific operator.
- Square brackets [ ] at left and right side of an asset reference mean that the asset is encrypted with a key which reference follows the right bracket.
- [Kp]CK means that the asset Kp is encrypted with the key CK.
- the suffix “Gen” means that the concerned vault, seed, or key is generation controlled. In case a key is compromised on a server, a new provisioning to the next generation is performed.
- the servers may provide multiple sets or generations of vaults, seeds, or keys to be stored in a non-volatile memory of the client device.
- the client device may switch to a further generation of vault, seed, or key without re-provisioning or requesting them from the servers.
- a schematic diagram of an exemplary system includes a provisioning server PVS, an operator license server OpLS and a client device DEV.
- the client device DEV may connect firstly to a provisioning server PVS of a security provider and secondly to an operator license server OpLS managed by an operator or service provider.
- the provisioning server PVS may be coupled to a database DB containing identifiers, keys and parameters associated with client devices and the same associated with operators.
- the provisioning server PVS and operator license server OpLS may be grouped in one server providing to the client device DEV global keys specific to the operator, personalized licenses and keys for exploiting a particular service.
- resources of the servers may be distributed in a cloud.
- a cloud as used herein may refer to a network of remote servers hosted on the Internet and used to store, manage and process data and to provide access to software and other resources, in place of local servers or personal computers.
- the client device DEV may be provided with an application dedicated to the operator Op (not shown) by downloading the application from an application server APPS of the operator or from an applications store in the cloud.
- the application allows downloading and storing in a non-volatile memory of the client device DEV a global operator vault GO OpVault Gen .
- the global operator vault GO OpVault Gen may refer to a container containing at least a global operator seed GO OpSeed Gen comprising cryptographic parameters that are used during an exploitation phase of the client device DEV, described below, to calculate a unique device key specific to the operator Op to be used for decrypting keys related to a service.
- the client device DEV may exploit services provided by more than one operator.
- an application dedicated for each operator Op may be installed in order to download one global operator vault GO OpVault Gen for each operator.
- a common application for several operators may also be employed for downloading one global vault per operator.
- the global operator vault GO OpVault Gen may be provided either by the application server APPS, or a server of the operator (not shown), or the provisioning server PVS.
- an option of the application may allow downloading one or more global operator vaults GO OpVault Gen in advance when no particular service is requested.
- the client device DEV owns a unique secret device personal key U DK hard coded in a chip set. This unique secret device key U DK is independent of the operator.
- the client device DEV performs an initialization phase by requesting at the provisioning server PVS necessary cryptograms that are specific to the operator Op and usable by the concerned client device DEV only. This initialization phase may be carried out at first start of the client device DEV, after a software or firmware update, or periodically as for example every one or more months.
- the client device DEV transmits a request, in particular a pre-provisioning challenge REQp, to the provisioning server PVS.
- the pre-provisioning challenge REQp for an operator Op comprises at least unique identification data DEV-ID of the client device DEV and an identifier of the operator Op.
- the provisioning server PVS can optionally verify that the client device DEV is duly recorded in the database DB based on the received identification data DEV-ID. If the verification is successful, the provisioning server PVS retrieves from the database DB the unique device key U DK and cryptographic parameters specific to the operator Op, also called global operator seed GO OpSeed Gen . A cryptographic derivation function is then applied on the unique device key U DK by using the global operator seed GO OpSeed Gen for calculating at least one unique device derived key UO K DER Gen for the operator Op. The obtained unique device derived key UO K DER Gen is thus specific to the client device DEV and to the operator Op.
- the cryptographic derivation function may include a TDES (Triple Data Encryption Standard) symmetric-key block cipher algorithm or an algorithm based on AES (Advanced Encryption Standard).
- the provisioning server PVS further encrypts the obtained unique device derived key UO K DER Gen with a global operator license server key GO K LS Gen to form a unique cryptogram [ UO K DER Gen ] GO K LS Gen specific to the operator and to the client device DEV.
- the global operator license server key GO K LS Gen may be also retrieved from the database DB of the provisioning server PVS.
- the unique cryptogram [ UO K DER Gen ] GO K LS Gen is then incorporated in a device instance certificate UO DIC assigned to a particular operator Op.
- the device instance certificate UO DIC is then transmitted by the provisioning server PVS, in a secure way, to the client device DEV and stored in a non-volatile memory thereof.
- the provisioned data in the client device DEV may thus comprise at least the cryptogram [ UO K DER Gen ] GO K LS Gen .
- the device instance certificate UO DIC may include a header section in clear comprising for example the identifier of the operator Op, followed by an encrypted payload section comprising the necessary keys, cryptograms and parameters to be used by a license server OpLS of the operator Op.
- the client device DEV sends a license request, hereafter called a post-provisioning challenge REQI, to the operator license server OpLS.
- the post-provisioning challenge REQI comprises at least the device instance certificate UO DIC comprising the unique cryptogram [ UO K DER Gen ] GO K LS Gen .
- the operator license server OpLS owning the global license server key GO K LS Gen decrypts the cryptogram [ UO K DER Gen ] GO K LS Gen and obtains the unique device derived key UO K DER Gen .
- This unique device derived key UO K DER Gen is then used to encrypt a service key SK either produced by the license server OpLS itself or retrieved from an external service keys server.
- the operator license server OpLS returns, in response to the post-provisioning challenge REQI, a license L ([SK] UO K DER Gen ) comprising at least the encrypted service key [SK] UO K DER Gen .
- the received license L may be stored in a non-volatile memory of the client device DEV.
- the client device DEV owning the unique secret device key U DK may perform successive decryption operations by using a key ladder schema as illustrated by FIG. 2 .
- the key ladder allows carrying out successive derivations by applying, for example, a TDES (Triple Data Encryption Standard) symmetric-key block cipher algorithm, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block, or AES (Advanced Encryption Standard).
- the global operator vault GO OpVault Gen previously downloaded is processed by the client device DEV for extracting the global operator seed GO OpSeed Gen which is then input into the first stage of the key ladder together with the device unique key U DK.
- An algorithm (algo) applied to the global operator seed GO OpSeed Gen and the unique device key U DK allows calculating the unique device derived key UO K DER Gen .
- the client device DEV decrypts the service key SK with the obtained unique device derived key UO K DER Gen .
- the obtained service key SK allows descrambling a scrambled service [S Op ]SK as for example a broadcast audio/video content, a video on demand content, a game, stock exchange, or any other multimedia service to be exploited by the client device DEV.
- the service key SK encrypted with the unique device derived key UO K DER Gen may include a content package key Kp encrypted with the unique device derived key UO K DER Gen .
- the license L comprises in addition a content key CK encrypted with the content package key Kp.
- the client device DEV therefore decrypts the content package key Kp with the calculated unique device derived key UO K DER Gen , and the content key CK with the content package key Kp previously decrypted.
- the content package key Kp may be provided to the operator license server OpLS by an external source, as for example an operator content managing server or a head end.
- the content package key Kp may be produced by the license server OpLS independently of any external source.
- the content package key Kp may be a one time usage random value in case of a VOD content such as a movie for example.
- the value of Kp and also the content key CK bind uniquely a specific movie to one unique client device including a unique chipset key.
- When the content package key Kp authorizes access to live content such as television programs broadcast over a set of channels, Kp may be segmented across bouquets of channels grouping channels according to content type, as for example: sport channels, cartoon channels, music channels, film channels etc.
- one content package key Kp may be used for protecting several content keys CK, each content key CK being used to decrypt content provided by a predefined channel or one content package key Kp may be used for protecting one common content key CK used for decrypting content provided by several channels.
- the encrypted content [CONT]CK or service may be provided by any source such as a broadcast satellite, a terrestrial broadcast emitter, a cable, a wired or wireless Content Distribution Network (CDN) performing streaming by using for example IP (Internet Protocol) multicast or unicast, a VOD server of the operator, etc.
- the obtained content key CK corresponds, for example, to a control word CW used for decrypting the multimedia content or service or to data used to calculate the control word.
- the content key may usually correspond to a key associated to a live channel for a given duration (e.g. 1 day) or to a predefined VOD movie.
- the received service or multimedia content which is encrypted with the content key CK is descrambled by the client device DEV with the content key CK obtained by the successive decryption operations from the cryptograms [Kp] UO K DER Gen and [CK]Kp provided by the operator license server OpLS of the operator.
- the content key CK is obtained by decrypting the cryptogram ([CK]Kp) with the content package key Kp by applying the algorithm (algo).
- the client device DEV further comprises a descrambler DESC for descrambling the encrypted content [CONT]CK with the content key CK, which is specific to the client device DEV and to the operator Op.
- the content in clear CONT obtained at an output of the descrambler DESC may be rendered on a television set for example.
- the content package key Kp and the content key CK can be decrypted only if the unique device derived key UO K DER Gen produced by the key ladder of the client device DEV corresponds to the unique device derived key UO K DER Gen obtained by the license server OpLS by decrypting the cryptogram [ UO K DER Gen ] GO K LS Gen with the global operator license server key GO K LS Gen .
- the operator license server OpLS uses the obtained unique device derived key UO K DER Gen for encrypting the content package key Kp and the content key CK before transmitting to the client device DEV.
- the correspondence between the unique device derived key UO K DER Gen determined by the operator license server OpLS and the unique device derived key UO K DER Gen produced by the client device DEV forms a link between the device instance certificate UO DIC Gen provided by the provisioning server PVS and the keys generated by the client device DEV based on the global operator seed GO OpSeed Gen and the unique device key U DK.
- the method as disclosed allows managing multiple operators thanks to the possibility of provisioning operator specific device instance certificates UO DIC.
- the provisioning server PVS provides for a particular client device DEV a device instance certificate UO DIC to be submitted to an operator license server OpLS in order to obtain a license L ([Kp] UO K DER Gen , [CK]Kp) usable only for one given operator Op by a given client device DEV.
- the unique device derived key UO K DER Gen encrypted with the global operator license server key GO K LS Gen may be exposed to the license server of an operator Op, unlike the unique hard coded device secret key U DK which is never exposed.
- the secret unique client key U DK is not compromised.
- the global operator seed GO OpSeed Gen being specific to the operator is used to generate a unique device derived key UO K DER Gen specific to the operator.
- the client device DEV generates a unique device derived key UO K DER Gen for each operator from a global operator seed GO OpSeed Gen provided by each operator.
- the provisioning server PVS may produce several generations of device instance certificates UO DIC gen containing each one generation of cryptogram [ UO K DER Gen ] GO K LS Gen .
- the client device DEV will receive one device instance certificate of a given generation in response to the pre-provisioning challenge.
- the client device may request a new device instance certificate UO DIC gen of next generation at the provisioning server PVS.
- the client device DEV may receive one device instance certificate UO DIC containing several generations of cryptograms [ UO K DER Gen ] GO K LS Gen to be stored in a non-volatile memory.
- the next cryptogram generation can be retrieved from the memory for transmitting to the operator license server OpLS without a request to the provisioning server PVS.
- the applications server APPS may provide an update of the application dedicated to the operator, the update leading to a download of an updated version of the global operator vault GO OpVault Gen into the client device DEV.
- the applications server APPS may provide an update of the application dedicated to the operator, the update leading to a download of an updated version of the global operator vault GO OpVault Gen into the client device DEV.
- several generations of global operator vaults GO OpVault Gen may be provided or one GO OpVault containing several generation of seeds GO OpSeed Gen .
- the global operator vault GO OpVault Gen may contain an index indicating which generation is currently used.
- the global operator vault GO OpVault Gen may be encrypted by a global operator vault key GO K Opvault which may be provided to the client device DEV by the provisioning server PVS in addition to the device instance certificate UO DIC.
- the global operator vault GO OpVault Gen of a given generation may contain the seeds of the preceding generation (s) for generating a unique device derived key UO K DER Gen of a generation preceding a current generation.
- This case may arise when a content recorded on a storage medium such as a hard disc has to be decrypted by the client device DEV with a content key CK.
- the content key CK can be obtained by the same client device DEV from a preceding seed GO OpSeed Gen generation.
- the pre-provisioning challenge REQp and the post-provisioning challenge REQI transmitted by the client device DEV, the answer to the pre-provisioning challenge REQp transmitted by the provisioning server PVS, and the answer to the post-provisioning challenge REQI transmitted by the operator license server OpLS are cryptographically signed.
- the signatures may comprise a digest of the transmitted data encrypted with a key of the concerned server (e.g., the PVS, the OpLS) or the client device DEV.
- the transmitting and/or the receiving party may monitor communication and obtain verification of the identity of the other party, the integrity of the encrypted data, and the origin of the transmitted encrypted data.
- a transmitting entity may create a signature on a message before transmitting the message.
- a signature of a message may be computed, for example, by applying an algorithm or signing function to the message.
- the outgoing message may be hashed by applying a unidirectional, collision-free hash algorithm (e.g. of the MD5 or SHA type) to obtain a message digest.
- a signature algorithm may then be applied to the message digest by using, for example, a private key in order to generate the signature.
- the set formed by the message and the signature may be transmitted.
- the digital signature may then be transmitted together with the message digest.
- a receiving entity may then receive the signature and the message digest, and then apply the same hash algorithm used by the transmitting entity to the message to obtain a message digest.
- a verification algorithm may be applied to the message digest.
- a receiving entity may obtain the verification function of the transmitting entity. The receiving entity may compute a result from applying the verification function. If the result is true, the signature may be authenticated as created by the transmitting entity. If the result is false, the signature may be rejected as unauthorized.
- the verification algorithm may use a public key together with the message digest in order to authenticate the signature.
- the signature of the message is valid if and only if the verification function returns a true result.
- the signing algorithm and the verification algorithm are selected so that it is computationally infeasible for any entity, other than the transmitting and the receiving entities, to find, for any incoming message digest, a signature such that the verification algorithm returns a true result.
- a processing device of a client device may exploit a scrambled service provided by an operator, the client device having a unique device key for provisioning unique cryptographic key material specific to the operator and to the client device.
- the provisioned unique cryptographic key material can be configured to obtain a service key for descrambling the scrambled service.
- the processing device of the client device downloads a global operator vault, comprising at least an operator specific global seed and transmits a pre-provisioning challenge for the operator to a provisioning server.
- the provisioning challenge can include at least a unique identifier of the client device and an identifier of the operator.
- the processing device of the client device can receive from the provisioning server, at least one device instance certificate comprising a unique cryptogram associated with the operator and to the client device.
- the processing device of the client device transmits a post-provisioning challenge to an operator license server, the post-provisioning challenge comprising at least the device instance certificate; the operator license server decrypts the unique cryptogram of the device instance certificate with a global operator license server key to retrieve a unique device derived key associated with the operator and with the client device.
- the processing device of the client device receives from the operator license server, a license comprising at least a service key encrypted with the unique device derived key.
- the processing device extracts the operator specific global seed from the global operator vault previously downloaded, calculates the unique device derived key by applying a cryptographic algorithm on the extracted global operator seed and the unique device key, and decrypts the service key with the calculated unique device derived key.
- the processing device receives the scrambled service and descrambles it with the obtained service key.
- a processing device of a provisioning server checks the entitlement of the client device in a database coupled to the provisioning server. In response to the entitlement check being successful, the processing device of the provisioning server retrieves, from the database, a unique device key, an operator specific global seed, and a global operator license server key in view of a unique identifier of the client device and the identifier of the operator. The processing device of the provisioning server calculates the unique device derived key by applying a cryptographic algorithm to the unique device key and the global operator seed. The processing device of the provisioning server can then form the unique cryptogram by encrypting the unique device derived key with the global operator license server key.
- a processing device may be one or more general-purpose processors such as a microprocessor, central processing unit, or the like. More particularly, the processing device may be a complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. For example, a processing device is configured to execute the processing logic for performing the operations and steps discussed herein.
- claimed embodiments of the present application are intended to provide one or more technical solution(s) to a technical problem unique to modern cryptography keys in client devices in order to provide strong client authentication with a strong binding of sensitive data to a specific client device and a clean segmentation of the unique device keys between operators, for at least solving the technical problems relating to large ranges of symmetric secrets that are complex to secure when deployed in public clouds.
- the claimed embodiments are substantially different from current routine steps and results when using conventional networks or computing elements because the present disclosure describes, for example, a post-provisioning challenge to an operator license server, where in response to the post-provisioning challenge, the processing device of the client device receives from the operator license server, a license comprising at least a service key encrypted with the unique device derived key, and the processing device extracts the operator specific global seed from the global operator vault previously downloaded, calculates the unique device derived key by applying a cryptographic algorithm on the extracted global operator seed and the unique device key, and decrypts the service key with the calculated unique device derived key.
Description
- The present disclosure generally relates to a method for provisioning in a secure way unique operator specific cryptographic keys in client devices in order to use services provided by one or more operators. In particular, the services require a strong client authentication, a strong binding of sensitive data to a specific client device and a clean segmentation of the unique device keys between operators.
- Currently, when a client device needs to authenticate a request for a service to an operator and receives in response to the request a license including data bound to the client device, crypto materials are required.
- When using certificates and asymmetric secrets, such as an asymmetric key pair including a private key and a public key, in a client device, the crypto materials required to authenticate the client device may be as simple as a certificate, which may be provided by a Certificate Authority authenticating a certificate related to the client device such as an End-Entity Certificate. The crypto materials for binding data to the client device may be the public key contained in the End-Entity Certificate itself.
- However, some client devices rely on symmetric secrets, in particular when they implement some form of key ladder according, for example, to the European Telecommunications Standards Institute ETSI TS 103 162, “ATTM (Access, Terminals, Transmission and Multiplexing) Integrated Broadband Cable and Television Networks; K-LAD Functional Specification” standard, or to operator proprietary key ladder standards. In this case, the crypto materials to be deployed on servers to authenticate a client device and to return licenses bound to the client device are usually in the form of a large list of symmetric secrets. This list of secrets may be complex to secure when the server software is deployed in public clouds. The list is also difficult to maintain when updating it, uploading it into the servers, or deploying it in shared storage devices.
- Document US2007/206799A1 discloses a digital rights management system, wherein a client device is first authenticated using a device public key that is sent to a trusted third party. After authentication, a first and second symmetric key are sent, encrypted with the device public key, that can only be decrypted with the corresponding device private key.
- Document EP2736190A1 discloses a method for securely transferring content between devices within a network managed by a management center. The method includes an activation of the network; a keys recovering phase; and a transfer of a content. A network key is transferred to two devices that wish to exchange content. A content key is encrypted using a device key and is sent to the devices with a device specific value. By using the device value, each device can decrypt the encrypted network key by deriving the device specific key using the received device value and a secret value stored in the respective devices. The sending device then generates a random value with which the actual content key can be derived.
- A client device may be a pay-TV set-top-box, a television set, a portable or desktop computer, a tablet, a smartphone or any other types of device able to manage and use symmetric secrets, for example, in form of key ladders. The client device can establish bidirectional connections with a communication network, such as the Internet, in order to transmit requests to remote servers and receive answers from them.
- According to an embodiment as detailed by claim 1, there is disclosed a method for securely provisioning by a client device unique cryptographic keys and/or key material to be used for exploiting scrambled services provided by an operator.
- According to the embodiment, the unique device cryptographic keys are specific to different operators on a same client device.
- According to an embodiment as detailed by claim 9, there is disclosed a client device configured to exploit a scrambled service provided by an operator.
- The proposed solution relies on a dedicated provisioning server of a security provider managing the symmetric secrets used by a client device. The method for securely receiving multimedia content by a client device operated by one or more operator(s) involves a dedicated provisioning server of a security provider managing the symmetric secrets used by the client devices and the operators' license servers. The provisioning server provides, to the client device, one or more generations of operator specific unique device secrets, which are then exploited by the various operators' license servers to deliver licenses such that authorized client devices can consume protected multimedia content.
- In an example aspect of the present disclosure, the set of unique data and the global data may be renewed in case of security issues on the operator servers. When a key is compromised, re-provisioning of the client device is not necessary thanks to the pre-delivery of several sets, also called generations, of protected unique keys to the client device.
- The proposed solution guarantees a full segmentation of the keys among the operators using the same client device.
- In an example aspect of the present disclosure, a key ladder may be used so that any key is protected by a client device personal root key. The key ladder may, for example, be implemented in the client device in hardware form so that the keys of the ladder and the root key are not accessible by any software present in the client device.
- The proposed solution may further allow control of client device activation by using authentication based on the key ladder and the unique operator specific device secret, for example by using a white list of client devices per operator and clean billing in the provisioning server.
- By using a small set of global data in each operator server, the present disclosure allows an easy operation and reduces the set of sensitive data to secure in the cloud.
- FIG. 1 shows a schematic diagram of an exemplary system comprising a provisioning server, an operator license server and a client device. The client device receives device unique operator specific key material from the provisioning server and submits said key material to the operator license server for receiving licenses containing a uniquely encrypted content key for descrambling a service provided by the operator.
- FIG. 2 shows a key ladder example used in the client device for calculating a unique derived device key used for calculating a unique operator specific device key. Further derivations allow calculating a content key for descrambling a service provided by the operator.
- The following notation and abbreviations are used hereafter:
- An asset K is a generic term designating a vault, seed or a key as used in the following examples by the servers and/or the client devices. A vault or container contains one of or a set of information data, cryptographic material, encrypting/decrypting keys, identifiers or parameters.
- UK: A Unique asset K (e.g. a chipset secret stored in a One Time Programmed memory),
- GK: A completely global asset K,
- UOK: A unique asset K, specific to an operator,
- GOK: A global asset K assigned to a specific operator,
- UDK: unique client device personal key, for example, hard coded,
- GOOpVaultGen: global operator vault (container) assigned to a specific operator,
- GOOpSeedGen: global operator seed (cryptographic material used for building one or more cryptographic keys) assigned to a specific operator,
- UOKDER Gen: unique derived key specific to an operator,
- GOKLS Gen: global Key of an operator license server assigned to a specific operator.
- Square brackets [ ] at left and right side of an asset reference mean that the asset is encrypted with a key which reference follows the right bracket. For example [Kp]CK means that the asset Kp is encrypted with the key CK. An encrypted asset, as for example [Kp]CK, forms a cryptogram.
- The suffix “Gen” means that the concerned vault, seed, or key is generation controlled. In case of a key compromise on a server, a new provisioning to the next generation is performed.
- In order to prevent re-provisioning, the servers may provide multiple sets or generations of vaults, seeds, or keys to be stored in a non-volatile memory of the client device. In the event that a key is compromised the client device may switch to a further generation of vault, seed, or key without re-provisioning or requesting them from the servers.
- Referring to FIG. 1, a schematic diagram of an exemplary system includes a provisioning server PVS, an operator license server OpLS and a client device DEV. According to an exemplary configuration, the client device DEV may connect firstly to a provisioning server PVS of a security provider and secondly to an operator license server OpLS managed by an operator or service provider. The provisioning server PVS may be coupled to a database DB containing identifiers, keys and parameters associated with client devices and the same associated with operators.
- According to an embodiment, the provisioning server PVS and operator license server OpLS may be grouped in one server providing to the client device DEV global keys specific to the operator, personalized licenses and keys for exploiting a particular service.
- According to a further embodiment, resources of the servers (e.g., service provision, cryptographic material generation, data storage and management capabilities, etc.) may be distributed in a cloud. A cloud as used herein may refer to a network of remote servers hosted on the Internet and used to store, manage and access software and other resources, and to process data in place of local servers or personal computers.
- Initialization Phase Carried Out by the Client Device
- According to an embodiment, the client device DEV may be provided with an application dedicated to the operator Op (not shown) by downloading the application from an application server APPS of the operator or from an applications store in the cloud. Once the application is installed in the client device DEV, the application allows downloading and storing in a non-volatile memory of the client device DEV a global operator vault GOOpVaultGen. The global operator vault GOOpVaultGen may refer to a container containing at least a global operator seed GOOpSeedGen comprising cryptographic parameters that are used during an exploitation phase of the client device DEV, described below, to calculate a unique device key specific to the operator Op to be used for decrypting keys related to a service.
- The client device DEV may exploit services provided by more than one operator. In this case, an application dedicated for each operator Op may be installed in order to download one global operator vault GOOpVaultGen for each operator. A common application for several operators may also be employed for downloading one global vault per operator.
- The global operator vault GOOpVaultGen may be provided either by the application server APPS, or a server of the operator (not shown), or the provisioning server PVS.
- According to a further embodiment, an option of the application may allow downloading one or more global operator vaults GOOpVaultGen in advance when no particular service is requested.
- The client device DEV owns a unique secret device personal key UDK hard coded in a chip set. This unique secret device key UDK is independent of the operator. In order to be able to receive personalized services from an operator Op, the client device DEV performs an initialization phase by requesting at the provisioning server PVS necessary cryptograms that are specific to the operator Op and usable by the concerned client device DEV only. This initialization phase may be carried out at first start of the client device DEV, after a software or firmware update, or periodically as for example every one or more months.
- During the initialization phase, the client device DEV transmits a request, in particular a pre-provisioning challenge REQp, to the provisioning server PVS. The pre-provisioning challenge REQp for an operator Op comprises at least unique identification data DEV-ID of the client device DEV and an identifier of the operator Op.
- At reception of the pre-provisioning challenge REQp, the provisioning server PVS can optionally verify that the client device DEV is duly recorded in the database DB based on the received identification data DEV-ID. If the verification is successful, the provisioning server PVS retrieves from the database DB the unique device key UDK and cryptographic parameters specific to the operator Op, also called global operator seed GOOpSeedGen. A cryptographic derivation function is then applied on the unique device key UDK by using the global operator seed GOOpSeedGen for calculating at least one unique device derived key UOKDER Gen for the operator Op. The obtained unique device derived key UOKDER Gen is thus specific to the client device DEV and to the operator Op. The cryptographic derivation function may include a TDES (Triple Data Encryption) symmetric-key block cipher algorithm or an algorithm based on AES (Advanced Encryption Standard).
- The provisioning server PVS further encrypts the obtained unique device derived key UOKDER Gen with a global operator license server key GOKLS Gen to form a unique cryptogram [UOKDER Gen]GOKLS Gen specific to the operator and to the client device DEV. The global operator license server key GOKLS Gen may be also retrieved from the database DB of the provisioning server PVS. The unique cryptogram [UOKDER Gen]GOKLS Gen is then incorporated in a device instance certificate UODIC assigned to a particular operator Op.
- The device instance certificate UODIC is then transmitted by the provisioning server PVS, in a secure way, to the client device DEV and stored in a non-volatile memory thereof. The provisioned data in the client device DEV may thus comprise at least the cryptogram [UOKDER Gen]GOKLS Gen.
- The device instance certificate UODIC may include a header section in clear comprising for example the identifier of the operator Op followed by encrypted payload section comprising the necessary keys, cryptograms and parameters to be used by a license server OpLS of the operator Op.
- Exploitation Phase Carried Out by the Client Device
- During an exploitation phase in order to acquire a service managed by the operator Op, the client device DEV sends a license request, hereafter called a post-provisioning challenge REQI, to the operator license server OpLS.
- The post-provisioning challenge REQI comprises at least the device instance certificate UODIC comprising the unique cryptogram [UOKDER Gen]GOKLS Gen. The operator license server OpLS owning the global license server key GOKLS Gen decrypts the cryptogram [UOKDER Gen]GOKLS Gen and obtains the unique device derived key UOKDER Gen. This unique device derived key UOKDER Gen is then used to encrypt a service key SK either produced by the license server OpLS itself or retrieved from an external service keys server.
- The operator license server OpLS returns, in response to the post-provisioning challenge REQI, a license L ([SK]UOKDER Gen) comprising at least the encrypted service key [SK] UOKDER Gen. The received license L may be stored in a non-volatile memory of the client device DEV.
- The client device DEV owning the unique secret device key UDK may perform successive decryption operations by using a key ladder schema as illustrated by FIG. 2.
- The key ladder allows carrying out successive derivations by applying, for example, a TDES (Triple Data Encryption) symmetric-key block cipher algorithm, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block, or AES (Advanced Encryption Standard). The derivations may be carried out by a key ladder having three stages or more.
- The global operator vault GOOpVaultGen previously downloaded is processed by the client device DEV for extracting the global operator seed GOOpSeedGen, which is then input into the first stage of the key ladder together with the device unique key UDK. An algorithm (algo) applied to the global operator seed GOOpSeedGen and the unique device key UDK allows calculating the unique device derived key UOKDER Gen. The client device DEV decrypts the service key SK with the obtained unique device derived key UOKDER Gen. The obtained service key SK allows descrambling a scrambled service [SOp]SK such as a broadcast audio/video content, a video on demand content, a game, stock exchange data, or any other multimedia service to be exploited by the client device DEV.
- According to an embodiment, the service key SK encrypted with the unique device derived key UOKDER Gen may include a content package key Kp encrypted with the unique device derived key UOKDER Gen. In this case, the license L comprises in addition a content key CK encrypted with the content package key Kp. The client device DEV therefore decrypts the content package key Kp with the calculated unique device derived key UOKDER Gen, and the content key CK with the content package key Kp previously decrypted.
- The content package key Kp may be provided to the operator license server OpLS by an external source, as for example an operator content managing server or a head end. When the content package key Kp corresponds to a client device specific content key related to a particular multimedia content or service such as a VOD (Video On Demand) content, the content package key Kp may be produced by the license server OpLS independently of any external source. The content package key Kp may be a one time usage random value in case of a VOD content such as a movie for example. The value of Kp and also the content key CK binds uniquely a specific movie to one unique client device including a unique chipset key.
- When the content package key Kp authorizes access to live content such as television programs broadcast over a set of channels, Kp may be segmented across bouquets of channels grouping channels according to content type as for example: sport channels, cartoon channels, music channel, film channel etc. For example, one content package key Kp may be used for protecting several content keys CK, each content key CK being used to decrypt content provided by a predefined channel or one content package key Kp may be used for protecting one common content key CK used for decrypting content provided by several channels.
- The encrypted content [CONT]CK or service may be provided by any source such as a broadcast satellite, a terrestrial broadcast emitter, a cable, a wired or wireless Content Distribution Network (CDN) performing streaming by using for example IP (Internet Protocol) multicast or unicast, a VOD server of the operator, etc.
- The obtained content key CK corresponds, for example, to a control word CW used for decrypting the multimedia content or service or to data used to calculate the control word. Over the Internet, the content key may usually correspond to a key associated to a live channel for a given duration (e.g. 1 day) or to a predefined VOD movie.
- The received service or multimedia content which is encrypted with the content key CK is descrambled by the client device DEV with the content key CK obtained by the successive decryption operations from the cryptograms [Kp]UOKDER Gen and [CK]Kp provided by the operator license server OpLS of the operator.
- The content key CK is obtained by decrypting the cryptogram ([CK]Kp) with the content package key Kp by applying the algorithm (algo). The client device DEV further comprises a descrambler DESC for descrambling the encrypted content [CONT]CK with the content key CK, which is specific to the client device DEV and to the operator Op. The content in clear CONT obtained at an output of the descrambler DESC may be rendered on a television set for example.
- The content package key Kp and the content key CK can be decrypted only if the unique device derived key UOKDER Gen produced by the key ladder of the client device DEV corresponds to the unique device derived key UOKDER Gen obtained by the license server OpLS by decrypting the cryptogram [UOKDER Gen]GOKLS Gen with the global operator license server key GOKLS Gen. The operator license server OpLS uses the obtained unique device derived key UOKDER Gen for encrypting the content package key Kp and the content key CK before transmitting to the client device DEV. The correspondence between the unique device derived key UOKDER Gen determined by the operator license server OpLS and the unique device derived key UOKDER Gen produced by the client device DEV forms a link between the device instance certificate UODICGen provided by the provisioning server PVS and the keys generated by the client device DEV based on the global operator seed GOOpSeedGen and the unique device key UDK.
- The method as disclosed allows managing multiple operators thanks to possibility of provisioning operator specific device instance certificate UODIC. The provisioning server PVS provides for a particular client device DEV a device instance certificate UODIC to be submitted to an operator license server OpLS in order to obtain a license L ([Kp]UOKDER Gen, [CK]Kp) usable only for one given operator Op by a given client device DEV.
- It has to be noted that the unique device derived key UOKDER Gen encrypted with the global operator license server key GOKLS Gen may be exposed to the license server of an operator Op contrarily to the unique hard coded device secret key UDK which is never exposed.
- The global operator seed GOOpSeedGen combined with the unique client secret key UDK, which is not specific to the operator, gives a secret which is unique per client device DEV and specific to the operator Op. In case of exposure of the global operator seed GOOpSeedGen to other servers, the secret unique client key UDK is not compromised. The global operator seed GOOpSeedGen being specific to the operator is used to generate a unique device derived key UOKDER Gen specific to the operator. In order to exploit several services each provided by a particular operator, the client device DEV generates a unique device derived key UOKDER Gen for each operator from the global operator seed GOOpSeedGen provided by each operator.
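- The initialization and exploitation phases above, played out end to end as an added example in Go (not code from the patent): PVS, OpLS and DEV are three small types, the ladder "algo" and every key wrap are modelled as a single raw AES-128 block operation on 16-byte assets (an assumption; the text names TDES or AES without fixing a mode), and all keys are constructed sample values. It also checks the correspondence requirement directly: one flipped bit in the cryptogram [UOKDER Gen]GOKLS Gen makes OpLS wrap Kp under a wrong key, so DEV's ladder no longer yields CK.

```go
package main

import (
	"crypto/aes"
	"errors"
)

// Block is one 16-byte asset: every key, seed and cryptogram is a single
// AES-128 block, so each ladder stage is one raw block operation (assumption;
// the page names TDES or AES for "algo" without fixing a mode).
type Block [16]byte

// aesBlock runs one raw AES-128 block encryption (or decryption).
func aesBlock(key, in Block, decrypt bool) Block {
	c, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err) // a 16-byte key is always valid for AES-128
	}
	var out Block
	if decrypt {
		c.Decrypt(out[:], in[:])
	} else {
		c.Encrypt(out[:], in[:])
	}
	return out
}

// derive is the first ladder stage UOKDER Gen = algo(UDK, GOOpSeedGen); PVS
// runs it on the DB copy of UDK, DEV runs it inside its hardware ladder.
func derive(udk, seed Block) Block { return aesBlock(udk, seed, false) }

// DIC is a device instance certificate: the operator id in clear plus the
// cryptogram [UOKDER Gen]GOKLS Gen only that operator's license server can open.
type DIC struct{ OpID string; Cryptogram Block }

// PVS database: UDK per device and, per operator, GOOpSeedGen and GOKLS Gen.
type PVS struct{ udk, seed, lsKey map[string]Block }

// PreProvision answers the pre-provisioning challenge REQp (DEV-ID, operator id).
func (p *PVS) PreProvision(devID, opID string) (DIC, error) {
	udk, ok := p.udk[devID]
	if !ok {
		return DIC{}, errors.New("device not recorded in DB")
	}
	uokder := derive(udk, p.seed[opID])
	return DIC{OpID: opID, Cryptogram: aesBlock(p.lsKey[opID], uokder, false)}, nil
}

// License is L([Kp]UOKDER Gen, [CK]Kp); OpLS knows only its own GOKLS Gen and
// never sees any UDK.
type License struct{ KpEnc, CKEnc Block }
type OpLS struct{ lsKey Block }

// PostProvision answers REQl: open the cryptogram, wrap Kp under UOKDER, CK under Kp.
func (o *OpLS) PostProvision(dic DIC, kp, ck Block) License {
	uokder := aesBlock(o.lsKey, dic.Cryptogram, true)
	return License{KpEnc: aesBlock(uokder, kp, false), CKEnc: aesBlock(kp, ck, false)}
}

// Device holds the hard-coded UDK and, per operator, the seed extracted from
// the downloaded vault; ContentKey runs the ladder UDK -> UOKDER -> Kp -> CK.
type Device struct{ udk Block; vault map[string]Block }

func (d *Device) ContentKey(opID string, lic License) Block {
	uokder := derive(d.udk, d.vault[opID])
	kp := aesBlock(uokder, lic.KpEnc, true)
	return aesBlock(kp, lic.CKEnc, true)
}

// fill builds a constructed, clearly non-random sample asset for the demo.
func fill(b byte) (k Block) {
	for i := range k {
		k[i] = b ^ byte(i)
	}
	return
}

// Scenario wires the three parties with constructed keys and reports whether
// DEV recovers CK for operator A, whether operators A and B get different
// derived keys, and whether one flipped cryptogram bit breaks the Kp/CK chain.
func Scenario() (ckOK, segmented, tamperBreaks bool) {
	udk, seedA, seedB := fill(0x11), fill(0x22), fill(0x33)
	pvs := &PVS{
		udk:   map[string]Block{"DEV-42": udk},
		seed:  map[string]Block{"OpA": seedA, "OpB": seedB},
		lsKey: map[string]Block{"OpA": fill(0x44), "OpB": fill(0x55)},
	}
	dev := &Device{udk: udk, vault: map[string]Block{"OpA": seedA, "OpB": seedB}}
	opA := &OpLS{lsKey: fill(0x44)}
	kp, ck := fill(0x66), fill(0x77) // constructed Kp and CK chosen by operator A
	dicA, _ := pvs.PreProvision("DEV-42", "OpA")
	ckOK = dev.ContentKey("OpA", opA.PostProvision(dicA, kp, ck)) == ck
	segmented = derive(udk, seedA) != derive(udk, seedB)
	bad := dicA
	bad.Cryptogram[0] ^= 0x01 // OpLS now recovers a wrong UOKDER and wraps Kp under it
	tamperBreaks = dev.ContentKey("OpA", opA.PostProvision(bad, kp, ck)) != ck
	return
}
```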
- Furthermore, the secret is valid during a limited time period thanks to the generation (Gen) control. The provisioning server PVS may produce several generations of device instance certificates UODICgen, each containing one generation of cryptogram [UOKDER Gen]GOKLS Gen. The client device DEV will receive one device instance certificate of a given generation in response to the pre-provisioning challenge.
- In case a device instance certificate generation is compromised, for example by hacking of the operator license server OpLS, or has expired after a predefined time period, the client device may request a new device instance certificate UODICgen of the next generation from the provisioning server PVS.
- According to an option, the client device DEV may receive one device instance certificate UODIC containing several generations of cryptograms [UOKDER Gen]GOKLS Gen to be stored in a non-volatile memory. In case of generation change, the next cryptogram generation can be retrieved from the memory for transmitting to the operator license server OpLS without a request to the provisioning server PVS.
- In case of a generation change, the applications server APPS may provide an update of the application dedicated to the operator, the update leading to a download of an updated version of the global operator vault GOOpVaultGen into the client device DEV. Similarly to the device instance certificate generations, several generations of global operator vaults GOOpVaultGen may be provided, or one GOOpVault containing several generations of seeds GOOpSeedGen. The global operator vault GOOpVaultGen may contain an index indicating which generation is currently used.
- According to an embodiment, the global operator vault GOOpVaultGen may be encrypted by a global operator vault key GOKOpvault which may be provided to the client device DEV by the provisioning server PVS in addition to the device instance certificate UODIC.
- According to a further embodiment, the global operator vault GOOpVaultGen of a given generation may contain the seeds of the preceding generation(s) for generating a unique device derived key UOKDER Gen of a generation preceding the current generation. This case may arise when content recorded on a storage medium such as a hard disc has to be decrypted by the client device DEV with a content key CK. The content key CK can be obtained by the same client device DEV from a preceding seed GOOpSeedGen generation.
- In several embodiments, the pre-provisioning challenge REQp and the post-provisioning challenge REQI transmitted by the client device DEV, the answer to the pre-provisioning challenge REQp transmitted by the provisioning server PVS, and the answer to the post-provisioning challenge REQI transmitted by the operator license server OpLS are cryptographically signed. The signatures may comprise a digest of the transmitted data encrypted with a key of the concerned server (e.g., the PVS, the OpLS) or the client device DEV.
- In an implementation, when encrypted data is transmitted over an insecure channel (e.g. the link between the cloud and the client device DEV), the transmitting and/or the receiving party (e.g., server to client device and/or vice-versa) may monitor communication and obtain verification of the identity of the other party, the integrity of the encrypted data, and the origin of the transmitted encrypted data.
- A transmitting entity may create a signature on a message before transmitting the message. A signature of a message may be computed, for example, by applying an algorithm or signing function to the message. Before creating the signature, the outgoing message may be hashed by applying a unidirectional collision-free hash algorithm (e.g., MD5 or SHA) to obtain a message digest. A signature algorithm may then be applied to the message digest by using, for example, a private key in order to generate the signature. After generating the signature, the set formed by the message and the signature may be transmitted. The digital signature may then be transmitted together with the message digest. A receiving entity (e.g., server or client device) may then receive the signature and the message digest and apply the same hash algorithm used by the transmitting entity on the message to obtain a message digest. In order for the receiving entity to verify that the signature on the received message was created by the transmitting entity and not by a third outside party, a verification algorithm may be applied to the message digest. To verify that a signature on a message was created by a transmitting entity, a receiving entity (referred to as a verifier) may obtain the verification function of the transmitting entity. The receiving entity may compute a result from applying the verification function. If the result is true, the signature may be authenticated as created by the transmitting entity. If the result is false, the signature may be rejected as unauthorized. Similarly, the verification algorithm may use a public key together with the message digest in order to authenticate the signature. There are several properties that may be required of the signing and verification functions, respectively. The signature of the message is valid if and only if the verification function returns a true result. In addition, the signing algorithm and the verification algorithm are selected so that it is computationally infeasible for any entity, other than the transmitting and the receiving entities, to find, for any incoming message digest, a signature such that the verification algorithm returns a true result.
- As discussed above, a processing device of a client device may exploit a scrambled service provided by an operator, the client device having a unique device key for provisioning unique cryptographic key material specific to the operator and to the client device. The provisioned unique cryptographic key material can be configured to obtain a service key for descrambling the scrambled service. The processing device of the client device downloads a global operator vault comprising at least an operator-specific global seed, and transmits a pre-provisioning challenge for the operator to a provisioning server. The pre-provisioning challenge can include at least a unique identifier of the client device and an identifier of the operator. In response to the pre-provisioning challenge, the processing device of the client device can receive from the provisioning server at least one device instance certificate comprising a unique cryptogram associated with the operator and with the client device. The processing device of the client device transmits a post-provisioning challenge to an operator license server, the post-provisioning challenge comprising at least the device instance certificate; the operator license server decrypts the unique cryptogram of the device instance certificate with a global operator license server key to retrieve a unique device derived key associated with the operator and with the client device. In response to the post-provisioning challenge, the processing device of the client device receives from the operator license server a license comprising at least a service key encrypted with the unique device derived key. The processing device extracts the operator-specific global seed from the global operator vault previously downloaded, calculates the unique device derived key by applying a cryptographic algorithm on the extracted global operator seed and the unique device key, and decrypts the service key with the calculated unique device derived key.
- The processing device receives and descrambles the scrambled service with the obtained service key.
- In an implementation, a processing device of a provisioning server checks the entitlement of the client device in a database coupled to the provisioning server. In response to the entitlement check being successful, the processing device of the provisioning server retrieves from the database a unique device key, an operator-specific global seed, and a global operator license server key based on the unique identifier of the client device and the identifier of the operator. The processing device of the provisioning server calculates the unique device derived key by applying a cryptographic algorithm on the unique device key and the global operator seed. The processing device of the provisioning server can then form the unique cryptogram by encrypting the unique device derived key with the global operator license server key.
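The key ladder of the paragraphs above, including the signed challenge answers, as an added worked example in Python. This is not code from the patent or from any Nagravision product; it models the three parties (PVS, OpLS, DEV) with the standard library only. Because the description leaves the primitives open, HMAC-SHA256 stands in for the derivation algorithm, a key-derived XOR pad stands in for the block cipher that forms [X]K, and an HMAC over the SHA-256 digest stands in for the private-key signature (the patent describes an asymmetric signature; the stand-in just keeps the example dependency-free). All identifiers, key labels and values are constructed.

```python
import hashlib
import hmac
import json

def k(label):
    """Constructed, deterministic sample key material (not from the patent)."""
    return hashlib.sha256(label.encode()).digest()

def kdf(seed, udk):
    """UOKDER_Gen = f(GOOpSeed_Gen, UDK); HMAC-SHA256 stands in for the unspecified algorithm."""
    return hmac.new(udk, seed, hashlib.sha256).digest()

def wrap(key, payload):
    """[payload]key: XOR with a key-derived pad, a stand-in for the block cipher the text leaves
    open. Each key wraps exactly one 32-byte payload here, so no pad is reused; XOR again unwraps."""
    assert len(payload) == 32, "payload must be one key-sized block"
    pad = hmac.new(key, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(payload, pad))

def sign(key, msg):
    """Hash-then-sign over the canonical message; HMAC stands in for the private-key signature."""
    digest = hashlib.sha256(json.dumps(msg, sort_keys=True).encode()).digest()
    return hmac.new(key, digest, hashlib.sha256).hexdigest()

def verified(key, msg, sig):
    return hmac.compare_digest(sign(key, msg), sig)

class ProvisioningServer:
    """PVS: UDK per device plus (GOOpSeed_Gen, GOKLS_Gen) per operator and generation."""
    def __init__(self, devices, operators, sig_key):
        self.devices, self.operators, self.sig_key = devices, operators, sig_key

    def pre_provisioning(self, uid, op, gen):
        if uid not in self.devices or gen not in self.operators.get(op, {}):
            return None                                    # entitlement check failed
        seed, gokls = self.operators[op][gen]
        uokder = kdf(seed, self.devices[uid])              # same ladder the device will run
        uodic = {"uid": uid, "op": op, "gen": gen, "cryptogram": wrap(gokls, uokder).hex()}
        return uodic, sign(self.sig_key, uodic)            # UODIC_Gen carrying [UOKDER_Gen]GOKLS_Gen

class OperatorLicenseServer:
    """OpLS: GOKLS_Gen per generation, Kp and CK; never holds UDK. `revoked` marks compromised gens."""
    def __init__(self, op, gokls_by_gen, kp, ck, sig_key):
        self.op, self.gokls_by_gen, self.kp, self.ck = op, gokls_by_gen, kp, ck
        self.sig_key, self.revoked = sig_key, set()

    def post_provisioning(self, uodic):
        gen = uodic["gen"]
        if uodic["op"] != self.op or gen in self.revoked:
            return None
        uokder = wrap(self.gokls_by_gen[gen], bytes.fromhex(uodic["cryptogram"]))
        lic = {"gen": gen, "kp": wrap(uokder, self.kp).hex(), "ck": wrap(self.kp, self.ck).hex()}
        return lic, sign(self.sig_key, lic)                # L = ([Kp]UOKDER_Gen, [CK]Kp)

class ClientDevice:
    """DEV: hard-coded UDK, one vault of seeds per operator, one UODIC per operator."""
    def __init__(self, uid, udk, pvs_sig_key, opls_sig_keys):
        self.uid, self.udk, self.pvs_sig_key = uid, udk, pvs_sig_key
        self.opls_sig_keys, self.vaults, self.certs = opls_sig_keys, {}, {}

    def provision(self, pvs, op, gen):
        answer = pvs.pre_provisioning(self.uid, op, gen)
        if answer is None or not verified(self.pvs_sig_key, *answer):
            return False
        self.certs[op] = answer[0]
        return True

    def content_key(self, opls, op):
        answer = opls.post_provisioning(self.certs[op])
        if answer is None or not verified(self.opls_sig_keys[op], *answer):
            return None
        lic = answer[0]
        uokder = kdf(self.vaults[op][lic["gen"]], self.udk)   # device side of the ladder
        kp = wrap(uokder, bytes.fromhex(lic["kp"]))
        return wrap(kp, bytes.fromhex(lic["ck"]))

CK_A, CK_B = k("opA-CK"), k("opB-CK")

def run_scenario():
    """One device, two operators, then a generation change after a compromise."""
    udk, pvs_key, sig = k("dev-0001-UDK"), k("pvs-sig"), {"opA": k("opA-sig"), "opB": k("opB-sig")}
    ops = {"opA": {1: (k("seed-A1"), k("gokls-A1")), 2: (k("seed-A2"), k("gokls-A2"))},
           "opB": {1: (k("seed-B1"), k("gokls-B1"))}}
    pvs = ProvisioningServer({"dev-0001": udk}, ops, pvs_key)
    ls_a = OperatorLicenseServer("opA", {1: k("gokls-A1"), 2: k("gokls-A2")}, k("opA-Kp"), CK_A, sig["opA"])
    ls_b = OperatorLicenseServer("opB", {1: k("gokls-B1")}, k("opB-Kp"), CK_B, sig["opB"])
    dev = ClientDevice("dev-0001", udk, pvs_key, sig)
    dev.vaults = {op: {g: s for g, (s, _) in gens.items()} for op, gens in ops.items()}  # GOOpVaults
    r = {}
    r["ck_a"] = dev.content_key(ls_a, "opA") if dev.provision(pvs, "opA", 1) else None
    r["ck_b"] = dev.content_key(ls_b, "opB") if dev.provision(pvs, "opB", 1) else None
    r["segmented"] = kdf(k("seed-A1"), udk) != kdf(k("seed-B1"), udk)  # one UDK, distinct per-operator keys
    ls_a.revoked.add(1)                                    # generation 1 of opA compromised
    r["gen1_refused"] = dev.content_key(ls_a, "opA") is None
    r["ck_a_gen2"] = dev.content_key(ls_a, "opA") if dev.provision(pvs, "opA", 2) else None
    return r
```

Running `run_scenario()` shows the three properties the description relies on: the operator license server only ever handles [UOKDER Gen]GOKLS Gen and the wrapped Kp/CK, never UDK; the two operators obtain distinct derived keys from the same device key, so exposing one operator's seed does not yield the other's key; and once generation 1 is marked compromised the license server refuses the old certificate until the device fetches the generation 2 certificate, after which the same content key is recovered through the new seed.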
- A processing device may be one or more general-purpose processors such as a microprocessor, central processing unit, or the like. More particularly, the processing device may be a complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, processor implementing other instruction sets, or processors implementing a combination of instruction sets. The processing device may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. For example, a processing device is configured to execute the processing logic for performing the operations and steps discussed herein.
- The reader of skill in the art will, of course, appreciate that claimed embodiments of the present application are intended to provide one or more technical solution(s) to a technical problem unique to modern cryptographic keys in client devices, in order to provide strong client authentication with a strong binding of sensitive data to a specific client device and a clean segmentation of the unique device keys between operators, for at least solving the technical problems relating to large ranges of symmetric secrets that are complex to secure when deployed in public clouds. As discussed above, the claimed embodiments are substantially different from current routine steps and results when using conventional networks or computing elements because the present disclosure describes, for example, a post-provisioning challenge to an operator license server, where in response to the post-provisioning challenge, the processing device of the client device receives from the operator license server a license comprising at least a service key encrypted with the unique device derived key, and the processing device extracts the operator-specific global seed from the global operator vault previously downloaded, calculates the unique device derived key by applying a cryptographic algorithm on the extracted global operator seed and the unique device key, and decrypts the service key with the calculated unique device derived key. For example, using a small set of global cryptographic data in each operator server, as described, improves secure networked communications by reducing the set of sensitive data to secure in the cloud. Thus, as clearly technical solutions to patently technical problems, the claimed embodiments cannot be misunderstood as intended to foreclose un-claimed ways of solving these or other problems.
Claims (11)
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP15202609.2 | 2015-12-23 | ||
EP15202609 | 2015-12-23 | ||
PCT/EP2016/081822 WO2017108727A1 (en) | 2015-12-23 | 2016-12-20 | Secure provisioning, by a client device, cryptographic keys for exploiting services provided by an operator |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2016/081822 A-371-Of-International WO2017108727A1 (en) | 2015-12-23 | 2016-12-20 | Secure provisioning, by a client device, cryptographic keys for exploiting services provided by an operator |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/012,440 Continuation US11575977B2 (en) | 2015-12-23 | 2020-09-04 | Secure provisioning, by a client device, cryptographic keys for exploiting services provided by an operator |
Publications (1)
Publication Number | Publication Date |
---|---|
US20190020933A1 true US20190020933A1 (en) | 2019-01-17 |
Family
ID=55027495
Family Applications (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/073,752 Abandoned US20190020933A1 (en) | 2015-12-23 | 2016-12-20 | Secure provisioning, by a client device, cryptographic keys for exploiting services provided by an operator |
US17/012,440 Active 2037-04-05 US11575977B2 (en) | 2015-12-23 | 2020-09-04 | Secure provisioning, by a client device, cryptographic keys for exploiting services provided by an operator |
US17/958,970 Active US11785315B2 (en) | 2015-12-23 | 2022-10-03 | Secure provisioning, by a client device, cryptographic keys for exploiting services provided by an operator |
US18/463,191 Pending US20240073490A1 (en) | 2015-12-23 | 2023-09-07 | Secure provisioning, by a client device, cryptographic keys for exploiting services provided by an operator |
Family Applications After (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/012,440 Active 2037-04-05 US11575977B2 (en) | 2015-12-23 | 2020-09-04 | Secure provisioning, by a client device, cryptographic keys for exploiting services provided by an operator |
US17/958,970 Active US11785315B2 (en) | 2015-12-23 | 2022-10-03 | Secure provisioning, by a client device, cryptographic keys for exploiting services provided by an operator |
US18/463,191 Pending US20240073490A1 (en) | 2015-12-23 | 2023-09-07 | Secure provisioning, by a client device, cryptographic keys for exploiting services provided by an operator |
Country Status (6)
Country | Link |
---|---|
US (4) | US20190020933A1 (en) |
EP (1) | EP3369206A1 (en) |
CN (1) | CN108476134B (en) |
BR (1) | BR112018011779B1 (en) |
SG (1) | SG11201804616VA (en) |
WO (1) | WO2017108727A1 (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190362085A1 (en) * | 2017-06-23 | 2019-11-28 | Mitsubishi Electric Corporation | Ladder program unauthorized-use prevention system and ladder program unauthorized-use prevention method |
US11025413B2 (en) | 2018-09-04 | 2021-06-01 | International Business Machines Corporation | Securing a storage network using key server authentication |
US11038671B2 (en) | 2018-09-04 | 2021-06-15 | International Business Machines Corporation | Shared key processing by a storage device to secure links |
US11038698B2 (en) * | 2018-09-04 | 2021-06-15 | International Business Machines Corporation | Securing a path at a selected node |
US11088829B2 (en) | 2018-09-04 | 2021-08-10 | International Business Machines Corporation | Securing a path at a node |
US11496292B2 (en) | 2017-12-29 | 2022-11-08 | Nagravision S.A. | Secure installation of application keys |
CN116132163A (en) * | 2023-02-10 | 2023-05-16 | 南京百敖软件有限公司 | Method for realizing device limiting local area network fence by using DHCP protocol |
US11991273B2 (en) | 2018-09-04 | 2024-05-21 | International Business Machines Corporation | Storage device key management for encrypted host data |
Family Cites Families (31)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5557346A (en) * | 1994-08-11 | 1996-09-17 | Trusted Information Systems, Inc. | System and method for key escrow encryption |
US20020019814A1 (en) * | 2001-03-01 | 2002-02-14 | Krishnamurthy Ganesan | Specifying rights in a digital rights license according to events |
US7861312B2 (en) * | 2000-01-06 | 2010-12-28 | Super Talent Electronics, Inc. | MP3 player with digital rights management |
US7134144B2 (en) * | 2001-03-01 | 2006-11-07 | Microsoft Corporation | Detecting and responding to a clock rollback in a digital rights management system on a computing device |
FR2823928B1 (en) * | 2001-04-19 | 2003-08-22 | Canal Plus Technologies | METHOD FOR SECURE COMMUNICATION BETWEEN TWO DEVICES |
US7000115B2 (en) * | 2001-06-19 | 2006-02-14 | International Business Machines Corporation | Method and apparatus for uniquely and authoritatively identifying tangible objects |
US20030145203A1 (en) * | 2002-01-30 | 2003-07-31 | Yves Audebert | System and method for performing mutual authentications between security tokens |
US20040088176A1 (en) * | 2002-11-04 | 2004-05-06 | Balaji Rajamani | System and method of automated licensing of an appliance or an application |
TWI258658B (en) * | 2003-07-07 | 2006-07-21 | Sunplus Technology Co Ltd | Device in CPU using address line to proceed scrambling processing and method thereof |
US20050273629A1 (en) * | 2004-06-04 | 2005-12-08 | Vitalsource Technologies | System, method and computer program product for providing digital rights management of protected content |
JP4660123B2 (en) * | 2004-06-16 | 2011-03-30 | 株式会社東芝 | Storage medium processing method, data processing apparatus, and storage medium processing program |
US9178948B2 (en) * | 2004-07-30 | 2015-11-03 | Qualcomm Incorporated | Methods and apparatus for subscribing to multimedia delivery services in a data network |
JP4520840B2 (en) * | 2004-12-02 | 2010-08-11 | 株式会社日立製作所 | Encrypted communication relay method, gateway server device, encrypted communication program, and encrypted communication program storage medium |
US8194859B2 (en) * | 2005-09-01 | 2012-06-05 | Qualcomm Incorporated | Efficient key hierarchy for delivery of multimedia content |
CN100452075C (en) * | 2006-01-27 | 2009-01-14 | 北京飞天诚信科技有限公司 | Security control methods for date transmission process of software protection device and device thereof |
WO2008013562A1 (en) * | 2006-07-24 | 2008-01-31 | Thomson Licensing | Method, apparatus and system for secure distribution of content |
CN101132517B (en) * | 2006-08-25 | 2011-05-11 | 华为技术有限公司 | Method and system for implementing media data real-time scrambling |
US8520850B2 (en) * | 2006-10-20 | 2013-08-27 | Time Warner Cable Enterprises Llc | Downloadable security and protection methods and apparatus |
EP2122903A1 (en) * | 2006-12-21 | 2009-11-25 | International Business Machines Corporation | Key distribution for securing broadcast transmission to groups of users in wireless networks |
US8539543B2 (en) * | 2007-04-12 | 2013-09-17 | Microsoft Corporation | Managing digital rights for multiple assets in an envelope |
US9805374B2 (en) * | 2007-04-12 | 2017-10-31 | Microsoft Technology Licensing, Llc | Content preview |
KR101424972B1 (en) * | 2007-05-10 | 2014-07-31 | 삼성전자주식회사 | Method for using contents with a mobile card, host device, and mobile card |
CN101527818B (en) * | 2009-04-23 | 2011-04-20 | 天柏宽带网络科技(北京)有限公司 | Licence managing method of internet protocol television copyright management system |
US8789196B2 (en) * | 2010-05-28 | 2014-07-22 | Adobe Systems Incorporated | System and method for providing content protection of linearly consumed content with a bidirectional protocol for license acquisition |
EP2405650A1 (en) * | 2010-07-09 | 2012-01-11 | Nagravision S.A. | A method for secure transfer of messages |
US8726403B2 (en) * | 2010-09-02 | 2014-05-13 | Verizon Patent And Licensing Inc. | Secure video content provisioning using digital rights management |
EP2736190A1 (en) | 2012-11-26 | 2014-05-28 | Nagravision S.A. | Method, system and device for securely transferring content between devices within a network |
US9219607B2 (en) * | 2013-03-14 | 2015-12-22 | Arris Technology, Inc. | Provisioning sensitive data into third party |
KR101468977B1 (en) * | 2014-03-18 | 2014-12-04 | 성 탁 문 라파엘 | Method and system for authentication using a mobile device |
US9129095B1 (en) * | 2014-12-19 | 2015-09-08 | Tresorit, Kft | Client-side encryption with DRM |
CA3119735A1 (en) * | 2018-11-15 | 2020-05-22 | Airside Mobile, Inc. | Methods and apparatus for encrypting, storing, and/or sharing sensitive data |
- 2016
  - 2016-12-20 WO PCT/EP2016/081822 patent/WO2017108727A1/en active Application Filing
  - 2016-12-20 CN CN201680076260.4A patent/CN108476134B/en active Active
  - 2016-12-20 BR BR112018011779-0A patent/BR112018011779B1/en active IP Right Grant
  - 2016-12-20 EP EP16815850.9A patent/EP3369206A1/en not_active Withdrawn
  - 2016-12-20 US US16/073,752 patent/US20190020933A1/en not_active Abandoned
  - 2016-12-20 SG SG11201804616VA patent/SG11201804616VA/en unknown
- 2020
  - 2020-09-04 US US17/012,440 patent/US11575977B2/en active Active
- 2022
  - 2022-10-03 US US17/958,970 patent/US11785315B2/en active Active
- 2023
  - 2023-09-07 US US18/463,191 patent/US20240073490A1/en active Pending
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190362085A1 (en) * | 2017-06-23 | 2019-11-28 | Mitsubishi Electric Corporation | Ladder program unauthorized-use prevention system and ladder program unauthorized-use prevention method |
US11496292B2 (en) | 2017-12-29 | 2022-11-08 | Nagravision S.A. | Secure installation of application keys |
US11876895B2 (en) | 2017-12-29 | 2024-01-16 | Nagravision Sarl | Secure installation of application keys |
US11025413B2 (en) | 2018-09-04 | 2021-06-01 | International Business Machines Corporation | Securing a storage network using key server authentication |
US11038671B2 (en) | 2018-09-04 | 2021-06-15 | International Business Machines Corporation | Shared key processing by a storage device to secure links |
US11038698B2 (en) * | 2018-09-04 | 2021-06-15 | International Business Machines Corporation | Securing a path at a selected node |
US11088829B2 (en) | 2018-09-04 | 2021-08-10 | International Business Machines Corporation | Securing a path at a node |
US11522681B2 (en) | 2018-09-04 | 2022-12-06 | International Business Machines Corporation | Securing a path at a node |
US11563588B2 (en) | 2018-09-04 | 2023-01-24 | International Business Machines Corporation | Securing a path at a selected node |
US11991273B2 (en) | 2018-09-04 | 2024-05-21 | International Business Machines Corporation | Storage device key management for encrypted host data |
CN116132163A (en) * | 2023-02-10 | 2023-05-16 | 南京百敖软件有限公司 | Method for realizing device limiting local area network fence by using DHCP protocol |
Also Published As
Publication number | Publication date |
---|---|
US20240073490A1 (en) | 2024-02-29 |
BR112018011779A2 (en) | 2018-12-04 |
US11575977B2 (en) | 2023-02-07 |
WO2017108727A1 (en) | 2017-06-29 |
BR112018011779B1 (en) | 2024-01-23 |
SG11201804616VA (en) | 2018-07-30 |
US20200404392A1 (en) | 2020-12-24 |
US11785315B2 (en) | 2023-10-10 |
EP3369206A1 (en) | 2018-09-05 |
US20230033476A1 (en) | 2023-02-02 |
CN108476134B (en) | 2021-03-12 |
CN108476134A (en) | 2018-08-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11785315B2 (en) | Secure provisioning, by a client device, cryptographic keys for exploiting services provided by an operator | |
JP7119040B2 (en) | Data transmission method, device and system | |
CN106464485B (en) | System and method for protecting content keys delivered in manifest files | |
US8949595B2 (en) | Mutual authentication apparatus and method in downloadable conditional access system | |
US8364964B2 (en) | Registering client devices with a registration server | |
US20200320178A1 (en) | Digital rights management authorization token pairing | |
US8694783B2 (en) | Lightweight secure authentication channel | |
US8218772B2 (en) | Secure multicast content delivery | |
US10181949B2 (en) | Data distributing over network to user devices | |
GB2489672A (en) | Authentication certificate distribution to set top boxes | |
MX2008002829A (en) | Method and apparatus for distribution and synchronization of cryptographic context information. | |
US9722992B2 (en) | Secure installation of software in a device for accessing protected content | |
GB2417652A (en) | Generating a content decryption key using a nonce and channel key data in an endpoint device | |
US20120155647A1 (en) | Cryptographic devices & methods | |
US20220171832A1 (en) | Scalable key management for encrypting digital rights management authorization tokens | |
US20120257751A1 (en) | Controlled security domains | |
KR101282416B1 (en) | DCAS, SM, TP and method for certificating security | |
Koo et al. | Key establishment and pairing management protocol for downloadable conditional access system host devices | |
US20100235626A1 (en) | Apparatus and method for mutual authentication in downloadable conditional access system | |
KR20110101784A (en) | An apparatus and method for content security in iptv service environment | |
KR101281928B1 (en) | Apparatus and method for mutual authentication in downloadable conditional access system | |
KR20110028784A (en) | A method for processing digital contents and system thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: NAGRAVISION S.A., SWITZERLAND. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BIEBER, YANN;NICOULIN, ANDRE;SIGNING DATES FROM 20180803 TO 20180813;REEL/FRAME:046645/0128 |
| STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE |
| AS | Assignment | Owner name: NAGRAVISION SARL, SWITZERLAND. Free format text: CHANGE OF NAME;ASSIGNOR:NAGRAVISION SA;REEL/FRAME:063566/0842. Effective date: 20211220 |