WO2001019074A1 - Entitlements of objects and resources - Google Patents
Entitlements of objects and resources Download PDFInfo
- Publication number
- WO2001019074A1 WO2001019074A1 PCT/US2000/024097 US0024097W WO0119074A1 WO 2001019074 A1 WO2001019074 A1 WO 2001019074A1 US 0024097 W US0024097 W US 0024097W WO 0119074 A1 WO0119074 A1 WO 0119074A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- functional unit
- rights
- access system
- conditional access
- requirements
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/40—Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
- H04N21/43—Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
- H04N21/436—Interfacing a local distribution network, e.g. communicating with another STB or one or more peripheral devices inside the home
- H04N21/4367—Establishing a secure communication between the client and a peripheral device or smart card
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/40—Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
- H04N21/43—Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
- H04N21/443—OS processes, e.g. booting an STB, implementing a Java virtual machine in an STB or power management in an STB
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/80—Generation or processing of content or additional data by content creator independently of the distribution process; Content per se
- H04N21/81—Monomedia components thereof
- H04N21/8166—Monomedia components thereof involving executable data, e.g. software
Definitions
- This invention relates in general to secure access systems and, more specifically, to securing information within the secure access systems.
- CA systems distribute video streams from a headend of the cable TV provider to a set top box associated with a subscriber.
- the headend includes hardware that receives the video streams and distributes them to the set top boxes within the CA system. Select set top boxes are allowed to decode certain video streams according to entitlement information sent by the cable TV provider to the set top box.
- Video programs are distributed in either digital form or analog form to the set top boxes.
- the carrier channels either carry an analog video stream or carry multiple digital video streams.
- the analog video feed is modulated on a carrier and occupies the whole carrier channel for the one analog video feed.
- about eight to fourteen digital video streams may be statistically multiplexed on the same carrier channel.
- the separate digital video streams are separated by packet identification (PID) information such that the individual content streams can be removed according to their unique PID information.
- PID packet identification
- Some systems that do not provide conditional access, integrate personal computing with a TV for displaying programs.
- products such as WebTVTM integrate web browsing and e-mail programs with a TV.
- a personal computer PC is housed near the TV.
- the PC is connected to an Internet service provider (ISP) that provides the content for the web browsing and e-mail programs.
- ISP Internet service provider
- the invention relates to securing information in a secure access system.
- a method secures information in a conditional access system to authorize a functional unit.
- the functional unit has requirements related to the functional unit.
- a transmission conduit is entitled to a content receiver.
- Rights related to the functional unit are received.
- the rights are correlated with the requirements.
- the rights are checked against the requirements to provide authorization of the functional unit.
- FIG. 1 is a block diagram showing one embodiment of a content delivery system
- Fig. 2 is a block diagram illustrating an embodiment of a set top box interfaced to its environment
- Fig. 3 is a block diagram depicting an embodiment of an object message
- Fig. 4 is a block diagram showing an embodiment of a "rights" message
- Fig. 5 is a block diagram showing an embodiment of a "requirements" message
- Fig. 6 is a block diagram showing the relationship between different objects in a set top box
- Fig. 7 is a block diagram illustrating an embodiment of interaction between functional units
- Fig. 8 is a flow diagram showing an embodiment of a process for distributing functional units
- Fig. 9 is a flow diagram depicting an embodiment of a process for receiving functional units and authorizing them.
- Fig. 10 is a flow diagram illustrating an embodiment of a process for authenticating and authorizing a software object
- Fig. 11 is a flow diagram illustrating an embodiment of a process for authenticating and authorizing a running software object.
- Fig. 12 is a flow diagram illustrating another embodiment of a process for authenticating and authorizing a running software object.
- the present invention validates that functional units, such as software, are authorized for use within a television' (TV) set top box.
- Objects and resources are two examples of functional units.
- authorization and/or authentication checks are performed when checkpoints are encountered. Checkpoints are triggered, for example, when the functional units in the set top box interact with each other.
- a block diagram of one embodiment of a content delivery system 100 is shown.
- the delivery system 100 selectively provides content to a number of users based upon certain conditions being satisfied.
- Included in the system 100 are a headend 104, number of set top boxes 108, local programming receiver 112, satellite dish 116, and the Internet 120.
- the headend 104 receives content and distributes that content to users.
- Content can include video, audio, interactive video, software, firmware, and/or data. This content is received from a variety of sources that could include the satellite dish 116, the local programming receiver 112, a microwave receiver, a packet switched network, the Internet 120, etc.
- Each set top box 108 has a unique address that allows sending entitlement information to an individual set top box 108.
- one set top box 108-1 might be entitled to some particular content while another 108-2 might not.
- Equipment within the headend 104 regulates the subset of set top boxes 108 are entitled to some particular content.
- the content is generally distributed in digital form through an analog carrier channel that contains multiple content streams. All the content streams are multiplexed together into a digital stream that is modulated upon the analog carrier channel.
- the separate content streams are tracked by packet identification (PID) information such that the individual content streams can be removed according to their unique PID information.
- PID packet identification
- Other embodiments could distribute the content with transport mechanisms that include satellite dishes, microwave antennas, RF transmitters, packet switched networks, cellular data modems, carrier current, phone lines, and/or the Internet.
- FIG. 2 a block diagram of an embodiment of a display system 200 is shown.
- This embodiment provides multiple levels of object and resource security through a variety of security mechanisms.
- Included in the display system 200 are a set top box 108, network 208, printer 212, TV display 216, and wireless input device 218. These items cooperate in such a way that the user can enjoy content conditionally distributed by a content provider.
- the content can include video, audio, software, firmware, interactive TV, data, text, and/or other information.
- the content provider is a cable TV provider or multiple system operator (MSO).
- the network 208 serves as the conduit for information traveling between the set top box 108 and the headend 104 of the cable TV provider.
- the network has one hundred and twenty analog channels and a bi-directional control data channel.
- the analog channels carry content and the control data channel carries control and entitlement information.
- Each analog carrier channel has a number of digital channels multiplexed into one data stream where the digital channels are distinguished by packet identifiers (PIDs).
- PIDs packet identifiers
- the bi-directional control channel is an out- of-band channel that broadcasts data to the set top boxes 108 at one frequency and receives data from the boxes 108 at another frequency. Return data may be queued to decrease overloading during peak use periods using a store and forward methodology well known in the art.
- Other embodiments could use a cable modem, digital subscriber line (DSL), cellular data, satellite links, microwave links, or carrier current techniques for both control information and content where the content is formatted as packet switched data.
- the printer 212 is an optional accessory some users may purchase and add to their display system 200.
- the printer 212 allows printing data such as email, web pages, billing information, etc.
- the ability to use a peripheral such as a printer is regulated by an authorization check. Using this regulation feature, printers 212 compatible with the set top box 108 do not work unless proper authorization is obtained to enable that printer 212 for that set top box 108.
- the TV display 216 presents the user with audio, text and/or video corresponding to the content.
- the display 216 typically receives an analog video signal that is modulated on a carrier corresponding to channel three, channel four or a composite channel.
- the set top box 108 produces a NTSC signal, for example, modulated to the appropriate channel.
- Other embodiments could use a video monitor or digital display instead of a television display 216.
- Use of a digital display would alleviate the need for an analog conversion by the set top box 108 because digital displays, such as liquid crystal displays, use digital information to formulate the displayed picture.
- the wireless input device 218 allows interaction between the user and the set top box 108.
- This device 218 could be a remote control, mouse, keyboard, game controller, pen tablet or other input mechanism.
- An infrared transceiver on the input device 218 communicates with a similar transceiver on the set top box 108 to allow wireless communication.
- RF link or wired link could be used instead of the infrared transceiver.
- the set top box 108 has component parts that perform authentication and authorization of objects and resources.
- Objects are any collection of digital information such as software, drivers, firmware, data, video, or audio.
- Resources are anything needed by an object to operate as intended such as another object or a physical device.
- Included in the set top box 108 are a controller 220, memory 228, a printer port 232, a network port 236, an access control processor 240, a display interface 244, and an infrared (IR) port 248. These blocks communicate with each other over a bus 230 where each block has a different address to uniquely identify it on the bus 230.
- the set top box 108 is a separate device, but could be integrated with the TV display 216, a computer, an information appliance, or personal video recorder (PVR).
- the controller 220 manages operation of the set top box 108 using a trusted or secure operating system. Such functions as digital object decryption and decompression are performed in the controller 220 as well as functions such as switching TV channels for the user and presenting menus to the user. Included in the controller are a processor, an encryption engine, local memory, and other items common in computing systems.
- controller 220 could also contain an adjunct secure microprocessor for purposes of key protection or cryptographic processing. This may be appropriate in some systems where a high level of security is desired.
- the set top box 108 includes a block of memory 228.
- This memory 228 is solid state memory that could include RAM, ROM, flash, and other types of volatile and non-volatile memory. Objects and resources are stored in memory for running at a later time. During execution, programs are loaded into and executed within the memory 228, and also use the memory 228 for scratchpad space. Keys, serial numbers and authorizations can be stored in non-volatile flash memory.
- This embodiment includes a printer port 232 for interfacing to an optional printer 212. The printer port 232 resource is not available to programs unless authorized. As explained further below, each object must have authorization to use a resource such as the printer port 232.
- a checkpoint is a point in time or a step of processing where the authentication and/or authorization status of a functional unit is confirmed.
- a checkpoint is encountered when printing is requested.
- the checkpoint authorizes and authenticates the object requesting the printing.
- Checkpoints are places in one object where authentication and/or authorization are run on another object (e.g., an operating system checks authentication and authorization of an application that is running).
- checkpoints are performed when the purpose of the object becomes manifest. In the case of a printer port 232, its purpose becomes manifest when it is used to print something. Accordingly, a checkpoint is triggered to check the object using the printer port 232 resource when anything is printed. Typically, the checkpoint for printing would be in the operating system.
- the network port 236 allows bi-directional communication between the set top box 108 and the headend 104. Included in the network port 236 are a tuner and a demodulator that tune to analog carrier channels and demodulate an MPEG data stream to allow one-way delivery of content. Also included in the network port 236 is a control data transceiver or cable modem that allows for bi-directional communication of control data information and/or content. To distribute loading of the control data path to the headend 104 more evenly, a store and forward methodology may be used. Modulation of the digital video signal onto an analog signal compatible with the TV display 216 is performed by the display interface 244. As discussed above, the TV display 216 generally accepts signals modulated on channel three, channel four or a composite channel.
- the display interface 244 performs any formatting required by the digital input.
- the IR port 248 communicates bi-directionally with a wireless input device 218. Included in the IR port 248 is an IR transceiver that provides the wireless communication path with the input device 218. Other electronics in the IR port 248 convert analog signals received by the transceiver to a corresponding digital signal and convert analog signals sent to the transceiver from a corresponding digital signal.
- the controller 220 processed the digital signals so that the user can control some of the functions within the set top box 108.
- the access control processor (ACP) 240 regulates security functions within the set top box 108.
- the ACP 240 performs authentication and authorization either under the direction of the controller 220 or independent of the controller 220 as will become clear in the discussion below.
- the ACP 240 includes a processor, RAM and ROM that cooperate to execute software independent of the controller 220.
- the ACP 240 also includes a decryption engine and a hash function for deciphering content and calculating signatures. Checkpoints are embedded into the software run that trigger the ACP 240 to perform security checks.
- the ACP 240 is implemented in hardware, but other embodiments could perform the functions of the ACP 240 in software.
- the ACP 240 can also shadow the operating system (OS) to assure proper functioning of the OS. By watching the launch of objects, the ACP 240 can monitor which application objects are running. If necessary, the ACP 240 can kill running applications if a checkpoint detects an error or if authorization expires. Further, the ACP 240 could monitor memory 228 to detect any application not authorized to be in memory 228. Scratchpad memory size could also be monitored to detect applications hiding in scratchpad memory. Additionally, the ACP 240 could randomly execute checkpoints on the objects in memory to confirm their authorization and/or authenticity. Problems encountered by the ACP 240 are reported to either the OS or the headend 104. In these ways, the ACP 240 acts as a software security guard bot within the set top box 108 such that aberrant behavior is detected and reported.
- OS operating system
- the object header 304 includes attributes for the object message 300. Included in the object header 304 are a header length, an object length, a functional unit identifier, a software version, and a domain identifier. The header and object lengths respectively indicate the lengths of the object header 304 and the object 308. For authentication purposes, among other reasons, the functional unit identifier provides a unique code that allows attributing a "rights" message to the object message 300. The software version indicates the revision number of the object. Different cable TV providers are assigned domain identifiers such that all of the set top boxes 108, which might receive an object 308, can screen for objects 308 associated with their domain.
- the object 308 includes content the system 100 is designed to deliver to set top boxes 108. Upon download of the object 308, it is authenticated and authorized to verify the source of the object message 300 and availability of the object 308 to the receiving set top box 108.
- Several types of content or information can be embedded in an object, such as executable programs, firmware upgrades, run-time programs (e.g., Java® or ActiveX®), programming schedules, billing information, video, audio, and/or data.
- the object 308 can be used immediately after authentication and authorization or at a later time. Additionally, authorization can be programmed to expire after a certain amount of time or can be rechecked periodically as the object 308 is used.
- the requirements data structure 312 allows the content provider to limit access of the object 308 to predetermined subset of all the set top boxes 108.
- Each functional unit identifier is mapped to one or more rights. Rights are transported in
- the rights message 400 conveys rights to use a functional unit.
- the functional unit could be an object or a resource.
- the rights message 400 allows remotely adding new rights to a functional unit associated with the set top box 108.
- the rights message 400 typically includes a digital signature to verify the integrity of the message 400 during transport. In some embodiments, a checksum could be used instead of a digital signature.
- the rights header 404 includes attributes for the rights message 400. Included in the rights header 404 are a header length, a rights data structure length, a functional unit identifier, and a domain identifier. The header length and the rights data structure length respectively indicate the lengths of the rights header 404 and the rights data structure 408.
- the functional unit identifier provides a unique code that allows attributing the rights message 400 to a particular functional unit. Rights are conveyed to the functional units using the information in the rights data structure 408. A given functional unit may have rights to use several other functional units. These rights are contained in the rights data structure 408.
- the functional unit identifier in the rights header 404 is used to attribute the rights to a particular functional unit.
- the requirements header 504 includes attributes for the requirements message 500. Included in the requirements header 304 are a header length, a requirements data structure length, and a domain identifier.
- the header and requirements data structure lengths respectively indicate the lengths of the requirements header 504 and the requirements data structure 308. Different cable TV providers are assigned domain identifiers such that all of the set top boxes 108, which might receive an object 308, can screen for objects 308 associated with their domain.
- the requirements data structure 508 allows the content provider to limit access of a resource to predetermined subset of all set top boxes 108.
- Each functional unit identifier is mapped to one or more requirements by the requirements data structure 508.
- Rights are transported in the rights message 400 to enable operation of a functional unit so long as the rights in the rights message 400 satisfy the requirements in the requirements data structure 508 for that functional unit.
- the object message 300 is uniquely coupled with the associated requirements message 500 by a signature over both messages 300, 500. Even though transported separately, the common signature assures the pair of messages 300, 500 are not modified during transport.
- Fig. 6 some of the functional units of a set top box 108 are shown.
- Functional units toward the bottom of Fig. 6 are superordinate to the functional units near the top of Fig. 6. That is to say, functional units toward the top of Fig. 6 are subordinate to those lower in the figure.
- Superordinate functional units are responsible for imposing checkpoints on subordinate functional units.
- the hardware 604 imposes checkpoints upon the BIOS 608, OS 612 and so on up the subordination hierarchy.
- the BIOS 608 imposes checkpoints on the OS 612, but not upon the hardware 604.
- Functional units in the same ordination stratum can impose a checkpoint on another functional unit in that stratum when they interact.
- an application 616 can require execution of a checkpoint on a driver 618.
- Superordinate functional units are designed to initiate execution of the checkpoints in conjunction with the ACP 240 and subordinate objects are designed to have checkpoints impo ⁇ sed upon them.
- the BIOS 608 requires execution of a checkpoint upon the OS 612 during the boot process, during execution and/or periodically while running.
- a driver object 618 is subject to checkpoints when installed or exercised during normal operation.
- Data file objects 622 are subject to checkpoints whenever the data in the file is accessed.
- An HTML object 628 is reviewed as part of a checkpoint whenever the HTML object 628 is interpreted by a browser application 616. Referring next to Fig. 7, interaction between functional units is shown in block diagram form.
- the functional units associated with the set top box 108 include a set top box resource 704, a printer driver object 708, an e-mail object 712, and a printer port resource 716. During the normal interaction of these functional units, checkpoints are encountered that trigger authorization checks.
- the sole table correlates rights and requirements to each functional unit in Fig. 7.
- the functional unit identifier serves to conelate the object messages 300 with the rights messages 400.
- the set top box resource 704 is superordinate to the email object 712.
- a checkpoint in the object 712 checks for proper rights.
- the proper rights are defined by the requirements 720-2 of the email object 712 itself. If the e-mail right 716-1 meets the standards of the e-mail object requirements 720- 2, the e-mail object 712 continues execution past the checkpoint.
- the ACP 240 actually performs the authentication after the e-mail right 716-1 and e-mail object requirements 720-2 are respectively loaded by their associated functional units 704, 712.
- the user can add an optional printer 212.
- the ability to print is an added feature that is not included in all set top boxes 704. If the printer 212 is a purchase sanctioned by the content provider, printer driver rights 716-2, 716-4 and a printer port right 716-3 are sent in rights messages 400 to the set top box 704 from the headend 104.
- Some embodiments could provide rights to a subset of the functional units capable of using the printer port 720-3.
- the e-mail object 712 could be given the printer driver right 716-4, but the set top box resource 704 would not receive the printer driver right 716-2. In this way, only the email object 716-2 could use the printer port 720-3 and the other objects could not.
- Hooking the printer to the to the printer port can trigger display of a message on the TV 216 that asks for a secret code included with the printer 212.
- a request for the rights messages 400 that enable the printer is made to the headend 104.
- an enabling set of rights messages 400 are sent encrypted in a key based upon the secret code.
- the printer driver object 708 is factory loaded, but other embodiments could load this object 708 when needed using an object message 300. While the e-mail object 712 is running, the user may try to print an e-mail message.
- Several checkpoints authenticate the proper rights 716 are present before printing.
- the e-mail object 712 calls the printer driver 708 with the information requiring printing.
- a checkpoint in the printer driver 708 stops processing until the authorization of the e-mail object 712 is checked.
- a printer driver right 716-4 downloaded when the printer was purchased, is loaded into the ACP 240 along with the printer driver requirements 720-1 for authentication. Presuming authentication is successful, the printer driver object 708 formats the print information for the printer 212 and passes it to the printer port resource 714.
- the printer port resource 714 is the hardware port that interfaces to a cable connected to the printer 212. Once information is sent to the printer port resource 714 a checkpoint pauses the processes to check that the printer driver object 708 has proper authorization. The requirements 720-3 and rights 716-3 are loaded into the ACP 240 for authentication. Once the use by the printer driver object 708 is authenticated, the remainder of the print job is spooled to the printer port resource 714 for printing. In some embodiments, the rights 716 of one functional unit can be inherited by another functional unit. The right 716 could be conveyed to other objects 308 that might use that functional unit.
- the right 716 to use the printer port 232 could initially be associated with the e-mail object 712 alone, where this right 716 is conveyed to e-mail object 712 when the user purchased a printer 212.
- the headend 104 could authorize inheritance of that right 712 to all other functional units or subset of the functional units that might use the printer port 232. In this way, additional functional units could use the print feature.
- a flow diagram of an embodiment of a process for loading functional units is illustrated.
- This embodiment allows factory loading or field loading of functional units.
- the process begins in step 804 where the functional units are designed.
- Functional units can be objects and/or resources.
- the resources include hardware such as the set top box 108 and the hardware components inside the set top box 108.
- the various requirements for the functional units are defined.
- a determination is made in step 808 as to whether the functional unit is being installed in the factory or in the field.
- resources that are physical devices are typically installed at the factory.
- Electronically storable objects can generally be installed in the factory or the field, however, certain objects are installed in the factory such as portions of the operating system 612.
- step 812 processing continues to step 812 where the functional units are installed into the set top box enclosure.
- the physically devices and most of the objects are factory installed such that the set top box is functional before shipment to the user.
- Certain objects 308, however, are loaded into the set top box 108 after fielding it.
- step 820 processing goes from step 808 to step 820 where the objects are distributed to content providers.
- the distribution process includes electronically sending the object 308 by some type of data link such as a packet switched network.
- the content provider embeds the objects 308 in object messages 300 and broadcasts the objects 308 to set top boxes 108 over an entitled channel in step 824.
- the entitlement process for the channel includes sending keys to the entitled set top boxes such that they can decode the data stream on the channel.
- an embodiment of a process for receiving an object 308 is shown in flow diagram form.
- This embodiment receives the object and rights messages 300, 400 before authenticating their use.
- the object and rights messages 300, 400 are received from the cable TV provider by way of an entitled channel. Entitlement of a channel involves encryption of the channel for one or more set top boxes 108 using symmetric or asymmetric encryption techniques. Signatures can also be used to verify the source of the messages 300, 400 is authentic and verify their authorization for use on the set top box 108. Other embodiments, could receive the rights message 400 before the object message 300.
- step 920 the requirements 720 embedded in the object 308 are checked against the rights 716 in the rights message 400.
- This check of rights 716 against requirements 720 allows a determination as to whether the object 308 is authorized in step 924. If the object 308 is not authorized, an error is reported back to the headend 104 and the object 308 is discarded in steps 928 and 932. Alternatively, use of the object 308 is allowed in step 936 if the rights 716 satisfy the requirements 720. In this way, the object 308 is sent to the set top box 108 and checked for authorization.
- a flow diagram illustrating an embodiment of a process for authenticating and authorizing a software object 308 is shown.
- the process begins in step 1004 where the software object 308 is read into the controller 220 from memory 228.
- a signature associated with the software object 308 is checked in step 1008 to determine if the object 308 is authentic.
- the signature could be generated over both the object message 300 and requirements message 500 to provide authentication of both messages 300, 500 with the single signature.
- the software object 308 and requirements message 500 are loaded into the ACP 240 to calculate the signature.
- the calculated signature is checked against the original signature sent from the headend 104 to check authentication.
- step 1016 an enor is reported to the headend 104. This may happen immediately where a bidirectional control data channel is available or may happen at a later time where a store- and-forward methodology is used. Objects 308 that fail the authenticity test are corrupt and are discarded in step 1020. A message may or may not be presented to the user after failure of authentication.
- step 1032 a check of authorization is performed for a resource to use an object 308.
- the rights 716 of the set top box 108 are checked against the requirements 720 for the resource.
- the resource could be the same object 308 being executed such that a checkpoint causes an authorization check of the very object 308 that includes the checkpoint.
- the ACP 240 is involved in this authorization process to securely check rights against requirements.
- a determination is made in step 1036 as to whether the interaction between object 308 and resource is authorized. If the use is not authorized, the enor is reported to the user and/or headend 108 in step 1040. For example, a message could appear on the screen to notify the user that the printer port is unavailable and that the content provider should be contacted to enable this feature. If the authorization check is successful, the object 308 is allowed to begin execution in step 1024.
- authorization could be checked before authentication rather than the other way around. Authorization is typically a quicker check than authentication and a negative result from an authorization check could avoid unnecessarily checking authentication.
- the resource accessed by the object 308 could also encounter a checkpoint that requires authentication.
- the printer port resource 232 may have a requirement 720 that needs satisfaction by a corresponding right 716.
- the ACP 240 is once again used to perform this authentication. In this way, various functional units have checkpoints applied to them to check authentication and/or authorization.
- a flow diagram illustrating an embodiment of a process for authenticating the running of a software object and for authorizing that software object 308 is shown.
- the process begins in step 1104 where the software object 308 is read into the controller 220 from memory 228.
- the software object 308 is checked in step 1108 to determine if the object 308 is authentic and authorized.
- step 1116 If it is determined that the software object fails either the authorization or authentication as determined in step 1112, processing continues to steps 1116 and 1120.
- step 1116 an error is reported to the headend 114. This may happen immediately where a bi-directional control data channel is available or may happen at a later time where a store-and- forward methodology is used. Objects 308 that fail the authentication or authorization test are corrupt and are discarded in step 1120. A message may or may not be presented to the user after a failure.
- step 1124 Presuming it is determined that the software object 308 is authorized and authentic in step 1112, execution of the software object 308 is begun in step 1124. During execution, a checkpoint is encountered in the software object 308 that requires authorization in step 1128. Checkpoints are typically added to the software object 308 in places where the purpose of that object 308 becomes manifest. For example, a printer driver would have a checkpoint before the driver is used to access the printer port 232. The checkpoint could require authorization and/or authentication of the object containing the checkpoint and/or another resource.
- step 1132 a check of resource authorization is performed for an object 308.
- the resource rights 716 of the set top box 118 are checked against the resource requirements 720 for the object. It is noted, the resource needed could be the same object 308 being executed such that the checkpoint causes an authorization check of the very object 308 that includes the checkpoint.
- the ACP 240 is involved in this authorization process to securely check rights against requirements.
- step 1136 A determination is made in step 1136 as to whether the interaction between object 308 and the necessary resource is authorized. If the use is not authorized, the error is reported to the user and/or headend 118 in step 1140. For example, a message could appear on the screen to notify the user that the printer port is unavailable and that the content provider should be contacted to enable this feature. If the authorization check is successful, the object 308 is allowed to use the resource in step 1144.
- a flow diagram illustrating another embodiment of a process for authenticating the running of a software object and for authorizing that software object 308 is shown.
- the process begins in step 1204 where the software object 308 is read into the controller 220 from memory 228.
- a signature associated with the software object 308 is checked in step 1208 to determine if the object 308 is authentic.
- the signature could be generated over both the object message 300 and requirements rights message 400 500 to provide authentication of both messages 300, 400 500 with the single signature.
- the software object 308 and rights requirements message 400 500 are loaded into the ACP 240 to calculate the signature.
- the calculated signature is checked against the original signature sent from the headend 124.
- step 1216 If it is determined that the software object fails the authorization as determined in step 1212, processing continues to steps 1216 and 1220.
- step 1216 an error is reported to the headend 124. This may happen immediately where a bidirectional control data channel is available or may happen at a later time where a store- and-forward methodology is used. Objects 308 that fail the authenticity test are corrupt and are discarded in step 1220. A message may or may not be presented to the user after failure of authorization. Presuming it is determined that the software object 308 is authentic in step
- step 1212 execution of the software object 308 is begun in step 1224.
- a checkpoint is encountered in the software object 308 that requires authorization in step 1228.
- Checkpoints are typically added to the software object 308 in places where the purpose of that object 308 becomes manifest. For example, a printer driver would have a checkpoint before the driver is used to access the printer port 232. The checkpoint could require authorization and/or authentication of the object containing the checkpoint and/or another resource.
- step 1232 a check of authorization is performed for an object 308 to use a resource.
- the resource rights 716 of the set top box 128 are checked against the requirements 720 for the object 308. It is noted, the resource could be the same object 308 being executed such that the checkpoint causes an authorization check of the very object 308 that includes the checkpoint.
- the ACP 240 is involved in this authorization process to securely check rights against requirements.
Abstract
Description
Claims
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU71036/00A AU7103600A (en) | 1999-09-03 | 2000-09-01 | Entitlements of objects and resources |
EP00959771A EP1219108A1 (en) | 1999-09-03 | 2000-09-01 | Entitlements of objects and resources |
CA002382576A CA2382576A1 (en) | 1999-09-03 | 2000-09-01 | Entitlements of objects and resources |
HK03101504.4A HK1049421A1 (en) | 1999-09-03 | 2003-02-28 | Entitlements of objects and resources |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15238599P | 1999-09-03 | 1999-09-03 | |
US60/152,385 | 1999-09-03 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2001019074A1 true WO2001019074A1 (en) | 2001-03-15 |
Family
ID=22542697
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2000/024097 WO2001019074A1 (en) | 1999-09-03 | 2000-09-01 | Entitlements of objects and resources |
Country Status (7)
Country | Link |
---|---|
EP (1) | EP1219108A1 (en) |
KR (1) | KR100679498B1 (en) |
CN (1) | CN1214620C (en) |
AU (1) | AU7103600A (en) |
CA (1) | CA2382576A1 (en) |
HK (1) | HK1049421A1 (en) |
WO (1) | WO2001019074A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001093581A2 (en) * | 2000-05-26 | 2001-12-06 | General Instrument Corporation | Authentication and/or authorization launch |
EP1246463A2 (en) * | 2001-03-30 | 2002-10-02 | Matsushita Electric Industrial Co., Ltd. | Recording and reproducing device, control method and abuse prevention system |
US9225542B2 (en) | 2006-09-22 | 2015-12-29 | Samsung Electronics Co., Ltd. | Method and apparatus for transmitting/receiving content by interconnecting internet protocol television with home network |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1998055910A2 (en) * | 1997-06-05 | 1998-12-10 | Sun Microsystems, Inc. | Apparatus and method for secure device addressing |
EP0909094A1 (en) * | 1997-10-07 | 1999-04-14 | CANAL+ Société Anonyme | Multithread data processor |
WO1999030217A1 (en) * | 1997-12-11 | 1999-06-17 | Sun Microsystems, Inc. | Protection domains to provide security in a computer system |
-
2000
- 2000-09-01 WO PCT/US2000/024097 patent/WO2001019074A1/en not_active Application Discontinuation
- 2000-09-01 CA CA002382576A patent/CA2382576A1/en not_active Abandoned
- 2000-09-01 EP EP00959771A patent/EP1219108A1/en not_active Withdrawn
- 2000-09-01 KR KR1020027002750A patent/KR100679498B1/en active IP Right Grant
- 2000-09-01 CN CNB008124035A patent/CN1214620C/en not_active Expired - Fee Related
- 2000-09-01 AU AU71036/00A patent/AU7103600A/en not_active Abandoned
-
2003
- 2003-02-28 HK HK03101504.4A patent/HK1049421A1/en unknown
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1998055910A2 (en) * | 1997-06-05 | 1998-12-10 | Sun Microsystems, Inc. | Apparatus and method for secure device addressing |
EP0909094A1 (en) * | 1997-10-07 | 1999-04-14 | CANAL+ Société Anonyme | Multithread data processor |
WO1999030217A1 (en) * | 1997-12-11 | 1999-06-17 | Sun Microsystems, Inc. | Protection domains to provide security in a computer system |
Non-Patent Citations (2)
Title |
---|
C. CRICHTON, J. DAVIES, J. WOODCOCK: "When to trust mobile objects: access control in the Jini Software System", TECHNOLOGY OF OBJECT-ORIENTED LANGUAGES AND SYSTEMS, 1999. TOOLS 30 PROCEEDINGS, 1 August 1999 (1999-08-01) - 5 August 1999 (1999-08-05), pages 116 - 125, XP002155686 * |
WALLACH D S ET AL: "Extensible security architectures for Java", PROCEEDINGS OF THE ACM SYMPOSIUM ON OPERATING SYSTEMS PRINCIPLES, 1997, XP002101681 * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001093581A2 (en) * | 2000-05-26 | 2001-12-06 | General Instrument Corporation | Authentication and/or authorization launch |
WO2001093586A2 (en) * | 2000-05-26 | 2001-12-06 | General Instrument Corporation | Access control processor |
WO2001093586A3 (en) * | 2000-05-26 | 2002-04-18 | Gen Instrument Corp | Access control processor |
WO2001093581A3 (en) * | 2000-05-26 | 2002-05-23 | Gen Instrument Corp | Authentication and/or authorization launch |
US8356314B2 (en) | 2000-05-26 | 2013-01-15 | General Instrument Corporation | Object and resource security system |
EP1246463A2 (en) * | 2001-03-30 | 2002-10-02 | Matsushita Electric Industrial Co., Ltd. | Recording and reproducing device, control method and abuse prevention system |
EP1246463A3 (en) * | 2001-03-30 | 2007-01-03 | Matsushita Electric Industrial Co., Ltd. | Recording and reproducing device, control method and abuse prevention system |
US9225542B2 (en) | 2006-09-22 | 2015-12-29 | Samsung Electronics Co., Ltd. | Method and apparatus for transmitting/receiving content by interconnecting internet protocol television with home network |
Also Published As
Publication number | Publication date |
---|---|
HK1049421A1 (en) | 2003-05-09 |
KR100679498B1 (en) | 2007-02-07 |
KR20020028230A (en) | 2002-04-16 |
CN1372756A (en) | 2002-10-02 |
AU7103600A (en) | 2001-04-10 |
CA2382576A1 (en) | 2001-03-15 |
CN1214620C (en) | 2005-08-10 |
EP1219108A1 (en) | 2002-07-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8904424B2 (en) | Object and resource security system | |
US20020112175A1 (en) | Conditional access for functional units | |
EP1228634B1 (en) | Intrusion detection for object security | |
US20060020790A1 (en) | Authorization using ciphertext tokens in a content receiver | |
WO2001019074A1 (en) | Entitlements of objects and resources | |
EP1222814A1 (en) | Object and resource security system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
WWE | Wipo information: entry into national phase |
Ref document number: 2382576 Country of ref document: CA |
|
WWE | Wipo information: entry into national phase |
Ref document number: 1020027002750 Country of ref document: KR |
|
WWE | Wipo information: entry into national phase |
Ref document number: 008124035 Country of ref document: CN |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2000959771 Country of ref document: EP |
|
WWP | Wipo information: published in national office |
Ref document number: 1020027002750 Country of ref document: KR |
|
WWP | Wipo information: published in national office |
Ref document number: 2000959771 Country of ref document: EP |
|
REG | Reference to national code |
Ref country code: DE Ref legal event code: 8642 |
|
NENP | Non-entry into the national phase |
Ref country code: JP |
|
WWW | Wipo information: withdrawn in national office |
Ref document number: 2000959771 Country of ref document: EP |