WO2001028232A1 - Object and resource security system - Google Patents

Object and resource security system Download PDF

Info

Publication number
WO2001028232A1
WO2001028232A1 PCT/US2000/027632 US0027632W WO0128232A1 WO 2001028232 A1 WO2001028232 A1 WO 2001028232A1 US 0027632 W US0027632 W US 0027632W WO 0128232 A1 WO0128232 A1 WO 0128232A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
authenticating
content
authorization
set top
Prior art date
Application number
PCT/US2000/027632
Other languages
French (fr)
Inventor
Eric J. Sprunk
Original Assignee
General Instrument Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by General Instrument Corporation filed Critical General Instrument Corporation
Priority to CA002386984A priority Critical patent/CA2386984A1/en
Priority to KR1020027004530A priority patent/KR20020038807A/en
Priority to EP00970612A priority patent/EP1222814A1/en
Priority to AU79965/00A priority patent/AU7996500A/en
Priority to JP2001529658A priority patent/JP2003511772A/en
Publication of WO2001028232A1 publication Critical patent/WO2001028232A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/60Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client 
    • H04N21/63Control signaling related to video distribution between client, server and network components; Network processes for video distribution between server and clients or between remote clients, e.g. transmitting basic layer and enhancement layers over different transmission paths, setting up a peer-to-peer communication via Internet between remote STB's; Communication protocols; Addressing
    • H04N21/633Control signals issued by server directed to the network components or client
    • H04N21/6332Control signals issued by server directed to the network components or client directed to client
    • H04N21/6334Control signals issued by server directed to the network components or client directed to client for authorisation, e.g. by transmitting a key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/266Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/254Management at additional data server, e.g. shopping server, rights management server
    • H04N21/2541Rights Management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N21/442Monitoring of processes or resources, e.g. detecting the failure of a recording device, monitoring the downstream bandwidth, the number of times a movie has been viewed, the storage space available from the internal hard disk
    • H04N21/44204Monitoring of content usage, e.g. the number of times a movie has been viewed, copied or the amount which has been watched
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/45Management operations performed by the client for facilitating the reception of or the interaction with the content or administrating data related to the end-user or to the client device itself, e.g. learning user preferences for recommending movies, resolving scheduling conflicts
    • H04N21/462Content or additional data management, e.g. creating a master electronic program guide from data received from the Internet and a Head-end, controlling the complexity of a video stream by scaling the resolution or bit-rate based on the client capabilities
    • H04N21/4627Rights management associated to the content
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/60Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client 
    • H04N21/65Transmission of management data between client and server
    • H04N21/658Transmission by the client directed to the server
    • H04N21/6582Data stored in the client, e.g. viewing habits, hardware capabilities, credit card number
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/80Generation or processing of content or additional data by content creator independently of the distribution process; Content per se
    • H04N21/81Monomedia components thereof
    • H04N21/8166Monomedia components thereof involving executable data, e.g. software
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/80Generation or processing of content or additional data by content creator independently of the distribution process; Content per se
    • H04N21/83Generation or processing of protective or descriptive data associated with content; Content structuring
    • H04N21/835Generation of protective data, e.g. certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/80Generation or processing of content or additional data by content creator independently of the distribution process; Content per se
    • H04N21/83Generation or processing of protective or descriptive data associated with content; Content structuring
    • H04N21/835Generation of protective data, e.g. certificates
    • H04N21/8355Generation of protective data, e.g. certificates involving usage data, e.g. number of copies or viewings allowed
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00Television systems
    • H04N7/16Analogue secrecy systems; Analogue subscription systems
    • H04N7/167Systems rendering the television signal unintelligible and subsequently intelligible
    • H04N7/1675Providing digital key or authorisation information for generation or regeneration of the scrambling sequence

Definitions

  • This invention relates m general to secure access systems and, more specifically, to secu ⁇ ng information
  • Cable television (TV) providers distribute video streams to subscribers by way of conditional access (CA) systems
  • CA systems distribute video streams from a headend of the cable TV provider to a set top box associated with a subsc ⁇ ber
  • the headend includes hardware that receives the video streams and distributes them to the set top boxes within the CA system
  • Select set top boxes are allowed to decode certain video streams according to entitlement information sent by the cable TV provider to the set top box
  • other video program providers use satellite dishes to wirelessly distnbute video content to set top boxes
  • Video programs are broadcast to all set top boxes, but only a subset of those boxes are given access to specific video programs For example, only those that have ordered a pay per v ew boxing match are allowed to view it even though every set top box may receive encrypted data stream for the match
  • an entitlement message is broadcast m encrypted form to all set top boxes Only the particular set top box the entitlement message is intended for can decrypt it Inside the decrypted entitlement message is a key that will decrypt the pay per view program With that key, the set top box decrypts the pay per view program as it is received in real-time
  • Some systems integrate personal computing with a TN to display content.
  • Products such as WebTVTM integrate web browsing and e-mail features with a TV.
  • a personal computer PC
  • ISP Internet service provider
  • Software programs such as the e-mail program, tend to be small and easily stored. Those skilled in the art recognize that these PC do not provide adequate security such that they are susceptible to viruses and hackers.
  • object and resource security are provided in a conditional access system. Authentication and/or authorization checks are performed at a number of checkpoints to assure security of the object and resource. Checkpoints trigger these checks when the purpose of the object or resource becomes manifest as well as other times during handling of the object or resource.
  • a process for securing information After receiving information, that information is authenticated a first time. The information is also authorized and stored. At some point, the information is authenticated a second time.
  • a content delivery system in another embodiment, includes a memory, a network port and a number of checkpoints. Content is received by a network port and retained in the memory. Each piece of content is subject to at least two checkpoints.
  • a method for authenticating and authorizing information is disclosed. After receiving information, it is authenticated and authorized. A process is run that checks either authentication or authorization once again.
  • a method for authenticating and authorizing content supplied to a conditional access set top box is disclosed. Content is received m the conditional access set top box The content is authenticated a first time with the conditional access set top box When the content is accessed withm the set top box, the content is authenticated a second time
  • Fig 1 is a block diagram showing one embodiment of a content delivery system
  • Fig 2 is a block diagram illustrating an embodiment of a set top box interfaced to its environment
  • Fig 3 is a flow diagram showing an embodiment of a process for distributing an object m a first security level
  • Fig 4 is a flow diagram showing an embodiment of a process for distributing an object in a second secu ⁇ ty level
  • Fig 5 is a block diagram depicting an embodiment of an authorization message
  • Fig 6 is a block diagram showing an embodiment of an object message
  • Fig 7 is a block diagram illustrating an embodiment of a signatory group that includes portions of the autho ⁇ zation message and the object message
  • Fig 8 is a flow diagram depicting an embodiment of a process for loading an object m a third secu ⁇ ty level
  • Fig 9 is a flow diagram showing an embodiment of a process for loading an object in a fourth secu ⁇ ty level
  • Fig 10 is a flow diagram depicting another embodiment of a process for loading an object m the fourth secu ⁇ ty level
  • Fig 11 is a flow diagram showing an embodiment of a process for checking continuously running objects m a fifth secu ⁇ ty level
  • Fig 12 is a flow diagram illustrating an embodiment of a process for allowing a free preview of an object m secu ⁇ ty level six
  • Fig 13 is a flow diagram showing an embodiment of a process for momto ⁇ ng secu ⁇ ty checks in secu ⁇ ty level seven
  • Fig. 14 is a flow diagram depicting an embodiment of a process for using execution tokens to achieve an eighth level of security.
  • Fig. 15 is a block diagram showing the relationship between different objects in a set top box.
  • the present invention authenticates and authorizes information in a television set top box throughout the lifetime of the information. Increases in the size of storage media and decreases in the size of new types of content necessitate new security measures to authenticate the source of the information and authorize the use of the information.
  • a block diagram of one embodiment of a content delivery system 100 is shown.
  • the delivery system 100 selectively provides content to a number of users based upon certain conditions being satisfied. Included in the system 100 are a headend 104, number of set top boxes 108, local programming receiver 112, satellite dish 116, and the Internet 120.
  • the headend 104 receives content and distributes that content to users.
  • Content can include video, audio, interactive video, software, firmware, and/or data. This content is received from a variety of sources that include the satellite dish 116, local programming receiver 112, microwave receivers, packet switched networks, Internet 120, etc.
  • Each set top box 108 has a unique address that allows sending entitlement information to an individual set top box 108. In this way, one set top box 108-1 might be entitled to some particular content while another 108-2 might not.
  • Equipment within the headend 104 regulates which set top boxes 108 are entitled to that content.
  • the content is generally distributed in digital form through an analog carrier channel that contains multiple content streams. All the content streams are multiplexed together into a digital stream that is modulated upon the analog carrier channel.
  • the separate content streams are separated by packet identification (PID) information such that the individual content streams can be removed according to their unique PID information.
  • PID packet identification
  • FIG. 2 a block diagram of an embodiment of a display system 200 is shown. This embodiment provides multiple levels of object and resource security through a variety of security levels. Included in the display system 200 are a set top box 108, network 208, printer 212, TV display 216, and wireless input device 218. These items cooperate in such a way that the user can enjoy content provided from a content provider.
  • the content can be video, audio, software, firmware, interactive TV, data, or other information.
  • the content provider is a cable TV provider.
  • the network 208 serves as the conduit for information traveling between the set top box 108 and the headend 104 of the cable TV provider.
  • the network has one hundred and twenty analog channels and a bi-directional control data channel.
  • the analog channels carry content and the control data channel carries control and entitlement information.
  • Each analog carrier channel has a number of digital channels multiplexed into one data stream where the digital channels are distinguished by packet identifiers (PIDs).
  • PIDs packet identifiers
  • the bi-directional control channel is an out- of-band channel that broadcasts data to the set top boxes 108 at one frequency and receives data from the boxes 108 at another frequency. Return data may be queued to decrease overloading during peak use periods using a store and forward methodology well known in the art.
  • Other embodiments could use a cable modem or digital subscriber line (DSL) for both control information and content where the content is formatted as packet switched data.
  • DSL digital subscriber line
  • the printer 212 is an optional accessory some users may purchase and add to their display system 200.
  • the printer 212 allows printing data such as email, web pages, billing information, etc.
  • the ability to use a pe ⁇ pheral like a printer is regulated by an authorization check. Using the regulation feature, printers 212 compatible with the set top box 108 do not work unless proper authorization is obtained.
  • the TV display 216 presents the user with audio and/or video co ⁇ esponding to the content.
  • the display 216 typically receives an analog video signal that is modulated on a carrier corresponding to channel three, channel four or a composite channel
  • the set top box 108 produces a NTSC signal, for example, modulated to the approp ⁇ ate channel
  • Other embodiments could use a video monitor or digital display instead of a television display 216
  • Use of a digital display would alleviate the need for an analog conversion by the set top box 108 because digital displays, such as liquid crystal displays, use digital information to formulate the displayed picture
  • the wireless input device 218 allows interaction between the user and the set top box 108
  • This device 218 could be a remote control, mouse, keyboard, game controller, pen tablet or other input mechanism
  • An infrared transceiver on the input device 218 communicates with a similar transceiver on the set top box 108 to allow wireless communication
  • RF link or wired link could be used instead of the infrared transceiver
  • the set top box 108 has component parts that perform authentication and authonzation of objects and resources Objects are any collection of digital information such as software, d ⁇ vers, firmware, data, video, or audio Resources are anything needed by an object to operate as intended such as another object or a physical device
  • Objects are any collection of digital information such as software, d ⁇ vers, firmware, data, video, or audio Resources are anything needed by an object to operate as intended such as another object or a physical device
  • Included m the set top box 108 are a controller 220, memory 228, a p ⁇ nter port 232, a network port 236, an access control processor 240, a display interface 244, and an infrared (IR) port 248 These blocks communicate with each other over a bus 132 where each block has a different address to umquely identify it on the bus 132
  • the controller 220 manages operation of the set top box 108 using a trusted or secure operating system Such functions as digital object decryption and decompression are performed m the controller
  • controller 220 could also contain an adjunct secure microprocessor for purposes of key protection or cryptographic processing This may be appropnate m some systems where a high level of secu ⁇ ty is desired
  • the set top box 108 includes a block of memory 228
  • This memory 228 is solid state memory that could include RAM, ROM, flash, and other types of volatile and non-volatile memory Objects and resources are stored m memory for running at a later time Du ⁇ ng execution, programs are loaded into and executed with the memory 228, and also use the memory 228 for scratchpad space Keys, se ⁇ al numbers and autho ⁇ zations can be stored in non-volatile flash memory
  • This embodiment includes a printer port 232 for interfacing to an optional printer 212.
  • the printer port 232 resource is not available to programs unless authorized. As explained further below, each object must have authorization to use a resource such as the printer port 232. Data is sent from the printer port 232 to the printer 212 in a serial or parallel fashion by way of a wired or wireless transport mechanism.
  • a checkpoint is a point in time or a step of processing where the authentication and/or authorization status of an object is confirmed.
  • a checkpoint is encountered when printing is requested.
  • the checkpoint authorizes and authenticates the object requesting the printing.
  • Checkpoints are places in one object where authentication and/or authorization are run on another object (e.g., an operating system checks authentication and authorization of an application that is running).
  • checkpoints are performed when the purpose of the object becomes manifest. In the case of a printer port 232, its purpose becomes manifest when it is used to print something. Accordingly, a checkpoint is triggered to check the object using the printer port 232 resource when anything is printed.
  • the checkpoint for printing would be in the operating system.
  • the network port 236 allows bi-directional communication between the set top box 108 and the headend 104. Included in the network port 236 are a tuner and a demodulator that tune to analog carrier channels and demodulate an MPEG data stream to allow one-way delivery of content. Also included in the network port 236 are a control data transceiver or cable modem that allows for bi-directional communication of control data information and/or content. To distribute loading of the control data path to the headend 104 more evenly, a store and forward methodology may be used.
  • Modulation of the digital video signal onto an analog signal compatible with the TV display 216 is performed by the display interface 244.
  • the TV display 216 generally accepts signals modulated on channel three, channel four or a composite channel.
  • the display interface 244 performs any formatting required by the digital input.
  • the IR port 248 communicates bi-directionally with a wireless input device 218. Included in the IR port 248 is an IR transceiver that provides the wireless communication path with the input device 218. Other electronics in the IR port 248 convert analog signals received by the transceiver to a corresponding digital signal and convert analog signals sent to the transceiver from a co ⁇ esponding digital signal. The controller 220 processed the digital signals so that the user can control some of the functions within the set top box 108.
  • the access control processor (ACP) 240 regulates security functions within the set top box 108.
  • the ACP 240 performs authentication and authorization either under the direction of the controller 220 or independent of the controller 220 as will become clear in the discussion below.
  • the ACP 240 includes a processor, RAM and ROM that cooperate to execute software independent of the controller 220.
  • the ACP 240 also includes a decryption engine and a hash function for deciphering content and calculating signatures.
  • checkpoints are embedded into the software run on the controller 220 that trigger the ACP 240 to perform security checks.
  • the ACP 240 can also shadow the operating system (OS) to assure proper functioning of the OS. By watching the launch of objects, the ACP 240 can monitor which application objects are running. If necessary, the ACP 240 can kill running applications if a checkpoint detects an e ⁇ or or if authorization expires. Further, the ACP 240 could monitor memory 228 to detect any application not authorized to be in memory 228. Scratchpad memory size could also be monitored to detect applications hiding in scratchpad memory. Additionally, the ACP 240 could randomly execute checkpoints on the objects in memory to confirm their authorization and/or authenticity. Problems encountered by the ACP 240 are reported to either the OS or the headend 104. In these ways, the ACP 240 acts as a software security guard bot within the set top box 108 such that abe ⁇ ant behavior is detected and reported.
  • OS operating system
  • a first level of security objects are sent to the set top box 108 by way of the network 208 in encrypted form.
  • An entitlement message that contains the decryption key is sent to the set top box 108. With the decryption key, the set top box 108 can decrypt and use the object.
  • a flow diagram of an embodiment of a process for distributing an object in the first security level is shown.
  • the process begins in step 304 where an entitlement message is formulated in the headend 104. Included in the entitlement message is a key that can decrypt the associated object.
  • the entitlement message and object are sent over the network 208 to the set top box 108. After receipt of the entitlement message and object, they are co ⁇ elated together in step 316 The key is extracted from the entitlement message and used to decrypt the object before it is w ⁇ tten to the memory 228 in steps 320, 324 and 328 This process provides both authentication and authonzation of the object by using encryption
  • a flow diagram of an embodiment of a process for dist ⁇ buting an object m a second secu ⁇ ty level is shown
  • signatures are used to authenticate an object upon download
  • the second level of secu ⁇ ty imposes a checkpoint on the object when downloaded
  • the signature is generated over a signatory group that includes portions of an authonzation message and object message in the headend 104 m step 404
  • the authonzation message is metadata related to the object message and the object message contains the object intended for the set top box 108
  • step 408 the signature m the authonzation message and the object are separately sent to the set top box 108 over the network 208
  • an asymmetnc signature is used (e g , RSA, DSA or ECC based), but a symmetnc signature (e g , DES or tnple-DES) could also be used
  • the signature is calculated and checked by the ACP 240 m steps 420 and 424 If the calculated and received signatures match, the object is stored in step 428 Alternatively, the object is discarded in step 432 if there is no match, and processing loops back to step 412 to wait for another copy of the object
  • an authonzation message 500, an object message 600 and a signatory group 700 are respectively shown m block diagram form Included m the authonzation message 500 of Fig 5 are an authonzation header 504, an authonzation
  • the authonzation header 504 indicates the configuration of the authonzation message 500 Included in the header 504 are a subtype identifier and message version
  • the subtype identifier distinguishes the va ⁇ ous types of authonzation messages 500 from one another.
  • Object subtypes have a co ⁇ esponding object message 600, but resource subtypes do not. Accordingly, the subtype identifier is used to determine if there is an object message 600 associated with an authorization message 500.
  • the authorization data structure 508 provides authorization information to the set top box 108.
  • the authorization data structure 508 contains an object identifier, a software version, cost information, entitlement information, lifetime information, and one or more program tiers.
  • the object identifier is unique for each object 608 and allows attributing an authorization message 500 to its co ⁇ esponding object message 600.
  • Version information is included in the data structure 508 to indicate the version of the object 608. Portions of the authorization data structure 508 are used to determine availability of the object 608 to the set top box 108.
  • the cost information indicates to the set top box 108, and sometimes the user, the price associated with the object 608.
  • Entitlement information is used to determine if the particular set top box 108 is authorized to accept the object 608.
  • the entitlement information may include a key if the object 608 is encrypted with a symmetric key. If the set top box 108 is not authorized for the object, there is no need to process the co ⁇ esponding object 608 when it is received. Lifetime information allows the expiration of the authorization of the object 608 to prevent use after a certain date or time.
  • Programming tiers are used to restrict authorization of objects 608 to predefined tiers such that a set top box 108 can only access objects 608 within a predetermined tier.
  • the signature 512 is used to verify that portions of both the authorization message 500 and co ⁇ esponding object message 600 are authentic.
  • a hash function such as SHA-1 or MD5 is run over the whole signatory group, whereafter the result is run through a signing algorithm such as RSA to produce the signature.
  • a simple CRC algorithm could be used for the hash function, whereafter the result could be sent through an encryption algorithm such as or triple-DES and DES to produce the signature.
  • the headend 104 calculates the signature 512 over the whole signatory group 700 before inserting the signature 512 into the authorization message 500.
  • the set top box 108 calculates the signature of the signatory group 700 upon receipt of both the authorization and object messages 500, 600. Once the signature is calculated, it is checked against the received signature to authenticate portions of both the authorization and object messages 500, 600.
  • the first and second checksums 516, 612 are calculated with either linear or non-linear algorithms. These checksums 516, 612 verify the e ⁇ or integrity of the data as it is transported to the set top box 108 over the network 208.
  • the checksum could be a cyclic redundancy check (CRC).
  • CRC cyclic redundancy check
  • the message spooler 208 calculates the checksum 516 as the message 500 is being sent and appends the checksum 516 onto the end of the message 500.
  • the set top box 108 calculates the checksum as the message 500 is received and checks the calculated checksum against the checksum 516 in the received message 500.
  • the object header 604 includes attributes for the object message 600.
  • the object header 604 includes a header length, an object length, the object identifier, the software version, and a domain identifier.
  • the header length and object length respectively indicate the lengths of the object header 604 and the object 608.
  • the object identifier provides a unique code that allows attributing the authorization message 500 to the object message 600.
  • the software version indicates the version of the object.
  • Different cable TV providers are assigned domain identifiers such that all of the set top boxes 108, which might receive an object 608, can screen for objects 608 associated with their domain.
  • the object 608 includes content the system 100 is designed to deliver to set top boxes 108.
  • Several types of information can be embedded in an object, such as executable programs, firmware upgrades, run-time programs (e.g., Java® or ActiveX®), programming schedules, billing information, video, audio, or data.
  • the object 608 can be used immediately after authentication and authorization or at a later time. Additionally, authorization can be programmed to expire after a certain amount of time.
  • the signatory group 700 is shown. This group 700 is comprised of parts of both the authorization message 500 and the object message 600. All the data used to calculate the signature 512 is included in the signatory group 700. Because the signature requires components from both the authorization message 500 and the object message 600, a failed signature check indicates one of the authorization message 500 and the software message 600 cannot be verified as originating from a trusted source.
  • the trusted source is the cable TV provider that generated the signature 512.
  • a process for loading an object in a third security level is depicted.
  • This embodiment authenticates the object before launch so that approval by the network operator is confirmed.
  • the controller 220 reads the authorization and object messages 500, 600 from the memory 228.
  • the object message 600 is loaded into the ACP 240 in step 808 and the authorization message is loaded in step 812.
  • the ACP 240 calculates the signature over the signatory group 700.
  • the ACP 240 makes a determination in step 824 as to whether the signature 512 in the authorization message 500 matches the calculated signature. If there is a match, the object 608 is authorized and the object 608 is loaded into memory 228 by the OS and allowed to execute.
  • the ACP 240 discards the object 608 and notifies the OS of an e ⁇ or if the signatures do not match.
  • a signature 512 mismatch could result from corruption during storage, a pirate replacing the object 608 or a virus corrupting the object 608.
  • FIG. 9 a flow diagram of an embodiment of a process for loading an object in a fourth security level is shown.
  • This embodiment checks for authorization prior to launching the object 608. Similar to level one security explained above, this embodiment uses encryption to achieve the authorization check.
  • a first step 904 the object message 600 is written to the memory 228 in encrypted form.
  • the object message 600 is received from the network 208 in encrypted form such that an additional encryption step would be unnecessary.
  • the authorization and object messages 500, 600 are retrieved from the memory 228 in step 908.
  • the authorization message 500 includes a key necessary to decrypt the object message 600.
  • the key and the object message 600 are loaded into the ACP in step 912.
  • the object 608 is decrypted in step 916. If the key used for decryption is not the one that is authorized for the object 608 the decryption process will be unsuccessful and the resulting product will be undecipherable.
  • the plaintext object is returned to the OS for execution if the key is co ⁇ ect in step 920. Referring next to Fig. 10, a flow diagram of another embodiment of a process for loading an object in the fourth security level is illustrated.
  • entitlements in the authorization message 500 are checked in order to confirm the object 608 is authorized before it is loaded.
  • the authorization message 500 is read from the memory 228.
  • the controller 220 loads the authorization message 500 into the ACP 240 in step 1008.
  • step 1012 the entitlement information therein is checked in step 1012.
  • the authorization of level four is typically performed coincident with the authentication of level three and before an object 608 is loaded. Authorization is performed prior to authentication because authorization is a quicker process. After the performance of authentication and authorization, the status returned to the OS is NOT AUTHORIZED, AUTHORIZED BUT NOT AUTHENTICATED, or AUTHORIZED AND AUTHENTICATED.
  • a flow diagram of an embodiment of a process for checking continuously running objects in a fifth security level is depicted.
  • objects that are running should also be authenticated to be sure they haven't been replaced or modified. Additionally, verifying authorization periodically allows the expiration of an application that has been continuously running for a period of time. A predetermined period can be used or an unpredictably changing period can also be used.
  • the process begins in step 1 104 where the object 608 is read from the memory 228. Before loading the object 608 it has a first signature, but after loading the object 608 into memory 228 the signature of the loaded object is different.
  • the addresses are translated from virtual addressing to physical addressing such that the signature changes.
  • the signature is recalculated in step 1108 to produce a second signature indicative of the loaded object.
  • the object should be loaded and maintained in memory 228 in such a way that the second signature does not change.
  • the loaded object should not have self-modifying code such that the signature would change.
  • the OS has checkpoints scheduled at regular intervals that trigger periodic authentication and authorization.
  • the process waits for the next scheduled checkpoint. Typically, these scheduled checkpoints occur at least weekly or monthly. As cable TV services are paid monthly, checking for unauthorized continuously running applications after the billing cycle is desirable.
  • Authentication and authorization is performed in step 1116 by loading the authorization message 500, loaded object and second signature into the ACP 240.
  • step 1120 A determination is made in step 1120 as to whether the authentication and authorization performed in step 1116 were performed successfully. If successful, the process loops back to step 1112 where the process waits for the next checkpoint.
  • the object is removed from memory 228 and discarded when either the authorization or authentication checks fail.
  • the ACP 240 is the time source for determining the scheduled checkpoints.
  • the ACP 240 is less susceptible to attacks that set the clock back to avoid expiration of authorization.
  • the ACP 240 does not run application software that could change the time and requires secure commands to change the time. Secure commands could use encryption or signatures to guarantee authenticity of any time changes.
  • a flow diagram of an embodiment of a process for allowing a free preview of an object is illustrated in security level six.
  • security level six As is well known in the art, users desire to try software before possibly purchasing it. Accordingly, the sixth level of security allows using the software for a period of time before a purchase is requested.
  • step 1204 the object 608 is retrieved from the memory 228.
  • step 1208 the object 608 is loaded into memory 228 whereafter execution is initiated.
  • a countdown timer is begun in step 1212 that counts down to zero when the trial period ends. It is to be understood a count-up timer could also determine expiration of the trial period.
  • the user samples the object 608 in step 1216 until the trial period ends. Completion of the sample period is determined in step 1220 by noting when the countdown timer reaches its lower bound or zero.
  • the user is given the option to purchase the object 608 in step 1224.
  • a purchase screen is formulated and presented to the user by the set top box 108 to prompt purchase of the object 608.
  • the object 608 is removed from memory 228 and discarded in step 1232. Alternatively, the object remains in memory and the entitlement information is updated to reflect the purchase in step 1228.
  • Other embodiments could use crippled demonstration software that can run forever, but is missing crucial features present in the purchased version. If the user likes the crippled version, the user is likely to purchase the full version to get the missing crucial features.
  • FIG. 13 an embodiment of a process for monitoring security checks in security level seven is depicted in flow diagram form. In this embodiment the ACP 240 shadows the OS to double-check that checkpoints are encountered regularly. The process begins in step 1304 where the time of the last OS checkpoint is recorded.
  • Checkpoints are the predetermined places in the OS or other software that cause confirmation of authentication and/or authorization confirmations. Since the ACP 240 is typically involved in the authentication and authorization process, the ACP 240 can track execution of checkpoints. In step 1308, the countdown timer is started. We note once again that this counter could also count-up rather than down. In step 1312, a determination is made as to whether a checkpoint was observed by the ACP 240. If a checkpoint was observed, processing loops back to step 1304 where the countdown timer is reset so as to start again from the beginning.
  • a check of the timer is performed in step 1316 if no checkpoint is observed. If the counter has not expired, processing loops back to step 1312 to test once again for the observation of a checkpoint. When the timer does expire without reaching a checkpoint, processing continues to step 1320 where the ACP 240 reports an e ⁇ or back to the headend 104.
  • testing for checkpoints may occur for each object 608 in the set top box 108 in the manner described above.
  • Custom criteria may be designed for each object 608 in order to detect e ⁇ ors in the execution of that object 608. Additionally, we note a trusted or secure operating system normally does not need an
  • ACP 240 to check for abe ⁇ ant behavior.
  • checking for normal functioning of the operating system i.e., check for regular checkpoints
  • a flow diagram of an embodiment of a process for using tokens to achieve an eighth level of security is shown.
  • This embodiment uses a ciphertext token to check authorization of an object 608.
  • the ciphertext token is an encrypted portion of the object crucial to normal operation. Decryption of the ciphertext token produces a plaintext token that is inserted into the object 608 to allow proper execution.
  • the process begins by encrypting a portion of the object to create a ciphertext token.
  • the key needed to decrypt the ciphertext token is stored in the ACP 240 and co ⁇ elated to the object 608 in step 1408.
  • the objects with embedded ciphertext tokens are written to the memory 228 in step 1412 where they wait for purchase.
  • step 1416 The process waits in step 1416 until the user purchases an object 608.
  • step 1418 the ciphertext token is removed from the object and sent to the ACP 240 for decryption.
  • the resulting plaintext token is returned to the OS and integrated into the object 608 to make the object 608 functional in steps 1420 and 1424.
  • the decryption process is sped up.
  • Objects toward the bottom of Fig. 15 are superordinate to the objects near the top of Fig. 15. That is to say, objects toward the top of Fig. 15 are subordinate to those lower in the figure.
  • Superordinate objects are responsible for imposing checkpoints on subordinate objects.
  • the hardware 1504 imposes checkpoints upon the BIOS 1508, OS 1512 and so on up the subordination hierarchy.
  • the BIOS 1508 imposes checkpoints on the OS 1512, but not upon the hardware 1504.
  • Objects in the same ordination stratum can impose a checkpoint on another object in that stratum when they interact.
  • an application 1516 can require execution of a checkpoint on a driver 1518.
  • Superordinate objects are designed to initiate execution of the checkpoints in conjunction with the ACP 240 and subordinate objects are designed to have checkpoints imposed upon them.
  • the BIOS 1508 requires execution of a checkpoint upon the OS 1512 during the boot process, during execution and/or periodically while running.
  • a driver object 1518 is subject to checkpoints when installed or exercised during normal operation.
  • Data file objects 1522 are subject to checkpoints whenever the data in the file is accessed.
  • An HTML object 1528 is reviewed as part of a checkpoint whenever the HTML object 1528 is interpreted by a browser application 1516.
  • Other embodiments could have one price on the first use and periodically require additional maintenance payments. Further, pricing could be per use with additional amounts per feature. For example, launching the email program is one price and printing each email adds an additional amount. Further still, videos could have a lifetime equal to just less than twice the running time to allow pausing and stopping playback, but not allow viewing the program two times. Video games could have a set lifetime of one hour or one day, for example.

Abstract

Using checkpoints to secure objects and resources in a conditional access system. Authentication and/or authorization checks are performed at a number of checkpoints to assure security of the object and resource. Checkpoints trigger these checks when the purpose of the object or resource becomes manifest as well as other times during handling of the object or resource.

Description

OBJECT AND RESOURCE SECURITY SYSTEM
This application claims the benefit of U S Provisional Application No 60/158,491 filed on October 8, 1999, U S Provisional Application No 60/165,094 filed on November 12, 1999 and U S Provisional Application No 60/174,037 filed on December 30, 1999
BACKGROUND OF THE INVENTION This invention relates m general to secure access systems and, more specifically, to secuπng information Cable television (TV) providers distribute video streams to subscribers by way of conditional access (CA) systems CA systems distribute video streams from a headend of the cable TV provider to a set top box associated with a subscπber The headend includes hardware that receives the video streams and distributes them to the set top boxes within the CA system Select set top boxes are allowed to decode certain video streams according to entitlement information sent by the cable TV provider to the set top box In a similar way, other video program providers use satellite dishes to wirelessly distnbute video content to set top boxes
Video programs are broadcast to all set top boxes, but only a subset of those boxes are given access to specific video programs For example, only those that have ordered a pay per v ew boxing match are allowed to view it even though every set top box may receive encrypted data stream for the match Once a user orders the pay per view program, an entitlement message is broadcast m encrypted form to all set top boxes Only the particular set top box the entitlement message is intended for can decrypt it Inside the decrypted entitlement message is a key that will decrypt the pay per view program With that key, the set top box decrypts the pay per view program as it is received in real-time Some systems sign entitlement messages
Only recently has storage of multiple hours of video become practical Each video program is transmitted to set top boxes as a compressed MPEG2 data stream One hour of video corresponds to about one gigabyte of compressed data Since multigigabyte storage is common today, multiple hours of video can now be stored In contrast, conventional CA systems presume content is ephemeral and cannot be stored In other words, conventional systems are designed presuming that the video programs were too large to retain them for any period of time. As those skilled in the art can appreciate, the ability to store multigigabyte video programs spawns a need for additional security measures in CA systems.
Some systems integrate personal computing with a TN to display content. Products such as WebTV™ integrate web browsing and e-mail features with a TV. In other systems, a personal computer (PC) is connected to an Internet service provider (ISP) that provides the content for the web browsing and e-mail features. Software programs, such as the e-mail program, tend to be small and easily stored. Those skilled in the art recognize that these PC do not provide adequate security such that they are susceptible to viruses and hackers.
As described above, conventional CA systems only check entitlement of video streams. With advent of larger storage and smaller Internet related programs, content can be stored and reside with the user for an indefinite period of time. To maintain control over this content, additional security measures are needed.
SUMMARY OF THE INVENTION According to the invention, object and resource security are provided in a conditional access system. Authentication and/or authorization checks are performed at a number of checkpoints to assure security of the object and resource. Checkpoints trigger these checks when the purpose of the object or resource becomes manifest as well as other times during handling of the object or resource.
In a particular embodiment, a process for securing information is disclosed. After receiving information, that information is authenticated a first time. The information is also authorized and stored. At some point, the information is authenticated a second time.
In another embodiment, a content delivery system is disclosed that includes a memory, a network port and a number of checkpoints. Content is received by a network port and retained in the memory. Each piece of content is subject to at least two checkpoints. In yet another embodiment, a method for authenticating and authorizing information is disclosed. After receiving information, it is authenticated and authorized. A process is run that checks either authentication or authorization once again. In still another embodiment, a method for authenticating and authorizing content supplied to a conditional access set top box is disclosed. Content is received m the conditional access set top box The content is authenticated a first time with the conditional access set top box When the content is accessed withm the set top box, the content is authenticated a second time
The invention will be better understood by reference to the following detailed descπption m connection with the accompanying drawings BRIEF DESCRIPTION OF THE DRAWINGS Fig 1 is a block diagram showing one embodiment of a content delivery system,
Fig 2 is a block diagram illustrating an embodiment of a set top box interfaced to its environment,
Fig 3 is a flow diagram showing an embodiment of a process for distributing an object m a first security level, Fig 4 is a flow diagram showing an embodiment of a process for distributing an object in a second secuπty level,
Fig 5 is a block diagram depicting an embodiment of an authorization message,
Fig 6 is a block diagram showing an embodiment of an object message, Fig 7 is a block diagram illustrating an embodiment of a signatory group that includes portions of the authoπzation message and the object message,
Fig 8 is a flow diagram depicting an embodiment of a process for loading an object m a third secuπty level,
Fig 9 is a flow diagram showing an embodiment of a process for loading an object in a fourth secuπty level,
Fig 10 is a flow diagram depicting another embodiment of a process for loading an object m the fourth secuπty level,
Fig 11 is a flow diagram showing an embodiment of a process for checking continuously running objects m a fifth secuπty level, Fig 12 is a flow diagram illustrating an embodiment of a process for allowing a free preview of an object m secuπty level six,
Fig 13 is a flow diagram showing an embodiment of a process for momtoπng secuπty checks in secuπty level seven, Fig. 14 is a flow diagram depicting an embodiment of a process for using execution tokens to achieve an eighth level of security; and
Fig. 15 is a block diagram showing the relationship between different objects in a set top box.
DESCRIPTION OF THE SPECIFIC EMBODIMENTS The present invention authenticates and authorizes information in a television set top box throughout the lifetime of the information. Increases in the size of storage media and decreases in the size of new types of content necessitate new security measures to authenticate the source of the information and authorize the use of the information.
In the Figures, similar components and/or features have the same reference label. Further, various components of the same type are distinguished by following the reference label by a dash and a second label that distinguishes among the similar components. If only the first reference label is used in the specification, the description is applicable to any one of the several similar components having the second label.
Referring first to Fig. 1, a block diagram of one embodiment of a content delivery system 100 is shown. The delivery system 100 selectively provides content to a number of users based upon certain conditions being satisfied. Included in the system 100 are a headend 104, number of set top boxes 108, local programming receiver 112, satellite dish 116, and the Internet 120.
The headend 104 receives content and distributes that content to users. Content can include video, audio, interactive video, software, firmware, and/or data. This content is received from a variety of sources that include the satellite dish 116, local programming receiver 112, microwave receivers, packet switched networks, Internet 120, etc. Each set top box 108 has a unique address that allows sending entitlement information to an individual set top box 108. In this way, one set top box 108-1 might be entitled to some particular content while another 108-2 might not. Equipment within the headend 104 regulates which set top boxes 108 are entitled to that content. The content is generally distributed in digital form through an analog carrier channel that contains multiple content streams. All the content streams are multiplexed together into a digital stream that is modulated upon the analog carrier channel. The separate content streams are separated by packet identification (PID) information such that the individual content streams can be removed according to their unique PID information. There are around one hundred and twenty analog carrier channels in this embodiment of the system 100. Other embodiments could distribute the content with satellite dishes, microwave antennas, RF transmitters, packet switched networks, cellular data modems, carrier cuπent, phone lines, or the Internet. Referring next to Fig. 2, a block diagram of an embodiment of a display system 200 is shown. This embodiment provides multiple levels of object and resource security through a variety of security levels. Included in the display system 200 are a set top box 108, network 208, printer 212, TV display 216, and wireless input device 218. These items cooperate in such a way that the user can enjoy content provided from a content provider. The content can be video, audio, software, firmware, interactive TV, data, or other information. In this embodiment, the content provider is a cable TV provider.
The network 208 serves as the conduit for information traveling between the set top box 108 and the headend 104 of the cable TV provider. In this embodiment, the network has one hundred and twenty analog channels and a bi-directional control data channel. Generally, the analog channels carry content and the control data channel carries control and entitlement information. Each analog carrier channel has a number of digital channels multiplexed into one data stream where the digital channels are distinguished by packet identifiers (PIDs). The bi-directional control channel is an out- of-band channel that broadcasts data to the set top boxes 108 at one frequency and receives data from the boxes 108 at another frequency. Return data may be queued to decrease overloading during peak use periods using a store and forward methodology well known in the art. Other embodiments could use a cable modem or digital subscriber line (DSL) for both control information and content where the content is formatted as packet switched data.
The printer 212 is an optional accessory some users may purchase and add to their display system 200. When using the set top box 108 for personal computer tasks, the printer 212 allows printing data such as email, web pages, billing information, etc. As will be explained further below, the ability to use a peπpheral like a printer is regulated by an authorization check. Using the regulation feature, printers 212 compatible with the set top box 108 do not work unless proper authorization is obtained.
The TV display 216 presents the user with audio and/or video coπesponding to the content. The display 216 typically receives an analog video signal that is modulated on a carrier corresponding to channel three, channel four or a composite channel The set top box 108 produces a NTSC signal, for example, modulated to the appropπate channel Other embodiments could use a video monitor or digital display instead of a television display 216 Use of a digital display would alleviate the need for an analog conversion by the set top box 108 because digital displays, such as liquid crystal displays, use digital information to formulate the displayed picture
The wireless input device 218 allows interaction between the user and the set top box 108 This device 218 could be a remote control, mouse, keyboard, game controller, pen tablet or other input mechanism An infrared transceiver on the input device 218 communicates with a similar transceiver on the set top box 108 to allow wireless communication In other embodiments, RF link or wired link could be used instead of the infrared transceiver
The set top box 108 has component parts that perform authentication and authonzation of objects and resources Objects are any collection of digital information such as software, dπvers, firmware, data, video, or audio Resources are anything needed by an object to operate as intended such as another object or a physical device Included m the set top box 108 are a controller 220, memory 228, a pπnter port 232, a network port 236, an access control processor 240, a display interface 244, and an infrared (IR) port 248 These blocks communicate with each other over a bus 132 where each block has a different address to umquely identify it on the bus 132 The controller 220 manages operation of the set top box 108 using a trusted or secure operating system Such functions as digital object decryption and decompression are performed m the controller 220 as well as functions such as switching TV channels for the user and presenting menus to the user Included m the controller are a processor, an encryption engine, local memory, and other items common m computing systems
In other embodiments, the controller 220 could also contain an adjunct secure microprocessor for purposes of key protection or cryptographic processing This may be appropnate m some systems where a high level of secuπty is desired
The set top box 108 includes a block of memory 228 This memory 228 is solid state memory that could include RAM, ROM, flash, and other types of volatile and non-volatile memory Objects and resources are stored m memory for running at a later time Duπng execution, programs are loaded into and executed with the memory 228, and also use the memory 228 for scratchpad space Keys, seπal numbers and authoπzations can be stored in non-volatile flash memory This embodiment includes a printer port 232 for interfacing to an optional printer 212. The printer port 232 resource is not available to programs unless authorized. As explained further below, each object must have authorization to use a resource such as the printer port 232. Data is sent from the printer port 232 to the printer 212 in a serial or parallel fashion by way of a wired or wireless transport mechanism.
Stated generally, a checkpoint is a point in time or a step of processing where the authentication and/or authorization status of an object is confirmed. A checkpoint is encountered when printing is requested. The checkpoint authorizes and authenticates the object requesting the printing. Checkpoints are places in one object where authentication and/or authorization are run on another object (e.g., an operating system checks authentication and authorization of an application that is running). Ideally, checkpoints are performed when the purpose of the object becomes manifest. In the case of a printer port 232, its purpose becomes manifest when it is used to print something. Accordingly, a checkpoint is triggered to check the object using the printer port 232 resource when anything is printed. Typically, the checkpoint for printing would be in the operating system.
The network port 236 allows bi-directional communication between the set top box 108 and the headend 104. Included in the network port 236 are a tuner and a demodulator that tune to analog carrier channels and demodulate an MPEG data stream to allow one-way delivery of content. Also included in the network port 236 are a control data transceiver or cable modem that allows for bi-directional communication of control data information and/or content. To distribute loading of the control data path to the headend 104 more evenly, a store and forward methodology may be used.
Modulation of the digital video signal onto an analog signal compatible with the TV display 216 is performed by the display interface 244. As discussed above, the TV display 216 generally accepts signals modulated on channel three, channel four or a composite channel. For displays that accept a digital input, such as LCD displays, the display interface 244 performs any formatting required by the digital input.
The IR port 248 communicates bi-directionally with a wireless input device 218. Included in the IR port 248 is an IR transceiver that provides the wireless communication path with the input device 218. Other electronics in the IR port 248 convert analog signals received by the transceiver to a corresponding digital signal and convert analog signals sent to the transceiver from a coπesponding digital signal. The controller 220 processed the digital signals so that the user can control some of the functions within the set top box 108.
The access control processor (ACP) 240 regulates security functions within the set top box 108. For example, the ACP 240 performs authentication and authorization either under the direction of the controller 220 or independent of the controller 220 as will become clear in the discussion below. To perform its tasks, the ACP 240 includes a processor, RAM and ROM that cooperate to execute software independent of the controller 220. The ACP 240 also includes a decryption engine and a hash function for deciphering content and calculating signatures. In some embodiments, checkpoints are embedded into the software run on the controller 220 that trigger the ACP 240 to perform security checks.
The ACP 240 can also shadow the operating system (OS) to assure proper functioning of the OS. By watching the launch of objects, the ACP 240 can monitor which application objects are running. If necessary, the ACP 240 can kill running applications if a checkpoint detects an eπor or if authorization expires. Further, the ACP 240 could monitor memory 228 to detect any application not authorized to be in memory 228. Scratchpad memory size could also be monitored to detect applications hiding in scratchpad memory. Additionally, the ACP 240 could randomly execute checkpoints on the objects in memory to confirm their authorization and/or authenticity. Problems encountered by the ACP 240 are reported to either the OS or the headend 104. In these ways, the ACP 240 acts as a software security guard bot within the set top box 108 such that abeπant behavior is detected and reported.
Depending on the features desired and the security needed in the set top box 108, different levels of security are activated in the content delivery system 100. In a first level of security, objects are sent to the set top box 108 by way of the network 208 in encrypted form. An entitlement message that contains the decryption key is sent to the set top box 108. With the decryption key, the set top box 108 can decrypt and use the object.
Referring next to Fig. 3, a flow diagram of an embodiment of a process for distributing an object in the first security level is shown. The process begins in step 304 where an entitlement message is formulated in the headend 104. Included in the entitlement message is a key that can decrypt the associated object. In step 308, the entitlement message and object are sent over the network 208 to the set top box 108. After receipt of the entitlement message and object, they are coπelated together in step 316 The key is extracted from the entitlement message and used to decrypt the object before it is wπtten to the memory 228 in steps 320, 324 and 328 This process provides both authentication and authonzation of the object by using encryption
Refemng next to Fig 4, a flow diagram of an embodiment of a process for distπbuting an object m a second secuπty level is shown In the second level of secuπty, signatures are used to authenticate an object upon download In other words, the second level of secuπty imposes a checkpoint on the object when downloaded The signature is generated over a signatory group that includes portions of an authonzation message and object message in the headend 104 m step 404 The authonzation message is metadata related to the object message and the object message contains the object intended for the set top box 108
In step 408, the signature m the authonzation message and the object are separately sent to the set top box 108 over the network 208 Preferably an asymmetnc signature is used (e g , RSA, DSA or ECC based), but a symmetnc signature (e g , DES or tnple-DES) could also be used Upon receipt of the signature and the object and before stoπng the object, the signature is calculated and checked by the ACP 240 m steps 420 and 424 If the calculated and received signatures match, the object is stored in step 428 Alternatively, the object is discarded in step 432 if there is no match, and processing loops back to step 412 to wait for another copy of the object With reference to Figs 5-7, an authonzation message 500, an object message 600 and a signatory group 700 are respectively shown m block diagram form Included m the authonzation message 500 of Fig 5 are an authonzation header 504, an authonzation data structure 508, a signature 512, and a first checksum 516 The authonzation message 500 has information used to both authenticate and authonze the object message 600 Forming the object message of Fig 6 are an object header 604, an object 608 and a second checksum 612 The object message 600 serves as the transport for the object 608 The signatory group 700 includes components of the authonzation message 500 and object message 600 aπanged end-to-end The signature 512 is calculated over the whole signatory group 700 More specifically, the signatory group 700 of Fig 7 includes the authonzation header 504, authonzation data structure 508, object header 604, and object 608
The authonzation header 504 indicates the configuration of the authonzation message 500 Included in the header 504 are a subtype identifier and message version The subtype identifier distinguishes the vaπous types of authonzation messages 500 from one another. In this embodiment, there are authorization message subtypes coπesponding to objects and resources. Object subtypes have a coπesponding object message 600, but resource subtypes do not. Accordingly, the subtype identifier is used to determine if there is an object message 600 associated with an authorization message 500. There may be several types of object subtypes and resource subtypes for a given system and the message version allows distinguishing the various types.
The authorization data structure 508 provides authorization information to the set top box 108. In the case of an authorization message subtype corresponding to an object, the authorization data structure 508 contains an object identifier, a software version, cost information, entitlement information, lifetime information, and one or more program tiers. The object identifier is unique for each object 608 and allows attributing an authorization message 500 to its coπesponding object message 600. Version information is included in the data structure 508 to indicate the version of the object 608. Portions of the authorization data structure 508 are used to determine availability of the object 608 to the set top box 108. The cost information indicates to the set top box 108, and sometimes the user, the price associated with the object 608. Entitlement information is used to determine if the particular set top box 108 is authorized to accept the object 608. The entitlement information may include a key if the object 608 is encrypted with a symmetric key. If the set top box 108 is not authorized for the object, there is no need to process the coπesponding object 608 when it is received. Lifetime information allows the expiration of the authorization of the object 608 to prevent use after a certain date or time. Programming tiers are used to restrict authorization of objects 608 to predefined tiers such that a set top box 108 can only access objects 608 within a predetermined tier. The signature 512 is used to verify that portions of both the authorization message 500 and coπesponding object message 600 are authentic. A hash function such as SHA-1 or MD5 is run over the whole signatory group, whereafter the result is run through a signing algorithm such as RSA to produce the signature. Alternatively, a simple CRC algorithm could be used for the hash function, whereafter the result could be sent through an encryption algorithm such as or triple-DES and DES to produce the signature. When compiling the authorization message 500, the headend 104 calculates the signature 512 over the whole signatory group 700 before inserting the signature 512 into the authorization message 500. The set top box 108 calculates the signature of the signatory group 700 upon receipt of both the authorization and object messages 500, 600. Once the signature is calculated, it is checked against the received signature to authenticate portions of both the authorization and object messages 500, 600. If the signatures do not match, the set top box 108 discards the object message 600 because it presumably came from an improper source. The first and second checksums 516, 612 are calculated with either linear or non-linear algorithms. These checksums 516, 612 verify the eπor integrity of the data as it is transported to the set top box 108 over the network 208. For example, the checksum could be a cyclic redundancy check (CRC). The message spooler 208 calculates the checksum 516 as the message 500 is being sent and appends the checksum 516 onto the end of the message 500. Conversely, the set top box 108 calculates the checksum as the message 500 is received and checks the calculated checksum against the checksum 516 in the received message 500. If the calculated and received checksums do not match, an eπor in transmission has occuπed. Messages 500, 600 with eπors are discarded whereafter the headend 104 may send replacement messages 500, 600. The object header 604 includes attributes for the object message 600.
Included in the object header 604 are a header length, an object length, the object identifier, the software version, and a domain identifier. The header length and object length respectively indicate the lengths of the object header 604 and the object 608. As described above, the object identifier provides a unique code that allows attributing the authorization message 500 to the object message 600. The software version indicates the version of the object. Different cable TV providers are assigned domain identifiers such that all of the set top boxes 108, which might receive an object 608, can screen for objects 608 associated with their domain.
The object 608 includes content the system 100 is designed to deliver to set top boxes 108. Several types of information can be embedded in an object, such as executable programs, firmware upgrades, run-time programs (e.g., Java® or ActiveX®), programming schedules, billing information, video, audio, or data. The object 608 can be used immediately after authentication and authorization or at a later time. Additionally, authorization can be programmed to expire after a certain amount of time. Referring specifically to Fig. 7, the signatory group 700 is shown. This group 700 is comprised of parts of both the authorization message 500 and the object message 600. All the data used to calculate the signature 512 is included in the signatory group 700. Because the signature requires components from both the authorization message 500 and the object message 600, a failed signature check indicates one of the authorization message 500 and the software message 600 cannot be verified as originating from a trusted source. The trusted source is the cable TV provider that generated the signature 512.
Referring next to Fig. 8, an embodiment of a process for loading an object in a third security level is depicted. This embodiment authenticates the object before launch so that approval by the network operator is confirmed. In a first step 804, the controller 220 reads the authorization and object messages 500, 600 from the memory 228. The object message 600 is loaded into the ACP 240 in step 808 and the authorization message is loaded in step 812. Once both object and authorization messages 600, 500 are loaded, all the components of the signatory group 700 are available to the ACP 240. In step 816, the ACP 240 calculates the signature over the signatory group 700. The ACP 240 makes a determination in step 824 as to whether the signature 512 in the authorization message 500 matches the calculated signature. If there is a match, the object 608 is authorized and the object 608 is loaded into memory 228 by the OS and allowed to execute.
Alternatively, the ACP 240 discards the object 608 and notifies the OS of an eπor if the signatures do not match. A signature 512 mismatch could result from corruption during storage, a pirate replacing the object 608 or a virus corrupting the object 608.
With reference to Fig. 9, a flow diagram of an embodiment of a process for loading an object in a fourth security level is shown. This embodiment checks for authorization prior to launching the object 608. Similar to level one security explained above, this embodiment uses encryption to achieve the authorization check. In a first step 904, the object message 600 is written to the memory 228 in encrypted form. In some embodiments, the object message 600 is received from the network 208 in encrypted form such that an additional encryption step would be unnecessary.
When loading the object 608 is desired, the authorization and object messages 500, 600 are retrieved from the memory 228 in step 908. The authorization message 500 includes a key necessary to decrypt the object message 600. The key and the object message 600 are loaded into the ACP in step 912. The object 608 is decrypted in step 916. If the key used for decryption is not the one that is authorized for the object 608 the decryption process will be unsuccessful and the resulting product will be undecipherable. Alternatively, the plaintext object is returned to the OS for execution if the key is coπect in step 920. Referring next to Fig. 10, a flow diagram of another embodiment of a process for loading an object in the fourth security level is illustrated. In this embodiment, entitlements in the authorization message 500 are checked in order to confirm the object 608 is authorized before it is loaded. In step 1004, the authorization message 500 is read from the memory 228. Next, the controller 220 loads the authorization message 500 into the ACP 240 in step 1008.
Once the ACP 240 has the authorization message 500, the entitlement information therein is checked in step 1012. A determination is made in step 1016 as to whether the object 608 is authorized by checking the entitlement information. If the object 608 is authorized, it is loaded into memory by the OS and executed. Alternatively, the OS is notified of a failed authorization attempt and object 608 is discarded in step 1024 if there is no entitlement to use the object 608.
Although not express above, the authorization of level four is typically performed coincident with the authentication of level three and before an object 608 is loaded. Authorization is performed prior to authentication because authorization is a quicker process. After the performance of authentication and authorization, the status returned to the OS is NOT AUTHORIZED, AUTHORIZED BUT NOT AUTHENTICATED, or AUTHORIZED AND AUTHENTICATED.
With reference to Fig. 11, a flow diagram of an embodiment of a process for checking continuously running objects in a fifth security level is depicted. As can be appreciated, objects that are running should also be authenticated to be sure they haven't been replaced or modified. Additionally, verifying authorization periodically allows the expiration of an application that has been continuously running for a period of time. A predetermined period can be used or an unpredictably changing period can also be used. The process begins in step 1 104 where the object 608 is read from the memory 228. Before loading the object 608 it has a first signature, but after loading the object 608 into memory 228 the signature of the loaded object is different. As those skilled in the art appreciate, the addresses are translated from virtual addressing to physical addressing such that the signature changes. Accordingly, the signature is recalculated in step 1108 to produce a second signature indicative of the loaded object. It is noted, the object should be loaded and maintained in memory 228 in such a way that the second signature does not change. For example, the loaded object should not have self-modifying code such that the signature would change. The OS has checkpoints scheduled at regular intervals that trigger periodic authentication and authorization. In step 1112, the process waits for the next scheduled checkpoint. Typically, these scheduled checkpoints occur at least weekly or monthly. As cable TV services are paid monthly, checking for unauthorized continuously running applications after the billing cycle is desirable. Authentication and authorization is performed in step 1116 by loading the authorization message 500, loaded object and second signature into the ACP 240.
A determination is made in step 1120 as to whether the authentication and authorization performed in step 1116 were performed successfully. If successful, the process loops back to step 1112 where the process waits for the next checkpoint.
Alternatively, the object is removed from memory 228 and discarded when either the authorization or authentication checks fail. Preferably, the ACP 240 is the time source for determining the scheduled checkpoints. The ACP 240 is less susceptible to attacks that set the clock back to avoid expiration of authorization. Additionally, the ACP 240 does not run application software that could change the time and requires secure commands to change the time. Secure commands could use encryption or signatures to guarantee authenticity of any time changes.
Referring next to Fig. 12, a flow diagram of an embodiment of a process for allowing a free preview of an object is illustrated in security level six. As is well known in the art, users desire to try software before possibly purchasing it. Accordingly, the sixth level of security allows using the software for a period of time before a purchase is requested.
The process begins in step 1204 where the object 608 is retrieved from the memory 228. In step 1208, the object 608 is loaded into memory 228 whereafter execution is initiated. A countdown timer is begun in step 1212 that counts down to zero when the trial period ends. It is to be understood a count-up timer could also determine expiration of the trial period. The user samples the object 608 in step 1216 until the trial period ends. Completion of the sample period is determined in step 1220 by noting when the countdown timer reaches its lower bound or zero. The user is given the option to purchase the object 608 in step 1224. A purchase screen is formulated and presented to the user by the set top box 108 to prompt purchase of the object 608. If no purchase is selected, the object 608 is removed from memory 228 and discarded in step 1232. Alternatively, the object remains in memory and the entitlement information is updated to reflect the purchase in step 1228. Other embodiments could use crippled demonstration software that can run forever, but is missing crucial features present in the purchased version. If the user likes the crippled version, the user is likely to purchase the full version to get the missing crucial features. With reference to Fig. 13, an embodiment of a process for monitoring security checks in security level seven is depicted in flow diagram form. In this embodiment the ACP 240 shadows the OS to double-check that checkpoints are encountered regularly. The process begins in step 1304 where the time of the last OS checkpoint is recorded. Checkpoints are the predetermined places in the OS or other software that cause confirmation of authentication and/or authorization confirmations. Since the ACP 240 is typically involved in the authentication and authorization process, the ACP 240 can track execution of checkpoints. In step 1308, the countdown timer is started. We note once again that this counter could also count-up rather than down. In step 1312, a determination is made as to whether a checkpoint was observed by the ACP 240. If a checkpoint was observed, processing loops back to step 1304 where the countdown timer is reset so as to start again from the beginning.
Alternatively, a check of the timer is performed in step 1316 if no checkpoint is observed. If the counter has not expired, processing loops back to step 1312 to test once again for the observation of a checkpoint. When the timer does expire without reaching a checkpoint, processing continues to step 1320 where the ACP 240 reports an eπor back to the headend 104.
Although the above embodiment discusses testing for checkpoints on a single object 608, it is to be understood that testing for checkpoints may occur for each object 608 in the set top box 108 in the manner described above. Custom criteria may be designed for each object 608 in order to detect eπors in the execution of that object 608. Additionally, we note a trusted or secure operating system normally does not need an
ACP 240 to check for abeπant behavior. To thwart hackers, pirates, viruses, and memory eπors, checking for normal functioning of the operating system (i.e., check for regular checkpoints) adds an extra layer of security.
Referring next to Fig. 14, a flow diagram of an embodiment of a process for using tokens to achieve an eighth level of security is shown. This embodiment uses a ciphertext token to check authorization of an object 608. The ciphertext token is an encrypted portion of the object crucial to normal operation. Decryption of the ciphertext token produces a plaintext token that is inserted into the object 608 to allow proper execution. In step 1404, the process begins by encrypting a portion of the object to create a ciphertext token. The key needed to decrypt the ciphertext token is stored in the ACP 240 and coπelated to the object 608 in step 1408. The objects with embedded ciphertext tokens are written to the memory 228 in step 1412 where they wait for purchase. The process waits in step 1416 until the user purchases an object 608. In step 1418, the ciphertext token is removed from the object and sent to the ACP 240 for decryption. The resulting plaintext token is returned to the OS and integrated into the object 608 to make the object 608 functional in steps 1420 and 1424. By encrypting only a portion of the object 608 rather than the whole object 608, the decryption process is sped up.
The above discussion relates to running applications or objects 608 on an operating system. The concepts are equally applicable to Java™ applications rurining on a Java™ virtual machine (JNM). To aid in this abstraction, the concept of superordination and subordination are explained in relation to Fig. 15. Superordination and subordination define which object 608 has the responsibility to impose a checkpoint upon another object. Checkpoints are imposed on objects 608 during the normal interaction that occurs with other objects 608 and resources.
Referring specifically to Fig. 15, some of the objects 608 and resources in a set top box 108 are shown. Objects toward the bottom of Fig. 15 are superordinate to the objects near the top of Fig. 15. That is to say, objects toward the top of Fig. 15 are subordinate to those lower in the figure. Superordinate objects are responsible for imposing checkpoints on subordinate objects. For example, the hardware 1504 imposes checkpoints upon the BIOS 1508, OS 1512 and so on up the subordination hierarchy. The BIOS 1508 imposes checkpoints on the OS 1512, but not upon the hardware 1504. Objects in the same ordination stratum can impose a checkpoint on another object in that stratum when they interact. For example, an application 1516 can require execution of a checkpoint on a driver 1518.
Superordinate objects are designed to initiate execution of the checkpoints in conjunction with the ACP 240 and subordinate objects are designed to have checkpoints imposed upon them. For example, the BIOS 1508 requires execution of a checkpoint upon the OS 1512 during the boot process, during execution and/or periodically while running. A driver object 1518 is subject to checkpoints when installed or exercised during normal operation. Data file objects 1522 are subject to checkpoints whenever the data in the file is accessed. An HTML object 1528 is reviewed as part of a checkpoint whenever the HTML object 1528 is interpreted by a browser application 1516.
In light of the above description, a number of advantages of the present invention are readily apparent. Having multiple checkpoints that check authorization and/or authentication provides tighter security. With this added security, cable TV pirates are less likely to steal objects, viruses are less likely to go unnoticed and hackers are more likely to be detected.
A number of variations and modifications of the invention can also be used. For example, the above discussion talks of multiple levels of security. It is to be understood that the levels can be combined together to achieve the security goals of a particular system. Additionally, the above embodiments relate to cable TV providers, however, the principals are equally applicable to satellite TV systems, Internet service providers, computer systems, and other providers of content. The above embodiments discuss several pricing methods for objects.
Other embodiments could have one price on the first use and periodically require additional maintenance payments. Further, pricing could be per use with additional amounts per feature. For example, launching the email program is one price and printing each email adds an additional amount. Further still, videos could have a lifetime equal to just less than twice the running time to allow pausing and stopping playback, but not allow viewing the program two times. Video games could have a set lifetime of one hour or one day, for example.
Although the invention is described with reference to specific embodiments thereof, the embodiments are merely illustrative, and not limiting, of the invention, the scope of which is to be determined solely by the appended claims.

Claims

WHAT IS CLAIMED TS
1 A method for secunng information, the method compnsmg steps of receiving information, authenticating the information a first time, authoπzmg the information, stoπng the information, and authenticating the information a second time
2 The method for secunng information of claim 1 , the method further compnsmg a step of detecting an event that tnggers at least one of an authonzation check and an authentication check
3 The method for secunng information of claim 2, wherein the event is at least one of a checkpoint, an unpredictable peπod, a predetermined penod, and a predetermined schedule
4 The method for secunng information of claim 1 , wherein the information includes at least one of software, dnvers, firmware, video, audio, and data
5 The method for secunng information of claim 1, wherein the step of authenticating the information a first time includes authenticating the information after download, and the step of authenticating the information a second time includes authenticating the information before use of the information
6 The method for secunng information of claim 1, the method further compnsmg steps of retπevmg the information wherein the information compπses an application, authenticating the application, and niruung the application
7. The method for securing information of claim 6, wherein the step of authenticating the application includes decryption of at least a portion of the information.
8. The method for securing information of claim 1, further comprising steps of: receiving first authorization information; receiving second authorization information that replaces the first authorization information so as to extend authorization rights.
9. The method for securing information of claim 1 , the method further comprising steps of: identifying a checkpoint duπng application execution; and performing at least one of authentication and authorization in response to the uncovering step.
10. A content delivery system, comprising: a memory that stores content; a network port that receives content; and a plurality of checkpoints in software, wherein each piece of content is subject to at least two checkpoints.
11. The content delivery system of claim 10, wherein each of the plurality of checkpoints initiate at least one of authentication and authorization.
12. The content delivery system of claim 10, wherein the content comprises at least one of: software, drivers, firmware, video, audio, and data.
13. The content delivery system of claim 10, further comprising a content provider coupled to the network port.
14. The content delivery system of claim 10, further comprising an access control processor that performs at least one of the following: authentication and authorization.
15 A method for authenticating and authonzmg information, the method compnsmg steps of receiving information, authenticating the information, authonzmg the information, and running a process that checks at least one of authentication and authonzation
16 The method for authenticating and authonzmg info rmation of claim 15, the method further compnsmg a step of detecting an event that tnggers at least one of authonzation and authentication
17 The method for authenticating and authonzmg information of claim 16, wherein the event is at least one of a checkpoint, an unpredictable penod, a predetermined penod, and a predetermined schedule
18 The method for authenticating and authonzmg information of claim 15, wherein the step of authenticating the information includes decryption of at least a portion of the information
19 The method for authenticating and authonzmg information of claim 15, wherein the information includes at least one of software, dnvers, firmware, video, audio, and data
20 The method for authenticating and authoπzmg information of claim 15, further compnsmg steps of receiving first authonzation information, and receiving second authonzation information that replaces the first authonzation information so as to extend authonzation nghts
21 A method for authenticating and authonzmg content supplied to a conditional access set top box receivmg the content in the conditional access set top box, authenticating the content a first time withm the conditional access set top box, and authenticating the content a second time when the content is accessed within the conditional access set top box.
22. The method for authenticating and authorizing objects of claim 21, wherein the content comprises one of an object and a resource.
23. The method for authenticating and authorizing objects of claim 21 , wherein the conditional access set top box is integrated into an image displaying apparatus.
PCT/US2000/027632 1999-10-08 2000-10-06 Object and resource security system WO2001028232A1 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
CA002386984A CA2386984A1 (en) 1999-10-08 2000-10-06 Object and resource security system
KR1020027004530A KR20020038807A (en) 1999-10-08 2000-10-06 Object and resource security system
EP00970612A EP1222814A1 (en) 1999-10-08 2000-10-06 Object and resource security system
AU79965/00A AU7996500A (en) 1999-10-08 2000-10-06 Object and resource security system
JP2001529658A JP2003511772A (en) 1999-10-08 2000-10-06 Object and resource security system

Applications Claiming Priority (8)

Application Number Priority Date Filing Date Title
US15849199P 1999-10-08 1999-10-08
US60/158,491 1999-10-08
US16509499P 1999-11-12 1999-11-12
US60/165,094 1999-11-12
US17403799P 1999-12-30 1999-12-30
US60/174,037 1999-12-30
US58030300A 2000-05-26 2000-05-26
US09/580,303 2000-05-26

Publications (1)

Publication Number Publication Date
WO2001028232A1 true WO2001028232A1 (en) 2001-04-19

Family

ID=27496341

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/027632 WO2001028232A1 (en) 1999-10-08 2000-10-06 Object and resource security system

Country Status (7)

Country Link
EP (1) EP1222814A1 (en)
JP (1) JP2003511772A (en)
KR (1) KR20020038807A (en)
CN (1) CN1402935A (en)
AU (1) AU7996500A (en)
CA (1) CA2386984A1 (en)
WO (1) WO2001028232A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001093581A2 (en) * 2000-05-26 2001-12-06 General Instrument Corporation Authentication and/or authorization launch
FR2816783A1 (en) * 2000-11-10 2002-05-17 Guillaume Dubost Remote instantaneous transmission at 150 Mbytes per second of audio-visual data from a central point to an audio-visual data signal converter and display

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007226277A (en) * 2004-04-02 2007-09-06 Matsushita Electric Ind Co Ltd Method and apparatus for virtual machine alteration inspection
JP5098292B2 (en) * 2006-10-30 2012-12-12 株式会社日立製作所 Content decryption key extraction method and content reception device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0752786A1 (en) * 1995-07-07 1997-01-08 Thomson Consumer Electronics, Inc. Apparatus and method for authenticating transmitted applications in an interactive information system
US5912972A (en) * 1994-12-14 1999-06-15 Sony Corporation Method and apparatus for embedding authentication information within digital data
WO1999039504A1 (en) * 1998-01-29 1999-08-05 Intel Corporation Improved conditional access and content security method
EP0946019A1 (en) * 1998-03-25 1999-09-29 CANAL+ Société Anonyme Authentification of data in a digital transmission system
WO2000004727A2 (en) * 1998-07-14 2000-01-27 Koninklijke Philips Electronics N.V. Use of a watermark for the purpose of copy protection

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE69807807T2 (en) * 1997-01-27 2003-05-28 Koninkl Philips Electronics Nv METHOD AND DEVICE FOR TRANSMITTING CONTENT INFORMATION AND RELATED ADDITIONAL INFORMATION

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5912972A (en) * 1994-12-14 1999-06-15 Sony Corporation Method and apparatus for embedding authentication information within digital data
EP0752786A1 (en) * 1995-07-07 1997-01-08 Thomson Consumer Electronics, Inc. Apparatus and method for authenticating transmitted applications in an interactive information system
WO1999039504A1 (en) * 1998-01-29 1999-08-05 Intel Corporation Improved conditional access and content security method
EP0946019A1 (en) * 1998-03-25 1999-09-29 CANAL+ Société Anonyme Authentification of data in a digital transmission system
WO2000004727A2 (en) * 1998-07-14 2000-01-27 Koninklijke Philips Electronics N.V. Use of a watermark for the purpose of copy protection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP1222814A1 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001093581A2 (en) * 2000-05-26 2001-12-06 General Instrument Corporation Authentication and/or authorization launch
WO2001093581A3 (en) * 2000-05-26 2002-05-23 Gen Instrument Corp Authentication and/or authorization launch
US8356314B2 (en) 2000-05-26 2013-01-15 General Instrument Corporation Object and resource security system
FR2816783A1 (en) * 2000-11-10 2002-05-17 Guillaume Dubost Remote instantaneous transmission at 150 Mbytes per second of audio-visual data from a central point to an audio-visual data signal converter and display

Also Published As

Publication number Publication date
CA2386984A1 (en) 2001-04-19
AU7996500A (en) 2001-04-23
JP2003511772A (en) 2003-03-25
CN1402935A (en) 2003-03-12
KR20020038807A (en) 2002-05-23
EP1222814A1 (en) 2002-07-17

Similar Documents

Publication Publication Date Title
US8904424B2 (en) Object and resource security system
EP1228634B1 (en) Intrusion detection for object security
US20060020790A1 (en) Authorization using ciphertext tokens in a content receiver
EP1222814A1 (en) Object and resource security system
KR100679498B1 (en) Entitlements of objects and resources

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
ENP Entry into the national phase

Ref country code: JP

Ref document number: 2001 529658

Kind code of ref document: A

Format of ref document f/p: F

WWE Wipo information: entry into national phase

Ref document number: 2386984

Country of ref document: CA

Ref document number: 1020027004530

Country of ref document: KR

WWE Wipo information: entry into national phase

Ref document number: 2000970612

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 1020027004530

Country of ref document: KR

WWE Wipo information: entry into national phase

Ref document number: 008163316

Country of ref document: CN

WWP Wipo information: published in national office

Ref document number: 2000970612

Country of ref document: EP

WWW Wipo information: withdrawn in national office

Ref document number: 2000970612

Country of ref document: EP