WO2001095613A1 - A system to deliver encrypted access control information - Google Patents
A system to deliver encrypted access control information
- Publication number
- WO2001095613A1 (PCT/US2001/015811)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- cap
- time
- crypto
- periods
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/20—Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
- H04N21/25—Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
- H04N21/266—Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N7/00—Television systems
- H04N7/16—Analogue secrecy systems; Analogue subscription systems
- H04N7/167—Systems rendering the television signal unintelligible and subsequently intelligible
- H04N7/1675—Providing digital key or authorisation information for generation or regeneration of the scrambling sequence
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/20—Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
- H04N21/23—Processing of content or additional data; Elementary server operations; Server middleware
- H04N21/234—Processing of video elementary streams, e.g. splicing of video streams or manipulating encoded video stream scene graphs
- H04N21/2347—Processing of video elementary streams, e.g. splicing of video streams or manipulating encoded video stream scene graphs involving video stream encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/20—Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
- H04N21/25—Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
- H04N21/266—Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
- H04N21/26606—Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel for generating or managing entitlement messages, e.g. Entitlement Control Message [ECM] or Entitlement Management Message [EMM]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N21/00—Selective content distribution, e.g. interactive television or video on demand [VOD]
- H04N21/40—Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
- H04N21/45—Management operations performed by the client for facilitating the reception of or the interaction with the content or administrating data related to the end-user or to the client device itself, e.g. learning user preferences for recommending movies, resolving scheduling conflicts
- H04N21/462—Content or additional data management, e.g. creating a master electronic program guide from data received from the Internet and a Head-end, controlling the complexity of a video stream by scaling the resolution or bit-rate based on the client capabilities
- H04N21/4623—Processing of entitlement messages, e.g. ECM [Entitlement Control Message] or EMM [Entitlement Management Message]
Definitions
- the present invention relates to a system for sharing conditional access (CA) data, such as control words, between different conditional access systems.
- the CA data is used to encrypt access-controlled data that is subsequently decrypted and stored by an authorized terminal.
- the invention is used to provide CA data at a cable television headend in different formats to authorize corresponding groups of terminals to access encrypted programming services.
- Access to data that is provided to subscriber terminals must be strictly controlled to maintain the economic viability of subscriber networks, such as cable television networks. Accordingly, various schemes have been developed to encrypt the delivered data, e.g., using encryption schemes such as DES, and to provide associated CA data only to specific authorized terminals.
- the data is encrypted according to one or more cryptographic keys, and the CA data allows the authorized terminals to recover the key(s) to decrypt the data.
- the encryption keys may change often, such as every second or faster.
- the system should allow equipment from two or more CA providers to communicate with one another, e.g., at a common headend, to synchronize the delivery of the corresponding CA data.
- the system should be useful in any network that carries CA data, including a television network.
- the CA data should be delivered to the secondary CAPs with a sufficient lead time that is based, e.g., on a processing time requirement of the secondary CAPs.
- the system should allow delivery of the CA data to the secondary CAPs well ahead of time for later use, e.g., when the content is pre-encrypted and stored, then subsequently provided to a user terminal, such as in a video on demand service.
- the present invention provides a system for sharing CA data among any number of CA providers.
- a system for streaming encrypted control words and associated timing and program data from a primary (master) conditional access provider (CAP) to one or more secondary CAPs.
- CAP conditional access provider
- CA system scaling is superior to the request/response scheme that is typical of current practice, since a continuous stream of CA data for a current crypto-period and a number of future crypto-periods are provided in a "sliding window" to allow the secondary CAPs to begin preparing their respective CA data in advance.
- the invention can be used in any packet-based distribution system, including a broadband television network headend.
- the invention enables any number of conditional access providers (CAPs) to provide CA data in an associated format for at least one service (such as a television channel) of a data stream.
- CAPs conditional access providers
- the at least one secondary CAP is responsive to the first CA data and time data for providing second CA data in a different, second format for the successive crypto-periods.
- a data stream is provided that includes the at least one encrypted data service and first and second CA data to user terminals, including at least a first user terminal that is compatible with the first CA data, and a second user terminal that is compatible with the second CA data.
- FIG. 1 illustrates an architecture where CA data is distributed out-of-band from encrypted program data in accordance with the present invention.
- Data (e.g., program data) is provided via an input subsystem to an encryption subsystem 105, where the data is encrypted according to a control word (CW) provided from a first (master) conditional access provider (CAP-1) 110.
- the encrypted program data is provided via a path 145 to a CA message insertion subsystem 150, which optionally includes CA message accumulation, sync and content playback subsystem 152 for a non-real-time CA data delivery embodiment.
- the program data is pre-encrypted and stored, e.g., at a file server associated with the function 150, for subsequent playback to the terminals.
- the CA data is accumulated and synchronized with the program data. This arrangement may be used for a VOD system, for example.
- CA data for encrypting the entire program, such as a movie, may be provided from the primary CAP to the secondary CAPs prior to playback of the program to the terminals.
- the entire amount of encrypted program data is not stored since the CA data from the primary CAP is used in essentially real-time by the secondary CAPs to prepare their CA data, and the CA data from all the CAPs is forwarded to the terminals with minimal delay.
- three CAPs are shown as an example, but the invention is applicable to two or more CAPs.
- a program identifier P is optionally provided to the encryption subsystem so that the appropriate program to which the CA data applies may be identified.
- a separate identifier may not be required in some cases.
- the MPEG multiplex already identifies each program.
- CAP-1 thus provides the P, CW, T data (in an encrypted form) for K crypto-periods to secondary CAPs, namely CAP-2 115 and CAP-3 120, via a network or networks 130.
- CAP-2 115 and CAP-3 120 use the CWs at the designated times, and for the designated program, to provide CA data (e.g., entitlement messages such as MPEG ECMs) to the message insertion subsystem 150, via a network or networks 140.
- the network 140 is out-of-band from path 145.
- the message insertion subsystem 150 inserts the corresponding CA data into the data stream provided from the encryption subsystem 105, and outputs a corresponding stream via a delivery subsystem 155 to decryption subsystems associated with each of the CAPs.
- each subsystem may represent a group of terminals that are compatible with the associated CA format.
- FIG. 2 illustrates an architecture where CA data is distributed in-band with encrypted program data in accordance with the present invention.
- the encrypted program data and CA data are in-band with one another on paths 210 and 230.
- the program data is provided to a CAP-1 message insertion subsystem and a data encryption subsystem 205.
- (P,CW,T) data which includes the encrypted data CAP-1 CA data (CW)
- CAP-2 CA data is provided based on the (P,CW,T) data.
- the encrypted program data, CAP-1 CA data, CAP-2 CA data, and (P,CW,T) data are provided to a CAP-3 message insertion subsystem 245, where CAP-3 CA data is provided based on the (P,CW,T) data.
- An interface key negotiation network 250 allows the CAP-2 subsystem 225 and CAP-3 subsystem 245 to interact with the CAP-1 subsystem 205 to obtain data for decrypting the encrypted (P,CW,T) data.
- FIG. 3 illustrates the insertion of program identifier (P), control word (CW) and timing data (T) into packets during successive crypto-periods in accordance with the present invention.
- the packet 305 is provided from CAP-1 to CAP-2 and CAP-3 during crypto-period N (300).
- This packet 305 has a packet header, which may include the program identifier (P), followed by (CW, T) data for, e.g., crypto-periods N through N+14, as indicated by the sliding window 390.
- CRC data may be provided at the end of the packet 305.
- the packet 305 may be time-multiplexed with other packets, such as those containing program data for various programs in a multiplex, and may be repeated several times in a single crypto-period. This occurs since the packet rate corresponds to a period that is typically shorter than the crypto-period.
- the secondary CAPs receive (P, CW, T) data in advance of the crypto-period in which the data is to be encrypted under a given CW.
- the packet 305 provides CW data for epochs (crypto-periods) up until epoch 340 (whose start time is T_{N+14}) during epoch 300 (whose start time is T_N).
- the CAPs have a lead time of several crypto-periods to generate their CA data under the appropriate CW. Accordingly, processing delays of each CAP can be accommodated.
- this scheme enables system initialization to proceed smoothly, enabling each secondary CAP to begin outputting its CA data at the earliest possible crypto-period.
- the CA data of the primary and secondary CAPs is synchronized with the portions of the program data to which the CA data applies.
- the CA data from each CAP is played back and provided in synchronism with the encrypted program data.
- the (T) data may designate a crypto-period following some reference point of the program, such as the start of the program.
- the (T) data thus may designate a relative time rather than an absolute time.
- the (CW,T) data is accumulated and used by the secondary CAPs to prepare their CA data, which is subsequently stored for playback at the appropriate time with the encrypted program data.
- a memory may be provided at subsystems 152 or 252 for this non-real-time embodiment.
- FIG. 4 illustrates a cable television headend architecture in accordance with the present invention.
- a digital cable television or other broadband network headend 400 includes a CAP-1 controller 410 and a CAP-2 controller 455, which are configured to provide STAs (such as EMMs as known in the MPEG protocol) in respective different CA formats.
- only one secondary CAP is shown, although the invention may be extended to any number of secondary CAPs.
- the CAP-1 controller 410 also provides associated STAs to an OOB modulator 415, and the resulting modulated signal is provided to a headend combiner 435.
- the CAP-2 controller provides STAs in a corresponding format to an OOB modulator 450, and the resulting modulated signal is provided to the headend combiner 435.
- the headend combiner 435 outputs a signal to a terminal population via a conventional distribution network.
- the CAP-1 controller 410 also provides control, status and program control data (including the CWs) to a CAP-1 function 425, which includes a CA data encryptor and inserter, a program data encryptor, and a modulator.
- the CAP-1 function 425 may be implemented, e.g., as a module in a modular processing system.
- the CAP-1 function 425 can be configured with circuit cards for different functions, such as receiving a satellite signal, decrypting and extracting data, and so forth.
- the CAP-1 function 425 also receives a program data input, e.g., such as a satellite feed comprising video, audio, computer games and the like. This is the data that is to be access-controlled by the different CA systems.
- data may be provided from local programming sources or from a storage device.
- programming may be provided from a storage device in response to a subscriber request received via some upstream, out-of-band channel.
- the CAP-1 function 425 encrypts the input data stream according to the control, status and program control data to provide an encrypted output data stream "DS-out" containing encrypted in-band (CW, T) data to a CAP-2 CA data inserter 440.
- the CAP-2 CA data may comprise MPEG ECMs, for example.
- the CAP-1 function 425 also inserts its own CA data (in the CAP-1 format) into DS-out on packets identified by associated packet identifiers for this implementation. Generally, the secondary CAPs have no need for the CAP-1 CA data itself.
- the CAP-1 function 425 receives DS-in, modulates it (e.g., using QAM modulation), and provides it to an optional upconverter 430.
- the corresponding upconverted signal is then provided to the headend combiner 435 for distribution, e.g., via a cable network to a terminal population.
- DS-out conforms with the MPEG-2 or similar standard, and comprises a transport multiplex of, e.g., programs, and includes a PAT that lists PIDs that define each program. These are the PMT PIDs.
- the CAP-2 CA data inserter 440 comprises an analyzer that looks at the PAT, and finds the PID for a certain program, e.g., "HBO".
- the "HBO" data includes a PMT that has PIDs that define, e.g., video data for HBO, one or more channels of audio data for HBO, and ECM PIDs for HBO.
- the ECM PIDs are conveyed using the MPEG construct "CA_descriptor" within each encrypted service.
- the (CW, T) data in DS-out are delivered in ECM placeholder packets under the ECM PIDs for CAP-2.
- CA_descriptor indicates the location (PID value of transport packets) of ECM data associated with program elements when it is found in a TS PMT section. When found in a CA section, it refers to EMMs.
- the CAP-2 CA data inserter 440 may be responsive to interface key data received from the CAP-1 controller 410 via the router 420 using, e.g., a TCP/IP protocol. This key data may be used by the CAP-2 CA data inserter 440 to decrypt the encrypted (CW, T) data stream delivered on DS-out. Any shared key system may be used for this purpose.
- the router 420 acts as a firewall so that the CAP-2 system cannot recover other data from the CAP-1 system.
- the number of encrypted (CW,T) pairs that can be inserted in an MPEG transport stream packet in DS-out depends on a number of factors, including the available packet payload, CW size, and duration of the crypto-period.
- Table 1 shows an example available payload.
- MPEG packet size: 188 bytes; header: 4 bytes
- the number of (CW, T) pairs that can be sent in the available packet payload can be calculated based on the size of the data elements. For a DES-based implementation, using an eight byte control word, and a four byte activation time, it is possible to insert fifteen (CW, T) pairs in the available packet payload (180 bytes). Similar calculations for a triple DES based encryption scheme (Table 2) show that five (CW, T) pairs may be loaded in the useable packet payload, thus providing the CWs for the current and next four crypto-periods.
- a Diffie-Hellman key exchange protocol can support the interface encryption requirements.
- the same key can be used to encrypt all (CW,T) or (P,CW,T) packets on all CAP-2 CA PIDs within a multiplex, thus reducing computational requirements.
- the interface key need not change frequently, perhaps every six or twelve hours, which leads to an extremely low data rate requirement on this interface.
- an Ethernet port on the CAP-1 function 425 and a CAP-2 network LAN connection may be used for communication with the CAP-2 CA data inserter 440.
- the router 420 may be used to control network traffic between the CAP-1 and CAP-2 headend LANs, and to ensure that CAP-1 messages are not presented to the CAP-2 network, except for the messages addressed to the CAP-2 CA data inserter 440.
- the CAP-1 function 425 can be used to assign a destination address and TCP port for the CAP-2 CA data inserter 440.
- a time-out mechanism is desirable to ensure that the CAP-2 CA data inserter 440 is active and on-line.
- FIG. 5 illustrates a CAP-1 module configuration and signal flow in accordance with the present invention.
- An example configuration of the CAP-1 function 425 is shown as modules that include an L-band function 560 that receives the input data stream.
- a decrypt/extract function 562 decrypts and extracts the DS.
- a data encrypt function 564 re-encrypts the DS, e.g., according to the CAP-1 encryption scheme used by a local network provider.
- the data stream is a transport stream (TS) that includes multiple services
- TS transport stream
- each service of the TS e.g., 10-12 services per TS
- CW for each service is used to form corresponding CAP-1 CA data.
- the (P, CW, T) data is encrypted and inserted into the DS.
- the DS is provided as DS-out via an output interface 568 to the CAP-2 CA data inserter 440.
- DS-in is returned to the CAP-1 function 425 via an input interface 570, and provided to a modulator 572.
- a system controller 574 such as a CPU, and a power supply are also included in the CAP-1 function 425.
- the system controller 574 communicates with the other functions in the CAP-1 function 425 via a path 575 to coordinate and oversee their activities.
- the CAP-1 function 425 may be modified to process multiple streams concurrently, in which case the output function 568 and input function 570 communicate with an additional secondary CAP inserter for each additional stream (e.g., a CAP-3 inserter for a 3rd stream, and so forth).
- An additional modulator analogous to the modulator 572 may be provided for each additional stream.
- FIG. 6 illustrates a CAP-1 module configuration and signal flow with Packet Identifier (PID) filtering in accordance with the present invention.
- PID Packet Identifier
- a stream DS-out', which is a copy of DS-out, is retained by providing it from the output interface 568' to a buffer 605 that is associated with the input interface 570'.
- the input interface 570' also includes a combiner 610 and a packet filter 615.
- the packet filter (such as PID filter) 615 is established to pass only the CAP-2 CA data inserter's PIDs which are inserted into DS-in.
- the filtered data from the packet filter 610 is combined with the buffered data from the buffer 605.
- the buffer 605 is needed to temporarily store the data from DS-out' due primarily to processing delays associated with the CAP-2 CA data inserter 440.
- a stream comparison module is developed to address the concern of corruption of the transport stream.
- the stream comparison module is based on a modified input interface, and constantly performs a differential comparison between DS-out' and DS-in, while ignoring data on the assigned CAP-2 PIDs.
- This configuration can be realized by replacing the combiner 610 and packet filter 615 with an appropriate bit-wise comparison function. If a difference is detected between DS-out' and DS-in that is deemed to be significant (e.g., impacts the system), DS-out' can be passed through the input interface 570', thereby effectively bypassing DS-in, the corrupt stream.
- the packet filter 615 is believed to be simpler to implement and less computationally intensive than the comparison approach.
- the present invention provides a system for streaming encrypted CA data from a primary or master conditional access provider (CAP) to one or more secondary CAPs.
- there is no need for the secondary CAP to request the CWs on an as-needed basis.
- the CWs for a current crypto-period and a number of future crypto-periods are provided in a "sliding window" to allow the secondary CAP to begin preparing its CA data in advance.
- program data is pre-encrypted, and the CA data is accumulated and synchronized with the encrypted program data, e.g., at a file server, for subsequent recovery.
- the secondary CAPs must prepare their CA data for the synchronization.
- the CA data from the primary and secondary CAPs is delivered along with the program data in synchronism with the segments of the program data to which the CA data applies.
- the invention can be used in any packet-based distribution system, including virtual private networks such as an Ethernet, a SONET, and so forth.
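The sliding window of FIG. 3 and the lead-time requirement on the secondary CAPs can be seen in the following added example, which is not code from the patent. It uses the DES figures given above (eight byte CW, four byte activation time, 180 byte payload, fifteen pairs); the byte order, the tick unit of T, the `SecondaryCap` class and the sample schedule are assumptions, and the interface encryption of the (CW, T) data is left out.

```python
import bisect
import struct

PAYLOAD_SIZE = 180               # available packet payload stated on the page
PAIR = struct.Struct(">8sI")     # assumed layout: 8-byte CW, then 4-byte big-endian T
PAIRS_PER_PACKET = PAYLOAD_SIZE // PAIR.size   # fifteen (CW, T) pairs


def build_window(schedule, n):
    """Primary CAP: payload with (CW, T) for crypto-periods n .. n+14."""
    window = schedule[n:n + PAIRS_PER_PACKET]
    if len(window) < PAIRS_PER_PACKET:
        raise ValueError("schedule does not cover the whole window")
    return b"".join(PAIR.pack(cw, t) for cw, t in window)


def parse_window(payload):
    """Secondary CAP: recover the list of (CW, T) pairs from one payload."""
    if len(payload) != PAYLOAD_SIZE:
        raise ValueError("unexpected payload length")
    return [PAIR.unpack_from(payload, off)
            for off in range(0, PAYLOAD_SIZE, PAIR.size)]


class SecondaryCap:
    """Hypothetical secondary CAP that needs `processing_time` ticks of lead."""

    def __init__(self, processing_time):
        self.processing_time = processing_time
        self.prepared = {}       # activation time T -> CW with CA data prepared

    def ingest(self, payload, now):
        """Return the activation times newly scheduled from this packet."""
        newly = []
        for cw, t in parse_window(payload):
            if t in self.prepared:
                continue         # repeated packet or overlapping window
            if t - now < self.processing_time:
                continue         # not enough lead time left for this period
            self.prepared[t] = cw
            newly.append(t)
        return newly

    def cw_at(self, t):
        """CW of the prepared crypto-period active at time t, or None."""
        times = sorted(self.prepared)
        i = bisect.bisect_right(times, t)
        return self.prepared[times[i - 1]] if i else None


def constructed_schedule(periods=40, period_ticks=10):
    """Constructed sample data: CW i is the integer i, T is i * period_ticks."""
    return [(struct.pack(">Q", i), i * period_ticks) for i in range(periods)]


if __name__ == "__main__":
    schedule = constructed_schedule()
    cap = SecondaryCap(processing_time=25)
    print(cap.ingest(build_window(schedule, 0), now=0))    # first usable periods
    print(cap.ingest(build_window(schedule, 1), now=10))   # window slides by one
```

At start-up the secondary CAP skips only the periods that begin sooner than its processing time; after that each packet adds one new period at the far edge of the window.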
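The PID filter and the stream comparison described for FIG. 6 both keep the secondary inserter from altering anything outside its assigned PIDs; the following added example, which is not code from the patent, shows both on 188-byte MPEG transport packets. The PID values and streams are constructed, and the slot-for-slot alignment of DS-out' and DS-in, with CAP-2 packets accepted only into slots that held a placeholder on the same PID, is an assumption of this sketch.

```python
TS_PACKET_SIZE = 188   # MPEG transport packet size given on the page
SYNC_BYTE = 0x47       # MPEG-2 transport stream sync byte

VIDEO_PID, CAP1_ECM_PID, CAP2_ECM_PID = 0x100, 0x1F0, 0x1F1   # constructed values


def pid_of(packet):
    """Return the 13-bit PID from bytes 1-2 of a transport packet header."""
    if len(packet) != TS_PACKET_SIZE or packet[0] != SYNC_BYTE:
        raise ValueError("not a 188-byte TS packet with sync byte 0x47")
    return ((packet[1] & 0x1F) << 8) | packet[2]


def split_packets(stream):
    """Cut a byte string into 188-byte packets and validate every header."""
    if len(stream) % TS_PACKET_SIZE:
        raise ValueError("stream is not a whole number of TS packets")
    packets = [stream[i:i + TS_PACKET_SIZE]
               for i in range(0, len(stream), TS_PACKET_SIZE)]
    for packet in packets:
        pid_of(packet)
    return packets


def _aligned(ds_out_copy, ds_in):
    """Return (retained, returned) packet lists, or None if DS-in is unusable."""
    retained = split_packets(ds_out_copy)      # DS-out' is the trusted copy
    try:
        returned = split_packets(ds_in)
    except ValueError:
        return None
    return (retained, returned) if len(retained) == len(returned) else None


def filter_and_combine(ds_out_copy, ds_in, cap2_pids):
    """PID filter plus combiner: only CAP-2 PID packets are taken from DS-in."""
    pair = _aligned(ds_out_copy, ds_in)
    if pair is None:
        return ds_out_copy                     # nothing from DS-in can be trusted
    out = []
    for original, candidate in zip(*pair):
        pid = pid_of(candidate)
        # Assumption: the slot must have held a placeholder on the same PID.
        accept = pid in cap2_pids and pid_of(original) == pid
        out.append(candidate if accept else original)
    return b"".join(out)


def differs_outside_cap2(ds_out_copy, ds_in, cap2_pids):
    """Stream comparison: True if DS-in changed anything off the CAP-2 PIDs."""
    pair = _aligned(ds_out_copy, ds_in)
    if pair is None:
        return True
    for original, candidate in zip(*pair):
        if pid_of(original) in cap2_pids:
            if pid_of(candidate) != pid_of(original):
                return True                    # placeholder slot was re-labelled
        elif candidate != original:
            return True                        # protected packet was modified
    return False


def select_stream(ds_out_copy, ds_in, cap2_pids):
    """Comparison variant: bypass DS-in with DS-out' when a difference is found."""
    return ds_out_copy if differs_outside_cap2(ds_out_copy, ds_in, cap2_pids) else ds_in


def make_packet(pid, fill):
    """Constructed test packet: 4-byte header plus 184 identical payload bytes."""
    return bytes([SYNC_BYTE, (pid >> 8) & 0x1F, pid & 0xFF, 0x10]) + bytes([fill]) * 184


def constructed_streams():
    """Constructed DS-out', a clean DS-in, and a DS-in with a damaged video packet."""
    head = make_packet(VIDEO_PID, 0xAA)
    tail = make_packet(CAP1_ECM_PID, 0xC1)
    ds_out = head + make_packet(CAP2_ECM_PID, 0x00) + make_packet(VIDEO_PID, 0xBB) + tail
    good = head + make_packet(CAP2_ECM_PID, 0xE2) + make_packet(VIDEO_PID, 0xBB) + tail
    bad = head + make_packet(CAP2_ECM_PID, 0xE2) + make_packet(VIDEO_PID, 0xFF) + tail
    return ds_out, good, bad


if __name__ == "__main__":
    ds_out, good, bad = constructed_streams()
    cap2 = {CAP2_ECM_PID}
    print(filter_and_combine(ds_out, bad, cap2) == good)   # damage is discarded
    print(select_stream(ds_out, bad, cap2) == ds_out)      # DS-in is bypassed
```

The filter still delivers the CAP-2 CA data when DS-in is damaged elsewhere, while the comparison variant gives up the CAP-2 data for that span by falling back to DS-out'.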
Landscapes
- Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Multimedia (AREA)
- Databases & Information Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2001264624A AU2001264624A1 (en) | 2000-06-02 | 2001-05-16 | A system to deliver encrypted access control information |
EP01939062A EP1287683A1 (en) | 2000-06-02 | 2001-05-16 | A system to deliver encrypted access control information |
CA2410583A CA2410583C (en) | 2000-06-02 | 2001-05-16 | A system to deliver encrypted access control information |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/586,064 | 2000-06-02 | ||
US09/586,064 US6898285B1 (en) | 2000-06-02 | 2000-06-02 | System to deliver encrypted access control information to support interoperability between digital information processing/control equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2001095613A1 (en) | 2001-12-13 |
Family
ID=24344155
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2001/015811 WO2001095613A1 (en) | 2000-06-02 | 2001-05-16 | A system to deliver encrypted access control information |
Country Status (8)
Country | Link |
---|---|
US (1) | US6898285B1 (en) |
EP (1) | EP1287683A1 (en) |
KR (1) | KR20030007798A (en) |
CN (1) | CN1209904C (en) |
AU (1) | AU2001264624A1 (en) |
CA (1) | CA2410583C (en) |
TW (1) | TW525379B (en) |
WO (1) | WO2001095613A1 (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1304881A1 (en) * | 2001-10-15 | 2003-04-23 | Beta Research GmbH | Method and device for providing data |
FR2833121A1 (en) * | 2001-12-05 | 2003-06-06 | France Telecom | METHOD OF DISTRIBUTION OF SCRAPPED DIGITAL DATA ENCRYPTION KEYS |
EP1887729A2 (en) | 2006-03-21 | 2008-02-13 | Irdeto Access B.V. | Method of providing an encrypted data stream |
CN100379270C (en) * | 2003-05-20 | 2008-04-02 | 三星电子株式会社 | Scramble release device for scrambled digital broadcasting streams in broadcasting communication convergence system |
WO2009102923A2 (en) * | 2008-02-15 | 2009-08-20 | Qualcomm Incorporated | Methods and apparatus for conditional access of non real-time content in a distribution system |
WO2011138333A1 (en) * | 2010-05-04 | 2011-11-10 | Viaccess | Methods for decrypting, transmitting and receiving control words, recording medium and control word server for implementing said methods |
KR101180185B1 (en) * | 2004-04-22 | 2012-09-05 | 나그라비젼 에스에이 | Method for processing contents intended for broadcasting |
EP1436984B2 (en) † | 2001-10-18 | 2018-05-30 | Rovi Solutions Corporation | Systems and methods for providing digital rights management compatibility |
CN109792384A (en) * | 2016-10-03 | 2019-05-21 | 日本电气株式会社 | Communication equipment, communication means, communication system and recording medium |
Families Citing this family (52)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7391865B2 (en) | 1999-09-20 | 2008-06-24 | Security First Corporation | Secure data parser method and system |
MXPA02007179A (en) * | 2000-01-28 | 2002-12-13 | Nagracard Sa | Method and system for transmission of decrypting information. |
US7257227B2 (en) * | 2000-10-26 | 2007-08-14 | General Instrument Corporation | System for denying access to content generated by a compromised off line encryption device and for conveying cryptographic keys from multiple conditional access systems |
US20020129280A1 (en) * | 2001-01-29 | 2002-09-12 | Enjoyweb, Inc. | Method, apparatus, and system for distributing compressed digital media in a secured manner |
US9100457B2 (en) | 2001-03-28 | 2015-08-04 | Qualcomm Incorporated | Method and apparatus for transmission framing in a wireless communication system |
US8121296B2 (en) | 2001-03-28 | 2012-02-21 | Qualcomm Incorporated | Method and apparatus for security in a data processing system |
US8077679B2 (en) | 2001-03-28 | 2011-12-13 | Qualcomm Incorporated | Method and apparatus for providing protocol options in a wireless communication system |
US7895616B2 (en) * | 2001-06-06 | 2011-02-22 | Sony Corporation | Reconstitution of program streams split across multiple packet identifiers |
US20060159264A1 (en) * | 2001-07-03 | 2006-07-20 | Chen Annie O | System for denying access to content generated by a compromised off line encryption device and for conveying cryptographic keys from multiple conditional access systems |
US7352868B2 (en) | 2001-10-09 | 2008-04-01 | Philip Hawkes | Method and apparatus for security in a data processing system |
US7649829B2 (en) | 2001-10-12 | 2010-01-19 | Qualcomm Incorporated | Method and system for reduction of decoding complexity in a communication system |
US7644136B2 (en) * | 2001-11-28 | 2010-01-05 | Interactive Content Engines, Llc. | Virtual file system |
US7788396B2 (en) | 2001-11-28 | 2010-08-31 | Interactive Content Engines, Llc | Synchronized data transfer system |
US7437472B2 (en) * | 2001-11-28 | 2008-10-14 | Interactive Content Engines, Llc. | Interactive broadband server system |
US20050025312A1 (en) * | 2002-01-14 | 2005-02-03 | Rijkaert Albert Maria Arnold | Distribution of encrypted information |
US8218768B2 (en) * | 2002-01-14 | 2012-07-10 | Qualcomm Incorporated | Cryptosync design for a wireless communication system |
AU2002367373A1 (en) * | 2002-01-14 | 2003-07-24 | Koninklijke Philips Electronics N.V. | System for providing time dependent conditional access |
US7457312B2 (en) * | 2002-06-19 | 2008-11-25 | Microsoft Corporation | Bandwidth sharing in advanced streaming format |
US7290057B2 (en) * | 2002-08-20 | 2007-10-30 | Microsoft Corporation | Media streaming of web content data |
FR2845545B1 (en) * | 2002-10-07 | 2005-02-04 | Alstom | SECURITY EXCHANGE METHOD OF INFORMATION MESSAGES |
JP4390710B2 (en) * | 2002-11-27 | 2009-12-24 | アールジービー・ネットワークス・インコーポレイテッド | Method and apparatus for time multiplexed processing of multiple digital video programs |
US7599655B2 (en) | 2003-01-02 | 2009-10-06 | Qualcomm Incorporated | Method and apparatus for broadcast services in a communication system |
EP1616401A4 (en) * | 2003-04-21 | 2012-01-04 | Rgb Networks Inc | Time-multiplexed multi-program encryption system |
US7398544B2 (en) * | 2003-05-12 | 2008-07-08 | Sony Corporation | Configurable cableCARD |
US8098818B2 (en) | 2003-07-07 | 2012-01-17 | Qualcomm Incorporated | Secure registration for a multicast-broadcast-multimedia system (MBMS) |
US8718279B2 (en) | 2003-07-08 | 2014-05-06 | Qualcomm Incorporated | Apparatus and method for a secure broadcast system |
CA2537293C (en) | 2003-08-29 | 2014-04-01 | Rgb Networks, Inc. | Advanced, adaptive video multiplexer system |
US8724803B2 (en) | 2003-09-02 | 2014-05-13 | Qualcomm Incorporated | Method and apparatus for providing authenticated challenges for broadcast-multicast communications in a communication system |
JP2005149129A (en) * | 2003-11-14 | 2005-06-09 | Sony Corp | Method for managing license, information processor and method, and program |
FR2871017B1 (en) * | 2004-05-28 | 2008-02-29 | Viaccess Sa | METHOD FOR DIFFUSION OF DIGITAL DATA TO A PARK OF TARGET RECEIVING TERMINALS |
CN100384251C (en) * | 2004-08-02 | 2008-04-23 | 华为技术有限公司 | User authorization method and its authorization system |
US20060031873A1 (en) * | 2004-08-09 | 2006-02-09 | Comcast Cable Holdings, Llc | System and method for reduced hierarchy key management |
EP1825412A1 (en) | 2004-10-25 | 2007-08-29 | Rick L. Orsini | Secure data parser method and system |
KR20060061219A (en) * | 2004-12-01 | 2006-06-07 | 주식회사 비에스텍 | Encryption processor |
US8099369B2 (en) * | 2004-12-08 | 2012-01-17 | Ngna, Llc | Method and system for securing content in media systems |
US7383438B2 (en) * | 2004-12-18 | 2008-06-03 | Comcast Cable Holdings, Llc | System and method for secure conditional access download and reconfiguration |
US7933410B2 (en) * | 2005-02-16 | 2011-04-26 | Comcast Cable Holdings, Llc | System and method for a variable key ladder |
US20060200412A1 (en) * | 2005-02-23 | 2006-09-07 | Comcast Cable Holdings, Llc | System and method for DRM regional and timezone key management |
EP1742475A1 (en) * | 2005-07-07 | 2007-01-10 | Nagravision S.A. | Method to control access to enciphered data |
BRPI0618725A2 (en) | 2005-11-18 | 2011-09-06 | Rick L Orsini | secure data analyzer method and system |
FR2894757B1 (en) * | 2005-12-13 | 2008-05-09 | Viaccess Sa | METHOD FOR CONTROLLING ACCESS TO A RUBBER CONTENT |
CN100525434C (en) * | 2005-12-31 | 2009-08-05 | 华为技术有限公司 | Method for granting power to user in receiving system under digital TV condition |
RU2339077C1 (en) | 2007-03-13 | 2008-11-20 | Олег Вениаминович Сахаров | Method of operating conditional access system for application in computer networks and system for its realisation |
US7934083B2 (en) * | 2007-09-14 | 2011-04-26 | Kevin Norman Taylor | Configurable access kernel |
US8401191B2 (en) | 2008-01-24 | 2013-03-19 | Qualcomm Incorporated | Efficient broadcast entitlement management message delivery mechanism using a scheduled delivery window |
WO2010006290A1 (en) * | 2008-07-10 | 2010-01-14 | Verimatrix, Inc. | Video on demand simulcrypt |
WO2011064613A1 (en) * | 2009-11-25 | 2011-06-03 | Serela | Card sharing countermeasures |
EP2334069A1 (en) * | 2009-12-11 | 2011-06-15 | Irdeto Access B.V. | Providing control words to a receiver |
US11349699B2 (en) * | 2012-08-14 | 2022-05-31 | Netflix, Inc. | Speculative pre-authorization of encrypted data streams |
CN103780961B (en) * | 2012-10-19 | 2017-10-24 | 华为终端有限公司 | A kind of guard method of data message and equipment |
US10375030B2 (en) | 2016-06-24 | 2019-08-06 | Combined Conditional Access Development & Support | Initialization encryption for streaming content |
US20240037043A1 (en) * | 2022-07-29 | 2024-02-01 | Dell Products, L.P. | End-to-end efficient encryption with security chaining |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1999053689A1 (en) * | 1998-04-15 | 1999-10-21 | Digital Video Express, L.P. | Conditional access via secure logging with simplified key management |
WO1999057889A1 (en) * | 1998-05-06 | 1999-11-11 | Sony Electronics, Inc. | Communication network |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5619501A (en) * | 1994-04-22 | 1997-04-08 | Thomson Consumer Electronics, Inc. | Conditional access filter as for a packet video signal inverse transport system |
US5796829A (en) | 1994-09-09 | 1998-08-18 | The Titan Corporation | Conditional access system |
US5944794A (en) * | 1994-09-30 | 1999-08-31 | Kabushiki Kaisha Toshiba | User identification data management scheme for networking computer systems using wide area network |
US6157719A (en) * | 1995-04-03 | 2000-12-05 | Scientific-Atlanta, Inc. | Conditional access system |
US5875396A (en) * | 1995-11-13 | 1999-02-23 | Wytec, Incorporated | Multichannel radio frequency transmission system to deliver wideband digital data into independent sectorized service areas |
US5872588A (en) * | 1995-12-06 | 1999-02-16 | International Business Machines Corporation | Method and apparatus for monitoring audio-visual materials presented to a subscriber |
US5805705A (en) | 1996-01-29 | 1998-09-08 | International Business Machines Corporation | Synchronization of encryption/decryption keys in a data communication network |
US6028933A (en) * | 1997-04-17 | 2000-02-22 | Lucent Technologies Inc. | Encrypting method and apparatus enabling multiple access for multiple services and multiple transmission modes over a broadband communication network |
BR9815610A (en) * | 1997-08-01 | 2004-06-22 | Scientific Atlanta | Verification of program information source in conditional access system |
US6415031B1 (en) * | 1999-03-12 | 2002-07-02 | Diva Systems Corporation | Selective and renewable encryption for secure distribution of video on-demand |
US6229895B1 (en) * | 1999-03-12 | 2001-05-08 | Diva Systems Corp. | Secure distribution of video on-demand |
US6577621B1 (en) * | 1999-06-22 | 2003-06-10 | Ericsson Inc. | System and method for providing high-speed local telecommunications access |
US6590981B2 (en) * | 2000-02-22 | 2003-07-08 | Zyfer, Inc. | System and method for secure cryptographic communications |
2000
- 2000-06-02 US US09/586,064 patent/US6898285B1/en not_active Expired - Lifetime
2001
- 2001-05-16 KR KR1020027016305A patent/KR20030007798A/en not_active Application Discontinuation
- 2001-05-16 CA CA2410583A patent/CA2410583C/en not_active Expired - Fee Related
- 2001-05-16 CN CNB018136095A patent/CN1209904C/en not_active Expired - Lifetime
- 2001-05-16 AU AU2001264624A patent/AU2001264624A1/en not_active Abandoned
- 2001-05-16 EP EP01939062A patent/EP1287683A1/en not_active Withdrawn
- 2001-05-16 WO PCT/US2001/015811 patent/WO2001095613A1/en active Application Filing
- 2001-05-25 TW TW090112657A patent/TW525379B/en not_active IP Right Cessation
Non-Patent Citations (1)
Title |
---|
"FUNCTIONAL MODEL OF A CONDITIONAL ACCESS SYSTEM", EBU REVIEW- TECHNICAL, EUROPEAN BROADCASTING UNION. BRUSSELS, BE, no. 266, 21 December 1995 (1995-12-21), pages 64 - 77, XP000559450, ISSN: 0251-0936 * |
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1304881A1 (en) * | 2001-10-15 | 2003-04-23 | Beta Research GmbH | Method and device for providing data |
EP1436984B2 (en) † | 2001-10-18 | 2018-05-30 | Rovi Solutions Corporation | Systems and methods for providing digital rights management compatibility |
FR2833121A1 (en) * | 2001-12-05 | 2003-06-06 | France Telecom | METHOD OF DISTRIBUTION OF SCRAPPED DIGITAL DATA ENCRYPTION KEYS |
WO2003049442A1 (en) * | 2001-12-05 | 2003-06-12 | France Telecom | Method for distributing scrambled digital data decryption keys |
US7693281B2 (en) | 2001-12-05 | 2010-04-06 | France Telecom | Method for distributing scrambled digital data decryption keys |
CN100379270C (en) * | 2003-05-20 | 2008-04-02 | 三星电子株式会社 | Scramble release device for scrambled digital broadcasting streams in broadcasting communication convergence system |
KR101180185B1 (en) * | 2004-04-22 | 2012-09-05 | 나그라비젼 에스에이 | Method for processing contents intended for broadcasting |
EP1887729A2 (en) | 2006-03-21 | 2008-02-13 | Irdeto Access B.V. | Method of providing an encrypted data stream |
EP1887729A3 (en) * | 2006-03-21 | 2011-07-13 | Irdeto Access B.V. | Method of providing an encrypted data stream |
US8498412B2 (en) | 2006-03-21 | 2013-07-30 | Irdeto B.V. | Method of providing an encrypted data stream |
US8819843B2 (en) | 2008-02-15 | 2014-08-26 | Qualcomm Incorporated | Methods and apparatus for conditional access of non real-time content in a distribution system |
KR101323230B1 (en) | 2008-02-15 | 2013-11-21 | 퀄컴 인코포레이티드 | Methods and apparatus for conditional access of non real-time content in a distribution system |
WO2009102923A3 (en) * | 2008-02-15 | 2009-11-19 | Qualcomm Incorporated | Methods and apparatus for conditional access of non real-time content in a distribution system |
WO2009102923A2 (en) * | 2008-02-15 | 2009-08-20 | Qualcomm Incorporated | Methods and apparatus for conditional access of non real-time content in a distribution system |
FR2959905A1 (en) * | 2010-05-04 | 2011-11-11 | Viaccess Sa | METHOD OF DETECTING, TRANSMITTING AND RECEIVING CONTROL WORDS, RECORDING MEDIUM AND SERVER OF CONTROL WORDS FOR CARRYING OUT SAID METHODS |
WO2011138333A1 (en) * | 2010-05-04 | 2011-11-10 | Viaccess | Methods for decrypting, transmitting and receiving control words, recording medium and control word server for implementing said methods |
US8804965B2 (en) | 2010-05-04 | 2014-08-12 | Viaccess | Methods for decrypting, transmitting and receiving control words, recording medium and control word server to implement these methods |
CN109792384A (en) * | 2016-10-03 | 2019-05-21 | 日本电气株式会社 | Communication equipment, communication means, communication system and recording medium |
EP3522442A4 (en) * | 2016-10-03 | 2019-09-04 | Nec Corporation | Communication device, communication method, communication system, and recording medium |
US11101998B2 (en) | 2016-10-03 | 2021-08-24 | Nec Corporation | Communication device, communication method, and recording medium |
CN109792384B (en) * | 2016-10-03 | 2022-03-29 | 日本电气株式会社 | Communication apparatus, communication method, and recording medium |
Also Published As
Publication number | Publication date |
---|---|
CA2410583A1 (en) | 2001-12-13 |
EP1287683A1 (en) | 2003-03-05 |
CA2410583C (en) | 2010-08-10 |
AU2001264624A1 (en) | 2001-12-17 |
TW525379B (en) | 2003-03-21 |
KR20030007798A (en) | 2003-01-23 |
CN1444826A (en) | 2003-09-24 |
CN1209904C (en) | 2005-07-06 |
US6898285B1 (en) | 2005-05-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2410583C (en) | A system to deliver encrypted access control information | |
US6424714B1 (en) | Method and apparatus for providing conditional access in connection-oriented interactive networks with a multiplicity of service providers | |
KR100666438B1 (en) | Scrambling Unit For a Digital Transmission System | |
EP0872077B1 (en) | Method and apparatus for providing conditional access in connection-oriented, interactive networks with a multiplicity of service providers | |
US7298846B2 (en) | Method of identifying multiple digital streams within a multiplexed signal | |
KR100684056B1 (en) | Synchronisation of decryption keys in a data packet transmission system | |
KR101244312B1 (en) | Method of controlling communication between a head-end system and a plurality of client systems | |
US20060190403A1 (en) | Method and Apparatus for Content Protection and Copyright Management in Digital Video Distribution | |
US20030002577A1 (en) | In a subscriber network receiving digital packets and transmitting digital packets below a predetermined maximum bit rate | |
EP2373019A1 (en) | Secure descrambling of an audio / video data stream | |
JP2007525051A6 (en) | Thin DOCSIS in-band management for interactive HFC service delivery | |
JP2007525051A (en) | Thin DOCSIS in-band management for interactive HFC service delivery | |
WO2007022033A1 (en) | Protecting elementary stream content | |
EP2230845A1 (en) | Providing control words to a receiver | |
US7949133B2 (en) | Controlled cryptoperiod timing to reduce decoder processing load | |
US20110311044A1 (en) | Providing control words to a receiver | |
WO2016189105A1 (en) | Management of broadcast encrypted digital multimedia data receivers | |
JP2002536888A (en) | Transmission system | |
JPH10290222A (en) | Information decoder, its method and information transmitter-receiver | |
KR101552958B1 (en) | System and method for providing video conference using conditional access system | |
JPH10190646A (en) | Security information distribution method, receiving device and transmitting device in digital network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states | Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
AL | Designated countries for regional patents | Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
WWE | Wipo information: entry into national phase | Ref document number: 2410583 Country of ref document: CA |
WWE | Wipo information: entry into national phase | Ref document number: 1020027016305 Country of ref document: KR |
REEP | Request for entry into the european phase | Ref document number: 2001939062 Country of ref document: EP |
WWE | Wipo information: entry into national phase | Ref document number: 2001939062 Country of ref document: EP |
WWP | Wipo information: published in national office | Ref document number: 1020027016305 Country of ref document: KR |
WWE | Wipo information: entry into national phase | Ref document number: 018136095 Country of ref document: CN |
WWP | Wipo information: published in national office | Ref document number: 2001939062 Country of ref document: EP |
NENP | Non-entry into the national phase | Ref country code: JP |