WO2003039067A1 - Procede et appareil pour le chiffrement de paquets de trains de donnees multimedia, dynamiquement ou statiquement au moyen d'un mandataire et d'un pre-processeur - Google Patents

Procede et appareil pour le chiffrement de paquets de trains de donnees multimedia, dynamiquement ou statiquement au moyen d'un mandataire et d'un pre-processeur Download PDF

Info

Publication number
WO2003039067A1
WO2003039067A1 PCT/SE2002/001830 SE0201830W WO03039067A1 WO 2003039067 A1 WO2003039067 A1 WO 2003039067A1 SE 0201830 W SE0201830 W SE 0201830W WO 03039067 A1 WO03039067 A1 WO 03039067A1
Authority
WO
WIPO (PCT)
Prior art keywords
encryption
packets
media stream
proxy
encrypted
Prior art date
Application number
PCT/SE2002/001830
Other languages
English (en)
Inventor
Henrik Carlsson
Dag Helstad
Christer ÖSTERLIND
Tomas Sparr
Original Assignee
Kreatel Communications Ab
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Kreatel Communications Ab filed Critical Kreatel Communications Ab
Publication of WO2003039067A1 publication Critical patent/WO2003039067A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/76Proxy, i.e. using intermediary entity to perform cryptographic operations

Definitions

  • the present invention relates to a method defined in the preamble of claim 1.
  • the present invention also relates to an apparatus defined in the preamble of claim 5.
  • DVB-CA Digital Video Broadcasting
  • the decryption uses a separate processing unit on a smart card, which makes the decryption expensive.
  • One object of the present invention is to provide such an improved method and apparatus, which has configurable requirements on CPU utilisation on both the client and the server, and which is built on open standards.
  • this object is accomplished by providing a method and apparatus as defined in the characterising parts of the independent claims 1 and 5.
  • Fig 1 is a block diagram of an encryption system
  • Fig 2 is a flowchart showing the steps performed when the media stream is encrypted.
  • the media stream is a Moving Picture Experts Group Transport Stream (MPEG-2 TS), which refers to the family of digital video compression standards and file formats developed by this group.
  • MPEG-2 TS Moving Picture Experts Group Transport Stream
  • MPEG-2 TS achieves high compression rate by for most of the frames storing only the changes from one frame to another instead of each entire frame.
  • MP3 MPEG-1 Audio Layer-3
  • MPEG-2 PS MPEG-2 Packet Stream
  • a content protection pre-processor is represented by 1.
  • the pre-processor 1 is connected to a database 6 from which it gets the MPEG-2 TS to process.
  • a server 2 connected to an encryption proxy 3 gets the pre-processed MPEG-2 TS from the database 6.
  • the pre-processor 1 and the encryption proxy 3 are both connected to an encryption scheme 5, from which they get information concerning the encryption.
  • a client 4 communicates with the encryption proxy 3 over a network 1, e.g. Internet.
  • Fig 1 illustrates one example of the architecture of the encryption system. The person skilled in the art understands, however, that any other constellation of the parts in the system is possible.
  • some TS packets are statically, e.g. on disk, encrypted and some are dynamically, real time, encrypted.
  • the static encryption can e.g. be done by the content owner before delivering the content to operators, which reduces the risk of "in-house theft" at the operator site.
  • the pre-processor 1 analyses the MPEG-2 TS and selects the TS packets which are to be statically encrypted, encrypts these and marks at the same time the TS packets which are to be dynamically encrypted. This processing is performed only once per title, e.g. once per film when the media stream is a video stream and once per audio track when the media stream is an audio stream.
  • the encryption proxy 3 encrypts the TS packages marked by the pre-processor 1 for dynamic encryption.
  • the dynamic encryption is, however, performed once per session. This means that even if the static encryption is cracked, watching e.g. a movie is made impossible by the dynamic encryption.
  • the encryption scheme 5 contains all necessary information the pre-processor 1 and the encryption proxy 3 need in order to perform the encryption of the media stream.
  • the content owner supplies the information stored in the encryption scheme 5.
  • Typical information in the encryption scheme 5 is what and when to encrypt and what algorithm to use.
  • the combination of the pre-processor 1 and the encryption proxy 3 makes the inventive system flexible, with full control over what to encrypt and when (static or dynamic).
  • the system can e.g. be optimised for a low CPU usage, high security or low cost etc.
  • the flexibility of the system lead to that different kinds of encryption algorithms may be used, in which all packets, some packets or no packets at all can be encrypted.
  • the pre-processor 1 marks the packets (a sub set of the total number of packets) to encrypt dynamically meaning that not all encryption need to be done in real time, there are small requirements on CPU utilisation on the host running the encryption proxy 3. The requirements on CPU are configurable through the encryption scheme 5.
  • the server 2 stores the pre-processed MPEG-2 TS and creates indices.
  • the server 2 is a Video-on-Demand (VoD) server.
  • NoD gives a user the possibility to order a movie or other program content for immediate viewing on e.g. the TN.
  • the client 4 e.g. a Set-Top-Box (STB) client, comprises a web browser allowing the user to choose e.g. a movie.
  • STB Set-Top-Box
  • the client 4 then orders the chosen movie from the NoD server 2 via the encryption proxy 3. Since the encryption proxy 3 handles all communication with the client, the inventive system is independent of the server.
  • the preferred embodiment of the inventive method is based on the MPEG-2 standard for scrambling encryption of TS packet content.
  • the type of encryption used is fully configurable and a matter of agreement between the client 4 and the encryption proxy 3.
  • the client 4 and the encryption proxy 3 negotiate about a set of encryption algorithms to use among multiple encryption algorithms.
  • a two-bit bit field "transport scrambling control" in the TS header is used to indicate which kind of encryption that is used within the set of encryption algorithms according to the agreement between the client 4 and the encryption proxy 3. Multiple sets of mappings between transport scrambling control values and encryption algorithms may be supported.
  • the client 4 gets the information of which set to use from the (URL) accessed or from the ticket received when ordering the NoD.
  • the inventive method is applicable on all kinds of decryption key distributions.
  • the client 4 may negotiate with the encryption proxy 3 about what key distribution to use and how many packets which are to be dynamically encrypted by the encryption proxy 3.
  • the client 4 may e.g. request encryption of only a subset of the packets marked for dynamic encryption due to small CPU resources.
  • the encryption proxy 3 can, however, deny such a request for less encryption.
  • the negotiation between the client 4 and the encryption proxy 3 may be encrypted in order to obtain a high security level.
  • Another alternative is to use an encryption algorithm in the encryption scheme 5 that is adapted to certain kinds of clients, e.g. encrypt as few packets as possible (usually around 1/10) in order to reduce the CPU load of the client.
  • a preferred embodiment of the present invention is shown in fig 2 and the procedure for encrypting an MPEG-2 transport stream is as follows:
  • the pre-processor 1 analyses the MPEG-2 TS 6 and selects the TS packets for static and dynamic encryption according to the information in the encryption scheme 5 (step 21).
  • the packets selected for static encryption are encrypted at once, while the packets selected for dynamic encryption only are marked by the pre-processor 1 ;
  • the server 2 stores the pre-processed TS on its format (step 22).
  • the stored, partly encrypted, TS is streamed to the encryption proxy 3 (step 23).
  • the request is initiated by e.g. a user choosing a movie from a web page.
  • the client 4 and the encryption proxy 3 negotiate about which encryption set to use, before the TS is streamed to the encryption proxy 3;
  • the encryption proxy 3 encrypts the TS packets marked for dynamic encryption by the pre-processor 1, which, however, may be modified according to the negotiation between the client 4 and the encryption proxy 3 (step 24). The encryption proxy 3 then streams the encrypted TS on to the client 4 over the network 7 (step 25);
  • the client 4 decrypts all encrypted packets (step 26).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Procédé et appareil pour le chiffrement d'un train de données multimédia envoyé par un serveur (2), par l'intermédiaire d'un mandataire de chiffrement (3), à un client (4), connecté au mandataire de chiffrement (3) sur un réseau (7), les paquets du train de données multimédia étant chiffrés statiquement par un pré-processeur (1) ou dynamiquement par le mandataire de chiffrement (3). Le pré-processeur (1) sélectionne les paquets du train de données multimédia qui sont chiffrés statiquement et les paquets qui doivent être chiffrés dynamiquement tel que défini dans un mécanisme de chiffrement (5).
PCT/SE2002/001830 2001-11-01 2002-10-09 Procede et appareil pour le chiffrement de paquets de trains de donnees multimedia, dynamiquement ou statiquement au moyen d'un mandataire et d'un pre-processeur WO2003039067A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SE0103623-5 2001-11-01
SE0103623A SE521906C2 (sv) 2001-11-01 2001-11-01 Metod och anordning för kryptering av multimediainnehåll

Publications (1)

Publication Number Publication Date
WO2003039067A1 true WO2003039067A1 (fr) 2003-05-08

Family

ID=20285829

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2002/001830 WO2003039067A1 (fr) 2001-11-01 2002-10-09 Procede et appareil pour le chiffrement de paquets de trains de donnees multimedia, dynamiquement ou statiquement au moyen d'un mandataire et d'un pre-processeur

Country Status (2)

Country Link
SE (1) SE521906C2 (fr)
WO (1) WO2003039067A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999048296A1 (fr) * 1998-03-16 1999-09-23 Intertrust Technologies Corporation Procedes et appareil de commande et de protection continues du contenu de supports
US6055314A (en) * 1996-03-22 2000-04-25 Microsoft Corporation System and method for secure purchase and delivery of video content programs
WO2000048375A1 (fr) * 1999-02-11 2000-08-17 Loudeye Technologies, Inc. Systeme de distribution de media
WO2000064111A1 (fr) * 1999-04-16 2000-10-26 Unifree, L.L.C. Distribution de fichiers multimedia au moyen de protocoles de transmission adaptatifs
EP1111838A2 (fr) * 1999-12-21 2001-06-27 Xerox Corporation Système et procédé de protection cryptographique de données

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6055314A (en) * 1996-03-22 2000-04-25 Microsoft Corporation System and method for secure purchase and delivery of video content programs
WO1999048296A1 (fr) * 1998-03-16 1999-09-23 Intertrust Technologies Corporation Procedes et appareil de commande et de protection continues du contenu de supports
WO2000048375A1 (fr) * 1999-02-11 2000-08-17 Loudeye Technologies, Inc. Systeme de distribution de media
WO2000064111A1 (fr) * 1999-04-16 2000-10-26 Unifree, L.L.C. Distribution de fichiers multimedia au moyen de protocoles de transmission adaptatifs
EP1111838A2 (fr) * 1999-12-21 2001-06-27 Xerox Corporation Système et procédé de protection cryptographique de données

Also Published As

Publication number Publication date
SE0103623D0 (sv) 2001-11-01
SE0103623L (sv) 2003-05-02
SE521906C2 (sv) 2003-12-16

Similar Documents

Publication Publication Date Title
EP1444561B1 (fr) Procede, appareil et systeme pour fournir de fa on securisee un materiel
US7328345B2 (en) Method and system for end to end securing of content for video on demand
KR100843346B1 (ko) 스트림 콘텐츠의 무결성 보호
EP2044568B1 (fr) Procédé et appareil pour déplacer et renvoyer de manière sécurisée un contenu numérique
US20060200412A1 (en) System and method for DRM regional and timezone key management
US8724808B2 (en) Method for secure distribution of digital data representing a multimedia content
US20130283051A1 (en) Persistent License for Stored Content
US20040151315A1 (en) Streaming media security system and method
RU2329613C2 (ru) Способ безопасной передачи данных по схеме "точка-точка" и электронный модуль, реализующий этот способ
AU2002351508A1 (en) Method, apparatus and system for securely providing material to a licensee of the material
KR20040088365A (ko) 스케일 가능한 미디어를 위한 스케일 가능하고 에러탄력적인 drm
CN101142777A (zh) 视频在线安全网络体系结构及其方法
WO2006109913A1 (fr) Systeme de protection/gestion de contenus de diffusion
US8081756B2 (en) Implementation of media-protection policies
EP1903799B1 (fr) Procede de realisation d'une previsualisation de programmes iptv, appareil de cryptage, systeme central de droits et terminal utilisateur
KR20090090332A (ko) 스크램블된 디지털 콘텐트로의 액세스를 제어하는 방법
CA2593952C (fr) Procede et appareil fournissant une barriere frontaliere entre des domaines de securite
EP1595383B1 (fr) Procedes et appareil pour l'integration de systemes de securite unidirectionnel et bidirectionnel pour assurer la distribution securisee de services chiffres
EP2403244A1 (fr) Procédé de cryptage sécurisé pour distribution de contenu électronique
WO2003039067A1 (fr) Procede et appareil pour le chiffrement de paquets de trains de donnees multimedia, dynamiquement ou statiquement au moyen d'un mandataire et d'un pre-processeur
US9294788B2 (en) Method, cryptographic system and security module for descrambling content packets of a digital transport stream
WO2000067483A1 (fr) Procede et appareil de controle d'acces de services televisuels a la carte pre-cryptes
Hwang et al. Protection of MPEG‐2 Multicast Streaming in an IP Set‐Top Box Environment
EP1499062A1 (fr) Système et méthode de criptage video individuel
CA2516909A1 (fr) Methode et appareil pour distribuer du contenu a un dispositif client

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP