WO2003039067A1 - Method and apparatus for encrypting multimedia data stream packets, dynamically or statically, by means of a proxy and a pre-processor - Google Patents
- Publication number
- WO2003039067A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- encryption
- packets
- media stream
- proxy
- encrypted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/76—Proxy, i.e. using intermediary entity to perform cryptographic operations
Definitions
- the present invention relates to a method defined in the preamble of claim 1.
- the present invention also relates to an apparatus defined in the preamble of claim 5.
- DVB-CA Digital Video Broadcasting
- the decryption uses a separate processing unit on a smart card, which makes the decryption expensive.
- One object of the present invention is to provide such an improved method and apparatus, which has configurable requirements on CPU utilisation on both the client and the server, and which is built on open standards.
- this object is accomplished by providing a method and apparatus as defined in the characterising parts of the independent claims 1 and 5.
- Fig 1 is a block diagram of an encryption system
- Fig 2 is a flowchart showing the steps performed when the media stream is encrypted.
- the media stream is a Moving Picture Experts Group Transport Stream (MPEG-2 TS), which refers to the family of digital video compression standards and file formats developed by this group.
- MPEG-2 TS Moving Picture Experts Group Transport Stream
- MPEG-2 TS achieves a high compression rate by storing, for most of the frames, only the changes from one frame to another instead of each entire frame.
- MP3 MPEG-1 Audio Layer-3
- MPEG-2 PS MPEG-2 Packet Stream
- a content protection pre-processor is represented by 1.
- the pre-processor 1 is connected to a database 6 from which it gets the MPEG-2 TS to process.
- a server 2 connected to an encryption proxy 3 gets the pre-processed MPEG-2 TS from the database 6.
- the pre-processor 1 and the encryption proxy 3 are both connected to an encryption scheme 5, from which they get information concerning the encryption.
- a client 4 communicates with the encryption proxy 3 over a network 7, e.g. the Internet.
- Fig 1 illustrates one example of the architecture of the encryption system. The person skilled in the art understands, however, that any other constellation of the parts in the system is possible.
- some TS packets are encrypted statically, e.g. on disk, and some are encrypted dynamically, in real time.
- the static encryption can e.g. be done by the content owner before delivering the content to operators, which reduces the risk of "in-house theft" at the operator site.
- the pre-processor 1 analyses the MPEG-2 TS and selects the TS packets which are to be statically encrypted, encrypts these and marks at the same time the TS packets which are to be dynamically encrypted. This processing is performed only once per title, e.g. once per film when the media stream is a video stream and once per audio track when the media stream is an audio stream.
- the encryption proxy 3 encrypts the TS packets marked by the pre-processor 1 for dynamic encryption.
- the dynamic encryption is, however, performed once per session. This means that even if the static encryption is cracked, watching e.g. a movie is made impossible by the dynamic encryption.
- the encryption scheme 5 contains all necessary information the pre-processor 1 and the encryption proxy 3 need in order to perform the encryption of the media stream.
- the content owner supplies the information stored in the encryption scheme 5.
- Typical information in the encryption scheme 5 is what and when to encrypt and what algorithm to use.
- the combination of the pre-processor 1 and the encryption proxy 3 makes the inventive system flexible, with full control over what to encrypt and when (static or dynamic).
- the system can e.g. be optimised for a low CPU usage, high security or low cost etc.
- the flexibility of the system means that different kinds of encryption algorithms may be used, in which all packets, some packets or no packets at all can be encrypted.
- since the pre-processor 1 marks the packets (a subset of the total number of packets) to encrypt dynamically, not all encryption needs to be done in real time, and there are small requirements on CPU utilisation on the host running the encryption proxy 3. The requirements on CPU are configurable through the encryption scheme 5.
- the server 2 stores the pre-processed MPEG-2 TS and creates indices.
- the server 2 is a Video-on-Demand (VoD) server.
- VoD gives a user the possibility to order a movie or other program content for immediate viewing on e.g. the TV.
- the client 4 e.g. a Set-Top-Box (STB) client, comprises a web browser allowing the user to choose e.g. a movie.
- STB Set-Top-Box
- the client 4 then orders the chosen movie from the VoD server 2 via the encryption proxy 3. Since the encryption proxy 3 handles all communication with the client, the inventive system is independent of the server.
- the preferred embodiment of the inventive method is based on the MPEG-2 standard for scrambling encryption of TS packet content.
- the type of encryption used is fully configurable and a matter of agreement between the client 4 and the encryption proxy 3.
- the client 4 and the encryption proxy 3 negotiate about a set of encryption algorithms to use among multiple encryption algorithms.
- a two-bit field, "transport scrambling control", in the TS header is used to indicate which kind of encryption is used within the set of encryption algorithms according to the agreement between the client 4 and the encryption proxy 3. Multiple sets of mappings between transport scrambling control values and encryption algorithms may be supported.
- the client 4 gets the information of which set to use from the URL accessed or from the ticket received when ordering the VoD.
- the inventive method is applicable on all kinds of decryption key distributions.
- the client 4 may negotiate with the encryption proxy 3 about what key distribution to use and how many packets are to be dynamically encrypted by the encryption proxy 3.
- the client 4 may e.g. request encryption of only a subset of the packets marked for dynamic encryption due to small CPU resources.
- the encryption proxy 3 can, however, deny such a request for less encryption.
- the negotiation between the client 4 and the encryption proxy 3 may be encrypted in order to obtain a high security level.
- Another alternative is to use an encryption algorithm in the encryption scheme 5 that is adapted to certain kinds of clients, e.g. encrypt as few packets as possible (usually around 1/10) in order to reduce the CPU load of the client.
- a preferred embodiment of the present invention is shown in fig 2 and the procedure for encrypting an MPEG-2 transport stream is as follows:
- the pre-processor 1 analyses the MPEG-2 TS 6 and selects the TS packets for static and dynamic encryption according to the information in the encryption scheme 5 (step 21).
- the packets selected for static encryption are encrypted at once, while the packets selected for dynamic encryption are only marked by the pre-processor 1;
- the server 2 stores the pre-processed TS in its own format (step 22).
- the stored, partly encrypted, TS is streamed to the encryption proxy 3 (step 23).
- the request is initiated by e.g. a user choosing a movie from a web page.
- the client 4 and the encryption proxy 3 negotiate about which encryption set to use, before the TS is streamed to the encryption proxy 3;
- the encryption proxy 3 encrypts the TS packets marked for dynamic encryption by the pre-processor 1, which, however, may be modified according to the negotiation between the client 4 and the encryption proxy 3 (step 24). The encryption proxy 3 then streams the encrypted TS on to the client 4 over the network 7 (step 25);
- the client 4 decrypts all encrypted packets (step 26).
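
The procedure above (steps 21 to 26), together with the transport scrambling control mapping, as an added Python example that is not part of the patent text. Assumptions: the marks for dynamic encryption are kept as a side set of packet indices, the values `10` and `11` stand for the static and per-session algorithm in the negotiated set, a SHAKE-256 keystream stands in for whatever algorithm is negotiated, and all function names and selection intervals are hypothetical.

```python
import hashlib

TS_SIZE, SYNC = 188, 0x47
TSC_CLEAR, TSC_STATIC, TSC_DYNAMIC = 0b00, 0b10, 0b11   # assumed negotiated mapping

def get_tsc(pkt):
    """transport_scrambling_control: top two bits of header byte 3."""
    return pkt[3] >> 6

def _xor_payload(pkt, key, index, tsc):
    # SHAKE-256 keystream is a stand-in for the negotiated algorithm (assumption).
    stream = hashlib.shake_256(key + index.to_bytes(4, "big")).digest(TS_SIZE - 4)
    body = bytes(a ^ b for a, b in zip(pkt[4:], stream))
    header = pkt[:3] + bytes([(pkt[3] & 0x3F) | (tsc << 6)])
    return header + body

def preprocess(packets, static_key, static_every=10, dynamic_every=4):
    """Step 21: encrypt the static subset now, return indices marked for the proxy."""
    out, marked = [], set()
    for i, pkt in enumerate(packets):
        assert len(pkt) == TS_SIZE and pkt[0] == SYNC
        if i % static_every == 0:
            pkt = _xor_payload(pkt, static_key, i, TSC_STATIC)
        elif i % dynamic_every == 0:
            marked.add(i)
        out.append(pkt)
    return out, marked

def proxy_encrypt(packets, marked, session_key):
    """Step 24: per-session encryption of marked, still-clear packets only."""
    return [_xor_payload(p, session_key, i, TSC_DYNAMIC)
            if i in marked and get_tsc(p) == TSC_CLEAR else p
            for i, p in enumerate(packets)]

def client_decrypt(packets, keys):
    """Step 26: pick the key from the TSC value; packets with no known key stay as is."""
    out = []
    for i, p in enumerate(packets):
        key = keys.get(get_tsc(p))
        out.append(_xor_payload(p, key, i, TSC_CLEAR) if key else p)
    return out

def make_stream(n=20, pid=0x100):
    """Constructed sample: payload-only TS packets (adaptation_field_control = 01)."""
    hdr = lambda i: bytes([SYNC, pid >> 8 & 0x1F, pid & 0xFF, 0x10 | (i & 0x0F)])
    return [hdr(i) + bytes([i]) * (TS_SIZE - 4) for i in range(n)]
```

A client holding only the static key recovers the statically encrypted packets but not the ones the proxy encrypted for the session, which is the property the description attributes to the dynamic layer.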
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
SE0103623-5 | 2001-11-01 | ||
SE0103623A SE521906C2 (sv) | 2001-11-01 | 2001-11-01 | Method and apparatus for encrypting multimedia content |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2003039067A1 (fr) | 2003-05-08 |
Family
ID=20285829
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/SE2002/001830 WO2003039067A1 (fr) | 2001-11-01 | 2002-10-09 | Method and apparatus for encrypting multimedia data stream packets, dynamically or statically, by means of a proxy and a pre-processor |
Country Status (2)
Country | Link |
---|---|
SE (1) | SE521906C2 (fr) |
WO (1) | WO2003039067A1 (fr) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1999048296A1 (fr) * | 1998-03-16 | 1999-09-23 | Intertrust Technologies Corporation | Methods and apparatus for continuous control and protection of media content |
US6055314A (en) * | 1996-03-22 | 2000-04-25 | Microsoft Corporation | System and method for secure purchase and delivery of video content programs |
WO2000048375A1 (fr) * | 1999-02-11 | 2000-08-17 | Loudeye Technologies, Inc. | Media distribution system |
WO2000064111A1 (fr) * | 1999-04-16 | 2000-10-26 | Unifree, L.L.C. | Distribution of multimedia files using adaptive transmission protocols |
EP1111838A2 (fr) * | 1999-12-21 | 2001-06-27 | Xerox Corporation | System and method for cryptographic data protection |
-
2001
- 2001-11-01 SE SE0103623A patent/SE521906C2/sv not_active IP Right Cessation
-
2002
- 2002-10-09 WO PCT/SE2002/001830 patent/WO2003039067A1/fr not_active Application Discontinuation
Also Published As
Publication number | Publication date |
---|---|
SE0103623D0 (sv) | 2001-11-01 |
SE0103623L (sv) | 2003-05-02 |
SE521906C2 (sv) | 2003-12-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1444561B1 (fr) | Method, apparatus and system for securely providing material | |
US7328345B2 (en) | Method and system for end to end securing of content for video on demand | |
KR100843346B1 (ko) | Integrity protection of streaming content | |
EP2044568B1 (fr) | Method and apparatus for securely moving and returning digital content | |
US20060200412A1 (en) | System and method for DRM regional and timezone key management | |
US8724808B2 (en) | Method for secure distribution of digital data representing a multimedia content | |
US20130283051A1 (en) | Persistent License for Stored Content | |
US20040151315A1 (en) | Streaming media security system and method | |
RU2329613C2 (ru) | Method for secure point-to-point data transmission and electronic module implementing the method | |
AU2002351508A1 (en) | Method, apparatus and system for securely providing material to a licensee of the material | |
KR20040088365A (ko) | Scalable, error-resilient DRM for scalable media | |
CN101142777A (zh) | Video online secure network architecture and method thereof | |
WO2006109913A1 (fr) | Broadcast content protection/management system | |
US8081756B2 (en) | Implementation of media-protection policies | |
EP1903799B1 (fr) | Method for implementing IPTV program preview, encryption apparatus, rights center system and user terminal | |
KR20090090332A (ko) | Method of controlling access to scrambled digital content | |
CA2593952C (fr) | Method and apparatus providing a border guard between security domains | |
EP1595383B1 (fr) | Methods and apparatus for integrating one-way and two-way security systems to enable secure distribution of encrypted services | |
EP2403244A1 (fr) | Secure encryption method for electronic content distribution | |
WO2003039067A1 (fr) | Method and apparatus for encrypting multimedia data stream packets, dynamically or statically, by means of a proxy and a pre-processor | |
US9294788B2 (en) | Method, cryptographic system and security module for descrambling content packets of a digital transport stream | |
WO2000067483A1 (fr) | Method and apparatus for access control of pre-encrypted on-demand television services | |
Hwang et al. | Protection of MPEG‐2 Multicast Streaming in an IP Set‐Top Box Environment | |
EP1499062A1 (fr) | Individual video encryption system and method | |
CA2516909A1 (fr) | Method and apparatus for distributing content to a client device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
122 | Ep: pct application non-entry in european phase | ||
NENP | Non-entry into the national phase |
Ref country code: JP |
|
WWW | Wipo information: withdrawn in national office |
Country of ref document: JP |