WO2004054260A1 - Method and apparatus for secure delivery of data - Google Patents


Publication number: WO2004054260A1
Authority: WO (WIPO (PCT))
Application number: PCT/GB2002/005612
Other languages: French (fr)
Inventor: David K. Probst
Original Assignee: Skyvault Secure Digital Distribution Inc.; Jehan, Robert
Application filed by Skyvault Secure Digital Distribution Inc. and Jehan, Robert
Priority to AU2002356281A (AU2002356281A1)
Priority to PCT/GB2002/005612 (WO2004054260A1)
Priority to US10/459,727 (US20040259496A1)
Publication of WO2004054260A1

Abstract

Methods and apparatus for the secure and copy-proof distribution of digital content are disclosed. In a preferred embodiment cryptographic primitives (encryption algorithms, message-authentication codes, hash functions, random-number generators, etc.) are used in a novel security protocol. The system may be utilised to protect a first-run movie that has been digitised in accordance with one of the current or forthcoming MPEG standards (e.g., MPEG-7). Content receivers or users first register their boxes. This registration information is stored in a secure database. When a subscriber registers, he/she then receives a box (interface to his player) that has been initialised to contain a number of tamper-proof secrets that are shared between the station and that particular box. The station stores an encrypted version of the digital content. This encrypted version ultimately arrives at some unprotected storage medium local to the player. Upon demand, the station delivers to the box the use-once computational ability to decrypt the content and display it on the player or terminal.

Description

METHOD AND APPARATUS FOR SECURE DELIVERY OF DATA
The present invention pertains to methods and apparatus for ensuring the security of data such as digital content. More particularly, one preferred embodiment of the invention provides copy protection for digital content that is displayed or recreated on a player or terminal of an end user.
Content providers are increasingly storing and distributing their intellectual property works (that is, the content) in digitised form and are justifiably concerned about the possibility that this content may be misappropriated. Conventional security methods encrypt the digital content, transmit the content to the user, and trust the user's player or terminal to decrypt it in a secure fashion. Many of these conventional security methods may easily be broken because they utilise weak proprietary or open-source cryptographic algorithms and protocols that are easily broken by hackers of moderate skill who promptly publish their results, nullifying the original security system.
At the present time, none of the security systems which are available in the commercial market can provide reliable copy protection. The development of such a system would constitute a major technological advance, and would satisfy long-felt needs and aspirations in both the content-producing (entertainment, games, software, etc.) and telecommunications (telephone, cable, satellite networks, etc.) industries.
The present invention seeks to provide an improved method and apparatus for the secure delivery of data, particularly digital data.
According to an aspect of the present invention, there is provided a method of securing data transmitted to a user device from a content provider as specified in claim 1.
According to another aspect of the present invention, there is provided a system for transmitting data securely to a user device from a content provider as specified in claim 13.
The preferred embodiment supplies a means of copy protection for digital content.
In one embodiment of the invention, all responsibility for copy protection is removed from the user's player or terminal. All the security features are removed from the player, and placed in a secure "box". The box incorporates security protocols that use strong cryptographic algorithms as primitives to seek to ensure that the security furnished by the module cannot be broken.
In one embodiment, a delivery source or station sends, separately from the digital content, a time-bounded computational ability to display the content, which then self-destructs. The division of labour between station and box means that unusually strong encryption algorithms may be employed, while keeping the cost of manufacture of the box low since the boxes require relatively little processing power. When the box is purchased, a registration process enters a security protocol.
The preferred embodiments offer a distributed end-to-end system/security architecture that is completely independent of the communications medium which is employed. They may be utilised to secure or protect any digital content, including high-value files that contain movies or music which are transported over a network, or which are stored on a physical medium such as a DVD or CD.
Embodiments of the present invention are described below, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 is a schematic diagram of one embodiment of system;
Figure 2 is a schematic diagram of one embodiment of box;
Figure 3 is a flow chart of an embodiment of an encryption processing routine carried out at a station; and
Figure 4 is a flow chart of an embodiment of a recovery routine.
One embodiment comprises a method for copy protection for the owner of digital content that is displayed on a user's player or terminal. The responsibility for copy protection is removed from the player, and is placed inside an appliance or terminal in a secure "box."
In a preferred embodiment of the invention, cryptographic primitives (encryption algorithms, message-authentication codes, hash functions, random-number generators, and so on) are used in a novel security protocol together with a novel key exchange protocol. The system may be utilised to protect a first-run movie that has been digitised in accordance with one of the current or forthcoming standards (such as MPEG). Content receivers or users first register their boxes. This registration information is stored in a secure database. When a subscriber registers, he/she then receives a box (interface to the player) that has been initialised to contain a number of tamper-proof secrets that are shared between the station and that particular box. The station stores an encrypted version of the digital content. This encrypted version ultimately arrives at some unprotected storage medium local to the player. Upon demand, the station delivers to the box the use-once computational ability to decrypt the content and display it on the player or terminal.
The box is configured for a computational workload that allows it to be manufactured relatively cheaply. The station is configured for a computational workload that allows it to keep pace with what might be one million simultaneous requests for service from one million boxes. In one embodiment, the box is a modest-sized information appliance, while a station comprises a cluster of workstations (or equivalent) as the number of boxes per station grows. Initial encryption of the digital content and security-domain initialisation of station and box both count as pre-computation in the preferred embodiment.
In the preferred embodiment, the encrypted content or ciphertext is stored on a removable or fixed storage medium within the user's player. The subscriber then requests the content provider to supply a "key" which enables the box to play the content. This request may require a payment from the subscriber to the content provider. Once the content provider is paid, or approval to decrypt the content stored in the user's box is granted, the station supplies the transient computational ability to display the content once. The word "transient" is used here because the computational ability self-destructs as it is used. The subscriber may issue as many requests for use-once computational ability to display this movie as desired; this resembles "pay per view" with higher-value digital content. The embodiment may employ multiple time-sensitive keys which vanish as soon as they are used.
The described embodiments may be utilised to secure or protect any digital content, including high-value files that contain movies or music which are transported over a network or which are stored on a physical medium such as a DVD or CD.
One embodiment of the invention includes: a) encrypting digital content; b) establishing a priori shared secrets between a station and a box by tamper-proof burning of secret information into boxes prior to their registration; c) creating a security protocol to deliver the transient computational ability to a given box to display the encrypted digital content precisely once (this ability self-destructs as it is used); and d) designing the box system architecture, with particular attention paid to physical-security issues (the box's physical-security perimeter is preferably implemented by hardware means within the box).
Referring to Figure 3, there is shown a simplified embodiment of an encryption routine carried out by the content provider for encrypting movies or other large data files for transmission of that data to a user box.
At step 100, the content provider obtains the digital content D relating to the particular file (such as a movie file) requested by a user. At step 102, the file is divided into n blocks D_j, preferably of fixed length. At the next step, a total of n encryption keys are generated or obtained, these preferably being 256-bit keys produced by sampling noise to produce random keys. At steps 106 to 110 the routine passes through a loop to encrypt each block D_j with its appropriate key K_j using the employed encryption algorithm until all the blocks have been encrypted. Finally, at step 112, the provider outputs the encrypted blocks C_j and the keys K_j for all the blocks.
Referring now to Figure 4, the recovery routine carried out by the user's box is shown. At step 120 it receives the encrypted blocks C_j and keys K_j from the content provider, provided that the box is registered and has passed a first-stage authentication test, examples of which are described below. At steps 124 to 128, the routine loops to decrypt the individual encrypted blocks C_j and to destroy each key K_j once it has been used, until all the blocks have been decrypted. At step 130, the system reassembles the individual blocks D_j into their original sequence and thereby recovers the digital content. Of course, if the blocks D_j have been sent in sequential order, then the reassembly step is straightforward. However, it is envisaged that a content provider may wish to change the order of the blocks for added security.
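The Figure 3 and Figure 4 routines as an added Go example (not code from the patent or its assignee): the station splits the content into fixed-size blocks D_j and seals each under its own fresh random 256-bit key K_j; the box opens each C_j, destroys K_j the moment it has been used, and reassembles the blocks by index even when they arrive out of order, so a second playback with the same segments fails. It goes beyond the text in one respect: it uses AES-256-GCM rather than CBC, because Go's standard library only offers the 128-bit AES block size and GCM supplies the per-segment authentication the text's CBC scheme lacks; the segment size, the sample content and all function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

const segmentSize = 64 // toy size for the demo; real film segments are far larger

// Segment is one ciphertext block C_j. Its index j travels with it so the box
// can reassemble content even when the station sends segments out of order.
type Segment struct {
	Index int
	Nonce []byte // per-segment GCM nonce
	Data  []byte // AES-256-GCM ciphertext (tag appended) of block D_j
}

// splitContent divides D into fixed-size blocks D_j (the last may be shorter).
func splitContent(content []byte, size int) (blocks [][]byte) {
	for ; len(content) > size; content = content[size:] {
		blocks = append(blocks, content[:size])
	}
	return append(blocks, content)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// encryptContent is the station routine of Figure 3: every block D_j is sealed
// under its own fresh random 256-bit key K_j. GCM adds the per-segment MAC that
// plain CBC lacks, so a tampered C_j is rejected instead of decrypting to garbage.
func encryptContent(content []byte) ([]Segment, [][]byte, error) {
	blocks := splitContent(content, segmentSize)
	segs := make([]Segment, len(blocks))
	keys := make([][]byte, len(blocks))
	for j, d := range blocks {
		kn := make([]byte, 32+12) // fresh key and nonce from the CSPRNG
		if _, err := io.ReadFull(rand.Reader, kn); err != nil {
			return nil, nil, err
		}
		key, nonce := kn[:32], kn[32:]
		gcm, err := newGCM(key)
		if err != nil {
			return nil, nil, err
		}
		segs[j] = Segment{Index: j, Nonce: nonce, Data: gcm.Seal(nil, nonce, d, nil)}
		keys[j] = key
	}
	return segs, keys, nil
}

// recoverContent is the box routine of Figure 4: open each C_j with K_j, destroy
// K_j the moment it has been used, then reassemble the D_j by index. With the
// keys gone, a second playback fails: the use-once ability the text describes.
func recoverContent(segs []Segment, keys [][]byte) ([]byte, error) {
	if len(segs) != len(keys) {
		return nil, fmt.Errorf("segment/key count mismatch")
	}
	blocks := make([][]byte, len(keys))
	for _, s := range segs {
		if s.Index < 0 || s.Index >= len(keys) || keys[s.Index] == nil {
			return nil, fmt.Errorf("segment %d: bad index or key already destroyed", s.Index)
		}
		key := keys[s.Index]
		gcm, err := newGCM(key)
		if err != nil {
			return nil, err
		}
		if len(s.Nonce) != gcm.NonceSize() {
			return nil, fmt.Errorf("segment %d: bad nonce length", s.Index)
		}
		d, err := gcm.Open(nil, s.Nonce, s.Data, nil)
		if err != nil {
			return nil, fmt.Errorf("segment %d rejected: %w", s.Index, err)
		}
		blocks[s.Index] = d
		for i := range key { // destroy K_j: wipe the bytes, then drop the reference
			key[i] = 0
		}
		keys[s.Index] = nil
	}
	return bytes.Join(blocks, nil), nil
}

func main() {
	segs, keys, _ := encryptContent(bytes.Repeat([]byte("frame-data-"), 15)) // constructed content
	out, err := recoverContent([]Segment{segs[2], segs[0], segs[1]}, keys)    // out-of-order delivery
	fmt.Println(len(out), err)
	_, err = recoverContent(segs, keys) // second playback: the keys are gone
	fmt.Println(err)
}
```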
Encryption
Before the subscriber can obtain content, such as a copy of an encrypted digital film, it must first have been encrypted. This encryption must offer extremely high-assurance confidentiality and be capable of decryption by the equipment used by the subscriber. In one embodiment of the invention, an appropriate strong encryption algorithm is selected. For encryption of large files containing high-value digital content, a choice can be made among various methods, including symmetric-key, asymmetric-key and public-key cryptography. The throughput rates for the most popular public-key encryption methods are several orders of magnitude slower than the best-known symmetric-key schemes. All operational systems use a hybrid approach that utilises both kinds of cryptography. Specifically, public-key schemes are used only for cryptographic-key exchange, while the more efficient symmetric-key (private-key) schemes are used for actual encryption and decryption of digital content. In one embodiment of the invention, no cryptographic keys are ever made public in themselves; at most, some of them are published in a secure fashion within an individual security group. Symmetric-key methods can be quite strong.
In one embodiment of the invention, the symbol "M" is used to represent a file containing a first-run movie that has been digitised according to some MPEG standard. In this particular instance, the MPEG standard also defines the decryption throughput that must be achieved by the box in order that the decrypted signal may be injected into the subscriber's player or terminal at the expected rate. (This example assumes on-the-fly decryption).
File M is divided into 's' fixed-size segments, where 's' is chosen by the security architect. Segments are portions of a file, such as a movie. By increasing the value of 's', the amount of plaintext encrypted under any one cryptographic key can be limited. The trade-off here is between unusually high degrees of assurance and the number of keys that must be exchanged between station and box during one key-exchange protocol. The preferred embodiments have been designed with a number of parameters so that security may be increased. In general, when the level of security is increased, the performance decreases. The majority of the key-exchange work is borne by the station and is, therefore, limited only by the computing power of the station.
At this point in the process, file M is a sequence of plaintext segments <b_j>, 1 <= j <= s. Each film segment b_j is encrypted using the Rijndael symmetric-key encryption algorithm, which is the new Federal Advanced Encryption Standard (AES). Rijndael is superior to the unclassified symmetric-key algorithms it replaces in both security and performance. In one embodiment, both the block length and the key length are chosen to be 256 bits. Since Rijndael is a block cipher and since it is unlikely that the length of a film segment b_j is less than or equal to 256 bits, in the case of films Rijndael is combined with an appropriate block-chaining mode such as Cipher Block Chaining (CBC). Several choices are available. A different 256-bit Rijndael key k_j is used to encrypt each film segment b_j, 1 <= j <= s. The ciphertext corresponding to b_j is denoted c_j. The division into segments increases the strength of the encryption, by encrypting less plaintext with a given key, and also provides great flexibility in the decoding strategy.
No special care is required in selecting Rijndael keys. In one embodiment of the invention, keys are selected using a method that prevents a hacker from breaking the security of the system. A random-number generator or other mechanism may be employed, as long as the keys are generally unpredictable and irreproducible. In one embodiment, the 256-bit keys are genuinely random numbers produced by physical processes such as electrically noisy diodes. Genuinely random numbers are used as Rijndael keys, not to make Rijndael run better nor to prevent a hacker from breaking the security of the system, but, rather, to open up entirely new key-exchange and/or key-determination possibilities.
After encryption, the encrypted-film file is M' = <c_j>, 1 <= j <= s, and the film-segment-key file is K = <k_j>, 1 <= j <= s. Both encrypted-film file M' and film-segment-key file K are stored securely in the station. The plaintext file M is no longer required.
Registration & Initialisation
The second component concerns the initialisation of both station A and box B, where there is one station A and many boxes B. Some station initialisation is done once for all boxes in the security domain and some is done on a per-box basis. Box initialisation becomes "valid" as soon as the box has been registered with the security domain.
1) A box-independent public-key cryptosystem is constructed for station A based on the RSA™ cryptosystem, but using quasi-public keys. The symbols 'p' and 'q' are employed to denote two large distinct primes, and n = p * q. The set of plaintexts and the set of ciphertexts are both equal to the finite ring Z_n. Any message too long to belong to Z_n is dealt with by Cipher Block Chaining (CBC). Two exponents 'e' and 'd' are constructed such that exponentiation by one exponent modulo n is the inverse of exponentiation by the other exponent modulo n. One exponent, 'pubA', chosen small, is burned into each box registered with this station, along with the modulus 'n'. The other exponent, 'priA', which may be large, is a secret of station A. The key 'pubA' is a quasi-public key that is burned into each box B registered with A in a tamper-proof way so that 'pubA' is not recoverable from box B. The same holds true for modulus 'n'.
Any box B will raise numbers to the power 'pubA' modulo n to encrypt messages intended for station A and to verify digital signatures generated by station A. This is sufficient for a rapid authentication protocol that authenticates a given box B to station A, provided that each box B is given a large (for example, 256-bit) genuinely random string 'idB', which is a shared secret between A and B and a unique identifier for the given box B among all boxes registered with that station.
2) A box-independent large cyclic group is then constructed, in which the discrete-logarithm problem is intractable for station A. This can be done either with standard number theory or elliptic-curve techniques. One method that may be employed is to choose a large prime 'p', and then to use the multiplicative group of integers modulo p, i.e., Z*_p, as the cyclic group. Since 'p' is a prime number, there will be many primitive elements 'x' such that raising 'x' to successive powers will generate all the elements of the cyclic group. A primitive element modulo p has the same order as the cyclic group Z*_p, viz., p - 1.
This additional machinery, on top of station A's long-lasting public-key cryptosystem, is used in the key-exchange protocol to generate session keys for encrypting the file-segment keys k_j, 1 <= j <= s.
As an example, an appropriate prime 'p' and a generator 'alpha' of Z*_p (2 <= alpha <= p - 2) are selected. Quasi-ElGamal key agreement may be achieved between station A and each one of one million boxes B as follows. For a given box B, A would normally need to reliably know the public key (p, alpha, alpha^b) of B. In this example, station A has a cyclic group whose order is at least one million. Station A randomly and uniformly picks a distinct exponent 'b', 1 <= b <= p - 2, for each of the one million boxes it registers. Station A secretly computes and stores alpha^b for each box. As part of the registration process, exponent 'b' and prime 'p' are burned into the given box B (with a different 'b' for each distinct box B). When station A wishes to share a session key with a given box B, it randomly and uniformly picks an integer 'x' from the same range, and computes and transmits alpha^x, called "elementA", to box B. Station A computes (alpha^b)^x modulo p as the shared secret key, while box B computes elementA^b modulo p as the key, where, by construction, the keys are the same.
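The quasi-ElGamal key agreement just described, as an added Go example that is not part of the patent: NewDomain constructs a prime p and a generator alpha of Z*_p, Register burns (b, p) into a box while the station keeps alpha^b, and Initiate/Accept carry out the exchange of elementA = alpha^x so that both sides derive the same key. The safe-prime construction, the hash-based key derivation, the 256-bit toy group size and all names are assumptions; the range check in Accept is the check a box should perform on a received element before it derives any key from it.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

var one, two = big.NewInt(1), big.NewInt(2)

// Domain is the box-independent machinery: a prime p and a generator alpha of Z*_p.
type Domain struct{ P, Alpha *big.Int }

// randRange returns a uniform integer in [lo, hi]; CSPRNG failure is treated as fatal.
func randRange(lo, hi *big.Int) *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Add(new(big.Int).Sub(hi, lo), one))
	if err != nil {
		panic(err)
	}
	return n.Add(n, lo)
}

// NewDomain builds a safe prime p = 2q+1, so Z*_p has order 2q and an alpha in
// [2, p-2] generates all of Z*_p exactly when alpha^q != 1 (mod p).
func NewDomain(bits int) (*Domain, error) {
	for {
		q, err := rand.Prime(rand.Reader, bits-1)
		if err != nil {
			return nil, err
		}
		p := new(big.Int).Add(new(big.Int).Lsh(q, 1), one)
		if !p.ProbablyPrime(32) {
			continue
		}
		for {
			alpha := randRange(two, new(big.Int).Sub(p, two))
			if new(big.Int).Exp(alpha, q, p).Cmp(one) != 0 {
				return &Domain{P: p, Alpha: alpha}, nil
			}
		}
	}
}

// Station A keeps, per registered box, the value alpha^b it computed at registration.
type Station struct {
	dom   *Domain
	boxes map[string]*big.Int
}

// Box B holds only what was burned in at registration: its exponent b and the prime p.
type Box struct{ p, b *big.Int }

// Register picks a fresh random b in [1, p-2] for the box (distinct per box with
// overwhelming probability), stores alpha^b at the station and burns (b, p) into the box.
func (s *Station) Register(id string) *Box {
	b := randRange(one, new(big.Int).Sub(s.dom.P, two))
	s.boxes[id] = new(big.Int).Exp(s.dom.Alpha, b, s.dom.P)
	return &Box{p: s.dom.P, b: b}
}

// Initiate is the station's half: pick x, send elementA = alpha^x, derive the key from (alpha^b)^x.
func (s *Station) Initiate(id string) (elementA *big.Int, key [32]byte, err error) {
	alphaB, ok := s.boxes[id]
	if !ok {
		return nil, key, fmt.Errorf("box %q is not registered", id)
	}
	x := randRange(one, new(big.Int).Sub(s.dom.P, two))
	elementA = new(big.Int).Exp(s.dom.Alpha, x, s.dom.P)
	return elementA, sessionKey(new(big.Int).Exp(alphaB, x, s.dom.P), s.dom.P), nil
}

// Accept is the box's half: check elementA, then derive the key from elementA^b.
// 0, 1 and p-1 are rejected because they fix the shared secret regardless of b,
// so a received element that is not in [2, p-2] must never produce a key.
func (bx *Box) Accept(elementA *big.Int) (key [32]byte, err error) {
	if elementA.Cmp(two) < 0 || elementA.Cmp(new(big.Int).Sub(bx.p, two)) > 0 {
		return key, fmt.Errorf("elementA outside [2, p-2]")
	}
	return sessionKey(new(big.Int).Exp(elementA, bx.b, bx.p), bx.p), nil
}

// sessionKey hashes the shared element, encoded at the fixed byte width of p, into
// the 256-bit session key under which the segment keys k_j are then encrypted.
func sessionKey(shared, p *big.Int) [32]byte {
	return sha256.Sum256(shared.FillBytes(make([]byte, (p.BitLen()+7)/8)))
}

func main() {
	dom, err := NewDomain(256) // toy size; a real deployment uses 2048-bit or larger groups
	if err != nil {
		panic(err)
	}
	a := &Station{dom: dom, boxes: map[string]*big.Int{}}
	box := a.Register("box-0001")
	elementA, kA, _ := a.Initiate("box-0001")
	kB, err := box.Accept(elementA)
	fmt.Println(kA == kB, err)
}
```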
Considering just the first two components, after registration, a given box B securely stores:
1) the small integer 'pubA', which is station A's quasi-public key;
2) the RSA modulus 'n';
3) the 256-bit quantity 'idB' that uniquely identifies the given box B;
4) the 20-bit quantity 'bB', which probably should not be a small integer even though the adversary has no knowledge of prime 'p'; and
5) the prime 'p' that is the modulus for the cyclic group Z*_p.
Box System Architecture
In one embodiment of the invention, box B comprises two distinct modules with an extremely narrow interface. The first module is a communications module, which may comprise a communications processor, a simplified file-transfer protocol and a local disk. As a simpler alternative, the communications module may comprise a slot into which an encrypted DVD can be inserted along with a DVD reader. The second module is a crypto module that is responsible for the key-exchange protocol and for the decryption of the encrypted digital content. The interface between the two modules is a one-way communications channel which enables the communications module to transmit the encrypted bitstream to the crypto module.
The Physical Security of the Player
In one embodiment of the invention, the crypto module, which includes the key-exchange module and the decryption module, is provided with exceptional physical security. The crypto module is designed to be tamper-proof in a fail-safe way. Faraday cages may be used to eliminate leakage of van Eck radiation. Volatile storage, together with "erase on tamper" deletes all keying information upon tampering with extremely high assurance. Finally, all microelectronics and wires are coated with a super glue or a potting compound which destroys the underlying circuitry if they are removed or disturbed.
The tap-proof line that runs out of the decryption module is also protected. Various anti-wiretapping strategies, including the use of piezoelectric materials, are preferably employed to signal the crypto module to "wipe clean".
In one embodiment of the invention, the key-exchange module can deliver the file-segment keys kj to the decryption module as plaintext. An alternative method employs the delivery of the Rijndael-encrypted kj, along with their keys kkj. The decryption module would then perform successive Rijndael decryptions to recover first the kj and, then, the digital content.
Some of the properties of the box which are utilised in one embodiment of the invention are summarised below:
1) the communications module employs any communications medium to obtain the encrypted film: over the Internet, captured from a direct satellite broadcast, read in from a CD-ROM, and so on. The encrypted file is stored on disk or some storage medium nearby;
2) the crypto module has the following features: a) 'idB' and 'pubA' stored in box B allow cheap secure authentication of B to A; b) 'bB' stored in box B allows computation of the session key 'S' used to encrypt/decrypt the 's' film-segment keys kj, 1 <= j <= s. The computation by box B is S = elementA^bB modulo p, where 'elementA' is transmitted in plaintext from A to B, and 'bB' and 'p' are secrets of box B.
The station delivers 's' 256-bit keys kj to the requesting box, which is 256 * s bits altogether. But each of the kj keys was chosen as a genuinely random number using some random physical process. It follows that the concatenation of all the keys kj in ascending order is a plaintext of length 256 * s bits with no redundancy whatsoever, unlike what would be expected if the plaintext were a human-comprehensible message expressed in a natural language such as English.
As their name indicates, one-time pads are never supposed to be used more than once because that would allow an adversary to exploit the redundancy of the underlying plaintext. Transmission of perfectly random plaintext allows the system to realise efficiencies that are forbidden to ordinary plaintext.
Station A and a given box B have a fixed shared secret (the 256-bit quantity that uniquely identifies box B), and a variable shared secret which changes with every invocation of the key-exchange protocol by box B. In one embodiment, the variable shared secret is 20 bits long, but this could be bootstrapped (if necessary, by iteration) to become a longer shared secret.
Either the fixed shared secret or the variable shared secret (or some combination of the two) could be used as a one-time pad to encrypt the random plaintext along one-time-pad lines, in which both encryption and decryption are simple "exclusive or".
In the remainder of this description, the 256-bit session key shall be used to perform a Rijndael encryption of the random plaintext constituted by the 's' kj.
3) 'idB' and 'pubA' (stored in permanent storage) lead to the construction of a session key 'S' for this one-time provision of the (self-destructive) computational ability of B to allow the player to display the film.
4) Session key 'S' allows the 's' film-segment keys kj, 1 <= j <= s, to be built up in temporary storage. They are encrypted and decrypted with session key 'S', using Rijndael. Since kj at 256 bits is much smaller than a film segment, it may be possible to use a Rijndael key that is somewhat smaller than 256 bits. If Rijndael is used for both keys and film, both the key-exchange module and the decryption module can call on the same Rijndael decryptor submodule.
5) "Tamper proof" means that both temporary and permanent storage will be wiped clean if anyone attempts to open the crypto module. "Super glue", piezoelectric techniques, and physical construction together provide layered strong-box or "titanium-box" physical security to the key-like material stored in box B.
Key-Exchange Protocol
A brief description of the key-exchange protocol, where A is the station and B is one of one million boxes registered with the station, is provided below. Standard notation is used. A and B are legitimate parties.
"A --> B: x" denotes the message x sent by A to B. Spoofing is possible so that B does not normally know if the message was indeed from A. "1. A --> B: x" denotes that which the protocol designer intended as the first message of the protocol. The trustworthiness of the external world cannot be assumed so this too must be independently verified.
"{x}k" means x encrypted under k.
"[x]k^-1" means x signed under k^-1, the key that "inverts" k.
This notation recognises that the key pairs used in cryptosystems come in pairs, where one key allows encryption and the other key (the same key in symmetric-key systems) allows decryption. The private decryption key is used to generate digital signatures.
Implementation
Each key-exchange protocol step is followed by a description in simple English.
1. B --> A: {Step1 (B to A), movie, idB, numberB, MAC}pubA
Box B initiates one instance of the key-exchange protocol with Station A by sending him this message. Box B identifies the protocol step, the movie, and provides his genuinely-random 256-bit unique identification number 'idB'.
'NumberB' is the number of times this box has initiated this key-exchange protocol. 'MAC' is a message-authentication code implemented by a keyed hash function. This message is encrypted with station A's quasi-public key 'pubA'. 'NumberB' will be incremented by one before this protocol is invoked by box B again.
2. A --> B: <Step2 (A to B), elementA, numberB, MAC> This message is sent in the clear with integrity and authentication checks. In particular, the message-authentication code (MAC) is [h(m)]priA, that is the hash of the entire message preceding the MAC digitally signed by station A. 'NumberB' could be camouflaged if this is desired. 'ElementA' is randomly selected by station A as an element of the large cyclic group managed by A. When box B receives this message, it is either discarded or else allows box B to compute the session key S = elementA^bB. At this point, both station A and box B share the secret session key 'S', which is unavailable to anyone else even though 'elementA' was sent in the clear.
3. B --> A: {Step3 (B to A), ack}S Box B acknowledges successful computation of session key 'S'.
4. A --> B: {Step4 (A to B), segment size, s}S
The station provides some information about the file.
5. A --> B: {Step5 (A to B), j, kj}S, for 1 <= j <= s.
The station transmits all 's' film-segment keys kj to box B. Individual keys may be sent as separate messages or all keys may be sent as one long message. The conservative approach is to use a suitably-sized 'S' as a Rijndael key and encrypt each kj, or the concatenation of all kj, with the Rijndael algorithm.
6. B --> A: {Step6 (B to A), ack}S
Box B acknowledges successful termination of this instance of the key-exchange protocol. Upon recovery of all the fragment keys kj, session key 'S' is destroyed.
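Steps 1 and 2 of the protocol, together with the box-to-station authentication on 'idB' and 'pubA' described earlier, as an added Go example that is not the patent's code: {...}pubA is realised with RSA-OAEP under station A's 2048-bit key, the MAC of step 1 with HMAC-SHA256 keyed by the shared secret idB, and [h(m)]priA of step 2 with an RSA PKCS#1 v1.5 signature over the SHA-256 hash of the message. The byte layouts of the two messages, the Go names, and the toy group in main (p = 1019 = 2*509+1, generator 2) are assumptions of this example; pubA/priA, idB, numberB, elementA, b and p are the text's quantities.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// Station A: its RSA pair (pubA, priA), the group (p, alpha) and, per registered box (keyed by idB), alpha^b mod p.
type Station struct {
	priA     *rsa.PrivateKey
	p, alpha *big.Int
	alphaB   map[string]*big.Int
}

// Box B: idB (shared with A), burned-in b and p, station A's pubA, and its invocation counter.
type Box struct {
	idB     []byte
	b, p    *big.Int
	pubA    *rsa.PublicKey
	numberB uint64
}

func u64(v uint64) []byte         { b := make([]byte, 8); binary.BigEndian.PutUint64(b, v); return b }
func hashOf(m []byte) []byte      { h := sha256.Sum256(m); return h[:] }
func macOf(key, m []byte) []byte  { h := hmac.New(sha256.New, key); h.Write(m); return h.Sum(nil) }
func pMinus2(p *big.Int) *big.Int { return new(big.Int).Sub(p, big.NewInt(2)) }

func NewStation(p, alpha *big.Int) (*Station, error) {
	priA, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Station{priA, p, alpha, map[string]*big.Int{}}, err
}

// RegisterBox draws a 256-bit idB and b uniform in [1, p-2], burns both into a new box and keeps alpha^b.
func (st *Station) RegisterBox() *Box {
	idB := make([]byte, 32)
	rand.Read(idB)
	b, _ := rand.Int(rand.Reader, pMinus2(st.p)) // [0, p-3], shifted into [1, p-2] below
	st.alphaB[string(idB)] = new(big.Int).Exp(st.alpha, b.Add(b, big.NewInt(1)), st.p)
	return &Box{idB: idB, b: b, p: st.p, pubA: &st.priA.PublicKey}
}

// 1. B --> A: {Step1 (B to A), movie, idB, numberB, MAC}pubA. MAC is HMAC-SHA256 keyed with
// idB over the preceding fields; the whole message is then RSA-OAEP encrypted under pubA.
func (bx *Box) Step1(movie string) ([]byte, error) {
	bx.numberB++ // the number of times this box has initiated the protocol
	m := bytes.Join([][]byte{[]byte("Step1"), bx.idB, u64(bx.numberB), []byte(movie)}, nil)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, bx.pubA, append(m, macOf(bx.idB, m)...), nil)
}

// 2. A --> B: <Step2 (A to B), elementA, numberB, [h(m)]priA>, sent in the clear. A recomputes the
// MAC under the stored idB (this authenticates B), picks x, signs the SHA-256 hash of its reply
// with priA, and returns the reply together with its own copy of S.
func (st *Station) Step2(c1 []byte) ([]byte, *big.Int, error) {
	m, err := rsa.DecryptOAEP(sha256.New(), nil, st.priA, c1, nil)
	if err != nil || len(m) < 77 || string(m[:5]) != "Step1" {
		return nil, nil, errors.New("step1: malformed")
	}
	idB, numberB, tag := string(m[5:37]), binary.BigEndian.Uint64(m[37:45]), m[len(m)-32:]
	alphaB, ok := st.alphaB[idB]
	if !ok || !hmac.Equal(macOf([]byte(idB), m[:len(m)-32]), tag) {
		return nil, nil, errors.New("step1: box authentication failed")
	}
	var x, elementA *big.Int
	for elementA == nil || elementA.Cmp(pMinus2(st.p)) > 0 { // never send p-1, the order-2 element
		x, _ = rand.Int(rand.Reader, pMinus2(st.p))
		elementA = new(big.Int).Exp(st.alpha, x.Add(x, big.NewInt(1)), st.p)
	}
	m2 := bytes.Join([][]byte{[]byte("Step2"), u64(numberB), elementA.Bytes()}, nil)
	sig, err := rsa.SignPKCS1v15(rand.Reader, st.priA, crypto.SHA256, hashOf(m2))
	return append(m2, sig...), new(big.Int).Exp(alphaB, x, st.p), err // S = (alpha^b)^x
}

// ReceiveStep2 is B's side of step 2: verify A's signature and the echoed numberB, reject a
// degenerate elementA, then compute S = elementA^b mod p, which equals A's (alpha^b)^x.
func (bx *Box) ReceiveStep2(m2 []byte) (*big.Int, error) {
	n := len(m2) - 256 // the RSA-2048 signature is the trailing 256 bytes
	if n < 13 || rsa.VerifyPKCS1v15(bx.pubA, crypto.SHA256, hashOf(m2[:n]), m2[n:]) != nil ||
		string(m2[:5]) != "Step2" || binary.BigEndian.Uint64(m2[5:13]) != bx.numberB {
		return nil, errors.New("step2: signature or numberB check failed")
	}
	elementA := new(big.Int).SetBytes(m2[13:n])
	if elementA.Cmp(big.NewInt(2)) < 0 || elementA.Cmp(pMinus2(bx.p)) > 0 {
		return nil, errors.New("step2: elementA outside [2, p-2]")
	}
	return new(big.Int).Exp(elementA, bx.b, bx.p), nil
}

func main() {
	st, _ := NewStation(big.NewInt(1019), big.NewInt(2)) // toy group p = 2*509+1, generator 2
	bx := st.RegisterBox()
	c1, _ := bx.Step1("example-film")
	m2, sA, _ := st.Step2(c1)
	sB, err := bx.ReceiveStep2(m2)
	fmt.Println("err:", err, "session keys agree:", err == nil && sA.Cmp(sB) == 0)
}
```

ReceiveStep2 accepts a reply only if the signature verifies and the echoed numberB equals the one the box just sent, which binds A's elementA to this instance of the protocol. A deployment should also keep, per idB, the highest numberB it has accepted and refuse any step-1 message that does not exceed it, so that a captured step-1 ciphertext cannot be replayed; the counter the text carries in both messages is what makes that comparison possible.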
Decryption of Digital Content
Box B has access to 's' encrypted film-segments cj, 1 <= j <= s. He also has access (possibly all at once, possibly just in time) to 's' Rijndael symmetric-key decryption keys kj, 1 <= j <= s. There is great flexibility at this point. Depending on the ability to buffer within the decryption module, the segments may be decrypted in sequential order, in some other order, or even in parallel.
In the simplest case, the fragments will be decoded and sent in order to the player by secure cable. There is a clear division in time. When the box is free-standing from the player, the system guards the plaintext MPEG (in this example) signal until it enters the player through the digital input port. As soon as key kj is used to decrypt segment cj, kj is destroyed.
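Steps 5 and 6 of the key-exchange protocol and the segment decryption just described, as an added Go example that is not the patent's code: the station encrypts each segment under its own random 256-bit key, delivers all s keys in one message {Step5, k1..ks}S (the text allows one long message), and the box's decryption module destroys S once the keys sit in temporary storage and destroys each kj the moment its segment has been decrypted. AES-256-GCM stands in for Rijndael (AES is the standardised 128-bit-block Rijndael; GCM adds an integrity check the text does not specify); the message layout, the Go names and the sample bitstream are this example's assumptions, and S is taken as already agreed in steps 1 to 3.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// seal and open realise {x}key with AES-256-GCM (Rijndael); the random 96-bit nonce is prefixed.
func seal(key, pt []byte) []byte {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, msg []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(msg) < 12 {
		return nil, errors.New("bad key or message")
	}
	g, _ := cipher.NewGCM(blk)
	return g.Open(nil, msg[:12], msg[12:], nil)
}

// wipe overwrites key material in place; "destroyed" in the text means exactly this.
func wipe(b []byte) { for i := range b { b[i] = 0 } }

// EncryptFilm (station side): split the film into segSize-byte segments, each under its own fresh 256-bit kj.
func EncryptFilm(film []byte, segSize int) (segments, keys [][]byte) {
	for off := 0; off < len(film); off += segSize {
		end := off + segSize
		if end > len(film) {
			end = len(film)
		}
		kj := make([]byte, 32)
		rand.Read(kj)
		segments, keys = append(segments, seal(kj, film[off:end])), append(keys, kj)
	}
	return segments, keys
}

// DeliverKeys is step 5 from A with all s keys in one long message: {Step5 (A to B), k1..ks}S.
func DeliverKeys(S []byte, keys [][]byte) []byte {
	return seal(S, append([]byte("Step5"), bytes.Join(keys, nil)...))
}

// DecryptionModule is the crypto module's temporary key store: a kj lives here only until it is used once.
type DecryptionModule struct{ keys map[uint32][]byte }

// ReceiveKeys is step 5 on B: recover every kj into temporary storage, then destroy S.
func ReceiveKeys(S, msg []byte) (*DecryptionModule, error) {
	defer wipe(S) // S is destroyed once the kj are recovered (or the message is rejected)
	pt, err := open(S, msg)
	if err != nil || len(pt) < 5 || string(pt[:5]) != "Step5" || (len(pt)-5)%32 != 0 {
		return nil, errors.New("step5: rejected message")
	}
	dm := &DecryptionModule{keys: map[uint32][]byte{}}
	for j, off := uint32(1), 5; off < len(pt); j, off = j+1, off+32 {
		dm.keys[j] = pt[off : off+32]
	}
	return dm, nil
}

// DecryptSegment decrypts cj with kj and destroys kj at once, whether or not decryption
// succeeded, so no key is ever usable a second time (claims 2 to 4).
func (dm *DecryptionModule) DecryptSegment(j uint32, cj []byte) ([]byte, error) {
	kj, ok := dm.keys[j]
	if !ok {
		return nil, fmt.Errorf("k%d never delivered or already destroyed", j)
	}
	defer func() { wipe(kj); delete(dm.keys, j) }()
	return open(kj, cj)
}

// PlayInOrder is the simplest case in the text: decode c1..cs in sequence for the player.
func PlayInOrder(dm *DecryptionModule, segments [][]byte) ([]byte, error) {
	var out []byte
	for j, cj := range segments {
		pt, err := dm.DecryptSegment(uint32(j+1), cj)
		if err != nil {
			return nil, err
		}
		out = append(out, pt...)
	}
	return out, nil
}

func main() {
	film := bytes.Repeat([]byte("constructed sample bitstream "), 40) // stand-in for the MPEG file
	segments, keys := EncryptFilm(film, 256)
	S := make([]byte, 32) // session key from steps 1 to 3, assumed already agreed
	rand.Read(S)
	dm, _ := ReceiveKeys(append([]byte(nil), S...), DeliverKeys(S, keys)) // B works on its own copy of S
	out, err := PlayInOrder(dm, segments)
	fmt.Println("played ok:", err == nil && bytes.Equal(out, film), "keys left:", len(dm.keys))
}
```

Because DecryptSegment wipes kj in a deferred function, a segment that fails authentication still consumes its key, so a corrupted or substituted cj cannot be retried against the same key; the module also serves the out-of-order and parallel cases the text mentions, since any j whose key is still held can be decrypted next.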
Installation & Security of the Box
In one embodiment of the invention, a customised cable is used to connect the crypto module to the subscriber's player. The box may be embedded inside the player. Any tampering with the cable or the connection to the digital input port causes a shutdown of the entire crypto module and the erasure of all permanent and temporary storage within the crypto module. A description of other features of the box follows.
1) In permanent box storage, 'idB' and 'bB' are protected with extreme care, that is the tamper-proof "titanium box" must guarantee that these two bit values cannot be captured even if the box is physically attacked.
2) The fragment keys kj, 1 <= j <= s, are protected. Their physical presence inside the crypto module is relatively brief. The session key 'S' is also quite sensitive. It can be used after the fact to recover the kj.
3) It may be preferable to use distinct session keys to encrypt distinct segment keys. This could improve flexibility and efficiency, as well as increase security.
Although the present invention has been described in detail with reference to one or more preferred embodiments, persons possessing ordinary skill in the art to which this invention pertains will appreciate that various modifications and enhancements may be made without departing from the scope of the claims that follow. The various alternatives for providing a highly secure data distribution system that have been disclosed above are intended to educate the reader about preferred embodiments of the invention and are not intended to constrain the limits of the invention or the scope of claims.

Claims

1. A method of securing data transmitted to a user device from a content provider; including the steps of: providing for authentication of the user device; encrypting a data file for transmission to the user device; transmitting to the user device the data file and an encryption key specific to the transmission; decrypting the data file; and destroying the encryption key.
2. A method according to claim 1, including the steps of: dividing the data file into a plurality of segments; assigning to each data segment a segment encryption key; transmitting to the user device the plurality of data segments and the plurality of segment encryption keys; wherein the segment encryption keys are destroyed once each data segment has been decrypted.
3. A method according to claim 2, wherein the or each encryption key is destroyed immediately after decryption of the associated data segment.
4. A method according to claim 2 or 3, wherein each encryption key is destroyed prior to decryption of any other data segment.
5. A method according to any preceding claim, wherein the or each encryption key is useable within a predetermined time period.
6. A method according to any preceding claim, wherein the or each encryption key is generated from an unpredictable and/or irreproducible number source.
7. A method according to claim 6, wherein the or each encryption key is produced from a random number source.
8. A method according to claim 7, wherein the random source is a white noise generator.
9. A method according to any preceding claim, wherein the or each encryption key is a 256-bit key.
10. A method according to any preceding claim, wherein the or each encryption key is a Rijndael key.
11. A method according to any preceding claim, wherein the user device is provided with a public encryption key for providing authentication of the user device.
12. A method according to any preceding claim, including the step of providing a session encryption key usable during a transmission session between the content provider and a user device.
13. A method according to any preceding claim, wherein authentication of a user device is carried out on the basis of a short data signal.
14. A method according to claim 13, wherein the short data signal is a few bits in length.
15. A system for transmitting data securely to a user device from a content provider; including: means operable to provide for authentication of the user device; encryption means for encrypting a data file for transmission to the user device; means for transmitting to the user device the data file and an encryption key specific to the transmission; decryption means for decrypting the data file; and means for destroying the encryption key.
16. A system according to claim 15, including: means for dividing the data file into a plurality of segments; means for assigning to each data segment a segment encryption key; wherein the transmitting means is operable to transmit to the user device the plurality of data segments and the plurality of segment encryption keys and the destroying means is operable to destroy the segment encryption keys once each data segment has been decrypted.
17. A system according to claim 16, wherein destroying means is operable to destroy the or each encryption key immediately after decryption of the associated data segment.
18. A system according to claim 16 or 17, wherein the destroying means is operable to destroy each encryption key prior to decryption of any other data segment.
19. A system according to any one of claims 15 to 18, including an unpredictable and/or irreproducible number source generating the or each encryption key.
20. A system according to claim 19, wherein the unpredictable and/or irreproducible number source is a random number source.
21. A system according to claim 20, wherein the random source is a white noise generator.
22. A system according to any one of claims 15 to 21, including means for providing a session encryption key usable during a transmission session between the content provider and a user device.
23. A system according to any one of claims 15 to 22, wherein the user device is provided with a memory for storage of authentication data which is destroyed upon physical opening or tampering of the device.
24. A system according to any one of claims 15 to 22, wherein the electronic components of the user device are covered in a glue or potting compound.
25. A system according to any one of claims 15 to 24, including tamper detection means for detecting tampering of the user device, the tamper detection means being operable to erase all stored data in the user device upon the detection of tampering.
26. A system according to any one of claims 15 to 25, wherein the user device does not permanently store any of the encryption keys apart from a public encryption key.
27. A system according to any one of claims 15 to 26, wherein the user device and the content provider are operable to provide for the authentication of the user device on the basis of a short data signal.
28. A system according to claim 27, wherein the short data signal is a few bits in length.
PCT/GB2002/005612 2000-05-25 2002-12-11 Method and apparatus for secure delivery of data WO2004054260A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
AU2002356281A AU2002356281A1 (en) 2002-12-11 2002-12-11 Method and apparatus for secure delivery of data
PCT/GB2002/005612 WO2004054260A1 (en) 2002-12-11 2002-12-11 Method and apparatus for secure delivery of data
US10/459,727 US20040259496A1 (en) 2000-05-25 2003-06-11 Construction project data distribution & update system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/GB2002/005612 WO2004054260A1 (en) 2002-12-11 2002-12-11 Method and apparatus for secure delivery of data

Publications (1)

Publication Number Publication Date
WO2004054260A1 true WO2004054260A1 (en) 2004-06-24

Family

ID=32482478

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2002/005612 WO2004054260A1 (en) 2000-05-25 2002-12-11 Method and apparatus for secure delivery of data

Country Status (2)

Country Link
AU (1) AU2002356281A1 (en)
WO (1) WO2004054260A1 (en)

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
DAWSON E ET AL: "Key management in a non-trusted distributed environment", FUTURE GENERATIONS COMPUTER SYSTEMS, ELSEVIER SCIENCE PUBLISHERS. AMSTERDAM, NL, vol. 16, no. 4, February 2000 (2000-02-01), pages 319 - 329, XP004185844, ISSN: 0167-739X *
RAMASWAMY R: "APPLICATION OF A KEY GENERATION AND DISTRIBUTION ALGORITHM FOR SECURE COMMUNICATION IN OPEN SYSTEMS INTERCONNECTION ARCHITECTURE", PROCEEDINGS OF THE INTERNATIONAL CARNAHAN CONFERENCE ON SECURITY TECHNOLOGY. ZURICH, OCT. 3 - 5, 1989, ZURICH: ETH ZENTRUM-KT, CH, 1989, pages 175 - 180, XP000089313 *
SMITH S W ET AL: "Building a high-performance, programmable secure coprocessor", COMPUTER NETWORKS, ELSEVIER SCIENCE PUBLISHERS B.V., AMSTERDAM, NL, vol. 31, no. 8, 23 April 1999 (1999-04-23), pages 831 - 860, XP004304521, ISSN: 1389-1286 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2452479A (en) * 2007-08-31 2009-03-11 Sony Corp Content protection through deletion of a decryption key in response to a predetermined event
US8130962B2 (en) 2007-08-31 2012-03-06 Sony Corporation Content protection method and apparatus
CN106130726A (en) * 2016-08-26 2016-11-16 北京信安世纪科技有限公司 A kind of encryption method, decryption method, electronic equipment and electronic installation

Also Published As

Publication number Publication date
AU2002356281A1 (en) 2004-06-30

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SK SL TJ TM TN TR TT TZ UA UG UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP