WO2004112385A1 - Adapter arrangement, method, system and user terminal enabling conditional access - Google Patents

Adapter arrangement, method, system and user terminal enabling conditional access

Info

Publication number
WO2004112385A1
Authority
WO
WIPO (PCT)
Prior art keywords
virtual
module
user terminal
adapter arrangement
card
Prior art date
Application number
PCT/SE2004/000931
Other languages
English (en)
Other versions
WO2004112385A9 (fr)
Inventor
Ted Olsson
Original Assignee
Television And Wireless Applications Europe Ab
Priority date
Filing date
Publication date
Application filed by Television And Wireless Applications Europe Ab
Priority to EP04748990A (EP1639812A1)
Publication of WO2004112385A1
Publication of WO2004112385A9

Classifications

    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04N - PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 - Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40 - Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/41 - Structure of client; Structure of client peripherals
    • H04N21/418 - External card to be used in combination with the client device, e.g. for conditional access
    • H04N21/4181 - External card to be used in combination with the client device, e.g. for conditional access for conditional access
    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04N - PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 - Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40 - Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43 - Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N21/44 - Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream or rendering scenes according to encoded video stream scene graphs
    • H04N21/4405 - Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream or rendering scenes according to encoded video stream scene graphs involving video stream decryption
    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04N - PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 - Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40 - Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/45 - Management operations performed by the client for facilitating the reception of or the interaction with the content or administrating data related to the end-user or to the client device itself, e.g. learning user preferences for recommending movies, resolving scheduling conflicts
    • H04N21/462 - Content or additional data management, e.g. creating a master electronic program guide from data received from the Internet and a Head-end, controlling the complexity of a video stream by scaling the resolution or bit-rate based on the client capabilities
    • H04N21/4623 - Processing of entitlement messages, e.g. ECM [Entitlement Control Message] or EMM [Entitlement Management Message]
    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04N - PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00 - Television systems
    • H04N7/16 - Analogue secrecy systems; Analogue subscription systems
    • H04N7/162 - Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing
    • H04N7/163 - Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing by receiver means only
    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04N - PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00 - Television systems
    • H04N7/16 - Analogue secrecy systems; Analogue subscription systems
    • H04N7/173 - Analogue secrecy systems; Analogue subscription systems with two-way working, e.g. subscriber sending a programme selection signal
    • H04N7/17309 - Transmission or handling of upstream communications
    • H04N7/17318 - Direct or substantially direct transmission and handling of requests

Definitions

  • the present invention is related to an adapter arrangement, a method, a system and a user terminal for enabling access to a system distributing different services via a distribution network, and in which a user terminal is used to decode these services, in accordance with the preamble of claims 1, 19, 31 and 40 respectively.
  • a user of a pay-TV system is equipped with a decoder that is connected between a TV tap and a TV set at the user's premises.
  • a main part in the system transmits encoded and uncoded signals that the decoder receives via the TV tap.
  • the encoded and uncoded signals may represent analogue or digitally encoded and uncoded TV programmes/channels, and the decoder may then decrypt parts of, or all of the encoded signals in dependence of the access rights of the user, and thereby the access rights of the decoder, i.e. which channels/programmes the user pays to gain access to.
  • Recent systems are often digital, i.e. the system broadcasts digital signals that are decoded by a digital decoder.
  • An advantage with digital systems versus analogue systems is that a considerably larger amount of data may be transmitted, and thereby a considerably larger number of TV channels.
  • the larger capacity in the digital systems also enables space for other services, for example interactive services such as games and surfing the Internet, where a user via a return channel in the system may affect and interact with what is shown on the TV set.
  • Common for both analogue and digital pay-TV systems is that a user has to authenticate himself to the system, and from the system receive authorization information in order to gain access to the services.
  • CA card (Consumer Access), also called program card
  • the CA card is a so called smart card that the user obtains from the pay-TV system operator. The user inserts his CA card into a card reader in his decoder and may then start to use the decoder.
  • the safety functions of the decoder read the CA card, and the authorization information received by the decoder from the CA card may include a key to a certain service that the user has ordered, and an indication of for example which channels the user has paid for and thus should have access to. If the authorization information indicates that the user has the right to watch a certain channel, the decoder decrypts this channel.
  • a problem with current decoders is that they have to be manufactured for a particular digital TV system. This also leads to a second problem with current systems, which is that a decoder that is intended for use in a particular digital TV system generally cannot be used in another, and a user that wishes to get access to various digital TV systems must therefore obtain a plurality of decoders. This is both costly and inconvenient.
  • Another object of the present invention is to provide a method for enabling access to a distribution system. This object is achieved by a method as defined in the characterising portion of claim 20.
  • Another object of the present invention is to provide a system that distributes different services via a distribution network. This object is achieved by a system as defined in the characterising portion of claim 31.
  • Another object of the present invention is to provide a user terminal for use with an adapter arrangement. This object is achieved by a user terminal as defined in the characterising portion of claim 40.
  • the present invention provides an adapter arrangement that comprises means for enabling download of a virtual CA (Conditional Access) module to a user terminal via a distribution network.
  • the virtual CA module may substantially include functions corresponding to the functions of a conventional CA module. This has the advantage that a user terminal does not have to be provided with distribution network specific functionality for a particular distribution network during the manufacturing process.
  • the adapter arrangement may further enable download of a virtual CA card, which substantially includes functions corresponding to functions of a conventional CA card.
  • the virtual CA module and/or virtual CA card may be downloaded via the distribution network via an extra data stream from a system unit, a decoder data injector.
  • This has the advantage that existing infrastructure may be maintained and the new functionality may be implemented as an extra data stream that is parallel to the existing data streams. Further, a system unit is provided that is easily adapted to a plurality of different systems.
  • the adapter arrangement may be arranged to be capable of receiving CA modules and/or CA cards from a plurality of distribution networks. This has the advantage that the adapter arrangement may enable download of a virtual CA module and/or a virtual CA card from an arbitrary distribution system.
  • a user terminal may thus be manufactured as system independent and may be moved between various distribution networks. A user may thus change service supplier as desired without the need for purchasing or otherwise obtaining a new user terminal at the change.
  • the adapter arrangement may be arranged to be adapted to a plurality of user terminals. This has the advantage that a plurality of different user terminals may be arranged to operate in a plurality of different distribution networks, which results in that a user may take any user terminal provided with an adapter arrangement according to the invention and use it in any suitable distribution network.
  • the adapter arrangement may be arranged to enable contemporary storage of two or more CA modules and/or CA cards, whereupon the user terminal receives contemporaneous access to two or more distribution systems. This has the advantage that a user terminal may be used for contemporaneous reception of services from a plurality of distribution systems.
  • a downloaded CA module and/or a downloaded CA card may be discarded from the user terminal and replaced with a new downloaded CA module and/or CA card.
  • the virtual CA module and/or the virtual CA card may be stored in a memory in the user terminal.
  • the memory may consist of a flash memory or a RAM memory (Random Access Memory).
  • the use of a flash memory or any other non-volatile memory has the advantage that the virtual CA module and/or the virtual CA card will remain in the memory even when the user terminal is turned off.
  • the download of the virtual CA module and/or the virtual CA card does thus not have to be repeated each time a user wishes to use his terminal.
  • the memory may however consist of a RAM memory. This results in a cheaper terminal since RAM memories generally are less expensive than for example flash memories.
  • the disadvantage is however that the virtual card needs to be downloaded each time the terminal is turned on.
  • the adapter arrangement may include means for secured transfer during the download of the virtual CA module and/or virtual CA card. This has the advantage that fraud by means of interception of sent out virtual CA modules or virtual CA cards is made more difficult.
  • the means for secured transfer may comprise asymmetric and/or symmetric encryption of at least part of the information to be transmitted. This has the advantage that a strong security against fraud is accomplished.
  • the adapter arrangement may be arranged to use built-in security functions of the user terminal, e.g. at download of the virtual CA module and/or virtual CA card, when generating a new set of keys or whenever use of the built-in security functions of the user terminal may be advantageous.
  • This has the advantage that the manufacturer of the user terminal may provide the user terminal with security functions that the adapter arrangement is adapted to use.
  • the download of a CA module and/or a CA card may be ordered by a user through the use of his mobile terminal, whereupon a server arrangement connected to a mobile communication network sends an order to a system unit to create the CA module and/or CA card and transmit this to the user terminal via the distribution network.
  • the user terminal may be a set-top-box, part of a TV set or a computer.
  • the functionality of the user terminal may advantageously be integrated in a TV set since it according to the invention is possible to obtain a distribution network independent user terminal.
  • the present invention may be practised in a digital TV network, giving all of the above stated advantages compared to current digital TV networks.
  • the services may comprise at least one of the following: TV channels, TV programmes, movies, games or any kind of encrypted data.
  • the adapter arrangement may be composed of a computer program product stored on a computer readable memory. This has the advantage that the adapter arrangement easily can be made as an integrated part of the user terminal.
  • Fig. 1 schematically shows the different parts of a conventional pay-TV system in accordance with the SimulCrypt architecture defined by DVB.
  • Fig. 2 shows the present invention in a conventional pay-TV system.
  • Fig. 3 shows an alternative embodiment of the present invention in a conventional pay-TV system.
  • Fig. 4 shows another embodiment of the present invention.
  • Figs. 5a and 5b show STB priming and initialisation flow diagrams.
  • Fig. 6 shows how a virtual CA module and a virtual CA card in accordance with the present invention can be downloaded to a user.
  • set-top-box refers to a terminal at a user's premises having a built-in decoder in order to decode incoming encrypted signals into a format suited for displaying on a TV-set.
  • SimulCrypt architecture, which is the architecture that CA-systems (Conditional Access) of today utilize, a person skilled in the art realises that the invention may be used in other systems as well.
  • the SimulCrypt architecture comprises four constituent parts: Subscriber Authorisation System (SAS) 14, EMM-injector 13 generating authorisation information, ECM-injector 11 generating control word messages, and finally a decoder module at a user's premises.
  • Fig. 1 shows a conventional pay-TV system 1, in which a preferred embodiment of the present invention may be applied.
  • the system 1 comprises a TV-set 2 and a set-top-box (STB) 3 connected to the TV-set 2.
  • STB 3 and/or the TV-set 2 is/are connected to a distribution network 4, which may consist of a terrestrial TV distribution network, a satellite TV distribution network or a cable TV network.
  • the distribution network 4 is today often a digital distribution network, in which standards developed by DVB (Digital Video Broadcasting) are used for information transfer.
  • the described system is essentially a unidirectional system, in which there is no return channel on which a supplier can receive a verification from a client, nor is there a way to verify that a receiver is an authorized receiver.
  • a unidirectional distribution network lacks the possibility of a handshake procedure in the return channel.
  • a multiplexer 5 is also connected to the distribution network 4, combining the information 6, 7, 8, 9, 10 to be sent via the distribution network 4 and seeing to it that the information 6, 7, 8, 9, 10 is broadcast.
  • the information 6, 7, 8, 9, 10 comprises partly the TV channels and TV programmes or other video information 6 to be broadcast via the distribution network 4, partly radio and other audio information (for example the sound of the TV programmes) 7, partly for example games and other information or data 8 such as for example betting information, teletext and subtitling, and partly control information 9, 10, which will be described in detail below.
  • Each provider of pay-TV services has its own pay-TV system and in order to enable coexistence of several pay-TV systems in one and the same distribution network a standard called SimulCrypt has been developed in order to enable control information from several service providers to be broadcast via the same distribution network.
  • a first control information 9 consists of control word messages, ECM messages (Entitlement Control Message) 9, generated in an ECM message injector 11.
  • the ECM messages 9 include information (keys for example) in order to enable decrypting of different broadcasts (TV channels for example).
  • a certain ECM message 9 can be broadcast often, for example several times each second, in order to be immediately available to a new viewer.
  • a security module 12 in the STB 3 reads the ECM messages 9 together with the EMM messages 10 in order to receive authorisation and keys to decrypt the different broadcasts.
  • the security module 12, also called CA module, may constitute an integrated part of the STB 3 or constitute a separate module to be inserted into a so called common interface port in the STB 3.
  • the identity of the user is stored on a smart card, a CA card or program card, that the user today obtains from an operator and inserts into the STB 3, and that is connected to the security module 12 via a card reader.
  • Authorisation information used in a specific STB 3 is received from one or more EMM messages 10 (Entitlement Management Message) constituting the second control information 10 and thus used in order to convey the authorities of the user to the STB.
  • the EMM messages 10 are generated by an EMM injector 13 and contain information about a receiver's identity and which services the receiver should decrypt.
  • the security module 12 in the STB 3 reads the EMM messages 10 in order to know what the STB 3 should decrypt and make available for the user, and then uses the ECM messages 9 as decrypting keys in order to be able to decrypt the chosen services.
  • the authorities that a user should have, i.e. which EMM messages 10 should be sent to a user's STB 3, is controlled by a Subscriber Authorisation System, SAS 14, which is a system acting on commands from a Subscriber Management System, SMS 15.
  • the SMS 15 is a system managing user information and sending requests for activation of services to the SAS 14 that translates the information from the SMS 15 to EMM messages 10 and sees to it that the security module 12 at the user's premises receives correct authorisation in order for correct service to be decoded.
  • the SMS 15 is more or less unique to each service provider and can be designed such that it is an operator that manually enters which users should have which services.
  • In fig. 2 is shown a conventional CA system according to fig. 1, which has a new system node added.
  • This system node is a decoder data injector, in this embodiment called a VCAM injector 17 (Virtual Conditional Access Module) that has as its task to create virtual CA modules.
  • These virtual CA modules contain the same information and functions as in current physical CA modules of today or corresponding functionality that is integrated in STBs of today, that is, the parts that e.g. handle CA card reading and management keys that are used to decrypt EMMs, and out of which EMMs the operational keys are extracted and used to decrypt ECMs to recover the control word.
  • the control word is sent to the descrambler to descramble the video signal.
  • a user that wishes to get access to a particular CA system may according to the invention, instead of purchasing a STB that is manufactured for the particular CA system operator, purchase or otherwise obtain a more general STB that does not comprise CA module functionality of a particular system.
  • a new virtual CA module is created and put in a so called carousel, being a circular list containing items, into which the program codes for the different virtual CA modules are entered. The items remain in the list during a predetermined time period before they are removed. This time period should correspond to the time period needed for a STB 3 to be able to download the virtual CA module.
  • After download of the virtual CA module the STB is adapted to operate in the particular CA system the virtual CA module has been downloaded for.
  • the STB now has the same functionality as a conventional STB, the STB may comprise a card reader into which a conventional CA card for the CA system may be inserted. The user may then use the STB in the same way as a conventional STB with a conventional CA card. It is not important for the invention which CA system that is used, the VCAM injector 17 may easily be adapted to different systems.
  • VCAM (Virtual Conditional Access Module) data stream 18
  • the CA module for a particular CA system may be discarded and replaced by a new virtual CA module for enabling access to another CA system if a user later decides that he wishes to change to another CA system.
  • the present invention thus also solves the problem with current systems that a STB that is intended for use in one CA system generally may not be used in another CA system.
  • a function in the STB 3 determines whether the received information is to be decoded or not, i.e. whether the user has authorization to access certain information, as was explained above.
  • a certain STB 3 listens to the information stream, now also containing the extra VCAM data stream 18, and receives the virtual CA module intended for that specific STB 3.
  • the received virtual module is stored in a memory 19 in the STB 3, preferably a flash memory in the decoder chip.
  • the advantage of having a flash memory is that the virtual CA module remains in the memory even if the STB 3 is turned off.
  • An alternative is to use an ordinary RAM memory, but then it is required that the virtual CA module is downloaded each time the STB 3 is turned on, which may be perceived as time-consuming by a user.
  • In order to avoid interception and download of a VCAM data stream 18 by an unauthorised user, it can be protected in different ways.
  • One way to make it more difficult for a potential eavesdropper is to encrypt the information, which will be described further below in connection with fig. 4.
  • a user may also enter a code to his/her STB 3 in order to further enhance the security.
  • the user terminal includes a unique identity.
  • the processor in a STB 3 has for example its own unique serial number, which serial number may be used as the unique identity of the STB 3.
  • the hardware has in other words a unique identity.
  • the user may have knowledge of this identity and state it to the CA system supplier during the ordering procedure.
  • the VCAM data stream 18 will then include also this unique identity and thereby the virtual CA module intended for a certain user will only be downloaded to that particular user terminal. This provides a secure way to convey the virtual CA module, and fraud by means of downloading to unauthorized user terminals is made more difficult or avoided entirely.
  • Fig. 3 shows another embodiment of the present invention.
  • the system has another system node, a VCD injector (Virtual Conditional Access Download) 20, the task of which is to create virtual CA cards.
  • handling of CA cards constitutes a large cost for a digital TV operator.
  • WO 03/069911 A1 handles this problem by eliminating the physical CA cards. Instead of having a digital TV operator providing a physical CA card to each user, the system creates virtual CA cards which are downloaded to the STBs.
  • a CA card may be downloaded as well according to the functionality described in WO 03/069911 A1. After download of the CA card, which preferably is also stored in a flash memory in the decoder chip, the STB is both arranged for use in a particular CA system and allows the user to get access to free channels that do not require a subscription or other payment. The user may then in a conventional manner order services or subscriptions in the CA system.
  • the units for transmitting VCAM modules and VCD cards are shown as separate units. These units may however consist of one single decoder data injector. This decoder data injector may also be used to transmit other data to the decoder. Also, in the embodiment in fig. 3 the VCD card may constitute an integrated part of the VCAM module and the VCAM module and the VCD card may thus be transmitted to the STB as one single unit according to the method described with reference to fig. 2.
  • a preferred embodiment of the present invention which enables secure transportation of software regarding conditional access properties, in particular CA modules and virtual CA cards, and which solves the problem with current systems that an STB that is intended for use in a particular distribution network cannot be used in another, and that a user that wishes to get access to several distribution networks has to purchase several different STBs, will now be described with reference to fig. 4.
  • Fig. 4 shows a conditional access system, which, as the system described in figs. 1-3, on the head end side comprises a subscriber management system (SMS) 30 connected to a subscriber authorization system (SAS) 31, which in turn is connected to an EMM encrypter 32 and an ECM encrypter 33, both connected to a multiplexer 34.
  • the services are represented as TV 35, audio 36 and data 37.
  • the multiplexer output is connected to a modulator 38 and a scrambler 39.
  • the modulator modulates the data that is to be transmitted to a suitable transmission format and the scrambler adds a scrambling signal to the data based on control words that are generated by a control word (CW) generator 40.
  • the control words generated by the CW generator are also used to generate ECM messages.
  • the modulated and scrambled signal is broadcast by a transmitter 41, such as a satellite or an antenna and is received at a user's premises by a receiver 42 such as a satellite dish, an antenna, or via a cable for further processing by a user terminal 43 at the user's premises.
  • the user terminal comprises a tuner 44 for tuning to various frequencies in the received signal, where the frequencies correspond to different services such as TV programmes, radio channels or other services.
  • the frequency tuned to is then demodulated by a demodulator 45 and demultiplexed and descrambled so that e.g. a TV programme may be displayed on a TV set 50.
  • the SAS 31 is further connected to a Conditional Access Crypto Module (CACM) 46, which acts as an adapter between a specific operator's SAS 31 and a Soft Security Services function (SSS) 47 and enables data communication between an operator's SAS and the SSS.
  • CACMs 48, 49 connected to the SSS, where each CACM 48, 49 constitutes an adapter between a CA system (the SAS in a CA system) and the SSS 47. This means that only one SSS is needed, irrespective of the number of CA systems present.
  • the CACMs according to the present invention have the advantage that the technology of the present invention may be utilised in different CA systems irrespective of the particular technology used in these systems.
  • TV broadcasting is uni-directional. This complicates achievement of sufficient security since there often is no return channel from a STB in use.
  • the present embodiment utilises a PGP-like (Pretty Good Privacy) technique and PKI (Public Key Infrastructure).
  • a user wishing to get access to a CA system first obtains a STB 43.
  • this STB does not have to be adapted to a particular CA system.
  • the STB comprises standardised functions for handling the incoming signal and data such as tuner 44, demodulator 45, demultiplexer and descrambler.
  • a decoder chip may include security functions that may be used by the present invention, such as ability to store private keys, a root certificate, service provider certificate, a unique chip ID, bus encryption functionality, tamper resistance and integrity protection.
  • the decoder chip manufacturer fetches a CSP (Certificate Signing Provider) signed root certificate (action 1) and generates a public/private key pair.
  • the decoder chip ID is sent (action 2) to the CSP together with the public key (action 3), the decoder chip model & version (action 4) and the date and time (action 5).
  • the CSP is an external PKI instance. In this way the CSP delivers trust between the decoder chip manufacturer and TV broadcasters.
  • the decoder chip is then provided with the CSP root certificate (action 6) together with the generated private key (action 7).
  • the primed decoder chip is then sent to the decoder manufacturer (action 8) together with an adapter arrangement 51 (action 9).
  • the adapter arrangement 51 consists of software that is capable of utilising the security functions provided for in the decoder chip.
  • the adapter arrangement handles e.g. asymmetric and/or symmetric decryption, digital certificates, upgrades, virtual CA modules and virtual smart cards.
  • the adapter arrangement further has a function corresponding to the CACM, i.e. to enable decoder chips from multiple decoder chip manufacturers to work in the system.
  • STBs provided with the adapter arrangement will have a common interface towards the system and a user is thus free to obtain an STB from any manufacturer as long as it is provided with an adapter arrangement 51.
  • the STB is then sent to a retailer for sale (action 10) .
  • the STB When the user has obtained the STB (fig. 5b), by e.g. purchasing it from a retailer, the STB must be adapted to the specific CA system prior to use.
  • This initialisation process may be started by putting the STB into initialisation mode (fig. 5b, action 1) .
  • the STB displays the decoder chip ID (ac- tion 2) .
  • the user then makes a phone call, enters a webpage or sends a mail or a SMS to the CA system operator to provide his user identity, such as name and address (action 3), and STB identity (the chip ID) (action 4) .
  • the CA operator then sends this data (action 5 & 6) along with an ID of the CA operator (action 7), a validity of the future digital certificate (action 8) and subsidy information (action 9) to the CSP 60 via the SAS 31, CACM 46 and SSS 47.
  • the CSP then creates a digital certificate with the information received from the CA system operator and the information previously received from the decoder chip manufacturer, and sends the digital certificate to the CA system operator (action 10).
  • the digital certificate is stored in a data base in the CA system together with other certificates of the CA system operator's customers.
  • a certificate for the operator (the operator's certificate), signed by the CSP, is transmitted to the STB at the end of the initialisation sequence via the CACM, SSS, DDg 52 and DDi 53 (action 11), together with a session key encrypted with the public key of the STB (action 12).
  • the DDg 52 (Decoder Data generator) encrypts the session key with the STB's public key so that only the intended recipient STB is able to decrypt the session key using its private key.
  • the data encrypted by the DDg 52 is then injected into the play-out carousel by a DDi 53 (Decoder Data injector).
  • the carousel is a circular list containing items into which the program codes representing the data to be transmitted are entered.
  • the session key remains in the list during a predetermined time period before it is removed. This time period should correspond to the time period needed for the STB to be able to download the session key.
  • VCAM: virtual conditional access module
  • a virtual CA card is encrypted in the same manner by the session key and transmitted to the STB (action 14), which stores the virtual CA card in the secure memory in the STB.
  • the virtual CA card contains the network address assigned to the STB, management keys for EMM decryption, first free EMMs enabling initial free viewing and other CA data.
  • the user may repeat the initialisation procedure for the next CA system.
  • the number of CA systems to which simultaneous access may be obtained can be pre-programmed and controlled in the decoder chip.
  • the stored VCAM and virtual card may be discarded and replaced by a new VCAM and virtual card for the new CA operator.
  • the VCAM and virtual card may also be discarded and replaced, for example at regular intervals, in order to prevent fraud and make it difficult.
  • the present invention thus has the advantage that it allows the use of a single STB in a plurality of systems, and a user who wishes to get access to various distribution systems therefore need not purchase or otherwise obtain a plurality of decoders, which, as stated above, is both costly and inconvenient.
  • With a special server arrangement 70 described in WO 03/056830 A1 (same applicant), a user is able to create a temporary connection between his/her mobile terminal and an optional STB 3 in the system 1.
  • the server arrangement 70 is used in order to enable a user to download a virtual CA module and/or a virtual card by means of his/her mobile phone.
  • This server arrangement 70 has the task of opening a parallel way to create EMM messages through the SAS 31 and, with the aid of the DDg 52, to create virtual CA modules or virtual CA cards for a certain STB 50.
  • the server arrangement also handles the debiting of ordered services.
  • This identification includes for example that the user first identifies himself through a PIN code towards his SIM card (Subscriber Identity Module) when activating the mobile terminal, after which the SIM card is identified in the mobile communication network via the IMSI number (International Mobile Subscriber Identity) of the SIM card.
  • SIM card: Subscriber Identity Module
  • IMSI number: International Mobile Subscriber Identity
  • the mobile communication network knows who the user is, and a unique user identity, for example in the form of the phone number of the user, is sent together with the set up request to the server arrangement 70, which then uses the information as an identification and debiting basis.
  • When the user has established contact with the server arrangement 70, the user states that he/she wishes to receive a virtual CA module and/or a virtual CA card and an identity of the STB 50 to which the user wishes to have the virtual CA module and/or card delivered. Thereafter the server arrangement 70 sends information to the SAS 31 about the user and which STB 50 is to receive the virtual module and/or virtual card. The SAS then sends information to the DDg 52 via the CACM 46, which translates the information from the SAS 31 into a virtual CA module and/or a virtual CA card and sends an encrypted data stream according to the method described above.
  • the user may order a service (a TV programme for example).
  • An EMM message representing the service is then generated via the SAS 31. This authorisation may be temporary; an EMM message may, for example, be valid for only one service.
  • the server arrangement 70 may be connected to the CACM, SSS or DDg 52 directly.
  • the STB has in the above description been described as a separate unit.
  • the STB functionality may however advantageously constitute an integrated part of a TV set or a computer.

Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an adapter arrangement for enabling access to a distribution network, intended for a user terminal that is designed to receive and/or decode services distributed via a distribution network. The adapter arrangement comprises means for enabling a virtual conditional access (CA) module to be downloaded to the user terminal via the distribution network. The invention also relates to a method, a system and a user terminal.
PCT/SE2004/000931 2003-06-13 2004-06-14 Adapter arrangement, method, system and user terminal for conditional access WO2004112385A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP04748990A EP1639812A1 (fr) 2003-06-13 2004-06-14 Adapter arrangement, method, system and user terminal for conditional access

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SE0301728A SE0301728D0 (sv) 2003-06-13 2003-06-13 Adapter arrangement, method, system and user terminal for conditional access
SE0301728-2 2003-06-13

Publications (2)

Publication Number Publication Date
WO2004112385A1 true WO2004112385A1 (fr) 2004-12-23
WO2004112385A9 WO2004112385A9 (fr) 2005-08-18

Family

ID=29212460

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2004/000931 WO2004112385A1 (fr) 2003-06-13 2004-06-14 Adapter arrangement, method, system and user terminal for conditional access

Country Status (3)

Country Link
EP (1) EP1639812A1 (fr)
SE (1) SE0301728D0 (fr)
WO (1) WO2004112385A1 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100161987A1 (en) * 2008-12-22 2010-06-24 Electronics And Telecommunications Research Institute Downloadable conditional access system service providing apparatus and method
WO2010120627A1 (fr) * 2009-04-13 2010-10-21 Digital Keystone, Inc. Direct IPTV distribution
CN103037255A (zh) * 2011-09-30 2013-04-10 乐金电子(中国)研究开发中心有限公司 Automatic adaptation method for CAM cards
WO2015200370A1 (fr) * 2014-06-23 2015-12-30 Syphermedia International, Inc. Method and apparatus for providing secure internet protocol media services
US9277259B2 (en) 2006-10-13 2016-03-01 Syphermedia International, Inc. Method and apparatus for providing secure internet protocol media services

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0982935A2 (fr) 1998-08-11 2000-03-01 CSELT Centro Studi e Laboratori Telecomunicazioni S.p.A. Method and system for the delivery of digital multimedia services
WO2000025475A1 (fr) 1998-10-23 2000-05-04 Qualcomm Incorporated Subscription portability for wireless systems
WO2001052543A1 (fr) * 2000-01-14 2001-07-19 Diva Systems Corporation Conditional access to video-on-demand systems and associated security
US20020146125A1 (en) * 2001-03-14 2002-10-10 Ahmet Eskicioglu CA system for broadcast DTV using multiple keys for different service providers and service areas
US20030093812A1 (en) * 2001-11-09 2003-05-15 Sony Corporation System and method for delivering data to an information appliance using the ISO07816
WO2003069911A1 (fr) * 2001-12-14 2003-08-21 Television And Wireless Applications Europe Ab Method and system for conditional access
DE10216384A1 (de) * 2002-04-12 2003-10-30 Scm Microsystems Gmbh Access control network

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9277259B2 (en) 2006-10-13 2016-03-01 Syphermedia International, Inc. Method and apparatus for providing secure internet protocol media services
US20100161987A1 (en) * 2008-12-22 2010-06-24 Electronics And Telecommunications Research Institute Downloadable conditional access system service providing apparatus and method
WO2010120627A1 (fr) * 2009-04-13 2010-10-21 Digital Keystone, Inc. Direct IPTV distribution
US8610827B2 (en) 2009-04-13 2013-12-17 Digital Keystone, Inc. Direct IPTV distribution
CN103037255A (zh) * 2011-09-30 2013-04-10 乐金电子(中国)研究开发中心有限公司 Automatic adaptation method for CAM cards
CN103037255B (zh) * 2011-09-30 2017-06-30 乐金电子(中国)研究开发中心有限公司 Automatic adaptation method for CAM cards
WO2015200370A1 (fr) * 2014-06-23 2015-12-30 Syphermedia International, Inc. Method and apparatus for providing secure internet protocol media services

Also Published As

Publication number Publication date
WO2004112385A9 (fr) 2005-08-18
EP1639812A1 (fr) 2006-03-29
SE0301728D0 (sv) 2003-06-13

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DPEN Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed from 20040101)
COP Corrected version of pamphlet

Free format text: PAGE 4/7, DRAWINGS, ADDED

WWE Wipo information: entry into national phase

Ref document number: 2004748990

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 2004748990

Country of ref document: EP