Improvements Relating to Digital Broadcasting Communications
This invention relates to Digital Broadcasting communications systems, and in particular to a system providing subscribers conditional access to digital broadcasting services and mechanisms for secure distribution of content relating to these digital broadcasting services to authorised subscribers.

Across the world there is a movement at government level to reorganize and reallocate the available radio frequency spectrum to incorporate support for the ever-growing demands for personal mobile telephony and broadcasting communications. A major element of this movement is to utilise so-called digital communication services over the previous analogue systems. This already happened several years ago with mobile telephony systems as they moved to a digital signaling system as part of the development of the now near global GSM standards. The move from analogue to digital systems is now happening across the world in both radio and television broadcast services as the new Digital Audio Broadcast (or DAB) for radio and Digital Video Broadcasting (DVB) family of standards for television services have been adopted as global standards. Whilst this new generation of digital standards provide broadcasting facilities for audio/visual services as before, they can also transfer data in various formats to suitably equipped receiving devices using Internet based protocols. Current data based services for DAB radio and digital television include electronic program guides (EPG), MP3 audio files, games, video files, travel information and in-car navigation/telematics amongst others.
At present, almost all current commercial data services run across digital broadcast systems are either provided on a free-to-all basis or on a simple monthly subscription model to consumers. In almost all current commercial applications, it is not possible to allow subscribers to receive individual programs on a one-off basis or to download data files such as video clips, MP3 files, games etc on a pay as you go basis. This situation is further complicated in that these applications currently have no means of acknowledging the correct delivery and receipt of any item sent to an individual's receiving device through the digital broadcast medium. This is because, by their very nature, all broadcasting systems are of a one-way nature and have no return channel from the individual consumer back to the broadcaster over the broadcasting system. This makes it difficult for a commercial broadcasting service to operate an individual download service, as without confirmed delivery, it is difficult for the operator to justify billing a consumer for a specific file or other item. Recently, digital TV services have become available that operate using a digital receiver unit that receives broadcast signals collected from an aerial, satellite dish or from cable. A return channel is provided indirectly by connecting the digital receiver unit to the public telephone network. In fact, the public telephone network provides bidirectional communication between broadcaster and receiver. This allows a consumer to order programs on a pay per view basis by sending a request to the broadcaster. The broadcaster then responds by sending the appropriate key back over the public telephone network so that the digital receiver unit can decrypt the requested program.
Such a system suffers from a number of problems. In general, public telephone networks are not secure and so the encryption keys may be intercepted reasonably easily. In addition, the need for bidirectional communication across the public telephone network adds complexity to the system. Also, such a central system requires scaling to cope with potentially a large number of simultaneous transactions, e.g. as many subscribers request a program immediately before its transmission. The central system would have to handle the large number of requests, authenticate each digital receiver, check the account permissions and issue the required key back to the subscriber in a short period of time. This results in a sizeable up-front cost for the service provider. At the same time, there is a further issue within the media industry to ensure that any copyrighted material paid for and downloaded through these digital broadcasting systems by an individual is not subsequently copied and freely distributed to others on an illegal basis.

From a first aspect, the present invention resides in a transmission apparatus for use in a digital broadcast system, comprising: a content provider operable to provide content of a conditional access service to be transmitted by the transmission apparatus; an encryption key provider operable to provide an encryption key to be used for encryption of content provided by the content provider; a decryption key provider operable to provide a decryption key to be used by a receiver apparatus of a subscriber who subscribes to the conditional access service to decrypt the encrypted content; a content encryption provider operable to encrypt content provided by the content provider using the encryption key provided by the key provider; a decryption key encryption provider operable to encrypt the decryption key using a key encryption key associated with the subscriber or a group of subscribers to which the subscriber belongs; a transmitter operable to broadcast digitally the encrypted content and the decryption key; and forwarding means operable to forward the encrypted decryption key for receipt by the receiver apparatus.

Thus, an improved transmission apparatus is provided that benefits from a greater level of security. The enhanced security is afforded by providing means for encrypting the decryption key prior to sending the decryption key. Moreover, each decryption key is encrypted using a unique key associated with that subscriber. Hence, anyone else intercepting the decryption key will have difficulty in identifying it as a decryption key and, even if they do appreciate its significance, will not be able to use the decryption key as they will not know the unique key associated with the true recipient.

The above aspect should be construed functionally. As such, the physical arrangement of parts is flexible. For example, the encryption key provider and the decryption key provider may be separate or there may be a single key provider. In addition, the content encryption provider and the decryption key encryption provider may be separate or there may be a single encryption provider. In addition, a single means may provide more than one function. For example, according to a currently preferred embodiment, the decryption key provider also performs encryption of the decryption key. Optionally, the decryption key encryption provider is further operable to encrypt the decryption key using a unique key associated with the subscriber that comprises a
public key according to a PKI infrastructure. This offers a high level of security as it allows, optionally, the decryption key to be encrypted by the encryption provider using the unique key associated with the subscriber and one or more key encryption keys. Preferably, the tree hierarchy is organised according to subscribers and groups of subscribers in a branched structure. This is advantageous in a system comprising many subscribers that may leave a conditional access service at any time. New encryption and decryption key pairs should be reissued to remaining subscribers when a subscriber leaves (or after a certain number of subscribers leave): using a tree structure means that only branches containing the old subscriber(s) need be updated with new keys.

Preferably, the encryption key provider is operable to provide an updated encryption key to the encryption provider, the decryption key provider is operable to provide an updated decryption key to the encryption provider, the content encryption provider is operable to encrypt the updated decryption key with the key encryption key and the decryption key encryption provider is operable to encrypt the content using the updated encryption key, and the transmitter is operable to transmit the encrypted decryption key and encrypted content. Thus, security is raised by providing new encryption/decryption key pairs from time to time. The intervals between updates may be freely chosen, and may be regular or they may be irregular.

In a currently preferred embodiment, the transmitter provides the forwarding means such that the encrypted decryption key is broadcast. This is a convenient way of distributing decryption keys and also has benefits in terms of security. As mentioned above, encrypted decryption keys
are difficult to spot as they look similar to other types of encrypted data. Broadcasting the encrypted decryption keys with encrypted programs and other encrypted data effectively camouflages the encrypted keys. Preferably, the transmission apparatus further comprises a receiver unit operable to receive a signal over a channel provided by a telephone network. This channel may be used to transmit the encrypted decryption keys. However, its main advantage is seen to be in the provision of a return channel. This allows the subscriber to communicate with the transmission apparatus. For example, the receiver unit may be configured to recognise a signal received from the channel corresponding to a request made by the subscriber to join a conditional access service. As a further example, the receiver unit may be configured to recognise a signal received from the channel corresponding to an acknowledgement of receipt of a decryption key. Optionally, the content provider is operable to provide content relating to a plurality of conditional access services, and wherein the encryption key provider is operable to provide an encryption key, the decryption key provider is operable to provide a decryption key for each of the conditional access services, and the content encryption provider is operable to encrypt the content of each of the conditional access services with its associated encryption key. Thus a number of encrypted conditional access services may be transmitted, and subscribers may choose freely the services to which they will have access. The appropriate decryption keys may then be provided to those subscribers. The transmission apparatus may further comprise a subscriber database operable to store details of the subscriber relating to the conditional access services to which they
subscribe and to their unique key. The encryption provider may then be operable to receive the details stored in the subscriber database and to encrypt the decryption key for each conditional access service to which the subscriber subscribes using the subscriber's unique key.

From a second aspect, the present invention resides in a receiver apparatus associated with a subscriber for use in a digital broadcast system, comprising: a key encryption key store operable to store a key encryption key associated with the subscriber or a group of subscribers to which the subscriber belongs; a decryption key receiver operable to receive an encrypted decryption key; a decryption provider operable to decrypt the encrypted decrypted key, received by the receiver, using the key encryption key provided by the key store and to provide the decrypted decryption key for storage in a decryption key store; and a content receiver operable to receive a digital broadcast including encrypted content of a conditional access service; wherein the decryption provider is operable to use the decryption key provided by the decryption key store to decrypt the encrypted content.

Thus, the improved security already described in respect to a transmission apparatus above may also be enjoyed by a complementary receiver apparatus. As for the first aspect, this second aspect should be construed functionally. As such, the physical arrangement of parts is flexible. For example, the encryption key store and the decryption key store may be separate or there may be a single key store. In addition, a single means may provide more than one function. Preferably, the receiver apparatus further comprises means for communicating on a channel provided by a telephone network, such as a public switched telephone network. Preferably, the means are operable to communicate over a mobile telephone network. Optionally, the receiver apparatus further comprises a cache operable to receive and store content received by the content receiver and/or decrypted content from the content decryption provider.

Preferably, the content receiver is operable to receive a digital broadcast including encrypted content of a plurality of conditional access services, the decryption key receiver is operable to receive an encrypted decryption key for two or more of the conditional access services, the decryption provider is operable to decrypt the encrypted decrypted keys of the two or more conditional access services using the key encryption key provided by the key encryption key store and to provide the decrypted decryption key for storage in the decryption key store, and the decryption provider is operable to decrypt the encrypted content of the two or more conditional access services using the associated decryption keys.

Optionally, the receiver apparatus has an associated unique identifier that allows the receiver apparatus to be identified when conditional access services are requested. In addition, the receiver apparatus may further comprise associated slave devices, each device having a unique identifier. This allows content to be sent to the receiver apparatus that may then be distributed to all or some of the slave devices according to their unique identification numbers. For example, music files may be sent to a digital radio that can be shared with an associated MP3 player or the like. In this way, copyright material may be distributed between multiple devices while still observing copyright law restrictions as to copying.

From a third aspect, the present invention resides in a broadcast system comprising any of the transmitter apparatus described above, any of the receiver apparatus described above and a telephone network, wherein the receiver apparatus is operable to communicate with the transmitter apparatus over the telephone network.

From a fourth aspect, the present invention resides in a method of operating transmission apparatus for use in a digital broadcast system, comprising: using a content provider to provide content of a conditional access service to be transmitted by the transmission apparatus; using an encryption key provider to provide an encryption key to be used for encryption of content provided by the content provider; using a decryption key provider to provide a decryption key to be used by a receiver apparatus of a subscriber who subscribes to the conditional access service to decrypt the encrypted content; using a content encryption provider to encrypt content provided by the content provider using the encryption key provided by the key provider; using a decryption key encryption provider to encrypt the decryption key using a key encryption key associated with the subscriber or a group of subscribers to which the subscriber belongs; using a transmitter to broadcast digitally the encrypted content and the decryption key; and using forwarding means to forward the encrypted decryption key for receipt by the receiver apparatus.

From a fifth aspect, the present invention resides in a method of using receiver apparatus associated with a subscriber for use in a digital broadcast system, comprising: using a key encryption key store to store a key encryption key associated with the subscriber or a group of subscribers to which the subscriber belongs; using a decryption key receiver to receive an encrypted decryption key; using a decryption provider to decrypt the encrypted decrypted key, received by the receiver, using the key encryption key provided by the key store and to provide the decrypted decryption key for storage in a decryption key store; and using a content receiver to receive a digital broadcast including encrypted content of a conditional access service; and using the decryption provider to use the decryption key provided by the decryption key store to decrypt the encrypted content.

From a sixth aspect, the present invention resides in the combination of the methods according to the fourth and fifth aspects of the invention. The present invention also resides in a computer programmed to cause transmission apparatus to operate in accordance with any of the methods described above or to cause receiver apparatus to operate in accordance with any of the methods described above. In addition, the present invention resides in a computer program comprising computer code instructions that, when loaded into a computer, causes transmission apparatus to operate in accordance with any of the methods described above or to cause receiver apparatus to operate in accordance with any of the methods described above. Other optional features of the invention according to its various aspects are set out in the appended claims.

The invention and optional features of preferred embodiments described above enable digital broadcasters and others to create commercially sustainable operations, allowing individual consumers to securely select and
download copyrighted material on a secure encrypted basis into a suitable receiving device that can then "unlock" the contents to the authorized consumer, whilst at the same time preventing the content of such files from being distributed to others on an illegal basis. At the same time, the invention facilitates a "return channel" from the individual consumer back to the broadcaster enabling various information to be passed back to the original content provider/broadcaster confirming the correct delivery of specific data files and other information. The present invention resides in the appreciation that a selective broadcast function can be achieved by general broadcast of encrypted content data and decryption by selected users of that data content by use of the identity of that user or device. The data content hereinafter described can comprise any form of broadcast services such as streamed audio and video services either viewed "live" or stored on a device for later viewing. It can also encompass any other form of digital data including, but not limited to MP3 audio files, web-based media content, various formats of video files, games, maps and other applications as well as graphic files including barcodes that can be "scanned" from the device using standard retail type laser scanners. The embodiment hereinafter described can be considered to be an apparatus for providing conditional access to the whole range of digital broadcasting services, such as DAB radio services, preferably comprising a secure server added to the digital broadcasting transmission system and a secure client added to the digital receiver, such as a DAB radio, wherein the secure server has means to digitally encrypt content being transmitted over the digital broadcasting
channel and means for controlling distribution of the encryption keys only to those secure clients which are authorised to receive the digital broadcast service(s) and have requested to receive those services at that point in time. In this embodiment, the digital receivers preferably have integrated electronic means to request access to the digital broadcast services via a mobile radio telephony system or fixed wired telephony system. Also the secure server preferably has means for recording each secure client's utilisation of each of the available digital delivery services, whether on a per volume or per time basis, and means for providing these accounting records to a customer billing system. The secure client preferably has means to uniquely identify the digital receiver based on a PKI certificate stored securely on the digital receiver chipset.

The embodiment described hereinafter can furthermore be considered to be a method for providing conditional access to digital broadcast service(s), such as DAB radio services, wherein a secure server preferably digitally encrypts content for transmission over the digital media channel and controls distribution of the encryption keys only to those secure clients which are authorised to receive the digital service(s) and have requested to receive those services at that point in time. The secure client preferably requests access to any of the digital broadcast services at any time via a mobile radio telephony system or fixed wired telephony system. The secure client may also uniquely identify the digital receiver based on a PKI certificate stored securely on the digital device chipset. Preferably the certificate belonging
to the digital receiver, such as a DAB radio, is associated with a secondary identifier such that the utilisation of the digital services can be billed to an account associated with this secondary identifier. The secure server preferably records each secure client's utilisation of each of the available digital broadcast services, whether on a per volume or per time basis, and provides these accounting records to a customer billing system. The secure server may also change the encryption key when one of the secure clients requests to leave or is forced to leave the associated service and distribute the updated key to the remaining secure clients. A series of secondary identifiers associated with slave electronic devices served by the digital receiver are preferably registered under the same subscription, so that content received by the digital receiver can be forwarded to the slave devices without infringing the copyright of the content owner. This is facilitated by the fact that the services/content being transmitted by the broadcaster is encrypted and can only be accessed and/or viewed by means of a key mechanism held within the receiving device that decrypts the content and presents it to the user. The received services/content is stored encrypted within the body of the receiving unit or within a removable memory storage device. This prevents private content being accessed by unauthorised viewers and also ensures that it cannot be copied and viewed on another device that has not been previously registered by the authorised user. Features of an embodiment of the present invention, provided in a digital receiving system apparatus, such as a digital radio system apparatus, include: means to support conditional access to digital broadcast services by
digitally encrypting the content and controlling distribution of the encryption keys to only those subscribers who are authorised to receive the services and have requested to receive those services at that point in time; means for digital service subscribers to request access to these services electronically via a mobile radio telephony system or fixed wired telephony system; means for the subscriber's utilisation of each of the digital services to be recorded on a per volume or per duration basis and means for providing these accounting records to a customer billing system; and means for uniquely identifying the digital receiver based on a PKI certificate stored securely on the digital receiver chipset.

Features of an embodiment of the present invention, provided by a method of operating a digital receiver system, include the steps of: digitally encrypting the digital service(s) and controlling distribution of the encryption keys to only those subscribers who are authorised to receive the services and have requested to receive those services at that point in time; enabling the digital service subscriber to request via electronic means access to any of the subscribed digital service(s) at any time; enabling the utilisation of each of the digital service(s) by each subscriber to be recorded and presented to a customer billing system; changing the encryption key when one or more of the subscribers requests to leave or is forced to leave the service and distributing the updated key to the remaining subscribers; enabling the digital service subscriber to be uniquely identified by a PKI certificate stored securely on the digital device chipset; and enabling a series of secondary identifiers associated with slave electronic devices served by the digital receiver to be registered under the same subscriber so that content received by the digital receiver can be forwarded to the slave devices without infringing the digital rights of the content owner.

Embodiments of the invention will now be described with reference to the Figures, in which: Figure 1 is a schematic diagram showing the functional relationships between the systems which co-operate to form a general embodiment of the invention; Figure 2 is a flow chart showing the process by which conditional access to digital broadcast services is effected; Figure 3 is a flow chart showing the process by which content is distributed securely to authorised subscribers; and Figure 4 is a flow chart showing the process by which content relating to the digital broadcast service is securely distributed to authorised subscribers.

The following embodiments illustrate the invention using a standard digital network, such as a digital radio network according to the Digital Audio Broadcasting (DAB) as defined by the Eureka 147 standards supported by the International Telecommunications Union (ITU). The preferred embodiment uses already established techniques for encapsulating multicast Internet Protocol (IP) packets onto the forward channel, but the techniques described herein can apply to any means for transmitting services over the digital network. The term service can apply to any common content delivered to one or more subscribing users over the forward channel and includes but is not limited to video (of any transmission standard), audio (of any transmission standard), data related to Internet/World Wide Web (www)
applications, data related to distributed database applications and file distribution. The system described in this invention enables Digital Broadcast operators to control which subscribers can have access to these services ("conditional access services"). This may be required for instance in service scenarios whereby the operator wishes to charge for the content received by each subscriber or where the content is sensitive in nature and therefore necessitates restricted access. The subscriber can request to join or leave any of his subscribed conditional access services at any time and may, if the receiver equipment permits, be able to access more than one service at a time. The latter can be achieved by multiplexing several of the conditional access services onto the same digital broadcast channel, using different encryption keys to separate each traffic stream. The digital receiver will only be able to decrypt those traffic streams for which the encryption keys are held. Each of the resulting data streams can either be used immediately or cached at the receiver. The Digital Broadcast operator can elect at any time to deny a subscriber access to any of the services. The Digital Broadcast operator may continue to provide existing uncontrolled "free to air" services in parallel with the conditional access services over the same digital channel if desired. The subscriber registers for the service by providing a unique identifier for the Digital Receiving device through which the subscriber can be identified when requesting access to the conditional access services. The registration process defines the set of services which the subscriber will be allowed to access, from the overall portfolio of services offered by the Digital Broadcasting operator. The
registration information may also contain supplementary identity information, for example the International Mobile Subscriber Identifier (IMSI) according to the "GSM" standard which may enable the Digital Broadcasting operator to authenticate and charge the customer against their mobile phone account. As an extension to the basic service, the subscriber may also register one or more secondary identifiers for suitably-equipped slave electronic devices such as MP3 players, digital televisions, hi-fi systems and Personal Computers which may receive and use the conditional access service (s) under the same subscription without infringing digital rights. Figure 1 shows the components which co-operate in a general embodiment of the invention. Note that the traffic links (which carry one of services described above) are shown as full lines, signalling links for (a) allowing subscribers to request access and (b) controlling distribution of the content are shown as broken lines. The core digital broadcast network comprises a number of Digital Receivers 15 receiving one or more services from a number of Transmitting Stations 9. The Digital Content Transmission system 8 provides the means to support transmission of any range of content media formats over the broadcast channel as supplied by one or more Content Servers 7. The digital broadcast network provides the means to deliver content from the Content Server to the Digital Receivers 15, over the "forward" broadcast channel. A second network, illustrated in Figure 1 as a Public Land Mobile Network (PLMN) , can optionally be added to the system, comprising one or more Base Stations 17 and Core
Networks 18. This second network provides the means to enable the Digital Receiver 15 to request services and
confirm receipt of service transmission and signalling received on the forward channel, and constitutes the "control" channel. In the preferred embodiment the return channel is supported by a standard PLMN service, such as but not limited to General Packet Radio Service (GPRS) ,
Unstructured Supplementary Services Data (USSD) , Wireless Application Protocol (WAP) or Short Message Service (SMS) according to the "GSM" standard. The invention also extends to supporting the control channel over other electronic means or, for more limited service provision, through nonelectronic means. In one arrangement of the invention, the Digital Receiver 15 is a handheld or portable device (with audio, video and/or textual outputs) to which the necessary mobile phone circuitry has been added to provide one or more of the return channel options described. In another arrangement the Digital Receiver 15 is integrated with a vehicular entertainment system (for example in-car radio or back-seat video screens) with again the necessary mobile phone circuitry added to provide one or more of the return channel options described. This arrangement can also be achieved through the use of a wireless interface facilitated by a Bluetooth link or similar between the entertainment system and a local mobile phone . The advantage of using a mobile system for the return channel over a fixed system is that there is no set-up required as the receiver is moved from location to location. The return channel is not dependent on the receiving device being in any particular location. In addition, the system does not incur installation costs over what is required to fit the equipment for the first time, also the user does not
have to spend time aligning aerials (since digital radio does not require directional receiving aerials) but only has to turn the equipment on to be able to use the service . In a further arrangement the Digital Receiver 15 is added to a standard mobile phone device in such a fashion that the subscriber continues to be served and billed by the mobile phone operator and receives additional services via the media broadcast channel . In a further arrangement the Digital Receiver 15 is a part of a fixed installation within a building and uses any available telecommunications link (for example fixed phone network, Internet, mobile network, satellite network) to provide the return channel . In a further arrangement the Digital Receiver 15 is a stand alone device (typically a household radio, mobile/car radio, video/media player or part of a home entertainment system) .and the subscriber uses a separate existing telecommunications link (for example fixed phone network, Internet, mobile network, satellite network) to provide the return channel either directly or indirectly (through a call to a human or computer based call centre) to request new services or confirm correct delivery of a requested item of entertainment or received data file. Where the particular arrangement of the Digital Receiver 15 facilitates a direct return channel back to the User Management System 4, the subscriber is able to directly interact with the service to request items of entertainment or data files which can be loaded into the Content Store 16 and subsequently transmitted to that subscriber. The particular arrangement of a mobile Digital Receiver
15 with a direct/indirect return channel is that the user can "instantly" access any particular service or content
they are authorised to receive through either a packaged subscription or on an "ad hoc" basis using the existing validation and payment mechanisms already in place within any of the mobile operators willing to participate in this service. Unlike existing fixed broadcasting services, users also have the potential capability to "roam" across any boundary or country across the world that offers a GSM based mobile telephony service and suitable radio broadcasting facilities. Validation and payment for services or content can be made back to the user's mobile phone account resident at their "home" mobile operator on either a pre-pay, post-pay or subscription model.

The components added to this digital broadcasting architecture relevant to this invention are comprised in two subsystems. The first subsystem, the Secure Server 1, is added to or interfaced with the head-end of the Digital Broadcast Transmission system 8 and comprises a Key Server 2, Encryption Server 3, User Management System 4, Subscriber Database 5 and Content Store 16. These components may be implemented on separate hardware units or integrated into a smaller number of units or a single unit. The User Management System 4 controls which subscribers can have access to the "conditional access services" through interrogating the Subscriber Database 5. The Subscriber
Database 5 contains a directory of subscribers, each entry detailing the subscriber's identity, means by which the subscriber can be authenticated and a list of those conditional access services to which the subscriber is allowed access. The Subscriber Database 5 may also contain other information for each subscriber related to the service contract, for example defining the agreed payment mechanism.
The User Management System 4 and Subscriber Database 5 may be part of an existing operator's infrastructure. The User Management System 4 may have interfaces to external Customer Care and Billing Systems 6, such as those incorporated in existing mobile telephony systems, to enable provisioning and updating of subscriber details in the Subscriber Database 5. The interface may also provide records detailing the usage of each conditional access service made by each subscriber, whether based on volume of information transmitted or duration of service connection, in order that this may be monitored and/or the subscriber charged for use of the service. The User Management System 4 or the Content Server 7 may also advertise services over the forward channel from which the subscriber is able to select. This is known as providing an "Electronic Programme Guide" in digital broadcasting systems. Content to be transmitted over the digital broadcast channels is received from the appropriate Content Servers 7 by the Encryption Server 3. At the Encryption Server 3 a mapping exists between one or more input data streams (identified, for example, by source or destination address/port number) and the output data stream for transmission over the broadcast channel(s). More than one output stream can be supported on each channel by using suitable multiplexing techniques. Each output data stream equates to one of the conditional access services offered by the operator. The function of the Encryption Server 3 is to apply a suitable encryption algorithm to each output stream of data using a known "traffic key". A separate traffic key is used to encrypt each stream in order that access to content for each conditional access service can be
individually controlled. The operation of the Encryption Server 3 is not restricted to any particular encryption algorithm or protocol layer at which encryption is applied, and could be applied to continuous or non-continuous streams of data. Typically standard commercial or military encryption methods will be used. In one embodiment data streams are encrypted and transmitted over the broadcast channel as IP Multicast packets using established techniques for encapsulating IP packets on the DAB bearer. In this instance, standard IPSec security methods defined by IETF standards RFC 2402, 2406 can be applied to each output IP multicast stream. Content may optionally be stored locally at a Content Store 16 within the Secure Server 1, for transmission at a specified scheduled time or times, for re-transmission (for example if previous transmissions were detected as corrupted), or for repeated cyclical transmission using a carousel technique. This is where specific items of data are loaded into the Content Store 16 and repeatedly transmitted at regular intervals until a pre-set time limit has expired, or an acknowledgement of successful delivery has been received from the intended recipients using one of the return channels described previously. The traffic keys to be used to encrypt and decrypt each conditional access service are generated by the Key Server
2, and passed to the Encryption Server 3 and, in the case of the decryption keys, also to each currently authorised subscriber. This ensures that only authorised subscribers can decrypt the content related to each conditional access service. The Key Server also specifies the encryption algorithm which should be used by the Encryption Server 3 and Encryption Client 11. The traffic key is changed during
service transmission to deny subsequent access to the service for a subscriber leaving the group whether on request by the subscriber or forced to leave by the Digital Broadcast operator. This may be done as soon as the subscriber requests to leave the group, or more efficiently performed as a batch so that the traffic key update denies access to one or more subscribers who have left over a given time interval. The traffic key may also be changed to prevent unauthorised users from determining the traffic key through cryptanalysis and hence gaining access to the content. The new traffic key is distributed to all remaining authorised subscribers. Keys may be distributed over the control channel, and/or via the broadcast forward channel as appropriate for the application. The traffic key is distributed to each user using established techniques, whereby the key is delivered to each subscriber encrypted using one or more key encryption keys and also, optionally, with their unique key (for example their public key in a PKI infrastructure). Positive confirmation may be generated by each subscriber when a new key is received to enable the Key Server 2 to keep track of current recipients and possible stragglers. Where security is not so sensitive, traffic keys may be distributed according to key encryption keys belonging to a number of subscribers organised into one or more groups. As a result, the traffic key will be available to all members of that subscriber group. In circumstances where individual communication to a subscriber is required, e.g. to each member of a subscriber group to update traffic keys subsequent to a subscriber leaving that group, traffic keys may be encrypted using a combination of one or more key encryption keys with that subscriber's unique key. In one
embodiment keys are distributed using the Logical Key Hierarchy (LKH) approach defined in IETF standard RFC 2627 whereby the key encryption keys are arranged in a tree hierarchy. This has the benefit of improving the efficiency of key management by only re-keying those branches of the tree affected by the removal of one or more subscribers.

Two major classes of conditional access service are identified with differing requirements on how the key distribution should be managed. The first class relates to continuous or continual streams of live or pre-recorded content (for example live Radio or Television) which subscribers can request to join during transmission and, if the service model permits, be charged only for that part of the content received. That is from the time the subscriber has received the necessary encryption key and can decode the content from the Digital Broadcast channel. The second relates to delivering contiguous blocks of data (for example data files, database updates, video clips) which only are meaningful at the application level when received in full. In this instance delivery of content will require scheduling and subscribers wishing to access the content will need to request to join the service and hence receive the necessary encryption keys in advance.

The second subsystem, the Secure Client 10, is added or interfaced to the Digital Receiver 15 and comprises a Key Client 12, Encryption Client 11, and optionally a Cache 13 and Service Guide 14. A unique identifier 19 is also added, if not already present, to the handset to enable the subscriber or the handset to be uniquely identified when requesting a conditional access service (see later for more detail). These components may be implemented on separate hardware units or integrated into a smaller number of units,
some or all of these may be integrated on the receiver itself. The Encryption Client 11 receives the encrypted content received on one or more of the media broadcast channels and if it has the correct traffic key(s) for one or more of the conditional access services decrypts the content using the specified algorithm. This may be viewed or listened to immediately through the Digital Receiver 15 (or peripheral device) or stored in a Cache 13, either in encrypted or decrypted form. The Key Client 12 decodes the traffic key messages received from the Key Server for the currently subscribed services using key encryption keys and optionally its private key, and provides the traffic key(s) to the Encryption Client 11. It also responds to subscriber's requests for new services, made via the Service Guide 14, by requesting the requisite traffic key from the Key Server 2. This process will require the subscriber to be authenticated, which can be achieved through a number of established techniques including password authentication,
PKI certificates or chip-based challenge handshake authentication methods (e.g. GSM SIM-based authentication), and then authorised for receiving the service. An electronic Service Guide 14 provides information on the available services and the attributes required to receive the content stream, for example the Broadcast service channel frequency and receive address/port of the data stream related to the conditional access service.

The process by which a subscriber gains access to one of the conditional access services is now described with reference to Figure 2. When a new service becomes available the User Management System 4, potentially in response to
some external stimulus from one of the Content Servers 7, issues a notification (step 201) to all subscribers. This contains details of the service (including identifier and description), information regarding how the Digital Receiver 15 should be configured to receive the service (including digital radio frequency and address/port to which the data stream shall be delivered) and other supplementary information (for example the service transmission time(s)). The notification can be made over an open broadcast channel, via the control channels or other electronic or non-electronic means as desired. The notification is received by the Digital Receiver 15 and displayed by the Service Guide 14 (step 202). The subscriber can at any time, before or during service transmission, elect to request to join the service (step 203). This is achieved by the Key Client 12 signalling to the Key Server 2 that service is required, either over the control channel or other establishment means (step 204). As a minimum this signal contains the subscriber identity and the identifier of the service required. The subscriber identity may be a Unique Identifier 19 relating to the person using the receiver (for example through entering a code through the handset, or inserting a SmartCard or similar into the device or, in an embodiment based on a standard mobile phone device, a standard Subscriber Identity Module (SIM)) or may be a Unique Identifier allocated to the receiver 19, preferably permanently stored on the receiving device chipset. The receipt of the signal by the Key Server 2 (step 205) causes the User Management System 4 to first authenticate the subscriber (step 206) and then determine in conjunction with the Subscriber Database 5 that the subscriber is authorised to receive the requested content
(step 208). Authentication may require an intermediate step, in order that the Key Client 12 is challenged by the Key Server 2, similar to that familiar in GSM mobile phones. Following successful authentication and authorisation, the User Management System registers that the subscriber is now able to receive the service and commands the Key Server 2 to download the traffic key so that the subscriber can access the content (step 209). In the simplest embodiment the traffic key is encrypted with the subscriber's unique key (for example public key in the PKI infrastructure), which has previously been provided to the User Management System when the subscriber registered, so that the Key Client can simply retrieve the traffic key by performing the necessary decryption (for example with their corresponding private key in the PKI infrastructure). In one embodiment, where a series of key encryption keys (KEKs) are used to distribute the traffic key according to a Logical Key Hierarchy (LKH), the first KEK is encrypted with the unique key, the second KEK is encrypted with the encrypted version of the first KEK, and so on, until the traffic key is encrypted with the encrypted version of the last KEK. The Key Client then is delivered a series of keys each of which needs to be decrypted in turn to decipher the traffic key. When the initial key set is received (step 210) it is passed to the Encryption Client 11 and stored locally, either in volatile or permanent memory depending on security requirements. The Key Client 12 also sends a key acknowledgement signal (step 211) to the Key Server which records successful delivery (step 212).
The process by which the content is securely distributed to authorised subscribers is now described with reference to Figure 3. When the service is initiated the Key Server 2 generates a traffic key (step 301) according to the security policy defined for the service and sets it in the Encryption Server 3 (step 302). One or more subscribers may elect to join the service (using the procedure in Figure 2), and if authorised receive the key set, comprising the traffic key and the series of KEKs. The Key Client 12 deciphers the traffic key using its private key and the KEKs (step 210), and sets the traffic key in the Encryption Client 11 (step 303). At some point after the service is initiated the Content Server begins to send data (step 304) as a continuous or non-continuous stream. The data is received and potentially reformatted by the Encryption Server 3, and may be stored within the Content Store 16 for later transmission (and re-transmission) if required by the service description (step 306). When the content is ready to be transmitted, it is forwarded to the Encryption Server 3, encrypted with the traffic key and transmitted over the allocated broadcast forward channel (step 307). The data stream is received and decrypted by the authorised subscribers with the provisioned traffic key (step 308).
Subscribers may join the service using the procedure defined in Figure 2 at any time during the service session. Subscribers may at any time also elect to leave the service. The procedure followed is shown in Figure 4. The Key Client 12 issues a signal (step 309) to the Key Server 2, which registers that a subscriber wishes to leave (step 310) and initiates a process to refresh the traffic key.
Depending on performance considerations this may or may not occur immediately when the request is received; if desired requests to leave may be batched over a period of time, so that the overhead in distributing the new traffic key is reduced. At the appropriate time, a new traffic key (step 311) and optionally a set of KEKs (step 312) are generated to effect the traffic key change. In one embodiment the new traffic key is distributed individually to each remaining subscriber encrypted using their unique key. This ensures that the leaving subscriber(s) cannot decrypt the new traffic key and hence no longer have access to the service. In another embodiment, which is preferable from a scalability viewpoint, the new traffic key is distributed using KEKs arranged in a Logical Key Hierarchy (LKH). In this method, described in IETF RFC 2627, the KEKs are arranged in a binomial tree such that each node in the tree is a KEK known only to those subscribers beneath that node in the tree. To distribute the new traffic key it is necessary to change the KEKs in the hierarchy which relate to branches in the tree containing subscribers that are to be removed from the service. The new traffic key and modified KEKs are then distributed to all subscribers in such a way that only those subscribers remaining in the service can decrypt the necessary KEKs and hence discover the new traffic key. This significantly reduces the amount of new key material that has to be distributed for large subscriber populations. The new keys are downloaded over the forward channel (step 313) and received by the Key Clients (step 314). These optionally send a key receipt (step 315) which is recorded in the Key Server (step 316).
As soon as the new traffic key is received by the Key Client, it passes it to the Encryption Client 11 (step 317). The Encryption Client continues to decrypt the traffic stream with the old traffic key, until it detects from the data stream that there has been a key change. The Key Server 2 continues to use the old traffic key until either (a) key receipts have been received from all the currently authorised subscribers and/or (b) a timer has elapsed. At this time the Key Server switches to the new traffic key (step 318) and sets this key in the Encryption Server (step 319). All subsequent data will be encrypted with the new traffic key (step 320). The Encryption Client 11 will detect a change in traffic key (at step 321) by either a signalling preamble or preferably using a key identifier in the encrypted packet header (such as the Security Parameter Index defined by the IPSec standard). It then switches to the new key and continues to receive data without interruption to service.

As will be appreciated by those skilled in the art, variations may be made to the embodiments described above
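The LKH rekey on a subscriber leaving (steps 311 to 314) can be sketched as follows. This is an added illustration, not code from the patent or from RFC 2627: it assumes a binary tree, the class and function names are hypothetical, and `wrap`/`unwrap` are an HMAC-SHA256 stand-in for whatever key-wrapping algorithm a real Key Server would specify.

```python
import hashlib, hmac, os

def prf(kek, label, data):
    return hmac.new(kek, label + data, hashlib.sha256).digest()

def wrap(kek, key):
    """Stand-in key wrap (assumption): HMAC-SHA256 keystream plus tag, 32-byte keys."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(key, prf(kek, b"enc", nonce)))
    return nonce + ct + prf(kek, b"mac", nonce + ct)

def unwrap(kek, blob):
    """Return the wrapped key, or None if blob was not wrapped under kek."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, prf(kek, b"mac", nonce + ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, prf(kek, b"enc", nonce)))

class KeyServer:
    def __init__(self, n):  # n subscribers, n a power of two
        self.n, self.members = n, set(range(n))
        # Heap-indexed tree: node 1 is the root KEK, nodes n..2n-1 are unique keys.
        self.keys = {i: os.urandom(32) for i in range(1, 2 * n)}
        self.traffic_key = os.urandom(32)

    def path(self, member):
        """Node ids from the member's leaf up to the root."""
        node = self.n + member
        return [node >> i for i in range(node.bit_length())]

    def occupied(self, node):
        """True if any current member sits at or beneath this node."""
        lo = hi = node
        while lo < self.n:
            lo, hi = 2 * lo, 2 * hi + 1
        return any(lo <= self.n + m <= hi for m in self.members)

    def remove(self, member):
        """Rekey after a leave; returns ordered (wrapping_node, target, blob) messages."""
        self.members.discard(member)
        msgs = []
        for node in self.path(member)[1:]:      # every KEK the leaver knew, bottom-up
            self.keys[node] = os.urandom(32)
            for child in (2 * node, 2 * node + 1):
                if self.occupied(child):        # never wrap towards an emptied branch
                    msgs.append((child, node, wrap(self.keys[child], self.keys[node])))
        self.traffic_key = os.urandom(32)
        msgs.append((1, "TK", wrap(self.keys[1], self.traffic_key)))
        return msgs

class KeyClient:
    def __init__(self, server, member):
        # Key set provisioned at join: unique key, KEKs on the path, traffic key.
        self.keys = {node: server.keys[node] for node in server.path(member)}
        self.traffic_key = server.traffic_key

    def process(self, msgs):
        """Unwrap whatever this client can; returns the traffic key it ends up with."""
        for wrapping, target, blob in msgs:
            key = unwrap(self.keys[wrapping], blob) if wrapping in self.keys else None
            if key is not None and target == "TK":
                self.traffic_key = key
            elif key is not None:
                self.keys[target] = key
        return self.traffic_key

if __name__ == "__main__":
    server = KeyServer(1024)
    print(len(server.remove(7)), "rekey messages for", len(server.members), "subscribers")
```

With 1,024 subscribers a single leave costs 20 wrapped keys on the forward channel, against 1,023 if the new traffic key were sent to each remaining subscriber under their unique key.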
without departing from the scope of the present invention as defined by the appended claims. An illustrative rather than exhaustive list of variations has been described above. The present invention may be implemented in different forms, e.g. hardware or software. As such, the above description and claims should be interpreted in a functional sense. It will be clear to the skilled person how the functional elements may be physically implemented. It will also be evident to the skilled person that various physical parts may be assigned more than one function. For example, separate receivers, transmitters, encryption providers, decryption providers, key providers and key stores may be
grouped together in different arrangements as circumstances require.