WO2005093543A1 - Computer network access control system - Google Patents

Info

Publication number
WO2005093543A1
Authority
WO
WIPO (PCT)
Prior art keywords
digital content
path
network
protection level
protection
Application number
PCT/IB2005/050878
Other languages
French (fr)
Inventor
Wilhelmus J. H. J. Bronnenberg
Maarten P. Bodlaender
Original Assignee
Koninklijke Philips Electronics N.V.
Application filed by Koninklijke Philips Electronics N.V.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2113 Multi-level security, e.g. mandatory access control

Definitions

  • Fig. 3 shows a flowchart according to the invention. The flowchart illustrates the operation of a computer-implemented method of setting protection properties for a path on which digital content is distributed.
  • In step 301 the method is started and subsequently in step 302 security settings are retrieved from entities in the network.
  • In step 303 it is deduced whether the retrieved network security settings comply with a predefined security level specification. If they do (Y), step 304 guides the method to one of the steps 305, 306 or 307, in which protection properties for the path are set in dependence on the previous positive deduction.
  • In step 305 an encryption protocol for the transmission of the digital content is selected.
  • In step 306 the digital content is selected.
  • In step 307 a set of actions performing operations on the digital content can be determined from the previous deduction.
  • The present invention encompasses different embodiments of setting protection properties. For instance, protection properties can be set by any one of step 305 or step 306 or step 307. Additionally, protection properties can be set by any two of the steps or any three of the steps 305, 306 and 307.
  • step 304 guides the method to one of the steps 308, 309 or 310, in which protection properties for the path are set in dependence on the previous negative deduction.
  • In step 308 an encryption protocol for the transmission of the digital content is selected.
  • In step 309 the digital content is selected.
  • In step 310 a set of actions performing operations on the digital content can be determined from the previous deduction. Also in case the deduction had a negative outcome, the present invention encompasses different embodiments of setting protection properties. For instance, protection properties can be set by any one of step 308 or step 309 or step 310. Additionally, protection properties can be set by any two of the steps or any three of the steps 308, 309 and 310.
  • Transmission of digital content from a provider node to a receive node can be executed. In an embodiment of the invention, the content provider is instructed to provide services that are adapted to the deduced protection level. This service setting is performed in step 313. The method ends in step 314.
  • The method can comprise the step 311 of backwards deducing which security settings resulted in the deduced protection level.
  • Retrieval of the security settings of the entities in the network can be carried out in connection with devices that conform to a so-called universal plug-and-play (UPnP) protocol or interface, where a controllable device makes itself known through a set of predefined processes.
  • One or more proprietary protocols can be supported.
  • UPnP Universal Plug and Play
  • UPnP IGD Internet Gateway Device
  • AP Access Point
  • The UPnP architecture offers pervasive peer-to-peer network connectivity of PCs of all form factors, intelligent appliances, and wireless devices.
  • UPnP architecture leverages TCP/IP and the Web to enable seamless proximity networking in addition to control and data transfer among networked devices in the home, office, and everywhere in between.
  • UPnP technology can be supported on essentially any operating system and works with essentially any type of physical networking media - wired or wireless - providing maximum user and developer choice and great economics (Source: WWW.UPnP.ORG).

Abstract

A method, a device and a system of setting protection properties for a path with a receive node, which is located in a data network via which the receive node is coupled to network entities; comprising: retrieving security settings of the network entities; and from the retrieved security settings of the network entities and a predefined security level specification deducing at which protection level digital content is to be processed and/or transmitted on the path, and setting the protection properties for the path to effect that the digital content is protected at the deduced protection level. Preferably, the Universal Plug and Play, UPnP, protocol is used for retrieving the security settings.

Description

Computer Network Access Control System
TECHNICAL FIELD
This invention relates to a computer-implemented method of setting protection properties for a path with a receive node. The path is arranged to communicate digital content which is subject to digital rights management, DRM. The digital content is provided by a content provider communicating the digital content via the path to the receive node. The receive node is located in a data network via which the receive node is coupled to other network entities.
BACKGROUND
The Internet and personal computers have dramatically changed the way digital media content, such as music, films, and books, is produced, distributed and consumed. Downloading encoded files has gained acceptance among Internet users because it provides immediate access to desired content and does not require a trip to a store or reliance on physical media, such as a CD or DVD. However, digital media content that is available for sale on the Internet is still limited, as content owners, artists, and publishers or providers are concerned about protecting their copyrighted works from illegal use. As the market evolves and content owners or providers explore new ways to enable different business models, more premium content will become available on the Internet. Before owners or providers of premium digital media content will offer their valuable content for sale or promotion, a secure e-commerce system that protects digital content from illegal use is needed.
A critical component of any such e-commerce system is digital rights management, DRM. DRM is a set of technologies content owners or providers can use to protect their copyrights and stay in closer contact with their customers. In most instances, DRM is a system that encrypts digital media content and limits access to only those people who have acquired a proper license to play the content. That is, DRM is a technology that enables the secure distribution, promotion, and sale of digital media content on the Internet.
RELATED PRIOR ART
EP 1 271 875 A1 discloses a mutual authentication method between two devices coupled in an end-to-end configuration. When transmitting from one device to the other, the method makes it possible to distinguish between a strongly and a weakly protected device by first verifying a certificate with a public key of a certificate authority. If that fails, it verifies using the locally available public key, which is less secure.
US 20030084306A1 discloses a DRM architecture with content servers, rendering devices and a license server that distributes digital content to DRM compliant systems only. A type of roaming service is disclosed which allows a license to a piece of content to be bound to a plurality of computers. In the architecture, receivers of digital content need to comply with DRM specific requirements. This prior art document is concerned only with restrictively protecting the digital content in a cascaded end-to-end system configuration wherein digital content can be handed over to a further registered destination application if a proper digital content protection is available. Although access to licensed digital content from further destination applications is enabled, the access is restrictively protected by the application so as not to open it for uncontrolled use by other less secure applications. As a result, the options for accessing or manipulating the digital content are limited to the options provided by the application itself.
The application is hosted or run by a computer in a network. As is well-known, other less secure applications may be run on the same computer or on other computers in the network. Since the application, although validly registered, can reside in a hostile environment formed by the computer itself or the network, the application may be exposed to intensive attacks. Additionally, the digital content, license keys or access keys may be exposed to eavesdropping and spoofing. Not seldom, users or network administrators configure their own network badly, for example by forgetting to correctly configure a wireless network. This gives hackers from the Internet virtually free access to the network, where they can listen to and spoof messages related to the digital content.
Thus, the prior art involves the problem that on the one hand options for accessing the digital content are limited and on the other hand the digital content is exposed to potentially hostile actions in a remote network.
SUMMARY OF THE INVENTION
This problem is solved by means of a computer-implemented method of setting protection properties for a path with a receive node, which is located in a data network via which the receive node is coupled to network entities; the method comprising the steps of retrieving security settings of the network entities; and from the retrieved security settings of the network entities and a predefined security level specification deducing at which protection level digital content is to be processed on the path, and setting the protection properties for the path to effect that the digital content is protected at the deduced protection level. In this way protection of the digital content is adapted to the settings of the network. Consequently, a user that has acquired access to a piece of digital content can make use of his or her acquired content in situations that would have been excluded otherwise.
Since an encryption level determines the complexity of the effort required for processing encryption and decryption, it is attractive to set the encryption level at a relatively low level when it is deduced that the protection level in the network is relatively high. This adaptation of the processing effort to the deduced protection level is obtained when the digital content is transferred from a content provider to the receive node via the path at an encryption level selected from the deduced protection level. Protection of digital content is of utmost importance to a content provider, and typically a content provider will choose to be on the safe side in respect of protecting the digital content when and if it comes to trading this aspect for other aspects.
Therefore a user was previously denied access to the digital content if the user's receive conditions did not meet the highest level of content protection. However, in a preferred embodiment of the present invention, the receive node provides an interface to invoke a set of actions operating on the digital content, wherein the invoked set of actions is determined from the deduced protection level. Thereby, a relatively high degree of susceptibility to operations on the digital content can be allowed when it is deduced that the protection level is relatively high, and vice versa. This greatly improves the options available to a user since additionally intermediate levels of operations accessible to a user can be granted. In a preferred embodiment the actions are invoked by network entities via the network. This is possible since the retrieved security settings can provide a complete image of the protection level the network provides. It should be noted that the actions can be invoked by the content receiver itself.
In some events a content provider may have or generate a range of different versions of a digital content production. The range of different versions can be generated at different levels of quality measured by e.g. temporal or spatial resolution, signal-to-noise level or by other more or less technical quality measures. The content may also be generated at different levels of content expansion etc. According to a preferred embodiment, the deduced protection level is communicated to a content provider which is arranged to select which piece of digital content to communicate to the receive node, where the digital content to select is determined by the deduced protection level. Thereby it is possible to select which content to distribute to a given receiver depending on how vulnerable the receiver's network is.
Thereby a receiver with a vulnerable network can be entitled to receive less valuable content, whereas a receiver with a sufficiently secured network can be entrusted to receive more valuable content. Consequently, more options are provided by allowing a user to be able to receive at least some digital content as opposed to being completely denied access to digital content. Preferably, a content provider provides services associated with a piece of digital content, which services are adapted to the deduced protection level.
When the method further comprises the step of backwards deducing which security settings are required to obtain a predefined protection level, a user is provided with a tool that assists in reconfiguring the network to adapt the network to a desired piece of content. Typically, this is applicable when a user desires to increase the protection level to be able to receive content which represents a value which is larger than the value of content that the present network settings allow the user to receive.
In an expedient embodiment, the security settings are retrieved by querying network entities by means of the Universal Plug and Play Protocol, UPnP. This protocol is wide-spread and thus increases the versatility of applications utilizing the present invention. The present invention also relates to a computer-readable medium which when executed on a computer makes the computer execute the method as set forth above.
Moreover, the invention relates to a component for setting protection properties for a path with a receive node, which is located in a data network via which the receive node is coupled to network entities; wherein the component comprises a query component arranged to retrieve security settings of the network entities; and an inference engine arranged to deduce at which protection level digital content is to be processed and/or transmitted on the path by making a deduction from the retrieved security settings of the network entities and a predefined security level specification, and setting the protection properties for the path to effect that the digital content is protected at the deduced protection level. Still moreover, the invention relates to a computer system comprising a component as defined in the above paragraph.
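The method summarised above, as an added example that is not code from the patent or its applicant: a small inference engine that maps retrieved security settings to a protection level, sets the path's protection properties from it, and backwards-deduces which settings block a higher level. The setting names, the three levels, the weakest-entity rule and the protocol, content and action labels are all assumptions made for illustration; the patent specifies none of them.

```python
from dataclasses import dataclass

# Assumed "security level specification": highest level first. An entity reaches
# a level only if every listed setting holds one of the acceptable values.
# Setting names and values are hypothetical.
SPEC = [
    (2, {"wireless": {"wpa2", "wired-only"}, "firewall": {True}, "remote_admin": {False}}),
    (1, {"wireless": {"wep", "wpa2", "wired-only"}, "firewall": {True}}),
    (0, {}),  # no requirements: the floor that every network reaches
]


@dataclass(frozen=True)
class PathProperties:
    encryption_protocol: str    # identifier sent to the content provider
    content_version: str        # which version the provider selects
    allowed_actions: frozenset  # actions exposed by the receive node's interface


# Assumed mapping from protection level to protection properties. Following the
# text: a well-protected network gets lighter encryption, more valuable content
# and a wider set of actions; a weak one still gets some content.
PROPERTIES = {
    0: PathProperties("strong-cipher", "preview-quality", frozenset({"play"})),
    1: PathProperties("strong-cipher", "standard-quality", frozenset({"play", "pause"})),
    2: PathProperties("light-cipher", "full-quality",
                      frozenset({"play", "pause", "copy-to-device"})),
}


def entity_level(settings):
    """Highest level whose requirements this entity's settings satisfy.

    A missing setting never matches, so incomplete replies fail closed.
    """
    for level, reqs in SPEC:
        if all(settings.get(name) in ok for name, ok in reqs.items()):
            return level
    return 0


def deduce_level(entities):
    """Network protection level = weakest entity (assumption); 0 if none replied."""
    return min((entity_level(s) for s in entities.values()), default=0)


def set_path_properties(entities):
    """Protection properties for the path at the deduced protection level."""
    return PROPERTIES[deduce_level(entities)]


def required_changes(entities, target):
    """Backwards deduction: settings that keep the network below `target`.

    Returns (entity, setting, current value, acceptable values) tuples.
    """
    reqs = dict(SPEC)[target]
    changes = []
    for name, settings in entities.items():
        for key, ok in reqs.items():
            if settings.get(key) not in ok:
                changes.append((name, key, settings.get(key), sorted(ok)))
    return changes


# Constructed sample replies from the network entities of Fig. 1.
NETWORK = {
    "gateway-106": {"wireless": "wired-only", "firewall": True, "remote_admin": False},
    "access-point-107": {"wireless": "wep", "firewall": True, "remote_admin": False},
}

if __name__ == "__main__":
    print("deduced level:", deduce_level(NETWORK))
    print("path properties:", set_path_properties(NETWORK))
    print("to reach level 2:", required_changes(NETWORK, 2))
```

The sample network is held at level 1 by the access point alone, and the backwards deduction names that one setting as the change needed for level 2.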
BRIEF DESCRIPTION OF THE DRAWING
Several embodiments of the invention will be described in the following with reference to the drawings in which: fig. 1 shows a computer network infrastructure; fig. 2 shows a block diagram according to the invention; and fig. 3 shows a flowchart according to the invention.
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT
Fig. 1 shows a device network infrastructure. In the shown configuration the infrastructure comprises a path 110 that extends between and comprises two nodes which are formed by a content provider 101 and a content receiver 104. In terms of digital content the content receiver 104 is also denoted a receive node.
A typical device network, for instance a home network, includes a number of devices, e.g. a radio receiver, a tuner/decoder, a CD player, a pair of speakers, a television, a VCR, a tape deck, one or more personal computers, and so on. These devices are usually interconnected to allow one device, e.g. the television, to control another, e.g. the VCR. One device, such as a personal computer, a tuner/decoder or a set top box (STB), is usually the central device, providing central control over the others.
Content, which typically comprises things like music, songs, movies, TV programs, pictures, games, books and the like, but which also may include interactive services, may enter the network through a variety of sources. For example, it could be received through a residential gateway or set top box. It could be downloaded on the personal computer from the Internet, e.g. from a peer-to-peer network or from a server. Content could also enter the home via storage media like discs or using portable devices. One or more of the devices in the network could be connected to a broadband cable network, an Internet connection, a satellite downlink and so on.
The receive node 104, which is a portion of the path 110, can be in the form of a certain scope of a software application or of a certain scope or partition of a computer. The path 110 extends from a first network 109 to a second network 108 via gateways 102 and 103 belonging to the respective networks. The path is arranged to communicate digital content or digital media content which is subject to digital rights management, DRM.
The receive node 104 is located in the second network 108 and by means of connections in the network 108 the receive node 104 is coupled to other network entities. Such other network entities can be e.g. access points 107 and gateways 106. According to the invention, the receive node is configured with a query interface which is arranged to query such network entities in respect of their security settings. The network entities are arranged to reply to a query by providing their security settings or a representation of their security settings back to the receive node 104. Thereby, the security settings of the network entities are retrieved. In addition thereto and in accordance with the invention, the receive node can set protection properties for the path 110 wherein it is comprised. In an alternative embodiment, the security settings can be retrieved from a list 105 which holds security settings for the network entities at a central place. The list can be maintained by requesting security settings from the network entities either at request or at predetermined intervals.

Fig. 2 shows a block diagram according to the invention. The block diagram illustrates components of the path comprised of the receive node 217, the communications link 209 and a content provider node 204. Additionally, the block diagram illustrates a network entity in the form of an access point 210 and 218, where the access point 201 is shown in greater detail. The receive node 217 comprises a query interface 210, which is arranged to query the network entities 210 and 218 as to how they are configured with regard to security. The configuration of security settings can be stored in a settings memory 202 wherefrom they are retrieved and supplied to the receive node 217 when the query interface 203 of the network entity 204 is queried by the receive node 217. Likewise, the security configuration of the network entity 218 is retrieved.
At the receive node 217 a predefined security level specification is stored in memory 211. This specification can define different levels of security. The specification can comprise a mapping between different security configurations or settings of the network and different protection levels that are prerequisites for transferring digital content to the receive node. An inference engine 216 is arranged to deduce at which protection level digital content is to be processed on the path. Depending on the deduced protection level an adequate encryption protocol is selected from a set of protocols 214. An identifier of the selected encryption protocol is transmitted to the content provider node 204, wherefrom digital content can be streamed or downloaded to the receive node 217. The received digital content is stored in content memory 213.

Alternatively, or in addition, a set of actions performing operations on the digital content can be determined from the deduced protection level. Thereby, a relatively high degree of susceptibility to operations on the digital content can be allowed when it is deduced that the protection level in the network is relatively high, and vice versa. This greatly improves the options available to a user since additionally intermediate levels of operations accessible to a user can be granted. Such actions are enabled via an interface 215. The interface 215 can enable the actions to entities in the network or to applications within the scope of the receive node. Whether the network entities or applications within the scope of the receive node are provided access to the actions can be determined in response to the deduced protection level.

At the provider node 204 digital content is stored in content memory 206. Encryption protocols are stored in memory 207. A predefined security level specification is stored in memory 208, wherefrom it can be distributed to receive nodes.

Fig. 3 shows a flowchart according to the invention.
The flowchart illustrates the operation of a computer-implemented method of setting protection properties for a path on which digital content is distributed. In step 301 the method is started and subsequently in step 302 security settings are retrieved from entities in the network. In the following step 303 it is deduced whether the retrieved network security settings comply with a predefined security level specification. If they do (Y), step 304 guides the method to one of the steps 305, 306 or 307 in which protection properties for the path are set in dependence on the previous positive deduction. In step 305 an encryption protocol for the transmission of the digital content is selected. In step 306 the digital content is selected. In step 307 a set of actions performing operations on the digital content can be determined from the previous deduction. The present invention encompasses different embodiments of setting protection properties. For instance protection properties can be set by any one of step 305 or step 306 or step 307. Additionally, protection properties can be set by any two of the steps or any three of the steps 305, 306 and 307.

In case the retrieved network security settings do not comply with a predefined security level specification (N), step 304 guides the method to one of the steps 308, 309 or 310 in which protection properties for the path are set in dependence on the previous negative deduction. In step 308 an encryption protocol for the transmission of the digital content is selected. In step 309 the digital content is selected. In step 310 a set of actions performing operations on the digital content can be determined from the previous deduction. Also in case the deduction had a negative outcome, the present invention encompasses different embodiments of setting protection properties. For instance protection properties can be set by any one of step 308 or step 309 or step 310.
Additionally, protection properties can be set by any two of the steps or any three of the steps 308, 309 and 310. When the protection properties have been set, transmission of digital content from a provider node to a receive node can be executed. In an embodiment of the invention, the content provider is instructed to provide services that are adapted to the deduced protection level. This service setting is performed in step 313. The method ends in step 314. Further, the method can comprise the step 311 of backwards deducing which security settings resulted in the deduced protection level.

Retrieval of the security settings of the entities in the network can be carried out in connection with devices that conform to a so-called universal plug-and-play (UPnP) protocol or interface, where a controllable device makes itself known through a set of predefined processes. Alternatively, or additionally, one or more proprietary protocols can be supported. Thus one way to analyze security settings is to query the device using UPnP (Universal Plug and Play). Specifically the UPnP IGD (Internet Gateway Device) and AP (Access Point) specifications can be used for this. In addition, many vendors have proprietary protocols that allow querying of current security parameters.

The UPnP architecture offers pervasive peer-to-peer network connectivity of PCs of all form factors, intelligent appliances, and wireless devices. UPnP architecture leverages TCP/IP and the Web to enable seamless proximity networking in addition to control and data transfer among networked devices in the home, office, and everywhere in between. UPnP technology can be supported on essentially any operating system and works with essentially any type of physical networking media - wired or wireless - providing maximum user and developer choice and great economics (Source: WWW.UPnP.ORG).
Despite the versatility of the UPnP protocol, this is only one of various protocols; thus, in the likely event that communication with a controllable device which does not support UPnP is required, an interface compatible with the device must be selected at the control computer.

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the device claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
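
The deduction performed by the inference engine of Fig. 2 and the flow of Fig. 3 (steps 302 to 307, plus the backward deduction of step 311) can be illustrated as follows. This is an added example, not code from the patent; the setting names and scales, the three-level specification, the protocol identifiers, the action names and the fail-closed handling of entities that do not answer are all assumptions.

```python
# Added example (not from the patent): inference engine of Fig. 2 / flow of Fig. 3.
# Setting names, scales, levels, protocol identifiers and actions are assumptions.

# Ordered scales: a later position means a stronger setting.
RANKS = {"wifi": ["open", "wep", "wpa", "wpa2"], "firewall": ["off", "on"]}
# Which settings each kind of network entity is expected to report.
APPLIES = {"access_point": ["wifi"], "gateway": ["firewall"]}
# Predefined security level specification (memory 211): network settings needed
# per protection level, plus the path properties that level grants.
SPEC = {
    2: {"needs": {"wifi": "wpa2", "firewall": "on"},
        "protocol": "PROTO_LIGHT", "actions": {"play", "copy", "export"}},
    1: {"needs": {"wifi": "wpa", "firewall": "on"},
        "protocol": "PROTO_STANDARD", "actions": {"play", "copy"}},
    0: {"needs": {}, "protocol": "PROTO_STRONG", "actions": {"play"}},
}

def rank(setting, value):
    """Position of a reported value on its scale; missing or unknown ranks lowest."""
    scale = RANKS[setting]
    return scale.index(value) if value in scale else -1

def shortfalls(entities, level):
    """Backward deduction (step 311): settings that keep the network below `level`."""
    found = []
    for ent in entities:
        # An entity of unknown kind is checked against every setting (fail closed).
        for setting in APPLIES.get(ent["kind"], list(RANKS)):
            required = SPEC[level]["needs"].get(setting)
            reported = ent.get("settings", {}).get(setting)
            if required is not None and rank(setting, reported) < rank(setting, required):
                found.append((ent["id"], setting, reported, required))
    return found

def deduce_level(entities):
    """Steps 303/304: highest level whose needs every queried entity meets."""
    for level in sorted(SPEC, reverse=True):
        if not shortfalls(entities, level):
            return level
    return min(SPEC)  # only reached if the lowest level also has needs

def set_protection(entities):
    """Steps 305 and 307: encryption protocol and permitted actions for the path."""
    level = deduce_level(entities)
    return {"level": level, "protocol": SPEC[level]["protocol"],
            "actions": SPEC[level]["actions"]}

# Constructed query results (step 302), named after the entities of Fig. 1.
HOME = [{"id": "access-point-107", "kind": "access_point", "settings": {"wifi": "wpa2"}},
        {"id": "gateway-106", "kind": "gateway", "settings": {"firewall": "on"}}]
WEAK = [{"id": "access-point-107", "kind": "access_point", "settings": {"wifi": "wep"}},
        {"id": "gateway-106", "kind": "gateway", "settings": {}}]  # gave no answer

if __name__ == "__main__":
    for name, net in (("HOME", HOME), ("WEAK", WEAK)):
        print(name, set_protection(net), shortfalls(net, 2))
```

With the constructed WEAK network the path falls to level 0, and `shortfalls(WEAK, 1)` names the two settings that would have to change to reach level 1.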

CLAIMS:
1. A computer-implemented method of setting protection properties for a path with a receive node, which is located in a data network via which the receive node is coupled to network entities; the method comprising the following steps: retrieving security settings of the network entities; and from the retrieved security settings of the network entities and a predefined security level specification deducing at which protection level digital content is to be processed and/or transmitted on the path, and setting the protection properties for the path to effect that the digital content is protected at the deduced protection level.
2. A method according to claim 1, wherein the digital content is transferred from a content provider to the receive node via the path at an encryption level selected from the deduced protection level.
3. A method according to claim 1, wherein the receive node provides an interface to invoke a set of actions operating on the digital content and which invoked set of actions is determined from the deduced protection level.
4. A method according to claim 3, wherein the actions are invoked by network entities via the network.
5. A method according to claim 3, wherein the actions are invoked by the content receiver itself.
6. A method according to claim 1, wherein the deduced protection level is communicated to a content provider which is arranged to select which digital content to communicate to the receive node, where the digital content to select is determined by the deduced protection level.
7. A method according to claim 1, wherein a content provider provides services associated with a piece of digital content, which services are adapted to the deduced protection level.
8. A method according to claim 1, further comprising the step of backwards deducing which security settings are required to obtain a predefined protection level.
9. A method according to claim 8, wherein the backwards deduction is based on a representation of the security settings required to obtain the predefined protection level.
10. A method according to claim 1, wherein the security settings are retrieved by querying network entities by means of the Universal Plug and Play Protocol, UPnP.
11. A computer-readable medium which when executed on a computer makes the computer execute the method as set forth in any of the claims 1 through 10.
12. A component for setting protection properties for a path with a receive node, which is located in a data network via which the receive node is coupled to network entities; the component comprising: a query component arranged to retrieve security settings of the network entities; and an inference engine arranged to deduce at which protection level digital content is to be processed and/or transmitted on the path by making a deduction from the retrieved security settings of the network entities and a predefined security level specification, and setting the protection properties for the path to effect that the digital content is protected at the deduced protection level.
13. A computer system comprising a component as defined in claim 10.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP04101182 2004-03-23
EP04101182.6 2004-03-23

Publications (1)

Publication Number Publication Date
WO2005093543A1 true WO2005093543A1 (en) 2005-10-06

Family

ID=34961101

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2005/050878 WO2005093543A1 (en) 2004-03-23 2005-03-11 Computer network access control system

Country Status (1)

Country Link
WO (1) WO2005093543A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009049458A1 (en) * 2007-10-15 2009-04-23 Zte Corporation An online capacity-reduction method for non-stopped service of a protection ring network of an optical transmision multiple segment
US7882356B2 (en) 2006-10-13 2011-02-01 Microsoft Corporation UPnP authentication and authorization

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1997037477A2 (en) * 1996-03-29 1997-10-09 Cabletron Systems, Inc. Policy management and conflict resolution in computer networks
US5935248A (en) * 1995-10-19 1999-08-10 Fujitsu Limited Security level control apparatus and method for a network securing communications between parties without presetting the security level
WO2000074345A1 (en) * 1999-05-28 2000-12-07 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for secure communication
US20010042043A1 (en) * 1995-02-13 2001-11-15 Intertrust Technologies Corp. Cryptographic methods, apparatus and systems for storage media electronic rights management in closed and connected appliances
US20020034242A1 (en) * 1994-02-22 2002-03-21 Takayuki Sugahara Method of protection of data reproduction, and reproduction apparatus providing protection of data reproduction
EP1324541A2 (en) * 2001-12-26 2003-07-02 Kabushiki Kaisha Toshiba Communication system, wireless communication apparatus, and communication method

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase