WO2007093925A1 - Improved method of content protection - Google Patents

Improved method of content protection Download PDF

Info

Publication number
WO2007093925A1
WO2007093925A1 PCT/IB2007/050303 IB2007050303W WO2007093925A1 WO 2007093925 A1 WO2007093925 A1 WO 2007093925A1 IB 2007050303 W IB2007050303 W IB 2007050303W WO 2007093925 A1 WO2007093925 A1 WO 2007093925A1
Authority
WO
WIPO (PCT)
Prior art keywords
content
key
group
section
devices
Prior art date
Application number
PCT/IB2007/050303
Other languages
French (fr)
Inventor
Johan C. Talstra
Antonius A. M. Staring
Original Assignee
Koninklijke Philips Electronics N.V.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips Electronics N.V. filed Critical Koninklijke Philips Electronics N.V.
Publication of WO2007093925A1 publication Critical patent/WO2007093925A1/en

Links

Classifications

    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • G11B20/00166Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving measures which result in a restriction to authorised contents recorded on or reproduced from a record carrier, e.g. music or software
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • G11B20/00188Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving measures which result in a restriction to authorised devices recording or reproducing contents to/from a record carrier
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • G11B20/0021Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • G11B20/0021Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier
    • G11B20/00217Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier the cryptographic key used for encryption and/or decryption of contents recorded on or reproduced from the record carrier being read from a specific source
    • G11B20/00253Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier the cryptographic key used for encryption and/or decryption of contents recorded on or reproduced from the record carrier being read from a specific source wherein the key is stored on the record carrier
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • G11B20/0021Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier
    • G11B20/0042Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier the copy protection scheme being related to a specific access protection standard
    • G11B20/00427Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier the copy protection scheme being related to a specific access protection standard advanced access content system [AACS]
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • G11B20/0021Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier
    • G11B20/00485Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier characterised by a specific kind of data which is encrypted and recorded on and/or reproduced from the record carrier
    • G11B20/00492Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier characterised by a specific kind of data which is encrypted and recorded on and/or reproduced from the record carrier wherein content or user data is encrypted
    • G11B20/00507Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier characterised by a specific kind of data which is encrypted and recorded on and/or reproduced from the record carrier wherein content or user data is encrypted wherein consecutive physical data units of the record carrier are encrypted with separate encryption keys, e.g. the key changes on a cluster or sector basis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H04L9/0836Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key using tree structure or hierarchical structure
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution

Definitions

  • Unauthorized content distribution is a grave concern for content owners. Such distribution may occur in the form of unlicensed replication of content on read-only carriers such as DVD discs, typically in large numbers, which is then sold to the public. Other forms may be e.g. distribution over a peer-to-peer network or from an unauthorized Web site.
  • the source material e.g. might be a movie recorded on a digital camcorder in the back of a movie theater, or a stolen/leaked pre-production screener.
  • copy protection systems like the Advanced Access Content System (AACS) introduce the process of Content Certificate verification.
  • AACS Advanced Access Content System
  • Such process typically operates as follows. Legitimately produced content should be accompanied by a digital certificate covering that content.
  • the certificate is digitally signed by the licensing authority of the copy protection system that applies to the content or distribution channel.
  • a compliant player i.e. one that complies with the copy protection system in question
  • this player checks for the presence of a valid content certificate.
  • the content must also be associated with that certificate.
  • a carrier produced by an unauthorized third party or a Web site offering unauthorized downloads would not play in a compliant player, because the third party cannot create a valid content certificate.
  • the creation and verification of a digital signature involves the computation of a cryptographic hash over the content. Calculation of this hash requires an enormous amount of data processing, as the content consists of multiple gigabytes of information.
  • verifying the digital signature requires public key cryptography. Typically this consists of a point-multiplication on an elliptic curve cryptosystem (ECC) or a modular exponentiation using e.g. RSA. On today's (embedded) processors this can take many hundreds-of-thousands of 32x32-bit multiplications.
  • ECC elliptic curve cryptosystem
  • RSA modular exponentiation
  • MAC Message Authentication Code
  • This object is achieved according to the invention in a method comprising deriving an authorization element from at least one section of the content, from a group key associated with a group of devices suitable for accessing the content and from a content key to be used in decrypting the content, the authorization element enabling reconstruction of the content key given the at least one section and the group key.
  • decision-based security i.e. at some point the player has to make a decision whether or not access to the content is allowed based on the validity of a digital signature or MAC. This hinges on the proper execution of decision-making code somewhere in the player.
  • decision-making code can be tampered with, for example by altering the code to always report that the computed hash or MAC and the hash or MAC accompanying the content are identical, or to allow access regardless of the outcome of the comparison between the two.
  • the present invention provides the stronger information-based security: a carrier simply does not contain enough information to decrypt the content if it had not been authorized by the licensing authority.
  • the content decryption key is made a function of the content itself.
  • respective authorization elements are derived for each respective one of a plurality of sections of the content using the respective section, the group key and the content key.
  • each authorization element is an encrypted version of the content key, using a combination of the applicable section and the group key as an encryption key for encrypting the content key.
  • the applicable section is first subjected to a one-way function such as a cryptographic hash function to reduce the size of the (potentially large) section to a small, fixed size, e.g. 160 bits.
  • the invention makes use of the market logistics which apply equally to content owner and professional pirate. Both parties need a kind of sustainable business required to recoup their investment. Such business can only be realized if both their carriers play with a very high probability (>90%) in any given player. If a carrier has a lower probability of working, potential customers will regard it as unreliable and not purchase it.
  • Fig. 1 schematically illustrates the method according to the invention
  • Fig. 2 schematically illustrates an arrangement for content mastering, distribution and rendering
  • Fig. 3 schematically illustrates a scheme for managing revocation of group keys
  • Fig. 4 illustrates a preferred embodiment of the device.
  • same reference numerals indicate similar or corresponding features.
  • Some of the features indicated in the drawings are typically implemented in software, and as such represent software entities, such as software modules or objects.
  • Fig. 1 schematically illustrates the method according to the invention. In this method the player must combine (i) a section of the content C 1 , (ii) a group key K 1 , and (iii) an authorization key G 11 to obtain a content decryption key K.
  • This has the advantage that device revocation and content origin authentication are rolled into one single operation, without losing precious space on the carrier.
  • the content is divided into n sections, the/ h one of which is labeled as C 1 .
  • the content is encrypted with a symmetric content key denoted as K.
  • Devices are divided into m groups. The devices in each group receive a common group key.
  • the i th one of the m group keys is denoted as K 1 .
  • Furthermore a matrix G with matrix elements G 11 is provided.
  • the matrix G is to be chosen such that for all group keys K 1 and for all content sections C 1 the application of the function F to K 1 , C 1 and matrix element G y always results in the same content key K
  • the skilled person will be able to come up with a great variety of functions F and matrices G that have the desired properties. Two examples will now be given.
  • the matrix element G 11 is an encrypted version of the content key K, using a combination of the section C 1 and the group key K 1 as the encryption key.
  • the matrix G may be defined by: G ⁇ ⁇ ⁇ [ W(C j ,K) , K ]
  • the matrix element G 11 is an encrypted version of a combination of the section C 1 and the content key K, using the group key K 1 as the encryption key.
  • the matrix G may be defined by G, ⁇ E[ I M H(Q ⁇ I ]
  • i ranges over a set of group keys, andy over (a subset of) the sections of the content.
  • the set of group keys may be fixed or change as per the embodiment described with reference to Fig. 3 below.
  • the notation E[K,A] indicates that item A is encrypted using key K.
  • D [K, A] indicates that item A is decrypted using key K.
  • H'() is some cryptographic one-way function which has the property that from the output of H'() it should not be possible to deduce K 1 nor should it be computationally feasible to find a modified section C 1 such that H'() remains the same.
  • the function H() is a cryptographic one-way function like SHA-I.
  • the key K to encrypt the content is chosen and the matrix G is computed.
  • the matrix G is put on the carrier 150 together with the encrypted content.
  • the matrix G may become very large: n times m.
  • a select subset of the group keys and/or only a subset of all sections should be used in computing G. This results in a matrix G that is only partially filled. Only the computed matrix elements need to be stored in that case.
  • the discussion of Fig. 3 below explains how only using a subset of the group keys can be advantageous.
  • FIG. 2 schematically illustrates an arrangement for content mastering, distribution and rendering.
  • a content authoring facility 100 creates content such as music, songs, movies, animations, speeches, videoclips for music, TV programs, pictures, games, ringtones, spoken books or interactive services. To make the content available, it is sent to mastering facility 110 where an arrangement 111 for mastering and replication on carriers 150 such as Digital Versatile Discs is available.
  • a sub-arrangement 112 which interacts with a licensing authority 120 that has access to the abovementioned group keys K 1 .
  • the content key K is chosen either by the mastering facility 110 or the licensing authority 120.
  • the licensing authority 120 chooses the matrix G such that for all group keys K 1 and for all content sections C 1 the application of the function F to K 1 , C 1 and matrix element G y always results in the same content key K.
  • the matrix G is then supplied to the sub-arrangement 112 for recording on the carrier 150.
  • the sub-arrangement 112 supplies the sections C 1 to the licensing authority 120.
  • the authority 120 uses matrix computation module 121 to compute the matrix elements G 11 as an encrypted version of the content key K, using a combination of the section C 1 and the group key K 1 as the encryption key. Preferably this is done by computing respective values H '(CpK 1 ) for the n sections C 7 using each of the group keys K 1 available from storage means 122. Each matrix element G 11 is then computed by encrypting the content key AT using the value H '(C p K 1 ). The resulting matrix G is sent back to the arrangement 112. In a second embodiment the licensing authority 120 computes the matrix element G 11 as an encrypted version of a combination of the section C 1 and the content key K, using the group key K 1 as the encryption key.
  • the mastering facility 110 calculates the respective hashes H(C 7 ) of the n sections C 1 of the content, and sends these hashes H(C 7 ) to the licensing authority 120.
  • This has the advantage that the hashes of the sections are smaller than the sections themselves, so that the amount of data that must be exchanged is reduced.
  • the mastering facility 110 can still send the n sections C 1 of the content, and the authority 120 computes the hashes H(C 7 ) thereof.
  • the licensing authority 120 computes the matrix elements G 11 by first computing H(C) ⁇ K and encrypting the result using the group key K 1 .
  • the resulting matrix G is sent back to the arrangement 112.
  • the group keys K 1 are kept by the licensing authority 120.
  • the group keys K 1 may be made available to the mastering facility 110 so that the hashing and encrypting operations take place there. This avoids the need for transmitting sections or hashes thereof, but there is now an increased risk that the group keys may be stolen.
  • the licensing authority 120 may further comprise key generating means 123 to e.g. provide the content key AT to the mastering facility 110 for encrypting the content.
  • the mastering arrangement 111 may generate the content key K.
  • the carrier 150 may be provided with such items as a ROM mark 151, a Media Key Block 152, the matrix G and of course the encrypted content 154.
  • the licensing authority 120 may be realized as a computer system that is inside the mastering facility connected to the mastering and/or replication equipment. Another option is to have the licensing authority 120 at a separate location, allowing a mastering facility to contact it over a network such as the Internet. Subsequently the carrier 150 is marketed and sold or otherwise disposed of to a consumer, who at some point will insert the carrier 150 in his player 160 to access the content.
  • the player 160 could be e.g. a radio receiver, a tuner/decoder, a CD or DVD player, a television, a VCR, a digital recorder, a mobile phone, a tape deck, a personal computer, a personal digital assistant, a portable display unit, a car entertainment system, and so on.
  • the content may also be made available through different channels.
  • the content may be offered for download on a Web site or through a pay-per-view television scheme.
  • the player 160 is provided with an identification i of its group, for example a group number programmed into the device 160 in the factory.
  • a key reconstruction module 168 selects a section C 1 of the content 154 and the applicable matrix element G 11 from the carrier 150 and selects the appropriate group key K 1 from a storage medium 162. With this information the module 168 reconstructs the content decryption key K. If the player 160 does not have the appropriate group key K 1 , it cannot compute the content decryption key K. Note that a player may have one or more group keys, as a player may be a member of plural groups.
  • the matrix element G 11 is an encrypted version of the content key K, using a combination of the section C 1 and the group key K 1 as the encryption key.
  • the module 168 reconstructs the content decryption key K by combining the section C 1 and the group key K 1 and using the result as decryption key.
  • the matrix G may be defined by:
  • the module 168 reconstructs the content decryption key K as
  • the matrix element G 11 is an encrypted version of a combination of the section C 1 and the content key K, using the group key K 1 as the encryption key.
  • the module 168 now reconstructs the content decryption key K by decrypting the matrix element G 11 using the group key K 1 .
  • the outcome of this decryption operation is then combined again with the section C 1 to arrive at the content key K.
  • the matrix G may be defined by
  • rendering comprises generating audio signals and feeding them to loudspeakers.
  • rendering generally comprises generating audio and video signals and feeding those to a display screen and loudspeakers. For other types of content a similar appropriate action must be taken.
  • the content may also be copied onto a different carrier such as a hard disk.
  • the player 160 may be connected to a network and may be configured to provide the content to a different device which performs the actual rendering.
  • the content decryption key K which is obtained in this way does not necessarily decrypt the content directly, but may be an ingredient in a key hierarchy, and/or may be combined with other standard elements of a copy protection system such as a physical ROM mark, or a further revocation key block and/or usage rights.
  • the device 160 may be provided with a content protection system (CPS) 166 that uses one or more device keys available in storage module 167.
  • CPS content protection system
  • storage module 167 and storage module 162 may be implemented using a single storage medium.
  • Fig. 3 schematically illustrates a scheme for managing revocation of group keys.
  • the nodes of the tree 200 have been labeled in the canonical way using numbers with binary digits.
  • At the highest level there is the root node 201.
  • the next level comprises nodes 221, 222, 223, 224 also with respective labels.
  • Devices correspond to leaf nodes.
  • Device 0 (indicated in Fig. 3 with decimal number “0") corresponds to the leaf node with label "0000";
  • device 1 corresponds to the leaf node with label "0001", and so on.
  • K n Assigned to every node of the binary tree are randomly chosen group keys.
  • a group key assigned to a node with number n will be referred to as K n .
  • the key of node 212 is K 0
  • a key assigned to node 222 is K O i
  • the key for node 234 is K O n
  • a key for the last shown leaf node is Kim.
  • the root node may or may not have been assigned a key.
  • All keys on the path from the root node 201 to a particular leaf node are available to the device corresponding to that particular leaf node.
  • device 7 holds keys Ko, KQ I , Ko ⁇ and Kom and device 15 has keys Ki, Kn, Km and Kim.
  • these keys are often referred to as device keys, although it would be better to call them group keys, because such a key is shared by the group of devices contained in the sub-tree rooted at that particular node.
  • subset corresponding to node 232 comprising devices 2 and 3 is a subset of the subset corresponding to node 221 comprising devices 0, 1, 2 and 3 as well as of the subset corresponding to node 211 comprising devices 0 through 7.
  • the matrix computation module 121 now uses the keys Koooi, K 0 Oi, Koio, Koi io, Kioi and Kn to create the matrix elements G ⁇ for groups 0001, 001, 010, 0110, 101 and 11. Only these matrix elements will accompany the content. As can be seen in Fig. 3, these keys are the group keys available only to the devices in the shaded areas of the tree. This new choice of keys avoids the group keys available to the devices 0, 7, 8 and 9.
  • decryption keys are used to decrypt content keys with which in turn the content can be decrypted.
  • confidentiality of the content key is achieved.
  • the carrier simply does not contain enough information to decrypt the content if it had not been authorized by the licensing authority.
  • the content decryption key is made a function of the content itself.
  • the group keys initially used are not the root key or keys Ko or Ki. Rather, to make it very hard for the professional hacker, the initial number of group keys is already chosen to be very large, preferably 1,000 groups or more. This means that none of the group keys of the top ten layers of the tree should be used. In an advantageous embodiment, these keys do not even exist.
  • Fig. 4 schematically illustrates a preferred embodiment of the device 160.
  • selected cells from the matrix G are stored on the carrier, using the media key block structure 152.
  • each group of devices preferably selected on the basis of a key block
  • the carrier 150 comprises the content 154, the key block 152 and optionally a cryptographic salt 156.
  • a key block processing module 561 reads the key block 152 from the carrier 150 and, using keys available from storage medium 562, obtains the group key K 1 .
  • This key K 1 is fed to the hashing module 563, which computes W(C j , K 1 ) and feeds the outcome to decryption module 564.
  • the outcome of decryption module 564 is the key K which is then provided to the CPS 166 (not shown here).
  • the module 561 also supplies an identification ⁇ of the group to which the device 160 belongs to a section locator module 565. With this information, the module 565 obtains the appropriate section C 1 of content from the carrier 150
  • a device is in a group with a relatively high group number, that device always has to access a section with a high number as well. As such a section is likely far away from the location on the carrier where the matrix G, key blocks and other related information is stored, such a device has to perform a more time-consuming access operation than a device with a relatively low group number.
  • the optional cryptographic salt 156 is used.
  • the cryptographic salt 156 is mixed with the group identificationy and the outcome of this mixing operation is used as the section number.
  • the salt 156 is preferably randomly chosen by the mastering facility 110 or the licensing authority 120. This way, every player will effectively access a randomly chosen section which means that, on average, every player spends an equal amount of time in accessing the carrier for key computation.
  • An exemplary optical disc carries an encrypted digital video title combined with data processing operations that implement the title's security policies and decryption processes.
  • Player devices include a processing environment (e.g., a real-time virtual machine), which plays content by interpreting its processing operations.
  • Players also provide procedure calls to enable content code to load data from media, perform network communications, determine playback environment configurations, access secure nonvolatile storage, submit data to codecs for output, and/or perform cryptographic operations.
  • Content can insert forensic watermarks in decoded output for tracing pirate copies.
  • US patent application US20040190868A1 discloses a recording apparatus that comprises a receiving unit operable to receive content, a control unit operable to determine a recording method of the content on a recording media, and a R/W unit operable to write in and read out on the recording media.
  • the control unit includes a recording media identification unit operable to identify a type of the recording media via the R/W unit, a source identification unit operable to judge a type of a source about whether or not the received content is a content subject to a content protection, a recording method selection unit operable to select a recording method of the content on the recording media, and a recording method conversion unit.
  • any reference signs placed between parentheses shall not be construed as limiting the claim.
  • the word “comprising” does not exclude the presence of elements or steps other than those listed in a claim.
  • the word “a” or “an” preceding an element does not exclude the presence of a plurality of such elements.
  • the invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer.
  • the device claim enumerating several means several of these means can be embodied by one and the same item of hardware.
  • the mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Abstract

A method of enabling content origin authentication, comprising deriving an authorization element from at least one section of the content, from a group key associated with a group of devices suitable for accessing the content and from a content key to be used in decrypting the content, the authorization element enabling reconstruction of the content key given the at least one section and the group key. Also a device suitable for accessing content and comprising means for authenticating the content, in which the means for authenticating are configured for reconstructing a content key to be used in decrypting the content given one of a plurality of authorization elements, at least one section of the content and a group key. Also a system comprising a plurality of such devices.

Description

Improved method of content protection
Unauthorized content distribution is a grave concern for content owners. Such distribution may occur in the form of unlicensed replication of content on read-only carriers such as DVD discs, typically in large numbers, which is then sold to the public. Other forms may be e.g. distribution over a peer-to-peer network or from an unauthorized Web site. The source material e.g. might be a movie recorded on a digital camcorder in the back of a movie theater, or a stolen/leaked pre-production screener. To combat this form of piracy, copy protection systems like the Advanced Access Content System (AACS) introduce the process of Content Certificate verification.
Such process typically operates as follows. Legitimately produced content should be accompanied by a digital certificate covering that content. The certificate is digitally signed by the licensing authority of the copy protection system that applies to the content or distribution channel. When the content is played back in a compliant player (i.e. one that complies with the copy protection system in question), this player checks for the presence of a valid content certificate. The content must also be associated with that certificate. A carrier produced by an unauthorized third party or a Web site offering unauthorized downloads would not play in a compliant player, because the third party cannot create a valid content certificate.
Generally there are two steps in the certificate verification process which are computationally intensive. First, the creation and verification of a digital signature involves the computation of a cryptographic hash over the content. Calculation of this hash requires an enormous amount of data processing, as the content consists of multiple gigabytes of information.
Second, verifying the digital signature requires public key cryptography. Typically this consists of a point-multiplication on an elliptic curve cryptosystem (ECC) or a modular exponentiation using e.g. RSA. On today's (embedded) processors this can take many hundreds-of-thousands of 32x32-bit multiplications.
In systems like AACS the problem of hash calculation is reduced with an indirection as follows. The content is divided into many sections and the hashes of these sections are put in a separate file on a carrier. The licensor only signs this file and not the content as a whole. A player selects a limited number of sections of the content and compares the hash of those sections with values stored in the file. Different players may select different sections. This means a carrier with unauthorized content still has to carry hashes for all sections. As the third party does not have the necessary private key, he will be unable to create the file with signed hashes. Still, the burden of doing public key operations remains with the players.
To alleviate this burden, one may replace the public key signature with a Message Authentication Code (MAC) scheme based on symmetric cryptography. The problem with such a MAC scheme is that the key used by the player to verify the MAC is the same key as is used to generate this MAC. Therefore a professional pirate can circumvent such scheme by reverse engineering a single player implementation (e.g. a PC software player), to obtain the key(s) necessary to generate valid MACs independent from the licensor.
It is an object of the present invention to improve on the above.
This object is achieved according to the invention in a method comprising deriving an authorization element from at least one section of the content, from a group key associated with a group of devices suitable for accessing the content and from a content key to be used in decrypting the content, the authorization element enabling reconstruction of the content key given the at least one section and the group key.
The prior art described above provides what is called decision-based security, i.e. at some point the player has to make a decision whether or not access to the content is allowed based on the validity of a digital signature or MAC. This hinges on the proper execution of decision-making code somewhere in the player. Such decision-making code can be tampered with, for example by altering the code to always report that the computed hash or MAC and the hash or MAC accompanying the content are identical, or to allow access regardless of the outcome of the comparison between the two.
The present invention provides the stronger information-based security: a carrier simply does not contain enough information to decrypt the content if it had not been authorized by the licensing authority. The content decryption key is made a function of the content itself.
Preferably respective authorization elements are derived for each respective one of a plurality of sections of the content using the respective section, the group key and the content key. In an embodiment each authorization element is an encrypted version of the content key, using a combination of the applicable section and the group key as an encryption key for encrypting the content key. Preferably in this embodiment the applicable section is first subjected to a one-way function such as a cryptographic hash function to reduce the size of the (potentially large) section to a small, fixed size, e.g. 160 bits.
The invention makes use of the market logistics which apply equally to content owner and professional pirate. Both parties need a kind of sustainable business required to recoup their investment. Such business can only be realized if both their carriers play with a very high probability (>90%) in any given player. If a carrier has a lower probability of working, potential customers will regard it as unreliable and not purchase it.
Although the professional pirate can still reverse engineer an individual player and obtain the group key in such player, this information only allows him to create a carrier which plays in the group of which this player is a member. By choosing the number of groups sufficiently large, each group is only a small fraction of the total market. This means that with a large probability, the pirated discs are unlikely to play in a randomly chosen player. To achieve the desired high probability of working, the pirate has to obtain the group keys for a large number of groups, which means reverse engineering a very large number of players.
Advantageous embodiments are set out in the dependent claims.
The invention will now be discussed in more detail with reference to the figures, in which:
Fig. 1 schematically illustrates the method according to the invention; Fig. 2 schematically illustrates an arrangement for content mastering, distribution and rendering;
Fig. 3 schematically illustrates a scheme for managing revocation of group keys; and
Fig. 4 illustrates a preferred embodiment of the device. Throughout the figures, same reference numerals indicate similar or corresponding features. Some of the features indicated in the drawings are typically implemented in software, and as such represent software entities, such as software modules or objects. Fig. 1 schematically illustrates the method according to the invention. In this method the player must combine (i) a section of the content C1, (ii) a group key K1, and (iii) an authorization key G11 to obtain a content decryption key K. This has the advantage that device revocation and content origin authentication are rolled into one single operation, without losing precious space on the carrier.
According to the invention the content is divided into n sections, the/h one of which is labeled as C1. The content is encrypted with a symmetric content key denoted as K. Devices are divided into m groups. The devices in each group receive a common group key. The ith one of the m group keys is denoted as K1. Furthermore a matrix G with matrix elements G11 is provided.
The matrix G is to be chosen such that for all group keys K1 and for all content sections C1 the application of the function F to K1, C1 and matrix element Gy always results in the same content key K The skilled person will be able to come up with a great variety of functions F and matrices G that have the desired properties. Two examples will now be given.
In a first embodiment the matrix element G11 is an encrypted version of the content key K, using a combination of the section C1 and the group key K1 as the encryption key. For example, the matrix G may be defined by: Gυ ≡ Ε[ W(Cj,K) , K ] In this example, the content key K is reconstructed as K = O[ W(C^ K1) , G11]
In a second embodiment the matrix element G11 is an encrypted version of a combination of the section C1 and the content key K, using the group key K1 as the encryption key. For example, the matrix G may be defined by G,≡ E[ IM H(Q Θ I ]
In this example, the content key K is reconstructed as K = O[ K1 , G17] ® H(Q
In both cases i ranges over a set of group keys, andy over (a subset of) the sections of the content. The set of group keys may be fixed or change as per the embodiment described with reference to Fig. 3 below. The notation E[K,A] indicates that item A is encrypted using key K. Similarly, D [K, A] indicates that item A is decrypted using key K.
H'() is some cryptographic one-way function which has the property that from the output of H'() it should not be possible to deduce K1 nor should it be computationally feasible to find a modified section C1 such that H'() remains the same. The function H'() combines a section of content with group key K1, e.g. H\A,B) = H(H(A)\\B), or H\A,B) = E[B, H(A)]. The function H() is a cryptographic one-way function like SHA-I.
In this embodiment, the key K to encrypt the content is chosen and the matrix G is computed. The matrix G is put on the carrier 150 together with the encrypted content. When the number of sections n and/or the number of groups m is large, the matrix G may become very large: n times m. To reduce the amount of data to be stored, only a select subset of the group keys and/or only a subset of all sections should be used in computing G. This results in a matrix G that is only partially filled. Only the computed matrix elements need to be stored in that case. The discussion of Fig. 3 below explains how only using a subset of the group keys can be advantageous.
If devices are programmed to use only certain sections of the content to reconstruct the content key, then only those sections need to be used in computing G. Below, with reference to Fig. 4, an embodiment in which this option is used advantageously is discussed. Fig. 2 schematically illustrates an arrangement for content mastering, distribution and rendering. A content authoring facility 100 creates content such as music, songs, movies, animations, speeches, videoclips for music, TV programs, pictures, games, ringtones, spoken books or interactive services. To make the content available, it is sent to mastering facility 110 where an arrangement 111 for mastering and replication on carriers 150 such as Digital Versatile Discs is available.
The process of mastering and replication involves the application of a copy protection scheme. To this end, a sub-arrangement 112 is provided which interacts with a licensing authority 120 that has access to the abovementioned group keys K1. The content key K is chosen either by the mastering facility 110 or the licensing authority 120. Following what has been said with reference to Fig. 1 above, the licensing authority 120 then chooses the matrix G such that for all group keys K1 and for all content sections C1 the application of the function F to K1, C1 and matrix element Gy always results in the same content key K. The matrix G is then supplied to the sub-arrangement 112 for recording on the carrier 150. In a first embodiment the sub-arrangement 112 supplies the sections C1 to the licensing authority 120. The authority 120 uses matrix computation module 121 to compute the matrix elements G11 as an encrypted version of the content key K, using a combination of the section C1 and the group key K1 as the encryption key. Preferably this is done by computing respective values H '(CpK1) for the n sections C7 using each of the group keys K1 available from storage means 122. Each matrix element G11 is then computed by encrypting the content key AT using the value H '(CpK1). The resulting matrix G is sent back to the arrangement 112. In a second embodiment the licensing authority 120 computes the matrix element G11 as an encrypted version of a combination of the section C1 and the content key K, using the group key K1 as the encryption key.
Preferably now the mastering facility 110 calculates the respective hashes H(C7) of the n sections C1 of the content, and sends these hashes H(C7) to the licensing authority 120. This has the advantage that the hashes of the sections are smaller than the sections themselves, so that the amount of data that must be exchanged is reduced. As an alternative the mastering facility 110 can still send the n sections C1 of the content, and the authority 120 computes the hashes H(C7) thereof.
In this embodiment preferably the licensing authority 120 computes the matrix elements G11 by first computing H(C) Θ K and encrypting the result using the group key K1. The resulting matrix G is sent back to the arrangement 112.
In both embodiments above the group keys K1 are kept by the licensing authority 120. As an alternative one may make the group keys K1 available to the mastering facility 110 so that the hashing and encrypting operations take place there. This avoids the need for transmitting sections or hashes thereof, but there is now an increased risk that the group keys may be stolen.
The licensing authority 120 may further comprise key generating means 123 to e.g. provide the content key AT to the mastering facility 110 for encrypting the content. Alternatively the mastering arrangement 111 may generate the content key K. During the mastering and replication process the carrier 150 may be provided with such items as a ROM mark 151, a Media Key Block 152, the matrix G and of course the encrypted content 154.
The licensing authority 120 may be realized as a computer system that is inside the mastering facility connected to the mastering and/or replication equipment. Another option is to have the licensing authority 120 at a separate location, allowing a mastering facility to contact it over a network such as the Internet. Subsequently the carrier 150 is marketed and sold or otherwise disposed of to a consumer, who at some point will insert the carrier 150 in his player 160 to access the content. The player 160 could be e.g. a radio receiver, a tuner/decoder, a CD or DVD player, a television, a VCR, a digital recorder, a mobile phone, a tape deck, a personal computer, a personal digital assistant, a portable display unit, a car entertainment system, and so on.
Alternatively to the distribution of the content on carrier 160, the content may also be made available through different channels. For example, the content may be offered for download on a Web site or through a pay-per-view television scheme.
In accordance with the present invention, the player 160 is provided with an identification i of its group, for example a group number programmed into the device 160 in the factory. A key reconstruction module 168 selects a section C1 of the content 154 and the applicable matrix element G11 from the carrier 150 and selects the appropriate group key K1 from a storage medium 162. With this information the module 168 reconstructs the content decryption key K. If the player 160 does not have the appropriate group key K1, it cannot compute the content decryption key K. Note that a player may have one or more group keys, as a player may be a member of plural groups.
In a first embodiment the matrix element G11 is an encrypted version of the content key K, using a combination of the section C1 and the group key K1 as the encryption key. The module 168 reconstructs the content decryption key K by combining the section C1 and the group key K1 and using the result as decryption key. For example, the matrix G may be defined by:
Gy ≡ Ε[ W{Cj^ , K ] In this example, the module 168 reconstructs the content decryption key K as
K = O[ W(C1 , K1) , G11]
In a second embodiment the matrix element G11 is an encrypted version of a combination of the section C1 and the content key K, using the group key K1 as the encryption key. The module 168 now reconstructs the content decryption key K by decrypting the matrix element G11 using the group key K1. The outcome of this decryption operation is then combined again with the section C1 to arrive at the content key K. For example, the matrix G may be defined by
G11 ≡ Ε[ K1 , U(C1) ® K ]
In this example, the module 168 reconstructs the content decryption key K as K = O[ K1 , G11] ® H(C1)
An attacker who tries to pass off content he created as authentic lacks the knowledge of enough group keys K1 to make his carriers playable in a substantial fraction of the player population. Using the content key K the content is then decrypted by decryption module 164 and can be rendered using rendering module 165. The exact way in which a content item is rendered depends on the type of device and the type of content. For instance, in a radio receiver, rendering comprises generating audio signals and feeding them to loudspeakers. For video content, rendering generally comprises generating audio and video signals and feeding those to a display screen and loudspeakers. For other types of content a similar appropriate action must be taken.
Alternatively to rendering, the content may also be copied onto a different carrier such as a hard disk. The player 160 may be connected to a network and may be configured to provide the content to a different device which performs the actual rendering.
It will be clear to those skilled in the art that the content decryption key K which is obtained in this way does not necessarily decrypt the content directly, but may be an ingredient in a key hierarchy, and/or may be combined with other standard elements of a copy protection system such as a physical ROM mark, or a further revocation key block and/or usage rights. The device 160 may be provided with a content protection system (CPS) 166 that uses one or more device keys available in storage module 167. Note that storage module 167 and storage module 162 may be implemented using a single storage medium.
Fig. 3 schematically illustrates a scheme for managing revocation of group keys. The nodes of the tree 200 have been labeled in the canonical way using numbers with binary digits. At the highest level, there is the root node 201. Below there are two nodes 211, 212 labeled "0" and "1". The next level comprises nodes 221, 222, 223, 224 also with respective labels. Below that there are nodes 231-238, and at the bottom the leaf nodes 240 are provided.
Devices correspond to leaf nodes. Device 0 (indicated in Fig. 3 with decimal number "0") corresponds to the leaf node with label "0000"; device 1 corresponds to the leaf node with label "0001", and so on. In practice there would of course be many more leaf nodes as there may well be hundreds of thousands of devices in the system.
Assigned to every node of the binary tree are randomly chosen group keys. A group key assigned to a node with number n will be referred to as Kn. For example the key of node 212 is K0, a key assigned to node 222 is KOi, the key for node 234 is KOn and a key for the last shown leaf node is Kim. The root node may or may not have been assigned a key.
All keys on the path from the root node 201 to a particular leaf node are available to the device corresponding to that particular leaf node. For example, device 7 holds keys Ko, KQI, Ko π and Kom and device 15 has keys Ki, Kn, Km and Kim. In some systems these keys are often referred to as device keys, although it would be better to call them group keys, because such a key is shared by the group of devices contained in the sub-tree rooted at that particular node.
Note that some of the subsets are actually subsets of another subset. For example the subset corresponding to node 232 comprising devices 2 and 3 is a subset of the subset corresponding to node 221 comprising devices 0, 1, 2 and 3 as well as of the subset corresponding to node 211 comprising devices 0 through 7.
This assignment of group keys makes it possible to selectively address subsets of all devices. Suppose that the group keys stored in devices 0, 7, 8 and 9 have been reverse engineered and used by professional pirates. This means that future legitimate content should no longer be accompanied by a matrix G from which the content decryption key may be derived.
To achieve this, the matrix computation module 121 now uses the keys Koooi, K0Oi, Koio, Koi io, Kioi and Kn to create the matrix elements Gυ for groups 0001, 001, 010, 0110, 101 and 11. Only these matrix elements will accompany the content. As can be seen in Fig. 3, these keys are the group keys available only to the devices in the shaded areas of the tree. This new choice of keys avoids the group keys available to the devices 0, 7, 8 and 9.
In copy protection systems such as Copy Protection for Recordable Media and Copy Protection for Pre-recorded Media, Video Content Protection System and AACS a comparable scheme is used to assign decryption keys. The decryption keys are used to decrypt content keys with which in turn the content can be decrypted. However in these systems only confidentiality of the content key is achieved. In the present invention, the carrier simply does not contain enough information to decrypt the content if it had not been authorized by the licensing authority. The content decryption key is made a function of the content itself.
In a preferred embodiment the group keys initially used are not the root key or keys Ko or Ki. Rather, to make it very hard for the professional hacker, the initial number of group keys is already chosen to be very large, preferably 1,000 groups or more. This means that none of the group keys of the top ten layers of the tree should be used. In an advantageous embodiment, these keys do not even exist.
Fig. 4 schematically illustrates a preferred embodiment of the device 160. Here only selected cells from the matrix G are stored on the carrier, using the media key block structure 152. Preferably only one cell from each column is chosen. This means that each group of devices (preferably selected on the basis of a key block) uses precisely one section of the content to compute the key K on the basis of which the content is then decrypted. In this embodiment the elements Gy are obtained as Gy ≡ Sy E[W(C1 , K1) , K ] and the content key K can be obtained as K = O[ W(C K) , G11] where the Kronecker Delta symbol δy is equal to 1 if the cell is to be chosen and 0 otherwise.
This embodiment has the advantage that device revocation and content certification are rolled into one single operation, without losing precious space on the carrier. In Fig. 4, the carrier 150 comprises the content 154, the key block 152 and optionally a cryptographic salt 156. In the device 160, a key block processing module 561 reads the key block 152 from the carrier 150 and, using keys available from storage medium 562, obtains the group key K1. This key K1 is fed to the hashing module 563, which computes W(Cj , K1) and feeds the outcome to decryption module 564. The outcome of decryption module 564 is the key K which is then provided to the CPS 166 (not shown here).
The module 561 also supplies an identification^ of the group to which the device 160 belongs to a section locator module 565. With this information, the module 565 obtains the appropriate section C1 of content from the carrier 150
If a device is in a group with a relatively high group number, that device always has to access a section with a high number as well. As such a section is likely far away from the location on the carrier where the matrix G, key blocks and other related information is stored, such a device has to perform a more time-consuming access operation than a device with a relatively low group number. To ensure that, on average, every player spends an equal amount of time in accessing the carrier for key computation, the optional cryptographic salt 156 is used.
The cryptographic salt 156 is mixed with the group identificationy and the outcome of this mixing operation is used as the section number. The salt 156 is preferably randomly chosen by the mastering facility 110 or the licensing authority 120. This way, every player will effectively access a randomly chosen section which means that, on average, every player spends an equal amount of time in accessing the carrier for key computation.
In international patent application WO2005/008385, technologies are disclosed to transfer responsibility and control over security from player makers to content authors by enabling integration of security logic and content. An exemplary optical disc carries an encrypted digital video title combined with data processing operations that implement the title's security policies and decryption processes. Player devices include a processing environment (e.g., a real-time virtual machine), which plays content by interpreting its processing operations. Players also provide procedure calls to enable content code to load data from media, perform network communications, determine playback environment configurations, access secure nonvolatile storage, submit data to codecs for output, and/or perform cryptographic operations. Content can insert forensic watermarks in decoded output for tracing pirate copies. If pirates compromise a player or title, future content can be mastered with security features that, for example, block the attack, revoke pirated media, or use native code to correct player vulnerabilities. US patent application US20040190868A1 discloses a recording apparatus that comprises a receiving unit operable to receive content, a control unit operable to determine a recording method of the content on a recording media, and a R/W unit operable to write in and read out on the recording media. The control unit includes a recording media identification unit operable to identify a type of the recording media via the R/W unit, a source identification unit operable to judge a type of a source about whether or not the received content is a content subject to a content protection, a recording method selection unit operable to select a recording method of the content on the recording media, and a recording method conversion unit.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims.
In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements.
The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the device claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Claims

CLAIMS:
1. A method of enabling content origin authentication, comprising deriving an authorization element from at least one section of the content, from a group key associated with a group of devices suitable for accessing the content and from a content key to be used in decrypting the content, the authorization element enabling reconstruction of the content key given the at least one section and the group key.
2. The method of claim 1, comprising deriving a respective authorization element for each respective one of a plurality of sections of the content using the respective section, the group key and the content key.
3. The method of claim 2, in which each authorization element is an encrypted version of the content key, using a combination of the applicable section and the group key as an encryption key for encrypting the content key.
4. A device suitable for accessing content and comprising means for authenticating the content, in which the means for authenticating are configured for reconstructing a content key to be used in decrypting the content given one of a plurality of authorization elements, at least one section of the content and a group key.
5. The device of claim 4, in which the means for authenticating are configured for determining a group to which the device belongs, the means for authenticating being configured for selecting one authorization element from said plurality of authorization elements based on the determined group.
6. The device of claim 5, comprising storage means for storing a plurality of group keys, the means for authenticating being configured for selecting the group key to be used in reconstructing the content key based on the determined group.
7. A system comprising a plurality of devices as claimed in claim 4, which devices have been grouped into respective groups, and in which the devices of a single group share at least one common group key for reconstructing the content key.
8. The system of claim 7, in which the devices have been assigned a plurality of group keys, each group key of said plurality being shared with a subset of all devices, at least one of the subsets being a subset of another subset.
9. A carrier comprising content encrypted with a content key and an authorization element derived from at least one section of the content, from a group key associated with a group of devices suitable for accessing the content and from a content key to be used in decrypting the content, the authorization element enabling reconstruction of the content key given the at least one section and the group key.
PCT/IB2007/050303 2006-02-14 2007-01-30 Improved method of content protection WO2007093925A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP06101617 2006-02-14
EP06101617.6 2006-02-14

Publications (1)

Publication Number Publication Date
WO2007093925A1 true WO2007093925A1 (en) 2007-08-23

Family

ID=37982477

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2007/050303 WO2007093925A1 (en) 2006-02-14 2007-01-30 Improved method of content protection

Country Status (1)

Country Link
WO (1) WO2007093925A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2921530A1 (en) * 2007-09-20 2009-03-27 France Telecom Cryptographic key generating method for company, involves generating cryptographic key associated with subgroup using public information associated with parent subgroup when determined number is greater than or equal to two
RU2518164C2 (en) * 2008-09-19 2014-06-10 Награвисьон С.А. Method of enforcing rules for accessing broadcast product realised by control centre
CN110446108A (en) * 2019-06-28 2019-11-12 中国传媒大学 A kind of media cloud system and video-encryption, decryption method
US20210287230A1 (en) * 2018-07-10 2021-09-16 Sicpa Holding Sa Article anti-forgery protection

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1253739A1 (en) * 2000-12-26 2002-10-30 Sony Corporation Information processing system and method
US20030016827A1 (en) * 2000-04-06 2003-01-23 Tomoyuki Asano Information recording/reproducing apparatus and method
WO2005017809A2 (en) * 2003-08-15 2005-02-24 Docomo Communications Laboratories Usa, Inc. Method and apparatus for authentication of data streams with adaptively controlled losses
WO2005024820A1 (en) * 2003-09-10 2005-03-17 Koninklijke Philips Electronics N.V. Content protection method and system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030016827A1 (en) * 2000-04-06 2003-01-23 Tomoyuki Asano Information recording/reproducing apparatus and method
EP1253739A1 (en) * 2000-12-26 2002-10-30 Sony Corporation Information processing system and method
WO2005017809A2 (en) * 2003-08-15 2005-02-24 Docomo Communications Laboratories Usa, Inc. Method and apparatus for authentication of data streams with adaptively controlled losses
WO2005024820A1 (en) * 2003-09-10 2005-03-17 Koninklijke Philips Electronics N.V. Content protection method and system

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2921530A1 (en) * 2007-09-20 2009-03-27 France Telecom Cryptographic key generating method for company, involves generating cryptographic key associated with subgroup using public information associated with parent subgroup when determined number is greater than or equal to two
RU2518164C2 (en) * 2008-09-19 2014-06-10 Награвисьон С.А. Method of enforcing rules for accessing broadcast product realised by control centre
US20210287230A1 (en) * 2018-07-10 2021-09-16 Sicpa Holding Sa Article anti-forgery protection
US11854019B2 (en) * 2018-07-10 2023-12-26 Sicpa Holding Sa Article anti-forgery protection
CN110446108A (en) * 2019-06-28 2019-11-12 中国传媒大学 A kind of media cloud system and video-encryption, decryption method

Similar Documents

Publication Publication Date Title
US7047422B2 (en) User access to a unique data subset of a database
US7845015B2 (en) Public key media key block
US7760876B2 (en) Content security layer providing long-term renewable security
US6950941B1 (en) Copy protection system for portable storage media
US9866377B2 (en) Unified broadcast encryption system
US9071423B2 (en) Identification of a compromised content player
US7536016B2 (en) Encrypted content data structure package and generation thereof
WO2001013571A1 (en) Systems and methods for compression of key sets having multiple keys
WO2004109684A1 (en) Information recording medium, data processing method, and computer program
JP4199472B2 (en) Data protection system that protects data by applying encryption
WO2007093925A1 (en) Improved method of content protection
JP2004140757A (en) Encryption method of content, decoding method of decoding encrypted data, and apparatus of the same
WO2007093946A1 (en) Improved method of content protection
EP1942391B1 (en) Computer-readable medium, device and method for playing encrypted digital video
US20070143216A1 (en) Data Signal with a Database and a Compressed Key

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07705733

Country of ref document: EP

Kind code of ref document: A1