WO2016189105A1 - Management of receivers of broadcast encrypted digital multimedia data - Google Patents


Info

Publication number: WO2016189105A1
Authority: WO (WIPO (PCT))
Prior art keywords: receiver, head, synchronization, synchronization element, new
Application number: PCT/EP2016/061942
Other languages: English (en)
Inventors: Pierre Sarda, Pascal Junod
Original assignee: Nagravision S.A.
Application filed by Nagravision S.A.
Publication of WO2016189105A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40 Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/45 Management operations performed by the client for facilitating the reception of or the interaction with the content or administrating data related to the end-user or to the client device itself, e.g. learning user preferences for recommending movies, resolving scheduling conflicts
    • H04N21/462 Content or additional data management, e.g. creating a master electronic program guide from data received from the Internet and a Head-end, controlling the complexity of a video stream by scaling the resolution or bit-rate based on the client capabilities
    • H04N21/4623 Processing of entitlement messages, e.g. ECM [Entitlement Control Message] or EMM [Entitlement Management Message]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23 Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/242 Synchronization processes, e.g. processing of PCR [Program Clock References]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25 Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/258 Client or end-user data management, e.g. managing client capabilities, user preferences or demographics, processing of multiple end-users preferences to derive collaborative data
    • H04N21/25808 Management of client data
    • H04N21/2585 Generation of a revocation list, e.g. of client devices involved in piracy acts
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25 Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/266 Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
    • H04N21/26606 Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel for generating or managing entitlement messages, e.g. Entitlement Control Message [ECM] or Entitlement Management Message [EMM]

Definitions

  • The present disclosure relates to encrypted digital multimedia data broadcasting technology using a conventional broadcast channel combined with a broadband bidirectional channel for distributing scrambled multimedia content to users' receivers in a secure way.
  • The control word is present in (or can be computed by) the security module, i.e. on the receiver side, and the whole security of the conditional access system depends on the capability of the security module to keep the control word secret when the receiver's access rights are not sufficient. In other words, if one is able to hack the security module by extracting the control word, or by modifying the rights database stored in its memory, the conditional access system becomes insecure.
  • Cryptographic broadcast encryption can be realized through a family of cryptographic algorithms configured to secure a broadcast channel, notably by allowing the revocation of individual receivers. Thanks to these cryptographic algorithms, receivers which are not allowed to get the control word, or which are outside the system, do not have enough information to reconstruct or decrypt the control word. In other words, the conditional access equation is defined and enforced on the head-end side, instead of being defined in the head-end and enforced in the security module of the receiver. As the media is not directly encrypted by the broadcast encryption scheme, which instead encrypts a media-encrypting key, most conventional or broadcast-encryption-based systems suffer from the control-word-sharing problem.
  • If the control word can be obtained from a receiver having sufficient access rights, it can then be shared on the Internet.
  • A secure channel becomes mandatory between the conditional access system part and the descrambler, which should be confined in a secure chip.
  • Broadcast encryption aims at sending a ciphertext to a set of privileged receivers, named non-revoked receivers, using a broadcast channel.
  • Each receiver possesses a set of individual decryption keys, and as long as it does not belong to the set of revoked receivers, it can recover the plaintext.
  • Receivers in the revoked set or system outsiders are not able to decrypt any ciphertext.
  • The receivers are stateless; in other words, no synchronization between the broadcaster and the receivers can be assumed, and all the information required for decrypting the ciphertexts (besides the individual private keys stored on each receiver) has to be transmitted in the ciphertext.
  • This lack of synchronism means that, in a typical Pay-TV scenario, the set of revoked receivers tends to increase monotonically. This is a consequence of the fact that when a user's access rights change (e.g., because of a change to a less expensive subscription), the head-end is usually forced to revoke the receiver before assigning it new key material; otherwise, the user could continue using the key material associated with his previous subscription, which would violate the CAS security.
  • The broadcast encryption scheme progressively becomes impractical because the ever-increasing size of the list of revoked receivers leads to increasing bandwidth consumption.
  • Several cryptographic schemes have been proposed to set up a group key, such as the Logical Key Hierarchy scheme, for instance.
  • The costs of the communication between the head-end and the receivers can also quickly become overwhelming, in particular for systems involving tens or hundreds of millions of receivers, or when the media-encrypting key must change every 10 seconds and the access rights have to be instantly enforced, for example.
  • Document WO2013/027206A1 discloses a method for broadcast encryption that allows a broadcaster to send encrypted data to a set of users such that only a subset of authorized users can decrypt the data.
  • The method supports permanent revocation of users and comprises the following modifications to the four stages of the basic Ciphertext-Policy Attribute-Based Encryption technique: a) in the setup stage, a random control component is added by the broadcaster to the master key; b) in the key generation stage, the broadcaster sends to each user a private key that includes the attributes of the user and a component that includes the state of the user, wherein the state of the user is a function of the random control component; c) in the encryption stage, the broadcaster constructs a ciphertext by use of an algorithm that includes a global secret key, wherein the global secret key is encrypted by the private keys of the subset of authorized users; and d) in the decryption stage, the broadcaster sends the ciphertext which encrypts the global secret
  • The method proceeds as follows: b) changing the master key and the state of each user and their private keys; thereby, c) changing the global secret key to a new global secret key, which is encrypted by the private keys of the new subset of authorized users; thereby, d) only allowing users in the new subset of authorized users to decrypt ciphertext that has been encrypted by the broadcaster using an algorithm that includes the new global secret key; and therefore, e) only allowing users in the new subset of authorized users to use the new global secret key.
  • The method of document WO2013/027206A1 solves the problem of the ever-increasing size of revocation lists by changing the master key and the global secret key in order to restore the receivers' authorization to decrypt ciphertext encrypted by the broadcaster. Therefore, there is still a need for an improved solution for preventing the ever-increasing size of revocation lists without renewing the keys of the receivers.
  • A method according to claim 1 is proposed for managing at least one receiver by a head-end.
  • A head-end manages at least one receiver configured to process broadcast encrypted digital multimedia data by using an Attribute-Based Broadcast Encryption scheme, hereafter called ABBE scheme.
  • An ABBE scheme is a special type of broadcast encryption scheme that supports attributes, i.e. cryptographic elements that can be distributed in an individualized form to receivers sharing the same properties, such as a right to access a certain TV channel or a certain package of TV channels, or having the same geographical location, for example.
  • The ciphertexts can then grant the right to be decrypted only to receivers satisfying a certain combination of attributes, by enforcing an access equation that is frequently expressed as a Boolean equation defined over the set of attributes.
  • An ABBE scheme allows addressing large sets of receivers having attributes compatible with the access equation in a very efficient way.
  • An ABBE scheme allows revoking individual receivers in an efficient way.
  • The at least one receiver is connected to the head-end, on the one hand, via a broadcast channel unidirectionally transmitting streams of digital data comprising encrypted multimedia content data and control messages such as entitlement control messages (ECM), and, on the other hand, via a secure broadband bidirectional channel transmitting further control messages for managing the receiver.
  • The head-end manages a set comprising more than one receiver.
  • The set may include receivers in a non-revoked state and receivers in a revoked state.
  • The broadcast channel is to be understood as a unidirectional data stream transmission link from a source to at least one receiver, as provided for example by a satellite, a terrestrial broadcast emitter, cable, or a wired or wireless network performing streaming by using for example IP (Internet Protocol) multicast.
  • The secure broadband bidirectional channel is to be understood as a bidirectional data stream transmission link from a source to a receiver and vice versa, provided preferably through a TCP/IP network.
  • The security, i.e. confidentiality, authenticity and integrity
  • The head-end generates at least one synchronization element and at least one media-encrypting key element; the at least one synchronization element is configured to synchronize each receiver of a set of receivers with the head-end at predefined time periods.
  • The head-end periodically transmits to each receiver of the set, via the broadcast channel, at least one synchronization cryptogram comprising, for a current time period, the at least one synchronization element encrypted with the encrypting key of the ABBE scheme. It further transmits at least one time cryptogram comprising a current media-encrypting key element encrypted with the encrypting key of the ABBE scheme.
  • A non-revoked receiver of the set decrypts the synchronization cryptogram received via the broadcast channel and determines the at least one synchronization element.
  • The receiver also receives the at least one time cryptogram and determines the current media-encrypting key element, provided it has sufficient access rights.
  • The receiver combines the at least one synchronization element and the at least one media-encrypting key element in order to obtain a final media-encrypting key. This final media-encrypting key is then used for decrypting the encrypted multimedia content data at the current time period, the receiver thus being synchronized with the head-end.
  • If the receiver loses synchronization with the head-end at the current time period, it requests a new synchronization element from the head-end via the secure broadband bidirectional channel by transmitting at least an identifier to the head-end. In response to the request, the head-end transmits, via the broadband bidirectional channel, the new synchronization element comprising the preceding synchronization element combined with an updated synchronization element.
  • The new synchronization element, the preceding synchronization element and the updated synchronization element are cryptographically chained together in a sequential way.
  • The receiver detects a synchronization loss when the temporal data in the synchronization element do not correspond to the current time period, for example when the current date differs from the date of the synchronization element. This time shift may occur for example when the synchronization cryptogram is not received at a given time because of a defective or noisy broadcast channel, during a zapping operation, or because the receiver was switched off for a certain time.
  • If the receiver is temporarily revoked, for instance because of a subscription change, it obtains via the secure broadband bidirectional channel, after the head-end has verified the access rights with the identifier, a new identifier, new decryption key material and an updated synchronization element in order to recover a non-revoked state and synchronization with the head-end.
  • The identifier of the previously revoked receiver is deleted from the list of revoked receivers comprised in the updated synchronization element.
  • The at least one synchronization cryptogram is transmitted by the head-end in the form of a first entitlement control message at first crypto-periods, and the at least one time cryptogram in the form of a second entitlement control message at second crypto-periods.
  • The first crypto-period typically has a duration greater than that of the second crypto-period, for example one day for the first crypto-period and 30 seconds for the second one.
  • The final media-encrypting key thus changes at periods corresponding to the second crypto-period, i.e. every 30 seconds according to the example.
  • The method of the present disclosure takes advantage of both the broadcast channel and the broadband bidirectional channel.
  • The broadcast channel is used for transmitting to a set of receivers streams comprising encrypted multimedia content data and control messages associated with the encrypted multimedia content data.
  • The broadband bidirectional channel is used for managing receivers that have lost synchronization because they were out of service during a certain time, either because the streams were unreachable (e.g., in case of a storm), because the receiver was off, or because the receiver was temporarily revoked due to a subscription change, for example, and thus needs a new identifier and corresponding new decryption key material.
  • The method thus involves a hybrid broadcast encryption scheme consisting of a stateless cryptographic ABBE scheme configured to exploit the available broadband bidirectional channel linking the head-end to each receiver in a very efficient way, in order to bring receivers back from an unsynchronized state to a synchronized state.
  • The broadcast channel is used for transmitting media streams and control messages to all receivers in a global, efficient, and fast way.
  • The relatively costly bidirectional secure channel is only used in exceptional situations, i.e. in case of a synchronization loss, or in case of a subscription package change implying a temporary revocation.
  • The present disclosure also relates to a head-end comprising at least one server configured according to claim 6, and to a receiver according to claim 10, configured to receive encrypted multimedia content data and to be managed by the at least one server of the head-end.
  • The head-end coupled to at least one receiver via the broadcast channel and the broadband bidirectional channel forms a conditional access system.
  • Figure 1 shows a block schematic representing a head-end and a receiver configured to perform the method of the present disclosure by using a hybrid broadcast encryption scheme exploiting a broadcast channel and a broadband bidirectional channel.
  • A first solution involves only a unidirectional broadcast channel.
  • A second one involves only a broadband bidirectional channel, such as for example a high-speed broadband Internet Protocol (IP) channel of VDSL (Very High Bitrate Digital Subscriber Line) type.
  • A third one involves a combination of two channels, i.e. a broadcast channel and a broadband channel, this combination being also called hybrid broadcast-broadband.
  • The first solution uses a unidirectional broadcast channel from the head-end to the receivers and a conditional access system (CAS) relying on a cryptographic broadcast encryption scheme as described for example in Ref. 1 or Ref. 2.
  • The head-end transmits cryptographic group elements to the receivers as ciphertext, one or more additional group elements for revoked receivers, and a description of the set of revoked receivers, for example in the form of a list of revoked receiver identifiers. According to most existing broadcast encryption schemes, this list is necessary for the receivers to be able to decrypt ciphertexts.
  • The head-end revokes old access rights and replaces them with new ones through an individual control message. This means that the length of the ciphertext, or at least of the description of the set of revoked receivers, increases rapidly and monotonically, as previously revoked receivers must be kept revoked forever; otherwise, the CAS security would be violated.
  • A message that may have a length of 68 bytes for example, comprising cryptographic elements and an identifier, is transmitted by the head-end to each receiver. Every second, ciphertexts are also transmitted to sustain a crypto-period of 60 seconds, so that the bandwidth will already be 1'000'000 * 0.01 * 68 * 8 = 5.4 Mbit/s after the first month and continues growing at a rate of 5.4 Mbit/s each month.
  • Such a situation related to broadcast encryption presents major drawbacks when only one broadcast channel is used.
  • The second solution uses a bidirectional channel involving a broadband-based system where all receivers are synchronized with the head-end.
  • An Internet link may connect the receivers with the head-end.
  • Each receiver maintains a secure channel in the form of a persistent TCP (Transmission Control Protocol) connection secured with the help of a security protocol such as TLS (Transport Layer Security), and receives, from the head-end, a control word CW every minute, involving an exchange of at least 128 bytes, for example.
  • This number of servers has to be increased further by taking into account availability and redundancy issues.
  • A fully connected conditional access system CAS will involve large costs on the head-end side in terms of computing capacities.
  • One embodiment is a so-called hybrid solution using a broadcast channel and a broadband bidirectional channel.
  • A synchronization element using the ABBE scheme is transmitted every day, and receivers that become unsynchronized can then recover their synchronized state thanks to the broadband channel, as long as their access rights are sufficient.
  • The list of revoked receivers only contains the receivers revoked during a predetermined period t (one day for example), and these receivers will disappear from the list at the next day (t+1).
  • The conditional access system CAS illustrated by the block schematic of figure 1 comprises a head-end HE configured to manage encryption and to transmit a scrambled video transport stream SCR(TS), and a receiver REC configured to descramble the received transport stream for rendering by a television set, for example.
  • The receiver REC is configured to receive broadcast content via a broadcast channel BRC, and to exchange control data, i.e. at least one synchronization element, with the head-end HE via a broadband bidirectional channel BIC, such as an Internet link.
  • The synchronization element is provided by the head-end preferably in the form of a synchronization cryptogram comprising, for a current time period, the at least one synchronization element encrypted with the encryption key of the ABBE scheme.
  • The synchronization cryptogram comprises temporal data, a description of the access equations in terms of attributes, cryptographic group elements and a list of revoked receiver identifiers.
  • The attributes represent for example geographical location, technical capabilities such as support for HD or 4K content, operating system type and version, access conditions, i.e. subscription type defined by access to particular channel packages for a given time period, etc.
  • A broadcaster or content provider may authorize receivers to access multimedia content data according to a complex access equation, such as all receivers having access to a predefined bouquet of programs and having a predefined version of operating system but not located in a particular region or country.
  • The head-end updates the synchronization element periodically, for example each day, by updating the list of revoked receiver identifiers, from which the identifiers of receivers recovering a non-revoked state are removed.
  • The broadcast channel BRC allows a large set of receivers to be addressed in a very efficient way; however, such unidirectional transmission cannot guarantee any synchronism between the head-end HE and the receiver, as no return path is available.
  • The broadband bidirectional channel BIC allows a receiver REC to be kept fully synchronized with the head-end HE; however, a different session has to be maintained with every receiver REC, which may be rather expensive.
  • The method of the present disclosure solves the problem of the ever-increasing size of revocation lists without renewing the keys of the receivers.
  • The method of the present disclosure implies using a chaining mechanism where all synchronization elements are cryptographically chained together in a sequential way. Hence, a receiver missing a single synchronization element will be desynchronized from the head-end. Re-synchronization can only be achieved starting from a correct state in the chain of synchronization elements.
  • The identifier transmitted with the request allows retrieving the preceding synchronization element, which is then cryptographically combined with a fresh synchronization element.
  • The head-end provides a combination of the preceding synchronization element with the updated synchronization element.
  • The combination operation may use cryptographic and/or mathematical functions or operations, such as a cryptographically secure hash function, for instance.
  • When the head-end receives, via the broadband bidirectional secure channel, the request from the receiver, the new synchronization element is returned to the receiver if the provided identifier has sufficient access rights and is absent from the list of revoked receiver identifiers. If the receiver is not revoked, it recovers synchronization with the head-end at the current time period.
  • The new synchronization element is used with the corresponding media-encrypting key element for deriving the media-encrypting key and then decrypting the encrypted multimedia content data.
  • The receiver sends a corresponding request message to the head-end via the broadband bidirectional secure channel BIC. Only an authorized receiver may obtain the new synchronization element valid for the current time period (the current day for example) in response to the request message, i.e. when the receiver is not revoked and its access rights are sufficient.
  • The video stream scrambling is performed by the head-end HE, where a generator CWg generates the secret elements (synchronization elements and media-encrypting key elements) from which the media-encrypting key, also called control word CW and having properties similar to a symmetric cryptographic key, is derived.
  • The media-encrypting key element is provided by the head-end preferably in the form of a time cryptogram comprising, for a current time period, the at least one media-encrypting key element encrypted with an encryption key of the ABBE scheme.
  • The media-encrypting key element also comprises temporal data, a description of the access equations in terms of attributes, cryptographic group elements and a list of revoked receiver identifiers. Contrary to the case of the synchronization element, the list of revoked receiver identifiers of the media-encrypting key element is not used according to a preferred embodiment.
  • The time cryptogram is transmitted by the head-end at short crypto-periods having a duration of 30 seconds for example, corresponding to the crypto-periods at which the key of the multimedia stream scrambling scheme changes, while the synchronization cryptogram is transmitted at long crypto-periods having a duration of one day for example.
  • The media-encrypting key element is combined with the previous and the current synchronization elements at each crypto-period in order to generate, for a current time period, a final media-encrypting key used as a control word CW to decrypt the broadcast multimedia content.
  • The combination of these elements may be performed thanks to cryptographic functions and/or mathematical operations, such as a cryptographically secure hash function.
  • The synchronization cryptogram forms an entitlement control message ECM transmitted every day, and the time cryptogram forms another entitlement control message ECM transmitted every 30 seconds.
  • If no ECM message is received after 25 seconds, i.e. 5 seconds before the end of the 30-second crypto-period, the receiver REC is no longer able to compute the control word CW depending on the previous and the current synchronization elements and the media-encrypting key element; it therefore uses the broadband bidirectional channel BIC to get from the head-end HE the ECM message corresponding to the next crypto-period.
  • The receiver may also use the bidirectional channel BIC to get the correct ECM message, instead of waiting for the next one to be received via the broadcast channel BRC.
  • A conventional DVB Common Scrambling Algorithm (DVB-CSA) or a software scrambler based on AES-128 (Advanced Encryption Standard with a 128-bit key) operated in counter (CTR) mode may be used to minimize processing load and descrambling time at the receiver side.
  • The head-end HE uses a JK-ABBE public-key scheme encryptor BE (Junod-Karlov Public-Key Attribute-Based Broadcast Encryption Scheme), as described in Ref. 3, for encrypting synchronization elements and media-encrypting key elements, forming respectively the synchronization cryptogram and the time cryptogram.
  • A receiver gets a key comprising an individualized, unique JK-ABBE private key Kpri comprising individualized attributes and an identifier ID.
  • Other cryptographic and/or mathematical operations may also be used for performing the combination of synchronization and media-encrypting key elements.
  • Each receiver is equipped with the initial private key Kpri, or can request its private key from the head-end HE via the secure broadband channel BIC at installation time, and uses the private key Kpri to recover the at least one synchronization element and the at least one media-encrypting key element and then re-compute the final media-encrypting key or control word CW.
  • A list St of revoked receiver identifiers is defined, i.e. receivers that are not allowed to access the video content stream because their access rights have expired, for example.
  • The encryptor BE takes this list St of revoked identifiers ID into account for building the cryptograms containing a synchronization element and a media-encrypting key element.
  • The corresponding identifier is added to the list of revoked receivers in the synchronization element during one synchronization period, and the head-end provides to the receiver, following a request, a new identifier, new individualized attributes and a new ABBE decryption key via the secure broadband channel.
  • A subscription change may be requested via a link distinct from the broadband bidirectional channel, for example a phone call to the operator managing the head-end to which the receiver is connected.
  • The head-end temporarily revokes the receiver, which is then no longer able to decrypt multimedia content received via the broadcast channel.
  • The receiver sends a request for a new subscription with its current identifier to the head-end via the broadband bidirectional channel.
  • The head-end transmits via the same channel a new identifier and a new decryption key comprising new attributes, including the access rights corresponding to the new subscription.
  • The receiver is then resynchronized with the head-end, and the identifier of the preceding subscription is canceled from the list of the next synchronization element.
  • As the maximum size of an ECM message is usually limited, for example to 188 bytes as defined by the MPEG transport stream (TS) standard, multiple ECM messages may be transmitted in the video content stream for the same cryptogram and associated information. In particular, depending on the number of revoked identifiers ID, multiple ECM messages are necessary to transmit the list of revoked receiver identifiers and the associated description. Decryption can be performed only when the receiver has received all ECM messages carrying each different part of the information necessary to determine the control word CW for the current crypto-period.
  • The head-end HE represented in figure 1 comprises a control word generator CWg configured to generate a random value S, representing either a media-encrypting key element or a synchronization element, used by the encryptor BE to build the corresponding cryptograms and as an input parameter for a key derivation algorithm (implemented for example by a SHA-256 hash function used in Hash Message Authentication Code (HMAC) mode).
  • key derivation algorithm: implemented for example by a SHA-256 hash function used in Hash Message Authentication Code (HMAC) mode.
  • HMAC: Hash Message Authentication Code.
  • the encryptor BE receives a command "Get ECM from S" from a multiplexer module MUX associated with the scrambler SCR each time a cryptogram, which can be an encrypted synchronization element or a media-encrypting key element, has to be generated and transmitted in an ECM message.
  • the multiplexer module MUX forms the scrambled stream SCR(TS) transmitted to each receiver via the broadcast channel BRC. This stream contains audio / video content packets as well as the ECM messages required by the receiver REC for descrambling the stream, i.e. the ECM messages including the synchronization element and the ECM messages including the media-encrypting key element.
  • the encryptor BE is associated with a transceiver configured to transmit, via the broadband bidirectional secure channel BIC, at least one new synchronization element to the receiver upon reception of a synchronization request comprising at least an identifier of the receiver REC.
  • the encryptor BE may further use a network interface Wl connected to a server handling a database, via a local network or the Internet for example, providing a list of revoked receivers' identifiers Rev REC ID forming a set St defined for a given time-period t. This list is then taken into account by the JK-ABBE scheme to build the cryptogram that will be incorporated into one or more ECM messages.
  • the ECM messages further comprise an identifier of the ECM message and information related to the number of messages and frames required to complete the information when multiple ECM messages are required.
  • the receiver REC comprises a descrambler DSCR operating with a DVB-CSA or an AES-CTR algorithm similar to the one of the scrambler SCR of the head-end HE.
  • the ECM messages, ignored by the descrambler DSCR, are transferred to a decryptor BD configured to operate with the inverse of the JK-ABBE scheme used by the encryptor BE of the head-end HE.
  • the control words CW and related information are then reconstructed from the information extracted from one or more ECM messages before being used by the descrambler DSCR.
  • the decryptor BD further comprises a transceiver linked to the broadband bidirectional channel BIC that is mainly used, in case of synchronization loss, to request and retrieve information such as updated synchronization elements that would normally be transmitted through the broadcast channel BRC when the receiver is synchronized with the head-end.
  • Ref 1 "Revocation and Tracing Schemes for Stateless Receivers", Dalit Naor, Moni Naor, Jeff Lotspiech, IBM Almaden Research Center, San Jose, CA 95120, USA.
  • Ref 2 "Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys", Dan Boneh, Craig Gentry, Brent Waters, Stanford University, Stanford, CA 94305, USA.
  • Ref 3 "An Efficient Public-Key Attribute-Based Broadcast Encryption Scheme Allowing Arbitrary Access Policies", Pascal Junod, Alexandre Karlov, Workshop on Digital Rights Management (DRM'10), ACM (Association for Computing Machinery), 2010.
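
The ECM fragmentation rule described above (188-byte limit, an ECM identifier plus message count carried in each message, and decryption only once every part has arrived) and the HMAC-SHA256 derivation of the control word from the random value S can be illustrated together. The following Python is an added example and is not code from the patent or from Nagravision: the 4-byte fragment header, the plaintext layout of the synchronization element, the HMAC key, the "CW" label and the 16-byte control-word truncation are assumptions of this example, and the JK-ABBE cryptogram that would wrap the synchronization element is left out, so the element travels in the clear here.

```python
import hashlib
import hmac
import math
import struct

ECM_MAX_SIZE = 188                  # ECM size limit quoted on the page (one MPEG TS packet)
HEADER = struct.Struct(">HBB")      # assumed fragment header: ecm_id, fragment index, fragment total
CHUNK = ECM_MAX_SIZE - HEADER.size  # payload bytes per fragment (184)


def derive_cw(kdf_key: bytes, s: bytes, length: int = 16) -> bytes:
    """Derive the control word CW from the random value S.

    The page names SHA-256 in HMAC mode as the example key derivation;
    the key, the "CW" label and the 16-byte truncation are assumptions.
    """
    return hmac.new(kdf_key, b"CW" + s, hashlib.sha256).digest()[:length]


def encode_sync_element(s: bytes, revoked_ids: list) -> bytes:
    """Constructed plaintext of a synchronization element: the 32-byte S,
    a 4-byte count and the revoked receiver identifiers (4 bytes each).
    In the scheme on the page this would be wrapped in a JK-ABBE cryptogram;
    that layer is not modelled here."""
    if len(s) != 32:
        raise ValueError("S must be 32 bytes")
    body = struct.pack(">I", len(revoked_ids))
    body += b"".join(struct.pack(">I", rid) for rid in revoked_ids)
    return s + body


def decode_sync_element(payload: bytes):
    s = payload[:32]
    (count,) = struct.unpack_from(">I", payload, 32)
    ids = list(struct.unpack_from(">%dI" % count, payload, 36))
    return s, ids


def fragment_ecm(ecm_id: int, payload: bytes) -> list:
    """Split one cryptogram into ECM messages of at most ECM_MAX_SIZE bytes."""
    total = max(1, math.ceil(len(payload) / CHUNK))
    if total > 255:
        raise ValueError("payload needs more than 255 fragments")
    return [HEADER.pack(ecm_id, i, total) + payload[i * CHUNK:(i + 1) * CHUNK]
            for i in range(total)]


class EcmReassembler:
    """Receiver-side buffer: hands back the cryptogram only once every
    fragment of a given ECM identifier has arrived (in any order)."""

    def __init__(self):
        self._pending = {}  # ecm_id -> (total, {index: chunk})

    def feed(self, msg: bytes):
        if len(msg) > ECM_MAX_SIZE or len(msg) < HEADER.size:
            raise ValueError("malformed ECM message")
        ecm_id, index, total = HEADER.unpack_from(msg)
        if total == 0 or index >= total:
            raise ValueError("fragment index out of range")
        known_total, chunks = self._pending.setdefault(ecm_id, (total, {}))
        if known_total != total:
            raise ValueError("inconsistent fragment count for ECM %d" % ecm_id)
        chunks[index] = msg[HEADER.size:]   # a duplicate fragment simply overwrites
        if len(chunks) < total:
            return None                      # still waiting for missing parts
        del self._pending[ecm_id]
        return b"".join(chunks[i] for i in range(total))


def receiver_control_word(receiver_id: int, kdf_key: bytes, payload: bytes):
    """What a receiver does with a reassembled synchronization element:
    refuse when its own identifier is on the revoked list, else derive CW."""
    s, revoked = decode_sync_element(payload)
    if receiver_id in revoked:
        return None
    return derive_cw(kdf_key, s)


if __name__ == "__main__":
    # Constructed sample: 100 revoked identifiers force three ECM fragments.
    s = bytes(range(32))
    element = encode_sync_element(s, list(range(1, 101)))
    msgs = fragment_ecm(7, element)
    rx = EcmReassembler()
    full = None
    for m in reversed(msgs):                 # arrival order does not matter
        full = rx.feed(m)
    print(len(msgs), "fragments; receiver 5:", receiver_control_word(5, b"k", full),
          "; receiver 500:", receiver_control_word(500, b"k", full).hex())
```

The reassembler refuses fragments whose announced total disagrees with what it already holds for that ECM identifier, and the receiver declines to derive a control word while its own identifier is on the revoked list, which is the behaviour the revocation bullets above describe.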

Landscapes

  • Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Multimedia (AREA)
  • Signal Processing (AREA)
  • Computer Graphics (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Abstract

The method according to the invention and a head-end server managing at least one receiver take advantage of a unidirectional transmission link and a bidirectional transmission link. The unidirectional transmission is used by the head-end to send, to one or more receivers, streams containing encrypted multimedia content data and conditional access data associated with the encrypted multimedia content data. In order to synchronize the receivers with the head-end at given time periods, the head-end is configured to manage receivers that have been revoked or out of reach for a certain time. The method thus uses a hybrid broadcast encryption scheme consisting in using a stateless attribute-based cryptographic broadcast encryption scheme configured to exploit, in a very efficient manner, the bidirectional transmission link available between the head-end and the receivers. Revoked receivers regain a non-revoked state through a synchronization with the head-end.
PCT/EP2016/061942 2015-05-28 2016-05-26 Management of receivers of broadcast encrypted digital multimedia data WO2016189105A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP15169696 2015-05-28
EP15169696.0 2015-05-28

Publications (1)

Publication Number Publication Date
WO2016189105A1 true WO2016189105A1 (fr) 2016-12-01

Family

ID=53284051

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2016/061942 WO2016189105A1 (fr) 2015-05-28 2016-05-26 Management of receivers of broadcast encrypted digital multimedia data

Country Status (1)

Country Link
WO (1) WO2016189105A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018207187A1 (fr) * 2017-05-10 2018-11-15 B. G. Negev Technologies And Applications Ltd., At Ben-Gurion University Method and system for performing broadcast encryption with revocation capability
CN110909368A (zh) * 2019-11-07 2020-03-24 Tencent Technology (Shenzhen) Co., Ltd. Data encryption method, device and computer-readable storage medium
US11251954B2 (en) 2017-05-10 2022-02-15 B. G. Negev Technologies And Applications Ltd., At Ben-Gurion University Method and system for performing broadcast encryption with revocation capability

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013027206A1 (fr) 2011-08-24 2013-02-28 Ben-Gurion University Of The Negev Research & Development Authority Attribute-based broadcast encryption method with permanent revocation

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
DALIT NAOR; MONI NAOR; JEFF LOTSPIECH: "Revocation and Tracing Schemes for Stateless Receivers", IBM Almaden Research Center
DAN BONEH; CRAIG GENTRY; BRENT WATERS: "Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys", Stanford University
PASCAL JUNOD; ALEXANDRE KARLOV: "An efficient public-key attribute-based broadcast encryption scheme allowing arbitrary access policies", 10th Annual ACM Workshop on Digital Rights Management 2010 (DRM'10), held in conjunction with CCS'10, Chicago, Illinois, USA, 4 October 2010, Curran, Red Hook, NY, pages 13-24, XP009145981, ISBN: 978-1-4503-0091-9, DOI: 10.1145/1866870.1866875 *
PASCAL JUNOD; ALEXANDRE KARLOV: "An Efficient Public-Key Attribute-Based Broadcast Encryption Scheme Allowing Arbitrary Access Policies", Workshop on Digital Rights Management (DRM'10), ACM, 2010

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018207187A1 (fr) * 2017-05-10 2018-11-15 B. G. Negev Technologies And Applications Ltd., At Ben-Gurion University Method and system for performing broadcast encryption with revocation capability
US11251954B2 (en) 2017-05-10 2022-02-15 B. G. Negev Technologies And Applications Ltd., At Ben-Gurion University Method and system for performing broadcast encryption with revocation capability
CN110909368A (zh) * 2019-11-07 2020-03-24 Tencent Technology (Shenzhen) Co., Ltd. Data encryption method, device and computer-readable storage medium
CN110909368B (zh) * 2019-11-07 2023-09-05 Tencent Technology (Shenzhen) Co., Ltd. Data encryption method, device and computer-readable storage medium

Similar Documents

Publication Publication Date Title
CA2470132C (fr) Encryption of received content
CA2571533C (fr) Validation of client receivers
US7995603B2 (en) Secure digital content delivery system and method over a broadcast network
US8385545B2 (en) Secure content key distribution using multiple distinct methods
EP1600000B1 (fr) Personal video recorder with conditional access
JP5106845B2 (ja) Method for descrambling a scrambled content data object
US20060190403A1 (en) Method and Apparatus for Content Protection and Copyright Management in Digital Video Distribution
US20060101524A1 (en) Hierarchical encryption key system for securing digital media
US9385997B2 (en) Protection of control words employed by conditional access systems
US8693692B2 (en) Direct delivery of content descrambling keys using chip-unique code
WO2011120901A1 (fr) Secure descrambling of an audio/video data stream
GB2489671A (en) Cryptographic key distribution for IPTV
TWI523533B (zh) Encryption method, transmission method and decryption method for control words, recording media used by these methods, and control word server
EP1290885B1 (fr) System and method for providing protected content over a broadcast network
WO2016189105A1 (fr) Management of receivers of broadcast encrypted digital multimedia data
WO2006024234A1 (fr) Method and apparatus for protecting broadcast wideband video or audio content
CN207744080U (zh) Digital television program stream transmission system based on quantum encryption
EP1175781A1 (fr) Method and apparatus for access control of pre-encrypted pay-per-view television services
Zhang et al. An efficient group key management scheme for secure multicast with multimedia applications
CN107948727A (zh) Digital television program stream transmission system and method based on quantum encryption
JP2002218435A (ja) Video distribution service method and apparatus therefor
Prathap et al. Pay per view–a multimedia multicast application with effective key management
IL152435A (en) Secure digital content delivery system and method over a broadcast network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16728248

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16728248

Country of ref document: EP

Kind code of ref document: A1