METHOD AND APPARATUS FOR PROVIDING CONDITIONAL ACCESS IN CONNECTION-ORIENTED INTERACTIVE NETWORKS WITH A MULTIPLICITY OF SERVICE PROVIDERS
Abstract
Methods and apparatus are described for ensuring that programs comprising at least one of video, audio, and data that are requested by a customer from a service provider (SP) via an interactive information services system, which transmits the requested programs in program bearing packets to a set top unit (STU) associated with the customer, are accessible by only authorized customers. The apparatus is positioned between the SP and the STU and comprises: means for receiving the program bearing packets in a first network protocol from a first data link and removing the packets from the first network protocol; means for adding conditional access to the program bearing packets; and means for re-encapsulating the program bearing packets in a second network protocol and outputting the program bearing packets over a second data link. Methods and apparatus for applying conditional access are described that comprise encrypting selected program bearing packets with a first key; encrypting the first key with a second key; and encrypting the second key according to a public-key encryption algorithm using a public key corresponding to a private key stored within the STU associated with the customer.
52 Claims

1. In an interactive information services system for providing at least one of video, audio, and data (program) requested by a customer from a service provider (SP) and for transmitting the requested program in program bearing packets to a set top unit (STU) associated with the customer, apparatus positioned between the SP and the STU for ensuring that only the customer has access to said program, said apparatus comprising:
means for receiving program bearing packets in a first network protocol from a first data link and removing said packets from said first network protocol;
means for adding conditional access to said program bearing packets; and
means for re-encapsulating said program bearing packets in a second network protocol and outputting said program bearing packets over a second data link.

24. In a digital video delivery system, wherein a plurality of programs are stored at a server in a transport packet format and delivered in a first protocol format to a network for delivery to a subscriber, a method for linking the server to the network and applying conditional access to the transport packets comprising:
selecting program bearing packets comprising a program requested by the customer;
encrypting said selected program bearing packets according to a first encryption algorithm using a first key;
encrypting said first key according to a second encryption algorithm using a second key;
providing the encrypted said first key to the customer;
encrypting said second key according to a public-key encryption algorithm using a public key corresponding to a private key stored within the STU associated with the customer; and
providing the encrypted said second key to the customer.

34. In a digital video delivery system, wherein a plurality of programs are stored at a server in a transport packet format and delivered in a first protocol format to a network for delivery to a subscriber, a method for linking the server to the network and applying conditional access to the transport packets comprising:
receiving transport packets embedded in a first network level protocol;
removing the transport packets from said first network level protocol;
for each transport packet, determining if conditional access should be added;
applying conditional access to said packets; and
outputting the packets in one of the first network protocol and a second network protocol.

35. In a digital information delivery system wherein a plurality of programs are stored in a transport packet format and are delivered to a network for transmission to an authorized customer, a method for applying conditional access to the transport packets comprising the steps of:
(a) selecting packets comprising a program requested by a customer;
(b) encrypting the program bearing transport packets according to a first encryption algorithm using a first key;
(c) outputting the encrypted transport packets for delivery to the authorized customer over the digital network;
(d) encrypting said first key according to a second encryption algorithm using a second key;
(e) generating a message authentication code comprising a hash of said first key and said second key according to a hashing function;
(f) providing the encrypted said first key and said message authentication code to the authorized customer over the digital network;
(g) encrypting said second key according to a third encryption algorithm using a third key;
(h) applying a digital signature to the encrypted said second key such that the authorized customer can verify the origin of the encrypted said second key; and
(i) providing the encrypted and digitally signed said second key to the authorized customer over the digital network.

43. In a digital transmission system wherein groups of program bearing packets are transmitted over a digital network between a service provider at a transmission site and a customer having a reception site, a method of selectively providing conditional access to the program within said program bearing packets comprising the steps of:
at the transmission site:
(a) selecting packets bearing a particular program that are to be delivered to at least one selected customer;
(b) encrypting at least a portion of the selected packets with a first key using a first encryption algorithm;
(c) encrypting said first key with a second key using a second encryption algorithm;
(d) generating a message authentication code for the first key comprising a hash of a concatenation of said second key with said first key according to a hashing function;
(e) generating an entitlement control message comprising a concatenation of said message authentication code and said first key;
(f) generating a digital signature for said second key comprising a hash of said second key according to a hashing function and encrypting said hash of said second key with a private key associated with the SP, said private key having a public-key counterpart, in accordance with a public key encryption algorithm;
(g) forming an entitlement management message comprising said encrypted key and said digital signature;
(h) encrypting at least a portion of said entitlement management message with a public key according to a public-key encryption algorithm, wherein said public key is associated with said at least one selected customer;
(i) multiplexing said selected program bearing packets, said entitlement control messages, and said entitlement management message into said digital network for reception by said at least one customer's reception site;
at the reception site:
(j) receiving said selected program bearing packets, said entitlement control messages, and said entitlement management messages at said at least one customer's reception site;
(k) recovering said second key from said entitlement management message by:
decrypting said encrypted portion of said entitlement management message using a private-key corresponding to said public key associated with said at least one selected customer;
retrieving said digital signature portion and decrypting said digital signature portion with a public-key counterpart to said private key associated with the SP;
retrieving said second key and hashing said second key;
authenticating said second key when said digital signature is equivalent to said hashed second key;
(l) recovering said first key from said entitlement control messages by:
decrypting said first key with said second key;
concatenating said first key and said second key;
generating a hash value by hashing said concatenated first key and said second key;
authenticating said first key when said hash value is equivalent to said message authentication code contained in said entitlement control message; and
(m) decrypting said selected packets bearing said particular program with said first key.

51. In a digital transmission system wherein a plurality of service providers (SPs) transmit program bearing packets over a digital network for delivery to at least one selected customer, wherein the SPs add conditional access levels to program bearing packets by
(a) encrypting a portion of said program packets with a first key using a first encryption algorithm;
(b) encrypting said first key with a second key using a second encryption algorithm;
(c) encrypting a portion of the second key with a public key using a public-key encryption algorithm, wherein said public key is associated with said at least one selected customer and wherein said public key has a private key counterpart; and
(d) providing said program bearing packets, said first key, and said second key to said at least one customer,
a method of recovering the program bearing packets at said at least one customer's reception site, comprising the steps of:
(a) receiving said selected program bearing packets, said first key, and said second key at said at least one customer's reception site;
(b) decrypting the encrypted said second key using said private-key corresponding to said public key associated with said at least one selected;
(c) decrypting said first key with said second key; and
(d) recovering said program bearing packets by decrypting said encrypted portion of said program bearing packets with said first key.

52. In a digital transmission system wherein a plurality of service providers (SPs) transmit program bearing packets over a digital network for delivery to at least one selected customer, wherein the plurality of SPs add conditional access levels to program bearing packets by
(a) encrypting a portion of said program packets with a first key using a first encryption algorithm;
(b) encrypting said first key with a second key using a second encryption algorithm and appending a message authentication code to said first key;
(c) encrypting a portion of the second key with a public key using a public-key encryption algorithm, wherein said public key is associated with said at least one selected customer and wherein said public key has a private key counterpart, and appending a digital signature to said second key; and
(d) providing said program bearing packets, said first key and said appended message authentication code, and said second key and said appended digital signature to said at least one customer,
a method of recovering the program bearing packets by said at least one customer's reception site, comprising the steps of:
(a) receiving said selected program bearing packets, said first key and said appended message authentication code, and said second key and said appended digital signature at said at least one customer's reception site;
(b) decrypting the encrypted said second key using a private-key corresponding to said public key associated with said at least one selected customer with said inverse of said public-key encryption algorithm;
(c) authenticating said second key for use in decryption by matching the appended digital signature with a digital signature stored at the customer's reception site that corresponds to at least one of said plurality of SPs;
(d) decrypting said first key with said second key;
(e) authenticating said first key for use in decryption by matching the appended message authentication code with a message authentication code generated at the customer's reception site; and
(f) decrypting said encrypted portion of said program bearing packets with said first key.
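A worked model of the three-level key ladder in claims 43, 51 and 52 (and the MAC and signature steps of claim 35): an added example, not code from the patent or any implementation of it. The unnamed "first", "second" and public-key algorithms are stand-ins here (a SHA-256 counter keystream and textbook RSA over known Mersenne primes, both illustration-only); the function and variable names are hypothetical.

```python
import hashlib
import hmac
import os

# Known Mersenne primes used as toy RSA factors (far too small for real use; illustration only).
M61, M89, M107, M127 = (2 ** k - 1 for k in (61, 89, 107, 127))

def rsa_keypair(p, q, e=65537):
    """Textbook RSA keypair: returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def rsa_apply(key, m):
    """Modular exponentiation: encrypt/verify with a public key, decrypt/sign with a private key."""
    n, exp = key
    return pow(m, exp, n)

def stream_xor(key, nonce, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream (not a real CA cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def transmission_site(packets, cust_pub, sp_priv):
    """Claim 43 steps (a)-(h): encrypted packets, the ECM, and the EMM (E_pub(K2), signature)."""
    k1, k2 = os.urandom(16), os.urandom(16)                         # first (program) key, second key
    enc_packets = [stream_xor(k1, i.to_bytes(4, "big"), p) for i, p in enumerate(packets)]
    enc_k1 = stream_xor(k2, b"ecm", k1)                             # first key under second key
    mac = hashlib.sha256(k2 + k1).digest()                          # MAC = hash(K2 || K1)
    ecm = mac + enc_k1                                              # ECM = MAC || E_K2(K1)
    h_k2 = int.from_bytes(hashlib.sha256(k2).digest()[:16], "big")  # truncated to fit the toy modulus
    sig = rsa_apply(sp_priv, h_k2)                                  # SP signs hash(K2)
    enc_k2 = rsa_apply(cust_pub, int.from_bytes(k2, "big"))         # K2 under the customer's public key
    return enc_packets, ecm, (enc_k2, sig)

def reception_site(enc_packets, ecm, emm, cust_priv, sp_pub):
    """Claim 43 steps (j)-(m): recover and authenticate K2, then K1, then decrypt the packets."""
    enc_k2, sig = emm
    k2 = rsa_apply(cust_priv, enc_k2).to_bytes(16, "big")
    h_k2 = int.from_bytes(hashlib.sha256(k2).digest()[:16], "big")
    if rsa_apply(sp_pub, sig) != h_k2:                              # signature must match hash(K2)
        raise ValueError("EMM signature does not match hash of second key")
    mac, enc_k1 = ecm[:32], ecm[32:]
    k1 = stream_xor(k2, b"ecm", enc_k1)
    if not hmac.compare_digest(hashlib.sha256(k2 + k1).digest(), mac):
        raise ValueError("ECM message authentication code mismatch")
    return [stream_xor(k1, i.to_bytes(4, "big"), p) for i, p in enumerate(enc_packets)]
```

A receiver that skips either check would accept a forged EMM or a tampered ECM, which is exactly what the signature and MAC steps of the claims exist to prevent.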