Secure multicast flow

US 20040025013A1
Filed: 07/30/2002
Published: 02/05/2004
Est. Priority Date: 07/30/2002
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a request for a specific data flow from an end-user device, the method comprising:

a) receiving a request data transmission unit (DTU) from the end user device, said request DTU requesting said specific data flow for said end user device;

b) extracting identification data from said DTU, said identification data identifying said end user device and said specific data flow;

c) determining if said request DTU is legitimate based at least a portion of said identification data; and

d) executing a predetermined set of steps based on whether said request DTU is legitimate as determined in step c).

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, devices and systems for providing content providers with a secure way to multicast their data flows only to legitimate end users. By making a specific decision for each potentially legitimate end user requesting a specific data flow, differing subscriber profiles may be taken into account. Furthermore, end to end encryption is avoided by having a switch and/or router control the specific data flow to a specific end user. Each end user sends a request DTU to the switch and/or router asking for permission to join a multicast group. The switch and/or router extracts identification data from the request data transmission unit (DTU) and determines whether the requesting end user is cleared for the requested specific data flow. This determination may be made by sending a query DTU containing the identification data to a policy server which checks the identification data against preprogrammed criteria in its databases. The policy server then sends a response DTU to the switch and/or router confirming or denying the authenticity or legitimacy of the request based on the identification data. In the meantime, after the switch and/or router sends the query DTU to the policy server, the switch and/or router allows the specific requested data flow to proceed to the requesting end user. If, based on the response from the policy server, the request is determined to not be legitimate or authentic, the specific data flow is terminated. If the request is legitimate or authentic, then the data flow is allowed to flow uninterrupted by the switch and/or router.

71 Citations

View as Search Results

33 Claims

1. A method for authenticating a request for a specific data flow from an end-user device, the method comprising:
- a) receiving a request data transmission unit (DTU) from the end user device, said request DTU requesting said specific data flow for said end user device;
  
  b) extracting identification data from said DTU, said identification data identifying said end user device and said specific data flow;
  
  c) determining if said request DTU is legitimate based at least a portion of said identification data; and
  
  d) executing a predetermined set of steps based on whether said request DTU is legitimate as determined in step c).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 27, 28)
- - 2. A method according to claim 1 wherein step c) includes transmitting said identification data to a policy server for authentication of said request DTU.
  - 3. A method according to claim 2 wherein step c) includes receiving a response from said policy server, said response containing an indication of a legitimacy of said request DTU.
  - 4. A method according to claim 2 wherein step c) includes determining that said request DTU is legitimate based on whether a response is received from said policy server.
  - 5. A method according to claim 2 wherein said policy server uses predetermined business rules in conjunction with at least a portion of said identification data to determine if said request DTU is to be authenticated.
  - 6. A method according to claim 1 wherein said predetermined set of steps includes at least one step selected from a group comprising:
    - allowing a data transmission of said specific data flow to said end user device if said request DTU is legitimate; and
      
      terminating a previously allowed transmission of said specific data flow to said end user device if said request DTU is not legitimate.
  - 7. A method according to claim 1 wherein said method is executed by a device selected from a group comprising:
    - a network switch; and
      
      a network router.
  - 8. A method according to claim 1 wherein said identification data includes data selected from a group comprising:
    - a network address of the end user device; and
      
      a hardware specific address of the end user device.
  - 9. A method according to claim 1 wherein said identification data includes data identifying a source of said specific data flow.
  - 10. A method according to claim 1 wherein said request DTU is an IGMP (Internet Group Management Protocol) message requesting permission to join a specific multicast group said specific multicast group receiving said specific data flow.
  - 11. A method according to claim 1 wherein said specific data flow is a multicast stream.
  - 12. A method according to claim 11 wherein said multicast stream has encoded thereon multimedia content.
  - 13. A method according to claim 2 further including the step of caching previous responses from said policy server.
  - 27. A method according to claim 8 wherein said network address is an IP address.
  - 28. A method according to claim 8 wherein said hardware specific address is a MAC address.

14. A network device for routing multiple data flows from data servers to end user devices, the device comprising:
- means for receiving a request data transmission unit (DTU) from an end user device, said request DTU requesting a specific data flow for said end user device;
  
  means for extracting identification data from said request DTU, said identification data identifying said end user device and said specific data flow;
  
  means for transmitting a query regarding an authentication of said request DTU to a policy server capable of authenticating said request DTU based on at least a portion of said identification data, said query containing said at least a portion of said identification data;
  
  means for receiving a response from said policy server, said response being related to said query; and
  
  means for routing said specific data flow to said end user device, wherein said network device allows or prevents access to said specific data flow by said end user device based on whether said request DTU is legitimate.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. A network device according to claim 14 further including:
    - means for terminating said specific data flow to said end user device after said specific data flow has been routed to said end user device, wherein said network device terminates said specific data flow to said end user if said network device receives a response from said policy server indicating that said request DTU is not legitimate.
  - 16. A network device according to claim 14 wherein said identification data includes data selected from a group comprising:
    - IP address of the end user device;
      
      MAC address of the end user device.
  - 17. A network device according to claim 14 wherein said identification data includes data identifying a data server which is a source of said specific data flow.
  - 18. A network device according to claim 14 wherein said request DTU is an IGMP (Internet Group Management Protocol) message requesting permission to join a specific multicast group said specific multicast group receiving said specific data flow.
  - 19. A network device according to claim 15 further including caching means for caching previous responses from said policy server.

20. Computer readable media having encoded thereon a computer software product comprising:
- a software module for receiving a request data transmission unit (DTU) from an end user device, said request DTU requesting a specific data flow for said end user device;
  
  a software module for extracting identification data from said request DTU, said identification data identifying said end user device and said specific data flow;
  
  a software module for determining if said request DTU is legitimate based on at least a portion of said identification data; and
  
  a software module for allowing a transmission of said specific data flow to said end user device.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. Computer readable media according to claim 20 wherein said product includes a software module chosen from a group comprising:
    - a software module for terminating said transmission of said specific data flow in the event said request DTU is not legitimate; and
      
      a software module for preventing said transmission of said specific data flow in the event said request DTU is not legitimate.
  - 22. Computer readable media according to claim 20 wherein said software module for determining if said request DTU is legitimate includes:
    - a software submodule for transmitting said identification data to a policy server for authentication of said request DTU based on said identification data; and
      
      a software submodule for receiving a response from said policy server, said response containing an indication of an authenticity of said request DTU.
  - 23. Computer readable media according to claim 20 wherein said identification data includes data selected from a group comprising:
    - a network address of the end user device; and
      
      a hardware specific address of the end user device.
  - 24. Computer readable media according to claim 20 wherein said data includes data identifying a source of said specific data flow.
  - 25. Computer readable media according to claim 23 wherein said network address is an IP address.
  - 26. Computer readable media according to claim 23 wherein said hardware specific address is a MAC address.

29. A method of authenticating an end user device capable of coupling to a network, the method comprising:
- a) receiving a data transmission unit (DTU) from said end user device, said DTU containing identification data identifying said end user device and specific data to which said end user device is supposed to have access;
  
  b) extracting said identification data from said DTU; and
  
  c) determining if said end user device is entitled to access said specific data based on at least a portion of said identification data and a set of predetermined business rules.
- View Dependent Claims (30, 31, 32, 33)
- - 30. A method according to claim 29 wherein step c) further includes transmitting said identification data to a policy server, said policy server having means for authenticating said end user device using said identification data and said set of business rules.
  - 31. A method according to claim 30 wherein said step c) further includes receiving a response from said policy server, said response containing an indication of an authenticity of said end user device.
  - 32. A method according to claim 30 wherein step c) includes determining if said end user device is authentic based on whether a response is received from said policy server.
  - 33. A method according to claim 29 further including a step selected from a group comprising:
    - allowing said end user device to gain access to said specific data in the event said end user device is entitled to have access to said specific data;
      
      allowing a continuation of previously allowed access to said specific data by said end user device in the event said end user device is entitled to have access to said specific data;
      
      preventing access to said specific data by said end user device in the event said end user device is not entitled to have access to said specific data; and
      
      terminating previously allowed access to said specific data by said end user device in the event said end user device is not entitled to have access to said specific data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
iMagicTV, Inc. (Nokia Corporation)
Inventors
Dion, Gino Louis, Higgins, Sean Gordon, Parker, Alistair John

Granted Patent

US 7,263,610 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/163
CPC Class Codes

H04N 21/2541   Rights Management protectin...

H04N 21/25816   involving client authentica...

H04N 21/6125   involving transmission via ...

H04N 21/6175   involving transmission via ...

H04N 21/6334   for authorisation, e.g. by ...

H04N 21/6405   Multicasting data broadcast...

H04N 7/17318   Direct or substantially dir...

Secure multicast flow

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

71 Citations

33 Claims

Specification

Use Cases

Quick Links

Others

Secure multicast flow

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

33 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others