Secure packet-based data broadcasting architecture

US 20040064688A1
Filed: 10/03/2003
Published: 04/01/2004
Est. Priority Date: 07/14/2000
Status: Active Grant

First Claim

Patent Images

1. Method for processing packets with encrypted data received by a client (3;

78-81) from a head-end (1;

4;

74, 83) connected to the client (3;

78-81) through at least one network (2;

77, 82), wherein the data packets comprise at least an encryption header (54, 55;

69) and an encrypted payload (52, 53;

70), comprising extracting the encryption header (54, 55;

69) from a data packet;

extracting and decrypting the encrypted payload (52, 53;

70) to form clear data (71);

generating a clear data packet header (72); and

generating a clear data packet fragment comprising the clear data packet header (72) and the clear data (71);

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for processing packets with encrypted data received by a client from a server through at least one network wherein the data packets comprise at least an encryption header (46) and payload (45), extracting the encryption header (54, 55; 69) from a data packet, extracting and decrypting the encrypted payload to form a clear data, generating a clear data packet segment. Secure packet-based transmission of content data from a server to at least one client comprises retrieving a clear data packet comprising an unencrypted payload, dividing the unencrypted payload into one or more segments, applying an encrypted algorithm to each segment to generate encrypted segments (47), generating encryption header for each encrypted segment composing a packet with encrypted data for each encrypted segment comprising the encrypted header (46), a data packet header and transmission of each of the composed packets to the client.

181 Citations

33 Claims

1. Method for processing packets with encrypted data received by a client (3;
- 78-81) from a head-end (1;
  
  4;
  
  74, 83) connected to the client (3;
  
  78-81) through at least one network (2;
  
  77, 82), wherein the data packets comprise at least an encryption header (54, 55;
  
  69) and an encrypted payload (52, 53;
  
  70), comprising extracting the encryption header (54, 55;
  
  69) from a data packet;
  
  extracting and decrypting the encrypted payload (52, 53;
  
  70) to form clear data (71);
  
  generating a clear data packet header (72); and
  
  generating a clear data packet fragment comprising the clear data packet header (72) and the clear data (71);
- View Dependent Claims (2, 3, 4, 5, 6, 7, 20, 33)
- - 2. Method according to claim 1, further is comprising providing the clear data packet fragment as input to a network protocol stack (29) on the client (3;
    - 78-81) that is capable of buffering clear data packet fragments and assembling them into a clear data packet.
  - 3. Method according to claim 1 or 2, wherein the encryption header (54, 55;
    - 69) of the packet with encrypted data comprises information allowing assembly in the stack (29) of a clear data packet from related clear data packet fragments, which method further comprises extracting the information from the encryption header (54, 55;
      
      69) and including it with the clear data packet fragment.
  - 4. Method according to claim 3, wherein the information is used to generate a transport layer protocol header (73), which is included with the clear data packet fragment.
  - 5. Method according to claim 3, wherein the information comprises an offset value relative to a first bit of the clear data (71) generated from a related encrypted data packet, wherein the offset value is included in the clear data packet fragment.
  - 6. Method according to any one of claims 1-5, further comprising retrieving decryption information (60) specified in the encryption header (54, 55;
    - 69), wherein said information (60) is used to decrypt the encrypted payload (52, 53;
      
      70).
  - 7. Method according to claim 6, wherein a decryption key is retrieved from among a plurality of valid decryption keys according to a key indicator specified in the encryption header (54, 55;
    - 69).
  - 20. Application of a method according to any one of the preceding claims for multicasting, broadcasting or unicasting digital video.
  - 33. Program suitable for loading onto a computer (1, 3;
    - 74, 78-81), so that the computer (1, 3;
      
      74, 78-81) running the program is capable of carrying out a method according to any one of claims 1 to 20.

8. Method for secure packet-based transmission of content data from a head-end (1;
- 4;
  
  74, 83) to at least one client (3;
  
  78-81), through at least one network (2;
  
  77, 82) to which the head-end (1;
  
  4;
  
  74, 83) and the client (3;
  
  78-81) are connected, comprising;
  
  retrieving a clear data packet comprising an unencrypted payload;
  
  dividing the unencrypted payload into one or more fragments (50, 51);
  
  applying an encryption algorithm to each fragment (50, 51) to generate encrypted fragments (52, 53);
  
  generating an encryption header (54, 55) for each encrypted fragment (52, 53);
  
  composing a packet with encrypted data for each encrypted fragment (52, 53), comprising the fragment (52, 53), the encryption header (54, 55) for the fragment (52, 53) and a data packet header (56, 57); and
  
  transmitting each of the thus composed packets to the client (3;
  
  78-81).
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 9. Method according to claim 8, wherein, in dividing the unencrypted payload into fragments (50, 51), the fragment size is chosen to keep the size of the packets with encrypted data below a maximum transmission unit of the network (2;
    - 77, 82).
  - 10. Method according to claim 8 or 9, further comprising retrieving conditional access data specified in the clear data packet wherein the conditional access data is used to generate the encrypted fragments (52, 53).
  - 11. Method according to any one of claims 8-10, wherein information is encoded in the encryption header (54, 55;
    - 69) for each fragment (52, 53) regarding the length of the fragment (52,53) before encryption and the extra length added by the encryption algorithm.
  - 12. Method according to any one of claims 8-11, wherein the encryption header (54) for at least one fragment (52) is provided with information regarding the length of the clear data packet and information regarding a checksum of the unencrypted payload, to allow re-assembly of the clear data packet at the client (3;
    - 78-81).
  - 13. Method according to any one of claims 8-12, wherein the encryption header (54, 55, 69) comprises a flag to distinguish data packets composed from a first encrypted fragment (52) from data packets composed from further encrypted fragments (53) generated from the same unencrypted payload as the first encrypted fragment (52).
  - 14. Method according to any one of claims 8-13, wherein information comprising an offset of an unencrypted fragment (51) with respect to a first fragment (50) of the unencrypted payload is provided in the encryption header (55) for the encrypted fragment (53) generated from the unencrypted fragment (51).
  - 15. Method according to any one of claims 8-13, wherein information specifying the encryption algorithm applied to the fragment (50, 51) is encoded in the encryption header (54, 55).
  - 16. Method according to any one of claims 8-15, further comprising transmitting as data packets Entitlement Management Messages, for authorising a client (3;
    - 78-81) to make use of a particular service.
  - 17. Method according to any one of claims 8-16, further comprising transmitting as data packets Entitlement Control Messages, comprising decryption information, for selectively authorising a client (3;
    - 78-81) to receive data belonging to a particular service.
  - 18. Method according to any one of claims 8-17, further comprising transmitting as data packets Information Messages identifying a service and comprising information for receiving messages belonging to the service.
  - 19. Method according to any one of claims 15-18, wherein each packet with encrypted data is provided with an address and/or a port, wherein a header is provided for each message data packet, which header comprises a different address and/or a port.

21. System for secure packet-based transfer of content data, comprising a head-end (1;
- 4;
  
  74, 83) that is connected to a network (2;
  
  77, 82) and comprises a receiver for receiving clear data packets from a source (7;
  
  76), an encryption unit (6) for encrypting at least part of the data packets and generating data packets comprising the encrypted part of the clear data packets and a network interface (25) for sending the data packets through the network (2;
  
  77, 82), which system further comprises at least one client (3;
  
  78-81) connected to the network (2;
  
  77, 82), with a network interface (27) for receiving data packets sent through the network (2;
  
  77, 82), capable of composing data packets from data packet fragments, wherein the client (3;
  
  78-81) comprises a decryption unit (30) for generating clear data (71) by decrypting encrypted data (52, 53;
  
  70) comprised in the received data packets and for generating data packet fragments from the clear data (71).

22. Client (3;
- 78-81), connected to a head-end (1;
  
  4;
  
  74, 83) through a network (2;
  
  77, 82), comprising;
  
  a data packet receiver (27), capable of receiving data packets transmitted from the head-end (1;
  
  4;
  
  74, 83) through the network (2;
  
  77, 82);
  
  a buffer (29) for storing data packet fragments and composing a data packet from them;
  
  an application program interface (28) for passing data packet fragments to the buffer (29); and
  
  a decryption unit (30), for generating unencrypted data packet fragments by decrypting encrypted data (52, 53;
  
  70) in a data packet, wherein the application program interface (28) is programmed to transfer received data packets comprising encrypted data (52, 53;
  
  70) to the decryption unit (30) and to pass unencrypted data packet fragments to the buffer (29).
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. Client according to claim 22, comprising a decryption manager (31) for processing conditional access messages comprised in the data-packets transmitted from the head-end (1;
    - 4;
      
      74, 83) and for transferring decryption keys to the decryption unit (30).
  - 24. Client according to claim 22 or 23, further comprising an interface (35) to a secure element (33) for transferring conditional access messages to the secure element (33) and receiving decryption keys generated by the secure element (33).
  - 25. Client according to claim 24, suitable for connection to a smart card reader (34), so that a smart card (33) inserted into the smart card reader (34) forms the secure element.
  - 26. Client according to any one of claims 22 to 25, wherein the decryption unit (30) comprises a database (62) that can be updated using information (60) comprised in conditional access messages received by the client (3, 78-81).
  - 27. Client according to claim 26, wherein the database (62) links addresses and/or ports specified in received data packets to keys for decrypting encrypted data (52, 53;
    - 70) comprised in the received data packets.
  - 28. Smart card suitable for use with a smart card reader (34) connected to a client (3;
    - 78-81) according to any one of claims 23-28 for generating decryption keys using conditional access messages sent to it from the client (3;
      
      78-81).

29. Data packet, suitable for transmission over a network (2;
- 77, 82), comprising a first header (56, 57;
  
  67), an encrypted payload (52, 53;
  
  7.0), generated by encrypting a data fragment (50, 51) using an encryption algorithm and a key, and an encryption header (54, 55;
  
  69) comprising information detailing the algorithm and key used to encrypt the payload (52, 53;
  
  70).
- View Dependent Claims (30, 31, 32)
- - 30. Data packet according to claim 29, wherein the encryption header (54, 55;
    - 69) further comprises data specifying the length of the data fragment (50, 51) before encryption.
  - 31. Data packet according to claim 29 or 30, wherein the destination address is a multicast address, for transmitting the data packet to a plurality of clients (3;
    - 78-81) connected to the network (2;
      
      77, 82).
  - 32. Data packet according to any one of claims 29-31, wherein the first header (56, 57;
    - 67) conforms to the Internet Protocol standard.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Irdeto B.V. (MultiChoice Group Ltd.)
Original Assignee
Irdeto B.V. (MultiChoice Group Ltd.)
Inventors
Jacobs, Andre

Granted Patent

US 7,739,496 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

H04L 2463/101   applying security measures ...

H04L 63/0245   Filtering by information in...

H04L 63/0428   wherein the data content is...

H04L 63/0853   using an additional device,...

H04L 69/166   IP fragmentation; TCP segme...

Secure packet-based data broadcasting architecture

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

181 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Secure packet-based data broadcasting architecture

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

181 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links