Secure digital content delivery system and method over a broadcast network

US 20040101138A1
Filed: 03/11/2003
Published: 05/27/2004
Est. Priority Date: 05/22/2001
Status: Active Grant

First Claim

Patent Images

1. A method for creating a secure transmission mechanism for a plurality of end user devices in a packet-based network, comprising:

providing a plurality of packets;

securing said plurality of packets according to security information to form secured packets;

transmitting said security information to more than one end user device simultaneously through the packet-based network; and

multi-casting said secured packets to the plurality of end user devices.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and a method for secure distribution of digital media content through a packet-based network such as the Internet. The security of the present invention does not require one-to-one key exchange, but rather enables keys, and/or information required in order to build the key, to be broadcast through the packet-based network. The digital media content is then also preferably broadcast, but cannot be accessed without the proper key. However, preferably only authorized end-user devices are able to access the digital media content, by receiving and/or being able to access the proper key. Thus, the present invention is useful for other types of networks in which digital media content is more easily broadcast rather than unicast, in addition to packet-based networks.

Citations

85 Claims

1. A method for creating a secure transmission mechanism for a plurality of end user devices in a packet-based network, comprising:
- providing a plurality of packets;
  
  securing said plurality of packets according to security information to form secured packets;
  
  transmitting said security information to more than one end user device simultaneously through the packet-based network; and
  
  multi-casting said secured packets to the plurality of end user devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 2. The method of claim 1, wherein said plurality of packets contain broadcast data from a broadcasting event.
  - 3. The method of claims 1 or 2, wherein said packets are distributed through a second distribution channel, said second distribution channel being different from the packet-based network.
  - 4. The method of claim 3, wherein said second distribution channel is selected from the group consisting of satellite, cable, and wireless channels.
  - 5. The method of claims 1 or 2, wherein said packets are distributed through the packet-based network.
  - 6. The method of any of claims 1-5, wherein said security information includes control word information for key generation at each end user device.
  - 7. The method of claim 6, wherein an ECM (entitlement control message) is sent to said end user devices for said security information for said key generation, such that said ECM contains said control word information for said key generation.
  - 8. The method of claim 7, wherein said ECM is multi-cast to said end user devices, and wherein an EMM (entitlement control message) is also transmitted to said end user devices, such that EMM information contained in said EMM is required for said end user device to access said ECM.
  - 9. The method of claim 8, wherein said EMM is transmitted to said end user devices by an out-of-band message, such that said EMM is not transmitted with said secured packets.
  - 10. The method of claim 9, wherein said out-of-band message is an e-mail (electronic mail) message.
  - 11. The method of claims 8-10, wherein the packet-based network is an IP network and said ECM is transmitted through said IP network according to at least one of a multicast IP address and an IP port, such that said end user device is notified of said at least one of said multicast IP address and said IP port through an IP notification protocol.
  - 12. The method of any of claims 8-11, wherein said end user device filters at least one of said ECM and said EMM according to at least one characteristic selected from the group consisting of a characteristic of said end user device and a characteristic of information stored by said end user device.
  - 13. The method of claim 12, wherein said end user device filters said ECM according to EMM information, such that only an ECM for which EMM information has been received is accessed by said end user device.
  - 14. The method of claim 13, wherein said ECM is contained in a packet, and an IP address for said packet is announced to said end user device, such that said end user device filters said ECM by listening to said IP address for receiving said packet if said end user device has received said EMM information.
  - 15. The method of claim 12, wherein said end user device filters at least one of said ECM and said EMM according to whether said at least one of said ECM and said EMM is designated as unique, group or general.
  - 16. The method of any of claims 8-15, wherein said EMM information includes a service identifier, and wherein said service identifier is related to a type of content of said secured packets.
  - 17. The method of claim 16, wherein said secured packets contain a plurality of different types of content, each type of content having a separate service identifier, such that differential access to said different types of content by said end user device is provided according to said service identifiers.
  - 18. The method of claims 16 or 17, wherein said service identifier corresponds to a plurality of ECMs.
  - 19. The method of any of claims 8-18, wherein said EMM information includes an identifier for determining access to said secured packets according to at least one characteristic selected from the group consisting of a characteristic of an end user device and a characteristic of information stored on said end user device.
  - 20. The method of claim 19, wherein said identifier is a blackout identifier for identifying an end user device blocked from accessing a content of said ECM.
  - 21. The method of claim 20, wherein said blackout identifier corresponds to at least one characteristic stored in said end user device.
  - 22. The method of claim 21, wherein said at least one characteristic includes a geographical location of said end user device.
  - 23. The method of any of claims 8-22, wherein said ECM enables differential access to said secured packets by said end user device according to a plurality of identifiers transmitted in said EMM.
  - 24. The method of any of claims 8-23, wherein said end user device stores at least a content of at least one of said ECM and said EMM.
  - 25. The method of claim 24, wherein said ECM has a limited key period, such that a new ECM is periodically received to access said plurality of packets.
  - 26. The method of claim 25, wherein a length of said key period is at least partially determined by a length of a session for receiving said secured packets by said end user device.
  - 27. The method of claim 26, wherein said length of said key period is less than said length of said session, such that at least one of a new ECM and a new EMM must be received repeatedly during said session.
  - 28. The method of claim 27, wherein said EMM has a limited authorization period, such that a new EMM is periodically received to access said plurality of packets.
  - 29. The method of any of claims 7-28, wherein at least a portion of said secured packets are accessible with said ECM only, without said EMM, as a preview of said secured packets.
  - 30. The method of any of claims 8-29, wherein said security information is transmitted according to a standard IP protocol.
  - 31. The method of claim 30, wherein said packets are transmitted as part of a multi-cast session, and wherein an announcement for said session is transmitted according to a standard announcement protocol.
  - 32. The method of claims 30 or 31, wherein said standard IP protocol is IPSEC.
  - 33. The method of claim 32, wherein said announcement includes information for relating each ECM to a service identifier contained in an EMM.
  - 34. The method of claim 33, wherein said announcement protocol is SDP (session description protocol).
  - 35. The method of claims 33 or 34, wherein said ECM is associated with at least a portion of a multi-cast session with said end user device, and wherein said association is transmitted in said secured packets as an attribute parameter.
  - 36. The method of claim 35, wherein said ECM is synchronized with said secured packets with an SPI (security parameters index) value of said secured packets.
  - 37. The method of claim 36, wherein a new key period is indicated by a change in said SPI value, such that a new ECM is required to access said secured packets.
  - 38. The method of any of claims 31-37, wherein announcement packets are encrypted.
  - 39. The method of any of claims 19-38, wherein said end user device is blocked from further access to said secured packets through revocation with at least one of an EMM and an ECM.
  - 40. The method of claim 39, wherein said revocation is for a specific end user device.
  - 41. The method of claim 40, wherein said revocation is for a plurality of end user devices.
  - 42. The method of any of claims 39-41, wherein said revocation causes a new service identifier to be required for accessing a content of an ECM corresponding to said secured packets.
  - 43. The method of any of claims 8-42, wherein said end user devices receive at least said secured packets from at least one peer end user device.
  - 44. The method of claim 43, wherein said at least one peer end user device generates at least one of said EMM and said ECM.
  - 45. The method of claim 44, wherein said at least one peer end user device includes a secure server for generating said least one of said EMM and said ECM.
  - 46. The method of claims 44 or 45, wherein said EMM generated by said at least one peer end user device is authenticated by a central authorization entity.
  - 47. The method of claims 44-46, wherein said EMM generated by said at least one peer end user device is mapped to a new ECM for accessing said secure packets by a central authorization entity.
  - 48. The method of any of claims 44-47, wherein said packets are transmitted as part of a multi-cast session, an announcement for said session is transmitted according to a standard announcement protocol, and said announcement includes at least an SPI (security parameters index) for relating each ECM to a service identifier contained in an EMM, such that said at least one peer end user device generates at least one of said announcement and said SPI.
  - 49. The method of any of claims 37-48, wherein said central authorization entity controls at least one of said ECM, said EMM, said announcement and said SPI.
  - 50. The method of any of claims 37-49, wherein at least one of said EMM and said ECM, is generated by said central authorization entity.
  - 51. The method of any of claims 37-50, wherein said end user devices are located in a cluster, and wherein each cluster is coordinated by said central authorization entity.
  - 52. The method of claim 51, wherein said cluster is continuously validated by said central authorization entity.
  - 53. The method of any of claims 7-52, wherein a pay-per-view ECM contains purchasing information for purchasing access to said secured packets and wherein EMM information is not required to access said pay-per-view ECM.
  - 54. The method of any of claims 7-52, wherein an EMM contains a credit for purchasing access to said secured packets for pay-per-view content.
  - 55. A secure transmission mechanism produced by the method of any of claims 1-54.

56. A method for producing a conditional access (CA) system for use in a packet-switched environment (packet CA system) from a CA system for use in a broadcast environment (broadcast CA system), the method comprising:
- providing a broadcast CA system comprising at least one CA security characteristic;
  
  providing a packet-switched data transmission system including a security subsystem having a plurality of packet-switched security characteristics; and
  
  creating a mapping from the at least one CA security element to at least one of the plurality of packet-switched security elements, thereby producing a packet CA system.
- View Dependent Claims (57, 58, 59, 60)
- - 57. The method according to claim 56 and wherein the packet-switched data transmission system comprises an IP system.
  - 58. The method according to claim 57 and wherein the IP system comprises an IPSEC subsystem, and the IPSEC subsystem comprises the plurality of packet-switched security elements.
  - 59. The method according to any of claims 56-58 and wherein the broadcast CA system comprises an EMM/ECM based CA system.
  - 60. A conditional access (CA) system for use in a packet-switched environment (packet CA system) produced by the method of any of claims 56-59.

61. A packet-switched conditional access (CA) system for use with an end-user playback device, the CA system comprising:
- a protected data receiver for receiving protected data protected with at least one key;
  
  an ECM packet receiver for receiving at least one ECM packet from a packet-switching network; and
  
  an ECM-based key generator for generating said at least one key from said at least one ECM packet.
- View Dependent Claims (62, 63, 64)
- - 62. The system according to claim 61 and also comprising:
    - a key synchronizer for synchronizing said at least one key generated by the ECM-based key generator with a portion of said protected data protected with said at least one key generated by the ECM-based key generator.
  - 63. The system according to claim 62 and wherein the key synchronizer comprises:
    - an ECM memory for storing a plurality of ECM packets; and
      
      an ECM packet chooser for choosing, from among the plurality of ECM packets stored by the ECM memory, an ECM packet corresponding to said portion of said protected data and sending said chosen ECM packet to said ECM-based key generator.
  - 64. The system according to any of claims 61-63 and wherein the ECM packet receiver comprises an IPSEC receiver for receiving the at least one ECM packet from the packet-switching network using an IPSEC protocol.

65. A method for providing an entitlement control message (ECM) based conditional access (CA) system based on a packet-switching network comprising:
- receiving a plurality of ECMs via the packet-switching network;
  
  storing the plurality of received ECMs; and
  
  choosing, from among the plurality of stored ECMs, an ECM for providing access to CA-protected data.
- View Dependent Claims (66, 67, 68, 69, 70, 71)
- - 66. The method according to claim 65 and wherein the CA-protected data comprises encrypted data, and the method also comprises:
    - utilizing the chosen ECM to decrypt the encrypted data.
  - 67. The method according to claim 66 and wherein the utilizing comprises:
    - generating, from the ECM, a key for decrypting the encrypted data.
  - 68. The method according to claim 67 and wherein the generating comprises, at least in part:
    - utilizing at least a portion of the ECM as an input to a one-way function; and
      
      utilizing an output of the one-way function as at least a portion of the key.
  - 69. The method according to any of claims 65-68 and wherein the packet-switching network comprises an IP-based network.
  - 70. The method according to claim 69 and wherein the IP-based network comprises an IPSEC-based network.
  - 71. The method according to claim 70 and wherein the plurality of ECMs are delivered using an IPSEC-based protocol.

72. A method for creating a secure transmission mechanism for a plurality of end user devices in a packet-based network, comprising:
- encrypting a plurality of packets with a key to form encrypted packets, said key having associated key information for determining said key;
  
  multi-casting said associated key information to the plurality of end user devices through the packet-based network, thereby obviating the need to send said associated key information to each end user device individually; and
  
  multi-casting said encrypted packets to the plurality of end user devices to form the secure transmission mechanism.
- View Dependent Claims (73, 74, 75)
- - 73. The method of claim 72, wherein said associated key information is used by each end user device to generate said key.
  - 74. The method of claims 72 or 73, wherein said plurality of packets include streaming data from a broadcasting event.
  - 75. The method of claims 72 or 73, wherein said plurality of packets include data from a broadcasting event transmitted as a file.

76. A method for creating a secure transmission mechanism for a plurality of end user devices in a packet-based network, comprising:
- multi-casting a plurality of secured packets and security information to the plurality of end user devices, thereby obviating the need for a one-to-one transmission of said security information to each end user device individually and thereby forming the secure transmission mechanism.
- View Dependent Claims (77)
- - 77. The method of claim 76, wherein said security information is sent through the packet-based network and said plurality of secured packets is sent through a separate channel to the plurality of end user devices.

78. A system for multi-casting secure packets to a plurality of end user devices in a packet-based network, the secure packets being secured according to security information, comprising:
- (a) a broadcast headend connected to the plurality of end user devices at least through the packet-based network, said broadcast headend transmitting the security information to more than one of the plurality of end user devices, thereby obviating the need to send the security information to each end user device individually, and said broadcast headend transmitting the secure packets to the plurality of end user devices, wherein at least one of the security information and the secure packets is transmitted through the packet-based network.

79. In a system for multi-casting secure packets to a plurality of end user devices in a packet-based network, the system comprising a broadcast headend connected to the plurality of end user devices at least through the packet-based network, providing a method for securing the packets, the method comprising:
- securing the secure packets according to security information, transmitting the security information by the broadcast headend to more than one end user device simultaneously according to a multi-casting protocol; and
  
  transmitting the secure packets by the broadcast headend to the plurality of end user devices;
  
  wherein at least one of the security information and the secure packets is transmitted through the packet-based network.
- View Dependent Claims (80)
- - 80. The method of claim 79, wherein the secure packets are multi-cast in a session and the broadcast headend transmits an authorization message to the plurality of end user devices to enable the end user devices to access said session, such that the security information includes said authorization message.

81. A method for creating a secure transmission mechanism for a plurality of end user devices in an IP network, comprising:
- providing a plurality of data units for transport through the IP network;
  
  securing said plurality of data units according to security information to form secured data units;
  
  transmitting said security information to more than one end user device simultaneously through the IP network; and
  
  multi-casting said secured data units to the plurality of end user devices.

82. A method for creating a secure transmission mechanism for a plurality of end user devices in a network having a characteristic of being at least one of packet-based and IP, comprising:
- providing a plurality of data units;
  
  securing said plurality of data units according to a control word to form secured data units, said control word being generated from security information;
  
  transmitting said security information to more than one end user device simultaneously through the network;
  
  multi-casting said data units to the plurality of end user devices; and
  
  generating said control word at each end user device with said security information.

83. A method for creating a secure transmission mechanism for a plurality of end user devices in an IP network, comprising:
- providing a plurality of data units for transport through the IP network;
  
  securing said plurality of data units according to security information to form secured data units;
  
  transmitting said security information to more than one end user device simultaneously through the IP network;
  
  transmitting an announcement according to SDP (session description protocol) of IPSEC to said end user devices for indicating an association between said security information and said secured data units, and multi-casting said secured data units to the plurality of end user devices.
- View Dependent Claims (84, 85)
- - 84. The method of claim 83, wherein said security information is related to a key for securing said secured data units, said key being changed according to a key period, a change of said key period being announced by an SPI (security parameters index) in a security information message according to ESP (IP encapsulating security payload) protocol.
  - 85. The method of claim 83, wherein said security information is related to a single key for securing said secured data units, and wherein said security information is transmitted according to a plurality of different ECMs, generated according to Simulcrypt protocols.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Synamedia Limited
Original Assignee
NDS Limited (Cisco Systems, Inc.)
Inventors
Zucker, Arnold, Epstein, Steve, Tsuria, Yossi, Revital, Dan, Simkin, Steven

Granted Patent

US 7,995,603 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/210
CPC Class Codes

G06F 21/1063   Personalisation

G06F 21/109   by using specially-adapted ...

G06F 2221/2109   Game systems

G06F 2221/2153   Using hardware token as a s...

H04L 63/065   for group communications cr...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/123   received data contents, e.g...

H04N 21/26606   for generating or managing ...

H04N 21/4623   Processing of entitlement m...

H04N 21/6125   involving transmission via ...

H04N 21/63345   by transmitting keys key di...

H04N 21/6405   Multicasting data broadcast...

H04N 21/64322   IP

H04N 7/163   by receiver means only

H04N 7/165   Centralised control of user...

H04N 7/1675   Providing digital key or au...

H04N 7/17318   Direct or substantially dir...

Secure digital content delivery system and method over a broadcast network

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

85 Claims

Specification

Solutions

Use Cases

Quick Links

Secure digital content delivery system and method over a broadcast network

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

85 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links