Downloadable security and protection methods and apparatus
Abstract
Methods and apparatus for control of data and content protection mechanisms across a network using a download delivery paradigm. In one embodiment, conditional access (CA), digital rights management (DRM), and trusted domain (TD) security policies are delivered, configured and enforced with respect to consumer premises equipment (CPE) within a cable television network. A trusted domain is established within the user's premises within which content access, distribution, and reproduction can be controlled remotely by the network operator. The content may be distributed to secure or non-secure “output” domains consistent with the security policies enforced by secure CA, DRM, and TD clients running within the trusted domain. Legacy and retail CPE models are also supported. A network security architecture comprising an authentication proxy (AP), provisioning system (MPS), and conditional access system (CAS) is also disclosed, which can interface with a trusted authority (TA) for cryptographic element management and CPE/user device authentication.
67 Claims
1. Network apparatus disposed substantially at a first location of a content-based network and adapted for delivery of security information to a second location of said network, comprising:
- a content provisioning apparatus;
- a conditional access apparatus in communication with said provisioning apparatus; and
- an authentication apparatus in communication with at least said conditional access apparatus;
- wherein at least said authentication and conditional access apparatus are configured to cooperate to transmit to said second location both: (i) at least one cryptographic key, and (ii) encrypted code configured to provide at least protection of said content at a secure element disposed at said second location.

13. Network apparatus disposed substantially at a first node of a content-based network and adapted for delivery of security information to a second node of said network, comprising:
- a content provisioning apparatus;
- a security management apparatus in communication with said provisioning apparatus; and
- an authentication apparatus in communication with at least said security management apparatus;
- wherein at least said authentication and security management apparatus are configured to cooperate to transmit to said second node encrypted code configured to manage at least one of (i) a trusted domain (TD) policies or configuration, and (ii) digital rights management (DRM) policies or configuration, within a secure element of a client device disposed at said second node.

24. A method of operating a security management architecture within a content-based network, comprising:
- providing an encrypted software image to a client device;
- providing a first cryptographic key to said client device;
- using said first cryptographic key to enable decryption of said software image;
- providing at least a second cryptographic key to said client device; and
- using said second key to decrypt encrypted content delivered to said client device.

30. A method of operating a security management architecture within a content-based network, comprising:
- providing an encrypted software image to a client device having a security processor;
- providing a first cryptographic key to said client device;
- using said first cryptographic key to enable decryption of said software image; and
- configuring at least a portion of the security processor of said client device using at least said decrypted software image.

35. Network security apparatus adapted for transmission of security information to an authenticated client device in data communication with said network, the apparatus comprising:
- a security management apparatus adapted for communication with said network; and
- an authentication apparatus in communication with at least said security management apparatus;
- wherein said authentication and security management apparatus are configured to cooperate to transmit to said authenticated client device:
  - (i) a portion of a public-private key pair, said client device comprising the other portion of said key pair; and
  - (ii) encrypted code configured to manage at least one aspect of a security architecture within a secure element of a client device;
- wherein said public-private key pair is configured to decrypt said encrypted code.

39. A method of remotely providing a trusted domain for content protection within a premises having a client device, comprising:
- transmitting encrypted software to said client over a network;
- transmitting a first decryption key to said client device;
- using a second decryption key to access said first decryption key;
- using said first decryption key to decrypt said software; and
- using said software to establish at least a portion of said trusted domain within said client device;
- wherein content can be securely transported within said trusted domain.

42. Security apparatus for use with a content-based network, comprising:
- client-side security management apparatus in operative communication with the network and adapted to maintain at least a portion of a trusted domain within a client device using at least a secure element; and
- network security management apparatus in operative communication with the network and said client-side management apparatus, said network security management apparatus adapted to control at least one of the configuration and operation of said client-side apparatus in order to protect content delivered to said client device against unauthorized distribution or reproduction.

45. A method of doing business over a content-based network, comprising:
- identifying a plurality of substantially unique client devices in data communication with said network; and
- selectively configuring at least one of said plurality of client devices based at least in part on a service request from a subscriber associated with said at least one device, said selective configuration comprising:
  - generating personalization data specific to said at least one client devices;
  - transmitting said data to said at least one client device; and
  - establishing at least one security permission or policy within a secure element of said at least one client device, said at least one permission or policy enabling provision of said requested service.

51. A method delivering secure software over a network to a remote client device, comprising:
- providing via a first entity device credentials along with the public key for said client device to a second entity;
- returning a client device-specific personalized software image to said first entity from said second entity;
- returning a common software image to said first entity from said second entity;
- encrypting at least the device-specific image for the specific client device based at least in part on said public key; and
- sending via the first entity said encrypted device-specific image and said common image.

59. Network apparatus comprising:
- a common image server; and
- a device-specific image server;
- wherein said apparatus is adapted to securely obtain and deliver a device-specific software image, as well as a common software image, to at least a secure element of a target client device, said common image being applicable to all of a plurality of client devices having a common configuration and disposed within a network, and said device-specific image being specific to only said secure element of said target client device.

63. Network apparatus for use in providing secure content and software downloads to a plurality of client devices within a cable television network, the apparatus comprising:
- secure download infrastructure adapted for data communication with a trusted authority (TA);
- a media provisioning system in data communication with said infrastructure;
- a billing system in data communication with said provisioning system;
- a media security system in data communication with said provisioning system; and
- a media services system in data communication with said provisioning system;
- wherein:
  - said secure download infrastructure and said TA cooperate to provide cryptographic elements and at least one secure client device software image for delivery by said infrastructure to said client devices; and
  - said provisioning system and said security system determine and apply entitlements for selected ones of said client device in order to authorize providing said cryptographic elements and said at least one software image thereto.

64. An on-demand conditional access apparatus for use in a content based network having a plurality of client devices associated therewith, said apparatus comprising a computerized server adapted to establish a security envelope around at least a portion of a requesting one of said client devices, said security envelope allowing for the protection of both content and software images contained therein.