Apparatus and methods for provisioning in a download-enabled system

US 20080177998A1
Filed: 01/24/2007
Published: 07/24/2008
Est. Priority Date: 01/24/2007
Status: Active Grant

First Claim

Patent Images

1. Network apparatus disposed substantially at a first location of a content-based network and adapted for provisioning of a security device at a second location of the network, comprising:

a provisioning subsystem comprising both cable modem and video provisioning apparatus;

wherein said provisioning apparatus is adapted to maintain;

identifying information of said security device;

information regarding a topological context of said security device in the network; and

the software configuration of said security device.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods for provisioning of customer premise equipment (CPE) equipped with a secure microprocessor to receive e.g., digital video content by entering unique identification of the CPE at one or more servers located at the headend or other location of a content-based network. In one embodiment, the CPE comprises a download-enabled (e.g., DCAS) host with embedded cable modem and embedded set-top box functionality, and the provisioning includes enabling DOCSIS functionality of the CPE, assigning an IP address to the CPE and providing the CPE with a client image for the conditional access system chosen by the network operator. In one variant, the network operator can deactivate a provisioned device while connected to the network, as well when disconnected from the network. The network operator can also add, delete or replace conditional access client image in a provisioned device.

Citations

45 Claims

1. Network apparatus disposed substantially at a first location of a content-based network and adapted for provisioning of a security device at a second location of the network, comprising:
- a provisioning subsystem comprising both cable modem and video provisioning apparatus;
  
  wherein said provisioning apparatus is adapted to maintain;
  
  identifying information of said security device;
  
  information regarding a topological context of said security device in the network; and
  
  the software configuration of said security device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The network apparatus of claim 1, further comprising a conditional access apparatus in communication with said provisioning subsystem;
    - andan authentication apparatus in communication with at least said conditional access apparatus;
      
      wherein at least said authentication and conditional access apparatus are configured to cooperate to transmit to said security device both;
      
      (i) at least one cryptographic key, and (ii) encrypted code configured to provide at least protection of content at said security device.
  - 3. The network apparatus of claim 1, wherein said first location comprises a cable system head-end, and said second location comprises a residence or business enterprise.
  - 4. The network apparatus of claim 1, wherein said first location comprises a hub within a broadcast switched architecture (BSA) network.
  - 5. The network apparatus of claim 2, further comprising a personalization server (PS) apparatus in communication with said conditional access system, said PS being adapted to select said at least one cryptographic key and encrypted code based at least in part on a communication received from said security device.
  - 6. The network apparatus of claim 5, further comprising an interface to a trusted authority (TA), said TA providing said at least one cryptographic key to said PS based at least in part on information contained in said communication from said client device to said network apparatus.
  - 7. The network apparatus of claim 6, wherein said authentication apparatus comprises software configured to authenticate said secure element based at least in part on said communication received from said secure element, said authentication comprising a condition precedent for downloading of said at least one key and encrypted code.
  - 8. The network apparatus of claim 2, wherein said encrypted code comprises a secure firmware adapted to run on said secure element of said client device.
  - 9. The network apparatus of claim 8, wherein said network apparatus is further configured to transmit second code to said client device, said second code comprising a conditional access (CA) client, said CA client adapted to run on said secure element to enforce at least one CA policy.

10. Network apparatus disposed substantially at a first node of a content-based network and adapted for delivery of security information to a second node of said network, comprising:
- a content provisioning apparatus;
  
  a security management apparatus in communication with said provisioning apparatus; and
  
  an authentication apparatus in communication with at least said security management apparatus;
  
  said provisioning, management, and authentication apparatus cooperating to;
  
  provision a client device coupled to said network;
  
  establish an account associated with said client device;
  
  authenticate a physically secure element of said client device; and
  
  provide at least one secure software image to said secure element, said at least one secure image enabling at least in part access to content distributed over said network.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The network apparatus of claim 10, wherein at least said authentication and security management apparatus are configured to cooperate to transmit to said second node said secure image configured to manage at least one of (i) a trusted domain (TD) policies or configuration, and (ii) digital rights management (DRM) policies or configuration, within said secure element of said client device disposed at said second node.
  - 12. The network apparatus of claim 10, wherein said first node comprises a cable system head-end, and said second node comprises a residence or business enterprise.
  - 13. The network apparatus of claim 12, wherein said apparatus is configured to deliver said secure image via a DOCSIS-compliant cable modem.
  - 14. The network apparatus of claim 12, wherein said apparatus is configured to deliver said secure image via an in-band downstream QAM.
  - 15. The network apparatus of claim 10, wherein said first node comprises a hub within a broadcast switched architecture (BSA) network.
  - 16. The network apparatus of claim 10, further comprising a personalization server (PS) apparatus in communication with said security management system, said PS being adapted to select said secure image based at least in part on a communication received from said client device.
  - 17. The network apparatus of claim 16, wherein said authentication apparatus comprises software configured to authenticate said secure element of said client device based at least in part on said communication received from said client device, said authentication being required before downloading said secure image.
  - 18. The network apparatus of claim 10, wherein said client device disposed at said second node comprises a premises content distribution apparatus for use with a plurality or media-capable devices, said content distribution apparatus comprising:
    - a first interface capable of at least receiving media content from a first network;
      
      a mass storage device in data communication with said first interface and adapted to store at least a portion of said media content;
      
      a coaxial cable interface configured to provide networking throughout at least a portion of said premises over coaxial cable present therein; and
      
      a wireless access interface adapted to support at least one wireless network substantially within said premises;
      
      wherein said media content is accessible to users on both said coaxial cable network and said at least one wireless network.

19. Network security apparatus for use with a client-side security management apparatus in operative communication with a content-based network, said client-side apparatus adapted to maintain at least a portion of a trusted domain within a client device using at least a secure element, said network security apparatus comprising:
- a content provisioning apparatus;
  
  a conditional access apparatus in communication with said provisioning apparatus; and
  
  an authentication apparatus in communication with at least said conditional access apparatus;
  
  wherein said authentication, provisioning and conditional access apparatus are configured to cooperate to transmit to said secure element of said client device both;
  
  (i) at least one cryptographic key, and (ii) encrypted code configured to provide at least protection of said content at said client device.

20. A method of delivering secure software over a network to a client device, comprising:
- entering information associated with said client device within at least one of a DNCS or billing system of said network;
  
  coupling said client device to said network;
  
  establishing a network address for said client device;
  
  providing via a first entity device credentials along with a cryptographic element for said client device to a second entity;
  
  returning a client device-specific personalized software image to said first entity from said second entity;
  
  returning a common software image to said first entity from said second entity;
  
  encrypting at least the device-specific image for the specific client device based at least in part on said cryptographic element; and
  
  sending via the first entity said encrypted device-specific image and said common image.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The method of claim 20, wherein said first entity comprises an authentication proxy, and said second entity comprises a personalization server.
  - 22. The method of claim 20, wherein said device credentials are uniquely associated with a secure element of said client device.
  - 23. The method of claim 22, wherein said personalized software image is uniquely associated with said secure element of said client device.
  - 24. The method of claim 23, wherein said cryptographic element comprises a public key corresponding to a private key retained within said client device, said private key being adapted to decrypt said encrypted at least device-specific image.

25. In a cable television network, a method of provisioning, for operation within said network, a client device having a security device substantially unique to said client device, the method comprising:
- acquiring a network address for said client device;
  
  placing an authentication entity in contact with said security device;
  
  authenticating said security device to said entity;
  
  obtaining personalization information associated with said security device based at least in part on said authenticating;
  
  providing said personalization information to said security device over said network;
  
  obtaining a software image common to all of a plurality of client devices having a common configuration and disposed within the network; and
  
  processing one or more messages at said client device in order to determine conditional access privileges.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The method of claim 25, further comprising decoding received content based at least in part on said privileges.
  - 27. The method of claim 25, wherein said client device comprises a cable modem function, and said method further comprises conducting a cable modem registration process using at least said cable modem function.
  - 28. The method of claim 27, wherein said cable modem function comprises a DOCSIS-compliant cable modem, and said network address comprises an IP address.
  - 29. The method of claim 25, wherein said authentication entity comprises software configured to authenticate said security device based at least in part on at least one cryptographic element received from said security device.
  - 30. The method of claim 25, wherein said personalization information comprises a personalized software image substantially unique to said security device of said client device.

31. Network apparatus comprising:
- a provisioning system;
  
  a common image server; and
  
  a device-specific image server;
  
  wherein said apparatus is adapted to securely obtain and deliver a device-specific software image, as well as a common software image, to at least a secure element of a target client device, said common image being applicable to all of a plurality of client devices having a common configuration and disposed within a network, and said device-specific image being specific to only said secure element of said target client device;
  
  wherein said delivery of said device-specific image and said common image is conducted pursuant to said client device being provisioned within said network by said provisioning system.
- View Dependent Claims (32, 33, 34)
- - 32. The apparatus of claim 31, wherein said apparatus is adapted to communicate over said network with said secure element disposed on said target device, at least said device-specific image being adapted to run within a software environment of said secure element in order to enforce one or more security policies within a domain associated with said target device.
  - 33. The apparatus of claim 31, wherein said network comprises a content-based delivery network, and said target device comprises an OCAP-compliant premises device having a cable modem and an RF tuner, said cable modem being used to receive at least a portion of said device-specific image after said cable modem has registered within said network as part of said act of provisioning.
  - 34. The apparatus of claim 31, wherein said provisioning system comprises a video provisioning apparatus, and a DOCSIS provisioning apparatus, said DOCSIS apparatus adapted to provision a cable modem associated with said target client device for use in provisioning other portions of said client device.

35. A method of doing business over a content-based network, comprising:
- selectively configuring at least one network client device based at least in part on a service request from a subscriber associated with said at least one device, said selective configuration comprising;
  
  entering information associated with said at least one device into at least one of a billing system or digital network control system (DNCS) of said network;
  
  generating personalization data specific to said at least one client device when said at least one device is coupled into communication with said network;
  
  transmitting said data to said at least one client device; and
  
  establishing at least one security permission or policy within a secure element of said at least one client device, said at least one permission or policy enabling provision of said requested service.
- View Dependent Claims (36, 37, 38)
- - 36. The method of claim 35, wherein said act of generating personalization data comprises generating an encrypted software image and cryptographic key that is unique to said secure element of said at least one client device.
  - 37. The method of claim 35, wherein said coupling into communication is performed by said subscriber.
  - 38. The method of claim 35, further comprising provisioning a cable modem function associated with said client device, said cable modem function being used to receive said transmitted data.

39. Network apparatus for use in providing secure content and software downloads to a plurality of client devices within a cable television network, the apparatus comprising:
- secure download infrastructure adapted for data communication with a trusted authority (TA);
  
  a media provisioning system in data communication with said infrastructure;
  
  a billing system in data communication with said provisioning system; and
  
  a media security system in data communication with said provisioning system.
- View Dependent Claims (40)
- - 40. The apparatus of claim 39, wherein:
    - said secure download infrastructure and said TA cooperate to provide cryptographic elements and at least one secure client device software image for delivery by said infrastructure to said client devices; and
      
      said provisioning system and said security system determine and apply entitlements for selected ones of said client devices in order to authorize providing said cryptographic elements and said at least one software image thereto.

41. For consumer premises equipment (CPE) comprising a conditional access (CA) download-enabled secure host, and modem and set-top box functionality, a method of provisioning said CPE when connected to a content-based network, comprising:
- enabling the modem functionality of the CPE;
  
  assigning a network address to the CPE; and
  
  providing the CPE with at least one image for the conditional access host chosen by an operator of said network.
- View Dependent Claims (42, 43)
- - 42. The method of claim 41, wherein said modem comprises a DOCSIS-compliant cable modem, and said network address comprises an IP address.
  - 43. The method of claim 42, wherein said act of providing at least one image comprises providing at least a personalized image (PI) that is unique to said CPE.

44. A method of doing business over a content-based network, comprising:
- migrating a client device having a first conditional access profile from a first location within said network to a second location within said network, said migrating comprising;
  
  downloading a second conditional access profile to said device at said second location; and
  
  provisioning said device so as to allow for operation thereof within said network at said second location.
- View Dependent Claims (45)
- - 45. The method of claim 44, wherein said provisioning comprises:
    - entering information associated with said client device into at least one of a billing system or digital network control system (DNCS) of said network;
      
      performing at least one of generating or verifying personalization data specific to said client device when said device is coupled into communication with said network at said second location; and
      
      establishing at least one security permission or policy within a secure element of said client device, said at least one permission or policy enabling provision of a requested service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Time Warner Cable Enterprises LLC (Charter Communications Incorporated)
Original Assignee
Time Warner Cable Enterprises LLC (Charter Communications Incorporated)
Inventors
Carlucci, John B., Markley, Jeffrey P., Bevilacqua, John G., Guduru, Srinivas, Apsangi, Shrikant, Schnitzer, Jason Kazimir

Granted Patent

US 8,621,540 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/20   for managing network securi...

H04N 21/2541   Rights Management protectin...

H04N 21/4182   for identification purposes...

H04N 21/42684   Client identification by a ...

H04N 21/4623   Processing of entitlement m...

H04N 21/4627   Rights management associate...

H04N 21/4753   for user identification, e....

H04N 21/6118   involving cable transmissio...

H04N 21/63345   by transmitting keys key di...

H04N 21/8355   involving usage data, e.g. ...

H04N 7/17318   Direct or substantially dir...

Apparatus and methods for provisioning in a download-enabled system

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and methods for provisioning in a download-enabled system

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links