Network Security System

US 20090077379A1
Filed: 05/01/2006
Published: 03/19/2009
Est. Priority Date: 10/27/2005
Status: Active Grant

First Claim

Patent Images

1. A system for restricting access to encrypted content stored in a consuming device which is part of a network including other devices, the system comprising a plurality of operationally connected elements including:

a content storage medium to store the encrypted content therein;

a decryption input disseminator including;

a secret share distribution module to distribute a plurality of secret shares to the other devices;

a decryption input accumulator including;

a secret share receive module to receive at least some of the secret shares from the other devices; and

a secret reconstruction module to form a content decryption input from the at least some secret shares received by the secret share receive module;

a content decryption module to;

receive the encrypted content from the content storage medium and the content decryption input from the secret reconstruction module; and

decrypt the encrypted content using the content decryption input thereby rendering decrypted content; and

a content consumer to use the decrypted content decrypted by the content decryption module,wherein the secret shares distributed to the other devices are in an encrypted format for at least one of decryption by the consuming device and the other devices.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for restricting access to encrypted content stored in a consuming device (12) which is part of a network (10) including other devices (14), the system including a content storage medium to store the encrypted content, a secret-share distribution module to distribute secret-shares to the other devices (14), a secret-share receive module to receive the secret-shares from the other devices (14), a secret reconstruction module to form a content decryption input from the secret-shares received by the secret-share receive module, a content decryption module to receive the encrypted content from the content storage medium and the content decryption input from the secret reconstruction module and decrypt the encrypted content using the content decryption input thereby rendering decrypted content, and a content consumer to use the decrypted content, wherein the secret shares distributed to the other devices (14) are in an encrypted format for decryption by the consuming device (12) or the other devices (14).

120 Citations

24 Claims

1. A system for restricting access to encrypted content stored in a consuming device which is part of a network including other devices, the system comprising a plurality of operationally connected elements including:
- a content storage medium to store the encrypted content therein;
  
  a decryption input disseminator including;
  
  a secret share distribution module to distribute a plurality of secret shares to the other devices;
  
  a decryption input accumulator including;
  
  a secret share receive module to receive at least some of the secret shares from the other devices; and
  
  a secret reconstruction module to form a content decryption input from the at least some secret shares received by the secret share receive module;
  
  a content decryption module to;
  
  receive the encrypted content from the content storage medium and the content decryption input from the secret reconstruction module; and
  
  decrypt the encrypted content using the content decryption input thereby rendering decrypted content; and
  
  a content consumer to use the decrypted content decrypted by the content decryption module,wherein the secret shares distributed to the other devices are in an encrypted format for at least one of decryption by the consuming device and the other devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system according to claim 1, wherein:
    - the elements also include a content and secret receive module to receive the encrypted content and the content decryption input for forwarding to the content storage medium and the decryption input disseminator, respectively;
      
      the decryption input disseminator also includes;
      
      a secret share splitting module to;
      
      split the content decryption input into the secret shares; and
      
      erase the content decryption input from the consuming device; and
      
      a secret share encryption module to encrypt the secret shares created by the secret share splitting module; and
      
      the decryption input accumulator also includes a secret share decryption module to;
      
      decrypt the at least some secret shares received by the secret share receive module; and
      
      forward the decrypted secret shares to the secret reconstruction module.
  - 3. The system according to claim 2, wherein the secret shares are encrypted by the secret share encryption module only for decryption by the consuming device.
  - 4. The system according to claim 2, wherein the secret share splitting module is operative to split the content decryption input into the secret shares in accordance with a threshold scheme such that the secret reconstruction module only needs a predetermined number of any of the secret shares in order to form the content decryption input, the predetermined number being greater than one but less than the number of the other devices.
  - 5. The system according to claim 4, wherein the threshold scheme is based on the Shamir secret-sharing method.
  - 6. The system according to claim 1, wherein the elements also include a content and secret receive module to:
    - receive the encrypted content and the secret shares, the secret shares being received encrypted such that each of the secret shares is uniquely encrypted for decryption by a corresponding one of the other devices; and
      
      forward the encrypted content to the content storage medium and the encrypted secret shares to the secret share distribution module.
  - 7. The system according to claim 1, wherein:
    - the elements also include a content and secret receive module to;
      
      receive the encrypted content and the secret shares, the secret shares being received doubly encrypted by an inner encryption and then an outer encryption such that the outer encryption needs to be decrypted before the inner encryption, the outer encryption being uniquely encrypted for decryption by a corresponding one of the other devices, the inner encryption being for decryption only by the consuming device; and
      
      forward the encrypted content to the content storage medium and the encrypted secret shares to the secret share distribution module; and
      
      the decryption input accumulator also includes a secret share decryption module to;
      
      decrypt the at least some secret shares received by the secret share receive module; and
      
      forward the decrypted secret shares to the secret reconstruction module.
  - 8. The system according to claim 6, wherein the secret shares are formed in accordance with a threshold scheme such that the secret reconstruction module only needs a predetermined number of any of the secret shares in order to form the content decryption input, the predetermined number being greater than one but less than the number of the other devices.
  - 9. The system according to claim 8, wherein the threshold scheme is based on the Shamir secret-sharing method.
  - 10. The system according to claim 1, wherein:
    - the content consumer is a media player; and
      
      the decrypted content includes a video frame.
  - 11. The system according to claim 10, wherein the content decryption input is an entitlement control message.
  - 12. The system according to claim 1, wherein:
    - the content consumer is a computer processor; and
      
      the decrypted content includes at least part of a data file.
  - 13. The system according to claim 10, wherein the content decryption input is a decryption key.
  - 14. The system according to claim 2, wherein the secret share distribution module is operative to distribute each of the secret shares to the other devices with a message authentication code of a corresponding one of the secret shares, the secret share decryption module being operative to verify the message authentication code of each of the at least some secret shares received by the secret share receive module.
  - 15. The system according to claim 1, wherein the secret share distribution module is operative to distribute each of the secret shares to the other devices with a message authentication code of the content decryption input, the secret share reconstruction module being operative to verify the message authentication code of the content decryption input.

16. A system for restricting access to encrypted content stored in a consuming device which is part of a network including other devices, the system comprising a plurality of operationally connected elements including:
- a secret share splitting module to split a content decryption input into a plurality of secret shares;
  
  a secret share encryption module to encrypt the secret shares thereby rendering encrypted secret shares; and
  
  a broadcast module to broadcast;
  
  the encrypted content to the consuming device; and
  
  the encrypted secret shares to at least one of the consuming device and the other devices.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system according to claim 16, wherein the secret share splitting module is operative to split the content decryption input into the secret shares in accordance with a threshold scheme such that only a predetermined number of any of the secret shares is needed in order to re-form the content decryption input, the predetermined number being greater than one but less than the number of the other devices.
  - 18. The system according to claim 17, wherein the threshold scheme is based on the Shamir secret-sharing method.
  - 19. The system according to claim 16, wherein the secret share encryption module is operative to encrypt the secret shares, such that each of the encrypted secret shares is uniquely encrypted for decryption by a corresponding one of the other devices.
  - 20. The system according to claim 16, wherein the secret share encryption module is operative to encrypt the secret shares, such that each of the encrypted secret shares is doubly encrypted by an inner encryption and then an outer encryption such that the outer encryption needs to be decrypted before the inner encryption, the outer encryption being uniquely encrypted for decryption by a corresponding one of the other devices, the inner encryption being for decryption only by the consuming device.

21. A method for restricting access to encrypted content stored in a consuming device which is part of a network including other devices, the method comprising:
- storing the encrypted content therein;
  
  distributing a plurality of secret shares to the other devices;
  
  receiving at least some of the secret shares from the other devices;
  
  forming a content decryption input from the at least some secret shares;
  
  decrypting the encrypted content using the content decryption input thereby rendering decrypted content; and
  
  using the decrypted content decrypted,wherein the secret shares distributed to the other devices are in an encrypted format for at least one of decryption by the consuming device and the other devices.

22. A method for restricting access to encrypted content stored in a consuming device which is part of a network including other devices, the method comprising:
- splitting a content decryption input into a plurality of secret shares;
  
  encrypting the secret shares thereby rendering encrypted secret shares; and
  
  broadcasting the encrypted secret shares to at least one of the consuming device and the other devices.

23. A system for restricting access to encrypted content stored in a consuming device which is part of a network including other devices, the system comprising a plurality of operationally connected elements including:
- means for storing the encrypted content therein;
  
  means for distributing a plurality of secret shares to the other devices;
  
  means for receiving at least some of the secret shares from the other devices;
  
  means for forming a content decryption input from the at least some secret shares received by the secret share receive module;
  
  means for receiving the encrypted content from the content storage medium and the content decryption input from the secret reconstruction module;
  
  means for decrypting the encrypted content using the content decryption input thereby rendering decrypted content; and
  
  means for using the decrypted content decrypted by the content decryption module,wherein the secret shares distributed to the other devices are in an encrypted format for at least one of decryption by the consuming device and the other devices.

24. A system for restricting access to encrypted content stored in a consuming device which is part of a network including other devices, the system comprising a plurality of operationally connected elements including:
- means for splitting a content decryption input into a plurality of secret shares;
  
  means for encrypting the secret shares thereby rendering encrypted secret shares; and
  
  means for broadcasting;
  
  the encrypted content to the consuming device; and
  
  the encrypted secret shares to at least one of the consuming device and the other devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Dorrendorf, Leo, Geyzel, Zeev

Granted Patent

US 8,842,835 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/170
CPC Class Codes

H04L 2209/60 Digital content management,...

H04L 9/085 Secret sharing or secret sp...

Network Security System

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

120 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Network Security System

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

120 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links