ENCRYPTING A UNIQUE CRYPTOGRAPHIC ENTITY

US 20100058047A1
Filed: 08/28/2009
Published: 03/04/2010
Est. Priority Date: 08/28/2008
Status: Active Grant

First Claim

Patent Images

1. A client device, configured to enforce digital rights management rules, the client device comprising:

an input/output module configured to receive, at a client a global-key (GK-) encrypted unit key data (UKD) including a GK-encrypted unique cryptographic entity (UCE) and a GK-encrypted unit key number (UKN) from a key generation facility (KGF);

a decryption module configured to decrypt the GK-encrypted UKD using a global key (GK) to determine a decrypted UCE and a decrypted UKN;

an encryption module configured to encrypt the decrypted UKN and the decrypted UCE using a device unique key (DUK) to determine a DUK-encrypted UKN and a DUK-encrypted UCE;

wherein the encryption module is configured to append the DUK-encrypted UCE to the DUK-encrypted UKN to form a DUK-encrypted UKD, and the client device is configured to store the DUK-encrypted UKD in the memory; and

a UKN verification module is configured to verify that the DUK-encrypted UKN was generated and stored in the client device by determining if a digital rights management (DRM) value is not equal to the GK-encrypted UKN, andif the DRM value is not equal to the GK-encrypted UKN, then verifying the DUK-encrypted value was generated and stored in the client device and, after the verifying, the decryption module is subsequently operable to decrypt the DUK-encrypted UKD and the client device is subsequently operable to utilize the UCE as a cryptographic identity of the device.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of encrypting a unique cryptographic entity (UCE), where a client device receives a global-key (GK-) encrypted UKD comprising a GK-encrypted UCE and a GK-encrypted unit key number (UKN). The client device verifies that the GK-encrypted UKN is the same as a pre-provisioned value and then decrypts the GK-encrypted UKD using a global key (GK). The client device then re-encrypts the decrypted UKD using a device user key (DUK) to determine a DUK-encrypted UCE and a DUK-encrypted UKN. The DUK-encrypted UKN is verified as not equal to the GK-encrypted UKN. The DUK-encrypted UKN is then appended to the DUK-encrypted UCE to form a DUK-encrypted UKD and stored in a memory.

Citations

20 Claims

1. A client device, configured to enforce digital rights management rules, the client device comprising:
- an input/output module configured to receive, at a client a global-key (GK-) encrypted unit key data (UKD) including a GK-encrypted unique cryptographic entity (UCE) and a GK-encrypted unit key number (UKN) from a key generation facility (KGF);
  
  a decryption module configured to decrypt the GK-encrypted UKD using a global key (GK) to determine a decrypted UCE and a decrypted UKN;
  
  an encryption module configured to encrypt the decrypted UKN and the decrypted UCE using a device unique key (DUK) to determine a DUK-encrypted UKN and a DUK-encrypted UCE;
  
  wherein the encryption module is configured to append the DUK-encrypted UCE to the DUK-encrypted UKN to form a DUK-encrypted UKD, and the client device is configured to store the DUK-encrypted UKD in the memory; and
  
  a UKN verification module is configured to verify that the DUK-encrypted UKN was generated and stored in the client device by determining if a digital rights management (DRM) value is not equal to the GK-encrypted UKN, andif the DRM value is not equal to the GK-encrypted UKN, then verifying the DUK-encrypted value was generated and stored in the client device and, after the verifying, the decryption module is subsequently operable to decrypt the DUK-encrypted UKD and the client device is subsequently operable to utilize the UCE as a cryptographic identity of the device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The client device according to claim 1, further comprising;
    - a boot module configured to reboot the client device; and
      
      wherein after the rebooting, the UKN verification module performs the verifying that the DUK-encrypted UKN was generated and stored in the client device by determining if the DRM value is not equal to the GK-encrypted UKN, andafter the verifying, the decryption module performs the decryption of the DUK-encrypted UKD and the client device utilizes the UCE as the cryptographic identity of the device, andif the DRM value is equal to the GK-encrypted UKN, determining the DUK-encrypted value was not generated and stored in the client device and rejecting the encrypted UKD.
  - 3. The client device according to claim 2, whereinthe decryption module is further configured to decrypt a non-random data (NRD) using the decrypted UCE.
  - 4. The client device according to claim 1, whereinthe input/output module is configured to receive a GK-encrypted NRD after receipt of the GK-encrypted UKD;
    - the decryption module is configured to decrypt the GK-encrypted NRD using the GK; and
      
      the encryption module is configured to re-encrypt the NRD using the decrypted UCE, after decryption of the DUK-encrypted UCE with the DUK.
  - 5. The client device according to claim 4, further comprising;
    - a signature validation module configured to validate a signature appended to the NRD after decryption of the GK-encrypted NRD using the GK.
  - 6. The client device according to claim 1, wherein the signature validation module is configured to validate a signature field after the decryption module decrypts the GK-encrypted UKD using the GK to determine the decrypted UCE and the decrypted UKN.
  - 7. The client device according to claim 1, wherein the decryption module is further configured to remove additional encryption from the GK-encrypted UKD before removing encryption from the GK-encrypted UKD using the GK to determine the decrypted UCE and the decrypted UKN.
  - 8. The client device according to claim 1, wherein the decryption module is further configured to extract a hardware service information (HSI) from the UKD.

9. A method for encrypting content, said method comprising:
- a device receiving a GK-encrypted UKD, wherein the GK-encrypted UKD includes a GK-encrypted UCE and a GK-encrypted UKN;
  
  decrypting the GK-encrypted UKD using a GK to determine a decrypted UCE and a decrypted UKN;
  
  reapplying encryption to the decrypted UCE and the decrypted UKN using a DUK to determine a DUK-encrypted UCE and a DUK-encrypted UKN;
  
  appending the device UKN to the encrypted UCE to form a DUK-encrypted UKD;
  
  storing the DUK-encrypted UKD in a memory; and
  
  verifying that the stored DUK-encrypted UKN is not equal to the GEK-encrypted UKN and if the DUK-encrypted UKN is verified as not equal to GK-encrypted UKN utilizing UCE as a cryptographic identity of the device.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method according to claim 9, further comprising:
    - after decrypting the GK-encrypted UKD using the GK, validating a signature over the decrypted UKD using a public key.
  - 11. The method according to claim 9, wherein receiving the UKD comprises:
    - having the KGF generate the GK-encrypted UCE;
      
      having the KGF append the GK-encrypted UKN to the GK-encrypted UCE to form the GK-encrypted UKD; and
      
      having the KGF send the GK-encrypted UKD to the client device.
  - 12. The method according to claim 11, wherein the KGF acts as a certificate authority (CA);
    - andwhere UKE includes a device private key, andthe client device is provisioned with both UKD and a corresponding digital certificate that is issued by the KGF.
  - 13. The method according to claim 11, said method further comprising steps performed by a computing apparatus of:
    - after having the KGF append the GK-encrypted UKN to the GK-encrypted UCE to produce the GK-encrypted UKD, having the KGF decrypt the GK-encrypted UKN and the GK-encrypted UCE using the GK to determine a decrypted UCE and a decrypted UKN, wherein the decrypted UCE and the decrypted UKN form a decrypted UKD; and
      
      having the KGF generate a signature field over the decrypted UKD and appending the signature field to the encrypted UKD.
  - 14. The method according to claim 13, said method further comprising steps performed by a computing apparatus of:
    - after having the KGF produce the GK-encrypted UKD, having the KGF encrypt HSI using the GK and append the GK-encrypted HSI to the encrypted UKD; and
      
      after having the KGF decrypt the GK-encrypted UKN and the GK-encrypted UCE using the GK, appending the HSI to the decrypted UKN and the decrypted UCE before having the KGF generate a signature field over the decrypted UKD and appending the signature field to the encrypted UKD.
  - 15. The method according to claim 9, said method further comprising steps performed by a computing apparatus of:
    - rebooting the client device; and
      
      after the rebooting, retrieving the DUK-encrypted UKN and the GK-encrypted UKN, and performing the verifying that the stored DUK-encrypted UKN is not equal to the GEK-encrypted UKN and if the DUK-encrypted UKN is verified as not equal to GK-encrypted UKN utilizing UCE as the cryptographic identity of the device.
  - 16. The method according to claim 9, wherein the UCE is one of a 128-bit advanced encryption standard (AES) key, an Elliptic Curve private key, and a Diffie-Hellman private key.
  - 17. The method according to claim 9, said method further comprising steps performed by a computing apparatus of:
    - prior to verifying that a GK-encrypted UKN is same as a pre-provisioned value, removing additional layers of encryption.

19. A computer readable storage medium on which is embedded one or more computer programs, said one or more computer programs implementing a method for encrypting content, said one or more computer programs comprising a set of instructions for:
- a device receiving a GK-encrypted UKD, wherein the GK-encrypted UKD includes a GK-encrypted UCE and a GK-encrypted UKN;
  
  verifying that the GK-encrypted UKN is same as a pre-provisioned value;
  
  if the GK-encrypted UKN is same as the pre-provisioned value, decrypting the GK-encrypted UKD using a GK to determine a decrypted UCE and a decrypted UKN;
  
  reapplying encryption to the decrypted UCE and the decrypted UKN using a DUK to determine a DUK-encrypted UCE and a DUK-encrypted UKN;
  
  verifying that the DUK-encrypted UKN is not equal to the encrypted UKN;
  
  if the DUK-encrypted UKN is not equal to the encrypted UKN, appending the device UKN to the encrypted UCE to form a DUK-encrypted UKD; and
  
  storing the DUK-encrypted UKD in a memory.
- View Dependent Claims (20)
- - 20. The computer readable storage medium according to claim 19, said one or more computer programs further including a set of instructions for:
    - rebooting the client device; and
      
      after the rebooting, retrieving the DUK-encrypted UKN and the GK-encrypted UKN, and performing the verifying that the stored DUK-encrypted UKN is not equal to the GEK-encrypted UKN and if the DUK-encrypted UKN is verified as not equal to GK-encrypted UKN utilizing UCE as the cryptographic identity of the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google Technology Holdings LLC (Alphabet Inc.)
Original Assignee
General Instrument Corporation (CommScope Holding Company, Inc.)
Inventors
Medvinsky, Alexander

Granted Patent

US 8,538,890 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/2
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

ENCRYPTING A UNIQUE CRYPTOGRAPHIC ENTITY

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ENCRYPTING A UNIQUE CRYPTOGRAPHIC ENTITY

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links