KEY DISTRIBUTION SYSTEM

US 20100296655A1
Filed: 03/03/2009
Published: 11/25/2010
Est. Priority Date: 03/10/2008
Status: Active Grant

First Claim

Patent Images

1. A key distribution system for controlling access to content by a plurality of rendering devices, comprising:

an epoch module to provide a plurality of epochs, each of the epochs including a plurality of service key periods;

a service key module to provide a plurality of service keys so that, for each one of the epochs, a batch of the service keys is provided for employment in decryption of the content across the service key periods of the one epoch;

a group module to provide a plurality of group keys for each of the epochs such that;

for each of the epochs, each of the rendering devices is assigned one of the group keys such that more than one of the rendering devices may be assigned a same one of the group keys;

for each of the epochs, the assignment of the group keys groups together the rendering devices having the same one group key, thereby defining a plurality of groups;

each of the service keys is valid across all the groups; and

in different ones of the epochs, the rendering devices are grouped differently;

an encryption module to encrypt, for each of the epochs, each of the service keys, in the batch of the service keys with each of the group keys, such that each of the service keys is individually encrypted with a different one of the group keys yielding a plurality of group-key-encrypted service keys from each of the service keys; and

a delivery module to distribute to the rendering devices, for each one of the epochs, the group-key-encrypted service keys for the batch of the service keys and the group keys of the one epoch.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A key distribution system for controlling access to content by rendering devices, comprising an epoch module to provide epochs, each epoch including service key periods, a service key module to provide a batch of service keys, a group module to provide group keys for each epoch such that each rendering device is assigned a group key grouping together the devices having the same group key, thereby defining groups, in different epochs the devices are grouped differently, an encryption module to encrypt, for each epoch, each service key in the batch of service keys, individually with each group key yielding a plurality of group-key-encrypted service keys from each service key, and a delivery module to distribute to the devices, for each one of the epochs, the group-key-encrypted service keys for the batch of service keys and the group keys of the one epoch. Related apparatus and methods are also described.

Citations

38 Claims

1. A key distribution system for controlling access to content by a plurality of rendering devices, comprising:
- an epoch module to provide a plurality of epochs, each of the epochs including a plurality of service key periods;
  
  a service key module to provide a plurality of service keys so that, for each one of the epochs, a batch of the service keys is provided for employment in decryption of the content across the service key periods of the one epoch;
  
  a group module to provide a plurality of group keys for each of the epochs such that;
  
  for each of the epochs, each of the rendering devices is assigned one of the group keys such that more than one of the rendering devices may be assigned a same one of the group keys;
  
  for each of the epochs, the assignment of the group keys groups together the rendering devices having the same one group key, thereby defining a plurality of groups;
  
  each of the service keys is valid across all the groups; and
  
  in different ones of the epochs, the rendering devices are grouped differently;
  
  an encryption module to encrypt, for each of the epochs, each of the service keys, in the batch of the service keys with each of the group keys, such that each of the service keys is individually encrypted with a different one of the group keys yielding a plurality of group-key-encrypted service keys from each of the service keys; and
  
  a delivery module to distribute to the rendering devices, for each one of the epochs, the group-key-encrypted service keys for the batch of the service keys and the group keys of the one epoch.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The system according to claim 1, wherein the service key module is operative to provide the service keys so that, for each one of the epochs, the batch of the service keys is provided for employment in decryption of the content for a plurality of services across the service key periods of each one of the epochs such that a different one of the service keys in the batch is valid for each different combination of the services and the service key periods.
  - 3. The system according to claim 1, wherein the delivery module is operative to distribute, for each one of the groups, the batch of the service keys of the one epoch to the rendering devices of the one group in at least one key package.
  - 4. The system according to claim 3, wherein the delivery module is operative to include at least one additional service key of an epoch after the one epoch in the at least one key package so as to provide a grace period for content access after the end of the one epoch.
  - 5. The system according to claim 3, wherein the delivery module is operative to distribute, for each one of the groups, the group keys of the one epoch to the rendering devices of the one group in the at least one key package.
  - 6. The system according to claim 3, wherein the epoch module is operative to provide, for each one of the epochs, an epoch key, the encryption module being operative to encrypt, for each one of the groups, the at least one key package of the one group using the epoch key of the one epoch.
  - 7. The system according to claim 3, wherein the delivery module is operative to include an identification in the at least one key package of the one group, the identification identifying the at least one key package of the one group as being associated with the one group.
  - 8. The system according to claim 1, wherein the group module is operative to assign the group keys to the rendering devices randomly/pseudo-randomly.
  - 9. The system according to claim 1, wherein:
    - the rendering devices are operative to determine to which of the groups the rendering devices belong by employing a function having parameters; and
      
      the delivery module is operative to distribute the function and/or the parameters to the rendering devices.
  - 10. The system according to claim 9, wherein the function includes a hash function.
  - 11. The system according to claim 9, wherein the function is function of at least one of the following:
    - a user key and a device ID.
  - 12. The system according to claim 1, further comprising a traitor identifier to identify a traitor device of the rendering devices based on the traitor device distributing, at least one of the group-key-encrypted service keys and/or at least one of the group keys.
  - 13. The system according to claim 2, further comprising a period master key module to provide for each one of the service key periods in the one epoch a different period master key, the encryption module being operative to further encrypt each one of the group-key-encrypted service keys using the period master key of the one service key period of the one group-key encrypted service key being encrypted.
  - 14. The system according to claim 13, wherein the delivery module is operative to distribute, for each one of the service key periods, the period master key for the one service key period not before the start of a service key period immediately prior to the one service key period.
  - 15. The system according to claim 13, wherein the delivery module is operative to distribute, for each one of the service key periods, the period master key for the one service key period not before the start of the one service key period.
  - 16. The system according to claim 13, wherein the period master key module is operative to provide the period master key for each one of the service key periods such that the period master key for the one service key period is the same across all of the groups and across all of the services.
  - 17. The system according to claim 1, wherein:
    - each of the rendering devices is associated with a different user key;
      
      the user key of each of the rendering devices is associated with one of the group keys;
      
      the encryption module is operative to encrypt, for each one of the rendering devices, the one group key of the one rendering device using the user key of the one rendering device, yielding a user-key-encrypted group key for each of the rendering devices; and
      
      the delivery module is operative to distribute to the rendering devices the user-key-encrypted group key of each of the rendering devices.
  - 18. The system according to claim 17, wherein:
    - each of the rendering devices has a unique identification; and
      
      the delivery module is operative to distribute at least some of the user-key-encrypted group keys with the unique identification identifying the rendering devices associated with the at least some user-key-encrypted group keys.
  - 19. The system according to claim 17, wherein:
    - at least some of the user-key-encrypted group keys are associated with at least some of the rendering devices; and
      
      the delivery module is operative to distribute the at least some user-key-encrypted group keys without identifying the at least some rendering devices of the at least some user-key-encrypted group keys such that the at least some rendering devices need to identify which one of the at least some user-key-encrypted group keys is associated with which one of the at least some rendering devices by trial and error decryption of the at least some user-key-encrypted group keys.
  - 20. The system according to claim 19, wherein the delivery module is operative to distribute verification data to the at least some rendering devices, so that the at least some rendering devices check a result of the trial and error decryption against the verification data.
  - 21. The system according to claim 1, wherein:
    - the group module is operative to create a plurality of supergroups, one of the supergroups including the plurality of groups for the rendering devices, another one of the supergroups including a plurality of other groups for a plurality of other rendering devices;
      
      the group module is operative to provide a plurality of other group keys for each of the epochs thereby defining the other groups, in different ones of the epochs the other rendering devices are grouped differently;
      
      the encryption module is operative to encrypt, for each of the epochs, each of the service keys in the batch of the service keys with each of the other group keys, such that each one of the service keys is individually encrypted with a different one of the other group keys yielding a plurality of other-group-key-encrypted service keys from each one of the service keys; and
      
      the delivery module is operative to distribute the other-group-key-encrypted service keys for the batch of the service keys and the other group keys of the one epoch to the other rendering devices according to a first delivery schedule.
  - 22. The system according to claim 21, wherein:
    - the delivery module is operative to distribute the group-key-encrypted service keys for the batch of the service keys and the group keys of the one epoch to the rendering devices according to a second delivery schedule; and
      
      the first delivery schedule is different from the second delivery schedule.
  - 23. The system according to claim 22, wherein the first delivery schedule has a higher delivery frequency than the second delivery schedule.
  - 24. The system according to claim 1, wherein:
    - the group module is operative to create a plurality of supergroups, one of the supergroups including the plurality of groups for the rendering devices, another one of the supergroups including a plurality of other groups for a plurality of other rendering devices;
      
      the epoch module is operative to provide a plurality of other epochs, each of the other epochs including a number of the service key periods, the epochs commencing according to a plurality of first start dates, the other epochs commencing according to a plurality of second start dates, the first start dates being different from the second start dates;
      
      the service key module is operative to provide, for each of the other epochs, another batch of the service keys;
      
      the group module is operative to provide a plurality of other group keys for each of the other epochs thereby defining the other groups, in different ones of the other epochs the other rendering devices are grouped differently;
      
      the encryption module is operative to encrypt, for each of the other epochs, each of the service keys in the other batch of the service keys with each of the other group keys, such that each of the service keys of the other batch is individually encrypted with a different one of the other group keys yielding a plurality of other-group-key-encrypted service keys from each one of the service keys of the other batch; and
      
      the delivery module is operative to distribute, for each one of the other epochs, the other-group-key-encrypted service keys for the other batch of the service keys and the other group keys of the one epoch to the other rendering devices.

25-33. -33. (canceled)

34. A key distribution method for controlling access to content by a plurality of rendering devices, comprising:
- providing a plurality of epochs, each of the epochs including a plurality of service key periods;
  
  providing a plurality of service keys so that, for each one of the epochs, a batch of the service keys is provided for employment in decryption of the content across the service key periods of the one epoch;
  
  providing a plurality of group keys for each of the epochs such that;
  
  for each of the epochs, each of the rendering devices is assigned one of the group keys such that more than one of the rendering devices may be assigned a same one of the group keys;
  
  for each of the epochs, the assignment of the group keys groups together the rendering devices having the same one group key, thereby defining a plurality of groups;
  
  each of the service keys is valid across all the groups; and
  
  in different ones of the epochs, the rendering devices are grouped differently;
  
  encrypting, for each of the epochs, each of the service keys, in the batch of the service keys with each of the group keys, such that each of the service keys is individually encrypted with a different one of the group keys yielding a plurality of group-key-encrypted service keys from each of the service keys; and
  
  distributing to the rendering devices, for each one of the epochs, the group-key-encrypted service keys for the batch of the service keys and the group keys of the one epoch.

35-37. -37. (canceled)

38. A key distribution system for controlling access to content by a plurality of rendering devices, comprising:
- means for providing a plurality of epochs, each of the epochs including a plurality of service key periods;
  
  means for providing a plurality of service keys so that, for each one of the epochs, a batch of the service keys is provided for employment in decryption of the content across the service key periods of the one epoch;
  
  means for providing a plurality of group keys for each of the epochs such that;
  
  for each of the epochs, each of the rendering devices is assigned one of the group keys such that more than one of the rendering devices may be assigned a same one of the group keys;
  
  for each of the epochs, the assignment of the group keys groups together the rendering devices having the same one group key, thereby defining a plurality of groups;
  
  each of the service keys is valid across all the groups; and
  
  in different ones of the epochs, the rendering devices are grouped differently;
  
  means for encrypting, for each of the epochs, each of the service keys, in the batch of the service keys with each of the group keys, such that each of the service keys is individually encrypted with a different one of the group keys yielding a plurality of group-key-encrypted service keys from each of the service keys; and
  
  means for distributing to the rendering devices, for each one of the epochs, the group-key-encrypted service keys for the batch of the service keys and the group keys of the one epoch.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
NDS Limited (Cisco Systems, Inc.)
Inventors
Waisbard, Erez, Solow, Hillel

Granted Patent

US 8,396,222 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/279
CPC Class Codes

G06F 21/1012   to domains

G06F 21/1015   to users

G06F 2221/2151   Time stamp

H04L 2209/60   Digital content management,...

H04L 2463/062   applying encryption of the ...

H04L 63/062   for key distribution, e.g. ...

H04L 9/0822   using key encryption key

H04L 9/0833   involving conference or gro...

H04L 9/088   Usage controlling of secret...

H04N 21/26606   for generating or managing ...

H04N 21/4623   Processing of entitlement m...

H04N 21/8355   involving usage data, e.g. ...

H04N 7/1675   Providing digital key or au...

KEY DISTRIBUTION SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

KEY DISTRIBUTION SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links