Method and apparatus for providing conditional access in connection-oriented, interactive networks with a multiplicity of service providers
Abstract
A control system provides secure transmission of programs, including at least one of video, audio, and data, between a service provider and a customer's set top unit over a digital network. Program bearing data packets are received in a first network protocol over a first data link and removed from the first network protocol. Packets representing a particular program requested by a customer having a set top unit are selected. Conditional access is provided to the selected program. In particular, program bearing packets are encrypted according to a first encryption algorithm using a first key, which is then encrypted according to a second encryption algorithm using a second key. The first keys are transported in packets to the customer's set top units along with the program packets. A public key cryptographic technique encrypts the second key such that the public key used in the encryption corresponds to the private key of the customer's set top unit. After the conditional access layers have been added, the packets are encapsulated and output in a second network protocol destined for the set top unit.
50 Claims
1. In an interactive information services system for providing at least one of video, audio, and data (program) requested by a customer from a service provider (SP) and for transmitting the requested program in program bearing packets to a set top unit (STU) associated with the customer, apparatus positioned between the SP and the STU associated with the customer, apparatus positioned between the SP and the STU for ensuring that only the customer has access to said program, said apparatus comprising:

means for receiving program bearing packets in a first network protocol from a first data link and removing said packets from said first network protocol;
means for adding conditional access to said program bearing packets, said means for applying conditional access comprising:
means for selecting program bearing packets comprising a program requested by the customer;
means for encrypting said selected program bearing packets according to a first encryption algorithm using a first key;
means for encrypting said first key according to a second encryption algorithm using a second key;
means for providing the encrypted said first key to the customer;
means for encrypting said second key according to a public-key encryption algorithm using a public key corresponding to a private key stored within the STU associated with the customer;
means for providing the encrypted said second key to the customer; and
means for hashing a concatenation of said first key and said second key according to a hashing function to produce an authentication code from which the STU can determine the authenticity of said first key; and
means for re-encapsulating said program bearing packets in a second network protocol and outputting said program bearing packets over a second data link.
Dependent claims: 2-14.

15. In an interactive information services system for providing at least one of video, audio, and data (program) requested by a customer from a service provider (SP) and for transmitting the requested program in program bearing packets to a set top unit (STU) associated with the customer, apparatus positioned between the SP and the STU for ensuring that only the customer has access to said program, said apparatus comprising:

means for receiving program bearing packets in a first network protocol from a first data link and removing said packets from said first network protocol;
means for adding conditional access to said program bearing packets, said means for applying conditional access comprising:
means for selecting program bearing packets comprising a program requested by the customer;
means for encrypting said selected program bearing packets according to a first encryption algorithm using a first key;
means for encrypting said first key according to a second encryption algorithm using a second key;
means for hashing a concatenation of said first key and said second key according to a hashing function to produce an authentication code from which the STU can determine the authenticity of said first key;
means for providing the encrypted said first key and the hash of said first key concatenated with said second key to the customer;
means for encrypting said second key according to a third encryption algorithm using a third key corresponding to a private key stored within the STU associated with the customer;
means for providing a digital signature based on said second key, the STU using the digital signature to verify the source of said second key;
means for providing the encrypted said second key and the digital signature to the customer; and
means for re-encapsulating said program bearing packets in a second network protocol and outputting said program bearing packets over a second data link.
Dependent claims: 16-26.

27. In a digital video delivery system, wherein a plurality of programs are stored at a service provider (SP) in a transport packet format and delivered in a first protocol format to a network for delivery to a subscriber, a method for linking the SP to the network and applying conditional access to the transport packets comprising:

selecting program bearing packets comprising a program requested by the customer;
encrypting said selected program bearing packets according to a first encryption algorithm using a first key;
encrypting said first key according to a second encryption algorithm using a second key;
providing the encrypted said first key to the customer;
encrypting said second key according to a public-key encryption algorithm using a public key corresponding to a private key stored within a set top unit (STU) associated with the customer;
providing the encrypted said second key to the customer; and
wherein applying conditional access further comprises the step of hashing a concatenation of said first key and said second key according to a hashing function to produce an authentication code from which the STU can determine the authenticity of said first key.
Dependent claims: 28-35.

36. In a digital information delivery system wherein a plurality of programs are stored in a transport packet format and are delivered to a network for transmission to an authorized customer, a method for applying conditional access to the transport packets comprising the steps of:

(a) selecting packets comprising a program requested by an authorized customer;
(b) encrypting the program bearing transport packets according to a first encryption algorithm using a first key;
(c) outputting the encrypted transport packets for delivery to the authorized customer over the network;
(d) encrypting said first key according to a second encryption algorithm using a second key;
(e) generating a message authentication code comprising a hash of the concatenation of said first key and said second key according to a hashing function;
(f) providing the encrypted said first key and said message authentication code to the authorized customer over the network;
(g) encrypting said second key according to a third encryption algorithm using a third key;
(h) applying a digital signature to the encrypted said second key, the authorized customer using the digital signature to verify the origin of the encrypted said second key; and
(i) providing the encrypted and digitally signed said second key to the authorized customer over the network.
Dependent claims: 37-42.

43. In a digital transmission system wherein groups of program bearing packets are transmitted over a digital network between a service provider (SP) at a transmission site and a customer having a reception site, a method of selectively providing conditional access to a program within said program bearing packets comprising the steps of:

at the transmission site:
(a) selecting packets bearing a particular program to be delivered to at least one selected customer;
(b) encrypting at least a portion of the selected packets with a first key using a first encryption algorithm;
(c) encrypting said first key with a second key using a second encryption algorithm;
(d) generating a message authentication code for the first key comprising a hash of a concatenation of said second key with said first key according to a hashing function;
(e) generating an entitlement control message comprising a concatenation of said message authentication code and said first key;
(f) generating a digital signature for said second key comprising a hash of said second key according to a hashing function and encrypting said hash of said second key with a private key associated with the SP, said private key having a public-key counterpart, in accordance with a first public key encryption algorithm;
(g) forming an entitlement management message comprising said encrypted key and said digital signature;
(h) encrypting at least a portion of said entitlement management message with a public key according to a second public-key encryption algorithm, wherein said public key is associated with said at least one selected customer;
(i) multiplexing said selected program bearing packets, said entitlement control message and said entitlement management message into said digital network for reception by said at least one customer's reception site;
at the reception site:
(j) receiving said selected program bearing packets, said entitlement control message, and said entitlement management message at said at least one customer's reception site;
(k) recovering said second key from said entitlement management message by: decrypting said encrypted portion of said entitlement management message using a private key corresponding to said public key associated with said at least one selected customer, retrieving said digital signature portion and decrypting said digital signature portion with a public-key counterpart to said private key associated with the SP, retrieving said second key and hashing said second key, and authenticating said second key when said digital signature is equivalent to said hashed second key;
(l) recovering said first key from said entitlement control message by: decrypting said first key with said second key, concatenating said first key and said second key, generating a hash value by hashing said concatenated first key and said second key, and authenticating said first key when said hash value is equivalent to said message authentication code contained in said entitlement control message; and
(m) decrypting said selected packets bearing said particular program with said first key.
Dependent claims: 44-50.
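The two-site procedure of claim 43, which also covers the sender-side steps of claim 36 and the key hierarchy of claims 1, 15 and 27, as an added example that is not part of the patent or its claims. The transmission side builds the entitlement control message (ECM) and entitlement management message (EMM); the reception side recovers and authenticates the second key, then the first key, and only then decrypts the program packets, so a forged or altered ECM or EMM yields nothing. The concrete algorithms are illustrative choices the claims do not fix: AES-GCM for the first and second (symmetric) algorithms, SHA-256 as the hashing function, RSA-OAEP for the customer-public-key encryption of the EMM, and an RSA PKCS#1 v1.5 signature by the SP over the hash of the second key. The ECM and EMM layouts, the Protect and Recover names, and the K1 || K2 concatenation order (step (d) of claim 43 writes it K2 || K1, the other claims K1 || K2) are likewise constructed for this example. Only the second-key portion of the EMM is encrypted under the customer's public key and the signature rides in clear, which is one reading of the "at least a portion" in step (h).

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Constructed, simplified layouts for claim 43's two messages (not the patent's own formats).
type ECM struct{ MAC, EncK1 []byte } // (e) MAC = SHA-256(K1 || K2); EncK1 = K1 sealed under K2
type EMM struct{ EncK2, Sig []byte } // (g) EncK2 = K2 under the STU public key; Sig = SP signature over K2

// randomBytes draws n bytes from the CSPRNG; a CSPRNG failure must never yield a key.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// digest is the hashing function assumed throughout: SHA-256.
func digest(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// aead builds AES-GCM, standing in for the claim's first and second (symmetric) algorithms.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key lengths are fixed by this code, so this is a programming error
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil) // nonce prepended to the ciphertext
}

func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed value too short")
}

// firstKeyMAC is the claim's authentication code for K1: a hash of K1 concatenated with K2.
func firstKeyMAC(k1, k2 []byte) []byte {
	return digest(append(append([]byte{}, k1...), k2...))
}

// Protect performs steps (a)-(i) at the transmission site.
func Protect(packets [][]byte, spPriv *rsa.PrivateKey, stuPub *rsa.PublicKey) ([][]byte, ECM, EMM, error) {
	k1, k2 := randomBytes(16), randomBytes(32)
	enc := make([][]byte, len(packets))
	for i, p := range packets {
		enc[i] = seal(k1, p) // (b) encrypt the selected packets with K1
	}
	ecm := ECM{MAC: firstKeyMAC(k1, k2), EncK1: seal(k2, k1)} // (c),(d),(e)
	sig, err := rsa.SignPKCS1v15(rand.Reader, spPriv, crypto.SHA256, digest(k2)) // (f)
	if err != nil {
		return nil, ECM{}, EMM{}, err
	}
	encK2, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, stuPub, k2, nil) // (h)
	if err != nil {
		return nil, ECM{}, EMM{}, err
	}
	return enc, ecm, EMM{EncK2: encK2, Sig: sig}, nil // (i) ready to multiplex
}

// Recover performs steps (j)-(m) at the reception site; every check must pass before K1 is used.
func Recover(enc [][]byte, ecm ECM, emm EMM, stuPriv *rsa.PrivateKey, spPub *rsa.PublicKey) ([][]byte, error) {
	k2, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, stuPriv, emm.EncK2, nil) // (k)
	if err != nil || rsa.VerifyPKCS1v15(spPub, crypto.SHA256, digest(k2), emm.Sig) != nil {
		return nil, errors.New("EMM: second key unrecoverable or not authentic")
	}
	k1, err := open(k2, ecm.EncK1) // (l)
	if err != nil || !bytes.Equal(firstKeyMAC(k1, k2), ecm.MAC) {
		return nil, errors.New("ECM: first key unrecoverable or not authentic")
	}
	out := make([][]byte, len(enc))
	for i, c := range enc { // (m) decrypt the program packets with K1
		if out[i], err = open(k1, c); err != nil {
			return nil, errors.New("program packet damaged")
		}
	}
	return out, nil
}
```

To exercise it, generate two RSA key pairs (the SP's signing pair and the STU's decryption pair), call Protect with a few constructed packets, and hand the three outputs to Recover. The ordering in Recover is the point of the claim: the signature check on the second key happens before the second key is trusted to unwrap the first key, and the MAC check on the first key happens before the first key touches any program packet. Flipping a byte of the ECM's MAC or the EMM's signature, or presenting the EMM to a set top unit holding a different private key, is rejected at the corresponding step and no program data is released.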