Preventing replay attacks on digital information distributed by network service providers
First Claim
1. A method of protecting a given encrypted instance of a service that a service provider provides via a network to a subscriber,the method being practiced in apparatus by means of which the subscriber accesses instances of the service for limited periods of time and the method comprising the steps of:
- receiving a first message from the service provider, the first message including at least a period specifier which specifies a given period of time and an authorization for the service;
- receiving a second message from the service provider, the second message being associated with the given instance and including at least an identification of the service, a time specifier which specifies a time, and first decryption information for the given instance;
- receiving the given instance; and
- using the first decryption information and second decryption information accessible to the apparatus to decrypt the given instance only if the identification of the service from the second message indicates the same service as the authorization therefor from the first message and the time specified by the time specifier from the second message is within the period specified by the period specifier from the first message.
Abstract
A technique for preventing replay attacks on digital information distributed by network service providers. At the beginning of a subscription period for a service, a network service provider sends entitlement messages to the subscriber which provide the subscriber for the service with a session key and authorization information. The authorization information specifies a service and a period of time. When an encrypted instance of a service is distributed on the network, it is accompanied by a series of entitlement control messages. Each of the messages includes a value which can be used with the session key to obtain a control word for decrypting the encrypted instance and a time specifier. The subscriber equipment which decrypts the instance of the service does so only if the time specifier in the entitlement control message specifies a time within the time period specified by the authorization information.
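The exchange the abstract describes, as an added example that is not part of the patent record: the provider issues one entitlement management message (EMM) per subscription period carrying the period specifier, the service authorization and a session key, then an entitlement control message (ECM) with each encrypted instance carrying the service identification, a time specifier and the value from which the control word is obtained. The subscriber apparatus decrypts only when the ECM's service matches a stored authorization and its time specifier falls inside the stored period, so re-presenting a stale EMM does not extend access. The control-word derivation (an HMAC under the session key), the toy SHA-256 keystream standing in for the content cipher, the epoch offsets and the message names are all assumptions of this example; the patent does not specify them.

```python
import hashlib
import hmac
import itertools
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class EntitlementManagementMessage:
    """EMM: sent to the subscriber at the start of a subscription period."""
    service_id: str
    period_start: int     # period specifier, as seconds since a constructed epoch
    period_end: int
    session_key: bytes    # the "second decryption information" held by the apparatus


@dataclass(frozen=True)
class EntitlementControlMessage:
    """ECM: accompanies each encrypted instance of the service."""
    service_id: str
    time_specifier: int   # time the provider attaches to this instance
    value: bytes          # "first decryption information": yields the control word


def derive_control_word(session_key: bytes, value: bytes) -> bytes:
    # Assumption: the abstract only says the value is "used with the session key
    # to obtain a control word"; an HMAC keyed by the session key stands in here.
    return hmac.new(session_key, value, hashlib.sha256).digest()


def keystream(control_word: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256, a stand-in for the real content cipher.
    out = bytearray()
    for counter in itertools.count():
        out += hashlib.sha256(control_word + counter.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor_bytes(data: bytes, mask: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, mask))


class ServiceProvider:
    """Head end: issues an EMM per period and an ECM plus ciphertext per instance."""

    def __init__(self, service_id: str, session_key: bytes):
        self.service_id = service_id
        self.session_key = session_key

    def emm(self, period_start: int, period_end: int) -> EntitlementManagementMessage:
        return EntitlementManagementMessage(self.service_id, period_start, period_end, self.session_key)

    def send_instance(self, plaintext: bytes, at: int, value: bytes):
        control_word = derive_control_word(self.session_key, value)
        ciphertext = xor_bytes(plaintext, keystream(control_word, len(plaintext)))
        return EntitlementControlMessage(self.service_id, at, value), ciphertext


class SubscriberApparatus:
    """Subscriber side: stores EMMs and decrypts only when both claim-1 checks pass."""

    def __init__(self) -> None:
        self.entitlements: Dict[str, EntitlementManagementMessage] = {}

    def receive_emm(self, emm: EntitlementManagementMessage) -> None:
        # Claim 23: the EMM contents are stored for the later decrypt decision.
        self.entitlements[emm.service_id] = emm

    def decrypt(self, ecm: EntitlementControlMessage, ciphertext: bytes) -> Optional[bytes]:
        emm = self.entitlements.get(ecm.service_id)
        if emm is None:
            return None   # no authorization stored for this service
        if not (emm.period_start <= ecm.time_specifier <= emm.period_end):
            return None   # time specifier outside the authorized period
        control_word = derive_control_word(emm.session_key, ecm.value)
        return xor_bytes(ciphertext, keystream(control_word, len(ciphertext)))


# Constructed epoch offsets for two adjacent subscription periods.
JAN_1, FEB_1 = 0, 31 * 86_400


def run_scenario():
    key = hashlib.sha256(b"constructed session key").digest()
    provider = ServiceProvider("movies", key)
    box = SubscriberApparatus()

    # Subscription bought for January only.
    january_emm = provider.emm(JAN_1, FEB_1 - 1)
    box.receive_emm(january_emm)
    ecm_jan, ct_jan = provider.send_instance(b"january feature", JAN_1 + 3600, b"slot-1")
    in_period = box.decrypt(ecm_jan, ct_jan)

    # February, not renewed: the stale January EMM is presented to the box again.
    # The session key is assumed unchanged, so only the time check stands in the way.
    box.receive_emm(january_emm)
    ecm_feb, ct_feb = provider.send_instance(b"february feature", FEB_1 + 3600, b"slot-2")
    replayed = box.decrypt(ecm_feb, ct_feb)

    # An ECM naming a service with no stored authorization is never decrypted.
    ecm_other = EntitlementControlMessage("sports", JAN_1 + 7200, b"slot-3")
    wrong_service = box.decrypt(ecm_other, ct_jan)

    return in_period, replayed, wrong_service


if __name__ == "__main__":
    print(run_scenario())
```

The time specifier comes from the provider with each ECM, so the apparatus never needs a trusted local clock: a stale EMM can only ever authorize instances whose ECMs the provider stamped inside that EMM's own period.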
Claims (42)
12. A method of protecting a given encrypted instance of a service that a service provider provides via a network to a subscriber, the method comprising the steps performed by the service provider of:
- sending a first message to apparatus by means of which the subscriber accesses instances of the service for limited periods of time, the first message including at least a period specifier which specifies a given period of time and an authorization for the service;
- sending a second message to the apparatus, the second message being associated with the given instance and including at least an identification of the service, a time specifier which specifies a time, and first decryption information for the given instance; and
- sending the given instance via the network to the apparatus, the apparatus using the first decryption information and second decryption information accessible to the apparatus to decrypt the given instance only if the identification of the service from the second message indicates the same service as the authorization therefor from the first message and the time specified by the time specifier from the second message is within the period specified by the period specifier from the first message.
Dependent claims: 13 to 22.
23. An entitlement management message used in a system for providing encrypted instances of services to subscribers via a network, the subscribers accessing the instances by means of apparatus coupled to the network and each subscriber having subscribed for access to instances of the service for a period of time, the entitlement management message comprising:
- a period specifier which specifies the period of time and an authorization for the service;
the apparatus responding to the entitlement management message by storing the contents thereof for later use in determining whether to decrypt an instance of the service.
Dependent claims: 24 to 30.
31. An entitlement control message used in a system for providing encrypted instances of services to subscribers via a network, the subscribers accessing the instances by means of apparatus coupled to the network and each subscriber having subscribed for access to instances of the service for a period of time, the entitlement control message being associated with an instance and comprising:
- an identification of the service;
- a time specifier which specifies a time; and
- first decryption information for the given instance,
the apparatus using previously-stored second decryption information and the first decryption information to decrypt the given instance only if the identification of the service from the entitlement control message indicates the same service as a previously-stored authorization therefor and the time specified by the time specifier is within a period specified by a previously-stored period specifier.
Dependent claim: 32.
33. Apparatus coupled to a network for accessing encrypted instances of a service which a service provider provides to a subscriber via the network, the subscriber being permitted by the service provider to access instances of the service for limited periods of time and the apparatus comprising:
- a receiver that receives messages and the instances from the service provider via the network;
- a processor coupled to the receiver that processes the messages; and
- a decrypter coupled to the processor and the receiver that decrypts the instances,
the messages including a first message including at least a period specifier which specifies a given period of time and an authorization for the service and a second message associated with the given instance and including at least an identification of the service, a time specifier which specifies a time, and first decryption information for the given instance; the receiver receiving the first and second messages and providing them to the processor; and the processor using the first decryption information and second decryption information accessible to the apparatus to enable the decrypter to decrypt an instance received in the receiver only if the processor determines that the identification of the service from the second message indicates the same service as the authorization therefor from the first message and the time specified by the time specifier from the second message is within the period specified by the period specifier from the first message.
Dependent claims: 34 to 42.
Specification