Source authentication of download information in a conditional access system
First Claim
1. A method for authenticating a source of information in a cable television system comprising head end equipment and set top terminals, the method comprising the steps of:
- providing source information as an input to a secure hash function for producing an output, wherein said source information includes a logic segment; and
using at least a portion of said output from said secure hash function as a source authentication token.
2 Assignments
0 Petitions
Accused Products
Abstract
A cable television system provides conditional access to services. The cable television system includes a headend from which service “instances”, or programs, are broadcast and a plurality of set top units for receiving the instances and selectively decrypting the instances for display to system subscribers. The service instances are encrypted using public and/or private keys provided by service providers or central authorization agents. Keys used by the set tops for selective decryption may also be public or private in nature, and such keys may be reassigned at different times to provide a cable television system in which piracy concerns are minimized.
161 Citations
36 Claims
-
1. A method for authenticating a source of information in a cable television system comprising head end equipment and set top terminals, the method comprising the steps of:
-
providing source information as an input to a secure hash function for producing an output, wherein said source information includes a logic segment; and
using at least a portion of said output from said secure hash function as a source authentication token. - View Dependent Claims (2, 3, 4, 5, 6, 13, 14, 15)
storing, at a receiver included in the cable television system, a public key of a public-private key pair; and
storing, at a transmitter included in the cable television system, a private key of a public-private key pair.
-
-
3. The method set forth in claim 2, wherein authentication further comprises the step of:
transmitting said source authentication token and said source information.
-
4. The method of claim 3, further comprising the step of:
encrypting said source authentication token prior to its transmission.
-
5. The method set forth in claim 4, wherein said authentication further comprises, at said receiver, the steps of:
-
receiving said source authentication token and said source information wherein said logic segment of said source information is configured for execution in said receiver;
decrypting said source authentication token using a public key of the public-private key pair, wherein said public key is stored by said receiver;
providing said source information as an input into said secure hash function for producing an output;
using at least a portion of said output from said secure hash function at said receiver as a receiver authentication token; and
comparing said source authentication token with said receiver authentication token, the information being authentic when said source authentication token and said receiver authentication are the same.
-
-
6. The method set forth in claim 5, wherein said public key comprises a certified public key provided by a certification authority.
-
13. The method of claim 3, further comprising the step of:
- encrypting said source authentication token prior to its transmission.
-
14. The method set forth in claim 13, wherein said authentication further comprises, at the receiver, the steps of:
-
receiving said source authentication token and said source information;
decrypting said source authentication token using a public key of the public-private key pair, wherein said public key is stored by the receiver;
providing said source information as an input into said secure hash function for producing an output;
using at least a portion of said output from said secure hash function at the receiver as a receiver authentication token; and
comparing said source authentication token with said receiver authentication token, the information being authentic when said source authentication token and said receiver authentication are the same.
-
-
15. The method set forth in claim 14, wherein said public key comprises a certified public key provided by a certification authority.
-
7. A method, in a cable television system comprising head end equipment for providing download information, a set top terminal for receiving the download information, and a communication medium coupled therebetween, of verifying the head end equipment as a source of the download information, the method comprising the steps of:
-
at said head end equipment, providing said download information as an input to a secure hash function to generate a source authentication token;
encrypting a control word using a private key provided by a conditional access authority, wherein said private key is included in a public-private key pair; and
transmitting said source authentication token, said download information, and said encrypted control word over the communication medium;
at said set top terminal, receiving said source authentication token, said encrypted control word, and said download information;
decrypting said encrypted control word using a public key included in said public-private key pair;
providing said download information as an input to said secure hash function for producing an output;
using at least a portion of said output from said secure hash function at said set top terminal as a receiver authentication token; and
comparing said source authentication token with said receiver authentication token, the download information being authentic when said source authentication token and said receiver authentication token are the same. - View Dependent Claims (16, 17, 18)
executing said logic segment at said receiver after said download information has been authenticated.
-
-
18. The method set forth in claim 7, wherein said download information includes a data segment for an application configured for execution at said set top terminal.
-
8. A head end for providing verifiable download information, the head end comprising:
-
a data port for receiving a private key provided by a certification authority, wherein said private key is included in a public-private key pair;
a memory for storing the private key;
a processor for performing a secure hash function having as inputs said download information and a control word, said hash function producing an output;
a device for creating a source authentication token from at least a portion of said output of said secure hash function;
an encryptor for encrypting said control word; and
a transmission device for transmitting said source authentication token, said encrypted control word, and said download information. - View Dependent Claims (19, 20)
-
-
9. A set top terminal for verifying an information source, said set top terminal comprising:
-
a port for receiving a message comprising download information, a source authentication token, and a control word from said information source;
a memory for storing a public key that is included in a public-private key pair;
a decryptor coupled to said port for decrypting said control word using said public key;
a processor coupled to said decryptor for performing a secure hash function having as inputs said decrypted control word and said download information wherein said secure hash function produces an output, and for creating a receiver authentication token from at least a portion of said output from said secure hash function; and
a comparator for comparing said source authentication token with said receiver authentication token, wherein the processor accepts the download information as authentic when said source authentication token and said receiver authentication token are the same. - View Dependent Claims (21, 22, 23, 24)
-
-
10. A cable television system for verifying the source of download information, the cable television system comprising:
-
a certification authority for generating and providing public and private keys within the cable television system;
an entitlement agent for providing verifiable download information, the entitlement agent comprising;
a data port for receiving a private key provided by the certification authority, wherein said private key is included in a public-private key pair generated by the certification authority;
a memory for storing the private key;
a processor for performing a secure hash function having as inputs said download information and a control word, said secure hash function producing an output;
a device for creating a source authentication token from at least a portion of said output of said secure hash function;
an encryptor for encrypting said control word; and
a transmission device for transmitting said source authentication token, said encrypted control word, and said download information;
a set top terminal for verifying an information source, said set top terminal comprising;
a port for receiving a message comprising said download information, said source authentication token, and said encrypted control word from said entitlement agent;
a memory for storing a public key that is included in said public-private key pair;
a decryptor coupled to said port for decrypting said encrypted control word using said public key;
a processor coupled to said decryptor for performing a secure hash function having as inputs said control word and said download information, said secure hash function producing an output, and for creating a receiver authentication token from at least a portion of said output from said secure hash function; and
a comparator for comparing said source authentication token with said receiver authentication token, wherein the processor accepts the download information as authentic when said source authentication token and said receiver authentication token are the same; and
a communication medium for coupling said certification authority, said set top terminal, and said entitlement agent. - View Dependent Claims (11, 12, 25, 26)
-
-
27. A method for providing a receiver in a cable television system with a verifiable logic segment, the method comprising:
-
including said logic segment as an input to a secure hash function for producing an output; and
using at least a portion of said output from said secure hash function as a source authentication token. - View Dependent Claims (28, 29, 30, 31, 32, 33)
storing, at said receiver, a public key of the public-private key pair; and
storing, at a transmitter included in the cable television system a private key of the public-private key pair.
-
-
29. The method set forth in claim 28, wherein authentication further comprises the step of:
transmitting said source authentication token and said logic segment.
-
30. The method of claim 29, further comprising the step of:
encrypting said source authentication token prior to its transmission.
-
31. The method set forth in claim 30, wherein said verification further comprises, at said receiver, the steps of:
-
receiving said source authentication token and said source information, wherein said logic segment of said source information is configured for execution in said receiver;
decrypting said source authentication token using a public key of the public-private key pair, wherein said public key is stored by said receiver;
including said logic segment as an input into said secure hash function for producing an output;
using at least a portion of said output from said secure hash function at said receiver as a receiver authentication token; and
comparing said source authentication token with said receiver authentication token, the information being authentic when said source authentication token and said receiver authentication token are the same.
-
-
32. The method set forth in claim 31, wherein said public key comprises a certified public key provided by a certification authority.
-
33. The method set forth in claim 31, further comprising the step:
executing said logic segment at said receiver after said download information has been authenticated.
-
34. A method for providing verifiable data from head end equipment to a receiver in a cable television system, the method comprising the steps of:
-
providing source information as an input to a secure hash function for producing an output, wherein said source information includes a data segment for an application configured for execution at the receiver; and
using at least a portion of said output from said secure hash function as a source authentication token. - View Dependent Claims (35, 36)
storing a public key of a public-private key pair at the receiver; and
storing a private key of the public-private key pair at a transmitter included in the cable television system.
-
-
36. The method set forth in claim 35, wherein authentication further comprises the steps of:
transmitting said source authentication token and said source information.
Specification