Apparatus for entitling remote client devices

US 6,748,080 B2
Filed: 05/24/2002
Issued: 06/08/2004
Est. Priority Date: 05/24/2002
Status: Active Grant

First Claim

Patent Images

1. A master-receiver in a subscriber network that receives a service instance from a headend and re-transmits the service instance to a client-receiver, the master-receiver comprising:

a transceiver adapted to transmit messages and the service instance to the client-receiver and receive a plurality of messages and information therefrom; and

a processor in communication with the transceiver, adapted to process messages from the client-receiver and dynamically determine an encryption scheme for the service instance transmitted to the client-receiver, wherein the processor is adapted to use at least one message of the plurality of received client-receiver messages to determine the encryption scheme for the service instance, wherein the at lest one message includes hardware information of the client-receiver that the processor is adapted to use for dynamically determining the encryption scheme of the transmitted service instance.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A master-receiver in a subscriber television network receives service instances and entitlement information from a headend of the subscriber television network and re-transmits service instances to a client-receiver after dynamic encryption scheme determination.

175 Citations

73 Claims

1. A master-receiver in a subscriber network that receives a service instance from a headend and re-transmits the service instance to a client-receiver, the master-receiver comprising:
- a transceiver adapted to transmit messages and the service instance to the client-receiver and receive a plurality of messages and information therefrom; and
  
  a processor in communication with the transceiver, adapted to process messages from the client-receiver and dynamically determine an encryption scheme for the service instance transmitted to the client-receiver, wherein the processor is adapted to use at least one message of the plurality of received client-receiver messages to determine the encryption scheme for the service instance, wherein the at lest one message includes hardware information of the client-receiver that the processor is adapted to use for dynamically determining the encryption scheme of the transmitted service instance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The master-receiver of claim 1, further including:
3. The master-receiver of claim 1, wherein the processor is adapted to use a protocol for secure Internet communication to determine the encryption scheme.
4. The master-receiver of claim 1, further including:
- a cryptographic device adapted to encrypt the service instance.
5. The master-receiver of claim 1, further including:
- a secure element adapted to entitle and disentitle the client-receiver to access service instances.
6. The master-receiver of claim 1, further including:
- a secure element having an entitlement map that associates service instances to entitlements granted to the client-receiver, wherein the master-receiver is adapted to use the entitlement map to determine whether the client-receiver is authorized to receive a service instance.
7. The master-receiver of claim 6, wherein the secure element further includes a second processor and a memory having the private key of private key-public key pair for the receiver, wherein the memory is accessible only to the second processor.
8. The master-receiver of claim 7, wherein the entitlement map is accessible only to the second processor.
9. The master-receiver of claim 1, further including:
- an entitlement manager module adapted to entitle the client-receiver to access the service instance.
10. The master-receiver of claim 9, wherein the entitlement manager module is further adapted to disentitle the client-receiver, wherein prior to disentitlement the client-receiver was entitled to access the service instance and after disentitlement the client-receiver can no longer access the service instance.
11. The master-receiver of claim 9, wherein the entitlement manager module is further adapted to generate a secure message for the client-receiver, and wherein the secure message includes an authentication token that authenticates that the secure message was generated by the master-receiver.
12. The master-receiver of claim 11, wherein the secure message includes content of which at least a portion of the content is used as an input for a hash function to produce a digest, which is signed by a private key of a public key-private key pair of the master-receiver, and the signed digest is the authentication token included in the at least one secure message.
13. The master-receiver of claim 11, further including:
- a port coupled to a communication link coupling the master-receiver to the headend and adapted to receive a secure message addressed to the client-receiver having content included therein, wherein the entitlement manager module authenticates the received secure message and includes the content in the generated secure message.
14. The master-receiver of claim 13, wherein at least a portion of the content of the received secure message includes encrypted content and the entitlement manager module decrypts the encrypted content using the private key of a public key-private key pair of the master-receiver.
15. The master-receiver of claim 1, further including:
- a second transceiver in communication with the headend adapted to transmit messages to the headend and receive messages therefrom; and
  
  wherein the service instance transmitted to the client-receiver is received in the master-receiver responsive to the master-receiver transmitting a service request message through the second transceiver.
16. The master-receiver of claim 15, wherein the service request message includes a receiver identifier, and the receiver identifier is associated with the master-receiver.
17. The master-receiver of claim 15, wherein the service request message includes a receiver identifier and the receiver identifier is associated with the client-receiver.

18. A method of providing a service instance to a client-receiver in two-way communication with a master-receiver, which is in communication with a headend of a subscriber network system, the method implemented in the master-receiver and comprising the steps of:
- receiving a message from the client-receiver, the message having client-receiver type information included therein;
  
  dynamically determining an encryption scheme, wherein determining the encryption scheme includes the act of using the client-receiver type information to determine the encryption scheme; and
  
  determining whether to encrypt the service instance according to the dynamically determined encryption scheme.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The method of claim 18, further including the steps of:
21. The method of claim 18, further including the steps of:
- generating a secure message for the client-receiver for the service instance; and
  
  transmitting the secure message to the client-receiver, thereby disentitling the client-receiver to access the service instance.
22. The method of claim 18, further including the steps of:
- receiving a message from the client-receiver; and
  
  responsive to receiving the message, transmitting a service request message to the headend for the service instance, whereby the service instance is received at the master-receiver in response to the transmitted service request message.
23. The method of claim 18, further including the step of:
- checking an entitlement map for the client-receiver to determine whether the client-receiver is entitled to receive the service instance, wherein the entitlement map includes multiple entitlements, each entitlement is either a permission or lack of permission for the client-receiver to receive a particular service instance, and wherein the service instance is only encrypted according to the dynamically determined encryption scheme when the entitlement associated with the service instance is a permission for the client-receiver to receive the service instance.
24. The method of claim 23, further including the steps of:
- receiving an entitlement message from the headend having at least one entitlement for the client-receiver included therein; and
  
  updating the entitlement map to include the at least one entitlement.
25. The method of claim 23, further including the steps of:
- prior to the step of checking, receiving a message from the client-receiver for the service instance; and
  
  responsive to determining that the client-receiver is not entitled to receive the service instance, updating the entitlement map to change the state of the entitlement associated with the service instance, whereby after the update, the client-receiver is entitled to receive the service instance.

19. The method of 18, wherein the step of determining whether to encrypt the service instance includes the steps of:
- determining whether the service instance is encrypted;
  
  responsive to determining the service instance is encrypted;
  
  decrypting the service instance, wherein decrypting the service instance includes the act of converting the service instance to an unencrypted service instance; and
  
  encrypting the unencrypted service instance using the dynamically determined encryption scheme, wherein the step of encrypting the unencrypted service instance includes the act of converting the unencrypted service instance to an encrypted service instance;
  
  responsive to determining the service instance is not encrypted;
  
  encrypting the service instance using the dynamically determined encryption scheme, wherein the step of encrypting the service instance includes the act of converting the service instance to an encrypted service instance;
  
  and further including the step of;
  
  transmitting the encrypted service instance to the client-receiver.

26. A master-receiver in a subscriber network that receives a service instance from a headend and re-transmits the service instance to a client-receiver, the master-receiver comprising:
- a port adapted to receive the service instance;
  
  a transceiver adapted to transmit messages and the service instance to the client-receiver and receive a plurality of messages and information therefrom;
  
  a cryptographic device in communication with the port and the transceiver adapted to encrypt the service instance; and
  
  a processor in communication with the transceiver and the cryptographic device adapted to process the messages from the client-receiver and adapted to dynamically determine an encryption scheme for the service instance transmitted to the client-receiver, wherein the processor is adapted to use at least one message of the plurality of received client-receiver messages to determine the encryption scheme for the service instance, wherein the at least one message includes hardware information of the client-receiver that the processor is adapted to use for dynamically determining the encryption scheme of the transmitted service instance.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 27. The master-receiver of claim 26, further including:
28. The master-receiver of claim 26, wherein the processor is adapted to use a protocol for secure Internet communication to determine the encryption scheme.
29. The master-receiver of claim 28, wherein the protocol is the Secure Sockets Layer (SSL) protocol.
30. The master-receiver of claim 28, wherein the protocol is the DTCP protocol.
31. The master-receiver of claim 28, wherein the protocol is the Content Protection for Recordable Media (CPRM) protocol.
32. The master-receiver of claim 28, wherein the protocol is the Transport Layer Security (TLS) protocol.
33. The master-receiver of claim 26, wherein the received client-receiver messages include at least one message conforming to the Universal Plug and Play (UPnP) standard.
34. The master-receiver of claim 26, wherein the received client-receiver messages include at least one message conforming to the Jini standard.
35. The master-receiver of claim 26, wherein the received client-receiver messages include at least one message conforming to the Open Service Gateway Initiative standard.
36. The master-receiver of claim 26, further including:
- a secure element having an entitlement manager module adapted to entitle the client-receiver to access the service instance.
37. The master-receiver of claim 36, the entitlement manager module is further adapted to disentitle the client-receiver, wherein prior to disentitlement the client-receiver was entitled to access the service instance and after disentitlement the client-receiver can no longer access the service instance.
38. The master-receiver of claim 36, wherein the entitlement manager module is further adapted to generate a secure message for the client-receiver, and wherein the secure message includes an authentication token that authenticates that the secure message was generated by the master-receiver.
39. The master-receiver of claim 38, wherein the secure message includes content of which at least a portion of the content is used as an input for a hash function to produce a digest that is signed by a private key of a public key-private key pair of the master-receiver, and the signed digest is the authentication token included in the secure message.
40. The master-receiver of claim 38, wherein the port receives a secure message addressed to the client-receiver having content included therein, the entitlement manager module authenticates the received secure message and includes the content in the generated secure message.
41. The master-receiver of claim 40, wherein at least a portion of the content of the received secure message includes encrypted content and the entitlement manager module decrypts the encrypted content using the private key of a public key-private key pair of the master-receiver.
42. The master-receiver of claim 26, further including:
- a second transceiver in communication with the port adapted to transmit messages to the headend and receive messages therefrom; and
  
  wherein the service instance transmitted to the client-receiver is received in the master-receiver responsive to the master-receiver transmitting a service request message through the second transceiver.
43. The master-receiver of claim 42, wherein the service request message includes a receiver identifier, and the receiver identifier is associated with the master-receiver.
44. The master-receiver of claim 42, wherein the service request message includes a receiver identifier and the receiver identifier is associated with the client-receiver.
45. The master-receiver of claim 26, wherein the transceiver communicates with the client-receiver through an Ethernet communication link.
46. The master-receiver of claim 26, wherein the transceiver communicates with the client-receiver through a powerline communication link.
47. The master-receiver of claim 26, wherein the transceiver communicates with the client-receiver through a telephone line communication link.
48. The master-receiver of claim 26, wherein the transceiver communicates with the client-receiver through a wireless communication link.
49. The master-receiver of claim 26, wherein the transceiver communicates with the client-receiver through a coaxial cable.

50. A master-receiver in a subscriber network system having a headend in two-way communication with the master-receiver, which is in two-way communication with a client-receiver, wherein the master-receiver receives an encrypted service instance from the headend of the subscriber network and re-transmits the service instance to the client-receiver, the master-receiver comprising:
- a port coupled to a communication link coupling the master-receiver to the headend;
  
  a first transceiver coupled to the port adapted to receive entitlement messages from the headend and to transmit messages to the headend;
  
  a second transceiver in communication with the client-receiver adapted to transmit information including the service instance to the client-receiver and receive messages from the client-receiver; and
  
  a processor in communication with the first transceiver and the second transceiver, the processor adapted to determine whether to decrypt the encrypted service instance and re-encrypt the service instance using a dynamically selected encryption scheme, wherein the processor uses at least one message of the received client-receiver messages to dynamically select the encryption scheme, and a memory having a client-receiver type table stored therein, wherein the processor uses the client-receiver type table and the at least one message to dynamically select the encryption scheme.
- View Dependent Claims (51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65)
- - 51. The master-receiver of claim 50, wherein responsive to a message received at the master-receiver, the processor suspends determining whether to decrypt and re-encrypt the service instance and transmits the service instance to the client-receiver according to parameters established by the headend.
  - 52. The master-receiver of claim 50, wherein responsive to a message received at the master-receiver, the master-receiver suspends transmitting the service instance to the client-receiver.
  - 53. The master-receiver of claim 50, wherein the received client-receiver messages include at least one message conforming to the Universal Plug and Play (UPnP) standard.
  - 54. The master-receiver of claim 50, wherein the received client-receiver messages include at least one message conforming to the Jini standard.
  - 55. The master-receiver of claim 50, wherein the received client-receiver messages include at least one message conforming to the Open Service Gateway Initiative (OSGI) standard.
  - 56. The master-receiver of claim 50, wherein the processor further includes an entitlement management module adapted to generate a secure message that communicates entitlements to the client-receiver for the encrypted service.
  - 57. The master-receiver of claim 56, wherein the of the secure message includes content and an authentication token, which is a digitally signed hash digest of at least a portion of the secure message content, and the entitlement management module generates the hash digest and uses a private key of a public key-private key pair of the master-receiver to digitally sign the hash digest.
  - 58. The master-receiver of claim 56, wherein the entitlement management module uses at least a portion of a shared secret as an input to a hash function to generate a hash digest, and the shared secret is shared between the master-receiver and the client-receiver, and the secure message includes the hash digest as an authentication token.
  - 59. The master-receiver of claim 56, wherein the content of the secure message is encrypted by the entitlement management module using a public key of a public key-private key pair of the client-receiver.
  - 60. The master-receiver of claim 50, wherein a plurality of service instances including the encrypted service instance are received by the port through the communication link, and further including:
61. The master-receiver of claim 50, wherein the second transceiver communicates with the client-receiver through an Ethernet communication link.
62. The master-receiver of claim 50, wherein the second transceiver communicates with the client-receiver through a powerline communication link.
63. The master-receiver of claim 50, wherein the second transceiver communicates with the client-receiver through a telephone line communication link.
64. The master-receiver of claim 50, wherein the second transceiver communicates with the client-receiver through a wireless communication link.
65. The master-receiver of claim 50, wherein the second transceiver communicates with the client-receiver through a coaxial cable.

66. A method of providing a service instance to a client-receiver, which is coupled to a master-receiver in a subscriber network having a headend in two-way communication with the master-receiver, the method implemented in the master-receiver and comprising the steps of:
- receiving a message from the client-receiver, the message having client-receiver type information included therein, receiving content of a service instance;
  
  dynamically determining an encryption scheme for encrypting the received content of the service instance wherein the client-receiver type information is used to determine the encryption scheme; and
  
  determining whether to encrypt the received content of the service instance according to the dynamically determined encryption scheme.
- View Dependent Claims (67, 68, 69, 70, 71, 72, 73)
- - 67. The method of claim 66, further including the steps of:
68. The method of claim 66, further including the steps of:
- determining whether the received content of the service instance is encrypted; and
  
  responsive to both determining the received content of the service instance is encrypted and determining to not encrypt the received content of the service instance according to the dynamically determined encryption scheme, transmitting the received content of the service instance to the client-receiver.
69. The method of claim 66, further including the steps of:
- determining whether the received content of the service instance is encrypted; and
  
  responsive to both determining the received content of the service instance is not encrypted and determining to encrypt the received content of the service instance according to the dynamically determined encryption scheme;
  
  encrypting the received content according to the dynamically determined encryption scheme, wherein the step of encrypting the received content includes the act of converting the received content to an encrypted content; and
  
  transmitting the encrypted content to the client-receiver.
70. The method of claim 66, further including the steps of:
- determining whether the received content of the service instance is encrypted; and
  
  responsive to both determining the received content of the service instance is encrypted and determining to encrypt the received content of the service instance according to the dynamically determined encryption scheme;
  
  decrypting the received content of the service instance, wherein the step of decrypting the received content includes the act of converting the received content of the service instance to an unencrypted content;
  
  encrypting the unencrypted content according to the dynamically determined encryption scheme, wherein the step of encrypting the unencrypted content includes the act of converting the unencrypted content to an encrypted content; and
  
  transmitting the encrypted content to the client-receiver.
71. The method of claim 66, prior to step receiving content of the service instance, further including the steps of:
- generating a secure message for the client-receiver entitling the client-receiver access to the encrypted service instance; and
  
  transmitting the secure message to the client-receiver, thereby entitling the client-receiver to access the encrypted service instance.
72. The method of claim 66, prior to step receiving content of the service instance, further including the steps of:
- generating a secure message for the client-receiver disentitling the client-receiver access to the encrypted service instance; and
  
  transmitting the secure message to the client-receiver, thereby disentitling the client-receiver to access the encrypted service instance.
73. The method of claim 66, prior to step receiving content of the service instance, further including the steps of:
- receiving a message from the client-receiver; and
  
  responsive to receiving the message, transmitting a service request message to the headend for the service instance, whereby the service instance is received at the master-receiver in response to the transmitted service request message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tech 5 SAS
Original Assignee
Scientific-Atlanta Incorporated (Cisco Systems, Inc.)
Inventors
Russ, Samuel H., Gaul, Michael A., Pinder, Howard G., Wasilewski, Anthony J.
Primary Examiner(s)
Smithers, Matthew

Application Number

US10/154,495
Publication Number

US 20030219127A1
Time in Patent Office

746 Days
Field of Search

380/239, 380/210, 380/211, 380/232, 380/240, 725/31, 705/52
US Class Current

380/239
CPC Class Codes

H04L 12/2805   Home Audio Video Interopera...

H04N 21/2347   involving video stream encr...

H04N 21/41265   having a remote control dev...

H04N 21/42684   Client identification by a ...

H04N 21/43615   Interfacing a Home Network,...

H04N 21/43637   involving a wireless protoc...

H04N 21/4367   Establishing a secure commu...

H04N 21/4405   involving video stream decr...

H04N 21/4408   involving video stream encr...

H04N 21/4623   Processing of entitlement m...

H04N 21/472   End-user interface for requ...

H04N 21/47815   Electronic shopping payment...

H04N 21/482   End-user interface for prog...

H04N 21/8586   by using a URL processing c...

H04N 7/162   Authorising the user termin...

H04N 7/1675   Providing digital key or au...

Apparatus for entitling remote client devices

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

175 Citations

73 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus for entitling remote client devices

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

175 Citations

73 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links