Apparatus for entitling remote client devices
Abstract
A master-receiver in a subscriber television network receives service instances and entitlement information from a headend of the subscriber television network and re-transmits service instances to a client-receiver after dynamic encryption scheme determination.
73 Claims
1. A master-receiver in a subscriber network that receives a service instance from a headend and re-transmits the service instance to a client-receiver, the master-receiver comprising:
a transceiver adapted to transmit messages and the service instance to the client-receiver and receive a plurality of messages and information therefrom; and
a processor in communication with the transceiver, adapted to process messages from the client-receiver and dynamically determine an encryption scheme for the service instance transmitted to the client-receiver, wherein the processor is adapted to use at least one message of the plurality of received client-receiver messages to determine the encryption scheme for the service instance, wherein the at least one message includes hardware information of the client-receiver that the processor is adapted to use for dynamically determining the encryption scheme of the transmitted service instance.
a memory having a client-receiver type table included therein, wherein the processor is adapted to use the client-receiver type table to identify a classification for the client-receiver and is adapted to use the classification in determining the encryption scheme for the service instance.
3. The master-receiver of claim 1, wherein the processor is adapted to use a protocol for secure Internet communication to determine the encryption scheme.
4. The master-receiver of claim 1, further including:
a cryptographic device adapted to encrypt the service instance.
5. The master-receiver of claim 1, further including:
a secure element adapted to entitle and disentitle the client-receiver to access service instances.
6. The master-receiver of claim 1, further including:
a secure element having an entitlement map that associates service instances to entitlements granted to the client-receiver, wherein the master-receiver is adapted to use the entitlement map to determine whether the client-receiver is authorized to receive a service instance.
7. The master-receiver of claim 6, wherein the secure element further includes a second processor and a memory having the private key of private key-public key pair for the receiver, wherein the memory is accessible only to the second processor.
8. The master-receiver of claim 7, wherein the entitlement map is accessible only to the second processor.
9. The master-receiver of claim 1, further including:
an entitlement manager module adapted to entitle the client-receiver to access the service instance.
10. The master-receiver of claim 9, wherein the entitlement manager module is further adapted to disentitle the client-receiver, wherein prior to disentitlement the client-receiver was entitled to access the service instance and after disentitlement the client-receiver can no longer access the service instance.
11. The master-receiver of claim 9, wherein the entitlement manager module is further adapted to generate a secure message for the client-receiver, and wherein the secure message includes an authentication token that authenticates that the secure message was generated by the master-receiver.
12. The master-receiver of claim 11, wherein the secure message includes content of which at least a portion of the content is used as an input for a hash function to produce a digest, which is signed by a private key of a public key-private key pair of the master-receiver, and the signed digest is the authentication token included in the at least one secure message.
13. The master-receiver of claim 11, further including:
a port coupled to a communication link coupling the master-receiver to the headend and adapted to receive a secure message addressed to the client-receiver having content included therein, wherein the entitlement manager module authenticates the received secure message and includes the content in the generated secure message.
14. The master-receiver of claim 13, wherein at least a portion of the content of the received secure message includes encrypted content and the entitlement manager module decrypts the encrypted content using the private key of a public key-private key pair of the master-receiver.
15. The master-receiver of claim 1, further including:
a second transceiver in communication with the headend adapted to transmit messages to the headend and receive messages therefrom; and
wherein the service instance transmitted to the client-receiver is received in the master-receiver responsive to the master-receiver transmitting a service request message through the second transceiver.
16. The master-receiver of claim 15, wherein the service request message includes a receiver identifier, and the receiver identifier is associated with the master-receiver.
17. The master-receiver of claim 15, wherein the service request message includes a receiver identifier and the receiver identifier is associated with the client-receiver.
18. A method of providing a service instance to a client-receiver in two-way communication with a master-receiver, which is in communication with a headend of a subscriber network system, the method implemented in the master-receiver and comprising the steps of:
receiving a message from the client-receiver, the message having client-receiver type information included therein;
dynamically determining an encryption scheme, wherein determining the encryption scheme includes the act of using the client-receiver type information to determine the encryption scheme; and
determining whether to encrypt the service instance according to the dynamically determined encryption scheme.
generating a secure message for the client-receiver for the service instance; and
transmitting the secure message to the client-receiver, thereby entitling the client-receiver to access the service instance.
21. The method of claim 18, further including the steps of:
generating a secure message for the client-receiver for the service instance; and
transmitting the secure message to the client-receiver, thereby disentitling the client-receiver to access the service instance.
22. The method of claim 18, further including the steps of:
receiving a message from the client-receiver; and
responsive to receiving the message, transmitting a service request message to the headend for the service instance, whereby the service instance is received at the master-receiver in response to the transmitted service request message.
23. The method of claim 18, further including the step of:
checking an entitlement map for the client-receiver to determine whether the client-receiver is entitled to receive the service instance, wherein the entitlement map includes multiple entitlements, each entitlement is either a permission or lack of permission for the client-receiver to receive a particular service instance, and wherein the service instance is only encrypted according to the dynamically determined encryption scheme when the entitlement associated with the service instance is a permission for the client-receiver to receive the service instance.
24. The method of claim 23, further including the steps of:
receiving an entitlement message from the headend having at least one entitlement for the client-receiver included therein; and
updating the entitlement map to include the at least one entitlement.
25. The method of claim 23, further including the steps of:
prior to the step of checking, receiving a message from the client-receiver for the service instance; and
responsive to determining that the client-receiver is not entitled to receive the service instance, updating the entitlement map to change the state of the entitlement associated with the service instance, whereby after the update, the client-receiver is entitled to receive the service instance.
19. The method of 18, wherein the step of determining whether to encrypt the service instance includes the steps of:
determining whether the service instance is encrypted;
responsive to determining the service instance is encrypted;
decrypting the service instance, wherein decrypting the service instance includes the act of converting the service instance to an unencrypted service instance; and
encrypting the unencrypted service instance using the dynamically determined encryption scheme, wherein the step of encrypting the unencrypted service instance includes the act of converting the unencrypted service instance to an encrypted service instance;
responsive to determining the service instance is not encrypted;
encrypting the service instance using the dynamically determined encryption scheme, wherein the step of encrypting the service instance includes the act of converting the service instance to an encrypted service instance;
and further including the step of;
transmitting the encrypted service instance to the client-receiver.
26. A master-receiver in a subscriber network that receives a service instance from a headend and re-transmits the service instance to a client-receiver, the master-receiver comprising:
a port adapted to receive the service instance;
a transceiver adapted to transmit messages and the service instance to the client-receiver and receive a plurality of messages and information therefrom;
a cryptographic device in communication with the port and the transceiver adapted to encrypt the service instance; and
a processor in communication with the transceiver and the cryptographic device adapted to process the messages from the client-receiver and adapted to dynamically determine an encryption scheme for the service instance transmitted to the client-receiver, wherein the processor is adapted to use at least one message of the plurality of received client-receiver messages to determine the encryption scheme for the service instance, wherein the at least one message includes hardware information of the client-receiver that the processor is adapted to use for dynamically determining the encryption scheme of the transmitted service instance.
a memory having a client-receiver type table included therein, wherein the processor is adapted to use the client-receiver type table to identify a classification for the client-receiver and is adapted to use the classification in determining the encryption scheme for the service instance.
28. The master-receiver of claim 26, wherein the processor is adapted to use a protocol for secure Internet communication to determine the encryption scheme.
29. The master-receiver of claim 28, wherein the protocol is the Secure Sockets Layer (SSL) protocol.
30. The master-receiver of claim 28, wherein the protocol is the DTCP protocol.
31. The master-receiver of claim 28, wherein the protocol is the Content Protection for Recordable Media (CPRM) protocol.
32. The master-receiver of claim 28, wherein the protocol is the Transport Layer Security (TLS) protocol.
33. The master-receiver of claim 26, wherein the received client-receiver messages include at least one message conforming to the Universal Plug and Play (UPnP) standard.
34. The master-receiver of claim 26, wherein the received client-receiver messages include at least one message conforming to the Jini standard.
35. The master-receiver of claim 26, wherein the received client-receiver messages include at least one message conforming to the Open Service Gateway Initiative standard.
36. The master-receiver of claim 26, further including:
a secure element having an entitlement manager module adapted to entitle the client-receiver to access the service instance.
37. The master-receiver of claim 36, the entitlement manager module is further adapted to disentitle the client-receiver, wherein prior to disentitlement the client-receiver was entitled to access the service instance and after disentitlement the client-receiver can no longer access the service instance.
38. The master-receiver of claim 36, wherein the entitlement manager module is further adapted to generate a secure message for the client-receiver, and wherein the secure message includes an authentication token that authenticates that the secure message was generated by the master-receiver.
39. The master-receiver of claim 38, wherein the secure message includes content of which at least a portion of the content is used as an input for a hash function to produce a digest that is signed by a private key of a public key-private key pair of the master-receiver, and the signed digest is the authentication token included in the secure message.
40. The master-receiver of claim 38, wherein the port receives a secure message addressed to the client-receiver having content included therein, the entitlement manager module authenticates the received secure message and includes the content in the generated secure message.
41. The master-receiver of claim 40, wherein at least a portion of the content of the received secure message includes encrypted content and the entitlement manager module decrypts the encrypted content using the private key of a public key-private key pair of the master-receiver.
42. The master-receiver of claim 26, further including:
a second transceiver in communication with the port adapted to transmit messages to the headend and receive messages therefrom; and
wherein the service instance transmitted to the client-receiver is received in the master-receiver responsive to the master-receiver transmitting a service request message through the second transceiver.
43. The master-receiver of claim 42, wherein the service request message includes a receiver identifier, and the receiver identifier is associated with the master-receiver.
44. The master-receiver of claim 42, wherein the service request message includes a receiver identifier and the receiver identifier is associated with the client-receiver.
45. The master-receiver of claim 26, wherein the transceiver communicates with the client-receiver through an Ethernet communication link.
46. The master-receiver of claim 26, wherein the transceiver communicates with the client-receiver through a powerline communication link.
47. The master-receiver of claim 26, wherein the transceiver communicates with the client-receiver through a telephone line communication link.
48. The master-receiver of claim 26, wherein the transceiver communicates with the client-receiver through a wireless communication link.
49. The master-receiver of claim 26, wherein the transceiver communicates with the client-receiver through a coaxial cable.
50. A master-receiver in a subscriber network system having a headend in two-way communication with the master-receiver, which is in two-way communication with a client-receiver, wherein the master-receiver receives an encrypted service instance from the headend of the subscriber network and re-transmits the service instance to the client-receiver, the master-receiver comprising:
a port coupled to a communication link coupling the master-receiver to the headend;
a first transceiver coupled to the port adapted to receive entitlement messages from the headend and to transmit messages to the headend;
a second transceiver in communication with the client-receiver adapted to transmit information including the service instance to the client-receiver and receive messages from the client-receiver; and
a processor in communication with the first transceiver and the second transceiver, the processor adapted to determine whether to decrypt the encrypted service instance and re-encrypt the service instance using a dynamically selected encryption scheme, wherein the processor uses at least one message of the received client-receiver messages to dynamically select the encryption scheme, and a memory having a client-receiver type table stored therein, wherein the processor uses the client-receiver type table and the at least one message to dynamically select the encryption scheme.
a user interface adapted to receive user input for selecting a given service instance of the plurality of service instances;
a plurality of tuners coupled to the port, the plurality of tuners including a first tuner tuned to the encrypted service instance and a second tuner for tuning to the given selected service instance; and
a processor coupled to the user interface adapted to selectively tune the second tuner to the given selected service instance.
61. The master-receiver of claim 50, wherein the second transceiver communicates with the client-receiver through an Ethernet communication link.
62. The master-receiver of claim 50, wherein the second transceiver communicates with the client-receiver through a powerline communication link.
63. The master-receiver of claim 50, wherein the second transceiver communicates with the client-receiver through a telephone line communication link.
64. The master-receiver of claim 50, wherein the second transceiver communicates with the client-receiver through a wireless communication link.
65. The master-receiver of claim 50, wherein the second transceiver communicates with the client-receiver through a coaxial cable.
66. A method of providing a service instance to a client-receiver, which is coupled to a master-receiver in a subscriber network having a headend in two-way communication with the master-receiver, the method implemented in the master-receiver and comprising the steps of:
receiving a message from the client-receiver, the message having client-receiver type information included therein, receiving content of a service instance;
dynamically determining an encryption scheme for encrypting the received content of the service instance wherein the client-receiver type information is used to determine the encryption scheme; and
determining whether to encrypt the received content of the service instance according to the dynamically determined encryption scheme.
determining whether the received content of the service instance is encrypted; and
responsive to both determining the received content of the service instance is not encrypted and determining to not encrypt the received content of the service instance according to the dynamically determined encryption scheme, transmitting the received content of the service instance to the client-receiver.
68. The method of claim 66, further including the steps of:
determining whether the received content of the service instance is encrypted; and
responsive to both determining the received content of the service instance is encrypted and determining to not encrypt the received content of the service instance according to the dynamically determined encryption scheme, transmitting the received content of the service instance to the client-receiver.
69. The method of claim 66, further including the steps of:
determining whether the received content of the service instance is encrypted; and
responsive to both determining the received content of the service instance is not encrypted and determining to encrypt the received content of the service instance according to the dynamically determined encryption scheme;
encrypting the received content according to the dynamically determined encryption scheme, wherein the step of encrypting the received content includes the act of converting the received content to an encrypted content; and
transmitting the encrypted content to the client-receiver.
70. The method of claim 66, further including the steps of:
determining whether the received content of the service instance is encrypted; and
responsive to both determining the received content of the service instance is encrypted and determining to encrypt the received content of the service instance according to the dynamically determined encryption scheme;
decrypting the received content of the service instance, wherein the step of decrypting the received content includes the act of converting the received content of the service instance to an unencrypted content;
encrypting the unencrypted content according to the dynamically determined encryption scheme, wherein the step of encrypting the unencrypted content includes the act of converting the unencrypted content to an encrypted content; and
transmitting the encrypted content to the client-receiver.
71. The method of claim 66, prior to step receiving content of the service instance, further including the steps of:
generating a secure message for the client-receiver entitling the client-receiver access to the encrypted service instance; and
transmitting the secure message to the client-receiver, thereby entitling the client-receiver to access the encrypted service instance.
72. The method of claim 66, prior to step receiving content of the service instance, further including the steps of:
generating a secure message for the client-receiver disentitling the client-receiver access to the encrypted service instance; and
transmitting the secure message to the client-receiver, thereby disentitling the client-receiver to access the encrypted service instance.
73. The method of claim 66, prior to step receiving content of the service instance, further including the steps of:
receiving a message from the client-receiver; and
responsive to receiving the message, transmitting a service request message to the headend for the service instance, whereby the service instance is received at the master-receiver in response to the transmitted service request message.
Specification