Apparatus, system and method for selectively encrypting different portions of data sent over a network

US 7,165,175 B1
Filed: 09/06/2000
Issued: 01/16/2007
Est. Priority Date: 09/06/2000
Status: Expired due to Term

- Alert
- Pin

First Claim

Patent Images

1. An apparatus for selectively encrypting data for transmission over a network in packets between a server and a client, the apparatus comprising:

a parser configured to parse a payload portion of the data in a packet from a non-payload portion of the packet data;

an encrypter configured to determine if the payload portion of the packet data is to be encrypted by examining the payload portion of the packet data to recognize a predefined data type, and if it is to be encrypted, to encrypt the payload portion of the packet data; and

a data combiner configured to combine the encrypted payload portion of the packet data with the non-payload portion of the packet data, wherein the non-payload portion of the packet data includes more than routing information.

View all claims

6 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Reexamination

Accused Products

Abstract

An apparatus and method for selectively encrypting portions of data sent over a network between a server and a client. The apparatus includes parsing means for separating a first portion of the data from a second portion of the data, encrypting means for encrypting only of the first portion of the data, and combining means for combining the encrypted first portion of the data with the second portion of the data, wherein the second portion of the data is not encrypted. The apparatus further includes decrypting means installed at the client for decrypting the encrypted portion of the data. The apparatus is platform independent in terms of media format and data protocol. The encryption unit encrypts data transparently to the client based on the media format. The apparatus of the invention is implemented as one of an application and a plug-in object. The method for selectively encrypting portions of data which differ from each other in at least on characteristic sent over a network between a server and a client includes parsing the data into a first and second portion, encrypting only the first portion of the data, and sending the encrypted first portion and the second portion of the data over the network to the client. The method further includes receiving data from the server, determining whether a data stream is established between the server and the client, and negotiating an encryption key with a decryption shim of the client.

282 Citations

94 Claims

1. An apparatus for selectively encrypting data for transmission over a network in packets between a server and a client, the apparatus comprising:
- a parser configured to parse a payload portion of the data in a packet from a non-payload portion of the packet data;
  
  an encrypter configured to determine if the payload portion of the packet data is to be encrypted by examining the payload portion of the packet data to recognize a predefined data type, and if it is to be encrypted, to encrypt the payload portion of the packet data; and
  
  a data combiner configured to combine the encrypted payload portion of the packet data with the non-payload portion of the packet data, wherein the non-payload portion of the packet data includes more than routing information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The apparatus of claim 1, wherein the packet data includes streaming data.
  - 3. The apparatus of claim 1, wherein the non-payload portion of the packet data includes at least one of a header, control data and routing data.
  - 4. The apparatus of claim 1, further comprising a transmitter configured to send the combined payload and non-payload portions of the packet data over the network to the client.
  - 5. The apparatus of claim 1, further comprising a receiver configured to receive the data from the server before the data is sent in the packet over the network to the client.
  - 6. The apparatus of claim 1, further comprising a device configured to establish a data stream between the server and the client.
  - 7. The apparatus of claim 1, further comprising a key negotiator configured to negotiate an encryption key with the client.
  - 8. The apparatus of claim 7, wherein key negotiation and key exchange occur during transmission of a stream.
  - 9. The apparatus of claim 8, wherein the encrypter is transparent to the server.
  - 10. The apparatus of claim 7, wherein key negotiation can determine if the encryption key is current.
  - 11. The apparatus of claim 1, further comprising a decrypter configured to decrypt the encrypted payload portion of the packet data at the client.
  - 12. The apparatus of claim 1, wherein the parser is further configured to parse the packet data into different portions based on a media format.
  - 13. The apparatus of claim 1, wherein the encrypter is further configured to encrypt the payload portion of the packet data based on a media format.
  - 14. The apparatus of claim 1, wherein the apparatus is implemented utilizing an application that includes a pluggable core encoding an encryption algorithm for encrypting the payload portion of the packet data, wherein the pluggable core enables the encryption algorithm to be readily changed.
  - 15. The apparatus of claim 1, wherein the apparatus in implemented on an encryption bridge.
  - 16. The apparatus of claim 1, wherein the payload packet data includes multimedia data.
  - 17. The apparatus of claim 1, wherein the parser is further configured to parse the packet data into different portions based on a data protocol used to transmit a data stream of packets.
  - 18. The apparatus of claim 1, wherein the parser parses the packet data based on a data protocol.

19. A method for selectively encrypting data in a packet received from a data source, the data including payload and non-payload portions which differ from each other in at least one characteristic, the received data to be subsequently sent over a network to a client, the method comprising:
- parsing the received packet data into portions including the payload and non-payload portions;
  
  determining if the payload portion is to be encrypted based on a format of the payload portion of the packet data by examining the payload portion of the packet data to recognize a predefined data type, and if it is to be encrypted, encrypting the payload portion of the received packet data; and
  
  sending the received packet data including the encrypted payload portion and the non-payload portion of the received packet data over the network to the client.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. The method of claim 19, wherein the data source is a server.
  - 21. The method of claim 19, further comprising determining whether a stream is established between a server and the client.
  - 22. The method of claim 19, further comprising negotiating an encryption key with the client.
  - 23. The method of claim 22, wherein the received packet data from the data source is streaming data sent during a streaming session and the negotiating of the encryption key is carried out during the streaming session.
  - 24. The method of claim 22, wherein the received packet data from the data source is streaming data sent during a streaming session, the method further comprising examining the client during the streaming session and terminating the streaming session if the encryption key on the client is invalid.
  - 25. The method of claim 22, wherein the encryption key is negotiated with a decryption shim on the client.
  - 26. The method of claim 19, further comprising determining whether the received packet data is streaming data.
  - 27. The method of claim 26, further comprising parsing, encrypting and sending the packet data if the packet data is streaming data and sending the packet data if the packet data is not streaming data.
  - 28. The method of claim 19, further comprising determining whether a shim is present on the client.
  - 29. The method of claim 28, further comprising sending a shim to the client if it is determined that the shim is not present on the client.
  - 30. The method of claim 19, further comprising determining whether an encryption key on the client is current.
  - 31. The method of claim 19, wherein the packet data includes at least one of a header, control data and routing data.
  - 32. The method of claim 19, wherein the packet data received from the data source for sending to the client is a stream of packets, the method further comprising determining whether a particular packet is the last packet in a data stream.
  - 33. The method of claim 32, further comprising receiving feedback from a decryption shim on the client if it is determined that the particular packet is not the last packet in the data stream.
  - 34. The method of claim 19, further comprising determining whether the client is compromised.
  - 35. The method of claim 34, further comprising continuing parsing, encrypting and sending the packet data into the payload and non-payload portions if it is determined that the client is not compromised.
  - 36. The method of claim 34, further comprising terminating the sending to the client if it is determined that the client is compromised.

37. A method for streaming data at a client, the data including payload and non-payload portions which differ from each other in at least one characteristic, the streaming data is included in a plurality of packets having been sent over a network to the client from an encryption source, the method comprising:
- receiving the packet data sent over the network;
  
  parsing the packet data into portions including the payload and non-payload portions;
  
  if the payload portion of the packet data is encrypted based on a format of the payload portion of the packet data, as determined by an examination of the payload portion of the packet data to recognize a predefined data type, decrypting the payload portion of the packet data; and
  
  passing the decrypted payload portion of the packet data to a higher level of operations for play in the client.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 38. The method of claim 37, further comprising prior to the parsing, determining whether the packet data is an unencrypted stream.
  - 39. The method of claim 38, further comprising passing the packet data to a higher level of operations without parsing and decrypting if it is determined that the packet data is an unencrypted stream.
  - 40. The method of claim 37, further comprising negotiating a decryption key with the encryption source.
  - 41. The method of claim 40, wherein the streaming data is sent from the encryption source during a streaming session and said negotiating the decryption key is carried out during the streaming session.
  - 42. The method of claim 40, further comprising terminating a stream if the decryption key is invalid.
  - 43. The method of claim 42, wherein the terminating of the encrypted stream includes sending a feedback signal to the encryption source instructing to stop sending the packet data over the network.
  - 44. The method of claim 37, wherein the packet data is sent from the encryption source over the network as a stream of data packets, the method further comprising determining whether a particular packet received by the client is a last packet in a data stream.
  - 45. The method of claim 44, further comprising sending feedback to the encryption source if it is determined that the particular packet is not the last packet in the data stream.
  - 46. The method of claim 37, further comprising determining whether the client is compromised.
  - 47. The method of claim 46, further comprising continuing the parsing, decrypting and passing the packet data as aforesaid if it is determined that the client is not compromised.
  - 48. The method of claim 46, further comprising terminating a streaming session if it is determined that the client is compromised.
  - 49. The method of claim 37, further comprising terminating a streaming session based on a determination that the client is compromised.

50. A method for selectively encrypting data for transmission over a network, the method comprising:
- receiving a plurality of packets;
  
  examining the data of each received packet to identify a plurality of portions that include at least a payload portion and a non-payload portion;
  
  determining if at least one of the payload portion is to be encrypted by examining the at least one payload portion to recognize a predefined data type, and if the at least one payload portion is to be encrypted, encrypting the at least one payload portion;
  
  at least the non-payload portion of the packet to remain unencrypted, wherein the plurality of portions of encrypted payload and unencrypted non-payload for a packet being combined after such encryption determination.
- View Dependent Claims (51, 52, 53, 54, 55, 56, 57)
- - 51. The method of claim 50, wherein the packet data is received from a data source, wherein the packet data includes streaming data and wherein the at least one data portion of a packet to remain unencrypted includes at least one of a header, control data and routing data.
  - 52. The method of claim 51, wherein the streaming data is included in the at least one data portion of the packet to remain unencrypted.
  - 53. The method of claim 52, further comprising:
    - transmitting the combined packet data over the network to a client; and
      
      negotiating and exchanging a key with the client before the combined data is transmitted over the network to the client, the key enabling the client to decrypt the encrypted portion of the packet data for play on the client.
  - 54. The method of claim 53, wherein the streaming data is sent during a streaming session and wherein the negotiating and exchanging the key is carried out during the streaming session.
  - 55. The method of claim 54, further comprising examining the client during the streaming session and terminating the streaming session if the key on the client is invalid.
  - 56. The method of claim 55, wherein the data source is a server and the examining of the packet data is carried out on an encryption bridge between the server and the network so that the examining of the packet data, encrypting and combining of the plurality of data portions is transparent to the server.
  - 57. The method of claim 56, wherein the key negotiating and exchanging and the decryption using the key is carried out using a shim on the client, the shim being configured so that the negotiating and exchanging of the key thereby and the decrypting of the data thereby is transparent to the client.

58. An apparatus for selectively encrypting streaming data packets received from a streaming data source for transmission over a network to a client, the apparatus comprising:
- a parser configured to parse a plurality of portions of the streaming data packets, wherein the plurality of portions include a payload portion and a non-payload portion in each of the streaming data packets;
  
  an encrypter configured to encrypt at least the payload portion if it is determined, based on an examination of a format of the payload portion to recognize a predefined data type, payload portion is to be encrypted, but not encrypt at least one other data portion of the plurality of data portions; and
  
  a data combiner configured to combine the encrypted payload portion with at least one unencrypted non-payload data portion.
- View Dependent Claims (59, 60, 61, 62, 63)
- - 59. The apparatus of claim 58, further comprising a negotiator, wherein the negotiator negotiates and exchanges a key with the client before the combined packet data is transmitted over the network to the client, the key enabling the client to decrypt the encrypted payload portion of the packet data for play on the client.
  - 60. The apparatus of claim 59, wherein the streaming data is sent from the streaming data source during a streaming session.
  - 61. The apparatus of claim 60, further configured to perform actions including examining the client during the streaming session and terminating the streaming session if the client has been compromised.
  - 62. The apparatus of claim 58, wherein the at least one unencrypted data portion of the packet data includes at least one of a header, control data and routing data.
  - 63. The apparatus of claim 58, wherein the streaming data source is at least one server.

64. An apparatus for selectively encrypting data received from a data source for transmission in packets over a network to a client, comprising:
- a parser configured to parse at least two portions of the packet data, at least one of the two portions of the packet data including more than routing information for a packet;
  
  an encrypter configured to determine if a payload portion of the packet data is to be encrypted based on an examination of the payload portion the packet data to recognize a predefined data type, and if it is to be encrypted, encrypting the payload portion of packet data not including the routing information for the packet; and
  
  a data combiner configured to combine the parsed at least two portions of the packet data following encryption of the payload portion of data not including the routing information for the packet.
- View Dependent Claims (65, 66, 67, 68, 69)
- - 65. The apparatus of claim 64, wherein an unencrypted portion of the packet data includes at least one of a header and control data.
  - 66. The apparatus of claim 65, wherein the parser parses the data into different portions based on a data protocol used to transmit the data.
  - 67. The apparatus of claim 65, wherein the portion of the packet data to be encrypted includes media data encoded in a media format and wherein the encrypter encrypts the packet data to be encrypted based on the media format.
  - 68. The apparatus of claim 67, wherein the apparatus is implemented utilizing an application that includes a pluggable core encoding an encryption algorithm for encrypting the packet data, the pluggable core being replaceable to enable the encryption algorithm to be readily changed.
  - 69. The apparatus of claim 68, wherein the apparatus is implemented on an encryption bridge.

70. An apparatus for selectively encrypting data received from a data source during a downloading operation, the data being received from the data source for transmission in packets over a network to a client receiving the downloaded packetized data, comprising:
- a parser configured to parse at least two portions of the data in a packet, wherein the packet data includes a payload portion and a non-payload portion;
  
  an encrypter configured to determine if the payload portion of the packet data is to be encrypted based on a format of the payload portion of the packet data, wherein the format is determined based on an examination of the payload portion of the packet data to recognize a predefined data type, and if it is to be encrypted, encrypting the payload portion of the packet data; and
  
  a data combiner configured to combine the encrypted payload portion of the packet data with an unencrypted portion of packet data for transmission over the network.
- View Dependent Claims (71, 72, 73)
- - 71. The apparatus as defined in claim 70, wherein the downloaded data is included in the encrypted payload portion of the packet data.
  - 72. The apparatus of claim 71, wherein the unencrypted portion of packet data includes at least one of a header, control data and routing data.
  - 73. The apparatus of claim 72, further comprising a key negotiator configured to perform actions including negotiating and exchanging a key with the client before the packet data is sent over the network to the client, the key enabling the client to decrypt the encrypted payload portion of data.

74. An apparatus for selectively encrypting data, received from a data source during a downloading operation and for selectively encrypting data received in packets from a data source during a streaming operation, the packet data being received from the data source for transmission over a network to a client receiving the downloaded or streaming data, comprising:
- a means for parsing at least two portions of the data included in a packet, wherein the packet data comprises at least a payload portion and a non-payload portion;
  
  a means for determining if the payload portion of the at least two portions of data is to be encrypted based on a format of the one portion of packet data that is determined by recognizing a predefined data type in the payload portion of the at least two portions, and if the a payload portion of data is to be encrypted, employing a means for encrypting only the payload portion of the at least two portions of data; and
  
  a means for combining the encrypted payload portion of the packet data with at least the unencrypted portion of the packet data for transmission over the network.
- View Dependent Claims (75, 76, 77, 78, 79, 80)
- - 75. The apparatus of claim 74, wherein during the streaming operation, the streaming data is included in the packet data portion that is to be encrypted.
  - 76. The apparatus as defined in claim 75, further comprising a key negotiating means configured to negotiate and exchange a key with the client before the streaming data is sent over the network to the client, the key enabling the client to decrypt the encrypted payload portion of the packet data for play on the client.
  - 77. The apparatus of claim 74, further comprising a client examining means configured to examine the client during a streaming session and terminate the streaming session if the client has been compromised.
  - 78. The apparatus of claim 77, wherein the packet data portion that is not encrypted includes at least one of a header, control data and routing data.
  - 79. The apparatus of claim 74, wherein during a downloading operation, the downloaded data is included in the packet data portion that is to be encrypted.
  - 80. The apparatus of claim 79, wherein the data portion that is not encrypted includes at least one of a header, control data and routing data.

81. A shim deployed on a client, the shim comprising:
- a data receiver configured to receive partially encrypted packet data transmitted to the client, wherein another device parsed the packet data into a payload portion and a non-payload portion and determined the payload portion of the packet data to be encrypted based on a format of the payload portion of the packet data, wherein the format is determined by an examination of that payload portion of the packet data to recognize a predefined data type;
  
  a parser configured to parse the partially encrypted packet data to select the payload portion of the packet data to be decrypted;
  
  a decrypter configured to decrypt the payload portion of the packet data selected for decrypting by the parser; and
  
  a data transmitter configured to send the decrypted packet data to a higher level operation resident on the client.
- View Dependent Claims (82, 83, 84, 85, 86, 87, 88, 89, 90, 91)
- - 82. The shim of claim 81, wherein an encrypted portion of the transmitted packet data includes media data, the data transmitter being further configured to send the decrypted media data to a media player resident on the client.
  - 83. The shim of claim 82, wherein the media data is streaming media transmitted to the client during a streaming session.
  - 84. The shim of claim 83, wherein the unencrypted portion of the packet data includes at least one of a header, control data and routing data.
  - 85. The shim of claim 83, further comprising an analyzer configured to analyze a behavior of the client to detect known media piracy techniques and to terminate the streaming session if a known media piracy technique is detected.
  - 86. The shim of claim 83, further comprising an analyzer configured to analyze a behavior of the client to detect suspicious client behavior and to terminate the streaming session if specific behavior is detected.
  - 87. The shim of claim 83, further comprising an analyzer configured to analyze a behavior of the client to detect known media piracy techniques and to terminate operation of at least the decrypter when a media piracy technique is detected.
  - 88. The shim of claim 83, further comprising an analyzer configured to analyze a behavior of the client to detect suspicious client behavior and to terminate the operation of at least the decrypter if suspicious behavior is detected.
  - 89. The shim of claim 83, further comprising a key negotiator configured to negotiate and exchange a key with the client before the packet data is sent over the network to the client, the key enabling the client to decrypt the encrypted portion of the packet data for play on the client.
  - 90. The shim of claim 83, wherein the streaming data is sent to the client from an encryption source, the shim further including a key negotiator configured to negotiate and exchange a key with the encryption source, the key being used by the decrypter to decrypt the encrypted portion of the packet data.
  - 91. The shim of claim 90 wherein the key negotiator is further configured to carry out the negotiating and exchanging of the key with the encryption source during the streaming session.

92. A method for providing data in packets over a network, comprising:
- determining a plurality of portions of data in a packet that includes a payload portion and a non-payload portion;
  
  determining if at least the payload portion of the plurality of portions of the packet data is to be encrypted based an examination of the payload portion, wherein the examination is to recognize a predefined data type and if the payload portion is to be encrypted, selectively encrypting the payload portion in the plurality of portions, wherein at least one other non-payload portion remains unencrypted;
  
  authenticating a client to receive the packet that includes the selectively encrypted payload portion; and
  
  transmitting the packet that includes the selectively encrypted payload portion to the authenticated client.
- View Dependent Claims (93, 94)
- - 93. The method of claim 92, wherein authenticating the client further comprises the client accepting a shim transmitted from a server that is selectively encrypting the payload portion, and wherein the shim is configured to send back a confirmation.
  - 94. The method of claim 92, wherein authenticating the client further comprises the client transmitting a self-generated certificate.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Widevine Technologies Incorporated (Alphabet Inc.)
Inventors
Robertson, Dan, Baker, Brian, Walker, Amanda, Kollmyer, Aric, Taylor, Neal, Hunsche, Dick, Kollmyer, Brad, Rutman, Mike, Shapiro, Eric, MacLean, Duncan
Primary Examiner(s)
Louis-Jacques; Jacques
Assistant Examiner(s)
Nalven; Andrew L.

Application Number

US09/656,166
Time in Patent Office

2,323 Days
Field of Search

713/160, 713/154, 380/42, 380/283, 707/9, 709/250, 709/246, 709/232
US Class Current

713/154
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 65/1101   Session protocols

H04L 65/70   Media network packetisation

H04L 65/765   intermediate

H04L 9/065   Encryption by serially and ...

H04N 21/23476   by partially encrypting, e....

H04N 21/8193   dedicated tools, e.g. video...

H04N 7/1675   Providing digital key or au...

Apparatus, system and method for selectively encrypting different portions of data sent over a network

First Claim

6 Assignments

Litigations

0 Petitions

Reexamination

Accused Products

Abstract

282 Citations

94 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus, system and method for selectively encrypting different portions of data sent over a network

First Claim

6 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Reexamination

Accused Products

Subscription Required

Abstract

282 Citations

94 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links