Data communications

US 7,209,560 B1
Filed: 12/15/1998
Issued: 04/24/2007
Est. Priority Date: 12/19/1997
Status: Expired due to Fees

First Claim

Patent Images

1. A method of distributing digitally encoded data, comprising:

a) dividing said data into a multiplicity of frames,b) encrypting said frames,c) distributing multiple copies of the said data frames to a multiplicity of users, each frame being distributed with a control field,d) communicating a seed value for key generation to respective secure modules located at each of the multiplicity of users,e) decrypting the data frames at respective users using keys derived from the seed value communicated to the secure module, the secure module being arranged to enable decryption of a respective frame only when said control field has been passed to the secure module,f) passing a control message, for modifying and controlling the availability of keys, in the control field to the secure module at a selected one or more users, andg) at the secure module of the or each selected user, in response to the said control message, controlling the availability of keys generated from the said seed value, thereby controlling access by the users to the said data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a data communications system a remote data source outputs data as a series of application data units (ADUs). Each ADU is individually encrypted with a different key. The keys are transmitted (for example using Internet multicasting) via a communications network to one or more customer terminals. At the terminals a sequence of keys is generated for use in decrypting the ADUs. A record is kept of the keys generated, and this record may subsequently be used to generate a receipt for the data received by the customer. The keys may be generated, and the record stored within a secure module such as a smartcard.

61 Citations

View as Search Results

25 Claims

1. A method of distributing digitally encoded data, comprising:
- a) dividing said data into a multiplicity of frames,b) encrypting said frames,c) distributing multiple copies of the said data frames to a multiplicity of users, each frame being distributed with a control field,d) communicating a seed value for key generation to respective secure modules located at each of the multiplicity of users,e) decrypting the data frames at respective users using keys derived from the seed value communicated to the secure module, the secure module being arranged to enable decryption of a respective frame only when said control field has been passed to the secure module,f) passing a control message, for modifying and controlling the availability of keys, in the control field to the secure module at a selected one or more users, andg) at the secure module of the or each selected user, in response to the said control message, controlling the availability of keys generated from the said seed value, thereby controlling access by the users to the said data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. A method according to claim 1, in which each data frame includes a frame identity field, and each key generated by the secure module is specific to one frame identified by the said field.
  - 3. A method according to claim 1, in which the step of distributing multiple copies of the said data comprises multicasting packets of data via a communications network to the plurality of users.
  - 4. A method according to claim 1, in which the control message is distributed with a data frame to the multiplicity of users, a user identity field identifying a selected user or group of users is included in the control message, and the control message is acted on only by the user or group of users identified by the said user identity field.
  - 5. A method according to claim 1, in which the control message includes a stop flag, and in response to the stop flag the generation of keys at the or each selected user is stopped.
  - 6. A method according to claim 1, including returning a response signal from the secure module to the source of the control message.
  - 7. A method according to claim 6, in which the control message includes a contact sender flag, and the step of returning a response signal from the secure module is carried out when the contact sender flag is set.
  - 8. A method according to claim 6, including transmitting a further control message to the user on receipt of the said response signal.
  - 9. A customer terminal for use in a method according to claim 1, the customer terminal comprising:
    - a) a data interface for connection to a data communications channel;
      
      b) a key generator programmed to generate from a seed value keys for use in decrypting data frames;
      
      c) decryption means connected to the data interface and the key generator and arranged to decrypt data frames received via the data interface; and
      
      d) key control means connected to the key generator, the key control means comprising;
      
      an interface for receiving control fields; and
      
      control means arrange to only release keys for decrypting those respective data frames received with a control field;
      
      the control means being arranged to in response to control messages in the control fields, control the availability to the user keys generated from the seed value.
  - 10. A data server for use in method according to claim 1, the data server comprising:
    - a) a data interface for connection to a data communications channel;
      
      b) means for outputting encrypted data frames with control fields via the data interface onto the communications channel for receipt by a multiplicity of customer terminals;
      
      c) means for outputting the control fields having control messages onto a data communications channel for controlling the operation of key generators at customer terminals.
  - 11. A method according to claim 1, including generating keys from the seed value by iterated operations on the seed value by selected ones of a plurality of predetermined functions.
  - 12. A method according to claim 1, including applying different characteristic variations to data decrypted at different respective customer terminals.
  - 13. A method according to claim 1, including a plurality of remote data sources, each outputting a respective plurality of frames.
  - 14. A method according to claim 13, in which the customer terminal receives a primary seed value common to different respective data streams from the plurality of data sources, and derives from the common primary key a plurality of different respective secondary seed values for decrypting frames from different respective data sources.
  - 15. A method according to claim 14, in which data received from different data sources includes different respective source identity values, and the respective secondary seed value is generated from the primary seed value by modifying the primary seed value with the source identity value.
  - 16. A method according to claim 1, in which each data frame includes a frame type field.
  - 17. A method according to claim 16, including storing a receipt including data from the frame type field.
  - 18. A method as in claim 1, wherein the control message received by the secure module causes the secure module to cease releasing keys.
  - 19. A method as in claim 1, wherein each of the frames is encrypted with a different key.

20. A method of operating a customer terminal in a data communications system, the method comprising:
- a) receiving at the customer terminal a multiplicity of encrypted data frames, each with a control field;
  
  b) receiving at the customer terminal a seed value for key generation;
  
  c) passing the said seed value for key generation to a secure module located at the customer terminal;
  
  d) generating in the secure module using the seed value keys for the decryption of data frames;
  
  e) decrypting using the said keys only those respective data frames for which a control field has been received;
  
  f) passing to the said secure module a control message received in the control field; and
  
  g) in response to the said control message, controlling the availability of keys generated using the said seed value and thereby controlling access by the user of the customer terminal to data received at the customer terminal.
- View Dependent Claims (21, 22)
- - 21. A method as in claim 20, wherein the control message received by the secure module causes the secure module to cease releasing keys.
  - 22. A method as in claim 20, wherein each of the frames is encrypted with a different key.

23. A data communications system comprisinga) a remote data source arranged to output a plurality of frames;
- b) encryption means for encrypting the plurality of frames with different respective keys;
  
  c) a communications channel arranged to distribute multiple copies of the encrypted data frames, each with a control field;
  
  d) a multiplicity of customer terminals arranged to receive from the communications channel respective copies of the encrypted data frames with the control fields;
  
  e) a key generator located at a customer terminal and programmed to generate from a seed value keys for use in decrypting data frames;
  
  f) key control means connected to the key generator, the key control means comprising;
  
  an interface for receiving the control fields; and
  
  control means arranged to only release keys for decrypting those respective frames for which a control field is received and being arranged to, in response to the said control messages in the control fields, control the availability to the user of keys generated from the seed value; and
  
  g) decryption means connected to the key generator and arrange to decrypt the data frames received at the customer terminal from the communications channel.
- View Dependent Claims (24, 25)
- - 24. A data communications system according to claim 23, in which the communications channel is a packet-switched data network.
  - 25. A data communications system as in claim 23, wherein the control message received by the key control means causes the key control means to cease releasing keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
British Telecommunications PLC (BT Group PLC)
Original Assignee
British Telecommunications PLC (BT Group PLC)
Inventors
Briscoe, Robert J, Fairman, Ian R
Primary Examiner(s)
Barrón, Jr.; Gilberto
Assistant Examiner(s)
TRUVAN, LEYNNA THANH

Application Number

US09/555,929
Time in Patent Office

3,052 Days
Field of Search

713200-201, 713160-161, 713/165, 713/170, 380/201, 380/203, 380228-229, 380/232, 380/235, 380/255, 380/262, 709/226, 709/217, 709/233, 235/384, 726/2, 726/5, 726/18, 726/27
US Class Current

380/255
CPC Class Codes

G06F 21/109   by using specially-adapted ...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2221/2135   Metering

H04L 12/18   for broadcast or conference...

H04L 2209/60   Digital content management,...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/168   above the transport layer

H04L 9/0877   using additional device, e....

Data communications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Data communications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links