Method and system for authorizing client devices to receive secured data streams

US 8,001,371 B2
Filed: 09/08/2009
Issued: 08/16/2011
Est. Priority Date: 09/26/2003
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

extracting a client key from an encrypted section of a digital certificate received at a server;

extracting an expiration timestamp by decrypting a data file associated with the digital certificate using a decryption key in the server;

sending a program key to a client after encrypting the program key using the client key;

obtaining an issuance timestamp for specific content requested by the client; and

sending the specific content, encrypted using the program key, to the client in response to the issuance timestamp being earlier than the expiration timestamp.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for authorizing client devices to receive secured data streams through the use of digital certificates embedded in the client devices. A freely distributed cryptographically signed group file with an embedded expiration date is associated with each individual digital certificate. A single group file can be associated with more than one digital certificate but each digital certificate is associated with a single group file. The group file contains cryptographic keys that can be used to decrypt a section of the digital certificate revealing a set of client keys. The client keys are then used to encrypt a program key which are then sent back to the client device. When the client device requests a specific data stream or digital content, an issuance timestamp associated with the content is compared to the expiration date in the group file. If the issuance timestamp is after the expiration date, the client device is declined. If the issuance timestamp is before the expiration date, the requested content, encrypted utilizing the program key, is sent to the client device.

24 Citations

View as Search Results

76 Claims

1. A method, comprising:
- extracting a client key from an encrypted section of a digital certificate received at a server;
  
  extracting an expiration timestamp by decrypting a data file associated with the digital certificate using a decryption key in the server;
  
  sending a program key to a client after encrypting the program key using the client key;
  
  obtaining an issuance timestamp for specific content requested by the client; and
  
  sending the specific content, encrypted using the program key, to the client in response to the issuance timestamp being earlier than the expiration timestamp.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - extracting a group identifier from an unencrypted section of the digital certificate; and
      
      utilizing the group identifier to obtain the data file associated with the digital certificate.
  - 3. The method of claim 1, further comprising:
    - searching for the data file on at least a portion of a non-volatile computer readable memory device accessible to the server; and
      
      in response to the data file not being found on the non-volatile computer readable memory device, downloading the data file from another server.
  - 4. The method of claim 3, further comprising searching for the data file on at least one of a hard drive, an optical disk, or a non-volatile semiconductor memory based device.
  - 5. The method of claim 1, further comprising downloading a newer data file in response to the expiration timestamp being a predetermined period less than a current time.
  - 6. The method of claim 1, further comprising associating the data file with at least one other digital certificate.
  - 7. The method of claim 1, further comprising determining that the decryption key came from an authorized source in response to a computed checksum of the data file being substantially similar to a checksum contained in the decrypted section of the data file.
  - 8. The method of claim 1, wherein extracting the client key or extracting the expiration timestamp includes using a public key.
  - 9. The method of claim 1, further comprising terminating the session in response to detecting tampering of the digital certificate.
  - 10. The method of claim 1, further comprising determining the digital certificate is valid in response to calculating a hash signature of the decrypted section of the digital certificate.
  - 11. The method of claim 1, wherein sending the specific content includes:
    - generating a set of one or more session keys;
      
      encrypting the set of one or more session keys using the client key; and
      
      establishing a session with the client by sending the encrypted session keys to the client.
  - 12. The method of claim 11, further comprising:
    - sending keep-alive messages, encrypted with at least one session key, to the client; and
      
      receiving keep-alive acknowledgements, encrypted with at least another session key, from the client.
  - 13. The method of claim 12, further comprising terminating the session in response to an invalid keep-alive acknowledgement being received or more than a predetermined number of the keep alive messages being sent without receiving the keep-alive acknowledgements.

14. A device, comprising:
- means for extracting a client key from an encrypted section of a digital certificate received at a server;
  
  means for extracting an expiration timestamp by decrypting a data file associated with the digital certificate using a decryption key in the server;
  
  means for sending a program key to a client after encrypting the program key using the client key;
  
  means for obtaining an issuance timestamp for specific content requested by the client; and
  
  means for sending the specific content, encrypted using the program key, to the client in response to the issuance timestamp being earlier than the expiration timestamp.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The device of claim 14, further comprising:
    - means for extracting a group identifier from an unencrypted section of the digital certificate; and
      
      means for obtaining the data file associated with the digital certificate using the group identifier.
  - 16. The device of claim 14, further comprising:
    - means for searching for the data file on at least a portion of a non-volatile computer readable memory device accessible to the server; and
      
      in response to the data file not being found on the non-volatile computer readable memory device, means for downloading the data file from another server.
  - 17. The device of claim 16, further comprising means for searching for the data file on at least one of a hard drive, an optical disk, or a non-volatile semiconductor memory based device.
  - 18. The device of claim 14, further comprising means for downloading a newer data file in response to the expiration timestamp being a predetermined period less than a current time.
  - 19. The device of claim 14, further comprising means for associating the data file with at least one other digital certificate.
  - 20. The device of claim 14, further comprising means for determining that the decryption key came from an authorized source in response to a computed checksum of the data file being substantially similar to a checksum contained in the decrypted section of the data file.
  - 21. The device of claim 14, wherein the means for extracting the client key or the means for extracting the expiration timestamp operate in response to a public key.
  - 22. The device of claim 14, further comprising means for detecting tampering of the digital certificate.
  - 23. The device of claim 14, further comprising means for determining the digital certificate is valid in response to calculating a hash signature of the decrypted section of the digital certificate.
  - 24. The device of claim 14, wherein the means for sending the specific content includes:
    - means for generating a set of one or more session keys;
      
      means for encrypting the set of one or more session keys using the client key; and
      
      means for establishing a session with the client by sending the encrypted session keys to the client.
  - 25. The device of claim 24, further comprising:
    - means for sending keep-alive messages, encrypted with at least one session key, to the client; and
      
      means for receiving keep-alive acknowledgements, encrypted with at least another session key, from the client.
  - 26. The device of claim 25, further comprising terminating the session in response to an invalid keep-alive acknowledgement being received or more than a predetermined number of the keep alive messages being sent without receiving the keep-alive acknowledgements.

27. An article of manufacture including a computer-readable medium having instructions stored thereon that, in response to execution by a computing device, cause the computing device to perform operations comprising:
- extracting a client key from an encrypted section of a digital certificate received at a server;
  
  extracting an expiration timestamp by decrypting a data file associated with the digital certificate using a decryption key in the server;
  
  sending a program key to a client after encrypting the program key using the client key;
  
  obtaining an issuance timestamp for specific content requested by the client; and
  
  sending the specific content, encrypted using the program key, to the client in response to the issuance timestamp being earlier than the expiration timestamp.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 28. The article of claim 27, wherein the operations further comprise:
    - extracting a group identifier from an unencrypted section of the digital certificate; and
      
      utilizing the group identifier to obtain the data file associated with the digital certificate.
  - 29. The article of claim 27, wherein the operations further comprise:
    - searching for the data file on a memory device accessible to the server; and
      
      in response to the data file not being found on the memory device, downloading the data file from another server.
  - 30. The article of claim 27, wherein the operations further comprise searching for the data file on at least one of a hard drive, an optical disk, or a non-volatile memory device.
  - 31. The article of claim 27, wherein the operations further comprise downloading a newer data file in response to the expiration timestamp being a predetermined period less than a current time.
  - 32. The article of claim 27, wherein the operations further comprise associating the data file with at least one other digital certificate.
  - 33. The article of claim 27, wherein the operations further comprise determining that the decryption key came from an authorized source in response to a computed checksum of the data file being substantially similar to a checksum contained in the decrypted section of the data file.
  - 34. The article of claim 27, wherein the operations further comprise terminating the session in response to detecting tampering of the digital certificate.
  - 35. The article of claim 27, wherein the decryption key is embedded in software running on the server.
  - 36. The article of claim 27, wherein the operations further comprise determining the digital certificate is valid in response to calculating a hash signature of the decrypted section of the digital certificate.
  - 37. The article of claim 27, wherein sending the specific content includes:
    - generating a set of one or more session keys;
      
      encrypting the set of one or more session keys using the client key; and
      
      establishing a session with the client by sending the encrypted session keys to the client.
  - 38. The article of claim 37, wherein the operations further comprise:
    - sending keep-alive messages, encrypted with at least one session key, to the client; and
      
      receiving keep-alive acknowledgements, encrypted with at least another session key, from the client.
  - 39. The article of claim 38, wherein the operations further compriseterminating the session in response to an invalid keep-alive acknowledgement being received or more than a predetermined number of the keep alive messages being sent without receiving the keep-alive acknowledgements.

40. A server, comprising:
- a memory configured to store program code; and
  
  a processor configured to execute the stored program code to;
  
  extract a client key from an encrypted section of a digital certificate received at the server;
  
  extract an expiration timestamp by decrypting a data file associated with the digital certificate using a decryption key stored in the memory of the server;
  
  transmit a program key to a client after encrypting the program key using the client key;
  
  obtain an issuance timestamp for specific content requested by the client; and
  
  transmit the specific content, encrypted using the program key, to the client in response to the issuance timestamp being earlier than the expiration timestamp.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 41. The server of claim 40, wherein the processor is further configured to execute the stored program code to:
    - extract a group identifier from an unencrypted section of the digital certificate; and
      
      use the group identifier to obtain the data file associated with the digital certificate.
  - 42. The server of claim 40, wherein the processor is further configured to execute the stored program code to:
    - search for the data file on a memory device accessible to the server; and
      
      in response to the data file not being found on the non-volatile computer readable memory device, download the data file from another server.
  - 43. The server of claim 42, wherein the processor is further configured to execute the stored program code to search for the data file on at least one of a hard drive, an optical disk, or a non-volatile semiconductor memory based device.
  - 44. The server of claim 40, wherein the processor is further configured to download a newer data file in response to the expiration timestamp being a predetermined period less than a current time.
  - 45. The server of claim 40, wherein the processor is further configured to associate the data file with at least one other digital certificate.
  - 46. The server of claim 40, wherein the processor is further configured to determine that the decryption key came from an authorized source in response to a computed checksum of the data file being substantially similar to a checksum contained in the decrypted section of the data file.
  - 47. The server of claim 40, wherein the processor is further configured to extract the client key or extract the expiration timestamp includes using a public key.
  - 48. The server of claim 40, wherein the processor is further configured to terminate the session in response to detecting tampering of the digital certificate.
  - 49. The server of claim 40, wherein the processor is further configured to determine the digital certificate is valid in response to calculating a hash signature of the decrypted section of the digital certificate.
  - 50. The server of claim 40, wherein the processor is further configured to:
    - generate a set of one or more session keys;
      
      encrypt the set of one or more session keys using the client key; and
      
      establish a session with the client by sending the encrypted session keys to the client.
  - 51. The server of claim 50, wherein the processor is further configured to:
    - send keep-alive messages, encrypted with at least one session key, to the client; and
      
      receive keep-alive acknowledgements, encrypted with at least another session key, from the client.
  - 52. The server of claim 51, wherein the processor is further configured to terminate the session in response to an invalid keep-alive acknowledgement being received or more than a predetermined number of the keep alive messages being sent without receiving the keep-alive acknowledgements.

53. A method, comprising:
- transmitting, to a server, a digital certificate including an encrypted section having a client key;
  
  receiving, from the server, a program key encrypted using the client key;
  
  transmitting, to the server, a request for content encrypted using the program key; and
  
  receiving, from the server, the content encrypted using the program key in response to an issuance timestamp being earlier than an expiration timestamp;
  
  wherein the request for content includes the issuance timestamp; and
  
  wherein the expiration timestamp is configured to be decrypted from a digital file associated with the digital certificate using a decryption key.
- View Dependent Claims (54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64)
- - 54. The method of claim 53,wherein the digital certificate includes a group identifier;
    - andwherein the group identifier is configured to be used to decrypt the digital file.
  - 55. The method of claim 53,wherein at least a portion of the digital file is configured to be downloaded by the server from another server.
  - 56. The method of claim 53,wherein a newer data file is configured to downloaded by the server in response to the expiration timestamp being a predetermined time less than a current time.
  - 57. The method of claim of 53,wherein the data file is configured to be associated with at least one other digital certificate.
  - 58. The method of claim 53,wherein the decryption key is configured to be deemed from an authorized source in response to a computed checksum of the data file being substantially similar to a checksum contained in a decrypted section of the data file.
  - 59. The method of claim 53,wherein the expiration timestamp is configured to be decrypted from the digital file using a public key.
  - 60. The method of claim 53,wherein the digital certificate is configured to be deemed valid in response to calculating a hash signature of a decrypted section of the digital certificate.
  - 61. The method of claim 53, further comprising receiving, from the server, a set of one or more session keys encrypted using the client key.
  - 62. The method of claim 61, further comprising:
    - receiving, from the server, keep-alive messages encrypted with at least one session key; and
      
      transmitting, to the server, keep-alive acknowledgements encrypted with at least another session key.
  - 63. The method of claim 62, further comprising terminating a session in response to an invalid keep-alive message from the server.
  - 64. The method of claim 53, further comprising terminating a session in response to detecting tampering of the digital certificate.

65. A client, comprising:
- a memory configured to store program code; and
  
  a processor configured to execute the stored program code to;
  
  transmit, to a server, a digital certificate including an encrypted section having a client key;
  
  receive, from the server, a program key encrypted using the client key;
  
  transmit, to the server, a request for content encrypted using the program key; and
  
  receive, from the server, the content encrypted using the program key in response to an issuance timestamp being earlier than an expiration timestamp;
  
  wherein the request for content includes the issuance timestamp; and
  
  wherein the expiration timestamp is configured to be decrypted from a digital file associated with the digital certificate using a decryption key.
- View Dependent Claims (66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76)
- - 66. The client of claim 65,wherein the digital certificate includes a group identifier;
    - andwherein the group identifier is configured to be used to decrypt the digital file.
  - 67. The client of claim 65,wherein at least a portion of the digital file is configured to be downloaded by the server from another server.
  - 68. The client of claim 65,wherein a newer data file is configured to downloaded by the server in response to the expiration timestamp being a predetermined time less than a current time.
  - 69. The client of claim 65,wherein the data file is configured to be associated with at least one other digital certificate.
  - 70. The client of claim 65,wherein the decryption key is configured to be deemed from an authorized source in response to a computed checksum of the data file being substantially similar to a checksum contained in a decrypted section of the data file.
  - 71. The client of claim 65,wherein the expiration timestamp is configured to be decrypted from the digital file using a public key.
  - 72. The client of claim 65,wherein the digital certificate is configured to be deemed valid in response to calculating a hash signature of a decrypted section of the digital certificate.
  - 73. The client of claim 65, further comprising receiving, from the server, a set of one or more session keys encrypted using the client key.
  - 74. The client of claim 73, further comprising:
    - receiving, from the server, keep-alive messages encrypted with at least one session key; and
      
      transmitting, to the server, keep-alive acknowledgements encrypted with at least another session key.
  - 75. The client of claim 74, further comprising terminating a session in response to an invalid keep-alive message from the server.
  - 76. The client of claim 65, further comprising terminating a session in response to detecting tampering of the digital certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lee Capital LLC (Intellectual Ventures LLC)
Original Assignee
Lee Capital LLC (Intellectual Ventures LLC)
Inventors
Langer, Randy
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Wyszynski; Aubrey H

Application Number

US12/555,748
Publication Number

US 20100023759A1
Time in Patent Office

707 Days
Field of Search

713/156, 726/10
US Class Current

713/156
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/065   for group communications cr...

H04L 63/0823   using certificates cryptogr...

H04L 63/126   the source of the received ...

H04L 9/0833   involving conference or gro...

H04L 9/302   involving the integer facto...

H04L 9/3263   involving certificates, e.g...

H04L 9/3297   involving time stamps, e.g....

Method and system for authorizing client devices to receive secured data streams

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

76 Claims

Specification

Use Cases

Quick Links

Others

Method and system for authorizing client devices to receive secured data streams

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

76 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others