Method, apparatus and system for use in distributed and parallel decryption

US 8,103,004 B2
Filed: 08/18/2004
Issued: 01/24/2012
Est. Priority Date: 10/03/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for use in decrypting content, comprising:

receiving a first content key at a first system for the decryption of a first track of encrypted content;

encrypting the first content key according to a first instance key stored at the first system producing a first encrypted content key;

communicating the first encrypted content key over an externally accessible communication link to a second system;

generating the first instance key at the second system from both a master key and a first key generation indicator value, such that the first instance key is not communicated to the second system;

where the master key is recorded at the second system prior to the second system being coupled with the externally accessible communication link and prior to the second system receiving the first encrypted content key;

where the first key generation indicator value is stored at the second system prior to receiving the first encrypted content key;

wherein the generating the first instance key at the second system comprises;

the second system accessing the master key and the first key generation indicator value;

the second system receiving, from the first system, a verification value;

the second system verifying that the first key generation indicator value corresponds with the verification value;

generating, when the first key generation indicator value is verified, the first instance key at the second system as the function of both the first key generation indicator value and the master key;

altering, at the second system without further communication from the first system, the key generation indicator value when the key generation indicator value is not verified;

verifying, at the second system, the altered key generation indicator value corresponds the verification value; and

generating, when the altered key generation indicator value is verified and when the first key generation indicator value is not verified, the first instance key at the second system as a function of both the altered key generation indicator value and the master key stored at the second system;

decrypting the first encrypted content key using the generated first instance key at the second system providing a first unencrypted content key; and

decrypting the first track of encrypted content using the first unencrypted content key at the second system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present embodiments advantageously provide methods and systems for use in decrypting content, and in some preferred embodiments expanding a security environment to distribute the computational processing involved in decryption. In some embodiments, a method for use in decrypting content is provided that receives a first content key at a first system for the decryption of a first track of encrypted content; encrypts the first content key according to a first instance key known at the first system; communicates the first encrypted content key over an externally accessible communication link to a second system; generates the first instance key at the second system independent of the first system; decrypts the first encrypted content key using the generated first instance key at the second system; and decrypts the first track of encrypted content using the first unencrypted content key at the second system.

23 Citations

View as Search Results

17 Claims

1. A method for use in decrypting content, comprising:
- receiving a first content key at a first system for the decryption of a first track of encrypted content;
  
  encrypting the first content key according to a first instance key stored at the first system producing a first encrypted content key;
  
  communicating the first encrypted content key over an externally accessible communication link to a second system;
  
  generating the first instance key at the second system from both a master key and a first key generation indicator value, such that the first instance key is not communicated to the second system;
  
  where the master key is recorded at the second system prior to the second system being coupled with the externally accessible communication link and prior to the second system receiving the first encrypted content key;
  
  where the first key generation indicator value is stored at the second system prior to receiving the first encrypted content key;
  
  wherein the generating the first instance key at the second system comprises;
  
  the second system accessing the master key and the first key generation indicator value;
  
  the second system receiving, from the first system, a verification value;
  
  the second system verifying that the first key generation indicator value corresponds with the verification value;
  
  generating, when the first key generation indicator value is verified, the first instance key at the second system as the function of both the first key generation indicator value and the master key;
  
  altering, at the second system without further communication from the first system, the key generation indicator value when the key generation indicator value is not verified;
  
  verifying, at the second system, the altered key generation indicator value corresponds the verification value; and
  
  generating, when the altered key generation indicator value is verified and when the first key generation indicator value is not verified, the first instance key at the second system as a function of both the altered key generation indicator value and the master key stored at the second system;
  
  decrypting the first encrypted content key using the generated first instance key at the second system providing a first unencrypted content key; and
  
  decrypting the first track of encrypted content using the first unencrypted content key at the second system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 16, 17)
- - 2. The method of claim 1, further comprising:
    - receiving a second content key at the first system for the decryption of a second track of encrypted content;
      
      encrypting the second content key according to the first instance key stored at the first system producing a second encrypted content key;
      
      communicating the second encrypted content key over the communication link to the second system;
      
      decrypting the second encrypted content key using the generated first instance key at the second system providing a second unencrypted content key; and
      
      simultaneously decrypting, at the second system, the second track of encrypted content using the second unencrypted content key at the second system while decrypting the first track of encrypted content using the first unencrypted content key at the second system.
  - 3. The method of claim 1, further comprising:
    - renewing the first system including receiving a second instance key;
      
      encrypting a third content key at the first system according to the second instance key producing a third encrypted content key;
      
      communicating the third encrypted content key over the communication link to the second system;
      
      notifying the second system of the renewing of the first system;
      
      identifying, at the second system, a second key generation indicator value;
      
      generating, in response to the notifying the second system, the second instance key at the second system as a function of both the master key and the second key generation indicator value;
      
      decrypting the third encrypted content key using the generated second instance key at the second system providing a third unencrypted content key; and
      
      decrypting of a third track of encrypted content using the third unencrypted content key at the second system.
  - 4. The method of claim 3, further comprising:
    - preventing the use of the first instance key at the second system following the generation of the second instance key at the second system.
  - 5. The method of claim 3, wherein the notifying the second system of the renewing of the first system comprises communicating a new verification value to the second system where the new verification value is different than a the verification value;
    - andthe generating the second instance key at the second system comprises;
      
      verifying that the second key generation indicator value corresponds with the new verification value; and
      
      generating the second instance key, when the second key generation indicator value corresponds with the new verification value, as a function of both the master key and the second key generation indicator value.
  - 6. The method of claim 1, further comprising:
    - determining that a first time period has expired; and
      
      preventing the decryption at the second system with the first unencrypted content key of a remaining portion of the first track that is still encrypted when the first time period has expired.
  - 7. The method of claim 6, wherein the communicating the first encrypted content key further comprises communicating a first lifetime of the first content key such that the determining that the first time period has expired comprises determining the first lifetime of the first content key has expired;
    - andcommunicating a second lifetime of the first content key to the second system such that the second system again allows decryption at the second system with the first unencrypted content key of at least some of the remaining portion of the first track that was encrypted when the first time period expired.
  - 16. The method of claim 1, further comprising:
    - generating, at the second system, a challenge message prior to receiving the first encrypted content key;
      
      storing, at the second system, at least a portion of the challenge message;
      
      forwarding, from the second system to the first system, the challenge message;
      
      receiving, at the second system from the first system, a response to the challenge message comprising the first encrypted content key and a challenge verification parameter;
      
      extracting, at the second system, the challenge verification parameter from the communication received from the first system;
      
      altering, at the second system, the at least the portion of the stored challenge message;
      
      determining, at the second system, whether the altered portion of the challenge message corresponds to the challenge verification parameter; and
      
      implementing the decrypting of the first encrypted content key when the altered portion of the challenge message corresponds to the challenge verification parameter.
  - 17. The method of claim 16, wherein the generating the challenge message comprises generating a non-zero challenge value;
    - wherein the storing the at least the portion of the challenge message comprises;
      
      storing, when the first key generation indicator value is verified, the challenge value associated with a slot; and
      
      storing a zero value, and not the challenge value, in response to determining that the first key generation indicator value is not verified; and
      
      ignoring, at the second system when the zero value does not correspond to the challenge verification parameter, the received first encrypted content key and not allowing the decrypting of the first encrypted content key.

8. A method for use in decrypting content, comprising:
- receiving, at a first device coupled with a communication link, a first encrypted content key, wherein the first encrypted content key is encrypted by an external system using a first instance key;
  
  where the first encrypted content key is received over the communication link;
  
  the external system is external to the first device; and
  
  where communications over the communication link are accessible by one or more additional devices;
  
  generating the first instance key within the first device such that the first instance key is not communicated to the first device, wherein the generating the first instance key comprises;
  
  accessing a master key stored within the first device, where the master key is stored within the first device prior to the first device being coupled with the communication link and prior to the first device receiving the first encrypted content key;
  
  accessing a key generation indicator value stored within the first device, where the key generation indicator value is stored within the first device prior to the first device receiving the first encrypted content key;
  
  receiving, from the external system, a verification value;
  
  verifying the key generation indicator value corresponds with the verification value; and
  
  generating, when the key generation indicator value is verified, the first instance key as a function of both the master key and the key generation indicator value;
  
  adjusting, at the first device and without further communication from the external system, the key generation indicator value when the key generation indicator value is not verified providing an adjusted key generation indicator value;
  
  verifying, at the first device, that the adjusted key generation indicator value corresponds with the verification value; and
  
  generating, when the adjusted key generation indicator value is verified, the first instance key at the first device as a function of both the adjusted key generation indicator value and the master key stored at the first device;
  
  decrypting, at the first device, the first encrypted content key using the generated first generated instance key;
  
  extracting, at the first device, a first content key through the decryption of the first encrypted content key; and
  
  decrypting, at the first device, a first track of encrypted content with the first content key.
- View Dependent Claims (9)
- - 9. The method of claim 8, further comprising:
    - preventing further decryption, at the first device, with the first instance key generated from the key generation indictor value and the master key when the key generation indicator value is not verified.

10. A system comprising:
- a main system coupled with a network to receive a first content key;
  
  a sub-system;
  
  a communication link coupled between the main system and sub-systems;
  
  the main system comprising a first instance key and an encryption circuit such that the encryption circuit encrypts the first content key with the first instance key to produce a first encrypted content key, and the main system communicates the first encrypted content key and further communicates a validation value to the sub-system over the communication link; and
  
  the sub-system comprises a first slot, a decryption circuit coupled with the first slot, an instance key generator coupled with the decryption circuit, a master key, and a counter that provides a first key generation indicator value,wherein the master key is stored at the sub-system prior to the main system receiving the first encryption content key;
  
  wherein the sub-system stores the first encrypted content key in the first slot;
  
  wherein the instance key generator generates, upon validating the first key generation indicator value relative to the validation value, a first generated instance key as a function of both the master key and the first key generation indicator value;
  
  wherein the counter provides an adjusted first key generation indicator value when the first key generator indicator value is not validated, and the instance key generator generates an adjusted first generated instance key as a function of both the master key and the adjusted first key generation indicator value upon validating the adjusted first key generation indicator value relative to the validation value;
  
  wherein the first generated instance key is identical to the first instance key of the main system; and
  
  wherein the decryption circuit decrypts the first encrypted content key with the first generated instance key retrieving the first content key and decrypts at least a portion of a first track of encrypted content using the first content key.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the communication link is a user accessible bus.
  - 12. The system of claim 10, wherein the sub-system further comprises a digital signal processor coupled with the decryption circuit, wherein the digital signal processor receives the decrypted first content from the decryption circuit and renders the first content from the sub-system.
  - 13. The system of claim 10, wherein the sub-system further comprises a second slot such that the sub-system stores a second encrypted content key in the second slot, the instance key generator generates a second generated instance key as a function of the master key and a second key generation indicator value, and the decryption circuit decrypts the second encrypted content key with the second generated instance key retrieving the unencrypted second content key and decrypts at least a portion of a second track of encrypted content using the unencrypted second content key.
  - 14. The system of claim 10, wherein the main system further receives a second instance key replacing the first instance key, and further receives a second content key, such that the encryption circuit encrypts the second content key with the second instance key to produce a second encrypted content key, and the main system communicates the second encrypted content key and a new verification value to the sub-system over the communication link;
    - andthe instance key generator generates a second generated instance key as a function of the master key and a further adjusted first key generation indicator value, when the further adjusted key generation indicator value is verified relative to the new verification value, such that the second generated instance key is identical to the second instance key of the main system, and the decryption circuit decrypts the second encrypted content key with the second generated instance key retrieving the unencrypted second content key and decrypts second encrypted content using the unencrypted second content key.
  - 15. The system of claim 14, wherein the decryption circuit prevents further decryption using the first generated instance key following the generation of the second generated instance key, and prevents the further use of the first key generation indicator value in the generation of instance keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sony Corporation (Sony Group Corp.), Sony Electronics Inc. (Sony Group Corp.)
Original Assignee
Sony Corporation (Sony Group Corp.), Sony Electronics Inc. (Sony Group Corp.)
Inventors
Chavanne, Pierre, Steele, Oscar, Kawamoto, Yoji, Swenson, Eric
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Teslovich, Tamara

Application Number

US10/921,498
Publication Number

US 20050074125A1
Time in Patent Office

2,715 Days
Field of Search

380/277, 380/281, 726/26, 726/27, 726/28, 726/29, 726/30
US Class Current

380/281
CPC Class Codes

G06F 21/10   Protecting distributed prog...

H04L 2209/603   Digital right managament [DRM]

H04L 2463/062   applying encryption of the ...

H04L 2463/101   applying security measures ...

H04L 63/0428   wherein the data content is...

H04L 9/0822   using key encryption key

H04L 9/0891   Revocation or update of sec...

Method, apparatus and system for use in distributed and parallel decryption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method, apparatus and system for use in distributed and parallel decryption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links