Method and apparatus for providing a border guard between security domains
First Claim
1. A method for defining rules and enforcing rules of transitioning a digital content between two security domains having different security requirements, the method comprising:
establishing a first security domain for receiving, from a digital content source, a transport stream comprising a digital content;
establishing a second security domain associated with devices for storage of the digital content at a receiver device, wherein the second security domain is established at the border of the first security domain and the second security domain;
wherein the digital content source can cause the digital content to be pre-positioned on the receiver device while the digital content remains in the first security domain, and the digital content source also can cause the digital content to be transmitted from the first security domain to the second security domain; and
if the digital content source causes the digital content to be pre-positioned on the receiver device while the digital content remains in the first security domain;
receiving and storing the digital content on the receiver device with transport security associated with the first security domain kept intact and with encryption associated with the first security domain kept intact;
otherwise, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain;
performing authorization for conditional access of transport stream from the first security domain;
providing a session ID for authorizing both a program and associated digital rights management (DRM) rules received with the digital content in the first security domain, and authenticating each session request received from a particular device in the second security domain for usage of the digital content;
selecting at least one rule from the DRM rules to be transmitted with the digital content;
transmitting the at least one rule with the digital content from the first security domain to the second security domain;
translating a first protection in the first security domain of the digital content and the at least one rule attached to the digital content to a second protection in the second security domain of the digital content and the at least one rule for secure delivery and locking the usage of the digital content to the particular device in the second security domain;
continuously enforcing the at least one rule during usage of the digital content in the second security domain; and
maintaining control over the usage of the digital content in the second security domain.
Abstract
The present invention discloses an apparatus and method for defining and enforcing rules of transition between two security domains, e.g., a transport domain and a persistent security domain. In turn, a border guard, e.g., a security device, is provided between these two domains that enforces rules for transition between the two security domains. This novel approach of defining a transport domain and a persistent security domain simplifies the classification of the digital content and its movement through the system. Namely, the border guard once established between the two systems can enforce DRM rules associated with how contents are moved between the two domains.
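The two paths in claim 1 (pre-positioning with the first protection intact, versus an authorized, device-locked transition) can be modeled in a few lines. This is an added illustration, not code from the patent: the class and function names, the `max_plays` rule and the SHA-256 keystream cipher are all assumptions standing in for real conditional-access and DRM mechanisms.

```python
import hashlib, hmac, json, secrets

def toy_cipher(key: bytes, data: bytes) -> bytes:
    # XOR with a SHA-256 counter keystream: a stand-in for the real CA/DRM ciphers.
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def mac(key: bytes, *parts: bytes) -> str:
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)  # length-prefixed
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class BorderGuard:  # hypothetical model of the security device between the domains
    def __init__(self, transport_key, entitled_programs, device_secrets):
        self.tk, self.entitled, self.devs = transport_key, entitled_programs, device_secrets
        self.store, self.sessions = {}, {}

    def preposition(self, program, ciphertext):
        # Content stays in the transport domain: stored with its first protection intact.
        self.store[program] = ciphertext

    def open_session(self, program, rules, selected=("max_plays",)):
        if program not in self.entitled:             # conditional-access authorization
            raise PermissionError("not entitled")
        sid = secrets.token_hex(8)                   # session ID covers program + rules
        self.sessions[sid] = (program, {k: rules[k] for k in selected})
        return sid

    def transition(self, sid, device_id, proof):
        program, rules = self.sessions[sid]
        if not hmac.compare_digest(proof, mac(self.devs[device_id], sid.encode())):
            raise PermissionError("session request not authenticated")
        dk = hashlib.sha256(self.devs[device_id] + sid.encode()).digest()  # device-locked key
        blob = toy_cipher(dk, toy_cipher(self.tk, self.store[program]))    # first -> second protection
        body = json.dumps(rules, sort_keys=True).encode()
        return {"sid": sid, "rules": rules, "blob": blob, "tag": mac(dk, body, blob)}

class Device:  # hypothetical player in the persistent (second) domain
    def __init__(self, device_id, secret):
        self.id, self.secret, self.plays = device_id, secret, {}
    def request(self, sid):
        return mac(self.secret, sid.encode())
    def play(self, lic):
        dk = hashlib.sha256(self.secret + lic["sid"].encode()).digest()
        body = json.dumps(lic["rules"], sort_keys=True).encode()
        if not hmac.compare_digest(lic["tag"], mac(dk, body, lic["blob"])):
            raise PermissionError("license not bound to this device or rules altered")
        if self.plays.get(lic["sid"], 0) >= lic["rules"]["max_plays"]:
            raise PermissionError("play limit reached")  # rule checked on every use
        self.plays[lic["sid"]] = self.plays.get(lic["sid"], 0) + 1
        return toy_cipher(dk, lic["blob"])
```

Because the rules are covered by a tag keyed to the device and session, a license copied to another device or edited to loosen a rule fails verification before any content is released.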
15 Claims
8. A non-transitory computer-readable medium having stored thereon a plurality of instructions, the plurality of instructions including instructions which, when executed by a processor, cause the processor to perform the steps of a method for defining rules and enforcing rules of transitioning a digital content between two security domains having different security requirements, comprising:
establishing a first security domain for receiving, from a digital content source, a transport stream comprising digital content;
establishing a second security domain associated with devices for storage of the digital content at a receiver device, wherein the second security domain is established at the border of the first security domain;
wherein the digital content source can cause the digital content to be pre-positioned on the receiver device while the digital content remains in the first security domain, and the digital content source also can cause the digital content to be transmitted from the first security domain to the second security domain; and
if the digital content source causes the digital content to be pre-positioned on the receiver device while the digital content remains in the first security domain;
receiving and storing the digital content on the receiver device with transport security associated with the first security domain kept intact and with encryption associated with the first security domain kept intact;
otherwise, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain;
performing authorization for conditional access of transport stream from the first security domain;
providing a session ID for authorizing both a program and associated digital rights management (DRM) rules received with the digital content in the first security domain, and authenticating each session request received from a particular device in the second security domain for usage of the digital content;
selecting at least one rule from the DRM rules to be transmitted with the digital content;
transmitting the at least one rule with the digital content from the first security domain to the second security domain;
translating a first protection in the first security domain of the digital content and the at least one rule attached to the digital content to a second protection in the second security domain of the digital content and the at least one rule for secure delivery and locking the usage of the digital content to the particular device in the second security domain;
continuously enforcing the at least one rule during usage of the digital content in the second security domain; and
maintaining control over the usage of the digital content in the second security domain.
15. A receiver device comprising a security device, the security device in a standalone mode defining and enforcing rules of transitioning a digital content between two security domains having different security requirements, the security device comprising:
means for establishing a first security domain for receiving, from a digital content source, a transport stream comprising digital content; and
means for establishing a second security domain associated with devices for storage and usage of the digital content at a receiver device;
wherein the digital content source can cause the digital content to be pre-positioned on the receiver device while the digital content remains in the first security domain, and the digital content source also can cause the digital content to be transmitted from the first security domain to the second security domain;
the receiver device further comprising;
means for receiving and storing, if the digital content source causes the digital content to be pre-positioned on the receiver device while the digital content remains in the first security domain, the digital content on the receiver device with transport security associated with the first security domain kept intact and with encryption associated with the first security domain kept intact; and
the security device further comprising;
means for performing, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain, authorization for conditional access of transport stream from the first security domain;
means for providing, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain, a session ID for authorizing both a program and associated digital rights management (DRM) rules received with the digital content in the first security domain, and authenticating each session request received from a particular device in the second security domain for usage of the digital content;
means for selecting, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain, at least one rule from the DRM rules to be transmitted with the digital content;
means for transmitting, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain, the at least one rule with the digital content from the first security domain to the second security domain;
means for translating, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain, a first protection in the first security domain of the digital content and the at least one rule attached to the digital content to a second protection in the second security domain of the digital content and the at least one rule for secure delivery and locking the usage of the digital content to the particular device in the second security domain;
means for continuously enforcing, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain, the at least one rule during usage of the digital content in the second security domain; and
means for maintaining control, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain, over the usage of the digital content in the second security domain.
Specification