Method and apparatus for providing a border guard between security domains

US 8,156,560 B2
Filed: 12/30/2004
Issued: 04/10/2012
Est. Priority Date: 12/30/2004
Status: Active Grant

First Claim

Patent Images

1. A method for defining rules and enforcing rules of transitioning a digital content between two security domains having different security requirements, the method comprising:

establishing a first security domain for receiving, from a digital content source, a transport stream comprising a digital content;

establishing a second security domain associated with devices for storage of the digital content at a receiver device, wherein the second security domain is established at the border of the first security domain and the second security domain;

wherein the digital content source can cause the digital content to be pre-positioned on the receiver device while the digital content remains in the first security domain, and the digital content source also can cause the digital content to be transmitted from the first security domain to the second security domain; and

if the digital content source causes the digital content to be pre-positioned on the receiver device while the digital content remains in the first security domain;

receiving and storing the digital content on the receiver device with transport security associated with the first security domain kept intact and with encryption associated with the first security domain kept intact;

otherwise, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain;

performing authorization for conditional access of transport stream from the first security domain;

providing a session ID for authorizing both a program and associated digital rights management (DRM) rules received with the digital content in the first security domain, and authenticating each session request received from a particular device in the second security domain for usage of the digital content;

selecting at least one rule from the DRM rules to be transmitted with the digital content;

transmitting the at least one rule with the digital content from the first security domain to the second security domain;

translating a first protection in the first security domain of the digital content and the at least one rule attached to the digital content to a second protection in the second security domain of the digital content and the at least one rule for secure delivery and locking the usage of the digital content to the particular device in the second security domain;

continuously enforcing the at least one rule during usage of the digital content in the second security domain; and

maintaining control over the usage of the digital content in the second security domain.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention discloses an apparatus and method for defining and enforcing rules of transition between two security domains, e.g., a transport domain and a persistent security domain. In turn, a border guard, e.g., a security device, is provided between these two domains that enforce rules for transition between the two security domains. This novel approach of defining a transport domain and a persistent security domain simplifies the classification of the digital content and its movement through the system. Namely, the border guard once established between the two systems can enforce DRM rules associated with how contents are moved between the two domains.

18 Citations

View as Search Results

15 Claims

1. A method for defining rules and enforcing rules of transitioning a digital content between two security domains having different security requirements, the method comprising:
- establishing a first security domain for receiving, from a digital content source, a transport stream comprising a digital content;
  
  establishing a second security domain associated with devices for storage of the digital content at a receiver device, wherein the second security domain is established at the border of the first security domain and the second security domain;
  
  wherein the digital content source can cause the digital content to be pre-positioned on the receiver device while the digital content remains in the first security domain, and the digital content source also can cause the digital content to be transmitted from the first security domain to the second security domain; and
  
  if the digital content source causes the digital content to be pre-positioned on the receiver device while the digital content remains in the first security domain;
  
  receiving and storing the digital content on the receiver device with transport security associated with the first security domain kept intact and with encryption associated with the first security domain kept intact;
  
  otherwise, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain;
  
  performing authorization for conditional access of transport stream from the first security domain;
  
  providing a session ID for authorizing both a program and associated digital rights management (DRM) rules received with the digital content in the first security domain, and authenticating each session request received from a particular device in the second security domain for usage of the digital content;
  
  selecting at least one rule from the DRM rules to be transmitted with the digital content;
  
  transmitting the at least one rule with the digital content from the first security domain to the second security domain;
  
  translating a first protection in the first security domain of the digital content and the at least one rule attached to the digital content to a second protection in the second security domain of the digital content and the at least one rule for secure delivery and locking the usage of the digital content to the particular device in the second security domain;
  
  continuously enforcing the at least one rule during usage of the digital content in the second security domain; and
  
  maintaining control over the usage of the digital content in the second security domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said first security domain is a transport domain.
  - 3. The method of claim 2, wherein said second security domain is a persistent security domain.
  - 4. The method of claim 1, wherein said translating is performed by a border guard in the receiver device, wherein the border guard further comprises a security device, further wherein the security device comprises an application specific integrated circuit (ASIC).
  - 5. The method of claim 4, wherein said border guard enforces said at least one rule associated with how an associated content of the digital content is moved between said first and second domains.
  - 6. The method of claim 5, wherein said at least one rule is specified by a source of said associated content and is enforced by said border guard.
  - 7. The method of claim 5, further comprising:
    - employing a portable renewable security card, where said border guard operates cooperatively with said portable renewable security card for enforcing said at least one rule for transition between said first and second security domains.

8. A non-transitory computer-readable medium having stored thereon a plurality of instructions, the plurality of instructions including instructions which, when executed by a processor, cause the processor to perform the steps of a method for defining rules and enforcing rules of transitioning a digital content between two security domains having different security requirements, comprising:
- establishing a first security domain for receiving, from a digital content source, a transport stream comprising digital content;
  
  establishing a second security domain associated with devices for storage of the digital content at a receiver device, wherein the second security domain is established at the border of the first security domain;
  
  wherein the digital content source can cause the digital content to be pre-positioned on the receiver device while the digital content remains in the first security domain, and the digital content source also can cause the digital content to be transmitted from the first security domain to the second security domain; and
  
  if the digital content source causes the digital content to be pre-positioned on the receiver device while the digital content remains in the first security domain;
  
  receiving and storing the digital content on the receiver device with transport security associated with the first security domain kept intact and with encryption associated with the first security domain kept intact;
  
  otherwise, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain;
  
  performing authorization for conditional access of transport stream from the first security domain;
  
  providing a session ID for authorizing both a program and associated digital rights management (DRM) rules received with the digital content in the first security domain, and authenticating each session request received from a particular device in the second security domain for usage of the digital content;
  
  selecting at least one rule from the DRM rules to be transmitted with the digital content;
  
  transmitting the at least one rule with the digital content from the first security domain to the second security domain;
  
  translating a first protection in the first security domain of the digital content and the at least one rule attached to the digital content to a second protection in the second security domain of the digital content and the at least one rule for secure delivery and locking the usage of the digital content to the particular device in the second security domain;
  
  continuously enforcing the at least one rule during usage of the digital content in the second security domain; and
  
  maintaining control over the usage of the digital content in the second security domain.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable medium of claim 8, wherein said first security domain is a transport domain.
  - 10. The computer-readable medium of claim 9, wherein said second security domain is a persistent security domain.
  - 11. The computer-readable medium of claim 8, wherein said translating is performed by a border guard in the receiver device, wherein the border guard further comprises a security device, further wherein the security device is an application specific integrated circuit (ASIC).
  - 12. The computer-readable medium of claim 11, wherein said border guard enforces said at least one rule associated with how an associated content of the digital content is moved between said first and second domains.
  - 13. The computer-readable medium of claim 12, wherein said at least one rule is specified by a source of said associated content.
  - 14. The computer-readable medium of claim 8, further comprising:
    - employing a portable renewable security card, where a border guard operates cooperatively with said portable renewable security card for enforcing said at least one rule for transition between said first and second security domains.

15. A receiver device comprising a security device, the security device in a standalone mode defining and enforcing rules of transitioning a digital content between two security domains having different security requirements, the security device comprising:
- means for establishing a first security domain for receiving, from a digital content source, a transport stream comprising digital content; and
  
  means for establishing a second security domain associated with devices for storage and usage of the digital content at a receiver device;
  
  wherein the digital content source can cause the digital content to be pre-positioned on the receiver device while the digital content remains in the first security domain, and the digital content source also can cause the digital content to be transmitted from the first security domain to the second security domain;
  
  the receiver device further comprising;
  
  means for receiving and storing, if the digital content source causes the digital content to be pre-positioned on the receiver device while the digital content remains in the first security domain, the digital content on the receiver device with transport security associated with the first security domain kept intact and with encryption associated with the first security domain kept intact; and
  
  the security device further comprising;
  
  means for performing, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain, authorization for conditional access of transport stream from the first security domain;
  
  means for providing, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain, a session ID for authorizing both a program and associated digital rights management (DRM) rules received with the digital content in the first security domain, and authenticating each session request received from a particular device in the second security domain for usage of the digital content;
  
  means for selecting, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain, at least one rule from the DRM rules to be transmitted with the digital content;
  
  means for transmitting, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain, the at least one rule with the digital content from the first security domain to the second security domain;
  
  means for translating, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain, a first protection in the first security domain of the digital content and the at least one rule attached to the digital content to a second protection in the second security domain of the digital content and the at least one rule for secure delivery and locking the usage of the digital content to the particular device in the second security domain;
  
  means for continuously enforcing, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain, the at least one rule during usage of the digital content in the second security domain; and
  
  means for maintaining control, if the digital content source causes the digital content to be transmitted from the first security domain to the second security domain, over the usage of the digital content in the second security domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google Technology Holdings LLC (Alphabet Inc.)
Original Assignee
General Instrument Corporation (CommScope Holding Company, Inc.)
Inventors
Okimoto, John I., Kimball, Bridget D., Chen, Annie O., Habrat, Michael T., Petty, Douglas M., Sprunk, Eric, Tang, Lawrence W.
Primary Examiner(s)
Laforgia, Christian
Assistant Examiner(s)
Baum, Ronald

Application Number

US11/027,206
Publication Number

US 20060150252A1
Time in Patent Office

2,658 Days
Field of Search

726/26
US Class Current

726/26
CPC Class Codes

G06F 21/10   Protecting distributed prog...

H04N 21/4147   PVR [Personal Video Recorde...

H04N 21/4405   involving video stream decr...

H04N 21/4408   involving video stream encr...

H04N 21/8355   involving usage data, e.g. ...

H04N 7/1675   Providing digital key or au...

Method and apparatus for providing a border guard between security domains

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing a border guard between security domains

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links