System for digital rights management using distributed provisioning and authentication
First Claim
1. A method for providing access rights to content in a secure digital content distribution system, the system including a provisioning service for allocating rights to a human user to a Digital Rights Management (DRM) client application, including an entitlement service for assigning authorization data for digital content to the DRM client application and an authentication service for verifying the identity of the DRM client application, the method comprising:
operating a ticket granting service at a first administrative domain, the first administrative domain controlling access to content delivery servers;
operating a first authentication service at a second administrative domain, the second administrative domain controlling access, for the DRM client application associated with a first set of human users, to second administrative domain content, wherein the first administrative domain is different from the second administrative domain;
operating a second authentication service at a third administrative domain, the third administrative domain controlling access, for a second set of human users, to third administrative domain content, wherein the second set of users are different from the first set of users, wherein each of the administrative domains shares an inter-realm key with the ticket granting service and each of the authentication services issues a ticket granting ticket which enables the DRM client application to request service tickets from the ticket granting service; and
granting the service ticket to the DRM client application from the ticket granting service, the service ticket containing authentication data which enables the DRM client application to access second administrative domain content via one of the content delivery servers, and third administrative domain content via one of the content delivery servers.
Abstract
A digital rights management system (DRM) for restricting and permitting content access in a digital content distribution network such as a network used to deliver television programming. The DRM uses distributed authentication and provisioning so that the potentially many different entities involved in the content distribution network can have localized management and control. Distributed authentication can use single or multiple instances of authentication services. A ticket granting service (TGS) is used to allow clients to request services. In one approach, multiple authentication services use a common key that is known to the TGS. In another approach, unique keys are provided to each authentication service and these keys are communicated to the TGS. Distributed provisioning allows different entities to grant access rights or other resources. Provisioning service (PS) processes can execute at multiple different physical locations. Synchronization among the different PSs is provided by a managing entity or in a peer-to-peer transfer to help ensure the uniqueness of user IDs. New clients can make an initialization request from a key management system via an appropriate protocol. The requests can be made from a single, dedicated authentication service, from an authentication service associated with a specific provisioning service, or from multiple authentication services in the network.
17 Claims
3. A secure digital content distribution system comprising:
a first plurality of entities for providing authentication services, the plurality of entities being located at different administrative domains at different locations from each other and controlling access to content at their respective administrative domain;
a second plurality of entities for providing provisioning services based on information provided by one or more of the plurality of entities for providing authentication services;
wherein each of the administrative domains shares an inter-realm key with a ticket granting service and each of the authentication services is configured to grant a ticket granting ticket to a client which enables it to request service tickets from the ticket granting service;
the ticket granting service which is configured to grant the service ticket to the client, the service ticket containing authentication data which enables the client to access content at each of the administrative domains via each authentication service; and
a session rights service which is configured to construct a session rights object (SRO), wherein the SRO includes at least one purchase option selected by the client, the client being a Digital Rights Management (DRM) client application associated with a user.
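As an added illustration (not code from the patent or from any assignee's implementation), a Python model of the ticket flow in claims 1 and 3: authentication services in two administrative domains each issue a ticket granting ticket under the inter-realm key they share with the ticket granting service, and the TGS turns a verified TGT into a service ticket the content delivery servers accept. The realm names, keys, HMAC-SHA256 ticket sealing and JSON ticket layout are assumptions of this example.

```python
import hashlib, hmac, json, os, time

def seal(key, payload):
    """Bind a ticket body to `key` with HMAC-SHA256 (stand-in for symmetric ticket encryption)."""
    body = json.dumps(payload, sort_keys=True)
    return body, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def open_ticket(key, ticket):
    """Return the ticket's claims if its tag verifies under `key` and it is unexpired."""
    body, tag = ticket
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                               # forged, or sealed under another realm's key
    claims = json.loads(body)
    return claims if claims["expires"] > time.time() else None

class AuthenticationService:
    """One per administrative domain; holds that domain's users and its inter-realm key."""
    def __init__(self, realm, inter_realm_key, users):
        self.realm, self.key, self.users = realm, inter_realm_key, set(users)
    def issue_tgt(self, client_id, user):
        if user not in self.users:                # user is provisioned in a different domain
            return None
        return seal(self.key, {"typ": "TGT", "realm": self.realm, "client": client_id,
                               "user": user, "expires": time.time() + 600})

class TicketGrantingService:
    """Runs in the first domain, which fronts the content delivery servers (CDS)."""
    def __init__(self, inter_realm_keys, cds_key):
        self.inter_realm_keys, self.cds_key = inter_realm_keys, cds_key
    def grant_service_ticket(self, tgt, content_realm):
        # Realm name rides in the clear only to select the inter-realm key; nothing is trusted until the tag verifies.
        key = self.inter_realm_keys.get(json.loads(tgt[0]).get("realm")) if tgt else None
        claims = open_ticket(key, tgt) if key else None
        if claims is None or claims["typ"] != "TGT" or content_realm not in self.inter_realm_keys:
            return None
        return seal(self.cds_key, {"typ": "ST", "client": claims["client"], "home": claims["realm"],
                                   "content_realm": content_realm, "expires": time.time() + 300})

def cds_authorize(cds_key, service_ticket, requested_realm):
    """Content delivery server check: a valid ST naming the realm whose content is requested."""
    claims = open_ticket(cds_key, service_ticket)
    return bool(claims) and claims["typ"] == "ST" and claims["content_realm"] == requested_realm

def build_system():
    """Constructed demo topology: TGS in domain A, authentication services in domains B and C."""
    keys, cds_key = {"realm-B": os.urandom(32), "realm-C": os.urandom(32)}, os.urandom(32)
    as_b = AuthenticationService("realm-B", keys["realm-B"], {"alice"})
    as_c = AuthenticationService("realm-C", keys["realm-C"], {"bob"})
    return TicketGrantingService(keys, cds_key), as_b, as_c, cds_key
```

A TGT relabelled to another realm fails because the TGS then checks it under that realm's inter-realm key, and a TGT presented straight to a content delivery server is rejected because it was never sealed under the CDS key.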