Key distribution system

US 8,396,222 B2
Filed: 03/03/2009
Issued: 03/12/2013
Est. Priority Date: 03/10/2008
Status: Expired due to Fees

First Claim

Patent Images

1. A key distribution system for controlling access to content by a plurality of rendering devices, comprising computer processing machinery including:

an epoch processing machinery to provide a plurality of epochs, each of the epochs including a plurality of service key periods;

a service key processing machinery to provide a plurality of service keys so that, for each one of the epochs, a batch of the service keys is provided for employment in decryption of the content for a plurality of services across the service key periods of the one epoch such that a different one of the service keys in the batch is valid for each different combination of the services and the service key periods;

a group processing machinery to provide a plurality of group keys for each of the epochs such that;

for each of the epochs, each of the rendering devices is assigned one of the group keys such that more than one of the rendering devices may be assigned a same one of the group keys;

for each of the epochs, the assignment of the group keys groups together the rendering devices having the same one group key, thereby defining a plurality of groups;

each of the service keys is valid across all the groups; and

in different ones of the epochs, the rendering devices are grouped differently thereby facilitating traitor tracing;

a period master key processing machinery to provide for each one of the service key periods in the one epoch a different period master key;

an encryption processing machinery to encrypt, for each of the epochs, each of the service keys, in the batch of the service keys with each of the group keys, such that each of the service keys is individually encrypted with a different one of the group keys yielding a plurality of group-key-encrypted service keys from each of the service keys the encryption processing machinery being configured to further encrypt each one of the group-key-encrypted service keys using the period master key of the one service key period; and

a delivery processing machinery to;

(a) distribute to the rendering devices for each one of the epochs, the group-key-encrypted service keys for the batch of the service keys and the group keys of the one epoch; and

(b) for each one of the service key periods, distribute the period master key for the one service key period to the rendering devices during the service key period immediately prior to the one service key period.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A key distribution system for controlling access to content by rendering devices, comprising an epoch module to provide epochs, each epoch including service key periods, a service key module to provide a batch of service keys, a group module to provide group keys for each epoch such that each rendering device is assigned a group key grouping together the devices having the same group key, thereby defining groups, in different epochs the devices are grouped differently, an encryption module to encrypt, for each epoch, each service key in the batch of service keys, individually with each group key yielding a plurality of group-key-encrypted service keys from each service key, and a delivery module to distribute to the devices, for each one of the epochs, the group-key-encrypted service keys for the batch of service keys and the group keys of the one epoch. Related apparatus and methods are also described.

Citations

21 Claims

1. A key distribution system for controlling access to content by a plurality of rendering devices, comprising computer processing machinery including:
- an epoch processing machinery to provide a plurality of epochs, each of the epochs including a plurality of service key periods;
  
  a service key processing machinery to provide a plurality of service keys so that, for each one of the epochs, a batch of the service keys is provided for employment in decryption of the content for a plurality of services across the service key periods of the one epoch such that a different one of the service keys in the batch is valid for each different combination of the services and the service key periods;
  
  a group processing machinery to provide a plurality of group keys for each of the epochs such that;
  
  for each of the epochs, each of the rendering devices is assigned one of the group keys such that more than one of the rendering devices may be assigned a same one of the group keys;
  
  for each of the epochs, the assignment of the group keys groups together the rendering devices having the same one group key, thereby defining a plurality of groups;
  
  each of the service keys is valid across all the groups; and
  
  in different ones of the epochs, the rendering devices are grouped differently thereby facilitating traitor tracing;
  
  a period master key processing machinery to provide for each one of the service key periods in the one epoch a different period master key;
  
  an encryption processing machinery to encrypt, for each of the epochs, each of the service keys, in the batch of the service keys with each of the group keys, such that each of the service keys is individually encrypted with a different one of the group keys yielding a plurality of group-key-encrypted service keys from each of the service keys the encryption processing machinery being configured to further encrypt each one of the group-key-encrypted service keys using the period master key of the one service key period; and
  
  a delivery processing machinery to;
  
  (a) distribute to the rendering devices for each one of the epochs, the group-key-encrypted service keys for the batch of the service keys and the group keys of the one epoch; and
  
  (b) for each one of the service key periods, distribute the period master key for the one service key period to the rendering devices during the service key period immediately prior to the one service key period.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The system according to claim 1, wherein the delivery processing machinery is configured to distribute, for each one of the groups, the batch of the service keys of the one epoch to the rendering devices of the one group in at least one key package.
  - 3. The system according to claim 2, wherein the delivery processing machinery is configured to include at least one additional service key of an epoch after the one epoch in the at least one key package so as to provide a grace period for content access after the end of the one epoch.
  - 4. The system according to claim 2, wherein the delivery processing machinery is configured to distribute, for each one of the groups, the group keys of the one epoch to the rendering devices of the one group in the at least one key package.
  - 5. The system according to claim 2, wherein the epoch processing machinery is configured to provide, for each one of the epochs, an epoch key, the encryption processing machinery being configured to encrypt, for each one of the groups, the at least one key package of the one group using the epoch key of the one epoch.
  - 6. The system according to claim 2, wherein the delivery processing machinery is configured to include an identification in the at least one key package of the one group, the identification identifying the at least one key package of the one group as being associated with the one group.
  - 7. The system according to claim 1, wherein the group processing machinery is configured to assign the group keys to the rendering devices randomly/pseudo-randomly.
  - 8. The system according to claim 1, wherein:
    - the rendering devices are configured to determine to which of the groups the rendering devices belong by employing a function having parameters; and
      
      the delivery processing machinery is configured to distribute the function or the parameters to the rendering devices.
  - 9. The system according to claim 8, wherein the function includes a hash function.
  - 10. The system according to claim 8, wherein the function is function of at least one of the following:
    - a user key and a device ID.
  - 11. The system according to claim 1, further comprising a traitor identifier to identify a traitor device of the rendering devices based on the traitor device distributing, at least one of the group-key-encrypted service keys or at least one of the group keys.
  - 12. The system according to claim 1, wherein the period master key processing machinery is configured to provide the period master key for each one of the service key periods such that the period master key for the one service key period is the same across all of the groups and across all of the services.
  - 13. The system according to claim 1, wherein:
    - each of the rendering devices is associated with a different user key;
      
      the user key of each of the rendering devices is associated with one of the group keys;
      
      the encryption processing machinery is configured to encrypt, for each one of the rendering devices, the one group key of the one rendering device using the user key of the one rendering device, yielding a user-key-encrypted group key for each of the rendering devices; and
      
      the delivery processing machinery is configured to distribute to the rendering devices the user-key-encrypted group key of each of the rendering devices.
  - 14. The system according to claim 13, wherein:
    - each of the rendering devices has a unique identification; and
      
      the delivery processing machinery is configured to distribute at least some of the user-key-encrypted group keys with the unique identification identifying the rendering devices associated with the at least some user-key-encrypted group keys.
  - 15. The system according to claim 13, wherein:
    - at least some of the user-key-encrypted group keys are associated with at least some of the rendering devices; and
      
      the delivery processing machinery is configured to distribute the at least some user-key-encrypted group keys without identifying the at least some rendering devices of the at least some user-key-encrypted group keys such that the at least some rendering devices need to identify which one of the at least some user-key-encrypted group keys is associated with which one of the at least some rendering devices by trial and error decryption of the at least some user-key-encrypted group keys.
  - 16. The system according to claim 15, wherein the delivery processing machinery is configured to distribute verification data to the at least some rendering devices, so that the at least some rendering devices check a result of the trial and error decryption against the verification data.
  - 17. The system according to claim 1, wherein:
    - the group processing machinery is configured to create a plurality of supergroups, one of the supergroups including the plurality of groups for the rendering devices, another one of the supergroups including a plurality of other groups for a plurality of other rendering devices;
      
      the group processing machinery is configured to provide a plurality of other group keys for each of the epochs thereby defining the other groups, in different ones of the epochs the other rendering devices are grouped differently;
      
      the encryption processing machinery is configured to encrypt, for each of the epochs, each of the service keys in the batch of the service keys with each of the other group keys, such that each one of the service keys is individually encrypted with a different one of the other group keys yielding a plurality of other-group-key-encrypted service keys from each one of the service keys; and
      
      the delivery processing machinery is configured to distribute the other-group-key-encrypted service keys for the batch of the service keys and the other group keys of the one epoch to the other rendering devices according to a first delivery schedule.
  - 18. The system according to claim 17, wherein:
    - the delivery processing machinery is configured to distribute the group-key-encrypted service keys for the batch of the service keys and the group keys of the one epoch to the rendering devices according to a second delivery schedule; and
      
      the first delivery schedule is different from the second delivery schedule.
  - 19. The system according to claim 18, wherein the first delivery schedule has a higher delivery, frequency than the second delivery schedule.
  - 20. The system according to claim 1, wherein:
    - the group processing machinery is configured to create a plurality of supergroups, one of the supergroups including the plurality of groups for the rendering devices, another one of the supergroups including a plurality of other groups for a plurality of other rendering devices;
      
      the epoch processing machinery is configured to provide a plurality of other epochs, each of the other epochs including a number of the service key periods, the epochs commencing according to a plurality of first start dates, the other epochs commencing according to a plurality of second start dates, the first start dates being different from the second start dates;
      
      the service key processing machinery is configured to provide, for each of the other epochs, another batch of the service keys;
      
      the group processing machinery is configured to provide a plurality of other group keys for each of the other epochs thereby defining the other groups, in different ones of the other epochs the other rendering devices are grouped differently;
      
      the encryption processing machinery is configured to encrypt, for each of the other epochs, each of the service keys in the other batch of the service keys with each of the other group keys, such that each of the service keys of the other batch is individually encrypted with a different one of the other group keys yielding a plurality of other-group-key-encrypted service keys from each one of the service keys of the other batch; and
      
      the delivery processing machinery is configured to distribute, for each one of the other epochs, the other-group-key-encrypted service keys for the other batch of the service keys and the other group keys of the one epoch to the other rendering devices.

21. A key distribution method for controlling access to content by a plurality of rendering devices by a server, the server performing acts comprising:
- providing a plurality of epochs, each of the epochs including a plurality of service key periods;
  
  providing a plurality of service keys so that, for each one of the epochs, a batch of the service keys is provided for employment in decryption of the content for a plurality of services across the service key periods of the one epoch such that a different one of the service keys in the batch is valid for each different combination of the services and the service key periods;
  
  providing a plurality of group keys for each of the epochs such that;
  
  for each of the epochs, each of the rendering devices is assigned one of the group keys such that more than one of the rendering devices may be assigned a same one of the group keys;
  
  for each of the epochs, the assignment of the group keys groups together the rendering devices having the same one group key, thereby defining a plurality of groups;
  
  each of the service keys is valid across all the groups; and
  
  in different ones of the epochs, the rendering devices are grouped differently thereby facilitating traitor tracing;
  
  providing for each one of the service key periods in the one epoch a different period master key;
  
  encrypting, for each of the epochs, each of the service keys, in the batch of the service keys with each of the group keys, such that each of the service keys is individually encrypted with a different one of the group keys yielding a plurality of group-key-encrypted service keys from each of the service keys;
  
  encrypting each one of the group-key-encrypted service keys using the period master key of the one service key period;
  
  distributing to the rendering devices, for each one of the epochs, the group-key-encrypted service keys for the batch of the service keys and the group keys of the one epoch; and
  
  for each one of the service key periods, distributing the period master key for the one service key period to the rendering devices during the service key period immediately prior to the one service key period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
NDS Limited (Cisco Systems, Inc.)
Inventors
Solow, Hillel, Waisbard, Erez
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
BECHTEL, KEVIN M

Application Number

US12/735,207
Publication Number

US 20100296655A1
Time in Patent Office

1,470 Days
Field of Search

380200-201, 380/255, 380277-281, 380 44- 45, 713/150, 726/26, 726/32
US Class Current

380/279
CPC Class Codes

G06F 21/1012   to domains

G06F 21/1015   to users

G06F 2221/2151   Time stamp

H04L 2209/60   Digital content management,...

H04L 2463/062   applying encryption of the ...

H04L 63/062   for key distribution, e.g. ...

H04L 9/0822   using key encryption key

H04L 9/0833   involving conference or gro...

H04L 9/088   Usage controlling of secret...

H04N 21/26606   for generating or managing ...

H04N 21/4623   Processing of entitlement m...

H04N 21/8355   involving usage data, e.g. ...

H04N 7/1675   Providing digital key or au...

Key distribution system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Key distribution system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links