Downloadable security and protection methods and apparatus
Abstract
Methods and apparatus for control of data and content protection mechanisms across a network using a download delivery paradigm. In one embodiment, conditional access (CA), digital rights management (DRM), and trusted domain (TD) security policies are delivered, configured and enforced with respect to consumer premises equipment (CPE) within a cable television network. A trusted domain is established within the user's premises within which content access, distribution, and reproduction can be controlled remotely by the network operator. The content may be distributed to secure or non-secure “output” domains consistent with the security policies enforced by secure CA, DRM, and TD clients running within the trusted domain. Legacy and retail CPE models are also supported. A network security architecture comprising an authentication proxy (AP), provisioning system (MPS), and conditional access system (CAS) is also disclosed, which can interface with a trusted authority (TA) for cryptographic element management and CPE/user device authentication.
26 Claims
1. Network apparatus disposed at a first location of a content delivery network and adapted for delivery of security information to a second location of said network, comprising:
- a content provisioning apparatus;
- a conditional access apparatus in communication with said provisioning apparatus; and
- an authentication apparatus in communication with at least said conditional access apparatus;
- wherein at least said authentication and conditional access apparatus are configured to cooperate to transmit to said second location both;
  (i) at least one cryptographic key, and (ii) encrypted code modules, which are configured to when executed by a secure processor at said second location, provide at least protection of said content at a secure element disposed at said second location, said encrypted code comprising at least two portions, a first portion being common to a plurality of second locations, and a second portion being unique to said second location.
13. A method of delivering security information from a network apparatus disposed at a first location of a content delivery network to a second location of said network, comprising:
- providing content to an entity at said second location from a content delivery element of said network apparatus;
- transmitting at least one cryptographic key to said entity via a cooperation of an authentication apparatus and a conditional access apparatus of said network apparatus; and
- transmitting one or more encrypted code modules to said entity via a cooperation of said authentication apparatus and said conditional access apparatus of said network apparatus, said one or more encrypted code modules configured to, when executed by a secure processor of said entity, provide at least protection of said content at a secure element disposed at said entity;
- wherein said encrypted code modules each comprise at least two portions, a first portion being common to a plurality of second locations, and a second portion being unique to said second location.
22. A computer readable apparatus comprising a non-transitory medium configured to store a computer program thereon, said computer program, when executed, configured to:
- receive at a network apparatus a communication from a client device, said client device comprising at least a secure processor and a secure element;
- authenticate said secure element based at least in part on said communication; and
- conditional on said secure element being authenticated;
- deliver content to said client device;
- select at least one cryptographic key based at least in part on information in said communication;
- transmit said at least one cryptographic key to said client device;
- select one or more encrypted code modules based at least in part on information in said communication; and
- transmit said one or more encrypted code modules to said client device;
- wherein said one or more encrypted code modules are configured to, when executed by said secure processor of said client device, provide at least protection of said content at said secure element; and
- wherein said encrypted code modules each comprise at least two portions, a first portion being common to a plurality of second locations, and a second portion being unique to said second location.
Specification