Downloadable security and protection methods and apparatus

US 8,520,850 B2
Filed: 10/20/2006
Issued: 08/27/2013
Est. Priority Date: 10/20/2006
Status: Active Grant

First Claim

Patent Images

1. Network apparatus disposed at a first location of a content delivery network and adapted for delivery of security information to a second location of said network, comprising:

a content provisioning apparatus;

a conditional access apparatus in communication with said provisioning apparatus; and

an authentication apparatus in communication with at least said conditional access apparatus;

wherein at least said authentication and conditional access apparatus are configured to cooperate to transmit to said second location both;

(i) at least one cryptographic key, and (ii) encrypted code modules, which are configured to when executed by a secure processor at said second location, provide at least protection of said content at a secure element disposed at said second location, said encrypted code comprising at least two portions, a first portion being common to a plurality of second locations, and a second portion being unique to said second location.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for control of data and content protection mechanisms across a network using a download delivery paradigm. In one embodiment, conditional access (CA), digital rights management (DRM), and trusted domain (TD) security policies are delivered, configured and enforced with respect to consumer premises equipment (CPE) within a cable television network. A trusted domain is established within the user'"'"'s premises within which content access, distribution, and reproduction can be controlled remotely by the network operator. The content may be distributed to secure or non-secure “output” domains consistent with the security policies enforced by secure CA, DRM, and TD clients running within the trusted domain. Legacy and retail CPE models are also supported. A network security architecture comprising an authentication proxy (AP), provisioning system (MPS), and conditional access system (CAS) is also disclosed, which can interface with a trusted authority (TA) for cryptographic element management and CPE/user device authentication.

175 Citations

26 Claims

1. Network apparatus disposed at a first location of a content delivery network and adapted for delivery of security information to a second location of said network, comprising:
- a content provisioning apparatus;
  
  a conditional access apparatus in communication with said provisioning apparatus; and
  
  an authentication apparatus in communication with at least said conditional access apparatus;
  
  wherein at least said authentication and conditional access apparatus are configured to cooperate to transmit to said second location both;
  
  (i) at least one cryptographic key, and (ii) encrypted code modules, which are configured to when executed by a secure processor at said second location, provide at least protection of said content at a secure element disposed at said second location, said encrypted code comprising at least two portions, a first portion being common to a plurality of second locations, and a second portion being unique to said second location.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The network apparatus of claim 1, wherein said first location comprises a cable system head-end, and said second location comprises a residence or business enterprise.
  - 3. The network apparatus of claim 2, wherein said apparatus is configured to deliver said at least one key and encrypted code via a DOCSIS-compliant cable modem.
  - 4. The network apparatus of claim 2, wherein said apparatus is configured to deliver said at least one key and encrypted code via an in-band downstream QAM.
  - 5. The network apparatus of claim 1, wherein said first location comprises a hub within a broadcast switched architecture (BSA) network.
  - 6. The network apparatus of claim 1, further comprising a personalization server (PS) apparatus in communication with said conditional access system, said PS being adapted to select said at least one cryptographic key and encrypted code based at least in part on a communication received from a client device disposed at said second location and comprising said secure element.
  - 7. The network apparatus of claim 6, further comprising an interface to a trusted authority (TA), said TA providing said at least one cryptographic key to said PS based at least in part on information contained in said communication from said client device to said network apparatus.
  - 8. The network apparatus of claim 7, further comprising a trusted authority proxy (TAP), said TAP in at least periodic communication with a remote trusted authority (TA), said TAP providing said at least one cryptographic key to said PS based at least in part on information contained in said communication from said client device to said network apparatus, and independent of communication with said TA.
  - 9. The network apparatus of claim 6, wherein said authentication apparatus comprises software configured to authenticate said secure element based at least in part on said communication received from said secure element, said authentication comprising a condition precedent for downloading of said at least one key and encrypted code.
  - 10. The network apparatus of claim 1, wherein said encrypted code comprises a secure client adapted to run on said secure element of said client device.
  - 11. The network apparatus of claim 10, wherein said network apparatus is further configured to transmit a bootloader program to run on said secure element to enable at least a portion of said transmitting of said cryptographic key and encrypted code.
  - 12. The network apparatus of claim 10, wherein said network apparatus is further configured to transmit second code to said client device, said second code comprising a conditional access (CA) client, said CA client adapted to run on said secure element to enforce at least one CA policy.

13. A method of delivering security information from a network apparatus disposed at a first location of a content delivery network to a second location of said network, comprising:
- providing content to an entity at said second location from a content delivery element of said network apparatus;
  
  transmitting at least one cryptographic key to said entity via a cooperation of an authentication apparatus and a conditional access apparatus of said network apparatus; and
  
  transmitting one or more encrypted code modules to said entity via a cooperation of said authentication apparatus and said conditional access apparatus of said network apparatus, said one or more encrypted code modules configured to, when executed by a secure processor of said entity, provide at least protection of said content at a secure element disposed at said entity;
  
  wherein said encrypted code modules each comprise at least two portions, a first portion being common to a plurality of second locations, and a second portion being unique to said second location.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The method of claim 13, wherein said act of providing content to said entity at said second location comprises providing said content to a client device disposed thereat and comprising said secure processor and said secure element.
  - 15. The method of claim 14, further comprising:
    - receiving at said network apparatus a communication from a client device; and
      
      based at least in part on said communication, selecting said at least one cryptographic key and said one or more encrypted code modules via a personalization server (PS) apparatus in communication with said conditional access apparatus of said network apparatus.
  - 16. The method of claim 15, further comprising receiving from a trusted authority (TA) said at least one cryptographic key, said at least one cryptographic key being received at said PS based at least in part on information contained in said communication from said client device.
  - 17. The method of claim 16, further comprising receiving from a trusted authority proxy (TAP) in at least periodic communication with a remote trusted authority (TA), said at least one cryptographic key, said at least one cryptographic key being received at said PS based at least in part on information contained in said communication from said client device, and independent of communication with said TA.
  - 18. The method of claim 15, further comprising using said authentication apparatus to authenticate said secure element based at least in part on said communication received from said client device, said authentication comprising a condition precedent for downloading of said at least one cryptographic key and said encrypted code modules.
  - 19. The method of claim 13, wherein said act of transmitting said one or more encrypted code modules to said entity comprises transmitting a secure client configured to run on said secure element of said client device.
  - 20. The method of claim 19, further comprising transmitting a bootloader program from said network apparatus to said client device, said boatloader program configured to run on said secure element to enable at least a portion of said transmission of said cryptographic key and encrypted code modules.
  - 21. The method of claim 19, further comprising transmitting a second code to said client device, said second code comprising a conditional access (CA) client, said CA client adapted to run on said secure element to enforce at least one CA policy.

22. A computer readable apparatus comprising a non-transitory medium configured to store a computer program thereon, said computer program, when executed, configured to:
- receive at a network apparatus a communication from a client device, said client device comprising at least a secure processor and a secure element;
  
  authenticate said secure element based at least in part on said communication; and
  
  conditional on said secure element being authenticated;
  
  deliver content to said client device;
  
  select at least one cryptographic key based at least in part on information in said communication;
  
  transmit said at least one cryptographic key to said client device;
  
  select one or more encrypted code modules based at least in part on information in said communication; and
  
  transmit said one or more encrypted code modules to said client device;
  
  wherein said one or more encrypted code modules are configured to, when executed by said secure processor of said client device, provide at least protection of said content at said secure element; and
  
  wherein said encrypted code modules each comprise at least two portions, a first portion being common to a plurality of second locations, and a second portion being unique to said second location.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The computer readable apparatus of claim 22, wherein said network apparatus comprises a headend entity of a content delivery network, and said client device is located at a residence or business enterprise within said content delivery network.
  - 24. The computer readable apparatus of claim 22, wherein said network apparatus is configured to transmit said at least one cryptographic key and said one or more encrypted code modules via a DOCSIS-compliant cable modem.
  - 25. The computer readable apparatus of claim 22, wherein said network apparatus is configured to transmit said at least one cryptographic key and said one or more encrypted code modules via an in-band downstream QAM.
  - 26. The computer readable apparatus of claim 22, wherein said network apparatus comprises a hub entity within a broadcast switched architecture (BSA) network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Time Warner Cable Enterprises LLC (Charter Communications Incorporated)
Original Assignee
Time Warner Cable Enterprises LLC (Charter Communications Incorporated)
Inventors
Helms, William L., Carlucci, John B., Schnitzer, Jason Kazmir
Primary Examiner(s)
Gelagay, Shewaye

Application Number

US11/584,208
Publication Number

US 20080098212A1
Time in Patent Office

2,503 Days
Field of Search

None
US Class Current

380/239
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

G06F 8/63   Image based installation; C...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/60   Digital content management,...

H04L 2209/605   Copy protection

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/80   Wireless network architectu...

H04L 2463/101   applying security measures ...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/123   received data contents, e.g...

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04N 21/2347   involving video stream encr...

H04N 21/2351   involving encryption of add...

H04N 21/2541   Rights Management protectin...

H04N 21/2543   Billing , e.g. for subscrip...

H04N 21/25816 : involving client authentica...

H04N 21/26606 : for generating or managing ...

H04N 21/26613 : for generating or managing ...

H04N 21/4353 : involving decryption of add...

H04N 21/4363 : Adapting the video stream t...

H04N 21/4405 : involving video stream decr...

H04N 21/4623 : Processing of entitlement m...

H04N 21/4627 : Rights management associate...

H04N 21/478 : Supplemental services, e.g....

H04N 21/6118 : involving cable transmissio...

H04N 21/63345 : by transmitting keys key di...

H04N 21/8166 : involving executable data, ...

H04N 21/8193 : dedicated tools, e.g. video...

H04N 7/167 : Systems rendering the telev...

H04N 7/1675 : Providing digital key or au...

View All

Downloadable security and protection methods and apparatus

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

175 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Downloadable security and protection methods and apparatus

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

175 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links