Downloadable security and protection methods and apparatus

US 10,362,018 B2
Filed: 03/19/2018
Issued: 07/23/2019
Est. Priority Date: 10/20/2006
Status: Active Grant

First Claim

Patent Images

1. A computerized method of operating a security management architecture within a content delivery network, the computerized method comprising:

identifying a plurality of computerized client devices in data communication with the content delivery network;

receiving data representative of a request for a service from a subscriber associated with at least one of the plurality of computerized client devices; and

configuring the at least one of the plurality of computerized client devices based at least in part on the request, the configuring comprising;

generating personalization data specific to the at least one computerized client device;

transmitting the personalization data to the at least one computerized client device, wherein the transmitting of the personalization data comprises transmitting a message having a common image encryption key, the message being specifically encrypted for the at least one computerized client device, and wherein the common image encryption key enables the at least one computerized client device to decrypt a common software image, the common software image being applicable to all of the plurality of computerized client devices based on a shared hardware and software configuration of respective processor apparatus of the plurality of computerized client devices; and

establishing at least one security permission or policy within a secure element of the at least one computerized client device, the at least one security permission or policy enabling provision of the requested service to the at least one client device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for control of data and content protection mechanisms across a network using a download delivery paradigm. In one embodiment, conditional access (CA), digital rights management (DRM), and trusted domain (TD) security policies are delivered, configured and enforced with respect to consumer premises equipment (CPE) within a cable television network. A trusted domain is established within the user'"'"'s premises within which content access, distribution, and reproduction can be controlled remotely by the network operator. The content may be distributed to secure or non-secure “output” domains consistent with the security policies enforced by secure CA, DRM, and TD clients running within the trusted domain. Legacy and retail CPE models are also supported. A network security architecture comprising an authentication proxy (AP), provisioning system (MPS), and conditional access system (CAS) is also disclosed, which can interface with a trusted authority (TA) for cryptographic element management and CPE/user device authentication.

446 Citations

20 Claims

1. A computerized method of operating a security management architecture within a content delivery network, the computerized method comprising:
- identifying a plurality of computerized client devices in data communication with the content delivery network;
  
  receiving data representative of a request for a service from a subscriber associated with at least one of the plurality of computerized client devices; and
  
  configuring the at least one of the plurality of computerized client devices based at least in part on the request, the configuring comprising;
  
  generating personalization data specific to the at least one computerized client device;
  
  transmitting the personalization data to the at least one computerized client device, wherein the transmitting of the personalization data comprises transmitting a message having a common image encryption key, the message being specifically encrypted for the at least one computerized client device, and wherein the common image encryption key enables the at least one computerized client device to decrypt a common software image, the common software image being applicable to all of the plurality of computerized client devices based on a shared hardware and software configuration of respective processor apparatus of the plurality of computerized client devices; and
  
  establishing at least one security permission or policy within a secure element of the at least one computerized client device, the at least one security permission or policy enabling provision of the requested service to the at least one client device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computerized method of claim 1, wherein the receiving the data representative of the request for the service comprises receiving data representative of a service request for a feature offered within only selected levels of a network operator service subscription plan.
  - 3. The computerized method of claim 1, wherein the receiving the data representative of the request for the service comprises receiving data representative of a service request for download and distribution of protected digitally rendered content to a second computerized device in data communication with the at least one computerized client device.
  - 4. The computerized method of claim 3, further comprising distributing, based at least on the service request, the protected digitally rendered content to the second computerized device, the distributing comprising delivering encrypted digitally rendered video content to the second computerized device via a high-speed serialized bus protocol interface.
  - 5. The computerized method of claim 3, further comprising distributing, based at least on the service request, the protected digitally rendered content to the second computerized device, the distributing comprising delivering encrypted digitally rendered video content to the second computerized device via a Wi-Fi (IEEE-802.11) interface.
  - 6. The computerized method of claim 1, wherein the generating of the personalization data comprises generating an encrypted software image and cryptographic key that is unique to the secure element of the at least one computerized client device.

7. Computerized network apparatus for use in providing secure digitally rendered content and software downloads to a plurality of computerized client devices within a content delivery network, the computerized network apparatus comprising:
- secure download infrastructure adapted for data communication with a computerized trusted authority (TA);
  
  a media provisioning system in data communication with the secure download infrastructure;
  
  a billing system in data communication with the media provisioning system;
  
  a media security system in data communication with the media provisioning system; and
  
  a media services system in data communication with the media provisioning system;
  
  wherein;
  
  the media provisioning system and the media security system determine and cause application of data relating to entitlements for at least one of the plurality of computerized client devices in order to authorize provision of a least one cryptographic element and at least one secure client device software image to the at least one of the plurality of computerized client devices;
  
  the secure download infrastructure and the TA are configured to cooperate to provide the at least one cryptographic element and the at least one secure client device software image for delivery by the secure download infrastructure to the at least one of the plurality of computerized client devices based at least upon said authorization thereof;
  
  the provision of the at least one secure client device software image comprises provision of a device-specific software image within an encrypted data structure; and
  
  decryption of the encrypted data structure is required by the at least one of the plurality of computerized client devices to load a common software image.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 20)
- - 8. The computerized network apparatus of claim 7, wherein the common software image is applicable to all of the plurality of computerized client devices having a common configuration and disposed within the content delivery network, and the device-specific software image is specific to only the at least one of the plurality of computerized client devices.
  - 9. The computerized network apparatus of claim 8, wherein:
    - the common software image comprises a software image that is provided to all of the plurality of computerized client devices associated with a first service level, the first service level indicative of one or more functions enabled at the plurality of computerized client devices associated with the first service level; and
      
      the device-specific software image is provided only to the at least one of the plurality of computerized client devices, the device-specific software image comprising a software image based on the at least one of the plurality of computerized client devices being associated with a second service level, the second service level indicating one or more additional functions relative to the first service level.
  - 10. The computerized network apparatus of claim 7, wherein the computerized network apparatus is adapted to communicate over the network with at least one respective secure element disposed on the at least one of the plurality of computerized client devices, the device-specific software image being configured to run within at least one respective software environment of the at least one secure element in order to enforce one or more security policies within a domain associated with the at least one of the plurality of computerized client devices.
  - 11. The computerized network apparatus of claim 10, wherein:
    - the at least one respective secure element comprises a secure microprocessor (SM) of the at least one of the plurality of computerized client devices;
      
      the computerized network apparatus further comprises a computerized server configured to establish a security envelope around the SM of the at least one of the plurality of computerized client devices, the security envelope configured to protect both digitally rendered content and the at least one secure client device software image processed via the SM.
  - 12. The computerized network apparatus of claim 11, wherein the security envelope is established based at least on receipt of data representative of a request from at least one of the at least one of the plurality of computerized client devices to download the digitally rendered content.
  - 13. The computerized network apparatus of claim 7, wherein the at least one cryptographic element comprises a public key, the public key corresponding to a private key retained within the at least one of the plurality of computerized client devices, the private key configured to decrypt the encrypted data structure.
  - 20. The computerized network apparatus of claim 7, wherein execution of the common software image comprises execution of a separate graphical user interface (GUI) from at least one respective computer program applications of the at least one of the plurality of computerized client devices.

14. A computerized method delivering secure software over a network to a computerized client device, the computerized method comprising:
- providing, via a first network entity, credentials along with a public key for the computerized client device to a second network entity;
  
  receiving a device-specific software image to the first network entity from the second network entity, the device-specific software image being specific to only the computerized client device, the device-specific software image encrypted for the computerized client device based at least in part on the public key;
  
  receiving a common software image from the second network entity, the common image comprising an image applicable to all of a plurality of computerized client devices having a common configuration and disposed within the network, the plurality of computerized client devices comprising the computerized client device; and
  
  transmitting, via the first network entity, the encrypted client device-specific software image and the common software image;
  
  wherein a private key corresponding to the public key is required by the computerized client device to decrypt the encrypted client device-specific software image, and decryption of the encrypted client device-specific software image is required to decrypt the common software image.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computerized method of claim 14, wherein the providing, via the first network entity, the credentials along with the public key for the computerized client device to the second network entity comprises providing, via a computerized authentication proxy apparatus, the credentials along with the public key for the computerized client device to a personalization server apparatus.
  - 16. The computerized method of claim 14, wherein the encryption of the device-specific software image comprises using at least a portion of the personalization server apparatus to personalize the device-specific software image according to an account associated with a user of the computerized client device, the account identifying a service level indicating one or more capabilities, the personalized device-specific software image configured to support the one or more capabilities.
  - 17. The computerized method of claim 16, wherein the encryption of the personalized device-specific software image comprises using at least a portion of the computerized authentication proxy apparatus to verify the account.
  - 18. The computerized method of claim 14, wherein the transmitting comprises transmitting the encrypted device-specific image and the common image within an encrypted message attachment.
  - 19. The computerized method of claim 14, further comprising causing the first network entity to notify the second network entity of a status of the delivery of at least the device-specific software image.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Time Warner Cable Enterprises LLC (Charter Communications Incorporated)
Original Assignee
Time Warner Cable Enterprises LLC (Charter Communications Incorporated)
Inventors
Helms, William L., Carlucci, John B., Schnitzer, Jason Kazmir
Primary Examiner(s)
Pwu, Jeffrey C
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US15/925,554
Publication Number

US 20180278597A1
Time in Patent Office

491 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

G06F 8/63   Image based installation; C...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/60   Digital content management,...

H04L 2209/605   Copy protection

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/80   Wireless network architectu...

H04L 2463/101   applying security measures ...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/123   received data contents, e.g...

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04N 21/2347   involving video stream encr...

H04N 21/2351   involving encryption of add...

H04N 21/2541   Rights Management protectin...

H04N 21/2543   Billing , e.g. for subscrip...

H04N 21/25816 : involving client authentica...

H04N 21/26606 : for generating or managing ...

H04N 21/26613 : for generating or managing ...

H04N 21/4353 : involving decryption of add...

H04N 21/4363 : Adapting the video stream t...

H04N 21/4405 : involving video stream decr...

H04N 21/4623 : Processing of entitlement m...

H04N 21/4627 : Rights management associate...

H04N 21/478 : Supplemental services, e.g....

H04N 21/6118 : involving cable transmissio...

H04N 21/63345 : by transmitting keys key di...

H04N 21/8166 : involving executable data, ...

H04N 21/8193 : dedicated tools, e.g. video...

H04N 7/167 : Systems rendering the telev...

H04N 7/1675 : Providing digital key or au...

View All

Downloadable security and protection methods and apparatus

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

446 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Downloadable security and protection methods and apparatus

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

446 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links