Apparatus and method for enabling secure content decryption within a set-top box

US 7,328,455 B2
Filed: 06/28/2001
Issued: 02/05/2008
Est. Priority Date: 06/28/2001
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

performing security authentication of a content driver by a content decryption component in order to verify an identity of the content driver as a secure content driver, wherein the content driver and the content decryption component are located within a kernel application space, wherein the kernel application space is modified for registering the secure content driver with the content decryption component in order for the secure content driver to receive security identity authentication, wherein the content decryption component is tamper-resistant;

receiving an encrypted content stream from the secure content driver;

performing integrity authentication of a run-time image of the secure content driver; and

while integrity authentication of the secure content driver is verified, streaming decrypted content to the secure content driver to enable playback of the decrypted content to a user,wherein performing integrity authentication further comprises;

decrypting the encrypted content stream received from the secure content driver;

while decrypting the received encrypted content stream, performing a hash value calculation of code segments that perform functionality of the secure content driver while loaded in memory;

selecting a stored digital signature of the run-time image of the secure content driver;

decrypting the digital signature to reveal a run-time hash value;

comparing the computed hash value with the run-time hash value of the secure content driver; and

while the calculated hash value matches the run-time hash value of the secure content driver, repeating the decryption, the performing, the selecting and the comparing until decryption of the received encrypted content stream is complete.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method for enabling secure content decryption within a set-top box are described. The method includes performance of security authentication of a content driver by a content decryption component. Security authentication is performed in order to verify an identity of the content driver as a secure content driver. Next, the content decryption component receives an encrypted content stream from the secure content driver. Once received, the content decryption component performs integrity authentication of a run-time image of the secure content driver. Finally, while integrity authentication of the secure content driver is verified, the content decryption component streams decrypted content to the secure content driver to enable playback of the decrypted content to a user.

221 Citations

27 Claims

1. A method comprising:
- performing security authentication of a content driver by a content decryption component in order to verify an identity of the content driver as a secure content driver, wherein the content driver and the content decryption component are located within a kernel application space, wherein the kernel application space is modified for registering the secure content driver with the content decryption component in order for the secure content driver to receive security identity authentication, wherein the content decryption component is tamper-resistant;
  
  receiving an encrypted content stream from the secure content driver;
  
  performing integrity authentication of a run-time image of the secure content driver; and
  
  while integrity authentication of the secure content driver is verified, streaming decrypted content to the secure content driver to enable playback of the decrypted content to a user,wherein performing integrity authentication further comprises;
  
  decrypting the encrypted content stream received from the secure content driver;
  
  while decrypting the received encrypted content stream, performing a hash value calculation of code segments that perform functionality of the secure content driver while loaded in memory;
  
  selecting a stored digital signature of the run-time image of the secure content driver;
  
  decrypting the digital signature to reveal a run-time hash value;
  
  comparing the computed hash value with the run-time hash value of the secure content driver; and
  
  while the calculated hash value matches the run-time hash value of the secure content driver, repeating the decryption, the performing, the selecting and the comparing until decryption of the received encrypted content stream is complete.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein performing security authentication further comprises:
    - locating authorization information of the secure content driver;
      
      decrypting the authorization information received from the secure content driver; and
      
      authenticating an identity of the secure content driver based on the decrypted authorization information.
  - 3. The method of claim 2, wherein authenticating the identity further comprises:
    - calculating a hash value of a static image of the secure content driver prior to loading the secure content driver into memory;
      
      selecting a stored digital signature of the static image;
      
      decrypting the stored digital signature to retrieve a pre-calculated hash value of the secure content driver;
      
      comparing the pre-calculated hash value with the calculated hash value; and
      
      when the calculated hash value matches the pre-calculated hash value of the secure content driver, notifying the secure content driver of successful security authentication.
  - 4. The method of claim 1, wherein performing security authentication further comprises:
    - once security authentication of the content driver is established, determining a run-time at memory location of the secure content driver; and
      
      establishing a function entry point for receiving the stream of encrypted content from the secure content driver.
  - 5. The method of claim 1, further comprising:
    - receiving a content decryption key in order to enable decryption of encrypted content streams received from the secure content driver;
      
      receiving a digital signature of a static image of the secure content driver; and
      
      receiving a digital signature of a run-time image of the secure content driver.

6. A method comprising:
- establishing security authentication from a content decryption component, such that a content driver is verified as a secure content driver, wherein the content driver and the content decryption component are located within a kernel application space, wherein the kernel application space is modified for registering the secure content driver with the content decryption component in order for the secure content driver to receive security identity authentication, and wherein the content decryption component is tamper-resistant;
  
  when establishment of security authentication is successful, receiving access to a callback function in order to receive clear, decrypted content streams from the content decryption component;
  
  receiving a stream of encrypted content;
  
  while establishing integrity authentication of a run-time image of the secure content driver, streaming the encrypted content to the content decryption component; and
  
  when security authentication is successfully established, receiving clear, decrypted content from the content decryption component via the received callback function,wherein establishing integrity authentication further comprises;
  
  decrypting the encrypted content stream received from the secure content driver;
  
  while decrypting the received encrypted content stream, performing a hash value calculation of code segments that perform functionality of the secure content driver while loaded in memory;
  
  selecting a stored digital signature of the run-time image of the secure content driver;
  
  decrypting the digital signature to reveal a run-time hash value;
  
  comparing the computed hash value with the run-time hash value of the secure content driver; and
  
  while the calculated hash value matches the run-time hash value of the secure content driver, repeating the decryption, the performing, the selecting and the comparing until decryption of the received encrypted content stream is complete.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, wherein establishing security verification further comprises:
    - receiving a request for authorization information from the content decryption component;
      
      transmitting the requested authorization information to the content decryption component; and
      
      when security authentication is successfully established, receiving notification of successful security authentication from the content decryption component, such that, the content driver is established as the secure content driver.
  - 8. The method of claim 6, wherein establishing security authentication further comprises:
    - once security authentication is established, providing content decryption component with a memory location wherein the secure content driver is loaded at run-time; and
      
      providing the content decryption component with a function entry point for receiving the stream of encrypted content.
  - 9. The method of claim 6, wherein receiving encrypted content further comprises:
    - receiving encrypted content from a content source reader; and
      
      receiving a direction from a content driver to stream the encrypted content to the content decryption component.

10. A computer readable storage medium including program instruction that directs a computer to function in a specified manner when executed by a processor, the program instructions comprising:
- performing security authentication of a content driver by a content decryption component in order to verify an identity of the content driver as a secure content driver, wherein the content driver and the content decryption component are located within a kernel application space, wherein the kernel application space is modified for registering the secure content driver with the content decryption component in order for the secure content driver to receive security identity authentication, and wherein the content decryption component is tamper-resistant;
  
  receiving an encrypted content stream from the secure content driver;
  
  performing integrity authentication of a run-time image of the secure content driver; and
  
  while integrity authentication of the secure content driver is verified, streaming decrypted content to the secure content driver to enable playback of the decrypted content to a user,wherein performing integrity authentication further comprises;
  
  decrypting the encrypted content stream received from the secure content driver;
  
  while decrypting the received encrypted content stream, performing a hash value calculation of code segments that perform functionality of the secure content driver while loaded in memory;
  
  selecting a stored digital signature of the run-time image of the secure content driver;
  
  decrypting the digital signature to reveal a run-time hash value;
  
  comparing the computed hash value with the run-time hash value of the secure content driver; and
  
  while the calculated hash value matches the run-time hash value of the secure content driver, repeating the decryption, the performing, the selecting and the comparing until decryption of the received encrypted content stream is complete.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computer readable storage medium of claim 10, wherein performing security authentication further comprises:
    - locating authorization information of the secure content driver;
      
      decrypting the authorization information received from the secure content driver; and
      
      authenticating an identity of the secure content driver based on the decrypted authorization information.
  - 12. The computer readable storage medium of claim 11, wherein authenticating the identity further comprises:
    - calculating a hash value of a static image of the secure content driver prior to loading the secure content driver into memory;
      
      selecting a stored digital signature of the static image;
      
      decrypting the stored digital signature to retrieve a pre-calculated hash value of the secure content driver;
      
      comparing the pre-calculated hash value with the calculated hash value; and
      
      when the calculated hash value matches the pre-calculated hash value of the secure content driver, notifying the secure content driver of successful security authentication.
  - 13. The computer readable storage medium of claim 10, wherein performing security authentication further comprises:
    - once security authentication of the content driver is established, determining a run-time at memory location of the secure content driver; and
      
      establishing a function entry point for receiving the stream of encrypted content from the secure content driver.
  - 14. The computer readable storage medium of claim 10, further comprising:
    - receiving a content decryption key in order to enable decryption of encrypted content streams received from the secure content driver;
      
      receiving a digital signature of a static image of the secure content driver; and
      
      receiving a digital signature of a run-time image of the secure content driver.

15. A computer readable storage medium including program instruction that directs a computer to function in a specified manner when executed by a processor, the program instructions comprising:
- establishing security authentication from a content decryption component, such that a content driver is verified as a secure content driver, wherein the content driver and the content decryption component are located within a kernel application space, wherein the kernel application space is modified for registering the secure content driver with the content decryption component in order for the secure content driver to receive security identity authentication, and wherein the content decryption component is tamper-resistant;
  
  when establishment of security authentication is successful, receiving access to a callback function in order to receive clear, decrypted content streams from the content decryption component;
  
  receiving a stream of encrypted content;
  
  while establishing integrity authentication of a run-time image of the secure content driver, streaming the encrypted content to the content decryption component; and
  
  when security authentication is successfully established, receiving clear, decrypted content from the content decryption component via the received callback function,wherein establishing integrity authentication further comprises;
  
  decrypting the encrypted content stream received from the secure content driver;
  
  while decrypting the received encrypted content stream performing a hash value calculation of code segments that perform functionality of the secure content driver while loaded in memory;
  
  selecting a stored digital signature of the run-time image of the secure content driver;
  
  decrypting the digital signature to reveal a run-time hash value;
  
  comparing the computed hash value with the run-time hash value of the secure content driver; and
  
  while the calculated hash value matches the run-time hash value of the secure content driver, repeating the decryption, the performing, the selecting and the comparing until decryption of the received encrypted content stream is complete.
- View Dependent Claims (16, 17, 18)
- - 16. The computer readable storage medium of claim 15, whereinestablishing security verification further comprises:
    - receiving a request for authorization information from the content decryption component;
      
      transmitting the requested authorization information to the content decryption component; and
      
      when security authentication is successfully established, receiving notification of successful security authentication from the content decryption component, such that the content driver is established as the secure content driver.
  - 17. The computer readable storage medium of claim 15, wherein establishing security authentication further comprises:
    - once security authentication is established, providing content decryption component with a memory location wherein the secure content driver is loaded at run-time; and
      
      providing the content decryption component with a function entry point for receiving the stream of encrypted content.
  - 18. The computer readable storage medium of claim 15, wherein receiving encrypted content further comprises:
    - receiving encrypted content from a content source reader; and
      
      receiving a direction from a content driver to stream the encrypted content to the content decryption component.

19. An apparatus, comprising:
- a processor having circuitry to execute instructions;
  
  a content play-back interface coupled to the processor, the content play-back interface to receive encrypted content, and to enable play-back of the received encrypted content to a user; and
  
  a storage device coupled to the processor, having sequences of instructions stored therein, which when executed by the processor cause the processor to;
  
  perform security authentication of a content driver by a content decryption component in order to verify an identity of the content driver as a secure content driver, wherein the content driver and the content decryption component are located within a kernel application space, wherein the kernel application space is modified for registering the secure content driver with the content decryption component in order for the secure content driver to receive security identity authentication, and wherein the content decryption component is tamper-resistant,receive an encrypted content stream from the secure content driver,perform integrity authentication of a run-time image of the secure content driver, andwhile integrity authentication of the secure content driver is verified, stream decrypted content to the secure content driver to enable playback of the decrypted content to a user,wherein the instruction to perform integrity authentication further comprises the processor to;
  
  decrypt the encrypted content stream received from the secure content driver,while decrypting the received encrypted content stream, perform a hash value calculation of code segments that perform functionality of the secure content driver while loaded in memory,select a stored digital signature of the run-time image of the secure content driver,decrypt the digital signature to reveal a run-time hash value,compare the computed hash value with the run-time hash value of the secure content driver, andwhile the calculated hash value matches the run-time hash value of the secure content driver, repeat the decryption, the performing, the selecting and thecomparing until decryption of the received encrypted content stream is complete.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The apparatus of claim 19, wherein the instruction to perform security authentication further comprises the processor to:
    - locate authorization information of the secure content driver,decrypt the authorization information received from the secure content driver, andauthenticate an identity of the secure content driver based on the decrypted authorization information.
  - 21. The apparatus of claim 20, wherein the instruction to perform security authentication further comprises the processor to:
    - calculate a hash value of a static image of the secure content driver prior to loading the secure content driver into memory,select a stored digital signature of the static image,decrypt the digital signature to retrieve a pre-calculated hash value of the secure content driver,compare the pre-calculated hash value with the calculated hash value, andwhen the calculated hash value matches the pre-calculated hash value of the secure content driver, notify the secure content driver of successful security authentication.
  - 22. The apparatus of claim 19, wherein the instruction to perform security authentication further comprises the processor to:
    - once security authentication of the content driver is established, determine a run-time at memory location of the secure content driver, andestablish a function entry point for receiving the stream of encrypted content from the secure content driver.
  - 23. The apparatus of claim 19, wherein the processor is further caused to:
    - receive a content decryption key in order to enable decryption of encrypted content streams received from the secure content driver,receive a digital signature of a static image of the secure content driver, andreceive a digital signature of a run-time image of the secure content driver.
  - 24. The apparatus of claim 19, wherein the processor is further caused to:
    - establish security authentication from a content decryption component, such that a content driver is verified as a secure content driver,when establishment of security authentication is successful, receive access to a callback function in order to receive clear, decrypted content streams from the content decryption component,receive a stream of encrypted content,stream the encrypted content to the content decryption component, andwhen security authentication is successfully established, receive clear, decrypted content from the content decryption component via the received callback function.
  - 25. The apparatus of claim 19, wherein the instruction to establish security verification further comprises the processor to:
    - receive a request for authorization information from the content decryption component,transmit the requested authorization information to the content decryption component, andwhen security authentication is successfully established, receive notification of successful security authentication from the content decryption component, such that the content driver is established as the secure content driver.
  - 26. The apparatus of claim 19, wherein the instruction to establish security authentication further comprises the processor to:
    - once security authentication is established,provide content decryption component with a memory location wherein the secure content driver is loaded at run-time, andprovide the content decryption component with a function entry point for receiving the stream of encrypted content.
  - 27. The apparatus of claim 19, wherein the instruction to receive encrypted content further comprises the processor to:
    - receive encrypted content from a content source reader, andreceive a direction from a content driver to stream the encrypted content to the content decryption component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Joshi, Ajit P., Jutzi, Curtis E., Mangold, Richard P.
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US09/895,057
Publication Number

US 20030005301A1
Time in Patent Office

2,413 Days
Field of Search

713/176, 713/150, 713/164, 705/57, 380/211, 380/201, 707/57, 726/26, 726/27, 726/29
US Class Current

726/26
CPC Class Codes

H04N 21/4405   involving video stream decr...

H04N 21/4424   Monitoring of the internal ...

H04N 21/443   OS processes, e.g. booting ...

H04N 7/1675   Providing digital key or au...

Apparatus and method for enabling secure content decryption within a set-top box

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

221 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for enabling secure content decryption within a set-top box

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

221 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links