Remote access to local content using transcryption of digital rights management schemes
First Claim
1. A method for controlling access to a service over a network, said method comprising:
- receiving a network-service credential at a sink device, wherein said network-service credential is issued by a provider of said service and includes a value to indicate that said sink device is enrolled in said network, wherein the value is selected from the group including a name of the service provider and an Internet Protocol (IP) address of the service provider;
identifying a device-manufacturer credential that is stored in a non-volatile memory of said sink device and that identifies a manufacturer of said device;
storing said network-service credential in said non-volatile memory on said sink device to replace the device-manufacturer credential, wherein the existence of said network-service credential in said non-volatile memory binds said sink device to said network and prevents said sink device from accessing other networks besides the network;
said sink device presenting said network-service credential to the provider of said service, wherein said provider uses said network-service credential to authenticate and authorize said sink device, wherein upon authorization said device is provided access to said service;
receiving from the sink device over a Wide Area Network (WAN) a request for an item of content available on a source device that is located in a Local Area Network (LAN), and forward the request for the item of content to the source device;
exchanging messages to authenticate the sink device, the exchanged messages for verifying the presence of said network-service credential in a non-volatile memory of the sink device;
after the sink device is authenticated, receiving a communication sent from the source device over the LAN, the communication sent according to a first digital rights management protocol and including both the item of content and rights objects that define rules governing usage of the item of content;
transcrypting the communication into a second digital rights management protocol such that the rights objects are retained; and
transmitting the communication that is wrapped in the second digital rights management protocol and that contains both the item of content and the rights objects over the WAN to the authenticated sink.
Abstract
Methods and devices allowing distribution of content that resides in a source device on a local area network (LAN) are described. A gateway between the LAN and a wide area network (WAN) receives from a sink device a request for an instance of content. The request is sent over the WAN. Distribution of the item of content within the LAN uses a first digital rights management (DRM) protocol that prevents the item of content from being distributed outside the LAN. For the item of content, the gateway converts from the first DRM protocol to a second DRM protocol that can be used for transmitting content over the WAN. The item of content can then be forwarded to the sink device according to the second DRM protocol.
14 Claims
3. A system, comprising:
a device circuitry configured to receive a network service credential at a device, wherein said network service credential indicates that said device is enrolled in a network, and wherein said network service credential contains at least one value selected from the group including a service provider name and service provider address;
the device circuitry configured to identify a location on a non-volatile memory of said device, the identified location storing a device-manufacturer credential that identifies a manufacturer of said device;
the device circuitry configured to store said credential in the identified location to replace the device-manufacturer credential, wherein the presence of said network service credential enrolls said device in said network and prevents, according to an authorization scheme, said device from accessing other networks besides the network;
the device circuitry configured to present said network service credential before accessing content associated with the enrolled network;
a gateway having a first gateway interface for coupling to a first network and a second gateway interface for coupling to a second different network, the gateway interfaces for providing the first network access to the second network; and
the gateway having a circuitry configured to;
receive over the second interface a request for a content item available on a source device that is located in the first network, and forward the request for the content item to the source device;
receive over the first interface a communication sent from the source device, the communication sent according to a first digital rights management protocol and including both the content item and rights objects that define rules governing usage of the content item;
transcrypt the communication into a second digital rights management protocol such that the rights objects are retained; and
transmit the communication that is wrapped in the second digital rights management protocol and that contains both the content item and the rights objects over the second interface;
relay an authorization message between the networks using the gateway interfaces, the authorization message associated with the request for the content item;
while relaying the authorization message, inspect the authorization message to learn a decryption key included in the authorization message; and
retain the learned decryption key for later use,
receive a different authorization message associated with a different request for the same or another content item, the different request originating from a different sink device and received over the second gateway interface; and
perform authorization for the different sink device and handle distribution of the learned decryption key to the different sink device.
5. An apparatus, comprising:
a sink device;
a source device;
a bus;
one or more processors coupled to said bus; and
a memory unit coupled to said bus, said memory unit containing instructions that when executed by the processors are operable to;
receive a network service credential sent from an issuing device operated by a service provider that controls access to a service, the network service credential logically associating the network service credential with the service provider through inclusion of a name or address of the service provider in the network service credential;
identify, in a non-volatile memory of said apparatus, a location corresponding to device-manufacturer credential that identifies a manufacturer of said apparatus;
store said network service credential in the identified location in the non-volatile memory, wherein the presence of said network service credential in the identified location binds said apparatus to said network, wherein the presence of the network service credential in the identified location controls whether the apparatus is authorized to transfer content between the network and another network; and
present said network service credential to said service provider for allowing said service provider to authenticate and authorize said apparatus to access the service based on the network service credential;
receive a request from the sink device for a content item;
identify a subnet to which the sink device belongs, and identify a network service credential stored on the sink device;
compare the identified subnet to a subnet to which the apparatus belongs, and compare the identified network service credential to the stored network service credential;
determine that the sink device is a household device if the subnets match and the network service credentials match;
determine that the sink device is a mobile device if the subnets are different but the network service credentials match;
determine that the sink device is a visitor device if the subnets match but the network service credentials do not match;
determine that the sink device is a foreign device if the subnets are different and the network service credentials are different;
provide the sink device access to the content item according to whether the sink device is a household device, a mobile device, or a visitor device; and
wherein the source device outputs content associated with the service after authentication and authorization is successful, the source device outputting the content encrypted with a first digital rights management protocol, and wherein the gateway transcrypts the content to encrypt with a second different digital rights management protocol.
12. A gateway, comprising:
a sink device;
a source device;
a bus;
one or more processors; and
a memory unit coupled to said bus, said memory unit containing instructions that when executed by the processors are operable to;
receive a network service credential sent from an issuing device operated by a service provider that controls access to a service, the network service credential logically associating the network service credential with the service provider through inclusion of a name or address of the service provider in the network service credential;
identify a location in a non-volatile memory of a device for storing a device-manufacturer credential that identifies a manufacturer of said device;
store the received credential in the identified location in the memory to replace the device-manufacturer credential, the presence of the credential in the identified location controlling whether the gateway is authorized to transfer data between the device and a remote network;
receive a request from the sink device for a content item;
identify a subnet to which the sink device belongs, and identify a network service credential stored on the sink device;
compare the identified subnet to a subnet to which the gateway belongs, and compare the identified network service credential to the stored network service credential;
determine that the sink device is a household device if the subnets match and the network service credentials match;
determine that the sink device is a mobile device if the subnets are different but the network service credentials match;
determine that the sink device is a visitor device if the subnets match but the network service credentials do not match;
determine that the sink device is a foreign device if the subnets are different and the network service credentials are different;
provide the sink device access to the content item according to whether the sink device is a household device, a mobile device, or a visitor device; and
wherein the source device outputs content associated with the service after authentication and authorization is successful, the source device outputting the content encrypted with a first digital rights management protocol, and wherein the gateway transcrypts the content to encrypt with a second different digital rights management protocol.
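An added example, not part of the patent text: the four-way sink classification recited in claims 5 and 12, sketched in Python. The function names, the use of the gateway's own LAN prefix to decide subnet membership, and the byte-string credential comparison are assumptions; the claims do not specify how either comparison is made.

```python
import hmac
import ipaddress
from enum import Enum
from typing import Optional


class SinkClass(Enum):
    HOUSEHOLD = "household"  # same subnet, same credential
    MOBILE = "mobile"        # different subnet, same credential
    VISITOR = "visitor"      # same subnet, different credential
    FOREIGN = "foreign"      # different subnet, different credential


def same_subnet(gateway_if: str, sink_addr: str) -> bool:
    """Assumed test: the sink address falls inside the gateway's LAN prefix."""
    net = ipaddress.ip_interface(gateway_if).network
    addr = ipaddress.ip_address(sink_addr)
    # An IPv4 address never matches an IPv6 prefix, and vice versa.
    return addr.version == net.version and addr in net


def same_credential(stored: bytes, presented: Optional[bytes]) -> bool:
    """Constant-time comparison; a missing or empty credential never matches."""
    if not presented:
        return False
    return hmac.compare_digest(stored, presented)


def classify_sink(gateway_if: str, stored_cred: bytes,
                  sink_addr: str, sink_cred: Optional[bytes]) -> SinkClass:
    subnet_ok = same_subnet(gateway_if, sink_addr)
    cred_ok = same_credential(stored_cred, sink_cred)
    if subnet_ok and cred_ok:
        return SinkClass.HOUSEHOLD
    if cred_ok:
        return SinkClass.MOBILE
    if subnet_ok:
        return SinkClass.VISITOR
    return SinkClass.FOREIGN


def may_access(sink_class: SinkClass) -> bool:
    """The claims grant access to household, mobile and visitor devices only."""
    return sink_class is not SinkClass.FOREIGN


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges, made-up credentials).
    GW, CRED = "192.168.1.1/24", b"constructed-credential-A"
    for ip, cred in [("192.168.1.20", CRED), ("203.0.113.7", CRED),
                     ("192.168.1.30", b"constructed-credential-B"),
                     ("203.0.113.9", None)]:
        c = classify_sink(GW, CRED, ip, cred)
        print(ip, c.value, may_access(c))
```

A device that presents no credential on the local subnet classifies as a visitor, so the subnet match alone is what grants it access in this reading of the claims.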
Specification