Remote access to local content using transcryption of digital rights management schemes

US 7,500,269 B2
Filed: 03/07/2005
Issued: 03/03/2009
Est. Priority Date: 01/07/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method for controlling access to a service over a network, said method comprising:

receiving a network-service credential at a sink device, wherein said network-service credential is issued by a provider of said service and includes a value to indicate that said sink device is enrolled in said network, wherein the value is selected from the group including a name of the service provider and an Internet Protocol (IP) address of the service provider;

identifying a device-manufacturer credential that is stored in a non-volatile memory of said sink device and that identifies a manufacturer of said device;

storing said network-service credential in said non-volatile memory on said sink device to replace the device-manufacturer credential, wherein the existence of said network-service credential in said non-volatile memory binds said sink device to said network and prevents said sink device from accessing other networks besides the network;

said sink device presenting said network-service credential to the provider of said service, wherein said provider uses said network-service credential to authenticate and authorize said sink device, wherein upon authorization said device is provided access to said service;

receiving from the sink device over a Wide Area Network (WAN) a request for an item of content available on a source device that is located in a Local Area Network (LAN), and forward the request for the item of content to the source device;

exchanging messages to authenticate the sink device, the exchanged messages for verifying the presence of said network-service credential in a non-volatile memory of the sink device;

after the sink device is authenticated, receiving a communication sent from the source device over the LAN, the communication sent according to a first digital rights management protocol and including both the item of content and rights objects that define rules governing usage of the item of content;

transcrypting the communication into a second digital rights management protocol such that the rights objects are retained; and

transmitting the communication that is wrapped in the second digital rights management protocol and that contains both the item of content and the rights objects over the WAN to the authenticated sink.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and devices allowing distribution of content that resides in a source device on a local area network (LAN) are described. A gateway between the LAN and a wide area network (WAN) receives from a sink device a request for an instance of content. The request is sent over the WAN. Distribution of the item of content within the LAN uses a first digital rights management (DRM) protocol that prevents the item of content from being distributed outside the LAN. For the item of content, the gateway converts from the first DRM protocol to a second DRM protocol that can be used for transmitting content over the WAN. The item of content can then be forwarded to the sink device according to the second DRM protocol.

182 Citations

14 Claims

1. A method for controlling access to a service over a network, said method comprising:
- receiving a network-service credential at a sink device, wherein said network-service credential is issued by a provider of said service and includes a value to indicate that said sink device is enrolled in said network, wherein the value is selected from the group including a name of the service provider and an Internet Protocol (IP) address of the service provider;
  
  identifying a device-manufacturer credential that is stored in a non-volatile memory of said sink device and that identifies a manufacturer of said device;
  
  storing said network-service credential in said non-volatile memory on said sink device to replace the device-manufacturer credential, wherein the existence of said network-service credential in said non-volatile memory binds said sink device to said network and prevents said sink device from accessing other networks besides the network;
  
  said sink device presenting said network-service credential to the provider of said service, wherein said provider uses said network-service credential to authenticate and authorize said sink device, wherein upon authorization said device is provided access to said service;
  
  receiving from the sink device over a Wide Area Network (WAN) a request for an item of content available on a source device that is located in a Local Area Network (LAN), and forward the request for the item of content to the source device;
  
  exchanging messages to authenticate the sink device, the exchanged messages for verifying the presence of said network-service credential in a non-volatile memory of the sink device;
  
  after the sink device is authenticated, receiving a communication sent from the source device over the LAN, the communication sent according to a first digital rights management protocol and including both the item of content and rights objects that define rules governing usage of the item of content;
  
  transcrypting the communication into a second digital rights management protocol such that the rights objects are retained; and
  
  transmitting the communication that is wrapped in the second digital rights management protocol and that contains both the item of content and the rights objects over the WAN to the authenticated sink.
- View Dependent Claims (2)
- - 2. The method of claim 1, further comprising distributing a received decryption key to the sink device after the sink device is authenticated.

3. A system, comprising:
- a device circuitry configured to receive a network service credential at a device, wherein said network service credential indicates that said device is enrolled in a network, and wherein said network service credential contains at least one value selected from the group including a service provider name and service provider address;
  
  the device circuitry configured to identify a location on a non-volatile memory of said device, the identified location storing a device-manufacturer credential that identifies a manufacturer of said device;
  
  the device circuitry configured to store said credential in the identified location to replace the device-manufacturer credential, wherein the presence of said network service credential enrolls said device in said network and prevents, according to an authorization scheme, said device from accessing other networks besides the network;
  
  the device circuitry configured to present said network service credential before accessing content associated with the enrolled network;
  
  a gateway having a first gateway interface for coupling to a first network and a second gateway interface for coupling to a second different network, the gateway interfaces for providing the first network access to the second network; and
  
  the gateway having a circuitry configured to;
  
  receive over the second interface a request for a content item available on a source device that is located in the first network, and forward the request for the content item to the source device;
  
  receive over the first interface a communication sent from the source device, the communication sent according to a first digital rights management protocol and including both the content item and rights objects that define rules governing usage of the content item;
  
  transcrypt the communication into a second digital rights management protocol such that the rights objects are retained; and
  
  transmit the communication that is wrapped in the second digital rights management protocol and that contains both the content item and the rights objects over the second interfacerelay an authorization message between the networks using the gateway interfaces, the authorization message associated with the request for the content item;
  
  while relaying the authorization message, inspect the authorization message to learn a decryption key included in the authorization message; and
  
  retain the learned decryption key for later use,receive a different authorization message associated with a different request for the same or another content item, the different request originating from a different sink device and received over the second gateway interface; and
  
  perform authorization for the different sink device and handle distribution of the learned decryption key to the different sink device.
- View Dependent Claims (4)
- - 4. The system of claim 3, wherein the network service credential contains both the name and address of the service provider.

5. An apparatus, comprising:
- a sink device;
  
  a source device;
  
  a bus;
  
  one or more processors coupled to said bus; and
  
  a memory unit coupled to said bus, said memory unit containing instructions that when executed by the processors are operable to;
  
  receive a network service credential sent from an issuing device operated by a service provider that controls access to a service, the network service credential logically associating the network service credential with the service provider through inclusion of a name or address of the service provider in the network service credential;
  
  identify, in a non-volatile memory of said apparatus, a location corresponding to device-manufacturer credential that identifies a manufacturer of said apparatus;
  
  store said network service credential in the identified location in the non-volatile memory, wherein the presence of said network service credential in the identified location binds said apparatus to said network, wherein the presence of the network service credential in the identified location controls whether the apparatus is authorized to transfer content between the network and another network; and
  
  present said network service credential to said service provider for allowing said service provider to authenticate and authorize said apparatus to access the service based on the network service credential;
  
  receive a request from the sink device for a content item;
  
  identify a subnet to which the sink device belongs, and identify a network service credential stored on the sink device;
  
  compare the identified subnet to a subnet to which the apparatus belongs, and compare the identified network service credential to the stored network service crendential;
  
  determine that the sink device is a household device if the subnets match and the network service credentials match;
  
  determine that the sink device is a mobile device if the subnets are different but the network service credentials match;
  
  determine that the sink device is a visitor device if the subnets match but the network service credentials do not match;
  
  determine that the sink device is a foreign device if the subnets are different and the network service credentials are different;
  
  provide the sink device access to the content item according to whether the sink device is a household device, a mobile device, or a visitor device; and
  
  wherein the source device outputs content associated with the service after authentication and authorization is successful, the source device outputting the content encrypted with a first digital rights management protocol, and wherein the gateway transcrypts the content to encrypt with a second different digital rights management protocol.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The apparatus of claim 5, wherein said network service credential logically associates the apparatus with the service provider by including an Internet Protocol (IP) address that corresponds to a network associated with the network service credential.
  - 7. The apparatus of claim 5, wherein said network service credential logically associates the network service credential with the service provider by including a sixteen Byte name of the service provider.
  - 8. The apparatus of claim 5, wherein said network service credential logically associates a home network that includes the apparatus with the service provider by including a subscriber identifier that is defined by the service provider and that includes a medium access control address of a broadband modem that provides the apparatus access from the home network to the Internet.
  - 9. The apparatus of claim 5, wherein the apparatus operates in a home network comprising a plurality of network devices coupled to a local gateway, said local gateway couplable via the Internet to a remote server for said provider, wherein said apparatus enrolls with said local gateway which enrolls with said remote server.
  - 10. The apparatus of claim 5, wherein said apparatus is also associated with an Internet Protocol (IP) address, wherein said apparatus IP address is used in combination with said network service credential to determine whether access to said service is permitted.
  - 11. The apparatus of claim 5, wherein the network service credential is stored in a portion of said non-volatile memory that is initially used for storing a manufacturer-device certificate.

12. A gateway, comprising:
- a sink device;
  
  a source device;
  
  a bus;
  
  one or more processors; and
  
  a memory unit coupled to said bus, said memory unit containing instructions that when executed by the processors are operable to;
  
  receive a network service credential sent from an issuing device operated by a service provider that controls access to a service, the network service credential logically associating the network service credential with the service provider through inclusion of a name or address of the service provider in the network service credential;
  
  identify a location in a non-volatile memory of a device for storing a device-manufacturer credential that identifies a manufacturer of said device;
  
  store the received credential in the identified location in the memory to replace the device-manufacturer credential, the presence of the credential in the identified location controlling whether the gateway is authorized to transfer data between the device and a remote network;
  
  receive a request from the sink device for a content item;
  
  identify a subnet to which the sink device belongs, and identify a network service credential stored on the sink device;
  
  compare the identified subnet to a subnet to which the gateway belongs, and compare the identified network service credential to the stored network service credential;
  
  determine that the sink device is a household device if the subnets match and the network service credentials match;
  
  determine that the sink device is a mobile device if the subnets are different but the network service credentials match;
  
  determine that the sink device is a visitor device if the subnets match but the network service credentials do not match;
  
  determine that the sink device is a foreign device if the subnets are different and the network service credentials are different;
  
  provide the sink device access to the content item according to whether the sink device is a household device, a mobile device, or a visitor device; and
  
  wherein the source device outputs content associated with the service after authentication and authorization is successful, the source device outputting the content encrypted with a first digital rights management protocol, and wherein the gateway transcrypts the content to encrypt with a second different digital rights management protocol.
- View Dependent Claims (13, 14)
- - 13. The gateway of claim 12, wherein the processors are further operable to determine whether the content item is to be provided to mobile devices, and if the content item is to be provided to mobile devices, authorizing the sink to access the content item if the sink is determined to be a household device or a mobile device.
  - 14. The gateway of claim 12, wherein the processors are further operable to determine whether the content item is to be provided to visitor devices, and if the content item is to be provided to visitor devices, authorizing the sink to access the content item if the sink is determined to be a household device, a mobile device, or a visitor device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Huotari, Allen J., Baugher, Mark John
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
GERGISO, TECHANE

Application Number

US11/075,197
Publication Number

US 20060156416A1
Time in Patent Office

1,457 Days
Field of Search

726/27, 726/26, 726/3, 713/153
US Class Current

726/27
CPC Class Codes

H04L 2463/101   applying security measures ...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

Remote access to local content using transcryption of digital rights management schemes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

182 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Remote access to local content using transcryption of digital rights management schemes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

182 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others