US20100046752A1 - System and Method for Security Processing Media Streams - Google Patents

System and Method for Security Processing Media Streams Download PDF

Info

Publication number
US20100046752A1
US20100046752A1 US12/575,053 US57505309A US2010046752A1 US 20100046752 A1 US20100046752 A1 US 20100046752A1 US 57505309 A US57505309 A US 57505309A US 2010046752 A1 US2010046752 A1 US 2010046752A1
Authority
US
United States
Prior art keywords
receiver
security
media streams
encryption
stream
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US12/575,053
Inventor
James William Fahrny
Charles Compton
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Comcast Cable Communications LLC
Original Assignee
Comcast Cable Holdings LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Family has litigation
First worldwide family litigation filed litigation Critical https://patents.darts-ip.com/?family=34807779&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=US20100046752(A1) "Global patent litigation dataset” by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.
Application filed by Comcast Cable Holdings LLC filed Critical Comcast Cable Holdings LLC
Priority to US12/575,053 priority Critical patent/US20100046752A1/en
Publication of US20100046752A1 publication Critical patent/US20100046752A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N21/44Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream, rendering scenes according to MPEG-4 scene graphs
    • H04N21/4405Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream, rendering scenes according to MPEG-4 scene graphs involving video stream decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/234Processing of video elementary streams, e.g. splicing of video streams, manipulating MPEG-4 scene graphs
    • H04N21/2347Processing of video elementary streams, e.g. splicing of video streams, manipulating MPEG-4 scene graphs involving video stream encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00Television systems
    • H04N7/16Analogue secrecy systems; Analogue subscription systems
    • H04N7/167Systems rendering the television signal unintelligible and subsequently intelligible
    • H04N7/1675Providing digital key or authorisation information for generation or regeneration of the scrambling sequence
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Definitions

  • the present invention relates to a system and a method for security processing media streams.
  • Conventional implementations of media e.g., video, audio, video plus audio, and the like
  • program stream delivery systems e.g., cable, satellite, etc.
  • a headend where the media programming originates (i.e., is encoded and compressed, groomed, statmuxed, and otherwise appropriately processed)
  • a network e.g., cable or satellite
  • STB set top box
  • STB set top box
  • Conventional headends and STBs employ particular matching encryption/decryption and compression/decompression technologies.
  • the encryption/decryption and compression/decompression technologies in the particular conventional system are fixed and often proprietary to the vendor.
  • conventional media service processing and delivery systems typically implement security processes in connection with individual implementations of point of deployment, CableCard, Smartcard, etc. systems.
  • aspects of the present invention generally provides an improved system and method for security processing digital media streams.
  • the improved system and method for security processing media streams of the present invention may be compatible with previously used (i.e., legacy) systems and methods using all levels of media stream processing and delivery service (i.e., basic to high-end) as well as adaptable to future implementations, and that is flexible, renewable, re-configurable, and supports simultaneous multiple security systems and processes.
  • a system for multi-stream security processing and distributing digital media streams comprises a headend, a network, and at least one receiver.
  • the headend may be configured to generate encrypted digital media streams.
  • the network may be coupled to the headend and configured to receive the encrypted digital media streams.
  • the at least one receiver may be coupled to the network and configured to receive the encrypted digital media streams and present a decrypted version of the encrypted digital media streams.
  • At least one of the headend and the at least one receiver comprises a security processor that may be configured to provide at least one of simultaneous multiple encryption and simultaneous multiple decryption processing of the digital media streams.
  • the headend may utilize the security processor of the present invention to encrypt the digital media streams and the one or more receivers may use a conventional approach to decrypt the digital media streams.
  • the headend may utilize a conventional approach to encrypt the digital media streams and one or more of the receivers may use the security processor of the present invention to decrypt the digital media streams.
  • the headend may utilize the security processor of the present invention to encrypt the digital media streams and one or more of the receivers may use the security processor of the present invention to decrypt the digital media streams.
  • the headend generally encodes, compresses, grooms, statmuxs, and otherwise appropriately processes the digital media streams.
  • the receivers may, in one example, be implemented as set top boxes (STBs).
  • the receiver (receiving device) may be implemented as a television, high definition television (HDTV), monitor, host viewing device, MP3 player, audio receiver, radio, personal computer, media player, digital video recorder, game playing device, etc.
  • HDMI high definition television
  • MP3 player audio receiver
  • radio personal computer
  • media player digital video recorder
  • game playing device etc.
  • a method of multi-stream security processing and distributing digital media streams comprises generating encrypted digital media streams at a headend.
  • the method further comprises coupling a network to the headend and receiving the encrypted digital media streams at the network.
  • the method yet further comprises coupling at least one receiver to the network and receiving the encrypted digital media streams at the receiver, and presenting a decrypted version of the encrypted digital media streams using the receiver.
  • At least one of the headend and the at least one receiver comprises a security processor that may be configured to provide at least one of simultaneous multiple encryption and simultaneous multiple decryption processing of the digital media streams.
  • a security processor configured to provide at least one of simultaneous multiple media transport stream decryption and encryption processing.
  • the security processor comprises a controller and a plurality of digital stream engines.
  • the digital stream engines may be selectively parallel coupled by the controller for simultaneous operation in response to a predetermined security configuration.
  • FIG. 1 is a diagram a media stream security processor according to aspects of the present invention
  • FIG. 2 is a diagram of a media processing and delivery system implementing aspects of the present invention.
  • FIG. 3 is a diagram of another media processing and delivery system implementing aspects of the present invention.
  • the improved system and method for security processing digital media streams may be implemented in connection with a cable (or satellite) television delivery system.
  • digital media streams e.g., media streams that include video, audio, video plus audio, and the like in any appropriate format or protocol such as Motion Picture Expert Group (MPEG), MPEG-2, MPEG-4, Windows Media 9 , Real Media, etc. streams
  • MPEG Motion Picture Expert Group
  • MPEG-2 MPEG-2
  • MPEG-4 Windows Media 9
  • Real Media 9 Real Media 9
  • Real Media 9 Real Media 9
  • the present invention may be implemented in connection with any appropriate media stream delivery system to meet the design criteria of a particular application.
  • the present invention may dis-aggregate (i.e., separate, break apart, etc.) content security algorithms (i.e., routines, processes, operations, etc.) that are typically proprietary from the respective infrastructure components (e.g., media stream delivery system headend components and set top boxes (STBs), and the like).
  • content security algorithms i.e., routines, processes, operations, etc.
  • STBs set top boxes
  • the dis-aggregation provided by the present invention may dramatically lower the cost for infrastructure owners (e.g., media stream delivery system vendors, providers, operators, etc.) to switch (i.e., change, migrate, transition, evolve, upgrade, shift, modify, etc.) between different content security systems and methods.
  • the dis-aggregation may provide for the manufacture and distribution of digital media stream delivery devices that are compatible with past (or legacy), present and future infrastructure, regardless of specific content security systems and methods that are used in the infrastructure.
  • the dis-aggregation provided by the present invention may include dis-aggregation of security features that generally use hardware re-configuration from the security features that can be renewed in software.
  • the present invention may provide more efficient manufacturing and distribution, and may enable new business models, including the retail availability of extremely low cost customer premises equipment (CPE, such as STBs, host digital devices, etc.).
  • CPE customer premises equipment
  • the present invention may provide flexibility to enable infrastructure transitions between different content security systems and method, including transitions from ‘legacy’ (i.e., past or previous implementation, earlier generation, backward compatible with older, etc.) systems that generally use proprietary content security.
  • the present invention may provide for ease in introducing new conditional access systems (CASs) into a media stream vendor (provider) network that has legacy hardware and software.
  • CASs conditional access systems
  • media stream vendor provider
  • the present invention may provide the multisystem operator (MSO) (i.e., the media stream provider) the ability to support legacy systems and make a transition to a new CAS or to an alternative proprietary CAS, as desired, thereby making a more smooth and cost effective transition that may be amortized over a longer time period.
  • MSO multisystem operator
  • the present invention may also provide media stream processing and delivery service providers the ability to transition from any rights management system or process to any appropriate CAS.
  • the present invention may provide a renewable and re-configurable security system and method that may be used to encrypt content and services in a cable headend (e.g., servers, processors, etc.).
  • the present invention may also be used to decrypt content and services in the receiving devices (e.g., STBs, viewing devices, etc.).
  • the present invention may provide flexible support for encryption and decryption of multiple CASs, Digital Rights Management, and the like.
  • the present invention may provide support for authentication of devices.
  • the present invention generally provides novel and improved concepts in renewability and hardware re-configuration for conditional access and digital rights management systems.
  • the present invention may use a highly secure role-based authentication process (i.e., method, routine, steps, blocks, operation, etc.) to configure and renew the overall security system, and security key (i.e., code, authorization, etc.) management techniques.
  • the role-based authentication of the present invention may provide a logon to the security processor to enable access to certain functions as a user for media stream decryption and encryption.
  • the role-based authentication of the present invention generally enables an Administrator, Supervisor, or other authorized user to logon with a different password or key to enable the configuration, re-configuration, and renewability of the software and hardware.
  • the present invention may be used to decrypt any appropriate media streams in home STB, host digital television devices, and the like.
  • the present invention may support encryption and decryption of legacy (i.e., past, prior, previously implemented, etc.) CASs, a digital video broadcasting-common scrambling algorithm (DVB-CSA) CAS system, Digital Rights Management, and the like for video, audio, video plus audio, etc., and for newly developed CASs.
  • legacy i.e., past, prior, previously implemented, etc.
  • DVD-CSA digital video broadcasting-common scrambling algorithm
  • Digital Rights Management Digital Rights Management
  • the commercial value of the present invention may be very large since the present invention may enable all of the consumer electronics industry to innovate new types of products for MSOs, and all media stream processing and delivery equipment companies are potential customers for the present invention.
  • the present invention may lower the overall cost of producing STBs and digital televisions, thereby providing significant cost and time savings to the MSOs and customers of the MSOs. By providing dramatically lower costs as well as increased innovation and new business models, the present invention may provide the user significant commercial advantages when compared to conventional approaches.
  • the present invention generally provides an improved system and method to securely configure, renew, and re-configure (using role-based authentication) an encryption/decryption apparatus to support both proprietary, legacy CASs, other proprietary CAS implementations (e.g., apparatuses from vendors such as NDS, Nagravision, Irdeto, Canalplus, etc.), DVB-CSA implementations, and one or more CAS systems using novel and unique transport encryption algorithms and novel and unique security key management techniques.
  • the present invention generally provides novel concepts in the ability to securely configure, renew, and re-configure media stream distribution system products to support both proprietary, legacy conditional access systems (CASs), other proprietary CAS implementations (e.g., NDS/Nagravision, Irdeto, Canalplus, DVB-CSA implementations, etc.), and one or more new CAS systems using new transport encryption algorithms and new key hierarchy techniques.
  • CASs legacy conditional access systems
  • other proprietary CAS implementations e.g., NDS/Nagravision, Irdeto, Canalplus, DVB-CSA implementations, etc.
  • new transport encryption algorithms and new key hierarchy techniques e.g., a single, proprietary system that is expensive and difficult to change (e.g., upgrade, modify, transition, evolve, replace, etc.).
  • FIG. 1 a diagram illustrating a media stream system (i.e., processor, apparatus, circuit, transceiver, etc.) 100 of the present invention is shown.
  • the system 100 may be implemented in connection with a digital media stream distribution system (described in more detail in connection with FIG. 2 ).
  • the system 100 is generally implemented as a security processor (or processing system) that provides at least one security feature (e.g., encryption, decryption, authentication, security key management, copy protection, digital rights management, etc.) to at least one digital media input/output stream.
  • the system 100 may be implemented as a security processor that may be configured to provide at least one of simultaneous multiple encryption and simultaneous multiple decryption processing of the digital media streams.
  • the system 100 generally comprises a security processor 102 , a random access memory (RAM) 104 , and a flash memory 106 .
  • the RAM 104 and the flash 106 are generally implemented as secure (i.e., intruder resistant) memories.
  • the RAM 104 and the flash 106 may be implemented external to the processor 102 . Such an implementation may provide easy physical access for changing the RAM 104 and the flash 106 in implementations where such a feature is desired.
  • the processor 102 may have an input 110 that may receive a stream (e.g., IN), an output 112 that may present (i.e., transmit, broadcast, send, etc.) a stream (e.g., OUT), an input/output 114 that may couple (i.e., connect, hook up, wire, interface, etc.) the processor 102 and the RAM 104 , an input/output 116 and an input/output 118 that each may couple the processor 102 and a headend (described in connection with FIG. 2 ), and an input/output 120 that may couple the processor 102 and the flash 106 .
  • a stream e.g., IN
  • an output 112 that may present (i.e., transmit, broadcast, send, etc.) a stream (e.g., OUT)
  • an input/output 114 that may couple (i.e., connect, hook up, wire, interface, etc.) the processor 102 and the RAM 104
  • the streams IN and OUT may be implemented as digital media streams that may be in an encrypted or in a clear (i.e., unencrypted or decrypted) state.
  • the streams IN and OUT are each generally implemented as a digital media signal stream (e.g., an MPEG, MPEG-2, etc. stream or other transport stream).
  • the stream OUT may be implemented as a decrypted (and decompressed) version of the stream IN.
  • the stream OUT may be implemented as an encrypted (and compressed) version of the stream IN.
  • the streams OUT and IN may both may be implemented as a encrypted (and compressed) streams.
  • the streams IN and OUT may be implemented having any appropriate format and protocol to meet the design criteria of a particular application.
  • the input/output 116 may be configured to perform interfacing between the headend (e.g., headend 202 of FIG. 2 ) and the processor 102 that corresponds to (or is related to) firmware downloads that are authenticated.
  • the input/output 118 may be configured to perform interfacing between the headend and the processor 102 that corresponds to (or is related to) configuration and key loading that is authenticated.
  • the security processor 102 generally comprises an engine 130 (described in more detail below), an automatic resource (or re-hosting) manager (ARM) processor (or controller) 132 , transport stream encryption/decryption engine configuration logic 134 , secure RAM 136 , read only memory (ROM) 138 , and at least one of a random number generator 150 , a hardware multiplier 152 , a dynamic feedback arrangement scrambling technique (DFAST) algorithm 154 (i.e., a RAM or ROM that contains the appropriate algorithm), and a hash generation algorithm 156 (e.g., a SHA-1, an MD5, and the like) algorithm (i.e., a RAM or ROM that contains the appropriate algorithm).
  • DFAST dynamic feedback arrangement scrambling technique
  • the engine 130 is generally implemented as a digital media stream encryption/decryption engine.
  • the stream engine 130 may receive the stream IN and present the stream OUT.
  • the engine 130 is generally coupled (i.e., connected, wired, hooked up, interfaced, etc.) to the controller 132 and the logic 134 .
  • the engine 130 generally comprises at least one digital media stream encryption/decryption engine 140 (e.g., engines 140 a - 140 n ). When multiple devices 140 are implemented, the engines 140 are generally configured to be coupled in parallel.
  • the engines 140 are generally selectively parallel coupled by the controller 132 in response to a predetermined security configuration.
  • the ARM processor (or controller) 132 may be coupled to the logic 134 , the RAM 136 , the firmware 138 , the generator 150 , the multiplier 152 , the DFAST algorithm 154 , and a hash generation algorithm 156 .
  • the RAM 104 and the flash 106 are generally coupled to the ARM processor 132 .
  • the RAM 104 and the flash 106 may be implemented to provide secure, readily swappable upgrades to the system 100 .
  • the controller 132 generally controls the operation of the system 100 in response to at least one (one or more) algorithms (e.g., routines, methods, processes, steps, blocks, procedures, etc.
  • the predetermined security configuration that may be stored (i.e., saved, held, etc.) in at least one of the RAM 104 , the flash 106 , the logic 134 , the RAM 136 , the ROM 138 , the generator 150 , the multiplier 152 , the DFAST algorithm 154 , and the hash 156 , as well as internally in connection with the processor 132 .
  • the ARM processor (or controller) 132 generally provides for secure downloads, RSA (named after the three inventors —Ron Rivest, Adi Shamir and Leonard Adleman) key management, multiple key management, digital signatures, and the like, and may include transport stream encryption/decryption logic.
  • the devices e.g., the logic 134 , the RAM 136 , the ROM 138 , the generator 150 , the multiplier 152 , the algorithm 154 , the hash 156 , etc. may be coupled in parallel.
  • the controller 132 generally couples and controls the appropriate engine or engines 140 and the other devices (e.g., the logic 134 , the RAM 136 , the ROM 138 , the generator 150 , the multiplier 152 , the algorithm 154 , the hash 156 , etc.) to meet the design criteria (i.e., the predetermined, desired security configuration) of a particular application.
  • the design criteria i.e., the predetermined, desired security configuration
  • the system 100 architecture may be defined in terms of a set of security elements (SEs, e.g., interconnection and interaction of the stream engines 140 , the logic 134 , the RAM 136 , etc. as controlled via the processor 132 ) and descriptions of how the SEs are used (i.e., implemented, employed, utilized, etc.) to meet design criteria of particular applications.
  • SEs security elements
  • the system 100 may provide transport media stream security service for a range of security environments from the most basic in which the only service is a low-end digital video service, to a multi-play high end environment with digital video, digital recording, data, and multimedia services.
  • the system 100 generally provides elements that may be configured in parallel (e.g., the engines 140 , etc.), to encrypt a series of security streams (e.g., the stream IN when implemented in connection with a headend) that are sent out to the network (e.g., the stream OUT) and also (e.g., when implemented in connection with a STB or host device) be used to decrypt services (e.g., the stream IN) on a single end-user device for subscriber services (e.g., a clear, decrypted, viewable version of the stream OUT).
  • a series of security streams e.g., the stream IN when implemented in connection with a headend
  • decrypt services e.g., the stream IN
  • subscriber services e.g., a clear, decrypted, viewable version of the stream OUT.
  • a so-called “hash” is generally a function (or process) that converts an input (e.g., the input stream, IN) from a large domain into an output in a smaller set (i.e., a hash value, e.g., the output stream, OUT).
  • Various hash processes differ in the domain of the respective input streams and the set of the respective output streams and in how patterns and similarities of input streams generate the respective output streams.
  • DES Data Encryption Standard
  • Any 56-bit number can be implemented as a DES key.
  • the relatively short key length renders DES vulnerable to brute-force attack wherein all possible keys are tried one by one until the correct key is encountered (i.e., the key is “broken”).
  • the engine 140 a may be implemented as a DES/3-DES stream engine that operates via (i.e., through, using, etc.) a legacy system Cipher Block Chaining (CBC) mode.
  • the legacy CASs use 56-bit DES in CBC mode for the MPEG-2 transport security.
  • the legacy system also uses DFAST scrambling on the DES CBC initialization vector as well as certain DES keys.
  • Triple DES (3-DES) i.e., application of DES encryption three times using three different keys
  • the legacy CAS also sends an increment value in the Out Of Band (OOB) channel that is used mathematically with a content key to generate a final DES working key for encrypting or decrypting the MPEG stream packets.
  • OOB Out Of Band
  • the working key is generally changed on a variable frequency as set (i.e., predetermined, selected, etc.) by the headend.
  • the engine 140 b may be implemented as a DES/3-DES stream engine that operates via an alternative legacy system Electronic Code Book (ECB) mode.
  • the alternative legacy CAS uses a 56-bit DES in ECB mode for the MPEG-2 transport security.
  • the alternative legacy CAS also uses triple DES encryption on the DES keys and to protect entitlements.
  • the alternative legacy CAS also sends a value in the OOB channel that is used mathematically with the content key to generate a final DES working key for encrypting or decrypting the MPEG stream packets.
  • the working key is generally changed on a variable frequency that is predetermined by the headend.
  • the engine 140 c may be implemented as an OpenCable (SCTE-41) Copy Protection mode stream engine that uses 56-bit DES in ECB) mode for the MPEG-2 transport security.
  • the OpenCable (SCTE-41) Copy Protection also uses a variation of the CAS DFAST scrambling on the DES keys, which are calculated and sent across the CableCARD interface to the host device.
  • the DES Copy Protection key that is used in connection with the OpenCable (SCTE-41) Copy Protection is generally changed on a variable period, and the variable period is generally predetermined by variables in the CableCARD.
  • an engine 140 may be implemented as a CAS DES mode digital video stream security processing engine.
  • the CAS DES mode may implement a standard (i.e., existing, currently implemented, etc.) algorithm for encryption such as DES ECB.
  • the methods used to manage and verify the entitlements may be standardized such that multiple media service vendors are enabled to produce the corresponding system 100 .
  • the corresponding unit key for entitlement management messages (EMMs), category keys, content keys and a working key may be generated.
  • Predetermined information e.g., a random number, a system seed key, a vendor selected code, etc.
  • the engine 140 d may be implemented as a unique and novel advanced encryption standard (AES) mode stream engine that uses the standard AES algorithm for transport decryption and encryption.
  • AES advanced encryption standard
  • the methods used to manage and verify the entitlements may be standardized so that multiple media service vendors are enabled to produce the corresponding system 100 .
  • Predetermined techniques e.g., methods, routines, steps, processes, algorithms, etc.
  • Predetermined information may be mathematically paired with the keys to provide protection for the overall security of the system 100 and the predetermined information may be standardized for the system 100 .
  • an engine 140 may be implemented as a Copy Protection/Digital Video Recorder (DVR) mode stream engine.
  • the OpenCable (SCTE-41) Copy Protection system may be modified to support AES and the existing DES encryption algorithm for the DVR and Copy Protection security.
  • the OpenCable (SCTE-41) Copy Protection uses a variation on the CAS DFAST scrambling on the DES keys, which are calculated and sent across the CableCARD interface to the respective host device.
  • AES is used as an alternative algorithm, the 128-bit key can be scrambled by the DFAST algorithm and sent from the CableCARD to the host device.
  • AES is generally a much more secure algorithm to use for the storing of digital content in a digital video recording when compared to DES and therefore may be preferable for DVR applications.
  • the engine 140 e may be implemented as a Common Scrambling Algorithm (CSA) stream engine.
  • the engine 140 e may be implemented using a DVB-CSA Standard Mode as implemented by vendors such as NDS and Nagravision.
  • DVB-CSA CASs use a 40-bit CSA for the MPEG-2 transport security.
  • DVB-CSA also uses triple DES encryption for the CSA keys.
  • DVB-CSA CASs also use a value that is combined mathematically (e.g., via the multiplier 152 ) with the content key to generate a final CSA working key for encrypting or decrypting the MPEG stream packets.
  • the working key is generally changed on a variable frequency that is predetermined by the headend.
  • an engine 140 may be implemented as a unique and novel CAS CSA mode stream engine.
  • the CAS CSA mode may use the standard CSA algorithm for transport encryption and decryption.
  • the methods used to manage and verify the entitlements may be predetermined and standardized such that multiple vendors may produce and support the system 100 .
  • Predetermined techniques may be implemented to generate the unit key for EMMs, category keys, content keys and a respective working key.
  • Predetermined information e.g., user selected codes
  • the engine 140 n may be implemented as a Digital Rights Management (DRM) digital media stream engine.
  • DRM Digital Rights Management
  • the present invention may provide a system and a method for a DRM stream and license file processing using at least one standard algorithm (e.g., DES, AES, CSA, etc.) for transport encryption and decryption.
  • the methods used to manage and verify the entitlements in the rights licenses may be predetermined and standardized such that multiple vendors may produce and support the system 100 .
  • Predetermined techniques may be implemented to generate the unit key for the rights entitlements (i.e., license files).
  • the implementations of category keys, content keys and the working key are not typically part of the standard DRM solution.
  • Predetermined information may be mathematically paired with the keys to provide protection for the overall security of the DRM solution of the present invention and the information may be standardized.
  • the DRM solution implemented using the present invention may be configured to support various DRM security implementations including, but not limited to, Windows DRM and Real Networks DRM.
  • a number of features implemented via the security processor 100 may be implemented in hardware (e.g., the configuration logic 134 ).
  • the respective hardware is generally re-configurable instead of software renewable.
  • the extraction of the content key from the entitlement control message (ECM) and the modification performed on the content key may be implemented in hardware to provide improved performance (e.g., faster processor 100 operation, better reliability, etc.).
  • the content key configuration is generally used for all of the transport decryption engines defined in the security system 100 to load the final working keys.
  • the configuration logic When implemented in hardware, the configuration logic generally provides support to mathematically pair the content key with the modifier value, at a predetermined frequency using a predefined mathematical function.
  • the mathematical functions that may be implemented in connection with the security system 100 e.g., via the multiplier 152 ) generally include Boolean XOR, Simple Add, Multiply, and any other appropriate functions to meet the design criteria of a particular application.
  • the present invention may provide for securely upgrading all or part of the various software components of key management logic via renewable software (e.g., software that is implemented in connection with the RAM 104 , the flash 106 , RAM 136 , the ROM 138 , etc.).
  • renewable software e.g., software that is implemented in connection with the RAM 104 , the flash 106 , RAM 136 , the ROM 138 , etc.
  • the present invention may process and validate unit keys via unit key logic.
  • the unit key logic may be protected in the security architecture of the system 100 (e.g., secure RAM 104 , secure flash 106 , etc.).
  • a respective remote device not shown
  • the unit key logic may be upgraded in a secure manner using a signed code image to protect the integrity of the upgrade.
  • the present invention may provide for securely processing and validating EMMs via EMM Logic.
  • the EMM logic is generally protected in the security architecture of the system 100 .
  • the EMM logic may be upgraded in a secure manner using a signed code image to protect the integrity of the upgrade.
  • the present invention may provide for securely processing and validating category keys via category key logic.
  • the category key logic is generally protected in the security architecture of the system 100 .
  • the category key logic may be upgraded in a secure manner using a signed code image to protect the integrity of the upgrade.
  • the present invention may provide for securely processing and validating an entitlement control message (ECM) via ECM key logic.
  • ECM key logic is generally protected in the security architecture of the system 100 .
  • the ECM key logic may be upgraded in a secure manner using a signed code image to protect the integrity of the upgrade.
  • the present invention may provide for securely processing and validating the working keys via working keys logic.
  • the working keys logic is generally protected in the security architecture of the system 100 .
  • the working keys logic may be upgraded in a secure manner using a signed code image to protect the integrity of the upgrade.
  • the system 100 generally supports at least one of highly secure and authenticated configuration, re-configuration, and renewability using role-based authentication. At least one of configuration, renewability, and re-configuration of the present invention is generally performed after a remote authentication occurs.
  • a logon request is generally made from the headend to perform the configuration change via a cryptographic ignition key split (CIK).
  • the CIK generally permits the headend to login to the system 100 in a supervisor role.
  • the re-configuration request is generally performed from the data sent in the corresponding message.
  • software downloads may be performed to upgrade key logic or to modify hardware configurations of the transport decryption.
  • the configuration, renewal and re-configuration are complete, the headend may present a logoff request.
  • the present invention generally provides for authentication via a number of processes.
  • the system 100 may generate a predetermined bit-width (in one example, up to 4096-bit, however, any appropriate bit-width may be implemented) RSA keys and securely storing the private key for use in digital signatures.
  • the system 100 processor e.g., the processor 132
  • the system 100 may generate digital signatures securely without exposing the respective private key.
  • the system 100 may verify digital signatures on signed messages and certificates received for authentication.
  • the present invention generally provides for generating SHA-1 hash values and for generating Message Digest 5 (MD5) hash values for use in digital signatures (e.g., via the hash generator 156 ).
  • the present invention generally provides for generation of and verification of digital signatures (e.g., via the ARM processor 132 ).
  • Public key signatures for the present invention may be generated and verified using the RSA signature algorithm described in FIPS-PUB 180-1, “Secure Hash Standard”.
  • the present invention generally provides for generation of and verification of standard and virtual public key infrastructure/information (PKI).
  • PKI public key infrastructure/information
  • the present invention generally provides support for a predetermined number (e.g., up to a 4 tier, greater than 4 tier, etc.) of standard PKI chain of X.509 certificates.
  • the present invention generally provides support for the secure storage and usage of one RSA private key up to 4096-bits in size. However, any appropriate size may be implemented to meet the design criteria of a particular application.
  • Virtual PKI is a method in which certificates are not installed from a true external PKI chain.
  • Data elements for the Validity Period, the CA certificate, the Distinguished Name and the related extensions may be sent to the system 100 at initialization time.
  • the present invention generally processes the data elements to digitally sign certificates internally for use in later authentication purposes on a network.
  • Certificate validation generally includes validation of a linked chain of certificates from the end entity certificates to a valid Root. For example, the signature on the device certificate is verified with the Issuing CA Certificate and then the signature on the manufacturer CA certificate is verified with the Root CA certificate.
  • the Root CA certificate is generally self-signed and the Root CA certificate is generally received from a trusted source in a secure way.
  • the public key present in the Root CA Certificate is generally used to validate the signature on the Root CA certificate.
  • the present invention generally provides for the support of the exact rules for certificate chain validation that generally fully comply with IETF RFC 3280, “Internet X.509 Public Key Infrastructure Certificate and CRL Profile”, and may be referred to as “Certificate Path Validation” rules.
  • the present invention generally provides for the generation of a predetermined number (e.g., in one example, an up to 384-bit, however any appropriate bit-size may be implemented) elliptic curve (EC, i.e., growth) keys and for securely storing the private key for use in digital signatures.
  • the processor of the present invention e.g., ARM processor 132
  • the processor of the present invention may generate EC-DSA digital signatures securely without exposing (i.e., revealing) the respective private key.
  • the ARM processor 132 may verify EC-DSA digital signatures on signed messages and certificates received for authentication.
  • the present invention generally provides for strong (i.e., highly random, non-deterministic, etc.) random number generation (e.g., via the generator 150 ).
  • the generator 150 may produce true-random seeds (e.g., seeds generated per RFC 1750 and FIPS 140-2).
  • the present invention may, implement a per-device secret (e.g., a vendor selected code or random number generator) installed at manufacture time and used in the random number generation process.
  • the present invention generally provides for support of simultaneous multiple media transport streams decryption and encryption processing (i.e., multi-stream security).
  • the transport encryption/decryption engines e.g., the engines 140
  • the transport encryption/decryption engines generally support at least two or more simultaneous transport stream decryption and encryption processes, and each respective algorithm (e.g., DES, AES, CSA, etc.) depending on overall gate count of the system 100 .
  • the present invention may easily implement parallel devices (e.g., parallel coupled stream engines 140 ) and thus increase multiple transport stream encryption and decryption.
  • Parallel devices may also be used to implement multiple key management schemes for conditional access and for digital rights management.
  • the system 100 may be utilized in the headend of the media stream distribution system for transport stream encryption in highly parallel configurations.
  • the present invention generally provides for the headend implementation in a more cost effective manner than conventional approaches.
  • the present invention generally provides for support of at least 2 streams of high definition (HD) transport decryption and encryption at a rate of approximately 19.4 megabits per second.
  • the present invention may be configured to support any appropriate number of streams of transport decryption and encryption at any appropriate rate.
  • the present invention generally provides for support session based transport decryption and encryption in the development of video on demand (VOD) security. Similarly, the present invention generally provides for support of real-time session based VOD key management.
  • VOD video on demand
  • the present invention generally provides support for all related (or corresponding) manufacturing and operational considerations.
  • the present invention may provide support for passage mode partial encryption and decryption in all of the transport encryption engines for all algorithms implemented via the apparatus 100 .
  • the distribution system 200 generally comprises a headend 202 , a network 204 , at least one set top box (STB) 206 (generally a plurality of STBs 206 a - 206 n ), and at least one respective receiving device (i.e., receiver, transceiver, etc.) 208 (generally a plurality of devices 208 a - 208 n ).
  • STB set top box
  • the distribution system 200 is generally implemented as a media service provider/subscriber system wherein the provider (or vendor) generally operates the headend 202 and the network 204 , and also provides a subscriber (i.e., client, customer, service purchaser, user, etc.) with the STB 206 .
  • the STB 206 is generally located at the subscriber location (not shown, e.g., home, tavern, hotel room, business, etc.) and the receiving device 208 is generally provided by the client.
  • the device 208 is generally implemented as a television, high definition television (HDTV), monitor, host viewing device, MP3 player, audio receiver, radio, personal computer, media player, digital video recorder, game playing device, etc.
  • the device 208 may be implemented as a transceiver having interactive capability in connection with the STB 206 , the headend 202 , or both the STB 206 and the headend 202 .
  • the headend 202 is generally electrically coupled to the network 204
  • the network 204 is generally electrically coupled to the STB 206
  • each STB 206 is generally electrically coupled to the respective device 208 .
  • the electrical coupling may be implemented as any appropriate hard-wired (e.g., twisted pair, untwisted conductors, coaxial cable, fiber optic cable, hybrid fiber cable, etc.) or wireless (e.g., radio frequency, microwave, infrared, etc.) coupling and protocol (e.g., HomePlug, HomePNA, IEEE 802.11(a-b), Bluetooth, HomeRF, etc.) to meet the design criteria of a particular application.
  • the distribution system 200 is illustrated showing one STB 206 Coupled to a respective one device 208
  • each STB 206 may be implemented having the capability of coupling more than one device 208 (not shown).
  • the headend 202 generally comprises a plurality of devices 210 (e.g., devices 210 a - 210 n ) that are implemented as data servers, computers, processors, security encryption and decryption apparatuses or systems, and the like configured to provide video and audio data (e.g., movies, music, television programming, and the like), processing equipment (e.g., provider operated subscriber account processing servers), television service transceivers (e.g., transceivers for standard broadcast television and radio, digital television, HDTV, audio, MP3, text messaging, gaming, etc.), and the like.
  • the headend 202 may generate and present (i.e., transmit, provide, pass, broadcast, send, etc.) the stream IN.
  • At least one of the devices 210 may be implemented as the security system 100 as described above in connection with FIG. 1 .
  • the device 210 that is implemented as a security system 100 may receive clear or encrypted video and audio data and present clear or encrypted (and compressed or uncompressed) video and audio data.
  • the network 204 is generally implemented as a media stream distribution network (e.g., cable, satellite, and the like) that is configured to selectively distribute (i.e., transmit and receive) media service provider streams (e.g., standard broadcast television and radio, digital television, HDTV, audio, MP3, text messaging, games, etc.) for example, as the stream IN to the STBs 206 and to the receivers 208 , for example as the stream OUT.
  • media service provider streams e.g., standard broadcast television and radio, digital television, HDTV, audio, MP3, text messaging, games, etc.
  • the stream IN is generally distributed based upon (or in response to) subscriber information.
  • the level of service the client has purchased e.g., basic service, premium movie channels, etc.
  • the type of service the client has requested e.g., standard TV, HDTV, interactive messaging, etc.
  • the like may determine the media streams that are sent to (and received from) a particular subscriber.
  • the STB 206 is generally implemented as an STB having multiple stream capability (e.g., standard broadcast television and radio, digital television, audio, MP3, high definition digital television (HDTV), text messaging, etc.).
  • the STB 106 generally comprises at least one respective security processor 212 .
  • the security processor 212 may be implemented as the security processor (or system) 100 .
  • the processor 212 may receive encrypted (and compressed) video and audio data (e.g., the stream IN) and present clear video and audio data (e.g., the stream OUT) to the receiver 208 .
  • the security processor (or system) 100 may be implemented in connection with the device 208 .
  • the device (e.g., transceiver) 208 may send an encrypted or a clear media stream to the headend 202 via the STB 206 and the network 204 .
  • the system 100 of the present invention may be implemented in any of the headend 202 , the STB 206 , and the receiving device 208 , alone or in combination.
  • the distribution system 200 ′ generally comprises the headend 202 , the network 204 , and at least one of the receiving device (i.e., receiver, transceiver, etc.) 208 (generally a plurality of the devices 208 a - 208 n ).
  • the receiving device 208 is generally coupled directly to the network 204 and receives the signal IN.
  • the system 200 ′ may be implemented having at least one STB 206 coupled to the network 204 and with at least one receiver 208 coupled thereto, as well as having at least one device 208 that is directly coupled to the network 204 .
  • the improved system and method of the present invention may ease the difficulty in introducing new conditional access systems into an MSO network due the legacy hardware and software already deployed. In contrast, the time and expense of performing a transition to a new conditional access system can be extremely prohibitive particularly if the transition must occur in a short time period when conventional approaches are used.
  • the present invention may provide an MSO the ability to support legacy systems and make a transition to a new CAS or alternative proprietary CAS as desired, thereby facilitating a more smooth and cost effective transition that may be able to be amortized over a longer time period.
  • the present invention may provide support for the parameters of retail distribution.
  • the present invention generally provides an improved system and an improved method for a configurable, renewable, and re-configurable security system and method used to encrypt/decrypt media streams in a digital media stream distribution system (e.g., in a headend, in a STB, in host digital television devices, and the like).
  • the present invention may provide support for encryption and decryption of legacy CASs, the DVB-CSA CAS proprietary systems, Digital Rights Management for media (e.g., video, audio, video plus audio, etc.), Video On Demand, and newly developed conditional access systems.
  • the present invention may provide support for authentication of devices and generally provides novel concepts in renewability and hardware re-configuration for media conditional access systems.
  • the present invention may provide for use of a highly secure role-based authentication to securely configure and renew the overall security system and key management techniques in a digital media stream processing environment.

Abstract

A system for multi-stream security processing and distributing digital media streams includes a headend, a network, and at least one receiver. The headend is generally configured to generate encrypted digital media streams. The network may be coupled to the headend and configured to receive the encrypted digital media streams. The at least one receiver may be coupled to the network and configured to receive the encrypted digital media streams and present a decrypted version of the encrypted digital media streams. At least one of the headend and the at least one receiver include a security processor that may be configured to provide at least one of simultaneous multiple encryption and simultaneous multiple decryption processing of the digital media streams.

Description

  • This application is a continuation application of copending application Ser. No. 10/767,980, filed Jan. 29, 2004, having the same title, herein incorporated by reference for all purposes.
    • FIELD
  • The present invention relates to a system and a method for security processing media streams.
    • BACKGROUND
  • Conventional implementations of media (e.g., video, audio, video plus audio, and the like) program stream delivery systems (e.g., cable, satellite, etc.) include a headend where the media programming originates (i.e., is encoded and compressed, groomed, statmuxed, and otherwise appropriately processed), a network (e.g., cable or satellite) for delivery of the media programming to the client (i.e., customer, user, buyer, etc.) location, at least one set top box (STB) at the client location for conversion (e.g., decryption and decompression) of the media programming stream, and at least one respective viewing device such as a television (TV) or monitor that is connected to the STB.
  • Conventional headends and STBs employ particular matching encryption/decryption and compression/decompression technologies. However, there is little standardization of particular matching encryption/decryption across media program stream delivery system vendors. The encryption/decryption and compression/decompression technologies in the particular conventional system are fixed and often proprietary to the vendor. Furthermore, conventional media service processing and delivery systems typically implement security processes in connection with individual implementations of point of deployment, CableCard, Smartcard, etc. systems.
  • Transitions to upgrades in encryption/decryption and compression/decompression technologies are, therefore, expensive and difficult for the media program stream delivery system vendors to implement. As such, customers can be left with substandard service due to the lack of standardization and the reduced competition that the lack of standardization has on innovation in media service delivery. The lack of standardization also restricts the ability of media service providers to compete. For example, customers may have viewing devices that could take advantage of the improved technologies, however, media stream delivery system upgrades may be impossible, impracticable, or not economically feasible for vendors using conventional approaches. A significant level of customer dissatisfaction may result.
  • As a result, it would be desirable to have an improved system and method for security processing media streams that addresses the above indicated problems with conventional approaches as well as providing additional improvements.
    • SUMMARY
  • Aspects of the present invention generally provides an improved system and method for security processing digital media streams. The improved system and method for security processing media streams of the present invention may be compatible with previously used (i.e., legacy) systems and methods using all levels of media stream processing and delivery service (i.e., basic to high-end) as well as adaptable to future implementations, and that is flexible, renewable, re-configurable, and supports simultaneous multiple security systems and processes.
  • According to aspects of the present invention, a system for multi-stream security processing and distributing digital media streams is provided. The system comprises a headend, a network, and at least one receiver. The headend may be configured to generate encrypted digital media streams. The network may be coupled to the headend and configured to receive the encrypted digital media streams. The at least one receiver may be coupled to the network and configured to receive the encrypted digital media streams and present a decrypted version of the encrypted digital media streams. At least one of the headend and the at least one receiver comprises a security processor that may be configured to provide at least one of simultaneous multiple encryption and simultaneous multiple decryption processing of the digital media streams.
  • For example, in one implementation the headend may utilize the security processor of the present invention to encrypt the digital media streams and the one or more receivers may use a conventional approach to decrypt the digital media streams. In another example, the headend may utilize a conventional approach to encrypt the digital media streams and one or more of the receivers may use the security processor of the present invention to decrypt the digital media streams. In yet another example, the headend may utilize the security processor of the present invention to encrypt the digital media streams and one or more of the receivers may use the security processor of the present invention to decrypt the digital media streams. In all of the implementations, the headend generally encodes, compresses, grooms, statmuxs, and otherwise appropriately processes the digital media streams. The receivers may, in one example, be implemented as set top boxes (STBs). In other examples, the receiver (receiving device) may be implemented as a television, high definition television (HDTV), monitor, host viewing device, MP3 player, audio receiver, radio, personal computer, media player, digital video recorder, game playing device, etc.
  • Also according to aspects of the present invention, a method of multi-stream security processing and distributing digital media streams is provided. The method comprises generating encrypted digital media streams at a headend. The method further comprises coupling a network to the headend and receiving the encrypted digital media streams at the network. The method yet further comprises coupling at least one receiver to the network and receiving the encrypted digital media streams at the receiver, and presenting a decrypted version of the encrypted digital media streams using the receiver. At least one of the headend and the at least one receiver comprises a security processor that may be configured to provide at least one of simultaneous multiple encryption and simultaneous multiple decryption processing of the digital media streams.
  • Further, according to aspects of the present invention, for use in a system for multi-stream security processing and distributing digital media streams, a security processor configured to provide at least one of simultaneous multiple media transport stream decryption and encryption processing is provided. The security processor comprises a controller and a plurality of digital stream engines. The digital stream engines may be selectively parallel coupled by the controller for simultaneous operation in response to a predetermined security configuration.
  • The above features, and other features and advantages of aspects of the present invention are readily apparent from the following detailed descriptions thereof when taken in connection with the accompanying drawings.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a diagram a media stream security processor according to aspects of the present invention;
  • FIG. 2 is a diagram of a media processing and delivery system implementing aspects of the present invention; and
  • FIG. 3 is a diagram of another media processing and delivery system implementing aspects of the present invention.
    •  DETAILED DESCRIPTION
  • With reference to the Figures, illustrative preferred embodiments of the present invention will now be described in detail. In one example, the improved system and method for security processing digital media streams (e.g., media streams that include video, audio, video plus audio, and the like in any appropriate format or protocol such as Motion Picture Expert Group (MPEG), MPEG-2, MPEG-4, Windows Media 9, Real Media, etc. streams) of the present invention may be implemented in connection with a cable (or satellite) television delivery system. However, the present invention may be implemented in connection with any appropriate media stream delivery system to meet the design criteria of a particular application. The present invention may dis-aggregate (i.e., separate, break apart, etc.) content security algorithms (i.e., routines, processes, operations, etc.) that are typically proprietary from the respective infrastructure components (e.g., media stream delivery system headend components and set top boxes (STBs), and the like).
  • The dis-aggregation provided by the present invention may dramatically lower the cost for infrastructure owners (e.g., media stream delivery system vendors, providers, operators, etc.) to switch (i.e., change, migrate, transition, evolve, upgrade, shift, modify, etc.) between different content security systems and methods. The dis-aggregation may provide for the manufacture and distribution of digital media stream delivery devices that are compatible with past (or legacy), present and future infrastructure, regardless of specific content security systems and methods that are used in the infrastructure.
  • The dis-aggregation provided by the present invention may include dis-aggregation of security features that generally use hardware re-configuration from the security features that can be renewed in software. The present invention may provide more efficient manufacturing and distribution, and may enable new business models, including the retail availability of extremely low cost customer premises equipment (CPE, such as STBs, host digital devices, etc.).
  • The present invention may provide flexibility to enable infrastructure transitions between different content security systems and method, including transitions from ‘legacy’ (i.e., past or previous implementation, earlier generation, backward compatible with older, etc.) systems that generally use proprietary content security. The present invention may provide for ease in introducing new conditional access systems (CASs) into a media stream vendor (provider) network that has legacy hardware and software. The transition time and expense of performing a transition to a new CAS can be extremely prohibitive using conventional approaches particularly when the transition should be performed in a short time period. The present invention may provide the multisystem operator (MSO) (i.e., the media stream provider) the ability to support legacy systems and make a transition to a new CAS or to an alternative proprietary CAS, as desired, thereby making a more smooth and cost effective transition that may be amortized over a longer time period. The present invention may also provide media stream processing and delivery service providers the ability to transition from any rights management system or process to any appropriate CAS.
  • The present invention may provide a renewable and re-configurable security system and method that may be used to encrypt content and services in a cable headend (e.g., servers, processors, etc.). The present invention may also be used to decrypt content and services in the receiving devices (e.g., STBs, viewing devices, etc.). The present invention may provide flexible support for encryption and decryption of multiple CASs, Digital Rights Management, and the like. The present invention may provide support for authentication of devices. The present invention generally provides novel and improved concepts in renewability and hardware re-configuration for conditional access and digital rights management systems.
  • The present invention may use a highly secure role-based authentication process (i.e., method, routine, steps, blocks, operation, etc.) to configure and renew the overall security system, and security key (i.e., code, authorization, etc.) management techniques. The role-based authentication of the present invention may provide a logon to the security processor to enable access to certain functions as a user for media stream decryption and encryption. In the same way, the role-based authentication of the present invention generally enables an Administrator, Supervisor, or other authorized user to logon with a different password or key to enable the configuration, re-configuration, and renewability of the software and hardware.
  • The present invention may be used to decrypt any appropriate media streams in home STB, host digital television devices, and the like. The present invention may support encryption and decryption of legacy (i.e., past, prior, previously implemented, etc.) CASs, a digital video broadcasting-common scrambling algorithm (DVB-CSA) CAS system, Digital Rights Management, and the like for video, audio, video plus audio, etc., and for newly developed CASs.
  • The commercial value of the present invention may be very large since the present invention may enable all of the consumer electronics industry to innovate new types of products for MSOs, and all media stream processing and delivery equipment companies are potential customers for the present invention. The present invention may lower the overall cost of producing STBs and digital televisions, thereby providing significant cost and time savings to the MSOs and customers of the MSOs. By providing dramatically lower costs as well as increased innovation and new business models, the present invention may provide the user significant commercial advantages when compared to conventional approaches.
  • The present invention generally provides an improved system and method to securely configure, renew, and re-configure (using role-based authentication) an encryption/decryption apparatus to support both proprietary, legacy CASs, other proprietary CAS implementations (e.g., apparatuses from vendors such as NDS, Nagravision, Irdeto, Canalplus, etc.), DVB-CSA implementations, and one or more CAS systems using novel and unique transport encryption algorithms and novel and unique security key management techniques.
  • The present invention generally provides novel concepts in the ability to securely configure, renew, and re-configure media stream distribution system products to support both proprietary, legacy conditional access systems (CASs), other proprietary CAS implementations (e.g., NDS/Nagravision, Irdeto, Canalplus, DVB-CSA implementations, etc.), and one or more new CAS systems using new transport encryption algorithms and new key hierarchy techniques. In contrast, conventional systems and methods for digital media stream security typically are implemented using a single, proprietary system that is expensive and difficult to change (e.g., upgrade, modify, transition, evolve, replace, etc.).
  • Referring to FIG. 1, a diagram illustrating a media stream system (i.e., processor, apparatus, circuit, transceiver, etc.) 100 of the present invention is shown. The system 100 may be implemented in connection with a digital media stream distribution system (described in more detail in connection with FIG. 2). The system 100 is generally implemented as a security processor (or processing system) that provides at least one security feature (e.g., encryption, decryption, authentication, security key management, copy protection, digital rights management, etc.) to at least one digital media input/output stream. The system 100 may be implemented as a security processor that may be configured to provide at least one of simultaneous multiple encryption and simultaneous multiple decryption processing of the digital media streams.
  • The system 100 generally comprises a security processor 102, a random access memory (RAM) 104, and a flash memory 106. The RAM 104 and the flash 106 are generally implemented as secure (i.e., intruder resistant) memories. In one example, the RAM 104 and the flash 106 may be implemented external to the processor 102. Such an implementation may provide easy physical access for changing the RAM 104 and the flash 106 in implementations where such a feature is desired.
  • The processor 102 may have an input 110 that may receive a stream (e.g., IN), an output 112 that may present (i.e., transmit, broadcast, send, etc.) a stream (e.g., OUT), an input/output 114 that may couple (i.e., connect, hook up, wire, interface, etc.) the processor 102 and the RAM 104, an input/output 116 and an input/output 118 that each may couple the processor 102 and a headend (described in connection with FIG. 2), and an input/output 120 that may couple the processor 102 and the flash 106.
  • The streams IN and OUT may be implemented as digital media streams that may be in an encrypted or in a clear (i.e., unencrypted or decrypted) state. The streams IN and OUT are each generally implemented as a digital media signal stream (e.g., an MPEG, MPEG-2, etc. stream or other transport stream). In one example, the stream OUT may be implemented as a decrypted (and decompressed) version of the stream IN. In another example, the stream OUT may be implemented as an encrypted (and compressed) version of the stream IN. In yet example, the streams OUT and IN may both may be implemented as a encrypted (and compressed) streams. However, the streams IN and OUT may be implemented having any appropriate format and protocol to meet the design criteria of a particular application. The input/output 116 may be configured to perform interfacing between the headend (e.g., headend 202 of FIG. 2) and the processor 102 that corresponds to (or is related to) firmware downloads that are authenticated. The input/output 118 may be configured to perform interfacing between the headend and the processor 102 that corresponds to (or is related to) configuration and key loading that is authenticated.
  • The security processor 102 generally comprises an engine 130 (described in more detail below), an automatic resource (or re-hosting) manager (ARM) processor (or controller) 132, transport stream encryption/decryption engine configuration logic 134, secure RAM 136, read only memory (ROM) 138, and at least one of a random number generator 150, a hardware multiplier 152, a dynamic feedback arrangement scrambling technique (DFAST) algorithm 154 (i.e., a RAM or ROM that contains the appropriate algorithm), and a hash generation algorithm 156 (e.g., a SHA-1, an MD5, and the like) algorithm (i.e., a RAM or ROM that contains the appropriate algorithm).
  • The engine 130 is generally implemented as a digital media stream encryption/decryption engine. The stream engine 130 may receive the stream IN and present the stream OUT. The engine 130 is generally coupled (i.e., connected, wired, hooked up, interfaced, etc.) to the controller 132 and the logic 134. The engine 130 generally comprises at least one digital media stream encryption/decryption engine 140 (e.g., engines 140 a-140 n). When multiple devices 140 are implemented, the engines 140 are generally configured to be coupled in parallel. The engines 140 are generally selectively parallel coupled by the controller 132 in response to a predetermined security configuration.
  • The ARM processor (or controller) 132 may be coupled to the logic 134, the RAM 136, the firmware 138, the generator 150, the multiplier 152, the DFAST algorithm 154, and a hash generation algorithm 156. The RAM 104 and the flash 106 are generally coupled to the ARM processor 132. The RAM 104 and the flash 106 may be implemented to provide secure, readily swappable upgrades to the system 100. The controller 132 generally controls the operation of the system 100 in response to at least one (one or more) algorithms (e.g., routines, methods, processes, steps, blocks, procedures, etc. of the predetermined security configuration) that may be stored (i.e., saved, held, etc.) in at least one of the RAM 104, the flash 106, the logic 134, the RAM 136, the ROM 138, the generator 150, the multiplier 152, the DFAST algorithm 154, and the hash 156, as well as internally in connection with the processor 132.
  • The ARM processor (or controller) 132 generally provides for secure downloads, RSA (named after the three inventors —Ron Rivest, Adi Shamir and Leonard Adleman) key management, multiple key management, digital signatures, and the like, and may include transport stream encryption/decryption logic. The devices (e.g., the logic 134, the RAM 136, the ROM 138, the generator 150, the multiplier 152, the algorithm 154, the hash 156, etc.) may be coupled in parallel. The controller 132 generally couples and controls the appropriate engine or engines 140 and the other devices (e.g., the logic 134, the RAM 136, the ROM 138, the generator 150, the multiplier 152, the algorithm 154, the hash 156, etc.) to meet the design criteria (i.e., the predetermined, desired security configuration) of a particular application.
  • The system 100 architecture may be defined in terms of a set of security elements (SEs, e.g., interconnection and interaction of the stream engines 140, the logic 134, the RAM 136, etc. as controlled via the processor 132) and descriptions of how the SEs are used (i.e., implemented, employed, utilized, etc.) to meet design criteria of particular applications. The system 100 may provide transport media stream security service for a range of security environments from the most basic in which the only service is a low-end digital video service, to a multi-play high end environment with digital video, digital recording, data, and multimedia services. The system 100 generally provides elements that may be configured in parallel (e.g., the engines 140, etc.), to encrypt a series of security streams (e.g., the stream IN when implemented in connection with a headend) that are sent out to the network (e.g., the stream OUT) and also (e.g., when implemented in connection with a STB or host device) be used to decrypt services (e.g., the stream IN) on a single end-user device for subscriber services (e.g., a clear, decrypted, viewable version of the stream OUT).
  • A so-called “hash” is generally a function (or process) that converts an input (e.g., the input stream, IN) from a large domain into an output in a smaller set (i.e., a hash value, e.g., the output stream, OUT). Various hash processes differ in the domain of the respective input streams and the set of the respective output streams and in how patterns and similarities of input streams generate the respective output streams.
  • Data Encryption Standard (DES) is a fixed-key-length security algorithm that employs 56-bit length keys. Any 56-bit number can be implemented as a DES key. The relatively short key length renders DES vulnerable to brute-force attack wherein all possible keys are tried one by one until the correct key is encountered (i.e., the key is “broken”).
  • In one example, the engine 140 a may be implemented as a DES/3-DES stream engine that operates via (i.e., through, using, etc.) a legacy system Cipher Block Chaining (CBC) mode. The legacy CASs use 56-bit DES in CBC mode for the MPEG-2 transport security. The legacy system also uses DFAST scrambling on the DES CBC initialization vector as well as certain DES keys. Triple DES (3-DES) (i.e., application of DES encryption three times using three different keys) is also used to protect certain structures and the key inside entitlements. The legacy CAS also sends an increment value in the Out Of Band (OOB) channel that is used mathematically with a content key to generate a final DES working key for encrypting or decrypting the MPEG stream packets. The working key is generally changed on a variable frequency as set (i.e., predetermined, selected, etc.) by the headend.
  • In one example, the engine 140 b may be implemented as a DES/3-DES stream engine that operates via an alternative legacy system Electronic Code Book (ECB) mode. The alternative legacy CAS uses a 56-bit DES in ECB mode for the MPEG-2 transport security. The alternative legacy CAS also uses triple DES encryption on the DES keys and to protect entitlements. The alternative legacy CAS also sends a value in the OOB channel that is used mathematically with the content key to generate a final DES working key for encrypting or decrypting the MPEG stream packets. The working key is generally changed on a variable frequency that is predetermined by the headend.
  • In one example, the engine 140 c may be implemented as an OpenCable (SCTE-41) Copy Protection mode stream engine that uses 56-bit DES in ECB) mode for the MPEG-2 transport security. The OpenCable (SCTE-41) Copy Protection also uses a variation of the CAS DFAST scrambling on the DES keys, which are calculated and sent across the CableCARD interface to the host device. The DES Copy Protection key that is used in connection with the OpenCable (SCTE-41) Copy Protection is generally changed on a variable period, and the variable period is generally predetermined by variables in the CableCARD.
  • In one example, an engine 140 (not shown) may be implemented as a CAS DES mode digital video stream security processing engine. The CAS DES mode may implement a standard (i.e., existing, currently implemented, etc.) algorithm for encryption such as DES ECB. The methods used to manage and verify the entitlements may be standardized such that multiple media service vendors are enabled to produce the corresponding system 100. The corresponding unit key for entitlement management messages (EMMs), category keys, content keys and a working key may be generated. Predetermined information (e.g., a random number, a system seed key, a vendor selected code, etc.) may be mathematically paired with the keys to provide protection for the overall security of the system 100 and the predetermined information may be standardized for the system 100.
  • In one example, the engine 140 d may be implemented as a unique and novel advanced encryption standard (AES) mode stream engine that uses the standard AES algorithm for transport decryption and encryption. The methods used to manage and verify the entitlements may be standardized so that multiple media service vendors are enabled to produce the corresponding system 100. Predetermined techniques (e.g., methods, routines, steps, processes, algorithms, etc.) may be implemented to generate the unit key for EMMs, category keys, content keys and a working key. Predetermined information (e.g., a vendor selected code) may be mathematically paired with the keys to provide protection for the overall security of the system 100 and the predetermined information may be standardized for the system 100.
  • In another example, an engine 140 (not shown) may be implemented as a Copy Protection/Digital Video Recorder (DVR) mode stream engine. The OpenCable (SCTE-41) Copy Protection system may be modified to support AES and the existing DES encryption algorithm for the DVR and Copy Protection security. The OpenCable (SCTE-41) Copy Protection uses a variation on the CAS DFAST scrambling on the DES keys, which are calculated and sent across the CableCARD interface to the respective host device. When AES is used as an alternative algorithm, the 128-bit key can be scrambled by the DFAST algorithm and sent from the CableCARD to the host device. AES is generally a much more secure algorithm to use for the storing of digital content in a digital video recording when compared to DES and therefore may be preferable for DVR applications.
  • In one example, the engine 140 e may be implemented as a Common Scrambling Algorithm (CSA) stream engine. The engine 140 e may be implemented using a DVB-CSA Standard Mode as implemented by vendors such as NDS and Nagravision. DVB-CSA CASs use a 40-bit CSA for the MPEG-2 transport security. DVB-CSA also uses triple DES encryption for the CSA keys. DVB-CSA CASs also use a value that is combined mathematically (e.g., via the multiplier 152) with the content key to generate a final CSA working key for encrypting or decrypting the MPEG stream packets. The working key is generally changed on a variable frequency that is predetermined by the headend.
  • In another yet example, an engine 140 (not shown) may be implemented as a unique and novel CAS CSA mode stream engine. The CAS CSA mode may use the standard CSA algorithm for transport encryption and decryption. The methods used to manage and verify the entitlements may be predetermined and standardized such that multiple vendors may produce and support the system 100. Predetermined techniques may be implemented to generate the unit key for EMMs, category keys, content keys and a respective working key. Predetermined information (e.g., user selected codes) may be mathematically paired with these keys to protect the overall security of the new CAS systems and the predetermined information may be standardized for the system 100.
  • In one example, the engine 140 n may be implemented as a Digital Rights Management (DRM) digital media stream engine. The present invention may provide a system and a method for a DRM stream and license file processing using at least one standard algorithm (e.g., DES, AES, CSA, etc.) for transport encryption and decryption. The methods used to manage and verify the entitlements in the rights licenses may be predetermined and standardized such that multiple vendors may produce and support the system 100. Predetermined techniques may be implemented to generate the unit key for the rights entitlements (i.e., license files). The implementations of category keys, content keys and the working key are not typically part of the standard DRM solution. Predetermined information (e.g., user selected codes) may be mathematically paired with the keys to provide protection for the overall security of the DRM solution of the present invention and the information may be standardized. The DRM solution implemented using the present invention may be configured to support various DRM security implementations including, but not limited to, Windows DRM and Real Networks DRM.
  • In one example, to improve performance, a number of features implemented via the security processor 100 may be implemented in hardware (e.g., the configuration logic 134). The respective hardware is generally re-configurable instead of software renewable. For instance, the extraction of the content key from the entitlement control message (ECM) and the modification performed on the content key may be implemented in hardware to provide improved performance (e.g., faster processor 100 operation, better reliability, etc.). The content key configuration is generally used for all of the transport decryption engines defined in the security system 100 to load the final working keys. When implemented in hardware, the configuration logic generally provides support to mathematically pair the content key with the modifier value, at a predetermined frequency using a predefined mathematical function. The mathematical functions that may be implemented in connection with the security system 100 (e.g., via the multiplier 152) generally include Boolean XOR, Simple Add, Multiply, and any other appropriate functions to meet the design criteria of a particular application.
  • The present invention may provide for securely upgrading all or part of the various software components of key management logic via renewable software (e.g., software that is implemented in connection with the RAM 104, the flash 106, RAM 136, the ROM 138, etc.). The present invention may process and validate unit keys via unit key logic. The unit key logic may be protected in the security architecture of the system 100 (e.g., secure RAM 104, secure flash 106, etc.). When a respective remote device (not shown) completes a logon process (described below), the unit key logic may be upgraded in a secure manner using a signed code image to protect the integrity of the upgrade.
  • The present invention may provide for securely processing and validating EMMs via EMM Logic. The EMM logic is generally protected in the security architecture of the system 100. When the remote device completes the logon process, the EMM logic may be upgraded in a secure manner using a signed code image to protect the integrity of the upgrade.
  • The present invention may provide for securely processing and validating category keys via category key logic. The category key logic is generally protected in the security architecture of the system 100. When the remote device completes the logon, the category key logic may be upgraded in a secure manner using a signed code image to protect the integrity of the upgrade.
  • The present invention may provide for securely processing and validating an entitlement control message (ECM) via ECM key logic. The ECM key logic is generally protected in the security architecture of the system 100. When the remote device completes the logon, the ECM key logic may be upgraded in a secure manner using a signed code image to protect the integrity of the upgrade.
  • The present invention may provide for securely processing and validating the working keys via working keys logic. The working keys logic is generally protected in the security architecture of the system 100. When the remote device completes the logon, The working keys logic may be upgraded in a secure manner using a signed code image to protect the integrity of the upgrade.
  • The system 100 generally supports at least one of highly secure and authenticated configuration, re-configuration, and renewability using role-based authentication. At least one of configuration, renewability, and re-configuration of the present invention is generally performed after a remote authentication occurs. A logon request is generally made from the headend to perform the configuration change via a cryptographic ignition key split (CIK). The CIK generally permits the headend to login to the system 100 in a supervisor role. When the login is completed, the re-configuration request is generally performed from the data sent in the corresponding message. When the login is completed successfully, software downloads may be performed to upgrade key logic or to modify hardware configurations of the transport decryption. When the configuration, renewal and re-configuration are complete, the headend may present a logoff request.
  • The present invention generally provides for authentication via a number of processes. For RSA key management and generation, the system 100 may generate a predetermined bit-width (in one example, up to 4096-bit, however, any appropriate bit-width may be implemented) RSA keys and securely storing the private key for use in digital signatures. The system 100 processor (e.g., the processor 132) may generate digital signatures securely without exposing the respective private key. The system 100 may verify digital signatures on signed messages and certificates received for authentication.
  • The present invention generally provides for generating SHA-1 hash values and for generating Message Digest 5 (MD5) hash values for use in digital signatures (e.g., via the hash generator 156). The present invention generally provides for generation of and verification of digital signatures (e.g., via the ARM processor 132). Public key signatures for the present invention may be generated and verified using the RSA signature algorithm described in FIPS-PUB 180-1, “Secure Hash Standard”.
  • The present invention generally provides for generation of and verification of standard and virtual public key infrastructure/information (PKI). The present invention generally provides support for a predetermined number (e.g., up to a 4 tier, greater than 4 tier, etc.) of standard PKI chain of X.509 certificates. The present invention generally provides support for the secure storage and usage of one RSA private key up to 4096-bits in size. However, any appropriate size may be implemented to meet the design criteria of a particular application.
  • Virtual PKI is a method in which certificates are not installed from a true external PKI chain. Data elements for the Validity Period, the CA certificate, the Distinguished Name and the related extensions may be sent to the system 100 at initialization time. The present invention generally processes the data elements to digitally sign certificates internally for use in later authentication purposes on a network.
  • Certificate validation generally includes validation of a linked chain of certificates from the end entity certificates to a valid Root. For example, the signature on the device certificate is verified with the Issuing CA Certificate and then the signature on the manufacturer CA certificate is verified with the Root CA certificate. The Root CA certificate is generally self-signed and the Root CA certificate is generally received from a trusted source in a secure way. The public key present in the Root CA Certificate is generally used to validate the signature on the Root CA certificate. The present invention generally provides for the support of the exact rules for certificate chain validation that generally fully comply with IETF RFC 3280, “Internet X.509 Public Key Infrastructure Certificate and CRL Profile”, and may be referred to as “Certificate Path Validation” rules.
  • The present invention generally provides for the generation of a predetermined number (e.g., in one example, an up to 384-bit, however any appropriate bit-size may be implemented) elliptic curve (EC, i.e., growth) keys and for securely storing the private key for use in digital signatures. The processor of the present invention (e.g., ARM processor 132) may generate EC-DSA digital signatures securely without exposing (i.e., revealing) the respective private key. The ARM processor 132 may verify EC-DSA digital signatures on signed messages and certificates received for authentication.
  • The present invention generally provides for strong (i.e., highly random, non-deterministic, etc.) random number generation (e.g., via the generator 150). In one example, the generator 150 may produce true-random seeds (e.g., seeds generated per RFC 1750 and FIPS 140-2). In another example, the present invention may, implement a per-device secret (e.g., a vendor selected code or random number generator) installed at manufacture time and used in the random number generation process.
  • The present invention generally provides for support of simultaneous multiple media transport streams decryption and encryption processing (i.e., multi-stream security). The transport encryption/decryption engines (e.g., the engines 140) generally support at least two or more simultaneous transport stream decryption and encryption processes, and each respective algorithm (e.g., DES, AES, CSA, etc.) depending on overall gate count of the system 100. The present invention may easily implement parallel devices (e.g., parallel coupled stream engines 140) and thus increase multiple transport stream encryption and decryption. Parallel devices (e.g., the logic 134, the RAM 136, the ROM 138, the generator 150, the multiplier 152, the algorithm 154, the hash 156, etc.) may also be used to implement multiple key management schemes for conditional access and for digital rights management.
  • The system 100 may be utilized in the headend of the media stream distribution system for transport stream encryption in highly parallel configurations. The present invention generally provides for the headend implementation in a more cost effective manner than conventional approaches.
  • In one example, the present invention generally provides for support of at least 2 streams of high definition (HD) transport decryption and encryption at a rate of approximately 19.4 megabits per second. However, the present invention may be configured to support any appropriate number of streams of transport decryption and encryption at any appropriate rate.
  • The present invention generally provides for support session based transport decryption and encryption in the development of video on demand (VOD) security. Similarly, the present invention generally provides for support of real-time session based VOD key management.
  • The present invention generally provides support for all related (or corresponding) manufacturing and operational considerations. The present invention may provide support for passage mode partial encryption and decryption in all of the transport encryption engines for all algorithms implemented via the apparatus 100.
  • Referring to FIG. 2, a diagram illustrating a media stream processing and distribution system 200 implemented in connection with the present invention is shown. The distribution system 200 generally comprises a headend 202, a network 204, at least one set top box (STB) 206 (generally a plurality of STBs 206 a-206 n), and at least one respective receiving device (i.e., receiver, transceiver, etc.) 208 (generally a plurality of devices 208 a-208 n). The distribution system 200 is generally implemented as a media service provider/subscriber system wherein the provider (or vendor) generally operates the headend 202 and the network 204, and also provides a subscriber (i.e., client, customer, service purchaser, user, etc.) with the STB 206. The STB 206 is generally located at the subscriber location (not shown, e.g., home, tavern, hotel room, business, etc.) and the receiving device 208 is generally provided by the client. The device 208 is generally implemented as a television, high definition television (HDTV), monitor, host viewing device, MP3 player, audio receiver, radio, personal computer, media player, digital video recorder, game playing device, etc. The device 208 may be implemented as a transceiver having interactive capability in connection with the STB 206, the headend 202, or both the STB 206 and the headend 202.
  • The headend 202 is generally electrically coupled to the network 204, the network 204 is generally electrically coupled to the STB 206, and each STB 206 is generally electrically coupled to the respective device 208. The electrical coupling may be implemented as any appropriate hard-wired (e.g., twisted pair, untwisted conductors, coaxial cable, fiber optic cable, hybrid fiber cable, etc.) or wireless (e.g., radio frequency, microwave, infrared, etc.) coupling and protocol (e.g., HomePlug, HomePNA, IEEE 802.11(a-b), Bluetooth, HomeRF, etc.) to meet the design criteria of a particular application. While the distribution system 200 is illustrated showing one STB 206 Coupled to a respective one device 208, each STB 206 may be implemented having the capability of coupling more than one device 208 (not shown).
  • The headend 202 generally comprises a plurality of devices 210 (e.g., devices 210 a-210 n) that are implemented as data servers, computers, processors, security encryption and decryption apparatuses or systems, and the like configured to provide video and audio data (e.g., movies, music, television programming, and the like), processing equipment (e.g., provider operated subscriber account processing servers), television service transceivers (e.g., transceivers for standard broadcast television and radio, digital television, HDTV, audio, MP3, text messaging, gaming, etc.), and the like. In one example, the headend 202 may generate and present (i.e., transmit, provide, pass, broadcast, send, etc.) the stream IN. At least one of the devices 210 (e.g., device 210 x), may be implemented as the security system 100 as described above in connection with FIG. 1. The device 210 that is implemented as a security system 100 may receive clear or encrypted video and audio data and present clear or encrypted (and compressed or uncompressed) video and audio data.
  • The network 204 is generally implemented as a media stream distribution network (e.g., cable, satellite, and the like) that is configured to selectively distribute (i.e., transmit and receive) media service provider streams (e.g., standard broadcast television and radio, digital television, HDTV, audio, MP3, text messaging, games, etc.) for example, as the stream IN to the STBs 206 and to the receivers 208, for example as the stream OUT. The stream IN is generally distributed based upon (or in response to) subscriber information. For example, the level of service the client has purchased (e.g., basic service, premium movie channels, etc.), the type of service the client has requested (e.g., standard TV, HDTV, interactive messaging, etc.), and the like may determine the media streams that are sent to (and received from) a particular subscriber.
  • The STB 206 is generally implemented as an STB having multiple stream capability (e.g., standard broadcast television and radio, digital television, audio, MP3, high definition digital television (HDTV), text messaging, etc.). The STB 106 generally comprises at least one respective security processor 212. The security processor 212 may be implemented as the security processor (or system) 100. The processor 212 may receive encrypted (and compressed) video and audio data (e.g., the stream IN) and present clear video and audio data (e.g., the stream OUT) to the receiver 208. In one example (not shown), the security processor (or system) 100 may be implemented in connection with the device 208. The device (e.g., transceiver) 208 may send an encrypted or a clear media stream to the headend 202 via the STB 206 and the network 204. As such, the system 100 of the present invention may be implemented in any of the headend 202, the STB 206, and the receiving device 208, alone or in combination.
  • Referring to FIG. 3, a diagram illustrating a media stream processing and distribution system 200′ implemented in connection with the present invention is shown. The distribution system 200′ generally comprises the headend 202, the network 204, and at least one of the receiving device (i.e., receiver, transceiver, etc.) 208 (generally a plurality of the devices 208 a-208 n). The receiving device 208 is generally coupled directly to the network 204 and receives the signal IN.
  • In yet another example (not shown), the system 200′ may be implemented having at least one STB 206 coupled to the network 204 and with at least one receiver 208 coupled thereto, as well as having at least one device 208 that is directly coupled to the network 204. The improved system and method of the present invention may ease the difficulty in introducing new conditional access systems into an MSO network due the legacy hardware and software already deployed. In contrast, the time and expense of performing a transition to a new conditional access system can be extremely prohibitive particularly if the transition must occur in a short time period when conventional approaches are used. The present invention may provide an MSO the ability to support legacy systems and make a transition to a new CAS or alternative proprietary CAS as desired, thereby facilitating a more smooth and cost effective transition that may be able to be amortized over a longer time period. The present invention may provide support for the parameters of retail distribution.
  • As is readily apparent from the foregoing description, then, the present invention generally provides an improved system and an improved method for a configurable, renewable, and re-configurable security system and method used to encrypt/decrypt media streams in a digital media stream distribution system (e.g., in a headend, in a STB, in host digital television devices, and the like). The present invention may provide support for encryption and decryption of legacy CASs, the DVB-CSA CAS proprietary systems, Digital Rights Management for media (e.g., video, audio, video plus audio, etc.), Video On Demand, and newly developed conditional access systems. The present invention may provide support for authentication of devices and generally provides novel concepts in renewability and hardware re-configuration for media conditional access systems. The present invention may provide for use of a highly secure role-based authentication to securely configure and renew the overall security system and key management techniques in a digital media stream processing environment.
  • While embodiments of the invention have been illustrated and described, it is not intended that these embodiments illustrate and describe all possible forms of the invention. Rather, the words used in the specification are words of description rather than limitation, and it is understood that various changes may be made without departing from the spirit and scope of the invention.

Claims (22)

1. A receiver, comprising:
a security processor configured to provide at least one of encryption and decryption processing of digital media streams, the security processor being operative to store downloaded software and to securely configure at least one of encryption and decryption based on the downloaded software,
wherein said receiver is configured to receive encrypted digital media streams and to present a decrypted version of the encrypted digital media.
2. The receiver of claim 1 wherein the encrypted digital media streams comprise at least one of a video stream, and audio stream, and a video plus audio stream.
3. The receiver of claim 1 wherein the security processor comprises a plurality of digital stream encryption/decryption engines that are selectively parallel coupled by a controller for simultaneous operation in response to a predetermined security configuration.
4. The receiver of claim 3 wherein the security configuration comprises at least one of Data Encryption Standard (DES), Triple DES (3-DES), Advanced Encryption Standard (AES), and Common Scrambling Algorithm (CSA).
5. The receiver of claim 3 wherein the security configuration comprises at least one of a secure download, RSA key management, multiple security key management, authentication, copy protection, and digital signatures.
6. The receiver of claim 3 wherein the security processor further comprises at least one of a memory containing a hash, engine encryption/decryption configuration logic, a random number generator, a multiplier, and a memory containing a dynamic feedback arrangement scrambling technique (DFAST) algorithm coupled in parallel to the controller and configured to provide multiple key management for at least one of conditional access and digital rights management.
7. The receiver of claim 3 wherein the security processor further comprises at least one of a swappable random access memory (RAM) and a swappable flash memory containing the predetermined security configuration.
8. The receiver of claim 3 wherein the security processor provides role-based authentication that is used by an authorized user for at least one of configuration, reconfiguration, and renewal.
9. The receiver of claim 1, wherein the receiver is at least one of a set top box (STB), and a receiver or transceiver for at least one of digital television, high definition digital television (HDTV), audio, MP3, text messaging, and game digital streams.
10. The receiver of claim 1, wherein the receiver is a set top box (STB) and the receiver is coupled to a second receiving device including the security processor, and wherein the second receiving device is configured to receive and decrypt the encrypted digital media streams using the security processor.
11. The receiver of claim 1, wherein the security processor is configured to provide at least one of simultaneous multiple encryption and simultaneous multiple decryption processing of the digital media streams.
12. A method of multi-stream security processing and distributing digital media streams, the method comprising:
generating encrypted digital media streams;
transmitting the encrypted digital media streams to a receiver via a distribution network; and
transmitting software to the receiver over the distribution network, wherein the software comprises instructions for the receiver to reconfigure a security processor to provide at least one of encryption and decryption processing of the digital media streams by the security processor.
13. The method of claim 12 wherein the media streams are at least one of a video stream, and audio stream, and a video plus audio stream.
14. The method of claim 12 wherein the security processor comprises a plurality of digital stream encryption/decryption engines that are selectively coupled by a controller for simultaneous operation in response to a predetermined security configuration.
15. The method of claim 14 wherein the security configuration comprises at least one of Data Encryption Standard (DES), Triple DES (3-DES), Advanced Encryption Standard (AES), and Common Scrambling Algorithm (CSA).
16. The method of claim 14 wherein the security configuration comprises at least one of a secure download, RSA key management, multiple security key management, authentication, copy protection, and digital signatures.
17. The method of claim 14 wherein the security processor further comprises at least one of a memory containing a hash, engine encryption/decryption configuration logic, a random number generator, a multiplier, and a memory containing a dynamic feedback arrangement scrambling technique (DFAST) algorithm coupled to the controller and configured to provide multiple key management for at least one of conditional access and digital rights management.
18. The method of claim 14 wherein the security processor further comprises at least one of a swappable random access memory (RAM) and a swappable flash memory containing the predetermined security configuration.
19. The method of claim 12 wherein the security processor provides role based authentication that is used by an authorized user for at least one of configuration, reconfiguration, and renewal.
20. The method of claim 12, wherein the security processor is configured to provide at least one of simultaneous multiple encryption and simultaneous multiple decryption processing of the digital media streams.
21. A headend device, comprising:
a processor; and
memory storing computer executable instructions that, when executed by the processor, configure the headend device to perform:
transmitting software to a receiver over a distribution network, wherein the software contains instructions that cause the receiver to reconfigure a security processor to provide at least one of encryption and decryption processing of digital media streams.
22. The headend device of claim 21 wherein the media streams are at least one of a video stream, and audio stream, and a video plus audio stream.
US12/575,053 2004-01-29 2009-10-07 System and Method for Security Processing Media Streams Abandoned US20100046752A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/575,053 US20100046752A1 (en) 2004-01-29 2009-10-07 System and Method for Security Processing Media Streams

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/767,980 US7620179B2 (en) 2004-01-29 2004-01-29 System and method for security processing media streams
US12/575,053 US20100046752A1 (en) 2004-01-29 2009-10-07 System and Method for Security Processing Media Streams

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US10/767,980 Continuation US7620179B2 (en) 2004-01-29 2004-01-29 System and method for security processing media streams

Publications (1)

Publication Number Publication Date
US20100046752A1 true US20100046752A1 (en) 2010-02-25

Family

ID=34807779

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/767,980 Active 2028-05-01 US7620179B2 (en) 2004-01-29 2004-01-29 System and method for security processing media streams
US12/575,053 Abandoned US20100046752A1 (en) 2004-01-29 2009-10-07 System and Method for Security Processing Media Streams

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US10/767,980 Active 2028-05-01 US7620179B2 (en) 2004-01-29 2004-01-29 System and method for security processing media streams

Country Status (6)

Country Link
US (2) US7620179B2 (en)
EP (1) EP1714486A4 (en)
JP (1) JP4861834B2 (en)
KR (1) KR20070027509A (en)
CA (1) CA2554682C (en)
WO (1) WO2005072225A2 (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100064144A1 (en) * 2008-09-10 2010-03-11 Atmel Corporation Data security
US20130074168A1 (en) * 2011-09-15 2013-03-21 Verizon Patent And Licensing Inc. Streaming video authentication
US8520018B1 (en) * 2013-01-12 2013-08-27 Hooked Digital Media Media distribution system
WO2012173680A3 (en) * 2011-06-14 2014-04-24 Sony Corporation Tv receiver device with multiple decryption modes
US9189067B2 (en) 2013-01-12 2015-11-17 Neal Joseph Edelstein Media distribution system
US10231033B1 (en) 2014-09-30 2019-03-12 Apple Inc. Synchronizing out-of-band content with a media stream
US10545569B2 (en) 2014-08-06 2020-01-28 Apple Inc. Low power mode
US10708391B1 (en) * 2014-09-30 2020-07-07 Apple Inc. Delivery of apps in a media stream
US10817307B1 (en) 2017-12-20 2020-10-27 Apple Inc. API behavior modification based on power source health
US11088567B2 (en) 2014-08-26 2021-08-10 Apple Inc. Brownout avoidance
US11363133B1 (en) 2017-12-20 2022-06-14 Apple Inc. Battery health-based power management

Families Citing this family (61)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6701528B1 (en) 2000-01-26 2004-03-02 Hughes Electronics Corporation Virtual video on demand using multiple encrypted video segments
US8140859B1 (en) 2000-07-21 2012-03-20 The Directv Group, Inc. Secure storage and replay of media programs using a hard-paired receiver and storage device
US7457414B1 (en) 2000-07-21 2008-11-25 The Directv Group, Inc. Super encrypted storage and retrieval of media programs with smartcard generated keys
US7912220B2 (en) * 2001-02-05 2011-03-22 Broadcom Corporation Packetization of non-MPEG stream data in systems using advanced multi-stream POD interface
US7409562B2 (en) * 2001-09-21 2008-08-05 The Directv Group, Inc. Method and apparatus for encrypting media programs for later purchase and viewing
US7797552B2 (en) 2001-09-21 2010-09-14 The Directv Group, Inc. Method and apparatus for controlling paired operation of a conditional access module and an integrated receiver and decoder
US7685434B2 (en) * 2004-03-02 2010-03-23 Advanced Micro Devices, Inc. Two parallel engines for high speed transmit IPsec processing
JP4724655B2 (en) * 2004-04-30 2011-07-13 富士通セミコンダクター株式会社 Security chip and information management method
US8312267B2 (en) 2004-07-20 2012-11-13 Time Warner Cable Inc. Technique for securely communicating programming content
US8266429B2 (en) 2004-07-20 2012-09-11 Time Warner Cable, Inc. Technique for securely communicating and storing programming material in a trusted domain
US7937593B2 (en) * 2004-08-06 2011-05-03 Broadcom Corporation Storage device content authentication
US20060031873A1 (en) * 2004-08-09 2006-02-09 Comcast Cable Holdings, Llc System and method for reduced hierarchy key management
US8099369B2 (en) * 2004-12-08 2012-01-17 Ngna, Llc Method and system for securing content in media systems
US7383438B2 (en) * 2004-12-18 2008-06-03 Comcast Cable Holdings, Llc System and method for secure conditional access download and reconfiguration
EP2395424B1 (en) * 2005-01-18 2013-07-31 Certicom Corp. Accelerated verification of digital signatures and public keys
US7933410B2 (en) * 2005-02-16 2011-04-26 Comcast Cable Holdings, Llc System and method for a variable key ladder
US20060200412A1 (en) * 2005-02-23 2006-09-07 Comcast Cable Holdings, Llc System and method for DRM regional and timezone key management
US9325944B2 (en) 2005-08-11 2016-04-26 The Directv Group, Inc. Secure delivery of program content via a removable storage medium
US20070239605A1 (en) * 2006-04-06 2007-10-11 Peter Munguia Supporting multiple key ladders using a common private key set
US8127130B2 (en) * 2006-04-18 2012-02-28 Advanced Communication Concepts, Inc. Method and system for securing data utilizing reconfigurable logic
US8275132B2 (en) * 2006-05-15 2012-09-25 Buchen Neil B System and method for dynamically allocating stream identifiers in a multi-encryption transport system
US8996421B2 (en) 2006-05-15 2015-03-31 The Directv Group, Inc. Methods and apparatus to conditionally authorize content delivery at broadcast headends in pay delivery systems
US8775319B2 (en) 2006-05-15 2014-07-08 The Directv Group, Inc. Secure content transfer systems and methods to operate the same
US7992175B2 (en) 2006-05-15 2011-08-02 The Directv Group, Inc. Methods and apparatus to provide content on demand in content broadcast systems
US8095466B2 (en) 2006-05-15 2012-01-10 The Directv Group, Inc. Methods and apparatus to conditionally authorize content delivery at content servers in pay delivery systems
US8001565B2 (en) 2006-05-15 2011-08-16 The Directv Group, Inc. Methods and apparatus to conditionally authorize content delivery at receivers in pay delivery systems
US9225761B2 (en) 2006-08-04 2015-12-29 The Directv Group, Inc. Distributed media-aggregation systems and methods to operate the same
US9178693B2 (en) 2006-08-04 2015-11-03 The Directv Group, Inc. Distributed media-protection systems and methods to operate the same
US8520850B2 (en) * 2006-10-20 2013-08-27 Time Warner Cable Enterprises Llc Downloadable security and protection methods and apparatus
US8732854B2 (en) 2006-11-01 2014-05-20 Time Warner Cable Enterprises Llc Methods and apparatus for premises content distribution
US8621540B2 (en) 2007-01-24 2013-12-31 Time Warner Cable Enterprises Llc Apparatus and methods for provisioning in a download-enabled system
KR101344124B1 (en) * 2007-05-09 2014-01-15 소니 주식회사 Interface adapter device and digital television receiver device
US20090060182A1 (en) * 2007-09-04 2009-03-05 Thomas Killian Apparatus and method for enhancing the protection of media content
US7934083B2 (en) * 2007-09-14 2011-04-26 Kevin Norman Taylor Configurable access kernel
US7961878B2 (en) 2007-10-15 2011-06-14 Adobe Systems Incorporated Imparting cryptographic information in network communications
US9247422B2 (en) * 2007-11-30 2016-01-26 Google Technology Holdings LLC Content communication over a wireless communication link
US9219603B2 (en) * 2008-01-09 2015-12-22 International Business Machines Corporation System and method for encryption key management in a mixed infrastructure stream processing framework
US20090238069A1 (en) * 2008-03-19 2009-09-24 Himax Technologies Limited Device and method for controlling program stream flow
US20110113457A1 (en) * 2008-04-25 2011-05-12 Synoro Media, Inc. Distributed platform of television broadcasting system structure based on internet protocol network
US9602864B2 (en) 2009-06-08 2017-03-21 Time Warner Cable Enterprises Llc Media bridge apparatus and methods
US9866609B2 (en) 2009-06-08 2018-01-09 Time Warner Cable Enterprises Llc Methods and apparatus for premises content distribution
US9906838B2 (en) 2010-07-12 2018-02-27 Time Warner Cable Enterprises Llc Apparatus and methods for content delivery and message exchange across multiple content delivery networks
CN102387407A (en) * 2010-08-31 2012-03-21 国基电子(上海)有限公司 System and method for realizing broadcasting network conditional access (CA)
FR2970134B1 (en) 2010-12-29 2013-01-11 Viaccess Sa METHOD FOR TRANSMITTING AND RECEIVING MULTIMEDIA CONTENT
FR2970099B1 (en) 2010-12-29 2013-01-11 Viaccess Sa METHOD FOR LOADING A CODE OF AT LEAST ONE SOFTWARE MODULE
US8649518B1 (en) * 2012-02-09 2014-02-11 Altera Corporation Implementing CSA cryptography in an integrated circuit device
US9565472B2 (en) 2012-12-10 2017-02-07 Time Warner Cable Enterprises Llc Apparatus and methods for content transfer protection
US20140282786A1 (en) 2013-03-12 2014-09-18 Time Warner Cable Enterprises Llc Methods and apparatus for providing and uploading content to personalized network storage
US9066153B2 (en) 2013-03-15 2015-06-23 Time Warner Cable Enterprises Llc Apparatus and methods for multicast delivery of content in a content delivery network
US10368255B2 (en) 2017-07-25 2019-07-30 Time Warner Cable Enterprises Llc Methods and apparatus for client-based dynamic control of connections to co-existing radio access networks
US9313568B2 (en) 2013-07-23 2016-04-12 Chicago Custom Acoustics, Inc. Custom earphone with dome in the canal
US9621940B2 (en) 2014-05-29 2017-04-11 Time Warner Cable Enterprises Llc Apparatus and methods for recording, accessing, and delivering packetized content
US11540148B2 (en) 2014-06-11 2022-12-27 Time Warner Cable Enterprises Llc Methods and apparatus for access point location
US9935833B2 (en) 2014-11-05 2018-04-03 Time Warner Cable Enterprises Llc Methods and apparatus for determining an optimized wireless interface installation configuration
US9986578B2 (en) 2015-12-04 2018-05-29 Time Warner Cable Enterprises Llc Apparatus and methods for selective data network access
US9918345B2 (en) 2016-01-20 2018-03-13 Time Warner Cable Enterprises Llc Apparatus and method for wireless network services in moving vehicles
US10492034B2 (en) 2016-03-07 2019-11-26 Time Warner Cable Enterprises Llc Apparatus and methods for dynamic open-access networks
US10164858B2 (en) 2016-06-15 2018-12-25 Time Warner Cable Enterprises Llc Apparatus and methods for monitoring and diagnosing a wireless network
US10645547B2 (en) 2017-06-02 2020-05-05 Charter Communications Operating, Llc Apparatus and methods for providing wireless service in a venue
US10638361B2 (en) 2017-06-06 2020-04-28 Charter Communications Operating, Llc Methods and apparatus for dynamic control of connections to co-existing radio access networks
US11025424B2 (en) * 2019-02-19 2021-06-01 Arris Enterprises Llc Entitlement management message epoch as an external trusted time source

Citations (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4860353A (en) * 1988-05-17 1989-08-22 General Instrument Corporation Dynamic feedback arrangement scrambling technique keystream generator
US5054067A (en) * 1990-02-21 1991-10-01 General Instrument Corporation Block-cipher cryptographic device based upon a pseudorandom nonlinear sequence generator
US5784095A (en) * 1995-07-14 1998-07-21 General Instrument Corporation Digital audio system with video output program guide
US5982363A (en) * 1997-10-24 1999-11-09 General Instrument Corporation Personal computer-based set-top converter for television services
US6016348A (en) * 1996-11-27 2000-01-18 Thomson Consumer Electronics, Inc. Decoding system and data format for processing and storing encrypted broadcast, cable or satellite video data
US20010046299A1 (en) * 1995-04-03 2001-11-29 Wasilewski Anthony J. Authorization of services in a conditional access system
US20020002674A1 (en) * 2000-06-29 2002-01-03 Tom Grimes Digital rights management
US6424717B1 (en) * 1995-04-03 2002-07-23 Scientific-Atlanta, Inc. Encryption devices for use in a conditional access system
US20020136406A1 (en) * 2001-03-20 2002-09-26 Jeremy Fitzhardinge System and method for efficiently storing and processing multimedia content
US20030123667A1 (en) * 2001-12-28 2003-07-03 Cable Television Laboratories, Inc. Method for encryption key generation
US20030195855A1 (en) * 2002-04-16 2003-10-16 Microsoft Corporation Digital rights management (DRM) encryption and data-protection for content on device without interactive authentication
US20030219127A1 (en) * 2002-05-24 2003-11-27 Russ Samuel H. Apparatus for entitling remote client devices
US20040057579A1 (en) * 2002-09-20 2004-03-25 Fahrny James W. Roaming hardware paired encryption key generation
US20040098591A1 (en) * 2002-11-15 2004-05-20 Fahrny James W. Secure hardware device authentication method
US6976163B1 (en) * 2000-07-12 2005-12-13 International Business Machines Corporation Methods, systems and computer program products for rule based firmware updates utilizing certificate extensions and certificates for use therein
US7069452B1 (en) * 2000-07-12 2006-06-27 International Business Machines Corporation Methods, systems and computer program products for secure firmware updates
US7165175B1 (en) * 2000-09-06 2007-01-16 Widevine Technologies, Inc. Apparatus, system and method for selectively encrypting different portions of data sent over a network
US7191332B1 (en) * 2003-05-20 2007-03-13 Sprint Communications Company L.P. Digital rights management for multicasting content distribution
US7350082B2 (en) * 2001-06-06 2008-03-25 Sony Corporation Upgrading of encryption
US7403619B2 (en) * 1999-12-22 2008-07-22 Smardtv Sa Interface module and decoder for host
US7607022B1 (en) * 1999-06-11 2009-10-20 General Instrument Corporation Configurable encryption/decryption for multiple services support

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6055314A (en) * 1996-03-22 2000-04-25 Microsoft Corporation System and method for secure purchase and delivery of video content programs
WO2001026372A1 (en) * 1999-10-06 2001-04-12 Thomson Licensing S.A. Method and system for handling two ca systems in a same receiver
EP1243130B1 (en) * 1999-11-19 2007-03-21 SmarDTV S.A. Digital television methods and apparatus
JP2002314969A (en) * 2001-04-10 2002-10-25 Matsushita Electric Ind Co Ltd Video data reproducer
MXPA04002726A (en) 2001-09-25 2005-10-05 Thomson Licensing Sa Ca system for broadcast dtv using multiple keys for different service providers and service areas.
WO2005029849A1 (en) * 2003-09-19 2005-03-31 Matsushita Electric Industrial Co., Ltd. Digital television receiver module and digital television receiver using the same

Patent Citations (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4860353A (en) * 1988-05-17 1989-08-22 General Instrument Corporation Dynamic feedback arrangement scrambling technique keystream generator
US5054067A (en) * 1990-02-21 1991-10-01 General Instrument Corporation Block-cipher cryptographic device based upon a pseudorandom nonlinear sequence generator
US20010046299A1 (en) * 1995-04-03 2001-11-29 Wasilewski Anthony J. Authorization of services in a conditional access system
US6424717B1 (en) * 1995-04-03 2002-07-23 Scientific-Atlanta, Inc. Encryption devices for use in a conditional access system
US5784095A (en) * 1995-07-14 1998-07-21 General Instrument Corporation Digital audio system with video output program guide
US6016348A (en) * 1996-11-27 2000-01-18 Thomson Consumer Electronics, Inc. Decoding system and data format for processing and storing encrypted broadcast, cable or satellite video data
US5982363A (en) * 1997-10-24 1999-11-09 General Instrument Corporation Personal computer-based set-top converter for television services
US6271837B1 (en) * 1997-10-24 2001-08-07 General Instrument Corporation Personal computer-based set-top converter for television services
US7607022B1 (en) * 1999-06-11 2009-10-20 General Instrument Corporation Configurable encryption/decryption for multiple services support
US7403619B2 (en) * 1999-12-22 2008-07-22 Smardtv Sa Interface module and decoder for host
US20020002674A1 (en) * 2000-06-29 2002-01-03 Tom Grimes Digital rights management
US6976163B1 (en) * 2000-07-12 2005-12-13 International Business Machines Corporation Methods, systems and computer program products for rule based firmware updates utilizing certificate extensions and certificates for use therein
US7069452B1 (en) * 2000-07-12 2006-06-27 International Business Machines Corporation Methods, systems and computer program products for secure firmware updates
US7165175B1 (en) * 2000-09-06 2007-01-16 Widevine Technologies, Inc. Apparatus, system and method for selectively encrypting different portions of data sent over a network
US20020136406A1 (en) * 2001-03-20 2002-09-26 Jeremy Fitzhardinge System and method for efficiently storing and processing multimedia content
US7350082B2 (en) * 2001-06-06 2008-03-25 Sony Corporation Upgrading of encryption
US20030123667A1 (en) * 2001-12-28 2003-07-03 Cable Television Laboratories, Inc. Method for encryption key generation
US20030195855A1 (en) * 2002-04-16 2003-10-16 Microsoft Corporation Digital rights management (DRM) encryption and data-protection for content on device without interactive authentication
US20030219127A1 (en) * 2002-05-24 2003-11-27 Russ Samuel H. Apparatus for entitling remote client devices
US20040057579A1 (en) * 2002-09-20 2004-03-25 Fahrny James W. Roaming hardware paired encryption key generation
US20040098591A1 (en) * 2002-11-15 2004-05-20 Fahrny James W. Secure hardware device authentication method
US7191332B1 (en) * 2003-05-20 2007-03-13 Sprint Communications Company L.P. Digital rights management for multicasting content distribution

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"CableLabs® Glossary" published 10/8/2003 as verified by the Internet Archive (65 pages) http://web.archive.org/web/20031008130925/http://www.cablelabs.com/news/glossary.html *
"OpenCable(TM) Multi-Stream CableCARD Interface Specification OC-SP-MC-IF-IO1-030905" ©2003 Cable Television Laboratories Inc. (138 pages) http://www.cablelabs.com/specifications/archives/OC-SP-MC-IF-I01-030905.pdf *
Darren Murph. "Ask Engadget HD: What is switched digital video (SDV)?" posted 7/2/08 (3 pages) http://www.engadget.com/2008/07/02/ask-engadget-hd-what-is-switched-digital-video-sdv/ *

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100064144A1 (en) * 2008-09-10 2010-03-11 Atmel Corporation Data security
US8782433B2 (en) * 2008-09-10 2014-07-15 Inside Secure Data security
WO2012173680A3 (en) * 2011-06-14 2014-04-24 Sony Corporation Tv receiver device with multiple decryption modes
CN104303511A (en) * 2011-06-14 2015-01-21 索尼公司 TV receiver device with multiple decryption modes
US20130074168A1 (en) * 2011-09-15 2013-03-21 Verizon Patent And Licensing Inc. Streaming video authentication
US9098678B2 (en) * 2011-09-15 2015-08-04 Verizon Patent And Licensing Inc. Streaming video authentication
US8520018B1 (en) * 2013-01-12 2013-08-27 Hooked Digital Media Media distribution system
US9189067B2 (en) 2013-01-12 2015-11-17 Neal Joseph Edelstein Media distribution system
US10983588B2 (en) 2014-08-06 2021-04-20 Apple Inc. Low power mode
US10545569B2 (en) 2014-08-06 2020-01-28 Apple Inc. Low power mode
US11088567B2 (en) 2014-08-26 2021-08-10 Apple Inc. Brownout avoidance
US10708391B1 (en) * 2014-09-30 2020-07-07 Apple Inc. Delivery of apps in a media stream
US10231033B1 (en) 2014-09-30 2019-03-12 Apple Inc. Synchronizing out-of-band content with a media stream
US11190856B2 (en) 2014-09-30 2021-11-30 Apple Inc. Synchronizing content and metadata
US11722753B2 (en) 2014-09-30 2023-08-08 Apple Inc. Synchronizing out-of-band content with a media stream
US10817307B1 (en) 2017-12-20 2020-10-27 Apple Inc. API behavior modification based on power source health
US11363133B1 (en) 2017-12-20 2022-06-14 Apple Inc. Battery health-based power management

Also Published As

Publication number Publication date
CA2554682C (en) 2014-07-08
EP1714486A2 (en) 2006-10-25
US7620179B2 (en) 2009-11-17
WO2005072225A3 (en) 2006-09-08
JP2007524301A (en) 2007-08-23
EP1714486A4 (en) 2007-09-05
US20050169468A1 (en) 2005-08-04
CA2554682A1 (en) 2005-08-11
WO2005072225A2 (en) 2005-08-11
JP4861834B2 (en) 2012-01-25
KR20070027509A (en) 2007-03-09

Similar Documents

Publication Publication Date Title
US7620179B2 (en) System and method for security processing media streams
US7383438B2 (en) System and method for secure conditional access download and reconfiguration
US20220021930A1 (en) Reduced Hierarchy Key Management System and Method
US7933410B2 (en) System and method for a variable key ladder
US10848806B2 (en) Technique for securely communicating programming content
KR100408225B1 (en) Improved conditional access and content security method
JP4358226B2 (en) Mechanism for remote control of client devices
US20030108199A1 (en) Encrypting received content
US8160248B2 (en) Authenticated mode control
WO2008139335A1 (en) Transferring digital data
KR100950596B1 (en) Broadcasting receiving apparatus based on downloadable conditional access system and method for reinforcing security thereof
Diehl et al. Protection in Broadcast

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION