WO1999019822A2 - System and method for discovering compromised security devices - Google Patents
- Publication number: WO1999019822A2 (PCT application PCT/US1998/019352)
- Authority: WO (WIPO, PCT)
- Prior art keywords: authorized, clients, security devices, illicitly, client
Classifications
- H04N7/17345: Television systems (H04N7/00); analogue secrecy systems, analogue subscription systems (H04N7/16) with two-way working, e.g. subscriber sending a programme selection signal (H04N7/173); control of the passage of the selected programme
- G06F21/109: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity (G06F21/00); protecting distributed programs or content, e.g. vending or licensing of copyrighted material, digital rights management [DRM] (G06F21/10), by using specially-adapted hardware at the client
- G06F21/16: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity (G06F21/00); protecting distributed programs or content, digital rights management [DRM] (G06F21/10); program or content traceability, e.g. by watermarking
- H04N21/26606: Selective content distribution, e.g. interactive television or video on demand [VOD] (H04N21/00); servers specifically adapted for the distribution of content, e.g. VOD servers (H04N21/20); management operations performed by the server, e.g. end-user or client device authentication (H04N21/25); channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system (H04N21/266); generating or managing entitlement messages, e.g. Entitlement Control Message [ECM] or Entitlement Management Message [EMM]
- H04N21/44236: Selective content distribution, e.g. interactive television or video on demand [VOD] (H04N21/00); client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB] (H04N21/40); processing of content or additional data, elementary client operations, client middleware (H04N21/43); monitoring of processes or resources, e.g. detecting the failure of a recording device (H04N21/442); monitoring of piracy processes or activities
- H04N7/1675: Television systems (H04N7/00); analogue secrecy systems, analogue subscription systems (H04N7/16); systems rendering the television signal unintelligible and subsequently intelligible (H04N7/167); providing digital key or authorisation information for generation or regeneration of the scrambling sequence
Definitions
- This invention relates to a data delivery system in which data is encrypted and served to multiple clients that are authorized to decrypt the data. More particularly, this invention relates to systems and methods for discovering authorized clients that have been compromised and are illicitly transferring decryption capabilities to unauthorized clients so that the unauthorized clients can decrypt the data.
- A slightly more difficult problem concerns the broadcast or multicast delivery of data over a unidirectional network from one source to many receivers.
- Well-known systems of this type include broadcast and cable television, radio, satellite entertainment, and network multicasting.
- One common technique used in cable and satellite television is to scramble the data prior to transmission.
- Authorized users are equipped with cable decoders or satellite descramblers to descramble the data after transmission.
- The descramblers are usually implemented as hardware devices having a decoding chip or software code for descrambling the data transmission. Unauthorized users who intercept the data transmission are prevented from decoding the data because they do not possess the descrambler.
- Cryptographic solutions can also be used to protect broadcast data delivery.
- The data is encrypted at the content provider prior to transmission and broadcast in the encrypted format.
- Authorized users are given keying materials before or during the broadcast for use in decrypting the data. Unauthorized users can eavesdrop on the data transmissions, but are unable to decrypt the data into meaningful information without access to the keying materials. As a result, the data transmissions are secure.
- The decoding capabilities are implemented in hardware- or software-based security devices located at the authorized users' residences. Due to this isolation, the security devices are susceptible to being compromised. Despite the best devised plans, protection schemes will inevitably be attacked by pirates who attempt to circumvent them for illegal gain. With sufficient time and resources, a pirate masquerading as an authorized user can patiently reverse engineer a descrambling code or deduce cryptographic keying material. Once the security device is compromised, the pirate can illicitly sell the decoding information to unauthorized users for illegal profit, allowing the unauthorized users to receive the data transmission.
- The inventors have developed a system and method which addresses the problem of pirate attacks.
- A data delivery system has a content server or other mechanism for delivering encoded content to multiple authorized clients.
- The content is encrypted using cryptographic keying material, although other encoding protocols may be used.
- The authorized clients are equipped with security devices having decoding capabilities, such as decryption keying materials, to decode the content. Unauthorized clients are prevented from decoding the content because they are not supplied with the decoding capabilities.
- A traitor detection system is provided to discover the identity of an authorized client that has been compromised and is illicitly transferring decoding capabilities to unauthorized clients.
- The traitor detection system generates different decoding capabilities and creates an association file which relates the decoding capabilities to different authorized clients.
- The decoding capabilities are traced to determine which of them is illicitly transferred to an illegitimate user.
- The traitor detection system consults the association file to identify one or more of the authorized clients that were supplied with the illicitly transferred decoding capabilities as the possible source of the illicit transfer. The process is repeated for the identified clients with a new set of decoding capabilities to successively narrow the field of possible pirating clients, until the compromised security device is identified.
- The number of decoding capabilities for each detection cycle can be varied from two at the low end to one per client at the high end. With two per cycle, the population of suspect clients is halved each cycle, so detection takes a number of cycles equal to the base-two logarithm of the number of clients (rounded up). This approach requires more detection cycles to identify the compromised security device, but involves less generation and distribution of decoding capabilities for each cycle. At one per client, the compromised security device can be found in one detection cycle, but at the cost that the amount of decoding capabilities sent along with the data transmission is quite large.
- In another method, the data transmission is segmented into M blocks. For each transmission block, the traitor detection system supplies N different keys to N groups of authorized security devices. The keys enable the security devices to receive that block of the data transmission.
- Fig. 1 is a diagrammatic illustration of a data delivery system for sending data over a network to multiple authorized clients according to one implementation.
- Fig. 1 also shows an illicit transfer of decoding capabilities from an authorized client to an unauthorized client.
- Fig. 2 is a block diagram of a server computing unit.
- Fig. 3 is a block diagram of an authorized client computing unit.
- Fig. 4 is a block diagram of a cryptographic unit resident at the client.
- Fig. 5 is a flow diagram showing steps in one method for discovering an identity of an authorized client that is illicitly transferring authorization keys to unauthorized clients.
- Fig. 6 is a flow diagram showing steps in another method for discovering an identity of a compromised client.
- Fig. 7 is a diagrammatic illustration of a data transmission delivered according to the Fig. 6 method.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
- This invention concerns techniques for discovering an identity of authorized clients that have been compromised and are illicitly transferring decoding capabilities to unauthorized clients.
- The decoding capabilities are described in terms of a preferred implementation that uses cryptographic technologies with keying materials for encryption and decryption of data.
- The following discussion assumes that the reader is familiar with cryptography.
- For background, the reader is directed to the text by Bruce Schneier entitled "Applied Cryptography: Protocols, Algorithms, and Source Code in C," published by John Wiley & Sons, copyright 1994 (second edition 1996), which is hereby incorporated by reference.
- The invention is described in the context of an exemplary system architecture for delivery of content to broadcast-enabled personal computers (PCs).
- In this architecture, data can be served from multiple servers concurrently over a data network, such as the Internet, to a broadcast station where it is transmitted over a broadcast network to the broadcast-enabled PCs.
- The invention may also be implemented in other system architectures.
- For example, the invention can be implemented in the context of a conventional cable or RF television distribution architecture in which content is broadcast from a station to multiple televisions.
- As another example, the invention can be implemented in a conventional network architecture in which content is sent from a server to multiple clients using, for example, a multicast protocol.
- Fig. 1 shows an exemplary data delivery system 20 in which content is delivered from multiple content servers 22(1), 22(2), ..., 22(K) to multiple clients 24(1), 24(2), 24(3), ..., 24(M).
- The content servers 22(1)-22(K) are connected to a broadcast center 26 via a bi-directional data network 28 which enables two-way communication between the content servers 22(1)-22(K) and the broadcast center 26.
- The content servers serve content in the form of audio, video, animation, bit maps or other graphics, applications or other executable code, text, hypermedia, or other types of data.
- The bi-directional data network 28 represents various types of networks, including the Internet, a LAN (local area network), a WAN (wide area network), and the like.
- The data network 28 can be implemented in a number of ways, including wire-based technologies (e.g., fiber optic, cable, wire, etc.) and wireless technologies configured for two-way communication (e.g., satellite, RF, etc.).
- The data network 28 can further be implemented using various available switching technologies (e.g., ATM (Asynchronous Transfer Mode), Ethernet, etc.) and different data communication protocols (e.g., TCP/IP, IPX, etc.).
- The broadcast center 26 receives the data served from the content servers 22(1)-22(K) over the network 28 and broadcasts the data over a broadcast network 30 to the clients 24(1)-24(M).
- The broadcast network 30 can be implemented in a variety of ways, including satellite, radio, microwave, cable, and the like.
- The broadcast center 26 includes a router 32, a signal generator 34, and a broadcast transmitter 36.
- The router 32 is coupled to the bi-directional data network 28 to receive the data served over the network 28 from the content servers 22(1)-22(K).
- The router 32 is the final node of the data network 28: data communication is bidirectional up to that point and unidirectional past it.
- The router 32 is preferably configured as a bridge-router between the traditional data network 28 and the broadcast network 30.
- A bridge-router is capable of supporting video and audio broadcast transmission.
- The router 32 converts the data from a network packet format to a format appropriate for broadcast transmission.
- The signal generator 34 generates a broadcast signal with the data embedded thereon to carry the data over the broadcast network 30.
- The broadcast signal is passed to the transmitter 36 where it is broadcast over the broadcast network 30 to the clients 24(1)-24(M).
- Although the broadcast network 30 is unidirectional, the clients might still be able to communicate with the broadcast center 26 or content servers 22(1)-22(K) using a different back channel, such as a connection to the data network 28, but this aspect is not shown in the drawings.
- The data is encrypted at the content servers 22(1)-22(K) prior to transmission to ensure secure delivery over the data network 28 and broadcast network 30.
- Alternatively, the data can be encrypted at the broadcast center 26 prior to broadcast transmission.
- Authorized clients 24(1)-24(M) are provided with decryption capabilities, represented by a key 38, to decrypt the data.
- The decryption capabilities are described below in more detail with reference to Fig. 3.
- The clients 24(1)-24(M) can be implemented in a number of ways, including desktop computers, laptop computers, televisions with set-top boxes, and computer enhanced television units.
- In the described implementation, the clients are broadcast-enabled PCs, which are described below in more detail with reference to Fig. 3.
- An unauthorized client 39 is also shown in Fig. 1.
- The unauthorized client 39 can be similar to an authorized client in every respect, except that the unauthorized client is not legitimately equipped with the decryption capabilities. Instead, the unauthorized client 39 obtains the decryption capabilities through illegal transfer from one of the authorized clients 24(1)-24(M).
- Fig. 2 shows an exemplary implementation of a content server 22(1) that is configured to both serve the content in an encrypted format and to supply the keying material.
- The content server 22(1) generates the keying materials used to encrypt the content and transmits the keying materials ahead of the content to the authorized clients 24(1)-24(M).
- Alternatively, different servers might be employed to separate the functions of key generation and management from content serving.
- The keying materials might also be supplied in other ways besides transmission over the networks. For instance, authorization keys which permit access to the data transmission stream might be supplied routinely (e.g., once a week) on a disk to the authorized users.
- The content server 22(1) includes a server computer 40 having a processor 42 (e.g., Pentium® Pro microprocessor from Intel Corporation), volatile memory 44 (e.g., RAM), and program memory 46 (e.g., ROM, flash, disk drive, floppy disk drive, CD-ROM, etc.).
- The computer 40 is configured, for example, as a personal computer or workstation running a multitasking, disk-based operating system, such as Windows® NT from Microsoft Corporation.
- The server computer 40 is connected to the data network 28 via a network connection 48.
- The content server 22(1) has multiple storage disks 50 which are implemented as a disk array to store various forms of content.
- The content server 22(1) is shown configured as a continuous media file server which serves video and audio data files from a disk array of storage disks 50. However, the content server 22(1) may also be configured to serve other forms of data.
- The server 22(1) is illustrated with two software programs: a key generator 52 and a key/client associator 54. Each program is stored in program memory 46, loaded into volatile memory 44 when launched, and executed on the processor 42.
- The key generator 52 produces cryptographic keys that are used to encrypt the data served by the server 22(1) and to decrypt the data when it reaches the clients. More particularly, the key generator 52 creates two tiers of random symmetric keys. The keys in the first tier are called "session keys" and are used to encrypt the data being served. The session keys are given out just before the data transmission. The keys in the second tier are referred to as "authorization keys" and are used to encrypt the session keys. The authorization keys are distributed to authorized clients well ahead of the data transmission.
- In a "symmetric" key algorithm, the encryption key can be calculated from the decryption key, and vice versa. In many cases, the encryption key and the decryption key are the same. The symmetric key must be known to both the sender and receiver, but otherwise kept secret. Once the symmetric key is divulged, any party can encrypt or decrypt messages. Examples of suitable symmetric ciphers include DES (Data Encryption Standard).
- The data is encrypted by a symmetric encryption algorithm "E" using the session key "Ksession".
- The session key "Ksession" is then encrypted by the symmetric encryption algorithm "E" using the authorization key "Kauthorization".
- The authorization keys are preferably distributed to the authorized clients 24 in encrypted format using the authorized clients' public keys of asymmetric key pairs.
- An "asymmetric" key algorithm involves two separate keys, a public key and a private key. The keys are based upon a mathematical relationship in which one key cannot be calculated (at least in any reasonable amount of time) from the other key. The public key is distributed to other parties and the private key is maintained in confidence by the holder. The asymmetric public and private keys ensure two results. First, only the holder of the private key can decrypt a message that is encrypted with the corresponding public key. Second, if another party decrypts a message using the public key, that party can be assured that the message was encrypted with the private key and thus originated with someone in possession of the private key (presumably its holder).
- An example asymmetric cipher is the well-known RSA cryptographic algorithm, named for its creators Rivest, Shamir, and Adleman.
- The server encrypts the authorization key with an asymmetric encryption algorithm "E" using the public key "Kpub_24(1)" of the authorized client 24(1).
- FIG. 3 shows an exemplary configuration of an authorized client 24(1) implemented as a broadcast-enabled computer. It includes a central processing unit 60 having a processor 62 (e.g., x86 or Pentium® microprocessor from Intel Corporation), volatile memory 64 (e.g., RAM), and program memory 66 (e.g., ROM, Flash, disk drive, floppy disk drive, CD-ROM, etc.).
- The client 24(1) has one or more input devices 68 (e.g., keyboard, mouse, etc.), a computer display 70 (e.g., VGA, SVGA), and a stereo I/O 72 for interfacing with a stereo system.
- The client 24(1) includes a digital broadcast receiver 74 (e.g., satellite dish receiver, RF receiver, microwave receiver, multicast listener, etc.) and a tuner 76 which tunes to appropriate frequencies or addresses of the broadcast network 30 (Fig. 1).
- The tuner 76 is configured to receive digital broadcast data in a particular format, such as MPEG-encoded digital video and audio data, as well as digital data in many different forms, including software programs and programming information in the form of data files.
- The client 24(1) also has a modem 78 which provides dial-up access to the data network 28 to provide a back channel or direct link to the content servers 22. In other implementations of a back channel, the modem 78 might be replaced by a network card, an RF receiver, or another type of port/receiver which provides access to the back channel.
- The client 24(1) runs an operating system which supports multiple applications.
- The operating system is preferably a multitasking operating system which allows simultaneous execution of multiple applications.
- The operating system employs a graphical user interface windowing environment which presents the applications or documents in specially delineated areas of the display screen called "windows."
- One preferred operating system is a Windows® brand operating system sold by Microsoft Corporation, such as Windows® 95 or Windows® NT or other derivative versions of Windows®. It is noted, however, that other operating systems which provide windowing environments may be employed, such as the Macintosh operating system from Apple Computer, Inc. and the OS/2 operating system from IBM.
- The client 24(1) is illustrated with a key listener 80 to receive the authorization and session keys transmitted from the server.
- The keys received by the listener 80 are used by the cryptographic security services implemented at the client to enable decryption of the session keys and data.
- Cryptographic services are implemented through a combination of hardware and software.
- A secure, tamper-resistant hardware unit 82 is provided external to the CPU 60, and two software layers 84, 86 executing on the processor 62 facilitate access to the resources of the cryptographic hardware 82.
- The software layers include a cryptographic application program interface (CAPI) 84 which provides functionality to any application seeking cryptographic services (e.g., encryption, decryption, signing, or verification).
- One or more cryptographic service providers (CSPs) 86 implement the functionality presented by the CAPI to the application.
- The CAPI layer 84 selects the appropriate CSP for performing the requested cryptographic function.
- The CSPs 86 perform various cryptographic functions such as encryption key management, encryption/decryption services, hashing routines, digital signing, and authentication tasks in conjunction with the cryptographic unit 82.
- A different CSP might be configured to handle each specific function, such as encryption, decryption, signing, etc., although a single CSP can be implemented to handle them all.
- The CSPs 86 can be implemented as dynamic-link libraries (DLLs) that are loaded on demand by the CAPI and can then be called by an application through the CAPI 84.
- Fig. 4 shows the cryptographic unit 82 in more detail. It includes a logic unit 90, a secure non-volatile memory 92, and an interface 94 to the client. These components are constructed with tamper-resistant integrated circuit chips that are hardened against external scanning and are built using semiconductor processes that make them difficult to reverse engineer through layer-by-layer dissection.
- The interface 94 is preferably a high speed interface, such as a PCI bus connection. Other high speed connections include VLB and IEEE 1394 serial connections. The connection between the cryptographic unit 82 and the client CPU 60 does not need to be secure, because key material crosses it only in encrypted form.
- Internal to the cryptographic hardware 82 is a public/private key pair which is randomly generated during manufacturing.
- A private key 96 is confidentially maintained within the device and never exposed, while a public key 98 can be exported to the client.
- Each client security device has its own public/private key pair, which can be used as a means of identifying the client for purposes of distributing authorization keys.
- The public/private key pair is shown stored in memory 92, although the private key may be hardcoded into the unit.
- The public key is signed by the manufacturer to produce a signature 100 which can be exported for purposes of authenticating the hardware unit. Both the public key 98 and the manufacturer signature 100 can be passed to the client CPU 60.
- The cryptographic unit 82 has an asymmetric key cryptographic cipher 102 which provides cryptographic functions involving the public/private key pair, such as decryption of an authorization key 104 for a data transmission.
- The asymmetric cipher 102 is implemented in hardware as part of the logic unit 90.
- A suitable asymmetric cipher is the RSA algorithm.
- The cryptographic unit 82 also has a high speed symmetric key cryptographic cipher 106 implemented in the logic unit 90.
- The symmetric cipher 106 is used to decrypt session keys 108 and the data itself. Symmetric ciphers offer suitable real-time speed for bulk decryption of data, whereas asymmetric ciphers are too slow for general bulk decryption.
- A suitable symmetric cipher is Triple-DES in Cipher-Block-Chaining (CBC) mode, although other ciphers are acceptable (e.g., IDEA, RC4, etc.).
- Upon receipt of an encrypted authorization key, the key listener 80 invokes the CAPI 84 and CSP 86 to perform the decryption of the authorization key.
- The authorization key is passed in its encrypted format from the CSP 86 through to the cryptographic unit 82.
- The asymmetric cipher 102 uses the confidential private key 96 (i.e., "Kpri_24(1)") to decrypt the authorization key according to a decryption function "D".
- The authorization key 104 is stored in secure memory 92 and subsequently used to decrypt the session key for the data transmission.
- The client CPU 60 cannot read or access the authorization key 104; rather, the authorization key is maintained in confidence within the tamper-resistant hardware unit 82.
- Upon receipt of the encrypted session key, the symmetric cipher 106 is invoked to decrypt the session key.
- The symmetric cipher 106 uses the authorization key 104 to decrypt the session key.
- The session key 108 is likewise stored in secure memory 92. As the client receives the encrypted data, the data is passed directly to the cryptographic unit 82 in encrypted format, and the symmetric cipher 106 uses the session key 108 to decrypt it.
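- The following is an added example (not the patent's or any vendor's code) that walks the two-tier key hierarchy described above end to end in Python: the server's key generator and key/client associator issue an authorization key wrapped under each client's public key, then broadcast content under a fresh session key with that session key encrypted under each entitled authorization key; a client-side unit models the tamper-resistant hardware 82, inside which the private key, authorization key and session key stay. Names such as CryptoUnit, ContentServer and demo are this example's own. Two stand-ins are labelled in the code: stream_xor is a toy keystream cipher (HMAC-SHA256 in counter mode, with no integrity protection) used where the page names Triple-DES CBC, and ToyRSA is unpadded textbook RSA on fixed Mersenne primes, so the per-client wrap is shown structurally rather than securely.

```python
"""Two-tier key hierarchy (session key under authorization key, authorization
key wrapped per client under its public key). Added example, not the patent's
code. Labelled stand-ins: stream_xor is a toy HMAC-SHA256 counter-mode cipher
(no integrity); ToyRSA is unpadded textbook RSA on fixed Mersenne primes."""
import hashlib
import hmac
import secrets

KEY_LEN = 16  # 128-bit keys; fits under every toy modulus used in demo()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with an HMAC-SHA256(key, counter) keystream;
    encryption and decryption are the same operation."""
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        block = hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[ctr * 32:(ctr + 1) * 32], block))
    return bytes(out)


class ToyRSA:
    """Textbook RSA on caller-supplied primes (instant keygen, NOT secure)."""
    E = 65537

    def __init__(self, p: int, q: int):
        self.n, self.d = p * q, pow(self.E, -1, (p - 1) * (q - 1))

    @staticmethod
    def wrap(pub, key: bytes) -> int:       # E under the client's Kpub
        e, n = pub
        m = int.from_bytes(key, "big")
        assert m < n, "key must be smaller than the modulus"
        return pow(m, e, n)

    def unwrap(self, c: int) -> bytes:      # D under the unit's Kpri
        return pow(c, self.d, self.n).to_bytes(KEY_LEN, "big")


class CryptoUnit:
    """Models tamper-resistant unit 82: private key, authorization key and
    session key never leave it; the host passes ciphertext in, content out."""

    def __init__(self, p: int, q: int):
        self._rsa = ToyRSA(p, q)          # key pair fixed "at manufacture"
        self._auth_key = self._session_key = None

    def public_key(self):
        return self._rsa.E, self._rsa.n   # exportable; the private key is not

    def load_authorization_key(self, wrapped: int) -> None:
        self._auth_key = self._rsa.unwrap(wrapped)

    def load_session_key(self, enc_session_key: bytes) -> None:
        if self._auth_key is None:
            raise PermissionError("no authorization key held")
        self._session_key = stream_xor(self._auth_key, enc_session_key)

    def decrypt(self, ciphertext: bytes) -> bytes:
        if self._session_key is None:
            raise PermissionError("no session key held")
        return stream_xor(self._session_key, ciphertext)


class ContentServer:
    """Key generator 52 plus key/client associator 54 (association table 56)."""

    def __init__(self):
        self.auth_keys = {}   # key id -> authorization key
        self.table = {}       # client id -> key id: the association table

    def issue_authorization_key(self, key_id: str, clients: dict) -> dict:
        """One authorization key shared by every client in `clients` (client
        id -> public key), returned wrapped per client; sent ahead of content."""
        k = self.auth_keys.setdefault(key_id, secrets.token_bytes(KEY_LEN))
        self.table.update({cid: key_id for cid in clients})
        return {cid: ToyRSA.wrap(pub, k) for cid, pub in clients.items()}

    def transmit(self, content: bytes, entitled_key_ids) -> tuple:
        """Fresh session key; content under it; session key under each entitled
        authorization key. Holders of other authorization keys are held out."""
        session_key = secrets.token_bytes(KEY_LEN)
        enc_session = {kid: stream_xor(self.auth_keys[kid], session_key)
                       for kid in entitled_key_ids}
        return enc_session, stream_xor(session_key, content)


def demo() -> dict:
    """Who recovers the content: an entitled subscriber, a client holding a
    different authorization key, and an unauthorized client with no key."""
    M127, M89, M107, M61 = 2**127 - 1, 2**89 - 1, 2**107 - 1, 2**61 - 1
    subscriber, other = CryptoUnit(M127, M89), CryptoUnit(M107, M61)
    intruder = CryptoUnit(M127, M61)   # unauthorized client 39: never issued a key
    server = ContentServer()
    w1 = server.issue_authorization_key("week-1", {"24(1)": subscriber.public_key()})
    w2 = server.issue_authorization_key("week-2", {"24(2)": other.public_key()})
    subscriber.load_authorization_key(w1["24(1)"])
    other.load_authorization_key(w2["24(2)"])
    content = b"constructed sample broadcast payload"   # constructed input
    enc_session, ciphertext = server.transmit(content, ["week-1"])
    result = {}
    subscriber.load_session_key(enc_session["week-1"])
    result["authorized"] = subscriber.decrypt(ciphertext) == content
    other.load_session_key(enc_session["week-1"])   # has a key, but not week-1
    result["wrong_auth_key"] = other.decrypt(ciphertext) == content
    try:
        intruder.load_session_key(enc_session["week-1"])
        result["unauthorized"] = intruder.decrypt(ciphertext) == content
    except PermissionError:
        result["unauthorized"] = False
    return result
```

demo() returns which of three receivers recovers the constructed sample content: the entitled subscriber does; a client that holds a valid authorization key for a different entitlement (the held-out subscription case described below) does not; and an unauthorized client that was never issued an authorization key cannot even load the session key. Wrapping the authorization key under the unit's public key is what ties an entitlement to one physical device, which is also what lets the detection methods attribute a leaked key to the device(s) it was issued to.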
- With this two-tier scheme, any server can generate keys for any client without intervention by a central authority. Because each server 22(1)-22(K) is independent and generates its own symmetric keys, the compromise of one server's keys does not jeopardize any other server.
- By using authorization keys to distribute session keys, the server has tremendous flexibility to assign which session keys a client can receive. In the case of subscription services, for example, the content server can establish a set of transmissions that the client is authorized to receive, while holding out other transmissions that the client is not authorized to receive.
- The data delivery system 20 can be configured to provide one authorization key for each data transmission (e.g., one key per television show or movie), one authorization key for several transmissions (e.g., one key for four movies), or one authorization key for a period of time (e.g., one key per day or week). Since the private key, authorization key, and session key are kept confidential in the cryptographic unit 82 and the decryption is performed in the unit, the client CPU 60 is unable to obtain the keys and share them with others.
- Nevertheless, the cryptographic units may be compromised in a manner that permits the pirating user to transfer the authorization keys to unauthorized clients, such as client 39 in Fig. 1.
- The system operators often learn of such illegal activity. For instance, undercover law enforcement agencies or private investigators might covertly purchase authorization keys on a black market or from a broker of stolen goods. The existence of pirated keys reveals that a client has been compromised; but this knowledge does not, unfortunately, lead to identification of the specific client, because many authorized clients receive the same authorization keys.
- Fig. 5 shows exemplary steps in a method for discovering an identity of an authorized client that is known to be compromised as illicitly transferring authorization keys to unauthorized clients.
- the steps are implemented in hardware and software resident at either the content server, the authorized clients, or the unauthorized clients, as identified in the figure. The steps are described with reference to Figs. 1-4.
- the key generator 52 in server 22(1) generates one or more session keys and multiple authorization keys for a single data transmission (step 120 in Fig. 5).
- the key/client associator 54 relates the different authorization keys to different authorized clients (step 122).
- the key/client associator 54 constructs a key/client association table 56 which inherently associates, through its data structure, the authorization keys and the clients.
- the table 56 can be organized with a key data field to hold the authorization keys and a client data field to hold information identifying the client, such as a client ID or the client's public key.
- the content server 22(1) generates two authorization keys, assigning the first authorization key to one half of the clients and the second authorization key to the other half of the clients.
- the content server can generate one authorization key for every client, to provide a one-to-one correspondence between the keys and clients.
- the authorization keys are distributed to the clients well ahead of any data transmission.
- the authorization keys are preferably encrypted using the public keys of the associated clients, although they may be delivered on a storage medium or the like directly to the appropriate authorized clients.
- the server encrypts the data with the one or more session keys (step 126) and then encrypts the session keys with the authorization keys (step 128).
- the encrypted session keys are transmitted over the networks to the authorized clients 24(1)-24(M) just before the data transmissions.
- the cryptographic unit 82 uses the authorization key it was assigned to decrypt the one or more session keys (step 132 in Fig. 5). The cryptographic unit 82 then uses the session keys to decrypt the data (step 134).
- the server operator can trace the authorization key to the client(s) that were assigned the authorization key (step 140 in Fig. 5).
- the server cross-references the discovered authorization key via the key/client association file to identify the authorized client(s) that received the authorization key.
- the process either narrows the population of suspect clients, or precisely identifies the traitor client (step 142 in Fig. 5). For example, if the clients are split into two groups, each with a different authorization key, the process will halve the population of possible traitors with each cycle. For precise identification, the process requires a number of iterations equal to the logarithm, base two, of the number of clients in the population (rounded up when the population is not a power of two).
- the key/client associator 54 associates the N authorization keys with N separate groups of clients (step 156 in Fig. 6).
- the first set of N authorization keys are distributed to the respective groups of clients (step 158 in Fig. 6).
- the server also delivers the first block of the data transmission (step 160).
- the clients use the authorization keys to decrypt the session keys for the first block of the data transmission to enable the client to receive and decrypt the first block of data.
- the first N authorization keys cannot be used, however, to decrypt session keys belonging to subsequent blocks in the data transmission.
- the server operator learns that one of the N keys has been illicitly transferred from an authorized client to one or more unauthorized clients (step 162 in Fig. 6).
- the server analyzes which one of the N groups of authorized clients was sent the suspect key.
- the identified group includes the compromised client, while the rest of the N groups of clients are eliminated.
- the process is then repeated for the identified group for the next (i-th) block in the data transmission (step 164 in Fig. 6).
- Fig. 7 shows an example of this method in which a data transmission 170 is destined to 10,000 authorized clients, one of which is believed to be compromised.
- the key generator produces ten new authorization keys and assigns them to ten groups of 100 clients within the population. Again, one of the ten keys is found to be illegally conveyed and the suspect group is noted. The second iteration narrows the population of potential traitors to 100.
- the key generator produces ten new authorization keys and assigns them to ten groups of 10 clients within the reduced population. The third iteration narrows the population of potential traitors to 10.
- the key generator produces ten new authorization keys and assigns each one to one client in the suspect population. When one of these keys is transferred illegally, the operator can pinpoint the compromised client and initiate legal proceedings against that user. Accordingly, by properly selecting the number of segments M and the number of keys N for each segment, the operator can precisely identify the compromised client during a single data transmission.
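The Fig. 5 bisection and the Fig. 6/7 per-block narrowing are the same procedure with a different group count N, so one example serves both. The Python below is added here as an illustration and is not code from the patent or its applicant. It assumes: client identifiers are plain strings; keys are 32 random bytes; and, so the file runs with the standard library alone, a stand-in cipher (`prf_xor`, an HMAC-SHA256 counter-mode keystream) is used for both the data encryption and the session-key wrap, where a deployment would use AES-GCM or similar. The class and function names (`ContentServer`, `issue_keys`, `send_block`, `trace`, `client_decrypt`, `simulate_trace`) are this example's own, labelled with the patent's step numbers. The public-key delivery of authorization keys (step 124) is not modelled.

```python
"""Traitor tracing by authorization-key partitioning (Figs. 5-7 of the patent).

Added example, not code from the patent. The "cipher" is an HMAC-SHA256 counter-mode
keystream so the file runs with the standard library alone; a real deployment would use
AES-GCM (or similar) for both the data and the session-key wrap.
"""
from __future__ import annotations
import hashlib
import hmac
import secrets


def prf_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """XOR `data` with an HMAC-SHA256 keystream bound to (key, label).

    The label must never repeat for the same key: that is what prevents two-time-pad
    keystream reuse when one authorization key wraps several session keys.
    """
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, label + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class ContentServer:
    """Key generator 52 plus key/client associator 54 and its table 56 (example model)."""

    def __init__(self, clients: list[str]) -> None:
        self.suspects: set[str] = set(clients)        # population still under suspicion
        self.table: dict[bytes, frozenset[str]] = {}  # authorization key -> client group

    def issue_keys(self, n_groups: int) -> dict[str, bytes]:
        """Steps 120/122 (Fig. 5) and 156/158 (Fig. 6): N fresh authorization keys, each
        assigned to one of N near-equal groups drawn from the current suspect population.
        Returns the per-client assignment (step 124 would deliver it under each client's
        public key; that transport is not modelled here)."""
        ordered = sorted(self.suspects)
        n_groups = max(1, min(n_groups, len(ordered)))
        self.table.clear()
        assignment: dict[str, bytes] = {}
        for g in range(n_groups):
            group = frozenset(ordered[g::n_groups])
            auth_key = secrets.token_bytes(32)
            self.table[auth_key] = group
            for client in group:
                assignment[client] = auth_key
        return assignment

    def send_block(self, block_no: int, plaintext: bytes) -> tuple[bytes, dict[bytes, bytes]]:
        """Steps 126/128: encrypt the block under a fresh session key, then wrap that
        session key once per authorization key. `block_no` goes into the wrap label so a
        key that lives across several blocks never reuses keystream."""
        session_key = secrets.token_bytes(32)
        ciphertext = prf_xor(session_key, b"data|%d" % block_no, plaintext)
        label = b"wrap|%d" % block_no
        wrapped = {ak: prf_xor(ak, label, session_key) for ak in self.table}
        return ciphertext, wrapped

    def trace(self, leaked_key: bytes) -> set[str]:
        """Steps 140/142 and 162: cross-reference a key recovered from the black market
        against the table; only the group that was issued it can contain the traitor."""
        group = self.table.get(leaked_key)
        if group is None:
            raise ValueError("key was not issued for this transmission")
        self.suspects &= group
        return set(self.suspects)


def client_decrypt(auth_key: bytes, block_no: int, ciphertext: bytes,
                   wrapped: dict[bytes, bytes]) -> bytes:
    """Steps 132/134 inside cryptographic unit 82: unwrap the session key with the
    client's assigned authorization key, then decrypt the data block."""
    session_key = prf_xor(auth_key, b"wrap|%d" % block_no, wrapped[auth_key])
    return prf_xor(session_key, b"data|%d" % block_no, ciphertext)


def simulate_trace(server: ContentServer, traitor: str, n_groups: int,
                   max_blocks: int) -> set[str]:
    """Fig. 6/7 loop: fresh keys per block; after each block the traitor's key turns up
    on the black market and is traced, shrinking the suspect set by a factor of N.
    With n_groups=2 this is the Fig. 5 bisection."""
    for block_no in range(max_blocks):
        assignment = server.issue_keys(n_groups)
        ciphertext, wrapped = server.send_block(block_no, b"segment %d" % block_no)
        # Every authorized client, the traitor included, still decrypts normally.
        assert client_decrypt(assignment[traitor], block_no, ciphertext, wrapped) \
            == b"segment %d" % block_no
        server.trace(assignment[traitor])   # the key the traitor sold is traced
        if len(server.suspects) == 1:
            break
    return set(server.suspects)


if __name__ == "__main__":
    # Constructed population matching Fig. 7: 10,000 clients, 10 keys per block, 4 blocks.
    population = [f"client-{i:05d}" for i in range(10_000)]
    print(simulate_trace(ContentServer(population), "client-04242", n_groups=10, max_blocks=4))
```

For a population of P clients and N keys per block, the loop pins the traitor down in ceil(log_N P) blocks: 4 blocks for the 10,000-client, N=10 case in Fig. 7 and 10 blocks for 1,024 clients with N=2. Two caveats the simulation makes visible: the server must keep the key/client table for every key set it has issued (a leaked key from an earlier block is useless without it), and each wrap label carries the block number because an authorization key that outlives one transmission must never wrap two session keys under the same keystream.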
- the implementation described above employs a security device based on cryptographic functions.
- This invention may also be utilized in connection with security devices that employ other types of encoding/decoding technologies.
- the authorized clients might be given authorization passwords or numbers for use in receiving broadcast content.
- the authorized client might be supplied with descrambling codes, or the like, to enable receipt of a scrambled data transmission.
- the invention has been described in language more or less specific as to structural and methodical features. It is to be understood, however, that the invention is not limited to the specific features described, since the means herein disclosed comprise preferred forms of putting the invention into effect. The invention is, therefore, claimed in any of its forms or modifications within the proper scope of the appended claims appropriately interpreted in accordance with the doctrine of equivalents.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2000516305A JP2003502719A (en) | 1997-10-14 | 1998-09-16 | System and method for discovering security devices |
EP98963737A EP1031206A2 (en) | 1997-10-14 | 1998-09-16 | System and method for discovering compromised security devices |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US94943897A | 1997-10-14 | 1997-10-14 | |
US08/949,438 | 1997-10-14 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO1999019822A2 true WO1999019822A2 (en) | 1999-04-22 |
WO1999019822A3 WO1999019822A3 (en) | 1999-06-17 |
Family
ID=25489083
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US1998/019352 WO1999019822A2 (en) | 1997-10-14 | 1998-09-16 | System and method for discovering compromised security devices |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP1031206A2 (en) |
JP (1) | JP2003502719A (en) |
WO (1) | WO1999019822A2 (en) |
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1054315A2 (en) * | 1999-05-20 | 2000-11-22 | Nec Corporation | System and program for preventing unauthorized copying of software |
WO2001017252A1 (en) * | 1999-08-29 | 2001-03-08 | Intel Corporation | Digital video content transmission ciphering and deciphering method and apparatus |
EP1101331A1 (en) * | 1999-06-29 | 2001-05-23 | Samsung Electronics Co., Ltd. | Apparatus for securing user's information in a mobile communication system connected to the internet and method thereof |
WO2001047271A2 (en) * | 1999-12-22 | 2001-06-28 | Irdeto Access B.V. | Method for operating a conditional access system for broadcast applications |
WO2002003694A1 (en) * | 2000-07-06 | 2002-01-10 | At-Sky (Sas) | System for controlling online and offline access to digital data using a software key server |
FR2811503A1 (en) * | 2000-07-07 | 2002-01-11 | Innovatron Sa | Multimedia delivery system tattoos client ID data in transmission improves traceability |
EP1208667A1 (en) * | 1999-09-02 | 2002-05-29 | Cryptography Research Inc. | Method and apparatus for preventing piracy of digital content |
GB2353682B (en) * | 1999-07-15 | 2004-03-31 | Nds Ltd | Key management for content protection |
US6731758B1 (en) | 1999-08-29 | 2004-05-04 | Intel Corporation | Digital video content transmission ciphering and deciphering method and apparatus |
US6880081B1 (en) | 1999-07-15 | 2005-04-12 | Nds Ltd. | Key management for content protection |
US6920221B1 (en) | 1999-08-29 | 2005-07-19 | Intel Corporation | Method and apparatus for protected exchange of status and secret values between a video source application and a video hardware interface |
US6947558B1 (en) | 1999-08-29 | 2005-09-20 | Intel Corporation | Stream cipher having a shuffle network combiner function |
US7003107B2 (en) | 2000-05-23 | 2006-02-21 | Mainstream Encryption | Hybrid stream cipher |
GB2419222A (en) * | 2004-10-15 | 2006-04-19 | Zootech Ltd | Copy deterrent for an audiovisual product |
US7068786B1 (en) | 1999-08-29 | 2006-06-27 | Intel Corporation | Dual use block/stream cipher |
US7103184B2 (en) | 2002-05-09 | 2006-09-05 | Intel Corporation | System and method for sign mask encryption and decryption |
US7245720B2 (en) | 1999-12-22 | 2007-07-17 | Irdeto Access B.V. | Method for controlling the use of a program signal in a broadcast system, and control device for a receiver for carrying out such a method |
US7415110B1 (en) | 1999-03-24 | 2008-08-19 | Intel Corporation | Method and apparatus for the generation of cryptographic keys |
US7505593B2 (en) | 2002-12-09 | 2009-03-17 | International Business Machines Corporation | Method for tracing traitors and preventing piracy of digital content in a broadcast encryption system |
WO2009101540A1 (en) * | 2008-02-11 | 2009-08-20 | Nokia Corporation | Method, apparatus and computer program product for providing mobile broadcast service protection |
US8161296B2 (en) * | 2005-04-25 | 2012-04-17 | Samsung Electronics Co., Ltd. | Method and apparatus for managing digital content |
US20150156078A1 (en) * | 2013-12-03 | 2015-06-04 | Red Hat, Inc. | Method and system for dynamically shifting a service |
US9520993B2 (en) | 2001-01-26 | 2016-12-13 | International Business Machines Corporation | Renewable traitor tracing |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2856539A1 (en) * | 2003-06-17 | 2004-12-24 | France Telecom | Broadcasted information encryption and/or decryption tracing method, involves implementing secret cryptographic function by multiple decoders, each including memory storing mathematical description of function |
JP2005079864A (en) * | 2003-08-29 | 2005-03-24 | Toshiba Corp | Broadcast device, receiving device, broadcast method and receiving method |
JP2006311625A (en) * | 2006-08-18 | 2006-11-09 | Toshiba Corp | Broadcast device, receiving device, broadcast method and receiving method |
JP2010104035A (en) * | 2010-01-25 | 2010-05-06 | Toshiba Corp | Receiver, and receiving method |
JP2010119138A (en) * | 2010-02-15 | 2010-05-27 | Toshiba Corp | Receiving device and method |
JP6018880B2 (en) * | 2012-11-05 | 2016-11-02 | 日本放送協会 | ENCRYPTION DEVICE, DECRYPTION DEVICE, ENCRYPTION PROGRAM, AND DECRYPTION PROGRAM |
1998
- 1998-09-16 WO PCT/US1998/019352 patent/WO1999019822A2/en not_active Application Discontinuation
- 1998-09-16 EP EP98963737A patent/EP1031206A2/en not_active Withdrawn
- 1998-09-16 JP JP2000516305A patent/JP2003502719A/en not_active Withdrawn
Non-Patent Citations (1)
Title |
---|
Chor B. et al.: "Tracing traitors", Advances in Cryptology - CRYPTO '94, 14th Annual International Cryptology Conference Proceedings, Santa Barbara, CA, USA, 21-25 Aug. 1994, pp. 257-270, Springer-Verlag, Berlin, Germany, 1994, ISBN 3-540-58333-5, XP002097845 * |
Cited By (52)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7415110B1 (en) | 1999-03-24 | 2008-08-19 | Intel Corporation | Method and apparatus for the generation of cryptographic keys |
EP1054315A3 (en) * | 1999-05-20 | 2002-09-11 | Nec Corporation | System and program for preventing unauthorized copying of software |
US7334265B1 (en) | 1999-05-20 | 2008-02-19 | Nec Corporation | System and program for preventing unauthorized copying of software |
EP1054315A2 (en) * | 1999-05-20 | 2000-11-22 | Nec Corporation | System and program for preventing unauthorized copying of software |
EP1101331A1 (en) * | 1999-06-29 | 2001-05-23 | Samsung Electronics Co., Ltd. | Apparatus for securing user's information in a mobile communication system connected to the internet and method thereof |
EP1101331A4 (en) * | 1999-06-29 | 2005-07-06 | Samsung Electronics Co Ltd | Apparatus for securing user's information in a mobile communication system connected to the internet and method thereof |
US6880081B1 (en) | 1999-07-15 | 2005-04-12 | Nds Ltd. | Key management for content protection |
US8054978B2 (en) | 1999-07-15 | 2011-11-08 | Nds Limited | Key management for content protection |
US7382884B2 (en) | 1999-07-15 | 2008-06-03 | Nds Ltd. | Key management for content protection |
US7263611B2 (en) | 1999-07-15 | 2007-08-28 | Nds Ltd. | Key management for content protection |
US7188242B2 (en) | 1999-07-15 | 2007-03-06 | Nds Ltd. | Key management for content protection |
GB2353682B (en) * | 1999-07-15 | 2004-03-31 | Nds Ltd | Key management for content protection |
US7068786B1 (en) | 1999-08-29 | 2006-06-27 | Intel Corporation | Dual use block/stream cipher |
US7043021B2 (en) | 1999-08-29 | 2006-05-09 | Intel Corporation | Digital video content transmission ciphering and deciphering method and apparatus |
EP1835739A2 (en) | 1999-08-29 | 2007-09-19 | Intel Corporation | Digital video content transmission ciphering and deciphering method and apparatus |
US6920221B1 (en) | 1999-08-29 | 2005-07-19 | Intel Corporation | Method and apparatus for protected exchange of status and secret values between a video source application and a video hardware interface |
US6947558B1 (en) | 1999-08-29 | 2005-09-20 | Intel Corporation | Stream cipher having a shuffle network combiner function |
US6947561B1 (en) | 1999-08-29 | 2005-09-20 | Intel Corporation | Method and apparatus for protecting copy control information provided to a video recording device |
US6956949B1 (en) | 1999-08-29 | 2005-10-18 | Intel Corporation | Method and apparatus for authenticating an hierarchy of video receiving devices |
US6477252B1 (en) * | 1999-08-29 | 2002-11-05 | Intel Corporation | Digital video content transmission ciphering and deciphering method and apparatus |
WO2001017252A1 (en) * | 1999-08-29 | 2001-03-08 | Intel Corporation | Digital video content transmission ciphering and deciphering method and apparatus |
US7426274B2 (en) | 1999-08-29 | 2008-09-16 | Intel Corporation | Method and apparatus for generating pseudo random numbers in a video device having an embedded cipher unit |
EP1835739A3 (en) * | 1999-08-29 | 2009-11-25 | Intel Corporation | Digital video content transmission ciphering and deciphering method and apparatus |
US6731758B1 (en) | 1999-08-29 | 2004-05-04 | Intel Corporation | Digital video content transmission ciphering and deciphering method and apparatus |
US9569628B2 (en) | 1999-09-02 | 2017-02-14 | Cryptography Research, Inc. | Specialized circuitry for cryptographic authentication and other purposes |
US7039816B2 (en) | 1999-09-02 | 2006-05-02 | Cryptography Research, Inc. | Using smartcards or other cryptographic modules for enabling connected devices to access encrypted audio and visual content |
EP1208667A1 (en) * | 1999-09-02 | 2002-05-29 | Cryptography Research Inc. | Method and apparatus for preventing piracy of digital content |
EP1208667A4 (en) * | 1999-09-02 | 2005-07-06 | Cryptography Res Inc | Method and apparatus for preventing piracy of digital content |
WO2001047271A2 (en) * | 1999-12-22 | 2001-06-28 | Irdeto Access B.V. | Method for operating a conditional access system for broadcast applications |
AU776108B2 (en) * | 1999-12-22 | 2004-08-26 | Irdeto Access B.V. | Method for operating a conditional access system for broadcast applications |
JP4818559B2 (en) * | 1999-12-22 | 2011-11-16 | イルデト・ベー・フェー | How to operate a conditional access system to the broadcasting sector |
US7155611B2 (en) * | 1999-12-22 | 2006-12-26 | Irdeto Access, B.V. | Method of operating a conditional access system for broadcast applications |
JP2003518843A (en) * | 1999-12-22 | 2003-06-10 | イルデト・アクセス・ベー・フェー | How to operate a conditional access system to the broadcasting sector |
US7245720B2 (en) | 1999-12-22 | 2007-07-17 | Irdeto Access B.V. | Method for controlling the use of a program signal in a broadcast system, and control device for a receiver for carrying out such a method |
WO2001047271A3 (en) * | 1999-12-22 | 2002-01-17 | Irdeto Access Bv | Method for operating a conditional access system for broadcast applications |
CN100366083C (en) * | 1999-12-22 | 2008-01-30 | 耶德托存取公司 | Method for operating conditional access system for broadcast applications |
US7103181B2 (en) | 2000-05-23 | 2006-09-05 | Mainstream Encryption | State-varying hybrid stream cipher |
US7003107B2 (en) | 2000-05-23 | 2006-02-21 | Mainstream Encryption | Hybrid stream cipher |
WO2002003694A1 (en) * | 2000-07-06 | 2002-01-10 | At-Sky (Sas) | System for controlling online and offline access to digital data using a software key server |
FR2811505A1 (en) * | 2000-07-06 | 2002-01-11 | At Sky | ONLINE AND OFFLINE DIGITAL DATA ACCESS CONTROL SYSTEM USING SOFTWARE KEY SERVER |
FR2811503A1 (en) * | 2000-07-07 | 2002-01-11 | Innovatron Sa | Multimedia delivery system tattoos client ID data in transmission improves traceability |
US11108569B2 (en) | 2001-01-26 | 2021-08-31 | International Business Machines Corporation | Renewable traitor tracing |
US9520993B2 (en) | 2001-01-26 | 2016-12-13 | International Business Machines Corporation | Renewable traitor tracing |
US7103184B2 (en) | 2002-05-09 | 2006-09-05 | Intel Corporation | System and method for sign mask encryption and decryption |
US7505593B2 (en) | 2002-12-09 | 2009-03-17 | International Business Machines Corporation | Method for tracing traitors and preventing piracy of digital content in a broadcast encryption system |
US7793351B2 (en) | 2004-10-15 | 2010-09-07 | Zoo Digital Limited | Copy deterrent for an audiovisual product |
GB2419222B (en) * | 2004-10-15 | 2007-05-30 | Zootech Ltd | Copy deterrent for an audiovisual product |
GB2419222A (en) * | 2004-10-15 | 2006-04-19 | Zootech Ltd | Copy deterrent for an audiovisual product |
US8161296B2 (en) * | 2005-04-25 | 2012-04-17 | Samsung Electronics Co., Ltd. | Method and apparatus for managing digital content |
WO2009101540A1 (en) * | 2008-02-11 | 2009-08-20 | Nokia Corporation | Method, apparatus and computer program product for providing mobile broadcast service protection |
US20150156078A1 (en) * | 2013-12-03 | 2015-06-04 | Red Hat, Inc. | Method and system for dynamically shifting a service |
US9936008B2 (en) * | 2013-12-03 | 2018-04-03 | Red Hat, Inc. | Method and system for dynamically shifting a service |
Also Published As
Publication number | Publication date |
---|---|
JP2003502719A (en) | 2003-01-21 |
WO1999019822A3 (en) | 1999-06-17 |
EP1031206A2 (en) | 2000-08-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO1999019822A2 (en) | System and method for discovering compromised security devices | |
CN1146185C (en) | Protecting information in system | |
US7480385B2 (en) | Hierarchical encryption key system for securing digital media | |
US7466826B2 (en) | Method of secure transmission of digital data from a source to a receiver | |
RU2433548C2 (en) | Method of descrambling scrambled content data object | |
JP4976107B2 (en) | Method for scrambling and descrambling a unit of data | |
EP1560361B1 (en) | A secure key authentication and ladder system | |
US6550008B1 (en) | Protection of information transmitted over communications channels | |
JP4818559B2 (en) | How to operate a conditional access system to the broadcasting sector | |
KR100898437B1 (en) | Process of symmetric key management in a communication network, communication device and device for processing data in a communication network | |
US20060184796A1 (en) | System and method for a variable key ladder | |
JPH11513159A (en) | Method and apparatus for operating a transaction server in an owned database environment | |
US20060047976A1 (en) | Method and apparatus for generating a decrpytion content key | |
US6516414B1 (en) | Secure communication over a link | |
JP4447908B2 (en) | Local digital network and method for introducing new apparatus, and data broadcasting and receiving method in the network | |
US7415440B1 (en) | Method and system to provide secure key selection using a secure device in a watercrypting environment | |
KR102286784B1 (en) | A security system for broadcasting system | |
US20220417001A1 (en) | System and method for securely delivering keys and encrypting content in cloud computing environments | |
EP1387522A2 (en) | Apparatus and method for securing a distributed network | |
US9124770B2 (en) | Method and system for prevention of control word sharing | |
Tunstall et al. | Inhibiting card sharing attacks | |
JP2006129535A (en) | Scramble broadcasting system of stream media data | |
JP2004172870A (en) | Scramble broadcasting system for streamed-media data | |
Doumbia et al. | Setup-box based on Embedded DaVinci Platform | |
MXPA00007094A (en) | Method and apparatus for conveying a private message to selected members |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A2; designated state(s): JP |
| AL | Designated countries for regional patents | Kind code of ref document: A2; designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE |
| AK | Designated states | Kind code of ref document: A3; designated state(s): JP |
| AL | Designated countries for regional patents | Kind code of ref document: A3; designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
| ENP | Entry into the national phase | Ref country code: JP; ref document number: 2000 516305; kind code of ref document: A; format of ref document f/p: F |
| WWE | Wipo information: entry into national phase | Ref document number: 1998963737; country of ref document: EP |
| WWP | Wipo information: published in national office | Ref document number: 1998963737; country of ref document: EP |
| WWW | Wipo information: withdrawn in national office | Ref document number: 1998963737; country of ref document: EP |