

Title:
SECURITY SCHEME FOR MOBILE DEVICES
Document Type and Number:
WIPO Patent Application WO/2006/111949
Kind Code:
A2
Abstract:
At a content provider providing content for broadcast to a plurality of mobile devices, a method for distributing keys for decrypting content, the method including providing a plurality of encrypted decryption keys, the encrypted decryption keys being encrypted according to fSMK(gPK(CEK)), where f and g are encryption functions, fSMK is an encryption function encrypting gPK(CEK) according to a key, SKM, gPK(CEK) is an encryption function encrypting CEK according to a key PK, and CEK is a content encryption key enabling decryption of the content for a single crypto-period, transmitting the plurality of encrypted decryption keys to the plurality of mobile devices, and at an appropriate time relative to broadcast of the content encrypted according to key CEK, transmitting the key SKM to the plurality of mobile devices, thereby enabling the plurality of mobile devices to decrypt fSMK(gPK(CEK)) and derive gPK(CEK). Related apparatus and methods are described.

Inventors:
WAISBARD EREZ (IL)
MOLLER ARIEH (IL)
SOLOW HILLEL (IL)
Application Number:
PCT/IL2006/000070
Publication Date:
October 26, 2006
Filing Date:
January 18, 2006
Assignee:
NDS LTD (GB)
WAISBARD EREZ (IL)
MOLLER ARIEH (IL)
SOLOW HILLEL (IL)
International Classes:
H04L9/00
Foreign References:
US20030172262A1
Attorney, Agent or Firm:
SANFORD T. COLB & CO. (Rehovot, IL)
Claims:
What is claimed is:
1. At a content provider providing content for broadcast to a plurality of mobile devices, a method for distributing keys for decrypting content, the method comprising: providing a plurality of encrypted decryption keys, the encrypted decryption keys being encrypted according to fSMK(gPK(CEK)), where: f and g are encryption functions; fSMK is an encryption function encrypting gPK(CEK) according to a key, SKM; gPK(CEK) is an encryption function encrypting CEK according to a key PK; and CEK is a content encryption key enabling decryption of the content for a single cryptoperiod; transmitting the plurality of encrypted decryption keys to the plurality of mobile devices; and at an appropriate time relative to broadcast of the content encrypted according to key CEK, transmitting the key SKM to the plurality of mobile devices, thereby enabling the plurality of mobile devices to decrypt fSMK(gPK(CEK)) and derive gPK(CEK).
2. The method according to claim 1 and further comprising sending a second key SKM2 immediately prior to the onset of a second cryptoperiod, thereby enabling the plurality of mobile devices to decrypt fSMK2(gPK(CEK2)) and derive gPK(CEK2), where CEK2 is a second content encryption key enabling decryption of content in the second cryptoperiod.
3. The method according to either claim 1 or claim 2 and wherein the transmitting the plurality of encrypted decryption keys is performed at a time well before broadcast of content encrypted according to key CEK.
4. The method according to claim 1 and wherein the transmitting the plurality of encrypted decryption keys is performed prior to transmitting the key SKM.
5. The method according to claim 1 and wherein the appropriate time relative to broadcast of the content encrypted according to key CEK is a function of at least: a number of mobile devices comprised within the plurality of mobile devices; and an amount of bandwidth available to the content provider for sending the plurality of encrypted decryption keys to the plurality of mobile devices.
6. The method according to claim 1 and wherein fSMK is a symmetric encryption function.
7. The method according to claim 1 and wherein SKM is a shared key.
8. The method according to claim 1 and wherein fSMK is a stream cipher.
9. The method according to claim 1 and wherein fSMK is a block cipher.
10. The method according to claim 1 and wherein the appropriate time is a very short time before a start of the broadcast.
11. The method according to claim 1 and wherein SKM is broadcast as a portion of a broadcast stream comprising the content encrypted according to key CEK.
12. The method according to claim 2 and is a symmetric encryption function.
13. The method according to either of claim 2 or claim 12 and wherein SKM2 is a shared key.
14. The method according to either of claim 2 or claim 12 and wherein fSMK2 is a stream cipher.
15. The method according to either of claim 2 or claim 12 and wherein fSMK is a block cipher.
16. The method according to claim 1 and wherein gPK is an asymmetric encryption function.
17. The method according to claim 1 and wherein PK is a public key of an individual mobile device among the plurality of mobile devices.
18. The method according to claim 1 and wherein a device private key corresponding to PK is stored in a protected memory in the mobile device.
19. The method according to claim 1 and wherein the content for broadcast comprises one of: live multicast content; and unicast streamed content.
20. At a mobile device operative to receive and display content, a method for receiving keys from a content provider, the keys operative for decrypting the content, the method comprising: receiving a plurality of encrypted keys well in advance of broadcast of the content, the encrypted keys encrypted according where: f and g are encryption functions; fSMK is an encryption function encrypting gPK(CEK) according to a key, SKM; gPK(CEK) is an encryption function encrypting CEK according to a key PK; and CEK is a content encryption key enabling decryption of the content for a single cryptoperiod; prior to broadcast of the content encrypted according to key CEK, receiving the key SKM; decrypting fSMK(gPK(CEK)) according to the key SKM, thereby deriving gPK(CEK); utilizing a device private key to decrypt gPK(CEK), thereby deriving CEK; utilizing CEK to decrypt the content.
21. The method according to claim 20 and further comprising sending a second key SKM2 immediately prior to the onset of a second cryptoperiod, thereby enabling the plurality of mobile devices to and derive gPK(CEK2), where CEK2 is a second content encryption key enabling decryption of content in the second cryptoperiod.
22. The method according to either of claim 20 or claim 21 and wherein fSMK is a symmetric encryption function.
23. The method according to claim 20 and wherein SKM is a shared key.
24. The method according to claim 20 wherein fSMK is a stream cipher.
25. The method according to claim 20 and wherein fSMK is a block cipher.
26. The method according to claim 20 and wherein SKM is broadcast as a portion of a broadcast stream comprising the content encrypted according to key CEK.
27. The method according to claim 21 and wherein fSMK2 is a symmetric encryption function.
28. The method according to either claim 21 or claim 27 and wherein SKM2 is a shared key.
29. The method according to either claim 21 or claim 27 and wherein fSMK2 is a stream cipher.
30. The method according to either claim 21 or claim 27 and wherein fSMK2 is a block cipher.
31. The method according to either claim 21 or claim 27 and wherein SKM2 is broadcast as a portion of a broadcast stream comprising the content encrypted according to key CEK2.
32. The method according to claim 20 and wherein gPK is an asymmetric encryption function.
33. The method according to claim 20 and wherein PK is a public key of an individual mobile device among the plurality of mobile devices.
34. The method according to claim 20 and wherein the device private key corresponding to PK is stored in a protected memory in the mobile device.
35. Apparatus for distributing keys for decrypting content, the apparatus comprising: a decryption key provider which provides a plurality of encrypted decryption keys, the encrypted decryption keys being encrypted according to fSMK(gPK(CEK)), where: f and g are encryption functions; fSMK is an encryption function encrypting gPK(CEK) according to a key, SKM; gPK(CEK) is an encryption function encrypting CEK according to a key PK; and CEK is a content encryption key enabling decryption of the content for a single cryptoperiod; a transmitter for transmitting the plurality of encrypted decryption keys to the plurality of mobile devices; and a transmitter for transmitting the key SKM to the plurality of mobile devices at an appropriate time relative to broadcast of the content encrypted according to key CEK, thereby enabling the plurality of mobile devices to decrypt fSMK(gPK(CEK)) and derive gPK(CEK).
36. A mobile device operative to receive and display content and to receive keys from a content provider, the keys operative for decrypting the content, the mobile device comprising: a first receiver operative to receive a plurality of encrypted keys well in advance of broadcast of the content, the encrypted keys encrypted according to fSMK(gPK(CEK)), where: f and g are encryption functions; fSMK is an encryption function encrypting gPK(CEK) according to a key, SKM; gPK(CEK) is an encryption function encrypting CEK according to a key PK; and CEK is a content encryption key enabling decryption of the content for a single cryptoperiod; a second receiver operative to receive the key SKM prior to broadcast of the content encrypted according to key CEK; a decryptor which decrypts fSMK(gPK(CEK)) according to the key SKM, thereby deriving gPK(CEK); a device private key with which the device decrypts gPK(CEK), thereby deriving CEK; a decryptor operative to utilize decrypted key CEK to decrypt the content.
Description:
SECURITY SCHEME FOR MOBILE DEVICES

FIELD OF THE INVENTION

The present invention relates to key distribution, and more particularly, key distribution for content on mobile devices.

BACKGROUND OF THE INVENTION

In a broadcast environment, audiovisual data is typically broadcast by satellite, by cable, or by other appropriate broadcast medium, to an integrated receiver / decoder (IRD), also known as a set top box (STB). Many STBs further comprise storage devices and software drivers, enabling a user to digitally record content on the storage devices. Such STBs are typically known as Personal Video Recorders (PVRs) or Digital Video Recorders (DVRs). Broadcast of content is typically accompanied with the broadcast of control data, to ensure that only authorized viewers view content.

Typically, in order for a viewer to be able to view a service, the viewer needs to be authorized to view. Once the viewer is authorized to view the service, the viewer is enabled to decrypt encrypted packets comprising content broadcast on the service. For example, if a football game is to be broadcast on channel 101 at 11:00 AM Sunday January 1, the viewer needs to be authorized to view channel 101 before 11:00 AM Sunday January 1 in order to view the game. As the game is broadcast, the viewer receives encrypted packets comprising the broadcast content of the game. Being authorized to view channel 101, the viewer's STB is able to decrypt the packets and display the game.

With the advent of so called 2G and 3G mobile telephone technology, mobile devices, such as, and without limiting the generality of the foregoing, mobile telephones, now provide the ability to transfer both voice data (a telephone call) and non-voice data, for example, and without limiting the generality of the foregoing, downloading information, exchanging email, and instant messaging. 2G and 3G mobile telephone technology has also enabled broadcast of live content and streaming stored content to mobile devices. Content Providers, interested in controlling content, and thereby ensuring revenue, are concerned that control data accompany live and streamed content which is delivered to mobile devices.

The Open Mobile Alliance (OMA, see www.openmobilealliance.org) is a standards organization formed to facilitate global user adoption of mobile data services by specifying market driven mobile service enablers that ensure service interoperability across devices, geographies, service providers, operators, and networks, while allowing businesses to compete through innovation and differentiation. OMA has developed a family of specifications for content delivery and content protection on mobile devices. OMA Specification OMA-DRM-DRM-V2_0-20041210-C describes Digital Rights Management (DRM) in OMA. OMA specification OMA-DRM-ARCH-V2_0-20040820-C describes the architecture of DRM within OMA.

Typically, on OMA enabled devices, a consumer wishing to view content must receive, on his device, a rights object well in advance of the broadcast of the content. Once the consumer possesses the rights object, the consumer's device receives a decryption key, enabling decryption of the content. Typically, due to bandwidth considerations and the numbers of devices, the decryption key is distributed to the devices well in advance of broadcast.

Key management is described at length in chapter 8 of Applied Cryptography, by Bruce Schneier, John Wiley & Sons, Inc., 1996.

In systems that include secure communications, including conditional access systems as are well known in the art, there is a well-known problem of "hackers" who attempt to access secured communications in an unauthorized manner.

Conditional access systems typically include an ICAM (Integrated Conditional Access Module), typically comprised in a set top box (STB), in communication with a security element such as a smart card. (It is appreciated that some prior art systems may perform similar functions without having an ICAM). In prior art systems, as is well known in the art, the ICAM receives an Entitlement Control Message (ECM), typically but not necessarily by broadcast. The ECM includes information necessary to generate a Control Word (CW) used for descrambling content such as broadcast content. The ICAM passes the ECM to a secure computation unit, typically comprising a removable security element such as a smart card, where the ECM is processed, typically using a secret cryptographic function, to obtain the CW. The smart card then passes the CW back to the ICAM, which in turn passes the CW to other components of the STB for use in descrambling the content. Examples of such systems are described in US Patents 5,282,249 and 5,481,609 to Cohen et al and in US Patent 6,178,242 to Tsuria, the disclosures of which are hereby incorporated herein by reference. A typical pay television conditional access system is the VideoGuard™ system, commercially available from NDS Ltd., One London Rd., Staines, Middlesex, TW18 4EX, United Kingdom.

One particular hacker attack and a system for frustrating such a hacker attack is described in US Patent 5,590,200 to Nachman et al, the disclosure of which is hereby incorporated herein by reference.

Briefly, the system of Nachman et al is intended to frustrate a particular type of hacker attack known as "the McCormac hack". The McCormac hack, simply stated, is the redistribution of key data from a datastream between a decoder and a legitimate smartcard, in order to enable any decoder with a suitable pseudo-smartcard in the card slot to decode a channel. Thus given an adequate communications network, such as the Internet, a single subscription could provide keys for an unlimited number of individuals. The effect for a broadcaster would be devastating.

Examples of another system designed to frustrate the McCormac hack are described in PCT application PCT/IL/0200691, filed 21 August 2002, and published in the English language on 20 March 2003, as PCT Published Patent Application WO 03/024104 of NDS Ltd.; and corresponding US Patent Application 10/480,413 of Halperin, et al., published as US Published Patent Application 2004/0213406 on 28 Oct. 2004. The disclosures of WO 03/02410 and corresponding US Patent Application 10/480,413 are hereby incorporated herein by reference.

Those skilled in the art will appreciate that the McCormac hack can also be performed in a non-smart card environment, and that the above discussion is not meant to be limiting.

Published PCT application WO 99/45711 of NDS limited, and corresponding US Patent 6,587,561, to Sered et al. describes a key delivery method for use in an encoded communications system in which at least one encoded item including a first item encoded with a first item control word is sent in a communication stream from a sender to a receiver, the method including transmitting an item entitlement control message (IECM) including item control information, transmitting a stream entitlement control message (SECM) including stream control information, and combining at least part of the item control information and at least part of the stream control information to produce the first item control word.

The disclosures of all references mentioned above and throughout the present specification, as well as the disclosures of all references mentioned in those references, are hereby incorporated herein by reference.

SUMMARY OF THE INVENTION

The present invention seeks to provide an improved scheme of content protection key distribution for mobile devices.

There is thus provided in accordance with a preferred embodiment of the present invention providing a plurality of encrypted decryption keys, the encrypted decryption keys being encrypted according to fSMK(gPK(CEK)), where f and g are encryption functions, fSMK is an encryption function encrypting gPK(CEK) according to a key, SKM, gPK(CEK) is an encryption function encrypting CEK according to a key PK, and CEK is a content encryption key enabling decryption of the content for a single crypto-period, transmitting the plurality of encrypted decryption keys to the plurality of mobile devices, and at an appropriate time relative to broadcast of the content encrypted according to key CEK, transmitting the key SKM to the plurality of mobile devices, thereby enabling the plurality of mobile devices to decrypt fSMK(gPK(CEK)) and derive gPK(CEK).

Further in accordance with a preferred embodiment of the present invention sending a second key SKM2 immediately prior to the onset of a second crypto-period, thereby enabling the plurality of mobile devices to decrypt fSMK2(gPK(CEK2)) and derive gPK(CEK2), where CEK2 is a second content encryption key enabling decryption of content in the second crypto-period.

Still further in accordance with a preferred embodiment of the present invention the transmitting the plurality of encrypted decryption keys is performed at a time well before broadcast of content encrypted according to key CEK.

Additionally in accordance with a preferred embodiment of the present invention the transmitting the plurality of encrypted decryption keys is performed prior to transmitting the key SKM.

Moreover in accordance with a preferred embodiment of the present invention the appropriate time relative to broadcast of the content encrypted according to key CEK is a function of at least a number of mobile devices included within the plurality of mobile devices, and an amount of bandwidth available to the content provider for sending the plurality of encrypted decryption keys to the plurality of mobile devices.

Further in accordance with a preferred embodiment of the present invention fSMK is a symmetric encryption function.

Still further in accordance with a preferred embodiment of the present invention SKM is a shared key.

Additionally in accordance with a preferred embodiment of the present invention fSMK is a stream cipher.

Moreover in accordance with a preferred embodiment of the present invention fSMK is a block cipher.

Further in accordance with a preferred embodiment of the present invention the appropriate time is a very short time before a start of the broadcast.

Still further in accordance with a preferred embodiment of the present invention SKM is broadcast as a portion of a broadcast stream including the content encrypted according to key CEK.

Additionally in accordance with a preferred embodiment of the present invention fSMK2 is a symmetric encryption function.

Moreover in accordance with a preferred embodiment of the present invention SKM2 is a shared key.

Further in accordance with a preferred embodiment of the present invention fSMK2 is a stream cipher.

Still further in accordance with a preferred embodiment of the present invention fSMK is a block cipher.

Additionally in accordance with a preferred embodiment of the present invention gPK is an asymmetric encryption function.

Moreover in accordance with a preferred embodiment of the present invention PK is a public key of an individual mobile device among the plurality of mobile devices.

Further in accordance with a preferred embodiment of the present invention a device private key corresponding to PK is stored in a protected memory in the mobile device.

Still further in accordance with a preferred embodiment of the present invention the content for broadcast includes one of live multicast content, and unicast streamed content.

There is also provided in accordance with another preferred embodiment of the present invention receiving a plurality of encrypted keys well in advance of broadcast of the content, the encrypted keys encrypted according to where f and g are encryption functions, fSMK is an encryption function encrypting gPK(CEK) according to a key, SKM, gPK(CEK) is an encryption function encrypting CEK according to a key PK, and CEK is a content encryption key enabling decryption of the content for a single crypto-period, prior to broadcast of the content encrypted according to key CEK, receiving the key SKM, decrypting according to the key SKM, thereby deriving gPK(CEK), utilizing a device private key to decrypt gPK(CEK), thereby deriving CEK, utilizing CEK to decrypt the content.

Further in accordance with a preferred embodiment of the present invention sending a second key SKM2 immediately prior to the onset of a second crypto-period, thereby enabling the plurality of mobile devices to decrypt fSMK2(gPK(CEK2)) and derive gPK(CEK2), where CEK2 is a second content encryption key enabling decryption of content in the second crypto-period.

Still further in accordance with a preferred embodiment of the present invention fSMK is a symmetric encryption function.

Additionally in accordance with a preferred embodiment of the present invention SKM is a shared key.

Moreover in accordance with a preferred embodiment of the present invention fSMK is a stream cipher.

Further in accordance with a preferred embodiment of the present invention fSMK is a block cipher.

Still further in accordance with a preferred embodiment of the present invention SKM is broadcast as a portion of a broadcast stream including the content encrypted according to key CEK.

Additionally in accordance with a preferred embodiment of the present invention fSMK2 is a symmetric encryption function.

Moreover in accordance with a preferred embodiment of the present invention SKM2 is a shared key.

Further in accordance with a preferred embodiment of the present is a stream cipher.

Still further in accordance with a preferred embodiment of the present invention fSMK2 is a block cipher.

Additionally in accordance with a preferred embodiment of the present invention SKM2 is broadcast as a portion of a broadcast stream including the content encrypted according to key CEK2.

Moreover in accordance with a preferred embodiment of the present invention gPK is an asymmetric encryption function.

Further in accordance with a preferred embodiment of the present invention PK is a public key of an individual mobile device among the plurality of mobile devices.

Still further in accordance with a preferred embodiment of the present invention the device private key corresponding to PK is stored in a protected memory in the mobile device.

There is also provided in accordance with still another preferred embodiment of the present invention a decryption key provider which provides a plurality of encrypted decryption keys, the encrypted decryption keys being encrypted according to fSMK(gPK(CEK)), where f and g are encryption functions, fSMK is an encryption function encrypting gPK(CEK) according to a key, SKM, gPK(CEK) is an encryption function encrypting CEK according to a key PK, and CEK is a content encryption key enabling decryption of the content for a single crypto-period, a transmitter for transmitting the plurality of encrypted decryption keys to the plurality of mobile devices, and a transmitter for transmitting the key SKM to the plurality of mobile devices at an appropriate time relative to broadcast of the content encrypted according to key CEK, thereby enabling the plurality of mobile devices to decrypt fSMK(gPK(CEK)) and derive gPK(CEK).

There is also provided in accordance with still another preferred embodiment of the present invention a first receiver operative to receive a plurality of encrypted keys well in advance of broadcast of the content, the encrypted keys encrypted according to fSMK(gPK(CEK)), where f and g are encryption functions, fSMK is an encryption function encrypting gPK(CEK) according to a key, SKM, gPK(CEK) is an encryption function encrypting CEK according to a key PK, and CEK is a content encryption key enabling decryption of the content for a single crypto-period, a second receiver operative to receive the key SKM prior to broadcast of the content encrypted according to key CEK, a decryptor which decrypts according to the key SKM, thereby deriving gPK(CEK), a device private key with which the device decrypts gPK(CEK), thereby deriving CEK, a decryptor operative to utilize decrypted key CEK to decrypt the content.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be understood and appreciated more fully from the following detailed description, taken in conjunction with the drawings in which:

Fig. 1 is a simplified illustration of a system wherein a content provider provides content to a plurality of mobile devices, the system constructed and operative in accordance with a preferred embodiment of the present invention;

Fig. 2 is a simplified depiction of a timeline relating content distribution events with session key management events within the system of Fig. 1;

Fig. 3 is a simplified depiction of a timeline relating arrival at one of the plurality of mobile devices of secret key material packets and decryption of session keys within the system of Fig. 1; and

Fig. 4 is a simplified flow chart illustration of a preferred method of implementation of the system of Fig. 1.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

Reference is now made to Fig. 1, which is a simplified pictorial illustration of a system wherein a content provider provides content to a plurality of mobile devices, the system constructed and operative in accordance with a preferred embodiment of the present invention. In Fig. 1 the content provider distributes content and control data to a plurality of mobile devices. Mobile devices referred to herein typically include any appropriate device implementing a standard which enables downloading content. For example, and without limiting the generality of the foregoing, ITU IMT 2000, UMTS, EDGE, and GPRS are such standards.

Reference is now made to Fig. 2, which is a simplified depiction of a timeline relating content distribution events with session key management events within the system of Fig. 1. Encrypted key material 200 is preferably delivered to a mobile device (not depicted) preferably well in advance of a broadcast start time 210. Encrypted key material is preferably delivered to the mobile device as an OMA rights object. The encrypted key material 200 preferably comprises a plurality of preferably doubly encrypted content keys, as explained below. Slightly before a first content key is needed for use, an encrypted first content key is preferably sent for decryption 220 to a mechanism depicted in Fig. 2 as session key derivation 230. The mechanism of session key derivation 230 is described in greater detail with reference to Fig. 3. The session key derivation 230 mechanism is preferably either located on the mobile device, in a SIM (subscriber identity module) of the mobile device, or in some other appropriate add-on component which is operatively associated with the mobile device, via, for example, and without limiting the generality of the foregoing, USB, SDIO (Secure Digital Cards), MMC (Multi Media Cards), and so forth.

Each of the plurality of content keys preferably comprises an OMA standard permission, which is preferably returned 240 to the mobile device after decryption by the session key derivation mechanism 230.

"Rights objects" are defined in OMA standards as, "a collection of permissions and other attributes which are linked to DRM content". "Permissions" are defined as "actual usages or activities allowed by a rights issuer over DRM content". The term "DRM content" refers to a digital work, such as, but not limited to, a ring tone, a screen saver or game, live broadcasts and streamed content, and combinations of such digital works. The digital work as DRM content is consumed according to a set of permissions in the rights object. Throughout the present disclosure, the terms "content" and "DRM content" are used interchangeably. Throughout the present disclosure, the term "broadcast", in all of its grammatical forms, is understood to include both broadcast content as well as streamed content, where streamed content includes both unicast and multicast content.

Before a second content key is needed for use, an encrypted second content key is preferably sent for decryption 250 to the session key derivation mechanism 230. A decrypted second OMA permission is preferably returned 260 to the mobile device by the session key derivation mechanism 230. The cycle of encrypted keys being sent for decryption and returning decrypted OMA standard permissions preferably continues until slightly before the broadcast ends 270. Finally, a last content key is needed for use. An encrypted last content key is preferably sent for decryption 280 to the session key derivation mechanism 230. A last OMA standard permission is preferably returned 290 to the mobile device by the session key derivation mechanism 230.

Reference is now made to Fig. 3, which is a simplified depiction of a timeline relating arrival at one of the plurality of mobile devices of secret key material (SKM) packets and decryption of session keys within the system of Fig. 1. In advance of a transmission to the mobile device, the content is preferably segmented into a series of crypto-periods. During each crypto-period, a new key is used to decrypt content. The new key is a content encryption key (CEK). Thus, the timeline in Fig. 3 is depicted as divided into segments, each segment preferably defined by a new CEK: CEK 1; CEK 2; ...; and CEK n. It is appreciated that a broadcaster is therefore able to refresh CEK frequently.

Each OMA standard rights object comprising a CEK required to view the content is preferably distributed well in advance of broadcast time. The CEK is preferably delivered encrypted where f and g are encryption functions, f preferably utilizes a symmetric encryption scheme, such as, and without limiting the generality of the foregoing, AES. g preferably utilizes an asymmetric encryption scheme, such as, and without limiting the generality of the foregoing, RSA. Those skilled in the art will appreciate that other encryption schemes may be more efficient or secure, and for that reason, preferred embodiments of the present invention are preferably not dependent on particular encryption schemes. For example, and without limiting the generality of the foregoing, it may be desirable to use an appropriate stream cipher rather than AES.

As noted above, gPK(CEK) preferably represents asymmetric encryption of the CEK. PK is the public key of the individual device to which the CEK is sent. As the content provider must send out the CEK for each crypto-period to each individual device, within the plurality of devices, a very large number of individually encrypted CEKs must preferably be transmitted. Therefore, the transmission of the keys is preferably performed well in advance of the broadcast start 210 (Fig. 2). Nevertheless, it is desirable that CEK only become available close to the time it is actually needed, and therefore, it is distributed encrypted as gPK(CEK).

Those skilled in the art will appreciate that due to bandwidth limitations, it would be impossible to distribute a very large number of individually encrypted CEKs except well in advance of the broadcast start 210 (Fig. 2).

It is appreciated that a device private key used to decrypt g_PK(CEK) is highly secret. The device private key is, accordingly, stored in a protected memory in the device. If the private key becomes known, then there remains no protection for encrypted content. At most, OMA rights may be revoked, as per the OMA standards. However, due to the secrecy of the device private key, if encrypted keys are intercepted, there is no point in distributing the intercepted encrypted keys in advance of broadcast, as, without the device private key, the encrypted keys are useless.

On the other hand, f_SKM preferably represents symmetric encryption.

SKM, or secret key material, is preferably a shared key used to encrypt g_PK(CEK). However, the shared key SKM is preferably only broadcast a very short time before it is needed. Since SKM preferably comprises a shared key, very little bandwidth need be used to transmit SKM. Those skilled in the art will appreciate that sending SKM a limited number of times a very short time before broadcast start 210 (Fig. 2) preferably increases the likelihood that all of the individual devices within the plurality of mobile devices which need to receive SKM in time for use, will actually receive the SKM. Alternatively, the SKM is sent in the broadcast stream with the content, and not sent separately such that it appears at the correct time. It is appreciated that: in order to retrieve the CEK, the device preferably needs both the SKM and PK; and unwrapping an outer layer of encryption, f_SKM, preferably can only be performed once the SKM has arrived, thereby preferably eliminating the possibility of unauthorized decryption and distribution of the CEK well in advance of the use of the CEK. Those skilled in the art will appreciate that CEK may not be the actual content encryption key. Rather, decrypting g_PK(CEK) may provide a value which the device uses to derive the actual content encryption key.

Reference is now made to Fig. 4, which is a simplified depiction of a timeline relating arrival of secret key material packets and decryption of session keys within the system of Fig. 1. Actions depicted in Fig. 4 are depicted in two columns, a left column and a right column. The left column depicts actions of the content provider. The right column depicts actions which occur at the device. Time flows from the top of Fig. 4 to the bottom. Well in advance of broadcast of the content, the content provider preferably sends a plurality of encrypted keys in the form f_SKM(g_PK(CEK)), as described above (step 400). As discussed above, each key preferably comprises a session key which has been encrypted using the public key of the device. The public key encrypted session key is preferably further encrypted with a shared key. A resultant shared key encrypted, public key encrypted session key for each crypto-period is preferably sent to a plurality of devices. At at least one of the plurality of devices, the encrypted keys are preferably received well in advance of broadcast time (step 410).

Just before the broadcast begins, the content provider preferably sends a first shared key to the plurality of devices (step 420). The at least one of the plurality of devices preferably receives the first shared key preferably just before the broadcast begins, and decrypts f_SKM(g_PK(CEK)) (step 430). The device then preferably uses its own private key immediately to decrypt the public key encrypted session key, thereby deriving the now unencrypted session key CEK (step 440). With CEK, the device is able to render the content viewable (step 450).

Steps 420 - 450 are then preferably repeated with a second key, and for each subsequent key, up to, and including a final key (steps 460 - 470). Those skilled in the art will appreciate that further encrypted key material comprising OMA rights objects may preferably be delivered to the mobile device before steps 400 - 470 occur, while steps 400 - 470 occur, or after steps 400 - 470 occur.
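The layered wrap and timed unwrap of steps 400 to 440 can be traced in the following added Python example, which is not part of the patent text. Everything in it is an assumption made for illustration: the toy textbook RSA over two fixed Mersenne primes standing in for g, the SHAKE-256 keystream with an HMAC tag standing in for f, the 16-byte key sizes, and all function and class names; neither stand-in is a secure primitive.

```python
import hashlib, hmac, secrets

# g: toy textbook RSA over two Mersenne primes -- a stand-in for RSA, NOT secure.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))   # public modulus, private exponent
NLEN = (N.bit_length() + 7) // 8

def g_encrypt(cek):                            # g_PK(CEK), one per device
    return pow(int.from_bytes(cek, "big"), E, N).to_bytes(NLEN, "big")

def g_decrypt(inner):                          # needs the device private key D
    return pow(int.from_bytes(inner, "big"), D, N).to_bytes(16, "big")

# f: SHAKE-256 keystream plus HMAC tag -- a stand-in for AES or a stream cipher.
def _keys(skm):
    return hashlib.sha256(b"enc" + skm).digest(), hashlib.sha256(b"mac" + skm).digest()

def _xor(data, key, nonce):
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def f_encrypt(skm, inner):                     # f_SKM(g_PK(CEK))
    ke, km = _keys(skm)
    nonce = secrets.token_bytes(16)
    body = _xor(inner, ke, nonce)
    return nonce + body + hmac.new(km, nonce + body, hashlib.sha256).digest()

def f_decrypt(skm, blob):
    ke, km = _keys(skm)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, nonce + body, hashlib.sha256).digest()):
        raise ValueError("SKM does not match this crypto-period")
    return _xor(body, ke, nonce)

class Device:
    def __init__(self):
        self.pending = {}                      # period -> wrapped key (step 410)

    def store(self, period, wrapped):
        self.pending[period] = wrapped

    def on_skm(self, period, skm):             # steps 430-440
        inner = f_decrypt(skm, self.pending[period])   # outer layer: needs SKM
        return g_decrypt(inner)                        # inner layer: needs private key

def provider_prepare(n_periods):               # step 400, well before broadcast
    ceks = [secrets.token_bytes(16) for _ in range(n_periods)]
    skms = [secrets.token_bytes(16) for _ in range(n_periods)]
    return ceks, skms, [f_encrypt(s, g_encrypt(c)) for c, s in zip(ceks, skms)]
```

The tag on the outer layer lets the device reject a shared key that belongs to a different crypto-period instead of passing a garbage value to the private-key operation.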

Those skilled in the art will appreciate that the method described hereinabove can be applied within any appropriate technological framework, and not just OMA. References to OMA are not meant to be limiting.

It is appreciated that various features of the invention which are, for clarity, described in the contexts of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable subcombination.

It will be appreciated by persons skilled in the art that the present invention is not limited by what has been particularly shown and described hereinabove. Rather the scope of the invention is defined only by the claims which follow: