Claims
- 1. In an interactive information services system for providing at least one of video, audio, and data (program) requested by a customer from a service provider (SP) and for transmitting the requested program in program bearing packets to a set top unit (STU) associated with the customer, apparatus positioned between the SP and the STU for ensuring that only the customer has access to said program, said apparatus comprising:
means for receiving program bearing packets in a first network protocol from a first data link and removing said packets from said first network protocol; means for adding conditional access to said program bearing packets; and, means for re-encapsulating said program bearing packets in a second network protocol and outputting said program bearing packets over a second data link.
- 2. An apparatus as recited in claim 1, wherein said second network protocol comprises one of said first network protocol and an other network protocol.
- 3. An apparatus as recited in claim 1, wherein said means for receiving program bearing packets comprises:
a receiver for receiving program bearing packets from said first data link; a buffer for storing the received program bearing packets in said first network protocol; and, a processor for removing said program bearing packets from said first network protocol in accordance with a protocol mapping function.
- 4. An apparatus as recited in claim 1, wherein said means for re-encapsulating said program comprises:
a processor for mapping said program bearing packets to said second network protocol in accordance with a protocol mapping function; a buffer for storing a portion of said program bearing packets in said second network protocol; and, a transmitter for outputting said program bearing packets over said second data link.
- 5. An apparatus as recited in claim 1, wherein said means for applying conditional access comprises:
means for selecting program bearing packets comprising a program requested by the customer; means for encrypting said selected program bearing packets according to a first encryption algorithm using a first key; means for encrypting said first key according to a second encryption algorithm using a second key; means for providing the encrypted said first key to the customer; means for encrypting said second key according to a public-key encryption algorithm using a public key corresponding to a private key stored within the STU associated with the customer; and, means for providing the encrypted said second key to the customer.
- 6. An apparatus as recited in claim 5 further comprising a means for acquiring said public-key from a public-key database maintained by a conditional access authority.
- 7. An apparatus as recited in claim 5, wherein said means for encrypting said selected program bearing packets comprises at least one processor implementing a DES encryption algorithm.
- 8. An apparatus as recited in claim 5, wherein said means for encrypting said first key comprises at least one processor implementing a Triple-DES encryption algorithm.
- 9. An apparatus as recited in claim 5, wherein said means for encrypting said second key comprises a processor implementing an RSA algorithm.
- 10. An apparatus as recited in claim 5, wherein said means for applying conditional access further comprises means for hashing said first key concatenated with said second key according to a hashing function such that the STU can determine the authenticity of said first key.
- 11. An apparatus as recited in claim 10, wherein said means for hashing comprises a processor implementing a Message Digest 5 hashing function.
- 12. An apparatus as recited in claim 5, wherein said means for applying conditional access further comprises means for providing a digital signature based on said second key concatenated with a private key corresponding to a public key associated with said SP such that the STU can verify the source of said second key.
- 13. An apparatus as recited in claim 12, wherein said means for providing a digital signature comprises a processor implementing an RSA algorithm.
- 14. An apparatus as recited in claim 12, wherein said public key and the corresponding private key are associated with a plurality of SPs.
- 15. An apparatus as recited in claim 1, wherein said means for applying conditional access comprises:
means for selecting program bearing packets comprising a program requested by the customer; means for encrypting said selected program bearing packets according to a first encryption algorithm using a first key; means for encrypting said first key according to a second encryption algorithm using a second key; means for hashing said first key concatenated with said second key according to a hashing function such that the STU can determine the authenticity of said first key; means for providing the encrypted said first key and the hash of said first key concatenated with said second key to the customer over the digital network; means for encrypting said second key according to a third encryption algorithm using a third key corresponding to a private key stored within the STU associated with the customer; means for providing a digital signature based on said second key such that the STU can verify the source of said second key; and, means for providing the encrypted said second key and the digital signature to the customer.
- 16. An apparatus as recited in claim 15, wherein said means for encrypting said selected program bearing packets comprises at least one processor implementing a DES encryption algorithm.
- 17. An apparatus as recited in claim 15 wherein said means for encrypting said first key comprises at least one processor implementing a Triple-DES encryption algorithm.
- 18. An apparatus as recited in claim 15, wherein said means for hashing comprises a processor implementing a Message Digest 5 hashing function.
- 19. An apparatus as recited in claim 15, wherein said third encryption algorithm comprises a public-key encryption algorithm and further wherein said third key comprises a public-key corresponding to said private key stored within the STU.
- 20. An apparatus as recited in claim 19, wherein said means for encrypting said second key comprises a processor implementing an RSA algorithm.
- 21. An apparatus as recited in claim 15, wherein said means for providing a digital signature comprises a processor implementing an RSA algorithm.
- 22. An apparatus as recited in claim 1, wherein said first network protocol comprises one of fiber-distributed data interface (FDDI), SONET-ATM, UNISON-1, and DS-3.
- 23. An apparatus as recited in claim 1, wherein said second network protocol comprises one of fiber-distributed data interface (FDDI), SONET-ATM, UNISON-1, and DS-3.
- 24. In a digital video delivery system, wherein a plurality of programs are stored at a server in a transport packet format and delivered in a first protocol format to a network for delivery to a subscriber, a method for linking the server to the network and applying conditional access to the transport packets comprising:
selecting program bearing packets comprising a program requested by the customer; encrypting said selected program bearing packets according to a first encryption algorithm using a first key; encrypting said first key according to a second encryption algorithm using a second key; providing the encrypted said first key to the customer; encrypting said second key according to a public-key encryption algorithm using a public key corresponding to a private key stored within the STU associated with the customer; and, providing the encrypted said second key to the customer.
- 25. A method as recited in claim 24 further comprising the step of acquiring said public-key from a public-key database maintained by a conditional access authority.
- 26. A method as recited in claim 24, wherein said step of encrypting said selected program bearing packets comprises a DES encryption algorithm.
- 27. A method as recited in claim 24, wherein said step of encrypting said first key comprises a Triple-DES encryption algorithm.
- 28. A method as recited in claim 24, wherein said step of encrypting said second key comprises an RSA algorithm.
- 29. A method as recited in claim 24, wherein said step of applying conditional access further comprises the step of hashing said first key concatenated with said second key according to a hashing function such that the STU can determine the authenticity of said first key.
- 30. A method as recited in claim 29, wherein said step of hashing comprises a Message Digest 5 hashing function.
- 31. A method as recited in claim 24, wherein said step of applying conditional access further comprises the step of providing a digital signature based on said second key concatenated with a private key corresponding to a public key associated with said SP such that the STU can verify the source of said second key.
- 32. A method as recited in claim 31, wherein said step of providing a digital signature comprises an RSA algorithm.
- 33. A method as recited in claim 31, wherein said public key and the corresponding private key are associated with a plurality of SPs.
- 34. In a digital video delivery system, wherein a plurality of programs are stored at a server in a transport packet format and delivered in a first protocol format to a network for delivery to a subscriber, a method for linking the server to the network and applying conditional access to the transport packets comprising:
receiving transport packets embedded in a first network level protocol; removing the transport packets from said first network level protocol; for each transport packet, determining if conditional access should be added; applying conditional access to said packets; and, outputting the packets in one of the first network protocol and a second network protocol.
- 35. In a digital information delivery system wherein a plurality of programs are stored in a transport packet format and are delivered to a network for transmission to an authorized customer, a method for applying conditional access to the transport packets comprising the steps of:
(a) selecting packets comprising a program requested by a customer; (b) encrypting the program bearing transport packets according to a first encryption algorithm using a first key; (c) outputting the encrypted transport packets for delivery to the authorized customer over the digital network; (d) encrypting said first key according to a second encryption algorithm using a second key; (e) generating a message authentication code comprising a hash of said first key and said second key according to a hashing function; (f) providing the encrypted said first key and said message authentication code to the authorized customer over the digital network; (g) encrypting said second key according to a third encryption algorithm using a third key; (h) applying a digital signature to the encrypted said second key such that the authorized customer can verify the origin of the encrypted said second key; and, (i) providing the encrypted and digitally signed said second key to the authorized customer over the digital network.
- 36. A method as recited in claim 35, wherein the packets are encrypted according to a DES algorithm.
- 37. A method as recited in claim 35, wherein the first keys are encrypted according to a Triple-DES algorithm.
- 38. A method as recited in claim 35, wherein the second keys are encrypted according to a public-key cryptographic technique.
- 39. A method as recited in claim 38, wherein the public-key cryptographic technique implements an RSA algorithm.
- 40. A method as recited in claim 35, wherein the application of the message authentication code comprises the steps of
concatenating the first key and the second key; and, hashing the concatenated keys in accordance with a hashing function to produce said message authentication code.
- 41. A method as recited in claim 40, wherein the hashing function comprises a Message Digest 5 function.
- 42. A method as recited in claim 35, wherein step (h) further comprises the steps of:
(i) hashing a message that is comprised of the second key; (ii) encrypting the hashed message with a public-key encryption algorithm using a private key associated with the SP, wherein the private key has a corresponding public key that is provided to the STU; and, (iii) transmitting the encrypted hashed message to the authorized customer.
- 43. In a digital transmission system wherein groups of program bearing packets are transmitted over a digital network between a service provider at a transmission site and a customer having a reception site, a method of selectively providing conditional access to the program within said program bearing packets comprising the steps of:
at the transmission site:
(a) selecting packets bearing a particular program that are to be delivered to at least one selected customer; (b) encrypting at least a portion of the selected packets with a first key using a first encryption algorithm; (c) encrypting said first key with a second key using a second encryption algorithm; (d) generating a message authentication code for the first key comprising a hash of a concatenation of said second key with said first key according to a hashing function; (e) generating an entitlement control message comprising a concatenation of said message authentication code and said first key; (f) generating a digital signature for said second key comprising a hash of said second key according to a hashing function and encrypting said hash of said second key with a private key associated with the SP, said private key having a public-key counterpart, in accordance with a public key encryption algorithm; (g) forming an entitlement management message comprising said encrypted key and said digital signature; (h) encrypting at least a portion of said entitlement management message with a public key according to a public-key encryption algorithm, wherein said public key is associated with said at least one selected customer; (i) multiplexing said selected program bearing packets, said entitlement control messages, and said entitlement management message into said digital network for reception by said at least one customer's reception site; at the reception site:
(j) receiving said selected program bearing packets, said entitlement control messages, and said entitlement management messages at said at least one customer's reception site; (k) recovering said second key from said entitlement management message by:
decrypting said encrypted portion of said entitlement management message using a private-key corresponding to said public key associated with said at least one selected customer; retrieving said digital signature portion and decrypting said digital signature portion with a public-key counterpart to said private key associated with the SP; retrieving said second key and hashing said second key; authenticating said second key when said digital signature is equivalent to said hashed second key; (l) recovering said first key from said entitlement control messages by:
decrypting said first key with said second key; concatenating said first key and said second key; generating a hash value by hashing said concatenated first key and said second key; authenticating said first key when said hash value is equivalent to said message authentication code contained in said entitlement control message; and, (m) decrypting said selected packets bearing said particular program with said first key.
- 44. A method as recited in claim 43 further comprising the step of, at the transmission site, acquiring the public-key corresponding to said at least one customer from a public-key database maintained by a conditional access authority.
- 45. A method as recited in claim 43, wherein said first encryption algorithm comprises a DES encryption algorithm.
- 46. A method as recited in claim 43, wherein said second encryption algorithm comprises a Triple-DES encryption algorithm.
- 47. A method as recited in claim 43, wherein said public-key encryption algorithm comprises an RSA encryption algorithm.
- 48. A method as recited in claim 43, wherein said hashing function comprises a Message Digest 5 hashing function.
- 49. A method as recited in claim 43 further comprising the step of periodically changing said first key.
- 50. A method as recited in claim 43 further comprising the step of periodically changing said second key.
- 51. In a digital transmission system wherein a plurality of service providers (SPs) transmit program bearing packets over a digital network for delivery to at least one selected customer, wherein the SPs add conditional access levels to program bearing packets by (a) encrypting a portion of said program packets with a first key using a first encryption algorithm; (b) encrypting said first key with a second key using a second encryption algorithm; (c) encrypting a portion of the second key with a public key using a public-key encryption algorithm, wherein said public key is associated with said at least one selected customer and wherein said public key has a private key counterpart; and, (d) providing said program bearing packets, said first key, and said second key to said at least one customer, a method of recovering the program bearing packets at said at least one customer's reception site, comprising the steps of:
(a) receiving said selected program bearing packets, said first key, and said second key at said at least one customer's reception site; (b) decrypting the encrypted said second key using said private-key corresponding to said public key associated with said at least one selected customer; (c) decrypting said first key with said second key; and, (d) recovering said program bearing packets by decrypting said encrypted portion of said program bearing packets with said first key.
- 52. In a digital transmission system wherein a plurality of service providers (SPs) transmit program bearing packets over a digital network for delivery to at least one selected customer, wherein the plurality of SPs add conditional access levels to program bearing packets by (a) encrypting a portion of said program packets with a first key using a first encryption algorithm; (b) encrypting said first key with a second key using a second encryption algorithm and appending a message authentication code to said first key; (c) encrypting a portion of the second key with a public key using a public-key encryption algorithm, wherein said public key is associated with said at least one selected customer and wherein said public key has a private key counterpart, and appending a digital signature to said second key; and, (d) providing said program bearing packets, said first key and said appended message authentication code, and said second key and said appended digital signature to said at least one customer, a method of recovering the program bearing packets by said at least one customer's reception site, comprising the steps of:
(a) receiving said selected program bearing packets, said first key and said appended message authentication code, and said second key and said appended digital signature at said at least one customer's reception site; (b) decrypting the encrypted said second key using a private-key corresponding to said public key associated with said at least one selected customer, with the inverse of said public-key encryption algorithm; (c) authenticating said second key for use in decryption by matching the appended digital signature with a digital signature stored at the customer's reception site that corresponds to at least one of said plurality of SPs; (d) decrypting said first key with said second key; (e) authenticating said first key for use in decryption by matching the appended message authentication code with a message authentication code generated at the customer's reception site; and, (f) decrypting said encrypted portion of said program bearing packets with said first key.
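The three-level key hierarchy of claim 43 (transmission site and reception site) and the recovery steps of claim 52, written out as a runnable sketch. This is an added example and not code from the patent or its assignee. The claims name DES, Triple-DES, MD5 and RSA; to keep the example dependency-free, DES and Triple-DES are replaced by a SHA-256 keystream XOR, RSA is textbook unpadded RSA over self-generated primes, and MD5 is taken from hashlib. The ECM and EMM layouts (MAC followed by the encrypted first key; RSA-encrypted second key followed by the signature), the sample transport packets, and every function name are constructed for this demonstration.

```python
"""Claim 43 / claim 52 key hierarchy as a runnable sketch (added example, not the patent's code).
Stand-ins, all assumptions: DES and Triple-DES -> SHA-256 keystream XOR; RSA -> textbook RSA on
self-generated primes, unpadded; MD5 -> hashlib.md5. Layouts, names and packets are constructed."""
import hashlib
import random
import secrets

_RNG = random.SystemRandom()

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    """Return ((e, n), (d, n)). e is prime, so gcd(e, phi) == 1 iff e does not divide phi."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def _mod_len(key):
    return (key[1].bit_length() + 7) // 8

def rsa_apply(key, value, out_len):
    """Raw RSA. out_len is the modulus size when encrypting or signing and the
    plaintext size when decrypting or verifying; a value that cannot fit is a failure."""
    exp, n = key
    m = int.from_bytes(value, "big")
    if m >= n:
        raise ValueError("value too large for modulus")
    result = pow(m, exp, n)
    if result.bit_length() > 8 * out_len:
        raise ValueError("recovered value does not fit the expected length")
    return result.to_bytes(out_len, "big")

def stream_xor(key, data, label):
    """Symmetric stand-in for DES/3DES: XOR with SHA-256(label || key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(label + key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def sample_packets():
    """Constructed stand-in for transport packets: 0x47 sync byte plus a payload."""
    return [b"\x47\x40\x11\x10" + f"program payload {i}".encode() for i in range(3)]

def tx_build(packets, sp_priv, customer_pub):
    """Transmission site, claim 43 steps (a)-(h): returns encrypted packets, ECM and EMM."""
    first_key = secrets.token_bytes(8)                                    # DES-sized program key
    second_key = secrets.token_bytes(16)                                  # 3DES-sized control key
    enc_packets = [stream_xor(first_key, p, b"prog") for p in packets]   # (b)
    enc_first = stream_xor(second_key, first_key, b"ecm")                # (c)
    mac = hashlib.md5(second_key + first_key).digest()                   # (d)
    ecm = mac + enc_first                                                # (e)
    sig = rsa_apply(sp_priv, hashlib.md5(second_key).digest(), _mod_len(sp_priv))   # (f)
    enc_second = rsa_apply(customer_pub, second_key, _mod_len(customer_pub))        # (h)
    return enc_packets, ecm, enc_second + sig                            # (g)

def rx_recover(enc_packets, ecm, emm, customer_priv, sp_pub):
    """Reception site, claim 43 steps (j)-(m) and claim 52: a bad signature or MAC is rejected."""
    split = _mod_len(customer_priv)
    second_key = rsa_apply(customer_priv, emm[:split], 16)               # (k) decrypt
    if rsa_apply(sp_pub, emm[split:], 16) != hashlib.md5(second_key).digest():   # (k) verify
        raise ValueError("EMM signature mismatch: second key not from the SP")
    first_key = stream_xor(second_key, ecm[16:], b"ecm")                 # (l) decrypt
    if hashlib.md5(second_key + first_key).digest() != ecm[:16]:         # (l) verify MAC
        raise ValueError("ECM MAC mismatch: first key rejected")
    return [stream_xor(first_key, p, b"prog") for p in enc_packets]      # (m)

if __name__ == "__main__":
    sp_pub, sp_priv = rsa_keygen()
    cust_pub, cust_priv = rsa_keygen()
    enc, ecm, emm = tx_build(sample_packets(), sp_priv, cust_pub)
    print(rx_recover(enc, ecm, emm, cust_priv, sp_pub) == sample_packets())
```

The receiver rejects an EMM whose signature does not verify under the SP's public key (or that was encrypted to a different customer's key) before it touches the ECM, and rejects an ECM whose hash over second key || first key does not match, so a tampered or mis-addressed message never yields a usable program key. The unpadded RSA and the plain-hash "message authentication code" are kept only to mirror the claims' wording; a current design would use RSA-OAEP/PSS (or a modern KEM and signature) and an HMAC or AEAD for the ECM, and periodically rotate both keys as claims 49 and 50 describe.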
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application claims priority of earlier filed U.S. provisional application Serial No. ______, filed Dec. 4, 1995, entitled “An Apparatus for Providing Conditional Access in Connection-Oriented, Interactive Networks With a Multiplicity of Service Providers.” (Attorney Docket No.: T-598).
Provisional Applications (1)

| Number | Date | Country |
|---|---|---|
| 60007962 | Dec 1995 | US |

Continuations (1)

| | Number | Date | Country |
|---|---|---|---|
| Parent | 08580759 | Dec 1995 | US |
| Child | 09135615 | Aug 1998 | US |