1. Field of Invention
This invention pertains to a method and system in which content is sent or can be utilized only by sinks that are within a specified maximum distance from a source.
2. Description of the Prior Art
The fundamental problem addressed by the invention is that there is currently no way to guarantee (with high confidence) that a content sink device (e.g., television) is actually within the same user's home, business, or other geographically-limited region as the content source device (e.g., a set-top box) to which the content owner desires to limit the distribution, reproduction, or playback of his content. For example, generally, if the source and the sink are connected through the Internet then they might be on opposite sides of the earth.
A case of special concern involves the use of Digital Transmission Content Protection (DTCP) (http://www.dtcp.com) protocol for copy protection over IEEE 1394, USB, MOST, and IP networks. DTCP only “secures” the link between the (5C) source and sink; there is no built-in notion of proximity between the source and sink devices. Part of the problem is solved by the (5C) standard, which guarantees (with high confidence) that a receiver is actually authorized to decode/store/playback (5C) encoded content. However, it is possible that the authorized (5C) receiver may be located too far away from the (5C) source, according to the content owner. So the (5C) standard per se does not solve the problem of limiting the geographic diffusion of content. Techniques that attempt to identify the receiving content user, for example by having the user enter a PIN or insert a smart card into the receiver are helpful in limiting the undesired diffusion of content, but do not address the fundamental problem that the receiving user may have placed the receiving device “too far away” from the potential content source. There are many known ways of determining the geographic location of an object.
“Triangulation” has been used for many years to establish the location of objects that emit electromagnetic radiation. This involves the use of two or more receivers with directional antennae and a geographic information database, such as a map. Given the known locations and directions of maximal received signal strength at the receivers, it is easy to find the transmitter location as the point at which lines drawn on the map from each receiver to “infinity” in the direction of maximal signal strength, intersect. In this case, the cooperation of the transmitter is not necessary, and, in fact, triangulation is often employed to locate unauthorized transmitters. A triangulation-based approach may serve the purpose of this invention, but only if the content receiver emits electromagnetic radiation, and two or more triangulation receivers are available.
More recently, it has become common for receivers to establish their positions using a Global Positioning System (GPS), which relies on measuring the differential delays of several signals transmitted from an array of GPS satellites. If the content receiver includes a GPS receiver and “return-channel” transmitter, it can convey its location back to the content source. The content source may be assumed to include a GPS receiver and/or a geographic database and means for calculating its distance from the content receiver. However, GPS does not work reliably indoors, and a receiver may be set with an incorrect location code as well.
Localization techniques that use so-called “ultra-wideband (UWB) radio” have also recently been described. For example, see U.S. Pat. No. 6,002,708: “SPREAD SPECTRUM LOCALIZERS”, assigned to Aether Wire & Location, Inc.
Techniques are also known whereby proximity of receivers to transmitters is established using Round-Trip Time (RTT) measurements between a transmitted signal from the source to the sink and the corresponding return signal. In the case of a single cooperating transmitter-receiver pair, this RTT measurement may be sufficient to establish that the receiving device is “close enough” to the transmitting device that the receiving device should be authorized to decode/store/playback a specified amount of content.
One proposed anti-diffusion solution involves the source setting the “Time to Live” (TTL) field to three in (IP) packets. This assumes that packets will traverse no more than three routers within a home network; otherwise it is assumed that they have left the bounds of the home (some research shows that packets must typically traverse six routers to get beyond the ISP to which the home network is connected) and the third router encountered by the packet should “kill” (i.e., discard) it. A second potential solution is the measurement of RTT using DTCP-level ping messages.
Another proposed solution is to require that the Wired Equivalency Protocol (WEP) be employed on (partly or wholly) wireless local networks. This addresses the cases of “unintentional sharing” of content that may occur simply by virtue of an unintended receiver being within range of a wireless content source due to:
The article http://www.spectrum.ieee.om/WEBONLY/publicfeature/iul03/e911.html describes a number of localization techniques, including other “old” techniques like LORAN not referenced above. It specifically mentions Aether Wire & Location Inc. (Nicasio, Calif.), whose patent is referenced above.
International Patent Application number WO 03/075125 A2 assigned to Enterasys Networks, mentions the use of RTT, among other mechanisms, as a means to authenticate receiving devices in a “location aware data network”.
International Patent Application WO 01/93434 A2, assigned to XtremeSpectrum, describes the use of RTT and triangulation to enable/disable a function in a remote device in a network comprising devices that communicate over a UWB wireless medium.
U.S. patent application 20020136407 by Denning, et al., describes a system/method in which data may only be decrypted at (a) specified geographic location(s). Location information is typically supplied by the GPS.
The invention pertains to a system and method which rely on techniques that are based on certain characteristics of localized networks (e.g., but not limited to, home networks) to limit content diffusion to a desired distance from the source. These techniques are used to authorize reception by sinks within an allowed distance from the source, and prevent reception at a greater distance; the latter specifically includes reception over “long-range” external networks such as the Internet, to which localized networks may be connected.
Several techniques may be employed, in some cases (but not necessarily) in combination, with each other or with the RTT measurement technique.
A. Pinging to Measure Round-Trip Time (RTT).
As indicated above, a potential content receiver must return a response to a “ping” (i.e., “did you hear this?”) message from a potential content source to that source. The source then attempts to establish that the potential sink is either “close enough” or “too far away” based on the RTT between the sending of the ping by it and the time that the response to the ping is received by the potential source from the sink.
When this technique is used, before transfer of data is permitted over a DTCP link an RTT determination must be made. The RTT is determined empirically from the time it takes to complete a secure authenticated handshake (that shall contain a nonce) between the source and sink devices. There is no limit on the number of retries that a source device can make to determine an RTT value. For reasonable network topologies and configurations, the impact to consumer-perceptible performance of conducting multiple RTT measurements should be taken into consideration. The term “nonce” is defined as a random or non-repeating value that is included in data exchanged by a protocol, usually for the purpose of guaranteeing liveness and thus detecting and protecting against replay attacks.
Alternatively, RTT can be measured at the Medium Access Control (MAC) protocol level. Particularly in the case of a wireless network, it is likely that the potential content source will need to retry the ping message (possibly, many times), to establish an RTT value that reliably discriminates between local and distant sinks. For example, in a wireless network the mean RTT may be 100–200 ms, whereas the minimum of a wired network may be a few milliseconds (ms), but the spread in RTT values for the wireless network will potentially encompass values ranging from less than that of a wired network, to a much larger value, e.g., 1 s, so that multiple ping trials will likely be needed to get an RTT value that demonstrates that the sink is not too far away (i.e., a value less than that for a fast wired connection through the Internet). In general, the potential content source must be prepared to ping the potential content sink once (where “once” in this context includes a possibly large number of re-tries) per content exchange session, although it may prove sufficient to ping only once for multiple content exchange sessions, if the content exchange protocol, e.g., DTCP, allows the content receiver to remain authorized over multiple sessions.
In general, if a single RTT meets the designated criteria, the sink may be considered to be within the desired distance of the source.
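The source-side decision described in this section, as an added example that is not part of the patent text: each ping carries a fresh nonce, the reply must authenticate that nonce, and one authenticated reply under the limit is enough. The 7 ms limit, the retry cap, the HMAC-SHA256 response format and the RTT samples are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

RTT_LIMIT_MS = 7.0  # assumed threshold; the page gives no value
MAX_TRIES = 16      # assumed cap; the page sets no limit on retries


def sink_response(auth_key: bytes, nonce: bytes) -> bytes:
    """Sink side: prove the ping was heard by MACing the source's nonce."""
    return hmac.new(auth_key, nonce, hashlib.sha256).digest()


def make_channel(auth_key, delays_ms, replayed=None):
    """Constructed link model: each ping returns (response, rtt_ms).

    delays_ms stands in for measured RTTs; if `replayed` is set, the far end
    answers every ping with that stale response instead of a fresh MAC.
    """
    delays = iter(delays_ms)

    def ping(nonce: bytes):
        fresh = sink_response(auth_key, nonce)
        return (replayed if replayed is not None else fresh), next(delays)

    return ping


def proximity_check(ping, auth_key, limit_ms=RTT_LIMIT_MS, max_tries=MAX_TRIES):
    """Source side; returns (authorized, tries_used, best_valid_rtt_ms)."""
    best = None
    for attempt in range(1, max_tries + 1):
        nonce = secrets.token_bytes(16)  # fresh per ping, so old replies fail
        try:
            response, rtt_ms = ping(nonce)
        except StopIteration:            # constructed samples exhausted
            return False, attempt - 1, best
        expected = hmac.new(auth_key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            continue                     # unauthenticated or replayed reply
        best = rtt_ms if best is None else min(best, rtt_ms)
        if rtt_ms <= limit_ms:
            return True, attempt, best   # a single qualifying RTT suffices
    return False, max_tries, best


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stands in for the authenticated shared secret
    wifi = make_channel(key, [180.0, 95.0, 240.0, 4.2, 130.0])  # jittery, nearby
    wan = make_channel(key, [48.0, 51.5, 47.3, 60.1, 49.9])     # steady, distant
    stale = sink_response(key, bytes(16))                       # reply to an old nonce
    print(proximity_check(wifi, key))
    print(proximity_check(wan, key))
    print(proximity_check(make_channel(key, [1.0] * 3, replayed=stale), key))
```

The jittery local link is authorized on its fourth try even though its mean RTT is far above the distant link's, while the distant link and the fast replayed reply are both refused.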
B. “The Beacon” Technique
A potential content receiver must demonstrate, by referring to a piece of information that the receiver receives from a beacon (i.e., transmitter of the piece of information), to that potential source of the content which it desires to receive, that it is within an acceptable physical distance from the potential content source, by acknowledging reception of that piece of information within an acceptable amount of time. In this technique, the potential receiver should reply with a message saying the equivalent of “I received your message AND here is a piece of information that proves that I correctly understood its content”. The return time is determined empirically from the time it takes to complete a secure authenticated handshake. The authentication preferably includes the exchange of a nonce between the source and sink devices. As discussed above, a “nonce” is an example of the aforementioned “piece of information” sent by the potential content source. For those scenarios in which it is desired to limit the diffusion of content to a highly-localized geographic area such as a home, the electromagnetic energy emitted by the beacon may be so small as to be “inherently local”, i.e., it can only be received within (or very nearly within) the bounds of that highly-localized area.
Preferably, with this technique, the beacon sends a test signal (such as a PING) along a path that includes at least in part a transmission media having a limited range. The return is either over a wired or wireless path.
C. Localization Protocol with Decrypt Key
In another embodiment, a source and a potential sink can exchange data signals over a first data communication channel, and an encryption key or other signal is sent over a second channel that has a limited range. An acknowledgement from the potential sink that the key is received is also an automatic indication that the potential sink is within the desired range and, accordingly, that the content can be sent. As an example of this technique, using the 5C protocol, a sequence of messages is exchanged between a potential source and sink for the purposes of “discovery” (i.e., source and sink “discover” that they are connected by a network), and authentication (i.e., that the sink is indeed a device that should be allowed to receive the (5C) content). Next, if authentication is successful, a session key is sent from the source to the sink, allowing the sink to decrypt the content. In one embodiment of the invention, the discovery and authentication messages may be sent over the content transfer network connecting the potential source and sink, whereas the session key may be sent over the beacon (which may be e.g., an RF, power line, infrared, or other beacon). Sending the session key over the beacon provides added confidence that the sink must be close enough, as the content cannot be reproduced at the sink without the session key.
If the potential content receiver is too far from the source, i.e., outside the range 28 of the access point 24, then it will not be able to receive the ping, and so will not return a response. If it is close enough, it will return a ping response which indicates that it has not only received a ping, but a ping from that particular source, by including, for example, a nonce in its response. The reply from the sink does not have to come in a beacon reply. The reply could be sent over the general network (including for example, a wired or wireless channel). The content is then sent to the sink using either the same channel as the one used for the PING, the channel used for the PING response, or a different channel.
The beacon generating the ping signal is either the source 22, the access point 24, or some other transmitter. The beacon can also send its PING signal in another form, for example as a light beam, such as a laser beam, an IR beam, etc.
The operation of systems 10 and 20 are contrasted in
As illustrated in
In another embodiment of the invention, two different channels are used, one being a general channel, having, for instance, a high data capacity, and the second channel having a limited range. However, in this embodiment, some critical data is sent to the sink over the second channel. This critical data is selected to include information without which the content is useless, even if it is successfully transmitted.
In step 310 the sender looks for an acknowledgement that the key has been received. If no such signal is received, the process ends. If a correct acknowledgment signal is received, then in step 312 encrypted content is transmitted. This transmission may be on the general channel or on the limited range channel. In step 314 the content is then decrypted by the sink using the key sent in step 308.
Of course, a combination of any two, or all three techniques may be used as well. A system 30 of this kind is shown in
At the sink, the content receiver 50 receives the messages, and sends them to the sink control 45. This latter system generates appropriate responses which are returned through the authentication transmitter 52 and channel 56 and authentication receiver 44. Channel 56 could be a wired (e.g. 1394) or wireless (e.g., 802.11) transmission medium.
As part of the initial messages, a PING signal may be transmitted as well (several times, if necessary), and the resultant RTT can be analyzed to determine if the distance between the source and the sink is not too big.
Once the source 32 and sink 34 exchange the appropriate handshake protocol and authentication is successful, a session key is sent from the source to the sink. In one embodiment of the invention, the discovery and authentication messages may be sent over the content channel 56, whereas the session key is sent over a limited range localization medium, such as a beacon (which may be e.g., an RF, power line, infrared, or other beacon, as discussed above). Sending the session key over the beacon provides added confidence that the sink must be close enough, as the content cannot be reproduced at the sink without the session key. The key is initiated by source control 36 and transmitted through a localization transmitter 38 and channel 54, and received by the localization receiver 46 and the sink control 45. Sink control 45 generates an appropriate acknowledge signal sent over localization transmitter 48 and channel 54 to the source 32 through localization receiver 40.
To provide a further level of confidence that the sink is close enough, additional pinging may also be sent from the source to the sink across the limited range channel 54 and the resultant RTT is again measured and used to determine or confirm that the source and sink are close enough, geographically.
In another embodiment, the original handshake protocol takes place over the channel 56 and content is transmitted over the limited range channel 54.
In yet another embodiment, all communications between the source and the sink take place over the limited range channel 54 and the channel 56 is not used. Content exchange takes place over the short wireless medium such as 802.11. In such a case, all localization and authentication messages may flow over that medium.
In still another embodiment, several different paths are provided as a means of defining the limited range channel, with some of the messages being transmitted over one “subchannel” and data being transmitted over a different subchannel. For example, PING signals may be transmitted over a wireless means (e.g., 802.11 or Bluetooth) while content is transmitted using a power line. In another embodiment, content flows over an 802.11 wireless link, while pinging and RTT measurement may be undertaken via another limited range medium, such as power line. Various other combinations of channel usage may be employed by the system as well.
In the embodiments described above, a single beacon is used to transmit messages and content to a sink. In yet another embodiment, multiple beacons are used, not necessarily co-located with (a) potential content source(s). In such cases, the mode of operation described above in conjunction with the description of
Numerous modifications may be made to the invention without departing from its scope as defined in the appended claims.
This application claims priority to provisional application Ser. No. 60/516,538 filed Oct. 31, 2003, and incorporated herein by reference.
Number | Name | Date | Kind |
---|---|---|---|
6002708 | Fleming et al. | Dec 1999 | A |
6405033 | Kennedy, III et al. | Jun 2002 | B1 |
6636740 | Ramesh | Oct 2003 | B1 |
6826699 | Sun | Nov 2004 | B1 |
6925410 | Narayanan | Aug 2005 | B1 |
6934851 | Epstein | Aug 2005 | B1 |
6940120 | Hashimoto et al. | Sep 2005 | B1 |
6970131 | Percy et al. | Nov 2005 | B1 |
6999533 | Murthy et al. | Feb 2006 | B1 |
7031294 | Aiello et al. | Apr 2006 | B1 |
7038619 | Percy et al. | May 2006 | B1 |
20020136407 | Denning et al. | Sep 2002 | A1 |
Number | Date | Country |
---|---|---|
WO-0193434 | Dec 2001 | WO |
WO-03075125 | Sep 2003 | WO |
Number | Date | Country | |
---|---|---|---|
20050160450 A1 | Jul 2005 | US |
Number | Date | Country | |
---|---|---|---|
60516538 | Oct 2003 | US |