This disclosure relates to securing broadcasts in a system, and to a security central processing unit with a secure connection to a broadcast head-end.
Advances in electronics and communications technologies driven by consumer demand can result in the widespread adoption of data-driven devices, including those for handling and converting third-party media content. Third-party media providers, such as satellite and cable companies, may want their content handled securely so that it cannot be copied or used beyond the permissions they grant.
The systems and methods may be better understood with reference to the following drawings and description. In the figures, like reference numerals designate corresponding parts throughout the different views.
A system and method can send messages securely from a broadcast head-end to a security processor, e.g., of an information appliance device, without passing through a host computer of the information appliance device. The messages can include instructions to the security processor, e.g., to address a hacking or cloning situation in the information appliance device.
In operation, the display device 102 may be utilized to play video streams, which may be received from broadcast head-ends and/or from one or more local sources, such as the AV player device 124. The display device 102 may, for example, receive TV broadcasts via the TV antenna 108 from the terrestrial-TV head end 104; cable-TV broadcasts, which may be communicated by CATV head-end 110 via the CATV distribution network 112; satellite TV broadcasts, which may be received via the satellite receiver 116; and/or Internet multimedia broadcasts, which may be communicated by the broadband-TV head-end 118 via the broadband network 120. TV head-ends may utilize various formatting schemes in TV broadcasts. The display device 102 may be operable to directly process multimedia/TV broadcasts to enable playing of corresponding video and/or audio data.
Additionally or alternatively, another device, for example the set-top box 122, may be utilized to perform processing operations and/or functions that extract video and/or audio data from received media streams; the extracted audio/video data may then be played back via the display device 102. The display device 102 may also be utilized to display video data input from the local sources, such as the AV player device 124. In this regard, the AV player device 124 may read and/or process multimedia data stored on multimedia storage devices, such as DVD or Blu-ray discs, and may generate corresponding video data that may be displayed via the display device 102.
The display 102, set-top box 122 and/or AV player device 124, or other information appliance device, may include suitable logic, circuitry, interfaces and/or code which may enable processing TV and/or multimedia streams/signals received from one or more broadcast head-ends, to enable generation of video, audio and/or other data that may be played via the display device 102. The display 102, set-top box 122 and/or AV player device 124 may perform at least some of the video/audio processing, and/or may also provide additional functions, such as encryption and/or access control related functions, including digital rights management (DRM) related processing.
The processing system 200 can securely handle data signals by passing messages of the data signals directly from the broadcast head-end to the first processing unit 210 or the second processing unit 220 of the information appliance device, without passing through the host computer 270 of the information appliance device. This can provide an advantage, for example, if the host computer 270 or other components of the information appliance device are hacked or cloned.
In a security-based broadcast system, the head-end may want to apply security controls to a set-top box 122, or other information appliance device, which is suspected of being hacked. If the host computer 270 is compromised, there may be little the head-end can do, because the other processors in the processing system 200 cannot receive messages from the head-end without intervention by the host computer 270. If the host computer 270 is not trusted, there may be no secure connection with the head-end unless the messages are tied to entitlement control messages (ECMs), i.e., to the key material the device needs to keep descrambling content. Although the first processing unit 210 and the second processing unit 220 can include security functionality, security processors often rely on the host computer 270 for direction, e.g., for key processing. Messages may be encrypted to the host computer 270, but if the host computer 270 simply fails to deliver them and their delivery is not coupled to the keys, the head-end may not be able to deliver the desired control to the information appliance device.
To securely send messages from the head-end to the second processing unit 220, the CA decrypt module 250 can receive and decrypt messages in the data signals sent from the head-ends to the information appliance device. The CA decrypt module 250 sends the decrypted messages to the transport CPU 260, which parses the messages and flags packets to be sent to the second processing unit 220, but not to the host CPU 270. The transport CPU 260 may detect a message, for example, by looking for known patterns in the decrypted data. Alternatively, the messages can carry identifying start codes that mark them as packets to be sent directly to the second processing unit 220. A message can include instructions to the second processing unit 220 to shut down the information appliance device to address a hacking or cloning situation, or other instructions such as to reset the information appliance device without shutting it down. The transport CPU 260 can provide the second processing unit 220 with access to the head-end message while prohibiting the host CPU 270 from accessing it.
A protected region 280 of memory 230 may be allocated, e.g., by the first processing unit 210, to store the message or packets so that they are accessible only to the first processing unit 210, the second processing unit 220 and the transport CPU 260, and not to the host CPU 270; the allocation itself does not involve the host CPU 270. The protected region 280 can be protected with protection hardware 240 that includes, e.g., an address range checker, to ensure that only the transport CPU 260, the first processing unit 210 and the second processing unit 220 may access the protected region 280, and not the host CPU 270. The protection hardware 240 can be controlled by the first processing unit 210 to physically block the host computer 270 from accessing the protected region 280 where sensitive data is stored. While the host computer 270 is denied access to this region, the protection hardware 240 allows the transport CPU 260, the first processing unit 210 and the second processing unit 220 to write and read messages to/from the protected region 280.
Additionally or alternatively, the transport CPU 260 can communicate the secure message directly to the second processing unit 220, e.g., via a dedicated channel 290, without involving the memory 230 or the host computer 270. The transport CPU 260 can directly write the message to an internal memory of the second processing unit 220. The internal memory of the second processing unit 220 is protected from modification by other masters, e.g., using access checkers. The message can include instructions from the head-end to reset or shut down the device, e.g., set-top box 122. The second processing unit 220 can execute the instructions. The host computer 270, which could be hacked, cannot interfere with execution of the instructions since it never receives the message.
The base layer of video and audio data is the elementary stream (ES), the raw compressed data. The ES data is assembled into large, variable-sized packetized elementary stream (PES) packets, each with a header, and those packets are then split into fixed-length transport packets, e.g., 188-byte packets, each with its own header of 4 bytes or more depending on the fields it contains. The transporting can be implemented with an MPEG-2 transport layer or other transport formats. File formats can use a different packet format, but at the base layer there is still ES data. The messages can be carried in these packet headers at the PES/ES layer. Carrying the messages in the video and audio ES layers has the advantage that once the video/audio is scrambled by CA, the messages are not visible to anyone without the CA keys, and therefore cannot be selectively removed from the stream.
If the packet is a head-end message that denies access to the host CPU 270, the transport CPU 260 can write the message to the protected region 280 of memory 230 (350). The transport CPU 260 can also interrupt the second processing unit 220, e.g., security CPU B, to make the second processing unit 220 aware of the message (360). The second processing unit 220 can read the message and process it by executing the instructions in the message, e.g., to thwart a hacking or cloning situation (370). If the message does not deny access to the host CPU 270, the message is not stored in the protected region 280 and the host computer 270 can access it (380).
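The transport-layer handling and the routing steps (350) to (380) above, as an added example that is not code from the patent or any product implementing it. It builds and parses MPEG-2 transport packets (188 bytes, 0x47 sync byte, 4-byte header, optional adaptation field carrying transport_private_data), detects a head-end message by a start code after CA decryption, and routes it into a region that an address-range checker opens only to the transport CPU and the two security CPUs. The start code, the 6-byte message layout, the opcodes, the bus-master names and the use of transport_private_data as the carrier are assumptions made for this example; the patent does not fix any of them.

```python
"""Added example (not from the patent): transport-CPU routing of head-end
messages around the host CPU.  Packet layout is MPEG-2 TS; start code,
message format, opcodes and bus-master names are assumptions."""
import struct
from dataclasses import dataclass

TS_PACKET_SIZE = 188
SYNC_BYTE = 0x47
MSG_START_CODE = b"\xfe\xed\xca\xfe"          # assumed marker for a head-end message
OPCODES = {0x01: "shutdown", 0x02: "reset"}  # assumed instruction encoding
DENY_HOST = 0x01                             # assumed flag bit: host CPU must not see this


def encode_message(opcode: int, deny_host: bool) -> bytes:
    """Assumed 6-byte message: start code | opcode | flags."""
    return MSG_START_CODE + bytes([opcode, DENY_HOST if deny_host else 0])


def build_packet(pid: int, payload: bytes, private_data: bytes = b"") -> bytes:
    """Build one 188-byte TS packet; a message rides in the adaptation field."""
    room = TS_PACKET_SIZE - 4 - len(payload)      # bytes left for the adaptation field
    if room == 0 and not private_data:            # adaptation_field_control = 1 (payload only)
        return struct.pack(">BHB", SYNC_BYTE, 0x4000 | pid, 0x10) + payload
    if private_data:                              # flags 0x02 = transport_private_data_flag
        body = b"\x02" + bytes([len(private_data)]) + private_data
    else:
        body = b"\x00" if room > 1 else b""       # flags byte only if there is room for it
    if room < len(body) + 1:
        raise ValueError("payload leaves no room for the adaptation field")
    adaptation = bytes([room - 1]) + body + b"\xff" * (room - 1 - len(body))  # 0xFF stuffing
    # header: sync, payload_unit_start_indicator + PID, adaptation_field_control = 3
    return struct.pack(">BHB", SYNC_BYTE, 0x4000 | pid, 0x30) + adaptation + payload


@dataclass
class TsPacket:
    pid: int
    private_data: bytes
    payload: bytes


def parse_packet(pkt: bytes) -> TsPacket:
    """Parse the 4-byte header and, if present, transport_private_data."""
    if len(pkt) != TS_PACKET_SIZE or pkt[0] != SYNC_BYTE:
        raise ValueError("not a 188-byte transport packet")
    _, pid_field, flags = struct.unpack(">BHB", pkt[:4])
    if pid_field & 0x8000:
        raise ValueError("transport_error_indicator set")
    afc, pos, private = (flags >> 4) & 0x3, 4, b""
    if afc & 0x2:                                 # adaptation field present
        af_len = pkt[4]
        pos = 5 + af_len
        if af_len and pkt[5] & 0x02:              # skip PCR / OPCR / splice_countdown if flagged
            off = 6 + (6 if pkt[5] & 0x10 else 0) + (6 if pkt[5] & 0x08 else 0) + (1 if pkt[5] & 0x04 else 0)
            private = pkt[off + 1: off + 1 + pkt[off]]
    return TsPacket(pid_field & 0x1FFF, private, pkt[pos:] if afc & 0x1 else b"")


class ProtectionHardware:
    """Address-range checker (protection hardware 240): only listed masters may touch the region."""
    def __init__(self, base, size, allowed_masters):
        self.base, self.size, self.allowed = base, size, frozenset(allowed_masters)

    def check(self, master, addr, length):
        overlaps = addr < self.base + self.size and addr + length > self.base
        if overlaps and master not in self.allowed:
            raise PermissionError(f"{master} blocked from {addr:#x}")


class Memory:
    def __init__(self, size, checker):
        self.cells, self.checker = bytearray(size), checker

    def write(self, master, addr, data):
        self.checker.check(master, addr, len(data))
        self.cells[addr:addr + len(data)] = data

    def read(self, master, addr, length):
        self.checker.check(master, addr, length)
        return bytes(self.cells[addr:addr + length])


class SecurityCpuB:
    """Executes head-end instructions once the transport CPU raises its interrupt (360)."""
    def __init__(self, mem):
        self.mem, self.actions = mem, []

    def interrupt(self, addr, length):
        msg = self.mem.read("security_cpu_b", addr, length)          # step 370
        self.actions.append(OPCODES.get(msg[4], "unknown"))


class TransportCpu:
    """Receives CA-decrypted packets and decides who may see each one."""
    def __init__(self, mem, scpu_b, protected_base):
        self.mem, self.scpu_b, self.base, self.host_queue = mem, scpu_b, protected_base, []

    def handle(self, packet: bytes) -> str:
        p = parse_packet(packet)
        msg = p.private_data
        if len(msg) >= 6 and msg.startswith(MSG_START_CODE) and msg[5] & DENY_HOST:
            self.mem.write("transport_cpu", self.base, msg)          # step 350
            self.scpu_b.interrupt(self.base, len(msg))               # step 360
            return "security_cpu_b"
        self.host_queue.append(p)                                    # step 380
        return "host"


def demo() -> dict:
    """Constructed stream: a shutdown order the host may not see, plain video, a reset the host may see."""
    checker = ProtectionHardware(0x1000, 0x100, {"transport_cpu", "security_cpu_a", "security_cpu_b"})
    mem = Memory(0x2000, checker)
    scpu_b = SecurityCpuB(mem)
    tcpu = TransportCpu(mem, scpu_b, 0x1000)
    video = b"constructed video ES bytes"
    routes = [
        tcpu.handle(build_packet(0x100, video, encode_message(0x01, deny_host=True))),
        tcpu.handle(build_packet(0x100, video)),
        tcpu.handle(build_packet(0x100, video, encode_message(0x02, deny_host=False))),
    ]
    try:                                           # host CPU 270 tries to read the protected region
        mem.read("host_cpu", 0x1000, 6)
        host_blocked = False
    except PermissionError:
        host_blocked = True
    return {"routes": routes, "actions": scpu_b.actions,
            "host_blocked": host_blocked, "host_packets": len(tcpu.host_queue)}


if __name__ == "__main__":
    print(demo())
```

The range checker is keyed on the bus master that issues the access, not on any software identity, which is the property the host-CPU bypass relies on: a compromised host can forge messages, but it cannot forge its own master ID on the bus. Note that the check only gates the protected region; the dedicated channel 290 variant would replace `Memory.write` with a write into security CPU B's internal memory.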
A benefit of this approach is that the head-end can send messages to a security processor to configure the information appliance device without relying on the host CPU 270 to process those messages. The head-end messages can travel directly to the first processing unit 210 and the second processing unit 220, bypassing the host CPU 270. Two security CPUs can be used for the first processing unit 210 and the second processing unit 220, e.g., in a multi-trust system. The first processing unit 210 can be a traditional security CPU with access to high-value secrets, which normally receives commands from the host CPU 270. The second processing unit 220 can be an intermediate-level security CPU. The first processing unit 210 can control the protected region 280 of memory 230 and the second processing unit 220 can perform actions based on the secure messages. Actions based on the messages can include shutting down an information appliance device that was hacked or cloned. Additionally or alternatively, more or fewer security CPUs may be used.
In a broadcast system 100 that includes two-way communications between the head-end and the information appliance device, the head-end may instruct the second processing unit 220 to return information to the head-end without the returned information passing through the host computer 270 of the information appliance device. For example, the CATV head-end 110 may instruct security CPU B of the set-top box 122 to return one-time programmable (OTP) configuration information or other settings. The OTP configuration information can identify a compromised set-top box to allow traitor tracing, e.g., identification of a set-top box that is performing cloning. Security CPU B can form a message including the OTP configuration information and send it back to the head-end without involving the host computer 270.
While various embodiments have been described, it will be apparent that many more embodiments and implementations are possible. Accordingly, the systems and methods are not to be restricted except in light of the attached claims and their equivalents.
This application claims priority to U.S. Provisional Application Ser. No. 61/684,484, filed Aug. 17, 2012, which is incorporated herein by reference in its entirety.
Publication Number | Date | Country
---|---|---
20140053186 A1 | Feb 2014 | US

Provisional Application Number | Date | Country
---|---|---
61684484 | Aug 2012 | US