1. Field of the Invention
The present invention relates to a system and a method for Digital Rights Management (DRM) regional and timezone encryption/decryption key management.
2. Background Art
Websites are generally accessible globally. The Uniform Resource Locator (URL, World Wide Web address) for a Website can usually be accessed from anywhere at any time. However, some streaming video media (i.e., broadcast content) have Digital Rights Management (DRM) requirements to limit the accessibility based on, for example, geographic regions such as municipality (i.e., city) and based on timezone.
In one example, news broadcasts are appropriately be viewed by select, usually local, municipalities and regions. In another example, certain sports broadcasts are “blacked out” regionally due to poor local ticket sales. In yet another example, other broadcasts are controlled by timezone. Election results are a timezone example.
Broadcast content pulls (or distributions) are known based on the regional and timezone DRM requirements. Certain content is to be distributed only to certain locations. In conventional approaches to DRM management based on the regional and timezone DRM requirements, authentications flow all the way to the respective video source. As such, conventional approaches to DRM management are extremely inefficient.
Thus, it would be desirable to have a system and a method for DRM regional and timezone key management that addresses the inefficiencies of conventional approaches and provides further enhancements to media stream distribution.
The present invention generally provides new and innovative systems and techniques for Digital Rights Management (DRM) regional and timezone encryption/decryption key management that addresses authentication and localization substantially simultaneously without pre-positioning the content type to all locations.
According to the present invention, a cryptographic media stream system for ensuring media stream content is only consumed in authorized regions is provided. The system comprises at least one encryption/decryption key source configured to provide at least one of a regional key and a timezone key, where the regional key and the timezone key are globally unique keys, a media encryption engine that receives an unencrypted media stream and encrypts the encrypted media stream, and a media decryption engine that receives the encrypted media stream, and decrypts the encrypted media stream in response to at least one of the regional keys and the timezone keys. A simplistic way to understand the present invention is that a single key is formed by combining the regional key, the timezone key and another system key into a single master key. The media stream content can generally only be unlocked with the “master key” that is a combination of the multiple types of information contained in the respective keys.
Also according to the present invention, a method of ensuring media stream content is only consumed in authorized regions is provided. The method comprises providing at least one of a regional key and a timezone key using at least one encryption/decryption key source, wherein the regional key and the timezone key are globally unique keys, receiving an unencrypted media stream and encrypting the encrypted media stream using a media encryption engine, and receiving the encrypted media stream, and decrypting the encrypted media stream in response to at least one of the regional key and the timezone key using a media decryption engine.
Further, according to the present invention, a system for distribution, reception and display of media streams and for ensuring media stream content is only consumed in authorized regions is provided. The system comprises a source for information regarding a subscriber for authentication, at least one encryption/decryption key source configured to provide at least one of a regional key and a timezone key, wherein the regional key and the timezone key are globally unique keys, a media encryption engine that receives an unencrypted media stream and encrypts the encrypted media stream, and a media decryption engine that receives the encrypted media stream, and decrypts the encrypted media stream in response to at least one of the regional key and the timezone key, and validates the location of the subscriber for region and timezone using credentials.
The above features, and other features and advantages of the present invention are readily apparent from the following detailed descriptions thereof when taken in connection with the accompanying drawings.
With reference to the Figures, the preferred embodiments of the present invention will now be described in detail. In one example, the present invention may be implemented in connection with a cable television transmission and reception system. In another example, the present invention may be implemented in connection with a satellite (i.e., “dish”) broadcast television transmission and reception system (not shown). However, the present invention may be implemented in connection with any appropriate media stream transmission and reception (i.e., distribution) system to meet the design criteria of a particular application.
In the description below, the abbreviations, acronyms, terms, etc. may be defined as follows:
The Digital Rights Management (DRM) regional and timezone encryption/decryption key management of the present invention is generally implemented as a cryptographic system and method that may ensure that content (e.g., media streams, broadcasts, etc.) including video can only be consumed (e.g., viewed, observed, listened to, watched, recorded, played, etc.) in the appropriate (e.g., authorized, allowed, permitted, etc.) regions (e.g., municipalities, cities, states, and the like) and timezones of the distribution area (e.g., country, state, territory, etc.). There can be certain types of distributed media content such as sports events and election coverage that are generated and distributed with at least one of regional restrictions and timezone restrictions.
Multiple System Operators (MSOs) generally adhere to programming contracts and regulations that may include regional and timezone related media stream content distribution limitations. Such limitations may include, time restriction on election coverage, time restriction on information distribution to widely dispersed corporate locations, regional “black out” of sporting events due to ticket sales below a predetermined level (e.g., less than a sellout), and the like.
In streaming media and DRM technology, there are generally no inherent methods to meet the regional restriction and timezone restriction requirements placed on certain types of content. When content is placed on centralized streaming servers or delivered in real-time, the present invention generally provides a cryptographic method that generally ensures that MSOs are meeting the contract obligations based on keys that are generated and distributed corresponding to the regional content. Globally unique IDs for timezone and region may be used to generate a key for encryption at the source and the same globally unique IDs are used at the sink i.e., (receiving) device to decrypt the content for user consumption.
The DRM regional and timezone encryption/decryption key management of the present invention may provide a new, more secure, and simplified method to deliver specialized keys and license files for decrypting content and program media streams in streaming media applications. The new key management of the present invention may dramatically reduce the complexity that is implemented to restrict content keys to a region or to a timezone. The DRM regional and timezone encryption/decryption key management system and method of the present invention may be a significant portion of a new streaming media DRM system that generally ensures that regional content is only decrypted and viewed in the permitted region and timezone as required by content contracts. The DRM regional and timezone key management system and method of the present invention generally provides more efficient distribution and operations of certain types of content for streaming applications when compared to conventional approaches.
The DRM regional and timezone encryption/decryption key management of the present invention may provide flexibility and help to simplify the Impulse Pay Per View (IPPV), Video On Demand (VOD) and broadband streaming media security in a distribution system headend. The simplified key management structure of the present invention may be applied to the IPPV and VOD technologies and any appropriate broadband streaming media security and thereby standardize the overall approach to security for VOD and the like when executed through a DRM server.
The commercial value of Reduced DRM Regional and Timezone Key Management of the present invention may be very large since the present invention generally supports the Computer and Consumer Electronics (CE) industry to innovate new types of streaming services for MSOs. All CE and computer companies are potential customers for the present invention. The present invention may lower the overall cost of managing head-ends, set-tops and digital televisions, lower the cost and ease the operational complexities for Streaming Media and VOD applications, thereby providing the MSOs substantial cost savings when compared to conventional approaches. By enabling dramatically lower costs as well as increased innovation and new business models, the DRM Regional and Timezone Key Management of the present invention may improve the competitive position of cable based media distribution versus alternative video providers such as DBS and emerging telco-based video systems.
The present invention generally provides an improved system and method for generating encryption/decryption keys (e.g., DRM regional keys), and encrypting content that generally binds (i.e., associates, connects, relates, etc.) the media stream content to respective regions and timezones in the region (i.e., country, territory, user type, etc.) of interest. The system and method of the present invention generally ensure that content (e.g., data in a media stream) in the region (typically a geographic region such a metropolitan area, a state, a timezone, and the like) of interest is generally decrypted for display by consumers in specific regions and timezones in accord with MSO content contracts.
Referring to
The controller 100 generally comprises at least one key source 102 (e.g., key sources 102a-102n), a combiner/multiplexer 104, an Exclusive OR (e.g., EXOR) block (i.e., at least one of a circuit, gate, firmware, software, and the like that is configured to perform a logic EXOR operation) 106, and an encryption engine 108. The key sources 102 generally provide respective encryption/decryption keys. In one example, the key sources 102 may be implemented as key generator memory having keys stored therein (e.g., look up tables, LUT), and the like), a combination of a key generator and a memory, etc. However, the key sources 102 may be implemented as any appropriate key generator or source to meet the design criteria of a particular application.
The combiner/multiplexer 104 generally has a plurality of inputs that may receive keys (e.g., RID, TID, SK, OK, and the like) from respective key sources 102, and output that may present one or more of the keys RID, TID, SK, and OK to a first input of the EXOR block 106 in response to an encryption control signal (e.g., ES). The combiner/multiplexer 104 may select or combine one or more of the keys RID, TID, SK, and OK for presentation to the EXOR block 106 in response to the encrypt stream control signal ES.
The EXOR block 106 may a second input that may receive at least one key modifier (e.g., OK/M), and an output that may present at least one of the keys RID, TID, SK, and OK, the encryption control signal ES, and the least one key modifier OK/M to an input 120 of the encryption engine 108. The EXOR block 106 may further combine at least one of the keys RID, TID, SK, and OK, and the least one key modifier OK/M, generally in response to the encryption control signal ES.
The encryption engine 108 may have an input 122 that may receive an unencrypted media stream (e.g., CONTENT_IN) from at least one (and generally a plurality of) media content sources (not shown), and an output 124 that may present an encrypted media stream (e.g., CONTENT_OUT) in response to the media stream CONTENT_IN and at least one of the keys RID, TID, SK, and OK, the encryption control signal ES, and the least one key modifier OK/M. The encrypted media stream signal CONTENT_OUT generally includes an encrypted version of the clear media stream signal CONTENT_IN and at least one of the keys RID, TID, SK, and OK, the encryption control signal ES, and the least one key modifier OK/M.
The key RID may be implemented as a region identification key (i.e., a key that is associated with a particular region, generally a geographic region). The key TID may be implemented as a timezone identification key (i.e., a key that is associated with a particular timezone). The source seed key SK may be generated by the proprietor of the media stream distribution system where the controller 100 is implemented for use in generation of additional keys (e.g., OK and OK/M) for use in DES, 3-DES, or any other appropriate encryption process.
In one example, the other keys OK may be keys that correspond to a user profile that may include demographic information such as age, gender, incarceration status, employment identification, video viewing habits, income range, product purchase interests, broadband subscriber status, phone subscriber status (e.g., standard telephone service, cellular telephone service, DSL service, fax line service, etc.), geographic location, state, place of birth, and the like. In another example, the other keys OK may be keys that correspond to time of day, sales status of a sporting event (e.g., all local tickets sold out or not sold out), etc.
In one example, the other keys and modifiers OK/M may be implemented as a video on demand (VOD) key. In another example, the other keys and modifiers OK/M may be implemented as an impulse pay per view (IPPV) key. In yet another example, the other keys and modifiers OK/M may be implemented as a working key. However, the keys OK and OK/M may be implemented as any appropriate encryption/decryption key to meet the design criteria of a particular application.
Referring to
The controller 200 generally comprises at least one key source 202 (e.g., key sources 202a-202n), a combiner/multiplexer 204, an Exclusive OR (e.g., EXOR) block (i.e., at least one of a circuit, gate, firmware, software, and the like that is configured to perform a logic EXOR operation) 206, and a decryption engine 208. The combiner/multiplexer 204 generally has a plurality of inputs that may receive keys (e.g., RID, TID, DLK, OK, and the like) from respective key sources 202, and output that may present one or more of the keys RID, TID, DLK, and OK to a first input of the EXOR block 106 in response to an decryption control signal (e.g., DD). The key sources 202 are generally implemented as memories where the respective keys are loaded (e.g., when authentication certificates are installed) and stored. However, the sources 202 may be implemented as any appropriate key source to meet the design criteria of a particular application.
The combiner/multiplexer 204 may select or combine one or more of the keys RID, TID, DLK, and OK for presentation to the EXOR block 206 in response to the decrypt stream control signal DD. In one example, the control signal DD may br implemented as the control signal ES. In another example, the control signal DD may br implemented as a key signal that is provided to respective authorized users via the media stream CONTENT_OUT.
The EXOR block 206 may a second input that may receive the at least one key modifier OK/M, and an output that may present at least one of the keys RID, TID, DLK, and OK, the control signal DD, and the least one key modifier OK/M to an input 220 of the encryption engine 208. The EXOR block 206 may further combine at least one of the keys RID, TID, DLK, and OK, and the least one key modifier OK/M, generally in response to the decryption control signal DD.
The decryption engine 208 may have an input 222 that may receive an encrypted media stream (e.g., the media stream CONTENT_OUT) via the CDN to the subscriber and an output 124 that may present a decrypted (e.g., clear) media stream (e.g., CONTENT_IN) in response to the media stream CONTENT_OUT and at least one of the keys RID, TID, DLK, and OK, the decryption control signal DD, and the least one key modifier OK/M. The clear media stream CONTENT_IN is generally presented to at least one receiver (e.g., television, high definition television, personal computer and monitor, and the like) at the user location.
Referring to
The system 300 generally comprises a national server 302 coupled to a plurality of hubs 304 (e.g., hubs 304a-304n). The hubs 304 are each generally coupled to respective regional servers 306 (e.g., servers 306a-306n) that generally distributes media streams to respective regions a-n (e.g., to city_a-city_n, timezone_a-timezone_n, etc.). Each regional server 306 may be coupled to a respective workstation 308 (e.g., workstations 308a-308n). Each workstation 308 may be coupled to a respective router 310 (e.g., routers 310a-310n). Each router 310 may be coupled to a respective authentication server 312 (e.g., authentication servers 312a-312n). Each authentication server 312 is generally coupled to at least one client (customer) location device (e.g., a STB, a receiver, a personal computer and monitor, etc.) 314. A such, hubs 304, servers 306, workstations 308, routers 310, servers 312, and receivers 314 are successively downstream from the preceding elements.
The system 300 generally provides media streams (e.g., media streams that include video, audio, video plus audio, and the like in any appropriate format or protocol such as Motion Picture Expert Group (MPEG), MPEG-2, MPEG-4, Windows Media 9, Real Media, etc. streams) across a plurality (i.e., at least two) regions having varying distribution implementations. The present invention may further be implemented in connection with any appropriate newly developed video compression and transport protocol. For example, media stream assets may be segregated for the various regions that comprise the system 300 (e.g., respective regions related to, corresponding to, associated with, etc. each of the servers 302, 306, and 312).
The system 300 is generally implemented such that each respective region a-n is presented respective media stream assets that are the encrypted media stream CONTENT_OUT including keys and control signals (e.g., DD, ES, RIDa, TIDa, DLKa, OKa and OK/Ma to region a; DD, ES, RIDb, TIDb, DLKb, OKb and OK/Mb to region b; and so on). The national server 302 is generally configured to distribute proper (i.e., respective) media stream assets to the regional servers 306 via hubs 204 in response to the appropriate keys and ids (e.g., DD, ES, RID, TID, DLK, OK and OK/M). As such, the system 300 generally ensures that the media stream content is decrypted in the respective regions a-n by users (i.e., clients, customers, etc.) having appropriate keys and ids for the content, and region (e.g., timezone, city, voting area, etc.).
Each of the region and timezone IDs (e.g., the identifiers associated with or implemented as the keys RID and TID, respectively) are generally implemented as a globally unique ID and are generally globally unique with respect to all other IDs that may be used in key generation through the system of encryption and decryption (i.e., the controllers 100 and 200, respectively).
The controller 100 may be implemented in connection with the server 302. At least one of the system (or controller) 100 and the system (or controller) 200 may be implemented in connection with at least one of the servers 306 and 312. Content with known headers that are encrypted in the content may be presented as the media stream CONTENT_OUT such that the decryption may be performed and values checked to ensure that the proper key (e.g., the respective keys ES and DD) was generated on both ends of the media stream distribution system and that the regional IDs (e.g., RIDa-RIDn) and timezone IDs (e.g., TIDa-TIDn) are matching. Error messages may be displayed to the end subscriber when a failure occurs rather than displaying to the subscriber streaming video comprising a set of random blocks and pixels encrypted with the wrong key. The technology implemented using the present invention generally ensures that content encrypted at the source can only be decrypted by end-users (subscribers) in the regions and timezones as permitted by the content contracts agreed to by MSOs.
The encryption system (i.e., controller) 100 and the decryption system (i.e., controller) 200 of the present invention may be implemented in any appropriate level of servers of the system 300. In one example, an encryption controller 100 may be implemented in connection with the server 302 and a decryption controller 200 may be implemented in connection with at least one of the servers 306 and 312, and the receivers 314. The keys (e.g., RID, TID, and so forth) are generally distributed to respective regions (e.g., RIDa to region a, RIDb to region b, and so forth) per the respective MSO contracts. In another example, encryption controller 100 may be implemented in connection with the server 306. In yet another example, the encryption controller 100 may be implemented in connection with the server 312. The decryption controller 200 may be implemented in connection with at least one of the servers and the receivers 314 that are downstream from the controller 100.
The present invention generally ensures, through security technology, that regional and timezone specifications for content contracts can be met. The present invention generally performs a DRM regional and timezone Key Management process as follows.
As is readily apparent from the foregoing description, then, the present invention generally provides an improved system and an improved method using new and innovative systems and techniques for DRM regional and timezone key management that addresses authentication and localization substantially simultaneously without pre-positioning the content type to all locations.
While embodiments of the invention have been illustrated and described, it is not intended that these embodiments illustrate and describe all possible forms of the invention. Rather, the words used in the specification are words of description rather than limitation, and it is understood that various changes may be made without departing from the spirit and scope of the invention.