System and Method for Securely Partitioning a Media Library

Abstract

A system and method for securely partitioning a media library of a media-on-demand system is provided. Middleware instances are created for each user group defined in the media-on-demand system. Users or clients that are part of a particular user group can only access content that has been registered with the associated middleware instance. A common media server can service multiple middleware instances reducing hardware resources and administration costs. Only content that has been registered with the middleware associated with a particular user group is viewable by the user thus providing a more secure media library.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

Further features and advantages of the present invention will become apparent from the following detailed description, taken in combination with the appended drawings, in which:

FIG. 1 is a block diagram schematically illustrating a media-on-demand system as known in the art;

FIG. 2 is a block diagram schematically illustrating a media-on-demand system in accordance with an embodiment of the present invention;

FIG. 3 is a flow diagram of how content is ingested into the media-on-demand system as shown in FIG. 2 in connection with an embodiment of the present invention; and

FIG. 4 is a flow diagram of how content is accessed by a user/client from the media-on-demand system as shown in FIG. 2 in connection with an embodiment of the present invention.

It will be noted that throughout the appended drawings, like features are identified by like reference numerals.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The present invention provides system and methods that enable media-on-demand library to be partitioned to ensure secure access to assets of the media library. Embodiments of the present invention are described below, by way of example only, with reference to FIGS. 2-4.

The present invention provides for securing a media library of a media-on-demand (MoD) system by defining unique middleware instances for user groups. Users or clients that are part of a particular user group can only access content that has been registered with the associated middleware instance. The media library resides on a common media server which can service multiple middleware instances reducing hardware resources and administration costs. The media server may comprise a plurality of clusters, wherein each cluster comprises a plurality of hardware and software devices for storing the media.

A user/client can only request content from the associated middleware instance to which it is granted access. The middleware also provides the interface to the MoD system for the user/client and controls access to content. In addition, middleware facilities features such as network monitoring and billing.

When a request for content from the user/client is received at the middleware instance, the middleware requests entitlement from an entitlement manager. The entitlement manager may include an encryption engine if required. The encryption & entitlement manager provides credentials or decryption keys to the user so that the content can be decrypted. The decryption key for a given media asset is common for all the user groups. The entitlement would generally be common for all user groups, but in principle could be different for each user group. For example, user group 1 might be entitled to watch a movie, where as group 2 would be entitled to watch and record the movie. Once entitlement has been provided the user can then request that the content be streamed from the media server and decrypt the content. Entitlement and encryption have been identified as one system for illustrative purposes. A person of ordinary skill in the art would understand that entitlement and encryption may be implemented separately by various methods.

Multiple middleware instances are created dependent on the number of user groups defined by the administrator. Each middleware instance may correspond to a class of user with a different subscriptions, but have access to shared media servers, digital rights servers and authentication servers.

The media may be streamed to the user/client by any number of protocols such as Motion Picture Experts Group Transport Stream (MPEG-TS), Motion Picture Experts Group Program Stream (MPEG-PS), Hypertext Transfer Protocol (HTTP), Multimedia Message Service (MMS), Real Time Transport Protocol (RTP), Real Time Streaming Protocol (RTSP), Real Time Control Protocol (RTCP) or proprietary protocols for example Real Networks Real Data Transport (RDT) or Windows Media Advanced Streaming Format (ASF) depending on the system architecture.

It should also be understood that the media-on-demand system may be resident on a single network or have components distributed to other adjoining networks. For example, the media server 30 may be located on a different network separate from the encryption & entitlement manager 20. The media server 30 may comprise one or more clusters of hardware and software devices that may act together to store media and to deliver requested content.

FIG. 2 illustrates MoD system in accordance with an embodiment of the present invention. In this embodiment there are three user groups or classes, known as #1, #2, #3, but the invention should be understood to include embodiments with any number two or more of user groups or classes. The administrator 50 creates a middleware instance for each user group or class defined in the MoD system. In this example, three middleware instances (42, 44 & 46) are shown to represent three distinct user groups. The user groups may be based upon characteristics such as subscription levels defined by pricing, service offerings, or capabilities of the access device or access network. Alternatively, in an enterprise MoD environment, the groups may be defined for organizational classes such as for example managers, helpdesk staff and human resources.

Each of the middleware instances can access the shared resources of the system such as the encryption & entitlement manager 20 and media server 30. The users/clients 60 of the system only have access to the particular middleware #1, #2 or #3 (42, 44 & 46) instance associated with their associated user group providing control over the content that is available to the users.

Alternatively, the user/clients 60 may not be restricted to a single middleware instance but may be granted access different middleware instances to access different content types or content provider. The user/client 60 would log into a particular middleware instance to access content associated with the respective middleware instance.

Referring also to FIG. 3, when new content is available the administrator 50 is informed by the media source 10 by a content available message or advertisement at step 301. The administrator 50 must make a determination as to which user groups will have access to the media. The determination involves the application of rules such as business rules which may for example be determined by subscriptions or content pricing in a consumer environment or defined by business groups or management levels in a business or enterprise environment. In this example, the user groups associated with middleware#244 and middleware#346 are identified as required to have access to the content. The administrator assigns the classes to the content at step 302 for registration with the desired middleware instance. Each related middleware instance, middleware#244 and middleware#346 are informed that the content is available and that the metadata is provided at step 303 and 303′ respectively.

The ingestion of the content into the MoD system must then be initiated by one of the middleware instances which can be determined by a various methods. For example, the lowest identified (numbered) middleware instance may be responsible for initiating content ingestion. The command may be provided as part of the metadata at step 303′ to middleware#346 or issued separately. The selected middleware, middleware#346, sends an ingest content message at step 305 to the encryption & entitlement manager 20.

Registration continues with each middleware instance then sends a request to the media source for the metadata associated with the content and the media source provides the metadata at steps 304 and 304′. It should also be understood that metadata may be provided alternatively by the administrator 50 directly rather than the media source either at steps 303 and 303′ or steps 304 and 304′.

The encryption & entitlement manager 20 creates entitlement policies for the specific content at step 306. Separate entitlement polices may be created for each middleware instances. The entitlement policy defines the rights period to access the content in addition to defining what can be done with the content such as recording or copying. The rights period may be a defined by parameters such as hours of availability, length of time that the content is available such as 24 hours or number of viewings allowed. For example, users/clients accessing middleware#244 may be able to only view the content, where as users/clients accessing middleware#346 may be able to view and record content which would require a different entitlement policy. Therefore, step 306 may receive additional requests from middleware#244 and middleware#346 prior to step 306 for creation of middleware specific entitlement policies.

Alternatively the administrator 50 may define the entitlement policies directly with the entitlement & encryption manager 20. In addition, the encryption & entitlement manager 20 may provide a more general entitlement to some or all of the media library, at some earlier time, such as when the user/client 60 logs into the middleware 40. In an embodiment, the middleware 40 can instruct the encryption & entitlement manager 20 to deliver appropriate entitlement information to the user/client 60, after the middleware 40 has approved the request for a particular media asset.

The middleware#346 then sends a request to the media source to send the content at step 307. The content is sent at step 308 to the encryption & entitlement manager 20. The media server 30 is then sent a request by the middleware#346 to ingest the content at step 309 and the encryption & entitlement manager 20 is requested to send the content at step 310 to the media server. The content is encrypted and sent at step 311 from the encryption & entitlement manager 20 to the media server 30. In another embodiment the encryption & entitlement manager 20, may be distributed or located after the media server 30. Content would then be encrypted as it is streamed in real-time to the user/client.

It should also be understood that the ingest content message may be sent from the middleware to the media source 10, as an instruction for the media source to push the content into the MoD system.

In this example the client/user may be part of a user group associated with middleware#244. Availability of the new content is then advertised to the user/clients 60 through the broadband network 55 by the middleware#244 by an update menu message at step 312 via a menu or directory update. The menu may be simply a directory displayed to the user of available content or take the form of a programming guide or searching interface.

Accordingly, the user/client associated with the middleware#346 that was used to ingest the content may now access the content; a user/client associated with the middleware#244 that ingested the metadata but was not used to ingest the content may now also access the content; but a user/client associated with middleware#142 will remain unaware of the content and will not be able to access or request the content.

FIG. 4 shows how a client/user 60 would access content stored on the media server 30. The user/client 60 may be embodied in dedicated hardware such as a set-top box or by software residing on any broadband communication access device such as a personal computer or mobile phone able to access a broadband network 55. The login procedure may require user input comprising some form of identification or a password through the broadband network 55 to provide an added level of security.

At step 401 the client 60 must login to the middleware#244 to access the on-demand system. The client then sends a media request at step 402 to the middleware#244. The media request may be a request for a specific piece of content such as a video program. The middleware#244 authorizes the request at step 403. The authorization of the request may include communication with an authentication system (not shown). At step 404 the middleware 40 then sends an entitlement authorization to the encryption & entitlement manager 20. The encryption & entitlement manager 20 provides entitlement keys or certificates at step 405 which allow the user/client 60 to access and decode the requested content.

The entitlement may be defined for s specific period of time, for example allowing a program to be viewed for limited period, such as 24 hours. Entitlement may also include identification of what the user/client can do with the content such as playback, record, copy or moved to other devices.

The user/client 60 can then send a streaming request at step 406 to the media server 30 which will then stream the required content to the user/client 60 at step 407. If the user/client 60 requests content from a middleware instance which is it not defined as part of the user group, for example middleware#142 or middleware#346, the request will be denied. The request to access content cannot be spoofed because middleware#142 does not know about the content an cannot generate a legal send entitlement request to the encryption & entitlement manager 20 to access the content.

The user/client 60 may unlock or access the content only after reception of associated certificate or key sent by the encryption & entitlement manager. The certificate or key is only sent when the encryption & entitlement manager 20 is instructed to do so by the associated middleware. The middleware effectively controls access to the content as the respective user groups are only aware of content registered with the respective middleware instance. Flags or permissions do not have to directly associated with the content allowing the content stored on the media server to be administered more easily from a shared resource.

In another embodiment, the user/client 60 requests for content at step 402 made via the middleware instance may be performed by securing dialogs facilitated by the encryption & entitlement manager 20 or an authentication server (not shown). Further, the middleware instances 42, 44, 46 and the encryption & entitlement manager 20 may be associated with an authentication server (not shown). The authentication server would be used to secure the entitlement authorization message at step 404. Thus, advantageously, a chain of trust is established: the content is secured by certificates and keys held in the encryption & entitlement manager 20; the user/client 60 is authenticated with the authentication server to make content requests 402; the middleware instances are authenticated with the authentication server to send entitlement requests 404; and the content may be unlocked only by the certificates and keys sent by the encryption & entitlement server 20. In this manner, the send entitlement message 404 cannot be spoofed by an unauthorized user or hacker.

In an alternative embodiment, multiple administrators 50 may be defined for the MoD system. Each administrator is involved in the flow only for assets for which they are authorized to manage. Unique media sources may be associated with individual administrators and middleware instances. The middleware instances may also be controlled by multiple administrators to provide access to the media assets dependent on the network configuration. The embodiment would be applicable where specific administrators are directly responsible for specific content providers available to the users of the MoD system.

The embodiments of the invention described above are intended to be illustrative only. The scope of the invention is therefore intended to be limited solely by the scope of the appended claims.

Claims

1. A method of partitioning a media-on-demand library comprising the steps of: defining a plurality of user groups;defining a plurality of middleware instances, each instance associated with one of the plurality of user groups;registering streaming media content of the library with at least one of the plurality of middleware instances;directing a request from a user to the appropriate middleware instance; andwherein the user can only access content registered with the middleware instance of the respective user group.

2. The method of claim 1 wherein the step of registering the streaming media content further comprises the step of ingesting streaming media content into the media-on-demand library under the direction of a selected one of the plurality of middleware instances.

3. The method of claim 2 further comprising the step of creating one or more entitlement policies to the streaming media content under the control of the selected one of the plurality of middleware instances.

4. The method of claim 2 further comprising the step of creating an entitlement policy to the streaming media content for each of the plurality of middleware instances, wherein the creation of each entitlement policy is performed under the control of the respective middleware instance.

5. The method of claim 2 wherein the step of ingestion further comprises encrypting the streaming media content before storing the encrypted content in the library.

6. The method of claim 1 wherein the step of directing a request to the middleware instance further comprises authenticating the user identity and middleware instance by an authentication server.

7. The method of claim 1 wherein the step of registering further comprises receiving metadata associated with the streaming media content.

8. The method of claim 1 wherein individual administrators are assigned to each one of the plurality of middleware instances and each middleware instances is associated with streaming media from unique content sources.

9. A method of providing access to a media-on-demand library, the method comprising the steps of: receiving a request for streaming media content stored in the media-on-demand library from a user at one of a plurality of middleware instances;verifying at the one of the plurality of middleware instances that the user requesting the streaming media content is part of a user group associated with the middleware instance;providing to the user an entitlement policy to the streaming media content; andwherein the user can only access content registered with the respective middleware instance.

10. The method of claim 9 further comprising the step of streaming the requested streaming media content from a media server to the user.

11. The method of claim 9 wherein the step of verifying further comprises authenticating the credentials of the one of the plurality of middleware instances with an authentication server.

12. The method of claim 9 wherein the step of providing to the user the entitlement policy, further comprises providing a decryption key to decrypt the streaming media content.

13. The method of claim 9 wherein the entitlement policy is unique to the respective middleware instance.

14. A media-on-demand system comprising: a library containing streaming media content; anda plurality of middleware instances, each instance being associated with a respective user group, at least part of the streaming media content is registered with each of the plurality of middleware instances, and wherein users of the user groups can only access content registered with the respective middleware instances.

15. The system of claim 14 further comprising an entitlement manager for providing an entitlement policy to users of the user group of the respective middleware instance to access streaming media content.

16. The system of claim 15 wherein a selected one of the plurality of middleware instances controls the ingestion of streaming media content into the library and controls creation of entitlement policies.

17. The system of claim 15 wherein a selected one of the plurality of middleware instances controls the ingestion of the streaming media content in to the library and each of the plurality of middleware instances controls creation of their respective entitlement policy.

18. The system of claim 14 further comprising an encryption manager for encrypting the streaming media content and providing decryption keys to the users associated with respective plurality of middleware instances.

19. The system of claim 15 further comprising an authentication server for authenticating the credentials of middleware instances and users.

20. The system of claim 14 wherein the library further comprises common media servers accessible by all of the plurality of middleware instances.