
HK1145376B - Method and apparatus for security in a data processing system - Google Patents


Info

Publication number
HK1145376B
Authority
HK
Hong Kong
Prior art keywords: key, short, encrypted, term, broadcast
Application number
HK10111748.0A
Other languages
Chinese (zh)
Other versions
HK1145376A1 (en)
Inventor
菲利普‧米凯尔‧霍克斯
詹姆斯‧森普尔
格雷戈里‧G‧罗斯
Original Assignee
高通股份有限公司


Description

Security method and apparatus in a data processing system
This application is a divisional application entitled "security method and apparatus in a data processing system", filed on 8.7.2004, application number 200480019592.6.
Technical Field
The present invention relates generally to data processing systems, and more particularly to a security method and apparatus in a data processing system.
Background
The security of data processing and information systems, including communication systems, contributes to accountability, fairness, accuracy, confidentiality, operability, and many other desired criteria. Encryption, or in general the field of cryptography, is used in electronic commerce, wireless communication, broadcasting and has an unlimited range of applications. In electronic commerce, encryption is used to prevent fraud and to verify financial transactions. Encryption is used to verify the identity of a participant in a data processing system. Encryption is also used to prevent hacking, protect web pages, and prevent access to secure documents.
Symmetric encryption systems, commonly referred to as cryptosystems, use the same key to encrypt and decrypt messages. However, asymmetric encryption systems encrypt a message using a first key (i.e., a public key) and decrypt it using a different key (i.e., a private key). Asymmetric cryptographic systems are also referred to as public key cryptographic systems. In a symmetric cryptosystem, there is a problem in securely providing a key from a sender to a receiver.
Therefore, there is a need to securely and efficiently provide a key between a sender and a receiver.
Disclosure of Invention
Embodiments disclosed herein address the above stated needs by providing a security method for use in a data processing system.
In one aspect, a method for providing an access key for receiving a broadcast service in a terminal storing a private key, includes: distributing a public key corresponding to the private key; receiving a key encrypted with the public key; decrypting the key with the private key; receiving the access key encrypted with the key; decrypting the access key with the key. Another method for providing an access key for receiving a broadcast service in a terminal storing a private key, comprising: distributing a public key corresponding to the private key; receiving the access key encrypted with the public key; decrypting the access key with the private key. Another method for providing an access key to receive a broadcast service in a terminal storing a key, comprising: distributing a public key corresponding to the private key; encrypting the key with the public key; sending the encrypted key; receiving the access key encrypted with the key; decrypting the access key with the key.
In another aspect, a method for distributing an access key for providing a broadcast service from a content provider, includes: receiving a public key corresponding to the private key; encrypting a key using the public key; sending the encrypted key; encrypting the access key using the key; transmitting the encrypted access key. Another method for distributing an access key for providing a broadcast service from a content provider, comprising: receiving a public key corresponding to the private key; encrypting the access key using the public key; transmitting the encrypted access key. Another method for distributing an access key for providing broadcast services from a content provider having a private key stored therein, comprising: distributing a public key corresponding to the private key; receiving a key encrypted with the public key; decrypting the key using the private key; encrypting the access key using the key; transmitting the encrypted access key.
In another aspect, an apparatus for providing an access key to receive a broadcast service in a terminal storing a private key, includes: means for distributing a public key corresponding to the private key; means for receiving a key encrypted with the public key; means for decrypting the key with the private key; means for receiving the access key encrypted with the key; means for decrypting the access key with the key. Another apparatus for providing an access key to receive a broadcast service in a terminal storing a private key, comprising: means for distributing a public key corresponding to the private key; means for receiving the access key encrypted with the public key; means for decrypting the access key with the private key. Another apparatus for providing an access key to receive a broadcast service in a terminal storing a key, comprising: means for receiving a public key corresponding to the private key; means for encrypting the key using the public key; means for sending the encrypted key; means for receiving the access key encrypted with the key; means for decrypting the access key with the key.
In another aspect, an apparatus for distributing an access key for providing a broadcast service from a content provider, includes: means for receiving a public key corresponding to the private key; means for encrypting a key using the public key; means for sending the encrypted key; means for encrypting the access key using the key; means for transmitting the encrypted access key. Another apparatus for distributing an access key to provide a broadcast service from a content provider, comprising: means for receiving a public key corresponding to the private key; means for encrypting the access key using the public key; means for transmitting the encrypted access key. Another apparatus for distributing an access key to provide a broadcast service from a content provider storing a private key, comprising: means for distributing a public key corresponding to the private key; means for receiving a key encrypted with the public key; means for decrypting the key using the private key; means for encrypting the access key using the key; means for transmitting the encrypted access key.
In another aspect, a machine-readable medium for providing an access key for receiving a broadcast service in a terminal storing a private key, comprising: code for distributing a public key corresponding to the private key; code for receiving a key encrypted with the public key; code for decrypting the key with the private key; code for receiving the access key encrypted with the key; code for decrypting the access key with the key. Another machine-readable medium for providing an access key for receiving a broadcast service in a terminal storing a private key, comprising: code for distributing a public key corresponding to the private key; code for receiving the access key encrypted with the public key; code for decrypting the access key with the private key. Another machine-readable medium for providing an access key for receiving a broadcast service in a terminal storing a key, comprising: code for receiving a public key corresponding to the private key; code for encrypting the key using the public key; code for transmitting the encrypted key; code for receiving the access key encrypted with the key; code for decrypting the access key with the key.
In another aspect, a machine-readable medium for distributing an access key for providing broadcast services from a content provider, comprising: code for receiving a public key corresponding to the private key; code for encrypting a key using the public key; code for transmitting the encrypted key; code for encrypting the access key using the key; code for transmitting the encrypted access key. Another machine-readable medium for distributing an access key for providing broadcast services from a content provider, comprising: code for receiving a public key corresponding to the private key; code for encrypting the access key using the public key; code for transmitting the encrypted access key. Another machine-readable medium for distributing an access key for providing broadcast services from a content provider having a private key stored therein, comprising: code for distributing a public key corresponding to the private key; code for receiving a key encrypted with the public key; code for decrypting the key using the private key; code for encrypting the access key using the key; code for transmitting the encrypted access key.
According to another aspect of the present invention, there is provided a method of broadcasting encrypted multimedia content over-the-air from a content provider to a plurality of authorized terminals, comprising:
each terminal transferring its unique public key to the content provider over the air, wherein
each terminal has a mobile device and a secure processing unit securely storing a unique private key, the unique private key corresponding to the unique public key and being inaccessible to the mobile device of the respective terminal;
the secure processing unit provides greater secure key storage capability than the mobile device,
the secure processing unit has processing power sufficient to decrypt a broadcast access key and generate a short-term key;
the secure processing unit does not have sufficient processing power to decrypt the multimedia content, and
the content provider encrypting the broadcast access key with the unique public key of each of the terminals to authorize the terminals to receive the encrypted multimedia content;
each terminal receiving a respective encrypted broadcast access key from a content provider over the air and providing the respective encrypted broadcast access key to a security processing unit of the terminal, wherein the security processing unit of the terminal decrypts the encrypted broadcast access key using a unique private key of the security processing unit and securely stores the broadcast access key;
each terminal receiving encrypted multimedia content and short-term key information broadcast over-the-air from the content provider to the plurality of terminals, wherein the multimedia content is encrypted using a short-term key and the short-term key is generated using a broadcast access key and the short-term key information;
each terminal providing the short-term key information to a security processing unit of the terminal, wherein the security processing unit generates the short-term key using the broadcast access key and the short-term key information and provides the short-term key to a mobile device of the terminal; and
the mobile device of each terminal decrypts the multimedia content using the short-term key.
According to yet another aspect of the present invention, there is provided an integrated circuit for a mobile station, comprising:
a module for forwarding the unique public key to the content provider over the air,
a module for securely storing a unique private key that corresponds to the unique public key and that is inaccessible to the user, wherein the module for securely storing has processing power sufficient to decrypt the broadcast access key and generate a short-term key, but not sufficient processing power to decrypt the multimedia content, wherein the content provider encrypts the broadcast access key with the unique public key to authorize the integrated circuit that securely stores the corresponding unique private key to receive the encrypted multimedia content;
means for receiving over the air respective encrypted broadcast access keys from the content providers,
means for decrypting the encrypted broadcast access key and securely storing the broadcast access key, wherein the securely stored broadcast access key is inaccessible to the user;
means for receiving encrypted multimedia content and short-term key information broadcast over-the-air from the content provider to a plurality of mobile stations, wherein the multimedia content is encrypted using a short-term key and the short-term key is generated using a broadcast access key and the short-term key information;
means for generating the short-term key using the securely stored broadcast access key and the broadcast short-term key information; and
means for decrypting the multimedia content using the short-term key, wherein the means for securely storing provides greater secure key storage capability than the means for decrypting the media content.
According to yet another aspect of the present invention, there is provided an apparatus for receiving encrypted multimedia content broadcast over-the-air from a content provider to a plurality of authorized devices, comprising:
a mobile device configured to:
transferring the unique public key over the air to the content provider,
decrypting the multimedia content using a short-term key, wherein the multimedia content is encrypted using the short-term key, and the short-term key is generated using the broadcast access key and the short-term key information; and
a secure processing unit configured to:
securely storing a unique private key corresponding to the unique public key and inaccessible to the mobile device, wherein the secure processing unit provides greater secure key storage capacity than the mobile device, the secure processing unit has sufficient processing capacity to decrypt a broadcast access key and generate a short-term key but does not have sufficient processing capacity to decrypt multimedia content, and the content provider encrypts the broadcast access key with the unique public key to authorize a device having the secure processing unit securely storing the corresponding unique private key to receive the encrypted multimedia content;
receiving the respective encrypted broadcast access key from the content provider over the air,
decrypting the encrypted broadcast access key and securely storing the broadcast access key, wherein the securely stored broadcast access key is not accessible to the user;
receiving short-term key information broadcast over-the-air from the content provider to the plurality of devices,
generating the short-term key using the securely stored broadcast access key and the broadcast short-term key information.
In the above embodiments, the key may be a registration key or a temporary key.
Drawings
Various embodiments are described in detail below with reference to the drawings, wherein like reference numerals represent like elements, and wherein:
FIG. 1A is a schematic diagram of a cryptographic system;
FIG. 1B is a schematic diagram of a symmetric cryptographic system;
FIG. 1C is a schematic diagram of an asymmetric cryptographic system;
FIG. 1D is a schematic diagram of a PGP encryption system;
FIG. 1E is a schematic diagram of a PGP decryption system;
FIG. 2 is a schematic diagram of a spread spectrum communication system supporting a plurality of users;
FIG. 3 illustrates a simplified system for implementing BCMCS;
FIG. 4 illustrates a terminal capable of subscribing to BCMCS to receive multimedia content;
FIGS. 5A and 5B illustrate provisioning of keys in the UIM;
FIG. 6 illustrates provisioning of an access key in a UIM;
FIG. 7 illustrates an exemplary method for provisioning keys in a UIM;
FIG. 8 illustrates another exemplary method for provisioning keys in a UIM; and
FIG. 9 illustrates an exemplary method for provisioning an access key in a UIM.
Detailed Description
In the following description, specific details are given to provide a thorough understanding of the embodiments. However, it will be understood by those of ordinary skill in the art that the embodiments may be practiced without these specific details. For example, circuits may be shown in block diagrams in order not to obscure the embodiments in unnecessary detail. In other instances, well-known circuits, structures and techniques may be shown without unnecessary detail in order not to obscure the embodiments.
It is also noted that the embodiments may be described as a process which is depicted as a flowchart, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. When the operation is completed, the process ends. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination corresponds to the function returning to the calling function or the main function.
Wireless communication systems are widely deployed to provide various types of communication such as voice, data, and so on. These systems may be based on Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), or other modulation techniques.
A system may be designed to support one or more standards, such as the "TIA/EIA-95-B Mobile Station-Base Station Compatibility Standard for Dual-Mode Wideband Spread Spectrum Cellular System" (the IS-95 standard); the TDMA-based "Global System for Mobile" (GSM) communication standard; the third-generation wireless service "Universal Mobile Telecommunications Services" (UMTS) standard based on the GSM communication standard; the General Packet Radio System (GPRS) communication standard, which is an evolutionary step from GSM to UMTS; the standards provided by the organization named "3rd Generation Partnership Project" (3GPP), embodied in a suite of documents including documents Nos. 3G TS 25.211, 3G TS 25.212, 3G TS 25.213, 3G TS 25.214 and 3G TS 25.302 (the W-CDMA standard); and the standard provided by the organization named "3rd Generation Partnership Project 2" (3GPP2), embodied in the "TR-45.5 Physical Layer Standard for cdma2000 Spread Spectrum Systems" (the IS-2000 standard).
Each standard defines the data handling of wireless communications between infrastructure elements such as base stations and customer premises equipment such as mobile devices. For purposes of illustration, the following discussion considers a spread spectrum communication system consistent with a CDMA2000 system. However, other embodiments may incorporate other standards/systems.
A cryptographic system is a method of disguising a message to enable a particular group of users to extract the message. Fig. 1A shows a basic cryptographic system 10. Cryptography is the technique of creating and using cryptographic systems. Cryptanalysis is a technique to break cryptographic systems, i.e. to receive and understand a message when you are not in a particular group of users allowed to access the message. The original message is referred to as a plaintext message or plaintext. The encrypted message is referred to as ciphertext, wherein encryption includes any means of converting plaintext into ciphertext. Decryption includes any method of converting ciphertext into plaintext, i.e., a method of recovering the original message. As shown in fig. 1A, a plaintext message is encrypted to form a ciphertext. The ciphertext is then received and decrypted, thereby recovering the plaintext. Although the terms "plaintext" and "ciphertext" are generally directed to data, the concept of encryption may be applied to any digital information, including audio and video data represented in digital form. Although portions of the description of the invention provided herein use the terms "plaintext" and "ciphertext" consistent with cryptography, these terms do not exclude other forms of digital communication.
The cryptographic system is based on secrets. A group of entities shares a secret if an entity outside the group cannot obtain the secret without expending significant resources. The secret serves as a secure connection between the group of entities. A cryptographic system may be a set of algorithms, each labelled by a tag referred to as a key. Symmetric encryption systems use the same key to encrypt and decrypt messages. A symmetric encryption system 20 is shown in fig. 1B, where encryption and decryption use the same private key.
In contrast, asymmetric encryption systems encrypt a message using a first key, referred to as the public key, and decrypt it using a different key, referred to as the private key. Fig. 1C shows an asymmetric encryption system 30 in which one key is used for encryption and the other key is used for decryption. Asymmetric cryptographic systems are also referred to as "public key" cryptographic systems. The public key is public and can be used to encrypt any message, however, only the private key can be used to decrypt messages encrypted with the public key.
In symmetric cryptosystems, the secure provision of keys from a sender to a receiver presents problems. In one solution, a trust history may be used to provide this information, or a more efficient and reliable solution may use a public key cryptosystem, such as the public key cryptosystem (RSA) defined by Rivest, Shamir, and Adleman, which will be discussed below. The RSA system is used in a common security tool named PGP.
PGP combines the features of symmetric and asymmetric encryption. Fig. 1D and 1E illustrate a PGP cryptosystem 50 in which a plaintext message is encrypted and recovered. In fig. 1D, the plaintext message may be compressed to save modem transmission time and hard disk space. In addition to the encryption and decryption processes, compression adds another level of translation, thereby enhancing cryptographic security. Most cryptanalysis techniques employ patterns found in the plaintext to break the ciphertext. Compression reduces these patterns in the plaintext, thereby enhancing resistance to cryptanalysis.
Thereafter, the PGP creates a session key, which is a one-time key. The key is a random number and may be generated by any random event, such as random movement of the mouse and keystrokes while typing. The session key works with a secure encryption algorithm to encrypt plaintext to obtain ciphertext. After encrypting the data, the session key is encrypted with the public key of the receiving party. The public-key encrypted session key is transmitted to the recipient along with the ciphertext.
For decryption, as shown in fig. 1E, the PGP copy of the receiving party recovers the temporary session key using the private key, and then the PGP decrypts the regular encrypted ciphertext using the temporary session key. The combination of encryption methods takes advantage of the convenience of public key encryption and the speed of symmetric encryption. Symmetric encryption is typically much faster than public key encryption. Public key encryption provides a solution to the key distribution and data transfer problem. By combining, performance and key distribution can be improved without significantly sacrificing security.
The PGP stores the key in two files; one file stores the public key and one file stores the private key. These files are called key rings (keyrings). In application, the PGP encryption system adds the public key of the intended recipient to the public key ring of the sender. The sender's private key is stored in the sender's private key ring.
As described above, the method of distributing keys for encryption and decryption may be very complicated. The "key exchange problem" consists first in ensuring that keys are exchanged so that the sender and the receiver can perform encryption and decryption, respectively, and that both the sender and the receiver can encrypt and decrypt messages for bidirectional communication. In addition, it is desirable to perform the key exchange so as to prevent interception by unwanted third parties.
Fig. 2 is an example of a communication system 200 that supports multiple users and is capable of implementing at least some aspects and embodiments of the present invention. System 200 provides communication for a plurality of cells 202A-202G, each of which is serviced by a corresponding base station 204A-204G, respectively.
Terminals 206 in the coverage area may be fixed (i.e., stationary) or mobile. As shown in fig. 2, terminals 206 are dispersed throughout the system. Each terminal 206 communicates with at least one and possibly more base stations 204 on the downlink or uplink at any given moment, depending on, for example, whether soft handoff is employed or whether the terminal is designed and operated to receive multiple transmissions (concurrently or sequentially) from multiple base stations. Soft handoff in CDMA communication systems is well known in the art and is described in detail in U.S. patent No.5,101,501, entitled method and system for providing soft handoff in a CDMA cellular telephone system, which is assigned to the assignee of the present invention. The downlink refers to transmission from the base station to the terminal, and the uplink refers to transmission from the terminal to the base station. It should be noted that various other infrastructure elements besides base stations may be implemented, depending on the system configuration and/or the standards supported by the system. Furthermore, although the terminal may be a mobile telephone, a personal digital assistant, or some other mobile or fixed station, for purposes of illustration, the embodiments will be described below using a mobile station.
The growing demand for wireless data transmission and the expansion of services available through wireless communication technologies have led to the development of specific data services. According to one embodiment, the system 200 supports high speed multimedia broadcast services, hereinafter referred to as High Speed Broadcast Services (HSBS). An example application of HSBS is video streaming of movies, sporting events, etc. The HSBS service is a packet data service based on the Internet Protocol (IP). The service provider may indicate the availability of such high-speed broadcast services to the user. A user who desires the HSBS service subscribes to receive the service and can discover the broadcast service schedule through advertisements, the Short Message Service (SMS), the Wireless Application Protocol (WAP), and the like. The Base Station (BS) transmits the HSBS-related parameters in an overhead message. When the MS wishes to receive the broadcast session, the MS reads the overhead messages and learns the appropriate configuration. The MS then tunes to the frequency containing the HSBS channel and receives the broadcast service content.
For HSBS services, there are a number of possible subscription/revenue models, including free access, controlled access, and partially controlled access. For free access, the mobile station receives the service without subscribing. The BS broadcasts unencrypted content that the interested mobile stations are able to receive. Revenue for the service provider may be generated by advertisements transmitted simultaneously in the broadcast channel. For example, an upcoming movie clip may be delivered, for which the movie company will pay the service provider.
For controlled access, the MS user subscribes to the service and pays a corresponding fee to receive the broadcast service. Non-subscribing users cannot access content broadcast by the HSBS. Thus, controlled access is achieved by encrypting the HSBS transmission/content so that only the subscribing user can decrypt, view and/or process the content. This may use a wireless encryption key exchange procedure. This scheme provides strong security and prevents theft of service.
The hybrid access scheme is referred to as partially controlled access, providing HSBS services as subscription-based services, which are encrypted with intermittent unencrypted advertisement transmissions. These advertisements are intended to encourage subscription to the encrypted HSBS service. The MS may learn the schedule of these unencrypted segments through external means.
In one embodiment, the system 200 supports a particular broadcast service, referred to as a broadcast/multicast service (BCMCS), sometimes referred to as a multimedia broadcast/multicast service (MBMS). BCMCS is described in detail in U.S. patent application No.10/233,188, filed on 8/28/2002. Generally, BCMCS is an Internet Protocol (IP) based packet data service. Fig. 3 illustrates a simplified network 300 for implementing BCMCS. In network 300, content source (CS) 310 provides video/audio information to Packet Data Service Network (PDSN) 330. The video and audio information may be from a television program or video transmission. The information is provided as packet data, such as IP packets. PDSN 330 processes the IP packets for distribution within the Access Network (AN). As shown, the AN is defined as the portion of the network 300 that includes an infrastructure element 340, such as a base station, that communicates with a plurality of terminals 350, such as mobile stations.
For BCMCS, CS 310 provides unencrypted content. Infrastructure element 340 receives the information stream from PDSN 330 and provides the information to user terminals within network 300 over a designated channel. To control access, a content encryptor (not shown) encrypts content from CS 310 using an encryption key and then provides it to PDSN 330. Since the content encryptor may be implemented together with or separately from CS 310, the content encryptor and CS 310 will be referred to as the content provider hereinafter. Note that the content provider may also include other elements and/or entities, such as a subscription manager, a key generator, or a key manager. The subscribed users are then provided with decryption keys so that the IP packets can be decrypted.
More specifically, fig. 4 illustrates a terminal 400 capable of subscribing to BCMCS to receive broadcast content. The terminal 400 includes an antenna 410 coupled to a receive circuit 420. The terminal 400 receives a transmission from a content provider (not shown) through an infrastructure element (not shown). The terminal 400 includes a Mobile Equipment (ME)440 and a User Identity Module (UIM)430 coupled to a receive circuit 420. Note that for purposes of illustration, UIM430 and ME 440 are separate, but in some embodiments, UIM430 and ME 440 may be integrated together as one secure processing unit. In addition, although the present embodiment is described with reference to the UIM, other Integrated Circuit cards or security processing units may be used, such as Universal Integrated Circuit Card (UICC), Subscriber Identity Module (SIM), or Universal Subscriber Identity Module (USIM).
Generally, UIM430 applies an authentication procedure for security of BCMCS transmissions and provides various keys to ME 440. ME 440 performs the actual processing including, but not limited to: the BCMCS content stream is decrypted using the key provided by UIM 430. UIM430 is trusted to securely store and process secret information (e.g., encryption keys) that should be kept secret for a long period of time. Since UIM430 is a secure unit, the secrets stored therein do not necessarily require the system to change the secret information often.
UIM430 may include a processing Unit referred to as Secure UIM Processing Unit (SUPU) 432 and a Secure Memory storage Unit referred to as Secure UIM Memory Unit (SUMU) 434. Within UIM430, SUMU 434 stores the secret information in a manner that prevents unauthorized access to the information. If secret information is obtained from UIM430, access will require a very large amount of resources. Further, within UIM430, SUPU 432 performs calculations on values that may be external and/or internal to UIM 430. The results of the calculations may be stored in SUMU 434 or transmitted to ME 440.
UIM430 may be a fixed unit or integrated in terminal 400. Note that UIM430 may also include a non-secure memory and a processor (not shown) for storing information including telephone numbers, e-mail address information, web page or URL address information, and/or scheduling functions. Other embodiments may provide a removable and/or reprogrammable UIM. Generally, the SUPU 432 does not have a strong processing capability for functions such as decryption of BCMCS broadcast contents, which is beyond the scope of security and key procedures. However, other embodiments may implement a UIM with greater processing capabilities.
Although UIM 430 is a secure element, non-subscribers may also access data in ME 440, so ME 440 is insecure. Any information transferred to ME 440 or processed by ME 440 can only be kept secret for a short period of time. Therefore, it is desirable that any secret information, such as a key, shared with ME 440 can be changed from time to time.
More specifically, BCMCS content is typically encrypted using a unique and frequently changing temporary encryption key, referred to as a short-term key (SK). In order to decrypt the broadcast content at a particular time, the ME 440 must know the current SK. Since the SK is used to decrypt the broadcast content only for a short period of time, it can be assumed that the SK has a certain intrinsic monetary value for the user. For example, the intrinsic monetary value may be a portion of the registration cost. Here, different content types may have different intrinsic monetary values. If the cost for a non-subscriber to obtain the SK from a subscriber's ME 440 exceeds the intrinsic monetary value of the SK, then illegally obtaining the SK costs more than it is worth, and there is no benefit in doing so. Therefore, it is not necessary to protect the SK in ME 440. However, if the intrinsic value of the broadcast were greater than the cost of illegitimately obtaining a key, it would be advantageous for non-subscribers to obtain that key from the ME 440. Therefore, the ME 440 does not hold secrets with a lifetime longer than the SK lifetime.
In addition, the channel over which the content provider transmits the data is considered insecure. Therefore, in BCMCS, the SK is not transmitted over the air. It is derived by UIM 430 or ME 440 from a key called the broadcast access key (BAK) and from SK information (SKI) that is broadcast with the encrypted content. The BAK may be used for a certain period of time, such as a day, a week, or a month, and then updated. Within each BAK update period, shorter intervals are provided at which the SK changes. The content provider may use cryptographic functions to determine the two values SK and SKI such that SK can be determined from BAK and SKI. In one embodiment, SKI may comprise the SK encrypted using BAK as the key. Alternatively, the SK may be the result of applying a cryptographic hash function to the concatenation of SKI and BAK. Here, SKI may be some random value.
To gain access to the BCMCS, a user registers and subscribes to the service. In one embodiment of the registration process, the content provider and UIM430 agree on a registration key or Root Key (RK) that is a security association between the user and the content provider. Registration may occur when a user subscribes to a broadcast channel provided by a content provider or prior to subscription. A single content provider may provide multiple broadcast channels. The content provider may choose to associate all channel users with the same RK or require users to register for each channel and associate the same user with different RKs on different channels. Multiple content providers may choose to use the same registration key or require the user to register and acquire different RKs.
The RK is then stored as a secret in UIM 430. The RK is unique for a given UIM, i.e., each user is assigned a different RK. However, if a user has multiple UIMs, then these UIMs may be configured to share the same RK, depending on the policy of the content provider. The content provider may then send UIM430 further secret information, such as BAK encrypted with RK. UIM430 may be able to recover the original BAK value from the BAK encrypted with the RK. Since ME 440 is not a secret unit, UIM430 typically does not provide BAK to ME 440.
The content provider also broadcasts SKI, which is combined with BAK in UIM 430 to derive SK. UIM 430 then transmits the SK to ME 440, which uses it to decrypt the encrypted broadcast transmissions received from the content provider. In this way, the content provider can efficiently distribute new SK values to subscribed users.
As described above, controlled access may be achieved by provisioning BAK to UIM 430. However, the broadcast service faces a problem in determining how to provision BAK in UIM 430. In one embodiment, a public key cryptosystem is implemented to provision BAK in UIM 430. This assumes that: the terminal or content provider possesses a private key KPI and is able to distribute a public key KPU corresponding to the private key.
For example, fig. 5A shows provisioning of the RK in UIM430 when the terminal possesses the private key, and fig. 5B shows provisioning of the RK in UIM430 when the content provider possesses the private key. Here, various known algorithms and/or protocols may be used to establish a private key and distribute a public key corresponding to the private key. If a terminal is established with a private key, the private key may be securely stored and processed in a secure processing unit, such as UIM 430. Likewise, other encryption functions E and decryption functions D may be used to implement a public key encryption system.
In FIG. 5A, the content provider encrypts the RK using the KPU and sends the encrypted RK, $E_{KPU}(RK)$, to UIM 430. UIM 430 decrypts the encrypted RK using the KPI so that $D_{KPI}(E_{KPU}(RK)) = RK$. The recovered RK may then be securely stored in SUMU 434. In FIG. 5B, UIM 430 encrypts the RK using the KPU and sends the encrypted RK, $E_{KPU}(RK)$, to the content provider. Here, SUPU 432 of UIM 430 may perform encryption and decryption as necessary. In this case, UIM 430 may generate the RK value for secure storage in SUMU 434. Alternatively, the RK may be provided in SUMU 434 in advance, e.g., at the time of manufacture. The content provider decrypts the encrypted RK using the KPI so that $D_{KPI}(E_{KPU}(RK)) = RK$. Once the RK is provided as described above, the BAK may be encrypted using the RK as described above and sent from the content provider to the terminal.
In another embodiment, a Temporary Key (TK) is used to encrypt the BAK, rather than the RK. The temporary key may be used to further prevent unauthorized users from accessing the broadcast content. If the RK is provided in UIM 430, the content provider may send the TK to UIM 430 by encrypting the TK using the RK. The content provider then sends the BAK encrypted with the current value of TK, so that UIM 430 can decrypt the encrypted BAK only with the current value of TK. However, in some cases, the RK may not be available and/or a temporary key may be desired. For example, if a user wishes to subscribe for a short or fixed period of time to receive a particular broadcast service, a temporary key may be preferred. Thus, a public key cryptosystem may be used to provide the TK.
If the terminal possesses the private key, the content provider may encrypt the TK using the KPU and send the encrypted TK, $E_{KPU}(TK)$, to UIM 430; UIM 430 then decrypts the encrypted TK so that $D_{KPI}(E_{KPU}(TK)) = TK$. The recovered TK may be securely stored in SUMU 434. If the content provider possesses the private key, UIM 430 encrypts the TK using the KPU and sends $E_{KPU}(TK)$ to the content provider, which then decrypts the encrypted TK so that $D_{KPI}(E_{KPU}(TK)) = TK$. Here, SUPU 432 of UIM 430 may perform decryption and encryption as necessary. In addition, if the terminal possesses the private key, the content provider may generate the TK, and if the content provider possesses the private key, UIM 430 may generate the TK. Once the value of TK is provided, BAK may be encrypted using TK in the same way as with RK and sent from the content provider to the terminal.
Fig. 6 illustrates another embodiment in which BAK is provided directly using a public key cryptosystem. Here, the terminal possesses the private key, and the content provider encrypts the BAK using the KPU and sends the encrypted BAK, $E_{KPU}(BAK)$, to UIM 430. UIM 430 decrypts the encrypted BAK so that $D_{KPI}(E_{KPU}(BAK)) = BAK$. SUPU 432 of UIM 430 may perform the decryption as necessary.
Accordingly, BAK may be provisioned in UIM 430 by various methods. In particular, fig. 7 shows an example method 700 for provisioning BAK in a terminal when the terminal possesses a private key. Method 700 begins when the UIM of the terminal distributes a public key corresponding to the private key (710). Upon receiving the public key (715), the content provider encrypts the RK using the public key (725). The encrypted RK is sent to the UIM (735). The UIM receives the encrypted RK (740) and decrypts it using the private key (750). The recovered RK is stored in a secure memory, such as SUMU 434. At the content provider, BAK is encrypted using RK (745) and the encrypted BAK (EBAK) is then sent to the terminal (755). The UIM then receives the EBAK (760) and decrypts the EBAK using the RK (770).
Fig. 8 shows another example method 800 for provisioning a BAK in a terminal when the content provider possesses a private key. Method 800 begins when the content provider distributes a public key corresponding to the private key (805). Upon receiving the public key (810), the UIM of the terminal encrypts the RK using the public key (820). The RK is stored in secure memory, such as SUMU 434. The encrypted RK is sent to the content provider (830). The content provider receives the encrypted RK (835) and decrypts the RK using the private key (845). The content provider encrypts the BAK using RK (855), and then sends the encrypted BAK (EBAK) to the terminal (865). The UIM then receives the EBAK (870) and decrypts the EBAK using the RK (880).
Fig. 9 shows another example method 900 for providing BAK when a terminal possesses a private key. Method 900 begins when the UIM distributes a public key corresponding to a private key (910). After receiving the public key (915), the content provider encrypts the BAK using the public key (925). The Encrypted BAK (EBAK) is sent to the UIM (935). The UIM receives the EBAK (940) and decrypts the EBAK using the private key (950).
Once the BAK is provided in the terminal, the SK may be used to encrypt the broadcast content, and the terminal can derive the SK based on the BAK to view/process the encrypted broadcast content.
In methods 700 and 800, more than one RK value may be provisioned in the UIM because the content provider may choose to associate users with the same RK for all channels or require users to register for each channel and associate the same user with different RKs. In addition, although the method is described with reference to the RK, other keys, such as TK, may be provided in a manner similar to the RK. In addition, other access keys besides BAK may also be provided by the RK and TK. Similarly, method 900 may be used to provide other access keys in addition to BAK.
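The key hierarchy described in this section, from the public-key provisioning of RK and BAK in methods 700 and 900 down to the per-interval derivation of SK from BAK and SKI described earlier, as an added, constructed example; it is not code from the patent or from any Qualcomm implementation. It assumes concrete primitives the page does not name (RSA-OAEP for E_KPU/D_KPI, AES-GCM for wrapping BAK under RK and for the content itself, SHA-256 for the hash embodiment of SK) and shows only the hash-based SKI variant, not the one in which SKI is SK encrypted under BAK. The type and function names and all key values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Constructed model of the key hierarchy above. The primitives are assumptions (the page names
// none): RSA-OAEP for E_KPU/D_KPI, AES-GCM to wrap BAK under RK and to encrypt content, SHA-256 for SK.

// UIM models the secure unit: KPI, RK and BAK sit in SUMU and are never handed to the ME.
type UIM struct {
	kpi *rsa.PrivateKey
	rk  []byte
	bak []byte
}

func newUIM() (*UIM, error) {
	kpi, err := rsa.GenerateKey(rand.Reader, 2048)
	return &UIM{kpi: kpi}, err
}

// deliverKPU is one E_KPU / D_KPI exchange: the provider encrypts a secret to the terminal's KPU
// (steps 710/910), SUPU decrypts it in the UIM. Applied to BAK this is method 900: EBAK = E_KPU(BAK).
func deliverKPU(kpu *rsa.PublicKey, u *UIM, secret []byte) ([]byte, error) {
	c, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kpu, secret, nil)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, u.kpi, c, nil)
}

// seal/open: AES-GCM, random nonce prefixed. A wrong key or a tampered ciphertext makes open fail.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
func seal(key, msg []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}
func open(key, ct []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// provisionViaRK is method 700: RK travels as E_KPU(RK); BAK then travels wrapped under RK.
func provisionViaRK(kpu *rsa.PublicKey, rk, bak []byte, u *UIM) error {
	var err error
	if u.rk, err = deliverKPU(kpu, u, rk); err != nil {
		return err
	}
	ebak, err := seal(rk, bak) // provider side, with its own copy of RK
	if err != nil {
		return err
	}
	u.bak, err = open(u.rk, ebak) // UIM side, with the RK recovered into SUMU
	return err
}
// deriveSK is the hash embodiment: SK = H(SKI || BAK), truncated to an AES-128 key.
func deriveSK(ski, bak []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, ski...), bak...))
	return h[:16]
}
// broadcast is one SK interval at the provider: fresh random SKI, content sealed under the derived SK.
func broadcast(bak, content []byte) (ski, ct []byte, err error) {
	ski = make([]byte, 16)
	if _, err = rand.Read(ski); err != nil {
		return nil, nil, err
	}
	ct, err = seal(deriveSK(ski, bak), content)
	return ski, ct, err
}
// receive is the terminal: the ME hands SKI to the UIM, gets back only SK, and decrypts itself.
func receive(u *UIM, ski, ct []byte) ([]byte, error) {
	if u.bak == nil {
		return nil, errors.New("not provisioned: no BAK in UIM")
	}
	return open(deriveSK(ski, u.bak), ct)
}
```

Two properties of the design are visible in these functions: a UIM that has not been provisioned holds no BAK and therefore cannot hand the ME any SK, and the ME only ever sees the SK for the current interval, so an SK extracted from it is worthless once the next SKI is broadcast. Method 800 (private key held by the content provider) is the same exchange with the encrypt and decrypt roles swapped and is not repeated here.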
As described above, by providing an access key such as BAK using the public key cryptography system, it is not necessary to provide a pre-shared key such as RK or TK, which generally involves a complicated procedure. Also, the user may wish to transfer a legacy SIM card or a detachable UIM (R-UIM) to a new broadcast-capable terminal. The conventional SIM/R-UIM can be used for normal mobile services and functions required for broadcasting can be incorporated into the terminal. The public key cryptosystem for providing BAK enables a new terminal to easily share a key with a network.
In addition, distribution of public keys is easier than distribution of symmetric keys. A second entity cannot decrypt messages addressed to a first entity even if it knows the public key associated with the first entity. This allows the public key to be distributed/transmitted unencrypted. In addition, all other entities may use the single public key corresponding to the private key owned by the first entity when communicating with the first entity. Likewise, the first entity only needs to store one key to decrypt messages from all other entities. If symmetric keys are used instead, it is necessary (or at least preferable) for different entities to use different symmetric keys when sending data (e.g., BAK) to the first entity, which requires the first entity to store a symmetric key for each entity with which it communicates.
In addition, the first entity is not compromised even if the public key corresponding to the private key owned by the first entity becomes known. However, compromise of a symmetric key owned by the first entity may compromise the security of the first entity. Thus, whereas symmetric keys such as RK should not be widely shared, a single public key of a terminal/UIM can be distributed to multiple content providers without special precautions.
Finally, it is to be noted that embodiments may be implemented by hardware, software, firmware, middleware, microcode, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments to perform the necessary tasks may be stored in a machine readable medium such as SUMU 434 or another medium (not shown). A processor, such as SUPU 432 or another processor (not shown), may perform the necessary tasks. A code segment may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements. A code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted via any suitable means including memory sharing, message passing, token passing, network transmission, etc.
Therefore, the above-described embodiments are merely examples and should not be construed as limiting the present invention. The description of the embodiments is illustrative and not limiting of the scope of the claims. Likewise, the present concepts may be readily applied to other types of apparatuses and many alternatives, modifications, and variations will be apparent to those skilled in the art.

Claims (18)

1. A method of broadcasting encrypted multimedia content over-the-air from a content provider to a plurality of authorized terminals, comprising:
each terminal transfers the unique public key to the content provider over the air, wherein
Each terminal having a mobile device and a secure processing unit securely storing a unique private key, the unique private key corresponding to the unique public key and being inaccessible to the mobile device of the respective terminal;
the secure processing unit provides greater secure key storage capability than the mobile device,
the secure processing unit having processing power sufficient to decrypt a broadcast access key and generate a short-term key;
the secure processing unit does not have sufficient processing power to decrypt the multimedia content, and
the content provider encrypting the broadcast access key with the unique public key of each of the terminals to authorize the terminals to receive the encrypted multimedia content;
each terminal receiving a respective encrypted broadcast access key from a content provider over the air and providing the respective encrypted broadcast access key to a security processing unit of the terminal, wherein the security processing unit of the terminal decrypts the encrypted broadcast access key using a unique private key of the security processing unit and securely stores the broadcast access key;
each terminal receiving encrypted multimedia content and short-term key information broadcast over-the-air from the content provider to the plurality of authorized terminals, wherein the multimedia content is encrypted using a short-term key and the short-term key is generated using a broadcast access key and the short-term key information;
each terminal providing the short-term key information to a security processing unit of the terminal, wherein the security processing unit generates the short-term key using the broadcast access key and the short-term key information and provides the short-term key to a mobile device of the terminal; and
the mobile device of each terminal decrypts the multimedia content using the short-term key.
2. The method of broadcasting encrypted multimedia content of claim 1, wherein the short-term key is accessible to a user.
3. The method of broadcasting encrypted multimedia content according to claim 2, wherein the short-term key is changed by the content provider according to a rate related to a registration fee.
4. The method of broadcasting encrypted multimedia content according to claim 1, wherein said secure processing unit is detachable from said terminal.
5. The method of broadcasting encrypted multimedia content of claim 1, wherein the short-term key information is a short-term key encrypted with the broadcast access key.
6. The method of broadcasting encrypted multimedia content according to claim 1, wherein the short-term key is generated by applying a cryptographic hash function to the concatenation of the short-term key information and a broadcast access key.
7. The method of broadcasting encrypted multimedia content of claim 6, wherein the short-term key information is a random value.
8. The method of broadcasting encrypted multimedia content according to claim 1, wherein the at least one terminal comprises a mobile station.
9. An integrated circuit for a mobile station, comprising:
a module for forwarding the unique public key to the content provider over the air,
a module for securely storing a unique private key, the unique private key corresponding to the unique public key and being inaccessible to the user, wherein the module for securely storing the unique private key has processing power sufficient to decrypt the broadcast access key and generate a short-term key, but does not have processing power sufficient to decrypt the multimedia content, wherein the content provider encrypts the broadcast access key with the unique public key to authorize the integrated circuit securely storing the corresponding unique private key to receive the encrypted multimedia content;
means for receiving over the air respective encrypted broadcast access keys from the content providers,
means for decrypting the encrypted broadcast access key and securely storing the broadcast access key, wherein the securely stored broadcast access key is inaccessible to the user;
means for receiving encrypted multimedia content and short-term key information broadcast over-the-air from the content provider to a plurality of mobile stations, wherein the multimedia content is encrypted using a short-term key and the short-term key is generated using a broadcast access key and the short-term key information;
means for generating the short-term key using the securely stored broadcast access key and the broadcast short-term key information; and
means for decrypting the multimedia content using the short-term key, wherein the means for securely storing a unique private key provides greater secure key storage capability than the means for decrypting the multimedia content.
10. The integrated circuit of claim 9, wherein the short-term key is user accessible.
11. The integrated circuit of claim 9, wherein the short-term key information is a short-term key encrypted with the broadcast access key.
12. The integrated circuit of claim 9, wherein the short-term key is generated by applying a cryptographic hash function to the concatenation of the short-term key information and a broadcast access key.
13. The integrated circuit of claim 12, wherein the short-term key information is a random value.
14. An apparatus for receiving encrypted multimedia content broadcast over-the-air from a content provider to a plurality of authorized devices, comprising:
a mobile device configured to:
the unique public key is transferred over the air to the content provider,
decrypting the multimedia content using a short-term key, wherein the multimedia content is encrypted using the short-term key, and the short-term key is generated using the broadcast access key and the short-term key information; and
a secure processing unit configured to:
securely storing a unique private key corresponding to the unique public key and inaccessible to the mobile device, wherein the secure processing unit provides greater secure key storage capacity than the mobile device, the secure processing unit has sufficient processing capacity to decrypt a broadcast access key and generate a short-term key but does not have sufficient processing capacity to decrypt multimedia content, and the content provider encrypts the broadcast access key with the unique public key to authorize a device having the secure processing unit securely storing the corresponding unique private key to receive the encrypted multimedia content;
the respective encrypted broadcast access keys are received from the content provider over the air,
decrypting the encrypted broadcast access key and securely storing the broadcast access key, wherein the securely stored broadcast access key is not accessible to the user;
receiving short-term key information broadcast over-the-air from the content provider to the plurality of authorized devices,
the short-term key is generated using a securely stored broadcast access key and broadcast short-term key information.
15. The apparatus of claim 14, wherein the short-term key is accessible to a user.
16. The apparatus of claim 14, wherein the short-term key information is a short-term key encrypted with the broadcast access key.
17. The apparatus of claim 14, wherein the short-term key is generated by applying a cryptographic hash function to the concatenation of the short-term key information and a broadcast access key.
18. The apparatus of claim 17, wherein the short-term key information is a random value.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US61588203A 2003-07-08 2003-07-08
US10/615,882 2003-07-08

Publications (2)

Publication Number Publication Date
HK1145376A1 HK1145376A1 (en) 2011-04-15
HK1145376B true HK1145376B (en) 2012-09-07
