[go: up one dir, main page]

HK1106648A - Method and device for authorising conditional access - Google Patents

Method and device for authorising conditional access Download PDF

Info

Publication number
HK1106648A
HK1106648A HK07112137.2A HK07112137A HK1106648A HK 1106648 A HK1106648 A HK 1106648A HK 07112137 A HK07112137 A HK 07112137A HK 1106648 A HK1106648 A HK 1106648A
Authority
HK
Hong Kong
Prior art keywords
entitlement
product identifier
mode
value
product
Prior art date
Application number
HK07112137.2A
Other languages
Chinese (zh)
Inventor
杰拉尔德.J.德克
沃纳.S.斯特里登
阿尔伯特-詹.波斯查
Original Assignee
耶德托存取公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 耶德托存取公司 filed Critical 耶德托存取公司
Publication of HK1106648A publication Critical patent/HK1106648A/en

Links

Description

Method and apparatus for authorizing conditional access
Technical Field
The invention relates to a method of granting conditional access to an encrypted digital data product, comprising:
storing in the security device at least one set of entitlements (entitlements), each entitlement including a product identifier and expiry information,
receiving entitlement control messages using control words from a decoder system comprising means for decrypting encrypted digital data products, each entitlement control message comprising a product identifier, an
In the first mode, in response to an entitlement control message including a product identifier, if the product identifier corresponds to the product identifier in a stored entitlement that includes expiry information indicating that the entitlement is valid, returning at least one control word, and
in the second mode, also in response to an entitlement control message including a product identifier, if the product identifier corresponds to the product identifier in a stored entitlement that includes expiry information indicating that the entitlement has expired, and if the counter is at a value between the initial value and a predetermined value, the counter is incrementally adjusted to said predetermined value and at least one control word is returned.
The invention also relates to a system for authorizing conditional access to an encrypted digital data product, comprising:
an authorization apparatus comprising a secure memory for storing at least one set of entitlements, each entitlement comprising a product identifier and expiry information; and an interface for interfacing to a decoder system comprising means for decrypting encrypted digital data products, the interface enabling an authorisation device to receive entitlement control messages comprising respective product identifiers,
wherein the authorization means is arranged to operate in one of at least a first and a second mode,
wherein in the first mode the authorisation device is responsive to an entitlement control message received via the interface comprising a product identifier, to return at least one control word if the product identifier corresponds to the product identifier in a stored entitlement comprising expiry information indicating that the entitlement is valid, and
wherein in the second mode, the authorisation device is also responsive to an entitlement control message received via the interface including a product identifier, if the product identifier corresponds to the product identifier in a stored entitlement including expiry information indicating that the entitlement has expired, and if the counter is at a value between the initial value and a predetermined value, the counter is incrementally adjusted to said predetermined value and at least one control word is returned.
The invention also relates to a digital message.
The invention also relates to a computer program.
Background
Examples of embodiments of such a method and system are known from EP-a 1-1094667. This document describes a method for operating a conditional access system for broadcast applications. The conditional access system comprises a plurality of users, each user having a terminal, including a conditional access module and a security means for storing entitlements, each entitlement representing a service that a user receiving the entitlement is allowed to view. Entitlement Management Messages (EMMs) are sent to a secure device or group of secure devices, said EMMs each providing an entitlement and a corresponding expiry date. The entitlements are periodically refreshed according to their expiration date by sending EMMs that update the expiration date. By sending a set of extension EMMs to the overall security device, expiry of entitlements due to failure to receive refresh EMMs is avoided. Each extension EMM indicates to the security device that all entitlements within a predetermined first period of time (i.e. an expiry date within a specified number of days) may remain valid for a predetermined second period of time. In this way, the rights of all smart cards are extended for the second period of time.
A problem of the known method is that it is very unsuitable for avoiding "blanking-outs" if the user's device is switched off for a longer time. Because EMMs (including extension EMMs) are sent infrequently, a terminal that is off for a long time will only start decoding the broadcast signal after it has been turned on and remains on for a relatively long time to receive refresh EMMs (extension EMMs if the first time period has not elapsed). This problem becomes more serious at the beginning of the deployment of broadcast services for mobile telephone handsets, since these devices are often switched off for a relatively long time in order to save battery power.
Disclosure of Invention
It is an object of the present invention to provide a method, system, digital message and computer program of the above-mentioned type which help to avoid the occurrence of long periods of time where access to encrypted digital data products is not possible due to expired rights not being updated in a timely manner.
This object is achieved by means of a method according to the invention, which is characterized in that: upon receipt of an entitlement control message including a product identifier corresponding to the product identifier in the stored entitlement including expiry information indicating expiry of the entitlement, the counter is set to an initial value to commence operation in the second mode.
A secure device is a device with properties that make it tamper-resistant (tamper-proof) and/or tamper-resistant (tamper-event), which properties may be implemented in software or hardware. Thus, the security device includes features for preventing unauthorized persons from altering the data stored therein. The expiry information may simply represent a point in time, the relationship between which and the current time or date indicated by a timing system in the security device or decoder system gives an indication of expiry or validity. In this case, the expiration information indicating that the right is valid corresponds to an indication of a certain point in time in the future.
Since the operation of the second mode starts after receiving the entitlement control message, any blanking will last as long as normal, since the start of decryption is often delayed until the decoder system receives a control word from the authorization device in response to the first entitlement control message. The product identifier corresponding to the product identifier in the stored entitlement that includes expiry information indicating that the entitlement has expired triggers a change to the second mode of operation. Thus, the counter is initialized only when needed. The extension of the expiry right is only a limited period of use, because it is adjusted stepwise, i.e. incremented or decremented towards a predetermined value, and the control word is only provided when the counter is between the initial value and the predetermined value. Therefore, conditional access cannot be avoided for a long period of time.
In one embodiment, the initial value is based on a value stored in the security device.
Thus, the availability of the second mode of operation is not dependent on the receipt of a particular message within a particular time period. The initial value defines the length of a grace period that can begin even if no external communication is received for a long period of time.
In one embodiment, the initial value is obtained by searching for data stored in the secure device and representing a multi-decoder mode, and by multiplying the first value by a multiple derived from such data (if such data is found).
This allows for a longer grace period for secure devices that are authorized to operate in multi-decoder mode. Such a device is suitable for use in conjunction with a personal video recorder or an integrated receiver decoder with time-shifting capability.
In one embodiment, the counter is adjusted by a predetermined amount by the control word returned in the second mode.
This embodiment takes into account the so-called non-pagelocked mode of operation that occurs in an integrated receiver decoder when looking for the correct Entitlement Control Message (ECM) stream. In such a mode the security device is provided to a number of different ECMs until it starts to return control words. The above-described features of the method prevent the counter from reaching the predetermined value too quickly in the non-pagelocked mode of operation.
In one embodiment, operation in the second mode is initiated only upon determining that each entitlement in the stored set of entitlements includes expiration information indicating the expiration of the corresponding entitlement.
Therefore, the following two cases are distinguished: a situation where an entitlement has expired because the user is no longer authorized to access the associated product; a situation where all entitlements have expired because the security device cannot receive updated expiration information. It should be noted that the security device may store several sets of rights. For example, smart cards typically include a plurality of sectors. The rights within a sector in this specification generally correspond to a set of rights.
In one embodiment, in at least the first and second modes, the expiry information included in an entitlement in the set of stored entitlements is updated in response to an entitlement management message of a first type identifying a product corresponding to a product identifier included in the entitlement and forwarded from the decoder system to the secure device.
This limits the amount of time spent in the second mode of operation. The counter does not reach the predetermined value as quickly.
In one embodiment, an entitlement is deleted from the stored set of entitlements upon receipt of an entitlement management message of a second type identifying a product corresponding to a product identifier included in the entitlement and forwarded from the decoder system to the secure device.
This prevents the second mode of operation from becoming persistent in the event that one entitlement expires, since the user is no longer allowed access to the associated product.
In an embodiment, wherein the decoder system comprises a tuner for retrieving entitlement management messages on a certain communication channel, the method comprises providing a request to the decoder system to set the tuner to the certain communication channel after the second mode of operation has started.
This ensures that there is sufficient time to receive any Entitlement Management Messages (EMMs) that delete or modify entitlements in the stored set of entitlements. The amount of time spent in the second mode of operation is further limited.
One embodiment includes switching from operation in the second mode to operation in the first mode upon determining that each stored entitlement in the group includes expiration information indicating that the entitlement is valid.
Thus, the predetermined counter value is not reached as quickly. In addition, continuous operation is ensured, since the supply of control words is stopped when the counter reaches a predetermined value, while the second mode is still maintained.
In one embodiment, the initial value is a value derived based on a message forwarded from the decoder system to the security device or a value stored in the security device and modified in response to a message forwarded to the security device by the decoder system.
The message provides a means for re-initializing the initial values. This allows for a potentially unlimited number of extended periods of non-use of the security device without blanking when use is resumed.
According to another aspect, the system according to the invention is characterized in that: the authorisation device is configured, on receipt of an entitlement control message including a product identifier corresponding to a product identifier in a stored entitlement including expiry information indicating expiry of the entitlement, to set the counter to an initial value to commence operation in the second mode.
The initial value may be based on a value stored in the secure device or based on a value included in the entitlement control message. In this way, it is ensured that decryption is started quickly, but the fact that security device intervention is required ensures that access is still dependent on authorization.
In one embodiment, the authorization apparatus is configured to perform the method according to the invention.
Embodiments of the system further comprise: a system for communicating to an authorizing means via a decoder system and a network link connected to the decoder system an entitlement message conveying information representative of the new counter value and formatted to cause the authorizing means to establish an initial value based on the new counter value.
This allows for a potentially unlimited number of extended periods of non-use of the security device without blanking when use is resumed.
According to another aspect of the present invention there is provided a digital message transmitted over a data link from a server to at least one of a decoder system and an authorisation device included in the definition of a system according to the present invention, the digital message conveying information representative of a new counter value and being formatted to cause the authorisation device to establish an initial value on the basis of the new counter value.
According to another aspect of the invention, the computer program comprises a set of instructions capable, when included in a machine-readable medium, of causing a system having information processing capabilities to perform a method according to the invention.
Drawings
The invention will now be explained in more detail with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates a head-end system comprising components of a conditional access system;
figure 2 schematically illustrates a receiver/decoder in combination with other parts of a conditional access system; and
fig. 3 is a flow diagram illustrating steps in a method of granting conditional access.
Detailed Description
The head-end system 1 shown as an example in fig. 1 is adapted to generate an encrypted digital data product and entitlement messages for use in decrypting the encrypted digital data product. In one embodiment, the encrypted digital data product is a file that is provided with separate information that implements a Digital Rights Management (DRM) system. Such information specifies the type of use that may be made of the encrypted data product. The files may be recorded on a data carrier such as an optical or magnetic disc. Alternatively, they may be downloaded by the receiver via a communications network, including, for example, a cellular mobile telephone network, a satellite network, and/or a cable or terrestrial broadcast network. In another embodiment, as shown in FIG. 1, an encrypted digital data product includes a set of one or more digital data streams comprised of digital data packets including a header and a payload. The header contains an identification number indicating the data flow to which the packet belongs. In a common embodiment, which is used herein for illustration, the digital data product is a product that includes one or more MPEG-2 transport streams. The form of such a data stream is known per se, for example from the international standard ISO/IEC 13818-1. An encrypted product comprising encrypted Transport Stream (TS) packets of one or more streams is provided to the receivers in unicast, multicast or broadcast form over a cellular mobile telephone network, in which case the TS packets are transmitted, for example, in the form of Internet Protocol (IP) packets, and any one or more of a satellite, cable or terrestrial broadcast network.
The headend system shown in fig. 1 complies with the Simulcrypt standard for digital video broadcasting. Digital data streams belonging to a program, such as video and audio components, comprising one or more elementary content data streams are obtained from the storage system 2. A program is herein a series of data streams. These data streams provided with a time base have a common time base intended for synchronous presentation as indicated by the timing information in the elementary streams.
The multiplexing system 3 performs time multiplexing of the input data stream and provides the MPEG-2 transport stream as output. An MPEG-2 transport stream is formed of a series of TS packets. The payload of each packet carries one or more data units belonging to a single elementary stream.
In addition to the elementary streams from the storage system 2, the multiplexing system 3 receives a Program Specific Information (PSI) stream from a PSI generator 4, an Entitlement Control Message (ECM) stream from an ECM generator 5, and an Entitlement Management Message (EMM) stream from an EMM generator 6. The conditional access provider (CA provider) operates a custom PSI generator 7 which provides program specific information to the PSI generator 4. Conditional access systems (not shown) of several other CA providers may be included in the head-end system 1, and thus PSI generator 4 and custom PSI generator 7 are present. The illustrated system relating to a conditional access system of a CA provider comprises a custom PSI generator 7, an ECM generator 5 and an EMM generator 6.
The head-end system 1 further comprises a Control Word (CW) generator 8 for generating a sequence of encryption keys, herein referred to as control words. The network management system 9 controls the operation of the various components.
The control words generated by the CW generator 8 are provided to a synchronization system 10. The synchronization system 10 provides control words to the ECM generator which in turn receives ECMs. Each ECM includes at least one set of key information enabling an authorisation device of the conditional access system to obtain a control word from it. The ECM's are provided in individually identified TS packet streams in multiplexed output generated by the multiplexing system. They are linked to the programs they provide access to by means of program specific information included in the multiplex.
The synchronization system 10 also provides control words to a scrambling system 11, the scrambling system 11 scrambling at least portions of the payload of at least some of the MPEG-2 TS packets obtained by the output of the multiplexing system 2. One function performed by the synchronization system 10 is to synchronize the ECM stream with the scrambled MPEG-2 transport stream. In one embodiment, the synchronization is achieved by time stamps in the MPEG-2 TS packets, thereby providing TS packets carrying ECMs and scrambled TS packets carrying content data with a common time base. The synchronization may be affected by the order of multiplexing of the TS packet stream carrying the ECM with the TS packet stream carrying the scrambled content data and the system for maintaining the order of the TS packets in the multiplexing. It can be seen that in other embodiments, the key message is played out on a separate channel, and the reference time is used to synchronize the key message stream with the TS packet stream carrying the content data.
In the illustrated embodiment, the ECM carries data representing the control word and encrypted under the session key. The ECM generator 5 obtains a session key from the EMM generator 6, the EMM generator 6 including the session key in the key-carrying EMM, said session key being addressed to the user and the user group or, more precisely, obtaining an access token addressed to the user. EMMs of all types to be discussed herein are transmitted to the subscribers in a known manner within the MPEG-2 transport stream generated by the multiplexing system 3.
The scrambling system 11 scrambles at least a portion of the payload of the TS packets. Different control word values are used for successive program segments corresponding to the control word period. Data in the ECM (including synchronization information) links the encrypted control word with the associated control word period to enable the receiver to obtain the correct control word value for decrypting a certain program segment. The same is true for encrypted digital data products that include files rather than data streams. The file may also be divided into an ordered sequence of segments, with successive segments being encrypted under different control word values.
The multiplexed output produced by the multiplexing system 3 comprises a plurality of sets of data streams corresponding to respective programs. Each set of data streams corresponding to one program is encrypted independently of the other programs and has its own sequence of ECMs. ECMs associated with different programs may be carried in one TS packet stream (i.e. in packets having a common packet identifier in the header). Each ECM carries a product identifier unique to the programme and associated with the set of key information in the ECM, together with a set of key information enabling the control word to be retrieved.
Figure 2 illustrates in a very simplified manner a user device 12 comprising a receiver/decoder 13. It should be appreciated that the systems and methods described herein are particularly adaptable for implementing user equipment included in a mobile device, such as a cellular telephone handset (not shown). This is because the user equipment does not need to be continuously in a mode where it receives data (in particular EMMs and ECMs) from the head. The effect is to conserve battery power in the mobile device.
In the illustrated embodiment, the receiver/decoder 13 comprises a network interface 14 and a tuner/demodulator 15 for implementing a physical link to the head-end system 1. This embodiment is suitable for transmission over satellite, cable or terrestrial broadcast links. In other embodiments, as described above, the link is established over a cellular telephone network, in which case the physical interface to the network is different.
The demultiplexer 16 filters out TS packets belonging to the program under the direction of the processing unit 17. In a known manner, the program map table in the digital data stream obtained from the tuner/demodulator 15 contains packet identification number values corresponding to those in the headers of the TS packets belonging to said program and to the ECM and EMM streams. Thus, EMM, ECM and TS packets are obtained with at least partially scrambled payloads.
The receiver/decoder 13 comprises an interface 18 to an authorisation device, i.e. an access token in the form of a smart card 19. The smart card 19 is only one example of such an authorization device. In other embodiments, a combination of a conditional access module and a smart card is used. In another embodiment, the functionality of the smart card 19 is provided on a sector of a Subscriber Identity Module (SIM) card of a mobile telephone handset. In yet another embodiment, the functionality of the smart card 19 is embodied in an access token comprising a software module for execution by the processing unit 17 or another processor within the receiver/decoder 13. In such embodiments, code and/or data encryption and decryption (encryption) techniques are used to securely bypass attempts by code reverse engineering the executable code of the system and software modules comprising the processing unit 17. A separate physical authorization device may also be omitted. In a typical situation, additional protection hardware components will be provided to protect the memory and data processing unit of the authorization device, such as the processing unit 20 and the non-volatile memory 21 of the smart card 19, shown here as separate components.
In the illustrated embodiment, the interface 18 of the receiver/decoder 13 cooperates with the interface 22 of the smart card 19, the smart card 19 thus being a separate portable authorization device.
Fig. 3 illustrates an example of a method performed by the smart card 19 acting as an authorization means of the conditional access system. The computer program code stored in the smart card 19 configures the smart card 19 to perform the described method, the smart card 19 storing the entitlement table 23 in its memory 21. Each entry in the table 23 corresponding to an entitlement includes a product identifier and data representing a point in time, such as a date and optionally a time.
It should be noted that the smart card 19 may store several tables, such as the displayed table 23. This is the case when the smart card 19 comprises a plurality of sectors. Each table 23 thus forms a separate set of entitlements, each set typically belonging to a different CA provider.
Table 23 is populated with entries responsive to EMMs of the first type. These EMMs are also generated by the EMM generator 6 of the conditional access system. They include data representing the product identifier and associated expiration information. Upon reception of an EMM of the second type, which is forwarded by the receiver/decoder 13 to the smart card 19 and represents the product concerned, the rights are removed from the table 23. In order to obtain EMMs of the first and second type and EMMs carrying the key, the processing unit 17 provides appropriate tuning commands to the tuner/demodulator and/or demultiplexer 16. The latter intervention is necessary because EMMs are usually sent on separate channels (i.e. in TS packet streams individually identified in multiplexing). In embodiments where the EMM is received out-of-band, another type of command is issued by the processing unit to another type of tuning means (not shown).
The EMMs of the first type comprise EMMs updating the expiry information included in the entitlements already stored in table 23, which are sent to the receiver/decoder 13 at intervals of more than 15 minutes. Therefore, the receiver/decoder 13 must be switched on and tuned for a considerable period of time to ensure that a complete update of the rights in the table 23 is obtained. If the user device 12 is used only for a short period of time, it is likely that not all rights in the table 23 are updated. The CA provider may also choose to grant rights for a short period of time for security reasons. This also increases the likelihood that one or more of the entitlements in table 23 will expire before an EMM of the first type of renewal entitlement is forwarded to the smart card 19.
In order to allow continued access to the program even when the rights for the program have expired, the smart card 19 can implement a so-called grace period. For the duration of the grace period, the smart card 19 operates in a mode referred to herein as a second mode of operation, which is distinct from the first or normal mode of operation.
The detailed embodiment of the method used by the smart card 19 as shown in fig. 3 is used here only as an example. In a first step 24, the smart card 19 receives an ECM. The ECM is forwarded by the receiver/decoder 13 to the smart card 19 via the interfaces 18, 22. It includes a product identifier and at least one set of encryption key information corresponding to control words used by descrambler 25 to decrypt program stream segments corresponding to control word periods. In a second step 26, the smart card 19 retrieves the product identification number from the ECM.
In a third step 27, the smart card 19 checks whether there is an entitlement comprising the corresponding product identifier in the table 23. Regardless of whether the smart card 19 is operating in the first mode or the second mode, if the product identification number in the ECM corresponds to the product identification number in the entitlement in the table 23, the smart card 19 only decrypts and returns the control word in the EMC. Thus, if no such entitlement is present, the method starts again with the first step 24, in which the next ECM is received.
If the right identified in the ECM is found, the smart card 19 checks at least the validity of the right. In the illustrated embodiment, the smart card 19 checks the validity of all entitlements included in the table 23, at least if the entitlement corresponding to the identified product has expired. In a fourth step 28, a validity check is performed. In one embodiment, the smart card 19 employs a real-time clock, and the expiration information included in each entitlement indicates a point in time. Thus, it is determined whether the expiry information indicates expiry of the entitlement or is valid by comparison with the current time value derived from the real-time clock. In another embodiment, the current time is the time derived by the smart card 19 from a time stamp in the ECM. In another embodiment, the expiry information is a count value that is adjusted by a predetermined amount as each ECM is received and processed to generate a control word for decrypting the segment of the product identified in the entitlement.
In the illustrated embodiment, if the smart card 19 is in the normal operating mode and the entitlement including a product identifier corresponding to the product identifier in the ECM has expired, but not all other entitlements, the ECM is no longer processed. The first step 24 is performed for the next ECM. If, on the other hand, the smart card 19 is in normal operation mode and the entitlement including a product identifier corresponding to the product identifier in the ECM includes expiry information indicating that the entitlement is valid, then a step 29 of decrypting the set of key information in the ECM is performed, followed by a step 30 of returning a clear control word in the message to the descrambler 25.
In the illustrated embodiment, if the entitlement including a product identifier corresponding to the product identifier in the ECM includes expiry information indicating that the entitlement has expired, and if all other entitlements in the table 23 have likewise expired, the smart card enters the second mode of operation. The grace period begins. Incidentally, in another embodiment, the grace period has already begun if only the entitlement for the product identified in the ECM has expired. In yet another embodiment, the expired entitlements may have a threshold number above which the smart card 19 begins operating in the second mode.
To begin operation in the second mode, the counter 31 is set to an initial value (step 32). In a variant, the initial value is derived from a value encoded in the ECM received in the first step 24. In this embodiment the ECM is thus used as a digital message sent from the head-end system 1 to the smart card 19 and conveys information representing the new counter value. The ECM has a suitable format to cause the smart card 19 to establish an initial value for the counter 31 on the basis of the new counter value. In another embodiment, the initial value is based on a value stored in the memory 21 of the smart card 19. The values stored in the memory 21 are programmed at initialization of the smart card 19. To avoid having to return to the smart card 19, the value stored in the memory 21 is updated after receiving an EMM of the third type. In one embodiment, a new value is encoded in the EMM in place of the value stored in memory 21. The head-end system 1 therefore sends a digital data message in the form of an EMM of the third type to prompt the smart card 19 to replace the stored value with the new value.
In some embodiments, user equipment 12 includes functionality to decrypt multiple programs substantially simultaneously. These embodiments include personal video recorders and set-top boxes or digital televisions with time-shifting capabilities. A single smart card 19 is used to authorize decryption of each of these programs if the appropriate entitlement is present, i.e. the entitlement to grant access to a plurality of encrypted programs. In this case, the initial value is obtained by multiplying by an integer representing the number of products that can be decrypted simultaneously.
While the smart card 19 is operating in the second mode, the smart card checks (step 33) whether the counter 31 has a value between the initial value and a predetermined final value (nil in this example). If so, the counter is adjusted by a predetermined amount (step 34), provided steps 35, 36 of decrypting the control word and returning the control word to the receiver/decoder 13 are also performed. The counter 31 is decremented only when a control word is returned. The effect is that the counter 31 does not reach the value nil very quickly when the smart card is operating in the non-pagelocked mode. In the non-page-lock mode, the processing unit 17 of the receiver/decoder 13 does not filter the ECMs fetched by the demultiplexer with the product identifiers, but provides ECMs comprising different product identifiers.
The smart card 19 remains in the second mode of operation until all entitlements included in the table 23 are deleted or provided with new expiry information indicating that the entitlements are valid. Then, if it is determined after the execution of third step 27 that the expiry information in all entitlements of the table indicates that the entitlement in question is valid, the smart card 19 switches from the second mode of operation to the first mode of operation. Information representative of the current value of the counter 31 is stored in the memory 21 (not explicitly shown in fig. 3).
In at least one embodiment, after commencing operation in the second mode, the smart card 19 issues a request to the receiver/decoder 13 to remain tuned to the channel (i.e. elementary stream) over which the EMMs of the second type are transmitted. In one embodiment, the request specifies a time period or set of product identifiers to ensure that the receiver/decoder 13 remains tuned long enough. In another embodiment, an error message is returned to the receiver/decoder 13 at the step 32 of setting the counter, the error message causing an output on a user interface of the receiver/decoder 13. The output forms a request to the user not to turn off the user device for a certain period of time.
It is thus ensured that the rights stored in the table 23 are updated while the smart card 19 continues to authorize decryption of the product the user wants. Blanking is prevented. The net effect is to avoid a situation where a telephone call is made to a help desk or a user management center to renew the rights.
The invention is not limited to the embodiments described in detail herein, but may be varied within the scope of the appended claims. For example, where a digital data product is encrypted using an asymmetric cipher, the ECM will include a key that forms a key pair with the key used to encrypt the digital data product or a portion of the digital data product. The descrambler 25 may be included in the smart card 19 or in a separate conditional access module between the smart card 19 and the receiver/decoder 13. In an embodiment implementing a DRM system, the smart card 19 issues a decryption key in the digital rights management object in response to a request including a product identification number, the request corresponding to an ECM. The digital rights management object includes a key corresponding to the control word in the embodiments described in detail herein.

Claims (15)

1. A method of authorizing conditional access to an encrypted digital data product, comprising:
storing in the security device (19, 21) at least one set (23) of entitlements, each entitlement comprising a product identifier and expiry information,
using the control word to receive entitlement control messages from a decoder system (13) comprising means (25) for decrypting the encrypted digital data product, each entitlement control message comprising a product identifier, an
In the first mode, in response to an entitlement control message including a product identifier, if the product identifier corresponds to a product identifier in a stored entitlement that includes expiry information indicating that the entitlement is valid, returning at least one control word, and
in the second mode of operation, the first mode of operation,
also in response to an entitlement control message including a product identifier, if the product identifier corresponds to the product identifier in a stored entitlement including expiry information indicating expiry of the entitlement, and if the counter (31) is at a value between the initial value and a predetermined value, then incrementally adjusting said counter (31) to said predetermined value and returning at least one control word, characterised in that:
upon receipt of an entitlement control message including a product identifier corresponding to a product identifier in a stored entitlement including expiry information indicating expiry of the entitlement, the counter (31) is set to an initial value to commence operation in the second mode.
2. A method according to claim 1, wherein the initial value is based on a value stored in the secure device (19, 21).
3. A method according to claim 1 or 2, wherein said initial value is obtained by searching for data stored in said secure device (19, 21) indicative of a multi-decoder mode, and if such data is found, by multiplying the first value by a multiple derived from such data.
4. A method according to any one of claims 1 to 3, wherein in the second mode the counter is adjusted by a predetermined amount as each control word is returned.
5. The method according to any of the preceding claims, wherein operation in the second mode is started only after determining that each entitlement in the stored set of entitlements (23) comprises expiry information indicating expiry of the respective entitlement.
6. The method according to any of the preceding claims, wherein, in at least the first and second modes, the expiry information included in the entitlements of the stored entitlements group (23) is updated in response to an entitlement management message of a first type identifying a product corresponding to a product identifier included in the entitlements and forwarded by the decoder system (13) to the secure device (19).
7. A method according to any preceding claim, wherein an entitlement is deleted from the stored set of entitlements (23) upon receipt of an entitlement management message of a second type identifying a product corresponding to a product identifier included in the entitlement and forwarded by the decoder system (13) to the secure device (19).
8. A method according to any one of the preceding claims, wherein the decoder system (13) comprises a tuner (15-17) for retrieving entitlement management messages on a certain communication channel, the method comprising providing the decoder system (13) with a request to set the tuner (15-17) to the certain communication channel after the start of operation in the second mode.
9. A method according to any preceding claim, comprising switching from operation in the second mode to operation in the first mode upon determining that each stored entitlement in the set (23) includes expiry information indicating that the entitlement is valid.
10. A method according to any one of the preceding claims, wherein the initial value is a value based on a message forwarded from the decoder system (13) to the secure device (19), or a value stored in the secure device (19) and modified in response to a message forwarded by the decoder system (13) to the secure device (19).
11. A system for authorizing conditional access to an encrypted digital data product, comprising:
-authorisation means (19) comprising a secure memory (21) for storing at least one set (23) of entitlements, each entitlement comprising a product identifier and expiry information; and an interface (22) for interfacing to a decoder system (13) including means (25) for decrypting an encrypted digital data product, the interface (22) enabling said authorisation means (19) to receive entitlement control messages including respective product identifiers,
wherein the authorization means (19) is arranged to operate in one of at least a first and a second mode,
wherein in a first mode said authorisation device (19) is responsive to an entitlement control message received via said interface (22) including a product identifier, to return at least one control word if the product identifier corresponds to a product identifier in a stored entitlement including expiry information indicating that the entitlement is valid, and
wherein in a second mode said authorisation device (19) is also responsive to an entitlement control message received via the interface (22) including a product identifier, if the product identifier corresponds to the product identifier in a stored entitlement including expiry information indicating expiry of the entitlement, and if the counter (31) is at a value between the initial value and a predetermined value, progressively adjusting said counter (31) to said predetermined value and returning at least one control word characterised in that,
the authorization means (19) is configured to: upon receipt of an entitlement control message including a product identifier corresponding to the product identifier in a stored entitlement including expiry information indicating expiry of the entitlement, the counter (31) is set to an initial value to commence operation in the second mode.
12. The system according to claim 11, wherein the authorization means (19) is configured to perform the method according to any one of claims 1-10.
13. A system according to claim 11 or 12, further comprising a system (6, 7) for communicating an entitlement message to the authorisation device (19) via the decoder system (13) and a network link to the decoder system (13), carrying information representative of the new counter value and arranged in a format to cause the authorisation device (19) to establish an initial value on the basis of the new counter value.
14. A digital message for transmission over a data link from a server (1) to at least one of a decoder system (13) and an authorizing means (19) as defined in any one of claims 11-13, carrying information representative of a new counter value and being arranged in a format to cause the authorizing means (19) to establish an initial value on the basis of the new counter value.
15. A computer program comprising a set of instructions capable, when embodied in a machine-readable medium, of causing a system having information processing capabilities to perform a method according to any one of claims 1-10.
HK07112137.2A 2006-03-31 2007-11-08 Method and device for authorising conditional access HK1106648A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
EP06112126.5 2006-03-31

Publications (1)

Publication Number Publication Date
HK1106648A true HK1106648A (en) 2008-03-14

Family

ID=

Similar Documents

Publication Publication Date Title
JP5313447B2 (en) Method and apparatus for authorizing conditional access
US7383561B2 (en) Conditional access system
US8472624B2 (en) Generating a scrambled data stream
JP5795709B2 (en) Supplying control word to receiver
EP1853000A1 (en) Subscriber authorization method and system, and authorization controlling system and terminal device thereof
US20120008773A1 (en) Providing control words to a receiver
CN102349306B (en) Method and device for reception of control words, and device for transmission thereof
CN1930880A (en) Conditional access system
EP1206877A1 (en) System and method for securing on-demand delivery of pre-encrypted content using ecm suppression
US8707346B2 (en) Method and apparatus for digital broadcasting service
US9100677B2 (en) Server, client device, method for generating a transport stream thereof and processing the transport stream thereof
CN100373946C (en) An authorization system and method
WO2012172442A1 (en) Secure fast channel changing
KR100718452B1 (en) EMM Transmission System and its method using out-of-band channel
HK1106648A (en) Method and device for authorising conditional access
CN1741608A (en) Method for realizing machine-card separation in digital TV system
CN102761778B (en) A kind of data encrypting and deciphering system and method based on bidirectional terminal
Tranter Access, Simulcrypt and Encryption Systems
HK1060003A (en) Secure packet-based data broadcasting architecture