[go: up one dir, main page]

HK1057667B - Method for storing encrypted data - Google Patents

Method for storing encrypted data Download PDF

Info

Publication number
HK1057667B
HK1057667B HK03108382.6A HK03108382A HK1057667B HK 1057667 B HK1057667 B HK 1057667B HK 03108382 A HK03108382 A HK 03108382A HK 1057667 B HK1057667 B HK 1057667B
Authority
HK
Hong Kong
Prior art keywords
data
key
decoder
security module
storing unit
Prior art date
Application number
HK03108382.6A
Other languages
German (de)
French (fr)
Chinese (zh)
Other versions
HK1057667A1 (en
Inventor
Nicolas Christophe
Original Assignee
Nagravision S.A.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nagravision S.A. filed Critical Nagravision S.A.
Priority claimed from PCT/IB2002/000106 external-priority patent/WO2002056592A1/en
Publication of HK1057667A1 publication Critical patent/HK1057667A1/en
Publication of HK1057667B publication Critical patent/HK1057667B/en

Links

Description

The present invention relates to data encryption, in particular the transmission of encrypted data over open networks.
Where it is desired to ensure that only the intended recipient (s) can exploit data transmitted over open networks (cable, satellite, over-the-air or the Internet), the most appropriate means is to encrypt such data and to ensure that only the authorised recipient (s) have the means to decrypt it.
Despite the algorithms used, it is generally accepted that it is possible for a third party with significant computing power to decrypt this data.
This is why current systems incorporate a mechanism for frequent key changes, which discourages attackers from attacking each other, with each attack therefore only affecting a small portion of the data and allowing the user to access, after decryption, only a few seconds of transmission.
Err1:Expecting ',' delimiter: line 1 column 126 (char 125)
The advent of storage facilities and the possibility of viewing (or exploiting) this data at any time has somewhat changed the situation.
In order to further satisfy customers, it is now possible to send encrypted data over a distribution network with a large number of users, data which is stored in the storage unit of the user's unit.
This security module is usually in the form of a smart card with keys in its memory for decrypting data.
Err1:Expecting ',' delimiter: line 1 column 149 (char 148)
Err1:Expecting ',' delimiter: line 1 column 158 (char 157)
Err1:Expecting ',' delimiter: line 1 column 237 (char 236)
Err1:Expecting ',' delimiter: line 1 column 153 (char 152)
For information, the size of a film in encrypted form is about 1 Giga Oct; in decrypted and decompressed form, the same can be 10 Giga Oct.
Err1:Expecting ',' delimiter: line 1 column 279 (char 278)
Err1:Expecting ',' delimiter: line 1 column 249 (char 248)
In order to allow a product to be stored on a hard disk and viewed later, a first approach was described in FR-A-2 732 537. The problem this document seeks to solve is the limited validity of the keys transmitted with the data. Therefore, the proposed solution is to decrypt the file containing the keys (CW) and re-encrypt them with a local key to allow the use of the data at all times.
The variant described in document EP-A-0 912 052 varies in the sense that the local re-encryption key is stored in a smart card.
Document EP-A-1 122 910 (corresponding to document WO-A-00/22777) describes decoding received encrypted data in a decoder and re-encrypting and over-encrypting it before storage.
These three documents do not address the problem of data vulnerability when stored on an easily accessible medium.
Err1:Expecting ',' delimiter: line 1 column 210 (char 209)
This is achieved by a method of storing data extracted from an encrypted data stream sent to a decoder connected to a security module and connected to a storage unit (DB), the method of re-encrypting, without intermediate decryption, in the decoder the encrypted data sent to the decoder before transferring them to the storage unit (DB) by at least one unique key (K1, K2).
Err1:Expecting ',' delimiter: line 1 column 195 (char 194)
Err1:Expecting ',' delimiter: line 1 column 155 (char 154)
Since the decoder is not considered to be inviolable, a key contained in a security module may be used instead of or in addition to the first key.
The present invention will be better understood in the light of the figures annexed, taken as a non-exhaustive list, in which: Figure 1 shows the different components of a decoder,Figure 2 shows the operations according to the invention.
Figure 1 shows the flow of EF into the STB decoder for processing. The data to be stored is isolated in the format specific to the data for storage, and sent to an encryption module before being transferred. This module uses the K1 key provided by the SM security module, usually in the form of a chip card, connected to the decoder. This card is considered to be inviolable and the various exchanges between the latter and the STB decoder are encrypted by a key specific to these two elements.
The K1 key issued by the SM security module can be combined with a second K2 key specific to the decoder, so moving the SM security module with the data content stored in DB does not allow the data to be decrypted.
These keys are unique, i.e. each decoder or security module uses a different key. Depending on the generation mode chosen, this key is generated randomly during a startup phase or sent by the system management center.
Figure 2 shows in diagrammatic form the same processing with the input EF flow passing through a first Sdata filter, which isolates data for storage and directs data for other purposes to other processing via the EX output.
A first NK(K1) encryption step is then performed with a first K1 key from the SM security module. These data are then sent to a second NK(K2) encryption module fed by a second K2 key from the STB decoder.
These keys, provided by the STB decoder and the SM security module, are used in some order.
In one embodiment, the encryption module is located directly in the interface between the decoder and the storage module, so that this encryption is performed at a low logical level and independently of the decoder's central management program.
According to another form of the invention, the SM security module has encryption means that are sufficiently powerful to receive the data stream to be encrypted and return the data in encrypted form.
The data encryption can be performed first on the basis of a first K1 key from the SM security module and then on the basis of a second K2 key from the STB decoder.
So it will be necessary to combine these three elements to make decryption possible.
This principle can be extended to any element capable of storing a private key, which is then used for a new data encryption layer.
Err1:Expecting ',' delimiter: line 1 column 286 (char 285)
According to our invention, at least one step of over-encryption is subjected to a key contained in the security module (SM) where the rights for the use of the data are also located. When decrypting data stored on the storage media, the K1 key is only provided to the decryption module if the verification on the right of use is positive. Thus, DB data only return to the form as sent as long as the user has the right of use.
In this embodiment, DB data is accompanied by a clear description of the permissions required for this data.

Claims (7)

  1. A storing method of data extracted from an encrypted data stream sent to a decoder (STB) connected to a security module (SM) and connected to a storing unit (DB). this method consisting in re-encrypting, without previous decryption, in the decoder the encrypted data sent to the decoder before they are transferred to the storing unit (DB) by at least one specific key (K1, K2).
  2. A method according to Claim 1, characterised in that it consists in using as a single key a key (K1) specific to the security module (SM).
  3. A method according to Claim 1, characterised in that it consists in using as a single key a key (K2) specific to the decoder (STB).
  4. A method according to Claim 1, characterised in that it consists in successively encrypting the data by several keys, either the key (K1) of the security module and the key (K2) of the decoder or inversely.
  5. A method according to Claims 1 to 4, characterised in that it consists in encrypting the data destined to the storing unit (DB) by an encryption key (K3) contained in the storing unit (DB).
  6. A method according to one of the Claims 1 or 2, characterised in that the data to be encrypted are sent to the security module (SM) to be encrypted, the encrypted data are then directed towards the storing unit (DB).
  7. A method according to one of the Claims 1 to 3, characterised in that it consists in executing the encryption or the decryption in a low level interface located between the storing unit (DB) and the decoder (STB).
HK03108382.6A 2001-01-16 2002-01-15 Method for storing encrypted data HK1057667B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CH612001 2001-01-16
CH01/0061 2001-01-16
PCT/IB2002/000106 WO2002056592A1 (en) 2001-01-16 2002-01-15 Method for storing encrypted data

Publications (2)

Publication Number Publication Date
HK1057667A1 HK1057667A1 (en) 2004-04-08
HK1057667B true HK1057667B (en) 2005-02-18

Family

ID=

Similar Documents

Publication Publication Date Title
EP1606905B1 (en) Protected return path from digital rights management dongle
JP4703791B2 (en) Data re-encryption apparatus and method
EP2494486B1 (en) System for protecting an encrypted information unit
KR101496424B1 (en) User-based content key encryption for DRM systems
EP1852799B1 (en) Device-independent management of cryptographic information
JP2005505069A (en) Memory encryption
WO2000022777A1 (en) Method and device for protecting digital data by double re-encryption
AU770758B2 (en) Method for distributing keys among a number of secure devices, method for communicating with a number of secure devices, security system, and set of secure devices
JP2004171207A (en) Data protection/storage method and server
US20020021804A1 (en) System and method for data encryption
CA2432445C (en) Method for storing encrypted data
US20040117639A1 (en) Secure driver
ES2274557T3 (en) SYSTEM TO PROVIDE ENCRYPTED DATA, SYSTEM TO DESCRIBE ENCRYPTED DATA AND METHOD TO PROVIDE A COMMUNICATIONS INTERFACE IN SUCH DESCRIBER SYSTEM.
KR100977969B1 (en) How to send and receive data on the network
US20020001388A1 (en) High speed copy protection method
HK1057667B (en) Method for storing encrypted data
US8582763B2 (en) Method and apparatus for decoding broadband data
WO2010040477A1 (en) Method and device for authorising access to data
Reiher et al. Adapting encrypted data streams in open architectures
EP3639176A1 (en) Combined hidden dynamic random-access devices utilizing selectable keys and key locators for communicating randomized data together with sub-channels and coded encryption keys
GB2316278A (en) Data Encryption
HK1175547A (en) System for protecting an encrypted information unit
HK1175547B (en) System for protecting an encrypted information unit
HK1102252B (en) Digital audio/video data processing unit and method for controlling access to said data
HK1110670B (en) Device-independent management of cryptographic information