HK1092298A - Apparatus and method for a secure broadcast system - Google Patents
- Publication number: HK1092298A
- Authority: HK (Hong Kong)
Description
Cross Reference to Related Applications
This patent application claims priority from provisional application No. 60/485,791, entitled "Apparatus and Method for a Secure Broadcast System," filed on 8/7/2003 and assigned to the present assignee, which is expressly incorporated by reference.
Technical Field
The present invention relates generally to secure communication systems, and more particularly to access key management for multimedia broadcast services in a mobile environment.
Background
Wireless communication systems are widely deployed to provide various types of communication such as voice, data, and so on. These systems may be based on Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), or other modulation techniques.
A system may be designed to support one or more standards such as the "TIA/EIA-95-B mobile station-base station compatibility standard for dual-mode wideband spread spectrum cellular systems" (the IS-95 standard); the TDMA-based "global system for mobile" (GSM) communication standard; the "universal mobile telecommunications service" (UMTS) standard, which is a third generation wireless service based on the GSM communication standard; the General Packet Radio System (GPRS) communication standard, which is an intermediate step in the evolution of GSM to UMTS; the standard provided by the alliance known as the "third generation partnership project" (3GPP), which is embodied in a group of documents including documents nos. 3G TS 25.211, 3G TS 25.212, 3G TS 25.213, 3G TS 25.214 and 3G TS 25.302 (the W-CDMA standard); and the standard provided by the alliance known as the "third generation partnership project 2" (3GPP2), which is embodied in the "TR-45.5 Physical Layer Standard for cdma2000 Spread Spectrum Systems" (the IS-2000 standard). Each standard specifies how to handle wireless communication data between an infrastructure element, such as a base station, and a user terminal device, such as a mobile device.
The increasing demand for wireless data transmission and the expanded services that wireless communication technologies can provide has led to the development of specific data services. In one embodiment, the system may be configured to support multimedia broadcast services (hereinafter referred to as "broadcast services"). Similar to television and/or radio broadcasts, broadcast services may be used to wirelessly transmit multimedia content streams from content providers to user terminal devices. A content stream may be considered herein to correspond to a television channel or a radio station. Examples of multimedia content streams include audio and/or video data, such as movies, sporting events, news, and various other programs and/or files. Typically, the service provider indicates to the user whether such broadcast services are available. A user who wants to get a broadcast service may receive parameters related to the broadcast service in an overhead message sent by the infrastructure element. When a user wishes to receive certain content streams, the user terminal device reads the overhead messages and learns the appropriate configuration. The user terminal device then tunes to the channel or frequency containing the content stream and receives the broadcast service.
There are several subscription/revenue models for broadcast services, including free access, controlled access, and partially controlled access. For free access, the user receiving the service does not require a subscription. The content is broadcast without encryption so that the user terminal device of any interested user can receive and view the content. The revenue for the service provider may be generated via advertisements that can also be transmitted in the broadcast channel. For example, a clip of an upcoming movie may be transmitted, with the movie studio paying the service provider for it.
In controlled access, a user is required to subscribe to and be authorized to receive broadcast services by paying a fee. This controlled access is achieved by encrypting the broadcast service delivery or content by means of an encrypted access key so that only subscribed users can decrypt and view the content. Here, the encryption of the broadcast content may be based on a symmetric or asymmetric cryptographic system. In a symmetric cryptosystem, the same key is used for encryption/decryption, and in an asymmetric cryptosystem, different keys are used for encryption/decryption.
Cryptography is well known to those skilled in the art and will not be described in detail. The hybrid access scheme or partially controlled access scheme provides a broadcast service as a subscription-based service, which is encrypted with intervening unencrypted advertisements. The purpose of these advertisements may be to encourage people to subscribe to encrypted broadcast services.
For controlled or partially controlled broadcast services, there are problems in providing access keys securely by a content provider to one or more recipients. There is therefore a need for a secure method of providing an access key to an end user device. More specifically, the provision of access keys needs to be compatible with existing standards and corresponding infrastructure as well as with continuously evolving standards and corresponding infrastructure.
Disclosure of Invention
Embodiments disclosed herein address the above stated needs by securely providing an access key to an end user device.
In one embodiment, a method for secure processing in a device that securely stores a key comprises: receiving a plurality of challenges from a network; generating a plurality of encryption keys based on the key and the plurality of challenges; and generating an access key based on the plurality of encryption keys. The method may further comprise generating a plurality of authentication responses using the plurality of challenges and the key; and sending at least one authentication response to the network. Generating the access key may include generating a broadcast access key, in which case the method further comprises: receiving encrypted broadcast content; and decrypting the broadcast content based on the broadcast access key. The decryption of the content may include: generating a temporary decryption key based on each challenge and the broadcast access key; and decrypting the broadcast content using the temporary decryption key.
In another embodiment, an apparatus for secure processing in a device having a module for securely storing a key, comprises: means for generating a plurality of encryption keys based on a plurality of challenges received from the network and the key; and means for generating an access key based on the plurality of encryption keys.
In yet another embodiment, a machine-readable medium for use in a device that securely stores a key and receives a plurality of challenges from a network is disclosed. The machine-readable medium includes code for generating a plurality of encryption keys based on the plurality of challenges and the key; and code for generating an access key based on the plurality of encryption keys.
In the above embodiments, a 128-bit subscriber authentication key may be stored as the key in the subscriber identity module of a mobile phone using the global system for mobile communications standard. The 128-bit subscriber authentication key may also be stored as the key in the universal subscriber identity module of a mobile phone using universal mobile telecommunications system standards. In addition, multiple 64-bit encryption keys may be generated, and a 128-bit broadcast access key may be generated from two encryption keys.
In another embodiment, an apparatus for a mobile phone, comprises: an Integrated Circuit Card (ICC) configured to securely store a key and generate a plurality of encryption keys based on the key and a plurality of challenges received from a network; and a processor coupled to the ICC and configured to generate an access key based on the plurality of encryption keys. The ICC can be a Subscriber Identity Module (SIM) of a mobile phone using a global system for mobile communications standard. The SIM may store a 128-bit subscriber authentication key as the key and generate a 64-bit encryption key. The ICC can also be a Universal Subscriber Identity Module (USIM) of a mobile phone using universal mobile telecommunications system standards. The USIM may store a 128-bit subscriber authentication key as the key and generate a 64-bit encryption key in a mode that is backward compatible with the SIM. The processor may use two encryption keys to generate a 128-bit broadcast access key.
Drawings
Various embodiments will be described in detail below with reference to the following drawings, wherein like reference numerals represent like elements, and wherein:
Fig. 1 is an example of a wireless communication network capable of supporting broadcast services;
Fig. 2 shows a simplified network for implementing MBMS;
Fig. 3 shows a terminal capable of subscribing to MBMS for receiving multimedia content;
Fig. 4 is a simplified example of a GSM system;
Fig. 5 is an example of a system for broadcast services with a network that performs authentication and a terminal; and
Fig. 6 illustrates a method of secure processing in a device that securely stores a key.
Detailed Description
In the following description, specific details are given to provide a thorough understanding of the embodiments. However, it will be apparent to one of ordinary skill in the art that the embodiments may be practiced without the specific details. For example, circuits may be shown in block diagrams in order not to obscure the embodiments in unnecessary detail. In other instances, well-known circuits, structures and techniques may not be shown in detail in order not to obscure the embodiments.
It is also noted that the embodiments may be described as a process which is depicted as a flowchart, a flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. Additionally, the order of the operations may be rearranged. When the operation is completed, the process terminates. A process may correspond to a method, a function, a program, a routine, a subprogram, and so on. When a process corresponds to a function, its termination corresponds to the return of this function to the calling function or the main function.
Moreover, as disclosed herein, a storage medium may represent one or more devices for storing data, including Read Only Memory (ROM), Random Access Memory (RAM), magnetic disk storage media, optical storage media, flash memory devices, and/or other machine-readable media for storing information. The term "machine-readable medium" includes, but is not limited to portable or fixed storage devices, optical storage devices, wireless channels and various other mediums capable of storing, containing or carrying command(s) and/or data.
Fig. 1 illustrates an example of a wireless communication network 100 capable of supporting broadcast services. Network 100 may include one or more communication systems that support different standards. In more detail, the network 100 includes a plurality of service areas 102A-102G, each of which is serviced by a respective infrastructure element 104A-104G. The infrastructure elements 104A-104G communicate with user terminal devices (hereinafter referred to as "terminals") 106A-106J that are within the service areas 102A-102G of the respective infrastructure elements 104A-104G. Depending on the type of communication system, the infrastructure elements 104A-104G may include base stations, base transceiver stations, gateways, or other devices that communicate with the terminals 106A-106J. Terminals 106A-106J may be, but are not limited to, mobile (including cellular and personal communication services) telephones, wireline telephones, wireless handsets, Personal Digital Assistants (PDAs), various computers (including laptops and desktops), or other data transceivers. As shown in Fig. 1, the terminals 106A-106J may be hand-held, mobile, or portable, such as when mounted in a vehicle (including cars, trucks, boats, trains, and planes), or stationary.
In one embodiment, the network 100 supports a broadcast service known as multimedia broadcast/multicast service (MBMS), sometimes referred to as broadcast/multicast service (BCMCS). Generally, MBMS is an Internet Protocol (IP) based packet data service. The service provider may indicate the availability of MBMS to the user. Users who desire MBMS may receive the service and discover the broadcast service schedule via broadcasts, such as advertisements, Short Message System (SMS), and Wireless Application Protocol (WAP). The infrastructure element conveys MBMS-related parameters in an overhead message. When the user wishes to receive the broadcast session, the terminal 106 reads the overhead message and learns the appropriate configuration. The terminal 106 then tunes to the frequency containing the MBMS channel and receives the broadcast service content.
Fig. 2 shows a simplified network 200 for implementing MBMS. In the network 200, a Content Source (CS)210 provides video and/or audio information to a Packet Data Serving Network (PDSN) 230. The video and audio information may be from broadcast programs or radio transmissions. The information is provided as packet data, such as IP packets. PDSN 220 processes IP packets for distribution within the Access Network (AN). As illustrated, AN is defined as a portion of network 200, including infrastructure element 240 in communication with a plurality of terminals 250.
For MBMS, the CS 210 provides unencrypted content. Infrastructure element 240 receives the information stream from PDSN 230 and provides the information on a designated channel to subscriber terminals within network 200. To control access, content from the CS 210 is encrypted by a content encryptor (not shown) using an encryption key before being provided to the PDSN 220. Although the content encryptor may be implemented together with or separately from the CS 210, the content encryptor and the CS 210 are hereinafter referred to as a content provider. The subscriber is provided with a decryption key to enable decryption of the IP data packet.
In more detail, Fig. 3 shows a terminal 300 capable of subscribing to MBMS for receiving multimedia content. The terminal 300 comprises an antenna 310 connected to a receiving circuit 320. The terminal 300 receives a transmission from a content provider (not shown) via an infrastructure element (not shown). The terminal 300 includes a mobile equipment (ME) 340 and a Universal Integrated Circuit Card (UICC) 330 connected to the receiving circuit 320. It should be noted that in some terminals, UICC 330 and ME 340 may be implemented together in one secure processing unit. Furthermore, although the embodiment will be described using a UICC, other integrated circuits and/or secure processing units, such as a User Identity Module (UIM), a Subscriber Identity Module (SIM) or a universal SIM, may be implemented within a terminal.
Generally, UICC 330 performs authentication procedures for the security of MBMS transmissions and provides various keys to ME 340. ME 340 performs substantial processing including, but not limited to, decrypting the MBMS content data stream using a key provided by UICC 330. UICC 330 is regarded as able to securely store and process secret information (such as encryption keys) that should be kept secret for a long time. Since UICC 330 is a secure unit, there is no need for the system to constantly change the secret information stored therein. UICC 330 may include a processing unit referred to as a Secure UICC Processing Unit (SUPU) 332 and a secure memory storage unit referred to as a Secure UICC Memory Unit (SUMU) 334. Within UICC 330, SUMU 334 stores secret information in a manner that prevents unauthorized access to the information. Obtaining the secret information from UICC 330 would require a large amount of resources. Also within UICC 330, SUPU 332 performs computations on values that may be external and/or internal to UICC 330. The results of the computations may be stored in SUMU 334 or transmitted to ME 340.
In one embodiment, UICC 330 is a fixed unit or is integrated within terminal 300. Note that UICC 330 can also include non-secure memory and processing (not shown) for storing information including phone numbers, e-mail address information, web page or URL address information, and/or scheduling functions, etc. Alternative embodiments may provide a removable and/or reprogrammable UICC. Typically, the SUPU 332 does not have significant processing capabilities for functions other than security and key procedures, such as allowing encryption of broadcast content for MBMS. However, alternative embodiments may implement a UICC with greater processing power.
While UICC 330 is a secure unit, the data in ME 340 can be accessed by non-subscribed users and is assumed to be insecure. Any information transferred to the ME 340 or processed by the ME 340 remains secret for only a short time. Therefore, it is desirable to change all secret information shared with the ME 340, such as keys, on a regular basis.
In more detail, MBMS content is encrypted with a unique and frequently changing temporary encryption key, called the short-term key (SK). In order to decrypt the broadcast content at a particular time, the ME 340 must know the current SK. This SK is used to decrypt the broadcast content for a short time, so that the SK can be considered to have some intrinsic monetary value to the user. For example, this intrinsic monetary value may be a portion of the registration cost. Here, different content types may have different intrinsic monetary values. Assuming that the cost for a non-subscriber to obtain SK from the ME 340 of a subscriber exceeds the intrinsic monetary value of SK, the cost of illegally obtaining SK outweighs the return and thus there is no profit. Therefore, SK in ME 340 does not have to be protected. However, if the broadcast has an intrinsic value greater than the cost of illegally obtaining this key, then a non-subscriber stands to gain by obtaining the key from the ME 340. Thus, ideally, the ME 340 would not store secrets with a lifetime longer than the SK lifetime.
Furthermore, the channel used by the content provider (not shown) for data transmission is considered insecure. Therefore, SK is not transmitted over the air. The SK is derived either by the UICC 330 or by the ME 340 from an access key called the Broadcast Access Key (BAK) and SK information (SKI) broadcast with the encrypted content. BAK may be used for a certain time, such as a day, a week, or a month, and may be updated. Within each period between BAK updates, a shorter interval is provided during which SK is changed. The content provider may use a cryptographic function to determine the two values SK and SKI, thereby enabling the SK to be determined from the BAK and SKI. In one embodiment, SKI may contain SK encrypted with BAK as a key. Alternatively, SK may be the result of applying a cryptographic hash function to the concatenation of SKI and BAK. Here, SKI may be some random value.
To access the MBMS, the user registers and subscribes to the service. In one embodiment of the registration process, the content provider and UICC 330 agree on a registration key or Root Key (RK) to be used as a secure association between the user and the content provider. The registration may occur when the user subscribes to a broadcast channel provided by the content provider or may occur prior to the subscription. A single content provider may provide multiple broadcast channels. The content provider may choose to associate the same RK for all channels with the user or require the user to register for each channel and associate different RKs on different channels with the same user. Multiple content providers may choose to use the same registration key or require the user to register and obtain different RKs.
If possible, the RK is kept as a secret in UICC 330. The RK is unique for a given UICC, i.e. each user is assigned a different RK. But if the user has multiple UICCs, then these UICCs can be configured to share the same RK, depending on the policy of the content provider. The content provider may then send UICC 330 further secret information, such as BAK encrypted with RK. UICC 330 can recover the value of the original BAK from the encrypted BAK using RK. Since ME 340 is not a secure unit, UICC 330 does not provide BAK to ME 340.
The content provider also broadcasts SKI, which is combined with BAK in UICC 330 to derive SK. The UICC 330 then transmits the SK to the ME 340, and the ME 340 decrypts the encrypted broadcast transmission received from the content provider using the SK. In this way, the content provider can efficiently distribute new values of SK to subscribing users.
As described, controlled access may be achieved by provisioning the RK in SUMU 334 of UICC 330. However, in the existing infrastructure of some systems, due to the cost and/or inconvenience of replacing an existing UICC, SIM, UIM or other integrated circuit card, an appropriate value of RK cannot be kept in a secure unit such as UICC 330.
For example, in the GSM system, the Subscriber Identity Module (SIM) is a secure element and contains subscriber identification data about the subscriber that can be used to access the network. For purposes of explanation, fig. 4 shows a simplified example of a GSM system 400 for authenticating a subscriber to allow access to a network. System 400 includes a Home Location Register (HLR)410, a Visitor Location Register (VLR)420, and a terminal such as mobile device 430. Note that system 400 also includes other elements, but GSM systems are well known to those skilled in the art and will not be described in detail.
HLR 410 is a subscriber database for mobile systems. HLR 410 is maintained by the terminal's home carrier and contains important subscriber information for billing and for network authentication. VLR 420 is also a database and contains temporary subscriber information, such as the current location of the terminal, to manage requests from subscribers outside the coverage area of the local system. When a subscriber places a call and the subscriber's terminal is outside the home area, VLR 420 communicates with HLR 410 to obtain the information needed to handle the call, including the information needed to authenticate the subscriber.
The terminal 430 includes a SIM module 432 that securely contains a subscriber authentication key (K) for authenticating the subscriber. Here, a challenge-response protocol, referred to as Authenticated Key Agreement (AKA), is generally used for GSM authentication. In AKA, the network sends a challenge message to the subscriber terminal, which responds with a value obtained using a one-way hash function. Here, the challenge message may be a random value. The network checks the response by comparing it with its own expected hash value. If the values match, the authentication is confirmed. When this response is generated, a key for securing subsequent communications is also generated.
In more detail, in the GSM system, VLR 420 requests authentication parameters from HLR 410. HLR 410 sends the VLR a 128-bit random number RAND, a signed Response (RES) and an encryption key (Kc). Both RES and Kc are generated from the subscriber authentication key K and RAND by using different algorithms. Using this authentication triplet (RAND, RES, Kc), a challenge message is issued by sending the random number RAND to the terminal 430. The received RAND is passed to the SIM 432, and the SIM 432 uses RAND and K to generate RES and Kc. The generated RES is returned to VLR 420, and VLR 420 checks whether the two RES values match. If the two values match, the subscriber is authenticated and both the terminal and the network start encrypting/decrypting using Kc.
While the GSM SIM securely contains a subscriber authentication key (K) for authenticating the subscriber, it does not allow the provision of another key, such as the RK. That is, the existing GSM SIM cannot be changed. Thus, one way to deliver BAK for broadcast services may be to encrypt the BAK with Kc instead of RK. The content provider will send a message containing RAND and BAK encrypted with Kc. The terminal receives the message and forwards the RAND to the SIM as if it were a normal GSM authentication. Thus, RES and Kc are generated by the SIM by using RAND and K. Here, the RES generated by the SIM may be discarded. This prevents an attacker from sending the same RAND and recording the returned RES for illegal access. Kc can be used to decrypt this encrypted BAK.
But Kc is typically a 64-bit key, whereas some broadcast services, such as MBMS, are designed to provide 128-bit security. Therefore, it is necessary to use a key longer than 64 bits to encrypt the BAK. BAK is therefore encrypted with multiple triplets.
Fig. 5 shows an example broadcast service system 500 with a network 510 performing authentication and with a terminal 520. The network 510 includes one or more content providers and other infrastructure elements necessary for broadcast services. Terminal 520 includes ICC 522 coupled to a processor 524. In a GSM system, network 510 may include a VLR and an HLR, and ICC 522 is the SIM module described in Fig. 4. Typically, the network 510 sends a challenge message for performing authentication. The terminal 520 uses this challenge message to generate a BAK for controlled access. That is, ICC 522 of terminal 520 securely stores a key for generating BAK. The operation of the system 500 will now be described with reference to Fig. 6.
Fig. 6 illustrates a method 600 for secure processing in a device, such as a terminal 520, that securely stores a key, such as a subscriber authentication key, in a secure unit, such as ICC 522. In method 600, the device receives a plurality of challenges from a network (610). The multiple challenges may be in one message or multiple messages. A plurality of encryption keys is generated based on the key and the plurality of challenges (620). An access key is then generated based on the plurality of encryption keys (630). In system 500, ICC 522 is configured to generate the encryption keys, for example, because the key should remain within ICC 522. The processor 524 is configured to generate the access key based on the encryption keys.
The access key is generated using a plurality of encryption keys because the access key is typically longer than the encryption key. For example, in GSM for MBMS, the encryption key is 64 bits and the access key is 128 bits. In this case, the access key may be generated using two encryption keys. An access key may be generated from the plurality of encryption keys using any known technique. In one embodiment, the access key is generated by concatenating a plurality of encryption keys. In an alternative embodiment, the access key is generated by applying a hash function to a plurality of encryption keys. The hash function may include SHA-1 to mix the plurality of encryption keys.
For authentication, the method 600 may further include generating a plurality of authentication responses using the plurality of challenge messages and the key, as described with reference to fig. 4. Thereafter, at least one of these authentication responses is returned to the network by a transmitter (not shown) implemented in the terminal 520, and all authentication responses not sent to the network may be discarded.
Accordingly, after generating the access key, method 600 may further include receiving encrypted broadcast content and decrypting the broadcast content based on the access key. For example, in MBMS, the access key is BAK and SKI is used to generate SK. In this case, the method 600 may further include generating a temporary encryption/decryption key, such as SK, based on each challenge message and the current BAK. The current SK can thus be used to decrypt the encrypted content and to view/process the content.
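The key hierarchy described above (K and each RAND give a Kc inside the ICC, two Kc values give the BAK in the processor, and BAK with SKI gives SK), sketched as an added example that is not code from the patent. Assumptions: HMAC-SHA256 stands in for the GSM algorithms that the text does not specify, and the RES length, the truncation of SHA-1 to 128 bits, the hash used for SK, and all function names and sample values are choices made for this example.

```python
import hashlib
import hmac

KC_LEN = 8    # 64-bit encryption key Kc (from the page)
BAK_LEN = 16  # 128-bit broadcast access key (from the page)


class Sim:
    """Models the ICC/SIM: the 128-bit key K never leaves this object."""

    def __init__(self, k: bytes):
        if len(k) != 16:
            raise ValueError("K must be 128 bits")
        self._k = k

    def challenge(self, rand: bytes):
        """Return (RES, Kc) for one 128-bit RAND.

        Assumption: HMAC-SHA256 stands in for the GSM algorithms, which
        the page does not specify; the 32-bit RES length is also assumed.
        """
        if len(rand) != 16:
            raise ValueError("RAND must be 128 bits")
        out = hmac.new(self._k, rand, hashlib.sha256).digest()
        return out[:4], out[4:4 + KC_LEN]


def combine_keys(kcs, mode="hash"):
    """Processor side: build the 128-bit access key from 64-bit keys."""
    if any(len(kc) != KC_LEN for kc in kcs) or len(kcs) * KC_LEN < BAK_LEN:
        raise ValueError("need 64-bit keys covering at least 128 bits")
    material = b"".join(kcs)
    if mode == "concat":
        # Each half of the result is one Kc unchanged.
        if len(material) != BAK_LEN:
            raise ValueError("concatenation needs exactly two keys")
        return material
    if mode == "hash":
        # SHA-1 is the hash the page names; truncating its 160-bit digest
        # to 128 bits is an assumption. No part of the output equals a Kc.
        return hashlib.sha1(material).digest()[:BAK_LEN]
    raise ValueError(f"unknown mode: {mode}")


def derive_sk(ski: bytes, bak: bytes) -> bytes:
    """SK = H(SKI || BAK); SHA-256 truncated to 128 bits is an assumption."""
    return hashlib.sha256(ski + bak).digest()[:16]


def terminal_process(sim: Sim, rands, mode="hash"):
    """Terminal side of method 600: returns (access key, RES to send)."""
    results = [sim.challenge(rand) for rand in rands]
    bak = combine_keys([kc for _, kc in results], mode)
    # One response goes back to the network; the others are discarded.
    return bak, results[0][0]


def network_accepts(k: bytes, rands, res: bytes) -> bool:
    """Network side: compare the returned RES with the expected one."""
    expected, _ = Sim(k).challenge(rands[0])
    return hmac.compare_digest(expected, res)


def demo():
    k = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed K
    rands = [bytes([1]) * 16, bytes([2]) * 16]             # constructed RANDs
    bak, res = terminal_process(Sim(k), rands)
    network_bak, _ = terminal_process(Sim(k), rands)       # network knows K
    outsider_bak, _ = terminal_process(Sim(bytes(16)), rands)
    ski = b"\x00\x00\x00\x01"                              # constructed SKI
    return {
        "authenticated": network_accepts(k, rands, res),
        "bak_matches_network": bak == network_bak,
        "outsider_has_bak": outsider_bak == bak,
        "sk": derive_sk(ski, bak).hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```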
Thus, the embodiments described herein allow for the secure provision of access keys for broadcast services. It is noted herein that although the embodiments have been described with reference to MBMS, the scope of the present invention is also applicable to broadcast services other than MBMS and various systems requiring controlled access. Similarly, the access key may be shorter or longer than 128 bits. Furthermore, the embodiments may also be applied to systems other than the GSM system. For example, a UMTS system has a USIM similar to a GSM SIM and has a backward compatible mode that allows it to function as a GSM SIM.
Furthermore, the embodiments may be implemented by hardware, software, firmware, middleware, microcode, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments to perform the necessary tasks may be stored in a machine-readable medium (not shown). The processor may perform the necessary tasks. A code segment may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of commands, data structures, or program statements. A code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted via any suitable means including memory sharing, message passing, token passing, network passing, etc. Further, the machine-readable medium may be embodied in an article of manufacture for use by a computer system and may contain the machine-readable code module therein.
Finally, it should be noted that the above-mentioned embodiments are only examples and should not be construed as limiting the invention. The embodiments are described for purposes of illustration and are not intended to limit the scope of the claims. It is therefore evident that the present teachings may be applied to other types of apparatuses and that many alternatives, modifications, and variations will be apparent to those skilled in the art.
Claims (34)
1. A method of secure processing in a device that securely stores a key, the method comprising:
receiving a plurality of challenges from a network;
generating a plurality of encryption keys based on the key and the plurality of challenges; and
generating an access key based on the plurality of encryption keys.
2. The method of claim 1, further comprising:
generating a plurality of authentication responses using the plurality of challenges and the key; and
sending at least one authentication response to the network.
3. The method of claim 2, further comprising:
discarding any authentication response not sent to the network.
4. The method of any of the preceding claims, wherein receiving a plurality of challenges comprises:
receiving a plurality of random values.
5. The method of any one of the preceding claims, wherein the access key is longer than the encryption key.
6. The method of claim 5, wherein generating the access key comprises:
concatenating the plurality of encryption keys.
7. The method of claim 5, wherein generating the access key comprises:
applying a hash function to the plurality of encryption keys.
8. The method of claim 7, wherein the hash function includes SHA-1 to mix the plurality of encryption keys.
9. The method of any of the preceding claims, wherein storing the key comprises:
storing a 128-bit subscriber authentication key as the key in a subscriber identity module of a mobile phone using the Global System for Mobile Communications standard.
10. The method of claim 9, wherein generating the plurality of encryption keys comprises generating 64-bit encryption keys; and
wherein generating the access key comprises generating a 128-bit broadcast access key using two encryption keys.
11. The method of claim 1 or any one of claims 2 to 8 when dependent on claim 1, wherein storing the key comprises:
storing a 128-bit subscriber authentication key as the key in a universal subscriber identity module of a mobile phone using the Universal Mobile Telecommunications System standard.
12. The method of claim 11, wherein generating the plurality of encryption keys comprises generating a plurality of 64-bit encryption keys; and
wherein generating the access key comprises generating a 128-bit broadcast access key using two encryption keys.
13. The method of any of the preceding claims, wherein generating the access key comprises generating a broadcast access key; and wherein the method further comprises:
receiving encrypted broadcast content; and
decrypting the broadcast content based on the broadcast access key.
14. The method of claim 13, wherein the decrypting of the content comprises:
generating a temporary decryption key based on each challenge and the broadcast access key; and
decrypting the broadcast content using the temporary decryption key.
15. Apparatus for a mobile telephone, comprising:
an Integrated Circuit Card (ICC) configured to securely store a key and to generate a plurality of encryption keys based on the key and a plurality of challenges received from a network; and
a processor coupled to the ICC and configured to generate an access key based on the plurality of encryption keys.
16. The apparatus of claim 15, further comprising:
a transmitter coupled to the ICC; wherein the ICC generates a plurality of authentication responses using the plurality of challenges and the key; and wherein the transmitter is configured to send at least one authentication response to the network.
17. The apparatus of claim 15 or claim 16, wherein the challenge comprises a random value.
18. An apparatus as claimed in claim 15 or any of claims 16 to 17, wherein the ICC is a Subscriber Identity Module (SIM) of a mobile telephone using the global system for mobile communications standard.
19. The apparatus of claim 18, wherein the SIM stores a 128-bit subscriber authentication key as the key and generates a plurality of 64-bit encryption keys; and wherein the processor generates a 128-bit broadcast access key using the two encryption keys.
20. An apparatus as claimed in claim 15 or any of claims 16 to 17, wherein the ICC is a Universal Subscriber Identity Module (USIM) for a mobile telephone using the Universal Mobile Telecommunications System standard.
21. The apparatus of claim 20, wherein the USIM stores a 128-bit subscriber authentication key as the key and generates a plurality of 64-bit encryption keys; and wherein the processor generates a 128-bit broadcast access key using the two encryption keys.
22. The apparatus of claim 15 or any of claims 16 to 21, wherein the receiver receives encrypted broadcast content; and wherein the processor generates a broadcast access key to decrypt the broadcast content.
23. Apparatus for secure processing in a device having a module for securely storing a key, the apparatus comprising:
a module that generates a plurality of encryption keys based on a plurality of challenges received from a network and the key; and
a module that generates an access key based on the plurality of encryption keys.
24. The apparatus of claim 23, further comprising:
a module for generating a plurality of authentication responses using the plurality of challenges and the secret key; and
means for sending at least one authentication response to the network.
25. The apparatus of claim 24, further comprising:
means for discarding any authentication response not sent to the network.
26. The apparatus of claim 23 or any one of claims 24 to 25, wherein the means for generating the access key comprises:
means for concatenating the plurality of encryption keys.
27. The apparatus of claim 23 or any one of claims 24 to 25, wherein the means for generating the access key comprises:
means for applying a hash function to the plurality of encryption keys.
28. The apparatus of claim 23 or any one of claims 24 to 27, wherein the means for generating the access key generates a broadcast access key; and wherein the apparatus further comprises:
means for receiving encrypted broadcast content; and
means for decrypting the broadcast content based on the broadcast access key.
29. An article of manufacture for a computer system implemented as a system for securely storing a cryptographic key and receiving a plurality of challenges from a network, the article of manufacture comprising a machine-readable medium having thereon a machine-readable code module, comprising:
a machine-readable code module embodied in the machine-readable medium for generating a plurality of encryption keys based on the plurality of challenges and the key; and
a machine-readable code module embodied in the machine-readable medium for generating an access key based on the plurality of encryption keys.
30. The article of manufacture of claim 29, further comprising:
a machine-readable code module embodied in the machine-readable medium for generating a plurality of authentication responses using the plurality of challenges and the secret key; and
a machine readable code module embodied in the machine readable medium for sending at least one authentication response to the network.
31. The article of manufacture of claim 30, further comprising:
a machine readable code module embodied in the machine readable medium for discarding any authentication response not sent to the network.
32. The article of manufacture of claim 29, wherein the machine-readable code module for generating the access key comprises:
a machine-readable code module embodied in the machine-readable medium for concatenating the plurality of encryption keys.
33. The article of manufacture of claim 29, wherein the machine-readable code module for generating the access key comprises:
a machine-readable code module embodied in the machine-readable medium for applying a hash function to the plurality of encryption keys.
34. The article of manufacture of claim 29, wherein the system receives encrypted broadcast content, wherein the machine-readable code module for generating an access key generates a broadcast access key; and the article of manufacture further comprises:
a machine-readable code module embodied in the machine-readable medium for decrypting the broadcast content based on the broadcast access key.
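The derivation recited in claims 1 to 3, 6 to 8 and 10, worked through as an added Python example that is not part of the patent text. Assumptions: `sim_a3a8` is a hypothetical HMAC-SHA-256 stand-in for the SIM's operator-specific algorithm, the SHA-1 output is truncated to 128 bits, and repeated challenges are rejected; none of these choices is specified in the claims.

```python
import hashlib
import hmac

def sim_a3a8(ki: bytes, rand: bytes):
    """Hypothetical stand-in for the SIM's authentication step.

    Returns (32-bit authentication response, 64-bit encryption key).
    HMAC-SHA-256 is a placeholder; a real SIM runs an operator-chosen algorithm.
    """
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("secret key and challenge must each be 128 bits")
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    return out[:4], out[4:12]

def derive_access_key(ki: bytes, challenges, mix: str = "concat"):
    """Return (128-bit broadcast access key, the one response to send)."""
    if len(challenges) != 2:
        raise ValueError("two challenges are needed for a 128-bit access key")
    # Added check (not in the claims): a repeated challenge repeats the
    # 64-bit key, so the access key would hold only 64 bits of key material.
    if challenges[0] == challenges[1]:
        raise ValueError("challenges must be distinct")
    results = [sim_a3a8(ki, rand) for rand in challenges]
    keys = b"".join(kc for _, kc in results)
    # Claims 2-3: one response goes to the network, the other is discarded.
    response_to_send = results[0][0]
    if mix == "concat":          # claim 6: concatenate the encryption keys
        access_key = keys
    elif mix == "sha1":          # claims 7-8: mix them with SHA-1
        access_key = hashlib.sha1(keys).digest()[:16]  # truncation assumed
    else:
        raise ValueError("mix must be 'concat' or 'sha1'")
    return access_key, response_to_send

if __name__ == "__main__":
    ki = bytes(range(16))                      # constructed sample secret key
    rands = [b"\x11" * 16, b"\x22" * 16]       # constructed sample challenges
    for mode in ("concat", "sha1"):
        bak, sres = derive_access_key(ki, rands, mode)
        print(mode, bak.hex(), "response sent:", sres.hex())
```

The network side holds the same secret key and chose the challenges, so calling `derive_access_key` with the same inputs yields the same access key without the key itself ever being transmitted.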
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US60/485,791 | 2003-07-08 | | |
| US10/870,303 | 2004-06-16 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| HK1092298A (en) | 2007-02-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| AU2004258561C1 (en) | | Apparatus and method for a secure broadcast system |
| AU2002342014B2 (en) | | Method and apparatus for security in a data processing system |
| US8121296B2 (en) | | Method and apparatus for security in a data processing system |
| US20040120527A1 (en) | | Method and apparatus for security in a data processing system |
| JP2007529147A5 (en) | | |
| JP5345717B2 (en) | | Method and apparatus for security in a data processing system |
| AU2002342014A1 (en) | | Method and apparatus for security in a data processing system |
| TWI386004B (en) | | Apparatus and method for a secure broadcast system |
| HK1092298A (en) | | Apparatus and method for a secure broadcast system |
| HK1104136B (en) | | Method and apparatus for security in a data processing system |
| HK1145376B (en) | | Method and apparatus for security in a data processing system |