
HK1149673B - Method and apparatus for security in a data processing system - Google Patents


Info

Publication number
HK1149673B
Authority
HK
Hong Kong
Prior art keywords
key
encrypted
broadcast
information
time period
Application number
HK11103738.8A
Other languages
Chinese (zh)
Other versions
HK1149673A1 (en)
Inventor
P. Hawkes
G. G. Rose
R. T. Hsu
R. Rezaiifar
Original Assignee
Qualcomm Incorporated
Priority claimed from US09/933,972 (US8121296B2)


Description

Method and apparatus for security in a data processing system
The present application is a divisional application of the Chinese patent application entitled "Method and apparatus for security in a data processing system", application No. 02810587.7, filed on 3/28/2002.
Background
Priority requirements under 35 U.S.C. § 120
This patent application claims priority from U.S. provisional application No. 60/279,970, filed on 3/28/2001, assigned to the assignee of the present invention and hereby incorporated by reference.
Pending patent application reference
The present invention is related to the following patent applications of the U.S. patent and trademark office:
"METHOD AND APPARATUS FOR OVERHEAD MESSAGING IN A WIRELESS COMMUNICATION SYSTEMS" by Nikolai Leung, having attorney docket number 010439, also filed herewith, assigned to the assignee of the present invention and hereby expressly incorporated herein by reference;
"METHOD AND APPARATUS FOR OUT-OF-BAND TRANSMISSION OF BROADCAST SERVICE OPTION IN A WIRELESS COMMUNICATION SYSTEM", filed concurrently herewith and having attorney docket number 010437, assigned to the assignee of the present invention and hereby expressly incorporated by reference;
"METHOD AND APPARATUS FOR BROADCAST SIGNALING IN A WIRELESS COMMUNICATION SYSTEMS" by Nikolai Leung, having attorney docket number 010438, also filed herewith, assigned to the assignee of the present invention and hereby expressly incorporated herein by reference;
"METHOD AND APPARATUS FOR TRANSMISSION FRAMING IN A WIRELESS COMMUNICATION SYSTEM" by Raymond Hsu, having attorney docket number 010498, filed herewith, assigned to the assignee of the present invention and hereby incorporated by reference;
"METHOD AND APPARATUS FOR DATA TRANSFER IN A WIRELESS COMMUNICATION SYSTEM" by Raymond Hsu, having attorney docket number 010499, also filed herewith, assigned to the assignee of the present invention and specifically incorporated herein by reference; and
the "METHOD and apparatus FOR the synthesis of IN A WIRELESS COMMUNICATION SYSTEM" by Raymond Hsu, having attorney docket number 010500, filed herewith, is assigned to the assignee of the present invention and is hereby expressly incorporated by reference.
FIELD
The present invention relates to data processing systems, and more particularly, to a method and apparatus for security in a data processing system.
Background
Security in data processing and information systems, including communication systems, bears on accountability, fairness, accuracy, confidentiality, operability, and many other desired criteria. Encryption, or the general field of cryptography, is used in electronic commerce, wireless communications and broadcasting, and has an unlimited range of applications. In electronic commerce, encryption is used to prevent fraud in, and to verify, financial transactions. In a data processing system, encryption is used to verify the identity of a participant. Encryption is also used to prevent unauthorized modification, protect web pages, and prevent access to confidential files.
Symmetric encryption systems, commonly referred to as cryptosystems, use the same key (i.e., a secret key) to encrypt and decrypt messages. Asymmetric encryption systems, by contrast, encrypt messages using a first key (i.e., a public key) and decrypt them using a different key (i.e., a private key). Asymmetric cryptography is also referred to as public key cryptography. Symmetric cryptosystems have a problem in securely conveying the secret key from a sender to a recipient. A further problem arises when keys or other cryptographic mechanisms must be updated frequently. In a data processing system, securely updating keys costs processing time, memory storage, and other processing overhead. In a wireless communication system, updating keys uses valuable transmission bandwidth.
The prior art does not provide a way for a large number of users to update keys so as to give them access to encrypted broadcasts. There is therefore a need for a secure and efficient method of updating keys in a data processing system. Furthermore, there is a need for a secure and efficient method of updating keys in a wireless communication system.
Summary of the invention
Embodiments disclosed herein address the above stated needs by providing a method for security in a data processing system.
In one aspect, a method for secure transmission includes determining a registration key specific to a participant in a transmission, determining a first key, encrypting the first key with the registration key, determining a second key, encrypting the second key with the first key, and updating the first and second keys.
In another aspect, a method of securely receiving a transmission includes receiving a registration key specific to a participant in the transmission, receiving a first key, decrypting the first key with the registration key, receiving a second key, decrypting the second key with the first key, receiving a broadcast stream, and decrypting the broadcast stream using the second key.
In yet another aspect, a wireless communication system supporting broadcast service options has an infrastructure element comprising receiving circuitry; a user identification unit operable to reproduce a short time key for decrypting the broadcast message; and a mobile equipment unit adapted to decrypt the broadcast message using the short time key. The user identification unit comprises a processing unit operable to decrypt the key information; and a memory storage unit for storing the registration key.
Brief Description of Drawings
FIG. 1A is a diagram of a cryptographic system.
FIG. 1B is a diagram of a symmetric cryptographic system.
FIG. 1C is a diagram of an asymmetric cryptographic system.
FIG. 1D is a diagram of a PGP encryption system.
FIG. 1E is a diagram of a PGP decryption system.
FIG. 2 is a diagram of a spread spectrum communication system supporting a number of users.
FIG. 3 is a block diagram of a communication system supporting broadcast transmissions.
FIG. 4 is a block diagram of a mobile station in a wireless communication system.
FIG. 5 is a model describing the updating of keys for controlling broadcast access in a mobile station.
FIG. 6 is a model describing cryptographic operations in a UIM.
FIGS. 7A-7D illustrate one method of implementing secure encryption in a wireless communication system that supports broadcast transmissions.
FIG. 7E is a timing diagram of a key update period for security options in a wireless communication system supporting broadcast transmissions.
FIGS. 8A to 8D illustrate an application of a security encryption method in a wireless communication system supporting broadcast transmission.
Detailed Description
The word "exemplary" is used herein exclusively to mean "serving as an example, instance, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
Wireless communication systems are widely deployed to provide various types of communication such as voice, data, and so on. These systems may be based on Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), or some other modulation technique. CDMA systems provide certain advantages over other types of systems, including an increase in system capacity.
A system may be designed to support one or more standards such as the "TIA/EIA-95-B Mobile Station-Base Station Compatibility Standard for Dual-Mode Wideband Spread Spectrum Cellular Systems," referred to herein as the IS-95 standard; the standards provided by the consortium named "3rd Generation Partnership Project," referred to herein as 3GPP, and embodied in a set of documents including document numbers 3G TS 25.211, 3G TS 25.212, 3G TS 25.213, 3G TS 25.214, and 3G TS 25.302, referred to herein as the W-CDMA standard; and the standard provided by the consortium named "3rd Generation Partnership Project 2," referred to herein as the 3GPP2 standard, and TR-45.5, referred to herein as the cdma2000 standard, formerly known as IS-2000 MC. The standards cited above are specifically incorporated herein by reference.
Each standard specifically defines the processing of data transmitted from a base station to a mobile station and vice versa. The following discussion considers, as an example embodiment, a spread spectrum communication system conforming to the cdma2000 protocol. Further embodiments may incorporate other standards or systems. Still other embodiments may apply the security methods disclosed herein to any type of data processing system that uses a cryptographic system.
A cryptographic system is a method of concealing a message so that only a particular group of users can retrieve it. Fig. 1A illustrates a basic cryptographic system 10. Cryptography is the art of creating and using cryptographic systems. Cryptanalysis is the art of breaking cryptographic systems, i.e., of receiving and understanding a message without belonging to the particular group of users who are allowed to access it. The original message is referred to as a plaintext message or plaintext. An encrypted message is referred to as ciphertext, where encryption includes any means of converting plaintext into ciphertext. Decryption includes any means of converting ciphertext into plaintext, i.e., of recovering the original message. As shown in Fig. 1A, a plaintext message is encrypted to form ciphertext; the ciphertext is then received and decrypted to reproduce the plaintext. While the terms plaintext and ciphertext generally refer to data, the concept of encryption may be applied to any digital form, including audio and video data represented digitally. While the description of the invention provided herein uses the terms plaintext and ciphertext consistently with cryptography, these terms do not exclude other forms of digital communication.
Cryptographic systems are based on secrets. A group of entities shares a secret and if one is outside the group, the secret cannot be obtained without a considerable amount of resources. The role of this secret is to act as a security association between groups of entities.
A cryptographic system may be a collection of algorithms, where each algorithm is labelled and the label is referred to as a key. Symmetric encryption systems, often referred to as cryptosystems, use the same key (i.e., a secret key) to encrypt and decrypt messages. In Fig. 1B, a symmetric encryption system 20 is shown, in which both encryption and decryption use the same secret key.
In contrast, asymmetric encryption systems encrypt a message using a first key (i.e., a public key) and decrypt the message using a different key (i.e., a private key). Fig. 1C shows an asymmetric encryption system 30 in which one key is provided for encryption and a second key is provided for decryption. Asymmetric cryptography is also referred to as public key cryptography. The public key is published and can be used to encrypt any message; however, only the private key can decrypt messages encrypted with the public key.
A problem exists in symmetric cryptosystems with respect to securely conveying the secret key from a sender to a recipient. In one solution a courier may be used to deliver the key; a more efficient and more reliable solution uses a public key cryptosystem, such as the one defined by Rivest, Shamir, and Adleman (RSA) discussed below. The RSA system is used in a popular security tool called Pretty Good Privacy (PGP), which is described further below. As a historical example, one of the earliest recorded cryptographic systems changed the letters of the plaintext by shifting each letter by n positions in the alphabet, where n is a predetermined constant integer. In such a scheme "D" replaces "A", and so on, and a given encryption scheme may incorporate several different values of n. In this encryption scheme, n is the key. The encryption scheme is provided to the intended recipient prior to receiving the ciphertext, so that only those who know the key can decrypt the ciphertext to reproduce the plaintext. However, an unintended party who intercepts the ciphertext and knows the encryption method may compute the key and decrypt it, creating a security issue.
More sophisticated and advanced cryptographic systems use strategic keys that prevent interception and decryption by unintended parties. Conventional cryptographic systems use an encryption function E and a decryption function D such that:
D_K(E_K(P)) = P, for any plaintext P (1)
In public key cryptosystems, E_K is conveniently calculated from a known "public key" Y, which is in turn calculated from K. Y is published so that anyone can encrypt a message. The decryption function D_K is calculated from the public key Y, but only with knowledge of the private key K. Without the private key K, an unintended recipient is unable to decrypt the ciphertext so produced. In this manner, only the recipient that generated K can decrypt the message.
RSA is a public key cryptosystem defined by Rivest, Shamir and Adleman. As an example, consider a plaintext as a positive integer up to 2^512. The key is a quadruple of numbers (p, q, e, d), where p is a 256-bit prime, q is a 258-bit prime, and d and e are large numbers with (de-1) divisible by (p-1)(q-1). The encryption and decryption functions are defined as:
E_K(P) = P^e mod pq, D_K(C) = C^d mod pq (2)
E_K is conveniently calculated from the pair (pq, e), whereas D_K cannot be calculated from the pair (pq, e) by any simple method. Thus, the recipient who generated K can publish (pq, e), and anyone can then send the recipient a secret message that only the recipient is able to read.
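As an added worked example (not part of the patent text), the following Go program implements equations (1) and (2) with math/big: it builds the quadruple (p, q, e, d) from chosen primes, checks the stated divisibility of (de-1) by (p-1)(q-1), computes E_K from the published pair (pq, e) only, computes D_K with d, and verifies D_K(E_K(P)) = P by round trip. The primes 61 and 53 and the exponent 17 are constructed toy values rather than the 256-bit primes of the text, and the function names are this example's own. This is the bare arithmetic the text describes; deployed RSA additionally applies a padding scheme to the plaintext before exponentiation.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// RsaKey is the quadruple (p, q, e, d) of the text; (pq, e) is public, d is private.
type RsaKey struct {
	P, Q, E, D *big.Int
}

// Modulus returns pq.
func (k RsaKey) Modulus() *big.Int { return new(big.Int).Mul(k.P, k.Q) }

// MakeKey derives d from (p, q, e) such that (de-1) is divisible by (p-1)(q-1);
// e must be coprime to (p-1)(q-1) for such a d to exist.
func MakeKey(p, q, e *big.Int) (RsaKey, error) {
	one := big.NewInt(1)
	phi := new(big.Int).Mul(new(big.Int).Sub(p, one), new(big.Int).Sub(q, one))
	d := new(big.Int).ModInverse(e, phi)
	if d == nil {
		return RsaKey{}, errors.New("e has no inverse modulo (p-1)(q-1)")
	}
	// Re-check the divisibility condition stated in the text.
	de1 := new(big.Int).Sub(new(big.Int).Mul(d, e), one)
	if new(big.Int).Mod(de1, phi).Sign() != 0 {
		return RsaKey{}, errors.New("(de-1) not divisible by (p-1)(q-1)")
	}
	return RsaKey{P: p, Q: q, E: e, D: d}, nil
}

// Encrypt is E_K(P) = P^e mod pq; it needs only the published pair (pq, e).
func Encrypt(n, e, P *big.Int) (*big.Int, error) {
	if P.Sign() < 0 || P.Cmp(n) >= 0 {
		return nil, errors.New("plaintext must satisfy 0 <= P < pq")
	}
	return new(big.Int).Exp(P, e, n), nil
}

// Decrypt is D_K(C) = C^d mod pq; it needs the private exponent d.
func Decrypt(k RsaKey, C *big.Int) *big.Int {
	return new(big.Int).Exp(C, k.D, k.Modulus())
}

// RoundTrip checks equation (1), D_K(E_K(P)) = P, for one plaintext.
func RoundTrip(k RsaKey, P *big.Int) (bool, error) {
	C, err := Encrypt(k.Modulus(), k.E, P)
	if err != nil {
		return false, err
	}
	return Decrypt(k, C).Cmp(P) == 0, nil
}

func main() {
	// Constructed toy parameters: textbook-sized primes, not the 256-bit ones of the text.
	k, err := MakeKey(big.NewInt(61), big.NewInt(53), big.NewInt(17))
	if err != nil {
		panic(err)
	}
	fmt.Printf("published (pq, e) = (%v, %v); private d = %v\n", k.Modulus(), k.E, k.D)
	for _, P := range []int64{0, 1, 65, 3232} {
		ok, err := RoundTrip(k, big.NewInt(P))
		fmt.Printf("P=%d: D_K(E_K(P)) == P is %v (err=%v)\n", P, ok, err)
	}
}
```

The loop checks the round trip for representative plaintexts in the range 0 <= P < pq, and MakeKey refuses an exponent that shares a factor with (p-1)(q-1), since then no d exists.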
PGP combines features from symmetric and asymmetric encryption. Figs. 1D and 1E illustrate a PGP cryptosystem 50 in which a plaintext message is encrypted and then recovered. In Fig. 1D, the plaintext message is first compressed to save modem transmission time and disk space. Compression also enhances cryptographic security by adding a further level of transformation to the encryption and decryption processes: most cryptanalysis techniques exploit patterns found in the plaintext to recover the key, and compression reduces these patterns, thereby increasing resistance to cryptanalysis. Note that one embodiment does not compress plaintext or other messages that are too short to compress or that do not compress well.
PGP then creates a session key, which is a one-time secret key. This key is a random number that may be generated from random events such as movements of the mouse and typing keystrokes. The session key is used with a secure encryption algorithm to encrypt the plaintext, producing the ciphertext. Once the data is encrypted, the session key itself is encrypted with the recipient's public key. The public-key-encrypted session key is sent to the recipient along with the ciphertext.
For decryption, as shown in Fig. 1E, the recipient's copy of PGP uses the recipient's private key to recover the temporary session key, and PGP then uses that key to decrypt the ciphertext in the conventional manner. This combination of encryption methods takes advantage of the convenience of public key encryption and the speed of symmetric encryption: symmetric encryption is generally much faster than public key encryption, while public key encryption in turn provides a solution to the key distribution and data transmission problems. In combination, performance and key distribution are improved without sacrificing security.
A key is a value that works with a cryptographic algorithm to produce a particular ciphertext. Keys are basically extremely large numbers, and the size of a key is measured in bits. In public key cryptography, security increases with key size; however, public key sizes and symmetric secret key sizes are generally not comparable. Although the public and private keys are mathematically related, deriving the private key from knowledge of the public key alone is difficult. Deriving the private key is nevertheless possible given sufficient time and computational power, which makes the choice of key size an important security decision. The goal is a key large enough to be secure while small enough to be processed quickly. Additional considerations are who the likely interceptor is, in particular how important the message is to that third party and how many resources the third party is prepared to spend on decrypting it.
In cryptographic terms, a larger key remains secure over a longer period of time. Keys are stored in encrypted form. PGP stores keys in two files, among others: one for public keys and one for private keys. These files are called key rings (keyrings). In use, the PGP encryption system adds the public key of the intended recipient to the sender's public key ring; the sender's private key is stored in the sender's private key ring.
As discussed in the examples given above, the methods of distributing keys for encryption and decryption can be complex. The "key exchange problem" involves first ensuring that keys are exchanged so that the sender and the receiver can perform encryption and decryption respectively and, for two-way communication, so that both can encrypt and decrypt messages. Furthermore, the key exchange should be performed so as to prevent interception by unintended third parties. Finally, an additional consideration is authentication, which assures the recipient that a message was encrypted by the intended sender rather than by a third party. In a private key exchange system, a secret exchange of keys can provide improved security based on a successful key exchange and effective authentication. Note that private key encryption schemes implicitly provide authentication: the underlying assumption in a private key cryptosystem is that only the intended sender has the key to encrypt a message for delivery to the intended recipient. While public key cryptography methods solve a decisive aspect of the "key exchange problem", namely that keys can be exchanged securely even in the presence of passive eavesdropping, they do not solve all the problems associated with key exchange. In particular, since the key is considered "public knowledge" (especially with RSA), some other entity must provide authentication, because the public key alone (sufficient to encrypt a message) is no proof of the sender's particular unique identity, and possession of the corresponding decryption key is not by itself enough to establish the recipient's identity.
One solution is to establish a key distribution authority, sometimes called a trusted authority, certificate authority, or third-party escrow agent, which guarantees that the listed keys actually belong to the given entities. In general, the authority does not actually generate keys, but does ensure that the maintained and advertised lists of keys and associated identities, which senders and recipients consult, are correct and uncompromised. Another approach relies on the users distributing and tracking each other's keys and trust in an informal, distributed manner. Under RSA, if a user wishes to send proof of their identity in addition to the encrypted message, a signature is encrypted with the private key. The receiver can verify the signature by decrypting it with the inverse RSA operation, since only the sender could have produced it with the secret key. Typically, the encrypted "signature" is a "message digest", a unique mathematical "summary" of the secret message (if the signature were static over multiple messages, a previous recipient could impersonate the sender by reusing it once it is known). Thus, in theory, only the sender of a message can generate a valid signature for that message, thereby authenticating it to the recipient.
A cryptographic hash function is often used to compute the message digest. A cryptographic hash function computes a value with a fixed number of bits from any input, regardless of the input's length. One characteristic of a cryptographic hash function is that, given an output value, it is computationally difficult to determine an input that produces that output. An example of a cryptographic hash function is SHA-1, as described in the "Secure Hash Standard" (FIPS PUB 180-1, published in the Federal Information Processing Standards Publications (FIPS PUBS) of the National Institute of Standards and Technology).
Fig. 2 is an example of a communication system 100, the communication system 100 supporting a number of users and capable of implementing at least some aspects and embodiments of the present invention. Any of a variety of algorithms and methods may be used to schedule transmissions in system 100. System 100 provides communication for a number of cells 102A through 102G, each of which is served by a respective base station 104A through 104G. It should be understood that the term "base station 104" as used throughout this specification refers to "base stations 104A, 104B, 104C, 104D, 104E, 104F, and 104G". The use of "base station 104" is merely for brevity. In the exemplary embodiment, some base stations 104 have multiple receive antennas, while others have only one receive antenna. Similarly, some base stations 104 have multiple transmit antennas, while other base stations have only a single transmit antenna. There is no limitation on the combination of the transmit antenna and the receive antenna. Thus, it is possible for the base station 104 to have multiple transmit antennas and a single receive antenna, or to have multiple receive antennas and a single transmit antenna, or to have both single or multiple transmit and receive antennas.
Terminals 106 in the coverage area may be fixed (i.e., stationary) or mobile. As shown in Fig. 2, the various terminals 106 are dispersed throughout the system. It should be understood that the term "terminal 106" as used throughout this specification refers to "terminals 106A, 106B, 106C, 106D, 106E, 106F, and 106G"; the use of "terminal 106" is merely for brevity. Each terminal 106 communicates with at least one base station 104, and possibly more base stations 104, on the downlink and uplink at any given moment, depending for example on whether soft handoff is used and on whether the terminal is designed and operated to receive multiple transmissions (simultaneously or sequentially) from multiple base stations. Soft handoff in CDMA communication systems, known in the art, is described in U.S. Patent No. 5,101,501, entitled "METHOD AND SYSTEM FOR PROVIDING A SOFT HANDOFF IN A CDMA CELLULAR TELEPHONE SYSTEM," which is assigned to the assignee of the present invention.
The downlink, or forward link (FL), refers to transmission from the base station to the terminal, and the uplink, or reverse link (RL), refers to transmission from the terminal to the base station. In the exemplary embodiment, some terminals 106 have multiple receive antennas and others have only one receive antenna. In Fig. 2, base station 104A transmits data on the downlink to terminals 106A and 106J; base station 104B transmits data to terminals 106B and 106J; base station 104C transmits data to terminal 106C; and so on.
The increasing demand for wireless data transmission, and the expansion of services available via wireless communication technologies, have led to the development of specific data services. One such service is referred to as High Data Rate (HDR). An exemplary HDR service is proposed in "EIA/TIA-IS 856 cdma2000 High Rate Packet Data Air Interface Specification," referred to as the "HDR Specification". In general, HDR service is an overlay on a voice communication system that provides an efficient method of transmitting data packets in a wireless communication system. The limited bandwidth available for radio transmission becomes a very scarce resource as the amount of data transmitted and the number of transmissions increase. Therefore, there is a need for an efficient and fair method of scheduling transmissions in a wireless communication system that makes optimal use of the available bandwidth. In an exemplary embodiment, the system 100 shown in Fig. 2 is a CDMA-type system with HDR service.
According to an example embodiment, the system 100 supports a high-speed multimedia broadcast service known as High Speed Broadcast Service (HSBS). Examples of HSBS applications are video streaming of movies, sports events, and so on. The HSBS service is a packet data service based on the Internet Protocol (IP). According to an example embodiment, a service provider indicates the availability of such high-speed broadcast services to users. A user desiring HSBS service signs up to receive the service and may discover the broadcast service schedule through advertisements, the Short Message Service (SMS), the Wireless Application Protocol (WAP), etc. The Base Station (BS) sends parameters related to the HSBS in an overhead message. When a Mobile Station (MS) wishes to receive a broadcast session, the MS reads the overhead message and ascertains the appropriate configuration. The MS then tunes to the frequency carrying the HSBS channel and receives the broadcast service content.
The service under consideration is a high-speed multimedia broadcast service. This service is also known as High Speed Broadcast Service (HSBS) in the file. One such example is a video stream of a movie, sporting event, or the like. This service is likely to be an Internet Protocol (IP) based packet data service.
The service provider will indicate the availability of such high-speed broadcast services to the users. A user of a mobile station wishing to receive such a service will sign up to receive it and may discover the broadcast service schedule through advertisements, SMS, WAP, etc. The Base Station (BS) will send the parameters related to the broadcast service in an overhead message. A mobile station wishing to listen to a broadcast session will read these messages to determine the appropriate configuration, tune to the frequency carrying the high-speed broadcast channel, and begin receiving the broadcast service content.
There are several possible subscription/revenue models for HSBS services, including free access, controlled access, and partially controlled access. For free access, the user does not need to sign up to receive the service. The BS broadcasts the content unencrypted, and interested mobile stations can receive it. Revenue for the service provider may be generated by advertisements that are also transmitted in the broadcast channel. For example, an upcoming movie clip may be sent and the movie theatre may pay the service provider.
For controlled access, the MS user subscribes to the service and pays a corresponding fee to receive the broadcast service. Users who have not subscribed are unable to receive the HSBS service. Controlled access may be achieved by encrypting the HSBS transmissions/content so that only subscribers can decrypt the content. This may use an over-the-air encryption key exchange procedure. This scheme provides greater security and protection against theft of service.
A hybrid access scheme known as partially controlled access provides the HSBS service as a subscription-based service, which is encrypted, interspersed with unencrypted advertisement transmissions. The intent of these advertisements is to encourage subscription to the encrypted HSBS service. The MS may learn the schedule of these unencrypted portions by external means.
In Fig. 3, a wireless communication system 200 is shown in which video and audio information is provided to a Packetized Data Service Network (PDSN) 202 by a Content Server (CS) 201. The video and audio information may come from a television program or a radio transmission. The information is provided as packetized data, such as IP packets. The PDSN 202 processes the IP packets for distribution in an Access Network (AN). As shown, the AN is defined as the portion of the system that includes a BS 204 in communication with a plurality of MSs 206. The PDSN 202 is coupled to the BS 204. For HSBS service, BS 204 receives the information stream from PDSN 202 and provides the information to subscribers in system 200 on designated channels. To control access, the content is encrypted by the CS 201 before being provided to the PDSN 202. The encryption key is provided to subscribers so that the IP packets can be decrypted.
Fig. 4 details an MS 300 similar to MS 206 of fig. 3. MS 300 has an antenna 302 coupled to receive circuitry 304. The MS 300 receives a transmission from a BS (not shown) similar to the BS 204 of fig. 3. The MS 300 includes a User Identity Module (UIM)308 and a Mobile Equipment (ME) 306. The receive circuitry is coupled to the UIM 308 and the ME 306. UIM 308 applies the authentication procedure for the security sent by the HSBS and provides various keys to ME 306. ME306 may be coupled to processing unit 312. The ME306 performs basic processing including, but not limited to, decryption of HSBS content streams. ME306 includes a memory storage unit MEM 310. In an example embodiment, data in ME306 processes (not shown) and data in ME memory storage unit MEM 310 may be easily accessed by an un-subscribed user through the use of limited resources, so ME306 is said to be insecure. Any information passed to ME306 or processed by ME306 is only securely kept secret for a short amount of time. Therefore, any secret information, such as a key, that is required to be shared with ME306 is constantly changed.
UIM 308 is trusted to store and process secret information, such as encryption keys, that should be kept secret for a longer period of time. When UIM 308 is a secure element, the secrets stored therein do not necessarily require the system to change the secret information often. UIM 308 includes a processing unit referred to as Secure UIM Processing Unit (SUPU)316 and a memory storage unit referred to as secure UIM memory storage unit (SUMU)314 that is trusted to be secure. In UIM 308, SUMU 314 stores secret information in such a manner as to discourage unauthorized access to the information. If the secret information is obtained from UIM 308, then access will require a significant amount of resources. Also within UIM 308, SUPU316 performs computations of values that may be external to UIM 308 and/or may be internal to UIM 308. The results of the calculations may be stored in SUMU 314 or passed to ME 306. An entity with a significant amount of resources may only obtain the calculations performed with the SUPU316 from the UIM 308. Similarly, the design specifies the output from the SUPU316 to be stored in SUMU 314 (but not to ME 306), resulting in a significant amount of resources required for unauthorized interception. In one embodiment, UIM 308 is a fixed unit in MS 300. Note that in addition to the secure memory and processing in UIM 308, UIM 308 may include non-secure memory and processing (not shown) for storing information including telephone numbers, e-mail address information, web page or URL address information, and/or scheduling functions, etc.
Further embodiments may provide a removable and/or reprogrammable UIM. In an example embodiment, the SUPU 316 does not have significant processing power for functions beyond security and key procedures (such as allowing decryption of HSBS broadcast content). Further embodiments may implement a UIM with greater processing power.
The UIM is associated with a particular user and is used primarily to verify that the MS 300 is entitled to the privileges given to that user, such as access to a mobile telephone network. Thus, the user is associated with the UIM 308 rather than with the MS 300. The same user may be associated with multiple UIMs 308.
Broadcast services face the problem of how to distribute keys to subscribers. In order to decrypt the broadcast content at a particular time, the ME must know the current decryption key. To avoid theft of traffic, the encryption key should be changed frequently, e.g., every minute. These encryption keys are referred to as short-term keys (SK). Only a short amount of broadcast content is decrypted using a given SK, so SK can be assumed to have some amount of monetary value inherent to a user. This intrinsic monetary value may be part of the registration fee, for example. It is assumed that the cost to a non-subscriber of obtaining SK from the memory storage unit MEM 310 of a subscriber exceeds the monetary value inherent in SK. That is, the cost of obtaining SK (unlawfully) outweighs the benefit, so there is no profit in doing so. Therefore, SK in the memory storage unit MEM 310 does not need to be protected. However, if the lifetime of a secret key is longer than the lifetime of the SK, the cost of obtaining that secret key (illegally) may be less than the profit from it. In this case it would be worthwhile to obtain such a key from the memory storage unit MEM 310. Ideally, therefore, the memory storage unit MEM 310 will not store secrets having a lifetime longer than that of SK.
The channel used by the CS (not shown) to distribute SK to the various subscriber units is considered insecure. Thus, when distributing a given SK, the CS wishes to use a technique that hides the SK values from non-subscribing users. In addition, the CS must distribute SK to each of a large number of potential subscribers, for processing in the respective ME, within a fairly short time frame. Known secure key-delivery methods are slow, require the delivery of a large number of keys, and are generally not feasible under these requirements. The exemplary embodiment is a feasible way to distribute decryption keys to a large group of subscribers in a small time frame, in such a way that non-subscribers cannot obtain the decryption keys.
In an example embodiment, the MS 300 supports HSBS in a wireless communication system. To gain access to the HSBS, the user must register and then subscribe to the service. Once the subscription is initiated, the various keys are periodically updated. During the registration process, the CS and UIM 308 agree on a Registration Key (RK) that is a security association between the user and the CS. The CS may then send the UIM further secret information encrypted with the RK. The RK is kept as a secret in the UIM 308 and is unique to a given UIM, i.e., different RKs are assigned to individual users. The registration process alone does not provide the user with access to the HSBS. After registration, the user subscribes to the service, as described above. During the subscription process, the CS sends the value of the common Broadcast Access Key (BAK) to the UIM 308. The CS sends the MS 300, and in particular UIM 308, the value of BAK encrypted using the RK unique to UIM 308. UIM 308 is capable of recovering the original BAK value from the version encrypted using the RK. BAK serves as a security association between the CS and the group of subscribers. The CS then broadcasts data referred to as SK information (SKI), which is combined with the BAK in the UIM 308 to derive the SK. The UIM 308 then passes the SK to the ME 306. In this way, the CS can efficiently distribute new values of SK to the MEs of subscribers.
The following paragraphs discuss the registration process in more detail. When a user registers with a given CS, UIM 308 and the CS (not shown) set up a security association, i.e., the UIM 308 and the CS agree on a secret key RK. The RK is unique to each UIM 308, although if a user has multiple UIMs, these UIMs may share the same RK according to the policy of the CS. This registration may occur when the user signs up for a broadcast channel provided by the CS, or may occur prior to the sign-up. A single CS may provide multiple broadcast channels. The CS may choose to associate a user with all channels using the same RK, or require the user to register for each channel and associate the same user with different RKs on different channels. Multiple CSs may choose to use the same registration key or require the user to register and obtain a different RK for each CS.
Two common scenarios for setting up such security associations are the Authentication Key Agreement (AKA) method (as used in 3GPP) and the Internet Key Exchange (IKE) method as used in IPsec. In either case, the UIM memory storage unit SUMU 314 includes a secret key referred to as the A-key. The AKA method is described as an example. In the AKA method, the A-key is a secret known only to the UIM and to a Trusted Third Party (TTP), which may comprise more than one entity. In general, the TTP is the mobile service provider with which the user is registered. All communications between the CS and the TTP are secure, and the CS trusts that the TTP will not facilitate unauthorized access to the broadcast service. When the user registers, the CS informs the TTP that the user wishes to register for the service and provides authentication of the user's request. The TTP computes the RK from the A-key and additional data, referred to as Registration Key Information (RKI), using a function (similar to a cryptographic hash function). The TTP passes the RK, the RKI, and other data not relevant to this disclosure to the CS over a secure channel. The CS sends the RKI to the MS 300. The receive circuitry 304 passes the RKI to the UIM 308 and possibly to the ME 306. The UIM 308 calculates the RK from the RKI and the A-key stored in the UIM memory storage unit SUMU 314. The RK is stored in UIM memory storage unit SUMU 314 and is not provided directly to ME 306. Alternate embodiments may use the IKE scenario or some other method to establish the RK. The RK serves as a security association between the CS and the UIM 308.
In the AKA method, RK is a shared secret between the CS, the UIM and the TTP. Thus, as used herein, the AKA method implies that any security association between the CS and the UIM includes the TTP. Because the CS trusts the TTP not to help unauthorized access to the broadcast channel, the TTP is not considered a security breach in any security association. As described above, if a key is shared with ME 306, the key must be changed often. This is due to the risk that non-subscribers access the information stored in the memory storage unit MEM 310 and thereby gain access to controlled or partially controlled services. The ME 306 stores SK (the key information for decrypting broadcast content) in the memory storage unit MEM 310. The CS must send enough information for the user to compute the SK. If the ME 306 of a subscriber could compute SK from this information alone, without any other secret, then the ME 306 of a non-subscriber could also compute SK from the same information. Therefore, the SK value must be calculated in the SUPU 316 using a secret key shared by the CS and SUMU 314. The CS and SUMU 314 share an RK value; however, each user has a unique RK value. There is not enough time for the CS to encrypt the SK with each RK value and to send these encrypted values to each subscriber. Some other technique is required.
The following paragraphs discuss the subscription process in detail. To ensure efficient distribution of the security information SK, the CS periodically distributes a common Broadcast Access Key (BAK) to the UIM 308 of each subscribing user. For each subscriber, the CS encrypts the BAK using the corresponding RK to get a value called BAKI (BAK information). The CS sends the corresponding BAKI to the MS 300 of the subscriber. For example, BAK may be sent as an IP packet encrypted using the RK corresponding to each MS. In an example embodiment, the BAKI is an IPsec packet that contains BAK encrypted using RK as the key. Since RK is a per-user key, the CS must send BAK to each subscriber individually; thus, BAK is not transmitted on the broadcast channel. MS 300 passes the BAKI to UIM 308. SUPU 316 uses the RK value stored in SUMU 314 to compute BAK from BAKI. The value of BAK is then stored in SUMU 314. In an example embodiment, the BAKI includes a Security Parameter Index (SPI) value that instructs the MS 300 to pass the BAKI to the UIM 308 and instructs the UIM 308 to decrypt the BAKI using the RK.
The period between BAK updates is long enough to allow the CS to send the BAK individually to each subscriber without significant overhead. Since the untrusted ME 306 cannot keep a secret for a long time, the UIM 308 does not provide the BAK to the ME 306. BAK functions as a security association between the CS and the subscriber group of the HSBS service.
The following paragraphs discuss how the SK is updated after a successful subscription process. Within each BAK update period, a short-term time interval is provided during which the SK is distributed over the broadcast channel. The CS uses a cryptographic function to determine both the SK and SKI (SK information) values, such that SK can be determined from BAK and SKI. For example, SKI may be the SK encrypted using BAK as the key. In an example embodiment, SKI is an IPsec packet that includes SK encrypted using BAK as the key. Alternatively, SK may be the result of applying a cryptographic hash function to the concatenation of the blocks SKI and BAK.
Some portions of SKI may be predictable. For example, a portion of SKI may be derived from the system time period during which the SKI is valid. It is not necessary that this portion, denoted SKI_A, be transmitted to MS 300 as part of the broadcast service. The remainder of SKI, SKI_B, may be unpredictable, and SKI_B must be transmitted to MS 300 as part of the broadcast service. MS 300 reconstructs SKI from SKI_A and SKI_B and provides SKI to UIM 308; alternatively, the SKI may be reconstructed in UIM 308. For each new SK, the value of SKI must change; thus, when a new SK is computed, SKI_A and/or SKI_B must change. The CS transmits SKI_B to the BS for broadcast transmission. The BS broadcasts SKI_B, which is detected by antenna 302 and passed to receive circuitry 304. The receive circuitry 304 provides SKI_B to the MS 300, where the MS 300 reconstructs SKI. MS 300 provides SKI to UIM 308, where UIM 308 derives SK using the BAK stored in SUMU 314. The UIM 308 then provides the SK to the ME 306. ME 306 stores SK in memory storage unit MEM 310. The ME 306 decrypts the broadcast transmissions received from the CS using the SK.
In an example embodiment, the SKI also includes a Security Parameter Index (SPI) value that instructs the MS 300 to pass the SKI to the UIM 308 and instructs the UIM 308 to decrypt the SKI using the BAK. After decryption, the UIM 308 passes the SK to the ME 306, where the ME 306 decrypts the broadcast content using the SK.
The CS and BS agree on criteria for when SKI_B is sent. The CS may wish to reduce the intrinsic monetary value of each SK by changing the SK frequently. In this case, the need to change the SKI_B data is balanced against the available bandwidth. SKI_B may be transmitted on a channel other than the broadcast channel. When the user "tunes" to the broadcast channel, the receive circuitry 304 obtains the information needed to locate the broadcast channel from the "control channel". It may be desirable to allow fast access when a user "tunes" to a broadcast channel, which requires ME 306 to obtain SKI in a short amount of time. The ME 306 already knows SKI_A, so the BS must provide SKI_B to the MS 300 within this short amount of time. For example, the BS may frequently transmit SKI_B on the control channel (along with the information used to find the broadcast channel), or frequently transmit SKI_B on the broadcast channel. The more frequently the BS "refreshes" the value of SKI_B, the faster the MS 300 can access the broadcast message. The need to refresh the SKI_B data is balanced against the available bandwidth, since sending SKI_B too frequently may consume an unacceptable amount of bandwidth on the control channel and the broadcast channel.
This paragraph discusses encryption and transmission of broadcast content. The CS encrypts the broadcast content using the current SK. The exemplary embodiment uses an encryption algorithm such as the Advanced Encryption Standard (AES) cipher. In an example embodiment, the encrypted content is then transmitted in IPsec packets according to the Encapsulating Security Payload (ESP) transport mode. The IPsec packet also includes an SPI value that instructs ME 306 to decrypt the received broadcast content using the current SK. The encrypted content is transmitted over the broadcast channel.
Receive circuitry 304 provides RKI and BAKI directly to UIM 308. In addition, receive circuitry 304 provides SKI_B to the appropriate portion of MS 300, where it is combined with SKI_A to obtain SKI. The SKI is provided to UIM 308 by the relevant parts of MS 300. UIM 308 computes RK from RKI and the A-key, decrypts the BAKI using RK to obtain BAK, and computes SK from SKI and BAK for use by ME 306. The ME 306 decrypts the broadcast content using the SK. The UIM 308 of the exemplary embodiment does not have sufficient capability to decrypt the broadcast content in real time, and therefore passes the SK to the ME 306 to decrypt the broadcast content.
FIG. 5 illustrates the transmission and processing of keys RK, BAK, and SK according to an example embodiment. As shown, upon registration, MS 300 receives the RKI and passes it to UIM 308, where SUPU 316 calculates the RK using the RKI and the A-key and stores the RK in UIM memory SUMU 314. The MS 300 periodically receives the BAKI, which contains BAK encrypted using the RK value specific to UIM 308. The encrypted BAKI is decrypted by SUPU 316 to recover the BAK, which is stored in UIM memory SUMU 314. The MS 300 further periodically receives SKI_B, which is combined with SKI_A to form SKI. SUPU 316 calculates SK from SKI and BAK. The SK is provided to the ME 306 for decrypting the broadcast content.
In an example embodiment, it is not necessary for the CS to encrypt the key itself and send it to the MS; the CS may use another method. The key information generated by the CS for transmission to each MS provides sufficient information for the MS to calculate the key. As shown in the system 350 of FIG. 6, the RK is generated by the CS, but RK information (RKI) is what is sent to the MS. The information sent by the CS is sufficient for the UIM to derive the RK, where the RK is derived from the information sent by the CS using a predetermined function. The RKI includes sufficient information for the MS to determine the original RK from the A-key and other values such as the system time, using a predetermined common function referenced as d1, where:
RK = d1(A-key, RKI) (3)
In the exemplary embodiment, function d1 is a cryptographic-type function. According to one embodiment, the RK is determined as:
RK = SHA'(A-key || RKI) (4)
where "||" represents the concatenation of the blocks containing the A-key and RKI, and SHA'(X) represents the last 128 bits of the output of the secure hash algorithm SHA-1 given input X. In further embodiments, the RK is determined as:
RK = AES(A-key, RKI) (5)
where AES(X, Y) denotes the encryption of the 128-bit block Y (here RKI) using the 128-bit key X (here the A-key). In yet another embodiment according to the AKA protocol, RK is determined as the output of the 3GPP key generation function f3, where RKI comprises the RAND value and suitable values of AMF and SQN as defined by the standard.
BAK is handled differently because multiple users with different RK values must compute the same BAK value. The CS may determine the BAK using any technique. However, the value of the BAKI associated with a particular UIM 308 must be an encryption of the BAK under the unique RK associated with that UIM 308. SUPU 316 decrypts the BAKI using the RK stored in SUMU 314 with a function referenced as d2, according to:
BAK = d2(BAKI, RK) (9)
In further embodiments, the CS may compute the BAKI by applying a decryption process to the BAK using the RK, and the SUPU 316 then derives the BAK by applying an encryption process to the BAKI using the RK. This may be considered equivalent to the CS encrypting BAK and the SUPU 316 decrypting BAKI. Further embodiments may implement any number of key combinations in addition to or instead of those shown in fig. 6.
SK is processed in a manner similar to RK. First, SKI is obtained from SKI_A and SKI_B (SKI_B is the information transmitted from the CS to the MS). SK is then derived from SKI and BAK (stored in SUMU 314) using a predetermined function referenced as d3, according to:
SK = d3(BAK, SKI) (6)
In one embodiment, function d3 is a cryptographic-type function, and in the exemplary embodiment, SK is calculated as:
SK = SHA(BAK || SKI) (7)
In yet another embodiment, SK is calculated as:
SK = AES(BAK || SKI) (8)
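The three-level key hierarchy described in the registration, subscription and SK-update paragraphs above and in equations (3) through (9), as an added example that is not code from the patent or from Qualcomm. It assumes d1 is SHA' (the last 128 bits of SHA-1, equation (4)), d3 is SHA-1 over BAK || SKI truncated to 128 bits (equation (7)), and, because no AES library is assumed to be available, uses a constructed HMAC-SHA-256 counter-mode keystream in place of the AES / IPsec ESP encryption the text names for BAKI and for the broadcast content. The A-key, RKI, BAK, SKI_B and content are constructed sample values. Besides the derivations themselves, it shows the trust boundary of fig. 4: only the short-term SK crosses from the UIM into the ME's memory, and a listener who sees RKI, SKI_B and the encrypted broadcast but holds no BAK recovers nothing.

```python
"""Simulated RK -> BAK -> SK key hierarchy (added example, not patent code).

Assumptions: d1 = SHA'(A-key || RKI) (last 128 bits of SHA-1); d3 = SHA(BAK ||
SKI) truncated to 128 bits with SKI = SKI_A || SKI_B; d2 and the content cipher
use a constructed HMAC-SHA-256 counter-mode keystream standing in for the
AES / IPsec ESP encryption the text names. All key and content values are
constructed sample values.
"""
import hashlib
import hmac
import os
import struct


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES (assumption): XOR data with an HMAC-SHA-256 CTR keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", off // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt under a fresh nonce; used for BAKI (key RK) and for EBC (key SK)."""
    nonce = os.urandom(8)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, ciphertext: bytes) -> bytes:
    """Inverse of seal(): the first 8 bytes are the nonce."""
    return keystream_xor(key, ciphertext[:8], ciphertext[8:])


def derive_rk(a_key: bytes, rki: bytes) -> bytes:
    """d1: RK = SHA'(A-key || RKI), the last 128 bits of SHA-1 (equation (4))."""
    return hashlib.sha1(a_key + rki).digest()[-16:]


def ski_a(period: int) -> bytes:
    """Predictable part of SKI, derived from the system time period; never sent."""
    return struct.pack(">Q", period)


def derive_sk(bak: bytes, period: int, ski_b: bytes) -> bytes:
    """d3: SK = SHA(BAK || SKI) with SKI = SKI_A || SKI_B (equation (7))."""
    return hashlib.sha1(bak + ski_a(period) + ski_b).digest()[:16]


class UIM:
    """Secure element: SUMU holds the A-key, RK and BAK; SUPU runs d1, d2, d3."""

    def __init__(self, a_key: bytes):
        self._sumu = {"a_key": a_key}            # contents never leave the UIM

    def register(self, rki: bytes) -> None:      # RKI arrives in the clear
        self._sumu["rk"] = derive_rk(self._sumu["a_key"], rki)

    def subscribe(self, baki: bytes) -> None:    # BAKI = BAK encrypted under RK
        self._sumu["bak"] = unseal(self._sumu["rk"], baki)

    def sk_for_me(self, period: int, ski_b: bytes) -> bytes:
        """The only secret handed to the insecure ME is the short-term SK."""
        return derive_sk(self._sumu["bak"], period, ski_b)


class ME:
    """Insecure mobile equipment: MEM holds only the short-lived SK."""

    def __init__(self):
        self.mem = {}

    def decrypt(self, ebc: bytes) -> bytes:
        return unseal(self.mem["sk"], ebc)


def run_session(period: int = 7) -> dict:
    """Registration, subscription and one SK delivery for a subscriber and an
    outsider who hears the same RKI, SKI_B and EBC but holds no BAK."""
    a_key = os.urandom(16)                       # shared by UIM and TTP (constructed)
    rki, bak, ski_b = os.urandom(16), os.urandom(16), os.urandom(8)
    bc = b"constructed broadcast content"

    rk_cs = derive_rk(a_key, rki)                # TTP/CS side of registration
    uim = UIM(a_key)
    uim.register(rki)
    uim.subscribe(seal(rk_cs, bak))              # BAKI sent to this subscriber only

    ebc = seal(derive_sk(bak, period, ski_b), bc)    # SKI_B and EBC are broadcast
    me = ME()
    me.mem["sk"] = uim.sk_for_me(period, ski_b)
    outsider = ME()
    outsider.mem["sk"] = derive_sk(os.urandom(16), period, ski_b)  # guessed BAK
    return {
        "subscriber": me.decrypt(ebc),
        "outsider": outsider.decrypt(ebc),
        "sk_matches_cs": me.mem["sk"] == derive_sk(bak, period, ski_b),
        "me_holds_bak": "bak" in me.mem,
    }
```

`run_session()` returns what each party recovered; the subscriber's ME gets the plaintext while the outsider gets noise, and the ME's memory never contains BAK or RK, which is the property that lets MEM 310 go unprotected. The keystream stand-in provides confidentiality only; the IPsec ESP encapsulation the text uses also carries the SPI that routes BAKI to the UIM and SKI to the BAK-decryption path, and in practice an integrity check as well.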
One method of providing security for broadcast messages is shown in figs. 7A-7D. Fig. 7A illustrates a registration process 400 in which a subscriber negotiates a registration with a CS at step 402. At step 404, the registration provides the UIM with a unique RK. At step 406, the UIM stores the RK in a secure memory storage unit (SUMU). Fig. 7B illustrates a subscription procedure between the CS and the MS. At step 422, the CS generates BAK for the BAK time period T1. BAK is valid for the entire BAK time period T1 and is updated periodically. At step 424, the CS authorizes the UIM to access Broadcast Content (BC) during BAK time period T1. At step 426, the CS encrypts the BAK using each subscriber's individual RK. The encrypted BAK is called BAKI. The CS then sends the BAKI to the UIM at step 428. At step 430, the UIM receives the BAKI and decrypts it using the RK. Decrypting the BAKI yields the originally generated BAK. At step 432, the UIM stores BAK in SUMU. The UIM then receives the broadcast session and is able to decrypt the Encrypted Broadcast (EBC) using the BAK to access the BC.
Fig. 7C illustrates a method of updating a key for secure encryption in a wireless communication system supporting a broadcast service. Method 440 implements the time periods given in fig. 7E. BAK, with time period T1, is updated periodically: a timer t1 is started when BAK is calculated and expires when T1 has elapsed. A variable referred to as SK_RAND is used to compute SK and is updated periodically with time period T2: a timer t2 is started when SK_RAND is generated and expires when T2 has elapsed. In one embodiment, the SK, with time period T3, is further updated periodically: a timer t3 is started when each SK is generated and expires when T3 has elapsed. The SK_RAND is generated at the CS and provided to the MS periodically. The MS and CS use the SK_RAND to generate SK, as described in detail below.
The first timer t1 is reset when the applicable value of BAK is updated. The length of time between two BAK updates is the BAK update period. In an example embodiment, the BAK update period is a month, however, alternate embodiments may implement any period of time required for the system to operate optimally or to meet various system standards.
With continued reference to fig. 7C, at step 442 the method 440 starts timer t2 to begin the SK_RAND time period T2. At step 444, the CS generates SK_RAND and provides the value to the transmit circuitry for transmission throughout the system. Timer t3 is started at step 446 to begin the SK time period T3. The CS then encrypts the BC using the current SK at step 448. The encrypted product is the EBC, which the CS provides to the transmit circuitry for transmission in the system. If timer t2 has expired at decision block 450, processing returns to step 442. While t2 is less than T2, if timer t3 has expired at decision block 452, processing returns to step 446; otherwise processing returns to decision block 450.
Fig. 7D illustrates the operation of the MS accessing the broadcast service. At step 462, method 460 first synchronizes timers t2 and t3 with the values at the CS. At step 464, the UIM of the MS receives the SK_RAND generated by the CS. At step 466, the UIM generates SK using SK_RAND, BAK, and time measurements. The UIM passes the SK to the ME of the MS. The ME then decrypts the received EBC using SK to obtain the original BC at step 468. When timer t2 expires at step 470, processing returns to step 462. While t2 is less than T2, if timer t3 expires at step 472, timer t3 is restarted at step 474 and processing returns to step 466.
When the user signs up for a broadcast service for a particular BAK update period, the CS sends the appropriate information BAKI (corresponding to the BAK encrypted with the RK). This typically occurs before the beginning of this BAK update period, or when the MS first tunes to a broadcast channel during the BAK update period. This may be initiated by the MS or CS according to a variety of criteria. Multiple BAKI may be sent and decrypted simultaneously.
Note that when expiration of the BAK update period is imminent, the MS may request an updated BAK from the CS if the MS has signed up for the next BAK update period. In a further embodiment, the CS sends the BAK upon expiration of the first timer t1, i.e., when the BAK update period has elapsed.
Note that it is possible for a user to receive BAK during a BAK update period, where, for example, a subscribing user joins a business in the middle of a month when a BAK update is performed monthly. Furthermore, the time periods of BAK and SK updates may be synchronized so that all subscribers are updated at a given time.
Fig. 8A illustrates a registration process in a wireless communication system 500, according to an example embodiment. The CS 502 negotiates with each subscriber, i.e., the MS 512, to generate a specific RK for each subscriber. The RK is provided to the SUMU in the UIM of each MS. As shown, CS 502 generates RK1, which is stored in SUMU1 510 of UIM1 512. Similarly, CS 502 generates RK2 and RKN and stores them in SUMU2 520 of UIM2 522 and SUMUN 530 of UIMN 532, respectively.
Fig. 8B illustrates a subscription process in system 500. The CS 502 further includes a plurality of encoders 504. Each of the encoders 504 receives one of the unique RKs and the BAK value generated in the CS 502. The output of each encoder 504 is a BAKI that is specifically encoded for the subscribing user. The UIM at each MS (such as UIM1 512) receives the BAKI. Each UIM includes a SUPU and a SUMU, such as SUPU1 514 and SUMU1 510 of UIM1 512. The SUPU includes a decoder, such as decoder 516, that reproduces the BAK by applying the RK of the UIM. The process is repeated at each subscriber.
Key management and updating is shown in fig. 8C, where the CS applies a function 508 to generate a value of SK_RAND used to compute SK, which is a temporary value used by the CS and MS. In particular, function 508 applies the BAK value, SK_RAND and a time factor. While the embodiment illustrated in FIG. 8C applies a timer to determine when to update SK, further embodiments may use other measures to provide periodic updates, e.g., the occurrence of errors or other events. The CS provides the SK_RAND value to each subscriber, where function 518 residing in each UIM applies the same function as function 508 of the CS. Function 518 operates on SK_RAND, BAK, and the timer value to produce SK, which is stored in a memory location in the ME (such as MEM1 542 of ME1 540).
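The timer-driven schedule of figs. 7C-7E together with the function 508/518 just described, as an added example that is not code from the patent or from Qualcomm. It assumes the three periods are whole seconds counted from an epoch shared by the CS and the MS (the synchronization of step 462), and takes function 508/518 to be SHA-1 over BAK, SK_RAND and the index of the current T3 period, truncated to 128 bits; that is one way of combining BAK, SK_RAND and a time factor and is an assumption, as are the period lengths and the seeded random key values. It shows SK changing at every T3 while SK_RAND changes only at every T2, and an MS that subscribed for a single BAK period being unable to derive SK once T1 has elapsed, which is why the BAKI for the next period must arrive before then.

```python
"""Timer-driven key schedule for BAK (period T1), SK_RAND (T2) and SK (T3).

Added example, not code from the patent or from Qualcomm. Assumptions: periods
are whole seconds from a shared epoch with MS and CS timers synchronized;
function 508/518 is taken to be SHA-1(BAK || SK_RAND || T3-index)[:16];
period lengths and key values are constructed.
"""
import hashlib
import random
import struct
from typing import Dict, List, Optional

T1 = 30 * 24 * 3600   # BAK update period; the text's example is a month
T2 = 600              # SK_RAND period (constructed)
T3 = 60               # SK period (constructed); T3 < T2 < T1


def period_index(t: int, period: int) -> int:
    """Which period an instant t falls into; CS and MS must agree on this."""
    return t // period


def derive_sk(bak: bytes, sk_rand: bytes, t3_index: int) -> bytes:
    """Assumed form of function 508/518: SK from BAK, SK_RAND and the time factor."""
    return hashlib.sha1(bak + sk_rand + struct.pack(">Q", t3_index)).digest()[:16]


class ContentServer:
    """CS side: one BAK per T1 period and one SK_RAND per T2 period."""

    def __init__(self, seed: int = 0):
        self._rng = random.Random(seed)          # seeded so runs are reproducible
        self._bak: Dict[int, bytes] = {}
        self._sk_rand: Dict[int, bytes] = {}

    def _fresh(self) -> bytes:
        return bytes(self._rng.getrandbits(8) for _ in range(16))

    def bak_for(self, t: int) -> bytes:
        idx = period_index(t, T1)
        if idx not in self._bak:                 # timer t1 expired: new BAK
            self._bak[idx] = self._fresh()
        return self._bak[idx]

    def sk_rand_for(self, t: int) -> bytes:
        idx = period_index(t, T2)
        if idx not in self._sk_rand:             # timer t2 expired: new SK_RAND
            self._sk_rand[idx] = self._fresh()
        return self._sk_rand[idx]

    def sk_for(self, t: int) -> bytes:
        """Step 448 input: the SK used to encrypt BC at instant t."""
        return derive_sk(self.bak_for(t), self.sk_rand_for(t), period_index(t, T3))


class MobileStation:
    """MS side: the UIM holds BAKs only for the T1 periods it subscribed to."""

    def __init__(self):
        self._sumu_bak: Dict[int, bytes] = {}

    def subscribe(self, t1_index: int, bak: bytes) -> None:
        self._sumu_bak[t1_index] = bak           # arrives as BAKI, decrypted in the UIM

    def sk_for(self, t: int, sk_rand: bytes) -> Optional[bytes]:
        """Step 466: SK from SK_RAND, BAK and the time measurement, or None if
        the MS holds no BAK for the current BAK period."""
        bak = self._sumu_bak.get(period_index(t, T1))
        if bak is None:
            return None
        return derive_sk(bak, sk_rand, period_index(t, T3))


def simulate(times: List[int], subscribed_t1: List[int]) -> dict:
    """Run both sides over the given instants and report what the MS could derive."""
    cs = ContentServer()
    ms = MobileStation()
    for idx in subscribed_t1:
        ms.subscribe(idx, cs.bak_for(idx * T1))
    matches, sks, sk_rands = [], set(), set()
    for t in times:
        sk_rand = cs.sk_rand_for(t)              # broadcast once per T2 period
        matches.append(ms.sk_for(t, sk_rand) == cs.sk_for(t))
        sks.add(cs.sk_for(t))
        sk_rands.add(sk_rand)
    return {"matches": matches, "distinct_sk": len(sks),
            "distinct_sk_rand": len(sk_rands)}
```

`simulate([0, 30, 60, 600, T1 + 5], [0])` reports that the MS matched the CS at the first four instants but not at the fifth, that the CS used a different SK at 0, 60 and 600 but the same one at 0 and 30, and that only two SK_RAND values were broadcast in that span; the SK_RAND period is what bounds how much traffic a leaked SK unlocks without requiring a broadcast of new data every T3.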
Fig. 8D illustrates BC processing after registration and subscription. The CS 502 includes an encoder 560 that encodes the BC using the current SK to produce the EBC. The EBC is then sent to the subscribers. Each MS includes a decoder, such as decoder 544, which uses SK to recover the BC from the EBC.
While the present invention has been described with respect to an exemplary embodiment of a wireless communication system supporting a one-way broadcast service, the encryption method and key management described above may be further applied to other data processing systems, including multicast-type broadcast systems. Still further, the present invention may be applied to any data processing system in which multiple subscribers access a single transmitted secure message over an unsecured channel.
Those of skill in the art would understand that information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced throughout the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The various illustrative logical blocks, modules, and circuits described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (18)

1. A method for secure transmission, the method comprising the steps of:
determining a registration key specific to a mobile station participating in the transmission;
determining a first key;
encrypting the first key with the registration key;
transmitting the encrypted first key to the mobile station participating in the transmission;
determining a second key, the second key for decryption of content on a broadcast channel;
encrypting the second key with the first key;
encrypting a broadcast stream of information with the second key;
transmitting the encrypted second key and the broadcast stream of encrypted information;
updating the first key after a first time period has elapsed; and
updating the second key after a second time period has elapsed, wherein the second key is determined based on two parts, a first part being the first key and a second part comprising a part known to the mobile station participating in the transmission and a part transmitted on the broadcast channel, wherein the first part and the second part are concatenated using a cryptographic hash function to determine the second key, and wherein the second time period is less than the first time period.
2. The method of claim 1, wherein updating the first key further comprises the steps of:
the updated first key is encrypted with the registration key.
3. The method of claim 1, wherein the broadcast stream of information comprises video information.
4. The method of claim 1, wherein the broadcast stream of information comprises internet protocol packets.
5. The method of claim 2, further comprising the steps of:
calculating registration key information; and
the registration key information is transmitted to enable calculation of the registration key from the registration key information and a secret key.
6. The method of claim 5, further comprising the steps of:
calculating first key information including the updated and encrypted first key; and
wherein transmitting the encrypted first key includes transmitting the first key information.
7. The method of claim 6, further comprising the steps of:
calculating second key information including the updated and encrypted second key; and
wherein transmitting the encrypted second key includes transmitting the second key information.
8. A method for securely receiving a transmission, the method comprising the steps of:
receiving a registration key specific to a mobile station participating in the transmission;
receiving a first key encrypted with the registration key;
decrypting the first key with the registration key;
receiving an encrypted second key, the second key for decrypting content on the broadcast channel;
decrypting a second key with the first key;
receiving a broadcast stream of encrypted information;
decrypting a broadcast stream of information using the second key;
receiving an updated first key after a first time period has elapsed; and
determining an updated second key after a second time period has elapsed, wherein the second key is determined based on two parts, a first part being the first key and a second part comprising a part known to the mobile station participating in the transmission and a part transmitted on the broadcast channel, wherein the first part and the second part are concatenated using a cryptographic hash function to determine the second key, and wherein the second time period is less than the first time period.
9. The method of claim 8, further comprising the steps of:
storing the first key in a secure memory storage unit; and
storing the second key in a memory storage unit.
10. The method of claim 8, wherein:
the step of receiving an encrypted first key comprises receiving first key information comprising an updated and encrypted first key; and
the step of receiving an encrypted second key comprises receiving second key information comprising an updated and encrypted second key.
11. An infrastructure element in a wireless communication system supporting a broadcast service option, comprising:
receiving circuitry for receiving a registration key specific to a mobile station participating in a transmission, receiving a broadcast access key encrypted with the registration key, receiving an encrypted short-time key for decryption of content on a broadcast channel, receiving a broadcast stream of encrypted information, receiving an updated broadcast access key after a first time period has elapsed and receiving a second portion for updating the short-time key after a second time period has elapsed, wherein the second time period is less than the first time period;
a subscriber identification unit operable to render an updated short-time key for decrypting broadcast messages, wherein the short-time key is determined based on two parts, a first part being the broadcast access key and a second part containing a part known to the mobile stations participating in the transmission and a part transmitted on the broadcast channel, and wherein the first part and the second part are concatenated using a cryptographic hash function to determine the short-time key, the subscriber identification unit comprising:
a processing unit operable to decrypt a broadcast access key with the registration key and to decrypt a short-time key with the broadcast access key;
a memory storage unit for storing the registration key and the broadcast access key; and
a mobile device unit adapted to decrypt the broadcast message using the short-time key.
12. The infrastructure element of claim 11, wherein the short-time key is processed by the subscriber identification unit and communicated to the mobile device unit.
13. The infrastructure element of claim 11, wherein the memory storage unit is a secure memory storage unit.
14. The infrastructure element of claim 11, wherein the short-time key is updated at the first time period.
15. The infrastructure element of claim 14, wherein the broadcast access key is updated at the second time period.
16. The infrastructure element of claim 11, wherein the broadcast service option is a video service.
17. A wireless communication system, comprising:
means for determining a registration key specific to a mobile station participating in the transmission;
means for determining a first key;
means for encrypting the first key with the registration key;
means for transmitting an encrypted first key to the mobile station participating in the transmission;
means for determining a second key for decrypting content on a broadcast channel;
means for encrypting the second key with the first key;
means for encrypting a broadcast stream of information with the second key;
means for transmitting the encrypted second key and the broadcast stream of encrypted information;
means for updating the first key after a first time period has elapsed; and
means for updating the second key after a second time period has elapsed, wherein the second key is determined based on two parts, a first part being the first key and a second part comprising a part known to the mobile station participating in the transmission and a part transmitted on the broadcast channel, wherein the first part and the second part are concatenated using a cryptographic hash function to determine the second key, and wherein the second time period is less than the first time period.
18. An infrastructure element comprising:
means for receiving a registration key specific to a mobile station participating in the transmission;
means for receiving a first key encrypted with the registration key;
means for decrypting a first key with the registration key;
means for receiving an encrypted second key, the second key for decrypting content on the broadcast channel;
means for decrypting a second key with the first key;
means for receiving a broadcast stream of encrypted information;
means for decrypting a broadcast stream of information using the second key;
means for receiving an updated first key after a first time period has elapsed; and
means for determining an updated second key after a second time period has elapsed, wherein the second key is determined based on two parts, a first part being the first key and a second part comprising a part known to the mobile station participating in the transmission and a part transmitted on the broadcast channel, wherein the first part and the second part are concatenated using a cryptographic hash function to determine the second key, and wherein the second time period is less than the first time period.
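As an added illustration (not code from the patent or from the assignee), the following Python model walks through the key hierarchy the claims describe from both the infrastructure and the mobile side: a registration key computed on both ends from a secret key and registration key information (claim 5), a first key (broadcast access key, BAK) unicast encrypted under it, a second key (short-time key, SK) sent encrypted under the BAK and afterwards re-derived by hashing the BAK concatenated with a part known to the mobile and a part sent on the broadcast channel, and a BAK refresh period longer than the SK refresh period. The cipher (a SHA-256 counter keystream standing in for a real stream cipher) and every key and data value are assumptions.

```python
"""Toy model of the claimed key hierarchy (assumptions: SHA-256-CTR XOR stands in
for a real cipher; all key material and data are constructed sample values)."""
import hashlib
import hmac


def derive_rk(secret_key: bytes, rk_info: bytes) -> bytes:
    """Registration key from the mobile's secret key and transmitted RK info (claim 5)."""
    return hmac.new(secret_key, rk_info, hashlib.sha256).digest()


def xor_crypt(key: bytes, label: bytes, data: bytes) -> bytes:
    """Symmetric encrypt/decrypt with a SHA-256 counter keystream; label must never repeat per key."""
    ks = b"".join(hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def derive_sk(bak: bytes, known_part: bytes, broadcast_part: bytes) -> bytes:
    """SK = H(BAK || part known to the mobile || part sent on the broadcast channel).
    Use fixed-length parts: plain concatenation cannot tell (a,bc) from (ab,c)."""
    return hashlib.sha256(bak + known_part + broadcast_part).digest()


def run_session(bak_period: int = 4, sk_period: int = 1, frames: int = 8):
    """Broadcast `frames` frames; BAK rotates every bak_period frames (first time
    period), SK every sk_period frames (second, shorter period). Returns
    (frames as decrypted by the mobile, BAK updates, SK updates)."""
    assert sk_period < bak_period
    secret_key, rk_info = b"mobile-secret-00", b"rk-info-constructed"
    rk = derive_rk(secret_key, rk_info)          # both ends compute the same RK
    known_part = b"service-7"                    # part already known to the mobile
    received, bak_updates, sk_updates = [], 0, 0
    for t in range(frames):
        if t % bak_period == 0:                  # new BAK, unicast encrypted under RK
            bak = hashlib.sha256(b"bak-epoch-%d" % (t // bak_period)).digest()
            enc_bak = xor_crypt(rk, b"BAK%d" % (t // bak_period), bak)
            mobile_bak = xor_crypt(rk, b"BAK%d" % (t // bak_period), enc_bak)
            bak_updates += 1
        if t % sk_period == 0:
            sk_rand = hashlib.sha256(b"sk-rand-%d" % t).digest()[:8]  # broadcast part
            sk = derive_sk(bak, known_part, sk_rand)
            if t % bak_period == 0:              # first SK of an epoch is sent encrypted under BAK
                mobile_sk = xor_crypt(mobile_bak, b"SK%d" % t, xor_crypt(bak, b"SK%d" % t, sk))
            else:                                # later SKs: mobile derives them itself
                mobile_sk = derive_sk(mobile_bak, known_part, sk_rand)
            sk_updates += 1
        enc_frame = xor_crypt(sk, b"F%d" % t, b"frame-%02d" % t)
        received.append(xor_crypt(mobile_sk, b"F%d" % t, enc_frame))
    return received, bak_updates, sk_updates
```

Because SK updates are derived from the BAK rather than transmitted, a mobile that never received the current BAK cannot reconstruct any SK of that epoch, which is what makes the shorter SK period cheap to operate.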
HK11103738.8A 2001-03-28 2011-04-13 Method and apparatus for security in a data processing system HK1149673B (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US27997001P 2001-03-28 2001-03-28
US60/279,970 2001-03-28
US09/933,972 2001-08-20
US09/933,972 US8121296B2 (en) 2001-03-28 2001-08-20 Method and apparatus for security in a data processing system

Publications (2)

Publication Number Publication Date
HK1149673A1 HK1149673A1 (en) 2011-10-07
HK1149673B true HK1149673B (en) 2014-12-05
