HK1104888B - Method and apparatus for managing traffic keys during a multi-media session - Google Patents
Abstract
The present invention provides methods, apparatuses, and systems for delivering protected multimedia content to a receiving device. Portions of protected multi-media content and associated key information are inserted in a same time slice burst. Multi-media content is processed into a plurality of content datagrams, in which each content datagram is associated with a corresponding component. Key information may be processed as a keystream that is logically separate from the components. A content datagram may be encrypted with an associated key. A receiving device receives the time slice burst with the plurality of content datagrams and associated key datagrams of the keystream. The receiving device consequently decrypts the plurality of content datagrams. Also, key information may be processed as key datagrams that are included with at least one component, in which each component comprises an associated plurality of content datagrams.
Description
Technical Field
The present invention relates to the delivery of protected multimedia content. In particular, the present invention provides an apparatus and method for providing an encryption key with associated content.
Background
Video streaming, data streaming, and broadband digital broadcast programs are prevalent in wireless network applications, such as Internet Protocol (IP) multicast services. To support these wireless applications, wireless broadcast systems simultaneously transmit data content supporting data services to multiple wireless terminals. Digital media content or other data is broadcast via a variety of application protocols, transport protocols, and network protocols. For example, broadcast systems provide IP datacasting in which audio video services are transmitted, whereby MPEG4-AVC video, MPEG4-AAC audio and ancillary data components are packetized and compressed into RTP and/or ALC. The packets are then formatted into UDP and IP and transmitted over MPE in MPEG2-TS format (e.g., DVB-H). In the packet switched domain, a multimedia session refers to one or more session components (audio, video and auxiliary data in the above case) that are logically bound together. The parts of the multimedia session are transmitted during a common start time and end time. However, in a broadcast environment, all receivers capable of receiving broadcast signals may receive data carried by the broadcast signals. It is important that the content vendor limits access to the multimedia content so that only authorized receivers can display the multimedia content to the user.
To enhance revenue collection, users are typically allowed access to premium multimedia services only when the user subscribes to the service or purchases the service (e.g., pay per view). However, if the content vendor does not actively control access, the user may access the content without payment if the protection mechanism is overridden.
What is needed is an apparatus, method and system that provides sufficient control steps to effectively limit access to multimedia content.
Disclosure of Invention
In one aspect of the invention, methods, apparatuses and systems are provided for delivering protected multimedia content to a receiving device. Portions of the protected multimedia content and the associated key information are inserted into the same time slice burst. Accordingly, the key information may be changed frequently while remaining synchronized with the multimedia content. In one embodiment of the present invention, a communication system transmits time slice bursts from a transmitting apparatus to a receiving device, the communication system including a DVB-H system, a DVB-T system, an ATSC system, and an ISDB-T system.
In one aspect of the invention, multimedia content is split into multiple components. Multimedia content is processed into a plurality of content datagrams, where each datagram is associated with a respective component. Although the key information is inserted into the same time slice burst as the associated multimedia content, the key information is processed into at least one keystream that is logically independent of the components. The keystream includes a plurality of key datagrams, each key datagram containing a key associated with at least one content datagram. The content datagram may be encrypted with an associated key. A receiving device receives a time slice burst containing a plurality of content datagrams and the associated key datagrams of at least one keystream. The receiving device thereby decrypts the plurality of content datagrams.
According to another aspect of the present invention, key information is processed into a key datagram that is included in at least one component. Each component includes a plurality of associated content datagrams. The content datagram may be encrypted with an associated key.
According to another aspect of the invention, the static security data is transmitted to the receiving device by transmitting the static security data separately from the time slice bursts carrying the content information and associated key information. In one embodiment of the invention, a transmitting device transmits static security data in an Electronic Service Guide (ESG).
According to another aspect of the invention, key datagrams have a higher priority than content datagrams. Thus, the receiving device may process the key datagram to extract the key before the associated content datagram is sent to the message stack and decrypted.
According to another aspect of the invention, the key is encrypted at an encryption level. The encrypted key may be further encrypted with an additional level of encryption. The receiving device processes the encrypted key to obtain a decrypted key. Subsequently, the receiving apparatus decrypts the received content using the decrypted key.
According to another aspect of the invention, a new security plug-in software module is configured at the receiving device to replace the existing security plug-in software module. In one embodiment of the invention, the new security plug-in software module is configured as an installation package, which is encrypted as a protected message. The receiving device receives the protected message over a communication channel. The receiving device decrypts the protected message to obtain the installation package. The new security plug-in software module is then installed by executing the installation package.
According to one aspect of the present invention there is provided a method of transmitting data over a communication system during a multimedia session comprising a plurality of media components, comprising: (A) encrypting a first datagram with a first key and including the encrypted first datagram in a first component of the multimedia session, wherein the first datagram contains multimedia content; (B) transmitting the encrypted first datagram of the first component in a time slice burst; and (C) transmitting first key information in the time slice burst, wherein the first key information contains the first key.
According to one aspect of the present invention there is provided an apparatus for transmitting data over a communication system during a multimedia session comprising a plurality of media components, comprising: means for encrypting a first datagram with a first key and including the encrypted first datagram in a first component of the multimedia session, wherein the first datagram contains multimedia content; means for sending the encrypted first datagram of the first component in a time slice burst; and means for sending first key information in the time slice burst, wherein the first key information includes the first key.
According to one aspect of the present invention there is provided a method of receiving data over a communication system during a multimedia session comprising a plurality of media components, comprising: (A) receiving a time slice burst comprising an encrypted first datagram and first key information, the encrypted first datagram being associated with a first component of the multimedia session, the encrypted first datagram comprising multimedia content; (B) determining a first key from the first key information; and (C) decrypting the encrypted first datagram with the first key.
According to one aspect of the present invention there is provided an apparatus for receiving data over a communication system during a multimedia session comprising a plurality of media components, comprising: means for receiving a time slice burst comprising an encrypted first datagram and first key information, the encrypted first datagram being associated with a first component of the multimedia session, the encrypted first datagram comprising multimedia content; a module for determining a first key from the first key information; and means for decrypting the encrypted first datagram with the first key.
According to one aspect of the present invention there is provided a method of transmitting data over a communication system during a multimedia session comprising a plurality of media components, comprising: (A) encrypting a first datagram with a first key and including the encrypted first datagram in a first component of the multimedia session, wherein the first datagram contains multimedia content; (B) transmitting the encrypted first datagram in a time slice burst; and (C) transmitting a respective datagram including the first key in the time slice burst, the respective datagram being included in the first component.
According to an aspect of the present invention, there is provided a method of transmitting data during a multimedia session comprising a plurality of components, comprising: (A) encrypting a first datagram with a first key and including the encrypted first datagram in a first component of the multimedia session, wherein the first datagram contains multimedia content; (B) transmitting the encrypted first datagram in a time slice burst; (C) transmitting a respective datagram and including the first key in the respective datagram, the respective datagram being included in another component in the time slice burst; (D) encrypting a second datagram with a second key and including the encrypted second datagram in other components of the multimedia session, the second datagram containing multimedia content; (E) transmitting the encrypted second datagram in the time slice burst; and (F) sending an association datagram in the time slice burst and including the second key in the association datagram, the association datagram being included in the first component.
According to an aspect of the present invention, there is provided a method of transmitting data during a multimedia session, comprising: (A) encrypting a first datagram with a first key and including the encrypted first datagram in a first component of the multimedia session, the first datagram containing multimedia content; (B) including the first key in the first datagram; and (C) transmitting the first datagram in a time slice burst.
According to one aspect of the present invention there is provided an apparatus for transmitting data over a communication system during a multimedia session comprising a plurality of media components, comprising: means for encrypting a first datagram with a first key and including the encrypted first datagram in a first component of the multimedia session, wherein the first datagram contains multimedia content; means for transmitting the encrypted first datagram in a time slice burst; and means for sending a respective datagram including the first key in the time slice burst, the respective datagram being included in the first component.
According to one aspect of the present invention there is provided a method of receiving data over a communication system during a multimedia session comprising a plurality of media components, comprising: (A) receiving encrypted first datagrams and corresponding datagrams in a time slice burst, the encrypted first datagrams and corresponding datagrams included in a first component of the multimedia session, the encrypted first datagrams containing multimedia content; (B) determining a first key from the respective datagram; and (C) decrypting the encrypted first datagram with the first key.
According to an aspect of the present invention, there is provided a method of receiving data over a communication system during a multimedia session, comprising: (A) receiving first, second, third, and fourth encrypted datagrams in a time slice burst, the first and fourth encrypted datagrams included in a first component of the multimedia session, the second and third encrypted datagrams included in a second component of the multimedia session, the first and second encrypted datagrams containing multimedia content; (B) determining a first key from the third datagram; (C) decrypting the first encrypted datagram with the first key; (D) determining a second key from the fourth datagram; and (E) decrypting the second encrypted datagram with the second key.
According to an aspect of the present invention, there is provided a method of receiving data during a multimedia session comprising a plurality of media components, comprising: (A) receiving a first datagram in a time slice burst, the first datagram being included in a first component of the multimedia session, the first datagram containing multimedia content; (B) determining a first key from the first datagram; and (C) decrypting the first datagram with the first key.
According to one aspect of the present invention there is provided an apparatus for receiving data over a communication system during a multimedia session comprising a plurality of media components, comprising: means for receiving a first encrypted datagram and a corresponding datagram in a time slice burst, the first encrypted datagram and the corresponding datagram being included in a first component of the multimedia session, the first encrypted datagram containing multimedia content; means for determining a first key from the respective datagram; and means for decrypting the first encrypted datagram with the first key.
According to an aspect of the present invention, there is provided an apparatus for transmitting data during a multimedia session comprising a plurality of media components, comprising: a first interface for obtaining multimedia content datagrams encrypted with respective keys, the encrypted multimedia content datagrams containing multimedia content during the multimedia session; a second interface for obtaining the respective key; a transport interface for including the encrypted multimedia content datagrams in time slice bursts; and a processor for instructing the transmission interface to include key information in the time slice burst with the encrypted multimedia content datagrams, the key information including the respective key.
According to an aspect of the present invention, there is provided an apparatus for transmitting data during a multimedia session comprising a plurality of media components, comprising: means for encrypting a plurality of multimedia content datagrams, each multimedia content datagram being encrypted with an associated key, each associated key being included in key information; and means for transmitting a plurality of encrypted multimedia content datagrams with the key information in a time slice burst.
According to an aspect of the present invention, there is provided an apparatus for receiving data during a multimedia session, comprising: means for receiving a time slice burst during the multimedia session, the time slice burst comprising a plurality of multimedia content datagrams and key information, each multimedia content datagram being encrypted by an associated key included in the key information; means for determining an associated key for each of the multimedia content datagrams; and means for decrypting each of the multimedia content datagrams with the associated key.
According to an aspect of the present invention there is provided a method of providing data via a communication system during a multimedia session comprising a plurality of media components, comprising: (A) encrypting a first datagram with a first key and including the encrypted first datagram in a first component of the multimedia session, the first datagram including multimedia content; (B) transmitting the encrypted first datagram in a time slice burst; (C) transmitting first key information in the time slice burst, wherein the first key information comprises the first key; (D) receiving a time slice burst with the first datagram and the first key information encrypted; (E) determining the first key from the first key information; and (F) decrypting the encrypted first datagram with the first key.
Drawings
A more complete understanding of the present invention and the advantages thereof may be acquired by referring to the following description taken in conjunction with the accompanying drawings, in which like reference numbers indicate like parts, and wherein:
FIG. 1 illustrates Internet Protocol (IP) service transport utilizing time slice transport, according to an embodiment of the present invention;
FIG. 2 illustrates a protocol stack supporting multimedia data transmission according to an embodiment of the present invention;
FIG. 3 illustrates a component configuration of a multimedia session according to an embodiment of the present invention;
FIG. 4 illustrates a component configuration of a displayed multimedia session according to an embodiment of the present invention;
FIG. 5 illustrates a variation of the component configuration shown in FIG. 4, in accordance with embodiments of the present invention;
FIG. 6 illustrates a variation of the component configuration shown in FIG. 4, in accordance with embodiments of the present invention;
FIG. 7 illustrates a variation of the component configuration shown in FIG. 4, in accordance with embodiments of the present invention;
FIG. 8 illustrates a variation of the component configuration shown in FIG. 4, in accordance with embodiments of the present invention;
FIG. 9 illustrates a variation of the component configuration shown in FIG. 4, in accordance with embodiments of the present invention;
FIG. 10 illustrates a component configuration of a multimedia session according to an embodiment of the present invention;
FIG. 11 illustrates a variation of the component configuration shown in FIG. 10, in accordance with embodiments of the present invention;
FIG. 12 illustrates a variation of the component configuration shown in FIG. 10, in accordance with embodiments of the present invention;
FIG. 13 illustrates a variation of the component configuration shown in FIG. 10, in accordance with embodiments of the present invention;
FIG. 14 illustrates a variation of the component configuration shown in FIG. 10, in accordance with embodiments of the present invention;
FIG. 15 illustrates a variation of the component configuration shown in FIG. 10, in accordance with embodiments of the present invention;
FIG. 16 illustrates a variation of the component configuration shown in FIG. 10, in accordance with embodiments of the present invention;
FIG. 17 shows the steps of receiving a multimedia session according to an embodiment of the invention;
FIG. 18 illustrates a flow diagram of the architecture shown in FIG. 17, according to an embodiment of the invention;
FIG. 19 illustrates a protected content delivery system supporting DVB-H IPDC (IP datacasting) service, according to the prior art;
FIG. 20 illustrates a system for supporting DVB-H IPDC service according to an embodiment of the present invention;
FIG. 21 is a flow chart illustrating transmission of data for a DVB-H IPDC service in the system shown in FIG. 20 according to an embodiment of the present invention;
FIG. 22 illustrates a system for supporting DVB-H IPDC service according to an embodiment of the present invention;
FIG. 23 illustrates a system for supporting DVB-H IPDC service according to an embodiment of the present invention;
FIG. 24 illustrates an apparatus supporting a transport module as shown in FIGS. 20, 22 and 23, according to an embodiment of the present invention;
FIG. 25 illustrates an apparatus for receiving a multimedia broadcast and applying an IPSec key according to an embodiment of the present invention;
FIG. 26 illustrates an apparatus for receiving a multimedia broadcast and decrypting an IPSec key according to an embodiment of the present invention; and
FIG. 27 illustrates a system for configuring a security plug-in software module, according to an embodiment of the invention.
Detailed Description
In the following description of the various embodiments, reference is made to the accompanying drawings, which form a part hereof, and in which is shown by way of illustration embodiments in which the invention may be practiced. It is to be understood that other embodiments may be utilized and structural and functional modifications may be made without departing from the spirit of the present invention.
FIG. 1 illustrates Internet Protocol (IP) service transport using time slice transport according to an embodiment of the present invention. The base station broadcasts data packets for a plurality of IP services using data streams 101, 103, 105 and 107. In this embodiment, the base station may support the functions typically undertaken by a Base Transceiver Station (BTS), a Base Station Controller (BSC), a combination of a BTS and a BSC, and a Node B, the third generation (3G) designation of a base transceiver station. Data transmission is substantially continuous, such that datagrams for an IP service are continuously transmitted over a data stream.
To mitigate the loss of data packets, the base station maps data streams 101, 103, 105, and 107 into data packet bursts 109, 111, 113, and 115, respectively, and the bursts are transmitted over the wireless channel instead of data streams 101, 103, 105, and 107. Each data stream (101, 103, 105 and 107), and thus each burst (109, 111, 113 and 115), supports at least one data service. In this way, each burst may support multiple data services (e.g., a set of related data services).
Typically, the data rates associated with bursts 109, 111, 113, and 115 are greater than the data rates associated with data streams 101, 103, 105, and 107, and therefore, a corresponding number of datagrams may be transmitted in a shorter time. In this embodiment, the respective continuous data rates of the data streams 101, 103, 105 and 107 are close to 100 Kbit/sec. Typically, the respective data rates of bursts 109, 111, 113 and 115 are close to 4Mbit/sec (but may exceed 10Mbit/sec) in about 1 second. However, other embodiments may use different data rates for data flow 101-.
In this embodiment, the full data rate capacity is allocated to a burst at a given time. As shown in FIG. 1, bursts 109, 111, 113, and 115 are staggered in time. Idle time intervals, during which no data packets for a particular data service are sent, occur between successive transmissions of a burst, such as burst 109. The wireless broadcast system can use an idle time interval to instruct the wireless terminal to transfer to another base station and complete a handover. The other base station may transmit the same data as the base station previously serving the wireless terminal using a different center frequency and a different phase shift. The use of time slices enables the terminal to reduce its consumption of the electrical energy provided by the power supply (typically a battery).
Typically, bursts are transmitted periodically by the base station. For example, a subsequent burst may occur T seconds after burst 109, i.e., a burst is sent every T seconds. The wireless terminal may maintain accurate timing, for example using the Global Positioning System (GPS), to determine the absolute time at which each burst occurs. In another embodiment, the wireless terminal is provided with information regarding the time period of each burst, informing the wireless terminal of the subsequent burst. According to an embodiment of the invention, the time period information includes a real-time parameter (corresponding to "delta-t" in DVB-H) indicating the time interval from the start of a time slice burst to the start of the next time slice burst of the same service, and is indicated in the header of the MPE unit. The time period may be included in an IP packet, a multiprotocol encapsulation frame, any other packet frame, and a third generation (3G) or General Packet Radio Service (GPRS) channel or modulation data (e.g., transmitter parameter signaling). Alternatively, the wireless terminal may detect the occurrence of a burst by receiving a signal preamble, which may be a data sequence known in advance by the wireless terminal. In another embodiment, a wireless terminal may receive an overhead message on an overhead channel from a base station. The overhead message may include timing information regarding the occurrence of the burst. The overhead channel may be logically or physically distinct from a downlink radio channel supporting burst transmissions.
Bursts 109, 111, 113 and 115 may be formatted using multi-protocol encapsulation according to Section 7 of European Standard EN 301 192, "Digital Video Broadcasting (DVB); DVB specification for data broadcasting". The encapsulation may conform to an Internet Protocol (IP) standard.
In another embodiment of the present invention, digital video broadcasting (DVB-H) provides mobile media services for wireless terminals, such as handheld wireless units. In this embodiment, the DVB-H system is compatible with DVB-T (digital video broadcasting-terrestrial) and supports enhancements for better supporting the operation of wireless handheld terminals. DVB-H systems support Internet Protocol (IP) based data services in which information can be transmitted as IP datagrams. The DVB-H system incorporates a number of enhancements (to the DVB-T system) that facilitate access to IP-based DVB services at wireless handheld terminals. (Alternative embodiments of the present invention support a variety of digital video systems including DVB-T, ATSC and ISDB-T.) DVB-H enhances the physical layer based on the DVB-T physical layer, with many enhancements to the service layer aimed at improving battery life and reception in a handheld environment. DVB-H enhancements thus complement existing digital terrestrial services and provide service providers with the possibility to expand to the wireless handheld market.
FIG. 2 illustrates an Internet Protocol (IP) stack 200 supporting multimedia data transmission according to an embodiment of the present invention. Digital media content or other data is broadcast using various application protocols, transport protocols, and network protocols. The IP datacast supports audiovisual services with MPEG4-AVC video 201, MPEG4-AAC audio 203 and auxiliary data 205 components through the IP stack 200. Each component (201, 203 or 205) is processed by encoder 207, encoder 209 or encoder 211 to obtain a packet that conforms to the Real-time Transport Protocol (RTP) layer 213 format. Subsequently, the packet (datagram) is processed by a UDP (User Datagram Protocol) layer 215 and a network protocol (layer) 217. Datagrams are associated with time slice bursts by formatting the time slice bursts using multiprotocol encapsulation (typically corresponding to the link layer of the OSI model), which may be in accordance with, for example, Section 7 of European Standard EN 301 192, "Digital Video Broadcasting (DVB); DVB specification for data broadcasting". The encapsulation may conform to an Internet Protocol (IP) standard.
A multimedia session is typically associated with one or more session components (in the above case: audio, video and auxiliary data) that are logically bound together. The portions of the session are transmitted during a common start time and end time. The start time and/or the end time may be defined or undefined.
Fig. 3 shows a component configuration 300 of a multimedia session 301 according to an embodiment of the invention. Component 303 corresponds to a plurality of datagrams (including datagrams 309 and 315); component 305 corresponds to a plurality of datagrams (including datagrams 311 and 317); component 307 corresponds to a plurality of datagrams (including datagrams 313 and 319). Components 303, 305 and 307 are sent within IP packets that are encapsulated for underlying bearer level messaging. Each component 303, 305 and 307 has a defined source IP address, destination IP address and port for use in IP packets carrying data associated with the component. The different components may have independently defined source IP addresses, destination IP addresses, and ports. In a variation on the embodiment, the multimedia session may have a different number of components.
Although the exemplary component configuration 300 shows datagram alignment between components 303, 305 and 307, the present embodiment also supports configurations in which datagrams are not aligned and the number of datagrams per component is different from other components. For example, the number of datagrams in the audio component is typically smaller than the number of datagrams in the video component in a given time interval.
FIG. 4 shows a component configuration 400 for a multimedia session 401 according to an embodiment of the invention. The components 403, 405 and 407 are encrypted with the same key, which is changed periodically in keystream 409 during multimedia session 401. (In FIGS. 4 to 16, a datagram encrypted with key $k_i$ is denoted $E_i$. Keystream 409 is a logical channel that includes key information and is separate from the media components. Similarly, a datagram associated with the jth component and encrypted with the ith key associated with the jth component is denoted $E_{ji}$.) This embodiment supports different encryption methods applied to components 403, 405, or 407, including:
● IPSEC-ESP (so-called IP-level encryption; see the RFC for IPSEC-ESP)
● Application session packet payload encryption (e.g., SRTP or the DCF of OMA DRM 1.0 or 2.0)
● encryption technique
The above-described encryption methods may be applied alone or in combination during multimedia session 401. Components 403, 405, and 407 correspond to a plurality of different content datagrams. Keystream 409 comprises a plurality of associated datagrams, each associated datagram corresponding to a key. Encryption is typically performed on an individual datagram (e.g., packet) basis. For example, using the key k1Content datagrams 415, 425, 427, 435, and 437 are encrypted (corresponding to associated datagram 411) using key k2Content datagram 417 is encrypted (corresponding to associated datagram 413).
The keystream 409 utilizes transport protocols such as RTP, ALC/FLUTE, UHTTP, DVBSTP, IP with payload, and UDP with payload. Typically, the key transmitted in keystream 409 is protected by another key that the authorized receiver has, which receiver uses to access the content of keystream 409, and thus components 403, 405, and 407, bearing the key. Optionally, the transport of keystream 409 is synchronized with components 403, 405, and 407, e.g., using RTP timestamps in the RTP control protocol.
Fig. 5 illustrates a variation of the component configuration shown in fig. 4, according to an embodiment of the present invention. Component configuration 500 is similar to component configuration 400. Multimedia session 501 includes components 503, 505, and 507 and keystream 509. Component 505 is encrypted with a key from keystream 509, but components 503 and 507 are not.
FIG. 6 illustrates a variation of the component configuration shown in FIG. 4, according to an embodiment of the present invention. Component configuration 600 is similar to component configuration 400. However, keystream 609 includes three series of keys 611, 613, and 615 corresponding to components 603, 605, and 607, respectively. The keys may be changed periodically but independently during the multimedia session 601, but may remain synchronized with each other.
FIG. 7 illustrates a variation of the component configuration shown in FIG. 4, according to an embodiment of the present invention. The component configuration 700 is similar to the component configuration 600 except that the keys of each component are carried by different keystreams and these keystreams change during the multimedia session 701. Rather than having one keystream, component configuration 700 utilizes three keystreams 709, 711, and 713. Keystreams 709, 711, and 713 correspond to components 703, 705, and 707, respectively.
FIG. 8 illustrates a variation of the component configuration shown in FIG. 4, according to an embodiment of the present invention. In component configuration 800, component 805 is encrypted with a key from keystream 809. However, keystream 809 provides both the key currently applied to decrypt component 805 and the keys that will subsequently be applied to decrypt component 805. In the example shown in FIG. 8, key k1 (corresponding to datagram 811) is currently applied, and key k2 (corresponding to datagram 813) and key k3 (corresponding to datagram 815) are to be applied subsequently. Although components 803 and 807 are not encrypted during multimedia session 801, components 803 and 807 may be encrypted in variations of the present embodiment. Possession of the keys to be applied subsequently allows the receiver device to smooth the key transition during the multimedia session 801. For example, the receiver device may configure the IP stack with the new key to reduce interruptions in decrypting the content datagrams.
FIG. 9 illustrates a variation of the component configuration shown in FIG. 4, according to an embodiment of the present invention. Keystream 909 includes the key currently applied to encrypted component 905 and, when the key transition occurs within a predetermined incremental time of the current time, the key to be applied subsequently. For example, before key transition 951, keystream 909 includes keys k1 (corresponding to datagram 911) and k2 (corresponding to datagram 913); after key transition 951, keystream 909 includes only key k2 (corresponding to datagram 915). Like component configuration 800, component configuration 900 helps the receiver device smooth out the effects of key transitions.
Fig. 10 shows a component configuration 1000 of a multimedia session 1001, according to an embodiment of the invention. In contrast to the component configurations 400 to 900, the keys are carried in one or more components, without a separate keystream to send the keys. In component configuration 1000, component 1005 includes a content datagram (e.g., content datagram 1011) and a datagram 1009, datagram 1009 providing key k1 used to encrypt components 1003, 1005, and 1007.
FIG. 11 illustrates a variation of the component configuration shown in FIG. 10, according to an embodiment of the present invention. In component configuration 1100, component 1107 provides key k1 (corresponding to datagram 1109) and key k2 (corresponding to datagram 1111); keys k1 and k2 are applied to component 1105 during multimedia session 1101. In the example shown in fig. 11, components 1103 and 1107 are not encrypted with the key provided by component 1107.
FIG. 12 illustrates a variation of the component configuration shown in FIG. 10, according to an embodiment of the present invention. The component configuration 1200 is similar to the component configuration 1100. However, during the multimedia session 1201, the key is applied both to the component carrying the key information (component 1205) and to another component (component 1203). In the example shown in fig. 12, the component 1207 is not encrypted.
FIG. 13 illustrates a variation of the component configuration shown in FIG. 10, according to an embodiment of the present invention. In the component configuration 1300, each of the components 1303, 1305, and 1307 carries the keys that are applied to that component during the multimedia session 1301. For example, keys k11 (corresponding to datagram 1309) and k12 (corresponding to datagram 1311) are applied to component 1303. Key k21 (corresponding to datagram 1313) and key k22 (corresponding to datagram 1315) are applied to component 1305. Key k31 (corresponding to datagram 1317) and key k32 (corresponding to datagram 1319) are applied to component 1307.
FIG. 14 illustrates a variation of the component configuration shown in FIG. 10, according to an embodiment of the present invention. In the component configuration 1400, each component 1403, 1405 and 1407 carries keys that are applied to the other components during the multimedia session 1401. For example, key k11 (corresponding to datagram 1413 and carried by component 1405) and key k12 (corresponding to datagram 1419 and carried by component 1407) are applied to component 1403. Key k21 (corresponding to datagram 1417 and carried by component 1407) and key k22 (corresponding to datagram 1411 and carried by component 1403) are applied to component 1405. Key k31 (corresponding to datagram 1409 and carried by component 1403) and key k32 (corresponding to datagram 1415 and carried by component 1405) are applied to component 1407.
FIG. 15 illustrates a variation of the component configuration shown in FIG. 10, according to an embodiment of the present invention. In component configuration 1500, the key information is carried in a content datagram rather than in a separate datagram. For example, key k1 is included in a content datagram 1509 in a coherent portion (or with a dedicated header) 1511, and key k2 is included in a content datagram 1513 in a coherent portion (or with a dedicated header) 1515. Keys k1 and k2 are applied to the datagrams in components 1503, 1505, and 1507.
FIG. 16 illustrates a variation of the component configuration shown in FIG. 10, according to an embodiment of the present invention. Component configuration 1600 is similar to component configuration 800 in that both provide a current key and a subsequent key. For example, component 1605 carries key k1 (corresponding to datagram 1609) and key k2 (corresponding to datagram 1611), where key k1 is currently applied to components 1603 and 1607 during multimedia session 1601, while key k2 is applied subsequently. Likewise, key k2 (corresponding to datagram 1613) and key k3 (corresponding to datagram 1615) are then carried in component 1605. As with component configuration 800, component configuration 1600 facilitates smooth key transitions for receiver devices.
Fig. 17 shows an architecture 1700 for receiving a multimedia session according to an embodiment of the invention. In architecture 1700, a receiving device receives a time slice burst of data 1701 that includes IP session components and a keystream associated with the session components. A plurality of content datagrams 1705, 1707, and 1709 correspond to component 1, component 2, and component 3, respectively. The plurality of datagrams 1711 correspond to a keystream. Time slice burst 1701 is stored in temporary buffer 1713 before datagrams (packets) are forwarded to IP stack 1721. First, the receiving device extracts the key (corresponding to datagram 1717) for the received time slice burst 1701 from temporary buffer 1713. The receiving device then installs the extracted key into the IPSec Security Association (SA) database 1719. Next, the receiving device extracts the remaining datagrams 1715 from the temporary buffer and forwards them to the IP stack 1721. After decryption, the processed datagrams are passed to application 1723 for rendering multimedia content. Thus, the IP stack 1721 does not discard the content datagram (unless the receiving device has not received the corresponding key in the current or a previous time slice burst). This process is repeated for the next received time slice burst 1703.
Fig. 18 shows a flow diagram 1800 of the architecture shown in fig. 17, according to an embodiment of the invention. In step 1801, the receiving device receives a time slice burst over a communication channel (e.g., a wireless channel). In step 1803, the receiving device separates components (e.g., audio components and video components) from the received time slice burst. In step 1805, the receiving device extracts the associated key set from the keystream. The extracted key may be applied to content datagrams contained in the time slice burst or in subsequent time slice bursts. Also, the present embodiment supports a configuration in which different datagrams in a time slice burst use different keys. In step 1807, the extracted key is applied to an IPSec Security Association (SA) database (e.g., SA DB 1719 shown in fig. 17). In step 1809, the content datagram is extracted from the buffer (e.g., temporary buffer 1713). In step 1811, the content datagrams are sent to the IP stack (e.g., stack 1721). The content datagrams are then decrypted and sent to the corresponding application.
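The receive procedure of fig. 17 and 18 can be simulated as follows. This is an added example, not code from the patent: the `Datagram` layout, the SPI-style key index, the toy SHA-256 cipher with truncated HMAC tag (a stand-in for ESP), and the sample bursts are all constructed, and key datagrams are carried unwrapped although the description says they are normally protected by another key.

```python
import hashlib
import hmac
from dataclasses import dataclass

TAG_LEN = 12  # truncated integrity tag length (constructed value)


@dataclass(frozen=True)
class Datagram:
    kind: str       # "key" (keystream datagram) or "content"
    component: int  # media component number; 0 marks the keystream here
    spi: int        # key index, standing in for the IPSec SPI
    seq: int        # sequence number, also used as the cipher nonce
    body: bytes     # key bytes for "key"; ciphertext + tag for "content"


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and integrity keys derived from one traffic key.
    return hashlib.sha256(label + key).digest()


def _xor_stream(key: bytes, seq: int, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). A stand-in, not real ESP."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        counter = seq.to_bytes(8, "big") + block.to_bytes(4, "big")
        stream += hashlib.sha256(_subkey(key, b"enc") + counter).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(key: bytes, seq: int, ciphertext: bytes) -> bytes:
    msg = seq.to_bytes(8, "big") + ciphertext
    return hmac.new(_subkey(key, b"mac"), msg, hashlib.sha256).digest()[:TAG_LEN]


def protect(key, spi, seq, component, plaintext):
    """Sender side: build one encrypted content datagram (E_i in the figures)."""
    ciphertext = _xor_stream(key, seq, plaintext)
    return Datagram("content", component, spi, seq,
                    ciphertext + _tag(key, seq, ciphertext))


class Receiver:
    def __init__(self):
        self.sa_db = {}      # spi -> key, models SA database 1719
        self.delivered = []  # (component, plaintext) passed to the application
        self.dropped = []    # seq of datagrams the IP stack discarded

    def _ip_stack(self, d):
        key = self.sa_db.get(d.spi)
        if key is None:                  # no SA: the key was never received
            self.dropped.append(d.seq)
            return
        ciphertext, tag = d.body[:-TAG_LEN], d.body[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(key, d.seq, ciphertext)):
            self.dropped.append(d.seq)   # wrong key or modified datagram
            return
        self.delivered.append((d.component, _xor_stream(key, d.seq, ciphertext)))

    def process_burst(self, burst):
        buffer = list(burst)             # temporary buffer 1713
        for d in buffer:                 # steps 1805 and 1807: keys first
            if d.kind == "key":
                self.sa_db[d.spi] = d.body
        for d in buffer:                 # steps 1809 and 1811: then content
            if d.kind == "content":
                self._ip_stack(d)


def demo():
    """Two constructed bursts; returns (delivered, dropped)."""
    k1, k2, k3 = (hashlib.sha256(b"constructed-key-%d" % i).digest()[:16]
                  for i in (1, 2, 3))
    burst1 = [
        protect(k1, 1, 1, 1, b"audio-1"),
        protect(k1, 1, 2, 2, b"video-1"),
        Datagram("key", 0, 1, 0, k1),    # current key arrives after the content
        Datagram("key", 0, 2, 0, k2),    # subsequent key for the next burst
    ]
    burst2 = [
        protect(k2, 2, 3, 1, b"audio-2"),  # key was delivered in burst 1
        protect(k3, 3, 4, 2, b"video-2"),  # k3 was never sent: discarded
    ]
    rx = Receiver()
    rx.process_burst(burst1)
    rx.process_burst(burst2)
    return rx.delivered, rx.dropped
```

Because the whole burst is buffered before anything reaches the IP stack, the position of the key datagram inside the burst does not matter; only a key that is absent from the current and all earlier bursts causes a discard.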
Fig. 19 shows a system 1900 for protected content delivery supporting DVB-H IPDC (IP datacasting) services, according to the prior art. System 1900 provides protected content delivery for DVB-H services using the IP datacasting specified in "Interim DVB-H IP Datacast Specifications: IP Datacast Baseline Specification: Specification of Interface I_MT" (DVB Document A080, April 2004). According to this specification, the security association data is transmitted in the SA carousel 1921, as part of the electronic service guide (ESG), as a DRM-protected SA file 1919 (provided by a digital rights manager (DRM) performing a protection function) and an IPSec policy file 1911. Since carousel data is typically updated infrequently (e.g., once a day), system 1900 does not provide an effective solution for key transfer, particularly when one or more keys are updated or changed frequently.
The encryption module 1903 encrypts the multimedia content 1901 (corresponding to an IP datagram) using the IPSec key and sends it (performed by the transmission system 1925) as time slice packets (after multiprotocol encapsulation, FEC encoding, and time slice burst formation) to the receiving device 1926. The Rights Object (RO) 1923 (provided by the rights object generating unit 1922) is transmitted to the receiving device 1926 through an interactive channel, wherein the receiving device 1926 is provided with means for two-way communication, such as a mobile phone function. A user of a receiving device 1926 may subscribe to a service (content) and may therefore receive a corresponding Rights Object (RO) 1933 that enables the user to decrypt the content of the subscribed service. In the present embodiment, typically, the Rights Object (RO) 1933 does not include the IPSec key 1905.
The receiving device 1926 processes the time slice bursts with a burst processing module 1927. Decryption module 1929 decrypts the received packet using the key provided by key extraction module 1931 to obtain content 1935. The key is determined from a Rights Object (RO). Typically, the keys are transferred as DRM protected SA files in the SA carousel. The Rights Object (RO) enables the receiving device 1926 to extract the key.
Fig. 20 shows a system 2000 supporting DVB-H IPDC service according to an embodiment of the invention. The encryption module 2003 encrypts the multimedia content 2001 (corresponding to the content datagram) using the IPSec key 2005. Transmission system 2025 obtains encrypted content datagrams from encryption module 2003 and the corresponding keys from DRM 2009. Transmission system 2025 forms a corresponding datagram that includes the key corresponding to the encrypted content datagram. Transmission system 2025 inserts the encrypted content datagrams and the corresponding datagrams into a time slice burst that is transmitted over a communication channel to receiving device 2026. Although the wireless module is not explicitly shown in fig. 20, the present embodiment may provide wireless signal capability to transmit time slice bursts over a wireless channel to the receiving device 2026.
The receiving device 2026 processes the received time slice burst, wherein the encrypted content datagrams and corresponding datagrams (including the corresponding keys used to encrypt the received content datagrams) are separated by a burst processing module 2027. In this embodiment, the receiving device 2026 comprises a broadband receiver for receiving DVB signals containing time slice bursts and a transceiver for bi-directional communication in a wireless network. The two-way communication supports user service subscriptions, OMA messaging, and security plug-in module installation. The present embodiment supports different signal configurations in which the keys are included in a separate key stream or in the multimedia component as described above for fig. 4 to 16. Key extraction module 2031 extracts keys from the respective datagrams for decryption by decryption module 2029. The decryption module provides the decrypted content 2035 to an application (not shown) so that the content can be rendered.
In addition, rights management object 2023 (determined by rights object generator 2022) is separately sent to receiving device 2026 in response to the service order. Thus, the receiving device 2026 receives the rights object 2033 to determine whether the receiving device 2026 is permitted to process the received content.
Fig. 21 shows a flow diagram 2100 for transmitting data for a DVB-H IPDC service in a system 2000, according to an embodiment of the invention. In step 2101, a transmitting device (e.g., transmission system 2025) determines whether the obtained content datagram is included in the current time slice burst. If not, then in step 2109, a time slice burst (containing the previously obtained content datagram and associated key) is sent to the receiving device.
If the obtained content datagram is included in the current time slice burst, a corresponding key is determined in step 2103, and the content datagram is encrypted with the key in step 2105. In step 2107, the encrypted content datagram and the corresponding key information (carried in a corresponding datagram that may be included in the multimedia component or in the keystream) are inserted into the current time slice burst.
Fig. 22 shows a system 2200 for supporting DVB-H IPDC service according to an embodiment of the invention. In fig. 22, elements 2201, 2203, 2205, 2222, 2223, 2227, 2229, 2231, 2233, and 2235 correspond to the elements 2001, 2003, 2005, 2022, 2023, 2027, 2029, 2031, 2033, and 2035 shown in fig. 20. Like system 2000, system 2200 transmits content datagrams and corresponding key information in the same time slice burst. The key information is provided by key message generator 2206 to transmission system 2225. The key message generator may further encrypt the key, so that transmission system 2225 sends the encrypted key information to the receiving device 2226. The DRM 2209, together with the rights object generator 2222, provides a rights object 2233 corresponding to a desired DVB-H IPDC service to the receiving device 2226.
IPSec policy files 2211 (which may include security association information) are sent in SA carousel 2221 separate from service and key messages that are multiplexed and sent using IPDC time slices. In this embodiment, the SA carousel 2221 is transmitted as part of an Electronic Service Guide (ESG).
Fig. 23 shows a system 2300 for supporting DVB-H IPDC service according to an embodiment of the invention. The system 2300 supports Conditional Access (CA) that can provide a second level of encryption using a corresponding private key. (As will be discussed with fig. 26, the IPSec key may be encrypted by Digital Rights Management (DRM) and CA modules.) The receiving apparatus 2326 includes a receiver section and a terminal section. The receiver section performs burst processing, demultiplexing, and key management. The receiver section further includes a CA plug-in installation unit and a key decryption unit. The DRM 2351 sends the CA plug-in installation package 2353 to the DRM 2314, causing a new CA plug-in module to be installed at the receiving device 2326, as will be further described with fig. 27. The key decryption is performed in a secure processing environment. In addition to decryption (corresponding to decryption module 2329) and content reproduction (corresponding to content 2335), the terminal section also performs key management and key decryption.
Encryption of key 2305 (used by encryption module 2303 to encrypt content 2301) is performed by key encryption module 2311. Key encryption module 2311 includes CA module 2308 and DRM 2309. Thus, key encryption module 2311 may provide two levels of encryption. Transmission system 2325 places the encrypted key information and content datagrams in the same time slice burst.
Accordingly, decryption of the received key information is performed by key decryption module 2317. Key decryption module 2317 includes DRM 2314 and CA module 2315. Key decryption module 2317 performs two levels of decryption corresponding to the two levels of encryption. Time slice burst processing module 2327 decrypts the received content datagrams using the decrypted keys provided by key manager 2313. The received content datagram is decrypted by the decryption module 2329 of the terminal part. Key manager 2313 receives the key information demultiplexed by module 2327 and forwards the key information to key decryption module 2317 (associated with the trusted environment) for DRM and CA decryption.
In this embodiment, the Rights Object (RO) is sent from DRM 2309 to DRM 2314 as an OMA DRM 2 message (according to the proposed Open Mobile Alliance Digital Rights Management Version 2.0). Typically, the Rights Object (RO) is transmitted separately from the time slice burst.
Fig. 24 illustrates an apparatus 2400 for supporting the transmission systems (e.g., 2025, 2225, and 2325) illustrated in fig. 20, 22, and 23, in accordance with an embodiment of the present invention. In the present embodiment, device 2400 typically performs functions associated with a link layer (layer two of the OSI protocol model). Processor 2405 obtains encrypted datagrams from an encryption module (not shown) via encryption interface 2401 and corresponding key information from a key generator (not shown) via key interface 2403. Transmit interface 2407 encodes the datagrams for forward error correction at the receiving device, performs multi-protocol encapsulation, and formats the encoded datagrams into time slice bursts. (In this embodiment, the datagrams include both content datagrams and corresponding datagrams containing keys.)
Fig. 25 illustrates an apparatus 2500 for a receiving device that receives multimedia broadcasts and applies IPSec keys, such as receiving devices 1926, 2026, 2226, and 2326 shown in fig. 19, 20, 22, and 23, respectively, according to an embodiment of the present invention. Apparatus 2500 processes time slice bursts, such as time slice bursts 2501 and 2503, to extract content datagrams and the associated keystream. In the embodiment shown in fig. 25, time slice burst 2501 or time slice burst 2503 contains content datagrams (e.g., content datagrams 2505, 2507, and 2509) and corresponding key datagrams (e.g., corresponding datagram 2511). The content datagrams are ESP-encapsulated IP packets that include service content, and the key datagrams include UDP key messages. The keys in the UDP key message may be protected with DRM.
The device 2500 is capable of distinguishing between service content and key messages. Thus, receiver module 2551 separates the key datagrams and the content datagrams. In this embodiment, key datagrams are given higher priority than content datagrams by a transmitting device (not shown). In the present embodiment, the priority associated with the datagram is indicated in a certain field, for example, a type of service (ToS) field, or in a differentiated services field. Thus, key datagrams are sent to IP stack 2553 before corresponding content datagrams, thereby allowing more time to be allocated for key processing by key decryption module 2555. The key decryption module obtains the encrypted key from IP stack 2553 through key manager 2559.
The embodiments shown in fig. 17 and 25 place keys and associated content datagrams within the same time slice burst. However, in another embodiment, the keys within a time slice burst are associated with decrypting content datagrams contained in the next time slice burst, thus allowing more time for key processing.
The decrypted key is handed to IPSec module 2557 so that the associated content datagram in IP stack 2553 can be decrypted and presented to client 2561.
Fig. 26 illustrates apparatus 2600 for receiving a multimedia broadcast and decrypting received IPSec key 2601, according to an embodiment of the present invention. Key manager 2653 sends the encrypted IPSec key to DRM server 2655 to decrypt the second-level encryption using the public decryption algorithm and private key 2603. DRM server 2655 returns second-level decrypted key 2607 to key manager 2653. If the key manager 2653 determines that the key is encrypted by the first level of encryption, the key manager 2653 sends the second-level decrypted key to the CA plug-in module 2657. CA plug-in module 2657 utilizes a secret decryption algorithm and private key 2605 to decrypt the second-level decrypted key 2607. In an embodiment of the invention, the secret decryption algorithm corresponds to the DVB Common Scrambling Algorithm (CSA), which is available from the European Telecommunications Standards Institute (ETSI). CA plug-in module 2657 returns decrypted key 2609 to key manager 2653, and key manager 2653 forwards decrypted key 2609 to IP stack 2651.
In this embodiment, CA plug-in module 2657 performs a first level of decryption, which is optional and based on an operator-specific CA method that includes an associated private key and an associated decryption algorithm. The second level encryption is based on an open standard, such as OMA DRM 2. Since the first level of encryption is optional, key manager 2653 determines whether first level encryption is applied to key 2607 that is decrypted by the second level. If so, key manager 2653 sends key 2607 decrypted by the second level to CA plug-in software module 2657. If not, key manager 2653 sends second-level decrypted key 2607 directly to IP stack 2651 because second-level decrypted key 2607 has been completely decrypted.
In this embodiment, key manager 2653 determines whether second-level decrypted key 2607 has been encrypted by the first level by checking an associated encryption indicator (not shown), such as a header or message field. If second-level decrypted key 2607 has been encrypted by the first level, the associated encryption indicator indicates 'Yes'; if second-level decrypted key 2607 is not encrypted by the first level, it indicates 'No'. Even when second-level decrypted key 2607 has been encrypted by the first level, the associated encryption indicator itself is not encrypted by the first level.
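The key manager's routing between the two decryption levels can be sketched as below, with the failure cases made explicit. This is an added example, not code from the patent: the one-byte indicator values, the 16-byte key length, the message layout, and the XOR `toy_cipher` standing in for both the open DRM algorithm and the operator's secret CA algorithm are assumptions made for illustration.

```python
from itertools import cycle

FIRST_LEVEL_NO, FIRST_LEVEL_YES = 0x00, 0x01  # constructed indicator values
KEY_LEN = 16                                  # assumed IPSec key length


class KeyMessageError(ValueError):
    """Raised when a key message must not be installed in the IP stack."""


def toy_cipher(data: bytes, key: bytes) -> bytes:
    """XOR stand-in for both levels; it is its own inverse and is not secure."""
    return bytes(a ^ b for a, b in zip(data, cycle(key)))


def sender_wrap(ipsec_key, drm_key, ca_key=None):
    """Sender side: optional first level (CA), then second level (DRM).

    The indicator sits outside the first-level encryption but inside the
    second-level encryption (layout assumed for this example).
    """
    if ca_key is None:
        inner = bytes([FIRST_LEVEL_NO]) + ipsec_key
    else:
        inner = bytes([FIRST_LEVEL_YES]) + toy_cipher(ipsec_key, ca_key)
    return toy_cipher(inner, drm_key)


class KeyManager:
    def __init__(self, drm_decrypt, ca_plugin=None):
        self.drm_decrypt = drm_decrypt  # models DRM server 2655
        self.ca_plugin = ca_plugin      # models CA plug-in 2657; may be absent

    def recover(self, encrypted_key: bytes) -> bytes:
        second = self.drm_decrypt(encrypted_key)  # second-level decrypted key
        if len(second) != 1 + KEY_LEN:
            raise KeyMessageError("unexpected key message length")
        indicator, body = second[0], second[1:]
        if indicator == FIRST_LEVEL_NO:
            return body                           # already fully decrypted
        if indicator == FIRST_LEVEL_YES:
            if self.ca_plugin is None:
                raise KeyMessageError("first-level encrypted, no CA plug-in")
            key = self.ca_plugin(body)            # first-level decryption
            if len(key) != KEY_LEN:
                raise KeyMessageError("CA plug-in returned a malformed key")
            return key
        # Fail closed: never guess how to treat an unknown indicator value.
        raise KeyMessageError("unknown encryption indicator")


def demo():
    """Returns whether both wrapping modes recover the original key."""
    ipsec_key = bytes(range(KEY_LEN))             # constructed sample key
    drm_key, ca_key = b"constructed-drm-key", b"constructed-ca-key"
    km = KeyManager(lambda m: toy_cipher(m, drm_key),
                    lambda m: toy_cipher(m, ca_key))
    both = km.recover(sender_wrap(ipsec_key, drm_key, ca_key))
    drm_only = km.recover(sender_wrap(ipsec_key, drm_key))
    return both == ipsec_key, drm_only == ipsec_key
```

Rejecting the message when the indicator is unknown or the CA plug-in is missing keeps a still-encrypted blob from being installed as an IPSec key, which would otherwise show up only as every content datagram failing to decrypt.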
Fig. 27 illustrates a system 2700 for configuring a security plug-in software module 2701 at a receiving device 2750, according to an embodiment of the invention. The security plug-in software module 2701 is formatted as an installation package 2705 (e.g., a Symbian-supported SIS file). The installation package 2705 is protected, forming a protected packet 2707, and is transmitted to the receiving device through a transmission mechanism. The present embodiment supports different communication channels in the transfer mechanism, including wireless communication channels where the receiving device is a wireless terminal. The received protected packets 2707 are sent directly to the application installer 2751, which is a trusted application. Application installer 2751 extracts new security plug-in software module 2701 from protected packet 2707 and replaces current security plug-in software module 2755 currently installed in receiving device 2750 with new plug-in software module 2701. To extract a new security plug-in software module 2701, receiving device 2750 receives rights object 2703, which is processed by DRM 2753. Accordingly, DRM 2753 indicates to application installer 2751 that a replacement of the security plug-in software module is permitted.
In embodiments of the present invention, the component configurations shown in fig. 3 through 16 may be combined with the systems shown in fig. 20, 22, and 23.
As will be appreciated by one skilled in the art, the exemplary embodiments disclosed herein may be implemented using a computer system having an associated computer-readable medium including instructions for controlling the computer system. The computer system may include at least one computer, such as a microprocessor, digital signal processor, and associated peripheral circuits.
While the invention has been described with respect to specific examples including preferred modes of carrying out the invention, those skilled in the art will appreciate that there are numerous variations and permutations of the above described systems and techniques that fall within the spirit and scope of the invention as set forth in the appended claims.
Claims (74)
1. A method of transmitting data over a communication system during a multimedia session comprising a plurality of media components, comprising:
(A) encrypting a first datagram with a first key and including the encrypted first datagram in a first component of the multimedia session, wherein the first datagram contains multimedia content;
(B) transmitting the encrypted first datagram of the first component in a time slice burst; and
(C) transmitting first key information in the time slice burst, wherein the first key information contains the first key.
2. The method as recited in claim 1, wherein (C) comprises:
(i) including the first key information in a respective datagram in a first keystream of the multimedia session; and
(ii) transmitting the respective datagrams of the first keystream in the time slice burst.
3. The method as recited in claim 1, further comprising:
(D) encrypting a second datagram with a second key and including the encrypted second datagram in the first component of the multimedia session, wherein the encrypted second datagram contains multimedia content;
(E) transmitting the encrypted second datagram in the time slice burst; and
(F) transmitting second key information in the time slice burst, wherein the second key information contains the second key.
4. The method as recited in claim 2, further comprising:
(D) encrypting a second datagram with the first key and including the encrypted second datagram in a second component of the multimedia session, wherein the encrypted second datagram contains multimedia content; and
(E) transmitting the encrypted second datagram in the time slice burst.
5. The method as recited in claim 2, further comprising:
(D) transmitting a second datagram of a second component in said time slice burst without encrypting said second datagram.
6. The method as recited in claim 2, further comprising:
(D) encrypting a second datagram with a second key and including the encrypted second datagram in a second component of the multimedia session, wherein the second datagram contains associated multimedia content;
(E) transmitting the encrypted second datagram in the time slice burst; and
(F) including the second key in an associated datagram of the first keystream in the time slice burst.
7. The method as recited in claim 2, further comprising:
(D) encrypting a second datagram with a second key and including the encrypted second datagram in a second component of the multimedia session, wherein the encrypted second datagram contains associated multimedia content;
(E) transmitting the encrypted second datagram in the time slice burst; and
(F) including the second key in an associated datagram of a second keystream in the time slice burst.
8. The method of claim 2, wherein the first key stream includes a subsequent key that is applied to the encryption of the first component at a subsequent time.
9. The method of claim 2, wherein the first key stream includes a subsequent key that is applied to encryption of the first component at a subsequent time.
10. The method as recited in claim 1, further comprising:
(D) encrypting the first key information before transmitting the first key information.
11. The method as set forth in claim 1, wherein (A) through (C) are performed in a communication system selected from the group consisting of a digital video broadcasting-handheld (DVB-H) system, a digital video broadcasting-terrestrial (DVB-T) system, an Advanced Television Systems Committee (ATSC) system, and an integrated services digital broadcasting-terrestrial (ISDB-T) system.
12. The method of claim 1, wherein the first datagram comprises an Internet Protocol (IP) packet.
13. The method of claim 1, wherein the first key comprises an internet protocol security (IPSec) key.
14. An apparatus for transmitting data over a communication system during a multimedia session comprising a plurality of media components, comprising:
means for encrypting a first datagram with a first key and including the encrypted first datagram in a first component of the multimedia session, wherein the first datagram contains multimedia content;
means for sending the encrypted first datagram of the first component in a time slice burst; and
means for transmitting first key information in the time slice burst, wherein the first key information comprises the first key.
15. The apparatus as recited in claim 14, wherein the means for transmitting the first key information in the time slice burst comprises:
means for including the first key information in a respective datagram in a first keystream of the multimedia session; and
means for transmitting the respective datagrams of the first keystream in the time slice burst.
16. The apparatus as recited in claim 14, further comprising:
means for encrypting a second datagram with a second key and including the encrypted second datagram in the first component of the multimedia session, wherein the encrypted second datagram contains multimedia content;
means for transmitting the encrypted second datagram in the time slice burst; and
means for transmitting second key information in the time slice burst, wherein the second key information comprises the second key.
17. A method of receiving data over a communication system during a multimedia session comprising a plurality of media components, comprising:
(A) receiving a time slice burst comprising an encrypted first datagram and first key information, the encrypted first datagram being associated with a first component of the multimedia session, the encrypted first datagram comprising multimedia content;
(B) determining a first key from the first key information; and
(C) decrypting the encrypted first datagram with the first key.
18. The method as recited in claim 17, wherein (B) comprises:
(i) processing a respective datagram that includes the first key information, the respective datagram being included in a first keystream associated with the multimedia session.
19. The method as recited in claim 17, further comprising:
(D) receiving an encrypted second datagram and second key information in the time slice burst, the encrypted second datagram being included in the first component of the multimedia session, the second datagram containing multimedia content;
(E) determining a second key from the second key information; and
(F) decrypting the encrypted second datagram with the second key.
20. The method as recited in claim 18, further comprising:
(D) receiving an encrypted second datagram in the time slice burst, the encrypted second datagram being included in another component of the multimedia session, the encrypted second datagram containing multimedia content; and
(E) decrypting the encrypted second datagram with the first key.
21. The method as recited in claim 18, further comprising:
(D) receiving a second datagram in the time slice burst, the second datagram being included in another of the plurality of media components, the second datagram being unencrypted.
22. The method as recited in claim 18, further comprising:
(D) receiving in the time slice burst an encrypted second datagram and an associated datagram, the encrypted second datagram being included in another of the plurality of media components, the encrypted second datagram containing multimedia content, the associated datagram being included in the first keystream;
(E) determining a second key from the associated datagram; and
(F) decrypting the encrypted second datagram with the second key.
23. The method as recited in claim 18, further comprising:
(D) receiving in the time slice burst an encrypted second datagram and an associated datagram, the encrypted second datagram being included in another one of the plurality of media components, the encrypted second datagram containing multimedia content, the associated datagram being included in another keystream;
(E) determining a second key from the associated datagram; and
(F) decrypting the encrypted second datagram with the second key.
24. The method of claim 18, wherein the first key stream includes a subsequent key that is applied to decrypt the first component at a subsequent time.
25. The method of claim 18, wherein the first key stream includes a subsequent key that is applied to decrypt the first component at a subsequent time.
26. The method as recited in claim 17, further comprising:
(D) decrypting the first key prior to performing (C).
27. The method as recited in claim 17, wherein (A) through (C) are performed in a communication system selected from the group consisting of a DVB-H system, a DVB-T system, an ATSC system and an ISDB-T system.
28. The method of claim 17, wherein the first datagram comprises an IP packet.
29. The method of claim 17, wherein the first key comprises an IPSec key.
30. An apparatus for receiving data over a communication system during a multimedia session comprising a plurality of media components, comprising:
means for receiving a time slice burst comprising an encrypted first datagram and first key information, the encrypted first datagram being associated with a first component of the multimedia session, the encrypted first datagram comprising multimedia content;
a module for determining a first key from the first key information; and
means for decrypting the encrypted first datagram with the first key.
31. The apparatus of claim 30, wherein the means for determining a first key from the first key information comprises:
means for processing a respective datagram that includes the first key information, the respective datagram being included in a first keystream associated with the multimedia session.
32. The apparatus as recited in claim 30, further comprising:
a module that receives an encrypted second datagram and second key information in the time slice burst, the encrypted second datagram being included in the first component of the multimedia session, the second datagram containing multimedia content;
a module for determining a second key from the second key information; and
a module for decrypting the encrypted second datagram with the second key.
33. A method of transmitting data over a communication system during a multimedia session comprising a plurality of media components, comprising:
(A) encrypting a first datagram with a first key and including the encrypted first datagram in a first component of the multimedia session, wherein the first datagram contains multimedia content;
(B) transmitting the encrypted first datagram in a time slice burst; and
(C) transmitting a respective datagram including the first key in the time slice burst, the respective datagram being included in the first component.
34. The method as recited in claim 33, further comprising:
(D) encrypting a second datagram with a second key and including the encrypted second datagram in the first component;
(E) transmitting the encrypted second datagram in the time slice burst; and
(F) transmitting an association datagram including the second key in the time slice burst, the association datagram being included in the first component.
35. The method as recited in claim 33, further comprising:
(D) encrypting a second datagram with the first key and including the encrypted second datagram in a second component of the multimedia session; and
(E) transmitting the encrypted second datagram in the time slice burst.
36. The method as recited in claim 33, further comprising:
(D) transmitting other datagrams of another component in the time slice burst, the other datagrams being unencrypted.
37. The method as recited in claim 36, further comprising:
(E) encrypting a second datagram with the first key and including the encrypted second datagram in a second component of the multimedia session; and
(F) transmitting the encrypted second datagram in the time slice burst.
38. The method as recited in claim 33, further comprising:
(D) encrypting a second datagram with a second key and including the encrypted second datagram in a second component of the multimedia session, wherein the second datagram contains multimedia content;
(E) transmitting the encrypted second datagram in the time slice burst; and
(F) transmitting a further datagram, the second key being included in the further datagram, the further datagram being included in the second component.
39. The method as recited in claim 33, further comprising:
(D) transmitting a subsequent datagram that includes a subsequent key that is subsequently applied to encrypt the first component, the subsequent datagram being included in the first component.
40. A method as claimed in claim 39, wherein the subsequent key is subsequently applied to encrypt another component.
41. The method as recited in claim 33, wherein (A) through (C) are performed in a communication system selected from the group consisting of a DVB-H system, a DVB-T system, an ATSC system and an ISDB-T system.
42. The method of claim 33, wherein the first datagram comprises an IP packet.
43. The method of claim 33, wherein the first key comprises an IPSec key.
44. A method of transmitting data during a multimedia session comprising a plurality of components, comprising:
(A) encrypting a first datagram with a first key and including the encrypted first datagram in a first component of the multimedia session, wherein the first datagram contains multimedia content;
(B) transmitting the encrypted first datagram in a time slice burst;
(C) transmitting a respective datagram and including the first key in the respective datagram, the respective datagram being included in another component in the time slice burst;
(D) encrypting a second datagram with a second key and including the encrypted second datagram in other components of the multimedia session, the second datagram containing multimedia content;
(E) transmitting the encrypted second datagram in the time slice burst; and
(F) sending an association datagram in the time slice burst and including the second key in the association datagram, the association datagram being included in the first component.
45. A method of transmitting data during a multimedia session, comprising:
(A) encrypting a first datagram with a first key and including the encrypted first datagram in a first component of the multimedia session, the first datagram containing multimedia content;
(B) including the first key in the first datagram; and
(C) transmitting the first datagram in a time slice burst.
46. The method as recited in claim 45, further comprising:
(D) encrypting a second datagram with the first key and including the encrypted second datagram in another component of the multimedia session, the second datagram containing multimedia content; and
(E) transmitting the encrypted second datagram in the time slice burst.
47. An apparatus for transmitting data over a communication system during a multimedia session comprising a plurality of media components, comprising:
means for encrypting a first datagram with a first key and including the encrypted first datagram in a first component of the multimedia session, wherein the first datagram contains multimedia content;
means for transmitting the encrypted first datagram in a time slice burst; and
means for sending a respective datagram including the first key in the time slice burst, the respective datagram being included in the first component.
48. A method of receiving data over a communication system during a multimedia session comprising a plurality of media components, comprising:
(A) receiving encrypted first datagrams and corresponding datagrams in a time slice burst, the encrypted first datagrams and corresponding datagrams included in a first component of the multimedia session, the encrypted first datagrams containing multimedia content;
(B) determining a first key from the respective datagram; and
(C) decrypting the encrypted first datagram with the first key.
49. The method as recited in claim 48, further comprising:
(D) receiving an encrypted second datagram and a further datagram in the time slice burst, the encrypted second datagram being included in the first component, the encrypted second datagram containing multimedia content;
(E) determining a second key from the further datagram; and
(F) decrypting the encrypted second datagram with the second key.
50. The method as recited in claim 48, further comprising:
(D) receiving an encrypted second datagram in the time slice burst, the encrypted second datagram being included in another component of the multimedia session, the encrypted second datagram containing multimedia content; and
(E) decrypting the encrypted second datagram with the first key.
51. The method as recited in claim 48, further comprising:
(D) receiving a second datagram in the time slice burst, the second datagram being included in another component of the multimedia session, the second datagram being unencrypted.
52. The method as recited in claim 51, further comprising:
(E) receiving a third datagram in the time slice burst, the third datagram being included in an additional component of the multimedia session, the third datagram containing multimedia content; and
(F) decrypting the third datagram with the first key.
53. The method as recited in claim 48, further comprising:
(D) receiving an encrypted second datagram and a further datagram in the time slice burst, the encrypted second datagram and the further datagram being included in another component of the multimedia session, the encrypted second datagram containing multimedia content;
(E) determining a second key from the further datagram; and
(F) decrypting the encrypted second datagram with the second key.
54. The method as recited in claim 48, further comprising:
(D) receiving a subsequent datagram including a subsequent key, the subsequent datagram being included in the first component, and decrypting the first component using the subsequent key.
55. The method as recited in claim 54, further comprising:
(E) decrypting the second component using the subsequent key.
56. The method of claim 48, wherein (A) through (C) are performed in a communication system selected from the group consisting of a DVB-H system, a DVB-T system, an ATSC system, and an ISDB-T system.
57. The method of claim 48, wherein the first datagram comprises an IP packet.
58. The method of claim 48, wherein the first key comprises an IPSec key.
59. A method of receiving data over a communication system during a multimedia session, comprising:
(A) receiving first, second, third, and fourth encrypted datagrams in a time slice burst, the first and fourth encrypted datagrams included in a first component of the multimedia session, the second and third encrypted datagrams included in a second component of the multimedia session, the first and second encrypted datagrams containing multimedia content;
(B) determining a first key from the third datagram;
(C) decrypting the first encrypted datagram with the first key;
(D) determining a second key from the fourth datagram; and
(E) decrypting the second encrypted datagram with the second key.
60. A method of receiving data during a multimedia session comprising a plurality of media components, comprising:
(A) receiving a first datagram in a time slice burst, the first datagram being included in a first component of the multimedia session, the first datagram containing multimedia content;
(B) determining a first key from the first datagram; and
(C) decrypting the first datagram with the first key.
61. The method as recited in claim 60, further comprising:
(D) receiving a second encrypted datagram in the time slice burst, the second encrypted datagram being included in another component, the second encrypted datagram containing multimedia content; and
(E) decrypting the second encrypted datagram with the first key.
62. An apparatus for receiving data over a communication system during a multimedia session comprising a plurality of media components, comprising:
means for receiving a first encrypted datagram and a corresponding datagram in a time slice burst, the first encrypted datagram and the corresponding datagram being included in a first component of the multimedia session, the first encrypted datagram containing multimedia content;
means for determining a first key from the respective datagram; and
means for decrypting the first encrypted datagram with the first key.
63. An apparatus for transmitting data during a multimedia session comprising a plurality of media components, comprising:
a first interface for obtaining multimedia content datagrams encrypted with respective keys, the encrypted multimedia content datagrams containing multimedia content during the multimedia session;
a second interface for obtaining the respective key;
a transport interface for including the encrypted multimedia content datagrams in time slice bursts; and
a processor for instructing the transmission interface to include key information in the time slice burst with the encrypted multimedia content datagrams, the key information including the respective key.
64. The apparatus of claim 63, wherein the processor further forms a keystream separate from the plurality of media components, and wherein the keystream comprises the key information.
65. The apparatus of claim 63, wherein the processor further includes the key information in a same component as the encrypted multimedia content datagram.
66. The apparatus of claim 63, wherein the processor further includes the key information in a different component than the encrypted multimedia content datagram.
67. The apparatus as recited in claim 63, further comprising:
a radio module for modulating a wireless signal with the time slice burst.
68. An apparatus for transmitting data during a multimedia session comprising a plurality of media components, comprising:
means for encrypting a plurality of multimedia content datagrams, each multimedia content datagram being encrypted with an associated key, each associated key being included in key information; and
means for transmitting a plurality of encrypted multimedia content datagrams in time slice bursts with the key information.
69. The apparatus as recited in claim 68, further comprising:
means for encrypting the key information.
70. The apparatus as recited in claim 68, further comprising:
means for obtaining the plurality of multimedia content datagrams corresponding to a plurality of components, each component being associated with a type of multimedia content during the multimedia session.
71. An apparatus for receiving data during a multimedia session, comprising:
means for receiving a time slice burst during the multimedia session, the time slice burst comprising a plurality of multimedia content datagrams and key information, each multimedia content datagram being encrypted by an associated key included in the key information;
means for determining an associated key for each of the multimedia content datagrams; and
means for decrypting each of the multimedia content datagrams with the associated key.
72. The apparatus as defined in claim 71, wherein the means for determining the associated key comprises:
means for decrypting the associated key prior to performing means for decrypting each of the multimedia content datagrams.
73. The apparatus as recited in claim 71, further comprising:
means for separating a plurality of multimedia content datagrams for each respective component associated with a type of multimedia content during the multimedia session.
74. A method of providing data over a communication system during a multimedia session comprising a plurality of media components, comprising:
(A) encrypting a first datagram with a first key and including the encrypted first datagram in a first component of the multimedia session, the first datagram including multimedia content;
(B) transmitting the encrypted first datagram in a time slice burst;
(C) transmitting first key information in the time slice burst, wherein the first key information comprises the first key;
(D) receiving the time slice burst with the encrypted first datagram and the first key information;
(E) determining the first key from the first key information; and
(F) decrypting the encrypted first datagram with the first key.
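The receive-side flow of claims 17 to 26 (and the matching transmit side) can be sketched as follows. This is an added example, not code from the patent: the `Datagram` header layout, the `seal`/`unseal` construction (HMAC-SHA256 used as a stand-in stream cipher and MAC in place of a real traffic cipher such as the IPSec key of claim 29), the service key that wraps the traffic keys, and all sample values are assumptions made for illustration.

```python
import hashlib, hmac, os, struct
from dataclasses import dataclass

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: stdlib stand-in for the real traffic cipher.
    n = (len(data) + 31) // 32
    ks = b"".join(_mac(key, nonce + struct.pack(">I", i)) for i in range(n))
    return bytes(d ^ k for d, k in zip(data, ks))

def _tag(key, aad, nonce, ct):
    return _mac(_mac(key, b"mac"), struct.pack(">H", len(aad)) + aad + nonce + ct)

def seal(key, plaintext, aad):
    """Encrypt-then-MAC; aad binds the datagram header to the payload."""
    nonce = os.urandom(12)
    ct = _xor_stream(_mac(key, b"enc"), nonce, plaintext)
    return nonce + ct + _tag(key, aad, nonce, ct)

def unseal(key, blob, aad):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if len(blob) < 44 or not hmac.compare_digest(tag, _tag(key, aad, nonce, ct)):
        raise ValueError("authentication failed")
    return _xor_stream(_mac(key, b"enc"), nonce, ct)

def _hdr(stream, key_id):
    return stream.encode() + struct.pack(">I", key_id)

@dataclass
class Datagram:
    stream: str     # media component name, or "keystream" for key datagrams
    key_id: int     # 0 marks an unencrypted content datagram
    payload: bytes

def build_burst(service_key, traffic_keys, content):
    """Sender: wrapped traffic keys and content datagrams share one burst."""
    burst = [Datagram("keystream", kid, seal(service_key, tk, _hdr("keystream", kid)))
             for kid, tk in traffic_keys.items()]
    for stream, kid, data in content:
        body = seal(traffic_keys[kid], data, _hdr(stream, kid)) if kid else data
        burst.append(Datagram(stream, kid, body))
    return burst

def receive_burst(service_key, burst):
    """Receiver: unwrap all key datagrams first, so order in the burst is free."""
    keys = {d.key_id: unseal(service_key, d.payload, _hdr(d.stream, d.key_id))
            for d in burst if d.stream == "keystream"}
    out = {}
    for d in burst:
        if d.stream == "keystream":
            continue
        hdr = _hdr(d.stream, d.key_id)
        data = unseal(keys[d.key_id], d.payload, hdr) if d.key_id else d.payload
        out.setdefault(d.stream, []).append(data)
    return out

def demo():
    service_key = os.urandom(32)    # constructed sample; provisioned out of band
    tks = {1: os.urandom(32), 2: os.urandom(32)}    # constructed traffic keys
    content = [("video", 1, b"frame-1"), ("video", 2, b"frame-2"),
               ("audio", 1, b"pcm-1"), ("data", 0, b"programme guide")]
    burst = build_burst(service_key, tks, content)
    return service_key, burst, receive_burst(service_key, burst[2:] + burst[:2])
```

A receiver that lacks the service key fails at the key datagrams with an authentication error instead of emitting garbage, and a content datagram moved to a different component is rejected because its header is covered by the MAC.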
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/888,349 | 2004-07-09 | ||
US10/888,349 US20060018470A1 (en) | 2004-07-09 | 2004-07-09 | Managing traffic keys during a multi-media session |
PCT/IB2005/001899 WO2006008596A1 (en) | 2004-07-09 | 2005-07-01 | Managing traffic keys during a multi-media session |
Publications (2)
Publication Number | Publication Date |
---|---|
HK1104888A1 (en) | 2008-01-25 |
HK1104888B (en) | 2013-05-31 |