HK1113446B - Method for managing digital rights in broadcast/multicast service - Google Patents
Method for managing digital rights in broadcast/multicast service Download PDFInfo
- Publication number
- HK1113446B HK1113446B HK08103495.6A HK08103495A HK1113446B HK 1113446 B HK1113446 B HK 1113446B HK 08103495 A HK08103495 A HK 08103495A HK 1113446 B HK1113446 B HK 1113446B
- Authority
- HK
- Hong Kong
- Prior art keywords
- service
- domain
- key
- terminal
- broadcast
- Prior art date
Links
Description
Technical Field
The present invention relates to digital rights management (digital rights management), and more particularly, to a method for managing digital rights in a broadcast/multicast service of a mobile communication terminal.
Background
In general, a broadcast/multicast service refers to a service for providing a mobile communication terminal with a radio broadcast or a variety of additional information, etc. The broadcast/multicast service is a new type of service that includes a broadcast service in which a provider provides useful information to all clients subscribed to its service, and a multicast service for providing information only to a specific group of clients that have previously subscribed to a specific topic or content.
Since the broadcast/multicast service can simultaneously provide the same information to a plurality of clients, efficient network resource management allows high bandwidth applications to be provided. In addition, since the broadcast/multicast service provides various types of high-speed services according to the request of the client, it is possible to meet the demand and demand of the growing client.
In order to reliably protect and systematically manage rights related to content provided through broadcast/multicast services, service protection and content protection functions are required. Digital Rights Management (DRM), which is being actively discussed recently, is applied to a broadcast/multicast service to allow protection of content provided through the broadcast/multicast service.
By converting content into packet-type encrypted data using an encryption technique, the DRM can previously intercept unauthorized (or illegal) use of the content and thereafter allow a user who has completed an authentication and confirmation step for authorization to access the original content.
Therefore, in the related art method for managing digital rights in a broadcast/multicast service, each terminal using the service receives a Rights Object (RO) for using the service from a rights issuing server (rights issuer: RI), and then decodes encrypted service data or content using the received RO. Here, the RO may be encrypted by using a public key of each terminal.
That is, the RI transmits the RO encrypted by using the public key of each terminal to the terminals using the broadcast/multicast service. For example, if K number of terminals use the broadcast/multicast service, the RI generates ROs each of which is encrypted by using a public key of each of the K number of terminals, and must repeatedly transmit the generated ROs to all the terminals.
However, in the method for managing digital rights in a broadcast/multicast service, if there are many terminals using the service, the RI must generate/manage ROs encrypted using a public key of each terminal one by one, which results in an increased operation load and inefficient network operation and management.
Disclosure of Invention
Technical problem
An important aspect of the present invention is that the present inventors have recognized some of the disadvantages of the prior art as described above. Accordingly, the present inventors provide the following solutions to the above-described drawbacks.
An object of the present invention is to provide a method for managing digital rights for a broadcast/multicast service, which can effectively manage digital rights with respect to a group of mobile communication terminals using the same service.
Another object of the present invention is to provide a method for managing digital rights for a broadcast/multicast service, which can efficiently manage digital rights for a group of mobile communication terminals using the same service group.
Technical scheme
To achieve these and other advantages and in accordance with the purpose of the present invention, as embodied and broadly described herein, there is provided a method of managing digital rights in a broadcast/multicast service that simultaneously provides the same service data to one or more terminals, wherein a Rights Issuer (RI) transmits the same Rights Object (RO) and an encryption key for decoding the RO to a terminal using the same service, the terminal decoding encrypted service data, which the terminal has received from a broadcast/multicast server, using the transmitted RO and the encryption key.
According to a first aspect of the present invention, a method of managing digital rights in a broadcast/multicast service that simultaneously provides encrypted service data to one or more terminals, comprises: receiving, by the RI, a public key from a specific terminal that has requested service registration; transmitting a domain key for a specific domain to the terminal if the RI receives a subscription request for the specific domain from the terminal; and transmitting a domain rights object for service data provided to the domain from the RI to the terminal.
According to a second aspect of the invention, a method of managing digital rights in a broadcast/multicast service, comprises: receiving, by the RI, a registration request and a public key from a specific terminal; transmitting a domain key for a specific service domain to the terminal if the RI receives a subscription request for the service domain from the terminal; and encrypting, by the RI, the service domain rights object for the service domain using the domain key and then transmitting the encrypted service domain rights object to the terminal.
According to a third aspect of the present invention, a method of managing digital rights in a broadcast/multicast service, comprises: receiving, by the RI, a registration request and a public key from a specific terminal; encrypting a domain key for a specific service domain using the public key and then transmitting the encrypted domain key to the terminal if the RI receives a subscription request related to the specific service domain from the specific terminal; encrypting, by the RI, a service domain rights object for the service domain using the domain key and then transmitting the encrypted service domain rights object to the terminal; and encrypting, by the RI, the service data encryption key using the key message encryption key included in the service domain rights object and then transmitting the encrypted service data encryption key to the terminal.
According to a fourth aspect of the present invention, a method of managing digital rights in a broadcast/multicast service, comprises: receiving, by the RI, a registration request and a public key from a specific terminal; transmitting a domain key for a specific service package (bundle) to the terminal if the RI receives a subscription request related to the service package from the terminal; and encrypting, by the RI, the service package rights object for the service package using the domain key and then transmitting the encrypted service package rights object to the terminal.
According to a fifth aspect of the present invention, a method of managing digital rights in a broadcast/multicast service, comprises: receiving, by the RI, a registration request and a public key from a specific terminal; encrypting a domain key for a specific service package using the public key and then transmitting the encrypted domain key to the terminal if the RI receives a subscription request related to the service package from the terminal; encrypting, by the RI, a service package rights object for the service package using the domain key and then transmitting the encrypted service package rights object to the terminal; and encrypting, by the RI, the service data encryption key using the key message encryption key included in the service pack rights object and then transmitting the encrypted service data encryption key to the terminal.
According to a sixth aspect of the present invention, there is provided a method of managing digital rights in a broadcast/multicast service providing the same service data to one or more terminals, the method comprising: transmitting its public key to the RI by the terminal to request service registration; subscribing to a specific domain by the terminal, and receiving a domain key for the domain from the RI; obtaining, by the terminal, a domain rights object encrypted using the domain key from the RI; if the terminal receives the encrypted data service, checking whether there is a service data encryption key for decoding the service data; if it is checked that the terminal has the service data encryption key therein, the service data encryption key is detected, thereby decoding the service data.
The above and other objects, features, aspects and advantages of the present invention will become more apparent from the following detailed description when taken in conjunction with the accompanying drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention.
In the drawings:
fig. 1 is a block diagram illustrating a structure of a broadcast/multicast service system according to the present invention;
FIG. 2 is an exemplary diagram illustrating an example of a service package;
FIG. 3 is an exemplary diagram illustrating an exemplary operating scheme based on a service domain in accordance with the present invention;
fig. 4 is a signal flow diagram illustrating a first embodiment of a method for managing digital rights in accordance with the present invention;
fig. 5 is a signal flow diagram illustrating a second embodiment of a method for managing digital rights in accordance with the present invention;
FIG. 6 depicts a key hierarchy for service protection in accordance with the present invention;
FIG. 7 illustrates the difference between service protection and content protection in accordance with the present invention;
FIG. 8 presents an exemplary key hierarchy for service protection and content protection in accordance with the present invention;
FIG. 9 illustrates service protection function blocks and interfaces between them according to an example of the invention; and
fig. 10 shows a table for explaining these interfaces according to the present invention and mapping them to BCAST reference points.
Detailed Description
Embodiments of an exemplary method for managing digital rights in a broadcast/multicast service according to the present invention will now be explained with reference to the accompanying drawings.
Generally, in digital rights management, in order to share a content rights object and a content encryption key, various devices (including terminals) use a concept called a domain.
The use of the domain allows the content and the content rights object to be shared among a variety of devices owned by one user, and the access-allowed device may be used by a device that does not allow access to the content publisher or the rights publisher to obtain the content and the content rights object. For example, a portable music playback apparatus without wireless internet capability may be connected to a Personal Computer (PC) that allows internet access, thereby obtaining content and content rights objects. Thus, the rights issuer manages the domain to handle the join request and retains the requests of the devices belonging to the domain.
The present invention may provide certain types of broadcast domains. All terminals subscribing to a service or service package share a common group key. The Service Encryption Key (SEK) or Program Encryption Key (PEK) will then be encrypted using this public group key. This type of broadcast domain is called a service domain. That is, a set (or group) of terminals subscribing to a service or service package and sharing a common encrypted key is called a service domain. A selectively combined set (or group) of one or more services is referred to herein as a service bundle.
A terminal in a service domain may share content and services with any other terminal in the same service domain, but subject to rights specified by the content or service provider. The advantage of the service domain is that the traffic change in SEK consumes very little bandwidth.
In the present invention, the RI transmits a key message related to a service domain, which is a group of terminals using the same service or service package, to the terminal.
Here, the key message refers to a means of information on a right to use the service domain, which is transmitted from the Right Issuer (RI) to the terminal (device) (when joining). A non-limiting example may be a service domain rights object (i.e. rights object: RO). Hereinafter, the present invention will simply refer to "rights objects" merely for convenience. It will be apparent that other types of key messages or other notification methods may be used.
Each terminal having received the domain Rights Object (RO) decodes the domain RO corresponding to its domain by using the domain key belonging thereto. Here, the RI issues some rights objects equal to the number of service domains regardless of the number of terminals using the service or service package. Terminals belonging to the same domain share the same domain key with each other.
In the present invention, the RI receives a public key from a terminal requesting service registration, encrypts a domain key corresponding to a domain that the terminal intends to use using the public key, and then transmits the encrypted domain key. The RI then transmits a domain Rights Object (RO) encrypted by using the domain key. Here, the domain RO contains a service data encryption key for decoding encrypted service data received from the broadcast/multicast server.
In the present invention, the RI receives a public key from a terminal requesting service registration. The RI then encrypts a domain key corresponding to the domain that the terminal wants to use, using the public key. The RI then transmits the encrypted domain key to the terminal. In addition, the RI encrypts the domain RO containing the key message encryption key using the domain key and then transfers the encrypted domain RO to the terminal. The RI also encrypts a service data encryption key for decoding service data received from the broadcast/multicast server using the key message encryption key and then transmits the encrypted service data encryption key to the terminal.
Fig. 1 is a block diagram illustrating an exemplary structure of a broadcast/multicast service system according to the present invention. The broadcast/multicast service system may roughly include a terminal 10, a broadcast/multicast (BCAST) server 20 for providing a service to the terminal 10, and a Rights Issuer (RI)30 for managing a Rights Object (RO) to allow the terminal 10 to use the service.
Here, the RI 30 may transmit the RO to the terminal 10, or the BCAST server 20 may receive the RO from the RI 30 and then transmit the received RO to the terminal 10.
The present invention can classify the terminal according to the service or service package used. The service pack is framed as one pack by combining one or more services (contents) which are independent of each other. Here, a set (or group) of terminals subscribing to a service or service package and sharing a common encrypted key is referred to as a service domain. Likewise, a collection (or group) of one or more services that are selectively combined is referred to as a service package. Here, one terminal may belong to one or more service domains.
Fig. 2 is an exemplary diagram illustrating a service package concept.
Referring to fig. 2, it is assumed that a service package 1 is a package containing service 1 and service 2, a service package 2 is a package containing service 1 and service 3, a service package 3 contains service 1, and a service package 4 is a package containing service 3 and service 4. A terminal subscribed to the service package 1 may use the services 1 and 2, and a terminal subscribed to the service package 4 may use the services 3 and 4. It should be noted that a group of multiple terminals may use one or more services within a service package.
Therefore, the RI 30 does not issue an RO for each terminal 10, but issues an RO for a service domain to which the terminal 10 belongs. That is, the domain ROs received from the RI 30 by the terminals 10 belonging to the same service domain are the same. The domain RO is encrypted using a domain key corresponding to each domain, and thus, the terminals belonging to the same domain can share the domain key for decoding the RO.
Fig. 3 illustrates an example operational scenario based on a service domain in accordance with the present invention. Here, the first terminal 11 and the second terminal 12 subscribe to the first service package, and the third terminal 13 subscribes to the second service package.
First, the first and second terminals 11 and 12 receive a domain key for a first service domain from an RI (not shown) to have the domain key, and the third terminal 13 receives and has a domain key for a second service domain.
The RI or the broadcast/multicast server 20 may transmit the service domain RO to each of the terminals 11, 12, and 13. Fig. 3 shows an example where the broadcast/multicast server 20 receives an RO for each service domain from the RI (not shown) and then transfers the received RO to each of the terminals 11, 12, and 13.
Then, each of the terminals 11, 12, and 13, which has received the domain RO, decodes the domain RO by using the domain key each of the terminals 11, 12, and 13 has. That is, among the received two domain ROs, the first terminal 11 and the second terminal 12 may decode the first service domain RO, and the third terminal 13 may decode the second service domain RO.
As described in the foregoing, in the present invention, the RI or the broadcast/multicast server issues a certain number of domain ROs equal to the number of service domains regardless of the number of terminals using the service, and each terminal decodes only the domain RO that it can decode using its domain key of the domain RO. Therefore, the service system according to the present invention can maintain security for services (contents) and at the same time efficiently use a network between a server and a terminal.
Fig. 4 is a signal flow diagram illustrating a first embodiment of an exemplary method for managing digital rights (copyrights) in accordance with the present invention. In particular, fig. 4 illustrates a process for a terminal of a hierarchical structure with reference to a security key to receive a domain RO and service data.
As illustrated in fig. 4, the first layer is used to allow service registration to be performed between the terminal 10 and the RI 30 (S11). It should be noted that the above-described device registration may be performed in an offline manner or in an online manner. Examples of ways to be online include using a broadcast or interactive channel.
The public key of the terminal 10 can be transferred to the RI 30 via the first layer and a security algorithm used between the terminal 10 and the RI 30 is negotiated. Here, RI background (context) may be generated in the terminal 10. The RI context may contain information negotiated when the terminal 10 registers with the RI 30, in particular, RI ID, certificate of RI, version, security algorithm, and other information.
The second layer, which serves as a domain management layer, is used to subscribe to and leave (terminate) a particular service domain. Here, before using the second layer, the terminal 10 may receive a service guide containing information (service information, domain information, etc.) describing broadcast/multicast services that the terminal 10 may use.
After confirming a service available in the terminal 10 via the service guide, the user requests a domain subscription from the RI 30 using the terminal 10 (S13), and the RI 30 transmits a domain key encrypted by using a public key to the terminal 10 (S15). When requesting the domain subscription, the terminal 10 transmits a service ID or service package ID, a terminal digital signature, etc. as parameter types.
As a result of the domain subscription, a domain background is generated in the terminal 10. The domain context contains information related to a domain key, a domain ID, domain validity, and the like.
When the terminal requests a domain departure (termination) from the RI 30, the RI 30 deletes the corresponding terminal 10 from the list of terminals belonging to the domain, and the terminal 10 deletes (terminates) its relationship with the domain.
The third layer is used as an RO management layer. The RI 30 uses the third layer to deliver a service domain RO to the terminal 10 (S17). Here, the domain RO contains one or more service data encryption keys (e.g., SEK: service encryption key), which are encrypted using the domain key.
The RI 30 may directly transmit the service domain RO to the terminal 10 or may transmit it to the terminal 10 via the broadcast/multicast server 20. That is, the RI 30 transmits the service domain RO to the broadcast/multicast server 20, and the broadcast/multicast server 20, which has received the RO, transmits the corresponding RO to the terminal 10. Here, the RO transmitted from the RI 30 may be transmitted to the terminal 10 via the broadcast/multicast server 20. The transmission of the RO to the terminal 10 directly or via the broadcast/multicast server 20 may be selectively used according to need. If the RI 30 can be provided with the necessary functions performed by the broadcast/multicast server 20, the RI 30 can directly transmit the RO to the terminal 10.
The fourth layer is used as a service encryption layer. The broadcast/multicast server 20 transmits the service data encrypted using the service data encryption key to the terminal 10 via the fourth layer (S19). The terminal 10 receives an RO related to a specific service domain and service data encrypted using a specific service data encryption key, and decodes the service data using the RO. A method of decoding the service data by the terminal will be explained later.
Accordingly, since the service data encryption key for decoding the service data has been encrypted using the domain key, the terminal having the same domain key can obtain the service data encryption key to thereby execute the service data.
Fig. 5 is a signal flow diagram illustrating a second embodiment of an exemplary method for managing digital rights in accordance with the present invention. A procedure for receiving the domain RO and the service data by the terminal is described with reference to a hierarchical structure of security keys.
In particular, in a second embodiment of the present invention, a key message encryption key (e.g., TEK: traffic encryption key) used to derive a service data encryption key is used in addition to one or more service data encryption keys (e.g., SEK: service encryption key) of the first embodiment to maintain the service data to provide additional protection and security.
Thus, in addition to the shared Public Key (PK), there is a specific relationship for certain security keys (i.e. domain keys SEK, TEK) used by the device (terminal) and the Rights Issuer (RI). That is, the domain key is used to encrypt and decrypt a Rights Object (RO) including one or more SEKs, which are used for TEK encryption and decryption, and TEK is used for content encryption and decryption.
As illustrated in fig. 5, first, when the terminal 10 requests registration to the RI 30 on the first layer (S21), a security algorithm to be used between the terminal 10 and the RI 30 is negotiated. It should be noted that the above-described device registration may be performed in an offline manner or in an online manner. Examples of ways to be online include using a broadcast or interactive channel.
As a result of the registration request, an RI background is generated in the terminal 10. The RI context contains information related to the RI ID, the RI's certificate, version, security algorithms, and other information.
Before performing operations on the second layer, the terminal 10 may receive a service guide related to a broadcast/multicast service that may be used thereby.
On the second layer, the terminal 10 requests subscription to a service domain for providing a specific service or service package from the RI 30 (S23). The RI 30 transmits the domain key encrypted using the public key of the terminal 10 to the terminal 10 (S25). When requesting the domain subscription, the terminal 10 transmits a service ID or service package ID, a terminal digital signature, etc. to the RI 30.
Accordingly, the domain background is generated in the terminal 10 that has received the domain key from the RI 30. The domain context contains information related to a domain key, a domain ID, domain validity, and the like. When the terminal 10 requests subscription to one or more service domains, the number of domain keys and domain IDs the terminal 10 can have will be equal to the number of domains.
The third layer is used as an RO management layer. The RI 30 transfers the service domain RO to the terminal 10 via the third layer (S27). Here, since the domain RO contains one or more service data encryption keys (e.g., SEK: service encryption key) encrypted using the domain key, only the terminal belonging to the service domain having the domain key can decode the service data encryption key.
The RI 30 may directly transmit the RO to the terminal 10 as in the first embodiment, or may transmit it to the terminal 10 via the broadcast/multicast server 20. If the RI 30 is provided with the necessary capability of the broadcast/multicast server 20, the RO can be directly delivered to the terminal 10.
The fourth layer is used as a key transport layer. The RI 30 transmits a service data encryption key (e.g., TEK: traffic encryption key) encrypted using a key message encryption key to the terminal 10 via the fourth layer. Therefore, only those terminals having the key message encryption key can decode the service data encryption key.
The service data encryption key may be transmitted to the terminal 10 via the broadcast/multicast server 20 and via the RI 30. Here, the RI 30 transmits the service data encryption key to the broadcast/multicast server 20, and the broadcast/multicast server 20 then transmits the corresponding service data encryption key to the terminal 10. If the RI 30 is provided with the necessary capabilities of the broadcast/multicast server 20, the TEK may be directly transmitted to the terminal 10.
The fifth layer is used as a service encryption layer. The broadcast/multicast server 20 transmits the service data encrypted using the service data encryption key to the terminal 10 via the fifth layer (S31).
The hierarchy of security keys according to the invention may have other structures than those shown in the first and second embodiments for the service domain.
The present invention may be further understood by reference to fig. 6, which depicts a key hierarchy for service protection in accordance with the present invention. That is, fig. 6 shows a key hierarchy for service protection by domain according to the present invention.
Layer 1 enables device (terminal) registration. The keying material and metadata obtained during the enrollment phase will enable the device to decrypt and verify the rights object and subsequently access the content.
Fig. 6 shows a scenario in which a device registers its public key with a Rights Issuer (RI) via device registration, and the rights issuer encrypts a Service Encryption Key (SEK) using the device public key. Here, not only the device but also another domain may register with the rights issuer. To do so, a domain may register a "public key of a device in the domain" or a "domain key" with a rights issuer.
Layer 2 performs service group management functions. OMA DRM join/leave domain protocols may be used for devices with access to an interaction channel. This layer transmits the Service Encryption Key (SEK) as a domain key. The Service Encryption Key (SEK) may be updated via generation of a new domain or via a domain upgrade.
Layer 3 implements the rights management function. A Rights Object (RO) that can be protected by a service key (e.g. SEK) contains a traffic key (e.g. TEK) that is required to decrypt (part of) the service, and an identifier that allows linking the traffic key with the encrypted content and domain. The key period (i.e., lifetime) of the traffic key may be relatively short to avoid real-time distribution attack.
The idea behind layer 3 is to provide enhanced security, scalability and richer use case support. The specification for layer 3 will ensure that these requirements are met.
It should be noted that the structural framework does not exclude solutions comprising changing security elements such as key derivation.
Since the execution of layer 2 may be disturbed by unexpected situations, layer 3 should be implemented to be executed after a reasonable time delay from the layer 2 step.
Layer 4 uses the service key to implement encryption of the broadcast content. The encryption may be performed at the network layer (i.e., IP), transport layer (e.g., UDP), or session layer (e.g., RTP).
The invention may be further understood by reference to fig. 7 to 10 and the following description.
The service and content protection function allows both content and services delivered within the mobile broadcast service to be protected in a BDS-agnostic way (BDS-agnostic way). Fig. 7 illustrates the difference between service protection and content protection.
Service protection has the purpose of allowing access to the service, i.e. a defined (audio-visual) data set for a specified amount of time. Service protection assumes that there is no responsibility for the content after it has been released to the user terminal, which does not provide any technical means to protect the content outside the bit pipe that implements access control.
Content protection has the purpose of guaranteeing individual pieces of content. The content may or may not have post-delivery usage rights associated therewith.
Service protection unrelated to content protection is intended for subscription management. Without content protection, the rights to use the content may typically be free of charge, or in accordance with applicable regulations, business models, or other requirements, but these considerations are beyond these limits. The content protection process delivers post-delivery usage rights that specify how the content may be used in terms of rights and restrictions.
Fig. 8 shows a key hierarchy for service protection and content protection.
Layer 1 performs authentication. This keying material and metadata obtained during the user identification (SI) or device registration phase will allow the user or device to be authenticated and subsequently access the content and be reliably stored within the terminal or smart card. Here, the smart card may be a USIM/(R-) UIM. This keying material obtained in layer 1 and used to protect long-term key delivery in layer 2 is referred to as a user management key or rights encryption key.
Layer 2 performs long-term key message (LTKM) delivery. This layer carries either a Service Encryption Key (SEK) or a Program Encryption Key (PEK). The service or program encryption key is an intermediate key, i.e. it does not encrypt the content directly, but instead protects a sequence of Traffic Encryption Keys (TEKs). To manage and protect service subscriptions, the SEK or PEK will be updated with a crypto period that is typically longer than the TEK traffic key.
Layer 3 performs short-term key messaging over a broadcast or interactive channel. The TEK, encrypted by SEK or PEK, or the necessary data that can be used to derive the service key, is sent to the terminal together with the identifier that allows linking the service key with the encrypted content.
The idea behind layer 3 is to provide enhanced security, scalability and richer use case support. The specification for layer 3 will ensure that these ideas are met.
Layer 4 or protection performs broadcast content encryption with the short-term service key. The encryption may be performed at the network layer (i.e., IP), transport layer (e.g., UDP), session layer (e.g., RTP), or content layer for the service protection (AU encryption).
Fig. 9 shows service protection function blocks and interfaces between them. Since the features shown in fig. 9 will be understood by those skilled in the art, a detailed explanation is omitted only for the sake of brevity.
Fig. 10 shows a table that explains these interfaces and maps them to BCAST reference points:
file application/streaming application functionality
A file application/stream application function (FA/SA) in the BSA is responsible for receiving files and streams from Content Creation and transmitting the files and streams having attributes and additional information to BCAST Service Distribution/modification (BCAST Service Distribution/addition).
SP management function
The service protection management function (SP-M) in the BSM is responsible for registration, LTKM delivery over the interaction channel. A long-term key message containing the SEK is transmitted from the SP-M to the SP-C. Broadcast-only terminals require an out-of-band channel to initiate requests for registration and long-term key messaging, and broadcast-only terminals receive responses for registration and this long-term key messaging on the broadcast channel.
The SP-M also handles STKM delivery and security group management. The STKM transmitted from the SP-M to the SP-KD is allocated to the SP-C via a broadcast channel. The security group management scheme may be used for efficient broadcast and revocation (revocation) procedures of long-term key messages. The SP-M is responsible for the domain management. The terminal can join or leave the domain using the SP-M.
SP Key distribution function
The service protection key distribution function (SP-KD) in BSD/a is responsible for broadcasting LTKM and STKM. The terminal may obtain TEK from STKM for decrypting encrypted services. The STKM, LTKM and registration keying material are sent from the SP-M to the SP-KD for distribution to the terminal. The SP-KD is also used to transmit STKM, LTKM and keying material over the broadcast channel for broadcast-only terminals.
SP encryption function
A service protection encryption function (SP-E) in the BSD/a is responsible for encrypting services for transmission over the broadcast channel. The TEK transmitted from the SP-M is used for encryption service. The format of the encrypted service depends on the particular service protection system.
SP decryption function
A service protection decryption function (SP-D) in the terminal is responsible for decrypting the encrypted service using the TEK extracted from the STKM. The STKM is transmitted from the SP-M to the SP-KD, and the SP-C receives the STKM from the SP-KD via a broadcast channel.
SP client function
The service protection client function (SP-C) is either in the terminal only or in both the terminal and the smart card. The SP-C is responsible for registering and obtaining the LTKM and STKM. After registration, the SP-C obtains the REK, SMK, or GMK, which originated from the registration. The LTKM contains the SEK used to encrypt the STKM. The SP-C also obtains TEK by decrypting STKM using SEK, and the TEK is sent to SP-D for decrypting the encrypted service.
The invention provides a broadcast-multicast service method, which comprises the following steps: receiving a request from a terminal to join a service domain having a common group key; transmitting encryption of one or more secure encryption keys using a common group key to a joining-requesting terminal; and allowing the terminal to share the same content and the same service with one or more other devices within the service domain.
The allowing step may further comprise: a rights object is transmitted that includes one or more service encryption keys, where each rights object is encrypted using the public group key. The service domain may include at least one service or a service package including a plurality of services. Each service may include a service encryption key. Each service encryption key is used to encrypt one or more traffic encryption keys. The traffic encryption key is used to encrypt service data of the same content and the same service.
Furthermore, the present invention provides a method for managing digital rights for a broadcast-multicast service, the method comprising: receiving a request from a terminal to join a service domain sharing a common group key; and transmitting a key message having one or more service encryption keys encrypted using the common group key to the terminal joining the service domain, so as to allow the terminal to share the same content and the same service with at least one other device within the service domain.
The key message may be a rights object. The service domain may include at least one service or a service package having a plurality of services. Each service may include a service encryption key. Each service encryption key is used to encrypt one or more traffic encryption keys. The traffic encryption key is used to encrypt service data or content.
In addition, the present invention provides a method for managing digital rights for a broadcast-multicast service, the method comprising: receiving a public group key when joining a service domain; receiving a rights object comprising one or more service encryption keys, wherein each rights object is encrypted using the public group key; and receiving the service data and decrypting the received service data using the received rights object.
The service domain includes at least one service or a service package including a plurality of services. Each service may include a service encryption key. Each service encryption key is used to encrypt one or more traffic encryption keys. The traffic encryption key is used to encrypt service data or content.
Furthermore, the present invention provides a method for managing digital rights for a broadcast-multicast service, the method comprising: negotiating a registration procedure between the device and the rights issuing server; performing a service domain joining procedure between the device and the rights issuing server based on the negotiated registration procedure to allow the device to share a domain key with respect to all devices that have joined the service domain; providing the device with a right to use the service domain by including one or more service data encryption keys that have been encrypted using the domain key; and allowing the device to access the contents of the service data transmitted from the rights issuing server by allowing the service data to be decrypted using the service data encryption key and the domain key.
The providing step further comprises: a service data encryption key is sent from the rights issuing server to the device, the service data encryption key having been encrypted using the key message encryption key.
The present invention provides a system for digital rights management for broadcast-multicast services, the system comprising: a content provider server adapted to provide broadcast-multicast service content; a device adapted to receive the broadcast-multicast service content after joining a service domain, the service domain sharing a domain key related to all devices that have joined the service domain; and a rights issuer server adapted to cooperate with the content provider server and the device to allow the device to join the service domain and properly decrypt content provided from the content provider by using the service encryption key and the service encryption key.
The service data encryption key may be transmitted from the rights issuer server to the device via the broadcast-multicast server.
The present invention provides a method for digital rights management for broadcast-multicast services, the method comprising: performing a service domain join procedure between the device and the rights issuer based on the negotiated registration procedure to allow the device to share a domain key; sending at least one rights object from the rights issuer to the device, the rights object being encrypted using the domain key and containing at least one service encryption key; the content of the broadcast-multicast service is used on the device when performing decryption using the traffic encryption key encrypted with the service encryption key.
The present invention provides a terminal supporting digital rights management for a broadcast-multicast service, the terminal comprising: a transceiver adapted to transmit and receive signals and information; and a processor cooperating with the transceiver and adapted to perform the steps of: receiving a request from a terminal to join a service domain having a common group key; encryption of one or more service encryption keys using a common group key is transmitted to a joining-requesting terminal to allow sharing of the same content and the same service with one or more other devices within the service domain.
The present invention provides a terminal supporting digital rights management for a broadcast-multicast service, the terminal comprising: a transceiver adapted to send and receive signals and information with a network; and a processor configured with the transceiver and adapted to perform the steps of: sending a request to the network to join a service domain that shares a common group key; and receiving a key message having one or more service encryption keys encrypted using a common group key over the network to allow sharing of the same content and the same service as at least one other device within the service domain.
The present invention provides a terminal supporting digital rights management for a broadcast-multicast service, the terminal comprising: a transceiver adapted to send and receive signals and information with a network; and a processor, coupled to the transceiver, and adapted to perform the steps of receiving a public group key when joining a service domain; receiving a rights object comprising one or more service encryption keys, wherein each rights object is encrypted using a common group key; and receiving the service data and decrypting the received service data using the received rights object.
The present invention provides a terminal supporting digital rights management for a broadcast-multicast service, the terminal comprising: a transceiver adapted to send and receive signals and information with a network; and a processor configured with the transceiver and adapted to perform the steps of: negotiating a registration procedure with an entitlement publication server for the network; performing a service domain joining procedure based on the negotiation registration procedure with the right issuing server to allow sharing of a domain key with respect to all devices that have joined the service domain; receiving a right to use the service domain, which includes one or more service data encryption keys that have been encrypted by a rights issuing server using the domain key; and accessing the contents of the service data transmitted from the right issuing server by performing decryption of the service data using the service data encryption key and the domain key.
The present invention provides a terminal supporting digital rights management for a broadcast-multicast service, the terminal comprising: a transceiver adapted to transmit and receive signals and information by means of a network having a rights issuer server and a content provider server; and a processor configured with the transceiver and adapted to perform the steps of: receiving contents of the broadcast-multicast service after joining a service domain sharing a domain key with respect to all devices that have joined the service domain; cooperating with the rights issuer server and the content provider server to allow joining the service domain; and appropriately decrypting the content provided from the content provider using the service encryption key and the traffic encryption key.
The present invention provides a terminal supporting digital rights management for a broadcast-multicast service, the terminal comprising: a transceiver adapted to transmit and receive signals and information via a network; and a processor configured with the transceiver and adapted to perform the steps of: the negotiation-based registration procedure performs a service domain join procedure with the rights issuer to allow sharing of the domain key; receiving at least one rights object from a rights issuer, the rights object having been encrypted by the rights issuer using a domain key and containing at least one service encryption key; and using the contents of the broadcast-multicast service when performing decryption by using the traffic encryption key encrypted with the service encryption key.
To implement the features described above, the present invention may employ various types of hardware and/or software components (modules). For example, different hardware modules may contain the various circuits and components necessary to perform the steps of the methods described above. Furthermore, different software modules (executed by processors and/or other hardware) may contain various codes and/or protocols necessary to perform the steps of the present method.
As described above, in the method for managing digital rights in a broadcast/multicast service according to the present invention, an RI issues a domain RO for each service domain regardless of the number of terminals participating in the service, so as to enable a reduction in the load of the RI.
Further, in the method of managing digital rights in a broadcast/multicast service according to the present invention, ROs are issued per domain unit, so that each terminal using the service can receive an RI in a short time and can use a network very efficiently.
As the present invention may be embodied in several forms without departing from the spirit or essential characteristics thereof, it should also be understood that the above-described embodiments are not limited by any of the details of the foregoing description, unless otherwise specified, but rather should be construed broadly within its spirit and scope as defined in the appended claims, and therefore all changes and modifications that fall within the metes and bounds of the claims, or equivalence of such metes and bounds are therefore intended to be embraced by the appended claims.
Claims (16)
1. A method of managing digital rights in a broadcast/multicast service providing the same service data to one or more terminals, comprising:
transmitting, by the terminal, its public key to the rights issuer to request registration;
subscribing, by a terminal, to a specific domain, and receiving, from a rights issuer, a domain key for a service package for the domain, the specific domain corresponding to a service package including a plurality of services that share a common domain key for each service package;
obtaining, by the terminal, a domain rights object from a rights issuer, the domain rights object including another key encrypted using the domain key;
receiving, by the terminal, a service data encryption key encrypted using the other key;
and the combination of (a) and (b),
receiving service data and decoding the service data using the received service data encryption key.
2. The method of claim 1, wherein the domain key is encrypted using a public key of the terminal.
3. The method of claim 1, wherein obtaining, by the terminal, a domain rights object comprises:
if a domain subscribed by the terminal is a service domain, a service domain rights object for the corresponding service domain is obtained.
4. The method of claim 1, wherein the domain rights object contains a service data encryption key.
5. The method of claim 1, wherein the decoding of the service data comprises:
detecting the service data encryption key;
detecting the domain key if the service data encryption key is encrypted using the domain key;
detecting a public key used for encrypting the detected domain key;
decoding the domain key using the detected public key;
decoding the service data encryption key using the decoded domain key; and
decoding the service data using the decoded service data encryption key.
6. The method of claim 1, wherein the decoding of the service data comprises:
detecting the service data encryption key;
detecting the other key if the service data encryption key is encrypted using the other key and the other key is contained in the domain rights object;
detecting the domain key into which another key is encrypted;
detecting a public key used for encrypting the detected domain key;
decoding the domain key using the detected public key;
decoding the other key using the decoded domain key;
decoding the service data encryption key using the decoded other key; and
decoding the service data using the decoded service data encryption key.
7. A method for digital rights management for broadcast-multicast services, the method being performed by a terminal, the method comprising:
performing a registration procedure with a network, a public key of the terminal being shared during the registration procedure being performed via a broadcast channel or an interaction channel;
sending a request message to the network to join a service domain, the service domain indicating a group of terminals subscribing to at least one service bundle comprising a plurality of services, the at least one service bundle sharing a single domain key for each service bundle;
receiving a domain key for a corresponding service package from the network, the domain key having been encrypted by using the public key;
receiving a service domain Rights Object (RO) including a plurality of Service Encryption Keys (SEKs) or a plurality of Procedure Encryption Keys (PEKs) from the network, each SEK or PEK being encrypted with the received domain key, and the service domain RO being broadcasted to a plurality of terminals joining the service domain via a broadcast channel or directly transmitted to the plurality of terminals joining the service domain via the interaction channel;
receiving a Traffic Encryption Key (TEK) encrypted by using the SEK from the network, the TEK being broadcast via the broadcast channel or directly transmitted via the interaction channel; and the number of the first and second electrodes,
receiving service data of the broadcast-multicast service from the network, the service data being encrypted using the TEK.
8. The method of claim 7, further comprising: decrypting the received service data by using the TEK.
9. The method according to claim 7, the public domain key and the serving domain RO being received from a rights issuer RI of the network.
10. The method of claim 9, the request message is a domain subscription request message for requesting subscription to a service domain to provide a specific service or service package from the RI.
11. The method of claim 10, when requesting subscription to the service domain, at least one of a service ID or a service package ID, a terminal ID, and a terminal design signature is transmitted to the RI.
12. A method for digital rights management for broadcast-multicast services, the method being performed by a network, the method comprising:
performing a registration procedure with a terminal, a public key of the terminal being shared during the registration procedure being performed via a broadcast channel or an interaction channel;
receiving a request message from the network to join a service domain, the service domain corresponding to a service bundle comprising a plurality of services, the service bundle sharing a common domain key;
transmitting a public domain key for a service package to the terminal, the public domain key being encrypted using the public key;
transmitting a service domain Rights Object (RO) including a plurality of Service Encryption Keys (SEKs) to the terminal, each SEK being encrypted with the transmitted public domain key, and the service domain RO being broadcasted to a plurality of terminals joining the service domain via a broadcast channel or directly transferred to the plurality of terminals joining the service domain via the interaction channel;
transmitting a Traffic Encryption Key (TEK) encrypted by using one of the plurality of SEKs to the terminal, the TEK being broadcast via the broadcast channel or directly transmitted via the interaction channel; and the number of the first and second electrodes,
transmitting service data of the broadcast-multicast service to the terminal, the service data being encrypted by using the TEK.
13. The method of claim 12, the public domain key and the serving domain RO are sent from a rights issuer RI of the network.
14. The method of claim 13, the request message is a domain subscription request message for requesting subscription to a service domain to provide a specific service or service package from the RI.
15. The method of claim 14, when a subscription is requested to the service domain, at least one of a service ID or a service package ID, a terminal ID, and a terminal design signature is received by the RI.
16. The method of claim 12, wherein the TEK is sent to the terminal through a BCAST server of the network.
Applications Claiming Priority (5)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US64399705P | 2005-01-14 | 2005-01-14 | |
| US60/643,997 | 2005-01-14 | ||
| KR1020050029717A KR100811046B1 (en) | 2005-01-14 | 2005-04-09 | Method for managing digital rights of broadcast/multicast service |
| KR10-2005-0029717 | 2005-04-09 | ||
| PCT/KR2006/000158 WO2006075900A1 (en) | 2005-01-14 | 2006-01-13 | Method for managing digital rights in broadcast/multicast service |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1113446A1 HK1113446A1 (en) | 2008-10-03 |
| HK1113446B true HK1113446B (en) | 2011-12-16 |
Family
ID=
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101061666B (en) | Method for managing digital rights in broadcast/multicast services | |
| CA2719975C (en) | Method and apparatus for providing broadcast service using encryption key in a communication system | |
| CA2623089C (en) | Method and apparatus for providing a digital rights management engine | |
| JP5489301B2 (en) | Encryption key distribution method in mobile broadcast system, method for receiving distribution of encryption key, and system therefor | |
| JP2008524914A5 (en) | ||
| CN101141246A (en) | A service key acquisition method and a subscription management server | |
| JP5367133B2 (en) | Broadcast service / content protection method and system in portable broadcast system, and short-term key message generation method therefor | |
| KR20060105862A (en) | Method and device for protecting content supporting broadcast service between service provider and multiple terminals | |
| KR100663443B1 (en) | Structure and interworking method and device for service protection and system | |
| CN101207794A (en) | Digital Rights Management Encryption and Decryption Method for IPTV System | |
| KR20060105934A (en) | Method and apparatus for sharing digital rights management content between service provider and terminal supporting broadcast service, and system therefor | |
| CN101202883B (en) | A Digital Rights Management System for IPTV System | |
| KR20130096575A (en) | Apparatus and method for distributing group key based on public-key | |
| HK1113446B (en) | Method for managing digital rights in broadcast/multicast service | |
| WO2007055534A1 (en) | Method for transmitting/receiving encryption information in a mobile broadcast system, and system therefor | |
| CN101568070B (en) | Mobile terminal management system and method |