[go: up one dir, main page]

HK1226576B - Method for controlling access to broadcast content - Google Patents

Method for controlling access to broadcast content Download PDF

Info

Publication number
HK1226576B
HK1226576B HK16114802.1A HK16114802A HK1226576B HK 1226576 B HK1226576 B HK 1226576B HK 16114802 A HK16114802 A HK 16114802A HK 1226576 B HK1226576 B HK 1226576B
Authority
HK
Hong Kong
Prior art keywords
receiver
use code
verification
portable device
current location
Prior art date
Application number
HK16114802.1A
Other languages
German (de)
French (fr)
Chinese (zh)
Other versions
HK1226576A1 (en
Inventor
David Servignat
José-Emmanuel Pont
Frédéric Thomas
Scott Jantz
Nir Livay
Original Assignee
Nagravision S.A.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nagravision S.A. filed Critical Nagravision S.A.
Publication of HK1226576A1 publication Critical patent/HK1226576A1/en
Publication of HK1226576B publication Critical patent/HK1226576B/en

Links

Description

Introduction
The present invention relates to the field of controlling access to audiovisual content broadcast to a receiver, particularly control relating to the location of the receiver.
State of the art
There are several applications that require the geolocation of a receiver within the field of audiovisual content distribution. A first reason is the blackout function, which prevents receivers in certain regions from accessing the content. This function was introduced by sports event organizers to prohibit access to the event for receivers located in the same region as the event. This is done to encourage interested people to attend the event in person rather than watching it on a television screen.
A second reason is the "account packing" function, that is to say, offering a second or third content receiver at a reduced price. The condition is that these receivers remain in the same household to benefit from the discount. It is tempting to take a second receiver at a discounted price and install it at a friend's place. Knowing the location of the receivers allows verifying whether the condition of proximity between the receivers is respected.
A third reason closely related to the "blackout" function is the management of broadcasting rights by territory. A service provider acquires the broadcasting rights for a specific territory. However, a broadcasted signal cannot follow arbitrary borders, and the signal overflows beyond the authorized area. Therefore, the operator is required, in order to comply with its legal obligations, to implement technical means to prevent receivers outside its area from accessing the content. This is why, according to the prior art (for example, US 6,317,500), it has been proposed to integrate a geolocation system into receivers in order to control access to the content.
The drawback of these systems is that receiving signals from geolocation satellites is generally not possible indoors or in apartments. The purpose of the present invention is to provide a solution to this problem.
Document FR2861237A1 describes a method for controlling access to distributed digital encrypted data assigned to at least one user device and associated with an access control message comprising a plurality of conditional access criteria. The method comprises the following steps: a - defining a plurality of geographical areas and identifying each area by a geographical reference, b - associating the access control message with at least one reference of a geographical area defined in step a), c - calculating the actual geographical position of the user equipment by means of an external positioning system and transmitting this position to the equipment, d - determining the area or areas where the user equipment is actually located, based on the calculated actual position from step c), e - managing access to the data according to the access conditions of the user equipment in the area or areas determined in step d).
Brief description of the invention
The objective of the present invention is to provide a location verification method that cannot be bypassed by simply transmitting a location from a portable device located far away from the receiver, particularly to prevent a portable device located within the authorized area from being used to obtain the location and transmit it to verification means when the receiver is outside the authorized area.
In the context of the present invention, a method for controlling access to content broadcast to a receiver is proposed, as defined in claim 1, and a system for receiving audiovisual content, as defined in claim 8.
Brief description of the figures
This application will be better understood with the detailed description based on the figures: Figure 1 illustrates the system of the invention; Figure 2 illustrates the communication operation between an intelligent accessory and a management center; Figure 3 illustrates data exchange using SMS technology; Figure 4 illustrates the elements in the data exchange using SMS technology; Figure 5 illustrates the display of an identification code on the receiver's screen.
Detailed description
Several implementation methods are proposed within the scope of this application. The common points are: a set-top box (STB) receiver receives broadcasted data for which geographical access control is desired; a screen (SCR) is connected to the receiver and allows displaying the broadcasted data; a portable device that is not permanently connected to the receiver, is able to acquire a location. This location can be a geo-location (GPS) or the reception of an identifier transmitted by a local antenna. This antenna can be a mobile phone antenna (GSM) or a DVB-H type broadcasting antenna; verification means, which contain one or more reference locations, and which allow checking whether the current location,As acquired by the portable device, is in an authorized area. These reference data may be specific to a user, a group of users, or all receivers of an operator. A transmission by the portable device of the acquired location to the verification means to perform the verification described above; security means, related to the receiver, for authorizing or denying access to the broadcast data, depending on the result of the verification performed by the verification means; a unique code, unique in the sense that it will not be reused during subsequent location verifications, is transmitted from the receiver to the portable device.This latter method associates location data with a unique code, the verification means being capable of verifying the authenticity of the said unique code received along with the location data. This code is unique per verification process, meaning that it can also be unique per receiver or may be the same at a given time across multiple receivers.
The user's STB receiver includes means for receiving a broadcast audiovisual data stream. The receiver can support several types of reception, such as cable, satellite, terrestrial, or IP-based streaming. All these streams have in common the fact that the same stream is broadcast to many receivers, which is why the implementation of access authorization verification is performed at the receiver level. The scope of the present application also covers on-demand transmission such as VOD (Video On Demand) and Replay TV. Preferably, the receiver includes security means that can take various forms: a dedicated circuit,Mounted on the receiver's printed circuit board and performing all security operations. This circuit contains a secure memory that stores the user's keys and rights. A silicon area of a specialized circuit. The specialized circuit integrates all the receiver's functions, including selecting a stream among multiple streams, separating audio and video streams, decompression, and display management. A section of this circuit is reserved for security operations and contains a secure memory that stores data specific to a user. An independent module, such as a dongle or a smart card, comprising processing means and at least one secure memory.This module is connected, for example, via a USB connector or ISO 7816. The receiver filters the access control system management messages and sends them to the independent module. This module processes them and returns the keys or useful information for the receiver's operation, which is a software module. The central unit of the receiver can handle multiple contexts, and the security function is a software program executed by the same central unit that manages the receiver. A special section of memory is reserved for this program, and access to other programs running on the receiver is limited.
A receiver is identified by a unique UA number. This number is preferably stored permanently in the receiver's memory so that it cannot be modified without authorization. This number is not necessarily secret and is generally printed on the back of the receiver.
According to a specific form, the receiver is a module that connects to a port on the screen. A well-known example is the PCMCIA module, but other types of connections (such as USB, Firewire) are also possible. In this case, the power is supplied by the screen, and the interaction with the user goes through the connector and uses the screen's means (remote control). These modules are known as CAMs (Conditional Access Modules).
Unique code
This unique code is at least unique per verification session and will not be reused in a subsequent verification phase. It can be generated by the management center and sent in the invitation message of a verification, or it can be generated by the recipient, such as a random number. In this case, it will also be unique per recipient.
This code is then transmitted to the portable device. This can be done either through the screen (displaying the code on the screen and retyping it into the portable device) or directly transmitted via local communication means of the portable device.
This unique code must be verifiable by the verification means. For this purpose, these verification means also receive the generated unique code in order to compare it with the one transmitted along with the current location. Alternatively, the verification means do not receive the unique code but can verify the authenticity of said code through the receiver's private key. In this case, the verification means contain the receiver's private key and a method for identifying the receiver in order to retrieve its key. By decrypting the received unique code with the private key of the supposed receiver who generated this unique code, the verification means can check whether the decrypted code complies with the rules established and known to both the receiver and the verification means. For example, the unique code may be the result of encrypting the current date using the receiver's private key. The verification means receive the unique code and the receiver's identifier. Using this identifier, the private key is retrieved and applied to the unique code. The result of the decryption should have the format of a date (e.g., year, month, day) for the code to be considered authentic.
Several variations of this unique code are provided within the scope of the invention: this code is included in the invitation message and therefore generated at the management center. The invitation message can be general, meaning that the unique code will be the same for all recipients, or individually addressed, allowing the generation of a unique code per recipient by the management center. If the verification means are located at the management center, the unique code is directly transmitted to these means. This code is generated by the recipient. It can be a random number or data such as the time or date combined with a personal key.For example, the date and time are encrypted by this key and form the code. The management center, after receiving the message from the smart device containing the code and the location, can verify the received code by decrypting it using the receiver's private key. This key is found by identifying the smart device and the receiver it is associated with. Once the receiver is known, the corresponding private key, which is stored in the management center's database, is retrieved. Once the code is decrypted, it is possible to check that the date and time correspond to a time window following the message sent by the management center, and therefore validate the unique code.
In the case of sending this code to the screen, the display of this code can be in alphanumeric or graphical form. In this case, the code is in the form of a barcode or QR code image, and the smart accessory includes a camera to read this code. This image can contain many pieces of information such as the receiver's identifier or security means, the date and/or time, and a unique code. This image is captured by the camera of the smart accessory and converted by the accessory into a data string. This string is then associated with the location data, which are transmitted to the management center. The management center will also verify that the string corresponds to the image displayed by the receiver, in addition to the location.
First method of realization
This first mode is characterized in that the current location, obtained by the portable device, is transmitted to the receiver. It is illustrated by figures 1 and 2. The local device can be the receiver's RMT remote control (or the SCR screen in the case of the CAM module), and the communication can simply be an infrared link. The remote control can also have another communication channel such as Bluetooth or NFC. Once the location is acquired and temporarily stored in the remote control, the user approaches the receiver and initiates the transfer of this location to the STB receiver. The unique code previously received is attached to the location data. To secure this location, the data sent by the remote control can further be encrypted by a key previously loaded into both the receiver and the remote control. Thus, a pair is created which prevents any other remote control from being used for this purpose.
In the mode using a smart accessory SP, the principle is the same: namely, the accessory acquires the current location (either via GPS, an antenna ID, or through transmitter triangulation such as in mobile phone networks) and transmits it to the STB receiver via local communication means, using the unique code previously received. In one embodiment, the exchanged data are secured by encryption. The encryption key can be loaded via a prior connection by the smart accessory to a management center during an initialization procedure. During this procedure, the smart accessory receives an invitation to identify the receiver, for example, by indicating its identifier. The management center then searches its database for the encryption key corresponding to the receiver and sends it to the smart accessory. The latter stores this key and uses it to transmit the location data to the receiver.
The management center can also send an application that loads onto the smart accessory and will handle the location acquisition and sending of these data to the receiver. This application will have the receiver's personal encryption key hidden within it.
This localization operation is triggered by an invitation message sent by the management center to the receivers it is connected to. The message can be sent within the broadcast signal BS or addressed to a receiver via a direct connection (for example, using the IP protocol). This message triggers the acquisition of the unique code as described above.
The invitation message may also include a maximum duration that is stored by the receiver, preferably in its security means. This information allows verifying the time it took to obtain a response from the portable device. Upon receiving the location data and the unique code, the time between the appearance of the message and the reception of the data is calculated and compared to the maximum duration. If this calculated duration exceeds the maximum duration, the verification leads to the rejection of the current location.
It may happen that the invitation message arrives at an inconvenient time, and the window inviting the user to verify contains a "postpone" option. For example, the user can postpone this verification for 30 minutes. Once the time has expired and the user is ready to perform the verification, the receiver transmits the unique code. Without entering this code, the location tracking by the portable device cannot begin. Therefore, it is not possible to use the 30-minute delay period to move the portable device to another area. Once the location is established by the portable device, the data are sent to the receiver along with the previously entered unique code. The receiver can then check that the received code is the same as the one displayed with the invitation and calculate the current duration. If the code is correct and the duration does not exceed the maximum duration contained in the message, the location is accepted.
Once this step is completed, the receiver has two options: either perform the verification themselves or delegate the verification to the management center.
In the first case, this means that the verification means are contained within the receiver. These means are placed along with the security means. The receiver has previously transmitted the unique code to these verification means. The verification means have a memory containing location data defining at least one authorized area. These data can be in the form of a surface defined by geolocation positions or a set of antenna identifiers in the case of location based on antenna identifiers. The verification means check whether the unique code received from the portable device is valid, and if so, verify that the current location received from the portable device is within the authorized area. If so, the receiver continues to operate normally. If not, the receiver may take various actions such as sending a message to a management center (this message including the receiver's identifier and the type of problem detected), or blocking, limiting, or degrading the receiver's functionalities (for example, by blocking HD content and allowing SD content).
In order to perform this verification, the verification means must have access to the authorization area. This information can be contained in the invitation message or already present in the verification means, for example, loaded during an initialization phase or upon receiving a configuration message such as an EMM (Entitlement Management Message).
In the second case, the receiver may have a communication means with the management center, for example through an IP connection. The current location and the unique code received from the portable device are sent to the management center along with the receiver's identifier. The management center includes verification means that, for the received identifier, will retrieve the authorized area and check whether the current location is within this area as well as verify the unique code.
The management center may take several actions in case the current location is outside the authorized area: mark this identifier as blocked and stop sending messages containing the keys that allow the receiver to continue receiving; the keys are periodically renewed and receivers must receive the new keys to access the content, and/or send a block message, either through the broadcast channel or through the IP channel; this message is processed by the receiver's security means, which will then stop providing decryption keys to the receiver's decoder.
Conversely, if the location is within the area, the management center can also send an EMM message that will renew the expiration date of the reception rights. This message can be sent immediately after verification or later when the encryption system keys for the content change.
Second mode of implementation
This second mode is characterized by the fact that the current location, obtained by the portable device, is directly transmitted to the management center along with the unique code. For this purpose, the portable device includes means for location and remote communication with the management center, for example via the Wi-Fi network or 3G/4G. This will then be referred to as a smart accessory.
This mode is preferably associated with a specific application loaded in the smart accessory that performs the location acquisition operation and data transmission. This location is triggered in the same way as before, that is, by transmitting the unique code from the receiver to the portable device according to one of the modes described above.
The management center may take several actions if the current location is outside the authorized area: mark this identifier as blocked and no longer send messages containing the keys that allow the receiver to continue receiving; the keys are periodically renewed and receivers must receive the new keys to access the content, and/or send a block message, either through the broadcast channel or through the IP channel; this message is processed by the receiver's security means, which will stop providing decryption keys to the receiver's decoder.
Conversely, if the location is within the area, the management center can also send an EMM message that will renew the expiration date of the reception rights.
Third mode of implementation
This third mode is based on the intrinsic localization of a message received by the MC management center. It is illustrated by Figures 3 and 4. It includes all the explanations from the previous modes regarding the mode in which the portable device communicates directly with the management center. For this purpose, the portable device can be a simple mobile phone without any additional features.
The particularity is that the portable device can be a mobile phone without location means. It will not need to acquire its location. It is only required to send an SMS message to the management center, containing for example the receiver's identifier or an identification code displayed on the screen and included in the invitation message. This information is even unnecessary because the management center, by knowing the phone number, can retrieve the associated receiver's identifier. The code can be generated according to the embodiments described above.
The mobile phone sends message 3 to the management center using the nearest communication tower CT. The communication tower CT relays message 4 to the management center, adding service data such as the CT tower's identifier.
When the management center receives message 4, it extracts the service data to identify the tower that served as the first relay for the message sent by the mobile phone. This identifier becomes the current location as described in relation to the above-mentioned modes. The phone number associated with the message allows retrieving the receiver's identifier and therefore its authorization area(s) data.
The same options discussed previously regarding the management center's response are applicable here. The EMM message (for example, a block or renewal message) is illustrated by reference 5 in figures 3 and 4.
Independent GPS Module
Within the scope of this invention, an independent GPS module with self-power supply is proposed, including means for wireless communication with the receiver (such as Bluetooth). The position of such a module should be near a window or placed outside, which may make power supply through the network difficult. Therefore, it is proposed that this GPS module be powered by a battery, a power source, and/or a solar sensor. An important point is that this module can be in standby mode most of the time. According to one embodiment, the said module may include a clock that will wake up the module at a given time.According to a first embodiment, the receiver is constantly listening for messages transmitted by the said module. A message will include the location and may also include a module identifier. According to this method, the module regularly transmits its current location. This information is stored in the receiver, and when a verification is requested by the management center, the last received location is used. In order to optimize the GPS module's standby time, the management center, in its verification request message, can indicate when the next verification will take place. This allows the receiver,When communicating with the GPS module, indicate to it when it needs to wake up. Therefore, the GPS module can be in sleep mode (with power consumption compatible with a solar sensor) for several days. A short time before the message from the management center arrives, the GPS module's clock wakes up the module, and a location is acquired and transmitted to the receiver.
According to another embodiment, activation of the GPS module is initiated by pressing a button. When the receiver displays the verification message, the user presses the GPS module activation button, which powers the module. The module then activates the GPS chip, acquires the location, and transmits it to the receiver. Afterwards, the module returns to standby mode.
In these implementation methods, the module does not receive a unique code from the receiver. The short range of the wireless transmission is relied upon to ensure proximity. However, it is still possible to store a unique encryption key in both the module and the receiver for this specific pair. Thus, even if a third party intercepts the message transmitted by the GPS module, another receiver will not be able to understand it, as the location data are encrypted using the encryption key specific to a single module/receiver pair.
The various methods and explanations above ensure that the receiver is located in a place compatible with reception rights.

Claims (11)

  1. A method for controlling access to content broadcast to a receiver, said receiver being part of a geographical access control system, said receiver comprising verification means and security means, the method comprising the steps:
    - receiving a verification invitation message by the receiver,
    - generating a single-use code by the receiver,
    - transmitting said single-use code to said verification means of the receiver,
    - transmitting said single-use code to a portable device,
    - acquiring a current location by the portable device,
    - transferring the current location and said single-use code from the portable device to the verification means of said receiver,
    - verifying the single-use code received by the verification means, and if the code is correct,
    - extracting in a memory of the verification means, a set of location data defining at least one zone,
    - verifying by the verification means that the current location is included in said zone, and if so, transmitting, by the verification means, an authorisation message for receiving the audiovisual content to the security means of said receiver
    - authorising or prohibiting, by the security means, the access to the content broadcast to the receiver based on the verification result.
  2. The method according to claim 1, characterised in that the invitation message comprises a maximum duration, the verification of the single-use code further comprises a step of calculating a duration between the appearance of the invitation message and the reception of the current location and of said single-use code by the verification means and verifying that this calculated duration is less than or equal to said maximum duration.
  3. The method according to one of claims 1 or 2, characterised in that the receiver displays the single-use code on a screen linked to said receiver, the portable device comprising means for acquiring this single-use code.
  4. The method according to claim 3, characterised in that the receiver displays an alphanumeric image on the screen representing the single-use code, the portable device comprising a keyboard for the input of said single-use code.
  5. The method according to claim 3, characterised in that the receiver displays an image representing the single-use code, and comprising the following steps:
    - acquiring the image by an optical reading device of said portable device,
    - converting the image to obtain the single-use code in order to be added to the current location.
  6. The method according to claim 1, characterised in that the receiver comprises short-range local communication means with the portable device, the single-use code being sent via said means.
  7. The method according to one of claims 1 to 6, wherein the portable device is a smart accessory comprising a GPS and having local communication means with said receiver, said communication means using an encryption key to secure the exchanges of messages, characterised in that it comprises the steps, executed by the smart accessory:
    - downloading and loading an application into a memory of said smart accessory,
    - accessing a management centre and identifying the receiver to said management centre,
    - finding an encryption key corresponding to said receiver in a database of said management centre,
    - transmitting by the management centre the encryption key to said smart accessory,
    - using said encryption key for encrypting and/or signing the current location data.
  8. A system for receiving an audiovisual broadcast content formed by a receiver (STB) comprising verification means and security means, a screen (SCR) connected to said receiver and a portable device (SP, RMT) comprising means for acquiring a current location, and transferring said current location to the receiver (STB), the receiver comprising means for generating and transmitting a single-use code to said portable device upon receiving a verification invitation message, the portable device comprising means for receiving said single-use code and for composing and transmitting to the receiver a message comprising the current location and said single-use code, said verification means comprising means for verifying the single-use code and a memory comprising a set of location data defining at least one authorisation zone, said verification means comprising means for verifying whether the current location is included in said zone and if so, for transmitting an authorisation message for receiving the audiovisual content to the security means, said security means comprising means for authorising or prohibiting the access to the content broadcast to the receiver based on the verification result.
  9. The system according to claim 8, characterised in that the receiver comprises means for generating the single-use code, said single-use code being transmitted to the screen and to the verification means.
  10. The system according to claim 8 or 9, characterised in that the portable device (SP) comprises an optical reading device, said use code being displayed on the screen (SCR) in the form of an image, said optical reading device comprising means for acquiring the image and converting it to obtain the single-use code.
  11. The system according to claim 8 or 9, characterised in that the portable device is a remote control (RMT) linked to said receiver (STB) or a smart phone (SP).
HK16114802.1A 2013-09-13 2014-09-04 Method for controlling access to broadcast content HK1226576B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US61/877,297 2013-09-13
EP13186380.5 2013-09-27

Publications (2)

Publication Number Publication Date
HK1226576A1 HK1226576A1 (en) 2017-09-29
HK1226576B true HK1226576B (en) 2020-08-21

Family

ID=

Similar Documents

Publication Publication Date Title
US11039189B2 (en) Method for controlling access to broadcast content
US9077856B2 (en) Method for local conditional access for mobile equipments
EP2802152B1 (en) Method for secure processing a stream of encrypted digital audio / video data
US20140040941A1 (en) Two-Dimensional Barcode System
US20050089168A1 (en) Method and system for conditional access
US9900638B2 (en) Pay-per-view sharing
JP2009503714A (en) Method for signaling geographical constraints
EP1878231B1 (en) Conditional access method and system for broadcast services
CN101635825B (en) Monitoring usage of encrypted broadcast services
CN101321261B (en) Front-end system, user terminal and authorization management information distribution method
EP2341699A1 (en) Device and method for capturing data relating to at least one advertisement
MX2007003000A (en) Method for managing means for accessing conditional access data.
US9602874B2 (en) Method for secure transfer of messages
CN103763583A (en) Method and system for authenticating satellite digital on-demand services
CN101631227A (en) System and method of enabling decryption of encrypted services
HK1226576B (en) Method for controlling access to broadcast content
HK1226576A1 (en) Method for controlling access to broadcast content
CN104104996A (en) Program stream decryption method, device and terminal
US12015831B2 (en) Multimedia content secure access
BR112016005574B1 (en) METHOD FOR CONTROLLING ACCESS TO TRANSMITTED CONTENT AND SYSTEM FOR RECEIVING TRANSMITTED CONTENT
KR20100046428A (en) Method and apparatus for acquiring encryption key for providing premium channel
CN102695098A (en) Telecast watching permission authorizing system