SYSTEM AND METHOD FOR COGNIZANT TRANSPORT LAYER SECURITY (CTLS)
    21.
    Invention application - under examination, published

    Publication number: WO2012021662A2

    Publication date: 2012-02-16

    Application number: PCT/US2011/047313

    Filing date: 2011-08-10

    Abstract: A method of authentication and authorization over a communications system is provided. Disclosed herein are systems and methods for creating cryptographic evidence, called authentication/authorization evidence (AE), when a successful authentication/authorization between a client and an authentication server is complete. There are a variety of methods for generating AE. For instance, the AE can be data that is exchanged during the authentication signaling or data that results from it. The distinctive point is that AE results from the authentication process and is used as prior state for the following TLS exchange. An example of creating AE is as follows: EAP authentications typically result in an Extended Master Session Key (EMSK). The EMSK can be used to create an Evidence Master Key (EMK), which can then be used to create AE for a variety of servers.


    ONLINE SECURE DEVICE PROVISIONING WITH UPDATED OFFLINE IDENTITY DATA GENERATION AND OFFLINE DEVICE BINDING
    22.
    Invention application - under examination, published

    Publication number: WO2011130713A1

    Publication date: 2011-10-20

    Application number: PCT/US2011/032789

    Filing date: 2011-04-15

    Abstract: A system for generating new identity data for network-enabled devices includes a whitelist reader configured to extract attributes from a whitelist. The whitelist includes, for each device specified in the whitelist, a previously assigned identifier of the first type. The previously assigned identifiers of the first type are linked to identity data previously provisioned in each of the respective devices. A data retrieval module is configured to receive the identifiers of the first type from the whitelist reader and, based on each of the identifiers, retrieve each of the previously provisioned identity data records linked thereto. A new data generation module is configured to (i) obtain a cryptographic key associated with the identity data previously provisioned in the devices specified on the whitelist and the corresponding identifiers of the first type, (ii) generate new identity data records each linked to a new identifier and (iii) encrypt each of the new identity data records with one of the cryptographic keys and link each new identity data record to the identifier of the first type corresponding to each respective cryptographic key. A data output module is configured to load onto an external source the encrypted new identity data records along with their respective new identifiers and their respective previously assigned identifiers of the first type.


    METHOD AND APPARATUS FOR SECURELY MOVING AND RETURNING DIGITAL CONTENT
    23.
    Invention application - under examination, published

    Publication number: WO2008008621A2

    Publication date: 2008-01-17

    Application number: PCT/US2007/072174

    Filing date: 2007-06-27

    Abstract: The present invention discloses an apparatus and method for transferring digital content data. In one example, original digital content data stored on a first device in an encrypted state is transcoded (after being decrypted) to create a modified version of the original digital content data. The modified version of the original digital content data is then encrypted with a new content key. The modified version and at least one content key generator are transferred to a second device, where the at least one content key generator is used to recreate the new content key for enabling (and decrypting) the modified version of the original digital content data at the second device. Notably, the original digital content data stored in the first device is disabled contemporaneously with the transfer of the modified version and the at least one content key generator to the second device. Afterwards, the disabled original digital content data is re-enabled on the first device, and disabled on the second device.


    TICKET-BASED SECURE TIME DELIVERY IN DIGITAL NETWORKS
    24.
    Invention application - under examination, published

    Publication number: WO2005008442A2

    Publication date: 2005-01-27

    Application number: PCT/US2004/022727

    Filing date: 2004-07-02

    IPC: G06F

    CPC classification number: G06F21/725 G06F21/10 G06F21/335 H04L9/083 H04L9/3213

    Abstract: A ticket-based secure time protocol is used to provide client devices, or users, with secure time signals. In a preferred embodiment, the secure time signals are provided by a secure time server so that multiple clients can be time-synchronized. Ticket-based authentication uses digital certificates and public key cryptography, such as Elliptic Curve Cryptography (ECC), to reduce key administration overhead and decryption processing. Standard authentication architectures and approaches, such as Kerberos, can be used for some aspects of the invention. A preferred embodiment uses Request and Reply messages that provide added security and functionality, such as authentication, sequence-checking and verification of the target destination.


    END-TO-END PROTECTION OF MEDIA STREAM ENCRYPTION KEYS FOR VOICE-OVER-IP SYSTEMS
    26.
    Invention application - under examination, published

    Publication number: WO2003084123A1

    Publication date: 2003-10-09

    Application number: PCT/US2003/009078

    Filing date: 2003-03-20

    CPC classification number: H04L63/061 H04L63/0807

    Abstract: The present invention reduces the exposure of keying material to intermediary devices in a communication channel between first and second servers. In one embodiment (100), a second server receives a first half of the media stream keys from a first server. The second server uses a Kerberos-based Application Request and tickets to communicate the second half of the media stream keys to the first server. Using this approach, the exposure of the media stream keys is reduced to only the servers.


    KEY MANAGEMENT WITH CLIENT VERIFICATION OF AUTHORIZATION

    Publication number: WO2003067801A3

    Publication date: 2003-08-14

    Application number: PCT/US2003/000084

    Filing date: 2003-01-02

    Abstract: A method and system for providing a client (102) with a copy of the authorization data that can be accessed and used by the client. The method is well suited to key management protocols that utilize the concept of tickets. Two copies of the authorization data, a client copy and a server copy, are included within a ticket and forwarded to the client when the client requests a ticket for a specific application server (106). The client is capable of accessing the client copy of the authorization data, so that the client can verify requests and determine authorization of use for the content and/or services requested.

    INITIAL VIEWING PERIOD FOR AUTHORIZATION OF MULTIMEDIA CONTENT

    Publication number: WO2002062054A3

    Publication date: 2002-08-08

    Application number: PCT/US2001/051051

    Filing date: 2001-10-26

    Abstract: According to one embodiment of the invention, a free preview of a program can be provided to client computers in a multicasting system. This can allow viewers in the multicasting system to view a first portion of the program before deciding whether to order the program content. According to another embodiment, various distribution methods can be accomplished using encryption keys to distribute program content. According to yet another embodiment, an initial viewing period can be provided to allow negotiation of the encryption keys. According to another embodiment, rules and conditions for providing content in a multicasting environment can be utilized.

    AUTHORIZATION OF MEDIA CONTENT TRANSFER BETWEEN HOME MEDIA SERVER AND CLIENT DEVICE
    29.
    Invention application - under examination, published

    Publication number: WO2014182858A2

    Publication date: 2014-11-13

    Application number: PCT/US2014/037216

    Filing date: 2014-05-07

    Abstract: A method for authorizing media content transfer between a home media server and a client device and provisioning DRM credentials on the client device, the method comprising receiving a service authorization credential at a client authorization server from a PKI provisioning server, wherein the service authorization credential is associated with a client device, and sending a validation response from the client authorization server to the PKI provisioning server if the client authorization server determines that the service authorization credential was previously provided by the client authorization server to the client device, wherein the validation response releases the PKI provisioning server to send DRM credentials to the client device.


    METHODS, APPARATUS AND SYSTEM FOR AUTHENTICATING A PROGRAMMABLE HARDWARE DEVICE AND FOR AUTHENTICATING COMMANDS RECEIVED IN THE PROGRAMMABLE HARDWARE DEVICE FROM A SECURE PROCESSOR
    30.
    Invention application - under examination, published

    Publication number: WO2009129017A1

    Publication date: 2009-10-22

    Application number: PCT/US2009/037612

    Filing date: 2009-03-19

    CPC classification number: G06F21/76 G06F12/1466 G06F21/73 G06F2221/2129

    Abstract: A method, device and system for authenticating a programmable hardware device, such as a programmable hardware chip, and a command received by the programmable hardware device. A secure processor or other trusted source authenticates the programmable hardware chip by verifying, with the secure processor's own verification key, a random number sent to the programmable hardware chip and encrypted using a verification key embedded within the programmable hardware chip, since the nature of the encryption is such that only the original logic function that includes the verification key can encrypt the data correctly. A command received by the programmable hardware chip is authenticated by verifying that a command authentication token received by the programmable hardware chip is generated using the correct command authentication key and consequently verifying that the command is received from the secure processor, as only the party who has the command authentication key can encrypt the data correctly.

