1. BUSINESS METHOD INCLUDING CHALLENGE-RESPONSE SYSTEM TO SECURELY AUTHENTICATE SOFTWARE APPLICATION PROGRAM INTERFACES (APIs)
    Type: Invention patent application (under examination, published)

    Publication number: WO2014070800A1

    Publication date: 2014-05-08

    Application number: PCT/US2013/067353

    Filing date: 2013-10-29

    Abstract: A system for securely authenticating software Application Program Interfaces (APIs) includes a handshake protocol that is provided to validate whether the parties involved are licensed to use the system, which includes rights to Intellectual Property (IP) and corresponding obligations. The handshake is a Challenge-Response protocol that includes several steps. First, a Claimant sends a request to a Verifier requesting access to a function through an API. The Verifier reacts to the request by outputting a Challenge that is sent to the Claimant. The Challenge is also retained by the Verifier for use in its internal calculation to verify the Claimant's response. The Claimant next processes the Challenge using components under the license, known as Hook IP, and issues a Response to the Verifier. The Verifier compares the possibly-correct Candidate Response from the Claimant to the known-correct Target Response, and if a match occurs the Verifier allows the Claimant access to the API.

2. METHOD AND APPARATUS FOR PROVIDING A SECURE TRICK PLAY
    Type: Invention patent application (under examination, published)

    Publication number: WO2008134476A1

    Publication date: 2008-11-06

    Application number: PCT/US2008/061512

    Filing date: 2008-04-25

    Abstract: A process may be utilized by a DVR. The process characterizes a set of content as a plurality of segments as the set of content is received. Each of the segments has a segment length according to a predetermined time interval. Further, the process encrypts each of the segments with a corresponding content encryption key to generate a plurality of encrypted segments. The corresponding content encryption key for each of the segments is generated by the DRM component. In addition, the process stores each of the encrypted segments for playback with trick play features in accordance with an expiration content rule having a time limit on the temporary playability of the set of content.

4. CATEGORIZATION OF HOST SECURITY LEVELS BASED ON FUNCTIONALITY IMPLEMENTED INSIDE SECURE HARDWARE
    Type: Invention patent application (under examination, published)

    Publication number: WO2004066586A2

    Publication date: 2004-08-05

    Application number: PCT/US2004/000817

    Filing date: 2004-01-14

    Abstract: A system rates the security level of a device according to the characteristics of the functions executing within secure hardware components in the device. The security level of a host is placed in a digital certificate along with a corresponding private key at the time of manufacture of a device. The digital certificate can be provided to an inquiring device so that more comprehensive system-wide security levels can be communicated and maintained. Where a network uses ticket-based key management protocols, the security rating, or level, is transferred from the certificate to an issued ticket. Inquiring devices can then check the security levels of target devices by using certificates or tickets and perform transfers or grant authorizations accordingly. In a preferred embodiment a security ratings system uses six levels of security. The levels are structured to include characteristics about a device's processing. That is, the levels provide information on the amount and type of sensitive processing that can occur in non-secure (or low security) circuitry or components within a device. This gives a better indication of how prone a device is to threats that may be of particular concern in content delivery networks. Additional qualifiers can optionally be used to provide further information about a security level. For example, the degree to which time management processing is handled within secure hardware, and whether a particular codec, watermark or fingerprint is supported within secure hardware, can each be represented by a policy qualifier.

5. IMPROVED SUBSET DIFFERENCE METHOD FOR MULTI-CAST REKEYING
    Type: Invention patent application (under examination, published)

    Publication number: WO2004056037A1

    Publication date: 2004-07-01

    Application number: PCT/US2003/039294

    Filing date: 2003-12-10

    CPC classification number: H04L9/0836 H04L9/0822 H04L9/0891 H04L2209/60

    Abstract: An improved subset-difference method is provided. The improved method uses the value of the current content key to help generate the requisite difference keys. The requisite difference keys are then used to encrypt the next content key, which will be delivered only to users who are supposed to remain in the group. Users who have the current content key are then able to generate the requisite difference keys, which they can then use to decrypt the next content key. Using the decrypted next content key, the users are then able to continue to receive content. Since previously revoked users do not have the current content key, they are unable to determine the next content key and thus are prevented from receiving future content.

6. KEY MANAGEMENT PROTOCOL AND AUTHENTICATION SYSTEM FOR SECURE INTERNET PROTOCOL RIGHTS MANAGEMENT ARCHITECTURE
    Type: Invention patent application (under examination, published)

    Publication number: WO2003045036A2

    Publication date: 2003-05-30

    Application number: PCT/US2002/036806

    Filing date: 2002-11-15

    Abstract: A digital rights management architecture for securely delivering content to authorized consumers. The architecture includes a content provider and a consumer system for requesting content from the content provider. The content provider generates a session rights object having purchase options selected by the consumer. A KDC thereafter provides authorization data to the consumer system. Also, a caching server is provided for comparing the purchase options with the authorization data. The caching server forwards the requested content to the consumer system if the purchase options match the authorization data. Note that the caching server employs real-time streaming for securely forwarding the encrypted content, and the requested content is encrypted for forwarding to the consumer system. Further, the caching server and the consumer system exchange encrypted and authenticated control messages for supporting transfer of the requested content. In this manner, all interfaces between components are protected by encryption and/or authentication.

7. PROTECTION OF CONTROL WORDS EMPLOYED BY CONDITIONAL ACCESS SYSTEMS
    Type: Invention patent application (under examination, published)

    Publication number: WO2014152060A1

    Publication date: 2014-09-25

    Application number: PCT/US2014/026900

    Filing date: 2014-03-13

    Abstract: In accordance with a method for communicating a control word (CW) from a client such as an encryptor to a server such as the entitlement control message generator (ECMG) of a conditional access system (CAS), communication is established between the client and server over a secure connection. A control word to be encrypted is received by the client and encrypted using a first and a second key. The first key is a global secret key (GSK) that is known to the client and the server without being communicated over the secure connection. The second key is a control word encryption key (CWEK) that is derived from a locally generated client nonce (CN) and a server nonce (SN) obtained from the server over the secure connection. The encrypted control word (ECW) is sent to the server over the secure connection.

8. REVOCATION LIST UPDATE FOR DEVICES
    Type: Invention patent application (under examination, published)

    Publication number: WO2013106530A1

    Publication date: 2013-07-18

    Application number: PCT/US2013/020971

    Filing date: 2013-01-10

    CPC classification number: H04L9/0891 H04L9/12 H04L9/3268

    Abstract: In one embodiment, a method includes receiving a revocation request for revoking a model type of a device. A first computing device determines, from a database, a list of device unit identifiers (UIDs) that are associated with the model type. The device UIDs are for devices of the model type manufactured by a first entity. The method adds the list of device UIDs to a device revocation list and outputs the device revocation list to revoke the validity of secure information associated with the devices in the list of device UIDs.

9. METHOD AND APPARATUS FOR DELIVERING CONTENT IN A COMMUNICATION SYSTEM
    Type: Invention patent application (under examination, published)

    Publication number: WO2013096123A1

    Publication date: 2013-06-27

    Application number: PCT/US2012/069764

    Filing date: 2012-12-14

    CPC classification number: G06Q20/1235

    Abstract: An embodiment of the present invention provides a method of transferring content within a system having a credit managing device, a content providing device and a user device. The method includes: registering the user device with the credit managing device; providing a universal credit to the user device from the credit managing device; providing encrypted content and a pre-rights generator from the content providing device to the user device at a first time without consuming the universal credit; generating a decryption key from the pre-rights generator at a second time after the first time; and decrypting, via the decryption key, the encrypted content at the user device and consuming a portion of the universal credit.

10. DIGITAL CONTENT CONSUMPTION DEVICE REGIONALIZATION
    Type: Invention patent application (under examination, published)

    Publication number: WO2013081757A1

    Publication date: 2013-06-06

    Application number: PCT/US2012/062546

    Filing date: 2012-10-30

    Abstract: A method, a digital content consumption device, and a conditional access system are disclosed. A network interface may receive, in a digital content consumption device, a public key message that includes an encrypted key. A processor may decrypt the encrypted key using a secret key to produce the transmitted public key, identify a region descriptor in the public key message, and determine the secret key based on the region descriptor.
