CA 02447265 2003-11-05
BACKGROUND OF THE INVENTION
1. Field of the Invention
The invention relates generally to broadcast systems with end-user television
decoders and Set Top Boxes (STB), and more specifically to a system which
securely manages the end-user rights and privileges. This system is used in
broadcast and interactive television services to control and restrict the
usage of the
television's content and services.
2. Description of the Prior Art
Broadcast systems must be capable of preventing piracy theft of the content
and
managing the privileges of the paying customers. Multi-channel television
systems such as Direct Broadcast Satellite systems (DBS) and cable TV systems
have historically restricted access to content by encrypting content and
selectively
authorizing the customers channels. This authorization is either at
initialization or
specific addressed messages as needed.
Controlling the access of end-user receivers is described in the article "A
single
conditional access system for satellite, cable and terrestrial TV" published
in
IEEE Transactions on Consumer Electronics, Vo1.35, No. 3., August 1989, pages
464-468.
Prior art which describe the encryption of the content and the transfer of the
Condifional Access control sages is found in the Victor Patent USA
6,487,720.
harrvdna,e-tvinteractive.com 2
confidential
file#0327401r4
CA 02447265 2003-11-05
To prevent unauthorized television program signal decoding, the video signal
is
encrypted (scrambled) at the uplink or head end facility. Conditional Access
(CA) Systems enforce the content access, by encryption or scrambling the
content. The CA System uses control messages to transfer content decryption
information keys. These information keys for the decoder are provided only to
authorized end-users.
The digital television international standard, MPEG-2 (ISO/IEC 13818 series
1994), contains features to help operators prevent the theft of content.
o Feature # 1; Copyright Descriptor. A copyright ID is obtained fiom
Registration Authorities. The audio and video components
individually, and at the higher systems Layer, can be identified by a
number which is managed by registered agencies.
o Feature #2; Entitlement Control Messages (ECM) and Entitlement
Management Messages (EMM). These are messages which along with
the infrastructure send the descrambling information to remote set top
boxes to provide user access rights.
To prevent piracy theft of the content, the access rights are typically
implemented
in a tamper resistant environment. Some implementations have used STB smart
cards for the combination of flexibility of algorithm changes and tamper
resistance.
MPEG-2 ECM and EMM message process;
The video/audio service is encrypted (scrambled) by using a control word.
The control word is eixrypted with a service key and sent to all users in an
ECM
message. The control word is changed rapidly every few seconds.
The service key is encrypted from a key in the operators data base of the
subscribers contracted services and is sent via an EMM message. A service key
is
sent to each user and may take an hour or more subject to the quantity of
users.
The receiver decodes the EMM message using the key stored in the user Set Top
Box or smart card to obtain the deciphered service key.
The service key is then used to continuously descramble the control word. The
control word is then used to decipher the video/audio.
The European Broadcasting Union established a Digital Video Broadcasting
Project Oi~ce which addressed the Conditional Access System used by operators
to control subscribers access to services, programs and events. The primary
objective was to decouple the MPEG-2 decoding from the access control. This
initiative included specifications for a Common Scrambling system and
Conditional Access Decoder Common Interface. A North American initiative,
OpenCable, is also defining standard based protocol for the MPEG-2 transport
ham~e-tvinteractive.com 3
confidential
file#0327401r4
CA 02447265 2003-11-05
stream which describe the encryption of the content and the transfer of the
Conditional Access control messages.
Content of interest to end-users may include subscription TV services, a pay
per
view event, and an interactive TV service or event
Access rights have historically been the right of an end-user to view and
possibly
record a video segment. However, the nature of the historic "access right" is
limited and there exists the need for new and different types of restrictions
and
privileges, such as:
o Viewing and playing rights.
o the right to record the display during viewing and playing.
o the right to record and play back more than once.
o the right to record, view or play based upon some parameter such
as a time period, quantity of views/plays.
o The right to participate based upon some other independent
promotion, such as advertising viewing
o Different levels of play or participation subject to contract
provisions such as prizing, age or geography
Interactive TV (iT~ services will include the requirement for simultaneous
privilege management of multiple resources which are independently owned It
will also include new types of privileges not previously contemplated in
broadcast
systems. Specialized multiple privileges will be required for linear
video/audio
picture-irrpicture or overlays onto the iTV on-screen display. These iTV
transactions and usage rights will require more complex rights and privilege
management than historic broadcast television. iTV will include the need to
manage the rights and privileges of more than one service or resource and the
independent rules or conditions associated with those services. The invention
is
intended both to i.) address the additional scope required for appropriate
commercial management of digital television services and ii.) to be an
additional
security and management overlay which operates as an independent security
layer
from the existing prior art of MPEG-2 conditional access systems. The RPM
system invention provides another layer of content protection in the event the
MPEG-2 payload has been successfully breached by unauthorized users.
harrydna,e-tvinteractive.com 4
confidential
file#0327401 r4
CA 02447265 2003-11-05
3. Objectives of the invention
There is a need for the invention, a Rights and Privilege Management (RPM)
System, to be added to digital television services for the management of new
types of conditional privileges that are new in scope compared to historical
conditional ac~.ss systems.
The RPM System invention preferred embodiment is to co-exist with prior art
scrambling or conditional access systems. The invention can operate
independently of other security fimctions. The RPM System is not intended to
encrypt the MPEG-2 video streams.
It is an objective of the invention to provide an extra layer of content
protection if
a scenario develops where the primary MPEG-2 conditional access system is
breached, fails or is bypassed.
It is an objective of the system to support appropriate identification and
authentication of the end user's associated privileges and conditions while
preventing unauthorized access or copying of the content.
It is an objective of the invention that the system provide for a secure
mechanism
for authorizing t<ansactions.
It is an objective of the invention that the invention support access right
requirements for regulatory jurisdictional control based upon legal or
commercial
requirements which may inch~de age or geographical determinations.
An objective of the invention is to allow for the privileges to be updated
dynamically and to have a priority mechanism for faster updates.
The invention must be ~pable of being loaded and activated into a variety of
TV
decoders and Set Top Boxes which have different capabilities and constraints.
The invention must be capable of being loaded and activated into a variety of
broadcast systems which have different broadcast and different return path
capabilities and constraints.
It is an objective that control messages can be dynamically sent b~ the TV
decoders and Set Top Boxes application which manage the application life cycle
and parameters.
hamd(a~e-tvinteractive.com
confidential
file#0327401r4
CA 02447265 2003-11-05
Description of the Invention
The invention is an interactive digital TV security system which manages the
subscribers rights and privileges to play or view a service. It is
contemplated that
within the right are many privilege levels or options. Some of the privileges
will
be time based The invention, a Rights and Privilege Management System (RPM
System), is independent of third party conditional access systems.
The RPM System includes three subsystems shown in Fig. 1, housed in a secure
environment at the satellite uplink or cable TV headend facility;
~ RPM Collector
~ RPM Operations Control
~ Administrators Terminal
The RPM System includes within the subscriber's digital TV decoder a software
application (the RPM Application). The RPM Application has an overnding
permission function, which based upon the subscriber/user's profile, will
manage
the privileges and viewing rights by controlling; the user's on-screen-display
and
sound functions or television decoder functionality.
The subscribers rights and privilege's data information is collected from the
subscriber contracts into the inventions RPM Collector, and is to be
transmitted
along with other control messages, preferably, in a secure mode to the TV
decoder's RPM Application.
The TV decoder activates the invention's RPM Application, upon power-up. This
RPM Application is a small memory footprint application which in addition to
the
logic and management functions, maintains the unidue subscriber/user's RPM
Control Table .
Upon receipt the RPM Control Table is stored in the decoders non-volatile
m~noxy.
The RPM Application will perform an "integrity test", every time period T= x
minutes, in order to ensure that the RPM Control Table data has maintained
integrity (from attack). In the preferred embodiment the integrity test
includes a
CRC-16 detect test check, but subject to the commercial needs and decoder
constraints this integrity test may be implemented in a different ways
(example
CRC-32 detect, simple checksum, or cryptographic checksums such as
modification detection codes or message authentication codes). The detection
testing may involve the use of curnent secret keys and offset parameters on
the
detect codes. If the integrity test fails then the RPM Application proceeds
into
the "potential signal theft mode".
harryd(a7e-tvinteractive.com
confidential
file#0327401r4
CA 02447265 2003-11-05
The RPM Application performs a correlation test of the user's current service
against the pern~ission infom~ation stored in the RPM Control Table. If the
correlation test fails then the RPM Application proceeds into the 'potential
signal
theft mode".
The RPM Application receives the updated RPM Control Table data concerning
the users privileges and rights from the RPM Collector via a communications
network infrastructure. The communication infrastructure used is subject to
the
network architecture and availability of network bandwidth.
In the case of one way satellite availability, the infom~ation will be updated
via
the satellite transponder forward hnission. In the case of digital cable TV,
both the carried analog signals and digital signals will also be managed via
the
decoder RPM Control Table which can be updated in either the forward in-band
or out-of band paths.
The inventions RPM Operations Control subsystem manages the flow of
information to the TV decoders. The RPM Operations Control has an event table
and parameter/message table which is modified by the Admin Terminal. The
RPM Operations Control handles all security, keys and cipher suites for
messaging with the TV decoders and Set Top Boxes.
The subscribers rights and privilege's data information is collected from the
subscriber contracts database into the inventions RPM Collector. The RPM
Collector formats the subscriber's contracted rights and privileges
infom~ation for
use by the RPM Operations Control. The Operations Control formats all
messages into a part of a digital data stream structure. A digital data stream
structure is used for each frequency interval which the TV decoder's receive
tuner
can select. In the case of satellite, each frequency interval is a
transponder, or if
in the case of cable TV's forward path then into each MPEG-2 multiplex
transport
stream.
The bandwidth and bit rate needed to support the updating of the RPM Control
Table is dynamically adjusted for each >ransponder or mux transport stream.
The data payload for the RPM Control Table varies and is subject to the
requirements of the service's privileges offered
The basic fiulctions requires;
~ Unique TV decoder address
~ Subscribers privileges as contracted or purchased (bit map for the
transport structure)
The data for the basic fimctions of the may require as little as 10-50 kilo
bits per
second of the typical digital transponder 40Mbps data stream.
harryd~a~,e-tvinteractive.com 7
confidential
file#0327401r4
CA 02447265 2003-11-05
Other optional conditions of services can be added to the RPM Control Table;
~ Validating subscriber applications including game count
entitlements.
~ Validating start and stop time periods of a service.
~ Complementing the conditional access system.
The RPM Control Table data unique to each subscriber or group of subscribers
is
transmitted sequentially to each TV decoder or group of decoders by cycling
through all of the subscriber's decoder addresses with its own message.
In addition, some special control messages require transmission;
~ Universal messages to all decoders, Activate or De-activate the TV
decoder RPM Application.
~ Universal messages to all decoders, Exit, Suspend or Terminate
from the TV decoder RPM Application.
~ Individual decoder messages, Activate or De-activate the TV
decoder RPM Application.
~ Individual decoder, Reset the decoder control table.
~ Group messages, such as bouquet offering or regional black-out.
~ Time sensitive messages which require immediate >zansmission
with retransnnissions.
~ Media fingerprint keys to be sent to the RPM Control Table.
Once the RPM Application places the TV decoder or Set Top Box into the
"potential signal theft mode" an escalation process starts. Initial state is
orr
screen-display text based warnings increasing up to a state of a complete TV
display shut down. In addition, decoder boxes with an unrecognized decoder
address can be escalated into a permanent disabled state.
All messages are sent to the TV decoder box using a security scheme which in
the
preferred embodiment uses a Public Key Infiastsuctune with digital
certificates but
in the alternate may include:
~ Shared secret enciphered messages
~ A hopping algorithm used to change the MPEG-2 PID to hide the
message
~ Third Party encrypted Password to encrypt the message or cipher
keys
Third Party ECM/EMM access used to encrypt the message or
cipher keys
If in the case a media security fingerprint is available then the RPM Control
Table
will have a matching key to enable the service. (eg. if the VBI is available
and
carries a security key then the RPM Control Table would require a matching
key).
harryd(a~e-tvinteractive.com
confidential
file#0327401r4
