Patents by Inventor John I. Okimoto

John I. Okimoto has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9385997
    Abstract: In accordance with a method for communicating a control word (CW) from a client such as an encryptor to a server such as the entitlement control message generator (ECMG) of a conditional access system (CAS), communication is established between the client and server over a secure connection. A control word to be encrypted is received by the client and encrypted using a first and second key. The first key is a global secret key (GSK) that is known to the client and the server without being communicated over the secure connection. The second key is a control word encryption key (CWEK) that is derived from a locally generated client nonce (CN) and a server nonce (SN) obtained from the server over the secure connection. The encrypted control word (ECW) is sent to the server over the secure connection.
    Type: Grant
    Filed: March 13, 2014
    Date of Patent: July 5, 2016
    Assignee: ARRIS Enterprises, Inc.
    Inventors: John I. Okimoto, Alexander Medvinsky, Lawrence D. Vince
  • Publication number: 20140281537
    Abstract: In accordance with a method for communicating a control word (CW) from a client such as an encryptor to a server such as the entitlement control message generator (ECMG) of a conditional access system (CAS), communication is established between the client and server over a secure connection. A control word to be encrypted is received by the client and encrypted using a first and second key. The first key is a global secret key (GSK) that is known to the client and the server without being communicated over the secure connection. The second key is a control word encryption key (CWEK) that is derived from a locally generated client nonce (CN) and a server nonce (SN) obtained from the server over the secure connection. The encrypted control word (ECW) is sent to the server over the secure connection.
    Type: Application
    Filed: March 13, 2014
    Publication date: September 18, 2014
    Applicant: General Instrument Corporation
    Inventors: John I. Okimoto, Alexander Medvinsky, Lawrence D. Vince
  • Publication number: 20130139198
    Abstract: A method, a digital content consumption device, and a conditional access system are disclosed. A network interface may receive in a digital content consumption device a public key message that includes an encrypted key. A processor may decrypt the encrypted key using a secret key to produce the transmitted public key, identify a region descriptor in the public key message, and determine the secret key based on the region descriptor.
    Type: Application
    Filed: November 29, 2011
    Publication date: May 30, 2013
    Applicant: General Instrument Corporation
    Inventors: John I. Okimoto, Alexander Medvinsky, Xin Qiu
  • Patent number: 8156560
    Abstract: The present invention discloses an apparatus and method for defining and enforcing rules of transition between two security domains, e.g., a transport domain and a persistent security domain. In turn, a border guard, e.g., a security device, is provided between these two domains that enforce rules for transition between the two security domains. This novel approach of defining a transport domain and a persistent security domain simplifies the classification of the digital content and its movement through the system. Namely, the border guard once established between the two systems can enforce DRM rules associated with how contents are moved between the two domains.
    Type: Grant
    Filed: December 30, 2004
    Date of Patent: April 10, 2012
    Assignee: General Instrument Corporation
    Inventors: John I. Okimoto, Bridget D. Kimball, Annie O. Chen, Michael T. Habrat, Douglas M. Petty, Eric Sprunk, Lawrence W. Tang
  • Patent number: 7929483
    Abstract: The present invention discloses a system and method for providing a secured system time reference to a subscriber device, e.g., a set top box or a receiver. In one embodiment, the system time reference is provided in a secure system time message that is broadcasted to a plurality of subscriber devices. Each subscriber device has a security device or software application that is capable of determining whether the received system time reference is legitimate. If the system time reference is determined to be legitimate, a local time reference is synchronized with said received system time reference.
    Type: Grant
    Filed: December 30, 2004
    Date of Patent: April 19, 2011
    Assignee: General Instrument Corporation
    Inventors: Bridget D. Kimball, Michael T. Habrat, John I. Okimoto, Douglas M. Petty, Eric J. Sprunk, Lawrence W. Tang
  • Patent number: 7765600
    Abstract: A method for authorizing a computer program having a number of features for use with a product includes: receiving license data generated using a first key, the license data specifying a unique identifier associated with the product and specifying at least one feature authorized for use with the product; using a second key associated with the first key, obtaining the unique identifier from the license data; retrieving a product identifier from the product; determining whether the unique identifier corresponds to the product identifier; and based on the determination, authorizing use of the at least one feature with the product.
    Type: Grant
    Filed: May 4, 2004
    Date of Patent: July 27, 2010
    Assignee: General Instrument Corporation
    Inventors: Jeri L. Saunders, Annie O. Chen, Erik J. Elstermann, John I. Okimoto
  • Patent number: 7305555
    Abstract: A system is described for uniquely mating components of a communication network such as a smartcard and a set-top box. When mated, the smartcard and set-top box are tied together and have a single identity. Further, the smartcard operates properly only when inserted into an authorized set-top box. Exchanges of information between both components are secured by encryption and authentication to guard against piracy of the exchanged information. The system provides the same authentication key to the set-top box and the smartcard. This key is used for authenticating communication between the set-top box and the smartcard. First, the authentication key is encrypted by a set-top box mating key. The set-top box employs this mating key to decrypt the authentication key. After it is derived, the authentication key is stored in the set-top box's memory. Further, the same authentication key is encrypted by a smartcard mating key.
    Type: Grant
    Filed: March 27, 2002
    Date of Patent: December 4, 2007
    Assignee: General Instrument Corporation
    Inventors: John I. Okimoto, Eric J. Sprunk, Lawrence W. Tang, Annie On-yee Chen, Bridget Kimball, Douglas Petty
  • Patent number: 6978022
    Abstract: An encryption renewal system for generating entitlement control messages, the system being secured by physical separation of components. The encryption renewal system has a first computing platform for performing non-secure tasks associated with one or more control messages that transmit one or more keys to a subscriber; and a second computing platform physically separate from the first computing platform containing one or more application specific integrated circuit chip for generating the one or more control messages. In addition, a method by the encryption renewal system is used to register an off-line encryption device in order to begin encrypting clear content.
    Type: Grant
    Filed: July 3, 2001
    Date of Patent: December 20, 2005
    Assignee: General Instrument Corporation
    Inventors: John I. Okimoto, Lawrence W. Tang
  • Publication number: 20040083177
    Abstract: Streaming content is encrypted by segmenting the content into a plurality of crypto periods, and by encrypting the content for each of a plurality of crypto periods with a different cryptographic key. The crypto periods are based on either (i) fixed time intervals, (ii) a fixed number of packets, (iii) a fixed marker count, or (iv) a pseudo random number of packets. Methods are provided for determining how to record the key changing criteria, and how to convey this information to VOD servers.
    Type: Application
    Filed: October 29, 2002
    Publication date: April 29, 2004
    Applicant: General Instrument Corporation
    Inventors: Annie On-Yee Chen, Lawrence W. Tang, Patrick Murphy, John I. Okimoto, Keith R. Cochran, George T. Hutchings
  • Publication number: 20030188164
    Abstract: A system is described for uniquely mating components of a communication network such as a smartcard and a set-top box. When mated, the smartcard and set-top box are tied together and have a single identity. Further, the smartcard operates properly only when inserted into an authorized set-top box. Exchanges of information between both components are secured by encryption and authentication to guard against piracy of the exchanged information. The system provides the same authentication key to the set-top box and the smartcard. This key is used for authenticating communication between the set-top box and the smartcard. First, the authentication key is encrypted by a set-top box mating key. The set-top box employs this mating key to decrypt the authentication key. After it is derived, the authentication key is stored in the set-top box's memory. Further, the same authentication key is encrypted by a smartcard mating key.
    Type: Application
    Filed: March 27, 2002
    Publication date: October 2, 2003
    Applicant: General Instrument Corporation
    Inventors: John I. Okimoto, Eric J. Sprunk, Lawrence W. Tang, Annie On-Yee Chen, Bridget Kimball, Douglas Petty
  • Publication number: 20020083438
    Abstract: A method of delivering content from a head end to subscriber terminals within one or more cable systems. Such content may be video, audio or the like. The method includes the step of encrypting the content offline to form pre-encrypted content, generating an encryption record containing parameters employed for encrypting the content. Based on the encryption record, a control message for permitting access to the pre-encrypted content is generated using a periodical key provided by the first cable system. The pre-encrypted content and associated control message is thereafter forwarded to the first subscriber terminal for decryption of the content. For a second subscriber terminal within a second cable system, the pre-encrypted content is retrofitted with a second control message permitting the pre-encrypted content to be decrypted by the second subscriber terminal.
    Type: Application
    Filed: July 3, 2001
    Publication date: June 27, 2002
    Inventors: Nicol Chung Pang So, John I. Okimoto, Annie On-Yee Chen, Lawrence W. Tang, Akiko Wakabayashi, Keith R. Cochran
  • Publication number: 20020051539
    Abstract: An encryption renewal system for generating entitlement control messages, the system being secured by physical separation of components. The encryption renewal system has a first computing platform for performing non-secure tasks associated with one or more control messages that transmit one or more keys to a subscriber; and a second computing platform physically separate from the first computing platform containing one or more application specific integrated circuit chip for generating the one or more control messages. In addition, a method by the encryption renewal system is used to register an off-line encryption device in order to begin encrypting clear content.
    Type: Application
    Filed: July 3, 2001
    Publication date: May 2, 2002
    Inventors: John I. Okimoto, Lawrence W. Tang