Abstract: Encrypted data transmitted over a data network is decrypted in accordance with a cipher decryption process using a Control Word transmitted with the data. The process is arranged to automatically identify the mode by which the data has been encrypted by identifying (66) the length of the Control Word transmitted with the encrypted data. The Control Word length may be identified (64) from metadata explicitly stating the length, or by analysis of the message in which the Control Word is conveyed. Different encryption modes using Control Words of different lengths can thus be identified, allowing the receiver to identify (67) which of a plurality of decryption modes available to the receiver should be used (69) to decrypt the data.

Abstract: Data messages having secure data location addresses other than a predefined set are handled by a user terminal (14) in the normal way by setting up a secure tunnel (181) to a server specified in the data message (16). As this would prevent any proxy server from performing any processing on the content of the data message, messages that require the proxy to perform process on the data messages are processed separately. Data messages (251) incorporating secure media access locators identifying a predefined set of known media servers are identified by a message processing function (41, 410, 44) and passed to a proxy server over a connection between the user terminal and the proxy which does not tunnel past the proxy server, such that the proxy server may generate a redirected media access locator for return to the user terminal (14).

Abstract: Data messages having secure data location addresses other than a predefined set are handled by a user terminal (14) in the normal way by setting up a secure tunnel (181) to a server specified in the data message (16). As this would prevent any proxy server from performing any processing on the content of the data message, messages that require the proxy to perform process on the data messages are processed separately. Data messages (251) incorporating secure media access locators identifying a predefined set of known media servers are identified by a message processing function (41, 410, 44) and passed to a proxy server over a connection between the user terminal and the proxy which does not tunnel past the proxy server, such that the proxy server may generate a redirected media access locator for return to the user terminal (14).

Abstract: A media asset location request redirection system causes a user terminal (11) to redirect first media asset location data (22) relating to a first content delivery network (16) such that the media asset location request is directed to a second content delivery platform (17), by means of a proxy redirection server (18) which translates the first media asset location data (21, 251) into second media asset location data (26) relating to the second content delivery network. Use of the proxy redirection server (18) is controlled by an authentication process, in which the user terminal (11) and proxy redirection server (18) perform a mutual authentication process to determine whether the redirection server (18) should accept the request for a media asset location.

Abstract: An asset location request redirection system (18) receives first asset location data (251) from a user terminal. The first asset location data relates to a first content delivery network, and the redirection system (18) generates a signed second asset location data (26) for return to the user terminal, allowing it to retrieve content from a second content delivery network. The second content delivery network uses authentication data (36, 37) in the signed second asset location to determine whether the asset location request is authentic and to be met. Such data may include confirmation that the requesting terminal has passed a validity check (35), and that the signed location data has not exceeded an expiry date.