Multicast Patents (Class 713/163)
  • Patent number: 7904717
    Abstract: A network trace utility is provided. The network trace utility receives and copies packets in a secure session of (at least) two-way network communication between a client and a server. The network trace utility receives an administrator password, and uses a hash of the administrator password to decrypt the first session key. The network trace utility then decrypts one or more additional session keys, each one using the preceding session key. Then, the network trace utility decrypts the machine key using one of the session keys. A hash of the machine key is used to decrypt additional packets in the secure session. The network trace utility enables the contents of one or more additional packets in the secure session to be displayed to the user.
    Type: Grant
    Filed: June 19, 2007
    Date of Patent: March 8, 2011
    Assignee: Oracle America, Inc.
    Inventors: L. Mark Pilant, Mark C. Terranova, Ronald J. Karr
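The decryption chain the 7904717 abstract describes (administrator password hash unwraps the first session key, each session key unwraps the next, a session key unwraps the machine key, and a hash of the machine key decrypts the captured packets) as an added, runnable example. This is illustrative code written for this listing, not the patent's or Oracle's implementation. The patent names no cipher or wrapping format, so HMAC-SHA256 in counter mode with an encrypt-then-MAC tag is assumed as a stand-in; the tag is what lets a wrong administrator password fail cleanly instead of producing garbage.

```python
import hashlib
import hmac

# Constructed stand-in cipher (assumption): HMAC-SHA256 keystream plus a
# 32-byte HMAC tag over nonce||ciphertext.  Blob layout: nonce(8)|ct|tag(32).

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one blob under `key`."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag (constant-time), then decrypt; raises on a wrong key."""
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def unwrap_chain(admin_password: str, wrapped_session_keys, wrapped_machine_key, packets):
    """The trace utility's side: password hash -> session keys -> machine key -> packets."""
    kek = hashlib.sha256(admin_password.encode()).digest()   # hash of admin password
    for blob in wrapped_session_keys:
        kek = unseal(kek, blob)            # each session key is unwrapped by the preceding one
    machine_key = unseal(kek, wrapped_machine_key)
    packet_key = hashlib.sha256(machine_key).digest()        # hash of machine key
    return [unseal(packet_key, p) for p in packets]

def build_capture(admin_password: str, session_keys, machine_key: bytes, payloads):
    """Construct what a capture of such a session would contain (test fixture)."""
    kek = hashlib.sha256(admin_password.encode()).digest()
    wrapped = []
    for i, sk in enumerate(session_keys):
        wrapped.append(seal(kek, b"sess%04d" % i, sk))
        kek = sk
    wrapped_mk = seal(kek, b"machkey0", machine_key)
    pk = hashlib.sha256(machine_key).digest()
    pkts = [seal(pk, b"pkt%05d" % i, p) for i, p in enumerate(payloads)]
    return wrapped, wrapped_mk, pkts
```

Note the security property this chain implies: anyone holding the administrator password and a passive capture recovers every session key and the machine key, so the password is effectively a long-term decryption key for all recorded traffic and must be handled as such.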
  • Patent number: 7904714
    Abstract: In a communication system, second encryption information is generated using first encryption information when data to be transmitted is generated. The data is encrypted using the second encryption information and third encryption information. A signal including the encrypted data and the first encryption information is generated and transmitted.
    Type: Grant
    Filed: January 11, 2006
    Date of Patent: March 8, 2011
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Ji-Cheol Lee, Jun-Hyuk Song, Geun-Hwi Lim
  • Patent number: 7889865
    Abstract: A unified system of programming communication. The system encompasses the prior art (television, radio, broadcast hardcopy, computer communications, etc.) and new user specific mass media. Within the unified system, parallel processing computer systems, each having an input (e.g., 77) controlling a plurality of computers (e.g., 205), generate and output user information at receiver stations. Under broadcast control, local computers (73, 205), combine user information selectively into prior art communications to exhibit personalized mass media programming at video monitors (202), speakers (263), printers (221), etc. At intermediate transmission stations (e.g., cable television stations), signals in network broadcasts and from local inputs (74, 77, 97, 98) cause control processors (71) and computers (73) to selectively automate connection and operation of receivers (53), recorder/players (76), computers (73), generators (82), strippers (81), etc.
    Type: Grant
    Filed: June 7, 1995
    Date of Patent: February 15, 2011
    Assignee: Personalized Media Communications, L.L.C.
    Inventors: John Christopher Harvey, James William Cuddihy
  • Patent number: 7882360
    Abstract: A third-party can subscribe to one or more electronic message group lists without joining the group lists by creating a trust relationship between the subscriber and a group list member. In particular, the subscriber can send a trust indicator to the group member, who can then determine whether to accept the trust indicator for all or specific groups that are associated with the group member, as appropriate. In at least one embodiment, the group member can send a trust indicator acceptance message to the subscriber that identifies the group member, and any or all group lists associated with the group member. The subscriber can then receive messages directed to the trusted group member or group lists, and can send group messages to the group lists subject to a receive setting associated with the group lists or group members of the group lists.
    Type: Grant
    Filed: December 20, 2004
    Date of Patent: February 1, 2011
    Assignee: AOL Inc.
    Inventor: Richard A. Landsman
  • Patent number: 7881477
    Abstract: Multicast networks are partitioned into hierarchical security domains. Each security domain may comprise one or more lower security domains. Each security domain includes a security broker that distributes a group key and translates multicast data destined to the security domain, if necessary. A primary security broker at the second level of the hierarchical multicast system distributes the top security key to all peer members, including all peer security domain brokers to establish trust relationships. For each security domain boundary with security domain border routers, a multicast virtual link is configured that connects the security domain border routers and the security broker for the security domain to reduce the latency in forwarding multicast data. It can also make the backbone of the security domain contiguous so that multicast data can travel unchanged across the backbone. The multicast data is forwarded to the security domain through the security broker with security translation.
    Type: Grant
    Filed: July 25, 2006
    Date of Patent: February 1, 2011
    Assignee: Avaya Inc.
    Inventor: Yunzhou Li
  • Patent number: 7877602
    Abstract: A mechanism for enabling efficient encryption and integrity validation of network files. When a request to read a file stored in a local network file system is received, the local network file system examines cryptographic attributes associated with the file to determine if the file is encrypted or integrity-verified. If the cryptographic attributes indicate the file is encrypted, the local network file system omits the encryption of the file by the local network file system prior to passing the file to the remote network file system. If the cryptographic attributes indicate the file is integrity-verified, the local network file system omits the integrity-verification of the file by the local network file system prior to passing the file to the remote network file system. The local network file system then transmits the file to the remote network file system.
    Type: Grant
    Filed: July 27, 2007
    Date of Patent: January 25, 2011
    Assignee: International Business Machines Corporation
    Inventors: Steven Michael French, Michael Austin Halcrow, Prasad Venkata Potluri
  • Patent number: 7877606
    Abstract: A method of authorizing printing of a publication at a printer by a publisher in a network is provided, in which an alias identity of a user is created from both a sensing device identity and an application identity when the user interacts with a printed application tag associated with the publication using the sensing device, the publication is addressed to the user by the alias identity, the publication is signed using a private key of the publisher, the signed publication is sent to the printer, and it is confirmed that the signed publication may be printed at the printer by verifying the private key signature.
    Type: Grant
    Filed: April 13, 2009
    Date of Patent: January 25, 2011
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Paul Lapstun, Kia Silverbrook
  • Publication number: 20110016307
    Abstract: An end user computer is assigned a multicast content distribution group by a network service intelligence platform. The network service intelligence platform authenticates a token sent by the user and signed by a third part content controller, and provides the user with credentials for joining the group. The credentials include an authorization key as well as identifications of the user and the requested content. The credentials are encrypted and authenticated by the third party content controller. The user includes the encrypted and authenticated credentials in a join request sent to a network resource, such as an edge router. After verifying the credentials, the network resource adds the end user computer to the multicast group.
    Type: Application
    Filed: July 14, 2009
    Publication date: January 20, 2011
    Inventors: Thomas J. Killian, Mark W. Altom, Juan A. Garay, Douglas Nortz, David J. Segelstein
  • Patent number: 7870611
    Abstract: Embodiments of the invention are directed to a detection system, method and apparatus that identifies and eradicates fraudulent requests on a network. Embodiments of the detection system comprise at least one router, a server, and an activity monitoring system. The activity monitoring system comprises a route arbiter and a traffic analyzer, wherein the route arbiter monitors the activity on the router. The route arbiter continuously monitors the router and firewall device to determine if abnormal activity or traffic patterns are emerging. If a determination is made that abnormal activity or abnormal traffic patterns exist, the activity monitoring system responds by blocking the activity or redirecting the traffic.
    Type: Grant
    Filed: July 1, 2008
    Date of Patent: January 11, 2011
    Assignee: BayTSP.com, Inc.
    Inventor: Mark M. Ishikawa
  • Patent number: 7864956
    Abstract: A unified system of programming communication. The system encompasses the prior art (television, radio, broadcast hardcopy, computer communications, etc.) and new user specific mass media. Within the unified system, parallel processing computer systems, each having an input (e.g., 77) controlling a plurality of computers (e.g., 205), generate and output user information at receiver stations. Under broadcast control, local computers (73, 205), combine user information selectively into prior art communications to exhibit personalized mass media programming at video monitors (202), speakers (263), printers (221), etc. At intermediate transmission stations (e.g., cable television stations), signals in network broadcasts and from local inputs (74, 77, 97, 98) cause control processors (71) and computers (73) to selectively automate connection and operation of receivers (53), recorder/players (76), computers (73), generators (82), strippers (81), etc.
    Type: Grant
    Filed: June 7, 1995
    Date of Patent: January 4, 2011
    Assignee: Personalized Media Communications, LLC
    Inventors: John Christopher Harvey, James William Cuddihy
  • Patent number: 7865723
    Abstract: Method and apparatus providing program information to client devices for at least one multicast stream of digital content is described. In one embodiment, session description messages for the at least one multicast stream of digital content are generated. Each of the session description messages includes at least one content access parameter. The at least one content access parameter may include digital rights management (DRM) data, channel key identification data associated with the at least one channel of the at least one multicast stream of digital content, and/or data indicative of whether each session description message is associated with a channel, a program, or a program segment. Each of the session description messages is signed using a cryptographic key. The session description messages are then multicasted to the client devices using a predefined multicast address.
    Type: Grant
    Filed: August 11, 2005
    Date of Patent: January 4, 2011
    Assignee: General Instrument Corporation
    Inventors: Petr Peterka, Alexander Medvinsky
  • Patent number: 7860249
    Abstract: A unified system of programming communication. The system encompasses the prior art (television, radio, broadcast hardcopy, computer communications, etc.) and new user specific mass media. Within the unified system, parallel processing computer systems, each having an input (e.g., 77) controlling a plurality of computers (e.g., 205), generate and output user information at receiver stations. Under broadcast control, local computers (73, 205), combine user information selectively into prior art communications to exhibit personalized mass media programming at video monitors (202), speakers (263), printers (221), etc. At intermediate transmission stations (e.g., cable television stations), signals in network broadcasts and from local inputs (74, 77, 97, 98) cause control processors (71) and computers (73) to selectively automate connection and operation of receivers (53), recorder/players (76), computers (73), generators (82), strippers (81), etc.
    Type: Grant
    Filed: May 15, 1995
    Date of Patent: December 28, 2010
    Assignee: Personalized Media Communications LLC
    Inventors: John Christopher Harvey, James William Cuddihy
  • Patent number: 7853988
    Abstract: A geospatial decision management system (GDMS) can save the overall state of a user's experience at one point in time within a GDMS session so that the user can restore the overall state at a later time, such as by restoring a geospatial browser view (e.g., camera settings for rendering the map on the display screen, layer state information, map location) and restoring the states of one or more instances of geospatially-referenced tools that were active at the time of the state save. Upon restore, the browser and tools are initialized with their saved states so that the user is presented with the same functionality, data, and browser view that were displayed and accessible at the time of the state save. Saved states are transportable and can also be sequenced and animated to allow presentation of a slide show of individual GDMS views.
    Type: Grant
    Filed: May 16, 2007
    Date of Patent: December 14, 2010
    Assignee: Waterstone Environmental Hydrology & Engineering, Inc.
    Inventors: Carla Johnson, Warren Christopher Wonders, John Richard Roth, Russell David Huff, Brian Lee Myller
  • Publication number: 20100313014
    Abstract: A conditional access system (CAS) computer in a downloadable CAS receives a downloadable management certificate (DMC) and determines, using the DMC, security information including a DMC key size and an expiration time of a DMC subordinate certificate authority (sub-CA) certificate, for the client device. The CAS computer then determines whether the DMC is valid based on the expiration time of the DMC sub-CA certificate. If the DMC is determined to be valid, the CAS server sends a cryptographic identity for the client device and a CAS client to the client device protected using the DMC. At a later time, if the DMC key size is considered to be still sufficiently secure, the validity of the DMC is extended by issuing a new DMC sub-CA certificate with the same public key as the original DMC sub-CA certificate.
    Type: Application
    Filed: June 4, 2010
    Publication date: December 9, 2010
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventors: Alexander Medvinsky, Tat Keung Chan
  • Patent number: 7840810
    Abstract: A method for rejoining a second group of nodes with a first group of nodes is described. A first state of a first group key associated with a first group of nodes is received. The first state of the first group key is multicast to a second group of nodes. The first group key is rekeyed to a second group key associated with the second group of nodes. A second state of the second group key is multicast to the second group of nodes. A third state of a third group key associated with the first group of nodes is received. A rekey command is multicast to the second group of nodes if the third state is different from the second state. The second group key is rekeyed to the third group key.
    Type: Grant
    Filed: January 18, 2007
    Date of Patent: November 23, 2010
    Assignee: Panasonic Electric Works Co., Ltd.
    Inventor: W. Bryant Eastham
  • Patent number: 7836300
    Abstract: A semiconductor integrated circuit for the processing of conditional access television signals, the circuit including an input interface for receiving encrypted television signals and an output interface for output of decrypted television signals. Control signals broadcast with the television signals include control words and common keys. The common keys are received in encrypted form, encrypted according to a secret key unique to each semiconductor integrated circuit. The input interface is connected to a decryption circuit whereby the only manner of providing the common keys to the circuit are in encrypted form encrypted according to the secret key. Due to the monolithic nature of the circuit, no secrets are exposed and the system is secure.
    Type: Grant
    Filed: November 10, 2003
    Date of Patent: November 16, 2010
    Assignee: STMicroelectronics Limited
    Inventors: Andrew Dellow, Rodrigo Cordero
  • Patent number: 7827304
    Abstract: A method and system for virtual multicast networking are provided, which can offer a multicast application service on a non-multicast network, that is, a network that does not support multicast.
    Type: Grant
    Filed: May 28, 2002
    Date of Patent: November 2, 2010
    Assignees: Zooinnet, EGC & C., Ltd, National Computerization Agency
    Inventors: Hyunje Park, Yong-Hwa Kim
  • Patent number: 7827398
    Abstract: A method for offloading encryption and decryption of a message received at a message server to one or more end devices that are remote from the message server. An encrypting end device remote from the message server encrypts a message using cryptographic context and transmits the cryptographic context and encrypted message to the message server for storage at the message server. The message server stores the encrypted message as received without decrypting the message. The message server sends the stored cryptographic context and the encrypted message to a decrypting end device in response to the decrypting end device sending a request for the message server to transmit the encrypted message to the decrypting end device. The decrypting end device uses the cryptographic context to decrypt the encrypted message and then presents the decrypted message to a user of the decrypting end device.
    Type: Grant
    Filed: October 27, 2005
    Date of Patent: November 2, 2010
    Assignee: Hewlett-Packard Company
    Inventors: Xiufen Liu, John Poplett, Arun Singh
  • Patent number: 7826611
    Abstract: A system and method for exchanging a transformed message with enhanced privacy is presented. A set of input messages is defined. A set of output messages is defined. A message is selected from the input messages set. One or more words in the selected message are efficiently transformed directly into a transformed message different from the selected message, wherein the transformed message belongs to the set of output messages, at least one component of the selected message is recoverable from the transformed message, and the cost of determining whether the transformed message belongs to the input messages set or the output messages set exceeds a defined threshold.
    Type: Grant
    Filed: October 17, 2005
    Date of Patent: November 2, 2010
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Ayman Omar Farahat, Philippe Jean-Paul Golle, Aleksandra Korolova
  • Patent number: 7813510
    Abstract: A system for key management for a plurality of nodes includes: a first key generation device (130) for generating a first set of secret keys for secure communication between the plurality of nodes; a second key generation device (130) for generating a second set of secret keys that is different from the first set of secret keys for secure communication between the plurality of nodes; and key distribution apparatus (140) coupled to the first and second key generation devices for authenticating the plurality of nodes and selectively distributing the first and second sets of secret keys to the plurality of nodes.
    Type: Grant
    Filed: February 28, 2005
    Date of Patent: October 12, 2010
    Assignee: Motorola, Inc
    Inventor: Judy Fu
  • Publication number: 20100228972
    Abstract: The claimed invention relates to system and method for providing encrypted content via a distribution network 630 with efficient key distribution and distribution network assignment. The claimed invention assigns users to content-specific distribution network in which the content is broadcast. This makes the content access much more efficient by conducting the authorization at the time of joining the content-specific distribution network and providing the content to entitled users through broadcasting. The claimed invention provides additional security by removing a user from the content-specific distribution network when his entitlement is no longer valid.
    Type: Application
    Filed: March 4, 2009
    Publication date: September 9, 2010
    Applicant: Hong Kong Applied Science and Technology Research Institute Company Limited
    Inventors: Yiu-Wing Wat, Zhibin Lei
  • Publication number: 20100228971
    Abstract: A method of broadcasting a scrambled multimedia programme, by way of a broadband network, in which, before transmitting a license key: a network head carries out a step of authenticating a terminal; if the terminal has been successfully authenticated, the network head sends the terminal a license transmission message containing the license key or a cryptogram of the license key, by way of a point-to-point link; and if the terminal is not successfully authenticated, the network head acts (at 200) in such a way as to prevent the complete descrambling by this terminal of the scrambled multimedia programme broadcast.
    Type: Application
    Filed: June 13, 2007
    Publication date: September 9, 2010
    Inventors: Philippe Carles, Anthony Chevallier, Gilles Dubroeucq, Stéphane Lanfranchi
  • Patent number: 7788700
    Abstract: The present invention is a platform of software which is a single, customizable, complete distributed computing security solution designed to be integrated into an enterprise computing environment. Digital Network Authentication (DNA) is the centerpiece of the system of the present invention. It is a unique means to authenticate the identity of a communicating party and authorize its activity. The whole mechanism can be thought of as a trusted third party providing assurances to both clients and servers that each communicating entity is a discrete, authenticated entity with clearly defined privileges and supporting data. Furthermore, the level of trust to be placed in the authorization of every entity communicating within the system is communicated to every entity within a distributed computing environment.
    Type: Grant
    Filed: May 15, 2003
    Date of Patent: August 31, 2010
    Inventors: Richard M. Feezel, Gerard A. Gagliano
  • Patent number: 7783014
    Abstract: A sending device exchanges handshake signals with a receiving device prior to the delivery of compressed digital audio data. The sending and receiving devices are remotely connected using a data network. In one embodiment of the present invention, the sending device sends an access code to the receiving device. The access code is an encrypted data of two components: a digital data associated with the sending device and a digital data associated with the receiving device. The receiving device decrypts the access code. The receiving device stores the compressed digital audio data in its memory if the decrypted access code contains the correct components.
    Type: Grant
    Filed: May 7, 2007
    Date of Patent: August 24, 2010
    Inventor: Hark C. Chan
  • Publication number: 20100211775
    Abstract: A system and method for generating a set of IP addresses for access multi-homing in an Internet access network. A generating host obtains from the network a set of IPv6 subnet prefixes for a plurality of available Internet Service Providers, ISPs. The generating host generates a single IPv6 interface identifier from the subnet prefixes and cryptographically binds the subnet prefixes with the single IPv6 interface identifier. A remote peer verifies that all of the IP addresses belong together by independently generating the IPv6 interface identifier from the same set of subnet prefixes and comparing the result with the IPv6 interface identifier generated by the generating host.
    Type: Application
    Filed: June 11, 2008
    Publication date: August 19, 2010
    Inventor: Christian Vogt
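The binding the 20100211775 abstract describes, as an added example written for this listing (not the applicant's code): a host derives one 64-bit IPv6 interface identifier from the whole set of ISP subnet prefixes, forms one address per prefix, and a peer verifies the set by recomputing the identifier from the prefixes it sees in the addresses. The hash (SHA-256 truncated to 64 bits), the canonical ordering of prefixes, the /64 prefix length and the optional `modifier` input are assumptions; the abstract specifies only that the identifier is generated from, and cryptographically bound to, the prefix set.

```python
import hashlib
import ipaddress

def interface_id_from_prefixes(prefixes, modifier: bytes = b"") -> int:
    """Bind a prefix set to one 64-bit interface identifier (constructed scheme)."""
    nets = sorted(ipaddress.IPv6Network(str(p)) for p in prefixes)   # canonical order
    if any(n.prefixlen != 64 for n in nets):
        raise ValueError("this demo assumes /64 subnet prefixes")
    data = b"".join(n.network_address.packed[:8] for n in nets) + modifier
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def addresses_for(prefixes, modifier: bytes = b""):
    """The generating host: one address per ISP prefix, all sharing the bound IID."""
    iid = interface_id_from_prefixes(prefixes, modifier)
    return [str(ipaddress.IPv6Address(int(ipaddress.IPv6Network(str(p)).network_address) | iid))
            for p in prefixes]

def verify_address_set(addresses, modifier: bytes = b"") -> bool:
    """The remote peer: extract prefixes and IIDs, recompute, compare."""
    addrs = [ipaddress.IPv6Address(a) for a in addresses]
    iids = {int(a) & ((1 << 64) - 1) for a in addrs}
    if len(iids) != 1:
        return False                      # addresses do not even share an IID
    prefixes = [ipaddress.IPv6Network(((int(a) >> 64) << 64, 64)) for a in addrs]
    return iids.pop() == interface_id_from_prefixes(prefixes, modifier)
```

Caveat a practitioner should keep in mind: with only prefixes (and a public modifier) in the hash input, the check proves that the addresses were generated together, not who generated them; anyone can produce a consistent set for any prefixes. Proof of ownership needs something the generator alone holds, for example a public key hashed into the identifier as in cryptographically generated addresses, which the abstract does not mention.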
  • Publication number: 20100205428
    Abstract: A packet forwarding process, on a data communications device, forwards a packet to a plurality of destinations within a network from that data communications device using an “encrypt, then replicate” method. The packet forwarding process receives a packet that is to be transmitted to the plurality of destinations, and applies a security association to the packet using security information shared between the data communications device, and the plurality of destinations, to create a secured packet. The secured packet contains a header that has a source address and a destination address. The source address is inserted into the header, and then the packet forwarding process replicates the secured packet, once for each of the plurality of destinations. After replication, the destination address is inserted into the header, and the packet forwarding process transmits each replicated secured packet to each of the plurality of destinations authorized to maintain the security association.
    Type: Application
    Filed: April 14, 2010
    Publication date: August 12, 2010
    Inventors: Brian E. Weis, Jan Vilhuber, Michael Lee Sullenberger, Frederic R.P. Detienne
  • Patent number: 7774598
    Abstract: A method of managing a key of a user for a broadcast encryption. The method includes forming a tree comprising m hierarchies by repeating a process of setting an i-th level comprising groups into which at least one node is grouped in a unit of n_i, and setting an (i+1)-th level comprising the groups of the i-th level that are re-grouped in a unit of n_{i+1}, for i from 1 to m. The method further includes mapping users on at least one node of the tree and message providers on the m-th hierarchy, going down from the m-th hierarchy to the first hierarchy to map key encryption keys with respect to the (i+1)-th level connected to the i-th level, and transmitting the message using the key encryption keys.
    Type: Grant
    Filed: November 23, 2005
    Date of Patent: August 10, 2010
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Andrey L. Chmora, Alexey V. Urivskiy
  • Patent number: 7774597
    Abstract: The invention provides a method and system for a network which includes a plurality of nodes, preferably routers, a shared network segment for communication between the nodes, and several multicast channels in the shared network segment on which the nodes, preferably routers, can send multicast messages to the other nodes. A specific multicast channel is provided on which the nodes can send specific start multicast messages to other nodes, wherein a node which starts a protocol application, preferably a routing protocol application such as Open Shortest Path First (OSPF) protocol, is adapted to send a multicast start message on the specific multicast channel. Another node, preferably a router, receiving this start message is adapted to validate the authenticity of the start message and to send a response message.
    Type: Grant
    Filed: August 27, 2003
    Date of Patent: August 10, 2010
    Inventor: Ram Gopal Lakshmi Narayanan
  • Patent number: 7769170
    Abstract: A unified system of programming communication. The system encompasses the prior art (television, radio, broadcast hardcopy, computer communications, etc.) and new user specific mass media. Within the unified system, parallel processing computer systems, each having an input (e.g., 77) controlling a plurality of computers (e.g., 205), generate and output user information at receiver stations. Under broadcast control, local computers (73, 205), combine user information selectively into prior art communications to exhibit personalized mass media programming at video monitors (202), speakers (263), printers (221), etc. At intermediate transmission stations (e.g., cable television stations), signals in network broadcasts and from local inputs (74, 77, 97, 98) cause control processors (71) and computers (73) to selectively automate connection and operation of receivers (53), recorder/players (76), computers (73), generators (82), strippers (81), etc.
    Type: Grant
    Filed: May 22, 1995
    Date of Patent: August 3, 2010
    Assignee: Personalized Media Communications, LLC
    Inventors: John Christopher Harvey, James William Cuddihy
  • Patent number: 7769177
    Abstract: A method of digital rights management for a broadcast-multicast service, the method comprising receiving a request from a terminal to join a service domain having a common group key; transmitting encryption of one or more service encryption keys using the common group key to the terminal that requested to join; and allowing the terminal to share the same contents and the same services with one or more other devices within the service domain.
    Type: Grant
    Filed: January 13, 2006
    Date of Patent: August 3, 2010
    Assignee: LG Electronics Inc.
    Inventors: Sung-Mu Son, Te-Hyun Kim, Dong-Hee Shim, Kyu-Sung Han, Min-Jung Shon, Seung-Jae Lee, Youn-Sung Chu
  • Publication number: 20100185850
    Abstract: Method and device for authenticating a legal neighbor in group key management (GKM) are disclosed. The method includes: members on a local network that needs the automatic GKM service store a group shared key and a group authentication algorithm; an authenticating member receives a first authentication value and authentication information of an authenticated member sent from the authenticated member, where the first authentication value is calculated by the authenticated member by using the group shared key and the authentication information of the authenticated member according to the group authentication algorithm; the authenticating member calculates a second authentication value by using the authentication information of the authenticated member and the group shared key according to the group authentication algorithm; the authenticating member authenticates the authenticated member as a legal neighbor when confirming that the first authentication value is the same as the second authentication value.
    Type: Application
    Filed: March 26, 2010
    Publication date: July 22, 2010
    Inventor: Ya Liu
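The legal-neighbor check in the 20100185850 abstract (authenticated member sends its authentication information and a first value computed over it with the group shared key; the authenticating member recomputes a second value and accepts when the two match), as an added example written for this listing rather than the applicant's implementation. The group authentication algorithm is assumed to be HMAC-SHA256, and the authentication information is assumed to be a member id, a timestamp and a nonce; the freshness window and the replay cache are additions the abstract does not describe, included because without them a captured message authenticates forever.

```python
import hashlib
import hmac

GROUP_SHARED_KEY = b"\x11" * 32      # constructed; every member of the local network holds it

def make_auth(group_key: bytes, member_id: str, now: int, nonce: bytes):
    """Authenticated member: build authentication info and the first authentication value."""
    info = f"{member_id}|{now}|{nonce.hex()}".encode()
    return info, hmac.new(group_key, info, hashlib.sha256).digest()

def verify_neighbor(group_key: bytes, info: bytes, first_value: bytes,
                    now: int, seen: set, max_skew: int = 30) -> bool:
    """Authenticating member: recompute the second value and compare in constant time."""
    member_id, ts, nonce_hex = info.decode().split("|")
    if abs(now - int(ts)) > max_skew:
        return False                                  # stale (assumed freshness rule)
    if (member_id, nonce_hex) in seen:
        return False                                  # replayed (assumed replay cache)
    second_value = hmac.new(group_key, info, hashlib.sha256).digest()
    if not hmac.compare_digest(first_value, second_value):
        return False                                  # not a holder of the group key
    seen.add((member_id, nonce_hex))
    return True
```

Because every member computes the same value from the same shared key, a passing check proves membership in the group, not the identity in the member id field: any key holder can claim to be any neighbor. That is inherent to a single group shared key and is worth stating in any threat model built on this scheme.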
  • Patent number: 7761702
    Abstract: A packet forwarding process, on a data communications device, forwards a packet to a plurality of destinations within a network from that data communications device using an “encrypt then replicate” method. The packet forwarding process receives a packet that is to be transmitted to the plurality of destinations, and applies a security association to the packet using security information shared between the data communications device, and the plurality of destinations, to create a secured packet. The secured packet contains a header that has a source address and a destination address. The source address is inserted into the header, and then the packet forwarding process replicates the secured packet, once for each of the plurality of destinations. After replication, the destination address is inserted into the header, and the packet forwarding process transmits each replicated secured packet to each of the plurality of destinations authorized to maintain the security association.
    Type: Grant
    Filed: April 15, 2005
    Date of Patent: July 20, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Brian E. Weis, Jan Vilhuber, Michael Lee Sullenberger, Frederic R.P. Detienne
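The "encrypt, then replicate" forwarding process described in both 20100205428 and 7761702 above, as an added example written for this listing, not Cisco's implementation. The packet layout (src, dst, nonce, ciphertext, tag) and the cipher (HMAC-SHA256 keystream with an HMAC tag) are assumptions. The point the code makes explicit is the one the abstract's ordering implies: the group security association is applied once and covers the source address, nonce and ciphertext but not the destination, so a destination can be inserted into each replica after the expensive step without breaking the tag.

```python
import hashlib
import hmac

# Constructed layout (assumption):  src(4) | dst(4) | nonce(8) | ciphertext | tag(32)
# The shared group SA authenticates src||nonce||ct only; dst is outside the tag.
GROUP_SA_KEY = bytes.fromhex("00" * 31 + "01")     # constructed shared SA key

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def secure_packet(key: bytes, src: bytes, nonce: bytes, payload: bytes) -> bytes:
    """Apply the SA once: encrypt the payload, authenticate src||nonce||ct, insert src."""
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, src + nonce + ct, hashlib.sha256).digest()
    return src + nonce + ct + tag                     # no destination yet

def replicate(secured: bytes, destinations) -> list:
    """Copy the secured packet once per destination, inserting dst after src."""
    src, rest = secured[:4], secured[4:]
    return [src + dst + rest for dst in destinations]

def forward(key: bytes, src: bytes, nonce: bytes, payload: bytes, destinations) -> list:
    """The forwarding process: encrypt, then replicate."""
    return replicate(secure_packet(key, src, nonce, payload), destinations)

def receive(key: bytes, packet: bytes, my_addr: bytes):
    """A destination holding the SA: check dst, verify the tag, decrypt. None on failure."""
    src, dst, nonce = packet[:4], packet[4:8], packet[8:16]
    ct, tag = packet[16:-32], packet[-32:]
    if dst != my_addr:
        return None
    expected = hmac.new(key, src + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
```

Two consequences worth noting: the nonce must never repeat under the same group key, since every replica carries the same keystream; and because the SA is symmetric and shared by all destinations, any member can produce a packet that verifies as coming from `src`, so the tag proves group membership rather than origin.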
  • Patent number: 7761710
    Abstract: A system, method and computer program product are provided. In use, a peer-to-peer wireless network is advertised utilizing a granting node. Further, a requesting node is provided for connecting to the peer-to-peer wireless network. Thereafter, such requesting node is redirected to a portal. To this end, a software application is capable of being downloaded to the requesting node via the peer-to-peer wireless network utilizing the portal.
    Type: Grant
    Filed: February 21, 2006
    Date of Patent: July 20, 2010
    Assignee: McAfee, Inc.
    Inventors: Terrance L. Lillie, Christian Wiedmann, Robert Zeljko, Richard P. Sneiderman, Ulrich Wiedmann, Gigi C. Chu, Sean R. Lynch
  • Patent number: 7756509
    Abstract: Embodiments of methods and apparatus for providing an access profile system associated with a broadband wireless access network are generally described herein. Other embodiments may be described and claimed.
    Type: Grant
    Filed: March 31, 2006
    Date of Patent: July 13, 2010
    Assignee: Intel Corporation
    Inventors: Bala Rajagopalan, Sanjay Bakshi
  • Patent number: 7757082
    Abstract: Methods and apparatus for efficient revocation of receivers. In one implementation, a method of broadcast encryption includes: assigning a respective master key to each of a plurality of receivers, where each master key can be used to derive two or more of a plurality of sub keys; revoking one or more receivers, leaving one or more unrevoked receivers; for each master key of an unrevoked receiver, selecting the sub key that can be derived by that master key and derived by the most other master keys but not derived by a master key of any of the one or more revoked receivers; for each selected sub key, encrypting one ciphertext using that selected sub key; and sending the encrypted ciphertexts to the plurality of receivers.
    Type: Grant
    Filed: December 4, 2007
    Date of Patent: July 13, 2010
    Assignee: Sony Corporation
    Inventor: Tomoyuki Asano
  • Patent number: 7751569
    Abstract: The present invention uses a group key management scheme for admission control while enabling various conventional approaches toward establishing peer-to-peer security. Various embodiments of the invention can provide peer-to-peer confidentiality and authenticity, such that other parties, such as group members, cannot understand communications not intended for them. A group key may be used in combination with known unicast security protocols to establish, implicitly or explicitly, proof of group membership together with bi-lateral secure communication.
    Type: Grant
    Filed: November 19, 2002
    Date of Patent: July 6, 2010
    Assignee: Oracle America, Inc.
    Inventors: Germano Caronni, Glenn C. Scott
  • Patent number: 7752435
    Abstract: A method of managing a user key for a broadcast encryption. The method includes assigning numbers to respective users and arranging the users on a ring-shaped structure in order to map hash chains onto the respective nodes of a ring-shaped structure. The method further includes making random node keys correspond to the respective nodes, one by one, constructing the hash chains from the corresponding node keys using a hash function, and successively mapping the constructed hash chains onto the nodes of the ring-shaped structure.
    Type: Grant
    Filed: November 14, 2005
    Date of Patent: July 6, 2010
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Dae-youb Kim, Hwan-joon Kim, Weon-il Jin, Sung-joon Park, Dong-hoon Lee, Jung-yeon Hwang
  • Patent number: 7747853
    Abstract: According to one embodiment, a digital stream, inclusive of an Internet Protocol (IP) datagram, is transmitted to a digital device. The IP datagram comprises an IP header and a body segmented to include a plurality of packets in an MPEG format such as MPEG-2 or MPEG-4, for example. The plurality of packets comprises (i) a first packet including a payload having content and a header that comprises a first packet identifier to indicate a type of the content contained in the payload of the first packet, and (ii) a second packet including a payload and a secondary packet identifier to indicate that its payload includes content duplicative of the content contained in the first packet. The second packet precedes the first packet in the digital stream. Upon detecting the presence of duplicative content, the duplicative content is recovered, but the content contained in the payload of the first packet is disregarded.
    Type: Grant
    Filed: March 31, 2004
    Date of Patent: June 29, 2010
    Assignees: Sony Corporation, Sony Electronics Inc.
    Inventor: Brant L. Candelore
  • Patent number: 7748027
    Abstract: A system, method and media for dynamically redacting data based on the evaluation of one or more policies. In one embodiment, the method comprises receiving a request to access one or more resources, receiving responses from the one or more resources and assembling a result set which includes several portions of data, determining current access policies for the requestor to the one or more resources, and redacting from the result set a portion of the data that the requestor is not permitted to receive, based on the current access policies.
    Type: Grant
    Filed: September 8, 2005
    Date of Patent: June 29, 2010
    Assignee: Bea Systems, Inc.
    Inventor: Paul B. Patrick
  • Patent number: 7743249
    Abstract: An efficient multicast key management is achieved by using seals. A security server generates a seal. In one embodiment, the seal contains a key. In another embodiment, the seal contains information for generating a key. An application server requests the seal from the security server and broadcasts the seal to a plurality of recipients. A recipient wishing to encrypt or decrypt a data stream transmits the received seal to the security server to be opened. If the recipient is authorized, the security server transmits a permit to the authorized recipient. In one embodiment, the recipient generates a key from the permit. In another embodiment, the permit is the key. If the recipient is a sender, the recipient encrypts data using the key and broadcasts the same encrypted data stream to all receivers. If the recipient is a receiver, the recipient decrypts an encrypted data stream using the key. In one embodiment, a seal with a corresponding offset value is sent periodically in a data stream.
    Type: Grant
    Filed: February 14, 2007
    Date of Patent: June 22, 2010
    Assignee: TriStrata Security, Inc.
    Inventors: Daniel F. Zucker, Martin M. Atalla, Donald S. Adams
  • Patent number: 7743427
    Abstract: A data distribution system is provided which supplies customers with an executable for requested secured data files to provide the customer with fulfillment software, obviating the need for the customer to download fulfillment software prior to requesting secure data. The data distribution system is characterized by server technology which can dynamically encrypt secured data files just prior to a customer request to download the data file. A framework for building a universal data distribution infrastructure is provided which employs Requesters.
    Type: Grant
    Filed: June 15, 2006
    Date of Patent: June 22, 2010
    Assignee: Arvato Digital Services Canada, Inc.
    Inventors: Shannon Lee Byrne, Innes Muecke, Andrew Patterson, David Slik
  • Patent number: 7733366
    Abstract: A system and process for network-based, interactive, multi-media learning is presented. The learning system and process employs high quality, low latency audio/video links over a multicast network (such as Internet2), as well as an interactive slideshow that allows annotations to be added by both the presenter and lecture participants, a question management feature that allows participants to submit questions and receive answers during the lecture or afterwards, and a complete archiving of the data streams and metadata associated with the foregoing features.
    Type: Grant
    Filed: February 21, 2003
    Date of Patent: June 8, 2010
    Assignee: Microsoft Corporation
    Inventors: Jay Beavers, Randy Hinrichs, Sarah Papp, Richard Anderson, Jeff Baxter
  • Patent number: 7730294
    Abstract: A system for managing a distributed MetaHop that is administered, managed, and monitored as a single entity. If a new gateway is added to a MetaHop, the gateway can be provisioned with membership credentials by an administrator who indicates relatively basic information for the new gateway to join the MetaHop. Once provisioned with relatively basic information, the new gateway can be shipped to a relatively remote site where it automatically seeks out an entry point to the MetaHop. After connecting to an entry point (or entry points), the new gateway is automatically provisioned with any other information used to join the MetaHop. In one embodiment, the joined gateway is automatically enabled to forward traffic. In another embodiment, a new gateway is disabled for traffic forwarding until the administrator enables it for such forwarding on the MetaHop.
    Type: Grant
    Filed: June 4, 2004
    Date of Patent: June 1, 2010
    Assignee: Nokia Corporation
    Inventor: James David Asnis
  • Patent number: 7730122
    Abstract: Provided are a method, system, and program for authenticating a node requesting another node to perform work on behalf of yet another node. A plurality of agent nodes in the network are associated with a multi-node, wherein the agent nodes are associated with machines in the network capable of performing operations on behalf of the multi-node. A target node receives a request from a calling node for the target node to perform operations on behalf of the multi-node, wherein the target node is one of the agent nodes associated with the multi-node. The target node determines whether the calling node is one of the agent nodes associated with the multi-node and determines whether the calling node is capable of authenticating with a server. The target node performs the operations requested by the calling node in response to determining that the calling node is associated with the multi-node and is capable of authenticating with the server.
    Type: Grant
    Filed: December 9, 2004
    Date of Patent: June 1, 2010
    Assignee: International Business Machines Corporation
    Inventors: Robert Clair Edwards, Jr., Glen Hattrup, Avishai Haim Hochberg, Neil Gregory Rasmussen, James Patrick Smith
  • Patent number: 7725939
    Abstract: A routing system, method, and apparatus for determining the best path for a router to transmit traffic to a specific destination on a network. As desired, the routing determination can be based, at least in part, on an analysis of the network load and an analysis of the availability of links between the autonomous systems. The routing system can be used in conjunction with a detection system that identifies and eradicates fraudulent requests on the network. The detection system can include at least one router and an activity monitoring system, comprising a route arbiter and a traffic analyzer. The route arbiter continuously monitors activity on the router to determine if abnormal activity or traffic patterns are emerging. If a determination is made that abnormal activity or abnormal traffic patterns exist, the activity monitoring system responds by blocking the activity or redirecting the traffic.
    Type: Grant
    Filed: August 30, 2006
    Date of Patent: May 25, 2010
    Assignee: BayTSP.com, Inc.
    Inventor: Mark M. Ishikawa
  • Patent number: 7724906
    Abstract: A decryption apparatus stores secret keys in a first memory, each of which is specified by two nodes in a tree structure: one of the two nodes, indicated by the ciphertext index information item of the decryptable ciphertext, is an ancestor node of a leaf, and the other is a node which is not an ancestor node of that leaf. The apparatus also stores, in a second memory, an identifier of the decryption apparatus corresponding to a leaf in the tree structure. The decryption apparatus acquires a plurality of ciphertexts, each ciphertext including a ciphertext index information item indicating two nodes in the tree structure which correspond to a decryption key for decrypting the respective ciphertext, and acquires a decryptable ciphertext from the plurality of ciphertexts. Further, the decryption apparatus selects, from the stored secret keys, a secret key corresponding to the respective ciphertext, and derives a decryption key from the selected secret key to decrypt the decryptable ciphertext by using the derived decryption key.
    Type: Grant
    Filed: September 7, 2005
    Date of Patent: May 25, 2010
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Tatsuyuki Matsushita
  • Patent number: 7721089
    Abstract: Methods, components and systems for implementing secure and efficient broadcast encryption schemes with configurable and practical tradeoffs among a pre-broadcast transmission bandwidth t, a key storage cost k, and a key derivation cost c, in which the schemes use subtree difference and key decomposition to generate secondary keys, use the secondary keys to encrypt the broadcast and generate ciphertexts, and use the RSA encryption scheme to implement derivability between the primary keys and the secondary keys. To decrypt the broadcast, a privileged user uses one of its primary keys to derive a secondary key, which is used to decrypt the broadcast. The product of the key derivation cost c and the key storage cost k is at most (2^a − log a − 2) · log_a n, where n is the number of users, 1 ≤ b ≤ log n, a = 2^b, and the number of revoked users r < n/3.
    Type: Grant
    Filed: May 21, 2004
    Date of Patent: May 18, 2010
    Assignee: NTT DoCoMo, Inc.
    Inventors: Craig B. Gentry, Zulfikar Amin Ramzan
  • Publication number: 20100122084
    Abstract: A method for registering a new member in group key management is disclosed. An agent is deployed on the local network that requires the automatic group key management service; the agent receives an original registration request message sent by a new member in the local network, encapsulates the original registration request message and an information indicating the new member into a first request message, and sends the first request message to a Group Controller Key Server (GCKS); and the agent receives a first response message returned by the GCKS, extracts the information indicating the new member and the original response message carrying the processing result of request from the first response message, and sends the original response message to the new member according to the information indicating the new member. Apparatuses and system for registering a new member in group key management are also disclosed.
    Type: Application
    Filed: January 19, 2010
    Publication date: May 13, 2010
    Applicant: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Ya LIU
  • Publication number: 20100106648
    Abstract: A mobile terminal is configured to acquire an encryption key to decrypt a pay channel encrypted with a smartcard profile by the mobile terminal in a Multimedia Broadcast/Multicast Service (MBMS) mobile broadcast system. The mobile terminal is configured to purchase a specific pay channel, determine the validity of an encryption key, store a range of valid encryption key identification values, and initialize a reference Time Stamp (TS) value. The mobile terminal also extracts an encryption key identification value and a TS value from the last received Short Term Key Message (STKM) when a view request for the specific pay channel is created; determines that an encryption key is valid when the extracted TS value satisfies the reference TS and the extracted encryption key identification value falls within the range of valid encryption key identification values; and then extracts and acquires the encryption key from the STKM.
    Type: Application
    Filed: October 27, 2009
    Publication date: April 29, 2010
    Applicant: Samsung Electronics Co., Ltd.
    Inventors: Young-Jin Choi, Jeong-Sik Cho, Young-Jip Kim, Joon-Ho Park, Byoung-Dai Lee, Tae-Soo Lee
  • Patent number: 7707410
    Abstract: An enabling key block (EKB) used in an encrypted key distributing tree structure is generated by forming a simplified 2-branch or multi-branch type tree with a terminal node or leaf which is capable of decrypting on the basis of a key corresponding to a node or a leaf of the simplified tree. Further, the EKB includes a tag for indicating a position of an encrypted key in the tree. The tag not only discriminates position but also stores data for judging the presence of encrypted key data within the EKB. As such, a considerable reduction in data quantity is realized, and the decrypting process in a device is also simplified.
    Type: Grant
    Filed: January 27, 2006
    Date of Patent: April 27, 2010
    Assignee: Sony Corporation
    Inventors: Ryuji Ishiguro, Yoshitomo Osawa, Tateo Oishi, Tomoyuki Asano, Atsushi Mitsuzawa