Abstract: A method and system for attaching a title key to encrypted content for synchronized transmission to, or storage by, a recipient is provided. Specifically, under the present invention, an elementary media stream is parceled into content units that each include a content packet and a header. The content packets are encrypted with one or more title keys. Once the content packets have been encrypted, the title keys are themselves encrypted with a key encrypting key. The encrypted title keys are then attached to the corresponding encrypted content packets for synchronized transmission to a recipient.

Abstract: The present invention provides a method, system and program product for modifying content usage conditions during broadcast content distribution. Specifically, the present invention allows protected (e.g., encrypted, secured, etc.) content to be received along with content usage conditions, an encrypted combination of the content usage conditions and a title key (e.g., a MAC), and a key management block. Using the key management block, a key encrypting key can be determined for decrypting the combination. Once the combination is decrypted, the content usage conditions can be modified (e.g., edited, added to, etc.).

Abstract: Cross-bar segment routing and access table address remapping functions are combined within a cross-bar of a system-on-a-chip. In this manner, address remapping may occur prior to segment routing. One or more access table caching registers may be included for each master port. The caching registers may allow for a rapid lookup of one or more access table entries associated with each master, as well as allow for the simultaneous lookup by multiple masters without adding ports to the access table. A segment identifier may be stored in the caching registers to indicate how to route a matching request to the appropriate slave segment.

Abstract: The preferred embodiment of the present invention provides an improved transport demultiplexor that can receive and filter different data types before sending the data to system memory. The preferred embodiment provides a string comparator to facilitate real time filtering of continuous incoming data before loading the data into system memory. The string comparator preferably uses a bit-maskable matching filter that filters system data in real time as the data is being delivered to system memory. When data matching the filter is located, the destination address of that data is determined and delivered to the processor. This allows the processor to quickly locate the desired data and thus facilitates the real time processing of that data.

Abstract: Techniques are provided for re-mapping and interleaving transport packets of multiple transport streams for processing by a single transport demultiplexor. At least one PID re-map table is employed having re-map values indexed by n possible PID values of transport packets associated with at one transport stream of the multiple transport streams. The n possible PID values is less than or equal to the number of PID values which can be handled by the single transport demultiplexor, and is less than all possible PID values of transport packets within the multiple transport streams. The PID values within at least one transport stream are compared with the n possible PID values of the PID re-map table, and when a match is found, the table is indexed using the matching entry and a re-map value is generated therefrom. The re-map value replaces the original PID value within the transport packet.

Abstract: Cross-bar segment routing and access table address remapping functions are combined within a cross-bar of a system-on-a-chip. In this manner, address remapping may occur prior to segment routing. One or more access table caching registers may be included for each master port. The caching registers may allow for a rapid lookup of one or more access table entries associated with each master, as well as allow for the simultaneous lookup by multiple masters without adding ports to the access table. A segment identifier may be stored in the caching registers to indicate how to route a matching request to the appropriate slave segment.

Abstract: A method and system for attaching a title key to encrypted content for synchronized transmission to, or storage by, a recipient is provided. Specifically, under the present invention, an elementary media stream is parceled into content units that each include a content packet and a header. The content packets are encrypted with one or more title keys. Once the content packets have been encrypted, the title keys are themselves encrypted with a key encrypting key. The encrypted title keys are then attached to the corresponding encrypted content packets for synchronized transmission to a recipient.

Abstract: Techniques are provided for initializing, maintaining, updating and recovering secure operation within an integrated system. The techniques, which employ a data access control function within the integrated system, include authenticating by a current level of software a next level of software within an integrated system. The authenticating occurs before control is passed to the next level of software. Further, an ability of the next level of software to modify an operational characteristic of the integrated system can be selectively limited via the data access control function. Techniques are also provided for initializing secure operation of the integrated system, for migrating data encrypted using a first key set to data encrypted using a second key set, for updating software and keys within the integrated system, and for recovering integrated system functionality following a trigger event.

Abstract: A method and system for attaching a title key to encrypted content for synchronized transmission to, or storage by, a recipient is provided. Specifically, under the present invention, an elementary media stream is parceled into content units that each include a content packet and a header. The content packets are encrypted with one or more title keys. Once the content packets have been encrypted, the title keys are themselves encrypted with a key encrypting key. The encrypted title keys are then attached to the corresponding encrypted content packets for synchronized transmission to a recipient.

Abstract: A data authentication technique is provided for a data access control function of an integrated system. The technique includes passing a data request from a functional master of the integrated system through the data access control function, and responsive to the data request, selectively authenticating requested data. The selective authentication, which can occur transparent to the functional master initiating the data request, includes employing integrity value generation on the requested data when originally stored and when retrieved, in combination with encryption and decryption thereof to ensure the authenticity of the requested data. As an enhancement, cascading integrity values may be employed to facilitate data authentication.

Abstract: A method, system and program product for managing a size of a key management block (KMB) during content distribution is provided. Specifically, a first KMB corresponding to a first subtree of devices is received along with content as encrypted with a title key. If a size of the first KMB exceeds a predetermined threshold, a second subtree will be created. A second KMB corresponding to the second subtree of devices will then be generated. The second KMB contains an entry revoking the entire first subtree of devices and, as such, is smaller than the first KMD. Any compliant devices from the first subtree are migrated to the second subtree.

Abstract: A technique is provided for facilitating secure operation of an integrated system. The technique includes passing a request for data through a data access controller incorporated within the integrated system, and selectively qualifying the request in accordance with a security state of the controller. The security state of the controller is one state of multiple possible security states, including a null state and a secured state. In the secured state, the controller replaces a standard boot code address associated with a request for boot code with a substitute boot code address. The substitute boot code address addresses an encrypted version of boot code, which is then decrypted by the controller employing a master key set held at the controller. When transitioning to the null state, the master key set is erased.

Abstract: Positive negative and mixed digital filtering over an arbitrary variable length bit string of a datastream by evaluating bits, bytes or any other desired granularity in accordance with a mask, a filter and a not match byte. Results are accumulated over a plurality of data blocks by ANDing of compare result values similarly representing match and not match results identically depending on the not match bit except where negayive logic has been applied over an entire data block. The preferred form of the digital filter is particularly adapted to be MPEG-2 compliant.

Abstract: The preferred embodiment of the present invention provides an improved transport demultiplexor that can receive and filter different data types before sending the data to system memory. The preferred embodiment provides a string comparator to facilitate real time filtering of continuous incoming data before loading the data into system memory. The string comparator preferably uses a bit-maskable matching filter that filters system data in real time as the data is being delivered to system memory. When data matching the filter is located, the destination address of that data is determined and delivered to the processor. This allows the processor to quickly locate the desired data and thus facilitates the real time processing of that data.

Abstract: Method, system and computer products are provided for re-mapping and interleaving transport packets of multiple transport streams for processing by a single transport demultiplexor. The re-mapping and interleaving technique ensures unique identification of transport packets associated with multiple transport streams to be multiplexed onto a transport channel for demultiplexing by a single transport demultiplexor. At least one PID re-map table is employed having re-map values indexed by n possible PID values of transport packets associated with at one transport stream of the multiple transport streams. The n possible PID values is less than or equal to the number of PID values which can be handled by the single transport demultiplexor, and is less than all possible PID values of transport packets within the multiple transport streams.

Abstract: Techniques are provided for initializing, maintaining, updating and recovering secure operation within an integrated system. The techniques, which employ a data access control function within the integrated system, include authenticating by a current level of software a next level of software within an integrated system. The authenticating occurs before control is passed to the next level of software. Further, an ability of the next level of software to modify an operational characteristic of the integrated system can be selectively limited via the data access control function. Techniques are also provided for initializing secure operation of the integrated system, for migrating data encrypted using a first key set to data encrypted using a second key set, for updating software and keys within the integrated system, and for recovering integrated system functionality following a trigger event.

Abstract: In a transport stream demultiplexor device receiving an input transport stream comprising a plurality of data packets and including a filter device for removing one or more predetermined packets to form a partial transport stream, a real-time data remultiplexing system and method comprising: a device for detecting presence of a gap in the partial transport stream where predetermined packets have been removed and generating a signal indicating the gap location; a device for directly retrieving packet data having new content from a memory storage device, and storing the retrieved packet data into a staging buffer device for queued storage prior to insertion into the partial transport stream; and, a multiplexor device responsive to the flag for pulling a queued data packet from the staging buffer device and inserting the pulled packet into the gap as the partial transport stream is being transported on a real-time basis.

Abstract: Copy protection is provided at a mass storage device provided in or connected to a decoder for receiving digital transmissions of audio and video program material by virtual scrambling of blocks of data. Non-sequential storage locations for blocks of data are defined in accordance with a key and the file allocation table is encrypted and stored. Thus blocks of data remain intact and need not be decrypted upon playback, reducing processing time, while the program is effectively protected from reassembly without decryption of the file allocation table. The key(s) may be maintained internally within the decoder and need not be shared, thus avoiding a need for user identification and/or authentication. Software for encryption, including keys may be downloaded to the decoder through the same transmission link used for transmission of data files that may be encrypted in response to control signals or flags transmitted with data files to be protected.

Abstract: An access control function for an integrated system is provided which determines data access based on the master id of a requesting master within the system and the address of the data. The access control function can be inserted, for example, into the data transfer path between bus control logic and one or more slaves. In addition to determining whether to grant access to the data, the access control function can further qualify the access by selectively implementing encryption and decryption of data, again dependent on the data authorization level for the particular functional master initiating the request for data.

Abstract: A transport demultiplexor system and queue remultiplexing methodology includes: a packet buffer for receiving data packets belonging to an input transport stream, each packet having a corresponding identifier identifying a program to which the packet belongs; a data unloader device for pulling successive packets from the packet buffer for storage in a memory storage device, and writing the pulled packets into contiguous address locations in the memory; and, a remultiplexor mechanism for generating an address offset associated with a next data packet pulled from the packet buffer to be stored in memory and writing it to a new memory location that is offset from a memory location assigned to a previously pulled packet, the offset defining a memory gap in the memory storage device capable of being filled new data content.