Abstract: Apparatuses, computer readable media, and methods establishing and maintaining trust between security devices for distributing media content are provided. Two security devices bind to establish an initial trust so that security information can be exchanged. Subsequently, trust is refreshed to verify the source of a message is valid. In an embodiment, the security devices may comprise a security processor and a system on a chip (SoC) in a downloadable conditional access system. Trust may be refreshed by a security device inserting authentication information in a message to another security device, where authentication information may assume different forms, including a digital signature (asymmetric key) or a hash message authentication code (HMAC). Trust may also be refreshed by extracting header information from the message, determining state information from at least one parameter contained in the header information, and acting on message content only when the state information is valid.

Abstract: Systems and methods for controlling the use of audio, video and audiovisual content are provided. A data structure includes content usage rights for multiple release windows. The usage rights may be encoded in the content or otherwise bound to the content. Playback devices are configured to access the appropriate usage rights and control usage in accordance with the usage rights.

Abstract: Systems and methods for controlling the use of audio, video and audiovisual content are provided. A data structure includes content usage rights for multiple release windows. The usage rights may be encoded in the content or otherwise bound to the content. Playback devices are configured to access the appropriate usage rights and control usage in accordance with the usage rights.

Abstract: A system and method are disclosed for creating a secure video content path, or a protected media content bus, within an unsecure personal computer. A portable security module, or electronic key safe, may be inserted into a personal computer that has different internal components for processing secure and unsecured content. The security module may establish a secure encrypted link with a secure video processor of the personal computer, and may use the personal computer's network interface to request authority to receive secured content. The security module may provide content keys to the secure video processor to access secured content received over an external network.

Abstract: Systems and methods are described that relate to authentication and/or binding of multiple devices with varying security profiles. In one aspect, a first device with a higher security profile may vouch for the authenticity of a second device with a lower security profile when the second device requests access for content from a content provider. The vouching process may be implemented by allowing the first device to overlay its digital signature on a registration request that has been signed and transmitted by the second device. The second device with the lower security profile may access content from the content provider or source for a predetermined time period, even when the second device does not access content through the first device.

Abstract: Systems and methods are described that relate to authentication and/or binding of multiple devices with varying security profiles. In one aspect, a first device with a higher security profile may vouch for the authenticity of a second device with a lower security profile when the second device requests access for content from a content provider. The vouching process may be implemented by allowing the first device to overlay its digital signature on a registration request that has been signed and transmitted by the second device. The second device with the lower security profile may access content from the content provider or source for a predetermined time period, even when the second device does not access content through the first device.

Abstract: A system and method are disclosed for creating a secure video content path, or a protected media content bus, within an unsecure personal computer. A portable security module, or electronic key safe, may be inserted into a personal computer that has different internal components for processing secure and unsecured content. The security module may establish a secure encrypted link with a secure video processor of the personal computer, and may use the personal computer's network interface to request authority to receive secured content. The security module may provide content keys to the secure video processor to access secured content received over an external network.

Abstract: The disclosure relates to processing content with watermarks to generate watermarked versions. In some aspects, each version may be different. Groups of fragments may be combined to generate a unique stream by pulling fragments from two or more of the groups of fragments. Further, fragmenting may be performed before watermarking, and fragments may be pulled and watermarked upon request.

Abstract: A system and method are disclosed for creating a secure video content path, or a protected media content bus, within an unsecure personal computer. A portable security module, or electronic key safe, may be inserted into a personal computer that has different internal components for processing secure and unsecured content. The security module may establish a secure encrypted link with a secure video processor of the personal computer, and may use the personal computer's network interface to request authority to receive secured content. The security module may provide content keys to the secure video processor to access secured content received over an external network.

Abstract: A multi-hierarchical key system is provided such that users receive timely key renewals when required so that access to authorized content is not disrupted. Timely renewals of keys may occur continuously for various services while minimizing network traffic. The multi-hierarchical key system may be used in an adaptive streaming environment.

Abstract: Systems and methods are described that relate to authentication and/or binding of multiple devices with varying security profiles. In one aspect, a first device with a higher security profile may vouch for the authenticity of a second device with a lower security profile when the second device requests access for content from a content provider. The vouching process may be implemented by allowing the first device to overlay its digital signature on a registration request that has been signed and transmitted by the second device. The second device with the lower security profile may access content from the content provider or source for a predetermined time period, even when the second device does not access content through the first device.

Abstract: A technique for securely transferring content from a first device in a first layer to a second device in a second layer. In one embodiment, the first device is a device in a trusted domain and the second device is outside of the trusted domain. Transfer of protected content to another device may require authentication of the receiving device. A rights file which specifies the rights of the receiving device to use the protected content, according to its security level is also transferred. These rights may concern, e.g., the number of times the receiving device may transfer the protected content to other devices, the time period within which the receiving device may play the protected content, etc. The higher the security level of the receiving device, the more rights accorded thereto. A minimum security level requirement may be imposed in order for protected content to be transferred to a device.

Abstract: A security system is disclosed in which a device-specific key value is provided to a security processing device, and then used to derive additional derived keys for use in secured communications. In response to identifying a compromise of the derived keys, the system can be instructed to derive new or replacement derived keys for use in the secured communications. In some embodiments, the security system can be used in a video reception device, to decrypt encrypted video content.

Abstract: Systems and methods for controlling the use of audio, video and audiovisual content are provided. Usage rights and entitlement translation permit numerous devices to store and view media content. The usage rights may be encoded in the content or otherwise bound to the content. Security packages may be created by mapping Conditional Access System entitlements to DRM in hardware security elements. Playback devices are configured to access the translated usage rights and verify rights prior to the viewing of media.

Abstract: Apparatuses, computer readable media, and methods establishing and maintaining trust between security devices for distributing media content are provided. Two security devices bind to establish an initial trust so that security information can be exchanged. Subsequently, trust is refreshed to verify the source of a message is valid. In an embodiment, the security devices may comprise a security processor and a system on a chip (SoC) in a downloadable conditional access system. Trust may be refreshed by a security device inserting authentication information in a message to another security device, where authentication information may assume different forms, including a digital signature (asymmetric key) or a hash message authentication code (HMAC). Trust may also be refreshed by extracting header information from the message, determining state information from at least one parameter contained in the header information, and acting on message content only when the state information is valid.

Abstract: Systems and methods for controlling the use of audio, video and audiovisual content are provided. A data structure includes content usage rights for multiple release windows. The usage rights may be encoded in the content or otherwise bound to the content. Playback devices are configured to access the appropriate usage rights and control usage in accordance with the usage rights.

Abstract: The roaming hardware paired encryption key generation coalesces a content variable with a network, or subnet, address to generate an encryption key. The source generates a content identification that is unique to the content being encryption and the network, or subnet, address is coalesced with the content indentification to generate a unique encryption key for the content being encrypted. The encrypted digital content is transmitted to the destination devices identified by the network, or subnet address, along with the content identification. At the destination, the destination devices regenerate the encryption by coalescing the content identification and the network, or subnet, address in the same manner as ciphertext is decrypted into plaintext.

Abstract: The present secure hardware device authentication method further protects the data within the secure hardware device by authenticating the trusted software object prior to allowing the trusted software object to access protected data within the secure hardware device. Authenticating the trusted operating system prior to granting access to the secure hardware device prevents an unauthorized individual from tampering with the trusted software object after the computer system is initialized. The method of authentication may include authentication of the certificate appended to the trusted software object or may be a request for a signed message from the trusted software object. If the trusted software object is not authenticated, access to the secure hardware device is denied.

Abstract: The roaming hardware paired encryption key generation coalesces a content variable with a network, or subnet, address to generate an encryption key. The source generates a content identification that is unique to the content being encrypted and the network, or subnet, address is coalesced with the content identification to generate a unique encryption key for the content being encrypted. The encrypted digital content is transmitted to the destination devices identified by the network, or subnet address, along with the content identification. At the destination, the destination devices regenerate the encryption by coalescing the content identification and the network, or subnet, address in the same manner as coalesced at the source device. After regenerating the encryption key, the ciphertext is decrypted into plaintext.

Abstract: A method for generating an encryption key wherein combinations of a host identification and a content identification are concatenated to produce the encryption key. The content identification is unique to each block of plaintext to be transmitted over an unsecured interface to a storage device. The content identification is appended to the resulting ciphertext for transmission to the storage device. The ciphertext is retrieved by the host device wherein the host identification and appended content identification are used to recreate the encryption key and thus decrypt the ciphertext. Also using a time variable to generate the encryption key provides a method for limiting the duration during which the ciphertext can be decrypted.