Patents by Inventor Jeffrey Bruce Lotspiech

Jeffrey Bruce Lotspiech has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7039803
    Abstract: A tree is used to partition stateless receivers in a broadcast content encryption system into subsets. Two different methods of partitioning are disclosed. When a set of revoked receivers is identified, the revoked receivers define a relatively small cover of the non-revoked receivers by disjoint subsets. Subset keys associated with the subsets are then used to encrypt a session key that in turn is used to encrypt the broadcast content. Only non-revoked receivers can decrypt the session key and, hence, the content.
    Type: Grant
    Filed: January 26, 2001
    Date of Patent: May 2, 2006
    Assignee: International Business Machines Corporation
    Inventors: Jeffrey Bruce Lotspiech, Dalit Naor, Simeon Naor
  • Patent number: 7010125
    Abstract: A method for tracing traitor receivers in a broadcast encryption system. The method includes using a false key to encode plural subsets representing receivers in the system. The subsets are derived from a tree using a Subset-Cover system, and the traitor receiver is associated with one or more compromised keys that have been obtained by a potentially cloned pirate receiver. Using a clone of the pirate receiver, the identity of the traitor receiver is determined, or the pirate receiver clones are rendered useless for decrypting data using the compromised key by generating an appropriate set of subsets.
    Type: Grant
    Filed: January 26, 2001
    Date of Patent: March 7, 2006
    Assignee: International Business Machines Corporation
    Inventors: Jeffrey Bruce Lotspiech, Dalit Naor, Simeon Naor
  • Patent number: 7007162
    Abstract: A forensic media key block (MKB) is provided to a clone device, either a software- or hardware-implemented clone, that has gained access to one or more compromised device keys of unknown identity from a set of the device keys in a digital content guard system. Media keys in the forensic MKB are selectively marked as “revoked” and then the ability of the clone to decrypt the MKB to successfully play content is observed. In this way the identity of the compromised key or keys is eventually learned, and the system can then revoke the compromised key or keys system-wide.
    Type: Grant
    Filed: May 3, 2000
    Date of Patent: February 28, 2006
    Assignee: International Business Machines Corporation
    Inventor: Jeffrey Bruce Lotspiech
  • Patent number: 6952477
    Abstract: A method and system for producing, e.g., tamper-resistant software such that the software is fault intolerant, thereby complicating hacking attacks, includes undertaking several iterations of forward plain text chaining and backward plain text chaining through the blocks. Essentially, during forward chaining a block is scrambled using a single round of an appropriate algorithm such as DES, and then it is XORed with the plain text of the next block. The result of the XOR is then scrambled, and then XORed with the plain text of the next block, and so on. At the end of the stream, the process is repeated in reverse, from last block to first. The cycles are repeated for the desired number of rounds, e.g., 16.
    Type: Grant
    Filed: July 3, 2000
    Date of Patent: October 4, 2005
    Assignee: International Business Machines Corporation
    Inventor: Jeffrey Bruce Lotspiech
  • Patent number: 6947563
    Abstract: An encryption key matrix has rows grouped into segments, with a set of one segment per column establishing a slot. Slots are assigned to device manufacturers, with the keys of the slots then being assigned to decryption devices made by the respective manufacturer. In generating the slots, the number “q” of segments in a column is first defined such that a predetermined maximum number of devices can be revoked devices (in that all the keys held by the device are revoked) while ensuring that a good device remains a functional device with a probability of at least (1−Q), wherein Q is a predefined device confidence. Once the number “q” of segments has been defined, the slots themselves are defined in a provably non-discriminatory fashion using an error-correcting code such as a Reed-Solomon code.
    Type: Grant
    Filed: February 20, 2001
    Date of Patent: September 20, 2005
    Assignee: International Business Machines Corporation
    Inventors: Ronald Fagin, Jeffrey Bruce Lotspiech, Nimrod Megiddo, Dalit Naor, Simeon Naor
  • Patent number: 6920563
    Abstract: A method (and system) for storing information in a recoverable manner on an untrusted system, includes sending, by a client, a request to a recovery server for recovery of a failed database, determining whether the request is legitimate, based on the determining, sending a local key to the client, decrypting by the client the failed database with the local key, to recover the failed database, and re-encrypting the recovered database with a new key.
    Type: Grant
    Filed: January 5, 2001
    Date of Patent: July 19, 2005
    Assignee: International Business Machines Corporation
    Inventors: Ulrich Kohl, Jeffrey Bruce Lotspiech, Stefan Nusser
  • Patent number: 6888944
    Abstract: Sets of encryption keys useful by devices for decrypting encrypted content are defined using an error-correcting code such as a Reed-Solomon code to define vectors of length “n” over an alphabet of (0, . . . , N−1), wherein “n” is the number of columns in a key matrix and “N” is the number of rows in the matrix. Each vector represents a set of keys that can be assigned to a device. With this invention, overlap between sets of keys can be minimized to minimize the possibility that the key set of an innocent device might be inadvertently revoked when the key set of a compromised device is revoked. Also, only the generating matrix of the error-correcting code and the index of one set of keys need be stored in memory, since all previously defined key sets can be regenerated if need be from just the generating matrix and index.
    Type: Grant
    Filed: February 5, 2001
    Date of Patent: May 3, 2005
    Assignee: International Business Machines Corporation
    Inventors: Jeffrey Bruce Lotspiech, Dalit Naor, Sigfredo Ismael Nin, Florian Pestoni
  • Patent number: 6883097
    Abstract: A system for protecting content on recordable media for, e.g., DVD audio disks, flash memory media, or other media includes providing a media key block (MKB) on each media, with each MKB including 25,000 encryptions of a media key by 25,000 or so device keys. Each authorized player in the system has a single device key from among the system device keys with which to decrypt the media key. To avoid a coincidence attack in which a hacker can learn the MKB and associated media key and then guess at a device key without knowing its position in the MKB, the media key is XORed with a number representing each position in the MKB, and only then encrypted with the device key corresponding to that position.
    Type: Grant
    Filed: May 22, 2000
    Date of Patent: April 19, 2005
    Assignee: International Business Machines Corporation
    Inventors: Jeffrey Bruce Lotspiech, Ariel Virgil Mirles, Dalit Naor, Sigfredo Ismael Nin
  • Patent number: 6832319
    Abstract: A system and method for enabling broadcast programs to be copied once only by consumer recorders includes writing a unique media identification on each blank disk to which content is to be copied in a read-only area of the disk before it is initially recorded. Also, a one-way key management media key block is written to the disk. A content key is derived by combining a media key, derived from the media key block, with the media identification. Additionally, to facilitate copying the content one time only, an exchange key is established between the recorder and a sender such as a satellite receiver or a disk player that is associated with the recorder, and the exchange key is modified with special numbers representing control commands including copy once and copy no more. The exchange key is then encrypted using the content key and then hashed with a nonce to render a bus content key. The bus content key is then used to encrypt the data for copying the data to a disk.
    Type: Grant
    Filed: July 20, 1999
    Date of Patent: December 14, 2004
    Assignees: International Business Machines Corporation, Intel Corporation
    Inventors: Alan Edward Bell, Jeffrey Bruce Lotspiech, Chandler Brendan Stanton Traw
  • Publication number: 20040156503
    Abstract: A system and method for enabling broadcast programs to be copied once only by consumer recorders includes writing a unique media identification on each blank disk to which content is to be copied in a read-only area of the disk before it is initially recorded. Also, a one-way key management media key block is written to the disk. A content key is derived by combining a media key, derived from the media key block, with the media identification. Additionally, to facilitate copying the content one time only, an exchange key is established between the recorder and a sender such as a satellite receiver or a disk player that is associated with the recorder, and the exchange key is modified with one or more special numbers representing control commands including copy once and copy no more. The modified exchange key is then encrypted using the content key to render an encrypted modified exchange key, and the encrypted modified exchange key is then hashed with a nonce to render a bus content key.
    Type: Application
    Filed: February 2, 2004
    Publication date: August 12, 2004
    Applicants: International Business Machines Corporation, Intel Corporation
    Inventors: Alan Edward Bell, Jeffrey Bruce Lotspiech, Chandler Brendan Stanton Traw
  • Publication number: 20040128259
    Abstract: A system, method, business method, and computer program product for conducting electronic transactions with a potentially untrusted server while maintaining user anonymity and transaction privacy, yet allowing the server to verify the user is a valid subscriber entitled to participate in the transaction. Anonymous service requests are sent to the server. The server transmits responses that have been encrypted such that only valid subscribers can decrypt them. Broadcast encryption schemes that enable selective revocation of misbehaving subscribers will tip off requestors that the server is trying to identify them. Transaction and content quantity can be monitored for usage-based billing while maintaining anonymity. Each content item may be uniquely encrypted with a content key that is then encrypted by a session key and included in encrypted form with a response, to reduce the computational workload.
    Type: Application
    Filed: December 31, 2002
    Publication date: July 1, 2004
    Inventors: Douglas Burnette Blakeley, Jeffrey Bruce Lotspiech, Dalit Naor, Sigfredo Ismael Nin, Ram Reddy, Savitha Srinivasan
  • Publication number: 20040123116
    Abstract: Software intrusion is proactively detected using a dynamically evolving audit log wherein log entries are generated in the audit log and key values are evolved based upon a one-way function depending on both the previous log entry and the previous key. The audit log with the generated log entries and the final key value is transmitted to a clearinghouse that detects software intrusion by analyzing these values. In an effort to reduce the size of the log to be transmitted, the log entries are assigned identical values, thereby only needing to transmit one log entry and the last key value to the clearinghouse.
    Type: Application
    Filed: December 19, 2002
    Publication date: June 24, 2004
    Inventors: Hongxia Jin, Jeffrey Bruce Lotspiech
  • Publication number: 20040111611
    Abstract: A system, method, and computer program product to prepare files for transmission in a broadcast encryption system to prevent piracy and enable traitor tracing. Typically, each file in a group of original files is modified to include variations of critical file segments. A file identifier denotes which set of variations corresponds to which file. The group of files is then broadcast with individualized codes that enable particular authorized receivers to properly process the modified files. The modifications in a pirated version of a file can identify which traitorous receivers contributed to its piracy; such receivers may be subject to legal action and selective cryptographic revocation. The invention minimizes the likelihood of falsely concluding an innocent receiver is traitorous yet can identify large groups of colluding attackers with only a small increase in broadcast bandwidth overhead.
    Type: Application
    Filed: December 9, 2002
    Publication date: June 10, 2004
    Inventors: Hongxia Jin, Jeffrey Bruce Lotspiech
  • Patent number: 6748539
    Abstract: A system and method for permitting the rental of digitized content such as music from a kiosk includes a flash memory device that is insertable into the kiosk. The kiosk derives a content key from a media key block and a media ID on the flash memory device, and then encrypts the content using the content key and records the content on the flash memory device. The flash memory device can then be removed and engaged with a player-recorder which decrypts the content and plays the content. When it is desired to check the content back in, the flash memory device is engaged with the kiosk and the content is erased. Importantly, the media ID of the flash memory device is altered during check in, such that if the user saved the content prior to check in, the content, if recorded back onto the flash memory device after check in, could not be decrypted.
    Type: Grant
    Filed: January 19, 2000
    Date of Patent: June 8, 2004
    Assignee: International Business Machines Corporation
    Inventor: Jeffrey Bruce Lotspiech
  • Publication number: 20040064695
    Abstract: A system, method, and computer program product enabling individual user devices to authenticate and validate a digital message sent by a distribution center, without requiring transmissions to the distribution center. The center transmits the message with an appended modulus that is the product of two specially selected primes. The transmission also includes an appended authentication value that is based on an original message hash value, a new message hash value, and the modulus. The new message hash value is designed to be the center's public RSA key; a corresponding private RSA key is also computed. Individual user devices combine a digital signet, a public modulus, unique hardware-based secret numbers, and an original message hash to compute a unique integrity value K. Subsequent messages are similarly processed to determine new integrity values K′, which equal K if and only if new messages originated from the center and have not been corrupted.
    Type: Application
    Filed: September 26, 2002
    Publication date: April 1, 2004
    Inventor: Jeffrey Bruce Lotspiech
  • Patent number: 6650753
    Abstract: A digital broadcast system provides secure transmission of digital programs to in-home digital devices even when some of the devices are unauthorized. A matrix of device keys Sj,i is provided, wherein “i” is a key index variable indicating a position in a key dimension of the matrix and “j” is a sets index variable indicating a position in a sets dimension of the matrix. Each in-home device is assigned plural device keys from the matrix, with one and only one device key for each key index variable “i” being assigned to a device. To generate a session key for a broadcast program, session numbers xi are encrypted with all device keys Sj,i to generate a session key block which is decrypted by the in-home devices and used to generate a session key for decrypting the program.
    Type: Grant
    Filed: June 20, 2000
    Date of Patent: November 18, 2003
    Assignee: International Business Machines Corporation
    Inventors: Jeffrey Bruce Lotspiech, Kevin Snow McCurley
  • Patent number: 6609116
    Abstract: A system and method for updating old blank media onto which newer content is sought to be copied, to reduce the risk of unauthorized copying of new content onto old unupdated media. A computer system executes a method in which one or more calculate media key commands (CMKC) are written onto a blank recording medium, with the CMKCs defining an old media key. One or more CMKCs defining a new media key is associated with broadcast content, with the new CMKCs effectively revoking one or more device keys of a suspected pirate device. A legitimate player/recorder can decrypt the media keys from both the medium and the content, and then encrypt the content using the new media key and encrypt the first unconditional CMKC in the new CMKCs with the old media key. The encrypted content and the (now conditional) CMKC are recorded on the medium.
    Type: Grant
    Filed: August 23, 1999
    Date of Patent: August 19, 2003
    Assignee: International Business Machines Corporation
    Inventor: Jeffrey Bruce Lotspiech
  • Publication number: 20020161714
    Abstract: A system and method for enabling authorized music from a CD or DVD to be compressed by a user for the user's own use, but to prevent the recompression of unauthorized music from, e.g., the Internet, includes hashing the music during recording with a cryptographic hash, and then signing the hash with a digital signature derived from the hash. Subsequent unauthorized compression and recompression will destroy the digital signature. Accordingly, music to be recorded is hashed to obtain a test digital signature and if, after hashing, the test digital signature matches the digital signature accompanying the music, compression and recording are allowed to proceed.
    Type: Application
    Filed: November 24, 1999
    Publication date: October 31, 2002
    Inventors: Alan Edward Bell, Jeffrey Bruce Lotspiech
  • Publication number: 20020147906
    Abstract: A tree is used to partition stateless receivers in a broadcast content encryption system into subsets. Two different methods of partitioning are disclosed. When a set of revoked receivers is identified, the revoked receivers define a relatively small cover of the non-revoked receivers by disjoint subsets. Subset keys associated with the subsets are then used to encrypt a session key that in turn is used to encrypt the broadcast content. Only non-revoked receivers can decrypt the session key and, hence, the content.
    Type: Application
    Filed: January 26, 2001
    Publication date: October 10, 2002
    Applicant: International Business Machines Corporation
    Inventors: Jeffrey Bruce Lotspiech, Dalit Naor, Simeon Naor
  • Publication number: 20020133701
    Abstract: A method for tracing traitor receivers in a broadcast encryption system. The method includes using a false key to encode plural subsets representing receivers in the system. The subsets are derived from a tree using a Subset-Cover system, and the traitor receiver is associated with one or more compromised keys that have been obtained by a potentially cloned pirate receiver. Using a clone of the pirate receiver, the identity of the traitor receiver is determined, or the pirate receiver clones are rendered useless for decrypting data using the compromised key by generating an appropriate set of subsets.
    Type: Application
    Filed: January 26, 2001
    Publication date: September 19, 2002
    Applicant: International Business Machines Corporation
    Inventors: Jeffrey Bruce Lotspiech, Dalit Naor, Simeon Naor