Abstract: A method for enforcing entitlements includes configuring a wide variety of entitlements at a server; determining applicable combination of entitlements for a given client request; sending entitlements to the requesting client securely; handling entitlement information securely on a plurality of client devices at run time; storing entitlement information securely on a plurality of client devices for offline use; and enforcing entitlements on a plurality of client devices. The method employs manipulation of manifest files by a proxy that may be included in the client device or located in the network.

Abstract: A method for enforcing entitlements includes configuring a wide variety of entitlements at a server; determining applicable combination of entitlements for a given client request; sending entitlements to the requesting client securely; handling entitlement information securely on a plurality of client devices at run time; storing entitlement information securely on a plurality of client devices for offline use; and enforcing entitlements on a plurality of client devices. The method employs manipulation of manifest files by a proxy that may be included in the client device or located in the network.

Abstract: A method for enforcing entitlements includes configuring a wide variety of entitlements at a server; determining applicable combination of entitlements for a given client request; sending entitlements to the requesting client securely; handling entitlement information securely on a plurality of client devices at run time; storing entitlement information securely on a plurality of client devices for offline use; and enforcing entitlements on a plurality of client devices. The method employs manipulation of manifest files by a proxy that may be included in the client device or located in the network.

Abstract: A method for providing privacy during delivery of ABR media content to a plurality of ABR OTT client devices includes receiving, at a network node that includes a Controlled Cache, an ABR manifest for an ABR media asset. The ABR manifest includes a segmentation-units index. Responsive to receiving a request for the ABR media asset from an ABR OTT client device, the method sends to the ABR OTT client device a custom manifest having a number of segmentation-units in segments that is customized for an ABR playback session. A network node, which can be one of an origin server, an edge server and a Just-In-Time Packager (JIT-P), and a computer program product for providing privacy during delivery are also shown.

Abstract: A method and a user device are disclosed for securing streaming content decryption. The method includes receiving at the user device a manifest for requested content, the manifest providing a Content Encryption Key (CEK) that is encrypted using a first public Key Encryption Key (KEK), a corresponding first private KEK being stored in secure storage on the user device; decrypting, inside a secure processing zone on the user device, the CEK using the first private KEK to create a decrypted content key; decrypting, inside the secure processing zone, requested content using the decrypted content key to form decrypted content; and providing the decrypted content to a decoder on the mobile user device.

Abstract: A method for enforcing entitlements includes configuring a wide variety of entitlements at a server; determining applicable combination of entitlements for a given client request; sending entitlements to the requesting client securely; handling entitlement information securely on a plurality of client devices at run time; storing entitlement information securely on a plurality of client devices for offline use; and enforcing entitlements on a plurality of client devices. The method employs manipulation of manifest files by a proxy that may be included in the client device or located in the network.

Abstract: A method for enforcing entitlements includes configuring a wide variety of entitlements at a server; determining applicable combination of entitlements for a given client request; sending entitlements to the requesting client securely; handling entitlement information securely on a plurality of client devices at run time; storing entitlement information securely on a plurality of client devices for offline use; and enforcing entitlements on a plurality of client devices. The method employs manipulation of manifest files by a proxy that may be included in the client device or located in the network.

Abstract: A media distribution system and method with sample variants for normalized encryption involves encrypting a main track of a media content asset using a first encryption scheme and encrypting a sample variant track of the media content asset using a second encryption scheme, and performing at least one of: storing the encrypted main track and encrypted sample variant track of the media content asset packaged in a storage format, and transmitting the encrypted main track and the encrypted sample variant track in a distribution container format to an edge media router (EMR) device configured to repackage the media content asset into a delivery container format without reencrypting the media content asset.

Abstract: A method, device and computer program for providing privacy during delivery of ABR media content to an ABR OTT client device are shown. The method receives an ABR manifest for an ABR media asset; the ABR manifest includes a segmentation-units index that points to segmentation-units in the ABR media asset. Using the segmentation-units index and a customization process, randomized byte-range requests for portions of the ABR media asset are produced and sent. Responsive to receiving the randomized byte-ranges, the ABR media asset is reassembled in order and provided to a media player in the client device.

Abstract: A method and apparatus for managing entitlements in a broadcast stream are disclosed. The method includes receiving a manifest containing program information for a program in the broadcast stream, with the program information providing a program entitlement block. The method uses entitlements specified in the program entitlement block to enforce entitlements for the program.

Abstract: Media content is delivered to a variety of mobile devices in a protected manner based on client-server architecture with a symmetric (private-key) encryption scheme. A media preparation server (MPS) encrypts media content and publishes and stores it on a content delivery server (CDS), such as a server in a content distribution network (CDN). Client devices can freely obtain the media content from the CDS and can also freely distribute the media content further. They cannot, however, play the content without first obtaining a decryption key and license. Access to decryption keys is via a centralized rights manager, providing a desired level of DRM control.

Abstract: A client device for media playback includes a user-installable media client application which implements the client-side of a digital rights management (DRM) system. The client device employs secure boot and verifies the user-installed application. The application is hardened against reverse engineering, and it utilizes a special API provided by the client device to tie into the secure boot, bridging the gap between the secure boot and the client-side of the DRM system contained within the application.

Abstract: A system and method for distributing content in a network architecture using a common intermediary mezzanine distribution format (CMZF). A media content asset may be processed for packaging in a CMZF container structure configured to carry each bitrate representation of the media content in a valid CMZF stream scheme, the media content encrypted in one or more encryption schemes. The CMZF formatted media content may be provided to an origin server for file-based distribution over a network which is of one of the following types; unmanaged network, managed network, or a combination thereof, and/or to a streaming network node for stream-based distribution over a over a network which is of one of the following types; unmanaged network, managed network, or a combination thereof. In one embodiment, the CMZF container structure may be based on an MPEG-TS format extended to facilitate carriage of ISOBMFF track and track metadata data objects in PES payload in additional elementary streams.

Abstract: A system and method for facilitating fast channel change in a streaming media network comprises receiving media content assets packaged in a common mezzanine distribution format (CMZF) container structure, wherein the media content asset is provided as CMZF-formatted media content in a CMZF stream scheme. Upon receipt, the CMZF-packaged media content assets are transformatted into corresponding CMZF segments stored in a local cache corresponding to a plurality of media channels. Responsive to a channel change request from a user equipment (UE) device, a unicast or multicast burst is sent comprising Reliable User Datagram Protocol (R-UDP) packets or Real-time Transport Protocol (RTP)-encapsulated partial or full virtual segments (R-SEG) generated from the CMZF segments corresponding to the requested channel.

Abstract: A method for providing privacy during delivery of ABR media content to a plurality of ABR OTT client devices includes receiving, at a network node that includes a Controlled Cache, an ABR manifest for an ABR media asset. The ABR manifest includes a segmentation-units index. Responsive to receiving a request for the ABR media asset from an ABR OTT client device, the method sends to the ABR OTT client device a custom manifest having a number of segmentation-units in segments that is customized for an ABR playback session. A network node, which can be one of an origin server, an edge server and a Just-In-Time Packager (JIT-P), and a computer program product for providing privacy during delivery are also shown.

Abstract: A method, device and computer program for providing privacy during delivery of ABR media content to an ABR OTT client device are shown. The method receives an ABR manifest for an ABR media asset; the ABR manifest includes a segmentation-units index that points to segmentation-units in the ABR media asset. Using the segmentation-units index and a customization process, randomized byte-range requests for portions of the ABR media asset are produced and sent. Responsive to receiving the randomized byte-ranges, the ABR media asset is reassembled in order and provided to a media player in the client device.

Abstract: A system and method for facilitating content delivery with end-to-end encryption in a network architecture using a common intermediary mezzanine distribution format (CMZF). An edge media router (EMR) device is provided in one embodiment that is configured to receive a media content asset packaged in a CMZF container structure, wherein the media content asset is provided as CMZF-formatted media content in a CMZF stream scheme. The CMZF container structure, configured to facilitate carriage of ISOBMFF track and track metadata data objects as well as sample variants in PES payload in additional elementary streams, is operative to carry each bitrate representation of the media content asset encrypted in one or more encryption schemes at a headend. Upon receipt, the EMR device is configured to repackage the media content asset to generate one or more output formats without reencrypting the media content asset for storage at a storage node and/or for downstream delivery.

Abstract: A client device for media playback includes a user-installable media client application which implements the client-side of a digital rights management (DRM) system. The client device employs secure boot and verifies the user-installed application. The application is hardened against reverse engineering, and it utilizes a special API provided by the client device to tie into the secure boot, bridging the gap between the secure boot and the client-side of the DRM system contained within the application.

Abstract: Media content is delivered to a variety of mobile devices in a protected manner based on client-server architecture with a symmetric (private-key) encryption scheme. A media preparation server (MPS) encrypts media content and publishes and stores it on a content delivery server (CDS), such as a server in a content distribution network (CDN). Client devices can freely obtain the media content from the CDS and can also freely distribute the media content further. They cannot, however, play the content without first obtaining a decryption key and license. Access to decryption keys is via a centralized rights manager, providing a desired level of DRM control.

Abstract: Methods and apparatus for sharing entropy between an entropy broker and various devices wherein the entropy broker receives a communication from a client. Responsive to determining that the client provided entropy, the entropy broker tests the provided entropy for randomness and stores provided entropy that passes verification and responsive to determining that the client requested entropy, the entropy broker adds the client to an entropy queue.