Abstract: The systems disclosed here provide a complete standards-based end-to-end scalable system for storage, delivery and in-home distribution of digital content over IP networks using standard protocols such as Real-time Transport Protocol (“RTP”) or IP-encapsulated MPEG-2 Transport Stream, or traditional MPEG-2 networks. Mechanisms are provided for receiving content from one security domain, re-encrypting that content uniquely for a receiving device, persistently storing that content, and playing back that content at a later time to and within another security domain. The systems also provide the ability to stream the persistently-stored content from the initial receiving device to another device that has been authenticated as part of a, e.g., home network. This allows a media server, e.g., a dual-tuner set-top box (“STB”) with hard drive, to deliver recorded content to any TV in the house by streaming to media clients such as STBs.

Abstract: In a method of temporarily registering a second device with a first device, in which the first device includes a temporary registration mode, the temporary registration mode in the first device is activated, a temporary registration operation in the first device is initiated from the second device, a determination as to whether the second device is authorized to register with the first device is made, and the second device is temporarily registered with the first device in response to a determination that the second device is authorized to register with the first device, in which the temporary registration requires that at least one of the second device and the first device delete information required for the temporary registration following at least one of a determination of a network connection between the first device and the second device and a powering off of at least one of the first device and the second device.

Abstract: A method is provided for viewing a bookmarked video clip. The method includes establishing communication over a broadband network with a first network element on which at least one bookmark resides. The bookmark includes metadata identifying a bookmarked video clip of a video program and specifies a network address at which the bookmarked video clip is located. Upon user request, metadata associated with a specified bookmark is received. Communication is established with a second network element on which the specified bookmarked video clip is located using the network address of the specified bookmarked video clip provided in the metadata. The bookmarked video clip is received from the second network element. The bookmarked video clip is encrypted in accordance with a digital rights management scheme. The bookmarked video clip is decrypted and rendered.

Abstract: A method is provided for creating an encrypted data file from a data file having a sample entry box and a media data box. The sample entry box has description information therein. The media data box includes media data therein. The method includes: receiving the data file; encrypting the media data within the media data box with an encryption key; replacing the sample entry box with an encoded box; creating a sinf box within the encoded box; creating a form a box within the sinf box; and creating an schm box within the sinf box. The schm box indicates the type of formatting of the encrypted media data. The encoded box does not include an initial counter that may be used to decrypt the encrypted media data.

Abstract: A method of viewing a content item is provided. The method includes receiving an encrypted content item and a network address of a key management system from a primary client device over a communications network. A session key is obtained over the communications network and the primary client device is notified that the session key has been obtained. An encrypted version of a content key is received over the communication network to decrypt the content item and content rights that determine access to the content item. The content rights restrict the content item from being rendered unless it is rendered in coordination with the rendering of the content item by the primary client device. The encrypted version of a content key is decrypted with the session key. The content item is rendered in accordance with the content rights by decrypting the content item with the content key.

Abstract: Systems and methods for secure content distribution to playback devices connected to a local network via a residential gateway using secure links are disclosed. One embodiment of the invention includes a content server, a rights management server, a residential gateway configured to communicate with the content server and the rights management server via a network, and a playback device configured to communicate with the residential gateway via a local network.

Abstract: Systems and methods are disclosed that authenticate devices or users, and enable playback of secured streaming content through a media player. In one embodiment, the invention is a system for receiving secure content over an unmanaged network, including a security application configured operate on a user device with access to a network, where the security application is configured to receive a request for playlist data from the media player, send a playlist request to a content server, receive playlist data from the content server, send playlist data to a media player, receive a security access request from the media player, send a security access request to a security server, receive security access data from the security server; and send security access data to a media player.

Abstract: An embodiment of the present invention provides a method of transferring content within a system having a credit managing device, a content providing device and a user device. The method includes: registering the user device with the credit managing device; providing a universal credit to the user device from the credit managing device; providing encrypted content and a pre-rights generator from the content providing device to the user device at a first time without consuming the universal credit; generating a decryption key from the pre-rights generator a second time after the first time; and decrypting, via the decryption key, the encrypted content at the user device and consuming a portion of the universal credit.

Abstract: In a method for encrypting content, the content is received in a device and at least a portion of the content is stored to thereby associate the content with one of a first copy control state and a second copy control state. The method includes creating at least one of a first content pre-key using a local storage key unique to the device as a key to encrypt the content ID of the content and a second content pre-key using the first content pre-key as a key to encrypt the first copy control state, creating a content encryption key using one of the first content pre-key as a key to encrypt the first copy control state and the second content pre-key as a key to encrypt the second copy control state, and encrypting the content using the content encryption key.

Abstract: A method and apparatus are for transferring a client device certificate and an associated encrypted client private key to a client device from a secure device. The secure device receives over a secure connection, a secure device certificate, a secure device private key and a plurality of client device certificates. Each client certificate is associated with a bootstrap public key but is not assigned to any particular client device. A plurality of encrypted client private keys is also received. Each of the encrypted client private keys comprises a client private key associated with one of the client device certificates encrypted with the bootstrap public key. The plurality of client device certificates is stored. The encrypted client private keys are stored in double encrypted protected form. A client device certificate and an associated encrypted client private key are transferred to a client device that has successfully registered with the secure device.

Abstract: A digital rights management system (DRM) for restricting and permitting content access in a digital content distribution network such as a network used to deliver television programming. The DRM uses distributed authentication and provisioning so that the potentially many different entities involved in the content distribution network can have localized management and control. Distributed authentication can use single or multiple instances of authentication services. A ticket granting service (TGS) is used to allow clients to request services. In one approach, multiple authentication services use a common key that is known to the TGS. In another approach, unique keys are provided to each authentication service and these keys are communicated to the TGS. Distributed provisioning allows different entities to grant access rights or other resources. Provisioning service (PS) processes can execute at multiple different physical locations.

Abstract: In a method for communicating media content stored on a digital video recorder (DVR) protected by a first DRM system to a portable multimedia device (PMD) using a second DRM system, in which the first DRM system differs from the second DRM system, a request for communication of a media content item stored on the DVR to the PMD is received. In addition, a portable content key is employed to encrypt the media content item to a PMD format suitable content version and the encrypted PMD format suitable content version is communicated to the PMD along with a portable content identifier (ID).

Abstract: A session rights object and authorization data are used for defining a consumer's access right to a media content stream. The access rights are determined at a caching server remotely located from the consumer rather than locally at the end user site. In a first aspect, in a computing network having a content provider, a key distribution center, a caching server and a client, a method for controlling client access to a real-time data stream from the caching server, is disclosed.

Abstract: A method, device and system for controlling JTAG interface enablement within a communication device. The JTAG interface can be selectively enabled based on the receipt of an encrypted access token generated by an access token server. The access token server generates the access token in response to an end user providing appropriate device-specific information. The access token includes appropriate information that, upon appropriate authentication and decryption, can temporarily device bind the boot code image of the device in a manner that enables the JTAG interface. Alternatively, the access token includes appropriate information that instructs the general purpose processor to choose between JTAG interface enablement information and JTAG interface disablement information for use with the boot code image of the device. The access token can include expiration information that causes an enabled JTAG interface to revert back to its disabled status upon expiration of the access token.

Abstract: A domain controller is provided for use with a content source and a media device. The content source can provide encrypted content and rights data corresponding to the encrypted content. The media device can provide a request for the encrypted content and the rights data. The domain controller includes a communication portion, a digital rights management portion and a memory portion. The communication portion can engage in a first bi-directional communication with the content source and can engage in a second bi-directional communication with the media device. The digital rights management portion can receive the rights data. The memory portion can store the encrypted content. The second bi-directional communication includes an authorization and authentication communication between the communication portion and the media device, a secure move message exchange between the communication portion and the media device and a content download from the communication portion to the media device.

Abstract: A Service Key Delivery (SKD) system for delivering a service keys to client devices in a communications network. The delivered service keys are operable to be used to decrypt an encrypted key operable to be used to decrypt an encrypted digital content. The SKD system includes a data input interface for receiving a distribution time frame for the keys and a listing of client device identifications. The SKD system also includes a scheduling module to partition at least part of the distribution time frame into a number of time slots in which the number may be based on a variety of factors. The scheduling module assigns the time slots in the partitioned part of the distribution time frame to the client devices based on the identifications in the listing. The SKD system also includes a message generator configured to send key delivery messages to the client devices.

Abstract: A method is provided by which a client device obtains authorized access to content delivered over a content delivery network. The method includes receiving an entitlement management message (EMM). The EMM includes at least one cryptographic key and a device registration server certificate ID (DRSCID) identifying a currently valid device registration server (DRS) public key certificate. The DRSCID obtained from the EMM is compared to a stored DRSCID value. An entitlement control message (ECM), which includes an encrypted traffic key for decrypting content, is received. If the DRSCID obtained from the EMM is determined to match the stored DRSCID, the traffic key is decrypted with the cryptographic key or a key derived from the cryptographic key to thereby access the content.

Abstract: A device is provided for use with a digital content provider and a content purchaser. The content provider can provide digital content and a first digital key, wherein the digital content has quantified digital rights associated therewith. The device includes a receiving portion, a security portion, a content database, an interface portion and a transmitting portion. The receiving portion can receive the digital content and the first digital key. The security portion can access the digital content with the first digital key. The content database can store the digital content. The interface portion can offer to the content purchaser the digital content and can enable the content purchaser to purchase the digital content in accordance with purchased quantified digital rights. The security portion can further encrypt the digital content with a second digital key such that the content purchaser may use the purchased digital content.

Abstract: An aspect of the present invention provides a method of communicating within a system having a first device, a second device, a key distribution device and an interactive service portal device. The method includes: storing a tag within the interactive service portal device; associating the tag with the first device; registering the first device with the key distribution device; associating, by way of the key distribution device, an encryption key with the first device; accessing, by way of the second device, the tag; providing information to the second device; and establishing secure bi-directional interactive communication, corresponding to the tag, between the first device and the second device based on a relationship between the information and the encryption key.

Abstract: A device configured to communicate with a second device may register a second device using one of multiple registration modes including a domain-registration mode, a device-registration mode, and a no-registration mode. The domain-registration mode allows the second device to register with the device and at least one other device registered with the device, the device-registration mode allows the second device to register with the device and with no other devices, and the no-registration mode does not allow any device to register with the device. The device receives a selection of one of the multiple registration modes and places the device in the selected registration mode.