Abstract: The present invention discloses an apparatus and method for reserving a set of requested rights. In one example, the digital rights data associated with digital content information is found in a remaining rights file using a license index. A portion of the digital rights data is subsequently reserved. A determination is made as to whether a content download associated with the digital content information is successful. If the content download is unsuccessful, then the reserved portion of the digital rights data is cancelled. Alternatively, if the content download is successful, then the remaining rights file is updated to reflect a use of the portion of the digital rights data.

Abstract: A system provides improved security in a streaming media decoder includes decryption of encoded media information at the media layer, within a decoder component of a playback device. A content source, such as an MPEG-4 media stream from a network, or a file on a local storage device, etc. that contain packetized content, and supplies encrypted and encoded media information. For example, digital sound and image information can be conveyed for presentation. A reassembler component is used to initiate decryption of a nominal amount of information needed to perform further processing at the QuickTime player. Encrypted access units are sent from the reassembler to the decoder, where the decoder causes decryption of the access unit information. This approach prevents decrypted, encoded information from being transferred from the reassembler to the decoder. Such decrypted and encoded information is especially susceptible to copying.

Abstract: The present invention discloses an apparatus and method for obtaining rights management data for broadcast or multicast content. In one embodiment, a broadcast trigger message is obtained from a broadcast source. At least one content license identifier from said broadcast trigger message is obtained. Afterwards, at least one content license file associated with said at least one content license identifier is requested. Notably, the broadcast trigger message is shared by all endpoint devices while the content license file is uniquely adapted for the requesting endpoint device.

Abstract: A digital rights management architecture for securely delivering content to authorized consumers. The architecture includes a content provider and a consumer system for requesting content from the content provider. The content provider generates a session rights object having purchase options selected by the consumer. A KDC thereafter provides authorization data to the consumer system. Also, a caching server is provided for comparing the purchase options with the authorization data. The caching server forwards the requested content to the consumer system if the purchase options match the authorization data. Note that the caching server employs real time streaming for securely forwarding the encrypted content, and the requested content is encrypted for forwarding to the consumer system. Further, the caching server and the consumer system exchange encrypted control messages (and authenticated) for supporting transfer of the requested content.

Abstract: A method and apparatus are provided for enabling a Universal Plug and Play (UPnP) device to be automatically provisioned to access services without the need for manual interaction. In accordance with the invention, when a UPnP device needs to be provisioned, it automatically obtains pre-provisioning information from a provisioning device on the home network, and uses the pre-provisioning information to interact with the provisioning device to cause the UPnP device to be provisioned. The provisioning enables the UPnP device to access services, including digital rights management (DRM) services, over a network.

Abstract: A method for securely streaming real-time content from a caching server to an authorized client. The method includes the steps of encrypting an RTSP (real-time streaming protocol) message having a header and a payload, the RTSP message being encrypted in its entirety; and providing a first clear header for the encrypted RTSP message. Further, the method includes the steps of encrypting an RTCP (real-time control protocol) message having a header and a payload, the RTCP message being encrypted in its entirety; and providing a second clear header for the encrypted RTCP message. Thereafter, the encrypted RTSP message and the first clear header are transmitted, and the encrypted RTCP message and the second clear header are transmitted in order to securely stream the real-time content from the caching server to the authorized client.

Abstract: Method, apparatus, and computer readable medium for distributing content to a client device is described. One aspect of the invention relates to distributing pre-encrypted content. In one example, pre-encrypted content is received at a server. Pre-encryption key data associated with the pre-encrypted content is obtained. The pre-encrypted content is decrypted using the pre-encryption key data to produce portions of clear content. The portions of clear content are then re-encrypted as each portion is produced in accordance with unique key data to produce re-encrypted content. The re-encrypted content is distributed from the server towards a client device.

Abstract: Method and apparatus for transferring protected content between digital rights management systems is described. One aspect of the invention relates to importing content from an upstream digital rights management (DRM) system into a device in a downstream DRM system. Data is received that associates at least one device in the downstream DRM system with a rights issuer module (RIM). Authenticity of the data is verified as originating from an entity in a trust hierarchy of the device. If the data is authentic and the device is one of the at least one device associated with the RIM, a ciphertext version of the content and a corresponding content license is accepted from the RIM.

Abstract: The systems disclosed here provide a complete standards-based end-to-end scalable system for storage, delivery and in-home distribution of digital content over IP networks using standard protocols such as Real-time Transport Protocol (“RTP”) or IP-encapsulated MPEG-2 Transport Stream, or traditional MPEG-2 networks. Mechanisms are provided for receiving content from one security domain, re-encrypting that content uniquely for a receiving device, persistently storing that content, and playing back that content at a later time to and within another security domain. The systems also provide the ability to stream the persistently-stored content from the initial receiving device to another device that has been authenticated as part of a, e.g., home network. This allows a media server, e.g., a dual-tuner set-top box (“STB”) with hard drive, to deliver recorded content to any TV in the house by streaming to media clients such as STBs.

Abstract: Described herein are embodiments that provide an approach to cryptographic key management for a digital rights management (DRM) architecture that includes multiple levels of key management for minimizing bandwidth usage while maximizing security for the DRM architecture. In one embodiment, there is provided a data structure for cryptographic key management that includes a public/private key pair and three additional layers of symmetric keys for authorizing access to a plurality of contents.

Abstract: Method and apparatus providing program information to client devices for at least one multicast stream of digital content is described. In one embodiment, session description messages for the at least one multicast stream of digital content are generated. Each of the session description messages includes at least one content access parameter. The at least one content access parameter may include digital rights management (DRM) data, channel key identification data associated with the at least one channel of the at least one multicast stream of digital content, and/or data indicative of whether each session description message is associated with a channel, a program, or a program segment. Each of the session description messages is signed using a cryptographic key. The session description messages are then multicasted to the client devices using a predefined multicast address.

Abstract: The present invention discloses an apparatus and method for distributing channel key data to an endpoint device. In one example, the present invention provides channel key data to at least one endpoint device prior to the endpoint device being tuned to at least one channel associated with the channel key data. The endpoint device is then informed of the expiration time of the channel key data and is subsequently, upon request, provided the replacement channel key data on a optimized basis (e.g. randomized or utilizing some other optimization algorithm) prior to the expiration time of the original channel key data.

Abstract: A system that allows service providers, consumer electronic (CE) manufacturers or standards bodies to define flexible security policies (110) for the execution of downloaded applications (120) on digital television (DTV) receivers (160). The current receiver environment in which a software application is to be run is evaluated. For example, environmental factors such as time of day, date, channel currently tuned in, parental lockout status, grouping of major and minor virtual channels, and so forth, may be considered. An access controller (168) determines if the receiver's environmental factors satisfy the conditions for granting a permission to a downloadable application to allow access to the receiver functions (161), receiver resources and user private data. The security policy can be modified by installing or downloading a new security policy (110), or modified by a user with the provision of an appropriate interface. A Java code-implemented embodiment is disclosed.

Abstract: A method (300) for distributing data (25), within a network (11), between a source consumer (50) and a destination consumer (250). The data (25) originates from, and is protected by predetermined intellectual property rights of, a third party (20). The method (300) includes: specifying (302) a first access condition associated with the data, the access condition based on the predetermined intellectual property rights; based on a request requesting transfer of the data from the source consumer to the destination consumer, and based on a service ticket issued by an authority associated with the source consumer, arranging (304) for authentication of the destination consumer; and after authentication of the destination consumer, based on a second access condition issued by an authority associated with the source consumer, arranging (306) for transfer of the data, via the network in a peer-to-peer manner, from the source consumer to the destination consumer.

Abstract: A copyright protection method (150) and apparatus (190) employs (151) a first protection scheme (160) within a single authorized domain (195), in which all interfaces (194a-c) are protected with digital rights management system and employs (152) a second protection scheme (170) for use in inter-domain file transfers. The method (150) and apparatus (190) may employ (153) a third protection scheme (180) for external outputs (197a-c) not protected by a digital rights management system. The first protection scheme (160) includes specifying (161) whether a copy of files is allowed to be stored anywhere within the single authorized domain; specifying (162) whether files may be stored only on specific devices within the single authorized domain; or specifying (163) how many simultaneous rendering devices are permitted when rendering files.

Abstract: Management of rights to content is provided within an authorized domain. In a single authorized domain, where a plurality of domain interfaces are protected using a common rights management system, a copy of particular content may be allowed to be provided on all devices or only on specific devices coupled to the domain via the interfaces. Copy protection information, for outputs to external devices not protected by the common rights management system, is also specified. Rules can be provided for specifying whether particular content may be copied or moved to another protected domain. A number of rendering devices permitted to render the content simultaneously may be specified. Content rules are provided for use in managing rights to content within an authorized domain. Such rules can be associated with content that is persistently stored by a consumer device, as well as with content that is only rendered by a consumer device.

Abstract: A system for processing copy control information in a digital rights management system in standard languages such as XML, XrML and ODML. Concise and descriptive schemas are provided that provide differing levels of compactness and readability. In one embodiment, default values are used so that all attribute values do not have to be provided by a digital rights management definition author. Abbreviated descriptive names can be used along with value aliases to provide readily understandable definitions.

Abstract: A system provides improved security in a streaming media decoder includes decryption of encoded media information at the media layer, within a decoder component of a playback device. A content source, such as an MPEG-4 media stream from a network, or a file on a local storage device, etc. that contain packetized content, and supplies encrypted and encoded media information. For example, digital sound and image information can be conveyed for presentation. A reassembler component is used to initiate decryption of a nominal amount of information needed to perform further processing at the QuickTime player. Encrypted access units are sent from the reassembler to the decoder, where the decoder causes decryption of the access unit information. This approach prevents decrypted, encoded information from being transferred from the reassembler to the decoder. Such decrypted and encoded information is especially susceptible to copying.

Abstract: A digital rights management system (DRM) for restricting and permitting content access in a digital content distribution network such as a network used to deliver television programming. The DRM uses distributed authentication and provisioning so that the potentially many different entities involved in the content distribution network can have localized management and control. Distributed authentication can use single or multiple instances of authentication services. A ticket granting service (TGS) is used to allow clients to request services. In one approach, multiple authentication services use a common key that is known to the TGS. In another approach, unique keys are provided to each authentication service and these keys are communicated to the TGS. Distributed provisioning allows different entities to grant access rights or other resources. Provisioning service (PS) processes can execute at multiple different physical locations.

Abstract: A system for determining whether a client is authorized to access content in a communication network is disclosed. The system includes a computer software product containing programming instructions for defining content access rules in connection with accessing the content and for identifying client selections related to the content. The computer software product further includes programming instructions for providing client entitlement data. The computer software product further includes programming instructions for comparing the client entitlement data with the content access rules and the client selections to determine whether the client is authorized to access the content. Optionally, the computer software product also includes programming instructions that allow additional rules to be added to the content access rules. These additional rules can be added by other parties that are involved in the process of providing the requested content to the client.