Abstract: When displaying display items representing a set of content items including items protected by a number of different digital rights management systems on the display of a content access system, the set of display items representing the content items includes icons associated at least with the display items for each protected content item. The icons indicate whether a respective content item is protected by a digital rights management system and, if so, which digital rights management system is employed to protect the respective content item, whether an executable digital rights management module for accessing the respective protected content item is accessible to the user, and whether the user is entitled to access the respective protected content item. The icons also serve as user controls either for accessing information regarding acquisition of, or initiating actual acquisition of, the digital rights management module, access rights, or both.

Abstract: For conditional access purposes a stream is used in which at least two different decryption algorithms are needed for decryption of packets that encode different interspersed parts of the same signal for (quasi-)continuous rendering (such as an audio or video signal). Information is included in the stream to indicate dynamically which decryption algorithm should be used for which packets. In this way, it is possible for example to use a more robust algorithm with a less frequently changing key and a less robust algorithm with a more frequently changing key, interspersed with one another for the same signal. Also, different algorithms may be used for transcrypted and not transcrypted-packets of the same signal for example when an alternative is needed for the original encryption algorithm that was used for the non-transcrypted packets.

Abstract: A transmitter (110) which transmits a signal (120) for reception by a receiving device (130). The transmitter is arranged to insert into the signal an indication of a geographical region where the signal physically can be received. Preferably the geographical region is indicated in the signal using geometrical shapes. The receiving device receives one or more signals, each of the signals carrying an indication of a respective geographical region where the respective signal physically can be received, and is arranged to determine its locale from said indications. The receiver can compute the intersection of the sets of geometrical shapes carried in the various signals it received as the geographical region it is in. Based on its determined locale the receiver can restrict access to content, if such content is restricted to certain regions.

Abstract: The present invention relates to a method, a system and a central device for secure content distribution among devices in a network. The invention is based on the idea that an authorized domain is set up with a central device administering the network. When a device enters the network, the central device registers the entering device and issues at least one certificate to the entering device. The registration to ensure that the entering device is an authorized device, meaning that an authorized device manufacturer has provided the device. Due to network security, non-authorized devices are not accepted in the network. Content is distributed among the devices in the network based on authentication by means of the at least one certificate issued to each device. The distribution of content from a first device to a second device is enabled by the first device authenticating the second device, by means of the at least one certificate of the second device and vice versa.

Abstract: In whilelist-based authentication, a first device (102) in a system (100) authenticates itself to a second device (103) using a group certificate identifying a range of non-revoked device identifiers, said range encompassing the device identifier of the first device (102). Preferably the device identifiers correspond to leaf nodes in a hierarchically ordered tree, and the group certificate identifies a node (202-207) in the tree representing a subtree in which the leaf nodes correspond to said range. The group certificate can also identify a further node (308, 310, 312) in the subtree which represents a sub-subtree in which the leaf nodes correspond to revoked device identifiers. Alternatively, the device identifiers are selected from a sequentially ordered range, and the group certificate identifies a subrange of the sequentially ordered range, said subrange encompassing the whitelisted device identifiers.

Abstract: A certifying authority provides a method for whitelist-based controlling of authentication of a first device (102) in a system (100) to a second device (103). The method comprises issuing to the first device (102) a group certificate identifying a range of non-revoked device identifiers, said range encompassing the device identifier of the first device (102). Preferably the device identifiers correspond to leaf nodes in a hierarchically ordered tree, and the group certificate identifies a node (202-207) in the tree representing a subtree in which the leaf nodes correspond to said range. The group certificate can also identify a further node (308, 310, 312) in the subtree which represents a sub-subtree in which the leaf nodes correspond to revoked device identifiers. Alternatively, the device identifiers are selected from a sequentially ordered range, and the group certificate identifies a subrange of the sequentially ordered range, said subrange encompassing the whitelisted device identifiers.

Abstract: A method of controlling access to a content item in a domain comprising a set of mutually authenticated devices, the method comprising deriving one or more domain-specific rights from a right associated with the content item, the one or more domain-specific rights being bound to the domain and allowing the devices in the domain aces to the content item. Also system comprising a set of mutually authenticated devices, said set making up a domain, the system comprising a central rights manager arranged for executing said method.

Abstract: A system (100) comprising a plurality of interconnected devices (101-105) and being arranged to provide the devices (101-105) conditional access to protected content items, characterized in that the system (100) is arranged to restrict the number of simultaneous sessions involving said protected content items to a predetermined total limit. Preferably the system (100) restricts the number of content items that can be accessed simultaneously to the predetermined limit. Security modules (300) such as smart cards can be used for this purpose. Each security module (300) may be arranged to restrict the number of content items to which it provides access simultaneously to an individual limit which can change over time. The system restricts the sum of the individual limits to the predetermined total limit. If the limit is reached, further sessions may he refused or allowed at reduced quality level.

Abstract: A conditional access system comprising a plurality of devices interconnected in a network, the devices being grouped in a first group and a second group, the devices of the first group operating in accordance with a first security framework and the devices of the second group operating in accordance with a second security framework, each device operating using a particular middleware layer, said middleware layer being arranged to authenticate another middleware layer of another device, said middleware layer being authenticated by the security framework in accordance with which the device operates.