STEGANOGRAPHIC TECHNIQUES FOR SECURELY DELIVERING ELECTRONIC DIGITAL RIGHTS MANAGEMENT CONTROL INFORMATION OVER INSECURE COMMUNICATION CHANNELS
Electronic steganographic techniques can be used to encode a rights management control signal onto an information signal carried over an insecure communications channel. Steganographic techniques ensure that the digital control information is substantially invisibly and substantially indelibly carried by the information signal. These techniques can provide end-to-end rights management protection of an information signal irrespective of transformations between analog and digital. An electronic appliance can recover the control information and use it for electronic rights management to provide compatibility with a Virtual Distribution Environment. In one example, the system encodes low data rate pointers within high bandwidth time periods of the content signal to improve overall control information read/seek times.
Latest INTERTRUST TECHNOLOGIES CORP. Patents:
- Systems and methods for conducting transactions and communications using a trusted third party
- SYSTEMS AND METHODS FOR WATERMARKING SOFTWARE AND OTHER MEDIA
- Trusted infrastructure support systems, methods and techniques for secure electronic commerce transaction and rights management
- MATCHING AND RECOMMENDING RELEVANT VIDEOS AND MEDIA TO INDIVIDUAL SEARCH ENGINE RESULTS
- SECURE PROCESSING UNIT SYSTEMS AND METHODS
This application is related to commonly assigned copending application Ser. No. 08/388,107 of Ginter et al., filed 13 Feb. 1995, entitled “SYSTEMS AND METHODS FOR SECURE TRANSACTION MANAGEMENT AND ELECTRONIC RIGHTS PROTECTION” (attorney reference number 895-13). We incorporate by reference, into this application, the entire disclosure of this prior-filed Ginter et al. patent application just as if its entire written specification and drawings were expressly set forth in this application.FIELD OF THE INVENTION
The present inventions relate generally to computer security, and more particularly to steganographic techniques for hiding or encoding electronic control information within an information signal carried by an insecure communications channel. Still more particularly, the present inventions relate to systems, methods and techniques that substantially invisibly and/or indelibly convey, over analog or other insecure communications channels, digital rights management control information for use within a virtual distribution environment electronic rights management system.BACKGROUND AND SUMMARY OF THE INVENTION
The world is becoming digital. Digital signals are everywhere—in our computers, television sets, VCRs, home stereos, and CD players. Digital processing—which operates on information “bits” (numerical “on” or “off” values)—provides a degree of precision and protection from noise that cannot be matched by the older, “analog” formats we have used since the beginning of the electronic age.
Despite the clear advantage of digital communications, the older “analog” domain remains significant. Many of our most important information delivery mechanisms continue to be based on analog—not digital—signaling. In fact, most of our electronic entertainment, news, sports and music program material comes to us in the form of analog signals. For example:
- Television remains largely analog. Although the distribution of television programming to local cable systems is increasingly digital and most modern television sets include digital signal processing circuits, the local cable television “head end” continues to send television signals to the subscriber's set top box and television in analog—not digital—form. It will cost a great deal to convert local cable distribution from analog to digital. In the United States, for example, the widespread conversion from analog to digital television is projected to take no less than 15 years and perhaps even longer.
- In radio broadcasting, too, analog communication continues to reign supreme. Thousands of radio stations broadcast music, news and other programs every day in analog form. Except for a few experimental digital systems, practically all radio broadcasting is carried over analog communications channels.
- The movies and videos we rent at the local video tape rental store are analog.
- Commercially available music tape cassettes are recorded in analog formats.
Moreover, the “real world” is analog. Everything digital must ultimately be turned into something analog if we are to experience it; and conversely, everything analog must be turned into something digital if the power of modern digital technology will be used to handle it. Modern digital technology also allows people to get better quality for less money.
Despite the pervasiveness of analog signals, existing methods for managing rights and protecting copyright in the analog realm are primitive or non-existent. For example:
- Quality degradation inherent in multigenerational analog copying has not prevented a multi-billion dollar pirating industry from flourishing.
- Some methods for video tape copy and pay per view protection attempt to prevent any copying at all of commercially released content, or allow only one generation of copying. These methods can generally be easily circumvented.
- Not all existing devices respond appropriately to copy protection signals.
- Existing schemes are limited for example to “copy/no copy” controls.
- Copy protection for sound recordings has not been commercially implemented.
A related problem relates to the conversion of information between the analog and digital domains. Even if information is effectively protected and controlled initially using strong digital rights management techniques, an analog copy of the same information may no longer be securely protected.
For example, it is generally possible for someone to make an analog recording of program material initially delivered in digital form. Some analog recordings based on digital originals are of quite good quality. For example, a Digital Versatile Disk (“DVD”) player may convert a movie from digital to analog format and provide the analog signal to a high quality analog home VCR. The home VCR records the analog signal. A consumer now has a high quality analog copy of the original digital property. A person could re-record the analog signal on a DVD-R (a Digital Versatile Disk appliance and media supporting both read and write operations). This recording will in many circumstances have substantial quality—and would no longer be subject to “pay per view” or other digital rights management controls associated with the digital form of the same content.
Since analog formats will be with us for a long time to come, rightsholders such as film studios, video rental and distribution companies, music studios and distributors, and other value chain participants would very much like to have significantly better rights management capabilities for analog film, video, sound recordings and other content. Solving this problem generally requires a way to securely associate rights management information with the content being protected.
People have for many years been using various techniques allowing digital information to, in effect, ride “piggyback” on analog information signals. For example, since the 1960s, it has been common to digitally encode text information such as subtitles into otherwise unused portions of analog television signals (e.g., within the so-called “Vertical Blanking Interval”).
Unfortunately, sending digital information using such known digital encoding techniques is problematic because the digital information is not persistent. It is relatively easy to strip out or eliminate digital information encoded using prior techniques commonly employed for superimposing digital signals onto an analog information signal. Analog communications channels may commonly be subjected to various signal processing that may (intentionally or unintentionally) strip out digital information added to the analog signal—defeating any downstream system, process or technique that depends on the presence and readability of the digital information. For example, the television vertical blanking signal—along with any signal components disposed within the vertical blanking interval—is typically routinely eliminated whenever a video signal is processed by a computer.
Attempting to use insecure techniques for providing rights management is at best ineffective, and can be worse than no rights management at all. Unscrupulous people can strip out insecure control information altogether so that the corresponding information signal is subject to no controls at all—for example, defeating copy protection mechanisms and allowing users to avoid paying for rights usage. More nefariously, an unscrupulous person could alter an insecure system by substituting false control information in place of the proper information. Such substitutions could, for example, divert payments to someone other than legitimate rights holders—facilitating electronic fraud and theft.
Prior, insecure techniques fail to solve the overall problem of how to provide and securely manage advanced automatic electronic rights management for analog and other information signals conveyed over an insecure communications channel. The lack of strong rights management for analog signals creates a huge gap in any comprehensive electronic rights management strategy, and makes it possible for consumers and others to circumvent—to at least some extent—even the strongest digital rights management technologies. Consequently, there is a real need to seamlessly integrate analog delivery models with modern electronic digital rights management techniques.
The present inventions solve these and other problems by providing “end to end” secure rights management protection allowing content providers and rights holders to be sure their content will be adequately protected—irrespective of the types of devices, signaling formats and nature of signal processing within the content distribution chain. This “end to end” protection also allows authorized analog appliances to be easily, seamlessly and cost-effectively integrated into a modern digital rights management architecture.
The present inventions may provide a Virtual Distribution Environment (“VDE”) in which electronic rights management control information may be delivered over insecure (e.g., analog) communications channels. This Virtual Distribution Environment is highly flexible and convenient, accommodating existing and new business models while also providing an unprecedented degree of flexibility in facilitating ad hoc creation of new arrangements and relationships between electronic commerce and value chain participants—regardless of whether content is distributed in digital and/or analog formats.
The present inventions additionally provide the following important and advantageous features:
- An indelible and invisible, secure technique for providing rights management information.
- An indelible method of associating electronic commerce and/or rights management controls with analog content such as film, video, and sound recordings.
- Persistent association of the commerce and/or rights management controls with content from one end of a distribution system to the other—regardless of the number and types of transformations between signaling formats (for example, analog to digital, and digital to analog).
- The ability to specify “no copy/one copy/many copies” rights management rules, and also more complex rights and transaction pricing models (such as, for example, “pay per view” and others).
- The ability to fully and seamlessly integrate with comprehensive, general electronic rights management solutions (such as those disclosed in the Ginter et al. patent specification referenced above).
- Secure control information delivery in conjunction with authorized analog and other non-digital and/or non-secure information signal delivery mechanisms.
- The ability to provide more complex and/or more flexible commerce and/or rights management rules as content moves from the analog to the digital realm and back.
- The flexible ability to communicate commerce and/or rights management rules implementing new, updated, or additional business models to authorized analog and/or digital devices.
Briefly, the present inventions use “steganography” to substantially indelibly and substantially invisibly encode rights management and/or electronic commerce rules and controls within an information signal such as, for example, an analog signal or a digitized (for example, sampled) version of an analog signal.
The Greek term “steganography” refers to various “hidden writing” secret communication techniques that allow important messages to be securely carried over insecure communications channels. Here are some examples of steganography:
- In ancient Persia an important message was once tattooed on a trusted messenger's shaved scalp. The messenger then allowed his hair to grow back—completely hiding the message. Once the messenger made his way to his destination, he shaved his hair off again—exposing the secret message so the recipient could read it on the messenger's shaved scalp. See Kahn, David, The Codebreakers page 81 et seq. and page 513 et seq. (Macmillan 1967). This unusual technique for hiding a message is one illustration of “steganography.”
- Another “steganographic” technique encodes a secret message within another, routine message. For example, the message “Hey Elmer, Lisa Parked My Edsel” encodes the secret message “HELP ME”—the first letter of each word of the message forming the letters of the secret message (“Hey Elmer, Lisa Parked My Edsel”). Variations on this technique can provide additional security, but the basic concept is the same—finding a way to hide a secret message within information that can or will be sent over an insecure channel.
- Invisible ink is another commonly used “steganography” technique. The secret message is written using a special disappearing or invisible ink. The message can be written on a blank piece of paper, or more commonly, on the back or front of the piece of paper carrying a routine-looking or legitimate letter or other written communication. The recipient performs a special process on the received document (e.g., exposing it to a chemical or other process that makes the invisible ink visible) so that he or she can read the message. Anyone intercepting the paper will be unable to detect the secret message—or even know that it is there—unless the interceptor knows to look for the invisible message and also knows how to treat the paper to make the invisible ink visible
The present inventions use steganography to ensure that encoded control information is both substantially invisible and substantially indelible as it passes over an insecure communications channel. At the receiving end, a secure, trusted component (such as a protected processing environment described in Ginter et al.) recovers the steganographically-encoded control information, and uses the recovered information to perform electronic rights management (for example, on analog or other information signals carried over the same channel).
One specific aspect provided by the present inventions involve steganographically encoding digital rights management control information onto an information signal such as, for example, an analog or digitized television, video or radio signal. The steganographic encoding process substantially inextricably intertwines the digital control information with images, sounds and/or other content the information signal carries—but preferably without noticeably degrading or otherwise affecting those images, sounds and/or other content. It may be difficult to detect (even with educated signal processing techniques) that the analog signal has been steganographically encoded with a rights management control signal, and it may be difficult to eliminate the steganographically encoded control signal without destroying or degrading the other information or content the signal carries.
The present inventions also provide a secure, trusted protected processing environment to recover the steganographically-encoded control signal from the information signal, and to enforce rights management processes based on the recovered steganographically encoded control signal. This allows the information signal delivery mechanism to be fully integrated (and made compatible) with a digital virtual distribution environment and/or other electronic rights management system.
In accordance with yet another aspect provided by this invention, steganographically encoded, digital rights management control information may be used in conjunction with a scrambled and/or encrypted information signal. The scrambling and/or encryption can be used to enforce the rights management provided in accordance with the steganographically encoded rights management control information. For example, the control signal can be steganographically decoded and used to control, at least in part, under what circumstances and/or how the information signal is to be descrambled and/or decrypted.
In accordance with yet another feature provided by the invention, digital certificates can be used to securely enforce steganographically encoded rights management control information.
In accordance with still another feature provided by the invention, steganography is used to encode an information signal with rights management control information in the form of one or more protected organizational structures having association with electronic controls. The electronic controls may, for example, define permitted and/or required operation(s) on content, and consequences of performing and/or failing to perform such operations. The organizational structure(s) may identify, implicitly or explicitly, the content the electronic controls apply to. The organizational structure(s) may also define the extent of the content, and semantics of the content.
The type, amount and characteristics of the steganographically encoded rights management control information are flexible and programmable—providing a rich, diverse mechanism for accommodating a wide variety of rights management schemes. The control information can be used to securely enforce straightforward secure rights management consequences such as “copy/no copy/one copy” type controls—but are by no means limited to such. models. To the contrary, the present invention can be used to enable and enforce much richer, more complex rights management models—including for example those involving usage auditing, automatic electronic payment, and the use of additional electronic network connections. Moreover, the rights management control arrangements provided by the present invention are infinitely extensible and scaleable—fully accommodating future models as they are commercially deployed while preserving full compatibility with different (and possibly more limited) rights management models deployed during earlier stages.
The organizational structure(s) may be steganographically encoded in such a way that they are protected for purposes of secrecy and/or integrity. The employed steganographic techniques may provide some degree of secrecy protection—or other security techniques (e.g., digital encryption, digital seals, etc.) may be used to provide a desired or requisite degree of security and/or integrity protection for the steganographically encoded information.
In one example, the organizational structure(s) may comprise digital electronic containers that securely contain corresponding digital electronic control information. Such containers may, for example, use cryptographic techniques. In other examples, the organizational structure(s) may define associations with other electronic control information. The other electronic control information may be delivered independently over the same or different communications path used to deliver the organizational structure(s).
In one example, the steganographic techniques employed may involve applying the organizational structure information in the form of high frequency “noise” to an analog information signal. Spectral transforms may be used to apply and recover such steganographically-encoded high frequency “noise.” Since the high frequency noise components of the information signal may be essentially random, adding a pseudo-random steganographically encoded control signal component may introduce substantially no discernible information signal degradation, and may be difficult to strip out once introduced (at least without additional knowledge of how the signal was incorporated, which may include a shared secret).
In accordance with another aspect provided by the invention, a steganographic encoding process analyzes an information signal to determine how much excess bandwidth is available for steganographic encoding. The steganographic encoding process may use variable data rate encoding to apply more control information to parts of an information signal that use much less than all of the available communications channel bandwidth, and to apply less control information to parts of an information signal that use nearly all of the available communications channel bandwidth.
In accordance with still another aspect provided by the invention, multiple organizational structures may be steganographically encoded within a given information signal. The multiple organizational structures may apply to different corresponding portions of the information signal, and/or the multiple organizational structures may be repetitions or copies of one another to ensure that an electronic appliance has “late entry” and/or error correcting capability and/or can rapidly locate a pertinent organizational structure(s) starting from any arbitrary portion of the information signal stream.
In accordance with yet another aspect provided by this invention, an organizational structure may be steganographically encoded within a particular portion of a content-carrying information signal to which the organizational structure applies—thereby establishing an implicit correspondence between the organizational structure and the identification and/or extent and/or semantics of the information content to which the organizational structure applies. The correspondence may, for example, include explicit components (e.g., internally stated start/end points), with the storage or other physical association determined by convenience (i.e., it may make sense to put the organizational structure close to where it is used, in order to avoid seeking around storage media to find it).
In accordance with yet another aspect provided by this invention, pointers can be steganographically encoded into parts of an information signal stream that has little excess available bandwidth. Such pointers may be used, for example, to direct an electronic appliance to portions of the information signal stream having more available bandwidth for steganographic encoding. Such pointers may provide improved steganographic decode access time—especially, for example, in applications in which the information signal stream is stored or otherwise available on a random access basis.
These and other features and advantages provided by this invention may be better and more completely understood by referring to the following detailed description of presently preferred example embodiments in conjunction with the drawings, of which:
In this example, a provider 60 delivers an information signal 70 to multiple electronic appliances 100(1), . . . , 100(N). In this particular example, provider 60 is shown as being a television broadcaster that delivers an analog television information signal 70 over a wireless or cable communications path, and appliances 100(1), . . . , 100(N) are shown as being home color television sets 106. As made clear by
The provider 60 encodes the electronic rights management control information 126 onto information signal 70 using steganographic techniques that make the control information both:
- substantially invisible, and
- substantially indelible.
The control information 126 is substantially indelibly encoded because, in this example, it is substantially inextricably intertwined with the television images and/or sound—and can't easily be eliminated from information signal 70 without destroying the images, sound or other information carried by the information signal. For example, steganographically encoding rights management control information will generally survive compression and decompression of a digitized analog signal, and will also survive repeated analog/digital/analog conversion sequences.
Even though the steganographically encoded control information 126 is substantially indelible, the television viewer is not bothered by the steganographically encoded information because the steganographically encoded rights management control information is, in this example, also encoded substantially invisibly. In fact, the viewer may not be able to see the steganographic control information at all—and it may have no effect whatsoever on his or her viewing experience (other than in terms of the effect is has on associated rights management processes). The control information 126 is shown in dotted lines on the
Since indelibility of the steganographic encoding provides persistence, indelibility may be more important than invisibility in at least some applications. For example, it may be desirable in some applications to use a shared secret to decode and then remove the steganographically encoded control information 126 before presenting the information signal (or its content) to the user. The steganographically encoded information need not be particularly invisible in this scenario. Even though someone with knowledge of the shared secret can remove the steganographically encoded information, it may nevertheless remain substantially indelible to anyone who doesn't know the shared secret required to remove it.Organization Structures
The organizational structure(s) may be encoded in such a way that they are protected for purposes of secrecy, authenticity and/or integrity. The employed steganographic technique may provide such protection, or another security technique may be used in conjunction with steganography to provide a desired or requisite degree of protection depending on the application. Containers 136 may, for example, use mathematical techniques called “encryption” that help guarantee the integrity and/or secrecy of the control information 126 they contain.Example Rights Management Component
Each of the
The ability to securely deliver digital control information to such protected processing environments as embodied with components 124 is important at least because it increases flexibility and enhances functionality. For example, different digital control information can be delivered for the same or different electronic content. As one specific example, one set of rules may apply to a particular television program, another set of rules might apply to a particular film, and a still different set of rules could apply to a particular musical work. As yet another example, different classes of users of the same electronic content can receive different control information depending upon their respective needs.
Rights management components 124 are able to steganographically decode the control information 126 carried by the information signal 70. Components 124 use the decoded control information 126 to electronically manage rights. For example, components 126 may use the decoded control information 126 to control how the images and/or sound carried by information signal 70 may be used.
In one example, digital rights management component 124 may comprise or include one or more integrated circuit chips as shown in
The analog-to-digital converter (ADC) 130 shown in
The present inventions may be used with all sorts of different kinds of electronic appliances 100 each of which may include a rights management component 124.
FIG. 1Ashows an example media player 102 capable of playing Digital Versatile Disks (DVDs) 104 on a home color television set 106. For example, media player 102 may provide analog output signals to television set 106, and may also process digitized video and/or audio analog signals stored on optical disk 104. Rights management component 124A provides digital rights protection based on steganographically encoded controls 126. FIG. 1Bshows an example set top box 108 that can receive cable television signals (for example, via a satellite dish antenna 110 from a satellite 112) for performance on home television set 106. Set top box 108 shown in FIG. 1Bmay receive television signals from antenna 110 in analog scrambled or unscrambled form, and provide analog signals to television 106. Rights management component 124B provides digital rights protection based on steganographically encoded controls 126. FIG. 1Cshows an example radio receiver 114 that receives radio signals and plays the radio sound or music on a loud speaker 116. The radio receiver 114 of FIG. 1Cmay receive analog radio signals, and provide analog audio signals to loud speaker 116. Rights management component 124C provides digital rights protection based on steganographically encoded controls 126. FIG. 1Dshows an example video cassette recorder 118 that can play back video and sound signals recorded on a video cassette tape 120 onto television 106. In FIG. 1D, the video tape 120 may store video and audio signals in analog form, which VCR 118 may read and provide to television 106 in analog form. Rights management component 124D provides digital rights protection based on steganographically encoded controls 126. FIG. 1Eshows an example television camera that can capture video images and produce video signals for recording on a video cassette tape 120 and play back on television set 106. The FIG. 1Ecamcorder 122 may generate analog video and audio signals for storage onto video tape 120, and/or may provide analog signals for processing by television 106. Rights management component 124E provides digital rights protection based on steganographically encoded controls 126.
Different rights holders want different types of rights management and control. For example, some rights holders may be completely satisfied with a relatively simple “copy/no copy/one copy” rights management control model, whereas other rights holders may desire a richer, more complex rights management scheme. The present inventions flexibly accommodate a wide variety of electronic rights management techniques—giving rightsholders extreme flexibility and programmability in defining, for example, commerce and rights management models that far exceed the simple “copy/no copy, one copy.” Assuming a closed appliance, that is, one lacking at least an occasional connection to a payment method (e.g., Visa, MasterCard, American Express, electronic cash, Automated Clearinghouses (ACHs) and/or a Financial Clearinghouse that serves as the interface for at least one payment method), the following are non-limiting examples of steganographically encoded rights controls and associated consequences that can be accommodated by the present invention:
- Limiting use of a given property to a specified number of times this property can be used on a given appliance;
- Prohibiting digital to analog and analog to digital conversions;
- Ensuring that one analog or digital appliance will communicate the protected property only to another appliance that is also VDE enabled and capable of enforcing the controls associated with that property;
- Time-based rental models in which a consumer may “perform” or “play” the property an unlimited number of times in a given interval (assuming the appliance has a built-in secure time clock, can operatively connect itself to such a clock, or otherwise receive time from a reliable source);
- Enforcing an expiration date after which the property cannot be performed (also assuming access to a reliable time source);
- Associating different control sets with each of several properties on a single physical media. In one example, a “trailer” might have unlimited copying and use associated while a digital film property may have an associated control set that prevents any copying;
- Associating multiple control sets with a given property regardless of media and whether the appliance is closed or has an occasionally connected communications “backchannel.”
An even more flexible and diverse array of rights controls and associated consequences are enabled by the present inventions if at least one appliance is connected to some form of communications “backchannel” between the appliance and some form of payment method. This backchannel may be a telephone call, the use of a modem, a computer data network, such as the Internet, a communications channel from a settop box to the head end or some other point on a cable TV distribution system, or a hybrid arrangement involving high bandwidth-distribution of analog properties with a slower return channel, a phone line and modem—just to name a few examples. Non-limiting examples of such more rights controls and associated consequences enabled by the present invention include the following:
- Associating with a given property in analog format new, independently delivered controls obtained from a rightsholder or other authorized source;
- A broad range of usage-based pricing models, including pay-per-view or pay-per-use;
- Creating. permissions enabling excerpting of properties in analog formats, maintaining persistent control over those excerpts, and charging for those excerpts;
- Pay-per-use models in which a customer pays a specified price for each use of the property and/or different unit prices depending on the number of uses. In one example, the customer might pay $3.99 for the first viewing and $2.99 for each subsequent viewing; and,
- Controls that prevent an analog property being converted to digital format and then being transmitted or communicated except in a container with controls and/or with a pointer to a source of controls, that apply in a digital environment.
In a more secure example, the incoming analog signal is scrambled, and the
End to End Protection
The steganographic techniques provided by the present invention ensure that the electronic controls 126 persist in the signal A delivered from appliance 100A to appliance 106B—and from appliance 106B to still other appliances. Because of the substantial indelibility characteristics of the steganographically encoded control information 126, this information persists in the signal as stored on recording medium 104, in copies of the recorded signal produced by replaying the medium, and in further downstream versions of the signal.
This persistence will, for example, survive conversion from analog to digital format (e.g., sampling or “digitizing”), storage, and subsequent conversion from digital to analog format. For example, because the steganographically encoded control information 126 is substantially indelibly, substantially inextricably intertwined and integrated with the information signal A, the digitized version of the information signal that appliance 100A records on medium 104 will also contain the steganographically encoded control information 126. Similarly, when appliance 100A plays back the recording from medium 104, it will reproduce information signal A along with the steganographically encoded control information 126. The steganographically encoded control information 126 thus persists irrespective of digitization (or other processing) of signal A. In some cases, lossy compression techniques used on the data may remove high frequency noise—thereby potentially damaging the steganographic channel. When these lossy compression techniques are used or may be encountered, the steganographic encoding function should be matched to the compression algorithm(s) using conventional signal analysis techniques to avoid this consequence.
Similarly, appliance 106B may output further copies or versions of signal A in analog form and/or digital form. Because of its inherently persistent characteristics, the steganographically encoded control information 126 will be present in all subsequent versions of the signal outputted by appliance 106B—be they in analog format, digital format, or any other useful format.
Degrading a digital signal carrying control information is fatal—the rights management system typically may no longer function properly if even a single bit is altered. To avoid this, the preferred embodiment provides redundancy (repeating pointers and the organizational structures and/or any control information incorporated into the organizational structures), and also uses conventional error correction coding such as, for example, Reed-Solomon (or similar) error correcting codes. Additionally, because the steganographically encoded control information 126 is substantially inextricably intertwined with the desired content carried by information signal A, any process that degrades the steganographically encoded control information 126 will also tend to degrade the information signal's desired content. Although the steganographically encoded information may degrade (along with the content) in multi-generation “copies” of the signal, degraded copies may not be commercially significant since the information content of the signal will be similarly degraded due to the substantially inextricable intertwining between the steganographically encoded control information 126 and the content carried by signal A. The refresh circuit shown in
- a first “trailer” 272 may be associated with control information 126(1),
- a second trailer 274 may be associated with control information 126(2),
- a title section 276 may be associated with control information 126(3),
- the first five minutes of the movie may be associated with control information 126(4), and
- the rest of the movie may be associated with control information 126(5).
Control information portions 126(1), 126(2), 126(3), 126(4) and 126(5) may all be different. For example, control information 126(1) may permit the user to copy trailer 272, whereas control information 126(4) may prohibit the user from copying the first five minutes 278 of the film.
As shown in
A steganographic encode block 406 may be used to steganographically encode digital control information 126, in clear text form and/or after encryption by a conventional digital encryption block 414 based on an encryption key Keys Steganographic information can be combined with a pseudo-random data stream (e.g. exclusive-or'd into the output of a DES engine)—in effect shuffling around the noise in the signal rather than replacing noise with the signal, per se. When protection is desired, the values in the pseudo-random stream can be protected by encryption (e.g. the key that initializes the DES engine should be protected). When the steganographic channel is “public” (e.g., unencrypted), the stream should be readily reproducible (e.g. by using one of a preset collection of values shared by every device). A small portion (a “public header”—see Ginter et al.) is always detectable using a shared preset value (that does not need to be protected, distinguishing it from the private header keys), may be provided to ensure that the rights management technology can be activated properly. Since the rights management component 124 at the receiving side needs to know how to descramble the signal, there normally will be an indication in the “public header” that names a key that will be used to unlock the private header (and so on, as described, for example, in Ginter et al.). Some publicly available, agreed upon preset values may be used to extract the “public header” information from the steganographically encoded channel.
Steganographic encode block 406 may be any conventional steganographic encoding arrangement capable of steganographically encoding a digital signal onto information signal 70. Steganographic encode step 406 may be based on a key Kc—allowing the same basic steganographic encoding and decoding transformations to be used by a wide variety of different appliances while still maintaining individuality and secrecy through the use of different steganographic keys.
In one example, the steganographic encoding step 406 may introduce the (encrypted) digital control information into the high frequency spectrum portion of the spectrally transformed information signal 70. The spectrally transformed signal with steganographic encoding is shown in the
The amount of amplitude modification performed by steganographic encode step 406 may be limited in this example to ensure that the resulting steganographically encoded signal does not exceed the available channel bandwidth. See, for example,
- J. Millen, “Covert Channel Capacity,” IEEE Symposium on Security and Privacy (1987).
- R. Browne, “An Entropy Conservation Law for Testing the Completeness of Covert Channel Analysis,” Fairfax 94, pp 270-281 (1994).
- Moskovitz et al., “The Channel Capacity of a Certain Noisy Timing Channel,”, IEEE Trans. on Information Theory v IT-38 no. 4, pp. 1330-43, (1992).
- Venkatraman, et al., “Capacity Estimation and Auditability of Network Covert Channels,”, Oakland 95, pp. 186-298.
The following equations show the relationship between total bandwidth, bandwidth available for steganographic encoding, and the data rate of the steganographically encoded signal:
where Δt=tn+1−tn, and
B is a function of time in bits/second.
In the above expressions, the function S corresponds to an area under a curve resulting from the product of B (bandwidth) and t (time). The parameter delta t refers to the “granularity” of the analog-to-digital conversion (i.e., 1/sampling rate).
Steganographic encode block 406 can use an encoding rate and characteristic that ensures the steganographically encoded signal bandwidth doesn't exceed the total bandwidth available in the communication channel. Typically, the amount of bandwidth available for steganographic encoding may be on the order of on the average of 0.1% of the total transmission channel bandwidth—but as mentioned above, this bandwidth available for steganographic encoding may be unequally distributed with respect to time within the information signal stream 70 and may depend on the content of the information signal.
In this example, steganographic encode block 406 analyzes the content (e.g., by performing statistical weighted averaging), and provides a responsive variable steganographic encoding rate. For example, steganographic encoding block 406 can use a high data rate during example time periods “II” and “IV” in which the information signal 70 has characteristics that allow high steganographic rate encoding without the resulting signal exceeding the available overall channel bandwidth. Encoding block 406 can use a low data rate during time periods “I” and “III” in which the information signal 70 has characteristics that do not allow high data rate steganographic encoding without exceeding available overall channel bandwidth. Steganographic encoding block 406 may use any number of different variable rates to accommodate different relationships between information signal 70 characteristics and available channel bandwidth.
Referring again to
This signal may be further scrambled and/or encrypted (e.g., based on a scrambling and/or encryption key Keyd) before being converted to analog form (shown in Graph A6) by a conventional digital-to-analog conversion block 412 (if necessary). Signal scrambling may be independent of steganographically encoded control information. For example, a good way to support existing devices is to not scramble the signal, and to use legislative means to ensure that each new device manufactured is equipped with rights management technology. Scrambling/encrypting of content, can be used to enforce use of rights management. If legislative means can enforce the use of rights management technology, encryption or scrambling of content may not be necessary (although a decision to provide cryptographic protection for the control information is independent of this factor and must be evaluated in light of protecting the rights management system). Rights holders can choose an enticement technique(s) based on their business model(s). The benefit of scrambling is that it provides technical means for enforcing rights management. The benefit of unscrambled content is support of hundreds of millions of devices in the installed base—with the promise that new devices (potentially including computers) will enforce the control information even though they don't “have to” from a technical perspective.
The resulting steganographically encoded information signal 70 may then be transmitted over an insecure communications channel. Digital-to-analog conversion step 412 may be omitted if a digital communications channel (e.g., an optical disk, a digital satellite link, etc.) is available to deliver the signal.
The resulting digitized signal provided by
In a further example shown in
An optical disk player 102 with random access capability may “seek” to the place at which the closest organizational structure 136 is stored on the disk 104, and rapidly read the organizational structure off of the disk in less time than might be required to read an organizational structure that steganographic encode block 406 encodes at a lower data rate during times when the content bandwidth occupies most of the available channel bandwidth. In such arrangements, the process of reading a pointer 800, “seeking” to a position on the medium specified by the pointer, and then reading an organization structure 136 steganographically encoded at a high data rate may provide overall faster access times than if the organizational structure was itself encoded at a lower data rate within the parts of the information signal stream used in this example to encode only pointers.
Detailed Example Electronic Appliance Architecture
A main system bus 206 may couple rights management component 124 to a main system microprocessor 208 and various system components such as, for example, a CD-ROM decoder 210, a control and audio block 212, a video decoder 214, a digital output protection block 216, and a communications system 218. In this example, main microprocessor 208 controls the overall operations of appliance 100, with rights management component 124 performing security-related functions such as rights management and steganographic decoding.
The video output of CD-ROM decoder 210 may be decompressed by MPEG-2 video decoder 214 and applied via an NTSC and/or PAL encoder 230 to television 106. (In another example, the output could be in a non-interlaced format such as RGB rather than in interlaced formats such as NTSC and PAL.) Meanwhile, control and audio block 212 (which may operate in conjunction with its own buffer memory 232) may receive digitized audio information recorded on optical disk 204 via DSP 224 and CD-ROM decoder 210. Control and audio block 212 may provide this audio output to audio processing block 234 for output to loudspeakers 116. Control and audio block 212 may also provide an interface to the user via an infrared sensor 236 (for a remote control, for example), front-panel user controls 238 and/or an LED display 240.
In this example, security microprocessor 200 within rights management component 124 receives the digitized video and/or audio that DSP 224 reads from optical disk 104 via pickup 220 and RF amp 222. Security microprocessor 200 steganographically decodes this digitized analog information signal to recover the digital control information 126 encoded onto the information signal. Security microprocessor 200 also performs rights management functions based on the digital control information 126 it recovers. In addition, if desired security microprocessor may remove the steganographic encoding from a received digitized analog signal (since it shares a secret such as the steganographic encoding key Keyc with the steganographic encoding point, it can remove the steganographic encoding) and/or steganographically encode a signal with received, augmented and/or new rights management control information.
In this example, microprocessor 200 may selectively control cryptography engine 204 to decrypt encrypted content provided by optical disk 104—thus enforcing the rights management activities provided in accordance with electronic controls 126. Security component 124 may also control digital output protection block 216 in accordance with rights management control information 126—thus, selectively permitting digital appliance 100 to output content in digital form. Rights management component 124 may take other steps (e.g., watermarking and/or fingerprinting information before releasing it) to provide a degree of copy protection and/or quality degradation to prevent or discourage someone from creating an unlimited number of high quality copies of the content of optical disk 104. Rules contained in the control information can also govern how other parts of the system behave. For example, the control information could specify that no sound can be played unless the content is paid for. Another property may specify that certain copy protection schemes should be turned on in the NTSC encoder. Still another might disable the digital outputs of the device altogether, or unless an additional fee is paid.
Rights management component 124 (protected processing environment 138) may, in this particular example, communicate over a network 144 (such as, for example, the Internet or other data communications path) with other rights management related entities, such as, for example, clearinghouses and repositories. This “back channel” allows rights management component 124 to, for example, report usage and payment information and/or to retrieve additional rights management control information 126 to augment or supplement the control information it steganographically decodes.Example Control Steps
If protected processing environment 138 encounters a pointer (“yes” exit to decision block 318), then the protected processing environment determines whether it already has received the corresponding organizational structure pointed to by the received pointer (
If protected processing environment 138 has received no organizational structures or pointers (“no” exits to each of decision blocks 308, 312, 318), then the protected processing environment may determine whether there is any bandwidth available to carry control information. For example, some types of content stored on optical disk 104 may take up substantially all available channel bandwidths so that no bandwidth remains for steganographic encoding. If there is no available bandwidth for steganographic encoding (“no” exit to decision block 324), then the protected processing environment 138 may return to the “apply rules” block 302 and repeat steps 304-324 to wait until bandwidth is available for steganographic encoding. On the other hand, if there is bandwidth available and still no steganographically encoded information has appeared (“yes” exit to decision block 324,
As mentioned above, protected processing environment 138 may also perform any or all of the
- steganographically decode the signal using shared secrets to obtain the control information;
- modify the control information to the extent authorized by the control information;
- remove the steganographic encoding from the signal based on the shared secret; and
- steganographically encode the signal with the modified control information.
In this example, an example set top box user appliance 108 may receive the distributed steganographically encoded analog signal A′. Set top box 108 may include a rights management component 124 as described above, and may perform rights management operations and/or processes in response to and based on steganographically encoded control information 126.
Set top box 108 in this example may output the steganographically encoded analog signal (or a facsimile of it) to additional user electronic appliances such as, for example, a television set 106, a digital optical recording device (e.g., DVD-R) 102, and/or a video tape recorder 118. Each of these additional appliances 106, 102, 118 may include a rights management component 124 that performs electronic rights management based on the steganographically encoded control information 126. Any recordings made by recording devices 102, 118 may also be steganographically encoded.
In this example, digital television 106B includes an analog output that may provide analog television signals to additional devices, such as, for example, an analog video cassette recorder 118. In this example, the rights management component 124C within digital television 106B may steganographically encode the analog television signal A with controls 126 and associated organizational structure(s) 136 before releasing the analog signal to the outside world.
While the invention has been described in connection with what is presently considered to be the most practical and preferred embodiment, it is to be understood that the invention is not to be limited to the disclosed embodiment, but on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
30. A rights management method performed by an electronic appliance comprising a processor and a non-transitory computer-readable storage medium storing instructions that, when executed by the processor, cause the electronic appliance to perform the method, the method comprising:
- receiving, at an interface of the electronic appliance, from a communications channel, an information signal, the information signal comprising a first pointer, the first pointer indicating a location of first control information governing use of the information signal;
- retrieving the first control information using the first pointer;
- receiving a request to use the information signal; and
- governing use of the information signal based on the first control information.
31. The method of claim 30, wherein the location of the first control information is a location in the information signal.
32. The method of claim 31, wherein the location in the information signal is a location where the communications channel has high available bandwidth.
33. The method of claim 30, wherein the location of the first control information is a remote location from the electronic appliance.
34. The method of claim 30, wherein the location of the first control information is a location on a storage medium associated with the electronic appliance storing, at least in part, the information signal.
35. The method of claim 30, wherein the information signal further comprises a second pointer encoded in one or more second locations in the information signal where the communication channel has low available bandwidth, the second pointer indicating a location of second control information governing use of the information signal.
36. The method of claim 35, wherein the method further comprises retrieving the second control information using the second pointer.
37. The method of claim 36, wherein the method further comprises governing, by the rights management component, use of the information signal based on the second control information.
38. The method of claim 35, wherein the first control information and second control information are configured to govern use of the information signal according to one or more rules.
39. The method of claim 35, wherein the first control information is configured to govern use of the information signal according to a first set of rules and the second control information is configured to govern use of the information signal according to a second set of rules different from the first set of rules.
40. The method of claim 30, wherein the first pointer is steganographically encoded in the information signal.
41. The method of claim 30, wherein the first pointer is included in a secure container encoded in the information signal at the one or more first locations.
42. A non-transitory computer-readable storage medium storing instructions that, when executed by a processor included in an electronic appliance, cause the electronic appliance to:
- receive an information signal from a communications channel, the information signal comprising a first pointer encoded in one or more first locations in the information signal where the communications channel has low available bandwidth, the first pointer indicating a location of first control information governing use of the information signal;
- retrieve the first control information using the first pointer;
- receive a request to use the information signal; and
- govern use of the information signal based on the first control information.
43. The non-transitory computer-readable storage medium of claim 42, wherein the location of the first control information is a location in the information signal.
44. The non-transitory computer-readable storage medium of claim 43, wherein the location in the information signal is a location where the communications channel has high available bandwidth.
45. The non-transitory computer-readable storage medium of claim 42, wherein the location of the first control information is a remote location from the electronic appliance.
46. The non-transitory computer-readable storage medium of claim 42, wherein the location of the first control information is a location on a storage medium associated with the electronic appliance storing, at least in part, the information signal.
47. The method of claim 42, wherein the information signal further comprises a second pointer encoded in one or more second locations in the information signal where the communication channel has low available bandwidth, the second pointer indicating a location of second control information governing use of the information signal.
48. The non-transitory computer-readable storage medium of claim 47, wherein the instructions further cause the processor to retrieve the second control information using the second pointer.
49. The non-transitory computer-readable storage medium of claim 48, wherein the instructions further cause the processor to govern use of the information signal based on the second control information.
50. The non-transitory computer-readable storage medium of claim 47, wherein the first control information and second control information are configured to govern use of the information signal according to one or more rules.
51. The non-transitory computer-readable storage medium of claim 47, wherein the first control information is configured to govern use of the information signal according to a first set of rules and the second control information is configured to govern use of the information signal according to a second set of rules different from the first set of rules.
52. The non-transitory computer-readable storage medium of claim 42, wherein the first pointer is steganographically encoded in the information signal.
53. The non-transitory computer-readable storage medium of claim 42, wherein the first pointer is included in a secure container encoded in the information signal at the one or more first locations.
International Classification: H04L 29/06 (20060101);