WO2003039067A1 - Method and apparatus for encrypting media stream packets either dynamically or statically by a proxy and a pre-processor - Google Patents

Method and apparatus for encrypting media stream packets either dynamically or statically by a proxy and a pre-processor Download PDF

Info

Publication number
WO2003039067A1
WO2003039067A1 PCT/SE2002/001830 SE0201830W WO03039067A1 WO 2003039067 A1 WO2003039067 A1 WO 2003039067A1 SE 0201830 W SE0201830 W SE 0201830W WO 03039067 A1 WO03039067 A1 WO 03039067A1
Authority
WO
WIPO (PCT)
Prior art keywords
encryption
packets
media stream
proxy
encrypted
Prior art date
Application number
PCT/SE2002/001830
Other languages
French (fr)
Inventor
Henrik Carlsson
Dag Helstad
Christer ÖSTERLIND
Tomas Sparr
Original Assignee
Kreatel Communications Ab
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Kreatel Communications Ab filed Critical Kreatel Communications Ab
Publication of WO2003039067A1 publication Critical patent/WO2003039067A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/76Proxy, i.e. using intermediary entity to perform cryptographic operations

Definitions

  • the present invention relates to a method defined in the preamble of claim 1.
  • the present invention also relates to an apparatus defined in the preamble of claim 5.
  • DVB-CA Digital Video Broadcasting
  • the decryption uses a separate processing unit on a smart card, which makes the decryption expensive.
  • One object of the present invention is to provide such an improved method and apparatus, which has configurable requirements on CPU utilisation on both the client and the server, and which is built on open standards.
  • this object is accomplished by providing a method and apparatus as defined in the characterising parts of the independent claims 1 and 5.
  • Fig 1 is a block diagram of an encryption system
  • Fig 2 is a flowchart showing the steps performed when the media stream is encrypted.
  • the media stream is a Moving Picture Experts Group Transport Stream (MPEG-2 TS), which refers to the family of digital video compression standards and file formats developed by this group.
  • MPEG-2 TS Moving Picture Experts Group Transport Stream
  • MPEG-2 TS achieves high compression rate by for most of the frames storing only the changes from one frame to another instead of each entire frame.
  • MP3 MPEG-1 Audio Layer-3
  • MPEG-2 PS MPEG-2 Packet Stream
  • a content protection pre-processor is represented by 1.
  • the pre-processor 1 is connected to a database 6 from which it gets the MPEG-2 TS to process.
  • a server 2 connected to an encryption proxy 3 gets the pre-processed MPEG-2 TS from the database 6.
  • the pre-processor 1 and the encryption proxy 3 are both connected to an encryption scheme 5, from which they get information concerning the encryption.
  • a client 4 communicates with the encryption proxy 3 over a network 1, e.g. Internet.
  • Fig 1 illustrates one example of the architecture of the encryption system. The person skilled in the art understands, however, that any other constellation of the parts in the system is possible.
  • some TS packets are statically, e.g. on disk, encrypted and some are dynamically, real time, encrypted.
  • the static encryption can e.g. be done by the content owner before delivering the content to operators, which reduces the risk of "in-house theft" at the operator site.
  • the pre-processor 1 analyses the MPEG-2 TS and selects the TS packets which are to be statically encrypted, encrypts these and marks at the same time the TS packets which are to be dynamically encrypted. This processing is performed only once per title, e.g. once per film when the media stream is a video stream and once per audio track when the media stream is an audio stream.
  • the encryption proxy 3 encrypts the TS packages marked by the pre-processor 1 for dynamic encryption.
  • the dynamic encryption is, however, performed once per session. This means that even if the static encryption is cracked, watching e.g. a movie is made impossible by the dynamic encryption.
  • the encryption scheme 5 contains all necessary information the pre-processor 1 and the encryption proxy 3 need in order to perform the encryption of the media stream.
  • the content owner supplies the information stored in the encryption scheme 5.
  • Typical information in the encryption scheme 5 is what and when to encrypt and what algorithm to use.
  • the combination of the pre-processor 1 and the encryption proxy 3 makes the inventive system flexible, with full control over what to encrypt and when (static or dynamic).
  • the system can e.g. be optimised for a low CPU usage, high security or low cost etc.
  • the flexibility of the system lead to that different kinds of encryption algorithms may be used, in which all packets, some packets or no packets at all can be encrypted.
  • the pre-processor 1 marks the packets (a sub set of the total number of packets) to encrypt dynamically meaning that not all encryption need to be done in real time, there are small requirements on CPU utilisation on the host running the encryption proxy 3. The requirements on CPU are configurable through the encryption scheme 5.
  • the server 2 stores the pre-processed MPEG-2 TS and creates indices.
  • the server 2 is a Video-on-Demand (VoD) server.
  • NoD gives a user the possibility to order a movie or other program content for immediate viewing on e.g. the TN.
  • the client 4 e.g. a Set-Top-Box (STB) client, comprises a web browser allowing the user to choose e.g. a movie.
  • STB Set-Top-Box
  • the client 4 then orders the chosen movie from the NoD server 2 via the encryption proxy 3. Since the encryption proxy 3 handles all communication with the client, the inventive system is independent of the server.
  • the preferred embodiment of the inventive method is based on the MPEG-2 standard for scrambling encryption of TS packet content.
  • the type of encryption used is fully configurable and a matter of agreement between the client 4 and the encryption proxy 3.
  • the client 4 and the encryption proxy 3 negotiate about a set of encryption algorithms to use among multiple encryption algorithms.
  • a two-bit bit field "transport scrambling control" in the TS header is used to indicate which kind of encryption that is used within the set of encryption algorithms according to the agreement between the client 4 and the encryption proxy 3. Multiple sets of mappings between transport scrambling control values and encryption algorithms may be supported.
  • the client 4 gets the information of which set to use from the (URL) accessed or from the ticket received when ordering the NoD.
  • the inventive method is applicable on all kinds of decryption key distributions.
  • the client 4 may negotiate with the encryption proxy 3 about what key distribution to use and how many packets which are to be dynamically encrypted by the encryption proxy 3.
  • the client 4 may e.g. request encryption of only a subset of the packets marked for dynamic encryption due to small CPU resources.
  • the encryption proxy 3 can, however, deny such a request for less encryption.
  • the negotiation between the client 4 and the encryption proxy 3 may be encrypted in order to obtain a high security level.
  • Another alternative is to use an encryption algorithm in the encryption scheme 5 that is adapted to certain kinds of clients, e.g. encrypt as few packets as possible (usually around 1/10) in order to reduce the CPU load of the client.
  • a preferred embodiment of the present invention is shown in fig 2 and the procedure for encrypting an MPEG-2 transport stream is as follows:
  • the pre-processor 1 analyses the MPEG-2 TS 6 and selects the TS packets for static and dynamic encryption according to the information in the encryption scheme 5 (step 21).
  • the packets selected for static encryption are encrypted at once, while the packets selected for dynamic encryption only are marked by the pre-processor 1 ;
  • the server 2 stores the pre-processed TS on its format (step 22).
  • the stored, partly encrypted, TS is streamed to the encryption proxy 3 (step 23).
  • the request is initiated by e.g. a user choosing a movie from a web page.
  • the client 4 and the encryption proxy 3 negotiate about which encryption set to use, before the TS is streamed to the encryption proxy 3;
  • the encryption proxy 3 encrypts the TS packets marked for dynamic encryption by the pre-processor 1, which, however, may be modified according to the negotiation between the client 4 and the encryption proxy 3 (step 24). The encryption proxy 3 then streams the encrypted TS on to the client 4 over the network 7 (step 25);
  • the client 4 decrypts all encrypted packets (step 26).

Abstract

Method and apparatus for encrypting a media stream sent from a server (2) via an encryption proxy (3) to a client (4), connected to the encryption proxy (3) over a network (7), where packets of the media stream are either statically encrypted by a pre-processor (1) or dynamically encrypted by the encryption proxy (3). The pre-processor (1) selects which packets of the media stream that are to be statically encrypted and which packets that are to be dynamically encrypted as defined in an encryption scheme (5).

Description

METHOD AND APPARATUS FOR ENCRYPTING MEDIA STREAM PACKETS EITHER DYNAMICALLY OR STATICALLY BY A PROXY AND A PRE¬ PROCESSOR
The present invention relates to a method defined in the preamble of claim 1.
5 The present invention also relates to an apparatus defined in the preamble of claim 5.
In order to send a media stream, such as video or audio, from a server over a network to a client, it is necessary for the content owner to protect the content from being accessed, re-distributed, manipulated or illegally copied.
10
A commonly used encryption scheme for conditional access in digital satellite and terrestrial broadcasting is Digital Video Broadcasting (DVB-CA). DVB is designed to work in simplex networks. Scrambled media stream content is multiplexed with a key distribution stream. The access decision is distributed to clients connected in the
15 network. Frequent attacks of the system based on reverse engineering and information leaks from insiders have forced the content distributors to refine their protection in steps. The drawback is the difficulties in handling backward comparability when upgrading systems that has been compromised. The relative complexity of distribution content keys in a simplex network and the access processing taking place at the
20 client makes the system very resource (CPU) demanding. The decryption uses a separate processing unit on a smart card, which makes the decryption expensive.
There is, therefore, a need for an improved method and apparatus, which encrypts a media stream sent over a network. 25
One object of the present invention is to provide such an improved method and apparatus, which has configurable requirements on CPU utilisation on both the client and the server, and which is built on open standards.
30 In accordance with the preferred embodiment of the present invention, this object is accomplished by providing a method and apparatus as defined in the characterising parts of the independent claims 1 and 5.
The details of the preferred embodiment of the invention are set forth in the accom- 35 panying drawings and the description below. Other features and advantages of the invention will become apparent from the description, the drawings and the claims. In the drawings:
Fig 1 is a block diagram of an encryption system
Fig 2 is a flowchart showing the steps performed when the media stream is encrypted.
In a preferred embodiment of the present invention, the media stream is a Moving Picture Experts Group Transport Stream (MPEG-2 TS), which refers to the family of digital video compression standards and file formats developed by this group.
MPEG-2 TS achieves high compression rate by for most of the frames storing only the changes from one frame to another instead of each entire frame. The person skilled in the art understands, however, that the invention is applicable on other media streams as well, such as MPEG-1 Audio Layer-3 (MP3) and MPEG-2 Packet Stream (MPEG-2 PS).
In fig 1 a content protection pre-processor is represented by 1. The pre-processor 1 is connected to a database 6 from which it gets the MPEG-2 TS to process. A server 2 connected to an encryption proxy 3 gets the pre-processed MPEG-2 TS from the database 6. The pre-processor 1 and the encryption proxy 3 are both connected to an encryption scheme 5, from which they get information concerning the encryption. A client 4 communicates with the encryption proxy 3 over a network 1, e.g. Internet. Fig 1 illustrates one example of the architecture of the encryption system. The person skilled in the art understands, however, that any other constellation of the parts in the system is possible.
In order to accomplish a method that has small requirements on CPU utilisation on both the client 4 and the server 2, some TS packets are statically, e.g. on disk, encrypted and some are dynamically, real time, encrypted.
The static encryption can e.g. be done by the content owner before delivering the content to operators, which reduces the risk of "in-house theft" at the operator site.
The pre-processor 1 analyses the MPEG-2 TS and selects the TS packets which are to be statically encrypted, encrypts these and marks at the same time the TS packets which are to be dynamically encrypted. This processing is performed only once per title, e.g. once per film when the media stream is a video stream and once per audio track when the media stream is an audio stream. The encryption proxy 3 encrypts the TS packages marked by the pre-processor 1 for dynamic encryption. The dynamic encryption is, however, performed once per session. This means that even if the static encryption is cracked, watching e.g. a movie is made impossible by the dynamic encryption.
"Which packets that are to be statically encrypted and which are to be dynamically encrypted is specified in the encryption scheme 5. The encryption scheme 5 contains all necessary information the pre-processor 1 and the encryption proxy 3 need in order to perform the encryption of the media stream. The content owner supplies the information stored in the encryption scheme 5. Typical information in the encryption scheme 5 is what and when to encrypt and what algorithm to use.
The combination of the pre-processor 1 and the encryption proxy 3 makes the inventive system flexible, with full control over what to encrypt and when (static or dynamic). The system can e.g. be optimised for a low CPU usage, high security or low cost etc. The flexibility of the system lead to that different kinds of encryption algorithms may be used, in which all packets, some packets or no packets at all can be encrypted.
Since the pre-processor 1 marks the packets (a sub set of the total number of packets) to encrypt dynamically meaning that not all encryption need to be done in real time, there are small requirements on CPU utilisation on the host running the encryption proxy 3. The requirements on CPU are configurable through the encryption scheme 5.
The server 2 stores the pre-processed MPEG-2 TS and creates indices. In the preferred embodiment of the invention the server 2 is a Video-on-Demand (VoD) server. NoD gives a user the possibility to order a movie or other program content for immediate viewing on e.g. the TN. The client 4, e.g. a Set-Top-Box (STB) client, comprises a web browser allowing the user to choose e.g. a movie. The client 4 then orders the chosen movie from the NoD server 2 via the encryption proxy 3. Since the encryption proxy 3 handles all communication with the client, the inventive system is independent of the server.
The preferred embodiment of the inventive method is based on the MPEG-2 standard for scrambling encryption of TS packet content. The type of encryption used is fully configurable and a matter of agreement between the client 4 and the encryption proxy 3. The client 4 and the encryption proxy 3 negotiate about a set of encryption algorithms to use among multiple encryption algorithms. A two-bit bit field "transport scrambling control" in the TS header is used to indicate which kind of encryption that is used within the set of encryption algorithms according to the agreement between the client 4 and the encryption proxy 3. Multiple sets of mappings between transport scrambling control values and encryption algorithms may be supported. The client 4 gets the information of which set to use from the (URL) accessed or from the ticket received when ordering the NoD.
The inventive method is applicable on all kinds of decryption key distributions. The client 4 may negotiate with the encryption proxy 3 about what key distribution to use and how many packets which are to be dynamically encrypted by the encryption proxy 3. The client 4 may e.g. request encryption of only a subset of the packets marked for dynamic encryption due to small CPU resources. The encryption proxy 3 can, however, deny such a request for less encryption. The negotiation between the client 4 and the encryption proxy 3 may be encrypted in order to obtain a high security level. Another alternative is to use an encryption algorithm in the encryption scheme 5 that is adapted to certain kinds of clients, e.g. encrypt as few packets as possible (usually around 1/10) in order to reduce the CPU load of the client.
A preferred embodiment of the present invention is shown in fig 2 and the procedure for encrypting an MPEG-2 transport stream is as follows:
1. The pre-processor 1 analyses the MPEG-2 TS 6 and selects the TS packets for static and dynamic encryption according to the information in the encryption scheme 5 (step 21). The packets selected for static encryption are encrypted at once, while the packets selected for dynamic encryption only are marked by the pre-processor 1 ;
2. The server 2 stores the pre-processed TS on its format (step 22). Upon request from the client 4, the stored, partly encrypted, TS is streamed to the encryption proxy 3 (step 23). The request is initiated by e.g. a user choosing a movie from a web page. The client 4 and the encryption proxy 3 negotiate about which encryption set to use, before the TS is streamed to the encryption proxy 3;
3. The encryption proxy 3 encrypts the TS packets marked for dynamic encryption by the pre-processor 1, which, however, may be modified according to the negotiation between the client 4 and the encryption proxy 3 (step 24). The encryption proxy 3 then streams the encrypted TS on to the client 4 over the network 7 (step 25);
4. The client 4 decrypts all encrypted packets (step 26).

Claims

Claims
1. Method of encrypting a media stream sent from at least one server (2) via an encryption proxy (3) to a client (4), connected to the encryption proxy (3) over a network (7), characterised in, that packets of the media stream are either statically encrypted or dynamically encrypted and that those packets of the me- dia stream which are to be statically encrypted and those packets which are to be dynamically encrypted are selected initially as defined in an encryption scheme (5).
2. Method according to claim 1, characterised in, that the method comprises the steps of:
selecting the packets for static encryption and encrypting these and selecting the packets for dynamic encryption and marking these;
storing the pre-processed media stream;
streaming the stored media stream upon request;
encrypting the packets marked for dynamic encryption and streaming the me- dia stream on;
decrypting all encrypted packets.
3. Method according to any of the claims 1 or 2, characterised in, that the static encryption is made once per media stream and that the dynamic encryption is made once per session.
4. Method according to any of the preceding claims, characterised in, that which encryption algorithm to use is negotiated in order to handle different kinds of clients (4).
5. Apparatus of encrypting a media stream sent from at least one server (2) via an encryption proxy (3) to a client (4), connected to the server (2) over a network (7), characterised in, that a pre-processor (1) is arranged to statically encrypt a first selection of packets of the media stream and to mark a second selection of packets of the media stream for dynamic encryption, that an encryption proxy (3) is arranged to dynamically encrypt the second selection of packets and that the pre-processor (1) is arranged to select which packets that are to be statically encrypted and which packets that are to be dynamically encrypted as defined in an encryption scheme (5).
6. Apparatus according to claim 5, characterised in, that the server (2) is arranged to store the pre-processed media stream and to stream the pre-processed media stream to the encryption proxy (3) upon request from the client (4), that the encryption proxy (3) is arranged to encrypt the packets marked for .dynamic encryption by the pre-processor (1) and to stream the media stream on to the client (4) and that the client (4) is arranged to decrypt all encrypted packets.
7. Apparatus according to claims 5 or 6, characterised in, that the pre-processor (1) is arranged to make the static encryption once per media stream and that the encryption proxy (3) is arranged to make the dynamic encryption once per session.
8. Apparatus according to any of claims 5 — 7, characterised in, that the client '(4) and the encryption proxy (3) are arranged to negotiate about which encryp- tion algorithm to use in order to handle different kinds of clients (4).
PCT/SE2002/001830 2001-11-01 2002-10-09 Method and apparatus for encrypting media stream packets either dynamically or statically by a proxy and a pre-processor WO2003039067A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SE0103623-5 2001-11-01
SE0103623A SE521906C2 (en) 2001-11-01 2001-11-01 Method and device for encrypting multimedia content

Publications (1)

Publication Number Publication Date
WO2003039067A1 true WO2003039067A1 (en) 2003-05-08

Family

ID=20285829

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2002/001830 WO2003039067A1 (en) 2001-11-01 2002-10-09 Method and apparatus for encrypting media stream packets either dynamically or statically by a proxy and a pre-processor

Country Status (2)

Country Link
SE (1) SE521906C2 (en)
WO (1) WO2003039067A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999048296A1 (en) * 1998-03-16 1999-09-23 Intertrust Technologies Corporation Methods and apparatus for continuous control and protection of media content
US6055314A (en) * 1996-03-22 2000-04-25 Microsoft Corporation System and method for secure purchase and delivery of video content programs
WO2000048375A1 (en) * 1999-02-11 2000-08-17 Loudeye Technologies, Inc. Media distribution system
WO2000064111A1 (en) * 1999-04-16 2000-10-26 Unifree, L.L.C. Media file distribution with adaptive transmission protocols
EP1111838A2 (en) * 1999-12-21 2001-06-27 Xerox Corporation System and method for cryptographically protecting data

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6055314A (en) * 1996-03-22 2000-04-25 Microsoft Corporation System and method for secure purchase and delivery of video content programs
WO1999048296A1 (en) * 1998-03-16 1999-09-23 Intertrust Technologies Corporation Methods and apparatus for continuous control and protection of media content
WO2000048375A1 (en) * 1999-02-11 2000-08-17 Loudeye Technologies, Inc. Media distribution system
WO2000064111A1 (en) * 1999-04-16 2000-10-26 Unifree, L.L.C. Media file distribution with adaptive transmission protocols
EP1111838A2 (en) * 1999-12-21 2001-06-27 Xerox Corporation System and method for cryptographically protecting data

Also Published As

Publication number Publication date
SE0103623L (en) 2003-05-02
SE0103623D0 (en) 2001-11-01
SE521906C2 (en) 2003-12-16

Similar Documents

Publication Publication Date Title
EP1444561B1 (en) Method, apparatus and system for securely providing digital content
US7328345B2 (en) Method and system for end to end securing of content for video on demand
KR100843346B1 (en) Integrity protection of streamed content
US6073122A (en) Cryptographic method and apparatus for restricting access to transmitted programming content using extended headers
EP2044568B1 (en) Method and apparatus for securely moving and returning digital content
US20060200412A1 (en) System and method for DRM regional and timezone key management
US8724808B2 (en) Method for secure distribution of digital data representing a multimedia content
US20130283051A1 (en) Persistent License for Stored Content
US20040151315A1 (en) Streaming media security system and method
RU2329613C2 (en) Method of safe data transfer on peer-to-peer principle and electronic module to implement this method
AU2002351508A1 (en) Method, apparatus and system for securely providing material to a licensee of the material
KR20040088365A (en) Scalable, error resilient drm for scalable media
CN101142777A (en) Videonline security network architecture and methods therefor
WO2006109913A1 (en) Broadcasting content protection/management system
US8081756B2 (en) Implementation of media-protection policies
EP1903799B1 (en) A method for realizing preview of iptv programs, an encryption apparatus, a right center system and a user terminal
KR20090090332A (en) Method of controlling the access to a scrambled digital content
CA2593952C (en) Method and apparatus for providing a border guard between security domains
EP1595383B1 (en) Methods and apparatus for integrating one-way and two-way security systems to enable secure distribution of encrypted services
EP2403244A1 (en) Secure encryption method for electronic content distribution
WO2003039067A1 (en) Method and apparatus for encrypting media stream packets either dynamically or statically by a proxy and a pre-processor
US9294788B2 (en) Method, cryptographic system and security module for descrambling content packets of a digital transport stream
WO2000067483A1 (en) Method and apparatus for access control of pre-encrypted on-demand television services
Hwang et al. Protection of MPEG‐2 Multicast Streaming in an IP Set‐Top Box Environment
EP1499062A1 (en) Individual video encryption system and method

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP