WO2006056549A2 - Broadcast encryption with dual size trees - Google Patents

Broadcast encryption with dual size trees

Info

Publication number
WO2006056549A2
Authority
WO
WIPO (PCT)
Prior art keywords
key
keys
receiver devices
link
new
Prior art date
Application number
PCT/EP2005/056010
Other languages
French (fr)
Other versions
WO2006056549A3 (en
Inventor
Jeffrey Bruce Lotspiech
Original Assignee
International Business Machines Corporation
Ibm United Kingdom Limited
Priority date
Filing date
Publication date
Application filed by International Business Machines Corporation, Ibm United Kingdom Limited
Publication of WO2006056549A2
Publication of WO2006056549A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H04L9/0836 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key using tree structure or hierarchical structure
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60 Digital content management, e.g. content distribution
    • H04L2209/601 Broadcast encryption

Abstract

A method, system, and computer program product for broadcast encryption key management. The invention eliminates the need for pre-specification of a maximum number of keys that can be employed in a given broadcast encryption system by enabling an initial key to be extended by a link key. New receiver devices are modified to validate the extended keys, while older devices ignore them and process initial keys as usual. Compromised link keys can be revoked, though revocation preferably uses a unique syntax for link key revocation.

Description

BROADCAST ENCRYPTION WITH DUAL SIZE TREES
Field of the Invention
This invention relates generally to data encryption and more specifically to the encryption of broadcast programs such that unauthorized clone receivers cannot easily decrypt the programs.
Background of the Invention
Broadcast encryption schemes enable a center to deliver encrypted data to a large set of users so that only a particular subset of privileged users can decrypt it. Such schemes are useful in pay-TV systems, the distribution of copyrighted material on encrypted media, and internet multicasting. In one exemplary scenario, authorized pay-per-view customers are provided with so-called "set top boxes" that decrypt the programs in accordance with decryption algorithms inside the boxes. Various billing schemes may be tied to the set-top boxes or other customer identification to ensure that authorized customers are billed for the programs they receive. While effective for blocking access to many non-paying customers, such boxes can be cloned using relatively sophisticated cloning techniques, then sold to people who can then use the clones to watch and/or copy for free the otherwise pay-per-view programs.
Similarly, movie studios are reluctant to distribute protected content via high-definition DVD unless some assurance is provided that only DVD players and recorders made by manufacturers who have agreed to content protection protocols can view or copy the content, and unauthorized recipients can be somehow neutralized. While it is occasionally possible to discover a single receiver or player, most remain undetected in users' homes, leading to a loss of revenue for the broadcasters. This loss of revenue is a growing problem, particularly with the growth of in-home digital video devices, because digital copies are perfect copies. Indeed, the growth of digital video has led to the introduction of a new digital bus standard referred to both as "Firewire" and "IEEE 1394", which has been proposed to standardize the interconnections between a user's digital television, digital video cassette recorder, digital video disk player, and set-top box. Cellular phones may also be receiver devices.
Because millions of receiver devices might conceivably use the same decryption keys, it is not feasible to individually reprogram each authorized device with new decryption keys. Indeed, the only feasible way to reprogram millions of in-home decryption receivers of encrypted broadcast programs is to broadcast a new encryption key, but then the unauthorized clones also receive the broadcast of the new key, leading to the classic broadcast encryption conundrum: how can authorized receivers be efficiently reprogrammed with new decryption keys while disenfranchising unauthorized clones?
Accordingly, U.S. Pat. No. 6118873 provides an encryption system for the secure broadcasting of programs, including updates to authorized in-home digital video devices. That patent discloses a system for encrypting broadcast music, videos, and other content. As set forth therein, only authorized player-recorders can play and/or copy the content and only in accordance with rules established by the vendor of the content. In this way, pirated copies of content, which currently cost content providers billions of dollars each year, can be prevented. As disclosed in the patent, authorized player-recorders are issued software-implemented device keys from a matrix of device keys termed a media key block. The keys can be issued simultaneously with each other or over time, but in any event, no player-recorder is supposed to have more than one device key per column of the matrix. Although two devices might share the same key from the same column, the chances that any two devices share exactly the same set of keys from all the columns of the matrix are very small when keys are randomly assigned. The keys are used to decrypt content.
In the event that a device (i.e. its keys) becomes compromised, deliberately or by mistake, it is necessary to revoke the keys of that device. Revoking a set of keys effectively renders the compromised device (and any clones thereof) inoperable to play or record content that is produced after the revocation. The presence of more than a few "rogue" manufacturers (i.e., manufacturers who legally or illegally obtain keys but who in any case make many unauthorized devices having the keys) can be problematic. It is therefore desirable to account for potentially many rogue manufacturers by executing a large number of device revocations. However, since in the patented system more than one device can share any particular key with the compromised device, revoking a set of device keys might result in revoking keys held by some innocent devices. It is desirable to further reduce the chances of accidentally revoking a "good" device, preferably to zero. It is also desirable to minimize the number and length of key management messages and the amount of storage required by each device. The latest broadcast encryption technologies designed to meet these goals are based on trees of keys. The so-called Logical Key Hierarchy key management system was originally developed independently by Wallner and Wong, cited above. Later, there was the much more concise subset-difference tree, developed at IBM by Naor, Naor, and Lotspiech (NNL), who also describe related traitor tracing schemes (i.e. determining the keys of rogue receivers to enable their revocation while avoiding impacting innocent devices that may share some of the same keys). Most recently, there was an improvement on the NNL subset-difference method by Shamir and Halevy, cited above, that reduced the number of keys required in the device.
It is very convenient if these key trees are "32-bit trees". That means there are 2^32 nodes in the tree, and therefore that all the calculations can be performed with 32-bit integer arithmetic, which is a natural number for modern processors. A 32-bit binary tree has 2^31 leaf nodes; therefore such a tree can support more than two billion individual devices. Two billion seems like a lot of devices, but if a content protection scheme becomes ubiquitous, such that every potential receiver device imaginable supports it, it is not sufficient. Larger key trees are required to support more devices.
For example, a 40-bit tree supports more than enough devices (over 500 billion), but requires awkward 5-byte integer calculations in each device. Even worse, the number of keys that need to be stored in a tree-based scheme is a function of the height of the tree, so that the larger tree requires every device to implement more secure storage for keys. Thus, the following dilemma has heretofore faced designers of content protection schemes based on broadcast encryption: should they risk the convenient 32-bit tree size and hope that their scheme is not too successful, or should they propose a more awkward, expensive scheme whose extra capacity might never be needed. It would be a disaster if a 32-bit tree overflows, because historically one would have to deploy a new, incompatible scheme once it became necessary to support more than two billion devices.
Summary of the Invention
In a first aspect, there is provided a method for extending a key management scheme, comprising: selectively issuing at least one link key to extend initial keys; and modifying new receiver devices to process the extended keys.
Preferably, the key management scheme is used for broadcast encryption.
Preferably, the at least one link key is issued when the total number of receiver devices exceeds the number of receiver devices supported by the key management scheme using the initial keys.
Preferably, new media key blocks include at least one media key encrypted with the at least one link key.
Preferably, the modified receiver devices selectively validate non-revoked extended keys using the new media key blocks.
Preferably, the at least one link key can be revoked.
Preferably, the initial keys are 32-bit keys.
Preferably, the extended keys are 40-bit keys.
Preferably, existing receiver devices ignore the at least one link key and continue to process only initial keys to provide backward compatibility.
Preferably, an initial key tree is the sub-tree of an extended key tree that is processed first.
In a second aspect, there is provided a system for extending a key management scheme, comprising: at least one link key selectively issued to extend initial keys; and new receiver devices modified to process the extended keys.
Preferably, the key management scheme is used for broadcast encryption.
Preferably, the at least one link key is issued when the total number of receiver devices exceeds the number of receiver devices supported by the key management scheme using the initial keys.
The system of claim 11 wherein new media key blocks include at least one media key encrypted with the at least one link key.
Preferably, the modified receiver devices selectively validate non-revoked extended keys using the new media key blocks.
Preferably, the at least one link key can be revoked.
Preferably, the initial keys are 32-bit keys.
Preferably, the extended keys are 40-bit keys.
Preferably, existing receiver devices ignore the at least one link key and continue to process only initial keys to provide backward compatibility.
Preferably, an initial key tree is the sub-tree of an extended key tree that is processed first.
There may be provided a system for extending a key management scheme, comprising: means for selectively issuing at least one link key to extend initial keys; and means for modifying new receiver devices to process the extended keys.
In a third aspect, there is provided a computer program product comprising a machine readable medium having tangible program instructions thereon for extending a key management scheme, the instructions comprising code means including: a first code means for selectively issuing at least one link key to extend initial keys; and a second code means for modifying new receiver devices to process the extended keys.
It is thus desired to provide a system, method, and computer program product for extending a broadcast encryption key management scheme. The preferred embodiment of the invention selectively issues at least one link key to extend initial keys when the number of devices that can be supported by the initial keys is exceeded, and new receiver devices are modified to process the extended keys using new media key blocks that include at least one media key encrypted with the link key. New receivers validate the extended keys using the new media key blocks. Link keys can be revoked like other keys, though a unique syntax for link key revocation may be preferred. Initial keys are typically 32-bit keys, and link keys may be 8-bit keys so that 40-bit extended keys are created.
In an exemplary embodiment, existing receiver devices ignore the at least one link key and continue to process only initial keys to provide backward compatibility. The extended key tree may be designed such that the initial key tree is the sub-tree processed first, for simplicity.
Brief Description of the Drawings
There will now be described a preferred embodiment of the present invention, by way of example only, with reference to the accompanying drawings in which:
Figure 1 is a diagram of an initial key and an extended key, according to an embodiment of the invention.
Figure 2 is a flowchart of a method of extended key management, according to an embodiment of the invention.
Detailed Description of the Preferred Embodiment
The preferred embodiment of the present invention alleviates the previously mentioned dilemma faced by designers of successful content protection schemes, wherein the risk of overflowing the maximum manageable number of keys must be balanced against message complexity and device storage requirements. The preferred embodiment of the present invention allows a large tree to appear to be a smaller tree at first. Later, if the larger tree becomes necessary it can be deployed in a compatible way. Thus, the maximum number of devices initially supported by a tree can be extended. In other words, the media key blocks from the smaller trees can be read by the devices in the larger tree, and vice versa. Thus, it is no longer necessary to design for the maximum-size possible tree.
Referring now to Figure 1, the embodiment extends the initial media key block with an additional key called the link key. The link key is not assigned to any device in the initial tree. However, it will be given to every new device if the tree ever needs to be extended, as described in Figure 2. A media key block normally contains the encryptions of the media key in various device keys (the specific set of device keys naturally depends on which compromised devices need to be excluded). The initial media key blocks (the blocks using the old key) contain these encryptions in the normal way. In addition, the initial media key blocks also contain one other encryption: the encryption of the media key in the link key. Later, if additional devices are needed, they can process the old media key blocks and calculate the media key, because the new devices will have the link key.
What happens to the old devices after the tree needs to expand and new media key blocks are produced based on the larger tree? Preferably, the old devices are designed so that they ignore any part of the media key block that they do not understand. This is fortunately the normal practice today, in media key blocks produced by the 4C Entity as part of the well-known CPRM (Content Protection for Recordable Media) scheme. It certainly does not present any problem to the old devices, as ignoring things is always easy. Thus, the new media key blocks can have additional records, ignored by the old devices, that are processed only by the new devices based on the larger tree. The old devices continue to process their records correctly.
In a preferred embodiment, the initial 32-bit tree is designed as the leftmost sub-tree of the larger eventual tree. If the tree is processed left-to-right bottom-to-top, which is the normal way, then all of the instructions for the old devices are naturally processed in the first part of the media key block. Thus it is not even necessary to define new records: the old devices are satisfied by the first part of the record, and never get to the further instructions (those using 5-byte instead of 4-byte integers, for example) for the new devices. Nonetheless, this processing order and tree design is not an essential part of the invention, but it is a simple elegant solution.
What happens if the link key is compromised? In that instance, old media key blocks can be read by the compromised devices, but then this is always true for any device key. In the event of a compromised link key, it is a simple matter to define a new link key for new blocks, and make sure that all new devices have all link keys for backward compatibility. Any number of link keys may be distributed. In the preferred embodiment above, when the initial tree is the leftmost sub-tree of the larger tree, the link key has a very natural meaning: it is the root key of the sub-tree in the larger tree. Thus, it can be revoked in the same way any compromised key is revoked. However, it is within the scope of this invention that if the link key(s) are revoked they are revoked with a special syntax that is unique to link key revocation. Of course, it is highly unlikely that a link key will be compromised while the tree is still small, because the link key is a secret that never leaves the licensing agency until new devices (i.e. beyond the previous maximum number of supported devices) are needed. The link key will have to be broken by cryptanalysis, not reverse-engineering, and hackers rarely try to break systems that way.
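The media key block behaviour described above (old devices skipping records they do not understand, new devices reading old blocks through the link key, and a replacement link key after a leak) can be modelled as follows. This is an added example, not code from the patent or from CPRM. The record layout, type codes, toy key wrap, flat key lookup in place of a real key tree, and all keys and ids are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Hypothetical record types and key-id widths; the patent defines no wire format.
REC_DEVICE, REC_LINK, REC_EXTENDED = 0x01, 0x02, 0x03
ID_LEN = {REC_DEVICE: 4, REC_LINK: 1, REC_EXTENDED: 5}
OLD_FIRMWARE = {REC_DEVICE}                          # parses 4-byte records only
NEW_FIRMWARE = {REC_DEVICE, REC_LINK, REC_EXTENDED}  # also link and 5-byte records


def wrap(key, media_key):
    """Toy authenticated key wrap (HMAC-SHA256 keystream and tag), illustration only."""
    nonce = os.urandom(16)
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()[:len(media_key)]
    ct = bytes(a ^ b for a, b in zip(media_key, stream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:8]
    return nonce + ct + tag


def unwrap(key, blob):
    """Return the media key, or None when the tag shows the wrong key was used."""
    nonce, ct, tag = blob[:16], blob[16:-8], blob[-8:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, stream))


def record(rec_type, key_id, key, media_key):
    """One record: type (1 byte), body length (2 bytes), key id, wrapped media key."""
    body = key_id + wrap(key, media_key)
    return struct.pack(">BH", rec_type, len(body)) + body


def parse(mkb):
    """Yield (type, body) per record; the length field lets a reader skip any type."""
    offset = 0
    while offset < len(mkb):
        if offset + 3 > len(mkb):
            raise ValueError("truncated record header")
        rec_type, length = struct.unpack_from(">BH", mkb, offset)
        body = mkb[offset + 3:offset + 3 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        yield rec_type, body
        offset += 3 + length


def process_mkb(mkb, keys, understood):
    """keys maps (record type, key id) to a key held by this device."""
    for rec_type, body in parse(mkb):
        if rec_type not in understood:
            continue  # ignore any part of the block the firmware does not understand
        n = ID_LEN[rec_type]
        key = keys.get((rec_type, body[:n]))
        media_key = unwrap(key, body[n:]) if key else None
        if media_key is not None:
            return media_key
    return None  # no usable record: the device is excluded from this block


def demo():
    """Constructed keys and ids; each entry is True when the page's claim holds."""
    id_a, id_b, id_c = b"\x00\x00\x00\x07", b"\x00\x00\x00\x09", b"\x01\x00\x00\x00\x03"
    key_a, key_b, key_c, link1, link2 = (os.urandom(16) for _ in range(5))
    old_a = {(REC_DEVICE, id_a): key_a}
    old_b = {(REC_DEVICE, id_b): key_b}           # compromised, excluded below
    new_c = {(REC_EXTENDED, id_c): key_c, (REC_LINK, b"\x01"): link1,
             (REC_LINK, b"\x02"): link2}          # new devices hold all link keys
    leaked = {(REC_LINK, b"\x01"): link1}         # holder of the leaked link key only

    mk1, mk2, mk3 = (os.urandom(16) for _ in range(3))
    # Initial block: no record for old_b, plus the media key wrapped in the link key.
    initial = record(REC_DEVICE, id_a, key_a, mk1) + record(REC_LINK, b"\x01", link1, mk1)
    # Block after expansion: old-device records first, then 5-byte records.
    extended = record(REC_DEVICE, id_a, key_a, mk2) + record(REC_EXTENDED, id_c, key_c, mk2)
    # Block issued after link key 1 leaked: only the new link key 2 is used.
    rotated = record(REC_DEVICE, id_a, key_a, mk3) + record(REC_LINK, b"\x02", link2, mk3)

    return {
        "old_device_reads_initial": process_mkb(initial, old_a, OLD_FIRMWARE) == mk1,
        "revoked_device_excluded": process_mkb(initial, old_b, OLD_FIRMWARE) is None,
        "new_device_reads_initial": process_mkb(initial, new_c, NEW_FIRMWARE) == mk1,
        "old_device_reads_extended": process_mkb(extended, old_a, OLD_FIRMWARE) == mk2,
        "new_device_reads_extended": process_mkb(extended, new_c, NEW_FIRMWARE) == mk2,
        "new_device_reads_rotated": process_mkb(rotated, new_c, NEW_FIRMWARE) == mk3,
        "leaked_link_key_excluded": process_mkb(rotated, leaked, NEW_FIRMWARE) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The leaked link key still opens the initial block, which matches the text: old media key blocks stay readable by whoever holds a compromised key, and only blocks issued afterwards exclude it.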
A general purpose computer may be programmed according to the inventive steps herein. The invention can also be embodied as an article of manufacture - a machine component - that is used by a digital processing apparatus to execute the present logic. This invention may be realized in a critical machine component that causes a digital processing apparatus to perform the inventive method steps herein. The invention may be embodied by a computer program that is executed by a processor within a computer as a series of computer-executable instructions. These instructions may reside, for example, in RAM of a computer or on a hard drive or optical drive of the computer, or the instructions may be stored on a DASD array, magnetic tape, electronic read-only memory, or other appropriate data storage device.

Claims

1. A method for extending a key management scheme, comprising: selectively issuing at least one link key to extend initial keys; and
modifying new receiver devices to process the extended keys.
2. The method of claim 1 wherein the at least one link key is issued when the total number of receiver devices exceeds the number of receiver devices supported by the key management scheme using the initial keys.
3. The method of claim 1 or claim 2 wherein new media key blocks include at least one media key encrypted with the at least one link key; and wherein the modified receiver devices selectively validate non-revoked extended keys using the new media key blocks.
4. The method of any preceding claim wherein existing receiver devices ignore the at least one link key and continue to process only initial keys to provide backward compatibility.
5. A system for extending a key management scheme, comprising:
at least one link key selectively issued to extend initial keys; and
new receiver devices modified to process the extended keys.
6. The system of claim 5 wherein the at least one link key is issued when the total number of receiver devices exceeds the number of receiver devices supported by the key management scheme using the initial keys.
7. The system of claim 5 or claim 6 wherein new media key blocks include at least one media key encrypted with the at least one link key; and wherein the modified receiver devices selectively validate non-revoked extended keys using the new media key blocks.
8. The method of any of claims 5 to 7, wherein existing receiver devices ignore the at least one link key and continue to process only initial keys to provide backward compatibility.
9. A computer program comprising computer code to, when loaded into a computer system and executed thereon, cause said computer system to perform all the steps of the method as claimed in any of claims 5 to 8.
PCT/EP2005/056010 2004-11-24 2005-11-16 Broadcast encryption with dual size trees WO2006056549A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/904,735 US8090105B2 (en) 2004-11-24 2004-11-24 Broadcast encryption with dual tree sizes
US10/904,735 2004-11-24

Publications (2)

Publication Number Publication Date
WO2006056549A2 true WO2006056549A2 (en) 2006-06-01
WO2006056549A3 WO2006056549A3 (en) 2007-02-22

Family

ID=35457611

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2005/056010 WO2006056549A2 (en) 2004-11-24 2005-11-16 Broadcast encryption with dual size trees

Country Status (3)

Country Link
US (1) US8090105B2 (en)
TW (1) TW200633456A (en)
WO (1) WO2006056549A2 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9520993B2 (en) * 2001-01-26 2016-12-13 International Business Machines Corporation Renewable traitor tracing
US9729316B2 (en) * 2008-02-27 2017-08-08 International Business Machines Corporation Unified broadcast encryption system
KR20140028342A (en) * 2012-08-28 2014-03-10 삼성전자주식회사 Method of managing keys for broadcast encryption and method of transmitting messages using broadcast encryption
US9306743B2 (en) * 2012-08-30 2016-04-05 Texas Instruments Incorporated One-way key fob and vehicle pairing verification, retention, and revocation
US9680646B2 (en) * 2015-02-05 2017-06-13 Apple Inc. Relay service for communication between controllers and accessories
US10467384B2 (en) 2016-05-18 2019-11-05 International Business Machines Corporation Subset-difference broadcast encryption with blacklisting

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4888801A (en) * 1988-05-02 1989-12-19 Motorola, Inc. Hierarchical key management system
US20030081786A1 (en) * 2001-10-26 2003-05-01 Toshihisa Nakano Key management apparatus
GB2400526A (en) * 2003-04-08 2004-10-13 Hewlett Packard Development Co Cryptographic key update management

Family Cites Families (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4881264A (en) 1987-07-30 1989-11-14 Merkle Ralph C Digital signature system and method based on a conventional encryption function
US4944009A (en) 1988-02-25 1990-07-24 Massachusetts Institute Of Technology Pseudo-random sequence generator
US6307936B1 (en) * 1997-09-16 2001-10-23 Safenet, Inc. Cryptographic key management scheme
US6118873A (en) 1998-04-24 2000-09-12 International Business Machines Corporation System for encrypting broadcast programs in the presence of compromised receiver devices
US6735312B1 (en) 1999-05-11 2004-05-11 Lucent Technologies Inc. Cryptographic method for restricting access to transmitted programming content using ƒ-redundant establishment key combinations
US6263435B1 (en) 1999-07-06 2001-07-17 Matsushita Electric Industrial Co., Ltd. Dual encryption protocol for scalable secure group communication
US6751634B1 (en) 1999-08-26 2004-06-15 Microsoft Corporation Method and system for detecting object inconsistency in a loosely consistent replicated directory service
JP2001352321A (en) 2000-04-06 2001-12-21 Sony Corp Information processing system, information processing method, and information recording medium, and program providing medium
JP2001358707A (en) 2000-06-15 2001-12-26 Sony Corp Information processing system and method using cryptographic key block and program providing medium
US6956951B2 (en) * 2000-07-13 2005-10-18 Fujitsu Limited Extended key preparing apparatus, extended key preparing method, recording medium and computer program
JP4595182B2 (en) 2000-09-07 2010-12-08 ソニー株式会社 Information recording apparatus, information reproducing apparatus, information recording method, information reproducing method, information recording medium, and program providing medium
US7010125B2 (en) 2001-01-26 2006-03-07 Interntional Business Machines Corporation Method for tracing traitor receivers in a broadcast encryption system
US9520993B2 (en) * 2001-01-26 2016-12-13 International Business Machines Corporation Renewable traitor tracing
US7039803B2 (en) 2001-01-26 2006-05-02 International Business Machines Corporation Method for broadcast encryption and key revocation of stateless receivers
US7043637B2 (en) 2001-03-21 2006-05-09 Microsoft Corporation On-disk file format for a serverless distributed file system
KR100929336B1 (en) 2001-03-29 2009-12-03 파나소닉 주식회사 Data protection system that protects your data by encrypting it
CN1666460A (en) * 2002-05-09 2005-09-07 松下电器产业株式会社 Public key certificate revocation list generation apparatus, revocation judgement apparatus, and authentication system
KR100924773B1 (en) 2002-09-16 2009-11-03 삼성전자주식회사 Method for encrypting and decrypting metadata and method for managing metadata and system thereof
JP2004140667A (en) 2002-10-18 2004-05-13 Canon Inc Information processing method
AU2003275695A1 (en) * 2002-11-20 2004-06-15 Sony Corporation Recording system and method, recording device and method, input device and method, reproduction system and method, reproduction device and method, recording medium, and program
US7451310B2 (en) 2002-12-02 2008-11-11 International Business Machines Corporation Parallelizable authentication tree for random access storage
JP2004242287A (en) 2003-01-14 2004-08-26 Canon Inc Information processing method and apparatus, computer program, and computer readable storage medium
US7584466B1 (en) * 2003-06-16 2009-09-01 Hewlett-Packard Development Company, L.P. Management tree management in a mobile handset
JP3817249B2 (en) * 2004-04-28 2006-09-06 株式会社エヌ・ティ・ティ・ドコモ Mobile device and communication control method
US7721085B1 (en) * 2004-09-21 2010-05-18 Hewlett-Packard Development Company, L.P. Encryption of hierarchically structured information
KR100636228B1 (en) * 2005-02-07 2006-10-19 삼성전자주식회사 Method for key-managing using hierarchical node topology and method for registering/deregistering a user using the same
JP2008103936A (en) * 2006-10-18 2008-05-01 Toshiba Corp Secret information management device, and secret information management system

Also Published As

Publication number Publication date
WO2006056549A3 (en) 2007-02-22
US20060109985A1 (en) 2006-05-25
US8090105B2 (en) 2012-01-03
TW200633456A (en) 2006-09-16

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KN KP KR KZ LC LK LR LS LT LU LV LY MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 05804613

Country of ref document: EP

Kind code of ref document: A2