[go: up one dir, main page]

HK1026314B - System for securely broadcasting data signals and system for decrypting encrypted data signals - Google Patents

System for securely broadcasting data signals and system for decrypting encrypted data signals Download PDF

Info

Publication number
HK1026314B
HK1026314B HK00105413.8A HK00105413A HK1026314B HK 1026314 B HK1026314 B HK 1026314B HK 00105413 A HK00105413 A HK 00105413A HK 1026314 B HK1026314 B HK 1026314B
Authority
HK
Hong Kong
Prior art keywords
key
common
string
users
encrypted
Prior art date
Application number
HK00105413.8A
Other languages
Chinese (zh)
Other versions
HK1026314A1 (en
Inventor
西蒙‧保罗‧艾诗利‧里克斯
安德鲁‧奥格斯丁‧瓦吉斯
Original Assignee
曼德波特有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from EP98202914A external-priority patent/EP0984629B1/en
Application filed by 曼德波特有限公司 filed Critical 曼德波特有限公司
Publication of HK1026314A1 publication Critical patent/HK1026314A1/en
Publication of HK1026314B publication Critical patent/HK1026314B/en

Links

Description

System for secure broadcasting of data signals and system for decrypting encrypted data signals
Technical Field
The invention relates to a system for broadcasting data signals in an encrypted manner, comprising means for encrypting the data signals using a first key, means for transmitting the encrypted data signals to subscribers, means for decrypting the encrypted data signals at each subscriber using the first key, means for encrypting the first key using a second key, the second key being different for a group of subscribers of common interest for different types of programs, means for transmitting the encrypted first key to all subscribers, and means for decrypting the encrypted first key using the second key at each subscriber.
Background
Such a system can be used, for example, in a pay-tv system. A system of this type is disclosed in US-A-4531020. For security reasons, it is desirable to be able to change the second key quickly. In existing systems this requires a large amount of data to be allocated to the users in the system. Allocating large amounts of data for changing the key reduces the bandwidth utilization for transmitting program signals and the like. Changing the second key can only be done once a month, so infrequently or even less frequently.
Disclosure of Invention
It is an object of the invention to propose a system of the above-mentioned type in which the second key can be changed relatively quickly without the need to distribute large amounts of data.
According to one aspect of the present invention there is provided a system for broadcasting a data signal in a secure manner, comprising: means for encrypting the data signal using a first key; means for encrypting the first key using a second key, the second key being different for each group of users who are interested in a class of programs in common; broadcasting the encrypted first key to all the user's devices; and means for broadcasting the encrypted data signal to the users, wherein the users have means for decrypting the encrypted data signal using a first key and also have means for decrypting the encrypted first key using a second key, characterized in that the second key is a combination of a key common to all users and a differential key unique to each type of program, means are provided in the system for encrypting the common key and for broadcasting the encrypted common key to all users, wherein each user has means for decrypting the encrypted common key.
In this way, the second key can be changed very quickly by changing the common key, since it is common to all users, only one key needs to be assigned for the entire system.
The system preferably includes means for changing the common key at a relatively high rate.
The system of the invention also has the advantage that different key hierarchies can be used for authorization and security. The second key is different for each group of users at the authorization level, the users in each group having a common interest in a certain type of program, e.g. sports, movies, etc. The difference in the second key is obtained by providing a different differential key for each program or for a single program or the like. The security architecture can however be designed to exclude pirated smart cards as much as possible. According to the invention, the means for encrypting and decrypting a common key comprise a string of encryption and decryption means, respectively, each latter encryption and decryption means operating in a manner common to a smaller number of users.
In this way it is relatively easy to find a user with a pirated smart card inserted.
The invention further provides a system for decrypting an encrypted data signal in a broadcast system having a plurality of subscribers, comprising: means for decrypting the encrypted data signal using the first key; means for decrypting at each user the encrypted first key with a second key, the second key being different for each group of users who are interested in a common type of program, characterized in that the second key is a combination of a key common to all users and a differential key unique to each type of program, in that a combination device is provided for combining the differential and common keys to obtain the second key, and means for decrypting at each user the encrypted common key are also provided.
The invention will be further explained below with the aid of two embodiments of the invention which are shown diagrammatically in the drawing.
Drawings
Fig. 1 shows a first embodiment of a broadcast data signal system of the present invention.
Fig. 2 shows a second embodiment of a system for decrypting an encrypted data signal in a second embodiment of the inventive broadcasting system.
Characters E and D in the reference numerals of the specification and drawings indicate an encryption side and a decryption side, respectively, P' is used to indicate an encrypted version of P, and so on.
Detailed Description
Referring to fig. 1, a system for broadcasting data signals in an encrypted manner is shown in a very schematic way. The data transmitted by broadcast may be a television program signal or any other data signal. The data is fed to a first encryptor or encryptor 1E which encrypts the data with a first key or control word CW and feeds the encrypted data signal. The encrypted data signal is transmitted to all users in the system, the method of which need not be further explained. Broadcast transmission may be accomplished via satellite, antenna, cable, or any other suitable method. The control word CW is encrypted in a second encryptor 2E with a second key P + D, the encrypted control word CW' also being broadcast. The second key P + D is different for each group of users, each user of the group having a common interest in a category of programs such as sports programs, movies, entertainment and the like. This means that a different second key is required for each different program or for example for each different movie. This difference is obtained by combining a common key P, which is identical for all users in the system, with a differential key D, which is unique for each type of program. The common key P and the differential key D are combined in a combining means 3E receiving the common key P and the differential key D. The differential key D is encrypted in the encryptor 4E with a group key G common to a group of users, for example 256 users. The encrypted secret key D' is also transmitted.
The common key P is encrypted in a further encryptor 5E with a key H which is common to a group of users which is considerably larger than the number of users having the same key G. Users with the same key H may be referred to as a supergroup. The encrypted common key P' is also transmitted.
The first key CW' encrypted at the receiving side, i.e. at each user, is received and decrypted in a decryptor or decryption device 2D with the second key P + D to derive the first key CW which decrypts the encrypted data in decryptor 1D so that the user can see his authorized program or movie or other. The differential key D' is decrypted in the decryptor 4D with the group key G to obtain the differential key D, and this key D is combined with the common key P in the combination means 3D to obtain the second key P + D. The common key P is obtained by decrypting the encrypted common key P' with the supergroup key H in the decryptor 5D.
As indicated by the dashed line, the system may be divided into an authorization portion below the dashed line, which is designed to manage authorization, i.e. to provide the user with authorization to view different types of programs, movies or others. In this section the first key CW is changed rapidly, for example every 10 seconds. The differential key D is changed at a slow rate, for example once every month.
In the secure part, the common key P can also be changed rapidly, for example every 10 seconds, so that the second key required to decrypt the first key CW' is changed at a relatively high rate. This improves the security of the system without requiring a large-scale secondary program-related key database to be distributed to all user groups.
Furthermore, the security part can be designed to exclude pirated smart cards as much as possible. This means that the supergroup key H used to encrypt and decrypt the common key is available through a string of encryption and decryption devices 6E, 7E and 6D, 7D respectively, where the key used by each subsequent encryption and decryption device is common to a smaller number of users. This means that each subsequent encryption and decryption device operates in a way that is common to a smaller number of users. In the embodiment shown, the supergroup key H is encrypted and decrypted by the encryption and decryption means, respectively, with a group key G that is common to a group of 256 users. The group key G uses a card key x in the encryption and decryption means 7E, 7D, respectivelyiEncryption and decryption are performed. It should be noted that the encryption and decryption device string may contain more or less stages, depending on, for example, the overall size of the system.
If a pirated smart card is found, the card key x can be quickly determinediIs in which group of 256 users. The pirated smart card can be switched off by changing the group key G of this group.
In the system described above, the smart card may have memory partitioned by zones, which are used by different service providers. In which case each service provider runs its own authorization and security architecture. Fig. 2 shows the receiving side at a subscriber in another embodiment of the system of the invention, in which a smart card with several zones is applied, each service provider being able to use its own authorisation system, using a group key G, a second key and a first key CW combined from a common key P and a differential key D. Separate from this authority there is a security hierarchy common to all zones using the same key hierarchy as shown in fig. 1, however a separate group key GS is used to locate the pirated smart card if it is discovered.
In the figure, block 8 represents the means for supplying and modifying the first key CW and the differential key D, and block 9 represents the supply and modification of the keys P, H, G and XiThe apparatus of (1). The key is practically availableWhich is generated and modified in any suitable manner. Also, the keys are typically stored in memory on the user side. In addition to the above-described parts, the existing conditional access module and the decoder itself can be used by the user.
It should be noted that encryption and decryption algorithms using keys are applied at all levels in the system described above. However, at least for the differential key D and the key H and the algorithms used in the devices 7E, 7D, encryption and decryption algorithms that do not use keys may also be applied. In such systems, if the operator wishes to use another algorithm for security reasons, the algorithm itself needs to be modified.
It will be seen that any suitable encryption and decryption algorithm, whether key based or not, may be employed in the system described above. The invention is not limited to the application of a specific algorithm. Moreover, decryption may include any suitable authentication algorithm. The combining function for combining the keys P and D to obtain the second key P + D may also be any suitable method and is not limited to a pure addition of P and D. It will further be appreciated that the encryption and decryption means may be implemented in any suitable way, for example using a microprocessor and suitable software. The special words "means, encryptor, decryptor, encrypting means and decrypting means" as used in the description and in the claims should not be construed as being limited to physical means only. On the contrary, it is obvious to the person skilled in the art that: the encryption and decryption functions can be implemented in various ways in software or hardware.
The invention is not limited to the embodiments described above, but several methods of implementation are possible within the scope of the claims.

Claims (8)

1. A system for broadcasting a data signal in a secure manner, comprising: means for encrypting the data signal using a first key; means for encrypting the first key using a second key, the second key being different for each group of users who are interested in a class of programs in common; broadcasting the encrypted first key to all the user's devices; and means for broadcasting the encrypted data signal to the users, wherein the users have means for decrypting the encrypted data signal using a first key, and further have means for decrypting the encrypted first key using a second key, characterized in that the second key is a combination of a key common to all users and a differential key unique to each type of program, means are provided in the system for encrypting the common key and for broadcasting the encrypted common key to all users, wherein each user has means for decrypting the encrypted common key.
2. A system as claimed in claim 1, characterised in that it includes means for changing the common key at a high rate relative to the differential key.
3. The system according to claim 1, characterized in that it comprises: means for changing the differential key at a low rate relative to the common key, means for encrypting the differential key, and means for broadcasting the encrypted key to a user having means for decrypting the encrypted differential key.
4. A system according to any one of the preceding claims, wherein the means for encrypting the common key comprises a string of encryption devices, each subsequent encryption device in the string operating in a manner that is common and unique to a fewer number of users than a preceding encryption device in the string in order to encrypt the key used by the preceding encryption device in the string.
5. The system of claim 4, wherein the plurality of encryption devices in the string use one key that is common and unique to a fewer number of users than each subsequent encryption device in the string, wherein a first encryption device in the string uses a card key to encrypt a base set key.
6. The system of claim 3,
the means for encrypting the common key comprises a string of encryption devices, each subsequent encryption device in the string operating in a manner common and unique to a fewer number of users than a preceding encryption device in the string to encrypt a key used by the preceding encryption device in the string, wherein a plurality of encryption devices in the string use one key common and unique to a fewer number of users than each subsequent encryption device in the string, wherein a first encryption device in the string encrypts a base set key using a card key,
wherein said base set key is used as a third key by said encryption means for differential keys.
7. A system for decrypting an encrypted data signal in a broadcast system having a plurality of subscribers, comprising: means for decrypting the encrypted data signal using the first key; -means for decrypting at each user the encrypted first key with a second key, said second key being different for each group of users who are interested in a common type of program, characterized in that said second key is a combination of a key common to all users and a differential key unique to each type of program, means being provided for decrypting at each user the encrypted common key in addition to a combination device for combining the differential and common keys to obtain the second key.
8. The system of claim 7, wherein the means for decrypting the common key comprises a string of decryption devices, each subsequent decryption device using a key that is common and unique to a fewer number of users, wherein a first decryption device in the string uses the card key to decrypt the group key.
HK00105413.8A 1998-09-01 2000-08-30 System for securely broadcasting data signals and system for decrypting encrypted data signals HK1026314B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP98202914.2 1998-09-01
EP98202914A EP0984629B1 (en) 1998-09-01 1998-09-01 System for broadcasting data signals in a secure manner

Publications (2)

Publication Number Publication Date
HK1026314A1 HK1026314A1 (en) 2000-12-08
HK1026314B true HK1026314B (en) 2007-08-24

Family

ID=

Similar Documents

Publication Publication Date Title
JP4628509B2 (en) A system for broadcasting data signals in a secure manner
CN100366083C (en) Method of operation of conditional access system for broadcast applications
EP1346573B1 (en) Conditional access system
EP0713621B1 (en) Method and apparatus for uniquely encrypting a plurality of services at a transmission site
EP1023795B1 (en) Control for a global transport data stream
US4887296A (en) Cryptographic system for direct broadcast satellite system
EP1271951A1 (en) Conditional access system for digital data by key decryption and re-encryption
EP0179612B1 (en) Cryptographic system for direct broadcast satellite network
Lee Key distribution and management for conditional access system on DBS
US6766024B1 (en) Data communication system
US7487349B2 (en) Method for securing a ciphered content transmitted by a broadcaster
HK1026314B (en) System for securely broadcasting data signals and system for decrypting encrypted data signals
CA2557502C (en) Method for securing encrypted content broadcast by a broadcaster
HK1108595A (en) Method for operating a conditional access system for broadcast applications
HK1026324B (en) Data communication system
MXPA99008047A (en) System to transmit data signals in a secure form