Patent application number | Description | Published |
20080219436 | METHOD AND APPARATUS FOR PROVIDING A DIGITAL RIGHTS MANAGEMENT ENGINE - A method receives a set of data. Further, the method receives a traffic key. In addition, the method determines a traffic protection group for the set of data. The method also encrypts the set of data according to the traffic key to generate an encrypted set of data. Finally, the method provides the encrypted set of data through a network to a device. | 09-11-2008 |
20080267398 | METHOD AND APPARATUS FOR ASSISTING WITH CONTENT KEY CHANGES - A process may be utilized by the DVR. The process receives a plurality of segments of a set of content and a plurality of corresponding content rule sets. Further, the process provides one or more instructions to record and encrypt the plurality of segments of the set of content on a storage medium. In addition, the process provides the plurality of content rule sets to the DRM component to be inserted into a locally generated and secured content license associated with the encryption of the set of content. The secured content license includes a master key and a list of the plurality of corresponding content rule sets that have been received in order of reception. The process receives a plurality of marker tokens from the DRM component in order to facilitate trick mode playback. | 10-30-2008 |
20080267399 | Method and Apparatus for Secure Content Recording - A method is provided that establishes a secure tunnel with a content acquisition processor that acquires encrypted content from a content source and decrypts the encrypted content to obtain content. The content acquisition processor is not trusted for providing digital rights management. Further, the method transmits a request through the secure tunnel to the content acquisition processor to re-encrypt the content with a content encryption key so that re-encrypted content is generated and stores the re-encrypted content on a storage medium. The request includes the content encryption key. | 10-30-2008 |
20080267411 | Method and Apparatus for Enhancing Security of a Device - A method is provided that authenticates a data transfer module. Further, the method establishes a secure tunnel between a first processor, which receives a copy protection key from the data transfer module, and a second processor, which receives the copy protection key from the first processor through the secure tunnel. In addition, the method receives, at the second processor, encrypted content from the data transfer module. The method also decrypts, at the second processor, the encrypted content with the copy protection key to generate decrypted content. | 10-30-2008 |
20080270308 | Method and Apparatus for Providing a Secure Trick Play - A process may be utilized by a DVR. The process characterizes a set of content as a plurality of segments as the set of content is received. Each of the segments has a segment length according to a predetermined time interval. Further, the process encrypts each of the segments with a corresponding content encryption key to generate a plurality of encrypted segments. The corresponding content encryption key for each of the segments is generated by the DRM component. In addition, the process stores each of the encrypted segments for playback with trick play features in accordance with an expiration content rule having a time limit on the temporary playability of the set of content. | 10-30-2008 |
20080270311 | Method and Apparatus for Composing a Digital Rights Management License Format - A process composes a content license for a set of content. The content license has a static portion and a dynamic portion. Further, the process inserts a master key into the static portion. In addition, the process inserts a plurality of content rule sets of values into the dynamic portion and composes a unique content encryption key for each segment of content associated with one of the content rule sets of values as each of the content rule sets of values is sequentially received during recording of the content. The unique content encryption key is based on the master key and at least a subset of the content rule set of values for a corresponding segment of the content. The unique content encryption key is utilized for encryption of each segment of the content to generate a plurality of encrypted content segments for storage on the storage medium. | 10-30-2008 |
20080271153 | Method and Apparatus for Handling of Content that includes a Mix of CCI Segments - A process is provided. The process stores, on a first device, each segment of a set of content having corresponding copy control information. Further, the process receives, from a second device, a request for a copy of the set of content. In addition, the process analyzes a list of the copy control information associated with each segment of the set of content. The process also establishes a restriction indicator, based on the request for the copy of the set of content, for one or more segments of the set of content having a corresponding copy control information value. Finally, the process provides to the second device, the content, the list of copy control information, and the restriction indicator for the one or more segments. | 10-30-2008 |
20090165111 | METHOD AND APPARATUS FOR SECURE MANAGEMENT OF DEBUGGING PROCESSES WITHIN COMMUNICATION DEVICES - A method, device and system for securely managing debugging processes within a communication device, such as a set top box or other multimedia processing device. For example, a security processor (SP) within the communication device manages the lifetime (LT) of any access token issued for use in activating debugging privileges within the communication device. The security processor authenticates an issued access token and securely delivers appropriate debug authorization information to the device controller. The security processor uses its secure, internal timer to count down the lifetime and update the remaining lifetime of the issued access token during the processing of each command by the security processor. In addition to securely managing the issuance of the access token and it's remaining lifetime, the updating process reduces any impact on the normal communications within the device. The method overcomes the issue of the communication device not having a secure internal clock. | 06-25-2009 |
20090249080 | METHODS, APPARATUS AND SYSTEM FOR AUTHENTICATING A PROGRAMMABLE HARDWARE DEVICE AND FOR AUTHENTICATING COMMANDS RECEIVED IN THE PROGRAMMABLE HARDWARE DEVICE FROM A SECURE PROCESSOR - A method, device and system for authenticating a programmable hardware device, such as a programmable hardware chip, and a command received by the programmable hardware device. A secure processor or other trusted source authenticates the programmable hardware chip by verifying, with the secure processor's own verification key, a random number sent to the programmable hardware chip and encrypted using a verification key embedded within the programmable hardware chip, since the nature of the encryption is such that only the original logic function that includes the verification key can encrypt the data correctly. A command received by the programmable hardware chip is authenticated by verifying that a command authentication token received by the programmable hardware chip is generated using the correct command authentication key and consequently verifying that the command is received from the secure processor, as only the party who has the command authentication key can encrypt the data correctly. | 10-01-2009 |
20090323954 | INTERNET PROTOCOL TELEPHONY SECURITY ARCHITECTURE - A secure Internet Protocol (IP) telephony system, apparatus, and methods are disclosed. Communications over an IP telephony system can be secured by securing communications to and from a Cable Telephony Adapter (CTA). The system can include one or more CTAs, network servers, servers configured as signaling controllers, key distribution centers (KDC), and can include gateways that couple the IP telephony system to a Public Switched Telephone Network (PSTN). Each CTA can be configured as secure hardware and can be configured with multiple encryption keys that are used to communicate signaling or bearer channel communications. The KDC can be configured to periodically distribute symmetric encryption keys to secure communications between devices that have been provisioned to operate in the system and signaling controllers. The secure devices, such as the CTA, can communicate with other secure devices by establishing signaling and bearer channels that are encrypted with session specific symmetric keys derived from a symmetric key distributed by a signaling controller. | 12-31-2009 |
20100058047 | ENCRYPTING A UNIQUE CRYPTOGRAPHIC ENTITY - A method of encrypting a unique cryptographic entity (UCE), where a client device receives a global-key (GK-) encrypted UKD comprising a GK-encrypted UCE and a GK-encrypted unit key number (UKN). The client device verifies that the GK-encrypted UKN is the same as a pre-provisioned value and then decrypts the GK-encrypted UKD using a global key (GK). The client device then re-encrypts the decrypted UKD using a device user key (DUK) to determine a DUK-encrypted UCE and a DUK-encrypted UKN. The DUK-encrypted UKN is verified as not equal to the GK-encrypted UKN. The DUK-encrypted UKN is then appended to the DUK-encrypted UCE to form a DUK-encrypted UKD and stored in a memory. | 03-04-2010 |
20100071040 | SECURE SERVER CERTIFICATE TRUST LIST UPDATE FOR CLIENT DEVICES - A method, a network element, and a client device for creating a trusted connection with a network are disclosed. A client device | 03-18-2010 |
20100083386 | Tokenized Resource Access - A method and system for unlocking diagnostic functions in a hardware device for a user. The method obtains a signed permission object for the hardware device, and validates the signed permission object. A memory of the hardware device stores a device identifier and a last recorded sequence number. The signed permission object includes a sequence number and is associated with an expiration counter having an initial value that indicates a lifetime for the signed permission object. When the signed permission object is valid, the method updates the expiration counter to decrease the lifetime of the signed permission object, stores the sequence number associated with the signed permission object as the last recorded sequence number in the hardware device, and unlocks the diagnostic functions for the user based on the signed permission object. | 04-01-2010 |
20100138903 | Ticket-Based Implementation of Content Leasing - The present invention is a method and system for accessing digital content stored on a computing device. An agreement between a subscriber and a content provider allows the subscriber to lease the digital content from the content provider, and download the digital content from a content server operated by the content provider. The method retrieves a service ticket for the computing device, and retrieves content rights for the digital content. The service ticket includes authorization data, and a session key, where the authorization data include authorized subscription services for the computing device. The content rights include required subscription services for the digital content and are delivered authenticated with the session key. The method allows access to the digital content when the authorized subscription services included with the authorization data match the required subscription services included with the content rights. | 06-03-2010 |
20100162414 | Digital Rights Management for Differing Domain-Size Restrictions - A digital rights management system includes a domain authority controller that manages different domain-size restrictions for different content sources. A subdomain is created for each content source and has a corresponding domain-size restriction. Different domain-size restrictions for the content sources are stored along with the number of devices registered for each subdomain. A domain authority controller is operable to register a device with a subdomain if the corresponding domain-size restriction is not violated. A device is allowed to use content from a content source if it is registered with the subdomain for the content source. | 06-24-2010 |
20100169646 | SECURE AND EFFICIENT DOMAIN KEY DISTRIBUTION FOR DEVICE REGISTRATION - A domain key is securely distributed from a device in an existing network to a device outside the network. Each device generates the session key on its own using the first random number, the second random number, the Personal Identification Number, and the same key generation function. The device in the existing network sends the domain key encrypted with the session key to the other device. | 07-01-2010 |
20100215171 | TRANSPORT PACKET DECRYPTION TESTING IN A CLIENT DEVICE - In a method for testing a transport packet decrypting module of a client device, a first decryption operation of the transport packet decrypting module is implemented on a test encrypted control word using a content decryption key ladder to derive a test control word, a second decryption operation of the transport packet decrypting module is implemented on one or more test transport packets using the test control word via a predetermined content decryption algorithm, the KIV is derived from the decrypted transport packets, and the derived KIV is compared with a value stored in the client device to verify whether the transport packet decrypting module of the client device is functioning properly. | 08-26-2010 |
20100217964 | METHOD AND APPARATUS FOR CONTROLLING ENABLEMENT OF JTAG INTERFACE - A method, device and system for controlling JTAG interface enablement within a communication device. The JTAG interface can be selectively enabled based on the receipt of an encrypted access token generated by an access token server. The access token server generates the access token in response to an end user providing appropriate device-specific information. The access token includes appropriate information that, upon appropriate authentication and decryption, can temporarily device bind the boot code image of the device in a manner that enables the JTAG interface. Alternatively, the access token includes appropriate information that instructs the general purpose processor to choose between JTAG interface enablement information and JTAG interface disablement information for use with the boot code image of the device. The access token can include expiration information that causes an enabled JTAG interface to revert back to its disabled status upon expiration of the access token. | 08-26-2010 |
20100313014 | DOWNLOADABLE SECURITY BASED ON CERTIFICATE STATUS - A conditional access system (CAS) computer in a downloadable CAS receives a downloadable management certificate (DMC) and determines, using the DMC, security information including a DMC key size and an expiration time of a DMC subordinate certificate authority (sub-CA) certificate, for the client device. The CAS computer then determines whether the DMC is valid based on the expiration time of the DMC sub-CA certificate. If the DMC is determined to be valid, the CAS server sends a cryptographic identity for the client device and a CAS client to the client device protected using the DMC. At a later time, if the DMC key size is considered to be still sufficiently secure, the validity of the DMC is extended by issuing a new DMC sub-CA certificate with the same public key as the original DMC sub-CA certificate. | 12-09-2010 |
20100318791 | CERTIFICATE STATUS INFORMATION PROTOCOL (CSIP) PROXY AND RESPONDER - Systems and methods are disclosed for providing certificate status information about a certificate includes receiving, at a Certificate Status Information Protocol (CSIP) proxy device the certificate identity information about the certificate of the second device. Then determining, using the CSIP proxy device, whether the certificate status information is stored in a CSIP proxy device memory. If the certificate status information is not stored in the CSIP proxy device memory, creating a CSIP request based on the certificate identity information and sending the CSIP request, including the certificate identity information, to a CSIP responder computer outside the local network domain. If the certificate status information is stored in the CSIP proxy device memory, sending the certificate status information to the first device. Also, a system and method are disclosed for using a CSIP responder computer. | 12-16-2010 |
20110119739 | SECURE CONSUMER PROGRAMMING DEVICE - A method is provided for operating a consumer programming device that provisions consumer electronic devices. The method includes receiving over a communication link a first enable message that authorizes the consumer programming device to make available one or more resources which enable it to provide services to consumer electronic devices. Services are provided to consumer electronic devices up until all the resources have been exhausted. Additional consumer electronic devices are provided with services only if a second enable message is received over the communication link. | 05-19-2011 |
20110138177 | ONLINE PUBLIC KEY INFRASTRUCTURE (PKI) SYSTEM - A method is provided for updating network-enabled devices with new identity data. The method includes requesting new identity data for a plurality of network-enabled devices and receiving notification that the new identity data is ready to be delivered to the plurality of network-enabled devices. A software object is delivered to the plurality of network-enabled devices over a first communications network. Each of the software objects is configured to cause the network-enabled devices to download the new identity data to the respective network-enabled device over a second communications network and install the new identity data at a time based at least in part on information included with the software object. | 06-09-2011 |
20110158411 | REGISTERING CLIENT DEVICES WITH A REGISTRATION SERVER - In a method of registering a plurality of client devices with a device registration server for secure data communications, a unique symmetric key is generated for each of the client devices using a cryptographic function on a private key of the device registration server and a respective public key of each of the client devices, and a broadcast message containing the public key of the device registration server is sent to the client devices, in which the client devices are configured to generate a respective unique symmetric key from the public key of the device registration server and its own private key using a cryptographic function, and in which the unique symmetric key generated by each client device matches the respective unique symmetric key generated by the device registration server for the respective client device. | 06-30-2011 |
20110161645 | CONTENT SECURING SYSTEM - In a method for securing content in a system containing a security processor configured to control access to the content by a main processor, in which main processor being configured to send heartbeats to the security processor, a determination as to whether at least one heartbeat was received within a predicted time interval is made and in response to a determination that at least one heartbeat was not received with the predicted time interval, access to the content by the main processor is ceased. | 06-30-2011 |
20110161660 | TEMPORARY REGISTRATION OF DEVICES - In a method of temporarily registering a second device with a first device, in which the first device includes a temporary registration mode, the temporary registration mode in the first device is activated, a temporary registration operation in the first device is initiated from the second device, a determination as to whether the second device is authorized to register with the first device is made, and the second device is temporarily registered with the first device in response to a determination that the second device is authorized to register with the first device, in which the temporary registration requires that at least one of the second device and the first device delete information required for the temporary registration following at least one of a determination of a network connection between the first device and the second device and a powering off of at least one of the first device and the second device. | 06-30-2011 |
20110161661 | ENHANCED AUTHORIZATION PROCESS USING DIGITAL SIGNATURES - A method is provided for enhancing security of a communication session between first and second endpoints which employs a key management protocol. The method includes sending a first message to a first end point over a communications network requesting a secure communication session therewith. The message includes an identity of a second end point requesting the authenticated communication session. A digital certificate is received from the first endpoint over the communications network. The digital certificate is issued by a certifying source verifying information contained in the digital certificate. The digital certificate includes a plurality of fields, one or more of which are transformed in accordance with a transformation algorithm. A reverse transform is applied to the one or more transformed fields to obtain the one or more fields. The digital certificate is validated and a second message is sent to the first endpoint indicating that validation is complete. | 06-30-2011 |
20110213957 | LAYERED PROTECTION AND VALIDATION OF IDENTITY DATA DELIVERED ONLINE VIA MULTIPLE INTERMEDIATE CLIENTS - A method is provided for securely delivering identity data units over a communications network to a client device. The method includes receiving a selection from a customer identifying a final zipped package to be unpacked. The final zipped package is unpacked to obtain a common package and a digital signature file signed by an entity generating identity data requested by the customer. The digital signature in the digital signature file is verified and the common package is unpacked to obtain a plurality of outer packages and an encrypted symmetric key. The symmetric key is decrypted with a private key associated with the customer and each of the outer packages is decrypted with the symmetric key to obtain a plurality of identity data units. | 09-01-2011 |
20110213969 | DYNAMIC CRYPTOGRAPHIC SUBSCRIBER-DEVICE IDENTITY BINDING FOR SUBSCRIBER MOBILITY - A method of authentication and authorization over a communication system is provided. The method performs a first authentication of a device based on a set of device identity and credentials. The first authentication includes creation of a first set of keying material. The method also includes performing a second authentication of a subscriber based on a set of subscriber identity and credentials. The second authentication includes creation of a second set of keying material. A set of compound key material is created with a key derivation mechanism that uses the first set of keying material and the second set of keying material. A binding token is created by cryptographically signing at least the device identity authenticated in the first authentication and the subscriber identity authenticated in the second authentication using the set of compound keying material. The signed binding token is exchanged for verification with an authenticating and authorizing party. | 09-01-2011 |
20110258434 | ONLINE SECURE DEVICE PROVISIONING WITH UPDATED OFFLINE IDENTITY DATA GENERATION AND OFFLINE DEVICE BINDING - A system for generating new identity data for network-enabled devices includes a whitelist reader configured to extract attributes from a whitelist. The whitelist includes, for each device specified in the whitelist, a previously assigned identifier of the first type. The previously assigned identifiers of the first type are linked to identity data previously provisioned in each of the respective devices. A data retrieval module is configured to receive the identifiers of the first type from the whitelist reader and, based on each of the identifiers, retrieve each of the previously provisioned identity data records linked thereto. A new data generation module is configured to (i) obtain a cryptographic key associated with the identity data previously provisioned in the devices specified on the whitelist and the corresponding identifiers of the first type, (ii) generate new identity data records each linked to a new identifier and (iii) encrypt each of the new identity data records with one of the cryptographic keys and link each new identity data record to the identifier of the first type corresponding to each respective cryptographic key. A data output module is configured to load onto an external source the encrypted new identity data records along with their respective new identifiers and their respective previously assigned identifiers of the first type. | 10-20-2011 |
20110258685 | ONLINE SECURE DEVICE PROVISIONING FRAMEWORK - A method for updating network-enabled devices with new identity data includes generating a plurality of new identity data records and loading the new identity data records onto an update server. A request is received at the update server for new identity data from at least one network-enabled device having a previously assigned identity linked to an identifier. The previously assigned identifier is linked to a new identifier that is linked to one of the new identity data records. One or more new identity data records are securely delivered to the network-enabled device. | 10-20-2011 |
20120042160 | SYSTEM AND METHOD FOR COGNIZANT TRANSPORT LAYER SECURITY (CTLS) - A method of authentication and authorization over a communications system is provided. Disclosed herein are systems and methods for creating a cryptographic evidence, called authentication/authorization evidence, AE, when a successful authentication/authorization between a client and an authentication server is complete. There are a variety of methods for generating AE. For instance, the AE can be data that is exchanged during the authentication signaling or data that results from it. A distinctive point being that AE results from the authentication process and is used as prior state for the following TLS exchange. An example for creation of AE, is as follows: EAP authentications typically result in an Extended Master Session Key (EMSK). The EMSK can be used to create an Evidence Master Key (EMK) that can then be used to create AE for a variety of servers. | 02-16-2012 |
20120089839 | ONLINE SECURE DEVICE PROVISIONING WITH ONLINE DEVICE BINDING USING WHITELISTS - One or more servers are provided including a session manager, authentication module, authorization module, encryption module, database, and protocol handler. The session manager is configured to receive requests for new identity data from network-enabled devices. Each request is authenticated first by the update server via its authentication module by validating the signature of the request message as well as the certificate chain trusted by the update server. The authorization module is configured to determine if the network-enabled devices specified on a whitelist are authorized to be provisioned with new identity data. The database is configured to receive new identity records generated by an identity data generation system. Each of the new identity records includes a new identifier. The new identifier is not associated or linked to any previously assigned/used identifiers and identity data, thus all the new identity records are generated independently and then loaded to the update server. | 04-12-2012 |
20120155647 | CRYPTOGRAPHIC DEVICES & METHODS - A client device which utilizes a unit derivation key (UDK), a current unit key, a current unit key index (UKI) and a received UKI. The client device includes a processor to receive the received UKI, compare the received UKI with a current UKI, if the received UKI is not equivalent to the current UKI, utilize the UDK, the current unit key and the received UKI to derive a new unit key. A headend facility (HF) device which utilizes a current unit key and a current unit key index (UKI). A key infrastructure center (KIC) device which utilizes a derivation key. | 06-21-2012 |
20120213370 | SECURE MANAGEMENT AND PERSONALIZATION OF UNIQUE CODE SIGNING KEYS - A method and system generates and distributes unique cryptographic device keys. The method includes generating at least a first device key and encrypting the first device key with a first encrypting key to produce a first encrypted copy of the device key. The method also includes encrypting the first device key with a second encrypting key to produce a second encrypted copy of the device key. The second encrypting key is different from said first encrypting key. The first and second encrypted copies of the device keys are associated with a device ID identifying a computing device being manufactured. The second encrypted copy of the device key is loaded onto the computing device. The first encrypted copy of the device key and the device ID with which it is associated are stored onto at least one server for subsequent use after the computing device has been deployed to a customer. | 08-23-2012 |
20120303951 | METHOD AND SYSTEM FOR REGISTERING A DRM CLIENT - A client, method and system for registering a DRM client is disclosed. The method ( | 11-29-2012 |
20120304311 | Tokenized Resource Access - A method and system for unlocking diagnostic functions in a hardware device for a user. The method obtains a signed permission object for the hardware device, and validates the signed permission object. A memory of the hardware device stores a device identifier and a last recorded sequence number. The signed permission object includes a sequence number and is associated with an expiration counter having an initial value that indicates a lifetime for the signed permission object. When the signed permission object is valid, the method updates the expiration counter to decrease the lifetime of the signed permission object, stores the sequence number associated with the signed permission object as the last recorded sequence number in the hardware device, and unlocks the diagnostic functions for the user based on the signed permission object. | 11-29-2012 |
20130091353 | APPARATUS AND METHOD FOR SECURE COMMUNICATION - A method and apparatus are for transferring a client device certificate and an associated encrypted client private key to a client device from a secure device. The secure device receives over a secure connection, a secure device certificate, a secure device private key and a plurality of client device certificates. Each client certificate is associated with a bootstrap public key but is not assigned to any particular client device. A plurality of encrypted client private keys is also received. Each of the encrypted client private keys comprises a client private key associated with one of the client device certificates encrypted with the bootstrap public key. The plurality of client device certificates is stored. The encrypted client private keys are stored in double encrypted protected form. A client device certificate and an associated encrypted client private key are transferred to a client device that has successfully registered with the secure device. | 04-11-2013 |
20130132722 | SYSTEM AND METHOD FOR AUTHENTICATING DATA - Systems and methods for authenticating data and timeliness are disclosed. A method for authentication can comprise processing a data block to determine a first secret element, generating a second secret element based upon the first secret element, generating a non-secret element based upon the second secret element, and comparing the non-secret element to a nonce associated with the first secret element to determine authentication. | 05-23-2013 |
20130139198 | DIGITAL TRANSPORT ADAPTER REGIONALIZATION - A method, a digital content consumption device, and a conditional access system are disclosed. A network interface may receive in a digital content consumption device a public key message that includes an encrypted key. A processor may decrypt the encrypted key using a secret key to produce the transmitted public key, identify a region descriptor in the public key message, and determine the secret key based on the region descriptor. | 05-30-2013 |
20130159193 | METHOD AND APPARATUS FOR DELIVERING CONTENT IN A COMMUNICATION SYSTEM - An embodiment of the present invention provides a method of transferring content within a system having a credit managing device, a content providing device and a user device. The method includes: registering the user device with the credit managing device; providing a universal credit to the user device from the credit managing device; providing encrypted content and a pre-rights generator from the content providing device to the user device at a first time without consuming the universal credit; generating a decryption key from the pre-rights generator a second time after the first time; and decrypting, via the decryption key, the encrypted content at the user device and consuming a portion of the universal credit. | 06-20-2013 |
20130185551 | REVOCATION LIST UPDATE FOR DEVICES - In one embodiment, a method includes receiving a revocation request for revoking a model type of a device. A first computing device determines a list of device unit identifiers (UIDs) that are associated with the model type from a database. The device UIDs are for devices of the model type manufactured by a first entity. The method adds the list of device UIDs to a device revocation list and outputs the device revocation list to revoke a validity of secure information associated with devices associated with the list of device UIDs. | 07-18-2013 |
20140029747 | SYSTEM AND METHOD FOR TRANSCODING CONTENT - A system is provided for use with secure content in a first format. The system includes a conditional access device, a transcoding device and a media processor. The conditional access device is operable to receive the secure content and can generate a second secure content based on the secure content. The conditional access device can further provide the second secure content to the transcoding device. The transcoding device can transcode the second secure content into transcoded content of a second format, can secure the transcoded content as secure transcoded content and can provide the secure transcoded content to the media processor | 01-30-2014 |
20140045450 | Apparatus and Method for Secure Private Location Information Transfer - An apparatus includes an emergency services location module, operatively coupled to location hardware. The emergency services location module is operative to receive a session certificate from an emergency services network entity in response to the apparatus placing an emergency services call or sending an emergency services message. The emergency services location module validates the session certificate to validate that the emergency services network entity is authorized to receive location information, and sends location information obtained from the location hardware to the emergency services network entity, in response to validating the session certificate. The emergency services location module may also be operative to override a user privacy setting that prevents location information from being sent from the apparatus, in response to determining that the session certificate is valid. The emergency services location module may also encrypt the location information prior to sending the location information to the emergency services network entity. | 02-13-2014 |
20140082358 | EFFICIENT KEY GENERATOR FOR DISTRIBUTION OF SENSITIVE MATERIAL FROM MULITPLE APPLICATION SERVICE PROVIDERS TO A SECURE ELEMENT SUCH AS A UNIVERSAL INTEGRATED CIRCUIT CARD (UICC) - A method provides end-to-end security for transport of a profile to a target device (e.g., a mobile computing device) over at least one communications network that includes a plurality of nodes. In accordance with the method, the profile is encrypted for transport between the target device and an initial node of the network through which the profile is transported. The encryption is an end-to-end inner layer encryption performed prior to hop-to-hop encryption. The encrypting uses a public key of a public, private key pair. The private key is derivable from a seed securely provisioned in the target device using a public key algorithm. The encrypted profile is transmitted over the communications network to the target device. | 03-20-2014 |
20140082359 | EFFICIENT KEY GENERATOR FOR DISTRIBUTION OF SENSITIVE MATERIAL FROM MULTIPLE APPLICATION SERVICE PROVIDERS TO A SECURE ELEMENT SUCH AS A UNIVERSAL INTEGRATED CIRCUIT CARD (UICC) - A method provides end-to-end security for transport of a profile to a target device (e.g., a mobile computing device) over at least one communications network that includes a plurality of nodes. In accordance with the method, the profile is encrypted for transport between the target device and an initial node of the network through which the profile is transported. The encryption is an end-to-end inner layer encryption performed prior to hop-to-hop encryption. The encrypting uses a public key of a public, private key pair. The private key is derivable from a seed securely provisioned in the target device using a public key algorithm. The encrypted profile is transmitted over the communications network to the target device. | 03-20-2014 |
20140123172 | CHALLENGE-RESPONSE CABLE SET-TOP-BOX SYSTEM TO SECURELY AUTHENTICATE SOFTWARE APPLICATION PROGRAM INTERFACES (APIs) - A system for securely authenticating software Application Program Interfaces (APIs) includes a handshake protocol provided between a Conditional Access System (CAS) and Middleware running on a Set-Top-Box. The handshake is a Challenge-Response protocol that includes several steps. The CAS or the Middleware can either act as a Claimant or Verifier in Challenge-Response process. First, a Claimant sends a request to a Verifier requesting access to a function F through the API. The Verifier reacts to the request by outputting a Challenge that is sent to the Claimant The Challenge is also retained by the Verifier for use in its internal calculation to verify the Claimant's response. The Claimant next processes the Challenge using components under a patent License Agreement, known as Hook IP, and issues a Response to the Verifier. The Verifier can then verify the Response to allow the Claimant access to the API. | 05-01-2014 |
20140123220 | BUSINESS METHOD INCLUDING CHALLENGE-RESPONSE SYSTEM TO SECURELY AUTHENTICATE SOFTWARE APPLICATION PROGRAM INTERFACES (APIs) - A system for securely authenticating software Application Program Interfaces (APIs) includes a handshake protocol that is provided to validate whether the parties involved are licensed to use the system which includes rights to Intellectual Property (IP) and corresponding obligations. The handshake is a Challenge-Response protocol that includes several steps. First, a Claimant sends a request to a Verifier requesting access to a function through an API. The Verifier reacts to the request by outputting a Challenge that is sent to the Claimant. The Challenge is also retained by the Verifier for use in its internal calculation to verify the Claimant's response. The Claimant next processes the Challenge using components under the license, known as Hook IP, and issues a Response to the Verifier. The Verifier compares the possibly-correct Candidate Response from the Claimant to the known-correct Target Response and if a match occurs the Verifier allows the Claimant access to the API. | 05-01-2014 |
20140201518 | FRAMEWORK FOR PROVISIONING DEVICES WITH EXTERNALLY ACQUIRED COMPONENT-BASED IDENTITY DATA - A method is provided for updating identity data on devices. The method provides for acquiring a device comprising a component associated with a component identifier and having a One Time Programmable Key installed on the component, submitting the component identifier and the One Time Programmable Key to an External Trust Authority, receiving new identity data tied to the component identifier from the External Trust Authority that is encrypted with the One Time Programmable Key, loading the new identity data onto an Update Server, receiving a request at the Update Server from the device that requests new identity data, and providing the new identity data upon receipt of the request, upon which the device decrypts and installs the identity data using the One Time Programmable Key installed on the component within the device. | 07-17-2014 |
20140281497 | ONLINE PERSONALIZATION UPDATE SYSTEM FOR EXTERNALLY ACQUIRED KEYS - A method is provided for updating identity data on network-enabled devices. The method provides for providing certificate signing requests and/or device identifiers to an external trust authority, which in response generates digital certificates and/or key pairs. The generated digital certificates and/or key pairs can be provided to a network-enabled device in response to an update request. | 09-18-2014 |
20140281502 | METHOD AND APPARATUS FOR EMBEDDING SECRET INFORMATION IN DIGITAL CERTIFICATES - A method and system is provided for embedding cryptographically modified versions of secret in digital certificates for use in authenticating devices and in providing services subject to conditional access conditions. | 09-18-2014 |
20140281537 | PROTECTION OF CONTROL WORDS EMPLOYED BY CONDITIONAL ACCESS SYSTEMS - In accordance with a method for communicating a control word (CW) from a client such as an encryptor to a server such as the entitlement control message generator (ECMG) of a conditional access system (CAS), communication is established between the client and server over a secure connection. A control word to be encrypted is received by the client and encrypted using a first and second key. The first key is a global secret key (GSK) that is known to the client and the server without being communicated over the secure connection. The second key is a control word encryption key (CWEK) that is derived from a locally generated client nonce (CN) and a server nonce (SN) obtained from the server over the secure connection. The encrypted control word (ECW) is sent to the server over the secure connection. | 09-18-2014 |
20140337927 | AUTHORIZATION OF MEDIA CONTENT TRANSFER BETWEEN HOME MEDIA SERVER AND CLIENT DEVICE - A method for authorizing media content transfer between a home media server and a client device and provisioning DRM credentials on the client device, the method comprising receiving a service authorization credential at a client authorization server from a PKI provisioning server, wherein the service authorization credential is associated with a client device, and sending a validation response from the client authorization server to the PKI provisioning server if the client authorization server determines that the service authorization credential was previously provided by the client authorization server to the client device, wherein the validation response releases the PKI provisioning server to send DRM credentials to the client device. | 11-13-2014 |
20150082035 | METHOD OF PROVISIONING PERSISTENT HOUSEHOLD KEYS FOR IN-HOME MEDIA CONTENT DISTRIBUTION - A method of providing a household key to a client device, comprising receiving a key request including a subscriber identifier at an update server from a client device, and determining whether the subscriber identifier has previously been associated with a household encryption key. The household encryption key can be configured to be used by the client device to encrypt recordings of media content it makes and/or decrypt recordings of media content it previously made or that it receives from another client device that encrypted the recording using the household key. If the subscriber identifier has previously been associated with a household encryption key, the update server retrieves the household key and sends it to the client device. If the subscriber identifier has not previously been associated with a household encryption key, the update server retrieves a new household key from a pool, associates the new household key with the subscriber identifier, and sends it to the client device. | 03-19-2015 |