TW200806036A - Selective and persistent application level encryption for video provided to a client - Google Patents

Abstract

A system, apparatus, and method are directed towards allowing ingestion of encrypted content into such as a VOD server, or PVR, or the like by selectively encrypting portions of a content stream based on various selection rules. In one embodiment, the selection rules include leaving selected portions of the content stream unencrypted, including packets that include a PES header; or video packets that include various trick play data such as picture start, GOP start, sequence start, sequence end data; PIDs associated with a PAT, PMT, or the like; while other portions of the content stream may be encrypted, including video and/or audio PIDs, or other video and/or audio portions. In still another embodiment, Entitlement Control Messages (ECMs) may be inserted that employ an encryption/decryption key rotation scheme, such as odd and/or even scrambling control bit structures, which may also be rotated based on a variety of conditions.

Description

200806036 IX. Description of the invention: [Technical field to which the invention pertains] Cross-Reference to Related Applications This application claims the provisional application Serial No. 60/757,055 (named 5 Selective And Persistent Application Level Encryption)

For Video Provided To A Client,,, on January 6, 2006, the benefits of the application. The benefit of the earlier filing date of this application is claimed under 35 u s c. U9(e) and 37 C.F.R. §1.78, and is further incorporated herein by reference. 10 FIELD OF THE INVENTION The present invention relates generally to computational security, and more particularly, but not exclusively, to selectively encrypting content based on a selection criterion, including maintaining a trick play guest' and keeping the relevant streaming data clear (in the Clear). t Tltr 15 BACKGROUND OF THE INVENTION Recent advances in the telecommunications and electronics industries, and in particular the improvements in digital compression technology, network and hard disk drive capacity, have led to the growth of new digital services offered to users' homes. For example, such advances have provided hundreds of cable television channels to users, by compressing digital data and digital video, transmitting the compressed digital signal through 20 known coaxial electrical television channels, and then to the user The signals are decompressed in the receiver. One of the technologies of recent interest that has received widespread attention includes a video on demand (VOD) system in which a user can communicate with a service operator to request media content, the requested content being routed (r〇 Uted) to the user's family to entertain 5 200806036 music. The service sponsor typically obtains content from an upstream content provider (e.g., a content owner, a scatterer, or the like). However, in order to prevent this content from being used unauthorizedly, a service provider, content provider, owner, etc. may use a service called conditional access (conditi〇nal 5 access). Conditional access enables a provider to be restricted to selected ones of the selected users. This can be obtained, for example, by encrypting the content. A content provider, content owner, or the like may wish to encrypt the content as early as possible within a distributed stream to protect the privacy of the content. However, today's users may desire to perform various actions on the content, 10 including fast forward, fast reverse, and the like through a portion of the content. This "trick plays" is generally managed by generating additional file information from the content. The generation of such trick play files may be difficult when the content is encrypted. Therefore, the present invention is related to such Considered and other considerations. 15 [^^明内^!] SUMMARY OF THE INVENTION A server device for managing content encryption, comprising a transceiver for receiving and transmitting information between another computing device a processor for communicating with the transceiver; and a memory device for communicating with the processor and for storing data and machine instructions, the machine instructions causing the processor to perform a plurality of operations, The operations include: receiving an unencrypted content stream; selectively encrypting at least a portion of the unencrypted content stream, and simultaneously selecting a selection based on causing at least the trick play data in the unencrypted content stream to be unencrypted a criterion of keeping at least another portion of the unencrypted content stream unencrypted; and inserting an authorization control message (ECM) into the selectively encrypted BRIEF DESCRIPTION OF THE DRAWINGS BRIEF DESCRIPTION OF THE DRAWINGS The non-limiting and non-exhaustive embodiments of the present invention are described with reference to the following drawings in which like reference numerals refer to the The invention is described with reference to the accompanying drawings, in which: FIG. 1 Figure 2 shows an embodiment of a 15 server device that can be included in a system embodying the present invention; Figure 3 shows a client device that can be included in a system embodying the present invention. Embodiments; FIG. 4 illustrates a functional diagram generally showing an embodiment of a transport packet for encrypting possible spurious control; 20 FIG. 5 illustrates an embodiment of a selectively encrypted portion of a transport stream generally shown Functional diagram; Figure 6 illustrates a logic flow diagram generally showing one embodiment of a procedure for selectively encrypting a portion of a transport stream in accordance with the present invention. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT The present invention will now be described more fully hereinafter with reference to the accompanying drawings in which FIG. The form is implemented and should not be construed as being limited to the implementations set forth herein; rather, such embodiments may be provided such that the disclosure is thorough and comprehensive, and Those skilled in the art will be able to convey the scope of the present invention. In other aspects, the present invention may be embodied as a method or apparatus. Thus, the present invention may employ an entire hardware embodiment, an entire software embodiment, or a combination of software and hardware layers. The form of the embodiment is therefore not to be construed as limiting. Within the meaning of this specification and the patent application, the following words have the meanings expressly stated herein unless otherwise clearly stated. The phrase 'in an embodiment', as used herein, does not necessarily denote the same embodiment, although 15 may represent the same embodiment. As used herein, the word "or," is an operation containing an "or", And equivalent to the word "and/or, unless the context clearly dictates. The word "based on, is not unique, and is based on additional factors not described unless the context clearly dictates otherwise." In addition, throughout the specification, “a,, and “the,” meaning includes plural references. "In..., the meaning 20 includes "in," and "on,". Briefly stated, the present invention relates to allowing ingestion of encrypted content such as a VOD server, personal video recording. System, device and method for PVR or other digital program devices. The inhalation of pVRs, V0Ds and the like includes the generation of a trick play index (generally impossible to generate by conventional 8 200806036 video scrambling or encryption technology). Various selection criteria for selectively encrypting portions of a content stream. For example, in an embodiment, the selection criteria include: keeping the selected portion clear or unencrypted, including having a packetized primary stream ( PES) header packet, or video packet with 5 various tricks (such as image start, image group (5) (10)) start, sequence start, sequence end data, or the like). Another selection criterion can be used. The packet identifier (piD) associated with a program association table (PAT), a program map table (ρΜτ), or the like remains clear. Based on the selection criteria, the content stream is Portions may be selectively encrypted, including but not limited to the following: video and/or audio PID or other video and/or audio portions. In yet another embodiment, the selection criteria may indicate random video and/or Or the audio payload can be encrypted while other video and/or audio payloads can remain unencrypted (in clarity). These selection criteria can be used, for example, to support instant decryption such as video box (STB). Activities, or similar activities, are considered resource-constrained. In addition, in one embodiment, the selective encryption is at a transport stream (TS) packet level. The present invention can insert an Entitlement Control Message (ECM) packet into a content stream that can be rotated using an encryption/decryption record. For example, in one embodiment, the present invention can use even and/or odd scrambling control bits. It can be used to indicate a selective rotation, or to change one type or use of encryption, and associated encryption records. And in an embodiment, the ECM can include two gold sums, one for gold Yuyi Current Encryption Week (cryptoperiod), and another key is used for the next encryption cycle. The ECM transmission can be offset by a negative half encryption 200806036 period within a content stream, wherein the ECMs are inserted a predetermined number of times per second. In one embodiment, the predetermined number of times per second is based on (at least in part) a program clock reference (PCR). In an embodiment, the ECM can be inserted into a transport stream (at approximately The I-frame header is followed by 5. 5 Then the selectively encrypted content stream can be used to generate a trick play file, such as a fast forward file, a fast reverse file, etc. In addition, the selectively encrypted content The stream can be used to generate a corresponding index file that represents the content stream and the location of the content frame within the trick play files. By using the selectively encrypted content stream, the index file can be easily generated without re-indexing the content stream, thereby reducing the overall processing cost, time, and the possibility of reprocessing the content stream. Moreover, the present invention is capable of performing selective encryption prior to inhalation to a v〇D servo or the like, further enhancing the security of the content. In addition, the present invention is capable of applying this selective encryption to a broadcast environment including a broadcast environment having a PVR such as an STB or the like.

Figure 1 shows a functional block diagram of one embodiment of a work environment 100 in which the present invention can be implemented. The operating environment 100 is merely an example of a suitable operating environment' and is not intended to suggest any limitation as to the scope of use or functionality of the invention. Therefore, the environment and configuration well known to /, K can be used without departing from the scope or spirit of the invention. The operating environment 100 includes a content providing server 101, a VOD k11 encryption server (SES) 102, a network 105, and a client device 106. 10 200806036 , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , . The SES 102 also communicates with the content providing server 101. The content providing server 101 essentially includes any computing device that can be configured for use by the producer, the exhibitor, and the owner of the media content (which can be distributed to the client device 106). This includes, but is not limited to, the following: mobile images, movies, video, music, pay-per-view (ppv), interactive media, audio, still images, text, graphics, and for a client device (eg, / Private five ▲ one / ~ user's other forms of digital content. Content mention 0 t, Servo & 1G1 may also include obtaining from the _ content owner to copy and distribute the η合w 催q~ commercial 仃, system and its Similarly, the content providing server 101 can obtain the right to copy and distribute from one or more content owners. The inner valley provides the feeding service H1G1 repackable, storage and scheduling content for continuous sale, distribution, and authorization to other content. Provider, client device 1-6, or the like. _ In an embodiment, the content providing server 1-1 can provide unencrypted content - to the SES 102 for selective encryption of the content In another embodiment, Na 102 can provide the selected force σ dense content to the content providing feeder 101. The content providing server 101 can receive the selectively encrypted internal 20 string Stream is provided to the customer 106. In an embodiment, the encrypted content stream can be transmitted to the client device 106 in a broadcast manner, wherein the client device 106 can then be enabled to decrypt the received content stream. 101-like devices include personal power monthly desktop information, multi-processor systems, microprocessor-based or programmable 11 200806036 consumer electronics, network PCs, servers, and the like. Figure 2 illustrates SES 1〇2 in more detail. However, in short, SES 102 essentially includes any computing device configured to receive unencrypted content and provide a stream of selectively encrypted content. In an embodiment The SES 5 102 can receive unencrypted content from the content providing server 101. However, the invention is not limited thereto and the SES 102 can also receive unencrypted content from various other sources, including, for example, from a different content provider. A portable storage medium on the network 105, or the like. In any case, 'in one embodiment, 1 〇 2 can provide selective encryption of content to the inside 10 The provider 101 is distributed to the client 106. In another embodiment, the SES 102 can provide selective encryption of content to the client 106, or the like. In an embodiment, the SES 102 can use a program (in conjunction with the following) The procedure 600 described in the figure is substantially similar. Although the SES 102 and the content providing server 101 are illustrated as being different, the invention is not limited thereto, and in an embodiment, without departing from the invention In scope or spirit, the SES 102 and content providing server 101 can be integrated into a single computing device or even distributed to more than two computing devices. The network 105 is configured to enable various computing devices to transmit/receive messages 20 Information, such as files, content streams or the like. Network 1〇5 is enabled to use any form of computer readable media to transfer information from one electronic device to another. Moreover, the network 1〇5 can include the Internet, in addition to regional networks (LANs), wide area networks (WANs), and direct connections (such as through a universal serial bus (USB) port), and others. The form of the computer can be 12 200806036 read media or a combination thereof. On a set of interconnected LANs (including those based on different architectures and protocols), a router acts as a link between the LANs, thereby enabling messages to be sent from one LAN to another. Moreover, the communication links in the LANs generally include twisted pairs or coaxial power connections, and the communication links between the five channels can use analog telephone lines, full or partial dedicated digital lines (including ΤΙ, T2, T3 and T4), Integrated Services Digital Network (ISDN), Digital Subscriber Line (DSL), wireless link (including satellite links), or other communication links known to those of ordinary skill in the art. In addition, remote terminals and other related electronic devices can be remotely connected to a LAN or WAN via a modem and a temporary telephone 10 bond. The network 105 can further utilize a plurality of access technologies 'including 2nd generation (2G), 3rd generation (3G) radio access, WLAN, wireless router (WR) networks and the like for cellular systems. Access technologies such as 2G, 3G, and future access networks can provide varying degrees of mobility across the wide range of computing devices. For example, Network 1〇5 can enable radio access via a 15-wire grid, such as Global System for Mobile Communications (GSM), General Packet Radio Service (GpRS), Enhanced Data gsm Environment (EDGE), Broadband Code Division Multiple Access (WCDMA), and the like. In essence, the network 1 〇 5 includes any communication method by which information can be transferred between one computing device and another computing device. In addition, the communication medium generally implements computer readable instructions, data structures, program modules, or other data, data signals, or other transmission mechanisms within a modulated data signal (eg, a carrier), and includes any information. Delivery media. The words "modulated data signal," and "carrier signal, including a signal having - or more of its feature set, or within the signal are encoded by the code, 200806036, instructions, data, and the like. By. By way of example, communication media includes wired media (e.g., twisted pair, coaxial cable, fiber optic, waveguide), as well as other wired and wireless media (e.g., audio, RF, infrared, and other wireless media). 5 Although the present invention illustrates that content is sent to the client through the network 105

106 is set, but the invention is not limited thereto. For example, the content may also be provided by substantially any other content delivery medium (including but not limited to the following: CD, DVD, magnetic tape, electronic memory device, or the like). An embodiment of a client device 106 is described in greater detail below in conjunction with FIG. However, 15 20 any computing device that receives content from another computing device over a network, such as content providing server 101, SES 102, or the like. Client device 106 may also include any computing device capable of receiving the content using other mechanisms, including but not limited to the following: CD, DVD, magnetic tape, electronic memory device, or the like. The set of such devices may include devices that are generally connected to a wired communication medium, such as a personal computer, a multi-processor system, a microprocessor-based or programmable consumer electronics product, a network PC, or a group of such devices. It can also include a general use-wireless communication medium, such as a mobile phone, a smart phone, a pager, a _, a device, an infrared (10) device, (3), an in-person dream, or a plurality of shovel devices. Dismissal 1 and similar devices. The client device 106 can also be any device that is connected to the wired or wireless PDA media, such as a PDA, a small PC, or a portable configuration to receive and play any other device through a wired and/or greenless media. Similarly, the customer device 106 can enjoy the content using any of a variety of devices, including the following but not limited to the following: a computer display system, an audio system, a jukebox, a video on demand (STB), a A television, video display device, or the like. Client device 106 can include a client application configured to enable an end user to receive media and play the accepted content. The client application may also provide other actions, including but not limited to the following; enabling other components of the client device to perform, interface with another component, device, terminal user, and the like. In one embodiment, the client application can selectively encrypt the decrypted 10 content. For example, client device 106 can receive encrypted content from content providing server 101, and/or selectively encrypted content from SES 102. The client application can then enable decryption of the selectively encrypted content for use by client device 106. However, the client application can also be configured to ensure protection of the decrypted content by continuously selecting at least a portion of the exposed unencrypted content. In an embodiment, the client application may also use a program substantially similar to the one described below in connection with Figure 6, to perform at least some of its actions. Illustrative Server Environment 20 FIG. 2 shows an embodiment of a server device in accordance with an embodiment of the present invention. Server device 200 can include more components than the components being displayed. However, the elements shown are sufficient to disclose an illustrative embodiment for practicing the invention. For example, server device 200 can represent SES 102 of Figure 1. 15 200806036 The server device 200 includes a processing unit 212, a video display adapter 214, and a large-capacity memory, all of which communicate with each other through the bus bar 222. The mass storage device typically includes RAM 216, r〇m 232, and one or more permanent mass storage devices (e.g., hard disk drive 228), magnetic tape drives, optical disk drives, and/or floppy disk drives. The mass storage device stores an operating system 22 for controlling the operation of the server device 200. Any general operating system can be used. A basic input/output system ("dress 8,") 218 is also provided for controlling the low-level operation of the server device 200. As depicted in Figure 2, the server is loaded

Communicate with the Internet, or some other communication network (such as network 105 in Figure 1) for various communication protocols including the TCP/IP 10 protocol. The network interface unit 21 is sometimes referred to as a transceiver, a transceiver, a network interface card (NIC), and the like. Server device 200 may also include an SMTP processing application for transmitting and receiving email. The server device 2 can also include an HTTP processing application for receiving and processing HTTP requests, and an HTTP processing application for handling secure connections. The HTTP processing application can initiate communication with an external application in a secure manner. The server device 200 can also include an input/output interface 224 for communicating with external devices, such as a mouse, keyboard, scanner, or other input device not shown in FIG. Similarly, the server device 200 can further include additional mass storage devices such as a CD_R〇M/D VD-ROM disc drive 226 and a hard drive 22-8. The hard disk drive 228 can be used by the server device 200 to store, among other things, applications, databases, and the like. 0 16 200806036 The large-capacity memory as described above illustrates another type of computer readable. Media, ie computer storage media. Computer storage media may include non-permanent, permanent, removable, and non-removable methods implemented in any method or technology for storing information (eg, computer readable instructions, data structures, program modules, or other materials). Remove the media. Examples of computer storage media include: RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital video disc (DVD) or other optical storage device, magnetic box, magnetic tape, disk storage or other A magnetic storage device, or any other medium used to store the desired information, and accessed by a computing device.亥Hidden Valley § Remembrance also stores code and information. One or more applications 250 are loaded into the mass storage and executed on the operating system 22A. Examples of applications include e-mail programs, schedulers, calendars, transcoders, database programs, word processing programs, spreadsheet programs, and more. The mass storage device may further include an application such as a selective encryption element (SEC) 254. The SEC 254 can be configured to receive unencrypted content and selectively encrypt at least a portion of the content based in part on a selection criterion. In an embodiment, SEC 254 provides a stream of selectively encrypted content. In an embodiment, SEC 254 may use a substantially similar sequence to program 600 of Figure 6 to perform at least some of its actions. In one embodiment, the selectively encrypted content stream is a Moving Picture Experts Group (MPEG) content stream, such as a transport stream. In short, Μ P E G is a coding and compression standard for digital broadcast content. MPEG provides compression for TV quality transmission of video broadcast content 17 200806036 Support. Moreover, MPEG provides compressed audio, control, and even user-wide content. One embodiment of the MPEG-2 standard is described in IS〇/IEc 13818_7 (available within the International Standards Organization (ISO)), which is incorporated herein by reference. 5 MPEG content stream includes a packetized primary stream (PES), which typically includes fixed (or variable size) blocks or maps of an integer number of primary stream (ES) access units. frame. An ES is generally a basic component of an MPEG content stream and includes digital control data, digital audio, digital video, and other digital content (synchronous or asynchronous). A set of tightly coupled PES packets that substantially refer to the same time 10 reference contains an MPEG program stream (PS). Each PES packet can also be decomposed into a fixed-size transport packet called an MPEG transport stream (a MPEG transport stream). A far MPEG transport stream forms a common method of combining one or more content streams, which may include Independent time base. Moreover, the MPEG frame includes an intraframe (I-frame), a forward prediction frame (p-frame), and a 15-way prediction frame (B-frame). The SEC 254 can utilize at least a portion of various encryption techniques to selectively encrypt at least a portion of the content stream, including but not limited to the following: Advanced Encryption Standard (AES), RSA Labs Inc. (" RSA's") RC6, IBM's MARS, TwoFish, Serpent, 2〇CAST-256, International Data Encryption Algorithm (IDEA), Data Encryption Standard (DES), Triple DES, DES-EDE2, DES-EDE3 , DESX, DES-XEX3, RC2, RC5, Blowfish, Diamon2, TEA, SAFER, 3-WAY, GOST, SHARK, CAST-128, Square, Skipjack, Panama, ARC4, SEAL, WAKE, Sapphire II, 18 200806036 5 BlumBlumShub , RSA, DSA, ElGamal, Nyberg-Rueppel (NR), BlumGoldwasser, Rabin, Rabin-Williams (RW), LUC, LUCELG, ECDSA, ECNR, ECIES, ECDHC, ECMQVC, and/or any other encryption algorithm. And the SEC 254 can perform this encryption on-the-fly. • In addition, the SEC 254 can selectively encrypt a portion of the content stream using an encryption technique and encrypt another portion of the content stream using a different encryption technique. The SEC 254 may further use different content encryption keys for different portions of the selectively encrypted content stream. In an embodiment, the SEC 254 may use a key rotation mechanism in which the special encryption theory may rotate between different records at any time. For example, in one embodiment, the SEC 254 can use two encryption keys (based on an even or an odd 15 • scrambling control bit). In an embodiment, SEC 254 may selectively modify a transport packet header to indicate that the scrambling control bit is even or odd. A SEC 254 can then use a gold input to selectively encrypt at least a portion of the content stream, and then switch the scrambling control bit at other times to indicate that a different encryption key is being used. In an embodiment, the SEc 254 can be switched or rotated randomly between the gold records. In another embodiment, SEC 254 may rotate between gold inputs based on a predetermined period of time, event, or the like. Thus, in an embodiment, two encryption keys can be used; one of the gold balances can be used for a current add-on add-on cycle, and another key is used for the selectively encrypted Content stream (10) - encryption period. Referring to Fig. 4, Fig. 4 illustrates an embodiment of a transmission packet in which the controller does not disturb the control bit. As shown, the value 铋 special wheel packet 4A includes the payload 402 19 200806036 and the header 404. In general, payload 4〇2 may include approximately 184 bytes of material, such as video content, audio content, trick play material, or the like. However, the invention is not limited to this equivalent. The header 404 can be a four-byte (32-bit) header, which can include various fields (including the same 5-step byte, indicating how a payload can be processed) A bit, a PID indicating which stream a packet belongs to, a suitability field control bit, a contiguous bit, and a scrambling control bit 4〇6). As further shown, by transmitting the packets 400B and 400C, by changing the scrambling control bit 406, the present invention shows whether the payload uses an even encryption gold (400B), an odd encryption 10 key (400Q). Encrypted, or not encrypted (4〇〇A) The SEC 254 may provide content keys and program attribute information, rights and authorizations in an Authorization Control Message (ECM) to access the content or the like. In other words, the ECM generally includes 15 packets of information to determine a control word (CW) (used to decrypt the content, also referred to as content record). In general, the streaming content A portion of the CW is selectively encrypted using the CW. The CW can be encrypted with a service key and provided within the ECM message. The service key can then be encrypted using a 〆 encryption key that can be assigned to a user. Encrypted and transmitted within a message frame, packet, or the like. For example, in one embodiment, the service record can be sent within an authorization message (emm). In an embodiment The EMM may also include a user related information such as subscription information. Additional information, or the like. In an embodiment, the ECMs may be inserted into the selectively encrypted inner valley stream such that transmissions thereof may be offset by a negative half encryption period. Moreover, the ECM may be based on each The second is a predetermined number of times (based on a pcR) is inserted. Example 20 200806036 For example, in an embodiment, the ECMs may be inserted between about 5-25 times per second. However, the present invention is not limited thereto. And other frequencies can be used. SEC 254 can further insert an ECM into each frame (i_frame) header, to the 5 pre-predictive frame (P-frame) header or even to bi-directional prediction. Frame (B-frame) at least one packet after the header. In any case, the SEC 254 is configured to be able to transmit the ECMs substantially for each of the appropriate encryption periods for the selectively encrypted content. The SEC 254 may be used in part based on one or more selection criteria to selectively add portions of the cryptographic content stream. These selection criteria may be based on a condition, event, or its like. Dynamically modified. For example, in an embodiment, if舄With increased security, Belle SEC 254 can use the following selection criteria: a selection criterion that increases the strength of an encryption key, a selection criterion for rotating the key more frequently, and an increase in the number of selectively encrypted portions. The criterion 15 is selected or the like. The # selection criterion may also be (at least in part) a type based on a portion of the content stream. Thus, for example, the selection criteria may indicate that the selection is steep, the transmission is in a transmission. The packet hierarchy occurs. The selection criteria may further indicate that portions of the content stream may not be encrypted, or remain clear. The portions include, for example, a packet containing a PES header, including trick play data ( For example, video packets such as image start data, G〇p start, sequence start, phase end, or the like). In an embodiment, the selection criteria may indicate that pAT, lion, and/or PMT are kept clean and encrypted. In another embodiment, the selection criteria may indicate: video and/or tone 21 200806036 The packet needs to be encrypted, randomly encrypted, selectively encrypted based on a condition, or the like. In another embodiment, the selection criteria may indicate that the encryption is selectively applied to at least a portion of the video primary stream (ES), the audio ES, the digital data ES, and any combination, and/or video, audio. , any part of the primary stream of data. The selection criteria can further include: selectively encrypting an I-frame, a P-frame, at least a portion of the B-frame, and any combination of P, B, and I frames while leaving the other portion clear, Or its similar. Figure 5 can be used to illustrate an example of selectively encrypting a stream of content streams in accordance with the present invention. Shown are unencrypted content stream 500A and selectively encrypted content stream 500B. The unencrypted content stream 500A includes (between other components) a PAT/PMT header 502, a PES header 506, trick play data 508 and 520, audio data 512 and 516, and a video material 514 packet. Described in the figure is an ECM 510 that has been inserted to selectively encrypt the content stream 500B. The selectively encrypted content stream 500B is meant to illustrate one embodiment of the unencrypted content stream 500A after applying a set of possible selection criteria. When using at least some of the selection criteria identified above, the selectively encrypted content stream 500B illustrates that the PAT/PMT 502 remains unencrypted, and the PES header 506 and trick play material 508 remain unencrypted. In addition, at least some of the audio data and/or video data packets may be encrypted. Thus, as shown, the 'audio material 512 packet remains unencrypted, and the audio material 518 and video material 515 are encrypted. It should be clear that Figure 5 is only an example, and that other and/or different elements of a content stream may be added 22 200806036 or remain unencrypted based on the selection criteria used. In another embodiment, the present invention can modify the PMT to include various encryption information. In short, the PMT can include a program component identifier for a packet within a content stream, such as an audio component, a video component, an auxiliary (aux) resource, a program clock reference, and the like. A PMT may also include encrypted information about an ECM message. For example, in an embodiment, the pmt can be selectively modified to include conditional access (CA) information. In an embodiment

The CA information in g may specify a system identifier associated with a certificate authority, a content provider, a v〇D selective encryption server, or the like. In another eleventh embodiment, the PMT can also be modified to include a PiD associated with the ECM stream. In another embodiment; the PMT can also be modified to include a stream descriptor, such as where the ECM stream is a pES stream (eg, a stream type PES privacy), or the like . Illustrative Client 15 Figure 3 shows a _real_ of a computing device in accordance with an embodiment of the present invention. The client device can include more elements than the ones shown. However, the components are fully exposed to practice the invention. For example, the client device 3 can represent the client device of FIG. The client device 300 includes a processing unit 312, video display adapters 314, 2, and a large body, each of which is configured to communicate with each other through the bus bar 322. The memory device generally includes a RAM 316, a ROM 332, and One or more water-capacity storage devices (eg, hard disk drive 328, tape drive, disk drive, and/or floppy disk drive). The mass storage device stores an operating system 32 for controlling the operation of the client device 〇0. Any general operating system can be used by 23 200806036. A basic input/output system ("BIOS") 318 is also provided for controlling the low level operation of client device 3 (10). As depicted in Figure 3, the client device 3 can also communicate with the Internet, or some other communication network (e.g., the first interface) through the network interface unit 310 (which is configured for various communication protocols including TCP/IP protocols). The network 105 of Figure 5 communicates. Network interface unit 310 is sometimes referred to as a transceiver, transceiver, or network interface card (NIC). The Otani 1 § Remembrance described above illustrates another computer readable medium, namely a known storage medium. The computer storage medium may include non-permanent, permanent, removable in any method or technique for storing δίΐ (eg, a fine-readable instruction, a data structure, a program, or a program). And non-removable media. Examples of computer storage media include · p, AM, rqm, EEPROM, flash memory or other memory technology, CD_R〇M, digital video disc (DVD) or other optical storage device, magnetic A cartridge, magnetic tape, disk storage or other magnetic storage device, or any other medium used to store the desired information 15 and accessible by a computing device. The client device 300 may also include for transmitting and receiving electronic mail. An SMTP processing application, a _HTTp processing application for receiving and processing Ηττρ requests, and a 11711 processing application for handling secure connections. The HTTP processing application can be initialized in a secure manner with an external 20 application. The client device 300 can also include an input/output interface 324 for communicating with external devices, such as a handheld remote control device, a mouse, A keyboard, a scanner, or other input device not shown in Fig. 3. Similarly, the client device 300 may further include additional such as CD_R〇M/D VD_R〇M disc player 3% and 24 200806036 hard disk drive 328. A mass storage device. The hard disk drive 328 can be used to store, among other things, applications, databases, client device information, policies, and the like. The large-capacity memory also stores code and Data. One or more application 5 programs 350 are loaded into the mass memory and executed on an operating system 320. Examples of applications may include the following but are not limited to the following: transcoders, schedulers, calendars, Database program, word processing program, τττρ program, audio player, video player, v〇D player, decoder, decryptor, PPV player, an STB interface program, a TV interface program, video 10 camera The mass storage device may further include an application such as Customer Selective Cryptographic Element (CSEC) 352, which may be from another computing device (eg, server 102, Figure 1) For server 1〇1 or even another network device, portable storage device or the like) is downloaded. In at least one embodiment, CSEC 352 can be configured to perform SEC 254 with Figure 2 substantially 15 A similar action is taken. That is, the CSEC 352 can receive unencrypted content (clear content) and selectively encrypt at least a portion of the content. In an embodiment, the 'CSEC 352 can use the program 6 described below. A similar procedure to selectively encrypt at least a portion of the content within client device 300. 20 Generalized Operations The operation of some aspects of the present invention is now described with respect to FIG. Figure 6 illustrates a logic flow diagram that generally shows an embodiment of a program that selectively encrypts - transmits a portion of a stream in accordance with the present invention. The program deletion of Fig. 6 can be implemented (for example) in SES 1〇2 of Fig. 1 and/or 25 200806036 CSEC 352 of Fig. 3. After the start block, the program_ begins in block 602 where the unencrypted content stream is received. In an embodiment, the unencrypted content stream is received from, for example, a content provider, an m storage device, or the like. However, the invention is not limited thereto, and the unencrypted content stream may also be received within a client device due to decrypting a stream of content for playback, or the like. Processing then proceeds to block 604 which determines one or more encryption selection criteria. Such selection criteria may include at least some of the above described simplifications, including keeping the trick play material clear (not encrypted), keeping the PES header packet clear, or the like. Processing then proceeds to decision block 606 to determine whether the current portion of one of the unencrypted content streams needs to be encrypted based in part on one or more of the determined selection criteria. A determination as to whether to encrypt a portion of the content stream may (in some 15 cases) cause the buffer to store at least some of the content stream. For example, where content spans more than one packet, multiple packets may be buffered to determine if they are encrypted. For example, as shown in Figure 5, trick play material 520 is displayed spanning multiple packets. Thus, in one embodiment, multiple packets may be examined in order to determine whether to encrypt. In any case of 2 months, the current portion (e.g., one or more packets) needs to be selectively encrypted, and processing proceeds to 608; otherwise, processing proceeds to block 61. Within block 610, the current portion remains unencrypted and processing continues to block 61. In block 608, the current portion of the content stream is selectively encrypted. The encryption can use various encryption techniques, including the rotation of the encryption key, 26 200806036, changing one of the strengths of encryption, or the like, as described above. Moreover, as described above, in an embodiment, the selective encryption may result in selective addition, more than one packet within the inner valley stream. Selective encryption may further include modifying a scrambling control bit within a header to indicate that a different 5 encryption key is used, encryption is performed, or the like. Processing then continues to block 612. Within block 612, based in part on the above discussion, one or more ECMs can be inserted into the selectively encrypted content stream. Processing then proceeds to decision block 614' where a determination is made as to whether the current portion of the content stream includes a ρ ΜΤ 10 header. If included, the process branches to block 618; otherwise, processing continues to block 616. In block 618, the edge PMT header can be modified by inserting conditional access information and/or additional information. Processing then proceeds to block 616. Program 600 then proceeds to block 616 where the portion of the content stream that is selectively encrypted can be forwarded, thereby enabling instant encryption in one embodiment. In one embodiment, the selectively encrypted content stream can be forwarded to a client device, such as client device 1 of Figure 1. In another embodiment, the selectively encrypted content stream can be forwarded to another program, a storage device, or the like. 20 Processing continues to decision block 62, where a determination is made as to whether there is an additional portion of the content stream to be evaluated. If so, then processing proceeds to block 622 where a portion of the content_stream is received and the processing loops back to decision step 606 to apply the (etc.) selection encryption selection criteria. However, if, in decision block 620, there is no longer any portion of the content stream to be selected, then the program _ returns to a call spear sequence to perform other actions. It will be understood that each block of the flow description and combinations of blocks within the flow description can be implemented by computer program instructions. The program instructions 5 can be provided to the processor to generate a machine such that "the instructions are generated on the processor to implement the device specified in the process block." The program instructions are executable by the processor to cause a series of operational steps to be performed by the processor, thereby generating a computer-implemented sequence for causing instructions executed on the processor to be provided for implementation in the (etc.) 10 process The steps of the specified actions within the blocks. Accordingly, the blocks of the process descriptions support a combination of means for performing the specified actions 'for performing the steps of the specified actions, and for performing the The program instruction device of the specified action, it should also be understood that each block in the flow description, and the combination of the blocks of the flow description 15, can be implemented by a specific purpose hardware-based system, and the specified action is performed. Or the 'or the specific purpose of the hardware and computer refers to the above description, examples and materials to provide a complete description of the composition and use of the composition of the present invention because there is no deviation The spirit and scope = 2〇 invention, many embodiments of the present invention can be made, and therefore the present invention resides in the scope of the appended patent application force of Π.] [Brief Description of the drawings

1 is a functional block diagram showing an example of an environment for practicing the present invention; & 28 200806036 FIG. 2 shows a server device that can be included in a system embodying the present invention. Embodiments; Figure 3 shows an embodiment of a client device that can be included in a system embodying the present invention; 5 Figure 4 illustrates an implementation of a transport packet that is generally shown for encrypting possible scrambling control. Functional diagram of an example; Figure 5 illustrates a functional diagram generally showing an embodiment of a selectively encrypted portion of a transport stream; Figure 6 illustrates a general display of selectively encrypting a portion of a 10 stream in accordance with the present invention. A logic flow diagram of an embodiment of a program. [Main component symbol description] 101... content providing server

102.. .5.S 105.. . Network 106.300.. Client device 200.. Server device 210, 310... Network interface unit 212, 312 · · Processing unit 214, 314... Video display Adapter

216 ^ 316...RAM

218,318··-BIOS 220,320...Operating system 222,322...Bus line 224,324...Input/output interface 226,326".CD-ROM/DVD-ROM drive 29 200806036 228,328". Machine 232, 332··.ROM 250,350...application

254.. .5.C 352...CSEC 400A,400B,400C···Transport packet 402.. payload 404.. .header 406.. .Irrigation IL control bit 500A... unencrypted content string Stream 500B... Streaming content 502 with selective force density...PAT/PMT header 506.. .PES header 508,520... Stunt play material

510.. .ECM 512,516,518···Audio Materials 514,515···Video Materials 600...Programs 603~622...Step 30

Claims (1)

200806036 X. Patent Application Range: 1. A server device for managing content encryption, comprising: a transceiver for receiving and transmitting information between another computing device; a processor for communicating with the transceiver And a memory that communicates with the processor and is used to store data 'and machine instructions that cause the processor to perform a plurality of operations, including: ^ receiving an unencrypted content Streaming; selectively encrypting at least a portion of the unencrypted content stream, and maintaining the unencrypted content stream based on a selection criterion that causes at least trick play data in the unencrypted content stream to be unencrypted At least another portion of the encryption is not encrypted; and an authorization control message (ECM) is inserted into the selectively encrypted content stream. The server device of claim 1, wherein the selecting the φ criterion further comprises: indicating that a portion of the unencrypted content stream includes an image start data, an image group start data, and a At least one of the sequence start, or sequence end material, causes the portion of the unencrypted content stream to not be encrypted within the selectively encrypted content stream. The server device of claim 1, wherein if the content stream portion comprises a packet identifier associated with at least one of a program association table or a program mapping table, the content stream is caused to be streamed. This portion is not encrypted within the selectively encrypted content stream. 4. The server device of claim 1, wherein the selection 31 200806036 further includes at least one criterion: indicating that at least a portion of a video payload or an audio payload is in the selectively encrypted content string The stream is encrypted. 5. The server device of claim 1, wherein the operations further comprise: generating at least one trick play index file using the unencrypted trick play data in the selectively encrypted content stream, The trick play index file represents a location of a content frame of the trick play data in the selectively encrypted content stream. The server apparatus of claim 1, wherein selectively encrypting at least a portion of the unencrypted content stream further comprises: using a key rotation mechanism, wherein the selectively encrypted content stream At least a first portion is selectively encrypted using a first encryption key, and at least a second portion of the selectively encrypted content stream is selectively encrypted using a 15th encryption key. 7. The server device of claim 1, wherein the selection criterion further comprises the following indication: a content stream packet including at least a portion of a packetized primary stream header is not encrypted. 8. A system for managing content encryption over a network, comprising a content server configured to provide unencrypted content over the network; an encryption server configured to receive from the content server Unencrypted content, and performing the following actions, including: selectively encrypting at least a portion of the unencrypted content, wherein at least 32 of the unencrypted content associated with at least a portion of the trick play material 2008 200836 10 15 Another portion remains unencrypted; and an authorization control message (ECM) is inserted into the selectively encrypted content stream, wherein the ECM includes at least one encryption key associated with the selectively encrypted portion of the content. 9. The secret of claim 8, wherein at least a portion of the trick play material is not encrypted comprises: causing at least a portion of the image start material or sequence material to be unencrypted. 1. The system of claim 8, wherein the selective encryption further comprises at least one of a U-packeted Least Stream (PES) header or a packet identifier, the packet being unencrypted. The identifier is associated with at least one of a - 关联 association table or a program map table. 11. The system of claim 8 wherein the selective encryption step comprises: randomly encrypting at least some of the video or audio payload while causing other video or audio payloads to be in the selectively encrypted content. Not encrypted. 12. The system of claim 8, wherein the act of the cryptographic server further comprises: generating a stunt file based on the unencrypted trick play data in the selectively encrypted content; And using the stunt (four) material to enable the client device to perform at least one of a fast forward or a fast reverse of the inner valley. 13. The system of claim 8, wherein the ECM further comprises at least two encryption keys, wherein at least one encryption key is associated with a first secret period, and at least - the second gold record and the first The second encryption cycle is related. 33 200806036 14. A method for protecting a media content through a network, comprising: receiving an unencrypted media content stream; selectively encrypting at least a portion of the unencrypted media content stream while streaming the media content The media trick play data within the media has a portion of the media content stream that is not encrypted; and the stream of selectively encrypted media content is transmitted through the network to at least one client device. The method of claim 14, wherein the selectively encrypting comprises: causing at least two encryption keys, and randomly switching between the at least two encrypted 10 keys, the at least Two encryption keys are used to selectively encrypt the at least a portion of the unencrypted media content stream. The method of claim 14, wherein the selective encryption further comprises selectively modifying a transport packet header to indicate whether it is an encryption control bit. 15 17. A modulated data signal configured to include program instructions for performing the method of the method of φ of claim 14 of the patent application. . 18. A computer readable storage medium having computer executable instructions stored thereon for securely managing content that, when installed on a computing device, cause the computing device to perform the following The method includes: receiving an unencrypted content stream; selectively encrypting at least a portion of the unencrypted content stream while causing a portion of the content stream associated with the media trick play material in the media content stream to not Encrypted; and 34 200806036 stores the selectively encrypted content stream. The computer readable storage medium of claim 18, wherein the computer readable storage medium is located in a client computing device. 20. The computer readable storage medium of claim 18, wherein 5 the media trick play material is not encrypted further comprises: causing the image to start, the image group start, the data, and the sequence start At least one of the sequence end data ^ is not encrypted within the selectively encrypted content stream. 35