[go: up one dir, main page]

WO2007080566A2 - Authentication in a network - Google Patents

Authentication in a network Download PDF

Info

Publication number
WO2007080566A2
WO2007080566A2 PCT/IL2006/000808 IL2006000808W WO2007080566A2 WO 2007080566 A2 WO2007080566 A2 WO 2007080566A2 IL 2006000808 W IL2006000808 W IL 2006000808W WO 2007080566 A2 WO2007080566 A2 WO 2007080566A2
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
smart card
top box
set top
port
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/IL2006/000808
Other languages
French (fr)
Other versions
WO2007080566A3 (en
Inventor
Leonid Dorrendorf
David Paluy
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Synamedia Ltd
Original Assignee
NDS Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NDS Ltd filed Critical NDS Ltd
Publication of WO2007080566A2 publication Critical patent/WO2007080566A2/en
Publication of WO2007080566A3 publication Critical patent/WO2007080566A3/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Definitions

  • the present invention relates to authentication in a home network environment.
  • Standard authentication is provided by, for example, a user typing a secret Personal Identification Number (PIN), to provide a proof of identity. Such authentication is generally considered insecure.
  • PIN Personal Identification Number
  • Other well-known types of authentication use a secret key stored on a secure device, such as a smart card, in combination with a cryptographic signing algorithm.
  • EAP protocol a widely accepted family of authentication protocols.
  • the presentation is available on the World Wide Web at: csr.bu.edu/aswn2004/slides/Monday/Session2/pasquale.pdf;
  • a description of a Microsoft implementation of the EAP protocol with smart cards, available on the World Wide Web at: support.microsoft.corn/?kbid 259880;
  • DSS Digital Signature Standard
  • FIPS-186-2 Federal Information Processing Standard Publication
  • the present invention in preferred embodiments thereof, includes an authentication system including a set top box with a smart card.
  • the authentication system is part of a home network, preferably including one or more • other devices.
  • the authentication system preferably provides authentication services to the other device(s) on the home network, and to other devices located outside the home network, on the World Wide Web.
  • the authentication system preferably provides varying levels of authentication security.
  • the other device is an internet- connected personal computer (PC).
  • the PC communicates with the set top box via Ethernet.
  • the PC sends an authentication request to the set top box, to perform a cryptographic function on an input.
  • the set top box preferably fulfills the request in combination with the smart card, comprised within the set top box.
  • the cryptographic function is preferably a digital signature on a result of applying a hash function to contents of a document.
  • the cryptographic functions mentioned above use one or more secret keys, belonging to the smart card and set top box pair.
  • the functions also preferably require the existence of a public key infrastructure, to allow members of the public to verify the identity of the secret key owner, which is the smart card and set top box pair.
  • the present invention in preferred embodiments thereof, uses set top box secrets in combination with smart card secrets. Schemes using a double secret are typically more secure than schemes using a single secret.
  • the present invention typically provides a higher level of security than the security level provided by a smart card alone, or an equivalent electronic security device such as a "dongle" alone.
  • secret in all its grammatical forms is used throughout the present specification and claims interchangeably with the terms “secret token”, “secret key” and “private key” in all their grammatical forms.
  • a set top box interacting with a smart card for providing authentication services to a device, the device being external to the set top box, the set top box and the device being operatively associated, the set top box including a smart card receptacle for receiving the smart card therein, a smart card I/O port operatively connected to the smart card receptacle, the smart card I/O port being operative to communicate with the smart card, a device I/O port to communicate with the device and receive a request from the device for an authentication service, and an authentication processor, operatively connecting the device I/O port and the smart card I/O port, the authentication processor including a receive module to receive the request for the authentication service from the device I/O port, a request module to request the smart card, via the smart card I/O port, to perform at least a first part of the authentication service, and a transfer module to transfer to the device, via the device I/O port, a result of the authentication service based on
  • the authentication module is operative to authenticate the result of the at least first part of the authentication service performed by the smart card.
  • the authentication module is operative to perform the second part of the authentication service prior to the request module requesting the smart card to perform the at least first part of the authentication service. Moreover in accordance with a preferred embodiment of the present invention the authentication module uses a secret to perform the authentication. Further in accordance with a preferred embodiment of the present invention the authentication module authenticates using an RSA signature.
  • the authentication module authenticates using an ElGamal signature.
  • the authentication module authenticates using a Fiat-Shamir signature.
  • a system for providing authentication services to a device including a smart card operative to perform authentication services, and a set top box including a device I/O port to communicate with the device and receive a request from the device for an authentication service, a smart card receptacle, for receiving the smart card therein, a smart card I/O port, operatively connected to the smart card receptacle, the smart card I/O port being operative to communicate with the smart card, and an authentication processor operatively connecting the device I/O port and the smart card I/O port, the authentication processor including a receive module to receive the request for the authentication service from the device I/O port, a request module to request the smart card, via the smart card I/O port, to perform at least a first part of the authentication service, and a transfer module to transfer to the device, via the device I/O port, a result of the authentication service based on a result of the at least first
  • the authentication module is operative to authenticate the result of the at least first part of the authentication service performed by the smart card.
  • the authentication module is operative to perform the second part of the authentication service prior to the request module requesting the smart card to perform the at least first part of the authentication service.
  • the authentication module uses a secret to perform the authentication. Further in accordance with a preferred embodiment of the present invention the authentication module authenticates using an RSA signature.
  • the authentication module authenticates using an ElGamal signature. Additionally in accordance with a preferred embodiment of the present invention the authentication module authenticates using a Fiat- Shamir signature.
  • a method for providing authentication services to the device including the set top box receiving a request from the device to perform an authentication service, the set top box requesting the smart card to perform at least a first part of the authentication service, the set top box receiving from the smart card a result of the at least first part of the authentication service performed by the smart card, and the set top box transferring to the device a result of the authentication process based on the result of the at least first part of the authentication service received from the smart card.
  • the set top box performs a second part of the authorization service.
  • the smart card performs the at least first part of the authentication service, and provides the result of the performing the at least first part of the authentication request to the set top box. Additionally in accordance with a preferred embodiment of the present invention the smart card performs the at least first part of the authentication service using a secret.
  • a set top box interacting with a smart card for providing authentication services to a device, the device being external to the set top box, the set top box and the device being operatively associated, the set top box including a smart card receptacle for receiving the smart card therein, a smart card I/O port operatively connected to the smart card receptacle, the smart card I/O port being operative to communicate with the smart card, a device I/O port operative to communicate with the device and receive a request from the device for an authentication service, and an authentication processor, operatively connecting the device I/O port and the smart card I/O port, the authentication processor including a receive module to receive the request for the authentication service from the device I/O port, a request module to request the smart card, via the smart card I/O port, to perform a first part of the authentication service, an authentication module to perform a second part of the authentication service, and a transfer module to transfer to the device, via the device I/
  • a system for providing authentication services to a device including a smart card operative to perform authentication services, and a set top box including a device I/O port operative to communicate with the device and receive a request from the device for an authentication service, a smart card receptacle, for receiving the smart card therein, a smart card I/O port, operatively connected to the smart card receptacle, the smart card I/O port being operative to communicate with the smart card, and an authentication processor operatively connecting the device I/O port and the smart card I/O port, the authentication processor including a receive module to receive the request for the authentication service from the device I/O port, a request module to request the smart card, via the smart card I/O port, to perform a first part of the authentication service, an authentication module to perform a second part of the authentication service, and a transfer module to transfer to the device, via the device I/O port, a result
  • a method for providing authentication services to the device including the set top box receiving a request from the device to perform an authentication service, the set top box requesting the smart card to perform a first part of the authentication service, the set top box receiving from the smart card a result of the first part of the authentication service performed by the smart card, the set top box performing a second part of the authorization service, and the set top box transferring to the device a result of the authentication process based on a result of the first part of the authentication service received from the smart card, and a result of the second part of the authentication service performed by the set top box.
  • FIG. 1 is a simplified, partly pictorial, partly functional block diagram, illustration of an authentication system constructed and operative in accordance with a preferred embodiment of the present invention
  • Fig. 2 is a simplified functional block diagram illustration depicting in more detail a preferred method of operation of the system of Fig. 1;
  • Fig. 3 is a simplified functional block diagram illustration depicting an alternative preferred method of operation of the system of Fig. 1; and
  • Fig. 4 is a simplified flowchart illustration of a preferred method for providing authentication by the system of Fig. 1.
  • authentication is the process by which a first computer, computer program, or computer user, attempts to confirm that a second computer, computer program, or computer user from whom the first party has received some communication is, or is not, the claimed second party.
  • Digital signing based on a private key is a typical and accepted method of authentication.
  • Digital signing schemes which are based on modular multiplication are generally considered to be strong schemes. Examples of digital signing schemes based on modular multiplication are RSA, ElGamal, and Fiat- Shamir.
  • Authentication in a home environment is useful in many different situations, including but not limited to, the examples listed below.
  • (a) Purchasing digital content over the internet, wherein the authentication is of the identity of a purchaser.
  • the entity seeking to verify the identity of a purchaser may be a broadcaster providing digital services, or a commercial entity using Digital Rights Management (DRM).
  • DRM Digital Rights Management
  • the authentication allows digital content to be delivered to the purchaser via a set top box, as in cases of Impulse Pay Per View and Video On Demand, and digital content is allowed to be delivered to a PC.
  • FIG. 1 is a simplified, partly pictorial, partly functional block diagram, illustration of an authentication system 10 constructed and operative in accordance with a preferred embodiment of the present invention.
  • Fig. 1 depicts the system 10 in a typical example setting.
  • the system 10 preferably includes a set top box 125 having a smart card receptacle 129 for receiving a smart card 130.
  • the set top box 125 is typically operatively connected to, and in communication with, the smart card receptacle 129, which communicates with the smart card 130.
  • the set top box 125 is also generally operatively connected to a home communication network 110, and to a television display 127.
  • a first user 100 is depicted using a device 105, the device being connected to the home network 110.
  • the home network 110 is also connected to the World Wide Web 115.
  • the device 105 is depicted as a personal computer (PC), connected by the home network 110 both to the World Wide Web 115 and to the set top box 125.
  • the device 105 and the set top box 125 are located, by way of a non-limiting example, in different rooms of a house.
  • the device 105 and the set top box 125 are not necessarily located on a home network, and can be located, by way of a non-limiting example, across the World Wide Web from each other.
  • the set top box 125 is preferably implemented in any suitable combination of software and hardware, as is well known in the art.
  • the set top box 125 preferably comprises suitable conventional components (not shown), as are well known in the art, as well as additional components described herein.
  • the set top box 125 and the television display 127 are depicted as being housed in separate housings. Persons skilled in the art will appreciate that the set top box 125 and the television display 127 can also be within a single housing. Persons skilled in the art will appreciate that the system 10 operates independently of the set top box 125 and the television display 127 being used for other purposes, such as, by way of a non-limiting example, television signal descrambling.
  • the device 105 has hardware and software components enabling communication via the home network 110 to the set top box 125, and enabling request of digital signatures.
  • the user 100 wishes to authenticate a transaction, for example, but not limited to, payment for a software purchase and download of the purchased software from a commercial site (not shown) on the World Wide Web 115.
  • the device 105 preferably sends an authentication request 120, through the home network 110, to the set top box 125.
  • the set top box 125 receives the authentication request 120, and sends the authentication request 120 to the smart card 130.
  • the smart card 130 performs authentication as per the authentication request 120, sending an authenticated authentication request 135 back to the set top box 125.
  • the set top box 125 performs an additional authentication on the authenticated authentication request 135, producing a twice-authenticated authentication request 140, and sends the twice-authenticated authentication request 140, via the home network 110, back to the device 105.
  • the order of authentication can be different, that is, the set top box 125 can perform the first authentication, and the smart card 130 can perform the second authentication.
  • the set top box 125 transfers the authenticated authentication request 135, via the home network 110, to the device 105 without performing the additional authentication request performed by the set top box 125.
  • Fig. 2 is a simplified functional block diagram illustration depicting in more detail a preferred method of operation of the system 10 of Fig. 1.
  • Fig. 2 depicts the device 105, in communication with the set top box 125, which is in communication with the smart card 130.
  • the set top box 125 also preferably includes: a device I/O port 200 for communication between the device 105 and the set top box 125, an authentication processor 210 for processing authentication requests from the device 105, a smart card I/O port 220, for communicating between the smart card 130 and the set top box 125, and a smart card receptacle 129 for receiving the smart card 130.
  • the authentication processor 210 is preferably operative to communicate with both the device I/O port 200 and the smart card I/O port 220. .
  • the authentication processor 210 also preferably includes: a receive module 205, for receiving and processing authentication requests from the device I/O port 200, a request module 215, for sending authentication requests to the smart card I/O port 220, a transfer module 225, and an authentication module 230.
  • the transfer module 225 is preferably operative to: receive and process results received from the smart card FO port 220, send authentication requests to the authentication module 230, receive results from authentication module 230, and send results to the device I/O port 200.
  • the device 105 sends the authentication request 120, via the home network 110 (Fig. 1), to the device I/O port 200 comprised in the set top box 125.
  • the authentication request 120 may comprise many forms of digital content, including but not limited to, an arbitrary token, and a result of a hash function of a file or document.
  • the device I/O port 200 included in the set top box 125 is a home network port..
  • the device I/O port 200 sends the authentication request 120 to the receive module 205 included in and operatively controlled by an authentication processor 210.
  • the authentication processor 210 causes the receive module 205 to send the authentication request 120 to the request module 215, also included in and operatively controlled by the authentication processor 210.
  • the authentication processor 210 causes the authentication request 120 to be sent from the request module 215 to the smart card I/O port 220. It is appreciated that the smart card I/O port 220 is operatively connected to the smart card receptacle 129, and the smart card receptacle 129 is operative to communicate with the smart card 130. The smart card I/O port 220 sends the authentication request 120 to the smart card 130 via the smart card receptacle 129. The smart card 130 performs a first authentication as a result of the authentication request 120, producing the authenticated authentication request 135.
  • the smart card 130 uses a smart card secret and smart card processing capability to produce the authenticated authentication request 135. It is to be appreciated that the smart card authentication secrets can be securely set and updated by authorized entities on the World Wide Web or by a provider of digital services to the set top box.
  • the authentication by way of a non-limiting example, is preferably performed by applying an RSA signature to the authentication request 120, producing the authenticated authentication request 135. It is to be appreciated that authentication can be performed by other asymmetric signature schemes which enable multiple signing, such as ElGamal and Fiat Shamir.
  • the smart card 130 sends the authenticated authentication request 135 back to the smart card I/O port 220, via the smart card receptacle 129.
  • the smart card I/O port 220 then sends the authenticated authentication request 135 to the transfer module 225.
  • the transfer module 225 authenticates the authenticated authentication request 135, using the authentication module 230 to produce the twice-authenticated authentication request 140.
  • the authentication module 230 preferably performs the authentication based on a secret comprised within the set top box 125.
  • the authentication is preferably performed by applying an RSA signature to the authenticated authentication request 135.
  • the transfer module 225 then transfers the twice-authenticated authentication request 140 to the device I/O port 200, and the device I/O port 200 sends the twice-authenticated authentication request 140 to the device 105 via the home network 110 (Fig. 1).
  • an alternative preferred embodiment of the present invention may comprise the authentication module 230 performing the first authentication, and the smart card 130 performing the second authentication. Such an alternative preferred embodiment is described in more detail below with reference to Fig. 3.
  • the authentication processor 210 causes the transfer module 225 to directly transfer the authenticated authentication request 135 to the device I/O port 200 without an authentication being performed by the authentication module 230.
  • the device I/O port 200 then sends the authenticated authentication request 135 to the device 105 via the home network 110 (Fig. 1).
  • the smart card 130 and the set top box 125 preferably comprise secrets.
  • the secrets are preferably, although not necessarily, separate from secrets used for television signal descrambling.
  • new set top boxes which include a unique secret, are well known in the art. Modern set top boxes are also equipped with cryptographic hardware and software, implementing, for example, and without limiting the generality of the foregoing, hash functions, and symmetric and non-symmetric encryption.
  • the smart card 130 may optionally be used to store secret tokens received from external entities which request authentication. If the smart card 130 stores the secret tokens, the smart card 130 preferably allocates an area of NVEAM for storing the secret tokens. The secret tokens can be then requested and used by the external entities as a means to prove the external entities' identity to a third party.
  • the smart card 130 and the set top box 125 comprise software and hardware capable of computing cryptographic functions without interrupting their central task, which is descrambling scrambled video and providing conditional access services. Smart cards with the mathematical processing power required for the cryptographic functions are commonplace. It is to be appreciated that authentication based on applying an RSA signature, combining a smart card secret and a set top box secret without sharing them, is particularly secure. A message, to which an RSA signature is applied in turn by the smart card 130 using the smart card 130 private key and by the set top box 125 using the set top box 125 private key, is verified by a public key which combines the smart card 130 and the set top 125 box public keys.
  • the RSA-signed twice-authenticated authentication request 140 is equal to RS A S2 (RS A 81 (M)).
  • RSA P1 RSA P2 (RSA S2 (RSA S1 (M))
  • RSA P i(RSA sl (M)) M.
  • a preferred embodiment of the present invention improves the security provided by the above scheme even further, by using a multi-signature authentication scheme.
  • M is preferably modified prior to the first authentication operation by appending additional data fields to M.
  • some are constants fields, and some are randomly generated fields.
  • the constant fields are verified by the party requesting the authentication, after the party verifies the authentication signature.
  • the use of the constant and the random fields contributes to the security of the signature scheme, by preventing known types of attacks on asymmetrical signature schemes.
  • M is modified prior to the first authentication operation by concatenating the following string to M (the double pipe indicates the concatenation operation): Time Stamp
  • FIG. 3 is a simplified functional block diagram illustration depicting an alternative preferred method of operation of the system of Fig. 1.
  • Fig. 3 depicts a set top box 305 which is substantially the same as the set top box 125 of Fig. 2, except that the set top box 305 preferably includes an authentication processor 310 having the authentication module 230 disposed between the receive module 205 and the request module 215.
  • the operation of the set top box 305 depicted in Fig. 3 is substantially the same as the operation of the set top box 125 depicted in Fig. 2, except for the following differences.
  • the receive module 205 sends the authentication request 120 to the authentication module 230.
  • the authentication module 230 authenticates the authentication request 120, producing an authenticated authentication request 320.
  • the authentication module 230 sends the authenticated authentication request 320 to the request module 215.
  • the request module 215 sends the authenticated authentication request 320 to the smart card 130 via the smart card I/O port 220 and the smart card receptacle 129.
  • the smart card 130 performs a second authentication on the authenticated authentication request 320, producing a twice-authenticated authentication request 330.
  • the twice-authenticated authentication request 330 is transferred back to the device 105 similarly to the preferred method described with reference to Fig. 2, that is, the smart card 130 sends the twice-authenticated authentication
  • Fig. 4 is a simplified flowchart illustration of a preferred method for providing authentication by the system of Fig. 1. The method of Fig. 4 is self-explanatory in light of the above discussion of Figs. 1 - 3.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Facsimiles In General (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Abstract

A set top box interacting with a smart card for providing authentication services to an external device, the set top box including a smart card receptacle for receiving the smart card therein, a smart card I/O port operative to communicate with the smart card, a device I/O port to communicate with, and receive a request from, the device for an authentication service, and an authentication processor including a receive module to receive the request from the device I/O port, a request module to request the smart card, via the smart card I/O port, to perform at least a first part of the authentication service, and a transfer module to transfer to the device, via the device I/O port, a result of the authentication service based on a result of the at least first part of the authentication service performed by the smart card. Related apparatus and methods are also described.

Description

AUTHENTICATION IN A NETWORK
FIELD OF THE INVENTION
The present invention relates to authentication in a home network environment.
BACKGROUND OF THE INVENTION
Standard authentication, as is well known in the art, is provided by, for example, a user typing a secret Personal Identification Number (PIN), to provide a proof of identity. Such authentication is generally considered insecure. Other well-known types of authentication use a secret key stored on a secure device, such as a smart card, in combination with a cryptographic signing algorithm.
The following references are believed to represent the state of the art:
U.S. Patent 5,231,668 to Kravitz;
A presentation entitled "Set-Top Boxes - Xilinx Solutions for the Broadcast Chain", describing a commercially available set top box which includes RSA capabilities. The presentation is available on the World Wide Web at: www.xilinx.com/esp/dvt/prof.bi'dcst/collateral/settopbox.pdf;
A presentation describing smart cards using a protocol known as the EAP protocol (a widely accepted family of authentication protocols). The presentation is available on the World Wide Web at: csr.bu.edu/aswn2004/slides/Monday/Session2/pasquale.pdf; A description of a Microsoft implementation of the EAP protocol with smart cards, available on the World Wide Web at: support.microsoft.corn/?kbid=259880;
An article on the subject of multi-signatures and their security entitled "The Security of Practical Two-Party RSA Signature Schemes", by Mihir Bellare and Ravi Sandhu, available on the World Wide Web at: www.cs.ucsd.edu/users/mihir/papers/splitkey.pdf; "Digital multisignatures", by Colin Boyd, in "Cryptography and Coding", (HJ.Beker and F.C.Piper Eds.), Oxford University Press, 1989, pp 241- 246;
"Multisignatures based on zero knowledge schemes", by Colin Boyd, in "Electronics Letters", 27, 22, October 1991, pp 2002-2004; and
"Digital Signature Standard (DSS)", a Federal Information Processing Standard Publication (FIPS-186-2), available on the World Wide Web at: csrc.nist.gov/publications/fips/fipsl86-2/fipsl86-2-changel.pdf.
The disclosures of all references mentioned above and throughout the present specification, as well as the disclosures of all references mentioned in those references, are hereby incorporated herein by reference.
SUMMARY OF THE INVENTION
The present invention, in preferred embodiments thereof, includes an authentication system including a set top box with a smart card. The authentication system is part of a home network, preferably including one or more other devices. The authentication system preferably provides authentication services to the other device(s) on the home network, and to other devices located outside the home network, on the World Wide Web. The authentication system preferably provides varying levels of authentication security.
By way of a non-limiting example, the other device is an internet- connected personal computer (PC). The PC communicates with the set top box via Ethernet. The PC sends an authentication request to the set top box, to perform a cryptographic function on an input. The set top box preferably fulfills the request in combination with the smart card, comprised within the set top box.
The cryptographic function is preferably a digital signature on a result of applying a hash function to contents of a document.
The cryptographic functions mentioned above use one or more secret keys, belonging to the smart card and set top box pair. The functions also preferably require the existence of a public key infrastructure, to allow members of the public to verify the identity of the secret key owner, which is the smart card and set top box pair.
The present invention, in preferred embodiments thereof, uses set top box secrets in combination with smart card secrets. Schemes using a double secret are typically more secure than schemes using a single secret.
The present invention, in preferred embodiments thereof, typically provides a higher level of security than the security level provided by a smart card alone, or an equivalent electronic security device such as a "dongle" alone.
An increasing percentage of set top boxes deployed in homes are equipped with unique secret keys for security purposes.
The term "signing" in all its grammatical forms is used throughout the present specification and claims interchangeably with the term "authentication" and its corresponding grammatical forms. 0808
The term "secret" in all its grammatical forms is used throughout the present specification and claims interchangeably with the terms "secret token", "secret key" and "private key" in all their grammatical forms.
There is thus provided in accordance with a preferred embodiment of the present invention a set top box interacting with a smart card for providing authentication services to a device, the device being external to the set top box, the set top box and the device being operatively associated, the set top box including a smart card receptacle for receiving the smart card therein, a smart card I/O port operatively connected to the smart card receptacle, the smart card I/O port being operative to communicate with the smart card, a device I/O port to communicate with the device and receive a request from the device for an authentication service, and an authentication processor, operatively connecting the device I/O port and the smart card I/O port, the authentication processor including a receive module to receive the request for the authentication service from the device I/O port, a request module to request the smart card, via the smart card I/O port, to perform at least a first part of the authentication service, and a transfer module to transfer to the device, via the device I/O port, a result of the authentication service based on a result of the at least first part of the authentication service performed by the smart card. Further in accordance with a preferred embodiment of the present invention the authentication processor further includes an authentication module to perform a second part of the authentication service.
Still further in accordance with a preferred embodiment of the present invention the authentication module is operative to authenticate the result of the at least first part of the authentication service performed by the smart card.
Additionally in accordance with a preferred embodiment of the present invention the authentication module is operative to perform the second part of the authentication service prior to the request module requesting the smart card to perform the at least first part of the authentication service. Moreover in accordance with a preferred embodiment of the present invention the authentication module uses a secret to perform the authentication. Further in accordance with a preferred embodiment of the present invention the authentication module authenticates using an RSA signature.
Still further in accordance with a preferred embodiment of the present invention the authentication module authenticates using an ElGamal signature.
Additionally in accordance with a preferred embodiment of the present invention the authentication module authenticates using a Fiat-Shamir signature.
There is also provided in accordance with another preferred embodiment of the present invention a system for providing authentication services to a device, the device being external to the system, the system including a smart card operative to perform authentication services, and a set top box including a device I/O port to communicate with the device and receive a request from the device for an authentication service, a smart card receptacle, for receiving the smart card therein, a smart card I/O port, operatively connected to the smart card receptacle, the smart card I/O port being operative to communicate with the smart card, and an authentication processor operatively connecting the device I/O port and the smart card I/O port, the authentication processor including a receive module to receive the request for the authentication service from the device I/O port, a request module to request the smart card, via the smart card I/O port, to perform at least a first part of the authentication service, and a transfer module to transfer to the device, via the device I/O port, a result of the authentication service based on a result of the at least first part of the authentication service performed by the smart card. . Further in accordance with a preferred embodiment of the present invention the authentication processor further includes an authentication module to perform a second part of the authentication service.
Still further in accordance witihi a preferred embodiment of the present invention the authentication module is operative to authenticate the result of the at least first part of the authentication service performed by the smart card.
Additionally in accordance with a preferred embodiment of the present invention the authentication module is operative to perform the second part of the authentication service prior to the request module requesting the smart card to perform the at least first part of the authentication service.
Moreover in accordance with a preferred embodiment of the present invention the authentication module uses a secret to perform the authentication. Further in accordance with a preferred embodiment of the present invention the authentication module authenticates using an RSA signature.
Still further in accordance with a preferred embodiment of the present invention the authentication module authenticates using an ElGamal signature. Additionally in accordance with a preferred embodiment of the present invention the authentication module authenticates using a Fiat- Shamir signature.
There is also provided in accordance with still another preferred embodiment of the present invention, in an environment including a set top box interacting with a smart card and a device operatively associated with the set top box, the device being external to the set top box, a method for providing authentication services to the device, the method including the set top box receiving a request from the device to perform an authentication service, the set top box requesting the smart card to perform at least a first part of the authentication service, the set top box receiving from the smart card a result of the at least first part of the authentication service performed by the smart card, and the set top box transferring to the device a result of the authentication process based on the result of the at least first part of the authentication service received from the smart card. Further in accordance with a preferred embodiment of the present invention the set top box performs a second part of the authorization service.
Still further in accordance with a preferred embodiment of the present invention the smart card performs the at least first part of the authentication service, and provides the result of the performing the at least first part of the authentication request to the set top box. Additionally in accordance with a preferred embodiment of the present invention the smart card performs the at least first part of the authentication service using a secret.
There is also provided in accordance with another preferred embodiment of the present invention a set top box interacting with a smart card for providing authentication services to a device, the device being external to the set top box, the set top box and the device being operatively associated, the set top box including a smart card receptacle for receiving the smart card therein, a smart card I/O port operatively connected to the smart card receptacle, the smart card I/O port being operative to communicate with the smart card, a device I/O port operative to communicate with the device and receive a request from the device for an authentication service, and an authentication processor, operatively connecting the device I/O port and the smart card I/O port, the authentication processor including a receive module to receive the request for the authentication service from the device I/O port, a request module to request the smart card, via the smart card I/O port, to perform a first part of the authentication service, an authentication module to perform a second part of the authentication service, and a transfer module to transfer to the device, via the device I/O port, a result of the authentication service based on a result of the first part of the authentication service performed by the smart card, and a result of the second part of the authentication service performed by the authentication module.
There is also provided in accordance with still another preferred embodiment of the present invention a system for providing authentication services to a device, the device being external to the system, the system including a smart card operative to perform authentication services, and a set top box including a device I/O port operative to communicate with the device and receive a request from the device for an authentication service, a smart card receptacle, for receiving the smart card therein, a smart card I/O port, operatively connected to the smart card receptacle, the smart card I/O port being operative to communicate with the smart card, and an authentication processor operatively connecting the device I/O port and the smart card I/O port, the authentication processor including a receive module to receive the request for the authentication service from the device I/O port, a request module to request the smart card, via the smart card I/O port, to perform a first part of the authentication service, an authentication module to perform a second part of the authentication service, and a transfer module to transfer to the device, via the device I/O port, a result of the authentication service based on a result of the first part of the authentication service performed by the smart card, and a result of the second part of the authentication performed by the authentication module.
There is also provided in accordance with another preferred embodiment of the present invention, in an environment including a set top box interacting with a smart card and a device operatively associated with the set top box, the device being external to the set top box, a method for providing authentication services to the device, the method including the set top box receiving a request from the device to perform an authentication service, the set top box requesting the smart card to perform a first part of the authentication service, the set top box receiving from the smart card a result of the first part of the authentication service performed by the smart card, the set top box performing a second part of the authorization service, and the set top box transferring to the device a result of the authentication process based on a result of the first part of the authentication service received from the smart card, and a result of the second part of the authentication service performed by the set top box.
BRIEF DESCRIPTION OF THE DRAWINGS The present invention will be understood and appreciated more fully from the following detailed description, taken in conjunction with the drawings in which: Fig. 1 is a simplified, partly pictorial, partly functional block diagram, illustration of an authentication system constructed and operative in accordance with a preferred embodiment of the present invention;
Fig. 2 is a simplified functional block diagram illustration depicting in more detail a preferred method of operation of the system of Fig. 1; Fig. 3 is a simplified functional block diagram illustration depicting an alternative preferred method of operation of the system of Fig. 1; and
Fig. 4 is a simplified flowchart illustration of a preferred method for providing authentication by the system of Fig. 1.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
By way of introduction, in a computer environment, authentication is the process by which a first computer, computer program, or computer user, attempts to confirm that a second computer, computer program, or computer user from whom the first party has received some communication is, or is not, the claimed second party.
. Digital signing based on a private key is a typical and accepted method of authentication. Digital signing schemes which are based on modular multiplication are generally considered to be strong schemes. Examples of digital signing schemes based on modular multiplication are RSA, ElGamal, and Fiat- Shamir.
Authentication in a home environment is useful in many different situations, including but not limited to, the examples listed below.
(a) Purchasing digital content over the internet, wherein the authentication is of the identity of a purchaser. The entity seeking to verify the identity of a purchaser may be a broadcaster providing digital services, or a commercial entity using Digital Rights Management (DRM). In case of a broadcaster or a commercial entity using DRM, the authentication allows digital content to be delivered to the purchaser via a set top box, as in cases of Impulse Pay Per View and Video On Demand, and digital content is allowed to be delivered to a PC.
(b) Client identification by entities providing discounts, other promotional actions benefiting the home-network user, and targeted advertising.
(c) Security services enabling a user to access internet sites, such as, for example, and without limiting the generality of the foregoing, "cookie" certification, and user identification.
(d) Securing the use of licensed software. "Dongles" have been used for this purpose in the past, but securing by use of a smart card and a set top box has an advantage of being provided by hardware which already exists in a user's home.
(e) Authentication of a user to an Internet Service Provider. (f) Authentication of a user to a broadcaster head-end, for example, and without limiting the generality of the foregoing, during callbacks. Reference is now made to Fig. 1 which is a simplified, partly pictorial, partly functional block diagram, illustration of an authentication system 10 constructed and operative in accordance with a preferred embodiment of the present invention. Fig. 1 depicts the system 10 in a typical example setting. The system 10 preferably includes a set top box 125 having a smart card receptacle 129 for receiving a smart card 130. The set top box 125 is typically operatively connected to, and in communication with, the smart card receptacle 129, which communicates with the smart card 130. The set top box 125 is also generally operatively connected to a home communication network 110, and to a television display 127.
A first user 100 is depicted using a device 105, the device being connected to the home network 110. The home network 110 is also connected to the World Wide Web 115. By way of a non-limiting example, the device 105 is depicted as a personal computer (PC), connected by the home network 110 both to the World Wide Web 115 and to the set top box 125. The device 105 and the set top box 125 are located, by way of a non-limiting example, in different rooms of a house.
Persons skilled in the art will appreciate that the device 105 and the set top box 125 are not necessarily located on a home network, and can be located, by way of a non-limiting example, across the World Wide Web from each other.
The set top box 125 is preferably implemented in any suitable combination of software and hardware, as is well known in the art. The set top box 125 preferably comprises suitable conventional components (not shown), as are well known in the art, as well as additional components described herein.
The set top box 125 and the television display 127 are depicted as being housed in separate housings. Persons skilled in the art will appreciate that the set top box 125 and the television display 127 can also be within a single housing. Persons skilled in the art will appreciate that the system 10 operates independently of the set top box 125 and the television display 127 being used for other purposes, such as, by way of a non-limiting example, television signal descrambling.
The device 105, has hardware and software components enabling communication via the home network 110 to the set top box 125, and enabling request of digital signatures.
The operation of the system of Fig. 1 will now be described in more detail.
The user 100 wishes to authenticate a transaction, for example, but not limited to, payment for a software purchase and download of the purchased software from a commercial site (not shown) on the World Wide Web 115.
In order to provide authentication, the device 105 preferably sends an authentication request 120, through the home network 110, to the set top box 125. The set top box 125 receives the authentication request 120, and sends the authentication request 120 to the smart card 130. The smart card 130 performs authentication as per the authentication request 120, sending an authenticated authentication request 135 back to the set top box 125.
The set top box 125 performs an additional authentication on the authenticated authentication request 135, producing a twice-authenticated authentication request 140, and sends the twice-authenticated authentication request 140, via the home network 110, back to the device 105.
Persons skilled in the art will appreciate that the order of authentication can be different, that is, the set top box 125 can perform the first authentication, and the smart card 130 can perform the second authentication. In accordance with an alternative preferred embodiment of the present invention (not depicted in Fig. 1) the set top box 125 transfers the authenticated authentication request 135, via the home network 110, to the device 105 without performing the additional authentication request performed by the set top box 125. Reference is now made to Fig. 2, which is a simplified functional block diagram illustration depicting in more detail a preferred method of operation of the system 10 of Fig. 1. Fig. 2 depicts the device 105, in communication with the set top box 125, which is in communication with the smart card 130.
The set top box 125 also preferably includes: a device I/O port 200 for communication between the device 105 and the set top box 125, an authentication processor 210 for processing authentication requests from the device 105, a smart card I/O port 220, for communicating between the smart card 130 and the set top box 125, and a smart card receptacle 129 for receiving the smart card 130. The authentication processor 210 is preferably operative to communicate with both the device I/O port 200 and the smart card I/O port 220. . The authentication processor 210 also preferably includes: a receive module 205, for receiving and processing authentication requests from the device I/O port 200, a request module 215, for sending authentication requests to the smart card I/O port 220, a transfer module 225, and an authentication module 230. The transfer module 225 is preferably operative to: receive and process results received from the smart card FO port 220, send authentication requests to the authentication module 230, receive results from authentication module 230, and send results to the device I/O port 200.
The operation of the system depicted in Fig. 2 will now be described. The device 105 sends the authentication request 120, via the home network 110 (Fig. 1), to the device I/O port 200 comprised in the set top box 125. The authentication request 120 may comprise many forms of digital content, including but not limited to, an arbitrary token, and a result of a hash function of a file or document. The device I/O port 200 included in the set top box 125 is a home network port.. The device I/O port 200 sends the authentication request 120 to the receive module 205 included in and operatively controlled by an authentication processor 210. The authentication processor 210 causes the receive module 205 to send the authentication request 120 to the request module 215, also included in and operatively controlled by the authentication processor 210. The authentication processor 210 causes the authentication request 120 to be sent from the request module 215 to the smart card I/O port 220. It is appreciated that the smart card I/O port 220 is operatively connected to the smart card receptacle 129, and the smart card receptacle 129 is operative to communicate with the smart card 130. The smart card I/O port 220 sends the authentication request 120 to the smart card 130 via the smart card receptacle 129. The smart card 130 performs a first authentication as a result of the authentication request 120, producing the authenticated authentication request 135.
The smart card 130 uses a smart card secret and smart card processing capability to produce the authenticated authentication request 135. It is to be appreciated that the smart card authentication secrets can be securely set and updated by authorized entities on the World Wide Web or by a provider of digital services to the set top box.
The authentication, by way of a non-limiting example, is preferably performed by applying an RSA signature to the authentication request 120, producing the authenticated authentication request 135. It is to be appreciated that authentication can be performed by other asymmetric signature schemes which enable multiple signing, such as ElGamal and Fiat Shamir.
The smart card 130 sends the authenticated authentication request 135 back to the smart card I/O port 220, via the smart card receptacle 129. The smart card I/O port 220 then sends the authenticated authentication request 135 to the transfer module 225.
The transfer module 225 authenticates the authenticated authentication request 135, using the authentication module 230 to produce the twice-authenticated authentication request 140. The authentication module 230 preferably performs the authentication based on a secret comprised within the set top box 125. The authentication is preferably performed by applying an RSA signature to the authenticated authentication request 135. The transfer module 225 then transfers the twice-authenticated authentication request 140 to the device I/O port 200, and the device I/O port 200 sends the twice-authenticated authentication request 140 to the device 105 via the home network 110 (Fig. 1).
It is to be appreciated that, whereas the smart card 130 performed a first authentication and the authentication module 230 performed a second .
authentication, an alternative preferred embodiment of the present invention may comprise the authentication module 230 performing the first authentication, and the smart card 130 performing the second authentication. Such an alternative preferred embodiment is described in more detail below with reference to Fig. 3. In accordance with an alternative preferred embodiment of the present invention, the authentication processor 210 causes the transfer module 225 to directly transfer the authenticated authentication request 135 to the device I/O port 200 without an authentication being performed by the authentication module 230. The device I/O port 200 then sends the authenticated authentication request 135 to the device 105 via the home network 110 (Fig. 1).
It is to be appreciated that the smart card 130 and the set top box 125 preferably comprise secrets. For security reasons, the secrets are preferably, although not necessarily, separate from secrets used for television signal descrambling. Persons skilled in the art will appreciate that new set top boxes which include a unique secret, are well known in the art. Modern set top boxes are also equipped with cryptographic hardware and software, implementing, for example, and without limiting the generality of the foregoing, hash functions, and symmetric and non-symmetric encryption. It is to be appreciated that the smart card 130 may optionally be used to store secret tokens received from external entities which request authentication. If the smart card 130 stores the secret tokens, the smart card 130 preferably allocates an area of NVEAM for storing the secret tokens. The secret tokens can be then requested and used by the external entities as a means to prove the external entities' identity to a third party.
It is to be appreciated that the smart card 130 and the set top box 125. comprise software and hardware capable of computing cryptographic functions without interrupting their central task, which is descrambling scrambled video and providing conditional access services. Smart cards with the mathematical processing power required for the cryptographic functions are commonplace. It is to be appreciated that authentication based on applying an RSA signature, combining a smart card secret and a set top box secret without sharing them, is particularly secure. A message, to which an RSA signature is applied in turn by the smart card 130 using the smart card 130 private key and by the set top box 125 using the set top box 125 private key, is verified by a public key which combines the smart card 130 and the set top 125 box public keys.
For example, given the authentication request 140 termed "M" for purpose of abbreviation, the smart card 130 private key Sl, and the set top box 125 private key S2, the RSA-signed twice-authenticated authentication request 140 is equal to RS AS2(RS A81(M)).
In order to verify the twice-authenticated authentication request 140, the RSA function is applied in reverse order, using the smart card 130 public key Pl, and the set top box 125 public key P2, as follows: RSAP1(RSAP2(RSAS2(RSAS1(M)))) = RSAPi(RSAsl(M)) = M. Persons skilled in the art will appreciate that a message decrypted by using the public keys of the smart card 130 and the set top box 125 is authenticated as having been signed by both the smart card 130 and the set top box 125.
A preferred embodiment of the present invention improves the security provided by the above scheme even further, by using a multi-signature authentication scheme. The multi-signature authentication scheme uses a single public key P3, equal to the modular product of Pl and P2, for authentication of the signature created by the smart card 130 and the set top box 125, as follows: RSAP3(RSAS2(RSAS1(M))) = RSAP1(RSAP2(RSAS2(RSAS1(M))))
Figure imgf000017_0001
Persons skilled in the art will appreciate that M is preferably modified prior to the first authentication operation by appending additional data fields to M. Of the data fields, some are constants fields, and some are randomly generated fields. The constant fields are verified by the party requesting the authentication, after the party verifies the authentication signature. The use of the constant and the random fields contributes to the security of the signature scheme, by preventing known types of attacks on asymmetrical signature schemes.
In a preferred embodiment of the present invention, M is modified prior to the first authentication operation by concatenating the following string to M (the double pipe indicates the concatenation operation): Time Stamp || set top box ID || smart card ID || 8 Zero bytes || 8 Random bytes.
Reference is now made to Fig. 3, which is a simplified functional block diagram illustration depicting an alternative preferred method of operation of the system of Fig. 1.
Fig. 3 depicts a set top box 305 which is substantially the same as the set top box 125 of Fig. 2, except that the set top box 305 preferably includes an authentication processor 310 having the authentication module 230 disposed between the receive module 205 and the request module 215. The operation of the set top box 305 depicted in Fig. 3 is substantially the same as the operation of the set top box 125 depicted in Fig. 2, except for the following differences.
The receive module 205 sends the authentication request 120 to the authentication module 230. The authentication module 230 authenticates the authentication request 120, producing an authenticated authentication request 320.
The authentication module 230 sends the authenticated authentication request 320 to the request module 215.
The request module 215 sends the authenticated authentication request 320 to the smart card 130 via the smart card I/O port 220 and the smart card receptacle 129.
The smart card 130 performs a second authentication on the authenticated authentication request 320, producing a twice-authenticated authentication request 330.
The twice-authenticated authentication request 330 is transferred back to the device 105 similarly to the preferred method described with reference to Fig. 2, that is, the smart card 130 sends the twice-authenticated authentication
request 330 back to the smart card I/O port 220, the smart card I/O port sends the twice-authenticated authentication request 330 to the transfer module 225, the transfer module 225 sends the twice-authenticated authentication request 330 to the device I/O port 200, and the device I/O port 200 sends the twice-authenticated authentication request 330 to the device 105 via the home network 110 (Fig. 1). Reference is now made to Fig. 4 which is a simplified flowchart illustration of a preferred method for providing authentication by the system of Fig. 1. The method of Fig. 4 is self-explanatory in light of the above discussion of Figs. 1 - 3.
It is appreciated that various features of the invention which are, for clarity, described in the contexts of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable sub-combination.
It will be appreciated by persons skilled in the art that the present invention is not limited by what has been particularly shown and described hereinabove. Rather the scope of the invention is defined only by the claims which follow:

Claims

What is claimed is:CLAIMS
1. A set top box interacting with a smart card for providing authentication services to a device, the device being external to the set top box, the set top box and the device being operatively associated, the set top box comprising: a smart card receptacle for receiving the smart card therein, a smart card I/O port operatively connected to the smart card receptacle, the smart card I/O port being operative to communicate with the smart card, a device I/O port to: communicate with the device; and receive a request from the device for an authentication service, and an authentication processor, operatively connecting the device I/O port and the smart card I/O port, the authentication processor comprising: a receive module to receive the request for the authentication service from the device I/O port, a request module to request the smart card, via the smart card I/O port, to perform at least a first part of the authentication service, and a transfer module to transfer to the device, via the device I/O port, a result of the authentication service based on a result of the at least first part of the authentication service performed by the smart card.
2. The set top box according to claim 1, wherein the authentication processor further comprises an authentication module to perform a second part of the authentication service.
3. The set top box according to claim 2, wherein the authentication module is operative to authenticate the result of the at least first part of the authentication service performed by the smart card.
4. The set top box according to claim 2, wherein the authentication module is operative to perform the second part of the authentication service prior to the request module requesting the smart card to perform the at least first part of the authentication service.
5. The set top box according to any of claims 2 - 4, wherein the authentication module uses a secret to perform the authentication.
6. The set top box according to claim 5, wherein the authentication module authenticates using an RSA signature.
7. The set top box according to claim 5, wherein the authentication module authenticates using an ElGamal signature.
8. The set top box according to claim 5, wherein the authentication module authenticates using a Fiat-Shamir signature.
9. A system for providing authentication services to a device, the device being external to the system, the system comprising: a smart card operative to perform authentication services, and a set top box comprising: a device I/O port to: communicate with the device; and receive a request from the device for an authentication service, a smart card receptacle, for receiving the smart card therein, a smart card I/O port, operatively connected to the smart card receptacle, the smart card I/O port being operative to communicate with the smart card, and an authentication processor operatively connecting the device I/O port and the smart card I/O port, the authentication processor comprising: a receive module to receive the request for the authentication service from the device I/O port, a request module to request the smart card, via the smart card I/O port, to perform at least a first part of the authentication service, and a transfer module to transfer to the device, via the device I/O port, a result of the authentication service based on a result of the at least first part of the authentication service performed by the smart card.
10. The system according to claim 9, wherein the authentication processor further comprises an authentication module to perform a second part of the authentication service.
11. The system according to claim 10, wherein the authentication module is operative to authenticate the result of the at least first part of the authentication service performed by the smart card.
12. The system according to claim 10, wherein the authentication module is operative to perform the second part of the authentication service prior to the request module requesting the smart card to perform the at least first part of the authentication service.
13. The system according to any of claims 10 - 12, wherein the authentication module uses a secret to perform the authentication.
14. The system according to claim 13, wherein the authentication module authenticates using an RSA signature.
15. The system according to claim 13, wherein the authentication module authenticates using an ElGamal signature.
16. The system according to claim 13, wherein the authentication module authenticates using a Fiat-Shamir signature.
17. In an environment comprising a set top box interacting with a smart card and a device operatively associated with the set top box, the device being external to the set top box, a method for providing authentication services to the device, the method comprising: the set top box receiving a request from the device to perform an authentication service, the set top box requesting the smart card to perform at least a first part of the authentication service, the set top box receiving from the smart card a result of the at least first part of the authentication service performed by the smart card, and the set top box transferring to the device a result of the authentication process based on the result of the at least first part of the authentication service received from the smart card.
18. The method according to claim 17, wherein the set top box performs a second part of the authorization service.
19. The method according to any of claims 17 - 18, wherein the smart card performs the at least first part of the authentication service, and provides the result of the performing the at least first part of the authentication request to the set top box.
20. The method according to claim 19, wherein the smart card performs the at least first part of the authentication service using a secret.
21. A set top box interacting with a smart card for providing authentication services to a device, the device being external to the set top box, the set top box and the device being operatively associated, the set top box comprising: ' a smart card receptacle for receiving the smart card therein, a smart card I/O port operatively connected to the smart card receptacle, the smart card I/O port being operative to communicate with the smart card, a device I/O port operative to: communicate with the device; and receive a request from the device for an authentication service, and an authentication processor, operatively connecting the device I/O port and the smart card I/O port, the authentication processor comprising: a receive module to receive the request for the authentication service from the device I/O port, a request module to request the smart card, via the smart card
I/O port, to perform a first part of the authentication service, an authentication module to perform a second part of the authentication service, and a transfer module to transfer to the device, via the device I/O port, a result of the authentication service based on: a result of the first part of the authentication service performed by the smart card; and a result of the second part of the authentication service performed by the authentication module.
22. A system for providing authentication services to a device, the device being external to the system, the system comprising: a smart card operative to perform authentication services, and a set top box comprising: a device I/O port operative to: communicate with the device; and receive a request from the device for an authentication service, a smart card receptacle, for receiving the smart card therein, a smart card I/O port, operatively connected to the smart card receptacle, the smart card I/O port being operative to communicate with the smart card, and an authentication processor operatively connecting the device I/O port and the smart card I/O port, the authentication processor comprising: a receive module to receive the request for the authentication service from the device I/O port, a request module to request the smart card, via the smart card I/O port, to perform a first part of the authentication service, . an authentication module to perform a second part of the authentication service, and a transfer module to transfer to the device, via the device I/O port, a result of the authentication service based on: a result of the first part of the authentication service performed by the smart card; and a result of the second part of the authentication performed by the authentication module.
23. In an environment comprising a set top box interacting with a smart card and a device operatively associated with the set top box, the device being external to the set top box, a method for providing authentication services to the device, the method comprising: the set top box receiving a request from the device to perform an authentication service, the set top box requesting the smart card to perform a first part of the authentication service, the set top box receiving from the smart card a result of the first part of the authentication service performed by the smart card, the set top box performing a second part of the authorization service, and the set top box transferring to the device a result of the authentication process based on: a result of the first part of the authentication service received from the smart card; and a result of the second part of the . authentication service performed by the set top box.
PCT/IL2006/000808 2006-01-09 2006-07-12 Authentication in a network Ceased WO2007080566A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IL173039A IL173039A0 (en) 2006-01-09 2006-01-09 Authentication with a smart card and a set top box on a network
IL173039 2006-01-09

Publications (2)

Publication Number Publication Date
WO2007080566A2 true WO2007080566A2 (en) 2007-07-19
WO2007080566A3 WO2007080566A3 (en) 2007-09-13

Family

ID=38256700

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2006/000808 Ceased WO2007080566A2 (en) 2006-01-09 2006-07-12 Authentication in a network

Country Status (2)

Country Link
IL (1) IL173039A0 (en)
WO (1) WO2007080566A2 (en)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7398549B2 (en) * 2001-05-18 2008-07-08 Imprivata, Inc. Biometric authentication with security against eavesdropping

Also Published As

Publication number Publication date
WO2007080566A3 (en) 2007-09-13
IL173039A0 (en) 2007-07-04

Similar Documents

Publication Publication Date Title
US12244739B2 (en) Confidential authentication and provisioning
JP7119040B2 (en) Data transmission method, device and system
US12353519B2 (en) Digital rights management authorization token pairing
CN101421968B (en) Authentication system for networked computer applications
TW453089B (en) Protecting information in a system
US7200230B2 (en) System and method for controlling and enforcing access rights to encrypted media
US20030140257A1 (en) Encryption, authentication, and key management for multimedia content pre-encryption
US8565420B2 (en) Source centric sanction server and methods for use therewith
CN101573910A (en) Apparatus and method for generating and distributing access permissions to digital objects
US20220171832A1 (en) Scalable key management for encrypting digital rights management authorization tokens
Chang et al. An efficient multi-server password authenticated key agreement scheme using smart cards with access control
US20060129812A1 (en) Authentication for admitting parties into a network
KR101255987B1 (en) Paring method between SM and TP in downloadable conditional access system, Setopbox and Authentication device using this
WO2007080566A2 (en) Authentication in a network
KR20220143557A (en) Encryption device, authentication method of system including the same and method of generating signature
KR101282416B1 (en) DCAS, SM, TP and method for certificating security
US20100329460A1 (en) Method and apparatus for assuring enhanced security
EP4654050A1 (en) License server, client device and provisioning server for dynamic drm and related methods
Wong et al. A Web-based secure system for the distributed printing of documents and images
WO2025242540A1 (en) License server, client device and provisioning server for dynamic drm and related methods
HK40050571A (en) Processing method, device, electronic equipment and computer storage medium of coupon
WO2005055516A1 (en) Method and apparatus for data certification by a plurality of users using a single key pair
EP2493115A2 (en) Sanctioned client device and methods for content protection
MXPA99011219A (en) Conditional access system for set-top boxes
KR20060063876A (en) Authentication to get subscribers into the network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06766130

Country of ref document: EP

Kind code of ref document: A2