The disclosure addresses security profiles, such as a security profile for a computing device that may control various aspects of access to content; for instance, the security profile may detail the strength of passwords, keys, and/or other hardware/software aspects that determine who can access a particular piece of content, and when, how, and where the content is accessible. For instance, a security profile may be as simple as requiring a single password of a predetermined strength (e.g., based on the length of the password, mixture of alphanumeric characters, etc.) to allow a user to access the computing device. In other cases, multiple passwords of a predetermined strength may be required (e.g., a password dynamically generated by a security token in addition to a standard static password) for access to the computing device. The security token may also store cryptographic keys (e.g., digital signatures, biometric data, etc.) that serve as authorization credentials. The security token itself may be tamper resistant and may require an additional personal identification number (PIN) to show an electronic key.
In yet other cases, the disclosure addresses the strength of a security profile associated with a computing device. The strength of a security profile may relate to where authentication credentials are stored within the memory of a secure computing device. In these cases, the ease with which the authentication credentials may be accessed and modified may ultimately determine the strength of the security profile.
Personal computers (PCs) and many mobile devices have security profiles that are considered somewhat less secure than devices such as, for example, digital set-top boxes for cable, satellite, and Internet Protocol television (IPTV) systems. Different device classes (e.g., PC versus set top box) may have distinct security capabilities. For example, the PC hardware platform may have no inherent security features. In contrast, the set-top box may be manufactured with special purpose security hardware. Moreover, the user experience anticipated by each device may also limit security capabilities. For example, a set-top box user may not be expected to repeatedly input user credentials. The combination of these and other factors may result in disparate security challenge mechanisms and capabilities resulting in a corresponding set of security profiles. The security profile assigned to a device may lend itself to the quality and integrity of the security services delivered by the device. For example, the security features in a set-top box may be far superior to security features in a PC and, therefore, trust in a device's capability to deliver content as planned by deterring abuse may vary.
Pursuant to the disclosure, some devices have lower security profiles for a variety of reasons having to do with how easily hacked the device is, including the fact that many of the cryptographic security keys associated with the device may not be adequately protected because they are stored in random access memory (RAM), the certificates may be burned into read-only memory (ROM), the media access control (MAC) address may be easily modified, there are no hardware roots of trust or any method to store a key and identity securely, and/or the devices may be susceptible to large-scale cloning. For example, PCs and other devices may lack hardware security features accessible to third-party application developers targeting those devices. In fact, most PCs may lack hardware security systems and, therefore, persistent and volatile storage components may be rooted in protection mechanisms that may have weak resistance to reverse engineering. Meanwhile, some mobile phones may possess strong hardware cryptographic modules. However, access to these modules by third-parties may be non-existent, inferior, or hidden from user-space interfaces. One of the highest priorities for content distribution systems is to ensure that devices logging in to a customer account are paying for services and not stealing these services. With the less secure profiles of devices such as those mentioned above, ensuring that each user is obtaining legitimate services is very difficult to do, especially without a national billing and account management system. In fact, as mentioned above, many consumer devices may be easily cloned and run on someone else's account in a different part of the country when the billing system and account management are different entities.
Therefore, improved and/or alternative methods/systems are needed to enable devices to access content.