The present invention relates to encrypting and decrypting media files having two portions: a media data portion and a meta data portion, having information related to the media data. For purposes of discussion, a non-limiting example of MPEG 4 files will be described herein.
MPEG-4 is a collection of methods defining compression of audio and visual (AV) digital data, i.e., media data. It was introduced in late 1998 and designated a standard for a group of audio and video coding formats and related technology agreed upon by the Moving Picture Experts Group (MPEG) under the formal standard ISO/IEC 14496—Coding of audio-visual objects. Uses of MPEG-4 include compression of AV data for web (streaming media) and compact disk (CD) distribution, voice (telephone, videophone) and broadcast television applications.
A person may transfer digital media data to another person with rights regarding the use of the digital media data. These digital rights govern the use of the digitized content, non-limiting examples of which include constraints that may be placed on copying ability, number of plays and the time period of usage. To further ensure that only the intended recipient will have access to the digital media data, the digital media data may be encrypted. There are many known encryption algorithms for use with digital media data. Further, media data that has been encoded with the MPEG 4 encoding standard may be encrypted. This will be described in greater detail below with reference to FIGS. 1-5.
FIG. 1 illustrates an example prior art media delivery system 100.
As illustrated in the figure, system 100 includes a transmission side 102, a receiving side 104 and a communication network 106. Transmission side 102 includes a content source 108, an encoder 110, an encryptor 112, a digital rights management (DRM) device 114 and a transmitter 116. Receiving side 104 includes a receiver 118, a decryptor 120, a DRM device 122, a decoder 124 and a media player 126.
Communication between any of the elements of media delivery system 100 may be accomplished by way of any known communication media. Signals typically embody computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism and include any information-delivery media. Non-limiting examples of communications media between any of the elements of media delivery system 100 include wired media, such as wired networks and direct-wired connections, and wireless media such as acoustic, radio-frequency, infrared, etc. The term “tangible computer-readable media” as used herein includes both storage and communications media.
Further, in some embodiments at least one of the elements of media delivery system 100 may be implemented as tangible computer-readable media for carrying or having computer-executable instructions or data structures stored thereon. Such tangible computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer. Non-limiting examples of tangible computer-readable media include physical storage and/or memory media such as RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer. When information is transferred or provided over a network or another communications connection (hardwired and/or wireless, or a combination of hardwired or wireless) to a computer, the computer properly views the connection as a tangible computer-readable medium. Thus, any such connection is properly termed a tangible computer-readable medium. Combinations of the above should also be included within the scope of tangible computer-readable media.
Network 106 is arranged to permit communication between transmission side 102 and receiving side 104.
Content source 108 provides media content data. Encoder 110 is arranged to receive uncompressed content 128 and output compressed content 130. Encryptor 112 is arranged to receive compressed content 130. DRM device 114 is arranged to output a content key 132 and an encrypted content key 134. Encryptor 112 is additionally arranged to receive content key 132 and to output encrypted compressed content 136. Transmitter 116 is arranged to receive encrypted compressed content 136 and encrypted content key 134 and to output encrypted compressed content and encrypted content key 138.
Encrypted compressed content and encrypted content key 138 on transmission side 102 corresponds to encrypted compressed content and encrypted content key 140 on receiving side 104. Encrypted compressed content 136 on transmission side 102 corresponds to encrypted compressed content 142 on receiving side 104. Encrypted content key 134 on transmission side 102 corresponds to encrypted content key 144 on receiving side 104. Content key 132 on transmission side 102 corresponds to content key 146 on receiving side 104. Compressed content 130 on transmission side 102 corresponds to compressed content 148 on receiving side 104. Uncompressed content 128 on transmission side 102 corresponds to uncompressed content 150 on receiving side 104.
Network 106 is arranged to receive encrypted compressed content and encrypted content key 138 and to output encrypted compressed content and encrypted content key 140.
Receiver 118 is arranged to receive encrypted compressed content and encrypted content key 140, to output encrypted compressed content 142 and to output encrypted content key 144. DRM device 122 is arranged to receive encrypted content key 144 and output content key 146. Decryptor 120 is arranged to receive encrypted compressed content 142 and content key 146 and output compressed decrypted content 148. Decoder 124 is arranged to receive compressed decrypted content 148 and output uncompressed decrypted content 150. Media player 126 is arranged to receive uncompressed decrypted content 150.
In operation, transmission side 102 creates media content as an MPEG 4 data file. Non-limiting examples of types of creation include: creating media content as a signal for wired transmission, such as over the Internet or over a telephone line; creating media content as a signal for wireless transmission including broadcast to television; and storing media content on a tangible readable medium that may be read by a tangible medium reader such as a computer.
Network 106 may therefore be any system or arrangement that enables transmission of the MPEG 4 file from transmission side 102 to receiving side 104. Non-limiting examples of types of networks include a wired network, such as the Internet or a telephone network and a cable or satellite broadcast network.
Receiving side 104 decodes a MPEG 4 data file into the original media content for use by a media player. Non-limiting examples of types of MPEG 4 media players include: audio, video and data players.
Returning to transmission side 102, content source 108 may be any source that is capable of generating digital data—including digital audio and digital video (digital AV data). The digital data is provided as a stream of digital bits. This digital stream may be very large. So large, in fact, that transmission or storage may take too much time, energy and (digital storage) space to manage. Accordingly, a compression of the data is used to manage data for transmission or storage. The digital data created by content source 108 is provided as uncompressed content 128 to encoder 110.
Encoder 110 encodes uncompressed content 128, i.e., arranges uncompressed content 128 into an MPEG 4 file having a media data portion and a metadata portion. The media data portion is normally a compressed version of uncompressed content 128. The metadata portion includes information on the arrangement of the compressed version of uncompressed content 128. The metadata portion enables an MPEG 4 decoder to recognize the MPEG 4 file and decompress the compressed version of uncompressed content 128 to retrieve the original uncompressed content 128.
In accordance with the ISO standard for MPEG 4, when uncompressed media data is encoded, it is arranged as a structured data file having a media data portion and a metadata portion. The media data portion includes a compressed form of the uncompressed media data. The metadata is used by an MPEG 4 decoder to decompress the compressed form of the uncompressed media data to recreate the uncompressed media data. The MPEG 4 file is structured as a sequence of objects; some of which may contain other objects. The sequence of objects in the file contains exactly one presentation metadata wrapper (the Movie Box). It is a top level box in the file and usually easy to locate. This will be described in greater detail below with reference to FIG. 2.
FIG. 2 is a representation of an example prior art MPEG4 file 200. File 200 includes a ftyp box 202, a mdat box 204, and a moov box 206. Moov box 206 includes a trak box 208 and a trak box 210. Trak box 208 includes a mdia box 212, which includes a minf box 214, which includes a stbl box 216, which includes a stsd box 218, which includes an MP4V box 220. Trak box 210 includes a mdia box 222, which includes a minf box 224, which includes a stbl box 226, which includes a stsd box 228, which includes an MP4A box 230.
A ftyp box, such as ftyp box 202, provides information related to a file type and compatibility. A mdat box, such as mdat box 204, is the media data container having the digital media data therein. A moov box, such as moov box 206, is a container for the metadata for the media presentation. A trak box, such as trak box 208 and a trak box 210, is a container for an individual track or stream. A mdia box, such as mdia box 212 and mdia box 222, is a container for the media information in a track. A minf box, such as minf box 214 and minf box 224, is a media information container. A stbl box, such as stbl box 216 and stbl box 226, is a sample table box, which is a container for a time/space map. A stsd box, such as stsd box 218 and stsd box 228, contains sample descriptions such as codec types, initialization, etc. In this example, stsd box 218 includes an MP4V box 220 that indicates that the compressed media data within trak 208 is video data that has been compressed with the MPEG 4 standard, whereas stsd box 228 includes an MP4A box 230 that indicates that the compressed media data within trak 210 is audio data that has been compressed with the MPEG 4 standard.
Returning to FIG. 1, after encoder 110 encodes uncompressed content 128, the MPEG 4 file is output as compressed content 130. At this point, the compressed file may be delivered to transmitter 116 for transmission through network 106 to receiving side 104. However, in some cases, the person creating compressed content 130 may want to prevent others from gaining access thereto. Accordingly, compressed content 130 may be encrypted prior to transmission. This is accomplished by way of encryptor 112 and DRM device 114.
To encrypt compressed content 130, DRM device 114 provides content key 132 to encryptor 112. Encryptor 112 may use content key 132 to encrypt compressed content 130 by any encryption method known by the encryptor 112 and decryptor 120. A non-limiting encryption method that will be used for purposes of discussion hereinafter is the Advanced Encryption Standard (AES), which is a symmetric-key encryption standard. This will be described in greater detail below with reference to FIG. 4.
DRM device 114 is used to manage the digital rights information of the content within the media data, i.e., the DRM information. Non-limiting examples of DRM information may include restrictions on the number of times that media content may be played, restrictions on the number of times that media content may be copied or transferred, restrictions on devices that media content is allowed to be copied or transferred to, and restrictions on the length of time that media content can be used from when it was first downloaded or first viewed. DRM device 114 may manage the DRM information by attaching the DRM information to the media data. An authorized receiver of the media data (and DRM information) will have only the conditional access to the media data as defined in the DRM information. DRM device 114 will additionally perform a hand-shake 152 with DRM device 122 on receiver side 104. A non-limiting example of the hand-shake 152 includes exchanging authentications such as with the Public Key Infrastructure (PKI) and establishing a session key between DRM Device 114 and DRM Device 122. As a result of hand-shake 152, in this example, receiving side 104 will be an authorized receiver of the media data, and will therefore have the digital rights to access the content as defined in the DRM information. Further, during hand-shake 152, DRM device 114 will provide to DRM device 122 a key needed to decrypt encrypted content key 144.
In accordance with the MPEG 4 standard, when an MPEG 4 media data file is encrypted, the media data is encrypted and metadata is changed somewhat. This will now be described in greater detail below with reference to FIG. 3.
FIG. 3 is a representation of an example prior art encrypted MPEG4 file 300. File 300 includes ftyp box 202, an mdat box 322 and moov box 206. Moov box 206 includes a trak box 208 and trak box 210. Trak box 208 includes mdia box 212, which includes minf box 214, which includes stbl box 216, which includes stsd box 218, which includes an encv box 302, which includes a sinf box 304, which includes a frma box 306, a schm box 308 and an imif box 310. Trak box 210 includes mdia box 222, which includes minf box 224, which includes stbl box 226, which includes stsd box 228, which includes an enca box 312, which includes a sinf box 314, which includes a frma box 318, a schm box 316 and an imif box 320.
File 300 has similarities with file 200 of FIG. 2. The differences are easy to note. File 300 includes encv box 302 in place of mp4v box 220 of file 200. File 300 additionally includes enca box 312 in place of mp4a box 230 of file 200. Encv box 302 indicates that trak 208 corresponds to encrypted video data, whereas enca box 312 indicates that trak 210 corresponds to encrypted audio data. A sinf box, such as sinf box 304 and sinf box 314, provides information related to the protection scheme. A frma box, such as frma box 306 and 318, is the original format box having information related to the original format of the compressed digital media data within mdat box 322. An imif box, such as imif box 310 and imif box 320, has additional information for Intellectual Property Management Protection, which may include an initial counter. In this example, an initial counter will be located in DRM device 122. A schm box, such as schm box 308 and a schm box 316, is a scheme type box having information related to the protection scheme. In this example, as indicated above, the protection scheme is AES. Finally, mdat box 322 includes encrypted media data corresponding to the nonencrypted data within mdat box 204 of FIG. 2.
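An added example (not part of the original text or of any MPEG-4 implementation): a minimal box walker for the layout of FIG. 3 that reports which sample entries are encv/enca, the original format from frma and the scheme type from schm. The sample files are constructed inline, the scheme type `demo` is a placeholder, and the 78- and 28-byte offsets are the fixed visual and audio sample-entry fields of the ISO base media file format.

```python
import struct

# Boxes whose payload is simply a sequence of child boxes.
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"sinf"}
# Fixed sample-entry fields that sit between the box header and its child boxes.
ENTRY_SKIP = {b"encv": 78, b"enca": 28}

def boxes(buf, start, end):
    """Yield (type, payload_start, box_end) for each box in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1 and pos + 16 <= end:   # 64-bit largesize follows the type
            size, header = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                     # box extends to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"malformed box {kind!r} at offset {pos}")
        yield kind, pos + header, pos + size
        pos += size

def protected_tracks(buf):
    """Return one dict per encrypted sample entry (encv/enca) in the file."""
    found = []
    def walk(start, end, entry):
        for kind, body, stop in boxes(buf, start, end):
            if kind in CONTAINERS:
                walk(body, stop, entry)
            elif kind == b"stsd":            # skip version/flags and entry_count
                walk(body + 8, stop, entry)
            elif kind in ENTRY_SKIP:
                info = {"entry": kind.decode(), "original": None, "scheme": None}
                found.append(info)
                walk(body + ENTRY_SKIP[kind], stop, info)
            elif kind == b"frma" and entry is not None:
                entry["original"] = buf[body:body + 4].decode("latin-1")
            elif kind == b"schm" and entry is not None:   # after version/flags
                entry["scheme"] = buf[body + 4:body + 8].decode("latin-1")
    walk(0, len(buf), None)
    return found

# --- constructed samples mirroring FIG. 3 and FIG. 2 (payloads are placeholders) ---
def box(kind, payload=b""):
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

def trak(entry, skip, original=None):
    body = bytes(skip)
    if original:   # protected entry: sinf holds frma, schm and imif
        body += box(b"sinf", box(b"frma", original)
                    + box(b"schm", bytes(4) + b"demo" + bytes(4)) + box(b"imif", bytes(4)))
    stsd = box(b"stsd", bytes(4) + struct.pack(">I", 1) + box(entry, body))
    return box(b"trak", box(b"mdia", box(b"minf", box(b"stbl", stsd))))

HEAD = box(b"ftyp", b"isom" + bytes(4)) + box(b"mdat", bytes(32))
ENCRYPTED = HEAD + box(b"moov", trak(b"encv", 78, b"mp4v") + trak(b"enca", 28, b"mp4a"))
CLEAR = HEAD + box(b"moov", trak(b"mp4v", 78) + trak(b"mp4a", 28))

if __name__ == "__main__":
    for t in protected_tracks(ENCRYPTED):
        print(t)
```

Because the metadata boxes are not encrypted, this inspection needs no key: the track types, original codecs and protection scheme are readable by anyone who holds the file.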
Encryptor 112 creates file 300 from compressed content 130 by using content key 132. However, returning to FIG. 2, encryptor 112 does not encrypt the metadata of file 200, i.e., all the boxes with the exception of mdat box 204. Accordingly, encryptor 112 is able to determine where the media data is located, i.e. the location of mdat box 204, and only encrypt the media data. Encryptor 112 encrypts only the media data of an MPEG 4 file by using a counter to determine the location of the media data. This will be described in greater detail with reference to FIG. 4.
FIG. 4 is an exploded view of encryptor 112 of example prior art media delivery system 100 of FIG. 1.
As illustrated in FIG. 4, encryptor 112 is arranged to receive unencrypted data 402 corresponding to mdat box 204 (from compressed content 130), an initial counter 404 (from compressed content 130) and content key 132. Encryptor 112 is arranged to output encrypted compressed content 136.
Further, in some embodiments encryptor 112 may be implemented as tangible computer-readable media for carrying or having computer-executable instructions or data structures stored thereon.
In an example embodiment, encryptor 112 performs AES counter mode encryption. In other embodiments, other modes of AES encryption may be performed. In still other embodiments, other encryption methods may be used.
In the example embodiment, wherein encryptor 112 performs AES counter mode encryption, content key 132 is used to encrypt blocks of data to generate the key stream, and the key stream is then XORed with unencrypted data 402. The initial block is encrypted using initial counter 404. Subsequent blocks are encrypted with subsequent increments of initial counter 404. The resulting output is a plurality of encrypted blocks of data as encrypted compressed content 136.
Returning to FIG. 1, once file 300 is created, encryptor 112 provides encrypted compressed content 136 to transmitter 116 for transmission as encrypted compressed content 138. Further, DRM device 114 provides encrypted key 134 to transmitter 116 for transmission to receiving side 104. The encrypted key 134 is encrypted using the key exchanged between the DRM Server 114 and the DRM Client 122 through handshake 152. Encrypted content key 134 is the counterpart to content key 132 that will enable decryptor 120 to decrypt file 300. This will be described in greater detail below. Any known content key exchange method may be used.
Receiver 118 receives encrypted compressed content and encrypted content key 140, provides encrypted content key 144 to DRM device 122 and provides encrypted compressed content 142 to decryptor 120.
Having already completed a hand-shake with DRM device 114, DRM device 122 has a key for decrypting encrypted content key 144. When decryptor 120 receives content, it parses the file. Returning to FIG. 3, if decryptor 120 identifies that the content is encrypted compressed content, for example because it contains an encv box 302, then decryptor 120 will decrypt the file. To decrypt the file, decryptor 120 will first find the sinf box inside the encv box and identify the protection scheme to locate the corresponding DRM device 122. DRM device 122 will further decrypt the encrypted content key 144 and identify the initial counter, for example from imif box 310 of encrypted media file 142 (or imif box 320 for trak 210), or inform decryptor 120 how to identify the initial counter from encrypted media file 142. Later DRM device 122 provides content key 146, and the initial counter if needed, to decryptor 120.
Decryptor 120 only decrypts the encrypted media data of an MPEG 4 file by using content key 146 and the initial counter from DRM Client 122 or from encrypted media file 142, for example from imif box 310. In fact, decryptor 120 is very similar to encryptor 112, with the exception that the XOR devices perform an exclusive OR operation on the key stream and the encrypted data (as opposed to the non-encrypted data as discussed above with reference to FIG. 4). This will be described in greater detail with reference to FIG. 5.
FIG. 5 is an exploded view of decryptor 120 of example prior art media delivery system 100 of FIG. 1.
As illustrated in FIG. 5, decryptor 120 is arranged to receive encrypted data 502 corresponding to mdat box 322 (from encrypted compressed content 142), an initial counter 504 (from encrypted compressed content 142) and content key 146. Decryptor 120 is arranged to output decrypted compressed content 148.
Further, in some embodiments decryptor 120 may be implemented as tangible computer-readable media for carrying or having computer-executable instructions or data structures stored thereon.
In an example embodiment, decryptor 120 performs AES counter mode decryption. In other embodiments, other modes of AES decryption may be performed. In still other embodiments, other decryption methods may be used.
In the example embodiment, wherein decryptor 120 performs AES counter mode decryption, content key 146 is used to encrypt blocks of data to generate the key stream, and the key stream is then XORed with encrypted data 502. The initial block is encrypted using initial counter 504. Subsequent blocks are encrypted with subsequent increments of initial counter 504. The resulting output is a plurality of decrypted blocks of data as decrypted compressed content 148.
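An added example (not the patent's or any product's code) of the counter-mode step described for FIGS. 4 and 5: only the mdat payload is XORed with the key stream, every other box stays in the clear, and the same call decrypts. So that it runs with the standard library alone, AES is replaced by an HMAC-SHA-256 stand-in block function; the key, initial counter and sample file are constructed, and the rewrite of the sample entries to encv/enca is not shown.

```python
import hashlib
import hmac
import struct

BLOCK = 16  # key stream block size in bytes, as for AES

def stand_in_block(key, counter):
    """Stand-in for AES_K(counter): HMAC-SHA-256 truncated to one block."""
    msg = counter.to_bytes(BLOCK, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]

def ctr_xor(key, initial_counter, data):
    """XOR data with E_K(ctr), E_K(ctr+1), ...; one routine encrypts and decrypts."""
    out = bytearray(data)
    for i in range(0, len(out), BLOCK):
        counter = (initial_counter + i // BLOCK) % (1 << (8 * BLOCK))
        ks = stand_in_block(key, counter)
        for j in range(min(BLOCK, len(out) - i)):   # final block may be partial
            out[i + j] ^= ks[j]
    return bytes(out)

def mdat_span(buf):
    """Return (start, end) of the first top-level mdat payload (32-bit sizes only)."""
    pos = 0
    while pos + 8 <= len(buf):
        size, kind = struct.unpack_from(">I4s", buf, pos)
        if size < 8 or pos + size > len(buf):
            raise ValueError("malformed or unsupported box size")
        if kind == b"mdat":
            return pos + 8, pos + size
        pos += size
    raise ValueError("no mdat box found")

def crypt_mdat(buf, key, initial_counter):
    """Transform only the media data; the metadata boxes are copied unchanged."""
    start, end = mdat_span(buf)
    return buf[:start] + ctr_xor(key, initial_counter, buf[start:end]) + buf[end:]

# --- constructed sample: ftyp, mdat and a stub moov ---
def box(kind, payload=b""):
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

KEY = bytes(range(16))          # constructed content key
CTR0 = 1                        # constructed initial counter
PLAIN = (box(b"ftyp", b"isom" + bytes(4))
         + box(b"mdat", b"constructed compressed media bytes, not real video")
         + box(b"moov", box(b"trak")))

if __name__ == "__main__":
    enc = crypt_mdat(PLAIN, KEY, CTR0)
    s, e = mdat_span(PLAIN)
    print("metadata unchanged:", enc[:s] == PLAIN[:s] and enc[e:] == PLAIN[e:])
    print("round trip ok:", crypt_mdat(enc, KEY, CTR0) == PLAIN)
```

Counter mode provides confidentiality only: the box structure and payload length are visible to anyone holding the file, and a receiver that starts from the wrong initial counter produces garbage rather than an error.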
Once decrypted, decryptor 120 provides compressed content 148 to decoder 124. Decoder 124 converts compressed content 148 to uncompressed content 150. In particular, using the MPEG 4 standard, decoder 124 uses the metadata within file 200 to decompress the media data within mdat box 204. As a result, uncompressed content 150 corresponds to the original uncompressed stream of data, i.e., uncompressed content 128 on the transmission side.
Media player 126 may then use uncompressed content 128. Non-limiting examples of use of uncompressed data include displaying a video, playing audio, or executing a program.
What is needed is a system and method for providing additional protection to a delivery of media data files.