The present invention relates generally to the field of data communication and more specifically to digital rights management functions for securely communicating content between components of a network.
Conventional digital rights management systems for securing content transmitted through communication networks, such as the Internet, are becoming well known. Rights management systems are needed because a fundamental problem facing content providers is how to prevent the unauthorized use and distribution of digital content. Content providers are concerned with getting compensated for their content and depriving unauthorized consumers of such content.
Many digital rights management schemes are implemented using “encryption/decryption” of the digital content. Encryption is the conversion of data into an unintelligible form, e.g., ciphertext, that cannot be easily understood by unauthorized clients. Decryption is the process of converting encrypted content back into its original form such that it becomes intelligible. Simple ciphers include the rotation of letters in the alphabet, the substitution of letters for numbers, and the “scrambling” of voice signals by inverting the side-band frequencies. More complex ciphers work according to sophisticated computer algorithms that rearrange the data bits in digital information content.
In order to easily recover the encrypted information content, the correct decryption key is required. The key is a parameter to both the encryption and decryption algorithms, where a different value of a key produces an unpredictably different result during both the encryption and decryption processes. The larger the key size, the more difficult it becomes to correctly guess the value of the key and thus decode the communications without the knowledge of the key. Generally, there are two types of key schemes for encryption/decryption systems, namely (1) PKS (public key systems) or asymmetric systems which utilize two different keys, one for encryption, or signing, and one for decryption, or verifying; and (2) nonpublic key systems that are known as symmetric, or secret key, systems in which typically the encryption and decryption keys are the same. With both public and secret key systems, key management is employed to distribute keys and properly authenticate parties for receiving the keys.
One related art key management system developed at MIT is known as the Kerberos protocol. Kerberos is a key management protocol, allowing a party to establish shared session keys with different network services by using a KDC (key distribution center) and the concept of tickets. A ticket is used to securely pass to a server a session key along with the identity of the client for whom the ticket was issued. A ticket is tamperproof and can be safely stored by the clients, allowing servers to remain stateless (a server can re-learn the session key each time that the client passes it the ticket). Thus, the concept of tickets improves scalability of servers in terms of the number of clients that they can support. Disadvantageously, Kerberos is relatively complex and includes many different options, which are not always applicable to particular applications. Moreover, modifying such a complex system is not an option because such modifications to an unfamiliar system add the risk of introducing additional errors. Another disadvantage of Kerberos is that it does not specify the details of performing key management between a client and a server once a ticket is obtained (only some basic building blocks are provided).
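The ticket mechanism described above, as an added example that is not part of the original text: a KDC seals a session key and the client identity under a long-term key it shares with the server, and the server recovers both from the ticket alone and rejects a modified ticket. The HMAC-based sealing, the field names and the client name are assumptions made for illustration and do not follow the actual Kerberos ticket encoding.

```python
import hashlib
import hmac
import json
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (illustrative only).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _subkeys(service_key: bytes):
    # Separate encryption and MAC keys derived from the long-term service key.
    enc = hmac.new(service_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(service_key, b"mac", hashlib.sha256).digest()
    return enc, mac

def kdc_issue_ticket(service_key: bytes, client: str):
    """KDC side: returns (session key for the client, opaque ticket for the server)."""
    session_key = os.urandom(32)
    body = json.dumps({"client": client, "session_key": session_key.hex()}).encode()
    enc_key, mac_key = _subkeys(service_key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return session_key, nonce + ct + tag

def server_accept_ticket(service_key: bytes, ticket: bytes):
    """Server side: keeps no per-client state; everything is re-learned from the ticket."""
    nonce, ct, tag = ticket[:16], ticket[16:-32], ticket[-32:]
    enc_key, mac_key = _subkeys(service_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket rejected: integrity check failed")
    body = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    fields = json.loads(body)
    return fields["client"], bytes.fromhex(fields["session_key"])

def demo():
    service_key = os.urandom(32)  # constructed: long-term key shared by KDC and server
    session_key, ticket = kdc_issue_ticket(service_key, "consumer116@example")
    client, learned = server_accept_ticket(service_key, ticket)
    tampered = ticket[:20] + bytes([ticket[20] ^ 1]) + ticket[21:]  # flip one bit
    rejected = False
    try:
        server_accept_ticket(service_key, tampered)
    except ValueError:
        rejected = True
    return client, learned == session_key, rejected
```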
A growing interest in streaming distribution of multimedia content over Internet Protocol (IP) networks has resulted in a growing need for key management systems. One such streaming distribution system is the Aerocast Network™ developed by Aerocast, Inc. of San Diego, Calif. As discussed with reference to FIG. 1, although the existing phase 1 Aerocast Network facilitates delivery of content, it lacks security and key management for the network.
FIG. 1 is a block diagram of a network 100 (by Aerocast) for facilitating streaming of content over a communication network. Among other components, network 100 includes a content provider 102 for generating content intended for a consumer 116, Internet 114 through which content is streamed, and a central server 104 to which content provider 102 publishes its contents. Central server 104 contains a database 108 for storing content information, and a search engine 110 for searching database 108. Network 100 further comprises a provisioning center 106, and caching servers 112, 113 and 115.
In operation, consumer 116 wishing to access content by content provider 102 streams the content from the closest caching server, in this case, caching server 115. In conventional systems without caching servers, consumer 116 desiring such content streams obtains the content directly from content provider 102. Not only does this result in poor content quality, but delays associated with inadequate bandwidth may also result. By using the caching servers, network 100 avoids disadvantages associated with direct streaming of digital content from content provider 102. Caching servers 112, 113 and 115 may be local DSL (digital subscriber line) providers, for example.
Network 100 provides a further advantage. When searching for content, consumer 116 need not search any and all databases on Internet 114. All content providers (including content provider 102) on network 100 publish descriptions of their content to a single central database 108. For video content, for example, such descriptions may include the movie name, actors, etc. In this manner, when content is desired, consumer 116 uses search engine 110 to search database 108. When the content is found, database 108 thereafter provides a link to content provider 102 having the desired content. Content provider 102 is then accessed by consumer 116 to view a more detailed description and other metadata that is associated with the content.
A mechanism is provided whereby consumer 116 provides a list of caching servers closest to it to content provider 102. In response to consumer 116's request, content provider 102 selects the appropriate caching server closest to consumer 116 for streaming the content. It should be observed, however, that in today's Aerocast network content is streamed in the clear by network 100. Disadvantageously, because it is unprotected, the content may be intercepted by an unauthorized consumer resulting in substantial losses to content providers and consumers.
Other disadvantages of network 100 include a lack of authentication, privacy, message integrity and persistent protection.
Therefore, there is a need to resolve the aforementioned problems and the present invention meets this need.