This invention is related in general to digital rights management and more specifically to a system using a distributed approach to provide authentication, provisioning, access, authorization and other aspects of digital rights management in a widespread distribution system such as digital cable television.
Digital rights management (DRM) systems attempt to ensure that content creators, publishers, distributors and other commercial handlers of content can restrict access and control delivery and presentation of content. A DRM system also helps ensure that viewers, or users, of the content receive what they expect to receive, i.e., that for which they have paid, subscribed or licensed. However, difficulties arise when trying to implement efficient DRM in a huge, multi-user, multi-provider system that includes many entities desiring to act without centralized restrictions. Such a system is found, for example, in a digital cable television network. Such a network may have dozens of content providers, hundreds or thousands of distribution entities, and millions of end users.
One traditional approach to authentication and access to services (or content) via a digital network is Kerberos. Kerberos is an authentication service developed by the Massachusetts Institute of Technology. Information on Kerberos can be found in RFC 1510 and at other sources, e.g., at http://nii.isi.edu/publications/kerberos-neuman-tso.html, or at http://nii.isi.edu/info/kerberos/. Kerberos uses an authentication server to generate session keys so that a user who requests access to content from another supplier (e.g., a server computer) is provided with a session key and a ticket. The user sends the session key and ticket to the server computer so that the desired content (or service) can be obtained.
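The following is an added illustration of the Kerberos-style exchange just described; it is not code from this document or from MIT Kerberos. An authentication server holds every principal's long-term key, hands the user a session key together with a ticket sealed under the content server's key, and the content server later recovers the session key from that ticket without contacting the authentication server. The principal names, keys, timestamps and the sealing scheme are all constructed for the example: real Kerberos uses standardized encryption types (DES in RFC 1510, AES in current deployments), whereas the HMAC-SHA256 keystream with an HMAC tag below is a stand-in so the script runs with only the Python standard library.

```python
"""Toy Kerberos-style ticket exchange (constructed example, standard library only)."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from HMAC-SHA256 in counter mode (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC a JSON payload: nonce || ciphertext || tag."""
    plaintext = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt. Rejects anything not sealed under `key`."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: blob forged or sealed under a different key")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class AuthenticationServer:
    """The single authentication server: the only party holding every long-term key."""

    def __init__(self, keys: dict):
        self.keys = keys  # principal name -> long-term key (constructed key database)

    def request_ticket(self, user: str, service: str, lifetime: int = 300, now=None) -> bytes:
        now = time.time() if now is None else now
        session_key = os.urandom(32)
        # The ticket is sealed under the service's key: the user carries it but cannot
        # read or alter it, and the service needs no call back to this server.
        ticket = seal(self.keys[service], {"user": user, "service": service,
                                           "session_key": session_key.hex(),
                                           "expires": now + lifetime})
        # The reply is sealed under the user's key, so only that user learns the session key.
        return seal(self.keys[user], {"session_key": session_key.hex(),
                                      "service": service, "ticket": ticket.hex()})


def client_obtain(user_key: bytes, reply: bytes):
    """User side: open the reply and keep the session key and opaque ticket."""
    msg = unseal(user_key, reply)
    return bytes.fromhex(msg["session_key"]), bytes.fromhex(msg["ticket"])


def client_request(user: str, session_key: bytes, ticket: bytes, now=None):
    """User side: present the ticket plus a fresh authenticator sealed under the session key."""
    now = time.time() if now is None else now
    return ticket, seal(session_key, {"user": user, "timestamp": now})


class ContentServer:
    """Service side: validates tickets with its own key only; keeps a replay cache."""

    def __init__(self, name: str, key: bytes, skew: float = 60.0):
        self.name, self.key, self.skew = name, key, skew
        self.seen = set()  # (user, timestamp) pairs already accepted

    def serve(self, ticket: bytes, authenticator: bytes, now=None) -> bytes:
        now = time.time() if now is None else now
        try:
            t = unseal(self.key, ticket)
        except ValueError as exc:
            raise PermissionError(f"ticket rejected: {exc}")
        if t["service"] != self.name or now > t["expires"]:
            raise PermissionError("ticket not for this service or expired")
        session_key = bytes.fromhex(t["session_key"])
        try:
            a = unseal(session_key, authenticator)
        except ValueError as exc:
            raise PermissionError(f"authenticator rejected: {exc}")
        if a["user"] != t["user"] or abs(now - a["timestamp"]) > self.skew:
            raise PermissionError("authenticator does not match ticket or is stale")
        if (a["user"], a["timestamp"]) in self.seen:
            raise PermissionError("authenticator replayed")
        self.seen.add((a["user"], a["timestamp"]))
        return session_key  # the shared key now protects the content delivery


def demo() -> bool:
    """Full exchange with constructed principals 'alice' (user) and 'vod' (content server)."""
    keys = {"alice": os.urandom(32), "vod": os.urandom(32)}
    auth = AuthenticationServer(keys)
    sk, ticket = client_obtain(keys["alice"], auth.request_ticket("alice", "vod", now=1000.0))
    server = ContentServer("vod", keys["vod"])
    return server.serve(*client_request("alice", sk, ticket, now=1005.0), now=1005.0) == sk


if __name__ == "__main__":
    print("exchange succeeded:", demo())
```

Note that the content server verifies the ticket with its own long-term key and never contacts the authentication server, yet every grant still originates from the one server that holds the key database; that is the centralization the following paragraphs identify as unsuitable for a network where headends and nodes must grant or revoke access on their own.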
An approach with a single centralized Kerberos-based Authentication Server and a single centralized Provisioning Server works well for small networks (e.g., campus or corporate local area networks (LANs)), but it is not suitable for a very large network where access grants must come from multiple entities. For example, in a digital cable television network, localized distribution occurs at headends, secondary headends, primary nodes and other nodes. Operators at the headends and nodes may need to grant or revoke access, change access rights, etc., without going to a central authority. Other entities involved in the system, such as broadband operators and content providers, may also desire such abilities.
Also, different subscription programs may require different provisioning. For example, cable service providers offer subscriptions that include different content and channels that vary among different physical geographic areas, logical viewer groupings, etc. These subscription programs can change relative to other programs, as, for example, when a local sporting event is blacked out in the city hosting the event. Subscribers may bundle different programs and channels into a given package subscription, etc. Thus, any DRM system must be localizable for certain purposes and must be able to handle different access and provisioning rules.
Although the Kerberos architecture provides a general mechanism, called realms, for handling distributed authentication, this mechanism does not adequately address, or improve upon, the deficiencies noted herein for digital rights management systems.
Thus, it is desirable to provide a system that improves upon shortcomings in the prior art.