1. Field of the Invention
The present invention relates generally to broadcast data encryption that uses encryption keys.
2. Description of the Related Art
The above-referenced applications disclose a system for encrypting publicly sold music, videos, and other content. As set forth therein, only authorized player-recorders can play and/or copy the content and only in accordance with rules established by the vendor of the content. In this way, pirated copies of content, which currently cost content providers billions of dollars each year, can be prevented.
In the encryption method disclosed in the above-referenced patent, authorized player-recorders are issued software-implemented device keys from a matrix of device keys. Specifically, the matrix of device keys includes plural rows and columns of keys, and each authorized player-recorder is issued a single key from each column. Each column might contain many thousands of rows. The keys can be issued simultaneously with each other or over time, but in any event, no player-recorder is supposed to have more than one device key per column of the matrix. Although two devices might share the same key from the same column, the chances that any two devices share exactly the same set of keys from all the columns of the matrix are very small when keys are randomly assigned.
Using any one of its device keys, an authorized player-recorder can decrypt a media key that in turn can be used to decrypt content that is contained on, e.g., a disk and that has been encrypted using the media key. Because the player-recorder is an authorized device that is programmed to follow content protection rules, it then plays/copies the content in accordance with predefined rules that protect copyright owners' rights in digitized, publicly sold content.
In the event that a device (and its keys) becomes compromised, deliberately or by mistake, it is necessary to revoke the keys of that device. The above-referenced documents describe how to do this. Revoking a set of keys effectively renders the compromised device (and any clones thereof) inoperable to play content that is produced after the revocation. Of course, since more than one device can share any particular key with the compromised device, revoking a set of device keys will result in revoking some keys held by innocent devices. When only a small number of revocations occur, however, this is not a problem, since only one key in a set is required for decryption, and it will be recalled that the chance that an innocent device shares an entire set of keys with any other device is very small. Accordingly, it is unlikely that revoking the set of keys of a compromised device will result in rendering an innocent device unable to decrypt content.
One way to assign device keys is, for each device, to simply pick a key at random from every column. The present invention recognizes that this approach might not afford as much security as might be hoped if device keys are assigned to “bad” device manufacturers. More specifically, a “bad” manufacturer might be one who deliberately divulges the keys that have been assigned to its devices or through malfeasance permits such divulgation or discovery. In any case, if a single manufacturer compromises a large number of device keys, it will readily be appreciated that a large number of revocations must occur, increasing the likelihood of crippling an innocent device, which might eventually break the entire system.
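The effect described in the two preceding paragraphs can be checked numerically; the following is an added example, not part of the patent text. It models device keys as row indices only (no cryptography), and the 16-row, 4-column matrix, the function names and the random seed are constructed for illustration.

```python
import random

def assign_device(rows, cols, rng):
    """Random assignment: one row index (key) drawn from every column."""
    return tuple(rng.randrange(rows) for _ in range(cols))

def revoke(compromised, cols):
    """Per-column sets of revoked rows covering every key of each compromised device."""
    revoked = [set() for _ in range(cols)]
    for device in compromised:
        for col, row in enumerate(device):
            revoked[col].add(row)
    return revoked

def can_decrypt(device, revoked):
    """One surviving key in any column is enough to recover the media key."""
    return any(row not in revoked[col] for col, row in enumerate(device))

def expected_lockout(rows, cols, n_revoked):
    """Chance that an innocent device has all of its keys revoked (columns are independent)."""
    p_col = 1.0 - (1.0 - 1.0 / rows) ** n_revoked
    return p_col ** cols

def simulated_lockout(rows, cols, n_revoked, trials, seed=1):
    """Revoke n_revoked random devices, then sample innocent devices against that revocation."""
    rng = random.Random(seed)
    revoked = revoke([assign_device(rows, cols, rng) for _ in range(n_revoked)], cols)
    locked = sum(not can_decrypt(assign_device(rows, cols, rng), revoked)
                 for _ in range(trials))
    return locked / trials, revoked

if __name__ == "__main__":
    ROWS, COLS = 16, 4  # constructed toy matrix; the page describes thousands of rows
    for n in (1, 4, 16, 64):
        rate, _ = simulated_lockout(ROWS, COLS, n, trials=20000)
        print(f"{n:3d} revocations: exact {expected_lockout(ROWS, COLS, n):.4f}, simulated {rate:.4f}")
```

With few revocations the lockout probability for an innocent device stays negligible, but it climbs steeply once the number of revoked devices approaches the number of rows per column.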
The present invention further understands that to address the above concerns, each manufacturer can be given keys from only a fraction of the key matrix. While technically sound, this approach can give the appearance that some manufacturers might be receiving “better” keys than others. The present invention makes the critical observation that key assignments should be made in a way that provably is benign, in that it does not assume a priori that any manufacturer is “bad” or that the assignment scheme otherwise discriminates against a manufacturer for any reason, including size. Moreover, the present invention understands that a key assignment method should be able to account for a predefined total number of revoked devices that an encryption system can tolerate over the lifetime of the system, as well as being capable of being “tuned” in the event that some input parameters of the assignment method require changing over the lifetime of the system. The present invention has made the critical observations noted above and has provided the below solutions to one or more of the observations.