1. Technical Field
The invention relates to the storing and viewing of television program material in a computer environment. More particularly, the invention relates to the secure storage, distribution, and maintenance of information in a distributed self-maintaining database management system in a computer environment.
2. Description of the Prior Art
A classic tension exists in the design of automated data processing systems between pure client-server based systems, such as computer mainframe systems or the World Wide Web, and pure distributed systems, such as Networks of Workstations (NOWS) that are used to solve complex computer problems, such as modeling atomic blasts or breaking cryptographic keys.
Client-server systems are popular because they rely on a clean division of responsibility between the server and the client. The server is often costly and specially managed, since it performs computations or stores data for a large number of clients. Each client is inexpensive, having only the local resources needed to interact with the user of the system. A network of reasonable performance is assumed to connect the server and the client. The economic model of these systems is that of centralized management and control driving down the incremental cost of deploying client systems.
However, this model has significant costs that must be considered. For instance, the incremental cost of adding a new client system may be quite high. Additional network capacity must be available, sufficient computing resources must be available to support that client, including storage, memory and computing cycles, and additional operational overhead is needed for each client because of these additional resources. As the central servers become larger and more complex they become much less reliable. Finally, a system failure of the server results in all clients losing service.
Distributed systems are popular because the resources of the system are distributed to each client, which enables more complex functionality within the client. Access to programs or data is faster since they are located with the client, reducing load on the network itself. The system is more reliable, since the failure of a node affects only it. Many computing tasks are easily broken down into portions that can be independently calculated, and these portions are cheaply distributed among the systems involved. This also reduces network bandwidth requirements and limits the impact of a failed node.
On the other hand, a distributed system is more complex to administer, and it may be more difficult to diagnose and solve hardware or software failures.
Television viewing may be modeled as a client-server system, but one where the server-to-client network path is for all intents and purposes of infinite speed, and where the client-to-server path is incoherent and unmanaged. This is a natural artifact of the broadcast nature of television. The cost of adding another viewer is zero, and the service delivered is the same as that delivered to all other viewers.
There have been, and continue to be, many efforts to deliver television programming over computer networks, such as the Internet, or even over a local cable television plant operating as a network. The point-to-point nature of computer networks makes these efforts unwieldy and expensive, since additional resources are required for each additional viewer. Fully interactive television systems, where the viewer totally controls video streaming bandwidth through a client settop device, have proven even more uneconomical because dedication of server resources to each client quickly limits the size of the system that can be profitably built and managed.
However, television viewers show a high degree of interest in choice and control over television viewing. Currently, the majority of Digital Video Recorders (DVR) are client settop devices that provide television viewers with the choice and control over television viewing that they desire. These are products that receive and record to a hard drive, a large amount of audio/video content (television broadcasts, satellite-TV broadcasts, cable-TV broadcasts, and direct downloads of program materials via the Internet).
DVR systems may receive and store A/V content which is of substantial commercial value—first-run and pay-per-view movies, special sporting events, and so forth. The right to record and view such material is usually granted under a license of some sort, and such use-licenses typically have limits. The person buying a use-license to such material is typically not granted permission to make or distribute copies of the material, and in some cases is not permitted to record and replay (“time-shift”) the material at all. In many DVR products, the right to use the DVR features themselves (e.g., program guides, programmed or manual recordings, time-shifting, etc.) is subject to a monthly or other service fee.
Because of the commercial value of this content, DVR systems may be an attractive target for people who seek to avoid the licensing and service fees, or who wish to make copies of the content recorded on the system. Many of the methods by which subversion can be accomplished, involve making changes to the software and data stored on the DVR. A “pirate” might, for example, try to modify or “patch” the DVR software so that it would allow recording of “non-recordable” programs, preserve recordings past the expiration date specified in a viewing license, or access the DVR software features without receiving a “your bill has been paid and your account is up-to-date” authorization from the DVR service provider. A pirate might also wish to install new software which would “read back” a recorded program from the DVR's disk, and transfer the content to another disk or to another computer so that the content could be posted on the Internet or used to manufacture unauthorized DVD or Video CD images.
In order to deter such attacks, it is necessary to prevent the DVR from executing any software which has been modified by an unauthorized party. In order to do this, the DVR must have a way of examining each piece of software it is asked to execute and determine with high precision whether the software is “authorized and not modified”.
It would be advantageous to provide a cryptographically signed filesystem that enables a client system to check if valid software and data are being used with high reliability and acceptable performance. It would further be advantageous to provide a cryptographically signed filesystem that enables a server to create secure software and data packages for transmission to client systems.