1. Field of the Invention
The invention generally concerns protecting digital information that is provided to users of a network by network service providers and more specifically concerns protecting the information against the class of attacks termed replay attacks, that is, attacks which work by replaying decryption information that the user received while he was subscribed to a service to decrypt information from the service after he has dropped his subscription.
2. Description of the Prior Art: FIG. 1
FIG. 1 shows how network service providers currently protect information which they distribute as part of a service from being viewed by network users who have not paid for the service. A service provider 105 employs network 111 to provide instances of services to a device 113 which is in the possession of a service subscriber who has subscribed for a period of time to one or more services provided by service provider 105. Device 113 may take many forms. For example, if service provider 105 is a Community Antenna Television (CATV) broadcaster and network 111 is a CATV network, device 113 may be a set-top box; if service provider 105 is providing the service over the Internet, the device 113 may be a personal computer. As used here, an instance of a service is a single one of the items provided by the service. For example, if the subscriber has subscribed for a service that offers a series of baseball games, each of the games is a single instance of the service.
Service provider 105 ensures that only subscribers to a service are able to view instances of the service by using encryption techniques as shown in FIG. 1. The techniques require two transactions: a first transaction 101 takes place at the beginning of each subscription period, typically at the beginning of each month; the second transaction 103 takes place each time an instance of a service is distributed over network 111. In transaction 101, service provider 105 reads a subscriber data base 107 to determine for each subscriber which services the subscriber is to receive in the coming subscription period. When service provider 105 has determined what services the subscriber is entitled to, service provider 105 makes at least two entitlement messages (EMMs) and sends them to the subscriber's device 113. There are two kinds of EMM: a decryption EMM (DEMM) 108 which contains a session key (SK) 110 that will be used later to decrypt instances of one or more services to which the subscriber is entitled, and an authorization EMM (AEMM) 109 which contains a specification of the services the subscriber is entitled to. The specification appears in FIG. 1 as AI 112. Each subscription period, the subscriber receives DEMMs 108 and AEMMs 109 as required for the services the subscriber has subscribed to. Service subscriber device 113 stores the session keys 110 and the authorization information (AI) 112 received in the EMMs in secure memory 114. The saved information from the EMMs appears in FIG. 1 as SEMI 115.
A transaction 103 occurs each time service provider 105 sends an instance of the service to subscribers. What service provider 105 sends is of course an encrypted instance 117 of the service. In association with encrypted service instance 117, service provider 105 sends a series of entitlement control messages (ECMs) 119. Each ECM 119 corresponds to a part of encrypted service instance 117. An ECM 119 contains two kinds of information: one kind identifies the service that encrypted service instance 117 is an instance of; the other, shown in FIG. 1 as decryption information (DI) 120, is information which, when combined with the session key 110 stored in SEMI 115, permits decryption of encrypted service instance 117 in service subscriber device 113. When service subscriber device 113 receives ECM 119, it provides it to secure processor 116, which takes ECM 119 and SEMI 115 and uses the information contained therein as inputs to entitlement check module 121. Entitlement check module 121 first determines whether service instance 117 is an instance of one of the services currently authorized in SEMI 115 for the user. If it is, entitlement check module 121 employs decryption information 120 and session key 110 to obtain instance key (IK) 123. Instance key 123 is often termed a control word in the arts to which the invention pertains. IK 123 is then used in decrypter 125 to decrypt encrypted service instance 117. Decrypted service instance 127 is thereupon provided to the user. The use of a series of ECMs 119 with a single service instance 117 ensures that instance key 123 will change repeatedly while the service instance 117 is being broadcast and thereby reduces the incentive to a subscriber to make a copy of instance key 123 and distribute it electronically to others who would like to watch service instance 117 but have not paid for it. 
For further details on the kinds of systems just described, see Specification des systemes de la famille MAC/paquets, Document Technique 3258, Bruxelles: Centre technique de l'UER/EBU, October 1986.
As is the case with any encryption scheme, the encryption scheme of FIG. 1 may be subject to various attacks by users who want access to an instance of a service but do not want to pay the subscription price for it. One such attack is the replay attack outlined above. There are two variants of the attack. In the first variant, the pirate orders all services for the first month. The result is a transaction 101 in which the pirate receives EMMs for month one authorizing the full set of services. The pirate saves the AEMM 109 for that month. The second month, the pirate orders just enough services to receive a DEMM 108 with a session key 110 for the desired service. The pirate allows session keys 110 to be processed by his subscriber device 113, but instead of providing the new month's AEMM 109, he provides the saved AEMM 109. At this point SEMI 115 has the session key for the second month together with the authorization information for the first month, and the pirate can thus decrypt instances of services in the second month even though he has not paid for them for that month.
In the second variant, the pirate has the minimum subscription for the first month. He records instances of an encrypted digital service that he has not subscribed to together with the ECMs 119 belonging to the instances. He also saves the current month's DEMM 108. The next month the pirate orders a subscription that includes the service that provided the copied instances. When the pirate receives the AEMM 109 for the next month, he provides it together with last month's DEMM 108 to subscriber device 113. Having done this, the pirate also provides one of the saved instances of the digital service together with its ECMs 119 to subscriber device 113. Since SEMI 115 in subscriber device 113 now has both a session key 110 for the digital service to which the saved instance belongs and an authorization for that service, subscriber device 113 is able to use the ECMs 119 to decrypt the saved instance. It is an object of the invention disclosed herein to provide apparatus and methods for preventing such replay attacks.
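Both variants rely on the same property of the FIG. 1 check: entitlement check module 121 looks only at what SEMI 115 currently holds, not at which subscription period each stored item came from. The following toy model is an added example, not part of the original text and not the invention's mechanism. The period fields, the HMAC derivation of IK 123, the service name and all key material are assumptions constructed for illustration. It runs the check on mixed-period inputs with and without a period-consistency test.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class DEMM:                       # decryption EMM 108
    service: str
    period: int                   # assumed field, not shown in FIG. 1
    session_key: bytes            # session key 110

@dataclass(frozen=True)
class AEMM:                       # authorization EMM 109
    period: int                   # assumed field
    services: frozenset           # authorization information 112

@dataclass(frozen=True)
class ECM:                        # entitlement control message 119
    service: str
    period: int                   # assumed field
    di: bytes                     # decryption information 120

@dataclass
class Device:                     # subscriber device 113; keys + auth model SEMI 115
    bind_periods: bool = False    # False: the check as described for FIG. 1
    keys: dict = field(default_factory=dict)
    auth: Optional[AEMM] = None

    def load(self, emm):
        if isinstance(emm, DEMM):
            self.keys[emm.service] = emm
        else:
            self.auth = emm

    def instance_key(self, ecm):
        """Entitlement check 121: return IK 123, or None when refused."""
        demm = self.keys.get(ecm.service)
        if demm is None or self.auth is None or ecm.service not in self.auth.services:
            return None
        if self.bind_periods and not (demm.period == self.auth.period == ecm.period):
            return None           # EMMs and ECM come from different periods
        return hmac.new(demm.session_key, ecm.di, hashlib.sha256).digest()

def run(demm_period, aemm_period, ecm_period, bind_periods):
    """Load constructed EMMs from the given periods and process one ECM."""
    dev = Device(bind_periods)
    dev.load(DEMM("games", demm_period, b"constructed-sk-%d" % demm_period))
    dev.load(AEMM(aemm_period, frozenset({"games"})))
    return dev.instance_key(ECM("games", ecm_period, b"constructed-di"))
```

Here `run(2, 1, 2, False)` corresponds to the first variant and `run(1, 2, 1, False)` to the second. The period comparison is only meaningful if the period values are authenticated as part of each message, which this model does not cover.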