1. Field of the Invention
In general, the present invention provides a method, system and program product for managing a size of a key management block (KMB) during content distribution. Specifically, the present invention provides replacement of a KMB corresponding to a first subtree of devices with a smaller KMB corresponding to a second subtree of devices.
2. Background Art
In the distribution of digital content, content such as video and audio data is typically transmitted from a content source to a content recipient. In one common implementation, content is prepared and encrypted by a content owner (e.g., a cable television network), and then delivered to a content service provider (e.g., a cable service provider). The service provider will then deliver the encrypted content to subscribing customers. An emerging technology in the field of content distribution is known as broadcast encryption, in which encrypted content and all information necessary to access the content are delivered via one-way communication. That is, the recipient need not hold follow-up communications with the source. In this technology, the content is encrypted with a title key, which itself is encrypted with a key encrypting key. The key encrypting key is stored in a protected form within a key management block (KMB) that is transmitted with the content. Compliant receiver devices (e.g., set-top boxes, DVD players, etc.) will be able to process the KMB to recover the key encrypting key so that the title key can be decrypted and the content accessed.
In general, the KMB includes a protected transformation of the key encrypting key that can only be decrypted with device keys from compliant receiver devices. To this extent, the key encrypting key can take many forms within the KMB. For example, the key encrypting key can be encrypted multiple times (i.e., once for each set of valid device keys). In addition, the KMB includes entries of revoked devices. Specifically, if a receiver device was determined to be non-compliant or a circumvention device, an entry would be generated in the KMB revoking the device. This entry would prevent the revoked device from being able to recover the key encrypting key.
Problems arise, however, when the size of a KMB grows. In particular, in commonly used methods such as the Naor-Naor-Lotspiech tree algorithm, each time a device is revoked, it is placed into a revocation entry in the KMB (each entry could revoke more than one device). As the number of revocation entries increases, the size of the KMB increases. Since the KMB must be transmitted and processed to recover the key encrypting key, the larger the KMB, the longer it will take to access the content. To this extent, the time period from when the receiver device begins receiving content to when the content can be decrypted is known as acquisition time (e.g., the time period from when the TV channel is changed until when the picture is displayed). Thus, as the KMB becomes larger, the acquisition time increases, which can cause great frustration to a consumer.
Previous attempts to reduce the acquisition time involved increasing the bandwidth allocated to transmission of a KMB. However, as known in the art, larger bandwidth comes at a premium. Although the Naor-Naor-Lotspiech tree algorithm referenced above helps reduce the bandwidth requirement (i.e., only 12 bytes per revocation are required), significant space within the KMB can still be occupied by revoked devices.
Accordingly, there exists a need for a method, system and program product for managing a size of a KMB. Specifically, a need exists for determining when a size of a first KMB corresponding to a first subtree of devices exceeds a predetermined threshold. A further need exists for a second smaller KMB to be implemented when the predetermined threshold is reached. Still yet, a need exists for compliant devices to be migrated from the first subtree to the second subtree.
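The growth of a KMB with revocations, and the effect of moving compliant devices to a fresh subtree, can be seen in the following added example, which is not part of the original text. It uses the complete-subtree cover, swapped in for the Naor-Naor-Lotspiech tree algorithm named above; the node numbering, the 20-byte entry size and the 64-byte threshold are constructed assumptions.

```python
# Added illustration (not from the patent): complete-subtree cover over a
# binary tree of devices. Heap numbering: root is node 1, children of n are
# 2n and 2n+1, devices are the leaves 2**height .. 2**(height+1) - 1.
ENTRY_BYTES = 20  # constructed: bytes per KMB entry (node id + wrapped key)

def path_to_root(leaf):
    """Nodes whose keys a device holds: its own leaf and every ancestor."""
    nodes = []
    while leaf >= 1:
        nodes.append(leaf)
        leaf //= 2
    return nodes

def kmb_cover(height, revoked):
    """Subtree roots whose keys encrypt the key encrypting key in the KMB."""
    if not revoked:
        return [1]  # nothing revoked: a single entry under the root key
    first_leaf = 2 ** height
    tainted = set()  # nodes with at least one revoked device beneath them
    for leaf in revoked:
        if not first_leaf <= leaf < 2 * first_leaf:
            raise ValueError(f"{leaf} is not a device leaf")
        tainted.update(path_to_root(leaf))
    cover = []
    for node in sorted(tainted):
        if node >= first_leaf:
            continue  # a revoked leaf has no children to cover
        for child in (2 * node, 2 * node + 1):
            if child not in tainted:
                cover.append(child)  # clean subtree hanging off a tainted path
    return cover

def can_recover(leaf, cover):
    """True if the device holds a key for some entry in the KMB."""
    return any(node in cover for node in path_to_root(leaf))

def kmb_size(cover):
    return len(cover) * ENTRY_BYTES

def needs_replacement(cover, threshold_bytes):
    """The size check: has this subtree's KMB passed the threshold?"""
    return kmb_size(cover) > threshold_bytes

if __name__ == "__main__":
    first = kmb_cover(3, [9, 14])  # first subtree: 8 devices, two revoked
    second = kmb_cover(3, [])      # second subtree: migrated devices only
    print(first, kmb_size(first), needs_replacement(first, 64))
    print(second, kmb_size(second), needs_replacement(second, 64))
```

A device is revoked here simply because none of the nodes on its path to the root appears in the cover, so no KMB entry is encrypted under a key it holds.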