The past decade has been marked by a technological revolution driven by the convergence of the data processing industry with the consumer electronics industry. The effect has, in turn, driven technologies that have been known and available but relatively quiescent over the years. A major one of these technologies is Internet related distribution of documents. The Web or Internet, which had quietly existed for over a generation as a loose academic and government data distribution facility, reached, “critical mass” and commenced a period of phenomenal expansion. With this expansion, businesses and consumers have direct access to all matter of documents and media through the Internet.
With the advent of consumer digital technology, content such as music and movies are no longer bound to the physical media that carry them. Advances in consumer digital technology present new challenges to content owners such as record labels, studios, distribution networks, and artists who want to protect their intellectual property from unauthorized reproduction and distribution. Recent advances in broadcast encryption offer an efficient alternative to more traditional solutions based on public key cryptography. In comparison with public key methods, broadcast encryption requires orders of magnitude less computational overhead in compliant devices. Compliant devices are those which follow the key management protocol defined to govern the behavior of devices participating in a particular content protection system, and which have not been altered or used in attacks designed to compromise that system. In addition, broadcast encryption protocols are one-way, not requiring any low-level handshakes, which tend to weaken the security of copy protection schemes. However, by eliminating two-way communications, the potentially expensive return channel on a receiver may be eliminated, lowering overhead costs for device manufacturers and users.
IBM has developed a content protection system based on broadcast encryption called eXtensible Content Protection, referred to as “xCP.” xCP supports a trusted domain called a ‘cluster’ that groups together a number of compliant devices. Content can freely move among these devices, but it is useless to devices that are outside the cluster. Other examples of broadcast encryption applications include Content Protection for Recordable Media (CPRM) media, Content Protection for Pre-Recorded Media (CPPM) media, and Advanced Access Content System (AACS) next-generation media.
Broadcast encryption schemes bind a piece of content to a particular entity, such as a piece of media (e.g. a compact disk or DVD), a server, a group of authorized devices, or a user. Broadcast encryption binds the content by using a media key block (also known as a key management block KMB or session key block) that allows compliant devices to calculate a cryptographic key (the media or management key) using their internal device keys while preventing circumvention (non-compliant) devices from doing the same. One example of a binding scheme is binding to a specific receiver in standard PKI applications wherein content is encrypted with a session key, which is then encrypted with a receiver's public key. The content can only be retrieved with the receiver's private key. Another example of a binding scheme is binding to a specific media in CPRM and AACS Media wherein content is encrypted with a title key, which is then encrypted with a key resulting from a one-way function of a media identifier and a media key (calculated from the media key block described above). A third example of a binding scheme is binding to a specific group of devices in a user's domain, as in xCP Cluster Protocol, wherein content is encrypted with a title key, which is then encrypted with a key resulting from a one-way function of the user's cluster authorization table and binding ID and the user's current management key (calculated from the user's current media key block).
Broadcast encryption does not require authentication of a device and can be implemented with symmetric encryption, allowing it to be much more efficient than public key cryptography. After calculating a media key by processing the media key block (KMB), the scheme uses the media key to bind the content to an entity with a binding identifier, resulting in the binding key. An indirection step occurs when a title key is then chosen and encrypted or decrypted with the binding key, resulting in an encrypted title key or an encrypted indirected key. The content itself may then be encrypted with the title key and the encrypted content may be stored with the encrypted title key. A compliant device that receives the encrypted content and the encrypted title key may use the same KMB and the binding identifier to decrypt the encrypted title key and then to use that title key to decrypt the content. The compliant device first must reproduce the binding key using the KMB, the binding identifier and its device keys, and then decrypt the title key from the encrypted title key using the binding key. Once the compliant device has the title key, it may decrypt the content itself. A circumvention device will not have device keys that can be used to process the KMB and thus will not be able to reproduce the binding key or be able to decrypt the content. Also, if the content has been copied to a different entity with a different identifier by a non-compliant device, the compliant device with valid device keys will not be able to calculate the correct binding key because the binding identifier is different than the original one.
Under prior art systems, all content would be encrypted with a title key which would itself be encrypted with the binding key. Said content items are owned by a single participant in this key management binding scheme, and is responsible for the re-encryption of said title keys when indirections change that result in a new binding key. For example, the introduction of a new device into an existing network cluster causes an update to an authorization table, i.e. an indirection mechanism on the binding key. Ideally, implementations using broadcast encryption perform a re-encryption procedure on all title keys affected by the binding change. Optimally, re-encryption of said title keys occurs in a timely manner so as not to delay a user's access to associated content. Implementations typically attempt to re-encrypt affected title keys immediately, or without regard to use patterns. If the number of content items affected is large, as can often be the case for devices with entertainment content, the operation is time consuming and causes delay to the user. Additionally, devices that manage content can go offline or be disconnected from the network, either as a matter of normal use or due to some device failure. These failures can occur while rebinding title keys. When the device becomes reconnected, it is responsible for recovering and continuing to rebind the title keys it managed at the point it failed with no loss of content.
The present invention is directed to solving this problem by providing a means to manage title keys by establishing logical partitions of title keys with the same binding information. The method of the present invention provides a means that supports delayed and background processing of title keys when binding information changes. The present invention also supports proper accounting for devices required to recover rebinding processing when devices fail or go offline unexpectedly during said processing.
Therefore, there is a need for an effective and efficient system of managing encrypted content using logical partitions.