In order to take advantage of expanding utilities for transmission or transfer of a data stream, such as can be provided by high-capacity portable storage devices and by high-speed data transmission channels, users who need mass data transfer capabilities require that a high degree of security be provided. Security measures help to prevent such activities as tampering with data, eavesdropping, and data piracy.
Data piracy can be particularly damaging for providers of entertainment that is transmitted as a data stream, such as providers of TV and video programs and providers of digital motion pictures. Unless stringent security measures are followed, digital contents of such copyrighted materials could be illegally copied and distributed, resulting in the loss of substantial investment to the rightful owners. The need for data security is becoming more acute as the digital motion picture industry evolves. Conventional methods for distributing film copies to local theaters are expected to change as motion pictures are prepared and distributed digitally. Whether distributed using transmission by satellite or cable or over dedicated, high-speed phone lines, or distributed using a portable, high-capacity storage medium such as DVD device, it is anticipated that digitization of motion picture material will begin to replace current film-based distribution. This development presents substantial potential risks to the entertainment industry that must be countered with security measures so that only qualified sites have access to the entertainment material.
Digitization of motion picture images presents special challenges for ensuring data security. One aspect of the security problem is file size. A digitized, full-length feature film can be of the order of a few terabytes of data, before compression. Even with advanced data compression techniques, the amount of data for a standard movie is substantial. Because of the amount of data, and because of the risks in allowing a decrypted or unencrypted copy to be available for access, there are advantages to high-speed or real-time decryption techniques that would provide rapid decryption of a digital data stream for movie projection or viewing (and also allow time for data decompression).
For maximum security, an ideal goal would be to have video data, motion image data or motion picture data (also interchangeably referred to herein as digital motion image data and applicable to digital movies or motion pictures, whether to be viewed on TV or at motion picture theaters or on the computer) encrypted under all conditions, even during film editing and preparation processes. In this way, wherever the motion picture would be handled or transmitted, from initial filming and editing stages through viewing at the theater, the digital data for the motion picture would not be available in plaintext (unencrypted) form. At the same time, however, any encryption scheme would need to allow access to one or more individual frames, such as for editing purposes.
An important aspect of the security problem is the need to distribute a motion picture, as a digital data stream, to thousands of sites within the same time period. This means that solutions for data encryption/decryption, compression/decompression, and overall distribution must be robust. These solutions must also allow for the “staggered show-time” arrangements used by many theaters and must be capable of handling difficulties such as equipment problems that might require restarting or pausing momentarily, again requiring individual frame addressability and re-synchronization of a decryption scheme. As used herein the term encryption involves transforming data in order to conceal its meaning and is thus distinguishable from other well-known encodings such as compression and image processing used to affect color size or density of the image.
Considering the size of files for video and digital motion pictures, conventional encryption approaches are not well-suited to the difficult task of maintaining encryption security while, at the same time, allowing individual frame access. For example, the simple approach of encrypting a digital motion picture as a single block makes operations such as individual frame editing, fast-forward operations, staggered display, and related frame-based activity difficult to support or infeasible. Thus, the approach of parsing the data into blocks makes sense; however, if the same encryption key applies to each block, system security may not be adequate. Therefore, it is recognized that a flexible solution for encoding data in discrete blocks that still provides data security is needed.
It is instructive to observe that, at a base level, encryption algorithms themselves require handling of plaintext data (that is, data that is to be encrypted to form ciphertext data) in discrete blocks. For example, DES encryption operates on a 64-bit unit of data at a time. Encryption methods may re-use the same key for each encryption or may use different keys for different data blocks. Using multiple keys, as will be described subsequently, allows advantages by more securely encrypting the data.
As an overview, there are two general types of encryption schemes:                (1) Private or symmetric encryption. Symmetric algorithms use the same key for encryption and decryption. Anyone who has possession of the private key can decrypt the data. The National Bureau of Standards Data Encoding Standard (DES), as disclosed in U.S. Pat. No. 3,962,539 (Ehrsam et al.) is a well-known example of a symmetric encryption scheme.        (2) Public, or asymmetric encryption. Asymmetric algorithms use different keys for encryption and decryption. Data is encrypted using a public key, accessible to anyone. However, data can only be decrypted by someone who holds a private key. RSA, as disclosed in U.S. Pat. No. 4,405,829 (Rivest et al.) is a well known public key encryption scheme.        
In general, symmetric encryption is faster than asymmetric and thus is a more likely candidate for motion picture encryption and encryption/decryption for similar data streams. However, a drawback with symmetric encryption is the requirement that a symmetric key must be securely distributed to each intended recipient. The risk of allowing unintended access to other recipients must be minimized.
There are a number of conventional solutions for distribution and management of keys used for decryption of large files. For example, it is known to take advantage of the strengths of both symmetric and asymmetric algorithms for this purpose, first using asymmetric encryption to distribute a symmetric key or keys, then using these keys for fast decryption. A key is a series of bits or a number that is required in order to decrypt the encrypted data
A conventional solution for efficient decryption of a sizable data stream is to provide multiple keys, where keys are mapped to identified blocks in the data stream. As an example of one key management approach used for a stream cipher, U.S. Pat. No. 6,052,466 (Wright) discloses the use of multiple private keys for encryption when negotiating a key exchange for a public key encryption scheme. A sequence of identical private keys is generated at both sending and receiving sites, based on initial key generation information transferred using public key methods. To synchronize keys to the data stream, each member of the sequence of generated keys is indexed to a predetermined, fixed location on a page within the data stream. Re-synchronization is thereby provided in the event of data packet loss. While the direct key-to-page mapping scheme used in the Wright patent has advantages for reducing problems due to packet loss and re-synchronization, no attempt is disclosed to provide any measure of security by requiring rearrangement of keys or manipulation of page boundaries. The method disclosed in the Wright patent also has other inherent disadvantages for secure data transfer such as is required for digital motion pictures. For instance, index information for using the keys is encoded within the ciphertext message itself, rather than provided separately. In addition, the same communication channel is used for key exchange and ciphertext data transmission. This use of the same channel means that anyone who can access the communication channel has access to the encrypted data as well as to the information needed for decryption.
Similarly, for a radio communications channel, U.S. Pat. No. 5,185,796 (Wilson) discloses providing encryption key information interleaved with the transmitted data, a security scheme optimized to allow re-synchronization in the event of signal loss. Keys themselves are not transmitted, however, but are stored at sending and receiving sites. Methods such as those disclosed in U.S. Pat. Nos. 6,052,466 and 5,185,796 are suitable for some types of data transfer applications. With respect to delivery or transmission of digital motion picture information, however, these methods do not provide the most advantageous solutions. For maximum data security and for overall decryption speed, it is preferable to provide both keys or key generation data and key indexing and synchronization information separately from the data stream. When multiple keys are used with motion picture and video data, some correspondence between the encryption of data in blocks and the individual motion picture or video frames (not addressed in the above-mentioned disclosures) would be advantageous, as is described subsequently.
As an example of handling data in blocks, U.S. Pat. No. 6,021,391 (Shyu) discloses a method for encryption of a data stream by handling individual data segments of arbitrary length. Each individual data segment can then be separately encrypted, using a separate key and algorithm, which are specified in a segment header that is part of the data stream. Here again, the encryption key and encryption algorithm are identified in the data stream itself, which can be viewed as a disadvantage when contrasted with a strategy of providing an encryption key separately. For the same reasons discussed above, clear identification of a data segment header may be useful in some applications, but may be disadvantageous for a data stream representing video or audio data, such as in a motion picture application.
Other solutions have been proposed to make encryption of a data stream more efficient or more secure. Among examples of key management and usage solutions for efficient reusability of a symmetric key is U.S. Pat. No. 5,438,622 (Normile et al.) which discloses a method for providing an offset value that can be encrypted by a transmitted system and then used to specify a “deferred” starting point within a key for encryption/decryption. The key itself is generated from a secret key and an initialization vector. Given the offset value, a decryption processor can use that portion of the key indicated by the offset value for decryption. This method makes it difficult for an unauthorized listener to decode repeated patterns, since a variable offset value can be applied to the same key multiple times, effectively changing the key, since different parts of the key are used with each encryption. It is instructive to note that, with this method, the offset value is applied to the key that is generated in a transmitter/receiver, requiring that a substantial portion of the generated key be discarded with each encryption/decryption operation. Moreover, since some portion of the key may be the same with each encryption operation, it is less likely that this method is more secure than simply providing a different key altogether.
As an example in which blocks of video data are encrypted, U.S. Pat. No. 6,021,199 (Ishibashi) discloses a method for encryption of an MPEG 2 video data stream. MPEG 2 (a standard of the Motion Picture Experts Group) stores video data as a series of frames, for which an I-frame serves as a reference frame. Other MPEG frames (P- and B-dependent frames) require reference to an I-frame (an intra-coded stand alone frame) in order to be correctly interpreted. In the Ishibashi patent, only these essential I-frames of the data stream are encrypted, which effectively precludes use of any of the other video data in the data stream until decryption of the I-frames is performed. While this method has merit, it can be objected that frame boundaries would remain obvious in the ciphertext data stream, which is a disadvantage from a data security perspective. It would be most advantageous to mask any defining frame header or synchronization character within the ciphertext data stream and to securely encrypt all data in the data stream. Notably, the overall security of this method relies on encryption of I-frames only. While this selective encryption simplifies the effort and minimizes the time required for encryption, it has a disadvantage, since unauthorized decryption of a single I-frame would allow access to other P- and B-frames as well.
Copy protection schemes for distribution of recorded media do not suggest satisfactory solutions to the requirements for secure storage and distribution of motion picture data and other data streams. Schemes such as are disclosed in U.S. Pat. No. 6,028,932 (Park) or U.S. Pat. No. 5,963,909 (Warren et al.), for example, disable or constrain playback or copying but are impractical for digital motion picture applications since they require some advance knowledge of the specific destination hardware. Pay-per-view schemes, such as is disclosed in U.S. Pat. No. 6,016,348 (Blatter et al.) provide decryption codes for conditional access to video programming using an insertable ISO 7816-3 compliant smart card; however, this arrangement is limited to providing data access and algorithm identification.
Thus, it can be seen that while conventional approaches address some of the needs for secure encryption and for distribution and synchronization of encryption keys provided to receiver sites, existing methods do not provide data encryption solutions that are well-suited to the security requirements for high-volume, data stream distribution, such as is needed by providers of digital motion pictures. Moreover, conventional methods are not well-suited to the specific requirements for frame-by-frame access of a digital motion picture data stream that allows editing, restart, and fast-forward functions. Therefore, there is a need for a secure encryption apparatus and method for synchronizing multiple encryption keys with individual blocks in a data stream, where the apparatus and method are readily adaptable to digital motion picture applications.