1. Field of Invention
The present invention relates generally to the field of content and/or data delivery over a network. More particularly, the present invention relates in one exemplary aspect to provisioning a consumer premises device (e.g., set-top box) in a network having download capability; e.g., such as for conditional access, digital rights management, or trusted domain functionality.
2. Description of Related Technology
Recent advances in digital information processing have made a wide range of services and functions available for delivery to consumers at their premises for very reasonable prices or subscription fees. These services and functions include digital programming (movies, etc.), digital video-on-demand (VOD), personal video recorder (PVR), Internet Protocol television (IPTV), digital media playback and recording, as well high-speed Internet access and IP-based telephony (e.g., VoIP). Other services available to network users include access to and recording of digital music (e.g., MP3 files), as well local area networking (including wire-line and wireless local area networks) for distributing these services throughout the user's premises, and beyond.
Currently, many of these services are provided and delivered to the user via a wide variety of different equipment environments including, inter alia, cable modems, WiFi hubs, Ethernet hubs, gateways, switches and routers, computers, servers, cable set-top boxes, PSTNs, cellular telephones/smartphones, PDAs, and portable digital music devices such as the Apple iPod™. Additionally, the services associated with such technology are typically provided by multiple vendors including e.g., a cable service provider (e.g., MSO), cellular service provider (CSP), wireless service provider (WSP), VoIP service provider, music download service, Internet service provider (ISP), PSTN telephone service, etc.
The myriad of services, equipment and providers can easily create confusion and economic inefficiency for someone using many of these services on a regular basis. In particular, a user may have to pay for each service or equipment separately, thus eliminating any economies of scale based on integration. Additionally, the equipment or services may not interoperate with one another, thus reducing the overall utility provided to the user, and increasing their frustration level. These problems are particularly acute when the number of different services utilized (and hence number of service providers) is high.
Some improvements in digital service integration have been made over time. For example, cable system subscribers (such as those of the Assignee hereof) can now access VOD, PVR, PPV and broadcast services simultaneously, as well a Internet access via cable modem, and even digital telephony (e.g., VoIP). However, these functions are still substantially disparate in terms of their hardware and software environments (i.e., the user must have a cable modem, set-top box, VoIP telephony unit, PC, etc.), and “cross-over” between the environments (e.g., moving content or data from one environment to the other) is quite limited.
Moreover, the movement of content delivered by these services within the user's premises (or even outside) is substantially frustrated, largely due to concerns relating to protection of valuable (e.g., copyrighted) content and surreptitious reproduction and distribution. Such unauthorized reproduction and distribution not only detracts from the network operator's revenue and commercial viability, but also that of the content source (e.g., movie studio, recording studio/artist, etc.).
Moreover, the lack of a comprehensive and effective scheme for control of content within the user domain effectively precludes content providers from releasing new content over cable or satellite networks contemporaneous with its availability over retail or rental outlets, due in large part to unauthorized access, reproduction and distribution concerns. Stated simply, new release content availability over cable typically lags that of rental/retail, due primarily to the lack of an effective control mechanism for the content once it is delivered to the user domain.
A number of existing technologies have heretofore been employed by network operators in order to attempt to frustrate surreptitious access, copying and distribution of valuable content.
Conditional Access
For example, so-called Conditional access (CA) technologies are typically incorporated into content-based networks, such technologies including the digital encoding of various types of data including audio and video programming and music. Conditional access can generally be defined as the control of when and how a user may view and use the associated programming or information. Different types of conditional access may be desirable in a network delivery system in order to, e.g., accommodate improvements in the technology over time, as well as different conditional access attributes such as security and category of programming or user access level.
A variety of traditional methods of conditional access exist including, e.g., “Powerkey™”, VideoGuard®, and DigiCipher®. A generalized conditional access model is also provided by the well-known DVB (Digital Video Broadcasting) Specification TS 101 197 V1.2.1 (02/02), DVB SimulCrypt; Part 1: “Head-end architecture and synchronization”, and TS 103 197 V1.2.1 (02/02): “Head-end Implementation of SimulCrypt”, each incorporated herein by reference in its entirety. These can be implemented using, for example, the so-called “CableCARD™” plug-in security module access technology (also known as a “a point-of-deployment (POD) module”). See, e.g., the CableCARD-Host interface specification, which defines the interface between a digital cable receiver or STB (Host device) and the CableCARD device provided by the MSO/cable operator. CableCARD was developed to satisfy certain security requirements to allow retail availability of host devices, e.g., set-top boxes, digital cable ready televisions, DVRs, personal computers (PCs), integrated digital televisions, etc., for receiving cable services. The CableCARD, comprising a PCMCIA device, can be inserted into a host device, allowing a viewer to receive cable systems' secure digital video services, e.g., pay per view TV, electronic program guides, premium subscription channels, etc.
Encryption
In many content-based networks (e.g., cable television systems), the client device or consumer premises equipment (CPE) receives, through the cable TV network, programming content which may be encrypted, e.g., in accordance with the Data Encryption Standard (DES) technique or Advanced Encryption Standard (AES), to secure its delivery.
DES is a well-known symmetrical cipher that utilizes a single key for both encryption and decryption of messages. Because the DES algorithm is publicly known, learning the DES key would allow an encrypted message to be read by anyone. As such, both the message sender and receiver must keep the DES key a secret from others. A DES key typically is a sequence of eight bytes, each containing eight bits. To enhance the DES integrity, the DES algorithm may be applied successive times. With this approach, the DES algorithm enciphers and deciphers data, e.g., three times in sequence, using different keys, resulting in a so-called triple DES (3DES) technique.
The Advanced Encryption Standard (AES), also known as Rijndael, is a block cipher adopted as an encryption standard by many entities including the U.S. government. It is used worldwide, as is the case with its predecessor, DES. AES was adopted by National Institute of Standards and Technology (NIST) and was codified as US FIPS PUB 197 in November 2001.
AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits. The key is expanded using the well-known Rijndael key schedule. Most of AES calculations are performed in a special finite field. AES typically operates on a 4×4 array of bytes, termed the state.
AES provides a much higher level of encryption than DES or 3DES, and hence is increasingly being integrated into applications where strong protection is desired, including the delivery of content over cable or other content-based networks.
In contrast to the DES or AES techniques, a public key encryption technique, e.g., an RSA technique (named for its developers, Rivest, Shamir, and Adleman), uses two different keys. A first key, referred to as a private key, is kept secret by a user. The other key, referred to as a public key, is available to anyone wishing to communicate with the user in a confidential manner. The two keys uniquely match each other, collectively referred to as a “public \-private key pair.” However, the private key cannot be easily derived from the public key.
“Trusted Domains”
Another related approach for content protection comprises the creation and enforcement of a “trusted domain” or TD. Specifically, such a “trusted domain” (TD) comprises an area (physically or virtually) within which programming or other content is protected from unauthorized access, distribution and copying. For example, in a cable network, a trusted domain may include not only the network portion where programming content traditionally is secured by, and within total control of, a cable operator (including, e.g., the headend, HFC delivery network, etc.,) but also user devices or customer premises equipment (CPE) at subscribers' premises which are capable of receiving and securely storing programming content. Using the trusted domain approach, the network operator can guarantee certain subscriber access, distribution, and usage policy enforcement with respect to content held within the domain. For example, a digital representation of a movie held within an operator's TD (e.g., on a hard drive of a user device) cannot be distributed over the Internet, wireless network, etc. in viewable form, and cannot become a source for duplication of multiple viewable copies.
One exemplary approach of implementing a trusted domain, described in co-owned and co-pending U.S. patent application Ser. No. 11/006,404 filed Dec. 7, 2004 and entitled “Technique For Securely Communicating And Storing Programming Material In A Trusted Domain”, (issued as U.S. Pat. No. 8,312,267), which is incorporated herein by reference in its entirety, comprises using two cryptographic elements (e.g., encryption keys), associated with a user and his/her client device(s), respectively, that control access to content stored in the client device(s) within the domain.
The trusted domain is preserved with respect to the stored content so long as the content remains encrypted and continues to be managed under the above-described key management methodology, regardless of which device stores the content. Once the content itself is decrypted, e.g., by a conditional access (CA) mechanism when data is sent from the SDVR CPE to a television monitor for display, the decrypted content is no longer within the trusted domain.
Digital Rights Management (DRM) and Steganograhy
Another approach used to control the distribution and use of protected content within a content-based network is to employ so-called digital rights management (DRM). For example, Media rights management systems such as the Microsoft Windows® Media Digital Rights Manager (DRM), may be used as well. The Windows® Media Player Version 9 comprises audio and video codecs, the Windows Media Encoder, Windows Media Server, Windows Media Software Development Kit (SDK), Digital Rights Management (DRM) technology, and an extensibility model that allows integration into third-party solutions.
According to one such DRM approach, a digital media or content file is encrypted and locked with a “license key.” The license key is stored in a license file or other data structure which is distributed separately from the media or content. A user can obtain the encrypted media file by, e.g., downloading it from a web site, purchasing it on a physical media, etc. To play the digital media file, the user must first acquire the license file including the license key for that media file.
Another approach to DRM (see, e.g., the RealNetworks “Helix” Platform and Community approach) comprises encrypting a content file (typically performed by the system operator) to create a secured content file, thereby requiring a cryptographic key to access the content in the file. The key is included within a retailer's database, and the secured content file is distributed to users by, e.g., Internet connection or offline distribution of CDs. The retailer itself sets usage rules and policies for licensing the content. A user contacts the retailer's web server, such as via a trusted software client, in order to obtain a license to access the encrypted content. The retailer's web server requests certain rights from the operator's license server, the latter which creates a license containing the key for the requested content file.
Related to DRM is the practice of steganography. Steganography is the art and science of including hidden data in such a way that no one apart from the intended recipient or sender knows of the existence of the data; this is in contrast to cryptography, where the existence of the data itself is not disguised, but the content is obscured. For example, digital steganographic data may included within the recorded data/content, such as digital watermarking data.
Emerging Technologies and Provisioning Requirements
More recently, emerging technologies have focused on so-called “downloadable” conditional access systems (DCAS), which are intended to be implemented in next-generation two-way, cable-ready digital TV sets, set-top boxes and/or other related devices. This “download” approach would enable cable operators to download conditional access software directly to TV sets, set-top boxes and other digital entertainment devices in the subscribers' premises, and would be especially suited to interactive services such as VOD, PVR, etc. This would also obviate the physical CableCARD form factor.
With the so-called FCC “navigation order” (Further Notice of Proposed Rulemaking (“FNPRM”), FCC 00-341, adopted Sep. 14, 2000; released Sep. 18, 2000; relating to, inter alia, the adoption of unidirectional plug and play, cable system operators are also required to support digital cable-ready devices on their systems. Downwloadable conditional access (CA) functionality is one proposed conditional access technology that also meets this requirement. In addition to the requirements imposed by FCC 03-225, it is also desirable to support bi-directional cable-ready devices on its systems, as well as “separable security” functionality (i.e., the CA functionality is physically, or at least logically) separable from the host device. Ideally, such enhanced functionality would also allow both basic bi-directional functions (so-called single-stream devices) as well as the use of more advanced multi-stream devices such as digital video recorders (DVRs). It is also desirable to allow download-enabled devices to participate (ad hoc or otherwise) in the operator's trusted domain (TD).
In recent years, numerous systems for providing interconnectivity among devices in a premises (e.g., home, enterprise, university, etc.) have been developed, allowing premises networks to include DSTBs, personal computers, cellphones, PDA devices, etc. Because of the increasing popularity of premises networking and the demand for seamless interconnectivity between heterogeneous hardware/software environments (e.g., “plug and play”), there is a growing need for a strategy that enables a user to perform authorized transfer of protected content, e.g., transferring content from their cable system CPE to other devices in a premises network, or even outside of the network, and at the same time prevent unauthorized distribution and reproduction of the protected content. The foregoing CA, DRM, steganographic, and trusted domain technologies, while providing some degree of protection, simply do not support such control and protection within the increasingly complex user domain.
Specifically, these techniques do not support cryptographic key management and distribution systems that operate with both legacy or new CA systems, and are not under direct network operator (e.g., MSO) control. They also accordingly do not support advanced provisioning techniques which would allow the operator to maintain configuration control and databases (e.g., address allocation, billing, etc.), device enablement/deactivation, and so forth.
Moreover, such existing techniques often cannot be smoothly integrated with retail (third party) devices, and are typically quite platform specific. They are often also specific to the content delivery mode (i.e., VOD, broadcast, broadcast-switched, and other content delivery paradigms).
These existing techniques also will not support seamless transition between independent implementations of CA, trusted domain, and DRM security features and policies, and are not standardized to any significant degree.
Prior art conditional access (CA) systems such as the Scientific Atlanta “Powerkey” approach described above have no authentication entity or “proxy” that can authenticate CPE or other connected devices in anticipation of providing download services, and hence by nature are highly localized. Generally speaking, any “trusted domains” that might be established are not extendable beyond the CPE on the client side of the delivery network.
Moreover, the aforementioned DCAS and other such “downloadable” CA approaches require special provisioning capabilities not present in such prior art devices or systems. This stems largely from the fact that a unique, secure entity (e.g., the SM or secure microprocessor) is resident on each DCAS host, and the ability to download common and personalized images to this device requires specific controls and protocols, which also extend into the network operator's billing and content provisioning systems. For example, the DCAS approach provides the capability to simultaneously support multiple CA system instances and servers within the same network topology. That is, a given host could have access to one or more CA systems, and the provisioning system must be able to direct the host to the desired CA system based on considerations including e.g., compatibility, host capability, service profile, and other administrative and operational considerations. New administrative policies to provide device revocation, and to monitor and control the state of a specific host given its key status (as reported by e.g., a trusted authority) must be supported also. The provisioning system must also be able to support configuration control for each CA, DRM, and TD/ASD host in the network.
A variety of different approaches to network device provisioning are known in the prior art. For example, U.S. Pat. No. 5,982,412 to Nulty issued Nov. 9, 1999 entitled “Coaxial testing and provisioning network interface device” discloses a broadband network for providing broadband signals, such as cable television signals, to a subscriber location that includes a network interface device installed at the subscriber's end of the broadband network. The network interface device includes circuitry that provides for the selective provisioning of services to the subscriber location from the broadband network and a test circuit that can be selectively connected for testing signals appearing on the broadband network.
U.S. Pat. No. 6,009,103 to Woundy issued Dec. 28, 1999 entitled “Method and system for automatic allocation of resources in a network” discloses a method and system for automatically allocating network resources such as IP addresses to control access to the network by utilizing at least one DHCP server, and a common network database formed from a LDAP directory for storing respective user configuration parameters, hardware address registration, and current binding information. A DHCP server can add new hardware address registrations to the LDAP using an “unregistered” service class. The DHCP server sends a DHCP reply tailored for unregistered devices, such as by allocating a privately-allocated IP address with no Internet access, or an IP address for a self-provisioning web server. A DHCP server views IP address allocation as indefinite, while a user will view an IP address allocation as having a short duration. Thus, if the IP network configuration does not change, the user terminal will continue to receive the same allocated IP address due to the DHCP server's perception of an indefinite lease.
U.S. Pat. No. 6,233,687 to White issued May 15, 2001 entitled “Method and apparatus for providing configuration information in a network” discloses a method and apparatus for providing message authentication between a first device (such as a provisioning server) and a plurality of other devices (such as cable modems) without need to share a secret key between the first device and the plurality of second devices.
U.S. Pat. No. 6,657,991 to Akgun, et al. issued Dec. 2, 2003 and entitled “Method and system for provisioning network addresses in a data-over-cable system” discloses a method and system for provisioning network addresses in a data-over-cable system. Provisioning of network addresses allows multiple “always-on” network devices with multiple associated devices to be used on a data-over-cable system with a limited public network address pool. The “always-on” network devices provide services, such as, Voice over Internet Protocol (“VoIP”), that typically require instant access to data-over-cable system. Network devices such as “always-on” cable modems may allocated private network addresses (e.g., Internet Protocol addresses) on the data-over-cable system. The private network addresses are not addressable outside the data-over-cable system. Other network devices associated with the cable modems, such as customer premise equipment, may be allocated public network addresses (e.g., Internet Protocol Addresses) on the data-over-cable system. The public network addresses are addressable outside the data-over-cable system. The network address provisioning is accomplished by selecting a private network address marker and a public network address marker for selected network devices and using an extended Address Resolution Protocol table to determine a device type. The private network address marker or public network address marker is added to a Dynamic Host Configuration Protocol message field by a cable modem termination system. A Dynamic Host Configuration Protocol server uses the private or public address marker to allocate a private network address or a public network address on the data-over-cable system.
U.S. Pat. No. 7,092,397 to Chandran, et al. issued Aug. 15, 2006 entitled “Method and apparatus for mapping an MPLS tag to a data packet in a headend” discloses a method of using DOCSIS 1.1 features to allow the addition of ISPs and QOS levels to a single cable modem without having to modify the CMTS is described in the various figures. Instead of using the SID of a data packet to determine the VPN tag of a data packet (DOCSIS 1.0), a service flow is used to identify the appropriate tag. This is done using the DOCSIS 1.1 configuration file. By doing so, the need for creating additional sub-interfaces in the cable modem interface does not arise. Instead, the configuration is modified at the provisioning server, i.e., the DHCP/TFTP server.
U.S. Pat. No. 7,107,326 to Fijolek, et al. issued Sep. 12, 2006 entitled “Method and system for integrating IP address reservations with policy provisioning” discloses a method and system for policy provisioning and access managing on a data-over-cable system. One method includes receiving a first message on a first network device such as a CMTS from a second network device and marking the first message with an identifier of a network access device. The method further includes intercepting the first message on a third network device prior to a first protocol network server such as a Dynamic Host Configuration Protocol (“DHCP”) server receives the first message. When the third network device intercepts the first message, the third network device determines the identity of the second network device. Based on the identity of the second network device and using the identifier of the network access device, the third network device manages an assignment of configuration parameters for the second network device.
U.S. Pat. No. 7,154,912 to Chong, et al. issued Dec. 26, 2006 entitled “System and method for provisioning broadband service in a PPPoE network using a list of stored domain names” discloses a modem that includes a list of the multiple domain names. Each of the domain names is associated with a different Broadband Service Node (BSN). A PPPoE session is established, and an authentication request, containing the identifier and a generic password, is transmitted from a modem to multiple domain names over the PPPoE network. Subsequently, authorization is received from at least one of the domain names. The authorization preferably comprises at least one static Internet Protocol (IP) address. The modem then obtains full configuration details from an Internet Service Provider (ISP). A system and a computer program product for provisioning broadband service in a Point-to-Point Protocol Over Ethernet (PPPoE) network is also disclosed.
United States Patent Application Publication No. 20020129358 to Buehl, et al. published Sep. 12, 2002 entitled “Cable billing systems and methods enabling independence of service marketing and provisioning from billing and collection of revenue” discloses systems and methods that divide the billing function of a billing system from the provisioning function of a service in digital cable systems. Because the billing system is only responsible for billing, rather than the provisioning of services, new services may be added to cable systems without the task of configuring the billing system specifically for new services added to the system. The services are implemented using an offering package created by the service, where the offering package contains billing related information forwarded to the billing system to bill for the service.
United States Patent Application Publication No. 20030048380 to Tamura published Mar. 13, 2003 entitled “Self provisioning Set-Top Box” discloses a self provisioning television Set-Top Box. The STB has an interface that couples the STB to a service provider and incorporates a cable modem. A programmed processor boots from a boot ROM and carries out a process for self provisioning in the event the STB is new and not set up to use the current service provider. The process includes initiating communication with the service provider using the cable modem and sending equipment identifying information including a Set-Top Box serial number and a smart card identifier to the service provider. The service provider replies with system specific information including an application server identifier from the service provider. The STB then sends a user profile to the service provider, and the service provider replies by sending account information including an account identifier.
United States Patent Application Publication No. 20030069965 to Ma, et al. published Apr. 10, 2003 entitled “Provisioning per cable modem” discloses a method and apparatus for provisioning on a per cable modem level includes associating any customer provided equipment behind a gateway cable modem to the same internet service provider as the cable modem.
United States Patent Application Publication No. 20040260798 to Addington, et al. published Dec. 23, 2004 entitled “Systems and methods for distributing software for a host device in a cable system” discloses systems and methods that may be used for provisioning, configuring, and controlling a host embodied in a cable set top box or other digital device attached to a digital communication network, such as cable distribution network. A services system maintains various host files for various types of hosts that a cable subscriber may purchase and connect to the cable network. The Services Server interacts with the host using the host files. The host files may be downloaded from the host manufacturer into a database that distributes the modules as required to the various enhanced services systems. The host may be purchased by the cable subscriber and provisioning may be initiated by the retailer at the time of purchase using a provisioning network interacting with the appropriate cable system serving the subscriber.
United States Patent Application Publication No. 20050015810 to Gould, et al. published Jan. 20, 2005 entitled “System and method for managing provisioning parameters in a cable network” discloses a system and method for managing provisioning parameters in a cable network. A dynamic TFTP (DTFTP) server and a CMTS manage the provisioning of devices in a cable network. The DTFTP server and the CMTS share common provisioning parameters. A provisioning parameter has a name and a value. When changes are made in the value of a provisioning parameter that is also used by a CMTSs supported by that DTFTP server, the DTFTP server securely communicates the new provisioning parameter values to each such CMTS. In one embodiment, the DTFTP server pushes the new provisioning parameter values to the CMTSs. In another embodiment, a poller pulls the provisioning parameters from the DTFTP server to a central datastore where changes in provisioning parameters used by the CMTSs supported by the DTFTP are identified. The changed provisioning parameter values are pushed from the central datastore to the CMTSs.
Despite the foregoing, there is a need for improved apparatus and methods for provisioning network devices or CPE (such as for example DSTBs used in a cable or satellite network) that specifically is compatible and complementary to the operation of so-called “downloadable” conditional access, DRM or TD systems (e.g., a DCAS system). Such improved provisioning apparatus and methods would ideally include the ability to rapidly and seamlessly add new CPE/host devices to the operator's network, and configure them with the necessary firmware, etc. to enable operation with the “download” CA/DRM/TD environments previously described. Moreover, the network operator would also ideally be able to remotely provision the hosts if desired, and deactivate the hosts remotely as well.
Such improved provisioning apparatus and methods would also ideally be delivery-mode agnostic; i.e., they would be compatible with VOD, broadcast, broadcast-switched, and other content delivery paradigms, and would further allow for an interoperable architecture with components from different network, secure component, and CPE vendors, in effect standardizing many aspects of device provisioning, billing, and content control.