This invention relates in general to encrypted broadcast messaging systems, and more specifically to a method and apparatus for conveying a private message, such as a session crypto-key, to selected members of a group in an encrypted broadcast messaging system; however, the present invention may also be utilized to encrypt and securely transmit digital content, such as audio, video, multimedia, and software objects over insecure channels.
Modern encrypted broadcast messaging systems can convey an encrypted message to a plurality of subscriber devices (SDs) through well-known encrypted broadcast techniques. Broadcast encrypted messages have typically been used for delivery of encrypted video, encrypted audio, and encrypted data. Popularly, such systems operate on a subscription basis. Such systems also can deliver a message conveying a session crypto-key to a group of subscriber devices through well-known group messaging techniques. A session typically lasts for the payment period of the subscription. Group messages have proven to be a highly efficient tool for conveying information to large groups of subscribers through a single broadcast transmission. One example of such a commercial application is the satellite transmission of premium programming such as video and audio products.
A limitation of prior art encrypted broadcast messaging systems has been an inability to deliver a private message containing, for example, a session crypto-key efficiently and privately only to a selected sub-group of members of the group using a current session crypto-key, the separate session crypto-key typically being the crypto-key for the next subscription payment period. That is, all subscriber devices capable of receiving and decrypting an encrypted group message using a current session crypto-key have been able to decrypt a subsequent transmission of a separate session crypto-key intended only for selected members of the group. To prevent excluded members of the group from receiving and decrypting such a separate session crypto-key intended for the rest of the group, addressing capability was built into subscriber devices limiting capture of the information in a message containing the separate session crypto-key only to addressed subscriber devices. Continuing with the commercial example, the excluded members would represent subscribers that have accounts that are past due. This type of operation has worked reasonably well for many systems, but does not work as well for preventing unauthorized pirate reception using tampered subscriber devices or purpose-built devices having the addressing capability overridden. As an alternative approach some subscriber devices have incorporated a second unique individual crypto-key, allowing individual transmissions of any message, including a separate session crypto-key, encrypted uniquely to each of the plurality of selected subscriber devices in the group. This has worked reasonably well for small groups and in groups whose members substantially change authorization to receive, but transmitting a session crypto-key to each of the individuals of a large group generates a lot of traffic and is inefficient.
Thus, what is needed is a method and apparatus for conveying a private message only to selected member subscriber devices of a group. Preferably, the method and apparatus will retain the high efficiency characteristics of prior art group broadcast encrypted messaging techniques, while adding a significant degree of exclusion of members of the group not selected as well as other unauthorized recipients.
An aspect of the present invention is a method in an encrypted broadcast messaging system for conveying a private message to selected subscriber devices of a group of subscriber devices, all subscriber devices of the group having at least a first and second management crypto-keys. Of course, each subscriber may possess more than two crypto-keys, but two keys are required to achieve the minimum gain in efficiency offered by this invention. The method comprises the step of determining the collection (the Union) of management crypto-keys held by the selected subscriber devices and for each subscriber device having at least one crypto-key from the Union and not selected to received the private message a Residuum of crypto-keys in the Union not held by the subscriber device. Unique sets of management crypto-keys are assigned and pre-programmed into the subscriber devices of the group such that each of any two subscriber devices in the group has at least one management crypto-key from the management crypto-keys assigned to the group that the other subscriber device does not have, each management crypto-key being unique from all other crypto-keys. Pre-programming of management crypto-keys is desirable to prevent possible eavesdropping, lessen the traffic load on the communication channel, and reduce the lead time prior to delivering a private message, but pre-programming is not required. The method further comprises the step of decomposing the private message into message-parts, at least one message-part for each of the subscriber devices of the group not selected, that is, to be excluded, the message-part being associated to the excluded subscriber device and the management crypto-keys held by it. Each message-part is intended to be encrypted using management crypto-keys held by the selected subscriber devices and not held by the associated excluded subscriber device. The method further comprises the step of encrypting the message-parts, each message-part being encrypted using at least one of the intended management crypto-keys, by encrypting a copy of each message-part. The method further comprises the step of delivering the necessary encrypted message-parts to at least the selected subscriber devices of the group, the message-parts delivered and the message-parts necessary to form the private message by a subscriber being identified in delivery or determined in reception. The method further comprises the step of decrypting at least one of encrypted message-parts received by the selected subscriber devices using an intended management crypto-key. The method further comprises the step of choosing by the selected subscriber devices sufficient decrypted message-parts to form the private message from the identified necessary message-parts and the message-parts received, and forming the private message by combining.
Another aspect of the present invention is a subscriber device in an encrypted broadcast messaging system for obtaining a private message delivered to selected member subscriber devices of a group. The subscriber device comprises a receiving interface for receiving a message-part encrypted using a management crypto-key. The subscriber device further comprises a processing system coupled to the receiving interface for processing the message-parts. The processing comprises decrypting the message-parts using an intended management crypto-key, choosing from the at least one decrypted message-parts at least one message-part sufficient to re-compose the private message, and forming a private message by combining the chosen message-parts.
Another aspect of the present invention is a group manager (GM) for delivering a private message only to selected member subscriber devices of a group. The group manager comprises a source interface for receiving subscriber authorizations. The authorizations identify the subscriber devices to be selected to receive a private message, the private message being provided by the source. The group manager further comprises a processing system coupled to the source interface for processing the authorizations into key-sets and for decomposing the private message into message-parts and for encrypting the message-parts according to the key-sets. The processing system further forms the message-parts and key-sets into messages that can be utilized by subscriber devices in the group, identifying the message-parts delivered and message-parts necessary to form the private message. The processing system comprises a conventional computer system and storage, with mass storage for larger systems. The computer system performs the processing preferably utilizing a group database stored in the mass media storage recording the association of the management crypto-keys to each of the subscriber devices in the group, from which sets of management crypto-keys are identified. These key-sets, the Union of management crypto-keys of all selected subscriber devices and the Residua of management crypto-keys one Residuum for each excluded subscriber device, along with the associated crypto-keys, are used to perform encryption processing utilizing encryption programming also stored in the mass media storage. Residuum is the sub-set of the Union which does not intersect the set of management crypto-keys held by the excluded subscriber device. The group manager also comprises a distribution interface coupled to the processing system for delivering the message-part messages to a distribution communication network.
A further aspect of the present invention is a method in an encrypted broadcast messaging system for conveying a private message to selected subscriber devices of a group of subscriber devices wherein the method further comprises a pre-combining step and a supplying step. The encrypting step further comprises the step of pre-combining the decomposed message-parts into first resultant message-parts, one for each of the plurality of management crypto-keys held by the selected members, prior to encrypting. The encrypting step further comprises the step of supplying prior to encrypting to at least those of the selected member subscriber devices that cannot form the private message from the first resultant message-parts alone, second resultant message-parts. Second resultant message-parts are formed by pre-combining the decomposed message-parts in combination sufficient to allow all selected subscriber devices to form the private message by combining received resultant message-parts. The set of second resultant message-parts may be empty.
A further aspect of the present invention in the group manager for delivering a private message to selected member subscriber devices of a group is additional processing of the message-parts to pre-combine the decomposed message-parts into first resultant message-parts, one resultant for each of the management crypto-keys in the Union, prior to encrypting. The additional processing further comprises supplying prior to encrypting to those of the selected member subscriber devices that cannot form the private message from the first resultant message-parts alone, second resultant message-parts. Second resultant message-parts are formed by pre-combining the decomposed message-parts in combination sufficient to allow all selected subscriber devices to re-compose the private message by combining received resultant message-parts.
In the preferred embodiment of the present invention, a management key is a message which is transmitted to the authorized and intended subscribers in a secure broadcast transmission. However, the present invention may be utilized for the secure transmission of digital content, including, but not limited to, audio products, video products, multimedia products and software objects such as data and programs. In order to implement such an embodiment it will be necessary to segment the digital content into subparts, and then encrypt each subpart utilizing different secret crypto keys.
In alternative embodiments, the present invention may utilize security devices other than, or in combination with, private crypto keys. For example, alternative security devices may be utilized. Such security devices include security protocols, security algorithms, mathematical functions, methods of processing, software security devices, hardware security devices, any combination software-hardware security devices, hash functions, serial numbers, clock values, initial values, random variables, initialization vectors, and any security value determined by cyclic process. In such an implementation, the present invention is directed to a method of securely broadcasting a message from a message source over an insecure communication channel to included communicants, but not to excluded communicants. The method is composed of a number of method steps. First, a set of private security devices is provided. The set may include one or more of the above-identified security devices. Next, a subset of the security devices is provided to each communicant. For example, one communicant may be given a particular public key-private key pair and a particular mathematical function, while another communicant may be given a hash function and a shared-secret key. All that is required is that each communicant have a unique subset of the security devices taken from the set of available security devices, as compared to all other communicants. Next, the included communicants and excluded communicants are identified. As a practical matter, the excluded communicants may be subscribers that are past due on their accounts, or subscribers which have not paid for a particular type of premium service. Then, particular ones of the private security devices are selected from the set of available private security devices through a combination of (1) analysis of the security device allocation among the included communicants and excluded communicants, and (2) potential decomposition of the message. Then, the particular selected ones of the private security devices are utilized to encrypt particular portions-of the message. The encrypted form of the message is then communicated over an insecure communication channel. Then the included communicants are allowed to utilize the particular ones of the private security devices, which are in their possession, to decrypt the message. Those excluded communicants are not able to decrypt the message, since they lack one or more of the security devices necessary to decrypt or decipher one or more of the message subparts.
The foregoing and additional objectives are achieved as follows.
The above as well as additional objectives, features, and advantages will become apparent in the following description.