By way of introduction, content issued by a content provider is typically encrypted using a cryptographic key. The cryptographic key is typically changed periodically and frequently, every cryptoperiod, in order to prevent key attacks that lead to unauthorized access to the content. In order to efficiently store a collection of keys that change over time, it is generally necessary to generate the keys by deriving a series in a one-way manner. As will be explained in more detail below, only the last issued key needs to be retained by the content consuming device and previous keys can then be derived from the last issued key. An example of key generation is described in section 7.3 of a document entitled “DRM Specification, Approved Version 2.0—3 Mar. 2006” issued by the Open Mobile Alliance of 4275 Executive Square, Suite 240, La Jolla, Calif. 92037, USA or via the website at www.openmobilealliance.org.
Reference is now made to FIGS. 1 and 2. FIG. 1 is a partly pictorial, partly block diagram view of a hash-chain 10 used in key-production. FIG. 2 is a partly pictorial, partly block diagram view of keys 12 being issued after a subscription.
The hash-chain 10 has a root key 14, which is input to the function f, thereby producing a key Xi. The key Xi is in turn input to the function f, thereby producing a key Xi−1. The process is then continued until the hash-chain 10 is large enough for the needs of the application, giving keys 12 (for example, but not limited to, keys X0, X1, X2, X3 and so on), of which generally one is issued at a time. The function f is typically a cryptographic one-way function.
The root key 14 of the series of the hash-chain 10 is generally kept by the deriving side, for example, but not limited to, a broadcasting Headend or the Rights Issuer. The Rights Issuer then issues keys periodically, typically starting from the last key in the series, X0 in the example of FIG. 1, and then continuing issuing new keys back one-by-one towards the root key 14 so that the order of issuance is in the opposite direction to the order of derivation.
The first key issued to the subscribers is the key X0. The key X0 is suitable as a decryption key for content issued in the first time period (January). Similarly, in the next time period (February), the key X1 is issued to the subscribers to decrypt content issued in February. In the following time period (March), a key X2 is issued to the subscribers to decrypt content issued in March, and so on. It will be appreciated that when the subscribers hold key X1, the subscribers no longer need to hold the key X0, as the key X0 can be determined from the key X1 using the function f. Similarly, when the subscribers hold the key X2, the subscribers no longer need to hold the keys X1 and X0, as the keys X1 and X0 can be determined from the key X2 using the function f.
Reference is now made to FIG. 2. A subscriber (not shown) subscribes in March and receives the key X2 in March, the key X3 in April and the key X4 in May.
Reference is now made to FIG. 3, which is a partly pictorial, partly block diagram view of prior keys 16 being generated from a current key 18. In June, the subscriber receives the key X5. The keys X0, X1, X2, X3 and X4 can all be determined from the key X5 using the function f. The keys X0 and X1 allow the subscriber to decrypt content issued in January and February, respectively. However, the subscriber only began subscribing in March. Therefore, the subscriber is gaining free access to the January and February content.
Therefore, when derived keys are shared by many clients, for example, but not limited to, access keys to a service that is broadcast and stored, everyone included in the subscription for a service receives all the current keys, but also has the ability to derive all the past keys, even for periods for which the clients were not subscribed.
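The hash-chain of FIGS. 1 to 3 can be sketched as follows; this is an added example, not part of the original specification. It assumes SHA-256 as the one-way function f, a constructed root key, a six-key chain (X0 to X5) and period index 0 for January; the function names are hypothetical.

```python
import hashlib

def f(key: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the one-way function f.
    return hashlib.sha256(key).digest()

def build_chain(root: bytes, length: int) -> list:
    """Deriving side: root -> X(length-1) -> ... -> X0.
    Returns the keys indexed by period, so result[0] is X0."""
    keys, k = [], root
    for _ in range(length):
        k = f(k)
        keys.append(k)
    keys.reverse()  # derivation order is the opposite of issuance order
    return keys

def derive_prior(current: bytes, current_index: int, wanted_index: int) -> bytes:
    """Client side: compute X(wanted_index) from the held key X(current_index)."""
    if wanted_index > current_index:
        # Later keys lie toward the root; f cannot be inverted to reach them.
        raise ValueError("cannot derive a key for a later period")
    k = current
    for _ in range(current_index - wanted_index):
        k = f(k)
    return k

def unentitled_periods(subscribed_from: int, held_index: int) -> list:
    """Periods whose keys the holder of X(held_index) can derive
    although they precede the start of the subscription."""
    return [i for i in range(held_index + 1) if i < subscribed_from]

if __name__ == "__main__":
    chain = build_chain(b"constructed-root-key", 6)   # constructed sample root
    x5 = chain[5]                                     # key issued in June
    # The subscriber joined in March (period 2) and now holds X5.
    for period in unentitled_periods(subscribed_from=2, held_index=5):
        recovered = derive_prior(x5, 5, period)
        print(period, recovered == chain[period])     # January and February match
```

Running the block shows that the key held in June reproduces the January and February keys exactly, while any request for a later period is refused because it would require inverting f.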
The following reference is also believed to represent the state of the art:
Israel unpublished patent application 174494 of NDS Limited entitled “Period Keys”.
The disclosures of all references mentioned above and throughout the present specification, as well as the disclosures of all references mentioned in those references, are hereby incorporated herein by reference.