`
`
`Exhibit 10
`
`
`
`Case 5:16-cv-00349-NC Document 19-13 Filed 04/11/16 Page 2 of 13
`Case 5‘16'°”'°°349'”C D°°””"e”‘lllfllillflllllllllllllflllllllllllfllllllmfllllflllfllllflllllllllll
`
`US006148081A
`
`United States Patent
`
`[19]
`
`[11] Patent Number:
`
`6,148,081
`
`Szymanski et al.
`
`[45] Date of Patent:
`
`*Nov. 14, 2000
`
`[54] SECURITY MODEL FOR INTERACTIVE
`TELEVISION APPLICATIONS
`
`[75]
`
`Inventors: Steven Szymanski, San Jose; Jean
`Rene Menand; Vincent Dureau, both
`of Palo Alto, all of Calif.; Suresh N.
`Chari, Elmsford, NY
`
`5,536,260 12/1996 Hu .
`5,625,693
`4/1997 Rohatgietal.
`5,920,626
`7/1999 Durden et al.
`.......................... .. 380/10
`
`FOREIGN PATENT DOCUMENTS
`
`97/24832
`98/00972
`
`7/1997 WIPO .
`1/1998 WIPO .
`
`[73] Assignee: 0penTV, Inc., Mountain View, Calif.
`[ * ] Notice:
`This patent is subject to a terminal dis-
`claimer.
`
`t£gC:‘Z1?Z1:;:l:lE)fd(1:'Jf£ann
`fhtltoggex Agent’ or Firm_B' N061 Kivhn; Conley’ Rose &
`y
`
`[21] Appl. No.: 09/196,964
`
`[22l
`
`Ffledi
`
`N0V- 20: 1998
`
`Related U-S- Applicatiml Data
`.
`.
`.
`.
`.
`C°m1nuat1°n‘1n‘p‘“t Of apphcatlon N0‘ 09/087>386> May
`29, 1998, Pat. No. 6,038,319.
`
`[63]
`
`Int. Cl.7 ...................................................... .. H04L 9/32
`[51]
`
`[52] US, Cl,
`................ .,
`380/33; 455/13
`
`[58] Field of Search
`380/5, 7, 10, 23,
`380/233, 236, 235, 20’ 259, 33; 348/3;
`455/13
`
`[56]
`
`References Cited
`
`4,995,080
`5,046,090
`
`Us‘ PATENT DOCUMENTS
`2/1991 Bestler et al.
`.
`9/1991 Walker et al.
`
`............................ .. 380/5
`
`[57]
`
`ABSTRACT
`.
`.
`.
`.
`.
`A system and method implemented in an interactive televi-
`sion system for restricting or controlling the access rights of
`interactive television applications and carousels. The system
`broadcasts modules from a broadcast station to a plurality of
`receiving stations, which execute applications containing the
`modules.
`In one embodiment,
`the applications utilize a
`.
`.
`.
`.
`.
`.
`credential consisting of a producer identification number
`(ID) and an application ID for each of the grantor and
`grantee applications, an expiration date, a set of permission
`data, a producer certificate and a signature. An application
`r(e1que%tii(1igbaccess and a ca(riousel gréinting. access may Ee
`1 enti e
`y respective pro ucer an
`app ication IDs. T e
`credential utilizes public key encryption to ensure the integ-
`rity of the credential. The producer and application IDs may
`be replaced with Wildcards so that rights may be granted to
`a group of producers or applications.
`
`26 Claims, 4 Drawing Sheets
`
`
`
`
`
`Case 5:16-cv-00349-NC Document 19-13 Filed 04/11/16 Page 3 of 13
`Case 5:16—cv—OO349—NC Document 19-13 Filed 04/11/16 Page 3 of 13
`
`U.S. Patent
`
`Nov. 14,2000
`
`Sheet 1 of4
`
`6,148,081
`
`SOURCE
`11
`
`
`
`COMPRESSION
`PACKETIZATION
`1§
`12
`
`
`
`
`11
`
`
`
`
`SOURCE
`
`11
`
`SOURCE
`
`FIG. 1
`
`BROAD-
`CAST
`
`SIGNAL
`
`I
`
`, _ _ _ . . _ _ _ _ _ _ _ _ _ . _ _ . . . . . _ _ _ _ _ _ _ _ . . _ __,
`I RE_C—E|VER
`
`TO TV L_-_..-
`
`
`
`
`
`Case 5:16-cv-00349-NC Document 19-13 Filed 04/11/16 Page 4 of 13
`Case 5:16—cv—OO349—NC Document 19-13 Filed 04/11/16 Page 4 of 13
`
`U.S. Patent
`
`Nov. 14,2000
`
`Sheet 2 of4
`
`6,148,081
`
`TRANSMISSION
`
`ORDER
`
`DIRECTORY
`
`CAROUSEL
`MODULES
`
`DIRECTORY
`
`.
`
`-
`
`MODULE 1
`
`MODULE 15
`
`MODULE 2
`
`::{>
`
`DIRECTORY
`
`MODULE N
`
`MODULE 16
`
`MODULE N
`
`DIRECTORY
`
`MODULE 1
`
`FIG. 3
`
`
`
`Case 5:16-cv-00349-NC Document 19-13 Filed 04/11/16 Page 5 of 13
`Case 5:16—cv—OO349—NC Document 19-13 Filed 04/11/16 Page 5 of 13
`
`U.S. Patent
`
`Nov. 14,2000
`
`Sheet 3 of4
`
`6,148,081
`
`51‘
`
`DATA
`
`52.
`
`Q
`
`
`
`DATA
`5€3_a
`
`DATA
`56b
`
`'
`
`'
`
`'
`
`DATA
`H
`éx @
`
`CRC
`3
`
`
`
`
`
`
`
`FIG. 5
`
`
`
`Case 5:16-cv-00349-NC Document 19-13 Filed 04/11/16 Page 6 of 13
`Case 5:16—cv—OO349—NC Document 19-13 Filed 04/11/16 Page 6 of 13
`
`U.S. Patent
`
`Nov. 14, 2000
`
`Sheet 4 0f 4
`
`6,148,081
`
`
`
`
`70\\
`
`
`
`PRODJD
`Z1
`
`EXR
`
`ACCESS
`DATA
`
`77
`
`
`
`
`
`SIGNED
`
`SIGNED
`Z2
`
`FIG. 6b
`
`
`
`73a
`
`73b
`
`73c
`
`/60
`
`
`
`
`
`
`
`
`
`
` 66
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`PRODJD
`_6_1
`
`APPJD
`
`PRODJD
`
`APPJD
`
`EXR
`§§
`
`ACCESS
`DATA
`§§
`
`CERT.
`
`SIGNED
`
`QGNED
`§Z
`
`FIG. 6a
`
`
`
`Case 5:16-cv-00349-NC Document 19-13 Filed 04/11/16 Page 7 of 13
`Case 5:16-cv-OO349-NC Document 19-13 Filed 04/11/16 Page 7 of 13
`
`6,148,081
`
`2
`
`1
`SECURITY MODEL FOR INTERACTIVE
`TELEVISION APPLICATIONS
`
`This application is a continuation-in-part application of
`application Ser. No. 09/087,386, filed May 29, 1998, now
`U.S. Pat. No. 6,038,319,
`issued Mar. 14, 2000, entitled
`“Security Model for Sharing in Interactive Television Appli-
`cations.”
`
`BACKGROUND OF THE INVENTION
`
`1. Field of the Invention
`
`The invention relates to interactive television systems and
`more particularly to means for enforcing security in regard
`to interactive television applications which may access other
`modules or take some action which is restricted.
`
`2. Description of the Related Art
`Interactive television systems enable television sets to be
`used to provide various new means for providing services to
`viewers. Interactive television systems are capable of dis-
`playing text and graphic images in addition to typical video
`program streams. Interactive television systems are also
`capable of registering viewer actions or responses. Proposed
`features of interactive television include a variety of
`marketing, entertainment and educational capabilities such
`as allowing a user to interact with televised programs by
`ordering advertised products or services, competing against
`contestants in a game show, or requesting specialized infor-
`mation regarding particular programs.
`Typically, a broadcast service provider generates an inter-
`active television signal for transmission to a viewer’s tele-
`vision. The interactive television signal includes an interac-
`tive portion consisting of application code or control
`information, as well as an audio-video portion consisting of
`a television program. The broadcast service provider com-
`bines the audio-video and interactive portions into a single
`signal for transmission to a receiver connected to the user’s
`television. The signal
`is generally compressed prior to
`transmission and transmitted through typical broadcast
`channels, such as cable television (CATV) lines or direct
`satellite transmission systems.
`The interactive functionality of the television is controlled
`by a set-top box connected to the television. The set-top box
`receives the signal
`transmitted by the broadcast service
`provider, separates the interactive portion from the audio-
`video portion and decompresses the respective portions of
`the signal. The set-top box uses the interactive information,
`for example, to execute an application while the audio-video
`information is transmitted to the television. The set-top box
`may combine the audio-video information with interactive
`graphics or audio generated by the interactive application
`prior to transmitting the information to the television. The
`interactive graphics and audio may present additional infor-
`mation to the viewer or may prompt the viewer for input.
`The set-top box may provide viewer input or other infor-
`mation to the broadcast service provider via a modem
`connection.
`
`Interactive television applications consist of one or more
`program modules. If the application has more than one
`module,
`the set of modules forming the application is
`typically self-contained. That is, all of the code needed by
`the application is in that set of modules. The first module is
`a directory module which identifies all of the modules which
`are part of the application. The entire set of modules, which
`is listed in the directory module,
`is transmitted via the
`broadcast channel to the set-top box and the application is
`executed. (The set of modules may be referred to as a
`
`5
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`carousel, as explained below.) If a first interactive television
`application has completed execution and a second is to be
`executed, the directory and other modules of the second
`application are transmitted to the set-top box and the second
`application is executed. The entire set of modules used by
`the second application are transmitted even though some of
`the modules might be identical to modules used by the first
`application.
`It may be advantageous to design software applications in
`a modular fashion so that modules may be shared between
`applications. The advantages of modularity may include
`conserving the limited amount of memory in a set-top box
`which can be used for interactive applications, reducing the
`time required to download applications from a broadcast
`station to a set-top box or reducing the amount of application
`code which must be written by allowing modules to be
`shared. Because the components of an application may
`reside in different carousels, it would be desirable to ensure
`the security of the respective modules and accordingly
`restrict access to authorized modules.
`
`It would also be advantageous to provide a mechanism for
`allowing applications to interact with each other in a con-
`trolled manner, even when they do not share modules. For
`example,
`if one application transfers control
`to another
`application and the second application stalls, the first appli-
`cation may need to terminate the second application in order
`to regain control. It would therefore be desirable to provide
`a system which can verify the first application’s access
`rights and determine whether to allow the first application to
`take such an action. Further,
`it would be desirable to
`implement
`these features in a way that minimizes the
`overhead associated with the system.
`
`SUMMARY OF THE INVENTION
`
`The invention comprises a system and method for restrict-
`ing or controlling the access rights of interactive television
`applications. (“Access rights” is used here to refer to the
`right of an application to share program modules, control
`other applications, use system resources or take some other
`action.) One embodiment of the invention provides means in
`an interactive television system to verify the credentials of
`certain applications which attempt to take actions which
`may affect other applications. The system is implemented in
`order to ensure the security, safety and authority of the
`respective applications with respect to certain operations.
`The system utilizes a credential consisting of various pieces
`of information to identify an application and its respective
`privileges, rights and restrictions.
`In one embodiment, the credential contains a producer
`identification number (ID) and an application ID for the
`application, an expiration date, a list of rights, a producer
`certificate and a signature. The producer and application IDs
`uniquely identify the application. The list of rights identifies
`the application’s ability to exercise restricted rights, such as
`accessing another application’s modules or terminating the
`other application’s execution. The restricted rights may
`pertain to any operation performed by applications in the
`system. The expiration date sets a time limit beyond which
`the credential is no longer valid. The credential utilizes
`public key encryption (described in more detail below) for
`security. The producer certificate is the producer’s public
`key. The entire credential is signed with the producer’s
`private key so that the integrity of the credential can be
`verified.
`
`In one embodiment, a credential may be used to provide
`a mechanism by which a first application may grant permis-
`
`
`
`Case 5:16-cv-00349-NC Document 19-13 Filed 04/11/16 Page 8 of 13
`Case 5:16—cv—OO349—NC Document 19-13 Filed 04/11/16 Page 8 of 13
`
`6,148,081
`
`3
`sion to a second application to share its code or take an
`action with respect to the first application. The owner of the
`first application has an ID which identifies it in the creden-
`tial. Likewise, the second application has an ID which is
`listed in the credential as the application being granted the
`permission. The owners of both the first and second appli-
`cations have assigned specific IDs to the applications, each
`ID being unique among the applications of that owner. The
`owner also has its own ID which is unique among owners
`(producers). Any given application can therefore be identi-
`fied by its owner and application IDs. Thus, any given
`application can grant particular permissions to a specific
`application owned by a specific owner. The producer and
`application IDs of the applications may be replaced with
`wildcards so that a single application may grant certain
`permissions to a group of owners or applications.
`In one embodiment, the credential may be used to control
`the actions of a first application which do not affect other
`applications. For example, an application may attempt to
`access private, restricted data stored in a set-top box. The
`set-top box may be configured to allow access to the
`locations in memory corresponding to the restricted data
`only when presented with a valid credential indicating a
`right to access the data. In another embodiment, the system
`may be configured to restrict access to other system
`resources such as the return path to the broadcast station.
`The system may check an application’s credential(s) before
`it begins execution or when access to the return path is
`requested. Access is permitted if a valid credential indicates
`permission to use the return path. The credentials may be
`used to control any number of functions of an application
`and there may be many variations in the implementation of
`the mechanism which is used to validate the credentials.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`Other objects and advantages of the invention will
`become apparent upon reading the following detailed
`description and upon reference to the accompanying draw-
`ings in which:
`FIG. 1 is a block diagram illustrating the distribution of
`interactive television applications and television programs
`from their sources to a series of viewers.
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`FIG. 2 is a block diagram of a set-top box used in one
`embodiment of the invention.
`
`45
`
`FIG. 3 is an illustration of the component modules of a
`carousel and the transmission order of the modules in one
`embodiment of the invention.
`
`FIG. 4 is a block diagram illustrating the manner in which
`the data comprising a module is packetized in one embodi-
`ment of the invention.
`
`50
`
`FIG. 5 is a diagrammatic representation of the signal
`transmitted from the broadcast station to a receiving station
`in one embodiment of the invention.
`
`FIG. 6a is a block diagram illustrating the data structure
`of a credential used in one embodiment of the invention.
`
`FIG. 6b is a block diagram illustrating the data structure
`of a credential used in another embodiment of the invention.
`
`While the invention is susceptible to various modifica-
`tions and alternative forms, specific embodiments thereof
`are shown by way of example in the drawings and will
`herein be described in detail.
`It should be understood,
`however, that the drawings and detailed description thereto
`are not intended to limit the invention to the particular form
`disclosed, but on the contrary, the intention is to cover all
`modifications, equivalents and alternatives falling within the
`
`55
`
`60
`
`65
`
`4
`spirit and scope of the present invention as defined by the
`appended claims.
`
`DETAILED DESCRIPTION OF THE
`PREFERRED EMBODIMENT
`
`One embodiment of the invention is described below. In
`
`this embodiment, an interactive television receiver accepts
`an audio-video-interactive signal via a broadcast channel
`such as direct satellite transmission. (“Direct” satellite trans-
`mission as used herein contemplates transmissions received
`by the interactive television receiver, more particularly by its
`antenna, directly from the satellite.) The audio-video-
`interactive signal contains television programs or similar
`audio-video content, as well as interactive content such as
`control signals or interactive applications. (“Broadcast” is
`used herein to refer to transmission of a single signal to all
`subscribing receivers.) The interactive television receiver is
`also configured to receive audio-video-interactive signals
`via a non-broadcast channel such as a modem. The interac-
`
`tive television receiver is configured to separate the audio-
`video content from the interactive content of the audio-
`
`is
`video-interactive signal. The audio-video content
`processed for display as a television program, while the
`interactive content
`is processed for execution by the
`receiver. The interactive content may enable the receiver to
`perform a variety of functions, including generating audio or
`graphics which are combined with the television program
`for display.
`If the interactive content comprises an
`application,
`the application may consist of several sub-
`components, or modules. The modules can contain any type
`of data, such as application code, raw data or graphical
`information.
`
`The modules which form the interactive application usu-
`ally belong to a single set of modules referred to as a
`carousel. A carousel can generally be defined as a set of
`modules which are owned by the same producer and have
`the right to access each other. The modules are referred to as
`a carousel because they are typically transmitted to the
`interactive television receiver in a cyclic manner. An appli-
`cation is a carousel which contains a “top-level” program.
`It may be desirable to allow an application to access
`modules of another carousel (for sharing of data, transferring
`control of applications or other purposes). An application or
`module of one carousel can interact with modules of another
`
`carousel or with the interactive television system by employ-
`ing “credentials.” The credentials are sets of data which can
`be used to identify and verify the privileges and limitations
`of particular modules. The privileges and limitations may
`relate to whether a module is authorized to interact with the
`other modules or take some action which is otherwise
`
`restricted, such as accessing restricted areas of memory. The
`credentials may utilize wildcards to grant privileges to a
`number of modules without having to maintain a list of all
`the involved modules.
`
`Referring to FIG. 1, a block diagram illustrating the
`distribution of interactive television applications and tele-
`vision programs from their sources to a series of viewers is
`shown. Broadcast station 10 has several program sources 11.
`These sources may include remote broadcast network feeds,
`videotape recorders, computers, data storage devices, and
`the like. Sources 11 may provide interactive or control
`information, audio information and/or video information
`which is to be included in the interactive television signal.
`The information provided by sources 11 is typically com-
`pressed by compression units 12 in order to conserve
`bandwidth. Any of a number of compression algorithms,
`
`
`
`Case 5:16-cv-00349-NC Document 19-13 Filed 04/11/16 Page 9 of 13
`Case 5:16—cv—OO349—NC Document 19-13 Filed 04/11/16 Page 9 of 13
`
`6,148,081
`
`5
`
`such as one of the Motion Picture Expert Group (MPEG)
`compression standards, may be used. The choice of an
`appropriate compression algorithm will depend on the type
`of information to be compressed and the transmission
`medium, among other things. Time stamps may also be
`added to, for example, synchronize associated audio and
`video signals. Some information may not be easily or
`effectively compressed, so some of the information may be
`routed directly from the source to packetization unit 13
`without compressing the information. Packetization units 13
`accept the compressed (or uncompressed) information and
`format it into packets for transmission over the broadcast
`channel. The packetization of the information will be
`described in more detail below. The packets are fed into
`multiplexing unit 14, which intersperses the packets prior to
`transmission. The interspersed packets are then broadcast to
`the receiving stations 20. (Although only one receiving
`station is shown in the figure, it is contemplated that the
`audio-video-interactive signal is broadcast to a group of
`subscribing receiving stations.) In the figure,
`the audio-
`video-interactive signal is depicted as being transmitted via
`satellite broadcast through antenna 15.
`The broadcast signal is relayed by communications sat-
`ellite 18 and received by receiving station 20. Although the
`figure illustrates a satellite transmission, it is contemplated
`that any broadcast medium (e.g., CATV or direct satellite
`transmission) may be used. (It should be noted that alternate
`embodiments of the invention may be implemented using
`point-to-point or other types of data distribution systems.)
`Receiving station 20 is contemplated to be one of a number
`of such stations which are subscribers of the broadcast
`
`service provider operating broadcast station 10. The broad-
`cast signal is collected by receiving antenna 21 and fed to
`receiver 22, which in this embodiment is contemplated to be
`a set-top box. Set-top box 22 processes the packetized signal
`to reconstruct the television programs and interactive appli-
`cations embodied in the signal. The reconstructed applica-
`tions are executed in the set-top box, while the reconstructed
`television programs are passed to the television, where they
`are displayed. The interactive applications may generate
`graphics or audio which are combined with the television
`program prior to being displayed.
`In addition to the broadcast channel between the broad-
`
`there may be other
`cast station and receiving station,
`channels, such as a modem channel (which may also be
`referred to as an http, or hypertext
`transfer protocol,
`channel.) These types of channels serve two functions in the
`system: they allow the set-top box to provide feedback to the
`broadcast station; and they provide an alternate path for
`programs and applications from sources 12 to be delivered
`to receiving station 20.
`Referring to FIG. 2, a block diagram of a set-top box 22
`is shown. The broadcast signal is received and fed into tuner
`31. Tuner 31 selects the channel on which the broadcast
`
`audio-video-interactive signal is transmitted and passes the
`signal to processing unit 32. (Tuner 31 may be replaced by
`other means, all collectively referred to herein as input ports,
`for receiving signals from various signal sources.) Process-
`ing unit 32 demultiplexes the packets from the broadcast
`signal if necessary and reconstructs the television programs
`and/or interactive applications embodied in the signal. The
`programs and applications are then decompressed by
`decompression unit 33. The audio and video information
`associated with the television programs embodied in the
`signal
`is then conveyed to display unit 34, which may
`perform further processing and conversion of the informa-
`tion into a suitable television format, such as NTSC or
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`6
`HDTV audio/video. Applications reconstructed from the
`broadcast signal are routed to random access memory
`(RAM) 37 and are executed by control unit 35.
`Control unit 35 may include a microprocessor, micro-
`controller, digital signal processor (DSP), or some other type
`of software instruction processing device. RAM 37 may
`include memory units which are static (e.g., SRAM),
`dynamic (e.g., DRAM), volatile or non-volatile (e.g.,
`FLASH), as required to support the functions of the set-top
`box. When power is applied to the set-top box, control unit
`35 executes operating system code which is stored in ROM
`36. The operating system code executes continuously while
`the set-top box is powered in the same manner the operating
`system code of a typical personal computer (PC) and enables
`the set-top box to act on control information and execute
`interactive and other applications. The set-top box also
`includes modem 38. Modem 38 provides both a return path
`by which viewer data can be transmitted to the broadcast
`station and an alternate path by which the broadcast station
`can transmit data to the set-top box.
`it is
`Although the term “set-top box” is used herein,
`understood that this term refers to any receiver or processing
`unit for receiving and processing a transmitted signal and
`conveying the processed signal
`to a television or other
`monitor. The set-top box may be in a housing which
`physically sits on top of a television, it may be in some other
`location external to the television (e.g., on the side or back
`of the television or remotely located from the television), or
`it may be incorporated into the television itself. Set-top box
`22 serves to demodulate the signal received from broadcast
`station 10 and to separate the components of the signal, such
`as different television programs and interactive applications.
`Similarly,
`television 23 may be a television or a video
`monitor employing any suitable television format (e.g.,
`NTSC or HDTV), or it may be replaced by other devices,
`such as a video recorder.
`
`The receiving station is operatively connected to the
`broadcast station by a broadcast channel. This broadcast
`channel could utilize various transmission media and is
`
`contemplated to include media such as coaxial cable and
`free space (e.g., as used for direct satellite transmissions.)
`The broadcast channel forms a transmission path between
`the broadcast station and the receiving station. The broadcast
`station and receiving station are also connected by a return
`path. The return path typically consists of a pair of modems,
`one in the receiving station and one in the broadcast station,
`each connected to a standard telephone line. Other means for
`establishing a return path, e.g., using a portion of the
`bandwidth of the transmission path, are also contemplated.
`Referring to FIG. 3, an application or carousel consists of
`a series of modules, one of which is a directory module. The
`directory module has a unique identifier so that it can be
`identified during transmission without further information.
`The directory module contains an entry for each of the
`modules in the application and any module which does not
`have a corresponding entry in the directory module is not
`recognized by the application. The directory module con-
`tains enough information to allow the interactive television
`receiver to access all of the parts (i.e., modules) of the
`application which may be necessary for execution of the
`program. The directory module must be accessed before the
`other modules of the application so that the remainder of the
`modules can be properly interpreted. The directory module
`may be transmitted several times during the cycle in which
`the modules of the application are transmitted in order to
`ensure that it is available for essentially random access to the
`other modules.
`
`
`
`Case 5:16-cv-00349-NC Document 19-13 Filed 04/11/16 Page 10 of 13
`Case 5:16-cv-OO349-NC Document 19-13 Filed 04/11/16 Page 10 of 13
`
`6,148,081
`
`7
`the applications have a
`The directory modules of all
`common format. The format consists of three parts: a portion
`having fixed-length components; a portion having variable-
`length components; and a portion having certification infor-
`mation. The fixed-length portion contains data on the appli-
`cation and each of the modules in the application. The
`variable-length portion contains string data on the module
`names and the hash of the modules. The certification portion
`contains the producer certificate and directory signature.
`In one embodiment, an application includes at least one
`module which is downloaded and executed automatically.
`Other modules containing data or additional code may not
`be needed immediately, so they may be downloaded after
`execution of the application begins. The downloading of
`these modules may be subject
`to timing constraints,
`however, so the interactive television system is configured to
`take these constraints into account and deliver the modules
`
`10
`
`15
`
`in a timely manner. If necessary, one of these modules may
`be multiplexed with other modules or data to be sure it is
`received when needed.
`
`20
`
`Referring to FIG. 4, each of the modules 51 has a data
`segment 52 and a CRC segment 53. The data segment 52 of
`the directory module is described above. The data segment
`52 of the remainder of the modules can contain any type of
`data, such as application code or raw data. The CRC
`segment 53 of each of the modules is used for error control
`and is computed for the entire module 51. Each of the
`modules 51 has a unique identifier.
`Before the modules 51 are transmitted, they are formatted
`into transmission units 54. For the purposes of discussion,
`items referenced by the same number but different letters
`(e.g., 54a, 54b, 54c) will be collectively referred to by the
`number only (e.g., 54). Each of the transmission units 54
`contains header information 55, which uniquely identifies
`that transmission unit 54 within the stream of transmission
`
`units, and data 56 which comprises a portion of the module
`being transmitted. The header 55 contains information such
`as the module ID, module offset and size, which allow the
`transmission units 54 to be reconstructed into a complete
`module 51. The transmission units 54 comprising a particu-
`lar module 51 may be interleaved with other transmission
`units 54 in the transmission stream. The last transmission
`unit 54 for a module 51 carries the CRC 53.
`
`The format of the transmission units 54 is dependent upon
`the transmission medium, but typically employs a series of
`packets of fixed length (the last packet may be padded to
`obtain the proper length.) The first packet 58 in the series
`carries the header information for the transmission unit 54.
`
`This header packet 58 is a special packet which can generate
`an interrupt in the CPU and which contains information to
`enable the CPU to determine whether the module 51 should
`
`be decoded and where it should be loaded into memory. The
`header packet 58 in a direct satellite transmission utilizes an
`auxiliary type packet which can generate an interrupt. The
`remainder of the packets 58 in a direct satellite transmission
`utilize a basic type packet which simply carries the trans-
`mission unit data.
`The audio-video-interactive transmission from the broad-
`
`cast station to the interactive television receiver comprises a
`series of transmission units. The transmission units which
`
`form a given module are typically time multiplexed with
`other information. This information may consist of trans-
`mission units of another module or compressed audio or
`video. The transmission units which are received by the
`interactive television receiver are reconstructed into their
`
`respective application modules.
`
`8
`Referring to FIG. 5, a diagrammatic representation of the
`signal transmitted from broadcast station 10 to receiving
`station 20 is shown. The packets of several program sources
`may be multiplexed into a single transmission stream if
`necessary. These packets may contain data for various
`applications or television programs. The illustrated trans-
`mission stream includes audio (A) and video (V) packets of
`a television program, as well as packets of two interactive
`application modules (M1, M2.) The packets are formatted as
`explained above to enable reconstruction of the packets into
`the respective programs and modules. It should be noted that
`several modules can be simultaneously transmitted by com-
`bining their packets in the transmission signal. The figure
`illustrates the time multiplexing of the packets of the mod-
`ules and the television program. The modules need not
`belong to the same carousel to be transmitted together. It can
`be seen from the figure that there are typically more packets
`of video data for a particular television program than audio
`data for that program as a result of the greater amount of
`video data which typically must be transmitted.
`The broadcast signal is received by set-top box 22. Set-top
`box 22 may also have a modem connection for receiving an
`http signal. Set-top box 22 is contemplated to include a
`module management unit which is configured to detect
`packets corresponding to modules which are required for
`execution of an interactive television application. The mod-
`ules are not necessarily required to begin execution of the
`respective application, but may be requested by the appli-
`cation after it begins execution.
`Set-top box 22 demultiplexes the packets, separating the
`packets containing module data from packets containing
`audio and video for television programs. The module man-
`agement unit detects module packets and determines
`whether these packets correspond to modules needed by the
`executing application. The set-top box then reconstructs the
`modules from the corresponding packets and reconstructs
`the television programs from the packets containing the
`associated audio and video data. As explained above, the
`modules are stored in RAM 37, where they are available for
`use by applicat