United States Patent [19]
Mason

[11] Patent Number: 4,736,422
[45] Date of Patent: Apr. 5, 1988

[54] ENCRYPTED BROADCAST TELEVISION SYSTEM
[75] Inventor: Arthur G. Mason, Hampshire, United Kingdom
[73] Assignee: Independent Broadcasting Authority, London, England
[21] Appl. No.: 705,422
[22] PCT Filed: Jul. 2, 1984
[86] PCT No.: PCT/GB84/00237
     § 371 Date: Feb. 22, 1985
     § 102(e) Date: Feb. 22, 1985
[87] PCT Pub. No.: WO85/00491
     PCT Pub. Date: Jan. 31, 1985
[30] Foreign Application Priority Data
     Jun. 30, 1983 [GB] United Kingdom 8317796
     Jul. 22, 1983 [GB] United Kingdom 3319317
[51] Int. Cl.: H04N 7/167; H04L 9/02
[52] U.S. Cl.: 380/20; 380/21; 380/10
[58] Field of Search: 358/114, 122, 123; 178/22.13, 22.08

Primary Examiner: Stephen C. Buczinski
Assistant Examiner: Melissa L. Koltak

[57] ABSTRACT

A conditional access system for transmitting and receiving scrambled television signals over-air includes means for addressing each of the receiving apparatus with an over-air signal whereby to permit reception and descrambling of the signal. The transmitter is provided with means for assembling a cipher block of information including a first key for use in descrambling the television signal and information relating to a plurality of users, and means for encyphering the cipher block with a second key which is common to the plurality of users. On reception a receiver applies the second, common key to the received cipher block, recovers the first key for use in descrambling the signal and the information relating to the respective user and descrambles the television signal. Further, it is proposed to transmit a further key in encrypted form and to use the first key to decrypt the further key which is then used to descramble the television signal. This provides a three level key system which is very secure but by using a common second key for a plurality of users, the time to access each user is short.

23 Claims, 5 Drawing Sheets

[Front-page drawing: block diagram of the transmitter and receiver. Labels: television; session key S, changed every few seconds; tiering level of signal Ts; P(Ts+S+P); period key P, changed each period; tiering level of customer Tc; shared distribution key D; E = encryption, E⁻¹ = decryption.]

PMC Exhibit 2133
Apple v. PMC
IPR2016-00753
Page 1

U.S. Patent    Apr. 5, 1988    4,736,422    Sheets 1 to 5 of 5

[Drawing sheets 1, 2 and 4 of 5: figure text not legible.]

[Sheet 3 of 5, FIG. 3a: a 187-bit plaintext block passes through a first stage of overlapping 64-bit E blocks (a minimum overlap is marked between adjacent E blocks) to form a 187-bit intermediate stage, and then through a second stage of 64-bit E blocks to form the 187-bit ciphertext block. E = 64-bit block encryption algorithm.]

[Sheet 5 of 5, FIG. 4: customers X, Y and Z share key DOLD. X becomes a pirate and is eliminated. Labels Uy, Uz and DNEW. The broadcaster is sure that Y and Z have received DNEW because they have both sent two subscriptions.]

ENCRYPTED BROADCAST TELEVISION SYSTEM

The present invention relates to the broadcasting of a television signal in scrambled form and more particularly to a system for enabling the scrambled television signal to be descrambled by authorised viewers only.

It has already been proposed to broadcast scrambled television signals. It has also been proposed to transmit with the scrambled television signal the key for descrambling the signal but the key is encrypted by a further key, an identification key, which is unique to each viewer. In order to decrypt the key the viewer must use his identification key signal and await the broadcast encrypted key.

This is acceptable as long as the number of viewers is not considerable but where one is broadcasting to a considerable number of viewers, for example with satellite broadcasting, it can take a considerable time to access all the viewers with their own encrypted key signal to enable them to descramble the broadcast television signal. While this problem can be overcome by leaving the receiving apparatus powered up continuously, this is not a convenient or inexpensive solution to the problem. Furthermore, when the receiver is first purchased a long waiting time results.

It is an object of the present invention to provide a system for sending encrypted programme entitlements together with a period key to one of a large number of viewers in such a way that he can relatively quickly access the encrypted entitlements and period key which enable him to decypher the scrambled television signal. The period key (P) is also known as the authorisation key (A), but it will be called the period key here.

The present invention provides for sending to a plurality of viewers their individual programme entitlement and the period key, encrypted together as one cipher text block by means of a single distribution key which is used by each viewer to obtain the necessary information for descrambling the television signal. Hence the distribution key and the cipher text block are shared between the plurality of viewers. The sharing of information in this way enables a reduction in the total number of bits that have to be transmitted without compromising the security. The reduction of bits occurs because in a shared block, only one period key needs to be sent and its overhead is shared. If the cipher text block was not shared a separate period key, which needs to be a large number of bits, would have to be appended to each viewer's entitlements for reasons of security.

The present invention also provides a secure scrambling system for apparatus for transmitting a scrambled information signal comprising means for generating a first encryption signal (S), first encryption means for encrypting the information signal in accordance with the encrypting key signal (S), means for generating a second encryption key signal (P), second encryption means for encrypting the first encryption key signal in accordance with the second encryption key signal (P), means for generating a third encryption key (D), third encryption means for encrypting the second encryption key signal (P) in accordance with the third encryption key signal (D), and means for transmitting the scrambled information signal and at least the encrypted second encryption scrambling key signal.

Features and advantages of the present invention will become more apparent from the following description of an embodiment thereof given by way of example, in which:

FIG. 1 shows a block diagram of an encryption system;
FIG. 2 shows the structure of one part of one of the signals sent in the system shown in FIG. 1;
FIGS. 3a and 3b show diagrammatically two ways of implementing a part of FIG. 2; and
FIG. 4 shows a method of replacing shared distribution keys.

A preferred embodiment of the present invention will be described in relation to an over-air addressing DBS television encryption system as shown in FIG. 1. A subscriber cannot make use of a conditional access television programme without being in possession of the key that was used for the signal encryption. Furthermore, this key must be kept secret from the customer. Since the broadcast signal, in this case the satellite signal, is common to all subscribers, it follows that the key which is used to cipher the television signal must also be common to everyone. It is generally regarded as insecure to have the same key held in millions of receivers for long periods of time. This is because the key might be discovered by one subscriber who could then distribute it to other customers, who would use it to obtain free television programmes. The only way to avoid this problem is to change this key, which we call the session key (S), at very frequent intervals. The session key (S) is also known in other references as the central word (CW) or the initialisation word (I) or indeed the service key (S). The session key interval may be of the order of one to ten seconds to avoid long access times when different channels are selected. Clearly the only way to send a new session key, that changes every few seconds, is with the broadcast signal. The session key is not sent with the television signal in the clear—it is encrypted with another key that is stored in the receiver. Ultimately, there will have to be a key stored in each receiver that has to be kept secret from the user. One way to achieve this secrecy is to ‘bury’ the key in an integrated circuit or some device which cannot easily be broken open. Since it is not possible to send new security devices to each customer at regular very short intervals—it follows that the key stored in each device must be unique to each subscriber for reasons of system security. The customer unique key that is stored in the security device will be called the distribution key (D). Since there are a huge number of distribution keys, using this key to distribute the session key to each customer is impractical. This is because the time taken to send the session key would be much longer than the one second duration for which the session key is valid. In order to overcome this problem a period key (P) is introduced. The key is available for some period which is defined by the broadcaster—the period may be as little as one hour or as much as one month. The duration of the period is a compromise between security and the operational difficulties in receiving the key. The period key is common to all subscribers and is used to carry the session key. The period key is itself carried by the customer distribution keys which are stored in each receiver.

FIG. 1 shows schematically how a practical system might be implemented. An information signal A, in this case a television signal, is to be scrambled for transmission. Firstly a session key S is generated by suitable circuitry 10 and this key S is used to scramble the signal A in accordance with the key S as represented by the block 11. So that the key S can be securely sent to a receiver, it is also scrambled in a circuit 12 in accordance with a further scrambling routine identified by a second key P generated by suitable circuitry 14. Both the session key S and the second key P are changed at intervals but the second key need be changed at less frequent intervals than the session key S.

Finally, the second key P is scrambled in a circuit 16 by a third key, the distribution key D, generated by a circuit 17. The scrambled information signal, the scrambled session key and the scrambled second key are then transmitted using any suitable equipment.

In a receiver, the reverse operation is carried out. It is first necessary for a customer to decrypt the second key P using his distribution key D before the session key S can be recovered for decrypting the information signal. Thus a first decryption circuit 20 responsive to distribution key D is provided for decrypting the second key P and a second decryption circuit 21 responsive to the second key P is provided for decrypting the session key S which is then used in a third decryption circuit 23 for decrypting the information signal A.

Different customers may require different entitlements to the service. Furthermore, the entitlement may take different forms, e.g. a simple indication of whether a basic subscription has been paid or not, or they may indicate an over-air credit payment or they may simply indicate a tier level to which the viewer subscribes. The entitlements are represented by a small number of bits which are preferably sent together with the period key (P) in a shared cipher text block. The example described below makes use of the entitlement bits for tiering. However, the mode of use of the entitlement bits does not affect the principle of sharing a distribution key and an encrypted cipher text block together between a plurality of viewers.

The tiering level of the signal (Ts) is sent with the session key. The tiering level requested by the customer (Tc) is sent to him with the period key using his distribution key. The security device compares Ts and Tc and decides whether the session key can be released for the purpose of deciphering the television signal (A).

The session key (S) is used to encipher the television signal. It is sent together with the tiering level of the programme (Ts) by encrypting these signals with the period key P(Ts+S+P). The reason for duplicating the period key (P) in the message, before encryption with the same key P, will be described later. More than one session key may be sent if more than one operator is broadcasting simultaneously on the same satellite signal. This may happen for instance if one operator provides the television programme and another organisation provides a data service. (The symbol ‘+’ means that the bits of the signals are appended together.)

The main problem with this system is the time taken to send the signal D(Tc+P) to each customer. If a unique key D is defined for each subscriber the cycle time of this validation signal, after error correction has been applied, can take many hours.

We propose reducing the validation cycle time by sharing the same distribution key D between a number of customers. This still offers excellent system security since, if the number of customers sharing the same key is small, the probability of finding another customer with the same key as one's own is tiny. For example, if 20 customers share each key and there are 20 million subscribers in the system, the probability of finding another customer with the same key as one's own is 10⁻⁵. In fact some 1000 customers could share the same key with negligible effect upon the system security.

We propose to send the period key and the entitlement signals indicative of each of a plurality of subscribers in one block as shown in FIG. 2. In the numerical example shown below a block size of 510 bits is used. A BCH error correcting code is defined by the block to allow correct reception at a specified bit error rate. The BCH code requires several bits within the block to be used for error correction leaving the remainder for use as a message which contains the following information:

(i) A period key of about 56 bits. The period key bits could be evenly distributed throughout the message block. However, this is not really necessary because of the nature of the block encryption algorithm which is used.
(ii) A byte of about 8 bits for each customer in the block. A number of customers have bytes in the one block.

The following represents an example of the proposal.

(i) no. of bits per block: N=510
(ii) no. of bits for error correction: E=136
(iii) no. of bits for the message: M=374
(iv) no. of bits for period key: P=56

With this arrangement if each customer used 8 bits then 46 customers could each share the block. In practice a mode word of 6 bits and a date stamp of 24 bits is also included which is shared by the plurality of customers. This allows 36 customers to share the block which gives a cycle time of 10 minutes for 15 million subscribers when a data rate of about 350K Bits/sec is used. However, the technique may be generalised to any number of bits.

The block is encrypted using an algorithm which has the properties of error extensions. Such an algorithm can be constructed from a block or feedback cipher arrangement which has the property that if one bit of the cipher text is falsified the resulting plain text message will look completely random even when the correct distribution key is used to decrypt the block.

This also means that there does not exist a unique set of 56 bits in the ciphered message to which the distribution key could be applied in order to recover the period key. In order to find the period key, without knowledge of the distribution key, either an exhaustive search of the 374 bits is needed or the encryption algorithm needs to be broken. After deciphering the message, each security device looks in the correct place within the block for the customer entitlement bits that are intended for that receiver. Clearly this function must be buried in the security device along with the distribution key.

The block or feedback cipher should have the following property. If one bit of the cipher text is altered, a number of bits of the plain text will be altered, under the same key, and these altered bits will be evenly distributed over the plain text message.

FIG. 3a shows schematically how long blocks may be ciphered using a number of 64 bit sub-blocks. Each sub-block is a 64 bit block cipher.

The essential feature is to overlap the sub-blocks and form an intermediate stage. The final cipher text block is guaranteed to have the properties described above by reversing the direction in which the sub-blocks are overlapped during the second stage. The same technique of forming an intermediate stage and reversing the direction in which the algorithm is performed for the second stage can be applied to cipher feed back in order to achieve the necessary cipher text properties. Cipher feedback is a well known technique and the technique of reciphering the cipher text in the reverse direction is shown in FIG. 3b.

The proposed system of sharing a distribution key between several subscribers suffers from the problem that if one customer becomes a pirate, removal of the key affects the other customers who also share that key. There are basically two methods of overcoming this problem which are described below.

Instead of storing just one secret distribution key, each customer has a plurality of keys e.g. two, stored in his receiver. The first key would be common to a first set of customers while the second key would be common to a second set of customers. Only one member of the first set can be in the second set. Each customer is then given a unique combination of two keys from the total number of keys available. The total number of combinations far exceeds the total number of keys available.

A pirate is eliminated by removing both of his keys from the cycle. Since the customers who share his two keys all have another but different key remaining, they are able to continue. This results from the fact that the pirate is the only customer who is a member of both shared key sets.

It can be shown mathematically, that because the number of combinations is huge, the probability of disabling honest customers after many pirate combinations have been removed is small.

Instead of storing two distribution keys which are both shared, two keys may be stored in the receiver and used in the following way.

The first key is the shared distribution key and the second is a unique key which is not shared and it is different for each customer. When a pirate is detected a new shared distribution key (DNEW) is sent to each of the remaining honest customers by encrypting it with their personal Unique key (U); see FIG. 3. Hence if X, Y and Z share a block which is normally encrypted with the shared Distribution key (DOLD) and X becomes a pirate; customers Y and Z are sent DNEW by transmitting Uy(DNEW) and Uz(DNEW). Clearly the format for the transmission of U(D) is much less efficient than the shared distribution key cycle D(M+P) but this is not important because the second cycle only includes a very small number of customers. A broadcaster can be sure that his customer has received this new shared distribution key (D) by transmitting the U(D) signal until his customer has returned say two subscription payments. Since the cycle time of the U(D) signals will be very small, probably less than one minute, and because the customer has returned more than one subscription payment—the broadcaster can be confident that his customer will have received the new shared key. This confidence relies upon the assumption that each subscriber will be watching television for more than one minute during a subscription period for which he has paid.

The idea of transmitting a small U(D) cycle for a long period of time allows the cycle time/data capacity to expand to cater for an emergency update and then contract again afterwards. Hence the average cycle time/data capacity stays approximately constant during the lifetime of the system; it is illustrated in FIG. 3. In order to maximise the efficiency of the system the same technique can be applied to reconfigure into new shared blocks those customers who have become the only members of an old shared block. This is achieved by sending new addresses to old customers using the same method described above.

The information that is contained within the encrypted block not only contains the new shared distribution key D and the new address (a), but also the U key. The encrypted block then takes the form U(D+a+U). The U key is sent in the encrypted block for the purpose of checking that the information has been received correctly. Provided that the secret U key is also found in the message after decryption, the remainder of the information is accepted.

The above described system makes use of storing of the secret distribution keys in a user held security device. Since the copying of the contents of the security device is likely to represent a weak link in the system, re-issue of the security device from time to time might be required by the broadcaster. Therefore, an alternative approach is to mount the security device in such a way that it can be re-issued periodically at little expense. Such a device could be a security microprocessor mounted in a SMART card.

If it is required to remove a key before the re-issue date, the broadcaster simply contacts the other customers who share that key and sends them a new SMART card. Since the number of customers who share the removed key is very small (approx. 36) this practice is unlikely to cause much of a problem. Furthermore, the broadcaster might offer one month’s free viewing to compensate for the inconvenience caused to the honest key holders.

Modifications to the above described system may be made which will improve the practicality of the system. For example, the period key that is sent in the validation cycle may be the key for the next period. Although this key may be received quickly it should not be able to be used straight away. This would mean that a new customer may have to wait for several weeks before he could receive television programmes. In order to overcome this problem the current period key is sent encrypted with the next period key—PNEXT(PCURRENT). Provided the customer is permitted to receive programmes during the next month, say, he may begin viewing from the time he has received his validation signal.

A further modification is to send a known code encrypted with the period key. This signal is useful for the purpose of deciding whether the period key has been received correctly and that the encrypted block has not been falsified. The code could be made secret by using the period key for the special code. The receiver finds a binary word that it thinks is the period key by decrypting the signal D(Tc+P). Provided the period key P has been received without error, using it to decrypt the signal P(P) or P(Ts+S+P) will reveal the same period key P. This can be checked by comparing the received P key value with the value of the P key contained in the message Ts+S+P. If the comparison is negative the receiver makes the decision to interrogate the address cycle again. The check also ensures that the signal P(Ts+S+P) as well as the signal P(Tc+P) is a valid signal.

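
The receiver-side check described above, combined with the two-stage overlapped enciphering of FIG. 3a, as an added example that is not part of the patent. Assumptions: a stand-in Feistel cipher for E (the patent names no algorithm), byte-aligned fields in an assumed order, a 2-byte sub-block overlap, constructed keys and entitlements, and the release rule Tc >= Ts.

```python
import hashlib

BLOCK, STEP = 8, 6   # 64-bit sub-blocks; 2-byte overlap (overlap width is assumed)
P_LEN, HDR = 7, 11   # 56-bit period key; entitlement bytes follow P + mode + date

def _f(key, rnd, half):
    # Round function of a stand-in cipher; the patent names no algorithm for E.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def e64(key, blk, decrypt=False):
    """Toy 64-bit block cipher E (8-round Feistel). Illustration only."""
    l, r = blk[:4], blk[4:]
    if decrypt:
        for i in reversed(range(8)):
            l, r = _xor(r, _f(key, i, l)), l
    else:
        for i in range(8):
            l, r = r, _xor(l, _f(key, i, r))
    return l + r

def _offsets(n):
    # Overlapping sub-block start positions; the last one is aligned to the end.
    return list(range(0, n - BLOCK, STEP)) + [n - BLOCK]

def _two_stage(key, data, decrypt):
    # Stage 1 walks the sub-blocks left to right, stage 2 right to left.
    # The visiting order is a palindrome, so decryption replays it unchanged.
    buf = bytearray(data)
    offs = _offsets(len(buf))
    for o in offs + offs[::-1]:
        buf[o:o + BLOCK] = e64(key, bytes(buf[o:o + BLOCK]), decrypt)
    return bytes(buf)

def wide_encrypt(key, msg):
    return _two_stage(key, msg, False)

def wide_decrypt(key, ct):
    return _two_stage(key, ct, True)

def validation_block(d_key, p_key, mode, date, tiers):
    """Transmitter: D(Tc + P) for one group of 36 customers sharing key D."""
    assert len(p_key) == P_LEN and len(date) == 3 and len(tiers) == 36
    return wide_encrypt(d_key, p_key + bytes([mode]) + date + bytes(tiers))

def session_message(p_key, ts, s_key):
    """Transmitter: P(Ts + S + P); P is duplicated inside for the receiver check."""
    return wide_encrypt(p_key, bytes([ts]) + s_key + p_key)

def security_device(d_key, slot, block, sess_msg):
    """Receiver: release S only if the P check and the tier comparison pass."""
    plain = wide_decrypt(d_key, block)
    p_cand, tc = plain[:P_LEN], plain[HDR + slot]
    inner = wide_decrypt(p_cand, sess_msg)
    ts, s_key, p_echo = inner[0], inner[1:-P_LEN], inner[-P_LEN:]
    if p_echo != p_cand:
        return None          # falsified or corrupted block, or wrong D
    if tc < ts:
        return None          # assumed rule: customer tier must reach signal tier
    return s_key

def demo():
    # Constructed keys and entitlements (not from the patent).
    d_key = bytes(range(1, 9))
    p_key = bytes.fromhex("a1b2c3d4e5f607")
    s_key = bytes.fromhex("0011223344556677")
    tiers = [1] * 36
    tiers[5] = 3                       # customer in slot 5 subscribes to tier 3
    blk = validation_block(d_key, p_key, 1, b"\x13\x07\x02", tiers)
    sess = session_message(p_key, 2, s_key)
    tampered = bytearray(blk)
    tampered[-1] ^= 0x01               # falsify a single ciphertext bit
    tampered = bytes(tampered)
    clean = wide_decrypt(d_key, blk)
    garbled = wide_decrypt(d_key, tampered)
    return {
        "entitled": security_device(d_key, 5, blk, sess),
        "low_tier": security_device(d_key, 4, blk, sess),
        "tampered": security_device(d_key, 5, tampered, sess),
        "wrong_d": security_device(b"\x00" * 8, 5, blk, sess),
        "bytes_changed": sum(a != b for a, b in zip(clean, garbled)),
    }

if __name__ == "__main__":
    print(demo())
```

Flipping one bit at the end of the ciphertext garbles the whole decrypted block, including the period key at the front, so the duplicated-P comparison fails and the device withholds S.
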
The encryption system signals may be formatted into a data frame in a packet system such as is proposed for the sound for the European Satellite Broadcast signal standard. A sync word and address word are needed to locate the various signals. The security device uses the address word to find the particular 510 bit block, in the long validation cycle, that is intended for that receiver.

A method of synchronising the key changes may be achieved in a packet multiplexing system by having two signals. The first is a frame counter on line 625 which represents a clock. Keys arrive asynchronously and are changed during line 625 at specified times. A second signal is sent in the packet multiplex which labels the transmitted keys with the time that they are to be activated. An alternative approach, which eliminates the need for a time label, is to transmit the keys synchronously with the television signal. There are two keys that need to be changed—the period key and the session key.

What is claimed is:

1. Apparatus for transmitting a scrambled information signal, together with a key required at a receiver to enable descrambling of the scrambled information signal to occur, to entitled receivers, comprising:
means for scrambling an input information signal A to produce a scrambled information signal S(A);
means for generating a first encryption key P required at a receiver to enable descrambling of the scrambled information signal S(A) to occur;
means for defining groups of entitled receivers;
means for generating a plurality of distribution keys D, each distribution key being generated for a particular group of entitled receivers;
means for generating a plurality of receiver entitlement signals Tc, each receiver entitlement signal being representative of the level of entitlement of a respective receiver to descramble scrambled information signals;
means for assembling data blocks, adapted to assemble for each group of entitled receivers a data block comprising the first encryption key P appended to the receiver entitlement signals Tc for the receivers in the respective group, the receiver entitlement signal Tc for a particular receiver in a group being included in the respective data block at a predetermined location therein;
first encryption means for encrypting each data block using one of the distribution keys, the first encryption means being adapted to encrypt a data block relating to a given group of entitled receivers using a particular distribution key to enable the receivers in a group to use the same particular distribution key to recover the first encryption key P; and
means for transmitting the scrambled information signal S(A) and the encrypted data blocks.

2. Apparatus according to claim 1, wherein the data block assembling means is adapted to assemble a data block omitting a receiver entitlement signal in respect of a first receiver belonging to the group to which the data block relates when said receiver is no longer entitled to recover the information signal A; and
the first encryption means is adapted to encrypt data blocks relating to said group but omitting a receiver entitlement signal in respect of said first receiver using a distribution key DNEW different from that used to encrypt data blocks relating to said group but including a receiver entitlement signal in respect of said first receiver.

3. Apparatus according to claim 2, and comprising means for producing a unique key U for each receiver, second encryption means for encrypting distribution keys D, one at a time, using said unique keys U, one at a time, and means for transmitting the encrypted distribution keys U(D); wherein the second encryption means is arranged to encrypt a distribution key DNEW a plurality of times using each of a plurality of unique keys U in turn, the plurality of unique keys U relating to entitled receivers in a group omitting a first receiver no longer entitled to recover the information signal A, when the distribution key DNEW is used by the first encryption means to encrypt a data block relating to said group but omitting a receiver entitlement signal in respect of said first receiver.

4. Apparatus according to claim 1, wherein the algorithm used in the encryption means has the property that if any part of the encrypted signal is altered an approximately random decrypted signal results when the encrypted signal is decrypted with the correct distribution key to make any of the received signals useless.

5. Apparatus according to claim 1, further comprising means for generating a second encryption key S, third encryption means for encrypting the second encryption key S using the first encryption key P, and means for transmitting the encrypted second encryption key P(S), and wherein the means for scrambling the input information signal uses the second encryption key S to control the scrambling of the information signal.

6. Apparatus according to claim 5, wherein the means for generating a second encryption key S is arranged to alter the second encryption key S at a first frequency and the means for generating a first encryption key P is arranged to alter the first encryption key at a second frequency lower than the first frequency.

7. Apparatus according to claim 5, further comprising means for generating signals Ts indicative of a parameter of the input information signal, said third encryption means encrypts said signals Ts, either alone or appended to the second encryption key S, using the first encryption key P, and the means for transmitting the encrypted second encryption key S transmits the encrypted Ts signals.

8. Apparatus according to claim 6, further comprising means for generating signals Ts indicative of a parameter of the input information signal, said third encryption means encrypts said signals Ts, either alone or appended to the second encryption key S, using the first encryption key P, and the means for transmitting the encrypted second encryption key S transmits the encrypted Ts signals.

9. Apparatus according to claim 7, further comprising means for generating a CODE signal, and wherein said third encryption means encrypts said CODE signal, either alone or appended to a signal or encryption key generated in the transmitter, using the first encryption key P, and the means for transmitting the se