(19) Europäisches Patentamt
     European Patent Office
     Office européen des brevets

(11) EP 1 418 756 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 12.05.2004 Bulletin 2004/20
(51) Int Cl.7: H04N 7/167, H04N 7/16
(21) Application number: 03104017.3
(22) Date of filing: 29.10.2003
(84) Designated Contracting States: AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR
     Designated Extension States: AL LT LV MK
(30) Priority: 29.10.2002 US 284049
(71) Applicant: General Instruments, Motorola Inc, Horsham PA 19044 (US)
(72) Inventors:
• Chen, Annie On-yee, 92014, Del Mar (US)
• Tang, Lawrence W, 92128, San Diego (US)
• Murphy, Patrick, 92123, San Diego (US)
• Okimoto, John I, 92128, San Diego (US)
• Cochran, Keith R., San Diego 92108 (US)
• Hutchings, George T, 18901, Doylestown (US)
(74) Representative: McCormack, Derek James et al, Motorola, European Intellectual Property Operations, Midpoint, Alencon Link, Basingstoke Hampshire RG21 7PL (GB)

(54) Method and system for encrypting material for distribution

(57) Streaming content is encrypted by segmenting the content into a plurality of crypto periods, and by encrypting the content for each of a plurality of crypto periods with a different cryptographic key. The crypto periods may be based on either (i) fixed time intervals, (ii) a fixed number of packets, (iii) a fixed marker count, or (iv) a pseudo random number of packets. Methods are provided for determining how to record the key changing criteria, and how to convey this information to video on demand (VOD) servers.

Printed by Jouve, 75001 PARIS (FR)

Description

TECHNICAL FIELD OF THE INVENTION

[0001] The invention relates to a method and a system for encrypting material such as video material for distribution. In particular, it relates to conditional access and copy protection techniques, and more particularly to such techniques for interactive, on-demand digital program content such as video-on-demand (VOD) programming distributed via cable and satellite networks.

BACKGROUND

[0002] Recent advances in cable and satellite distribution of subscription and "on-demand" audio, video and other content to subscribers have given rise to a growing number of digital set-top boxes (sometimes referred to as Digital Consumer Terminals or "DCTs") for decoding and delivering digitally broadcast programming. These set-top boxes often include additional circuitry to make them compatible with older analog encoding schemes for audio/video distribution. As the market for digital multimedia content of this type grows and matures, there is a corresponding growth of demand for new, more advanced features.
[0003] Video-on-demand (hereinafter VOD) and audio-on-demand are examples of features made practical by broadband digital broadcasting via cable and satellite. Unlike earlier services where subscribers were granted access to scheduled encrypted broadcasts (e.g., movie channels, special events programming, pay per view purchases, etc.), these on-demand services permit a subscriber to request a desired video, audio or other program at any time and to begin viewing the content at any point therein. Upon receiving the request for programming (and, presumably, authorization to bill the subscriber's account), the service provider then transmits the requested program to the subscriber's set-top box for viewing/listening. The program material is typically "streamed" to the subscriber in MPEG format for immediate viewing/listening, but can also be stored or buffered in the set-top box (typically on a hard-disk drive or "HDD") for subsequent viewing/listening.
[0004] The Motion Picture Association of America (hereinafter MPAA) is a trade association of the American film industry, whose members include the industry's largest content providers (i.e., movie producers, studios). The MPAA requires protection of VOD content from piracy. Without adequate security to protect their content, its member content providers will not release their content (e.g., movies) for VOD distribution. Without up-to-date, high-quality content, the VOD market would become non-viable.
[0005] Access control methods, which may include encryption, are continually evolving to keep pace with the challenges of video-on-demand (VOD) and other consumer-driven interactive services. With VOD, headend-based sessions are necessarily becoming more personalized. In this scenario, video streams are individually encrypted and have their own set of unique keys.
[0006] One key area of concern, especially for direct content providers and movie companies, is VOD copy protection. The method by which content is produced and delivered to consumers is constantly changing. Under the newest scenarios, content delivery can occur over data backbones, satellite networks and the Internet, increasing the potential for hackers to get digitally perfect copies of the VOD content. As the VOD industry develops and adapts to the piracy threat by providing more sophisticated encryption schemes, piracy becomes more difficult, but the potential gain to the video "pirate" for achieving successful encryption breaches (successful content copying) remains a considerable attraction to hackers.
[0007] Assuming that physical security and network security measures are adequate at the movie company, the VOD encoding company and at the MSO (Multiple System Operator) or satellite operator's facilities, the primary points of VOD vulnerability to piracy occur when VOD content is transmitted over widely accessible communication networks such as a satellite channel, the Internet or a cable system. Such transmissions can occur between the movie company and the VOD encoder, between the VOD encoder and the MSO or satellite operator, and between the MSO or satellite operator and the VOD customer. Because of the ease with which such transmissions can be intercepted, these are the points where the risk of piracy is the greatest.

SUMMARY OF THE INVENTION

[0008] According to the invention, techniques are provided to pre-encrypt VOD material with a changing cryptographic key and to convey this information to VOD servers so that the VOD servers can send out the corresponding ECMs (Entitlement Control Messages) when the encrypted content is delivered to a consumer's digital set top.
[0009] Further according to the invention, multiple encryption keys are added when pre-encrypting VOD material. More specifically, methods are provided for determining when to change encryption keys; how to record the key changing criteria, and how to convey this information to the VOD servers.
[0010] Further according to the invention, streaming content is encrypted by segmenting the content into a plurality of crypto periods, and encrypting the content for each of a plurality of crypto periods with a different cryptographic key. The crypto periods may be established as follows:

1) Fixed crypto period: Define a crypto time interval and change the key each time the crypto time-interval passes.

2) Fixed number of packets: Determine a number of content packets "n" corresponding to a suitable time interval and change the cryptographic key every "n" packets.

3) Fixed "marker" count: Using a suitable MPEG-II field type as a "marker", such as an I-frame header, change the cryptographic key every time "n" markers have passed in the stream, where "n" is selected to produce a suitable crypto period. The MPEG-II I-frame header is one example of a suitable "marker." Alternatively, any other suitable, recurring MPEG-II encoding element could be used as a stream "marker" to delimit segments of the MPEG-II stream.

4) Random crypto period: Change the crypto-period randomly within upper and lower constraints on the crypto period, using a pseudo-random algorithm. Calculate a number of packets for each crypto period and change the key after that number of packets. Generate an index file indicating at which packet numbers the encryption key should be changed.

[0011] The invention is particularly useful for generating rapidly changing encryption keys, and for methods of communicating how and when to change the keys in the context of, for example, the MediaCipher-II conditional access (CA) system available from the Broadband Communications Sector of Motorola, Inc., Horsham, Pennsylvania, USA. Motorola's MediaCipher-II system is capable of changing keys at rates (crypto periods) which are measured in fractions of a second, rather than several seconds.

GLOSSARY

[0012] Unless otherwise noted, or as may be evident from the context of their usage, any terms, abbreviations, acronyms or scientific symbols and notations used herein are to be given their ordinary meaning in the technical discipline to which the invention most nearly pertains. The following glossary of terms is intended to lend clarity and consistency to the various descriptions contained herein, as well as in prior art documents:

CA: Conditional Access. A means by which access to content is granted only if certain prerequisite conditions are met (e.g., payment of a subscription fee, time-dependent license, etc.)

CAS: Conditional Access System. A means of allowing system users to access only those services that are authorized to them, comprises a combination of authentication and encryption to prevent unauthorized reception

CP: Crypto Period. A period covering a portion of an encrypted stream during which a specific encryption key is valid.

ECM: Entitlement Control Message. Entitlement Control Messages are private conditional access information which specify control words and possibly other, typically stream-specific, scrambling and/or control parameters.

EMM: Entitlement Management Message. Conditional access messages used to convey entitlements or keys or other parameters to users, or to invalidate or delete entitlements or keys. For example, an EMM can be used in combination with an ECM to determine an encryption key. Without the EMM, the key cannot be derived. The following categories of EMM are possible:
    EMM-G: EMM for the whole audience
    EMM-S: Shared EMM between the elements of a group.
    EMM-U: EMM for a single client.

ER: Encryption Record. Contains information about how specific program content is encrypted, and rules for decoding.

ERS: Encryption Renewal System. A system by which a conditional access license is renewed.

Internet: The Internet (upper case "I") is the vast collection of inter-connected networks that all use the TCP/IP protocols. The Internet now connects many independent networks into a vast global internet. Any time two or more networks are connected together, this results in an internet (lower case "i"; as in international or inter-state).

MPAA: Motion Picture Association of America

MPEG: Moving Pictures Experts Group

MPEG-II: MPEG-2 is the standard for digital television (officially designated as ISO/IEC 13818, in 9 parts).

MSO: Multiple System Operator. A company that owns multiple cable systems.

PCR: Program Clock Reference. PCR information is embedded into MPEG-II streams to accurately synchronize a program clock on the receiving system to the MPEG-II stream.

VOD: Video-On-Demand. The service of providing content through subscriber selection off a large menu of options, available to a viewer at any time.

[0013] Embodiments of the present invention will now be described by way of example with reference to the accompanying drawings, in which:

BRIEF DESCRIPTION OF THE DRAWINGS

[0014] Figure 1 is a block diagram of a system for delivering pre-encrypted video content, in accordance with the invention.
[0015] Figure 2A is a diagram showing a changing-key encryption scheme for pre-encrypted content using a fixed crypto period, in accordance with the invention.
[0016] Figure 2B is a diagram showing a changing-key encryption scheme for pre-encrypted content using a crypto period based on a fixed number of packets, in accordance with the invention.
[0017] Figure 2C is a diagram showing a changing-key encryption scheme for pre-encrypted content using a crypto period delimited by a fixed number of MPEG-II I-frames, in accordance with the invention.
[0018] Figure 2D is a diagram showing a changing-key encryption scheme for pre-encrypted content using a "random" crypto period, in accordance with the invention.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

[0019] The invention relates to conditional access and copy protection techniques and more particularly to such techniques for interactive, on-demand digital program content such as video-on-demand (VOD) programming distributed via cable and satellite networks.
[0020] In order to protect against interception and copying of digital program content, a pre-encryption procedure is employed whereby server-based VOD content is stored in an encrypted form, then delivered directly to viewers without further encryption processing. The VOD content is encrypted at the point where it is encoded, and is distributed to content resellers (e.g., MSO's, satellite operators, etc.) in encrypted form. Content encoders generally do not distribute directly to end-users (viewers). Typically, encryption is accomplished separately and uniquely for each reseller.
[0021] Figure 1 is a block schematic diagram of a system 100 for delivery of pre-encrypted program content, within which an embodiment of the present invention can be incorporated. The system 100 is suitably a conditional access system (CAS) which is a system for granting conditional access to certain digital content (movies, etc.), the "conditions" being licensing conditions (fee paid, access granted starting on date xx/xx/xx at xx:xx until yy/yy/yy at yy:yy, etc.). It is noted that although the entire system 100 is not typically included in one CAS, it could be.
[0022] At a content encoder's location 110, master content 112 (e.g., movies and other program content) is encoded into digital form via a suitable (e.g., MPEG-II) encoder 114. This content is then encrypted in an encryption system 116, to be "encrypted content." A content authorization system 118 is used to, e.g., manage, renew and verify valid licensing for the encrypted content. This can permit, for example, encryption by the encryption system 116 only if valid licensing exists for any particular destination. At a minimum, system 118 will control whether encryption can occur, independently of content destination. The encryption system 116 can generate a "personalized" encryption for each destination content reseller (e.g., MSO). Such a feature is not, however, required. Instead, the same encryption process could be used for a plurality of different MSOs. The encrypted content is transmitted via a transmitter (XMIT) 120 over a suitable transmission medium 140 to a receiver 132 at a reseller's location 130. The transmission medium is shown as being a satellite, but it can be the Internet, a cable network, or any other suitable delivery mechanism.
[0023] The receiver 132 receives the encrypted content and stores it in a VOD server 134 from which it can be re-transmitted to end-users. A system manager 136 (e.g., computer system that controls operation of a reseller's various transmission and communications resources) communicates with the encryption system 116 to make requests for program content, and to receive encryption records (ER) defining how the requested program content is encrypted/encoded and to receive entitlement control messages (ECMs) associated with the encryption of the program content. Typically, the encryption system 116 and the system manager 136 are parts of an ECM Renewal System (ERS) by which authorizations to distribute/decode program content are managed and renewed. It should be appreciated, however, that the ECM renewal can be separate from the other functions included in encryption system 116. As an example, a centralized ERS can be provided. It is also noted that the System Manager 136 would typically be provided by the VOD vendor, although it may be provided by others.
[0024] At the reseller's (e.g., MSO's) location, a user authorization system 138 ("VOD Auth.") receives requests from end users for program content, and verifies that appropriate authorizations are in place for the end user to view the requested content. If the appropriate authorizations are in place, then the user authorization system 138 instructs the VOD server 134 to deliver the requested (encrypted) content to the user's VOD playback device 150 (e.g., set-top box) and generates an Entitlement Management Message (EMM) for the requested content for delivery to the VOD playback device 150, along with the requested content. In an alternate embodiment, the EMM is sent well in advance, e.g., from the CAS.
[0025] An ECM contains encryption information specific to the program content which, in combination with a valid EMM, can be used to derive a decryption key for decrypting the content. ECMs are typically embedded within the program content, and due to the encryption mechanisms employed cannot be used to derive valid encryption keys absent a valid EMM for the content. EMMs may also include conditional access information, such as information about when, how many times, and under what conditions the content may be viewed/played.
[0026] Those skilled in the art will appreciate that when the inventive concepts are used with pre-encrypted content, ECM authorizations will change over time. Thus, ECM data embedded in the content will need to be updated with "renewed" ECMs, or ECMs with authorizations based on subscriber specific rights (for example to copy one or more times). With multiple key changes in the content, the server (which "plays out" the content with the ECMs) must know when to switch ECM sets from one crypto period to the next. Several methods to accomplish this synchronization are disclosed herein. It should also be appreciated that the decoder will decrypt (if it has the proper ECMs) by looking at the transport scrambling control bits in the MPEG packet headers.
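[0026] has the decoder follow key changes through the transport scrambling control bits. The following added example (not from the patent) reads those two bits from constructed 188-byte MPEG-2 transport packets and reports the packet numbers where they change, which is the list a VOD server's ECM switch points can be checked against. Alternating 0b10/0b11 per crypto period is the DVB even/odd convention and is an assumption here, as are the PID and the helper names.

```python
TS_PACKET_SIZE = 188
SYNC_BYTE = 0x47


def make_packet(pid, tsc, cc):
    """Build a constructed TS packet: 4-byte header followed by filler payload."""
    header = bytes([
        SYNC_BYTE,
        (pid >> 8) & 0x1F,                        # TEI=0, PUSI=0, priority=0, PID high bits
        pid & 0xFF,                               # PID low bits
        (tsc << 6) | (0b01 << 4) | (cc & 0x0F),   # TSC, payload only, continuity counter
    ])
    return header + bytes(TS_PACKET_SIZE - len(header))


def scrambling_control(packet):
    """Return the 2-bit transport_scrambling_control field (0 means not scrambled)."""
    if len(packet) != TS_PACKET_SIZE or packet[0] != SYNC_BYTE:
        raise ValueError("not an aligned MPEG-2 transport packet")
    return packet[3] >> 6


def key_switch_points(stream, pid):
    """Packet numbers in `stream` at which the scrambling control value changes on `pid`."""
    switches, previous = [], None
    for number in range(len(stream) // TS_PACKET_SIZE):
        packet = stream[number * TS_PACKET_SIZE:(number + 1) * TS_PACKET_SIZE]
        tsc = scrambling_control(packet)
        if ((packet[1] & 0x1F) << 8 | packet[2]) != pid:
            continue                              # other PIDs (e.g. null packets) are ignored
        if previous is not None and tsc != previous:
            switches.append(number)
        previous = tsc
    return switches


def build_sample():
    """Constructed stream: three crypto periods of four packets on PID 0x100,
    with one null packet (PID 0x1FFF) interleaved before the second period."""
    packets, cc = [], 0
    for period, tsc in enumerate((0b10, 0b11, 0b10)):
        if period == 1:
            packets.append(make_packet(0x1FFF, 0b00, 0))
        for _ in range(4):
            packets.append(make_packet(0x100, tsc, cc))
            cc += 1
    return b"".join(packets)


SAMPLE_STREAM = build_sample()

if __name__ == "__main__":
    print("key switches at packets", key_switch_points(SAMPLE_STREAM, 0x100))
```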
[0027] A technique that can be used to improve the security of encrypted streaming content such as VOD content is to change the cryptographic keys (encryption keys) at a plurality of points within the content. In order to make it more difficult for "pirates" to steal these keys, it is desirable to use as many different cryptographic keys as possible to encrypt one item of content. However, this creates a number of new issues:

1) Determining the number of sets of cryptographic keys that should be employed to encrypt one item of content, and determining an upper limit on how frequently keys can be changed.

2) Determining how and where, within the program content, to effect the cryptographic key changes, and how to encode those key changes.

3) Determining how to communicate the cryptographic key sets to VOD servers.

4) Determining how to synchronize cryptographic key changes with the corresponding ECMs when the content is streamed to the consumer at time of purchase.

5) Determining how to handle the ECM renewal process.

[0028] The inventive technique addresses these issues by defining a cryptographic key change methodology that permits rapid key changes with straightforward, simple key change synchronization at the time of decryption. This is accomplished, in part, by taking advantage of the MPEG-II data stream structure.
[0029] Present encryption schemes employ a simple, conventional two-key encryption technique to encrypt VOD content. Both keys taken together are essentially a single "cryptographic key set" used to encrypt the entire content. For example, symmetric (i.e., private) keys can be used for encryption. In an alternate implementation, one of the keys can comprise a "public key", and be delivered with the content. The other key is required in combination with the public key to decrypt the content, and is delivered as part of a successful authorization or licensing process. Neither key is useful absent the other key. Although a public key implementation is possible, a private key approach is currently the preferred implementation.
[0030] A problem with encrypting the VOD content with a single set of keys is that an aggressive "attack" using exhaustive cryptographic "cracking" techniques (e.g., a "brute force" approach) could discover a set of keys that will decode the content. Once broken, the content can be reproduced "in the clear" (i.e., unencrypted), thereby completely thwarting the security offered by the encryption scheme. As is well known in the art, key size is a factor in minimizing the likelihood of a successful brute force attack.
[0031] For highest security and greatest protection against cryptographic "cracking" attacks by "pirates", it is highly desirable to increase the number of separate cryptographic keys used by changing the keys at numerous points during the encryption process. The greater the number of "crypto periods" (separately encrypted segments of the content), the more difficult it becomes to "crack" the encryption scheme. If, for example, cryptographic keys were to be changed every 0.5 seconds within a VOD stream (i.e., a crypto period of 0.5 seconds), then the would-be "pirate" would be forced to crack the encryption scheme for each and every 0.5 seconds of content. Each successful breach of encryption security would only produce 0.5 seconds of "clear" (unencrypted) content. For a 90 minute movie, this would require 10,800 separate successful breaches of the encryption scheme. Given the time and effort required to accomplish each breach, this presents a formidable barrier to piracy.
[0032] The inventive technique maintains all cryptographic keys separate from the encoded/encrypted content. A set of ECMs (Entitlement Control Messages) conveying information about a set of keys is multiplexed into the VOD stream by the VOD server when delivering the VOD content to an end user's VOD playback device (e.g. set-top box). A separate EMM (Entitlement Management Message) from an authorization system is delivered to the VOD playback device. The EMM contains the remaining information required to decode/decrypt the VOD content.
[0033] There are two points in the streaming VOD delivery process that dictate the practical upper limit on how frequently keys can be changed within VOD content: the VOD server and the set-top box. Since the content can be encoded "off-line", in a non real-time fashion, there is virtually no practical limit to how frequently cryptographic keys can be changed on the encoding/encryption side of the process. However, the VOD server and/or the set-top box may operate in real-time. VOD server limitations on how frequently ECMs can be multiplexed into the VOD stream to the set-top box set a first upper limit on key change frequency. The rate at which the set-top box can switch encryption keys as a part of its decryption process sets a second upper limit. The maximum rate at which cryptographic keys can be changed is determined by the smaller of these two upper limits.
[0034] The inventive technique for implementing rapid cryptographic key changes uses any of four different basic schemes (techniques, methodologies) for breaking up (subdividing, segmenting, sectioning) the content to be encoded/encrypted into a plurality of "crypto periods", covered by different cryptographic keys. These are:

1) Fixed crypto period: Define a crypto time interval and change the key each time the crypto time-interval passes.

2) Fixed number of packets: Determine a number of content packets "n" corresponding to a suitable time interval and change the cryptographic key every "n" packets.

3) Fixed "marker" count: Using a suitable MPEG-II field type as a "marker", such as an I-frame header, change the cryptographic key every time "n" markers have passed in the stream, where "n" is selected to produce a suitable crypto period. The MPEG-II I-frame header is one example of a suitable "marker." Alternatively, any other suitable, recurring MPEG-II encoding element could be used as a stream "marker" to delimit segments of the MPEG-II stream.

4) Random crypto period: Change the crypto-period randomly within upper and lower constraints on crypto period, using a pseudo-random algorithm. Calculate a number of packets for each crypto period and change the key after that number of packets. Generate an index file indicating at which packet numbers the encryption key should be changed. It is noted that instead of using a packet count to define each crypto period, a time interval could be used.

[0035] For the sake of ensuring clarity of the terminology used herein, to "encode" does not necessarily mean to "encrypt." All encryption is encoding, of a sort. The conversion to MPEG is an encoding process. The process of securing with cryptographic keys is encryption. Both encoding and encryption are performed on the program content. The data stream which is segmented, and for which keys are changing, is essentially the encrypted (e.g., by 116) data stream, which has previously been encoded (e.g., by 114).
[0036] Figures 2A-2D illustrate these four schemes for breaking up the content to be encoded/encrypted into a plurality of "crypto periods."

Fixed crypto period

[0037] Under this encoding/encryption scheme, the encoding system picks (selects) a suitable time interval (crypto period) consistent with the known performance limitations of elements of the VOD delivery and playback infrastructure. Assuming MPEG-II encoding, the encoding/encryption system can use the PCR (Program Clock Reference) headers embedded in an MPEG-II stream of an item of program content to determine the exact amount of program time that has passed at any point in the stream. An initial cryptographic key is generated and encryption of the stream begins with the initial key. When analysis of the PCR information in the MPEG-II stream indicates that the crypto period has passed, a new key is generated and encryption resumes at the next MPEG-II "packet" using the new key. This new key is used until the PCR information once again indicates that the crypto period has passed since the key was changed, and the process repeats until the end of the stream, generating a new encryption key for each subsequent segment of the stream equivalent to a crypto period of program time. Each encryption key is saved for encoding into a set of ECMs for the encoded/encrypted program content. Alternatively, ECMs may be generated and saved as content is encrypted. The ECM set is provided to the VOD reseller (e.g., MSO) upon completion of licensing/authorization of rights to the program content. An encryption record (ER) is also generated, describing the scheme by which the program content was encoded/encrypted and the number of associated ECMs. In another approach, the ERS can take the original ECM set and "retrofit" (i.e., modify) it for each VOD reseller's conditional access system. The ER conveys information which permits such an implementation.
[0038] Figure 2A illustrates this fixed crypto period encoding scheme 200a, showing an encoded/encrypted MPEG-II stream 202, divided into a plurality of segments 204. Each segment corresponds to a series of MPEG-II packets covered by a crypto period defined by a fixed time interval ΔT. Each segment 204 is encrypted according to a different encryption key, used to generate an ECM 206 associated with each separately encrypted crypto period. The ECMs 206 are maintained separately from the encrypted MPEG-II stream 202.

Fixed number of packets

[0039] In a manner similar to that of the fixed crypto period scheme, this scheme initially determines a suitable crypto period. However, unlike the fixed crypto period scheme, the "fixed number of packets" scheme then examines the encoding of the MPEG-II stream for an item of program content to determine a suitable number "n" of MPEG-II packets which correspond to a crypto period. A sufficient extra number of packets in "n" is allowed to account for any variability inherent to MPEG-II encoding and to ensure that no MPEG-II segment of "n" packets will exceed the VOD distribution/playback system's key processing capabilities. It should be appreciated that the streaming content being encrypted comprises a sequence of packets. An initial key is chosen, and encryption of the MPEG-II stream begins, changing the key after each "n" MPEG-II packets in the stream. The number of packets per time interval can vary dramatically.
[0040] As in the fixed crypto period scheme, the encryption key for each "n" packets is saved for encoding into a set of ECMs (ECM1, ECM2 ...) for the encoded/encrypted program content. Alternatively, as noted above, the ECMs can be generated (e.g., in real time) and saved as content is encrypted. The ECM set is provided to the VOD reseller (e.g., MSO) upon completion of licensing/authorization of rights to the program content, and an encryption record (ER) is also generated, describing the scheme by which the program content was encoded/encrypted and the number of associated ECMs. As previously indicated, the ERS could take the original ECM set and modify it for each VOD reseller's CAS.
[0041] Figure 2B illustrates an encoding scheme 200b that uses a fixed number of MPEG-II packets per crypto interval. An encoded/encrypted MPEG-II stream 202 is divided into segments of "n" MPEG-II packets each, where "n" represents the number of MPEG-II packets that correspond to a suitable period of program time to be used as a crypto period. Each segment 204 is encrypted according to a different encryption key, used to generate an ECM 206 associated with each separately encrypted crypto period. The ECMs 206 are maintained separately from the encrypted MPEG-II stream 202.

Fixed "marker" count

[0042] In this scheme, using a suitable, recurring element of MPEG-II encoding as a stream segment delimiter (marker), a number "n" of stream segments is determined that correspond to a suitable crypto period. The stream is then encrypted in "crypto segments" defined by "n" markers. The markers can optionally be transmitted "in the clear", (i.e., unencrypted) to facilitate decoding/decryption. Each crypto segment is encrypted using a different cryptographic key.
`[0043] In a manner like that of the "fixed number of
`packets" scheme, the encryption key for each "n"
`packets is saved (or generated and then saved) for encoding
`into a set of ECMs for the encoded/encrypted program
`content. The ECM set is provided to the VOD reseller
`(e.g., MSO) upon completion of licensing/authorization
`of rights to the program content, and an encryption
`record (ER) is also generated, describing the scheme
`by which the program content was encoded/encrypted
`and the number of associated ECMs.
`[0044] Figure 2C illustrates an encoding scheme
`200c that uses MPEG-II "markers" 208 to delimit crypto
`intervals in the MPEG-II stream. An encoded/encrypted
`MPEG-II stream 202 is divided into a plurality of
`segments 204 delimited by a number "n" of "markers" 208.
`Each segment corresponds to a series of MPEG-II
`packets delimited by "n" markers 208 ("n" = 2 in the figure).
`A marker 208 can be any suitable recurring element of
`MPEG-II encoding, such as an I-frame header (shown
`in the Figure, as "I"). The number "n" is chosen such that
`each segment corresponds roughly to a suitable amount
`of program time for a crypto period. The markers 208
`are transmitted "in the clear" to facilitate their
`identification during the decoding/decryption process. Each
`segment 204 is encrypted according to a different
`encryption key, used to generate an ECM 206 associated with
`each separately encrypted crypto period. The ECMs
`206 are maintained separately from the encrypted
`MPEG-II stream 202.
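The following Python sketch is an added illustration, not part of the patent text. It models the "fixed number of packets" scheme of Figure 2B and the "fixed marker count" scheme of Figure 2C, showing how a receiver holding only the encryption record (ER) and the separately stored keys can recompute every key change. The `Packet` class, the function names, the SHAKE-256 XOR keystream (a placeholder for the real scrambling algorithm) and the choice that a new period opens on the marker itself are all assumptions.

```python
import hashlib, secrets
from dataclasses import dataclass

@dataclass
class Packet:                      # simplified stand-in for an MPEG-II packet
    payload: bytes
    is_marker: bool = False        # e.g. packet carrying an I-frame header

def key_index(packets, scheme, n):
    """Return the crypto-period number of every packet."""
    if scheme == "fixed_packets":
        return [i // n for i in range(len(packets))]
    out, period, seen = [], 0, 0   # scheme == "fixed_markers"
    for p in packets:
        if p.is_marker:
            if seen and seen % n == 0:
                period += 1        # assumed: every n-th marker opens a new period
            seen += 1
        out.append(period)
    return out

def _xor(key, i, data):            # placeholder keystream, NOT a real scrambler
    ks = hashlib.shake_256(key + i.to_bytes(8, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def _apply(packets, keys, scheme, n):
    clear = scheme == "fixed_markers"          # markers stay "in the clear"
    idx = key_index(packets, scheme, n)
    return [p if (clear and p.is_marker) else
            Packet(_xor(keys[k], i, p.payload), p.is_marker)
            for i, (p, k) in enumerate(zip(packets, idx))]

def encrypt(packets, scheme, n):
    periods = max(key_index(packets, scheme, n), default=-1) + 1
    keys = [secrets.token_bytes(16) for _ in range(periods)]  # one key per period
    er = {"scheme": scheme, "n": n, "ecm_count": len(keys)}   # encryption record
    return _apply(packets, keys, scheme, n), keys, er  # keys stand in for the ECMs

def decrypt(stream, keys, er):
    if len(keys) != er["ecm_count"]:
        raise ValueError("ECM set does not match the encryption record")
    return _apply(stream, keys, er["scheme"], er["n"])

# Constructed sample: 12 packets with a marker on every third packet.
SAMPLE = [Packet(bytes([i]) * 8, i % 3 == 0) for i in range(12)]
```

With "n" = 2 markers the constructed sample splits into two crypto periods of six packets each, while a packet count of "n" = 5 yields three periods, the last one short.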
`
`"Random" crypto period
`
`[0045] Using this scheme, suitable upper and lower
`limits are selected for crypto periods within the perform-
`a
