Patent classifications
H04L2209/601
REDUCED SIZE KEY ALLOCATION DESCRIPTORS
Space-efficient methods of defining a key allocation scheme within a broadcast encryption system are provided. In some embodiments, a descriptor is received. The descriptor includes a plurality of subset definitions and a plurality of pointers. A data segment is resolved from each of the plurality of pointers. The resulting data segments are assembled into a plurality of variant definitions. A media key block is generated from the plurality of subset definitions and the plurality of variant definitions.
METHOD AND SYSTEM FOR DATACASTING AND CONTENT MANAGEMENT
A method and system for datacasting and content management. Such a system may have, as its core, a dashboard system for managing data feeds. A dashboard system may receive data feeds from one or more associated devices, such as the hardware devices of first responders or other public safety officers, and may aggregate and prioritize them. The dashboard system may then manage, prioritize and encrypt the video, files and other data in preparation for broadcast over the television or satellite transmitter, via, for example, a television broadcasting station, and may then broadcast the video, files, or other data to a plurality of users. Alerts and notifications may be created, files attached and links to video streams distributed over this same broadcast network. The broadcasting system may be able to send multiple streams of content simultaneously, may be able to target specific users to be broadcast to, and may be able to incorporate data from public data sources, such as public security cameras.
MECHANISMS AND APPARATUS FOR SECURING BROADCAST CONTENT DISTRIBUTION OF TIME-SENSITIVE DATA
Aspects of the subject disclosure may include, for example, authenticating a user device based on communication over a data plane of a network, generating a decryption key, transmitting the decryption key to the user device, and transmitting encrypted content to the user device. The encrypted content may be accessible at the user device via the encryption key, potentially as a function of location and/or time. Other embodiments are disclosed.
Method and system for protecting broadcast service/content in a mobile broadcast system, and method for generating short term key message therefor
A system and method are provided for generating a Short Term Key Message (STKM) for protection of a broadcast service being broadcasted to a terminal in a mobile broadcast system. The method includes transmitting, by a Broadcast Service Subscription Management (BSM) for managing subscription information, at least one key information for authentication of the broadcast service to a Broadcast Service Distribution/Adaptation (BSD/A) for transmitting the broadcast service, generating, by the BSD/A, a Traffic Encryption Key (TEK) for deciphering of the broadcast service in the terminal and inserting the TEK into a partially created STKM, and performing, by the BSD/A, Message Authentication Code (MAC) processing on the TEK-inserted STKM using the at least one key information, thereby generating a completed STKM.
Secure layered encryption of data streams
Technology permitting secure storage and transmission of data streams as well as tiered access to multiple data streams according to permission. Data streams may be encrypted using symmetric encryption performed with varying symmetric keys according to a key stream of symmetric keys. Native data may be discarded for safety. Whole or partial key streams may be encrypted using the public keys of authorized entities having permission to access respective data streams or portions thereof. Only the corresponding private keys can decrypt the encrypted key streams required to decrypt the encrypted data streams. Thus rigorous access control is provided. IT personnel accessing data stream files on a server or intruders maliciously obtaining files will not be able to derive the data stream. Sensitive data streams may be stored using cloud services despite inherent risks.
Information secure protocol for mobile proactive secret sharing with near-optimal resilience
Described is a system for mobile proactive secret sharing amongst a set of servers. A First protocol distributes a block of secret data among the set of servers, the block of secret data including shares of data. Each server holds one share of data encoding the block of secret data. A Second protocol periodically refreshes shares of data such that each server holds a new share of data that is independent of the previous share of data. A Third protocol reveals the block of secret data. Shares of data are periodically erased to preserve security against the adversary. The Second protocol provides statistical security or non-statistical security against the adversary.
SATELLITE RECEIVER OPTION FOR CERTIFICATE DISTRIBUTION
In exemplary embodiments of the present invention, a V2V unit in a vehicle (OBE) can, for example, store a plurality of years of encrypted certificates. The certificates can, for example, be programmed at an OBE factory using a secure server, and access to all certificates can be locked until an unlock key is computed for a given window (certificate validity period). An in-vehicle satellite receiver can then receive, over, for example, a dedicated satellite control channel, unlock codes for a current time window and a next time window, and provide them to the V2V device. Using those unlock codes, the V2V device (OBE) can compute an unlock key from an unlock code provided by the satellite receiver. In this manner an in-vehicle device may be directly messaged, but only to unlock one or more certificates at a controlled time. Without the received lock codes, the stored certificates are not useable.
Live stream encryption
Techniques are described by which decryption key rotation may be accomplished to support the protection of live streaming content. During playback of content using a decryption key, the client begins acquisition of a second stream of the same content (including a new decryption key) such that the client can transition playback of the content from the first stream to the second with few or no visible artifacts from the viewer's perspective.
METHODS AND SYSTEMS FOR BROADCASTING TARGETED ADVERTISEMENTS TO MOBILE DEVICE
The disclosed embodiments illustrate methods and systems for identifying a targeted content item for a user. The method includes receiving one or more encrypted first attributes of the user, and a first key. Thereafter, one or more content items are encrypted using the first key. The one or more content items are stored in a data structure such that the one or more content items are indexed in the data structure according to one or more second attributes of the one or more content items. Thereafter, at least one encrypted content item is retrieved from the data structure based on the one or more encrypted content items, the indexing of the one or more content items, and the one or more encrypted first attributes. The at least one encrypted content item is decrypted to generate the targeted content item.
Apparatus for managing members of at least one group of decoders having access to broadcast data
A technique to manage members of a group of decoders having access to broadcast data, each group member sharing a common broadcast encryption scheme (BES) comprising the steps of, in a stage for a decoder to become a group member, receiving keys pertaining to the position in the group according to the BES, receiving a current group access data comprising a current group access key, and in a stage of accessing broadcast data, using the current group access data to access the broadcast data, and in a stage of renewing the current group access key, sending a first group message comprising at least a next group access key encrypted so that only non-revoked decoders can access it, said group message being further encrypted by the current group access key, updating the current group access key with the next group access key.