A device (40) for generating a watermarked stream (39), comprising: at least one input interface (41) configured to receive encrypted control messages (20) and conditional access streams (30) including a main stream (33) and protected watermarking data streams (35) from which a watermarking information (38) can be embedded in said watermarked stream (39); a security module (43) configured to process said control messages (20) and to control access to said conditional access streams (30); a descrambler (45) configured to remove protection applied on at least some of said conditional access streams (30); a watermarking unit (47) configured to generate the watermarked stream (39) from said conditional access streams (30) by selectively processing said watermarking data streams (35) depending on access data (AC, AR) included in some of said control messages (20).

A communication system and method of operating the same includes a conditional access module and a customer service module customer service request signal. A handler receives the customer service request signal. The handler determines a communication path to the conditional access module through a connection pool and assigns the communication path for the customer service request signal. The handler communicates the request through the communication path and returns the path to the connection pool when communicating is complete.

Both fingerprinting and watermark decoding processes are applied to received items of audio-visual content. Further processing is applied as well. This further processing depends on output data from the watermark decoding process, and can cause two items of seemingly-identical audio-visual content to be further-processed in different ways.

In one embodiment, a consumer device is assigned, at a broadcast headend to one of at least two groups of consumer devices, the two groups including a first group of consumer devices which is required to play content of a second type in order to view content of a first type and a second group of consumer devices which is not required to play content of the second type in order to view content of the first type. A video broadcast stream is sent from the broadcast headend to the consumer device, the video broadcast stream comprising content of the first type sent associated with a first packet ID (PID) and content of the second type sent associated with a second PID, wherein the first PID and the second PID are processed at the consumer device at the same time. An entitlement management message (EMM) is sent from the broadcast headend to the consumer device according to its group of consumer devices, the EMM being of one of a first type of EMM for devices of the first device type and a second type of EMM for devices of the second device type. An entitlement control message (ECM) stream is sent from the broadcast headend to the consumer device, the ECM stream including comprising three types of ECMs: ECM_P_i_start which enables the consumer device to produce a control word which decrypts a first portion of the content of the first type; ECM_A_(i−1) which enables the consumer device to produce a control word which decrypts content of the second type; and ECM_P_i_rest which enables the consumer device to produce a control word which decrypts a second portion of the content of the first type. Related hardware, systems and methods are also described.

A method for determining an identifier of a conditional access card used in a conditional access system, in which the conditional access card autonomously modulates the timing of data packets sent by the conditional access card, to form a timing sequence that corresponds to the identifier of the card. The sequence is generated by a predefined non-linear function stored on the conditional access card, and the predefined non-linear function depends on both the identifier of the conditional access card and a non-linear random sequence that is known to the conditional access card and a monitoring station that receives transmissions from the conditional access card.

A method for determining an identifier of a conditional access card used in a conditional access system, in which the conditional access card autonomously modulates the timing of data packets sent by the conditional access card, according to a sequence that depends on the identifier of the card. The sequence is generated by a predefined non-linear function stored on the conditional access card, and the predefined non-linear function depends on both the identifier of the conditional access card and a non-linear random sequence that is known to the conditional access card and a monitoring station that receives transmissions from the conditional access card.

A system that incorporates teachings of the present disclosure may include, for example, a gateway comprising a controller to receive from a communication device a request for media content, receive a key and a record associated with the communications device from an interactive television system, wherein the record comprises a list of entitled media content, determine whether the requested media content is in the list of entitled media content, retrieve the requested media content from the interactive television system when the requested media content is determined to be in the list of entitled media content, encrypt the retrieved media content utilizing the key, and transmit the encrypted media content to the communications device. Other embodiments are disclosed.

A technique to manage members of a group of decoders having access to broadcast data, each group member sharing a common broadcast encryption scheme (BES) comprising the steps of, in a stage for a decoder to become a group member, receiving keys pertaining to the position in the group according to the BES, receiving a current group access data comprising a current group access key, and in a stage of accessing broadcast data, using the current group access data to access the broadcast data, and in a stage of renewing the current group access key, sending a first group message comprising at lease a next group access key encrypted so that only non-revoked decoders can access it, said group message being further encrypted by the current group access key, updating the current group access key with the next group access key.

A method is provided for generating a key ladder for securely communicating between a first device and a second device using a first device symmetric key and a chip-unique private key. The method includes generating a second processor-specific first device symmetric key from a first processor-specific first device symmetric key and a first identifier (CPU_ID), generating a chip-unique first device application private key (CUAPrK) from a second identifier and the second processor-specific first device symmetric key, generating a chip-unique first device application public key (CUAPuK) from the chip-unique first device application private key (CUAPrK), and transmitting the chip-unique first device application public key (CUAPuK) and an identifier of the processor to the second device.

A system, a computer readable storage medium, and methods for delivering content from a zero-knowledge edge server node in a content delivery network to an end user device, ensuring content control by a content provider (i.e. reduce piracy) while ensuring privacy of an end user device. One method includes publicizing that a particular content is available for download from the server node; initiating with the server node a communication session using a zero-knowledge protocol between the end user device and the server node operating in zero knowledge; downloading, while in the communication session, the particular content from the server node to the end user device; and receiving a response message from the end user device, including an indication of a content media player application, using the particular content, successfully executed at the end user device. The indication can be accompanied by a cryptographically verifiable proof of integrity.