Patent classifications
H04N21/26606
CONTENT PROTECTION
Devices, servers, systems and methods for content protection are provided. Disclosed embodiments improve the temporal granularity of controlling access to the protected content and increase resilience against attacks that attempt to prevent re-evaluation of the conditions of access. Enforcement of re-evaluation may be based on the receipt and/or verification of tokens. In some embodiments, re-evaluation is enforced by periodically rendering the content keys required for content decryption unusable and/or clearing content keys already in use.
Portable entitlement
Some implementations include methods for generating a portable entitlement for a digital asset. The methods may include generating a portable entitlement to a digital asset based on a request initiated by a first user having an entitlement to the digital asset, the portable entitlement enabling the first user to access the digital asset using a second computing device of a second user, the request being initiated using a first computing device of the first user, and the portable entitlement having a limited lifetime; and terminating the second computing device's access to the digital asset based on one or more of determining that the proximity between the first and second computing devices violates the distance threshold and determining that the lifetime of the portable entitlement has expired.
Automated video content processing
Video content is processed for delivery using an automated process that allows for convenient packaging of encrypted or digital rights management (DRM) protected content in a manner such that the packaged content can be efficiently stored in a content delivery network (CDN) or other content source for subsequent re-use by other media clients without re-packaging, and without excessive storage of unused content data.
KEY LADDER GENERATING A DEVICE PUBLIC KEY
A method is provided for generating a key ladder for securely communicating between a first device and a second device using a first device symmetric key and a chip-unique private key. The method includes generating a second processor-specific first device symmetric key from a first processor-specific first device symmetric key and a first identifier (CPU_ID), generating a chip-unique first device application private key (CUAPrK) from a second identifier and the second processor-specific first device symmetric key, generating a chip-unique first device application public key (CUAPuK) from the chip-unique first device application private key (CUAPrK), and transmitting the chip-unique first device application public key (CUAPuK) and an identifier of the processor to the second device.
Pre-entitlement enforcement
A method of transmitting entitlement messages to content consumption devices in an access control system, the method comprising periodically transmitting entitlement messages to content consumption devices in an access control system and periodically extending an expiry time comprised in the entitlement messages. The entitlement messages comprise indicator data indicating to the content consumption devices that subsequent entitlement messages loaded into a content consumption device after a first entitlement message has been loaded into the content consumption device shall not be used by the content consumption device to access protected media content.
Downloadable security and protection methods and apparatus
Methods and apparatus for control of data and content protection mechanisms across a network using a download delivery paradigm. In one embodiment, conditional access (CA), digital rights management (DRM), and trusted domain (TD) security policies are delivered, configured and enforced with respect to consumer premises equipment (CPE) within a cable television network. A trusted domain is established within the user's premises within which content access, distribution, and reproduction can be controlled remotely by the network operator. The content may be distributed to secure or non-secure “output” domains consistent with the security policies enforced by secure CA, DRM, and TD clients running within the trusted domain. Legacy and retail CPE models are also supported. A network security architecture comprising an authentication proxy (AP), provisioning system (MPS), and conditional access system (CAS) is also disclosed, which can interface with a trusted authority (TA) for cryptographic element management and CPE/user device authentication.
SYSTEMS AND METHODS FOR OPTIMIZING BANDWIDTH FOR DATA TRANSMISSION
Systems and methods are disclosed herein for optimizing bandwidth for broadcast transmission. The disclosed techniques provide for receiving first and second content for transmission to subscriber devices on first and second channels. The system then determines whether the first and second content contain a common segment. If so, the system updates the metadata schema (e.g., homogeneous channel descriptor, homogeneous switch descriptor) to indicate that there is a common segment. The system may generate a transport stream during multiplexing of the first and second channels based on the updated metadata schema. The transport stream, for a time duration based on the common segment, includes a first audio feed of the first content and a first video feed of the first content to be provided on the second channel. The system then transmits the transport stream to the one or more subscriber devices.
FINE GRAIN RIGHTS MANAGEMENT OF STREAMING CONTENT
The present invention provides methods, apparatuses, and systems for delivering protected streaming content to a receiving device. In an aspect of the present invention, a broadcaster provides streaming content. To ensure viewers are properly authorized, the streaming content is encrypted with a traffic key. The traffic key is provided to the users via a key stream message, which is encrypted with a service key. The user obtains at least one rights object from a rights issuer, and the at least one rights object includes the service key so that the streaming content may be used. The at least one rights object also contains information regarding usage rights that may be configured by the rights issuer so that, depending on the user and/or the receiving device, different rights may be available. The key stream message may include a program category variable value that indicates the type of content and, in conjunction with the rights object, determines what usage rights exist for the streaming content.
Methods and systems for accessing content
Methods and systems for accessing content are provided. A non-tunable device (e.g., a device without the capability to tune to a particular channel) can access a particular channel via a tunable device (e.g., a device with the capability to tune to the particular channel). A computing device can facilitate content tuning. In an aspect, the non-tunable device can transmit a request for content to the computing device. The request for content can comprise a title of the content, a type of content, channel information, and the like. Upon receiving the request for content, the computing device can determine the characteristics of the non-tunable device such as device type, device capabilities, location, and identify all the tunable devices capable of communicating with the non-tunable device. Entitlement information can be provided to the one or more tunable devices. The entitlement information can facilitate access to the requested content by the non-tunable device.
Using secure web sockets to extend reach of conditional access systems
A system and method for securely and bi-directionally transmitting information, including conditional access private data, between a client and a headend is disclosed. In an exemplary embodiment, the method includes: establishing a hypertext transfer protocol secure (HTTPS) connection; upgrading the HTTPS connection to a persistent bi-directional secure web socket connection; accepting a first message from a client via the web socket connection, wherein the first message comprises an identifier of the client; parsing the message for the identifier of the client; associating the identifier of the client with the secure web socket connection; and transmitting a second message notifying the headend of the secure web socket connection, the second message comprising the identifier of the client.