Patent classifications
H04N21/4623
Securing Communication in a Playback Device with a Control Module Using a Key Contribution
Systems and methods for securing communications in a playback device using a key base and at least one key contribution in accordance with embodiments of the invention are disclosed. In one embodiment, a process includes generating a key base using a decryption key and at least one key contribution, where the decryption key can be recovered using the key base and the at least one key contribution, receiving the key base, receiving the at least one key contribution, sending the key base to a decryption module, sending the key contribution to a control module, performing a control feature on the piece of content using the control module, providing the key contribution to the decryption module when the control feature is performed, generating the decryption key using the key base and the at least one key contribution, and accessing at least a portion of the piece of content.
Methods, devices and system for generating a watermarked stream
A device (40) for generating a watermarked stream (39), comprising: at least one input interface (41) configured to receive encrypted control messages (20) and conditional access streams (30) including a main stream (33) and protected watermarking data streams (35) from which a watermarking information (38) can be embedded in said watermarked stream (39); a security module (43) configured to process said control messages (20) and to control access to said conditional access streams (30); a descrambler (45) configured to remove protection applied on at least some of said conditional access streams (30); a watermarking unit (47) configured to generate the watermarked stream (39) from said conditional access streams (30) by selectively processing said watermarking data streams (35) depending on access data (AC, AR) included in some of said control messages (20).
Device for processing multimedia contents implementing a plurality of virtual machines
A multimedia content processing device for processing multimedia contents implementing a plurality of virtual machines is provided. The device is able to receive encrypted multimedia content, protected by a content protection system, and provide the multimedia content in decrypted form to a user device, including an access controller authorizing the provision of the decrypted multimedia content to the user device, a first securer for executing security services having a first associated level of security and a second securer for executing services having an associated level of security lower than the first level of security. The device includes a hypervisor able to control the execution of at least three groups of virtual machines, the groups of virtual machines being executed in a strictly separate manner, including, the first two groups being dedicated to executing services with a level of security lower than the first level of security and the third group of virtual machines able to implement security services with a first level of security and to act as trusted third parties for services of the first and second groups of virtual machines.
Secure differential insertion of secondary content
In one embodiment, a consumer device is assigned, at a broadcast headend, to one of at least two groups of consumer devices, the two groups including a first group of consumer devices which is required to play content of a second type in order to view content of a first type and a second group of consumer devices which is not required to play content of the second type in order to view content of the first type. A video broadcast stream is sent from the broadcast headend to the consumer device, the video broadcast stream comprising content of the first type sent associated with a first packet ID (PID) and content of the second type sent associated with a second PID, wherein the first PID and the second PID are processed at the consumer device at the same time. An entitlement management message (EMM) is sent from the broadcast headend to the consumer device according to its group of consumer devices, the EMM being of one of a first type of EMM for devices of the first device type and a second type of EMM for devices of the second device type. An entitlement control message (ECM) stream is sent from the broadcast headend to the consumer device, the ECM stream comprising three types of ECMs: ECM_P_i_start which enables the consumer device to produce a control word which decrypts a first portion of the content of the first type; ECM_A_(i−1) which enables the consumer device to produce a control word which decrypts content of the second type; and ECM_P_i_rest which enables the consumer device to produce a control word which decrypts a second portion of the content of the first type. Related hardware, systems and methods are also described.
Smartphone-based conditional access system
Techniques for a smartphone-based conditional access (CA) system are described. In some embodiments, a headend in the CA system obtains a security profile associated with a pair of receiving devices used by a user, e.g., a first device (e.g., a smartphone) and a second device (e.g., a set-top-box or a TV). The headend dynamically regulates user access to requested media content during each entitlement period by assigning and distributing separate keys to the first and second device based on the security profile. The headend also uses the distributed keys to protect the media content before broadcasting. On the receiving end, one receiving device receives the media content and determines whether it is decryptable by the device. If decryptable, the receiving device (e.g., the set-top-box/TV) decrypts the media content using the keys assigned by the headend. Otherwise, the receiving device forwards the media content to the pairing device for decryption.
Key ladder generating a device public key
A method is provided for generating a key ladder for securely communicating between a first device and a second device using a first device symmetric key and a chip-unique private key. The method includes generating a second processor-specific first device symmetric key from a first processor-specific first device symmetric key and a first identifier (CPU_ID), generating a chip-unique first device application private key (CUAPrK) from a second identifier and the second processor-specific first device symmetric key, generating a chip-unique first device application public key (CUAPuK) from the chip-unique first device application private key (CUAPrK), and transmitting the chip-unique first device application public key (CUAPuK) and an identifier of the processor to the second device.
Incremental transmission of data
In one form, the present teachings provide a method and apparatus for broadcasting an event. The method includes receiving data related to an event via an uplink. Another aspect of the method includes determining whether the data is broadcast on a recurring basis. The method also includes determining whether a transponder channel associated with multiplexed program channels has any unused data or bandwidth to broadcast a portion of the data along with the multiplexed program channels. Additionally, the method includes broadcasting the portion of the data in a data stream.