An external trusted time source is implemented over a network for conditional access system (CAS)/digital rights management (DRM) client devices. A client device includes untrusted software and a trusted execution environment (TEE) for processing an entitlement management message (EMM) that includes an epoch sequence number (ESN) transmitted from an EMM server using a first network connection. A remaining client key set (CKS) lifetime value is stored and updated in the TEE based on the ESN processed.

Techniques for a smartphone-based conditional access (CA) system are described. In some embodiments, a headend in the CA system obtains a security profile associated with a pair of receiving devices used by a user, e.g., a first device (e.g., a smartphone) and a second device (e.g., a set-top-box or a TV). The headend dynamically regulates user access to requested media content during each entitlement period by assigning and distributing separate keys to the first and second device based on the security profile. The headend also uses the distributed keys to protect the media content before broadcasting. On the receiving end, one receiving device receives the media content and determines whether it is decryptable by the device. If decryptable, the receiving device (e.g., the set-top-box/TV) decrypts the media content using the keys assigned by the headend. Otherwise, the receiving device forwards the media content to the pairing device for decryption.

Techniques for a smartphone-based conditional access (CA) system are described. In some embodiments, a headend in the CA system obtains a security profile associated with a pair of receiving devices used by a user, e.g., a first device (e.g., a smartphone) and a second device (e.g., a set-top-box or a TV). The headend dynamically regulates user access to requested media content during each entitlement period by assigning and distributing separate keys to the first and second device based on the security profile. The headend also uses the distributed keys to protect the media content before broadcasting. On the receiving end, one receiving device receives the media content and determines whether it is decryptable by the device. If decryptable, the receiving device (e.g., the set-top-box/TV) decrypts the media content using the keys assigned by the headend. Otherwise, the receiving device forwards the media content to the pairing device for decryption.

The present invention relates to data rights management and more particularly to a secured system and methodology and production system and methodology related thereto and to apparatus and methodology for production side systems and are consumer side systems for securely utilizing protected electronic data files of content (protected content), and further relates to controlled distribution, and regulating usage of the respective content on a recipient device (computing system) to be limited strictly to defined permitted uses, in accordance with usage rights (associated with the respective content to control usage of that respective content), on specifically restricted to a specific one particular recipient device (for a plurality of specific particular recipient devices), or usage on some or any authorized recipient device without restriction to any one in specific, to control use of the respective content as an application software program, exporting, modifying, executing as an application program, viewing, and/or printing of electronic data files.

Devices, servers, systems and methods for content protection are provided. Disclosed embodiments improve temporal granularity of controlling access to the protected content and increase resilience against attacks attempting to prevent re-evaluation of conditions of access. Enforcement of re-evaluation may be based on the receipt and/or verification of tokens. In some embodiments, re-evaluation is enforced by periodically rendering content keys required for content decryption unuseable and/or clearing content keys already in use.

Devices, servers, systems and methods for content protection are provided. Disclosed embodiments improve temporal granularity of controlling access to the protected content and increase resilience against attacks attempting to prevent re-evaluation of conditions of access. Enforcement of re-evaluation may be based on the receipt and/or verification of tokens. In some embodiments, re-evaluation is enforced by periodically rendering content keys required for content decryption unuseable and/or clearing content keys already in use.

A method is provided for generating a key ladder for securely communicating between a first device and a second device using a first device symmetric key and a chip-unique private key. The method includes generating a second processor-specific first device symmetric key from a first processor-specific first device symmetric key and a first identifier (CPU_ID), generating a chip-unique first device application private key (CUAPrK) from a second identifier and the second processor-specific first device symmetric key, generating a chip-unique first device application public key (CUAPuK) from the chip-unique first device application private key (CUAPrK), and transmitting the chip-unique first device application public key (CUAPuK) and an identifier of the processor to the second device.

A broadcast receiving includes a broadcast receiver that receives a broadcast wave of a digital broadcasting service; a separator that separates coded program video data, program-cooperation data, and screen layout control information, from the broadcast wave; a video decoder that decodes the coded program video data to reproduce program video information; a cooperation information generator that interprets the program-cooperation data to generate program-cooperation information; and a control unit that, when an instruction to display a given screen is input while the presentation processor divides video display region into sub-regions based on the screen layout control information, places the program video information in one of the sub-regions, places the program-cooperation information in another sub-region, and outputs the data of the video display region as the video information, outputs information of the given screen as the video information without dividing the video display region based on the screen layout control information.

A broadcast receiving includes a broadcast receiver that receives a broadcast wave of a digital broadcasting service; a separator that separates coded program video data, program-cooperation data, and screen layout control information, from the broadcast wave; a video decoder that decodes the coded program video data to reproduce program video information; a cooperation information generator that interprets the program-cooperation data to generate program-cooperation information; and a control unit that, when an instruction to display a given screen is input while the presentation processor divides video display region into sub-regions based on the screen layout control information, places the program video information in one of the sub-regions, places the program-cooperation information in another sub-region, and outputs the data of the video display region as the video information, outputs information of the given screen as the video information without dividing the video display region based on the screen layout control information.

The present invention relates to data rights management and more particularly to a secured system and methodology and production system and methodology related thereto and to apparatus and methodology for production side systems and are consumer side systems for securely utilizing protected electronic data files of content (protected content), and further relates to controlled distribution, and regulating usage of the respective content on a recipient device (computing system) to be limited strictly to defined permitted uses, in accordance with usage rights (associated with the respective content to control usage of that respective content), on specifically restricted to a specific one particular recipient device (for a plurality of specific particular recipient devices), or usage on some or any authorized recipient device without restriction to any one in specific, to control use of the respective content as an application software program, exporting, modifying, executing as an application program, viewing, and/or printing of electronic data files.