Apparatus for managing members of at least one group of decoders having access to broadcast data

Abstract

A technique to manage members of a group of decoders having access to broadcast data, each group member sharing a common broadcast encryption scheme (BES) comprising the steps of, in a stage for a decoder to become a group member, receiving keys pertaining to the position in the group according to the BES, receiving a current group access data comprising a current group access key, and in a stage of accessing broadcast data, using the current group access data to access the broadcast data, and in a stage of renewing the current group access key, sending a first group message comprising at lease a next group access key encrypted so that only non-revoked decoders can access it, said group message being further encrypted by the current group access key, updating the current group access key with the next group access key.

Claims

1. A management system for managing a population of decoders having access to transmitted data, each decoder being temporarily assigned to a position in a group of decoders and sharing a common broadcast encryption scheme, the management system being adapted to: revoke at least one decoder from the group; declare the position of the revoked decoder as vacated; renew a current group access key for the group using a global group addressed message comprising at least a next group access key encrypted using the broadcast encryption scheme so that only the decoders corresponding to non-revoked positions can decrypt it, whereby the at least one revoked decoder is incapable of correctly decrypting the global group addressed message, said group message being further encrypted by the current group access key; and reuse a position vacated by a revoked decoder by making said next group access key the current group access key and by marking the vacated position in the group as available and making another decoder a member of the group.

2. The system of claim 1, wherein the another decoder is made a member of the group by: allocating an available position in the group to the another decoder; marking the position as not available in a system database; and sending, in a message to the another decoder, keys pertaining to said position into the group according to the broadcast encryption scheme, as well as a current group access key common to said group, said message being encrypted with a key that is unique to the another decoder.

3. The system of claim 2, wherein the selection of an available position starts with a position adjacent of an already allocated position so as to concentrate all used positions in a consecutive manner.

4. The system of claim 2, wherein the selection of an available position starts with a position between two already allocated positions so as to concentrate all used positions in a consecutive manner.

5. The system of claim 1, wherein the global group addressed message further comprises group access data comprising a session key, said session key being used to access audio/video data pertaining to the group.

6. The system of claim 1, wherein the system is further adapted to send a second group message comprising a session key, said second group message being encrypted by the current group access key, said session key being usable by the decoders to access audio/video data pertaining to the group.

7. The system of claim 1, wherein the global group addressed message further comprises a cryptogram for each non-revoked decoder, each cryptogram being encrypted with a key unique to a respective decoder in addition to being encrypted with the current group access key.

8. A broadcast management system comprising: a plurality of decoders having access to transmitted data, each decoder being temporarily assigned to a position in a group of decoders and sharing a common broadcast encryption scheme; and a management center being configured for communication with the plurality of decoders, the management center being adapted to: revoke at least one decoder from the group, declare the position of the revoked decoder as vacated, renew a current group access key for the group using a global group addressed message comprising at least a next group access key encrypted using the broadcast encryption scheme so that only the decoders corresponding to non-revoked positions can decrypt it, whereby the at least one revoked decoder is incapable of correctly decrypting the global group addressed message, said group message being further encrypted by the current group access key, and reuse a position vacated by a revoked decoder by making said next group access key the current group access key and by marking the vacated position in the group as available and making another decoder a member of the group; wherein each of the plurality of decoders is adapted to: access transmitted data using the current group access data, and in the non-revoked decoders, decrypt the global group addressed message using the current group access key, decrypt the result using broadcast encryption keys pertaining to the position in the group and update the next group access key.

9. The system of claim 8, wherein the another decoder is made a member of the group by: allocating an available position in the group to the another decoder; marking the position as not available in a system database; and sending, in a message to the another decoder, keys pertaining to said position into the group according to the broadcast encryption scheme, as well as a current group access key common to said group, said message being encrypted with a key that is unique to the another decoder.

10. The system of claim 9, wherein the selection of an available position starts with a position adjacent of an already allocated position so as to concentrate all used positions in a consecutive manner.

11. The system of claim 9, wherein the selection of an available position starts with a position between two already allocated positions so as to concentrate all used positions in a consecutive manner.

12. The system of claim 8, wherein the global group addressed message further comprises group access data comprising a session key, said session key being used to access audio/video data pertaining to the group.

13. The system of claim 8, wherein the system is further adapted to send a second group message comprising a session key, said second group message being encrypted by the current group access key, said session key being usable by the decoders to access audio/video data pertaining to the group.

14. The system of claim 8, wherein the global group addressed message further comprises a cryptogram for each non-revoked decoder, each cryptogram being encrypted with a key unique to a respective decoder in addition to being encrypted with the current group access key.

Description

BRIEF DESCRIPTION OF THE FIGURES

(1) The present application will be better understood thanks to the attached figures, in which:

(2) FIG. 1 illustrates a broadcast encryption tree

(3) FIG. 2 illustrates the case with the terminal T2

(4) FIG. 3 illustrates the case for excluding terminals

(5) FIG. 4 illustrates the chaining of the group key

DETAILED DESCRIPTION

(6) The present application comprises two parts, the group key chaining and key distribution allowing an efficient revocation mechanism.

(7) When a group access key is to be renewed, the message containing the new group access key is sent to the decoders of that group. The message is broadcasted so all decoders, even not belonging to that group can receive this message and the encryption will determine which decoders can really obtain the new group access key.

(8) Let us take the example with a group of 256 decoders and two decoders should be revoked. Each decoder contains at least a master group key and a personal key. The new group access key is encrypted by the current group access key and by the keys only available in the decoders that are not revoked.

(9) A simple example using a trivial broadcast encryption scheme can be to create firstly a cryptogram containing the new group access key and encrypted by the current group access key. This cryptogram CT is then encrypted with a decoder personal key. The message will then comprises 254 cryptograms, each being encrypted by a personal key of the non-revoked decoders. Of course, the inverse method is also applicable, the new group access key is firstly encrypted by the personal key of a non-revoked decoder and then encrypted by the current group access key.

(10) For the next renewal of the group access key, so-called further next group access key, even if the revoked decoders still contain the master group key and their personal key, the next message will contain the further next group access key encrypted by the master key only and by the next group access key. Since the revoked decoders have not been able to access to the next group access key, this further next group access key is also not accessible for these decoders even if they have the master group key.

(11) According to another example, the further next group access key is simply encrypted by the next group access key.

(12) The second part of the invention is to propose a scheme that reduces greatly the size of the message when a revocation is to be carried out. One can imagine a group of 5000 decoders and only one is to be revoked. In this case, with the example above, the next group access key should be duplicated 4999 times, each time associated with the personal key of the non-revoked decoders.

(13) The FIG. 4 illustrates the process of revocation. The top part shows the audio/video product (could be one channel or a group of channels) encrypted by the key successively K.sub.1, K.sub.2 and K.sub.3. It is to be noted that this key (K.sub.1, K.sub.2 or K.sub.3) could be used to decrypt directly the audio/video product or serving as decryption key to decrypt the messages (ECM) containing the keys to decrypt the audio/video product.

(14) In the example of the FIG. 4, during the first time period, the decoders T1, T2, T3 and T4 are part of the group. The group access key C.sub.1 is the current one when the message K.sub.1C.sub.2 is arrived, containing the next group access key C.sub.2 and the key K.sub.1 to access the audio/video product. In fact, the product key K.sub.1 will arrive before this key is used to decrypt the product. The decoders will store the current product key K.sub.1 and when the next is received, the product key K.sub.2, ready to be applied at the time the product swap from K.sub.1 to K.sub.2.

(15) During the second time period, the group access key C.sub.3 is sent to the non-revoked decoders. These decoders are T1, T2 and T4. The message K.sub.2C.sub.3 is encrypted by the current group access key C.sub.2 and the keys pertaining to the non-revoked decoders T1, T2 and T4. The decoder T3, having the current group access key C.sub.2, cannot decrypt this message and have access to the group access key C.sub.3.

(16) During the third time period, the message carrying the next group access key C.sub.4 can be simply encrypted by the current group access key C.sub.3. The position into the group of formerly T3 can be reallocated (to a decoder T30) by transmitting the current group access key C.sub.3 and the key or keys previously distributed to the decoder T3. This reallocation can be executed only after the group access key C.sub.3 is active i.e. after the transmission of the message K.sub.2C.sub.3.

(17) The group is organized by the management system and each position into the group is associated with a position status. This status can comprises three states, namely “free”, “allocated” and “transitional”. At the creation of a group, all positions are marked “free”. When a position is allocated to a member, this position is marked “allocated”. As soon as a member is withdrawn of the group, the position is marked “transitional”. This state indicates that the position was used before and special care is to be taken while reallocating this position. This position can be reallocated as soon as the group access key has been renewed into the members of this group at the exception of this specific member. The time between the revocation of the member until the group access key is changed for all other members is the so-called “quarantine” period. After this quarantine period, the position is virtually “free” and can be reused.

(18) The management of the database of the management center regularly checks the status of the “transitional” positions and checks whether the group access key is no longer present into the revoked decoder attached to that position. In this case, the position can be modified from “transitional” to “free”.

(19) In the case that no regular scan of the database is carried out, the status of a specific position is determined when a new member is to be inserted into that group. This is why in the case that the position has the state “transitional”, a further check is carried out to determine if the quarantine period is over.

(20) The renewal message of the group access key is formed by the group access data (CGD) which includes at least the group access key (CGK). This key can be used to decrypt the entitlement messages (ECM) related to the services for which the group of decoders has access. As a consequence, the group access key serves for the chaining mechanism and to access the services.

(21) According to another embodiment, the group access data comprises a session key SK. This session key SK will serves to access the services and decrypt the entitlement messages (ECM) related to these services.

(22) According to another embodiment, when the group access data comprising the new group access key is received and stored in the non-revoked decoders, another message is sent to the decoders containing the session key SK. This message is then encrypted by the group access key, thus only the non-revoked decoders can decrypt and obtain this session key SK.

(23) Personal Key Distribution

(24) Although the group access key can be distributed according to any broadcast encryption scheme as described above, in order to efficiently generate a revocation message, the present invention will now describe an efficient way to organize the key distribution. The main property of an ideal Broadcast Encryption system can be summarized for the purpose of this invention:

(25) Assuming each terminal in the system has been provisioned with a unique set of secrets, a server, knowing the secrets of each terminal, may encrypt a single message in a way that is both efficient (the message is small) and that can be decrypted by authorized terminals but not by excluded (revoked) terminals even if all revoked terminals collude together.

(26) Proposed Scheme

(27) A particular scheme is considered here to illustrate the working principle of the invention. It is described in [3], however, it is to be noted that due to its severe lack in collusion resistance its use is not recommended in practice and it is only used here for its simplicity and for illustrative purposes.

(28) Assuming the following conventions: n is the total population of terminals in the broadcast encryption scheme r is the number of terminals revoked in an encrypted message log is the logarithm base 2 k is the size in bytes of keys in the system (value assumed here is 128 bits=16 bytes)

(29) Then: each terminal must store (log(n)+1)*k bytes of key material the size of the encrypted message is at most: n/8+k+payload size bytes the terminal must perform at most r*(log(n)−1) crypto operations to retrieve the message encryption key

DESCRIPTION

(30) The mechanism operates on a population of n=2.sup.m terminals. A binary tree of keys is built as illustrated in the FIG. 1 for this population using a one way function to derive the key of each branch from the key of the node above.

(31) The f(K,n) function is a public one-way function (e.g. hash primitive) that derives a key from its two parameters.

(32) Each Terminal is assigned a leaf key, as depicted above, however, this key is not given to the terminal, instead, each terminal is given the key of all the other terminals in the group, or the means to compute them. For instance, as illustrated in the FIG. 2, the keys provided to terminal T.sub.2 are K.sub.10, K.sub.3 and K.sub.2.

(33) Using K.sub.3, T.sub.2 can compute K.sub.7 and K.sub.8, and using K.sub.2, it can compute K.sub.11 to K.sub.14, through K.sub.5 and K.sub.6.

(34) When joining the group, each terminal then effectively receives log.sub.2(n) keys, plus an additional Group key K.sub.G used for addressing a message to all members of the group.

(35) Once this is in place, any message that must be sent to the group or subset of the group is encrypted in the following way: If the message is targeted to all terminals in the group, it is encrypted with the Group key, K.sub.G which is known to all terminals If the message is targeted to a subset of the terminals in the group, a key is built by hashing together the keys assigned to each excluded terminals, and the message is encrypted with this key: K=Hash(K.sub.a, KB, . . . , K.sub.z).

(36) For example, if terminals T.sub.0 and T.sub.6 are excluded, keys K.sub.7 and K.sub.13 are hashed together to compute a key and the message is encrypted with it.

(37) Since T.sub.0 and T.sub.6 do not know their respective keys, they can not compute the final key, while all the other terminals in the group can compute these keys and thus access the content of the message.

(38) The resulting encrypted message is essentially the same size as the original, only padding and the use of a session key slightly increase its size.

(39) In addition to the message itself, some signaling must be added so that receiving terminals know whether they are excluded or not and how to compute the keys. This is done using a bitmap where each bit corresponds to a terminal and indicates whether that terminal is included in the recipient or not. The bitmap may be compressed under certain conditions.

(40) Limitations

(41) Some mechanism must be introduced to reach an addressable population of tens of millions while keeping the number of revoked terminals to a minimum (and thus the bandwidth to an acceptable level).

(42) The first goal is easily met by splitting the total population into a number of subsets of the adequate size and managing each subset as an independent population.

(43) The second goal is more difficult to meet without a dedicated mechanism for revoked population control. The Dynamic Group Management mechanism described below proposes to solve this problem.

(44) Dynamic Group Management

(45) Principle

(46) The principle of operation is the following: The content is put up for sale in packages, typically by grouping a number of services in independent products. The unit of sale, and thus the unit of control, is the product. For each product, the population of terminals subscribed to this product is split in a number of groups, for which an independent Broadcast Encryption system is generated (for instance using methods well-known in the art). The number of groups is proportional with the actual population of subscribers for this product (population divided by the group size), not with the total population of terminals. Upon subscribing to a product, a slot is allocated to the terminal in one of the groups associated to this product (a new group is created if needed). The unique set of keys corresponding to this slot is sent to the terminal using a message addressed to this particular terminal. An additional key is also provided, the Group Access Key, which use is described below On a regular basis (e.g. every day), a Positive Addressing message is generated for each group of terminals of each product. This PA message contains all the keys required to access the content of the product over the next period of control (e.g. the next week or month). This PA message is encrypted using the Broadcast Encryption primitive for this group of terminals, and is further over-encrypted with the Group Access Key. Upon cancellation of a subscription by the user, the terminal is put in the list of revoked terminals for its group (for this particular product). In the next PA message, those terminals that are revoked may decrypt the first layer of encryption using the Group Access Key, however, they are not capable of decrypting the underlying message, by virtue of the Broadcast Encryption scheme. As a consequence, these terminals cannot retrieve the content keys for the next period of control and are thus unable to access the content. Furthermore, they cannot retrieve the next Group Access Key which is covered by the Broadcast Encryption and are thus effectively definitively excluded from this group. As soon as the last Group Access Key given to a revoked terminal is replaced by a new one, the slot of the revoked terminal may be assigned to a new subscribing terminal.

(47) The diagram of the FIG. 4 illustrates the principle:

(48) T.sub.n indicates a terminal, the solid arrows indicate the ability of the targeted terminal to access the message in the middle layer of the diagram. This message is the PA message addressing a subset of the terminal population with the Broadcast Encryption scheme, containing the Service Keys K.sub.n and over encrypted with the Group Access Key C.sub.n.

(49) Benefits

(50) Using Dynamic Groups provides three majors benefits: The first benefit is that the number of the PA EMM generated for any Product is directly proportional to the number of subscribers to that product, not to the total population of subscribers. Thus, if a product is purchased by a minority, the PA bandwidth required to maintain it is small. The second benefit is that the population of receivers targeted by any PA EMM is extremely homogeneous: indeed, all receivers have purchased that product and only a small percentage of them have cancelled it. This means that the addressing bit field, which indicates which receivers in the PA Group are revoked is essentially composed of bits set to ‘1’ and thus can be compressed. A simple and efficient compression algorithm will provide a compression ratio of 1/14 for a 0% revocation rate, 1/6 for a 2% revocation rate and still 1/3 for a 5% revocation rate. The third benefit is that slots in the group are recycled: when a terminal is excluded from the group, its slot is reassigned to a new terminal, constantly keeping the number of revoked slots in the group to a minimum (no more than 2%-3% in the ideal case). Fourth benefit is that any broadcast encryption method can be used, such as previously known in the art, as well as new ones, hence improving even more the efficiency (bandwidth, terminal key storage and/or encryption/decryption complexity) of the entire system.

(51) All these put together allow for a very efficient use of the broadcast bandwidth.

REFERENCES

(52) [1] Dan Boneh, Craig Gentry, Brent Waters: Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys. CRYPTO 2005 [2] Dalit Naor, Moni Naor, Jeffery Lotspiech: Revocation and Tracing Schemes for Stateless Receivers. CRYPTO 2001 [3] OMA DRM v2.0 Extensions for Broadcast Support, OMA-TS-DRM_XBS-V1_0-20081209-C.pdf, Chapter C. 17 [4] Cecile Delerablee et al. “Fully Collusion Secure Dynamic Broadcast Encryption with Constant-Size Ciphertexts or Decryption keys”, Pairing 2007 [5] WO 2007/138204 A1 (France Telecom, Delerablee Cecile) “Cryptographic Method with Integrated Encryption and Revocation, System, Device and Programs for Implementing this Method” [6] Pan Wang et al. “Storage-Efficient Stateless Group Key Revocation”, ISC 2004 [7] Masafumi Kusakawa et al. “Efficient Dynamic Broadcast Encryption and Its Extension to Authenticated Dynamic Broadcast Encryption”, CANS 2008 [8] US 2004/114762 (General Instrument Corp., Alexander Medvinsky) “Subset Difference Method for Multi-Cast Rekeying” [9] FR 2 850 822 A1 (CANAL PLUS TECHNOLIES [FR]) “Système de télévision a péage, procédéde révocation dans un tel système, décodeur et cartes à puces associés, et message transmis à un tel décodeur”.