METHOD AND DEVICE ALLOWING AN ACCESS CONTROL SYSTEM TO BE APPLIED TO THE PROTECTION OF STREAMED VIDEO

Abstract

Some embodiments are directed to a method and to a device allowing an access control system to be applied to the protection of streamed video. The inventive system and associated method allow an existing access control system of Marlin type to be used innovatively based on the execution of two successive operation phases allowing DRM rights to be acquired followed by the delivery of content and the decryption thereof.

Claims

1. A system for managing digital rights and for streaming digital content over an Internet data communication network, the Internet network being structured according to a multicast routing mode, the system comprising: a digital rights management device, including: at least one module for encrypting an item of digital content, capable of being linked to a source of streamed digital content via the Internet data communication network, and capable of receiving the streamed digital content from the source of digital content; a module for storing cryptographic encryption keys and content identifiers, linked to the encryption module; a module for interfacing with a customer relationship management system; at least one module for creating and managing action tokens, linked to the interfacing module; at least one module for managing digital rights and access to the digital content, linked to the module for storing cryptographic encryption keys and content identifiers and to the module for creating and managing action tokens; the module for managing digital rights and access to the digital content including a database for storing objects and transactions linked to the digital rights; a client device for accessing the streamed digital content, linked to the digital rights management device via the Internet data communication network and including: a module for accessing, parsing and playout of the streamed digital content; a user interface module, linked to the module for creating and managing action tokens; a client module for managing digital rights, linked to the module for accessing, parsing and playout of the streamed digital content, to the user interface module and to the module for managing digital rights and access to the digital content; each module being formed from a software component, from a hardware component or from an assembly of software and hardware components.

2. The system according to claim 1, wherein the module for encrypting an item of digital content comprises a first sub-module for scrambling digital content and a second sub-module for generating entitlement control messages, linked to the first sub-module, the first sub-module for scrambling digital content being capable of encrypting the digital content via a secret cryptographic encryption key, the second sub-module for generating entitlement control messages being capable of encrypting each of the secret cryptographic encryption keys and thus of obtaining, for each encrypted secret cryptographic encryption key, an entitlement control message.

3. The system according to claim 2, wherein the first sub-module for scrambling digital content is a multiplexer.

4. The system according to claim 1, wherein the digital rights management device includes a first, front-end module for creating and managing action tokens and a second, back-end module for creating and managing action tokens, linked to the first, front-end module.

5. The system according to claim 1, wherein the digital rights management device includes a first, front-end module for managing digital rights and access to the digital content and a second, back-end module for managing digital rights and access to the digital content, linked to the first, front-end module.

6. The system according to claim 1, wherein the Internet data communication network is a network compliant with the IP television standard, and in that the streamed digital content is a streamed television audiovisual stream.

7. The system according to claim 1, wherein the digital rights management device and the client device form a client-server architecture, at least one of the modules of the digital rights management device being a server.

8. A method for acquiring digital rights, implemented by the system according to claim 1, the method comprising: transmitting, by the user interface module, a digital rights update request, the update request including an identifier of the client device, and a digital rights management (DRM) identifier; transmitting, by the module for creating and managing action tokens, subsequent to the reception of the digital rights update request, a request to retrieve the digital rights of the user, the request being transmitted on the basis of the identifier of the client device; transmitting, by the interfacing module, the request to the customer relationship management system; receiving, by the module for creating and managing action tokens, via the interfacing module, the digital rights of the user transmitted by the customer relationship management system; transmitting, by the module for creating and managing action tokens, the received digital rights to the module for managing digital rights and access to the digital content; translating, by the module for managing digital rights and access to the digital content, the digital rights into objects linked to the digital rights; assigning, by the module for managing digital rights and access to the digital content, a unique transaction identifier specific to each object generated; transmitting, by the module for creating and managing action tokens, for each object generated, an action token containing a list of actions that must be performed in order to retrieve this object, along with the unique transaction identifier relating to this object, to the user interface module; transmitting, by the user interface module, for each object generated, an instruction including the action token and the unique transaction identifier relating to this object, to the client module for managing digital rights; transmitting, by the client module for managing digital rights, for each object generated, an instruction including the action token and the unique transaction identifier relating to this object, to the module for managing digital rights and access to the digital content; retrieving, by the module for managing digital rights and access to the digital content, for each object relating to a received action token, the object, on the basis of the unique transaction identifier and of the list of actions relating to this object; transmitting, by the module for managing digital rights and access to the digital content, a request to translate the digital rights management (DRM) identifier into a cryptographic encryption key, to the module for storing cryptographic encryption keys and content identifiers; subsequent to the translation, by the module, of the digital rights management (DRM) identifier into a cryptographic encryption key, transmitting, by the module for managing digital rights and access to the digital content, for each object relating to a received action token, the object to the client module for managing digital rights, the or each object transmitted including the cryptographic encryption key.

9. A method for transmitting streamed digital content over an Internet data communication network, the Internet network being structured according to a multicast routing mode, the method being implemented by a system for managing digital rights and for streaming digital content over an Internet data communication network, the Internet network being structured according to a multicast routing mode, the system comprising: a digital rights management device, including: at least one module for encrypting an item of digital content, capable of being linked to a source of streamed digital content via the Internet data communication network, and capable of receiving the streamed digital content from the source of digital content; a module for storing cryptographic encryption keys and content identifiers, linked to the encryption module; a module for interfacing with a customer relationship management system; at least one module for creating and managing action tokens, linked to the interfacing module; at least one module for managing digital rights and access to the digital content, linked to the module for storing cryptographic encryption keys and content identifiers and to the module for creating and managing action tokens; the module for managing digital rights and access to the digital content including a database for storing objects and transactions linked to the digital rights; a client device for accessing the streamed digital content, linked to the digital rights management device via the Internet data communication network and including: a module for accessing, parsing and playout of the streamed digital content; a user interface module, linked to the module for creating and managing action tokens; a client module for managing digital rights, linked to the module for accessing, parsing and playout of the streamed digital content, to the user interface module and to the module for managing digital rights and access to the digital content; each module being formed from a software component, from a hardware component or from an assembly of software and hardware components; the method including a sub-method for acquiring digital rights according to claim 8, the method comprising: transmitting, by the source of digital content, an item of streamed digital content, to the module for encrypting an item of digital content, via the Internet data communication network; encrypting, by the module for encrypting an item of digital content, the item of digital content, via a secret cryptographic encryption key; transmitting, by the module for encrypting an item of digital content, access criteria required for a given channel, to the module for storing cryptographic encryption keys and content identifiers, the channel containing all or part of the item of digital content; translating, by the module for storing cryptographic encryption keys and content identifiers, the required access criteria into a specific content identifier and into a specific content key; transmitting, by the module for storing cryptographic encryption keys and content identifiers, the specific content identifier and the specific content key, to the module for encrypting an item of digital content; inserting, by the module for encrypting an item of digital content, the specific content identifier and the specific content key into the encrypted item of digital content, a multiplexed data stream being obtained upon completion of this insertion step, the multiplexed data stream containing the encrypted item of digital content, the specific content identifier and the specific content key; transmitting, by the module for encrypting an item of digital content, the multiplexed data stream to the access, parsing and playout module of the client device, via the Internet data communication network; retrieving, by the access, parsing and playout module, the specific content identifier contained in the multiplexed data stream, and transmitting of the digital content identifier to the client module for managing digital rights; verifying, by the client module for managing digital rights, whether an object corresponding to the specific content identifier exists and, if required, the delivery of a right to access, parse and play out the digital content to the access, parsing and playout module.

10. A computer program product that can be downloaded from a communication network and/or recorded on a medium that can be read by computer and/or run by a processor, characterized in that it comprises program instructions, the program instructions being suitable for implementing the steps of the method for acquiring digital rights according to claim 8 when the program product is run on a computer.

11. A recording medium on which a computer program, including program code instructions for implementing the steps of the method for acquiring digital rights according to claim 8, is recorded.

12. A computer program product that can be downloaded from a communication network and/or recorded on a medium that can be read by computer and/or run by a processor, characterized in that it comprises program instructions, the program instructions being suitable for implementing the steps of the method for transmitting digital content according to claim 9 when the program product is run on a computer.

13. A recording medium on which a computer program, including program code instructions for implementing the steps of the method for transmitting digital content according to claim 9, is recorded.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0133] Other features and advantages of the proposed technique will become more clearly apparent upon reading the following description of one preferred embodiment, provided by way of simple illustrative and non-limiting example, and from the appended drawings, in which:

[0134] FIG. 1 illustrates the inventive system;

[0135] FIG. 2 illustrates the operation of the inventive system in the phase of acquiring DRM rights;

[0136] FIG. 3 illustrates the operation of the inventive system in the phase of delivering and decrypting the streamed content;

[0137] FIG. 4 illustrates a software and hardware architecture implementing the invention.

DETAILED DESCRIPTION

[0138] Some embodiments can include the modules discussed below.

[0139] The modules come under three categories: a “Back-End System” category (12), a “Front-End System” category (13) and a “Client” category (14); these interface with a fourth category, namely an “External System” category (11).

[0140] The “External System” category includes the following elements:

[0141] The CDN (Content Delivery Network) Source (111): The CDN source delivers the audiovisual content to the inventive system. The audiovisual content is acquired in the form of a clear (intelligible) signal from various types of content providers (for example satellite links, content aggregators, direct broadcaster links, etc.). The content is delivered to the head end in the form of an MPEG stream (MPEG single program transport stream multicast) with various bit rates and various video encoding formats (MPEG/AVC). This information passes through a plurality of Internet traffic content exchange points.

[0142] The CRM System (112): The customer relationship management system manager subscribers, their subscriptions, their bundles and commercial offers, the devices used by subscribers for accessing content and the entitlements of subscribers. The CRM System (112) provides the information required for the billing process. The CRM System (112) is used by the operational and commercial services of the operator in order to assign content access rights to clients and to manage their technical data and their billing data. The CRM System (112) is also referred to by the acronym “SMS” (subscriber management system). The CRM System (112) may be hosted at the premises of an external service provider or, otherwise, hosted by the entity using the inventive system.

[0143] The “Back-End System” category includes the following elements:

[0144] The Scrambler (121): A scrambler is a multiplexer having the capability to scramble an incoming MPEG transport stream. A typical scrambler uses TS packet scrambling with CW rotation and AES-128 encryption of the audio, video signal and subtitle content. Another exemplary embodiment is the use of DVB-CSA. In order to allow fast scrolling (forwards or backwards) through content, certain content portions may be left unencrypted (PUSI packets or, for example, 5% of the packets).

[0145] The ECM Generator (122): this generates ECMs (entitlement control messages) in order for the multiplexer to insert these ECMs into the scrambled transport stream. The interface between the scrambler (121) and the ECM generator (122) is defined by the head-end SimulCrypt standard (ETSI TS 103 197). The ECMs contain the DRM content identifier corresponding to a given bundle. The ECM generator (122) uses a Key Server (124) in order to obtain the content key corresponding to the DRM content identifier received from the scrambler (121).

[0146] The DRM Back-End System (123): this is a database storing DRM objects and transactions that must be retrieved by DRM clients. Each DRM object is for example a licence for accessing an item of digital content, a subscription node or else a link between a DRM user and a digital content identifier. Thus, the DRM Back-End System (123) groups together both the technical information relating to the DRM objects (DRM users, subscription nodes, content identifiers) and the associated business logic information (bundles, devices). The DRM Back-End System (123) provides the DRM Front-End System (132) with all of the data required to generate DRM elements such as licences, nodes and links.

[0147] The Key Server (124): this manages the content identities and content keys of all of the DRM bundles. The Key Server (124) provides secure database services to the other components of the system when these other components of the system need to access content keys corresponding to specific content identifiers.

[0148] The Token Back-End System (125) is the core of the business logic of the back-end system. The Token Back-End System (125) generates action tokens (lists of operations) for the DRM Clients (142), indicating to the DRM Clients (142) on which data the DRM Clients (142) should interrogate the DRM Front-End System (132). The Token Back-End System (125) applies the CRM data to the subscriber packet data in order to generate the transactions for retrieving DRM objects corresponding to the subscriptions in the DRM Back-End System (123). Based on the CRM data, the Token Back-End System (125) also manages the current status of the content-playout device of the subscriber. The Token Back-End System (125) also manages the bundle data in the database of the DRM Back-End System (123).

[0149] The CRM Module (126) is the portion of the inventive system that is responsible for communicating with the CRM System (112). The CRM Module (126) is a content provider abstraction layer allowing the integration of different CRM systems. It is enough that a minimum set of required operations is supported for it to be possible to use any CRM system to manage the subscriber bundle data.

[0150] The “Front-End System” category includes the following elements:

[0151] The Content Delivery Network (CDN) (131) for IPTV channels: The channels are delivered to operators in a scrambled multicast UDP MPEG SPTS format. This content delivery takes place via multiple Internet exchange points. The operators receive all of the IPTV traffic at their premises through the use of a protocol-independent multicast (PIM) router or dynamically subscribe to the required content via the IGMP (Internet Group Management Protocol) using a head-end PIM router.

[0152] The DRM Front-End System (132) is a DRM server provided by Intertrust (the DRM Front-End System (132) is also called the Bluewhale Server). The DRM Front-End System (132) is responsible for secure communication with the DRM Clients (142). The DRM Front-End System (132) uses the DRM Back-End System (123) to retrieve the business data required to generate the DRM objects required by the DRM Clients (142).

[0153] The Token Front-End System (133) is an HTTP proxy server that can be accessed via the Internet. The Token Front-End System (133) provides secure access to the services provided by the Token Back-End System (125) for User Interface (UI) Applications (143).

[0154] The “Client System” category includes the following elements:

[0155] The IPTV Client (141) is part of the application stack of the playout device of the subscriber. The IPTV Client (141) is responsible for access to IPTV content, and for parsing the content (media parsing). The IPTV Client (141) is also responsible for the playout of the content. The IPTV Client (141) handles the incoming IPTV streams and the encoding thereof. The IPTV Client (141) uses the DRM Client (142) to obtain the keys required to descramble the content.

[0156] The DRM Client (142) is a software library provided by Intertrust (known to those skilled in the art as the Wasabi/ExpressPlay SDK). The DRM Client (142) is embedded within the device used by the subscriber to access content. The DRM Client (142) communicates confidentially with the DRM Front-End System (132) in order to obtain the DRM licences and objects and provides an application programming interface (API) to the media playout subsystem allowing the content rights to be checked in relation to available licences. The DRM objects are retrieved from “action tokens” generated by the Token Back-End System (125) and are delivered to the DRM Client (142) by the UI Application (143).

[0157] The User Interface (UI) Application (143) is a high-level user interface that is present in the device used by the subscriber for accessing content (for example his or her phone or tablet). Periodically, or in response to the actions of the subscriber, the User Interface (UI) Application (143) contacts the Token Front-End System (133) in order to retrieve an “action token” for DRM rights. The action token is subsequently passed on to the DRM Client (142) library which performs the rights retrieval operation. The User Interface (UI) Application (143) provides the user with an interface allowing content to be viewed (for example browsing through IPTV channels) and allowing the local management of DRM authorizations in the DRM Client (142) library.

DESCRIPTION OF ONE PARTICULAR EMBODIMENT

[0158] In this embodiment, the system described above operates in two phases:

DRM Rights Acquisition Phase

[0159] 1. The UI application (143) triggers a DRM rights update (21) by sending the device ID and the DRM ID to the token portal (133) of the inventive system. [0160] 2. The request (22) is transmitted by the token portal (133) to the token back-end (125). [0161] 3. Based on the device ID, the token back-end (125) interrogates (23) the CRM module (126) in order to retrieve the rights of the user. [0162] 4. The request (24) is transmitted by the CRM module (126) to the external subscriber management system (112). [0163] 5. The rights information retrieved (25) by the token back-end (125) is sent to the DRM server (123). Said rights information (25) is translated into DRM objects by the DRM back-end (123). The DRM back-end assigns a unique identifier (ID) to each DRM object retrieval transaction for a DRM client. [0164] 6. The UI application (143) instructs (26) the DRM client (142) to retrieve the DRM objects by creating an action token (27) containing the actions that must be carried out and passing it, along with their respective IDs, to the DRM front-end (132). [0165] 7. The DRM client (142) contacts the DRM server (123) via the DRM front-end (132) for each of the specified actions by sending a transaction ID (28) in the action token (27). [0166] 8. The DRM front-end (132) retrieves, from the DRM back-end (123), the DRM object corresponding to the DRM client (142) based on the transaction ID (28). [0167] 9. In order to construct a licence for the DRM content, the DRM back-end (123) contacts the key server (124) in order to translate the content ID (29) into a key, which forms part of the licence.

[0168] Content Delivery and Decryption Phase [0169] 1. The unencrypted content (31) is delivered by the CDN source (111) to the scrambler (121) via a multicast single-program transport stream (referred to as MPEG-TS over UDP). [0170] 2. The scrambler (121) contacts (32) the ECM generator (122) in order to construct an ECM datum containing the control word (33) and the access criteria required for a given channel. [0171] 3. The ECM generator (122) uses a key server (124) in order to translate the access criterion into a specific content ID and into a specific content key. [0172] 4. The scrambler (121) inserts the ECM (33) thus constructed into the stream of encrypted information, thus obtaining a multiplexed datum (34) sent to the CDN (131). [0173] 5. The stream of encrypted information (35) is delivered to the IPTV client (141) via the content delivery network (CDN) (131). [0174] 6. The client device (14) retrieves the ID of the content from the ECM data and consults (36) the DRM client (142) in order to check whether a licence exists for this content ID. If such is the case, the rights are granted.

OTHER FEATURES AND ADVANTAGES

[0175] A practical application of the inventive system is typically implemented on a hardware device, the hardware architecture of which is illustrated by FIG. 4. A processor 41, for example a microprocessor, is connected to a data input and output interface means 42 and to a memory 43 in which the processor reads the instructions encoding a program 44 implementing the inventive process. The memory 43 is also used to read and write data, encrypted messages and keys.

[0176] A significant advantage of the inventive system with respect to the prior art is the following: Through the implementation of a purely software-based DRM solution for IPTV streams, the invention eliminates the drawbacks of the prior art. First and foremost, the inventive system makes use of DRM concepts such as the decoupling of content protection from the control of access rights. Thus, it becomes possible for network operators to avail themselves of a unified content protection solution that can be applied to their broadcast mode as well as to multiscreen content delivery systems. The use of a purely software-based solution allows the deployment of STBs without card readers, which are less expensive. The use of a purely software-based solution also makes it possible to avoid dependence on a specific CAS provider. The invention also has an additional advantage: the cost of a smart card (currently borne by the subscriber) is also avoided. A further advantage of the invention is the fact that the inventive system is based on a novel combination of traditional concepts and on a novel combination of traditional building blocks—such as ECMs and SimulCrypt DVB scrambling, which is compatible with any standard hardware scrambler. Thus, the deployment of an IPTV network by an operator is faster than the deployment of a streamed DRM solution. Advantageously, the invention allows operators wishing to deploy a multiscreen solution to avail themselves of a unified DRM system, using shared software and hardware components, allowing the management of rights on a wide range of devices belonging to consumers. Those operators already operating IPTV networks may thus easily deploy a DRM solution based on familiar concepts using the head-end scramblers and content delivery means that they already have in operation.

[0177] Some embodiments therefore efficiently and definitively address or overcome all of the drawbacks of the related art.

METHOD AND DEVICE ALLOWING AN ACCESS CONTROL SYSTEM TO BE APPLIED TO THE PROTECTION OF STREAMED VIDEO

Inventors

Cpc classification

Classification Explorer

H04L63/0428

ELECTRICITY

Classification Explorer

H04N7/1675

ELECTRICITY

Classification Explorer

H04L2463/101

ELECTRICITY

Classification Explorer

H04L9/14

ELECTRICITY

Classification Explorer

H04N21/4405

ELECTRICITY

Classification Explorer

H04N21/26606

ELECTRICITY

Classification Explorer

H04N21/2347

ELECTRICITY

Classification Explorer

H04N21/4623

ELECTRICITY

Classification Explorer

H04L65/611

ELECTRICITY

Classification Explorer

H04L63/068

ELECTRICITY

Classification Explorer

G06F21/10

PHYSICS

Classification Explorer

H04L63/062

ELECTRICITY

Classification Explorer

H04L2209/603

ELECTRICITY

Classification Explorer

H04L65/612

ELECTRICITY

Classification Explorer

H04L65/765

ELECTRICITY

Classification Explorer

H04L9/0894

ELECTRICITY

Classification Explorer

H04N21/4627

ELECTRICITY

Classification Explorer

H04N21/47202

ELECTRICITY

Classification Explorer

H04N21/63345

ELECTRICITY

Classification Explorer

H04N21/2351

ELECTRICITY

Classification Explorer

H04N21/2541

ELECTRICITY

Classification Explorer

H04L65/1069

ELECTRICITY

International classification

Classification Explorer

H04N21/2347

ELECTRICITY

Classification Explorer

H04N21/4627

ELECTRICITY

Classification Explorer

H04N21/235

ELECTRICITY

Classification Explorer