The assignee for this patent application is
Reporters obtained the following quote from the background information supplied by the inventors: "Sharing content securely between devices implies ciphering content with one or several ciphering keys, depending on the kind of cryptographic scheme. The use of one shared encryption/decryption key typically refers to a symmetric encryption scheme, whereas the asymmetric scheme implies the use of pairs of private and public keys for each device. The public key of the receiving device can be freely exchanged to any device and therefore can be used by a sending device to encrypt a message to be sent to the receiving device. The latter will use his corresponding private key to decrypt the message which cannot be decrypted by the other devices given that the process is not reversible, i.e. the encrypted message cannot be decrypted by using the public key of the sending device. This cryptographic scheme is based on algorithm implying mathematical problems which are easy to solve in a way, but which are very difficult in the reverse way. As shared key generation process, Diffie-Hellman method allows two parties to jointly establish a shared secret key over an insecure communication channel and then to use this key to encrypt subsequent communications according to a symmetric cryptographic scheme.
"In general, keys can be perfectly secured when they are exchanged, outside of the devices, by means of secure network protocols and these keys can also be perfectly secured inside these devices, by hardware key paths. The problem occurs when linking both of these parts, i.e. at the interface between each of these devices and the network paths linking them. All communications between two devices or systems require that transferred data travel down though the sending system's network stack, across the physical layer, and then up through the receiving system's network stack. The traditional way of linking the secure network protocol and the hardware key path implies extracting the clear key from the network stack then injecting it in the hardware key path. This way of doing exposes the clear key used to perform cryptographic operations onto the content in the RAM memory of the device. Therefore, there is a risk that this key can be accessed within the device, before being injected in the hardware key path, by malicious person wanting to intercept the exchanged messages between two devices."
In addition to obtaining background information on this patent application, VerticalNews editors also obtained the inventor's summary information for this patent application: "In order to solve the above-mentioned problem, the present invention aims to suggest a method for securely transferring content between devices within a network managed by a management center. The devices can be storing and communication means, set-top-boxes, gateways, television systems or any other of devices able to exchange data within a network. Such a network can be a local network (e.g. a home domain), a wide network such as Internet or any other kind of network suitable for connecting communication devices. Each device of the network is preloaded with a pre-initialized secret value pre-stored in a secure memory of a chip within the device. This is typically achieved during the manufacturing of the chips which are then implemented into the devices. Assigning a secret value to each chipset is generally performed by a personalization authority, so that nobody else knows this secret value.
"The management center is used to initiate the communications of devices through the network by providing them with activation data which are then used by these devices for communicating each others. To this end, the management center has, for each of the devices of the network, a device key K and a device value V, which are personal data belonging to each device (i.e. unique to each device). These personal data have been previously transmitted to the management center by the personalization authority. The device value V is the result of a preliminary cryptographic operation made onto the device key K by means of the secret value S corresponding to the same device.
"The method firstly comprises an activation phase (i.e. an initialization phase) for activating all the devices of the network wanting to send or mutually exchange a content CT, this method comprising the steps of: generating a network key KN, calculating, for each of said devices, an encrypted network key KN' which is the result of the encryption of the network key KN by means of the corresponding device key K, transmitting, to each of said devices, its device value V and its encrypted network key KN'.
"Secondly, the method comprises a key recovering phase which is performed at each of the devices wanting to communicate with each others. This key recovering phase comprises the following two steps: performing a first cryptographic operation for obtaining the device key K from the received device value V and from the secret value S of said device, performing a second cryptographic operation for obtaining the network key KN from the received encrypted network key KN' and from the device key K.
"Finally, the method comprises a transferring phase for transferring a content CT from a sending device to at least one receiving device. The transferring phase comprises the steps of: generating a random value RV at one of said devices acting as a sending device, performing, at the sending device, a third cryptographic operation for generating a content key Kc from said random value RV and from the network key KN, encrypting the content CT either with said content key Kc or with said random value RV, and respectively sending the encrypted content CT' either with the random value RV or with the content key Kc to at least one of said devices acting as a receiving device.
"In other words, the two last steps could be also formulated by two alternatives as follows: encrypting the content CT with said content key Kc, then sending the encrypted content CT' and the random value RV to at least one of said devices acting as a receiving device, or encrypting the content CT with said random value RV, then sending the encrypted content CT' and the content key Kc to at least one of said devices acting as a receiving device.
"According to an embodiment of the invention, the method further comprises the steps of: performing, at the receiving device, the same third cryptographic operation for generating the content key Kc from the received random value RV and from the network key KN, decrypting, at the receiving device, the encrypted content CT' by means of the content key Kc.
"According to a preferred embodiment of the present invention, the device value V, assigned to each device, is stored upon receipt into a secure memory of the device. Advantageously, this secure memory is located within a monolithic chip which performs all the cryptographic operations at the device. Thus the encryption/decryption of the content and the first, second and third cryptographic operations are performed within a single chip, i.e. a monolithic chip, in each device. According to the present method, any data entering into this chip (or going out of this chip) is not sufficient for decrypting a content encrypted by this chip. Therefore, any piracy of the communications going in and out of this chip does not allow a malicious person to descramble the contents encrypted by a sending device in accordance with the present method. Indeed, the key which protects the content never appears in clear, neither in the RAM of one the devices, nor through the network.
"Moreover, the present method allows to encrypt/decrypt the content with a single content key, namely according to a symmetric encryption/decryption scheme. Accordingly, this method provides a fast and efficient cryptographic process that saves both time and computing resources to all devices of the network.
"Advantageously, the content and the cryptographic data (cryptographic 'material') exchanged between the devices of the network does not transit through the management center, but is directly sent from the sending device to the recipients. Other advantages and embodiments will be presented in the following detailed description.
"The present invention also suggests a system for transferring content between devices within a network managed by a management center. It further suggests a device for exchanging content with other identical devices within a network managed by a management center.
BRIEF DESCRIPTION OF THE DRAWINGS
"The present invention will be better understood thanks to the attached figures in which:
"FIG. 1 is a bloc diagram showing the main players of the method of the present invention and the main operations performed within each of them in order to initiate data transmitting and to securely exchange content between the devices of the network,
"FIG. 2 refers to a variant of FIG. 1 which depicts only the differences with respect to FIG. 1, so that the elements which do not differ from FIG. 1 have not been shown for the sake of simplification."
For more information, see this patent application: BIEBER, Yann. Method, System and Device for Securely Transferring Content between Devices within a Network. Filed
Keywords for this news article include: Nagravision S.A, Information Technology, Information and Cryptography, Information and Data Encoding and Encryption.
Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC
Most Popular Stories
- National Retail Federation Reduces Sales Forecast
- Sporty Ford Fiesta Fires on All 3 Cylinders
- Pandora Tumbles in Late Trading
- Citigroup Unit Paying $5 Million to Settle SEC Charges
- Execs Help Entrepreneurs, Get Chevy Volts
- Amazon Hiring on Calif.'s Central Coast
- Small Firms Take Out the Trash in Jersey
- Obama Seeks Help From Central American Leaders
- CalPERS Still Profiting From Tainted Investments
- 'Big Bang' Writers Hit Comic-Con