CA-3062231-C - PRE-ENTITLEMENT ENFORCEMENT

Abstract

A method of transmitting entitlement messages to content consumption devices in a access control system, the method comprising periodically transmitting entitlement messages to content consumption devices in a access control system and periodically extending an expiry time comprised in the entitlement messages. The entitlement messages comprise indicator data indicating to the content consumption devices that subsequent entitlement messages loaded into a content consumption device after a first entitlement message is loaded into the content consumption device shall not be used by the content consumption device to access protected media content.

Inventors

• Didier Hunacek
• Jean-Bernard Fischer

Assignees

• NAGRAVISION SA

Dates

Publication Date

20260505

Application Date

20180503

Priority Date

20170505

Claims (20)

1. 26 CLAIMS: 1. An access control module comprising: circuitry configured to: receive a first entitlement message, which is a security message transmitted periodically, wherein the first entitlement message comprises 5 entitlement data comprising an expiry time, access data enabling access to protected media content until the expiry time and an indicator data, determine whether an entitlement message is a first received entitlement message by verifying if entitlement data has already been stored, 10 store entitlement data of the first entitlement message into a memory, receive access information comprising a current time and a descrambling key, compare the current time with the expiry time and decrypt the descrambling key with a decryption key of the access data, and grant access to the protected content in response of a positive comparison, 15 receive a subsequent entitlement message, update the expiry time based on the expiry time including in the subsequent entitlement messages if the subsequent entitlement message includes an expiry time identifier that matches an expiry time identifier included in the indicator data included in the first entitlement message, the expiry time identifier being a counter value, and 20 reject the subsequent entitlement message if entitlement data of the first entitlement message has been stored into the memory and if the subsequent entitlement message does not include the expiry time identifier that matches the expiry time identifier included in the indicator data of the first entitlement message.
2. 2. The access control module according to claim 1, wherein entitlement data 25 comprises an identifier specific to the expiry time. 85695327 27
3. 3. The access control module according to claim 2, wherein the circuitry is further configured to: store verification data enabling verification of the identifier in a one-time programmable memory; prior to using entitlement data to access media content, determine 5 if the identifier of the entitlement data matches the verification data; and prevent use of the entitlement data to access media content if the identifier of the entitlement data does not match the verification data.
4. 4. The access control module according to claim 3, wherein the circuitry is further 10 configured to: irreversibly physically alter the one-time programmable memory when storing data in the one-time programmable memory.
5. 5. A content consumption device comprising: the access control module according to claim 3; 15 a receiver to receive protected content and entitlement messages; a descrambler to descramble the protected content using control data derived from the access data; and a video processor to generate a video signal from the descrambled content.
6. 6. The access control module according to claim 1, wherein the circuitry is further 20 configured to store the entitlement data in volatile memory.
7. 7. The access control module according to claim 1, wherein the circuitry is further configured to: store the entitlement data in a one-time programmable memory; and prevent use of entitlement data comprising indicator data not stored in the one25 time programmable memory. 85695327 28
8. 8. The access control module according to claim 1, wherein the circuitry is configured to: determine, at the time of receiving the entitlement data, if the received entitlement data was received after previous entitlement data comprising indicator data has been stored in the access co 5 ntrol module; and prevent storing of or to delete the entitlement data in response to the determination if the determination is affirmative.
9. 9. An access control module comprising: circuitry configured to: 10 receive a first entitlement message, which is a security message transmitted periodically, wherein the first entitlement message comprises entitlement data comprising an expiry time, access data enabling access to protected media content until the expiry time and an indicator data, determine whether an entitlement message is a first received entitlement 15 message by verifying if entitlement data has already been stored, and in response to a positive determination store entitlement data and the indicator data of the first entitlement message into a memory, receive access information comprising a current time and a descrambling key, compare the current time with the expiry time and decrypt the descrambling key 20 with a decryption key of the access data, and grant access to the protected content in response of a positive comparison, receive a subsequent entitlement message, update the expiry time stored in the memory with the expiry time included in the subsequent entitlement messages if the subsequent entitlement message indicator data 25 of the subsequent entitlement message is at least the same of the stored indicator data, and reject the subsequent entitlement message otherwise. 85695327 29
10. 10. The access control module according to claim 9, wherein the entitlement data includes an identifier specific to the expiry time.
11. 11. The access control module according to claim 10, wherein the circuitry is further configured to: store verification data enabling data enabling verification of the identifier 5 in a onetime programmable memory; prior to using entitlement data to access media content, determine if the identifier of the entitlement data matches the verification data; and prevent use of the entitlement data to access media content if the identifier of the 10 entitlement data does not match the verification data.
12. 12. The access control module according to claim 11, wherein the circuitry is further configured to: irreversibly physically alter the one-time programmable memory when storing data in the one-time programmable memory. 15
13. 13. A content consumption device comprising: the access control module according to claim 11; a receiver to receive protected content and entitlement messages; a descrambler to descramble the protected content using control data derived from the access data; and 20 a video processor to generate a video signal from the descrambled content.
14. 14. The access control module according to claim 9, wherein the circuitry is further configured to store the entitlement data in volatile memory.
15. 15. The access control module according to claim 9, wherein the circuitry is further configured to: 25 store the entitlement data in a one-time programmable memory; and 85695327 prevent use of entitlement data comprising indicator data not stored in the onetime programmable memory.
16. 16. The access control module according to claim 9, wherein the circuitry is configured to: determine, at the time of receiving the entitlement data, 5 if the received entitlement data was received after previous entitlement data comprising indicator data has been stored in the access control module; and prevent storing of or to delete the entitlement data in response to the determination if the determination is affirmative. 10
17. 17. An access control method, comprising: receiving, by circuitry, a first entitlement message, which is a security message transmitted periodically, wherein the first entitlement message comprises entitlement data comprising an expiry time, access data enabling access to protected media content until the expiry time and an indicator data; 15 determining, by the circuitry, whether an entitlement message is a first received entitlement message by verifying if entitlement data has already been stored, and in response to a positive determination storing, by the circuitry, entitlement data and the indicator data of the first entitlement message into a memory; receiving, by the circuitry, access information comprising a current time and a 20 descrambling key; comparing, by the circuitry, the current time with the expiry time and decrypt the descrambling key with a decryption key of the access data, and grant access to the protected content in response of a positive comparison; receiving, by the circuitry, a subsequent entitlement message; 25 updating, by the circuitry, the expiry time stored in the memory with the expiry time included in the subsequent entitlement messages if the subsequent entitlement 85695327 31 message indicator data of the subsequent entitlement message is at least the same of the stored indicator data; and rejecting, by the circuitry, the subsequent entitlement message otherwise.
18. 18. The access control method according to claim 17, wherein the entitlement data includes an identifier specific 5 to the expiry time.
19. 19. The access control method according to claim 18, further comprising: storing verification data enabling data enabling verification of the identifier in a one-time programmable memory; prior to using entitlement data to access media content, determining if the 10 identifier of the entitlement data matches the verification data; and preventing use of the entitlement data to access media content if the identifier of the entitlement data does not match the verification data.
20. 20. The access control method according to claim 19, further comprising: irreversibly physically altering the one-time programmable memory when storing 15 data in the one-time programmable memory.

Description

PRE-ENTITLEMENT ENFORCEMENT FIELD 5 The present disclosure relates to granting access to broadcast media content, in particular although not exclusively, using entitlements installed in a content consumption device upon first activation of the content consumption device. BACKGROUND Conditional Access Systems CASs enable broadcast service providers, in particular digital broadcast service providers, to restrict content, for example subscription channels, services or broadcast events or programs, to subscribers of a service offering. The content is broadcast in scrambled form together with an encrypted Control Word CW that 15 enable a receiver, for example a set-top box STB, to descramble the content and enable it to be viewed. The CW is typically distributed in the content stream in an Entitlement Control Message ECM containing the encrypted CW, the date and/or time and an indication of the entitlement, for example subscription level, required to view the content. ACAS also typically transmits an Entitlement Management Message EMM that comprises 20 a decryption key for decrypting the CW and set up the entitlement conditions (e.g. corresponding subscription level/ package, expiry date, etc.) in the STB that govern the access to the content. Alternatively, an EMM comprises the rights and the decryption key is stored in the STB separately, for example at manufacturing time or by way of a smart card or firmware update. The CW is changed by the CAS at short intervals, for example 25 every two seconds, so that failure to correctly decrypt the CW when the required entitlement is not present or has expired leads to failure of the descrambling. In this way, the content is accessible substantially only when the required entitlement is valid in the STB. A CAS typically uses a smart card that can be inserted into the STB and comprises subscriber details that can provide access to the CW in clear form and hence enable 30 descrambling. More recently, some STBs implement a CAS without the need for a smart card, with content consumption entitlement being handled in a software environment that may be remotely configurable. Many different CAS implementations exist, using different standards depending on geographical location, for example the DVB standard, which is mainly applicable in Europe. When a user buys a new smartcard, the smart card often comes with a routine for setting up one or more default entitlements once installed. The entitlements provide access to a 1 certain service offering, for example access to all channels provided by the service provider for a limited duration from the time the smart card is first installed. This enables a new customer to sample the offering and provide access during a set-up period of the account. To this end, the smart card is configured to set up an entitlement on activation, 5 with an expiry date a pre-defined period after the date of activation. As this mechanism remains latent in the smart card, it represents a security vulnerability in terms of a route of attack by which the attacker re-runs the pre-entitlement set up periodically to renew the expiry date of the pre-entitlement. While this risk may be acceptable in the context of a smart card, which can be provided with strong security, it is even more pertinent in the 10 context of a CAS relying on STBs without a smartcard. Such devices would rely on running the pre-entitlement setup routine in software and would therefore be even more vulnerable to this type of attack. BRIEF DESCRIPTION OF THE DRAWINGS Figure 1A shows a schematic representation of a conditional access system; Figure 1 B shows schematic representation of a pre-entitlement message Figure 2 shows a block diagram of a content consumption device according to an embodiment; Figure 3 shows a method of transmitting entitlement messages to content consumption devices according to an embodiment; Figure 4 shows a first method of storing received entitlement information; Figure 5 shows a second method of storing received entitlement information; Figure 6 shows a method of using a stored entitlement to access protected media 25 content; Figure 7 shows a method of transmitting adjusted entitlement messages to content consumption devices according to an embodiment; Figure 8 shows a further method of transmitting adjusted entitlement messages to content consumption devices according to an embodiment; and Figure 9 shows a block diagram of one implementation of a computing device. DETAILED DESCRIPTION OF THE DRAWINGS In overview, methods of transmitting an entitlement message and an access control 35 module ACM are disclosed, which enable an access control system ACS to provide a preentitlement functionality along the lines described above. The methods enable a new content consumption device incorporating the ACM (or a new ACM) to provide a user with 2 a default entitlement to access content on first use for a limited period of time, with improved security, based on entitlement