Search

US-12619744-B2 - Secure content distribution and decryption

US12619744B2US 12619744 B2US12619744 B2US 12619744B2US-12619744-B2

Abstract

In various examples, an encrypted file such as one representing an encrypted game build may be distributed with an encrypted content-encryption key that was used to encrypt the file and/or an identifier associated with a key-encryption key that was used to encrypt the content-encryption key. An authorized recipient may extract the encrypted content-encryption key and the identifier from the encrypted file, use the identifier to retrieve a corresponding key-encryption key, use the key-encryption key to decrypt the encrypted content-encryption key, and use the decrypted content-encryption key to decrypt the file. Taking an encrypted game build for cloud gaming as an example, a cloud gaming platform may decrypt, attach, and mount the build (e.g., as a block device or other virtual data disk) using the decrypted content-encryption key. Accordingly, the game build may be installed and executed without the need to distribute the game build to the end user.

Inventors

  • Maxim Paklin
  • Michael Beiter
  • Bojan Vukojevic

Assignees

  • NVIDIA CORPORATION

Dates

Publication Date
20260505
Application Date
20231220

Claims (18)

  1. 1 . One or more hardware processors comprising processing circuitry to: retrieve a private key-encryption key using a key identifier extracted from an encrypted file in response to determining that a flag in a filename of the encrypted file indicates the encrypted file is encrypted; extract an encrypted content-encryption key from the encrypted file; decrypt the encrypted content-encryption key using the private key-encryption key to generate a decrypted content-encryption key; and decrypt the encrypted file using the decrypted content-encryption key.
  2. 2 . The one or more headware processors of claim 1 , wherein the processing circuitry is further to extract the key identifier that uniquely identifies the private key-encryption key from the encrypted file.
  3. 3 . The one or more headware processors of claim 1 , wherein the processing circuitry is further to extract the key identifier for the private key-encryption key from within the filename of the encrypted file.
  4. 4 . The one or more headware processors of claim 1 , wherein the processing circuitry is further to extract the encrypted content-encryption key from metadata of the encrypted file.
  5. 5 . The one or more headware processors of claim 1 , wherein the encrypted file is an encrypted disk file representing an encrypted application build, and the processing circuitry is further to receive, at a content distribution platform, the encrypted application build via a developer portal.
  6. 6 . The one or more headware processors of claim 1 , wherein the encrypted file represents an application build, and the processing circuitry is further to use a provision manager of a cloud content distribution platform to: retrieve the private key-encryption key, extract the encrypted content-encryption key from the encrypted file, and pass the encrypted content-encryption key to a virtual machine allocated for the application build.
  7. 7 . The one or more headware processors of claim 1 , wherein the encrypted file is an encrypted disk file representing an application build, and the processing circuitry is further to use a virtual machine allocated for the application build to decrypt the encrypted content-encryption key using the private key-encryption key.
  8. 8 . The one or more headware processors of claim 1 , wherein the encrypted file is an encrypted disk file representing an application build, and the processing circuitry is further to use a virtual machine allocated for the application build to decrypt the encrypted disk file using the decrypted content-encryption key.
  9. 9 . The one or more headware processors of claim 1 , wherein the encrypted file is an encrypted disk file representing an application build, decrypting the encrypted disk file using the decrypted content-encryption key generates a decrypted disk file, and the processing circuitry is further to use a virtual machine allocated for the application build to mount the decrypted disk file.
  10. 10 . The one or more headware processors of claim 1 , wherein the one or more headware processors are comprised in at least one of: a system for performing simulation operations; a system for performing digital twin operations; a system for performing light transport simulation; a system for performing deep learning operations; a system for performing real-time streaming; a system for generating or presenting one or more of augmented reality content, virtual reality content, or mixed reality content; a system implemented using an edge device; a system implemented using a robot; a system for generating synthetic data; a system for generating synthetic data using AI; a system incorporating one or more virtual machines (VMs); a system implemented at least partially in a data center; or a system implemented at least partially using cloud computing resources.
  11. 11 . A system comprising one or more hardware processors to decrypt an encrypted file using a content-encryption key, wherein the content-encryption key is extracted from the encrypted file and decrypted using a key-encryption key corresponding to a key identifier extracted from the encrypted file in response to determining that a flag in a filename of the encrypted file indicates the encrypted file is encrypted.
  12. 12 . The system of claim 11 , wherein the one or more hardware processors are further to extract the key identifier for the key-encryption key from a within the filename of the encrypted file.
  13. 13 . The system of claim 11 , wherein the one or more hardware processors are further to extract an encrypted version of the content-encryption key from metadata of the encrypted file.
  14. 14 . The system of claim 11 , wherein the encrypted file is an encrypted disk file representing an encrypted application build, and the one or more hardware processors are further to receive, at a content distribution platform, the encrypted application build via a developer portal.
  15. 15 . The system of claim 11 , wherein the encrypted file represents an application build, and the one or more hardware processors are further to use a provision manager of a content distribution platform to: retrieve the key-encryption key, extract an encrypted version of the content-encryption key from the encrypted file, and pass the encrypted version of the content-encryption key to a virtual machine allocated for the application build.
  16. 16 . The system of claim 11 , wherein the system is comprised in at least one of: a system for performing simulation operations; a system for performing digital twin operations; a system for performing light transport simulation; a system for performing deep learning operations; a system for performing real-time streaming; a system for generating or presenting one or more of augmented reality content, virtual reality content, or mixed reality content; a system implemented using an edge device; a system implemented using a robot; a system for generating synthetic data; a system for generating synthetic data using AI; a system incorporating one or more virtual machines (VMs); a system implemented at least partially in a data center; or a system implemented at least partially using cloud computing resources.
  17. 17 . A method comprising: extracting an encrypted content-encryption key from an encrypted file; generating a decrypted content-encryption key based at least on decrypting the encrypted content-encryption key using a key-encryption key corresponding to a key identifier extracted from the encrypted file in response to determining that a flag in a filename of the encrypted file indicates the encrypted file is encrypted; and decrypting the encrypted file using the decrypted content-encryption key.
  18. 18 . The method of claim 17 , wherein the method is performed by at least one of: a system for performing simulation operations; a system for performing digital twin operations; a system for performing light transport simulation; a system for performing deep learning operations; a system for performing real-time streaming; a system for generating or presenting one or more of augmented reality content, virtual reality content, or mixed reality content; a system implemented using an edge device; a system implemented using a robot; a system for generating synthetic data; a system for generating synthetic data using AI; a system incorporating one or more virtual machines (VMs); a system implemented at least partially in a data center; or a system implemented at least partially using cloud computing resources.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS This application is a continuation of U.S. patent application Ser. No. 18/391,179 filed on Dec. 20, 2023, the contents of which are incorporated by reference in their entirety. BACKGROUND Content encryption often plays an important role in data distribution networks such as Content Distribution Networks (CDNs). Generally, CDNs may be responsible for distributing various types of digital content, such as websites, videos, and/or applications. By encrypting data, CDNs can protect data from disclosure or interception, prevent unauthorized tampering, guard against potential attacks, safeguard sensitive user information, and/or ensure compliance with data security standards and regulations. As such, encryption can provide an important security measure that promotes data privacy, integrity, and compliance, enhancing the overall trust and reliability of CDNs and other data distribution networks. Public-private key encryption, also known as asymmetric encryption, typically operates using a pair of keys-a public key and a private key. The public key is openly shared and is used to encrypt data, while the private key is kept confidential and is used for decryption. When someone wishes to send an encrypted message to another party, they can use the recipient's public key to encrypt the message. This encrypted data can only be decrypted by the recipient who holds the corresponding private key, ensuring that the message remains confidential and secure during transmission. In conventional CDNs, whichever entity owns or manages the encryption process (e.g., the content owner) typically uses one key pair (e.g., whether one version or some number of different versions used in parallel) for all its encryption needs, and all the data is encrypted and decrypted using the same key pair. There is often a central repository where the key pair is stored and managed. However, that central repository can become a focal point for an attacker, potentially compromising data security. As such, there is a need for improved techniques for content encryption and distribution. SUMMARY Embodiments of the present disclosure relate to secure content encryption and distribution. Systems and methods are disclosed that encrypt, distribute, and/or decrypt content with an attached encrypted content key that was used to encrypt the content and/or an identifier for a key-encryption key that was used to encrypt the content key. In contrast to conventional systems, such as those described above, embodiments of the present disclosure are directed to a solution for secure content distribution in which the content (e.g., a file or container, such as one representing a data disk) may be encrypted using a (e.g., randomly generated) content-encryption key, that content-encryption key may be encrypted using a key-encryption key (e.g., public key of a public-private key pair), the encrypted content-encryption key may be attached to (encoded with) the encrypted content as metadata, and an identifier for the key-encryption key (e.g., the public-private key pair) may be included in the filename of the encrypted content. As such, the encrypted content may be distributed with the (e.g., encrypted) content-encryption key and the identifier for the key-encryption key. Accordingly, an authorized recipient may use the identifier to retrieve the key-encryption key (e.g., the corresponding private key of the public-private key pair), which itself may be used to decrypt the content-encryption key, and the decrypted content-encryption key may be used to decrypt the content. Taking an encrypted game build for cloud gaming as an example, a game developer may encrypt a game build (e.g., as an encrypted disk image) and distribute the encrypted build through an interface such as a developer portal of a cloud gaming platform, which may distribute the encrypted build to various data centers and/or geographic zones of the cloud gaming platform. When an authorized cloud gaming user initiates gameplay of the game corresponding to that build, the cloud gaming platform may allocate a virtual machine for the game on a server in a data center, decrypt, attach, and mount the build (e.g., as a block device or other virtual data disk) using the decrypted content-encryption key extracted from the encrypted game build. Accordingly, the game build may be installed and hosted for the cloud gaming user without the need to distribute the game build to the end user-thereby avoiding the risk of exposing the game build data to unauthorized tampering and/or redistribution. BRIEF DESCRIPTION OF THE DRAWINGS The present systems and methods for secure content encryption and distribution are described in detail below with reference to the attached drawing figures, wherein: FIG. 1 is a block diagram of an example content distribution system, in accordance with some embodiments of the present disclosure; FIG. 2 is a block diagram of an example game distribution syst