US-12621131-B2 - System and method for securely delivering keys and encrypting content in cloud computing environments

Abstract

A cloud-based system and method for encrypting media content is disclosed. The system comprises a key server microservice, for receiving control word requests and for generating encoded control words, and a software encryption microservice, communicatively coupled to the key server microservice, the encryption microservice for receiving the media content, for generating the control word requests, for receiving the encoded control words, and for white-box encrypting the media content according to the generated encoded control words.

Inventors

  • Rafie Shamsaasef
  • Lawrence COOK

Assignees

  • ARRIS ENTERPRISES LLC

Dates

Publication Date
2026-05-05
Application Date
2024-08-13

Claims (20)

  1. A system, including a hardware processor and a memory accessible by said hardware processor, encrypting media content, comprising: a key server service, receiving control word requests and generating encoded control words according to entitlement information; and a software encryption service, communicatively coupled to the key server service, the software encryption service receiving the media content, generating the control word requests, receiving the encoded control words, and white-box encrypting the media content according to the generated encoded control words; wherein the key server service and the encryption service are hosted in a cloud hosted by a first entity.
  2. The system of claim 1, wherein the cloud is a private cloud hosted by said first entity.
  3. The system of claim 1, wherein: the cloud comprises a private cloud hosted by a first entity and a public cloud hosted by a second entity; and the key server service is hosted in the private cloud and the software encryption service is hosted in the public cloud.
  4. The system of claim 1, wherein the encoded control words are provided from the key server service to the software encryption service via a first communication path independent from a second communication path in which the media content is received.
  5. The system of claim 1, wherein the key server service further generates entitlement control information authorizing access to the media content and further provides the entitlement control information to the software encryption service for distribution.
  6. The system of claim 1, wherein: the media content is received from a media content provider; the key server service hosted in said cloud further comprises: a media content information interface hosted in said cloud: said media content information interface receiving entitlement information having an encrypted control word; said media content information interface receiving media content information; an entitlement management information handler hosted in said cloud: said entitlement management information handler receiving entitlement information having the encrypted control word; said entitlement management information handler decrypting the encrypted control word; and a control word generator hosted in said cloud accepting the entitlement information from the entitlement management information handler and generating the encoded control words according to the entitlement information.
  7. The system of claim 6, wherein: the key server service includes: a security abstraction layer, for interfacing with a secure processor for decrypting the encrypted control word.
  8. A method for encrypting media content, including a hardware processor and a memory accessible by said hardware processor, comprising: receiving, in a key server service hosted in a cloud computing environment, a request to generate an encoded control word for encrypting media content; generating, in the key server service, the encoded control word according to entitlement information; transmitting the encoded control word to a software encryption service hosted in the cloud; and white-box encrypting the media content according to the encoded control word in the software encryption service hosted by a first entity.
  9. The method of claim 8, wherein the cloud is a private cloud hosted by said first entity.
  10. The method of claim 8, wherein: the cloud comprises a private cloud hosted by a first entity and a public cloud hosted by a second entity; and the key server service is hosted in the private cloud and the software encryption service is hosted in the public cloud.
  11. The method of claim 8, wherein: the method further comprises: receiving a media content stream having the media content in the software encryption service; and wherein the encoded control words are provided from the key server service to the software encryption service via a first communication path independent from a second communication path in which the media content stream is received.
  12. The method of claim 8, wherein: the method further comprises: receiving media content information; receiving entitlement information having an encrypted control word; decrypting the encrypted control word; and the encoded control word is generated according to the received entitlement information, the media content information, and the decrypted control word.
  13. The method of claim 12, wherein the encrypted control word is decrypted via a media provider specific hardware security module.
  14. The method of claim 8, wherein: the method further comprises: receiving media content information; generating said entitlement information including the control word; and wherein generating, in the key server service, the encoded control word according to said entitlement information comprises: generating the encoded control word according to the generated said entitlement information.
  15. A method for encrypting media content, including a hardware processor and a memory accessible by said hardware processor, comprising: transmitting, to a key server service hosted in a cloud computing environment, a request to generate an encoded control word for encrypting media content; receiving the encoded control word to a software encryption service hosted in the cloud, the encoded control word generated by the key server service according to entitlement information; and white-box encrypting the media content according to the encoded control word in the software encryption service hosted by a first entity.
  16. The method of claim 15, wherein the cloud is a private cloud hosted by said first entity.
  17. The method of claim 15, wherein: the cloud comprises a private cloud hosted by a first entity and a public cloud hosted by a second entity; and the key server service is hosted in the private cloud and the software encryption service is hosted in the public cloud.
  18. The method of claim 15, wherein: the method further comprises: receiving a media content stream having the media content in the software encryption service; and wherein the encoded control words are provided from the key server service to the software encryption service via a first communication path independent from a second communication path in which the media content stream is received.
  19. The method of claim 18, wherein: the encoded control word is generated according to received entitlement information, media content information and an encrypted control word received by the key server service, the encrypted control word decrypted by the key server service.
  20. The method of claim 19, wherein the encrypted control word is decrypted via a media provider specific hardware security module of the key server service.
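The two-service flow of claims 1, 4, 5, 6 and 12, modelled end to end as an added Python example; this is not code from the patent or from ARRIS. The patent does not specify how a control word is "encoded" for delivery, what the provider-specific HSM does beyond decrypting the control word, or which cipher the white-box encryption uses, so the example makes three labelled assumptions: the encoded control word is the clear control word wrapped for transit under a key shared only by the key server and the encryption service (key_path_key), the provider HSM is modelled as a provider secret held by the key server, and HMAC-SHA256 in counter mode with an HMAC tag stands in for every cipher involved. Service names (KeyServerService, SoftwareEncryptionService, enc-svc-a, enc-svc-b), the content identifier channel-7 and the message field names are illustrative.

```python
"""Toy model of the key-delivery flow in claims 1, 4, 5, 6 and 12.

NOT from the patent: the "encoded" control word is the clear control word
wrapped for transit under a key shared only by the key server and the
encryption service, and HMAC-SHA256 in counter mode plus an HMAC tag stands
in for the provider HSM, the transit encoding and the white-box cipher alike.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (toy stand-in)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate enc/mac subkeys; returns ciphertext || tag."""
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, nonce: bytes, sealed: bytes) -> bytes:
    """Verify the tag before decrypting, so anything altered in transit is rejected."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


@dataclass(frozen=True)
class EntitlementInfo:
    """Entitlement information from the provider (claim 6): the control word arrives
    encrypted, so it is only clear inside the key server's HSM stand-in."""
    content_id: str
    nonce: bytes
    encrypted_control_word: bytes
    entitled_services: frozenset


def provider_issue_entitlement(provider_secret: bytes, content_id: str, entitled) -> tuple:
    """Provider side: pick a fresh control word, ship it encrypted under the provider secret."""
    cw, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    return cw, EntitlementInfo(content_id, nonce, seal(provider_secret, nonce, cw), frozenset(entitled))


class KeyServerService:
    """Key server of claim 1. provider_secret stands in for the provider-specific HSM of
    claim 13; key_path_key is assumed to be shared with the encryption service only."""

    def __init__(self, provider_secret: bytes, key_path_key: bytes):
        self._provider_secret, self._key_path_key = provider_secret, key_path_key
        self._entitlements: dict = {}

    def receive_entitlement(self, info: EntitlementInfo) -> None:
        self._entitlements[info.content_id] = info

    def handle_control_word_request(self, requester: str, content_id: str) -> dict:
        info = self._entitlements.get(content_id)
        if info is None or requester not in info.entitled_services:
            raise PermissionError(f"{requester} is not entitled to {content_id}")
        clear_cw = unseal(self._provider_secret, info.nonce, info.encrypted_control_word)
        transit_nonce = secrets.token_bytes(16)
        encoded_cw = seal(self._key_path_key, transit_nonce, clear_cw)
        # Entitlement control information (claim 5): locates the CW, carries no key material.
        ecm = {"content_id": content_id, "cw_id": hashlib.sha256(encoded_cw).hexdigest()[:16]}
        return {"nonce": transit_nonce, "encoded_control_word": encoded_cw, "ecm": ecm}


class SoftwareEncryptionService:
    """Encryption service of claim 1: media arrives on one path, the encoded CW on another (claim 4)."""

    def __init__(self, name: str, key_server: KeyServerService, key_path_key: bytes):
        self.name, self._key_server, self._key_path_key = name, key_server, key_path_key

    def encrypt_stream(self, content_id: str, media_content: bytes) -> dict:
        reply = self._key_server.handle_control_word_request(self.name, content_id)  # key path
        cw = unseal(self._key_path_key, reply["nonce"], reply["encoded_control_word"])
        content_nonce = secrets.token_bytes(16)  # seal() below stands in for the white-box cipher
        return {"ecm": reply["ecm"], "nonce": content_nonce, "ciphertext": seal(cw, content_nonce, media_content)}


def run_demo() -> dict:
    """Happy path, an unentitled requester, and an encoded CW altered in transit."""
    provider_secret, key_path_key = secrets.token_bytes(32), secrets.token_bytes(32)
    cw, info = provider_issue_entitlement(provider_secret, "channel-7", ["enc-svc-a"])
    ks = KeyServerService(provider_secret, key_path_key)
    ks.receive_entitlement(info)
    media = b"constructed sample transport-stream payload"  # constructed input, not real content
    out = SoftwareEncryptionService("enc-svc-a", ks, key_path_key).encrypt_stream("channel-7", media)
    try:
        SoftwareEncryptionService("enc-svc-b", ks, key_path_key).encrypt_stream("channel-7", media)
        denied = False
    except PermissionError:
        denied = True
    reply = ks.handle_control_word_request("enc-svc-a", "channel-7")
    flipped = bytes([reply["encoded_control_word"][0] ^ 1]) + reply["encoded_control_word"][1:]
    try:
        unseal(key_path_key, reply["nonce"], flipped)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"roundtrip_ok": unseal(cw, out["nonce"], out["ciphertext"]) == media, "denied": denied,
            "tamper_rejected": tamper_rejected, "ecm_content_id": out["ecm"]["content_id"]}
```

Three properties of the claimed architecture are visible in run_demo(): the media bytes are passed only to the encryption service and never cross the key path (claim 4); the key server refuses to generate an encoded control word for a requester the entitlement information does not cover, which is the "according to entitlement information" condition of claims 1 and 8; and an encoded control word modified between the private and public cloud of claim 3 fails the tag check instead of being silently used as a content key. A real deployment would replace the HMAC stand-ins with the provider HSM and the white-box cipher, but the path separation and the check-before-use ordering would stay the same.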

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation of U.S. patent application Ser. No. 17/848,089, filed Jun. 23, 2022, which claims priority to U.S. Provisional App. No. 63/214,132, filed Jun. 23, 2021, the content of which is incorporated herein by reference in its entirety.

BACKGROUND

1. Field

The present disclosure relates to systems and methods for encrypting media content, and in particular to a system and method for securely encrypting media content in cloud computing environments.

2. Description of the Related Art

Content distribution systems (CDS) for dissemination of media programs are known in the art. Such systems usually comprise specialized equipment at the content or service provider. Security of such on-premises equipment also typically relies on the supporting servers being isolated, with no external access. Before transmission of such media programs, content protection is typically employed to prevent unauthorized reception. Such protection is provided by content protection systems that typically use hardware accelerated services of a specific vendor's Hardware Security Module (HSM).

There is a desire to increase the flexibility of such content distribution systems to support differing content protection schemes, and also to virtualize key elements of the CDS. Unfortunately, typical CDSs are hard to virtualize and inflexible. The rigid structure of discrete-function on-premises equipment presents architectural security challenges, making migration to public or even hybrid cloud environments difficult. For example, conditional access systems (CASs) with proprietary secrets must be implemented in HSMs or isolated servers to maintain sufficient security, making them difficult to virtualize in the public or hybrid cloud. Also, Conditional Access (CA) applications deployed in the cloud typically lack provisions to secure secret data and code statically or at runtime.

Key delivery messages and mechanisms are typically tightly coupled with the actual content encryption and are localized, making distribution difficult. A modular microservice architecture is needed to accommodate the cloud virtualized environment.

SUMMARY

To address the requirements described above, this document discloses a system and method for encrypting media content. In one embodiment, the system comprises a key server microservice, for receiving control word requests and for generating encoded control words, and a software encryption microservice, communicatively coupled to the key server microservice, the encryption microservice for receiving the media content, for generating the control word requests, for receiving the encoded control words, and for white-box encrypting the media content according to the generated encoded control words. In this embodiment, the key server microservice and the encryption microservice are hosted in a cloud.

Another embodiment is evidenced by a method for encrypting media content. The method comprises receiving, in a key server microservice hosted in the cloud, a request to generate an encoded control word for encrypting media content; generating, in the key server microservice, the encoded control word according to entitlement information; transmitting the encoded control word to a software encryption microservice hosted in the cloud; and white-box encrypting the media content according to the encoded control word in the software encryption microservice.

In another embodiment, the method is evidenced by transmitting, to a key server microservice hosted in the cloud, a request to generate an encoded control word for encrypting media content; receiving the encoded control word at a software encryption microservice hosted in the cloud, the encoded control word generated by the key server microservice according to entitlement information; and white-box encrypting the media content according to the encoded control word in the software encryption microservice.

Still another embodiment is evidenced by one or more processors, communicatively coupled to one or more memories that store processor instructions for commanding the processors to perform the foregoing operations.

The features, functions, and advantages that have been discussed can be achieved independently in various embodiments of the present invention or may be combined in yet other embodiments, further details of which can be seen with reference to the following description and drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

Referring now to the drawings, in which like reference numbers represent corresponding parts throughout:

  • FIG. 1 is a diagram illustrating an exemplary content distribution system;
  • FIG. 2 is a diagram of a cloud-based content distribution system;
  • FIG. 3 is a diagram illustrating exemplary operations that can be used for secure cloud-based encryption of media content;
  • FIG. 4 is a diagram illustrating the architecture of the cloud-based content distribution system;
  • FIGS. 5A and 5B are diagrams of a cryptographic system processin