Title of Invention	A DEVICE AND METHOD FOR RENDERING AND PROVIDING CONTENT MATERIAL AND A RECOVERY MEDIUM THEREOF
Abstract	An encryption system prevents a replay attack by providing a secure item that is unique for each recording of copy-protected content material. A memory element is provided in the recording medium that is readable but not writeable by external devices, and whose content changes each time material is recorded onto the medium. The content of this memory element is used to form a unique encryption key that is used to encrypt the content encryption key. This unique encryption of the content encryption key is further encrypted using a public key that corresponds to a private key of the intended rendering device. Although the unique encryption key is determinable by reading and processing the content of the memory element, the decryption of the content encryption key requires both the unique encryption key and the private key of the intended rendering device. Because the unique encryption key is based on a content value of the memory element that is unique to each recording to the recording medium, a subsequent replay attack will not provide the same unique encryption key used to originally encrypt the content encryption key. Consequently used to encrypt the content encryption key, the rendering device will be unable to decrypt the content encryption key, and thereby will be unable to decrypt the content material.

Title of Invention

A DEVICE AND METHOD FOR RENDERING AND PROVIDING CONTENT MATERIAL AND A RECOVERY MEDIUM THEREOF

Abstract

An encryption system prevents a replay attack by providing a secure item that is unique for each recording of copy-protected content material. A memory element is provided in the recording medium that is readable but not writeable by external devices, and whose content changes each time material is recorded onto the medium. The content of this memory element is used to form a unique encryption key that is used to encrypt the content encryption key. This unique encryption of the content encryption key is further encrypted using a public key that corresponds to a private key of the intended rendering device. Although the unique encryption key is determinable by reading and processing the content of the memory element, the decryption of the content encryption key requires both the unique encryption key and the private key of the intended rendering device. Because the unique encryption key is based on a content value of the memory element that is unique to each recording to the recording medium, a subsequent replay attack will not provide the same unique encryption key used to originally encrypt the content encryption key. Consequently used to encrypt the content encryption key, the rendering device will be unable to decrypt the content encryption key, and thereby will be unable to decrypt the content material.

Full Text	This application claims the benefit of U.S. Provisional Application No. 60/126,169, filed 03/25/99, Attorney Docket PHA 23,637P. BACKGROUND OF THE INVENTION 1. Field of the Invention This invention relates to the field of electronic security, and in particular to the encryption and decryption of copy-protected content material. 2. Description of Related Art Digital recording techniques are commonly used to record copy-protected content material, such as audio and video recordings. Subsequent digital copies of such digital recordings are virtually indistinguishable from the original, and offer the same quality as the original. As the ease of illicitly providing high-quality reproductions of copy-protected content material increases, the need for preventing such reproductions increases. At the same time, however, a legitimate purchaser of such copy-protected content material expects to be able to make copies of the content material for his or her own use. A number of "policy groups", such as the SDMI (Secure Digital Music Initiative), and others, have been formed in an attempt to reach an equitable compromise between the opposing needs of the owners or vendors of the copy-protected material and the purchasers of copies of the copy-protected material. As a result of the actions of these policy groups, a variety of encryption and decryption techniques have been developed, and continue to be developed, to limit the number of times that a copy of copy-protected content material can be made, or to limit the number of times that a copy may be played-back, or to place an expiration time on a copy. Similarly, encryption and decryption techniques have been developed that limit the type of actions than can be applied to the copy. For example, a copy may have a limit to the number of times that it can be copied, independent of the number of times that it can be played-back. A "copy-once, play-always" authorization would allow for an infinite number of play-backs, but only one copy; a "copy-never, play-10" authorization would allow for ten play-backs, and no copies of this copy. For ease of reference, the term "rendering" is used herein to identify either a recording function or a playback function. For example, a recorder renders the material to a recording medium, a CD-player renders the material to an audio system, a DVD-player renders the material to an audio-visual system, and so on. In addition to limiting the number and type of renderings, the device that provides the limited-use copy may also limit the number of limited-use copies of the copy-protected material that are simultaneously available at any given time. That is, for example, if the number of limited-use copies at any given time is limited to ten, the compliant recorder will not provide an eleventh copy until at least one of the first ten copies is "checked-in", and marked as being expired, if not already so marked. In a typical embodiment of a limited-use copy, the copy contains a counter or ticket that stores, in a secure manner, an indication of the authorized rights, and a compliant playback device updates the counter with each rendering or each passage of time, as appropriate for the particular authorized right. In the typical embodiment, the device that provides the limited-use copy and the device that renders the material share a cryptographic key or set of keys that are used to prevent the rendering of the material on an illicit device, and to prevent a modification to the authorization parameters. Typically, the content material is encrypted using a symmetric key, and this key is communicated to the rendering device in an encrypted form, using an asymmetric public key that corresponds to a private key that is associated with the rendering device. In this manner, only the intended rendering device is able to decrypt the encrypted content material. This asymmetric public key is also used to encrypt the authorization rights associated with the encrypted content material. By limiting the number of simultaneously authorized copies, a compliant provider of the copies cannot be efficiently utilized for an illicit mass production. By limiting the number of times that a copy of copy-protected material can be rendered, the resale value of such a limited-use copy is substantially reduced, thereby diminishing the incentive to illicitly reproduce and sell these copies. At the same time, the purchaser of the original copy of the content material is provided virtually unlimited reproduction rights. The burden on the user of re-recording the expired copies from the original purchased copy is viewed to be minimal, particularly if the number of times that the copy can be rendered before expiring is reasonably high, the number of simultaneous copies is reasonably high, and the effort required for the re-recording is low. The use of an expiration time, in lieu of an expiration based on the number of renderings, can also be used to minimize the resale value of each copy, yet allow the purchaser substantially unlimited reproduction rights. A time-based system based on real time (clock time), however, is not often effective for copy protection, because many illicit copies could be made in a relatively short amount of time, and, conversely, most purchasers would be dissatisfied with a time limit that was not related to whether the material was being rendered during that time. Typically, time-based systems are based on a duration of time that the material is actually rendered, rather than real (clock) time. Another scenario for the use of time-limited or usage-limited copies of copyprotected material is for the legitimate vendors of the copy-protected material to sell time-limited or usage-limited copies directly, potentially at a lower cost than the above referenced copies that allow for unlimited reproductions. For example, a limited-use copy may be provided via a download from the Internet, or via a broadcast from a provider, such as a cable or satellite television program provider, with an option to purchase an unlimited-use copy. Or, limited-use copies can be provided as rental items, such as a single-use rental of a video recording that does not require the return of the recording within a limited time period. These and other scenarios for the use of limited-use copies of copy-protected content material can be expected to become increasingly common. One known method of overcoming a limited-use copy protection scheme is termed a "replay attack". In this method, a bit-for-bit copy is made of the limited-use copy while it contains its full allocation of authorized usage or time, and stored in an archive. Although this copy cannot typically be used in a non-compliant rendering device, because the material is stored in a secured form, this copy can be used, or replayed, on a compliant device by re-recording the bit-by-bit copy of the maximum allocated copy back onto the recording medium. Thus, even though the resale value of a limited-use copy of content material will be lower than the value of an unlimited-use copy, a counterfeiter may choose to provide such illicit limited-use copies, because of the ease of creating the copies, and the ease of overcoming the limited-use copy protection scheme. BRIEF SUMMARY OF THE INVENTION It is an object of this invention to provide an encryption method that precludes a replay attack on a limited-use protection scheme. It is a further object of this invention to provide a recording medium having properties that preclude a replay attack. It is a further object of this invention to provide a system that provides limited-use copies of copyprotected material that precludes a replay attack. These objects and others are achieved by providing an encryption system having a secure item that is substantially unique for each recording of a copy of copyprotected content material. A memory element is provided in the recording medium that is readable but not writeable by external devices, and whose content changes each time material is recorded onto the medium. In a preferred embodiment, the content of this memory element is used to form a unique encryption key that is used to encrypt the encryption key that is used to encrypt the content material. This unique encryption of the content encryption key is further encrypted using a public key that corresponds to a private key of the intended rendering device. Although the unique encryption key is determinable by reading and processing the content of the externally read-only memory element, the decryption of the content encryption key requires both the unique encryption key and the private key of the intended rendering device. Because the unique encryption key is based on a content value of the read-only memory element that is unique to each recording to the recording medium, a subsequent illicit re-recording of the original encrypted content material onto the recording medium (a replay attack) will not provide the same unique encryption key as the unique encryption key used to originally encrypt the content encryption key. Because the unique encryption key of the replay attack differs from the original unique encryption key used to encrypt the content encryption key, the rendering device will be unable to decrypt the content encryption key, and thereby will be unable to decrypt the content material, and the replay attack will fail. BRIEF DESCRIPTION OF THE DRAWING The invention is explained in further detail, and by way of example, with reference to the accompanying drawing wherein: FIG. 1 illustrates an example block diagram of an encryption system that provides a copy of copy-protected material that precludes replay attacks in accordance with this invention. It should be noted that the number U can be the collection of all tags in the entire memory thus creating a single key KU for the entire contents of the media. Alternatively the number U and corresponding key KU can be for a single "disk sector" so that each section of the media can be separately rewritten without affecting the other sections of the media. To prevent a replay attack, the recording indicator 310 is configured to be externally readable, but not externally controllable. That is, at each occurrence of a write access to the memory 320, the content recording indicator 310 changes in a manner that is not externally controllable. In this manner, if the legitimate contents in the medium 300 are copied to an archive, and then subsequently re-recorded on the medium 300 from the archive, the recording indicator 310 will, via the modifier 315, contain a different value IT (not illustrated) in the recording indicator 310 than the value U that had been in the recording indicator 310 when the legitimate contents were stored in the medium 300- Note that this value U1 in the recording indicator 310 will be different than the original value U, regardless of whether a total bit-by-bit copy of medium 300 is archived, including a copy of the original value U. That is, because the recording indicator 310 is not externally controllable, the original value U cannot be rewritten into the recording indicator 310. In this manner, because a copy of the original contents of the medium 300 can be distinguished from the original contents, by comparing the original value U with the copy-produced new value IT, a replay attack can be prevented. To facilitate this replay defense, the original value U must be reliably and securely communicated to the rendering device 400 that enforces this defense. Any number of techniques may be employed to securely communicate the original value U. For example (not illustrated), the original value U could be "digitally signed" by content provider 200, and this digitally signed information stored in the medium 300. A compliant rendering device 400 will verify that the digitally signed information is authentic, and then compare the digitally signed original value U to the current value of the value U in the recording indicator 310. If the current value U matches the digitally signed value U, the rendering device 400 is assured that the encrypted content material 321 from the memory 320 is the encrypted content material 221 that was originally stored in the memory 320. If the current value U does not match the digitally signed value U, the rendering device 400 recognizes the attempted replay attack, and precludes a rendering of the content material. In a preferred embodiment, as illustrated in FIG. 1, the value U 311 is used by the content provider 200 to encrypt an item when the encrypted content material 221 is originally recorded, and the value U 312 is subsequently used by the rendering device 400 to decrypt the item. If the value U 311 changes between the time the encrypted content material 221 is originally recorded and the time the rendering device reads the current value U 312, the rendering device 400 will be unable to properly decrypt the item that was encrypted based on the original value U 311. If, on the other hand, the value U 311 that is used by the content provider 200 is the same as the value U 312 that is used by the rendering device 400, the rendering device 400 will properly decrypt the item that was encrypted based on the value U 312. In the example of FIG. 1, the aforementioned item that is encrypted based on the value 311 is a content key 202 that is used to encrypt, and subsequently decrypt the encrypted content material 221, In the example embodiment of FIG. 1, an encrypter 220 is illustrated for providing the encrypted content material EKC(CM) 221 based on the content key KC. A key generator 210 creates a key KU 212 from the value U 311, typically via a hashing function. In a preferred embodiment wherein the recording indicator 310 is embodied within the disk sector tag for each written sector, the key generator 210 creates the key KU 212 by iteratively hashing the unique value in each disk sector tag corresponding to the encrypted content material memory 320, and optionally, as discussed below, the unique value in each disk sector tag corresponding to the rendering rights memory 350. An encrypter 230 uses the key KU 212 to encrypt the content key KC 202 to provide an encrypted content key EKU(KC) 231. At the rendering device 400, this encrypted content key EKU(KC) is shown as reference item 431, A key generator 410, similar to key generator 210, is used to generate a key KU 412, based on the value U 312 in the recording indicator 310 at the time that the medium 300 is read by the rendering device 400. A decrypter 430 decrypts the encrypted content key EKU(KC) 431 using this key KU 412. If the value U 312 corresponds to the original value U 311 that was used in the encryption of the content key KC 202, the decrypter 430 will provide a content key KC 402 that matches the content key KC 202. A decrypter 420 uses the decrypted content key KC 402 to decrypt the encrypted content material EKC(CM) 321 from the memory 320 of the medium 300. If the value U 312 does not correspond to the original value U 311, the rendering device key KU 412 will not match the original key KU 212, the decrypted content key KC 402 will not match the original content key 202, and therefore the decrypted content material CM 401 will not match the original content material 201, and will be substantially unrenderable. Also illustrated in the example embodiment of FIG, 1, the content provider 200 includes an optional encrypter 240 that further encrypts the encrypted content key EKU(KC) 231 using a public key KP 204 that is associated with the rendering device 400. In this manner, the encrypted content key EKU(KC) 231 cannot be decrypted by a device other than the intended receiving device 400, thereby preventing a rendering of the content material 201 by other devices. This doubly encrypted key EKP(EKU(KC)) 241 is in a memory 340 of the medium 300. The corresponding rendering device 400 contains a decrypter 440 that decrypts the doubly encrypted key EKP(EKU(KC)) 341 from the memory 340 using a private key Kp 404 corresponding to the public key KP 204 of a public-private key pair. This decrypter 440 provides the aforementioned encrypted content key EKU(KC) 431. For completeness, FIG. 1 illustrates an authorization module 450 in the rendering device 400 that enforces the limited rendering rights discussed in the Background of the Invention, above. Copending U.S. patent application, "Usage Dependent Ticket to Protect Copy-protected Material", U.S. serial number , filed ___ for Michael Epstein, Attorney Docket PHA (Disclosure 700657), presents a method and system for allocating and enforcing limited rights to each copy of encrypted content material that is stored on a recording medium, and is incorporated by reference herein. As applied to this invention, the content provider 200 includes a rights allocator 250 that stores allocated rights 251 on the recording medium 300. These allocated rights 251 are based on a usage parameter 352 of the medium 300 at the time that the encrypted content material 221 is recorded to the medium 300. The rights 251 may be encoded, for example, as a ticket that is "punched" by a modifier 355 each time the medium is accessed 499 by a rendering device 400, or as a counter that is decremented, and so on. In accordance with another aspect of this invention, the recording indicator 310 may be configured to change its stored value U whenever the memory area 350 that contains the rights are written to from an external source, such as the content provider 200, or by an illicit attempt to modify the rights stored by the content provider 200. As discussed above, if the retrieved value U 312 differs from the original value U 311, the decrypted content material 401 will not match the original content material 201, and will be virtually unrenderable. If the rights in the memory 350 and the encrypted content material in the memory 320 have not been externally changed, the decrypted content material 401 will match the original content material 201 and will be renderable. An authorization module 450 prevents the rendering 401', however, if the usage 353 of the medium 300 has exceeded the rights 351 allocated to the medium 300, via the gate 490. The rendering module 480 represents the components that render the decrypted content material 401, such as an audio system, an audio-video system, a computer system, and the like. The gate 490 represents any of a variety of means commonly available for inhibiting the production of the rendered material 401' from the content material 401 by the authorization module 450. The foregoing merely illustrates the principles of the invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements which, although not explicitly described or shown herein, embody the principles of the invention and are thus within the spirit and scope of the following claims. WE CLAIM : 1. A recording medium (300) characterized in that a first memory (320) that is configured to stores encrypted content material (221) via a first write operation (299), a recording indicator (310) generates and stores a unique identifier (311) at each occurrence of the first write operation (299), and a second memory (340) stores, via a second write operation, a secure item (241) based on the unique identifier (311) when the encrypted content material (221) is stored. 2. The recording medium (300) as claimed in claim 1, wherein the secure item (241) comprises an encrypted key (231) that facilitates a decryption of the encrypted content material (221), the encrypted key (231) being dependent upon the unique identifier (311). 3. The recording medium (300) as claimed in claim 1, wherein the recording indicator (310) comprises a counter configured to be incremented by a recording device when the recording device records the encrypted content material (221). 4. A rendering device (400) that is configured to render content material (401) corresponding to encrypted content material (321) that is contained on a recording medium (300), the recording medium (300) characterized in that it comprises a recording indicator (310) that generates and stores an original unique number and subsequently a current unique number in response to first write operations of the encrypted content material written into the recording medium,(311), the rendering device (400) characterized in that it comprises : one or more decrypters (420, 430,440) configured to decrypt the encrypted content material (321) based on a current unique number (312) of the recording indicator (310), such that one or more decrypters (420, 430, 440) provide the content material (401) only when the unique number (312) of the recording indicator (310) corresponds to the original value (311) of the recording indicator (310), and a renderer (480) that is configured to render the content material (401). 5. The rendering device (400) as claimed in claim 4, comprising: an authorization device (450) configured to control the renderer (480) based on a usage-measure (353) associated with the recording medium (300) and a validity period (351) associated with the content material (401). 6. The rendering device (400) as claimed in claim 4, comprising : a key generator (410) that creates a unique key (412) based on the current value (312) generated by and stored in the recording indicator (310), and wherein the one or more decrypters (420, 430, 440) are configured to decrypt the encrypted content material (321) based on the unique key (412) based on the current value (312) of the recording indicator (310). 7. The rendering device (400) as claimed in claim 6, wherein the one or more decrypters (420, 430,440) comprises : a first decrypter (440) that decrypts a doubly encrypted content key (341) based on a private key (404) of the rendering device (400) to provide a singly encrypted content key (431), a second decrypter (430) that decryptes the singly encrypted content key (431) based on the unique key (412) that is based on the current value (312) of the recording indicator (310) to provide a content key (402), and a third decrypter (420) that decrypts the encrypted content material (321) based on the content key (402) to provide the content material (401). 8. A provider (200) of content material (201) comprising: a recorder configured to record encrypted content material (221) and a corresponding secure item (241) on a recording medium (300), said recorder characterized in that it comprises: a first input for receiving content material; a second input for receiving a content key; a first encrypter for encrypting the content material based on the content key; means for writing the encrypted content material on the recording medium in a first writing operation; a third input for receiving a unique identifier from the recording medium in response to the first writing operations said recording medium characterized in that it has a recording indicator for generating and storing a unique identifier at each occurrence of a first writing operation; a second encrypter for generating the secure item based on the unique identifier received from the recording medium; and means for writing the secure item on the recording medium in a second writing operation. 9. The provider (200) as claimed in claim 8, comprising : an allocator (250) that is configured to allocate rendering rights (251) associated with the encrypted content material (221), and wherein the recorder is configured to record the rendering rights (251) on the recording medium (300). 10. The provider (200) as claimed in claim 8, the secure item (241) corresponds to an encryption of the content key (202) based on the value (311) of the recording indicator (310). 11. The provider (200) as claimed in claim 8, comprising: a key generator (410) that generates a unique key (212) based on the unique identifier, and one or more encrypters (220,230,240) configured to encrypt the content key based on the unique key (212) to produce the secure item (241). 12. The provider (200) as claimed in claim 8, wherein : the content key is encrypted based on a unique key (212) that is dependent upon a value (311) of the recording indicator (310) to produce a singly encrypted content key (231), and the singly encrypted content key (231) is encrypted based on a public key (204) that is associated with a rendering device (400) to produce a ddUbly encrypted content key (241) corresponding to the secure item (241). 13. A method of providing content material (201), the method comprising the steps of: recording encrypted content material (221) on a recording medium (300) in a first write operation the encrypted content material (221) being dependent upon the content material (201) and a content key (202), and recording a secure item (241) on the recording medium (300) in a second write operation the secure item (241) being dependent upon a unique number generated by and stored in the recording medium upon each first write operation. 14. The method as claimed in claim 13, wherein the method comprises recording rendering rights (251) associated with the encrypted content material (221) on the recording medium (300). 15. The method as claimed in claim 13, comprising generating a unique key (212) that is based on the recording indicator (310), encrypting the content key (202) using the unique key (212) to produce the secure item (241). 16. The method as claimed in claim 13, wherein the method comprises generating a unique key (212) based on the unique number encrypting the content key (202) using the unique key (212) to produce a singly encrypted content key (231), and encrypting the singly encrypted content key (231) using a public key (204) associated with a rendering device (400) to produce the secure item (241). 17. A method of rendering content material (401) from a recording medium (300) that comprises encrypted content material (321), an encrypted content key (341), and a unique number generated by and stored on the recording medium each time the encrypted content material is recorded on the recording medium, the method comprising the steps of : determining a unique key (412) based on the recording indicator (310), decrypting the encrypted content key (341) based on the unique key (412) to provide a content key (402), decrypting the encrypted content material (321) based on the content key (402) to provide the content material (401), and rendering the content material (401). 18. The method as claimed in claim 17, wherein the recording medium (300) also comprises rendering rights (351), and rendering the content material (401) is dependent upon the rendering rights (351) 19. The method as claimed in claim 17, wherein decrypting the encrypted content key (341) comprises: decrypting the encrypted content key (341) based on a private key (404) to provide a singly encrypted content key (431), and decrypting the singly encrypted content key (431) based on the unique key (412) to provide the content key (402).

Full Text

This application claims the benefit of U.S. Provisional Application No. 60/126,169, filed 03/25/99, Attorney Docket PHA 23,637P.
BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to the field of electronic security, and in particular to the encryption and decryption of copy-protected content material.
2. Description of Related Art
Digital recording techniques are commonly used to record copy-protected content material, such as audio and video recordings. Subsequent digital copies of such digital recordings are virtually indistinguishable from the original, and offer the same quality as the original.
As the ease of illicitly providing high-quality reproductions of copy-protected content material increases, the need for preventing such reproductions increases. At the same time, however, a legitimate purchaser of such copy-protected content material expects to be able to make copies of the content material for his or her own use. A number of "policy groups", such as the SDMI (Secure Digital Music Initiative), and others, have been formed in an attempt to reach an equitable compromise between the opposing needs of the owners or vendors of the copy-protected material and the purchasers of copies of the copy-protected material. As a result of the actions of these policy groups, a variety of encryption and decryption techniques have been developed, and continue to be developed, to limit the number of times that a copy of copy-protected content material can be made, or to limit the number of times that a copy may be played-back, or to place an expiration time on a copy. Similarly, encryption and decryption techniques have been developed that limit the type of actions than can be applied to the copy. For example, a copy may have a limit to the number of times that it can be copied, independent of the number of times that it can be played-back. A "copy-once, play-always" authorization would allow for an infinite number of play-backs,

but only one copy; a "copy-never, play-10" authorization would allow for ten play-backs, and no copies of this copy. For ease of reference, the term "rendering" is used herein to identify either a recording function or a playback function. For example, a recorder renders the material to a recording medium, a CD-player renders the material to an audio system, a DVD-player renders the material to an audio-visual system, and so on. In addition to limiting the number and type of renderings, the device that provides the limited-use copy may also limit the number of limited-use copies of the copy-protected material that are simultaneously available at any given time. That is, for example, if the number of limited-use copies at any given time is limited to ten, the compliant recorder will not provide an eleventh copy until at least one of the first ten copies is "checked-in", and marked as being expired, if not already so marked.
In a typical embodiment of a limited-use copy, the copy contains a counter or ticket that stores, in a secure manner, an indication of the authorized rights, and a compliant playback device updates the counter with each rendering or each passage of time, as appropriate for the particular authorized right. In the typical embodiment, the device that provides the limited-use copy and the device that renders the material share a cryptographic key or set of keys that are used to prevent the rendering of the material on an illicit device, and to prevent a modification to the authorization parameters. Typically, the content material is encrypted using a symmetric key, and this key is communicated to the rendering device in an encrypted form, using an asymmetric public key that corresponds to a private key that is associated with the rendering device. In this manner, only the intended rendering device is able to decrypt the encrypted content material. This asymmetric public key is also used to encrypt the authorization rights associated with the encrypted content material.
By limiting the number of simultaneously authorized copies, a compliant provider of the copies cannot be efficiently utilized for an illicit mass production. By limiting the number of times that a copy of copy-protected material can be rendered, the resale value of such a limited-use copy is substantially reduced, thereby diminishing the incentive to illicitly reproduce and sell these copies. At the same time, the purchaser of the original copy of the content material is provided virtually unlimited reproduction rights. The burden on the user of re-recording the expired copies from the original purchased copy is viewed to be minimal, particularly if the number of times that the copy can be rendered before expiring is reasonably high, the number of simultaneous copies is reasonably high, and the effort required for the re-recording is low. The use of an expiration time, in lieu of an expiration based on the number of renderings, can also be used to minimize the resale value of each

copy, yet allow the purchaser substantially unlimited reproduction rights. A time-based system based on real time (clock time), however, is not often effective for copy protection, because many illicit copies could be made in a relatively short amount of time, and, conversely, most purchasers would be dissatisfied with a time limit that was not related to whether the material was being rendered during that time. Typically, time-based systems are based on a duration of time that the material is actually rendered, rather than real (clock)
time.
Another scenario for the use of time-limited or usage-limited copies of copyprotected material is for the legitimate vendors of the copy-protected material to sell time-limited or usage-limited copies directly, potentially at a lower cost than the above referenced copies that allow for unlimited reproductions. For example, a limited-use copy may be provided via a download from the Internet, or via a broadcast from a provider, such as a cable or satellite television program provider, with an option to purchase an unlimited-use copy. Or, limited-use copies can be provided as rental items, such as a single-use rental of a video recording that does not require the return of the recording within a limited time period. These and other scenarios for the use of limited-use copies of copy-protected content material can be expected to become increasingly common.
One known method of overcoming a limited-use copy protection scheme is termed a "replay attack". In this method, a bit-for-bit copy is made of the limited-use copy while it contains its full allocation of authorized usage or time, and stored in an archive. Although this copy cannot typically be used in a non-compliant rendering device, because the material is stored in a secured form, this copy can be used, or replayed, on a compliant device by re-recording the bit-by-bit copy of the maximum allocated copy back onto the recording medium. Thus, even though the resale value of a limited-use copy of content material will be lower than the value of an unlimited-use copy, a counterfeiter may choose to provide such illicit limited-use copies, because of the ease of creating the copies, and the ease of overcoming the limited-use copy protection scheme.
BRIEF SUMMARY OF THE INVENTION
It is an object of this invention to provide an encryption method that precludes a replay attack on a limited-use protection scheme. It is a further object of this invention to provide a recording medium having properties that preclude a replay attack. It is a further

object of this invention to provide a system that provides limited-use copies of copyprotected material that precludes a replay attack.
These objects and others are achieved by providing an encryption system having a secure item that is substantially unique for each recording of a copy of copyprotected content material. A memory element is provided in the recording medium that is readable but not writeable by external devices, and whose content changes each time material is recorded onto the medium. In a preferred embodiment, the content of this memory element is used to form a unique encryption key that is used to encrypt the encryption key that is used to encrypt the content material. This unique encryption of the content encryption key is further encrypted using a public key that corresponds to a private key of the intended rendering device. Although the unique encryption key is determinable by reading and processing the content of the externally read-only memory element, the decryption of the content encryption key requires both the unique encryption key and the private key of the intended rendering device. Because the unique encryption key is based on a content value of the read-only memory element that is unique to each recording to the recording medium, a subsequent illicit re-recording of the original encrypted content material onto the recording medium (a replay attack) will not provide the same unique encryption key as the unique encryption key used to originally encrypt the content encryption key. Because the unique encryption key of the replay attack differs from the original unique encryption key used to encrypt the content encryption key, the rendering device will be unable to decrypt the content encryption key, and thereby will be unable to decrypt the content material, and the replay attack will fail.
BRIEF DESCRIPTION OF THE DRAWING
The invention is explained in further detail, and by way of example, with reference to the accompanying drawing wherein:
FIG. 1 illustrates an example block diagram of an encryption system that provides a copy of copy-protected material that precludes replay attacks in accordance with this invention.

It should be noted that the number U can be the collection of all tags in the entire memory thus creating a single key KU for the entire contents of the media. Alternatively the number U and corresponding key KU can be for a single "disk sector" so that each section of the media can be separately rewritten without affecting the other sections of the media.
To prevent a replay attack, the recording indicator 310 is configured to be externally readable, but not externally controllable. That is, at each occurrence of a write access to the memory 320, the content recording indicator 310 changes in a manner that is not externally controllable. In this manner, if the legitimate contents in the medium 300 are copied to an archive, and then subsequently re-recorded on the medium 300 from the archive, the recording indicator 310 will, via the modifier 315, contain a different value IT (not illustrated) in the recording indicator 310 than the value U that had been in the recording indicator 310 when the legitimate contents were stored in the medium 300- Note that this value U1 in the recording indicator 310 will be different than the original value U, regardless of whether a total bit-by-bit copy of medium 300 is archived, including a copy of the original value U. That is, because the recording indicator 310 is not externally controllable, the original value U cannot be rewritten into the recording indicator 310. In this manner, because a copy of the original contents of the medium 300 can be distinguished from the original contents, by comparing the original value U with the copy-produced new value IT, a replay attack can be prevented.
To facilitate this replay defense, the original value U must be reliably and securely communicated to the rendering device 400 that enforces this defense. Any number of techniques may be employed to securely communicate the original value U. For example (not illustrated), the original value U could be "digitally signed" by content provider 200, and this digitally signed information stored in the medium 300. A compliant rendering device 400 will verify that the digitally signed information is authentic, and then compare the digitally signed original value U to the current value of the value U in the recording indicator 310. If the current value U matches the digitally signed value U, the rendering device 400 is assured that the encrypted content material 321 from the memory 320 is the encrypted content material 221 that was originally stored in the memory 320. If the current value U does not match the digitally signed value U, the rendering device 400 recognizes the attempted replay attack, and precludes a rendering of the content material.
In a preferred embodiment, as illustrated in FIG. 1, the value U 311 is used by the content provider 200 to encrypt an item when the encrypted content material 221 is

originally recorded, and the value U 312 is subsequently used by the rendering device 400 to decrypt the item. If the value U 311 changes between the time the encrypted content material 221 is originally recorded and the time the rendering device reads the current value U 312, the rendering device 400 will be unable to properly decrypt the item that was encrypted based on the original value U 311. If, on the other hand, the value U 311 that is used by the content provider 200 is the same as the value U 312 that is used by the rendering device 400, the rendering device 400 will properly decrypt the item that was encrypted based on the value U 312. In the example of FIG. 1, the aforementioned item that is encrypted based on the value 311 is a content key 202 that is used to encrypt, and subsequently decrypt the encrypted content material 221,
In the example embodiment of FIG. 1, an encrypter 220 is illustrated for providing the encrypted content material EKC(CM) 221 based on the content key KC. A key generator 210 creates a key KU 212 from the value U 311, typically via a hashing function. In a preferred embodiment wherein the recording indicator 310 is embodied within the disk sector tag for each written sector, the key generator 210 creates the key KU 212 by iteratively hashing the unique value in each disk sector tag corresponding to the encrypted content material memory 320, and optionally, as discussed below, the unique value in each disk sector tag corresponding to the rendering rights memory 350.
An encrypter 230 uses the key KU 212 to encrypt the content key KC 202 to provide an encrypted content key EKU(KC) 231. At the rendering device 400, this encrypted content key EKU(KC) is shown as reference item 431, A key generator 410, similar to key generator 210, is used to generate a key KU 412, based on the value U 312 in the recording indicator 310 at the time that the medium 300 is read by the rendering device 400. A decrypter 430 decrypts the encrypted content key EKU(KC) 431 using this key KU 412. If the value U 312 corresponds to the original value U 311 that was used in the encryption of the content key KC 202, the decrypter 430 will provide a content key KC 402 that matches the content key KC 202. A decrypter 420 uses the decrypted content key KC 402 to decrypt the encrypted content material EKC(CM) 321 from the memory 320 of the medium 300. If the value U 312 does not correspond to the original value U 311, the rendering device key KU 412 will not match the original key KU 212, the decrypted content key KC 402 will not match the original content key 202, and therefore the decrypted content material CM 401 will not match the original content material 201, and will be substantially unrenderable.
Also illustrated in the example embodiment of FIG, 1, the content provider 200 includes an optional encrypter 240 that further encrypts the encrypted content key

EKU(KC) 231 using a public key KP 204 that is associated with the rendering device 400. In this manner, the encrypted content key EKU(KC) 231 cannot be decrypted by a device other than the intended receiving device 400, thereby preventing a rendering of the content material 201 by other devices. This doubly encrypted key EKP(EKU(KC)) 241 is in a memory 340 of the medium 300. The corresponding rendering device 400 contains a decrypter 440 that decrypts the doubly encrypted key EKP(EKU(KC)) 341 from the memory 340 using a private key Kp 404 corresponding to the public key KP 204 of a public-private key pair. This decrypter 440 provides the aforementioned encrypted content key EKU(KC) 431.
For completeness, FIG. 1 illustrates an authorization module 450 in the rendering device 400 that enforces the limited rendering rights discussed in the Background of the Invention, above. Copending U.S. patent application, "Usage Dependent Ticket to
Protect Copy-protected Material", U.S. serial number , filed ___ for
Michael Epstein, Attorney Docket PHA (Disclosure 700657), presents a method and
system for allocating and enforcing limited rights to each copy of encrypted content material that is stored on a recording medium, and is incorporated by reference herein. As applied to this invention, the content provider 200 includes a rights allocator 250 that stores allocated rights 251 on the recording medium 300. These allocated rights 251 are based on a usage parameter 352 of the medium 300 at the time that the encrypted content material 221 is recorded to the medium 300. The rights 251 may be encoded, for example, as a ticket that is "punched" by a modifier 355 each time the medium is accessed 499 by a rendering device 400, or as a counter that is decremented, and so on. In accordance with another aspect of this invention, the recording indicator 310 may be configured to change its stored value U whenever the memory area 350 that contains the rights are written to from an external source, such as the content provider 200, or by an illicit attempt to modify the rights stored by the content provider 200. As discussed above, if the retrieved value U 312 differs from the original value U 311, the decrypted content material 401 will not match the original content material 201, and will be virtually unrenderable. If the rights in the memory 350 and the encrypted content material in the memory 320 have not been externally changed, the decrypted content material 401 will match the original content material 201 and will be renderable. An authorization module 450 prevents the rendering 401', however, if the usage 353 of the medium 300 has exceeded the rights 351 allocated to the medium 300, via the gate 490. The rendering module 480 represents the components that render the decrypted content material 401, such as an audio system, an audio-video system, a computer system, and the like. The gate 490 represents any of a variety of means commonly available for inhibiting the

production of the rendered material 401' from the content material 401 by the authorization
module 450.
The foregoing merely illustrates the principles of the invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements which, although not explicitly described or shown herein, embody the principles of the invention and are thus within the spirit and scope of the following claims.

WE CLAIM :
1. A recording medium (300) characterized in that
a first memory (320) that is configured to stores encrypted content material (221) via a first write operation (299),
a recording indicator (310) generates and stores a unique identifier (311) at each occurrence of the first write operation (299), and
a second memory (340) stores, via a second write operation, a secure item (241) based on the unique identifier (311) when the encrypted content material (221) is stored.
2. The recording medium (300) as claimed in claim 1, wherein
the secure item (241) comprises an encrypted key (231) that facilitates a decryption of the encrypted content material (221), the encrypted key (231) being dependent upon the unique identifier (311).
3. The recording medium (300) as claimed in claim 1, wherein the recording indicator (310) comprises a counter configured to be incremented by a recording device when the recording device records the encrypted content material (221).
4. A rendering device (400) that is configured to render content material (401) corresponding to encrypted content material (321) that is contained on a recording medium (300), the recording medium (300) characterized in that it comprises a recording indicator (310) that generates and stores an original unique number and subsequently a current unique number in response to first write operations of the encrypted content material written into the recording medium,(311), the rendering device (400) characterized in that it comprises :
one or more decrypters (420, 430,440) configured to decrypt the encrypted content

material (321) based on a current unique number (312) of the recording indicator (310), such that one or more decrypters (420, 430, 440) provide the content material (401) only when the unique number (312) of the recording indicator (310) corresponds to the original value (311) of the recording indicator (310), and
a renderer (480) that is configured to render the content material (401).
5. The rendering device (400) as claimed in claim 4, comprising:
an authorization device (450) configured to control the renderer (480) based on a usage-measure (353) associated with the recording medium (300) and a validity period (351) associated with the content material (401).
6. The rendering device (400) as claimed in claim 4, comprising :
a key generator (410) that creates a unique key (412) based on the current value (312) generated by and stored in the recording indicator (310), and
wherein
the one or more decrypters (420, 430, 440) are configured to decrypt the encrypted content material (321) based on the unique key (412) based on the current value (312) of the recording indicator (310).
7. The rendering device (400) as claimed in claim 6, wherein
the one or more decrypters (420, 430,440) comprises :
a first decrypter (440) that decrypts a doubly encrypted content key (341) based on a private key (404) of the rendering device (400) to provide a singly encrypted content key (431),
a second decrypter (430) that decryptes the singly encrypted content key (431) based on the unique key (412) that is based on the current value (312) of the recording indicator (310) to provide a content key (402), and

a third decrypter (420) that decrypts the encrypted content material (321) based on the content key (402) to provide the content material (401).
8. A provider (200) of content material (201) comprising:
a recorder configured to record encrypted content material (221) and a corresponding secure item (241) on a recording medium (300), said recorder characterized in that it comprises:
a first input for receiving content material;
a second input for receiving a content key;
a first encrypter for encrypting the content material based on the content key; means for writing the encrypted content material on the recording medium in a first writing operation;
a third input for receiving a unique identifier from the recording medium in response to the first writing operations said recording medium characterized in that it has a recording indicator for generating and storing a unique identifier at each occurrence of a first writing operation;
a second encrypter for generating the secure item based on the unique identifier received from the recording medium; and means for writing the secure item on the recording medium in a second writing operation.
9. The provider (200) as claimed in claim 8, comprising :
an allocator (250) that is configured to allocate rendering rights (251) associated with the encrypted content material (221), and
wherein
the recorder is configured to record the rendering rights (251) on the recording medium (300).

10. The provider (200) as claimed in claim 8,
the secure item (241) corresponds to an encryption of the content key (202) based on the value (311) of the recording indicator (310).
11. The provider (200) as claimed in claim 8, comprising:
a key generator (410) that generates a unique key (212) based on the unique identifier, and
one or more encrypters (220,230,240) configured to encrypt the content key based on the unique key (212) to produce the secure item (241).
12. The provider (200) as claimed in claim 8, wherein :
the content key is encrypted based on a unique key (212) that is dependent upon a value (311) of the recording indicator (310) to produce a singly encrypted content key (231), and
the singly encrypted content key (231) is encrypted based on a public key (204) that is associated with a rendering device (400) to produce a ddUbly encrypted content key (241) corresponding to the secure item (241).
13. A method of providing content material (201), the method comprising the steps of:
recording encrypted content material (221) on a recording medium (300) in a first write
operation the encrypted content material (221) being dependent upon the content material (201) and a content key (202), and
recording a secure item (241) on the recording medium (300) in a second write operation the secure item (241) being dependent upon a unique number generated by and stored in the recording medium upon each first write operation.
14. The method as claimed in claim 13, wherein the method comprises
recording rendering rights (251) associated with the encrypted content material (221) on the recording medium (300).

15. The method as claimed in claim 13, comprising
generating a unique key (212) that is based on the recording indicator (310), encrypting the content key (202) using the unique key (212) to produce the secure item (241).
16. The method as claimed in claim 13, wherein the method comprises
generating a unique key (212) based on the unique number
encrypting the content key (202) using the unique key (212) to produce a singly encrypted content key (231), and
encrypting the singly encrypted content key (231) using a public key (204) associated with a rendering device (400) to produce the secure item (241).
17. A method of rendering content material (401) from a recording medium (300) that
comprises encrypted content material (321), an encrypted content key (341), and a unique
number generated by and stored on the recording medium each time the encrypted content
material is recorded on the recording medium, the method comprising the steps of :
determining a unique key (412) based on the recording indicator (310),
decrypting the encrypted content key (341) based on the unique key (412) to provide a content key (402),
decrypting the encrypted content material (321) based on the content key (402) to provide the content material (401), and
rendering the content material (401).
18. The method as claimed in claim 17, wherein
the recording medium (300) also comprises rendering rights (351), and rendering the content material (401) is dependent upon the rendering rights (351)

19. The method as claimed in claim 17, wherein
decrypting the encrypted content key (341) comprises:
decrypting the encrypted content key (341) based on a private key (404) to provide a singly encrypted content key (431), and
decrypting the singly encrypted content key (431) based on the unique key (412) to provide the content key (402).

Documents:

abs-in-pct-712-che.jpg

in-pct-2000-0712-che abstract-duplicate.pdf

in-pct-2000-0712-che claims-duplicate.pdf

in-pct-2000-0712-che description (complete)-duplicate.pdf

in-pct-2000-712-che-abstract.pdf

in-pct-2000-712-che-assignment.pdf

in-pct-2000-712-che-claims.pdf

in-pct-2000-712-che-correspondence others.pdf

in-pct-2000-712-che-correspondence po.pdf

in-pct-2000-712-che-description complete.pdf

in-pct-2000-712-che-drawings.pdf

in-pct-2000-712-che-form 1.pdf

in-pct-2000-712-che-form 19.pdf

in-pct-2000-712-che-form 26.pdf

in-pct-2000-712-che-form 3.pdf

in-pct-2000-712-che-form 5.pdf

in-pct-2000-712-che-other documents.pdf

in-pct-2000-712-che-pct.pdf

« Previous Patent

Next Patent »

Patent Number

222526

Indian Patent Application Number

IN/PCT/2000/712/CHE

PG Journal Number

47/2008

Publication Date

21-Nov-2008

Grant Date

14-Aug-2008

Date of Filing

23-Nov-2000

Name of Patentee

KONINKLIJKE PHILIPS ELECTRONICS N.V.

Applicant Address

Groenewoudseweg 1, NL-5621 BA Eindhoven,

Inventors:

#	Inventor's Name	Inventor's Address
1	Michael, A EPSTEIN	Prof. Holstlaan 6, NL-5656 AA Eindhoven,

PCT International Classification Number

G11B 20/00

PCT International Application Number

PCT/EP2000/002597

PCT International Filing date

2000-03-22

PCT Conventions:

#	PCT Application Number	Date of Convention	Priority Country
1	60/126,169	1999-03-25	U.S.A.
2	09/454,349	1999-12-03	U.S.A.