U.S. Patent: 6009171 - Apparatus, method and computer program product for protecting copyright data within a computer system

Back to EveryPatent.com

United States Patent	*6,009,171*
Ciacelli , et al.	December 28, 1999

Apparatus, method and computer program product for protecting copyright data within a computer system

Abstract

Apparatus, method and computer program product are provided for digitally processing an encrypted data stream scrambled, for example, according to content scrambling system (CSS) technology. This digital processing insures against communication of clear data within the computer system from a central processing unit (CPU) to any accessible structure, such as memory or a system bus. Descrambling of the (CSS) scrambled data stream occurs within a module executing on the CPU, which is followed by re-encryption of the data prior to transfer from the CPU. By so processing the data, integrity of copyrighted material is maintained, while allowing for software descrambling of the CSS encrypted data stream. Various techniques for establishing the encryption/decryption algorithm pair employed are described. Decryption of the re-encrypted data can occur at a receiving software module and/or a receiving hardware device, such as a decoder.

Inventors:	Ciacelli; Mark Louis (Endicott, NY); Urda; John William (Endwell, NY); Lam; Wai Man (Mohegan Lake, NY); Kouloheris; Jack Lawrence (Ossining, NY); Fetkovich; John Edward (Endicott, NY)
Assignee:	International Business Machines Corporation (Armonk, NY)
Appl. No.:	881139
Filed:	June 24, 1997

Intern'l Class: H04N 007/167

Field of Search: 380/3,4,49,5,10 369/84

References Cited U.S. Patent Documents

5029207	Jul., 1991	Gammie.
5138659	Aug., 1992	Kelkar et al.
5177786	Jan., 1993	Kang.
5426699	Jun., 1995	Wunderlich et al.
5442701	Aug., 1995	Guillou et al.
5521978	May., 1996	Oguro.
5535275	Jul., 1996	Sugisaki et al.
5574787	Nov., 1996	Ryan.
5600721	Feb., 1997	Kitazato	380/20.
5867579	Feb., 1999	Saito	380/25.
5910987	Jun., 1999	Ginter et al.	380/24.

Other References

"Sonic DVD Creator--Blueprint for DVD Premastering", Sonic Solutions, Apr. 1996, (pp. 2-10).

Primary Examiner: Swann; Tod R.
Assistant Examiner: Jack; Todd
Attorney, Agent or Firm: Heslin & Rothenberg, P.C.

Claims

We claim:

1. Apparatus for processing a scrambled data stream within a computer system having a central processing unit (CPU) coupled to receive the scrambled data stream, comprising:

descrambling means within the central processing unit for descrambling the received, scrambled data stream to produce a clear data stream;

re-encryption means within the central processing unit for re-encrypting the clear data stream to produce an encrypted data stream, wherein said scrambled data stream is produced from a different encryption algorithm than said encrypted data stream;

means for transferring the encrypted data stream from the central processing unit to a second structure of the computer system, said second structure being coupled to the CPU; and

decryption means coupled to the second structure for receiving the encrypted data stream therefrom and for decrypting the encrypted data stream to produce said clear data stream, wherein said clear data stream is unexposed when transferred from the central processing unit to said second structure coupled to the CPU, while said descrambling means within the central processing unit accomplishes descrambling of the received scrambled data stream.

2. The apparatus of claim 1, wherein said scrambled data stream comprises a scrambled, encoded data stream and wherein said apparatus further comprises a decoder coupled to said decryption means for decoding a clear, encoded data stream produced by said decryption means.

3. The apparatus of claim 2, wherein said clear, encoded data stream comprises a video data stream and wherein said decoder comprises an MPEG video decoder.

4. The apparatus of claim 2, wherein said scrambled, encoded data stream comprises a CSS scrambled, MPEG encoded data stream, and wherein said descrambling means comprises means for CSS descrambling the scrambled, encoded data stream within the CPU and said decoder comprises means for MPEG decoding said clear, encoded data stream.

5. The apparatus of claim 2, wherein said decoder comprises a decoding hardware device and said decryption means resides within said decoding hardware device.

6. The apparatus of claim 1, wherein said re-encryption means further comprises means for providing a key for use in re-encrypting the clear data stream, and wherein said decryption means includes means for employing the key in decrypting the encrypted data stream.

7. The apparatus of claim 6, wherein said re-encryption means further comprises means for encrypting said key to produce an encrypted key, and for multiplexing the encrypted key and the encrypted data stream into a multiplexed data stream for transfer to said second structure coupled to the CPU, and wherein said decryption means further comprises means for demultiplexing said multiplexed data stream to obtain said encrypted key and said encrypted data stream, and wherein said decryption means further comprises means for decrypting said encrypted key.

8. The apparatus of claim 1, further comprising means for selecting an encryption/decryption algorithm pair for use by said re-encryption means and said decryption means.

9. The apparatus of claim 8, wherein said means for selecting comprises means for downloading a decryption algorithm of said selected encryption/decryption algorithm pair from said re-encryption means to said decryption means, said means for downloading including means for encrypting the decryption algorithm for transfer between the re-encryption means and the decryption means.

10. The apparatus of claim 8, wherein said means for selecting comprises means for selecting said encryption/decryption algorithm pair from a plurality of encryption/decryption algorithm pairs at said re-encryption means and said decryption means, and wherein said means for selecting comprises means for noticing the decryption means which decryption algorithm of said plurality of encryption/decryption algorithm pairs corresponds with an encryption algorithm employed by said re-encryption means.

11. The apparatus of claim 1, wherein said decryption means comprises a decryption module disposed within the central processing unit, and said second structure coupled to the CPU comprises memory.

12. Apparatus for processing a data stream within a computer system having a central processing unit (CPU) coupled to receive the data stream, said apparatus comprising:

encryption means within the CPU for encrypting identified copyright data within the data stream to produce therefrom encrypted data;

means for transferring the encrypted data from the central processing unit to a structure of the computer system coupled thereto, wherein said copyright data is only transferred from the central processing unit as said encrypted data; and

decryption means coupled to said structure receiving the encrypted data, said decryption means comprising means for decrypting the encrypted data.

13. The apparatus of claim 12, further comprising means for identifying within the central processing unit said copyright data of the data stream, said means for identifying providing said identified copyright data to said encryption means.

14. The apparatus of claim 13, wherein the data stream comprises a scrambled, encoded data stream, and wherein said apparatus further comprises descrambling means for descrambling the scrambled, encoded data stream within the central processing unit to produce a clear, encoded data stream, and wherein said means for identifying comprises means for examining the clear, encoded data stream to identify copyright data for encryption by said encryption means.

15. The apparatus of claim 12, wherein said decryption means comprises a microcode decryption device.

16. The apparatus of claim 12, wherein said data stream comprises a scrambled data stream, and wherein said apparatus further comprises means for descrambling the scrambled data stream prior to said encrypting of the identified copyright data by said encryption means, wherein said scrambled data stream is produced from a different encryption algorithm than said encrypted data produced by said encryption means.

17. The apparatus of claim 12, wherein said encryption means further comprises means for providing a key for use in said encrypting of the identified copyright data and for use by said decryption means for decrypting the encrypted data.

18. The apparatus of claim 17, wherein said encryption means further comprises means for encrypting said key to produce an encrypted key, and for multiplexing the encrypted key and the encrypted data into a multiplexed data stream for transfer to said structure coupled to the CPU, and wherein said decryption means further comprises means for demultiplexing said multiplexed data stream to obtain said encrypted key and said encrypted data, and wherein said decryption means further comprises means for decrypting said encrypted key.

19. The apparatus of claim 12, further comprising means for selecting an encryption/decryption algorithm pair for use by said encryption means and said decryption means from a plurality of predefined encryption/decryption algorithm pairs, said selected encryption/decryption algorithm pair comprising an encryption algorithm and a corresponding decryption algorithm, said encryption algorithm being employed by said encryption means, and said corresponding decryption algorithm being employed by said decryption means.

20. A method for processing a scrambled data stream within a computer system having a central processing unit and a structure coupled thereto, said method comprising:

(a) receiving the scrambled data stream at the central processing unit (CPU);

(b) descrambling the scrambled data stream within a module executing on the central processing unit to produce clear data;

(c) re-encrypting the clear data within the central processing unit, said re-encrypting producing at least partially encrypted data;

(d) subsequent to said re-encrypting, transferring the at least partially encrypted data from the central processing unit to a second structure of the computer system, said second structure being coupled to the central processing unit; and

(e) subsequent to said transferring, retrieving and decrypting the at least partially encrypted data to produce clear data, wherein said clear data is unexposed when transferred from the central processing unit to the structure coupled thereto, while said descrambling occurs within the module executing on the central processing unit, and wherein the scrambled data stream is produced from a different encryption algorithm than employed by said re-encrypting (c) to produce said at least partially encrypted data.

21. The method of claim 20, wherein the scrambled data stream comprises a scrambled, encoded data stream, and wherein said decrypting (e) comprises producing clear, encoded data, and wherein said method further comprises decoding said clear, encoded data to produce said clear data.

22. The method of claim 21, wherein said scrambled, encoded data stream comprises a CSS scrambled, MPEG encoded data stream, and wherein said descrambling (b) comprises CSS descrambling said scrambled, encoded data stream within the CPU, and said decoding comprises MPEG decoding said clear, encoded data to produce said clear data.

23. The method of claim 20, wherein said re-encrypting (c) includes employing a key in re-encrypting the clear data, and wherein said method further comprises providing said key for said decrypting (e), said decrypting employing said key in decrypting the at least partially encrypted data.

24. The method of claim 23, wherein said re-encrypting (c) includes encrypting said key to produce an encrypted key, and multiplexing the encrypted key and the at least partially encrypted data into a multiplexed data stream, and wherein said decrypting (e) further comprises demultiplexing said multiplexed data stream to obtain said encrypted key and said at least partially encrypted data, and said decrypting (e) further comprises decrypting said encrypted key and employing said key in decrypting said at least partially encrypted data.

25. The method of claim 20, further comprising selecting an encryption/decryption algorithm pair for use by said re-encrypting (c) and said decrypting (e), said selecting comprising choosing said selected encryption/decryption algorithm pair from a plurality of predefined encryption/decryption algorithm pairs.

26. The method of claim 25, wherein said re-encrypting (c) accomplishes said selecting and said re-encrypting further comprises downloading a decryption algorithm of the selected encryption/decryption algorithm pair for use by said decrypting (e).

27. The method of claim 20, wherein said decrypting (e) comprises decrypting the at least partially encrypted data within the central processing unit, and wherein said structure coupled to the central processing unit comprises a memory structure, said retrieving (e) comprising retrieving said at least partially encrypted data from said memory structure.

28. A method for processing a data stream within a computer system having a central processing unit and a structure outside the central processing unit coupled thereto, said method comprising:

(a) receiving the data stream at the central processing unit (CPU);

(b) encrypting identified copyright data within the data stream to produce encrypted data;

(c) subsequent to said encrypting (b), transferring the encrypted data from the central processing unit to the structure coupled thereto, wherein said copyright data is only transferred from the central processing unit as said encrypted data; and

(d) retrieving the encrypted data from the structure coupled to the CPU and decrypting the encrypted data to produce clear data, said decrypting occurring after transfer of the encrypted data to the structure outside the central processing unit, wherein said clear data is unexposed within the computer system when transferred between the central processing unit and the structure coupled thereto.

29. The method of claim 28, further comprising identifying within the central processing unit said copyright data of the data stream for use by said encrypting (b).

30. The method of claim 29, wherein said data stream comprises a scrambled data stream, and said method further comprises descrambling the scrambled data stream prior to said identifying of the copyright data, and wherein said scrambled data stream is produced from a different encryption algorithm than employed by said encrypting (b).

31. The method of claim 28, wherein said encrypting (b) includes employing a key in encrypting said identified copyright data and providing said key to said decrypting (d).

32. The method of claim 31, wherein said encrypting (b) further comprises encrypting said key to produce an encrypted key, and multiplexing the encrypted key and the encrypted data into a multiplexed data stream for transfer to said structure coupled to the CPU, and wherein said decrypting (d) further comprises demultiplexing said multiplexed data stream to obtain said encrypted key and said encrypted data, and wherein said decrypting (d) further comprises decrypting said encrypted key for use in decrypting said encrypted data.

33. The method of claim 28, further comprising selecting an encryption/decryption algorithm pair from a plurality of predefined encryption/decryption algorithm pairs, and wherein said encrypting (b) comprises employing an encryption algorithm of said selected encryption/decryption algorithm pair in encrypting said identified copyright data, and said decrypting (d) comprises employing a corresponding decryption algorithm of said selected encryption/decryption algorithm pair for use in decrypting the encrypted data.

34. A computer program producing comprising a computer usable medium having computer readable program code means therein for use in processing a scrambled data stream within a computer system having a central processing unit and a structure coupled thereto, said computer readable program code means in said computer program product comprising:

computer readable program code means for causing a computer to affect receiving of the scrambled data stream at the central processing unit and for descrambling the scrambled data stream within the central processing unit to produce clear data, and for re-encrypting the clear data within the central processing unit to produce at least partially encrypted data;

computer readable program code means for causing a computer to affect transferring of said at least partially encrypted data from the central processing unit to the structure coupled thereto; and

computer readable program code means for causing a computer to affect retrieving of the at least partially encrypted data from the structure coupled to the CPU and for decrypting the at least partially encrypted data, said decrypting producing clear data, wherein said clear data is unexposed when transferred from the central processing unit to the structure coupled thereto, while said descrambling occurs within the central processing unit.

35. The computer readable program code means of claim 34, wherein the scrambled data stream comprises a scrambled, encoded data stream, and wherein said computer readable program code means in said computer program product further comprises computer readable program code means for causing a computer to affect decoding of clear, encoded data produced by said computer readable program code means for decrypting the at least partially encrypted data.

36. The computer readable program code means of claim 35, wherein said scrambled, encoded data stream comprises a CSS scrambled, MPEG encoded data stream and wherein said computer readable code means for descrambling said scrambled, encoded data stream comprises computer readable program code means for causing a computer to affect CSS descrambling of the scrambled, encoded data stream, and wherein said computer readable program code means for decoding comprises computer readable program code means for causing a computer to affect MPEG decoding of said clear, encoded data stream.

37. A computer program product comprising a computer useable medium having computer readable program code means therein for use in processing a data stream within a computer system having a central processing unit and a structure outside the central processing unit coupled thereto, said computer readable program code means in said computer program product comprising:

computer readable program code means for causing a computer to affect receiving of the data stream at the central processing unit and encrypting of identified copyright data within the data stream to produce encrypted data;

computer readable program code means for causing a computer to affect transferring of the encrypted data from the central processing unit to the structure outside the central processing unit; and

computer readable program code means for causing a computer to affect retrieving and decrypting of the encrypted data after transfer to the structure outside the central processing unit, wherein clear data is unexposed within the computer system when transferred between the central processing unit and the structure coupled thereto.

38. The computer readable program code means of claim 37, further comprising computer readable program code means for causing a computer to affect identifying said copyright data of the data stream for encrypting.

39. The computer readable program code means of claim 37, wherein said computer readable program code means for encrypting the identified copyright data includes computer readable program code means for causing a computer to affect said encrypting using a key and for providing said key to said computer readable program code means for decrypting the encrypted data.

40. The computer readable program code means of claim 39, wherein said computer readable program code means for encrypting comprises computer readable program code means for causing a computer to affect encrypting of said key to produce an encrypted key, and for multiplexing the encrypted key and the encrypted data into a multiplexed data stream for transfer to said structure coupled to the CPU, and wherein said computer readable program code means for decrypting comprises computer readable program code means for causing a computer to affect demultiplexing of the multiplexed data stream to obtain said encrypted key and said encrypted data, and for decrypting the encrypted key for use in decrypting the encrypted data.

41. The computer readable program code means of claim 37, further comprising computer readable program code means for causing a computer to affect selecting an encryption/decryption algorithm pair for use in encrypting said identified copyright data and decrypting said encrypted data, said selected encryption/decryption algorithm pair being selected from a plurality of predefined encryption/decryption algorithm pairs, and further comprising computer readable program code means for causing a computer to affect noticing of a corresponding decryption algorithm of the selected encryption/decryption algorithm pair to said computer readable program code means for decrypting the encrypted data.

Description

TECHNICAL FIELD

The present invention relates in general to apparatus and method for protecting digital video/audio data and, more particularly, to an apparatus, method and computer program product for encryption/decryption of data within a computer system for communication from a CPU to an accessible internal structure, such as memory or a bus, without exposing the data in unscrambled form at the accessible structure.

BACKGROUND OF THE INVENTION

Within the past decade, the advent of world-wide electronic communications systems has enhanced the way in which people can send and receive information. In particular, the capabilities of real-time video and audio systems have greatly improved in recent years. In order to provide services such as video-on-demand, video conferencing, and digital video disc (DVD) motion pictures, an enormous amount of bandwidth is required. In fact, bandwidth is often the main inhibitor in the effectiveness of such systems.

In order to overcome the constraints imposed by existing technology, compression systems have emerged. These systems reduce the amount of video and audio data which must be transmitted by removing redundancy in the picture sequence. At the receiving end, the picture sequence is uncompressed and may be displayed in real time.

One example of an emerging video compression standard is the Moving Picture Experts Group ("MPEG") standard. Within the MPEG standard, video compression is defined both within a picture and between pictures. Video compression within a picture is accomplished by conversion of the digital image from the time domain to the frequency domain by a discrete cosine transform, quantization, variable length coding, and Huffman coding. Video compression between pictures is accomplished via a process referred to as "motion estimation", in which a motion vector plus difference data is used to describe the translation of a set of picture elements from one picture to another. The ISO MPEG2 standard specifies only the syntax of bitstream and semantics of the decoding process. The particular choice of coding parameters and tradeoffs in performance versus complexity is left to the system developers.

Digital Versatile Disc (DVD) is an emerging technology which due to its nature, requires extensive encryption in order to protect the data, such as a motion picture, against unauthorized copying.

DVD is a specification for the content of video, audio and other compressed data to be used as playback video, audio and, for example, subtitle data by a DVD decoder. The DVD video data is specified in the Moving Picture Experts Group (MPEG) standard (ISO/IEC 13818-2). As well as being represented by this standard, the data is also encrypted using the industry's Content Scrambling System (CSS), which produces an encrypted, encoded data stream for DVD playback. The data stream can be decrypted by hardware licensed to perform CSS decryption. Conventionally, CSS decryption occurs at a PCI card, which also conventionally includes MPEG decompression of the encrypted, encoded data signal.

The present invention is directed in one particular aspect to improving upon this conventional DVD processing of the encrypted, encoded data stream.

DISCLOSURE OF THE INVENTION

Briefly summarized, this invention comprises in a first aspect apparatus for processing a scrambled data stream within a computer system having a central processing unit (CPU) coupled to receive the scrambled data stream. The apparatus includes a descrambling means within the central processing unit to descramble the received, scrambled data stream and thereby produce a clear data stream. Re-encryption means also within the central processing unit re-encrypts the clear data stream to produce an encrypted data stream, wherein the scrambled data stream is produced from a different encryption algorithm than the encrypted data stream. Means are provided for transferring the encrypted data stream from the central processing unit to a second structure of the computer system, the second structure being coupled to the CPU. Decryption means coupled to the second structure receives the encrypted data stream for decrypting and produces the clear data stream therefrom, wherein the clear data stream is unexposed when transferred from the central processing unit to the second structure coupled to the CPU, while the descrambling means within the central processing unit accomplishes software descrambling of the received, scrambled data stream.

In another aspect, apparatus is provided for processing a data stream within a computer system having a central processing unit coupled to receive the data stream. The apparatus includes encryption means within the CPU for encrypting identified copyright data within the data stream to produce therefrom encrypted data. Means are provided for transferring the encrypted data from the central processing unit to a structure of the computer system coupled thereto, wherein the copyright data is only transferred from the CPU as said encrypted data. Decryption means are coupled to the structure receiving the encrypted data for decrypting the encrypted data.

Various enhancements to each of the aspects summarized above are also described and claimed. In addition, corresponding methods and computer program products are presented and claimed.

To restate, in accordance with this invention clear data, whether compressed or uncompressed, is not allowed to be resident in an accessible computer system structure, such as a host memory buffer or system bus to prevent theft of the clear data. The invention is particularly applicable to MPEG encoded and CSS encrypted video data such as employed by digital video disc (DVD) technology. The decryption techniques presented herein allow for subsequent changes, for example, through the flexibility of downloading new microcode, of an encryption/decryption algorithm pair. In addition, the particular scrambling/descrambling algorithm employed may vary. The concept is to initiate the descrambling process by host software, rescramble the data at the central processing unit using a different encryption technique, and then complete the descrambling at the receiving module, whether the receiving module comprises an additional software module executing on the central processing unit or a receiving hardware device, such as a decoder resident on a system bus coupled to the central processing unit. The rescrambling subsequent to primary software descrambling of the received encrypted data may be complete or partial. At the receiving module, the rescrambled data can be decrypted for display, output via an audio card, or undergo further processing.

BRIEF DESCRIPTION OF THE DRAWINGS

The above-described objects, advantages and features of the present invention, as well as others, will be more readily understood from the following detailed description of certain preferred embodiments of the invention, when considered in conjunction with the accompanying drawings in which:

FIG. 1 depicts one embodiment of a computer system employing encryption/decryption apparatus in accordance with the present invention;

FIG. 2 is a flowchart of one embodiment for accomplishing encryption/decryption processing in accordance with the present invention;

FIG. 3 is a block diagram of one embodiment for updating keys within the encryption and decryption modules and/or devices of an apparatus in accordance with the present invention; and

FIG. 4 is a representation of one embodiment of DVD disc data stream processing using microcode in accordance with the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

Generally stated, the present invention comprises an apparatus, method and computer program product for processing a data stream scrambled, for example, by employing content scrambling system (CSS) technology. As one aspect, the invention comprises descrambling a received CSS encrypted signal at a central processing unit without subsequently exposing a clear copy of the descrambled data in any accessible structure outside the CPU, such as memory or a system bus. This insures that information to be protected, such as security data or copyrighted material (herein collectively referred to as "copyright data"), will not be exposed at a point where illegal copying of the original data stream is feasible (e.g., during data transfer) while still allowing software descrambling of the CSS encrypted stream. In a specific example discussed herein, the encrypted stream might also comprise an encoded stream of video/audio data compressed employing the Moving Picture Experts Group (MPEG) standard (IOS/IEC 13818-2).

In accordance with the present invention, a primary software module within a central processing unit conducts CSS descrambling and then encrypts the data stream using a selected encryption/decryption algorithm before sending any copyright data to a software module and/or hardware device outside the CPU, for example, through memory or a system bus. The external software module and/or hardware device receiving the re-encrypted data stream then decrypts the stream and processes it, e.g., for display in the case of video data or output to an audio card in the case of audio data.

Briefly summarized, the processing involved herein includes determining at the primary software module whether data needs to be protected during subsequent transmission from the computer system's CPU. If "yes", then the primary module communicates to the software module and/or hardware device ultimately to receive the stream of data to establish an encryption/decryption algorithm pair. This communication may involve downloading the decryption algorithm into the receiving software module and/or hardware device or signaling the decrypting software/hardware which decryption algorithm from a plurality of predefined encryption/decryption algorithm pairs is to be used. The primary module uses the selected encryption algorithm to re-encrypt the descrambled data for transfer through any accessible structure, such as memory and/or system buses, to the receiving software module and/or hardware device which is to accomplish the final decryption. The receiving module, which may also be located within the central processing unit, then decrypts the data and performs conventional processing thereon. As an alternative example, the re-encrypted data from the central processing unit may be sent through system memory and/or a system bus to a video decoder for descrambling and then decoding of the data, e.g., for display.

FIG. 1 depicts one embodiment of a computer system to employ apparatus in accordance with the present invention. A primary software module 10 and a secondary (or receiving) processing software module 20 are each executed within the computer system's central processing unit (CPU). A processing unit hardware device 30 (such as a decoder) resides on one of the buses 26 of the computer system. Communication between primary software module 10 and software module 20 and/or processing hardware 30 requires data transfer through memory 25 and/or system bus 26, both located outside the CPU 11. Software module 10 contains a data processing module 21 and an encryption module 22. Data processing module 21 comprises any conventional processing to be done to the data stream, and in accordance with the present invention, also includes descrambling (such as CSS descrambling) of a received encrypted, original data stream. Processing module 20 contains a decryption module 23 and a processing module 24, while processing hardware device 30 includes a decryption device 27 and a data processing device 28.

Original data arrives at the central processing unit 11, for example, from an external storage device or from a computer system network. This data may contain a portion which needs to be protected from illegal copying. This portion is denoted "copyright data" herein to distinguish it from the original data. If the entire original data needs to be protected, then the copyright data is equivalent to the original data. The original data is first transferred to the input of module 10 for processing by data processing 21. Again, for example, this may include descrambling of CSS encrypted original data. The identified copyright data is then re-encrypted by encryption module 22 using a different encryption algorithm, i.e., an encryption algorithm other than CSS encryption. The original data passing through module 10 can comprise an unencrypted data stream or an encrypted data stream. In the first case, processing module 21 processes the original data and encryption module 22 performs an encryption algorithm to encrypt any copyright data. By way of example, the encryption algorithm could be of the type described in B. Schneier, Applied Cryptography, John Wiley & Sons Inc., 2nd Ed. (1996).

In the second case, processing module 21 can decrypt the original data, after which encryption module 22 would re-encrypt the copyright portion of it using a selected encryption algorithm, which again can be of the type described in Applied Cryptography. This procedure is called trans-encryption. Alternatively, processing module 21 can choose not to decrypt the original data and module 22 could then encrypt on top of the originally encrypted copyright data. This procedure is referred to as layer-encryption. Advantageously, trans-encryption allows the encryption algorithm employed within the computer system in accordance with this invention to be different from that employed by the original data, e.g., CSS encryption. Layer-encryption allows multiple encryption algorithms to be employed, thereby enhancing security.

The encrypted copyright data can be transferred to/through system memory 25 and/or system bus 26 for ultimate receipt by secondary processing module 20 and/or processing hardware device 30. As noted above, module 20 has a decryption module 23 and a data processing module 24, while hardware device 30 contains a decryption device 27 and a data processing device 28. Decryption module 23 and/or device 27 decrypts the data encrypted by encryption module 22. The decrypted data is then processed by the data processing module 24 and/or data processing device 28, respectively.

The encryption/decryption algorithm pair employed by encryption module 22 and decryption module 23 (and/or device 27) can be a default algorithm pair predefined in the design stage of modules 10 & 20 and/or hardware device 30. Alternatively, the algorithm pair can be a downloadable algorithm.

For example, there can be multiple encryption algorithms built into encryption module 22 and multiple decryption modules built into decryption module 23 and/or decryption device 27. Only one matched pair will be used at any given time. Before encryption, the encryption module 22 sends a signal to module 23 and/or device 27 to notice them which particular algorithm module 22 will employ. This signal can be in the form of a software parameter, or a software or a hardware interrupt. The decryption module 23 and/or decryption device 27 then employs the corresponding decryption algorithm of the selected encryption/decryption algorithm pair. Since no actual algorithm content is passed between the modules and devices, the actual encryption algorithm employed will not be known unless reverse engineering is performed within the software modules and/or the hardware devices.

Alternatively, encryption module 22 and decryption module 23 (or decryption device 27) can be predefined at the design stage to include a resident encryption/decryption routine. Before encryption, module 22 would decide on an actual encryption and decryption algorithm pair to be used. Module 22 would use the resident encryption algorithm to encrypt the actual decryption routine of the selected algorithm pair to be used by the decryption module 23 and/or decryption device 27. The encryption module 22 then transmits the encrypted version of the actual decryption algorithm to module 23 and/or device 27. Upon receipt of this information, the decryption module 23 and/or device 27 employs the resident decryption algorithm to decrypt the downloaded decryption algorithm. Module 23 then uses the descrambled decryption algorithm as a procedure call, while device 27 could load the algorithm into a programmable circuit within device 27. After completing downloading of the actual decryption algorithm, module 22 uses the actual encryption algorithm to encrypt the data, and module 23 and/or device 27 employs the downloaded decryption routine to decrypt the data. If an update of the encryption/decryption routine is desired, then a different encryption/decryption algorithm pair is selected and encryption module 22 downloads the corresponding decryption algorithm into the decryption module 23 and/or decryption device 27.

After decryption is performed, the receiving data processing module 24 and/or device 28 performs any required data processing, such as MPEG decoding of a clear, compressed video/audio data signal.

FIG. 2 depicts a flowchart of one embodiment of processing to establish encryption and decryption procedures to secure the data in accordance with the present invention using the apparatus of FIG. 1. This processing flow is started when original data enters the input of software module 10 (FIG. 1). Module 10 initially determines whether the received data needs to be protected 50. If "no", then module 22 communicates the data directly to secondary module 20 and/or device 30 at step 60. For example, in a DVD application, module 10 can examine the Copy Generation Management System (CGMS) data. If the received data needs to be protected, then at step 51 processing communicates from module 22 to decryption module 23 and/or decryption device 27 that decryption is needed prior to use of the data.

Next, processing determines whether a decryption algorithm needs to be downloaded (step 52). If "no", meaning that a default decryption algorithm is to be used, processing proceeds directly to step 54. Otherwise, the algorithm is downloaded into decryption module 23 and/or decryption device 27 at step 53.

After establishing the decryption algorithm, encryption module 22 communicates a key to decryption module 23 and/or decryption device 27 (step 54), and uses the key and the encryption algorithm to encrypt the copyright data (step 55). The encrypted key and encrypted data can be sent as a single bitstream, or separately, to module 23 and/or device 27 by way of system memory and/or a system bus. At step 56, the decryption module 23 and/or decryption device 27 uses the chosen or the downloaded algorithm to decrypt the data. Module 22 then determines whether the encryption key should be updated 57. If "no", the encryption and decryption processing steps 55 & 56 are repeated. If desired, the same encryption key can be used until the end of the data stream transmission. Otherwise, return is made to step 54 for communication of a new encryption key to module 23 and/or device 27.

FIG. 3 depicts one embodiment of apparatus/processing for updating encryption keys pursuant to steps 54 through 57 of FIG. 2. Within module 22 there is a key generation module 79, a key encryption module 80, a data encryption module 81 and a data multiplexer module 82. Key generation module 79 generates an original key which is encrypted by module 80 and also used by module 81 to encrypt the original data. Data multiplexer 82 combines the encrypted key and the encrypted data into one data stream, which is then transmitted through memory and/or system bus 83 to the decryption module 23 and/or decryption device 27. The decryption module 23 and decryption device 27 contains a data demultiplexer module/device 84, a key decryption module/device 85 and a data decryption module/device 86. The data demultiplexer module/device 84 decouples the received data stream into the encrypted data and the encrypted key. The key is then decrypted by key decryption module/device 85 to produce the original key. Data decryption module 86 uses the original key to decrypt the encrypted data.

FIG. 4 depicts a further embodiment of processing in accordance with the present invention. In this embodiment, rescrambling of the data stream is employed after CSS decryption, along with subsequent descrambling of the re-encrypted stream prior to decompression decoding in a decoder chip. The processings described are preferably accomplished within on-chip microcode.

More particularly, a bit stream is read from a DVD disc 100 into a host processor 110 where a central processing unit conducts DVD descrambling using licensed DVD keys 112. An optional tamper resistance algorithm 114 can be employed to protect the subsequent encryption process. The clear, encoded bit stream is then rescrambled 116 using any available encrypting/decrypting algorithm, i.e., other than CSS encoding. This rescrambled data is delivered to the decoder, for example, an MPEG video decoder 128. Descrambling occurs within decoder 128 subsequent to a microcode load 124 containing the corresponding bit stream descrambling microcode. The exact portions of the stream which are scrambled and then descrambled, as well as the algorithm used, may vary from release to release of the code. The data stream may comprise an MPEG video data stream 118 wherein in one embodiment one or more fields of each picture 120 are scrambled in accordance with bit stream rescramble 116 processing such that the data stream is at least partially re-encrypted subsequent to the DVD descrambling processing 112. A decryption key 122 as well as the microcode load 124 are sent along with the video data stream to bit stream descramble logic 126 within the video decoder 128.

Those skilled in the art will note from the above discussion that in accordance with this invention, clear data (uncompressed or compressed) is never resident in an accessible computer system structure, such as a host memory buffer or system bus, thereby inhibiting theft of the clear data. The invention is particularly applicable to MPEG encoded and CSS encrypted video data such as employed by digital video disc technology. The decryption techniques presented herein allow for subsequent changes, e.g., through the flexibility of new microcode loads, of a decryption algorithm which may have been broken. In addition, the particular scrambling/descrambling algorithm employed by the rescrambling technique of the present invention may vary. The concept is to begin the descrambling process by host software, rescramble the data at the CPU using a different encryption technique, and then complete the descrambling at the receiving module, whether the receiving module comprises an additional software module or a receiving hardware device, such as a decoder. The rescrambling subsequent to primary software descrambling of the received encrypted data may be complete or partial. For example, in one embodiment, certain MPEG data can be scrambled by the host software. The host would then transmit the appropriate descrambling microcode loads or a single microcode load with an appropriate key or keys to the receiving module or receiving hardware device. At the receive module, the microcode performs the inverse of the scrambling algorithm used by the host. The key may be static or accumulated.

Further, those skilled in the art will note that the present invention can be included in an article of manufacture (e.g., one or more computer program products) having, for instance, computer useable media. The media has embodied therein, for instance, computer readable program code means for providing and facilitating the capabilities of the present invention. The articles manufactured can be included as part of the computer system or sold separately.

The flow diagrams depicted herein are provided by way of example. There may be many variations to these diagrams or the steps or operations described herein without departing from the spirit of the invention. For instance, in certain cases the steps may be performed in differing order, or steps may be added, deleted or modified. Further, although described principally herein with reference to a single primary module, a single receiving processing module, and a single processing hardware device, multiple modules and devices of each type may be employed as apparatus in accordance with the present invention. All these variations are considered to comprise part of the present invention as recited in the appended claims.

While the invention has been described in detail herein in accordance with certain preferred embodiments thereof, many modifications and changes therein may be effected by those skilled in the art. Accordingly, it is intended by the appended claims to cover all such modifications and changes as fall within the true spirit and scope of the invention.

Top

Intern'l Class:	H04N 007/167
Field of Search:	380/3,4,49,5,10 369/84