MXPA06009708A - Secure negotiation and encryption module - Google Patents

Secure negotiation and encryption module

Publication number
MXPA06009708A
Authority
MX
Mexico
Prior art keywords
key
content
encrypted
stream
processor
Prior art date
Application number
MXPA/A/2006/009708A
Other languages
Spanish (es)
Inventor
A Sedacca David
Original Assignee
A Sedacca David
Abstract

A digital subscriber communication terminal includes an adaptive output interface having a device key set, which, along with a subscriber device coupled to the adaptive output interface, determines a "shared secret." The adaptive output interface uses the "shared secret" to encrypt content and transmits the content to the subscriber device coupled to the adaptive output interface. The digital subscriber communications terminal includes a processor, a memory having an encrypted device key set and an encrypted device key set decryptor stored therein and a secure element having a key decryptor. The secure element is adapted to receive the encrypted device key set decryptor and use the key decryptor to decrypt the encrypted device key set decryptor. The device key set decryptor is provided to the processor, which decrypts the encrypted device key set using the device key set decryptor, and the device key set is loaded into the adaptive output interface.

Description

SECURE NEGOTIATION AND ENCRYPTION MODULE
Field of the Invention
The present invention relates in general to cable television and more particularly to a digital subscriber communication terminal adapted to transmit protected digital content to a subscriber's device.
BACKGROUND OF THE INVENTION
Subscriber television systems typically employ a receiver, an overlay terminal, or a digital subscriber communication terminal (DSCT) at the subscriber's location, which receives and decodes the programming transmitted to the user from a central facility (commonly referred to in the industry as the "main end") through a wired infrastructure such as a cable, or through a wireless network. Typically, the DSCT includes a receiver, a decoder, and processing circuitry. The DSCT has the ability to receive the programming information through the network and transform the received signal into a format that can be presented to the viewer on a display such as a television.
Currently, subscriber television systems often transmit high-quality digital content to the subscriber's DSCT. Many subscribers have digital equipment, such as personal computers, that they can use to copy digital content virtually free of errors. In order to protect the copyright of the digital content, it is desirable to have a measure that prevents the uncontrolled copying of the digital content received at the DSCT.
BRIEF DESCRIPTION OF THE DRAWINGS
The preferred embodiment of the invention, as defined in the claims, will be better understood by referring to the following drawings. The components within the drawings are not necessarily to scale relative to one another; emphasis is instead placed on clearly illustrating the principles of the present invention.
Figure 1 is a block diagram illustrating the architecture of the cable television system, in accordance with one embodiment.
Figure 2 is a block diagram illustrating a DSCT, in accordance with one embodiment.
Figure 3 is a block diagram of a secure element in a DSCT, in accordance with one embodiment.
Figure 4 is a flow diagram illustrating the procedure for loading a device key set, in accordance with one embodiment.
Figure 5 is a flow diagram illustrating the process for transmitting content to a subscriber device, in accordance with one embodiment.
Detailed Description of the Invention
Figure 1 is a block diagram illustrating the architecture of a subscriber television system (STS), in which a preferred embodiment of the invention resides, among others. The subscriber television system 100 includes a central distribution point, or main end 102, connected through a network 104 with the digital subscriber communication terminal (DSCT) 106. The main end 102 is responsible for, among other things, scheduling the distribution and providing control functions to the DSCT 106. The control functions include the assignment of program entitlements to the DSCT 106, that is, granting the DSCT authorization to access programs.
The network 104 may be a wired network or a wireless network. Wired networks include, among others, fiber optic networks, coaxial cable networks and/or a combination of fiber and coaxial cable. Wireless networks include satellite networks and microwave networks, among others. The network 104 includes many intermediate devices (not shown) for two-way communication between the main end 102 and the DSCT 106. In-band communication is transmitted downstream on multiple quadrature amplitude modulation (QAM) channels from the main end 102 to the DSCT 106. The network 104 also includes a bidirectional quadrature phase shift keying (QPSK) communication channel, over which information is exchanged between the main end 102 and the DSCT 106. The exchange of information over the QPSK channel of the network 104 is independent of the QAM channel to which the DSCT 106 is tuned.
The DSCT 106 receives the digital content from the main end 102. Typically, digital content is encrypted with the use of encryption techniques well known to those skilled in the art. The United States Patent entitled "Conditional Access System", Patent No. 6,510,519, which is incorporated herein by reference in its entirety, provides details of an acceptable example, among others, for encrypting and decrypting the content in a subscriber television system. Among other things, in such an example, the DSCT 106 receives long-term keys and entitlements from the main end. The entitlements grant the DSCT the right to access the selected digital content. When the DSCT 106 is entitled to access the selected content, the long-term keys are used to decrypt the encrypted content to which the DSCT 106 is entitled. In order to have access to a particular program/service carried in the digital content, the DSCT 106 must have the correct entitlement for the particular program/service and the necessary long-term key.
The DSCT 106 provides the digital content to the subscriber device 108, for example and without limitation a high definition television (HDTV) 108, digital audio equipment, or other devices adapted to receive the digital content, such as a digital recorder. Those skilled in the art will appreciate that in alternative embodiments the DSCT can be located in a variety of equipment, including, but not limited to, a computer, a TV, a monitor or an MPEG decoder, among others.
With reference to Figure 2, the DSCT 106 preferably includes a bus 211, a user interface 202, a processor 204, a memory 206, a secure element 208, a transceiver 210, a tuner 212, a demultiplexer 214, a cryptographic device 216, a converter 218, and an adaptive output interface (AOI) 220. User interfaces are well known to those skilled in the art; non-limiting examples of user interfaces include keypads and combined remote control / infrared detector pairs. A subscriber uses the user interface 202 to enter commands such as selecting a "program channel".
It should be noted that a digital program can be, and often is, carried along with other digital programs in a transport stream, and the transport stream is transmitted at a particular frequency over one of the QAM channels in the network 104, as an in-band communication from the main end 102 to the DSCT 106. In a cable network, only one analog program is transmitted at a given frequency within a 6-megahertz-wide frequency band. Digital programs, on the other hand, are compressible, and a single 6-megahertz frequency band can carry multiple digital programs. For purposes of this description, a "program channel" refers to a stream of digital content, which may or may not be multiplexed with other digital content.
For purposes of this description, the digital content is described in terms of Motion Pictures Experts Group (MPEG) protocols, which are well known to those skilled in the art. However, the MPEG content is used for illustrative purposes only and is a non-limiting example of digital content. The embodiments of the present invention are intended to encompass all forms of digital content.
Once the subscriber has selected a program channel, the processor 204 uses the MPEG tables, such as network information tables and other system tables, which are stored in memory 206, to determine the frequency band that carries the selected program channel. In addition to the tables, the memory 206 also includes an encrypted device key set (EDKS) 228 and an encrypted device key set decryptor (EDKSD) 230, both described in detail below.
The transceiver 210 is used for two-way communication with the main end 102. The transceiver 210 receives out-of-band communication, such as entitlement management messages (EMM), which include, among other things, long-term keys and entitlements for the services offered by the STS 100. The processor 204 instructs the tuner 212 to tune to the frequency band that carries the selected program.
The tuned frequency carries the transport stream 222, and the tuner 212 provides the demultiplexer 214 with the transport stream 222. The demultiplexer 214 parses the transport tables from the transport stream 222 and provides the transport tables to the processor 204. The transport tables include conditional access tables (CAT), program association tables (PAT), and program map tables (PMT), which are well known to those skilled in the art. The transport stream 222 also includes entitlement control messages (ECM), which are associated with an encrypted program.
The entitlement control messages provide the decryption information for the program with which they are associated, and the demultiplexer parses the ECMs out of the transport stream 222 and provides the ECMs to the secure element 208. With the use of the transport tables, the processor 204 instructs the demultiplexer to extract the selected program from the transport stream 222. The selected program is carried in a stream of packets, which are identified with packet identifiers (PID). The processor 204 determines the PIDs of the packets carrying the selected program, and the demultiplexer 214 passes the received packets having matching PIDs to the cryptographic device 216.
The cryptographic device 216 receives a string of control words from the secure element 208. Each control word is used to decrypt a portion of the selected program. Typically, each control word in the control word string is used to decrypt a minute or less of a program. The cryptographic device 216 provides the deciphered output to the converter 218 and the adaptive output interface (AOI) 220. The converter 218 converts digital content from a digital format to a format for a non-digital subscriber device, such as an analog TV that includes analog stereo, an analog stereo system, or a radio frequency (RF) output.
The AOI 220 is in two-way communication with the subscriber's device 108 through a communication link 224, and supports output of the content in accordance with standards such as, without limitation, "digital video interface (DVI)", "digital transmission content protection (DTCP)", and "high bandwidth digital content protection (HDCP)". A digital video interface (DVI) and an IEEE 1394 interface (FireWire) are two non-limiting examples of the interfaces used in the AOI 220. In one embodiment, the AOI 220 is incorporated into an ASIC. The AOI can be implemented in software, in hardware or in a combination thereof.
In another preferred embodiment, the AOI is implemented in software or firmware, which is stored in a memory and executed by an appropriate instruction execution system (microprocessor). When implemented in hardware, as in an alternative embodiment, the AOI can be implemented with any or a combination of the following technologies, which are well known in the art: a discrete logic circuit having logic gates to implement logic functions on data signals, an application-specific integrated circuit having appropriate logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), etc.
The AOI 220 includes a device key set (DKS) 226. Typically, the DKS 226 is loaded into the AOI 220 during startup of the DSCT 106. However, the DKS 226 can also be loaded into the AOI 220 as necessary.
The AOI 220 includes a network monitoring module (NMM) 232, which determines whether or not the subscriber's device is coupled with the communication link 224. When the NMM 232 determines that the subscriber's device is coupled with the communication link 224, the NMM 232 and the subscriber's device establish communication with the use of protocols well known to those skilled in the art, such as, but not limited to, Extended Display Identification Data (EDID). With the use of the information from the DKS 226, the NMM 232 determines whether the subscriber's device is authorized to receive the digital content. An authorized subscriber device will include a device key set, which is typically provided to the device during its manufacture. A consortium of digital content providers or a manufacturer consortium provides the device key sets to the "authorized" manufacturers of digital subscriber devices. The "consortium" determines who is authorized to receive device key sets. Unauthorized manufacturers are not provided with device key sets.
The consortium establishes the protocols by which the NMM uses the device key sets to determine "shared secrets" and the protocols for encrypting/decrypting the content. Non-limiting examples of the protocols used in the NMM include High Bandwidth Digital Content Protection (HDCP), Digital Transmission Content Protection (DTCP), and the OpenCable CableCARD Copy Protection System. Other details can be found in the specifications, such as revision 1.1 of HDCP, which can be downloaded from www.digital-cp.com and is incorporated here by reference, and version 1.3 of the DTCP specification, which can be downloaded from www.dtcp.com and which is also incorporated here by reference.
The AOI 220 communicates with the subscriber's device 108, and together they use elements of the DKS 226 and the corresponding private information of the subscriber's device 108 to determine the "shared secret". The shared secret is then used in the encryption of the digital content transmitted from the AOI 220 to the subscriber's device 108. The shared secret can be used to encrypt digital content, or alternatively, can be used to generate control words to encrypt digital content. The digital content is encrypted with the use of encryption algorithms well known to those skilled in the art, such as, but not limited to, the Data Encryption Standard (DES) and the Triple Data Encryption Standard (3DES), among others.
With reference to Figure 3, the secure element 208 includes a processor 302 and a memory 304. The processor 302 and the memory 304 are housed in a tamper-resistant package 306, which protects the content of the secure element 208 from unauthorized access. The memory 304, which is accessible only to the processor 302, includes entitlements 308, keys 310 and private keys 312. Typically, the keys 310 include public (asymmetric) keys belonging to the main end 102 and symmetric keys, such as, without limitation, long-term keys provided by the main end 102.
Public keys are generally used, among other things, to verify the digital signature of a message that has been signed with a corresponding private key.
Public key / private key pairs are well known to those skilled in the art and will not be described in detail. RSA is a non-limiting example of an encryption scheme that uses asymmetric public key / private key pairs. Briefly described, asymmetric key pairs such as public key / private key pairs are used to encrypt and digitally sign content. Content encrypted with the public key of a public key / private key pair can only be decrypted with the corresponding private key. Content digitally signed with a private key can be verified with the corresponding public key. Private keys are kept private/secure, and public keys are distributed.
The symmetric keys included in the keys 310 are, in general, used for, among other things, processing the content of an ECM to generate a control word.
The entitlements 308 map the permissions granted to the programs/services provided by the STS 100. For example, when a subscriber selects a certain program, such as a pay-per-view movie, the processor 302 determines whether the DSCT 106 has been granted permission to access the particular program by reviewing the entitlements 308. The processor 302 generates control words to decipher the particular program when, and only when, the entitlements 308 indicate that the DSCT 106 has been granted permission to access the selected program.
The secure element 208 receives from the demultiplexer 214 a string of entitlement control messages (ECM), which are associated with the program, and the ECMs include a decoder to generate control words associated with the selected program. The processor 302 determines whether the DSCT 106 is authorized to access the selected program with the use of the entitlements 308, and if so, the processor 302 uses a long-term key from the keys 310 to generate the control word with the use of the decoder included in the entitlement control messages. The control word is then provided to the cryptographic device 216.
The private keys 312 belong to the DSCT 106 and are never shared with any processor other than the processor 302. The private keys 312 are provided to the memory 304 during the manufacture of the secure element 208, and the device that provides the private keys does not retain a copy of any of the private keys. The private keys 312 include a plurality of private keys, such as a message private key (MPK) 314 and a key-decryptor private key (KDPK) 316.
The main end 102 often sends messages such as entitlement management messages (EMM) to the DSCT 106, and often the contents of the EMMs are encrypted with the use of the public key corresponding to the MPK 314. The processor 302 uses the MPK 314 to decrypt the message content. Typically, EMMs include one of the keys 310, or instructions for adding an entitlement, removing an entitlement, or deleting one of the keys 310. In that case, the EMM or a selected portion thereof is provided to the secure element 208 by the processor 204. The processor 302 uses the MPK to decrypt the EMM (or a portion thereof) and change the entitlements 308 or add or delete a key 310. In general, there is no observable output from the secure element 208 when processing an EMM or a portion of an EMM.
Sometimes, the secure element 208 does emit decrypted content. When it does, the secure element 208 receives from the processor 204 a block of encrypted content and the processor 302 uses the KDPK 316 to decrypt the block. The decrypted block is output to the processor 204. In general, the decrypted block includes content material and padding. The content material is what is to be protected through encryption, and the padding brings the total size of the block to a desired size for encryption.
Among other things, the KDPK 316 is used to decrypt the EDKSD 230. In a preferred embodiment, during the manufacture of the DSCT 106, the secure element 208 is securely provided with the KDPK 316 by a key granting authority.
The key granting authority retains a copy of the public key corresponding to KDPK 316, but does not retain a copy of KDPK 316. The key granting authority, which also has authority from the "consortium" to install device key sets in the DSCT, generates a key, a device key set decryptor (DKSD), and uses the DKSD key to encrypt a device key set, which is then stored in the memory 206 as the encrypted device key set (EDKS) 228. The key granting authority then uses the public key corresponding to KDPK 232 to encrypt the DKSD key, and the encrypted key is stored in memory 206 as EDKSD 230. The key granting authority then destroys its copy of the DKSD. Because the DSCT 106 is the only device that has the private key (KDPK 316), the DSCT 106 is the only device that can decrypt the EDKSD 230 and, therefore, the only device that can decrypt the EDKS 228.
In an alternative embodiment, the key granting authority uses asymmetric keys to encrypt/decrypt the device key set. In that case, the key granting authority generates an encryption key to encrypt the device key set and a decryption key to decrypt the device key set. The key granting authority then encrypts the device key set, which is stored in the memory 206 as the EDKS 228, with the use of the encryption key, and encrypts the decryption key with the use of the public key corresponding to the KDPK 316 of the DSCT 106. The encrypted decryption key is then stored in memory 206 as EDKSD 230. The key granting authority does not retain a copy of the decryption key. Thus, the DSCT 106 is the only device that can decrypt the EDKSD 230.
Figures 4 and 6 are flowcharts that illustrate various aspects of the operation of the DSCT 106. The flowcharts of Figures 4 and 5 show the architecture, functionality and operation of a possible implementation of the DSCT 106.
In this respect, each block represents a module, segment or portion of code comprising one or more executable instructions for implementing the specified logic functions. It should be noted that in some alternative implementations, the functions indicated in the blocks may occur out of the order indicated in Figures 4 and 5. For example, two blocks shown in succession in Figures 4 and 5 may, in fact, be executed essentially concurrently, or the blocks may sometimes be executed in reverse order, depending on the functionality involved, as will be described later.
The logic of the preferred embodiment of the invention can be implemented in software, hardware or a combination thereof. In a preferred embodiment, the logic is implemented in software or firmware that is stored in a memory and executed by an appropriate instruction execution system (microprocessor). When implemented in hardware, as in an alternative embodiment, the AOI, the NMM and the device key set can be implemented with any or a combination of the following technologies, which are well known in the art: a discrete logic circuit having logic gates to implement logic functions on data signals, an application-specific integrated circuit having appropriate logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), etc.
Further, the software, which can comprise an ordered list of executable instructions for implementing logic functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus or device, such as a computer-based system, a system containing a processor, or another system that can fetch the instructions from the instruction execution system, apparatus or device and execute the instructions.
In the context of this document, a "computer-readable medium" can be any means that can contain, store, communicate, propagate or transport the program for use by or in connection with the instruction execution system, apparatus or device. The computer-readable medium may be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or medium. More specific examples (a non-exhaustive list) of the computer-readable medium include the following: an electrical connection (electronic) having one or more wires, a portable computer disk (magnetic), a random access memory (RAM) (electronic), a read-only memory (ROM) (electronic), an erasable programmable read-only memory (EPROM or flash memory) (electronic), an optical fiber (optical), and a portable compact disk read-only memory (CDROM) (optical). It should be noted that the computer-readable medium can be paper or another appropriate medium on which the program is printed, since the program can be captured electronically, for example through an optical scan of the paper or other medium, then compiled, interpreted or otherwise processed as necessary, and stored in the computer's memory.
With reference to Figure 4, the DSCT 106 implements steps 400 for, among other things, loading the DKS 226 into the AOI 220. In step 402, the DSCT 106 is started when the operating system of the DSCT 106 is started or restarted. In step 404, the processor 204 passes the EDKSD 230 to the secure element 208, and in step 406, the processor 302 uses the KDPK 316 to decrypt the EDKSD 230 and generate a device key set decryptor (DKSD). In step 408, the DKSD is passed from the secure element 208 to the processor 204. In step 410, the processor 204 decrypts the EDKS 228 with the use of the DKSD. Typically, the EDKS 228 was encrypted with the use of symmetric encryption algorithms such as, without limitation, DES or 3DES.
It should be noted that the processor 204 is adapted to decrypt the EDKS 228 with the use of the DKSD regardless of whether the EDKS 228 was encrypted with the use of a symmetric encryption algorithm or an asymmetric algorithm. Then, in step 412, the processor 204 provides the DKS 226 to the AOI 220.
In an alternative embodiment, the steps 404-412 do not start upon startup of the DSCT 106. Rather, the AOI 220 includes plug-and-play capabilities so that the AOI 220 can detect the subscriber's device through the communication link 224 in response to the subscriber's device 108 being coupled with the AOI 220. After detecting the subscriber's device 108, the AOI 220 signals the processor 204, which implements steps 404-412.
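The provisioning by the key granting authority and the load sequence of Figure 4 (steps 404-412) can be modelled as follows. This is an added example, not code from the patent. It makes these assumptions: textbook RSA over small constructed primes stands in for the asymmetric scheme, a SHAKE-256 XOR stream stands in for DES/3DES, and the DKSD is derived by hashing a random RSA plaintext so that no padding scheme is needed. All class and function names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # RSA public exponent

# Constructed demo primes (Mersenne primes): far too small and too
# structured for real use, chosen only so the example runs offline.
PRIMES_A = (2**127 - 1, 2**89 - 1)
PRIMES_B = (2**107 - 1, 2**61 - 1)


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (the page names DES/3DES); encrypts and decrypts."""
    pad = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))


def kdf(m: int, n: int) -> bytes:
    """Derive the symmetric DKSD from an RSA plaintext (assumed construction)."""
    return hashlib.sha256(m.to_bytes((n.bit_length() + 7) // 8, "big")).digest()


class SecureElement:
    """Secure element 208: the KDPK is created here and never leaves it."""

    def __init__(self, primes):
        p, q = primes
        n = p * q
        self.public_key = (n, E)
        self._kdpk = (n, pow(E, -1, (p - 1) * (q - 1)))  # private exponent

    def unwrap_dksd(self, edksd: int) -> bytes:
        """Step 406: decrypt the EDKSD with the KDPK and return the DKSD."""
        n, d = self._kdpk
        return kdf(pow(edksd, d, n), n)


def provision(public_key, dks: bytes):
    """Key granting authority: build EDKS and EDKSD for one terminal."""
    n, e = public_key
    m = secrets.randbelow(n - 2) + 2   # fresh secret for this terminal
    dksd = kdf(m, n)
    edks = xor_stream(dksd, dks)       # device key set encrypted under the DKSD
    edksd = pow(m, e, n)               # DKSD wrapped to the terminal's public key
    return edks, edksd                 # m and dksd are discarded on return


class Terminal:
    """DSCT 106: processor 204, memory 206, secure element 208 and AOI 220."""

    def __init__(self, secure_element, edks: bytes, edksd: int):
        self.secure_element = secure_element
        self.memory = {"EDKS": edks, "EDKSD": edksd}  # outside the secure element
        self.aoi_dks = None

    def boot(self) -> bytes:
        # Steps 404-408: the EDKSD goes into the secure element, the DKSD comes out.
        dksd = self.secure_element.unwrap_dksd(self.memory["EDKSD"])
        # Steps 410-412: the host processor decrypts the EDKS and loads the AOI.
        self.aoi_dks = xor_stream(dksd, self.memory["EDKS"])
        return self.aoi_dks


def demo():
    dks = b"constructed-device-key-set-" + bytes(range(32))
    se_a, se_b = SecureElement(PRIMES_A), SecureElement(PRIMES_B)
    edks, edksd = provision(se_a.public_key, dks)
    genuine = Terminal(se_a, edks, edksd).boot()
    # Same memory 206 image placed in a terminal with a different secure element.
    cloned = Terminal(se_b, edks, edksd).boot()
    return dks, edks, genuine, cloned


if __name__ == "__main__":
    dks, edks, genuine, cloned = demo()
    print("provisioned terminal recovers the DKS:", genuine == dks)
    print("copied memory image recovers the DKS:", cloned == dks)
```

The model makes one property of the design visible: after step 408 the DKSD, and after step 410 the DKS itself, are held by the host processor outside the tamper-resistant package, so only the KDPK stays inside the secure element.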
With reference to Figure 5, steps 500 illustrate the steps carried out by the AOI 220 to provide the subscriber device 108 with digital content. In step 502, the AOI 220 detects the subscriber device 108. The AOI 220 and the subscriber device 108 include the logic necessary to implement protocols such as plug and play to communicate over the communication link 224. In step 504, the AOI 220 uses elements of the device key set 226 to determine a secret shared with the subscriber's device 108. The shared secret is only determined when the subscriber device 108 is authorized by the "consortium" to receive the digital content, since only authorized subscriber devices have a compatible device key set. In step 506, the AOI 220 uses the shared secret to encrypt the digital content. The shared secret can be used as the key to encrypt the digital content, or the shared secret can be used to generate the encryption key. In either case, the subscriber device 108 operates in a complementary manner to decipher the content. In step 508, the AOI 220 transmits the encrypted content to the subscriber's device over the communication link 224. The subscriber device 108 can correctly decrypt the content when, and only when, the shared secret has been determined successfully. The AOI 220 can use protocols that prevent the transmission of protected content to the subscriber's device when the shared secret has not been determined.
Those skilled in the art will appreciate that modifications and variations may be made to the preferred embodiments of the invention, as set forth above, without departing substantially from the principles of the present disclosure. All modifications and variations are intended to be included within the scope of the present invention, as defined in the claims below.
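The following sketch of steps 502-508 is an added example, not code from the patent, and it goes beyond the text by choosing a concrete scheme: a Blom-style key set modelled on the HDCP 1.x arrangement of 40 56-bit keys and a 40-bit key selection vector (KSV). The confirmation tag, the nonce and the SHAKE-256 stream cipher are assumptions added so the output side can refuse to transmit when the shared secret does not match; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

N_KEYS = 40        # keys per device key set
MOD = 1 << 56      # each key is a 56-bit value
_rng = secrets.SystemRandom()


def random_ksv():
    """Public key selection vector: 40 bits, exactly 20 of them set."""
    ones = set(_rng.sample(range(N_KEYS), N_KEYS // 2))
    return [1 if i in ones else 0 for i in range(N_KEYS)]


def make_master():
    """Consortium secret: a symmetric N_KEYS x N_KEYS matrix mod 2^56."""
    m = [[0] * N_KEYS for _ in range(N_KEYS)]
    for i in range(N_KEYS):
        for j in range(i, N_KEYS):
            m[i][j] = m[j][i] = secrets.randbelow(MOD)
    return m


def issue_key_set(master):
    """Licensed device key set: private keys are the master matrix times the KSV."""
    ksv = random_ksv()
    keys = [sum(row[j] for j in range(N_KEYS) if ksv[j]) % MOD for row in master]
    return {"ksv": ksv, "keys": keys}


def unlicensed_key_set():
    """Key set built without the consortium's master secret (constructed sample)."""
    return {"ksv": random_ksv(),
            "keys": [secrets.randbelow(MOD) for _ in range(N_KEYS)]}


def shared_secret(own, peer_ksv):
    """Step 504: add up the own keys selected by the peer's KSV bits."""
    return sum(k for k, bit in zip(own["keys"], peer_ksv) if bit) % MOD


def confirm(km, nonce):
    """Short tag proving knowledge of the shared secret (assumed mechanism)."""
    return hmac.new(km.to_bytes(7, "big"), nonce, hashlib.sha256).digest()[:8]


def xor_stream(km, nonce, data):
    """Stand-in content cipher keyed from the shared secret."""
    pad = hashlib.shake_256(km.to_bytes(7, "big") + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))


class Receiver:
    """Subscriber device 108."""

    def __init__(self, key_set):
        self.key_set = key_set
        self.km = None

    def respond(self, tx_ksv, nonce):
        self.km = shared_secret(self.key_set, tx_ksv)
        return self.key_set["ksv"], confirm(self.km, nonce)

    def decrypt(self, nonce, ciphertext):
        return xor_stream(self.km, nonce, ciphertext)


def aoi_send(dks, receiver, content):
    """Steps 504-508. Returns (nonce, ciphertext), or None when output is refused."""
    nonce = secrets.token_bytes(8)
    rx_ksv, rx_tag = receiver.respond(dks["ksv"], nonce)
    if len(rx_ksv) != N_KEYS or sum(rx_ksv) != N_KEYS // 2:
        return None                      # malformed KSV
    km = shared_secret(dks, rx_ksv)
    if not hmac.compare_digest(confirm(km, nonce), rx_tag):
        return None                      # no shared secret: send nothing
    return nonce, xor_stream(km, nonce, content)


if __name__ == "__main__":
    master = make_master()
    aoi_dks, tv = issue_key_set(master), Receiver(issue_key_set(master))
    print("licensed receiver served:", aoi_send(aoi_dks, tv, b"frame") is not None)
    rogue = Receiver(unlicensed_key_set())
    print("unlicensed receiver served:", aoi_send(aoi_dks, rogue, b"frame") is not None)
```

Both sides arrive at the same value because the master matrix is symmetric, which is why a key set not derived from that matrix cannot produce a matching secret.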

Claims (9)

1 . A terminal superimposed on a television system of the subscriber, the superimposed terminal is characterized in that it comprises: a first memory having a first encrypted key and a group of encrypted keys stored therein; a secure element having a processor and a second memory, wherein the second memory has access only to the processor and has a private key of a private key / public key pair stored therein; wherein the processor is adapted to decrypt the first encrypted key with the use of the private key; and wherein the first decrypted key is used to decrypt the encrypted key group of the device; and an adaptive output interface adapted to use a device key group to determine a secret key shared with a receiver in communication therewith and adapted to provide an encrypted stream of content to the receiver with the use of the shared secret key to encrypt the stream of content.
2. The superimposed terminal according to claim 1, characterized in that the group of keys of the device is used with protocols for the protection of digital content of high bandwidth.
3. The overlay terminal according to claim 1, characterized in that the group of keys of the device is used with protocols for the protection of digital transmission content.
4. The superimposed terminal according to claim 1, characterized in that the adaptive output interface includes at least one of a digital visual interface and a high definition multimedia (HDMI) interface.
5. The superimposed terminal according to claim 1, characterized in that the output interface includes an IEEE interface 1 394.
6. The superimposed terminal according to claim 1, characterized in that it also includes: a second processor adapted to receive the first deciphered key and decrypt the group of encrypted keys of the device with the use of the first deciphered key and provide the decrypted key group of the device to the adaptive output interface.
7. The superimposed terminal in accordance with the claim 6, characterized in that a second processor implements a symmetric cryptographic algorithm with the use of a decipher of the device key group as a key to decrypt the encrypted key group of the device.
8. The superimposed terminal according to claim 7, characterized in that the symmetric cryptographic algorithm is a 3DES algorithm.

9. The superimposed terminal according to claim 7, characterized in that the symmetric cryptographic algorithm is a DES algorithm.

10. The superimposed terminal according to claim 1, characterized in that the encrypted key group of the device and the first encrypted key are stored in the first memory before the superimposed terminal is installed in the subscriber's television system.

11. In a subscriber television system having a main end in communication with a plurality of superimposed terminals including a particular superimposed terminal, the particular superimposed terminal is characterized in that it comprises: a first memory having a first encrypted key and an encrypted key group of the device stored in it; a secure element having a first processor and a second memory, wherein the second memory is accessible only to the first processor and has a private key of a private key/public key pair stored therein, wherein the first processor is adapted to decrypt the first encrypted key with the use of the private key; an input port that receives a content stream from the main end; a second processor adapted to determine from the content stream whether content of the content stream is protected and adapted to receive the first decrypted key and decrypt the encrypted key group of the device with the use of the first decrypted key; and an adaptive output interface adapted to implement the decrypted key group of the device to determine a secret key shared with a receiver in communication therewith and, responsive to the first processor determining that the content is protected, adapted to provide an encrypted content stream to the receiver with the use of the shared secret key to encrypt the content stream and, responsive to the first processor determining that the content is not protected, adapted to provide the content stream to the receiver.

12. The superimposed terminal according to claim 11, characterized in that the key group of the device includes protocols for high-bandwidth digital content protection.

13. The superimposed terminal according to claim 1, characterized in that the key group of the device includes protocols for the transmission of digital transmission content.

14. The superimposed terminal according to claim 1, characterized in that the adaptive output interface includes at least one of a digital visual interface and a high-definition multimedia interface (HDMI).

15. The superimposed terminal according to claim 1, characterized in that the output interface includes an IEEE 1394 interface.

16. A method for providing a receiver with a content stream, the method implemented in a superimposed terminal of a subscriber television system, the method characterized in that it comprises the steps of: decrypting a first encrypted key with the use of a private key of a private key/public key pair belonging to the superimposed terminal, wherein the first key is decrypted within a secure element that has a processor and a memory, wherein the private key is accessible only to the processor; decrypting the encrypted key of the device with the use of the first decrypted key; providing the decrypted key group of the device to an adaptive output interface; determining the secret key shared with the receiver with the use of the decrypted key group of the device; and emitting the content stream to the receiver.

17. The method according to claim 16, characterized in that, before the emitting step, it further comprises the steps of: determining whether the content of the content stream is protected content; and, in response to determining that the content is protected, encrypting the content of the content stream with the use of the shared secret key, wherein the emitted content stream is encrypted.

18. The method according to claim 17, characterized in that, before the step of encrypting the content, it further comprises the steps of: receiving a second, encrypted content stream; and decrypting the second content stream, wherein the decrypted second content stream is the content stream that is encrypted in the encrypting step.

19. A method for providing a receiver with a content stream, the method implemented in a superimposed terminal in a subscriber television system, the method characterized in that it comprises the steps of: decrypting a first encrypted key with the use of the private key of a private key/public key pair belonging to the superimposed terminal, wherein the first key is decrypted inside a secure element that has a processor and a memory, wherein the memory is accessible only to the processor and has the private key stored in it; decrypting the encrypted key group of the device with the use of the first decrypted key; providing the decrypted key group of the device to an adaptive output interface; negotiating the secret key shared with the receiver with the use of the decrypted key group of the device; receiving a content stream from the main end of the subscriber television system; determining whether the receiver is authorized to access the content stream; determining whether the received content stream is encrypted content; and emitting the content stream to the receiver.

20. The method according to claim 16, characterized in that, before the emitting step, it further comprises the steps of: determining whether the content of the content stream is protected content; and, in response to determining whether the content is protected, encrypting the content of the content stream with the use of a shared secret key, wherein the emitted content stream is encrypted.
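The key ladder and output decision of method claims 16 and 17, as an added Python sketch that is not part of the patent: the secure element decrypts the first key, the first key decrypts the device key group, and the output interface encrypts only protected content. The toy RSA parameters, the SHA-256 keystream standing in for the 3DES/DES of claims 8 and 9, the HMAC-based shared-secret derivation, the 40-byte key group and all names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Constructed toy RSA key from two Mersenne primes: illustration only, far too small.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def xor_stream(key, data):
    """Stand-in symmetric cipher (SHA-256 counter keystream); NOT the claimed 3DES/DES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class SecureElement:
    """Models the secure element: the private key is used here and never returned."""
    def __init__(self, d, n):
        self.__d, self.__n = d, n
    def decrypt_first_key(self, wrapped):
        return pow(wrapped, self.__d, self.__n).to_bytes(16, "big")

class OutputInterface:
    def __init__(self):
        self.device_keys = self.shared_secret = None
    def negotiate(self, receiver_nonce):
        # Hypothetical derivation; a real link-protection protocol defines its own exchange.
        self.shared_secret = hmac.new(self.device_keys, receiver_nonce, hashlib.sha256).digest()
    def emit(self, content, protected):
        if not protected:
            return content  # unprotected content is passed through unchanged
        if self.shared_secret is None:
            raise RuntimeError("protected content but no negotiated key")
        return xor_stream(self.shared_secret, content)

def provision():
    """Pre-installation: encrypt the first key to the public key, then the key set."""
    first_key, device_keys = secrets.token_bytes(16), secrets.token_bytes(40)
    wrapped = pow(int.from_bytes(first_key, "big"), E, N)
    return wrapped, xor_stream(first_key, device_keys), device_keys

def boot_and_emit(wrapped, enc_keys, nonce, content, protected):
    first_key = SecureElement(D, N).decrypt_first_key(wrapped)
    iface = OutputInterface()
    iface.device_keys = xor_stream(first_key, enc_keys)  # second decryption, outside the SE
    iface.negotiate(nonce)
    return iface, iface.emit(content, protected)
```

Unpadded RSA and a bare keystream give no integrity protection, so a tampered key blob would decrypt to garbage without any error; a real terminal would need to authenticate both blobs before loading the key group.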
MXPA/A/2006/009708A 2004-02-27 2006-08-25 Secure negotiation and encryption module MXPA06009708A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US10789337 2004-02-27

Publications (1)

Publication Number Publication Date
MXPA06009708A (en) 2007-04-20

