METHOD FOR PROTECTING CONTENTS AND MULTIMEDIA SERVICES

TECHNICAL FIELD
The invention belongs to the field of the protection of contents  and more specifically seeks to protect multimedia contents and services distributed by an operator to several subscribers with reception terminals suitable for this purpose.

The invention also concerns a reception terminal capable of receiving such contents and services  and a computer program recorded on a recording media and capable of implementing the method when it is executed by a computer.

The method applies to protected contents supplied to terminals such as Set Top Boxes  computers or mobile telephones and seeks  notably  to improve the protection of the economic models of the operators and of the suppliers of content protection technologies  preventing the illegal redistribution of these contents.

STATE OF THE PRIOR ART

Figure 1 illustrates diagrammatically a traditional architecture to supply contents  scrambled by a scrambling platform 2  to a terminal 4 connected to the network of an operator.

Such an architecture for the supply of contents  typically protects the content to be transmitted 6  which was previously scrambled  on the operator""s side  by means of a scrambling module 8 using a content key CW.

The content key is then encrypted by means of a content access key K  by application of a function F  and then transmitted  in the form of a cryptogram CW*  by the operator to an agent 10 controlling access to the content set out in the terminal 4.

Conditions defining authorised usages of the said content can be transmitted to the terminal simultaneously with the content access key K.

The revelation of the content access key K by the agent 10  with a view to its being supplied to the unscrambling module 12 of the terminal 4  is subject that this agent 10 previously obtains a right of access to the content  which generally takes the tangible form  at minimum  of obtaining the content access key K.

The content access key K obtained by the agent 10 is then used to decrypt the cryptogram of the content key by application of the function F-1  which is the reverse of function F  and by this manner to reveal the content key CW. The latter is then supplied to the unscrambling module 12  set out in terminal 4.

Content key CW may be renewed regularly over time  notably in the case of linear contents  for example according to a pre-established crypto-period  typically of 10 seconds for broadcast flows.

This protection of the content is generally used by a Conditional Access System  or CAS  or by a Digital Rights Management  or DRM  system. In the remainder of this disclosure the characteristics and functions of such systems  which are well known to the skilled man in the art  are not described in greater detail. For more information the reader may refer  for example  to the following documents:
- concerning conditional access systems  "Functional Model of Conditional Access System"  EBU Review  Technical European Broadcasting Union  Brussels  BE  n° 266  21 December 1995;
- concerning digital rights management systems  "DRM Specification"  Open Mobile Alliance OMA-TS-DRM-DRM-V2_0_2-20080723-A  Approved version 2.0.2 – 23 Jul 2008.

In addition to protecting the content  such an architecture for the supply of contents provides protection of the service supplying the said content. This protection is generally provided by the control agent 10 and by a boot loader. These two elements typically rely on the security functions of a chipset of the terminal  depending on the availability of these functions in the chosen chipset.

Protection of the service consists principally in guaranteeing the functional conformity of the processes performed by the entities of the system  and notably of the terminal  and of the configuration data used by the latter  respectively with the processes and with the data provided by the operator.
This may involve  for example  activating protection of the memory  or the use of anti-dump or anti-debug solutions  the aim of which is to prevent observation of the execution of the computer program performing the unscrambling of the contents in the terminal.
Protection of the service typically relies on cryptographic techniques and is based  more generally  on the use of security functions established in the terminal""s design or integration phases. The latter take the form  for example  of requirements transmitted from the supplier of content protection technologies  or from the operator of content services  to the industrial companies having the mission of manufacturing the chipsets or terminals concerned.

Conformity with these requirements may be verified  notably  by means of a process of validation or certification on a very limited sample of terminals before marketing.

Protection of the content and protection of the service are complementary within the content provision architecture  in order to provide effective supply of content. Although they are logically related  these forms of protection are  however  not generally linked in their executions. Indeed  failure to satisfy the security requirements or the security policy of the service  typically the open JTAG port  the integrity control of the unactivated code  the lack of deactivation of unauthorised outputs (HDD  analog outputs  etc.)  or a non-up-to-date version of all or part of the software environment  do not prevent the content key from being revealed or this content from being used.
It should be noted that the problem of redistribution of the content keys CW is currently one of the major flaws of contents supply systems. Resistance and renewal of the securisation of the protection of the content key CW from the headend as far as its use in the decryption module of the chipset of the terminal remains a major problem.

In addition  in the case of a broadcast of contents to a set of reception terminals  the effective use of the security requirements and of the service""s security policy cannot be verified dynamically across the entire set of terminals. And failure to meet these requirements in a single one of the terminals can potentially put the operator""s entire economic model in jeopardy.
In addition  the presentation of the offer can  for example  include advertising or links to other related services  such as services associated with the supply of the content  widgets or communication services  which can be equally important for the operator. By this means the operator can differentiate itself from the competition by offering a customised user experience.

In addition to the content  it is accordingly equally imperative to protect the presentation of the offer and the associated services.

One aim of the invention is to relate  in terms of their executions  protection of the contents supplied by an operator to protection of the service supporting their supply  including the presentation of the offer and of the associated services  in order to guarantee the durability of the operator""s economic model.
In the remainder of the document  the term "superencryption" is used  when the data to be protected is encrypted at least twice using common or separate symmetrical or asymmetrical encryption algorithms  and using at least two separate keys which are respectively secret or public.

ACCOUNT OF THE INVENTION

This aim is met by means of a method to protect a scrambled content by a content key CW which is transmitted encrypted by means of a content access key K by application of a function F  where the said content is supplied by a transmission system to at least one reception terminal by means of a service configured locally in the said reception terminal using a set of properties Pi  i = 1 to N  known to the transmission system  where each of the said properties Pi is represented by a data element xi memorised in the said transmission system  and by a local data element yi with read-only access in the said terminal.

The method according to the invention comprises at transmission a step consisting in superencrypting the said content key CW by at least one reversible superencryption function fi(xi)  which is dependent on at least one of the properties Pi  i=1 to n.
According to a preferred embodiment  this method includes the following steps:
at transmission 
- defining a non-empty subset of properties Pi  i = 1 to n  to be verified 
- superencrypting the said content key CW by applying to the said content key CW the reversible superencryption functions fi(xi) for each property Pi  i = 1 to n  of the said subset EP  
- transmitting the said superencrypted content key CW to the terminal (4) 
and at reception 
- For each property Pi belonging to the said subset EP  reading the local data element yi of the said terminal representing the said property Pi
- revealing the value CW’ of the said superencrypted content key CW by applying to the said superencrypted content key CW the reverse superencryption functions fi-1(yi) for each of the properties Pi of the said subset EP  i=n to 1 
- unscrambling the content by means of the revealed content key.

It should be noted that fi(xi) and f-1(yi) are reverse functions for a predetermined pair of values (xi  yi)  a pair of which each member represents the service property Pi respectively in the transmission system and in the reception terminal. Thus  for a superencryption of the content key CW by at least one of the said reversible superencryption functions fi(xi) calculated in the transmission system  if the data element yi which is locally read in the receiver is different from the expected value  the reverse superencryption function f-1(yi) calculated at reception and applied to the superencryption content key CW will be false. In this case the content key CW is not revealed  and a value CW’  different from CW  is obtained. The unscrambler  using this value CW’ to process the scrambled content  cannot therefore unscramble it. The non-conformity of the property Pi in question of the service thus prevents correct revelation of the content key CW  and therefore prevents it from being unscrambled.

Thus  if at transmission several properties Pi  i = 1 to n  are taken into account  they will be taken into account at reception in the reverse order  i.e. with i varying from n to 1.

If at least one of the predefined pairs (xi  yi) representing the properties Pi is not in conformity  the respective superencryption functions fi(xi) and f-1(yi) no longer have a reverse relationship and  accordingly  the revelation of the content key CW  and the unscrambling of the content  are erroneous.

In the presented preferred embodiment  the performed superencryption of content key CW with at least one superencryption function fi(xi) characteristic of the service property Pi is a pre-encryption in the sense that it occurs  in the method according to the invention  before encryption with the content access key K according to the prior art. In a variant of the invention  this superencryption is performed after the encryption with content access key K  and thus constitutes a post-encryption.

In the embodiments of the invention involving several superencryptions  the latter may  according to another variant of the invention  have at least one pre-encryption and at least one post-encryption  as defined above.

Preferentially  content key CW is revealed only after the incorporation of all the properties Pi  i= 1 to n.
In a variant of an implementation of the method according to the invention  at transmission the superencrypted content key CW is transmitted to the terminal in synchronised fashion with a list of references representing a subset EP of the service properties Pi to be verified  corresponding to the data elements xi  i= 1 to n  used to calculate the superencryption functions fi(xi)  and to the data elements yi  i = 1 to n  to be used in calculating by the terminal the reverse superencryption functions fi(yi)  and at reception the terminal successively applies the reverse functions fi-1(yi) to the superencrypted content key CW and obtains as a result the revealed key CW’  for i varying from n to 1.

Incorporation of the properties Pi  i= 1 to n  is performed systematically or on a one-off basis.

The invention is implemented by a platform for scrambling a content scrambled by a content key CW encrypted by a content access key K  and supplied with at least one service by an operator to at least one reception terminal  comprising:
- means for configuring the said service by a set comprising a whole number of configuration data elements xi  i= 1 to n  where each defines a property Pi  i= 1 to n  of a context for implementation of the said service by the terminal 
- means for encrypting the said content key CW by at least one digital encryption value calculated as a function of at least one configuration data element xi  i= 1 to n.

On the reception side  the content is unscrambled by an unscrambling platform comprising:
- means for recovering each digital encryption value xi  i= 1 to n  using the function fi-1  which is the reverse of the function fi  i= 1 to n 
- means for decrypting the content key CW 
- means for unscrambling the content by means of the content key CW.

It should be noted that the method according to the invention allows the hardware and/or software configuration settings of the service supporting the supply of the available content in the terminal to be used not only for verifying the configuration of this service  but also to generate at least one superencryption key of the content supplied  such that any modification of the said service configuration settings leads to an erroneous content key.
The indication of whether or not the service is compliant is  therefore  in this case only a consequence of the method according to the invention  which moreover has the advantage that it does not have the known vulnerabilities to attacks of the logical branchings of conditional tests.

BRIEF DISCLOSURE OF THE ILLUSTRATIONS

Other characteristics and advantages of the invention will emerge from the disclosure which follows  given as a non-restrictive example  with reference to the appended figures  in which:
- figure 1 illustrates diagrammatically a traditional architecture for the distribution of scrambled contents by an operator to terminals connected to the operator via a communication network 
- figure 2 illustrates diagrammatically a first variant of the implementation of the method in the architecture of figure 1 
- figure 3 illustrates diagrammatically a second variant of the implementation of the method in the architecture of figure 1.

DETAILED ACCOUNT OF PARTICULAR EMBODIMENTS
In the remainder of the disclosure  identical references will be used to designate the elements common to the figure illustrating the architecture of the prior art and to the various figures illustrating the invention.

Figure 2 illustrates diagrammatically the general principle of the invention  consisting in linking the revelation of the content key CW to one or more configuration data elements xi  i= 1 to n  of the service supplied by the operator.

To this end  as is illustrated by figure 2  the scrambling platform 2 has a unit 20 for superencryption of the content key CW prior to its encryption by the content access key K  comprising n superencryption sub-modules 22i  i=1 to n  where each sub-module 22i contains a routine which is to apply selectively to the encrypted key CW a reversible function fi  i= 1 to n  having as its input parameter a data element xi  i= 1 to n  which is representative of a property Pi  i= 1 to n  of a context of use of the said service by terminal 4. This reversible superencryption function will be noted fi(xi).

It should be noted that the service properties Pi  i=1 to n  are represented  at transmission  by xi values specified by the operator  and at reception by their effective values yi obtained by measurement or by calculation in the environment of terminal 4.

Terminal 4 has  in addition to the access control agent 10  a computation unit 40 intended to apply selectively to the superencrypted key CW the reverse superencryption function f-1i(yi)  i= 1 to n  which is the reverse of the function fi(xi)  i= 1 to n  used at transmission to superencrypt key CW. When xi and yi are compliant with the expected values  f-1i(yi) (fi(xi)(CW))=CW  if applicable  the two functions fi(xi)and f-1i(yi) are no longer in a reverse relationship.

Computation unit 40 has n processing sub-modules 42i  i= 1 to n  the purpose of which is to apply to the content key CW  decrypted using the function F-1  and at least one function f-1i(yi)  i= 1 to n  which is the reverse of the superencryption function fi(xi)  i= 1 to n  applied in the scrambling platform 2.

The access control agent 10 is configured to supply the content access key K and the data elements yi  i= 1 to n  corresponding to the data xi used by the scrambling platform to calculate the superencryption key fi(xi) i= 1 to n.

To this end  the operator sends terminal 4 a reference of the data element(s) xi  i=1 to n  which were used  at transmission  for calculating the superencryption key fi(xi) i= 1 to n. The EP references are the subset of the service properties Pi which it is desired to verify.

On receipt of this subset EP of references  terminal 4 determines  by calculation or by measurement  the current yi values  i= 1 to n  corresponding to the references transmitted  and applies one-by-one the reverse functions fi-1(yi)  in the order i= n to 1  to the superencrypted key CW. A result CW’ is obtained by this means.

If the current yi values  i= 1 to n  correspond respectively to the values expected by the operator  then the value of the content key CW is revealed by CW’ and allows the content to be unscrambled (since CW is equal to CW’).

Otherwise  the value of the content key CW’ is false and the unscrambling returns a result which is incomprehensible (since CW is different from CW’) for the remainder of the content processing sequence  typically decoding.

It should be noted that the method according to the invention enables the terminal to be forced to take into account properties Pi  i= 1 to n  of the service before authorising the use of the content.

It should also be noted that if the content key CW changes over time  which is the case notably with broadcast or ""live"" contents  the values xi  i= 1 to n  can be adjusted for each transmission of a content key CW in accordance with the modifications made to the service or to the expected properties of terminal 4.

In addition  the conformity of the properties Pi  i= 1 to n  can be verified systematically or on a one-off basis  or indeed in random fashion. If the verification of a property Pi is systematic  the calculation of the value yi on the terminal side can be implicit  and therefore there is no need to transmit the reference to Pi to the terminal.
Moreover  the verified properties must be appropriate for the content""s broadcast type. If a content key CW is broadcast very widely to a set of terminals  then the expected data elements yi  i= 1 to n  which are respectively representative of the service properties Pi  i= 1 to n  must have the same respective representations across the entire set of targeted terminals. The said data elements yi  i= 1 to n  have values which are directly accessible or can be the result of a measurement or a prior calculation (hash  etc.). They can represent a unique property or a combination of coherent properties of the service. They must also be formatted such that they can be used correctly by the reverse superencryption functions f-1i(yi)  i= n to 1  of the content key CW with which they are associated.

These functions fi(xi) and f-1i(yi)  i= 1 to n  can be based on standard or proprietary cryptographic functions. Their complexity reflects a compromise between the expected level of protection and the performance of the terminals. They can take the form of relatively simple functions  such as an XOR addition  a permutation or a substitution  or again complex algorithms such as 3-DES or AES. The values xi and yi can represent an identical state of the property Pi with different  although equivalent  numerical values. In this case  fi(xi) and f-1i(yi) include calculation operations for reformatting the data restoring a strict equality between xi and yi  and which thus allow a simple definition of f-1i(yi) on the basis of fi(xi).
The syntax of the EP references of the data elements xi  i=1 to n  transmitted to terminal 4 can be protected in order to mask  in the electronic messaging  Pi  i= 1 to n  which the operator wishes to use. In this case  since the references do not necessarily change with each change of content key  the transmitted references can be concatenated to a random value which is renewed each time the content key is changed. The cryptogram of the references is thus different for each content key.

Figure 3 illustrates diagrammatically the use of the method according to the invention in an environment in which two security modules coexist  the secure module of the chipset of a decoder 50 and the secure chipset of a smart card 52.

In this type of environment the operator can distribute the properties to be used between the different modules according to the order in which the cryptogram of the content key CW passes through these modules. Certain properties can also be applied by one of the modules in order to verify the conformity of the properties of the other module.

The method according to the invention can also be used in the communication between two such modules such as  for example  a content reception module considered as the transmission point and an associated security processor considered as the reception point  in the sense of the method according to the invention. The references of the properties to be verified must be known respectively by (or transmitted to) each of the modules in question. There is no requirement to circulate all the properties in all the interfaces between the different modules.

With reference to figure 3  the scrambling platform 2 contains a superencryption sub-module 22 comprising a routine intended to apply to the encrypted key CW a function f1  the input parameter of which is a data element x1  noted fi(xi)  which is representative of a property P1 of configuration of the secure module of the chipset of the decoder 50. The decoder 50 has  in read-only mode  the data element y1 corresponding to P1. The latter comprises a processing sub-module 42 intended to apply to the content key CW the function f-11(y1)  which is the reverse of the function f1(x1)  applied in the scrambling platform 2  the entry value of which is the value y1 supplied by the chipset of the decoder 50.

In terminal 4  the chipset of the decoder 50 comprises a computation unit 40 containing a processing sub-module 421 intended to apply to the superencrypted key CW the function f-11(y1)  which is the reverse of the function f1  used at transmission to superencrypt the key CW.

If data element y1 supplied by the chipset of decoder 50 is not consistent with the data element x1 used in the scrambling platform as the input of function f1  this will mean that the P1 property configured by the operator is not satisfied. In this case  the value of the content key CW is not revealed by the performed decryption and the unscrambling makes a result incomprehensible for the remainder of the content processing sequence  typically decoding.

In addition  in the example illustrated by figure 3  the scrambling platform 2 comprises at least one superencryption sub-module 22k comprising a routine intended to apply to the key CW a function fk  the input parameter of which is a data element xk  which is representative of a property Pk of configuration of the secure module of the secure chipset of the smart card 52. The latter comprises a processing sub-module 54k intended to apply to the content key CW the function f-1k(yk)  which is the reverse of the function fk(xk)  applied in the scrambling platform 2  the entry value of which is the value yk supplied by the secure chipset of the smart card 52.

If the data element yk supplied by the secure chipset of the smart card 52 does not match the data element xk used in the scrambling platform as the input of function fk  this will mean that the property Pk configured by the operator is not satisfied. In this case  the value of the content key CW is not revealed by the performed decryption and the unscrambling makes a result incomprehensible for the remainder of the content processing sequence  typically decoding.

In another variant of the invention  the method is used to protect the interface between the chipset of the decoder 50 and the secure chipset of the smart card 52.
In this case  the secure chipset of the smart card 52 comprises at least one superencryption sub-module 54i  i= 1 to n  containing a routine intended to apply to encrypted key CW at least one function fi  the input parameter of which is a data element xi  which is representative of a property Pi of the hardware and/or software configuration of the interface between the chipset of the decoder 50 and the secure chipset of the smart card 52.

The computation unit 40 of the chipset of the decoder 50 comprises at least one processing sub-module 42i  i= 1 to n  intended to apply to content key CW at least one function f-1i(yi)  i= n to 1  which is the reverse of the function fi(xi)  i= 1 to n  applied in the secure chipset of the smart card 52.

If the data element yi supplied by the chipset of the decoder 50 does not match the data element xi used by the superencryption sub-module 54i of the secure chipset of the smart card 52 as the input of function fi  this will mean that the hardware and/or software property Pi of the interface between the chipset of the decoder 50 and the secure chipset of the smart card 52 configured by the operator is not satisfied. In this case  the value of the content key CW is not correctly decrypted and the unscrambling makes a result incomprehensible for the remainder of the content processing sequence  typically decoding.

The table below discloses  as a non-restrictive example  properties Pi internal to the secure environment or external to the latter which can be used by the method according to the invention.

Property
Purpose of checking of the property Advantage
Value representative of the current characteristics of the terminal""s secure environment  typically the chipset""s secure module Conformity of the current characteristics of the terminal""s secure environment (conformity with the fuse map  activated or deactivated functions (JTAG locked  boot loader in secure mode  "first start-up performed" indicator (installation of the target terminal environment)  encryption of the active FLASH  encryption of the active RAM  etc.)  number of keys  etc.) Control of conformity of the terminal""s secure environment relative to the requirements and the security policy
Control of Anti-mosc updates
…
Current status of A/V outputs Verification of outputs authorised for content (HDMI  HDD  Ethernet  Wifi  etc.) E2E control of conformity of the content redistribution policy
Current status of the protection mechanisms associated with the A/V outputs Activation of the content protection mechanisms for the authorised outputs (HDCP  Macrovison  DTCP-IP  etc.)
…
Value representative of the authorised services and/or of the usage rights acquired by the access control agent Conformity of the authorised services (list of identifiers of services or of the associated operators) and normality of the acquired usage rights (numbers of rights  dates of expiry of the rights  etc.) Control of conformity of the access control performed by the agent
Control of Anti-MOSC updates
Value representative of the lists of revocations associated with A/V output protection mechanisms Conformity of the current version of the lists of revocations associated with A/V output protection mechanisms (HDCP  DTCP-IP  CI+  CPCM  etc.)
…
Value representative of the current settings for access to the operator""s service(s) Conformity of the current settings for access to the operator""s service(s) (address of the services portal  etc.) Control of conformity of the delivered service
Control of updates

Value representative of the previous content protection key Deletion of random access to the content (force consumption of a part of a content  typically an advertisement  to access the following part or at least its start  etc.)
…

The method according to the invention applies both to DRM (Digital Right Management) solutions and to CAS (Control Access System) solutions for services which may be linear (live) or not (VoD  etc.)  and transmitted as unicast  multicast or broadcast.
It should be noted that the authenticity of the information transmitted for the coordination of the A/V outputs of a terminal is no longer required. Indeed  if the latter are not positioned correctly before revelation of the content key the latter will not be unscrambled correctly.

It should also be noted that in a unicast services context (VoD  etc.)  if the identifier of the user or the terminal which has acquired a licence or right is also used as a revealer  then this identifier can be used as a valid mark for a watermarking device.

The method according to the invention is directed dynamically under the control of the services operator from the scrambling platform 2. The service properties taken into account and their expected representative values can change over time according to the constraint requirements and the changes in the contributions of the terminals targeted by the operator.
Execution of the process is strictly the same over all the terminals receiving a given content  whether or not the values of the characteristic data obtained are in conformity with their expected values. There is no verification  nor therefore any intermediate testing  and only the final value of the content key obtained  whether or not enabling the content to be correctly decrypted  either indicates or does not indicate that all the characteristic data taken into account is in accordance with its expected values.
Using the method according to the invention  the complexity for an attacker involved in recovering the content key is increased. This complexity is not based solely on the knowledge of a key pre-established in the terminal""s secure environment  but also depends on the hardware and software configuration used for the implementation of the supplied service.

In another variant of implementation of the method according to the invention  some of the revealers are dynamic and representative of the changes in the service or of its suitability relative to a given content. In this variant  access to the content key requires that the terminal is made compliant.

In addition  end-to-end protection of the content  protection of the access control agent or protection of the operator""s service generally  can be related to protection of the content key.

We Claim:

1. A method for protection of a content (6) scrambled by a content key CW transmitted encrypted by a content access key K  characterized in that the said content is supplied by a transmission system to at least one reception terminal (4) by means of a service configured locally within the said reception terminal according to a set of properties Pi  i = 1 to N  which are known to the transmission system  and where each of the said properties Pi is represented by a data element xi recorded in the said transmission system and by a local data element yi which is locally accessible in read-only mode in the said terminal  and in that  at transmission said method comprises a step consisting in superencrypting the said content key CW by at least one reversible superencryption function fi(xi)  which is dependent on at least one of the properties Pi  i=1 to n  and at reception  the value of said superencrypted content key CW is revealed by applying to said superencrypted content key CW the reverse superencryption function corresponding to the property Pi.

2. A method according to claim 1  also comprising the following steps:
at transmission 
- defining a non-empty subset of properties Pi to be verified  i = 1 to n 
- superencrypting the said content key CW by applying to the said content key CW the reversible superencryption functions fi(xi) for each property Pi  i = 1 to n  of the said subset EP  
- transmitting the said superencrypted content key CW to the terminal (4) 
and at reception 
- for each property Pi belonging to the said subset EP  reading the local data element yi of the said terminal representing the said property Pi 
- revealing the value of the said superencrypted content key CW by applying to the said superencrypted content key CW the reverse superencryption functions fi-1(yi) for each of the properties Pi of the said subset EP  i=n to 1 
- unscrambling the content by means of the revealed value of the said content key CW.

3. A method according to claim 2  in which  if any one of the functions fi-1 (yi) calculated at reception is not the reverse of the respective function fi(xi) defined at transmission for the said subset EP  the content key CW is not revealed.

4. A method according to claim 2  in which the content key CW is revealed only after verification of all the properties Pi  i= 1 to n.

5. A method according to claim 2  in which  at transmission  the superencrypted content key CW is transmitted to the terminal (4) in synchronised fashion with the said subset EP consisting of references to the properties Pi  i= 1 to n  designating the data elements xi used to calculate the reversible superencryption functions fi(xi) and respectively the data elements yi  to be used to calculate the reverse superencryption functions fi-1(yi).

6. A method according to claim 4  in which the verification of the properties Pi  i= 1 to n  is performed systematically or on a one-off basis.

7. A reception terminal (4) capable of receiving a scrambled content supplied with at least one service secured by the method according to claim 1.

8. A computer program recorded on a recording media characterised in that it comprises instructions to implement the method according to claim 1 when it is executed by a computer.

9. A platform (2) for scrambling a content supplied to at least one reception terminal (4) adapted for implementing the method according to anyone of claims 1 to 7.