CN1848944A - IPTV system, enciphered digital programme issuing and watching method - Google Patents

Publication number: CN1848944A
Authority: CN (China)
Prior art keywords: content, program, stb, key, authorization object
Legal status: Granted
Application number: CN 200510063164
Other languages: Chinese (zh)
Other versions: CN100459697C (en)
Inventors: 李益民, 刘生俊, 翁志强, 韩峰, 李庆亮
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CNB200510063164XA; publication of CN1848944A; application granted; publication of CN100459697C; legal status active.

Abstract

An IPTV system comprises a content source CO, a content service unit CS, a content management unit CM, a service management unit SM, an electronic program guide unit EPG, a set-top box STB, a content encryption unit CE, a key management unit KM and an authorization management unit RM, which together provide encrypted programmes. Methods for issuing and viewing encrypted programmes are also disclosed.

Description

IPTV system and methods for issuing and watching encrypted digital programmes
Technical field
The present invention relates to the IPTV field, and in particular to an IPTV system and to methods for issuing and watching encrypted digital programmes.
Background technology
IPTV uses a "television set + set-top box" as its main terminal equipment and delivers interactive television, multimedia services and data value-added services to the user over an IP data network. An IPTV operating system can offer a range of data services, such as audio/video on demand, audio/video broadcast, distance education, games, Flash content and video telephony.
An IPTV system mainly comprises: a television set, a set-top box (STB), a remote control, an IP data network, a streaming media server and an electronic program guide server. Operating an IPTV service also requires digital programme sources and a supporting OSS. The user interacts with the set-top box through the remote control; the set-top box accesses the electronic program guide server over the IP data network, downloads the programme list and presents it to the user on the television set. The user browses the programme list with the remote control and selects a programme of interest. According to the selected programme, the set-top box connects over the IP data network to the streaming media server that stores that programme, and starts playback of the on-demand programme or receives the live programme stream. The set-top box receives the digital programme packets from the streaming media server, restores the data stream to an audio/video signal and passes it to the television set over the AV port, so that the user can enjoy a high-quality audio/video programme. The user can also control playback through the remote control, for example fast forward, rewind and pause.
Specifically, the streaming media server, the digital programme source and the electronic program guide server can be realised by a content service unit (CS), a content source (CO), a content management unit (CM), a service management unit (SM) and an electronic program guide unit (EPG). The digital programmes provided by the CO are stored on the CS; the programme descriptors (such as the programme download address, programme identifier and a brief introduction to the programme content) are packaged by the CM and SM and then handed to the EPG, which displays them to the user through the STB in the form of a programme list from which the user can order.
Because IPTV provides high-definition digital programmes that are customisable and interactive, and therefore a more attractive service experience, obtaining digitised programmes from the network and copying them illegally has become a main target of piracy rings. Encrypting digital programmes, protecting their copyright and authenticating the identities of users and programme sources have therefore become important steps in bringing digital television to market successfully. The concept of digital rights management (DRM) has been proposed; its main task is to use the necessary technical means to protect digitised programme content from illegal copying and so safeguard the interests of IPTV programme suppliers and operators. One commonly used method is to transmit the digitised programme in encrypted form and decrypt it in the user's set-top box, where it is restored to an audio/video signal for viewing, so that an unauthorised user cannot steal or copy the digitised programme from the network. However, no concrete scheme for realising DRM in IPTV has been provided so far, which makes it difficult to achieve secure transmission of IPTV digital programmes.
Summary of the invention
In view of this, the main purpose of the present invention is to provide an IPTV system that can realise encryption protection of digital programmes.
The present invention also provides, based on this system, corresponding methods for issuing and watching encrypted digital programmes, which together realise secure transmission of IPTV digital programmes.
The present invention first provides an IPTV system comprising a content source CO, a content service unit CS, a service management unit SM, an electronic program guide unit EPG and a set-top box STB, characterised in that it further comprises a content encryption unit CE and an authorization management unit RM. The CE encrypts the digital programme received from the CO and sends the encrypted digital programme to the CS. The RM queries the content identifier ContentID of the digital programme encrypted by the CE and the content key Key used for the encryption, creates an authorization object RO containing the content identifier ContentID and the content key Key, and passes the authorization object identifier ROID to the SM. When the STB receives the encrypted digital programme provided by the CS, it obtains the authorization object identifier ROID corresponding to the encrypted digital programme by accessing the SM through the EPG, then accesses the RM with the authorization object identifier ROID to obtain the corresponding authorization object RO, and extracts the content key Key from the authorization object RO to decrypt the encrypted digital programme provided by the CS.
The system may further comprise a key management unit KM, which receives and stores the content identifier ContentID and the corresponding content key Key created when the CE encrypts the digital programme, and makes them available for query when the RM creates the authorization object RO.
The system may further comprise a content management unit CM, which receives the digital programme descriptor created when the CE encrypts the digital programme and provides it to the SM, so that the STB is notified of the release of the digital programme carrying this descriptor.
Optionally, the system further comprises a certificate management unit CA, which stores the set-top box STB certificates and the authorization management unit RM certificate and provides status queries on each other's certificates to the STB and the RM.
The present invention also provides a digital programme issuing method comprising the following steps:
A5. The content encryption unit CE allocates a content identifier ContentID and the content key Key needed to encrypt the digital programme for the digital programme to be encrypted, and encrypts the digital programme;
B5. The content encryption unit CE generates a descriptor of this encrypted digital programme and sends it to the content management unit CM;
C5. The content management unit CM sends the descriptor to the service management unit SM, and the service management unit SM notifies the electronic program guide unit EPG to publish the digital programme information containing this descriptor.
Step A5 may further comprise: the content encryption unit CE sends the encrypted digital programme to the content service unit CS for storage.
The method may further comprise: the content encryption unit CE sends the content identifier ContentID and content key Key it used to the key management unit KM for storage; when a user orders this digital programme, the authorization management unit RM reads the content identifier ContentID and content key Key from the KM and generates an authorization object RO for the user.
The descriptor of the encrypted digital programme comprises at least: the content identifier ContentID corresponding to the digital programme, the access address of the encrypted digital programme, and the address of the authorization management unit RM.
The present invention also provides a digital programme watching method. The user's IPTV service subscription relations are kept on the service management unit SM, and after the set-top box STB has completed start-up authentication the electronic program guide unit EPG publishes the electronic programme list. The method comprises the following steps:
A9. After a digital programme is selected from the electronic programme list, the set-top box STB checks, according to the content identifier ContentID of the digital programme, whether it already stores the authorization object RO corresponding to this ContentID; if so, step D9 is executed, otherwise the next step;
B9. The STB accesses the SM through the EPG and obtains the authorization object identifier ROID recorded by the SM for this content identifier ContentID;
C9. The STB accesses the RM and obtains the corresponding authorization object RO according to the authorization object identifier ROID;
D9. The STB extracts the content key Key contained in the authorization object RO; the STB accesses the EPG with the content identifier ContentID to obtain the address of the encrypted programme, and obtains the digital programme from the content service unit CS at that address;
E9. The STB decrypts the obtained digital programme with the content key Key.
The content identifiers ContentID of different digital programmes may correspond to different RMs; in that case, in step B9 the STB also obtains from the SM the address of the RM corresponding to each content identifier ContentID, and in step C9 the STB accesses the corresponding RM according to the authorization object identifier ROID.
The method may further comprise a service ordering step:
A11. When the service management unit SM receives a user's order for a programme, the SM requests the authorization management unit RM to create, for this user, the authorization object RO corresponding to the content identifier ContentID of the programme;
B11. On receiving the request, the RM requests the content key Key corresponding to the content identifier ContentID from the key management unit KM; the RM then creates for this user an authorization object RO containing the content identifier ContentID and content key Key, and returns the authorization object identifier ROID of this authorization object to the SM;
C11. The SM stores the authorization object identifier ROID in the user's service subscription relation.
After step C11 the method may further comprise: A12. the service management unit SM passes the authorization object identifier ROID to the set-top box STB; B12. the STB accesses the authorization management unit RM, obtains the corresponding authorization object RO according to the authorization object identifier ROID and stores it.
The STB's access to the authorization management unit RM in step B12 may further comprise a step in which the RM requests the certificate management unit CA to confirm the legitimacy and validity of the STB.
Step B12 may further comprise: the authorization management unit RM encrypts the authorization object RO with a public key; the set-top box STB obtains the private key from the certificate management unit CA and decrypts the authorization object RO it has obtained with that private key.
The start-up authentication step comprises: the set-top box STB starts up and sends an access request to the electronic program guide unit EPG; the EPG requests IPTV service access authentication from the service management unit SM, and the service management unit SM requests authentication from the operation support platform; the STB, as a legitimate IPTV user, requests from the certificate management unit CA the user private key used to decrypt authorization objects RO, the CA returns the IPTV user private key, and the STB stores it.
After step E9 the method may further comprise: a step of deleting the authorization object RO stored by the set-top box STB once the authorization object RO has expired.
It can be seen from the above methods that, based on the present invention, a DRMS composed of the CE, KM, RM and CA units is added to the IPTV system and works together with the original IPTV system to transmit digital programme content in encrypted form. The user can decrypt and watch the digital programme only after obtaining the key provided by the DRMS, so an unauthorised user cannot steal or copy it. This ensures that the service platform provided by the network operator and the large volume of high-value digital programme sources provided by content suppliers are not spread through illegal copying, and prevents this high-value programme content from leaking and entering the pirate market.
After the DRMS is introduced, a pirate intercepting at any position in the broadband network can obtain at most the encrypted programme data, not the programme data before encryption. After the set-top box receives the encrypted programme data, the set-top box's DRM agent must complete authentication before it can obtain the authorization object from the authorization unit. The authorization object RO is bound to the user identity, so only its lawful owner can correctly parse it, extract the programme decryption key from it and decrypt and play the encrypted programme data. At the same time, the set-top box is forbidden from saving the decrypted programme data, which prevents decrypted programme data from being read illegally from the set-top box.
The issuing and watching of digital programmes provided by the present invention realise encrypted transmission of digital programmes: only legitimate users can decrypt and watch them, which realises secure transmission of digital programmes.
Description of drawings
Fig. 1 is a structural diagram of the IPTV system of the present invention.
Fig. 2 is the flow chart of encrypting and issuing a channel.
Fig. 3 is the flow chart of encrypting and issuing an on-demand file.
Fig. 4 is the programme ordering flow chart.
Fig. 5 is the STB start-up and registration flow chart.
Fig. 6 is the online programme ordering flow chart.
Fig. 7 is the off-line programme ordering flow chart.
Fig. 8 is the flow chart of watching a channel programme when the STB holds the RO.
Fig. 9 is the flow chart of watching an on-demand programme when the STB holds the RO.
Figure 10 is the flow chart of watching a channel programme when the STB does not hold the RO.
Figure 11 is the flow chart of watching an on-demand programme when the STB does not hold the RO.
Figure 12 is the IPTV network planning diagram.
Figure 13 is the flow chart of accessing content in multiple ways by accessing multiple DRM systems.
Embodiment
First, the invention provides an IPTV system that realises a digital copyright protection function. On the basis of the existing IPTV system platform (CO+CS+CM+SM+EPG+STB), it adds a digital rights management system (DRMS, Digital Right Management System) to realise digital copyright protection. The DRMS of the present invention comprises CE, KM, CA, RM and DA, which are described in detail below.
Referring to the IPTV system shown in Fig. 1, the units (or subsystems) of the IPTV system of the present invention are described in detail; they are as follows:
Content source (CO, Content Origin): the content source provides unencrypted digital programme media that meet the IPTV streaming-media coding format requirements (such as programme files or RTP streams in coding formats such as MPEG4, H264 or MP3). When a content supplier can provide suitable digital programme media, that supplier's media library can also be regarded as a CO. The CO sends unencrypted content to the content encryption unit (CE) for encryption, or sends content that does not need encryption protection directly to the content service unit (CS).
Content service unit (CS, Content Service System): corresponds to the streaming media server, multicast server or value-added service server, and stores the unencrypted and encrypted digital programmes passed to it by the CO and the CE. It receives requests from the user equipment, the set-top box (STB), and provides the digital programme service. When receiving and playing a live programme stream it can save the corresponding programme file in real time for a period of time, as the data source for time-shifted television or as a recorded programme file.
Content management unit (CM, Content Management System): centrally manages the digital programme content planned for inclusion in the IPTV service platform, including content auditing, scheduling and distribution, and content release. It coordinates the content source CO, the content encryption unit CE and the content service unit CS to prepare the release of encrypted or unencrypted content. It receives from the content encryption unit CE information such as the encrypted programme descriptor, content identifier, access address of the encrypted content, live encryption descriptor and address of the corresponding authorization management unit RM.
Service management unit (SM, Service Management System): receives digital programme content information from the CM and performs product packaging and pricing. It manages service data, user data, terminal equipment data, users' personalised electronic programme lists and users' service subscription relation data. It supports the EPG in providing personalised electronic programme lists to users according to their service rights and the service distribution plan. It accepts users' online or off-line service ordering requests, requests the authorization management unit RM to create authorization objects RO for the service rights the user has ordered, and passes the information needed to obtain the authorization object RO, as provided by the RM, to the online set-top box through the EPG.
Electronic program guide (EPG, Electric Program Guide): the portal through which the set-top box accesses the IPTV service units. When a user orders encrypted programme content online, it forwards the ordering request to the service management unit SM and forwards the information needed to obtain the authorization object, returned by the SM in the response, to the set-top box. When an authorization object ordered by the user has not yet been delivered to the set-top box, it receives the channel-switch or on-demand playback report initiated by the set-top box, sends an authorization query to the SM and, according to the SM's query result from the RM, forwards the information needed to obtain the authorization object RO to the set-top box. For channel programmes that offer time-shifted television, it provides the access address of the corresponding time-shift recording file together with the channel multicast access address information.
The units introduced above belong to the original IPTV system; in the present invention they cooperate with the added DRMS to complete digital copyright protection of the IPTV service. The DRMS in the IPTV system comprises the following units:
Content encryption unit (CE, Content Encryption System): receives from the content source CO the digital programme content that needs encryption protection, allocates a unique content identifier (ContentID) and content key (Key), and encrypts the programme content. It sends the encrypted content to the content service unit CS, the content identifier and content key to the key management unit KM, and the corresponding programme description to the content management unit CM.
Key management unit (KM, Key Management System): receives, stores and manages the content identifiers and content keys from the content encryption unit CE, and provides a content identifier (ContentID) to content key (Key) query service to the authorization management unit RM for creating authorization objects RO.
Authorization management unit (RM, Right Management System): receives from the service management unit SM users' requests for authorization to use encrypted programme content, and creates, stores and manages authorization objects RO according to the rights the user has ordered. According to the content identifier (ContentID) of the programme the user ordered, it queries the corresponding content key (Key) from the key management unit KM and adds it to the authorization object RO in encrypted form. It delivers authorization acquisition triggers to the set-top box through the service management unit SM and the EPG. It accepts registration and authorization acquisition requests from the DRM agent, requests the user equipment certificate from the certificate management unit CA and authenticates it. After the certificate management unit confirms the legitimacy of the user equipment, it delivers a digitally signed authorization object RO to the DRM agent. The signature uses the private key of the authorization management unit, and the content key is encrypted with the public key of the user equipment.
Certificate management unit (CA, Certificate Authorization System): stores and maintains the user equipment STB certificates and the authorization management unit RM certificate, provides a status query service for user equipment certificates to the authorization management unit RM and a status query service for the RM certificate to the DRM agent; that is, it provides mutual authentication between the STB and the authorization management unit RM.
DRM agent (DA, DRM Agent): located in the STB, it receives the authorization acquisition trigger forwarded by the EPG and, according to the trigger type, initiates the registration and authorization acquisition flows with the authorization management unit RM. After downloading the authorization object RO, it verifies the digital signature of the authorization management unit RM on the RO with the public key from the authorization centre, confirms the integrity and consistency of the RO, obtains the authorization information, and decrypts the content key (Key) carried in the RO with the set-top box private key. Using the content access address provided by the EPG, it accesses the content service unit CS, establishes an RTSP/RTP connection, obtains the encryption descriptor and RTP packets of the encrypted content, decrypts the RTP with the content key (Key) and plays the decrypted digital content according to the obtained authorization information. For time-shifted television, the DRM agent and the set-top box cooperate to switch between the channel data stream and the channel recording file data stream, and use the authorization object of that channel for decryption and restricted playback of both streams.
In the IPTV system shown in Fig. 1, the main interfaces between the units and their functions are as follows:
CO-CE interface: used by the content source to provide unencrypted digital programme content to the content encryption unit; on-demand programmes are carried over a file transfer protocol (such as FTP) and live programmes over a real-time streaming transport protocol (such as RTP).
CE-CM interface: used by the content encryption unit to pass the digital programme descriptor, content identifier, access address of the encrypted content, live encryption descriptor and address of the corresponding authorization management unit to the content management unit; a message interface or a non-message interface with uniqueness may be used.
CE-CS interface: used by the content encryption unit to provide the encrypted digital programme content to the content service unit; on-demand programmes are carried over a file transfer protocol (such as FTP) and live programmes over a real-time streaming transport protocol (such as RTP or SRTP).
CE-KM interface: used by the content encryption unit to send the content identifier (ContentID) and content key (Key) of the encrypted content to the key management unit; carried over HTTP/SSL.
RM-KM interface: used by the authorization management unit to request the content key from the key management unit according to the content identifier, and by the key management unit to return the content key; carried over HTTP/SSL.
DA-RM interface: used by the DRM agent to request registration and the authorization object RO from the authorization management unit, and by the authorization management unit to return the requested authorization object RO in response; carried over the open OMA-ROAP protocol on HTTP/SSL.
RM-CA interface: used by the authorization management unit to request certificate verification of the user equipment from the certificate management unit; carried over the open OCSP protocol.
DA-CA interface: used by the DRM agent to request authentication of the authorization management unit certificate from the certificate management unit; carried over the open OCSP protocol.
SM-RM interface: used by the service management unit to request authorization, authorization change, authorization revocation and authorization query from the authorization management unit. An authorization request contains the user equipment identifier, content identifier and rights description; an authorization change contains the user equipment identifier, content identifier, rights description and authorization object identifier; an authorization revocation contains the authorization object identifier; an authorization query contains the user equipment identifier and authorization object identifier. The authorization management unit returns the authorization object identifier and trigger. Carried over SOAP on HTTP/SSL.
SM-CA interface: used by the service management unit to request the certificate management unit to activate a user equipment certificate and to obtain the user equipment certificate status; a message interface or non-message interface may be used.
CM-SM interface: used by the content management unit to pass information related to the encrypted digital programme content to the service management unit, such as the encrypted programme descriptor, content identifier, access address of the encrypted content, live encryption descriptor and address of the corresponding authorization management unit; a message interface or non-message interface may be used.
EG-SM interface: used by the EPG to request online service ordering or an authorization query from the service management unit. An online service ordering request contains the user equipment identifier, content identifier and rights description; an authorization query contains the user equipment identifier and authorization object identifier. The service management unit returns the authorization object identifier and trigger according to the response of the authorization management unit. Carried over HTTP/SSL.
DA-EG interface: used by the DRM agent to send an online ordering, channel-switch or on-demand playback report to the EPG; the request contains the user equipment identifier and content identifier. The response contains the authorization object identifier and trigger that the EPG derives from the service management unit's response. Carried over HTTP/SSL.
In the above IPTV system, the source programme data is encrypted by the CE and stored on the CS; the content identifier (ContentID) and key (Key) used in the encryption are sent by the CE to the KM for storage, the KM together with the CM makes the ContentID and Key available to the RM, and the RM generates an authorization object RO containing the Key when needed. Meanwhile, the descriptor of the source programme is passed by the CM to the SM, packaged and handed to the EPG, which displays it in the user's electronic programme list through the STB.
When the user orders a programme from the SM through the EPG, the SM requests the RM to generate an authorization object RO according to the ContentID of the programme, and the authorization object identifier ROID is returned to the STB through the SM and the EPG.
When the user selects a programme, the STB requests the corresponding programme data from the CS at the programme address provided by the EPG, and at the same time obtains the authorization object identifier (ROID) of the programme by querying the SM through the EPG. The STB obtains the RO directly from the RM with this ROID, extracts the content key Key contained in the RO, and uses the Key to decrypt the programme data sent by the CS into a watchable programme.
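The RO issuance and unlocking described above (RM wraps Key for the STB public key and signs the RO; the DA verifies the signature, unwraps Key and decrypts the programme), as an added Go example that is not part of the patent. RSA-OAEP, RSA-PSS and AES-256-GCM, the identifiers CID-0001 and ROID-42, and the sample programme bytes are assumptions chosen for illustration; the page names no algorithms.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
// RightsObject models the RO on the page: ContentID plus the content key wrapped for one
// STB, signed by the RM. RSA-OAEP, RSA-PSS and AES-256-GCM are assumptions; the page names none.
type RightsObject struct {
	ROID       string
	ContentID  string
	WrappedKey []byte // Key encrypted under the STB public key
	Signature  []byte // RM signature over ROID, ContentID and WrappedKey
}

// roDigest hashes the canonical serialisation the RM signs and the DA verifies.
func roDigest(ro *RightsObject) [32]byte {
	b, _ := json.Marshal([]interface{}{ro.ROID, ro.ContentID, ro.WrappedKey})
	return sha256.Sum256(b)
}

type KeyManagement struct{ keys map[string][]byte } // KM: ContentID -> Key, filled by CE, read by RM

func newAEAD(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // content keys here are always 32 bytes
	aead, _ := cipher.NewGCM(block)
	return aead
}

// ceEncryptProgram plays the CE role: allocate a content key for contentID, register it with KM,
// and return the program encrypted under it with the GCM nonce prefixed.
func ceEncryptProgram(km *KeyManagement, contentID string, program []byte) []byte {
	buf := make([]byte, 32+12) // 32-byte AES key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	key, nonce := buf[:32], buf[32:]
	km.keys[contentID] = key
	return newAEAD(key).Seal(nonce, nonce, program, nil)
}

// rmCreateRO plays the RM role: fetch the key from KM, wrap it for one STB's public key
// and sign the result, so a forged or edited RO is rejected by the DA.
func rmCreateRO(km *KeyManagement, rmKey *rsa.PrivateKey, stbPub *rsa.PublicKey,
	roid, contentID string) (*RightsObject, error) {
	key, ok := km.keys[contentID]
	if !ok {
		return nil, fmt.Errorf("KM has no key for %s", contentID)
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, stbPub, key, []byte(contentID))
	if err != nil {
		return nil, err
	}
	ro := &RightsObject{ROID: roid, ContentID: contentID, WrappedKey: wrapped}
	digest := roDigest(ro)
	ro.Signature, err = rsa.SignPSS(rand.Reader, rmKey, crypto.SHA256, digest[:], nil)
	return ro, err
}

// daUnlockProgram plays the DRM agent (DA) in the STB: verify the RM signature first,
// then unwrap the content key with the STB private key and decrypt the program.
func daUnlockProgram(ro *RightsObject, rmPub *rsa.PublicKey, stbKey *rsa.PrivateKey,
	encProgram []byte) ([]byte, error) {
	digest := roDigest(ro)
	if err := rsa.VerifyPSS(rmPub, crypto.SHA256, digest[:], ro.Signature, nil); err != nil {
		return nil, fmt.Errorf("RO rejected, bad RM signature: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, stbKey, ro.WrappedKey, []byte(ro.ContentID))
	if err != nil {
		return nil, fmt.Errorf("RO rejected, not issued to this STB: %w", err)
	}
	aead := newAEAD(key)
	return aead.Open(nil, encProgram[:aead.NonceSize()], encProgram[aead.NonceSize():], nil)
}

// RunScenario wires CE, KM, RM and two STBs together on constructed sample data and returns
// what the owning STB decrypts plus the errors the other two cases must produce.
func RunScenario() (owner []byte, ownerErr, otherErr, tamperErr error) {
	genKey := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	rmKey, stbA, stbB := genKey(), genKey(), genKey() // RM, the RO's owner STB, a second STB
	km := &KeyManagement{keys: map[string][]byte{}}
	enc := ceEncryptProgram(km, "CID-0001", []byte("constructed MPEG-4 sample"))
	ro, err := rmCreateRO(km, rmKey, &stbA.PublicKey, "ROID-42", "CID-0001")
	if err != nil {
		return nil, err, nil, nil
	}
	owner, ownerErr = daUnlockProgram(ro, &rmKey.PublicKey, stbA, enc)
	_, otherErr = daUnlockProgram(ro, &rmKey.PublicKey, stbB, enc)
	bad := *ro
	bad.ContentID = "CID-9999" // any edit to a signed field must break verification
	_, tamperErr = daUnlockProgram(&bad, &rmKey.PublicKey, stbA, enc)
	return owner, ownerErr, otherErr, tamperErr
}
```

RunScenario shows the two rejections the page relies on: a second STB holding a copy of the RO cannot unwrap Key, and an RO whose fields were altered in transit fails the RM signature check before any key is touched.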
Based on this IPTV system, the present invention also provides the corresponding service flows, comprising the methods for issuing, ordering and watching encrypted digital programmes, which are described with reference to the drawings.
First, referring to Fig. 2 and Fig. 3, the digital programme issuing flow is described. The digital programme data sources include channel data and user on-demand programme data; the encrypted issuing flow for each of these two data sources is described below.
Fig. 2 shows the live channel encryption and issuing flow, comprising the following steps:
Step 201: to start encrypting a new channel, the following must be configured on the content encryption unit CE: the channel descriptor, the source address of the unencrypted programme stream, the service address of the encrypted programme stream, the address of the content management unit managing this channel, the key management unit address, the authorization management unit address, the encryption algorithm to be used and the SDP file (SDP, Session Description Protocol, describes the session to be established; for example, the message body that establishes a multimedia session may contain information such as the audio and video coding and the sampling frequency).
Step 202: the content encryption unit CE allocates a globally unique content identifier ContentID and the content key needed to encrypt this channel for the live channel to be encrypted, and modifies the SDP information according to the selected encryption algorithm.
Step 203: the CE sends a request to the key management unit KM to add or modify the ContentID and the channel content key, and the key management unit KM returns a confirmation.
Step 204: to issue this encrypted channel, the content encryption unit CE sends the channel descriptor, ContentID, authorization management unit address and channel SDP information to the content management unit CM with its request.
Step 205: after the CM has audited this encrypted channel, it sends channel meta-information such as the channel descriptor, multicast address/port number, ContentID and encryption algorithm to the service management unit SM. The service management unit SM performs product packaging for this channel, determines the applicable authorization rules and the corresponding ordering price, offers it to users for ordering, and provides support for the EPG to generate customised electronic programme lists.
Step 206: the SM notifies the EPG to publish the live channel.
Step 207: the CE notifies the content source CO to start sending the live RTP stream.
Steps 208 to 210: the CE receives the unencrypted live RTP stream, encrypts the RTP packets and sends the encrypted RTP to the predetermined content service unit CS.
Fig. 3 shows the VOD file encrypted publication flow, which comprises the following steps:
Step 301: A request is made to encrypt a new VOD file; the program description, the source file address of the VOD file, the service address of the encrypted file, the address of the content management unit that manages this program, the key management unit address, the rights management unit address, and the encryption algorithm to use are configured at CE.
Step 302: For the VOD file to be encrypted, CE allocates a globally unique content identifier ContentID and the key needed to encrypt the file.
Step 303: CE requests the unencrypted VOD file from CO.
Step 304: CE encrypts the VOD file sent by CO and modifies the SDP information in the encrypted file.
Step 305: CE sends the encrypted VOD file to the designated content service unit CS, or notifies CS to fetch the encrypted VOD file from CE itself.
Step 306: CE sends the ContentID and file key pair to KM, and KM returns an acknowledgement.
Step 307: To publish this encrypted VOD program, CE sends the program descriptor, ContentID, rights management unit RM address and the address of the encrypted file to CM.
Step 308: After CM approves the encrypted VOD program, it sends the program metadata (program descriptor, service address of the encrypted VOD file, etc.) to SM. SM packages the program as a product, determines the applicable authorization rules and the corresponding subscription price, offers it to users for subscription, and supports the EPG in generating customized electronic program guides.
Step 309: SM notifies the EPG to publish the VOD program.
In the invention, RM creates and stores an authorization object RO for the user. The RO holds the program's content identifier ContentID and the corresponding key Key, while SM stores only the ROID. When the user watches an encrypted program stream, the STB obtains the ROID from SM and then obtains the RO from RM to decrypt the stream. With reference to Fig. 4, the RO creation process comprises the following steps:
Steps 401 to 403: These belong to the program source encryption process, through which KM comes to hold the ContentID and content key of the program. As described above, in brief: after receiving a request to encrypt a live channel or a VOD file, CE allocates a ContentID and content key for the program and sends the ContentID/key pair to KM; KM returns an acknowledgement.
Step 404: When the user subscribes to the program through SM, SM requests RM to create an authorization object RO for this subscription relationship.
Step 405: To create the RO, RM requests the content key Key for the program's ContentID from KM.
Step 406: KM looks up its key store, obtains the key for that ContentID, and returns it to RM in the response message.
Step 407: RM creates the authorization object RO for the user, containing the content key of the subscribed program, and returns the RO creation result to SM. SM stores the identifier ROID of this authorization object in the user's subscription record.
After the user terminal (set-top box) boots, a boot registration flow follows. In the registration flow of the invention, the STB can exchange information with the DRM system and obtain the RO where necessary, for decrypting the encrypted program stream when the user watches it. With reference to Fig. 5, the flow comprises the following steps:
Steps 501 to 504: The STB boots and sends an access request to the EPG; the EPG requests IPTV service access authentication from SM; SM requests user authentication from the unified authentication unit of the operations support platform, which checks the user's legitimacy. These steps are identical to existing boot registration and are not repeated here.
Steps 505 to 506: SM requests the private key of the authenticated IPTV user from CA, and CA returns the IPTV user private key. The private key is obtained to improve security: the RO is encrypted for transmission between STB and RM, and the STB decrypts it with this private key. Note that, on this path, the key is generated at CA and reaches the STB through SM and the EPG, so those units lie inside the trust boundary for RO confidentiality.
Steps 507 to 508: According to the user's service subscription records, SM sends an authorization query request to RM, and RM returns an authorization query response containing the authorization object triggers.
Steps 509 to 510: SM returns the IPTV access authentication response to the EPG, and the EPG returns the access authentication result and the electronic program guide to the STB.
If the IPTV private key is stored in a smart card or in the set-top box, steps 505 and 506 are not needed. If the user has not subscribed to any program, or the RO of the subscribed program has already been issued to the STB, steps 507 and 508 are not needed.
The program subscription flow is described next; the user subscribes to programs so as to watch the subscribed programs on demand. Subscription is divided into an online subscription flow and an offline subscription flow. The difference from existing IPTV subscription is that the invention not only stores in SM the ContentID of the program the user subscribed to, but also has RM create an RO and stores its ROID in SM for delivery to the user. The flows below involve the IPTV ROAP protocol. IPTV ROAP is based on the OMA ROAP protocol (Rights Object Acquisition Protocol), a protocol suite for mutual authentication and secure exchange of authorization objects between the rights issuer RI (the role played here by the rights management unit RM) and the DRM agent in the IPTV set-top box. The suite comprises a 4-pass registration protocol (the IPTV set-top box registers with the RI) and a 2-pass rights acquisition protocol (the IPTV set-top box requests an authorization object from the RI). It also involves the ROAP trigger: ROAP protocols are started by ROAP triggers. The RI sends a ROAP trigger to the IPTV set-top box to instruct it to start the corresponding ROAP protocol exchange, and the set-top box starts the exchange immediately on receiving the trigger. The RI must indicate the trigger type (4-pass registration or 2-pass rights acquisition) to the set-top box. Since these protocols and triggers are known, the flows below only outline the parts that involve them.
First, with reference to Fig. 6, the online subscription flow comprises the following steps:
Steps 601 to 602: The user browses the EPG through the STB, decides to subscribe to a live channel or VOD program (the EPG, supported by SM, shows the user the program information, authorization rules, price and so on), and instructs the EPG to initiate an online subscription. The EPG sends the online subscription request to SM.
Step 603: Based on the program the user subscribed to and the selected authorization rule, SM sends an authorization request to RM; the request message contains the user ID, content identifier, rights description, user online status and similar information.
Step 604: RM creates an authorization object RO for this subscription relationship, obtaining the content key Key needed for the RO by querying the key management unit KM (see Fig. 4). RM returns the RO creation result in the authorization response message, including the created authorization object identifier ROID and the trigger information. Depending on whether the set-top box has recently registered with RM, RM decides whether to issue only the 2-pass trigger or both the 4-pass and the 2-pass triggers.
Steps 605 to 606: SM returns the online subscription response to the EPG, including the ROID and trigger information. The EPG returns the online subscription result, including the ROID and trigger information, to the STB.
Steps 607 to 616 describe how, after receiving the authorization information for the subscribed program, the STB starts the rights acquisition flow with RM according to the trigger type and obtains the RO. These steps are the same as in the prior art and are only outlined below; see the 4-pass registration protocol and the 2-pass rights acquisition protocol for details. They comprise:
Step 607: On receiving a 4-pass trigger, the STB sends a ROAP-DeviceHello request. (Note: if only a 2-pass trigger is received, the STB sends an RORequest directly to obtain the authorization object. In the IPTV service environment the 4-pass + 2-pass mode is selected by default, to strengthen authentication of the user device.)
Step 608: RM answers the set-top box with a ROAP-RIHello message.
Step 609: On receiving RM's response, the STB initiates registration by sending a ROAP-RegistrationRequest message to RM.
Step 610: On receiving the set-top box's registration request, RM requests the device certificate status from the certificate management unit CA as needed. CA answers RM's request with the result of the certificate legitimacy and validity check.
Step 611: RM confirms that the set-top box identity is legitimate and valid, accepts its registration request, and returns a ROAP-RegistrationResponse message to the set-top box.
Step 612: Having received registration confirmation, the set-top box establishes a session context with RM and, using the authorization object identifier it obtained, sends a rights acquisition request ROAP-RORequest to RM.
Step 613: RM verifies the validity of the rights acquisition request sent by the set-top box and returns, in a ROAP-ROResponse message, the authorization object RO of the program the user subscribed to and requested. The authorization object contains the ContentID and content key Key that CE allocated to this program.
Step 614: The set-top box STB stores the authorization object RO for later use.
Steps 615 to 616: RM reports the authorization object issue status to SM, and SM returns the report response.
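The trigger-driven exchange of steps 604 and 607 to 616, as an added example that is not part of the patent: a Python simulation in which RM (in the rights issuer role) decides from the device's registration state whether to issue only the 2-pass trigger or both triggers, and the set-top box runs the 4-pass registration (DeviceHello, RIHello, RegistrationRequest with a certificate status check at CA, RegistrationResponse) before the 2-pass RORequest/ROResponse. The message names follow the page; the message fields, the certificate status table, the REGISTRATION_TTL window and the checks RM applies (registration required, ROID bound to the device it was created for) are assumptions of this example, not the OMA ROAP wire format.

```python
import secrets
from dataclasses import dataclass

REGISTRATION_TTL = 3600.0   # assumption: how long RM treats a registration as "recent"

class CA:                   # certificate status lookup; the status table is constructed
    def __init__(self, status):
        self.status = status
    def certificate_status(self, cert_id):
        return self.status.get(cert_id, "unknown")

@dataclass
class RightsObject:
    roid: str
    content_id: str
    content_key: bytes

class RM:                   # plays the rights issuer RI
    def __init__(self, ca):
        self.ca = ca
        self.registered = {}    # device_id -> time of last successful registration
        self.sessions = {}      # session id handed out in RIHello -> device_id once registered
        self.pending = {}       # roid -> (device_id it was created for, RightsObject)

    def create_ro(self, device_id, content_id, content_key, now):   # step 604
        ro = RightsObject("ROID-" + secrets.token_hex(4), content_id, content_key)
        self.pending[ro.roid] = (device_id, ro)
        recent = now - self.registered.get(device_id, float("-inf")) < REGISTRATION_TTL
        return ro.roid, (["2pass"] if recent else ["4pass", "2pass"])

    def handle(self, msg, now):
        kind = msg["type"]
        if kind == "ROAP-DeviceHello":                                   # step 608
            sid = secrets.token_hex(8)
            self.sessions[sid] = None
            return {"type": "ROAP-RIHello", "session": sid, "ri_id": "RM-1"}
        if kind == "ROAP-RegistrationRequest":                           # steps 610-611
            if msg["session"] not in self.sessions:
                return {"type": "ROAP-RegistrationResponse", "status": "NoSession"}
            if self.ca.certificate_status(msg["cert_id"]) != "valid":
                return {"type": "ROAP-RegistrationResponse", "status": "InvalidCertificate"}
            self.sessions[msg["session"]] = msg["device_id"]
            self.registered[msg["device_id"]] = now
            return {"type": "ROAP-RegistrationResponse", "status": "Success", "session": msg["session"]}
        if kind == "ROAP-RORequest":                                     # step 613
            device = msg["device_id"]
            reg = self.registered.get(device)
            if reg is None or now - reg >= REGISTRATION_TTL:
                return {"type": "ROAP-ROResponse", "status": "NotRegistered"}
            owner_ro = self.pending.get(msg["roid"])
            if owner_ro is None or owner_ro[0] != device:
                return {"type": "ROAP-ROResponse", "status": "UnknownRO"}
            return {"type": "ROAP-ROResponse", "status": "Success", "ro": owner_ro[1]}
        return {"type": "Error", "status": "UnknownMessage"}

class STB:
    def __init__(self, device_id, cert_id):
        self.device_id, self.cert_id = device_id, cert_id
        self.ro_store, self.session = {}, None

    def acquire(self, rm, roid, triggers, now):
        """Run the protocol each trigger names, in order (steps 607-614)."""
        for trig in triggers:
            if trig == "4pass":
                hello = rm.handle({"type": "ROAP-DeviceHello", "device_id": self.device_id}, now)
                reg = rm.handle({"type": "ROAP-RegistrationRequest", "session": hello["session"],
                                 "device_id": self.device_id, "cert_id": self.cert_id}, now)
                if reg["status"] != "Success":
                    return reg["status"]                  # no registration, so no RORequest
                self.session = reg["session"]             # step 612: session context with RM
            elif trig == "2pass":
                resp = rm.handle({"type": "ROAP-RORequest", "device_id": self.device_id,
                                  "session": self.session, "roid": roid}, now)
                if resp["status"] != "Success":
                    return resp["status"]
                self.ro_store[resp["ro"].content_id] = resp["ro"]   # step 614
                return "Success"
        return "NoTrigger"

def scenarios():
    ca = CA({"cert-A": "valid", "cert-B": "revoked"})       # constructed status table
    rm = RM(ca)
    key = b"\x11" * 32                                      # constructed content key
    a, b, c = STB("stb-A", "cert-A"), STB("stb-B", "cert-B"), STB("stb-C", "cert-A")
    roid_a, trig_a = rm.create_ro("stb-A", "CID-1", key, now=0.0)
    first = a.acquire(rm, roid_a, trig_a, now=1.0)          # fresh device: 4-pass then 2-pass
    roid_a2, trig_a2 = rm.create_ro("stb-A", "CID-2", key, now=2.0)
    second = a.acquire(rm, roid_a2, trig_a2, now=3.0)       # recently registered: 2-pass only
    roid_b, trig_b = rm.create_ro("stb-B", "CID-1", key, now=0.0)
    revoked = b.acquire(rm, roid_b, trig_b, now=1.0)        # CA says revoked: registration fails
    skipped = c.acquire(rm, roid_a, ["2pass"], now=1.0)     # never registered, tries RORequest
    wrong_owner = a.acquire(rm, roid_b, ["2pass"], now=4.0) # registered, but ROID is stb-B's
    return {"first": (trig_a, first), "second": (trig_a2, second),
            "revoked": revoked, "skipped": skipped, "wrong_owner": wrong_owner}
```

The scenarios function exercises the page's default 4-pass + 2-pass path, the 2-pass-only path for a recently registered box, and three refusals that the step 610 certificate check and the step 613 validity check have to produce: a revoked device certificate, a box that skips registration and goes straight to RORequest, and a registered box presenting an ROID created for another device.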
With reference to Fig. 7, the offline subscription flow is described. Offline subscription means the user subscribes through other channels while the STB is not powered on. It comprises the following steps:
Step 701: The user requests a subscription from SM through a business hall or a self-service unit, selecting the program to subscribe to and the authorization rule.
Step 702: Based on the program the user subscribed to and the selected authorization rule, SM sends an authorization request to RM; the request message contains the user ID, content identifier, rights description, user online status and similar information.
Step 703: RM creates an authorization object RO for this subscription relationship, obtaining the content key needed for the RO by querying KM, and returns the RO creation result, including the created ROID, in the authorization response message. For an offline subscription, RM does not need to issue a trigger.
Step 704: SM saves the ROID returned by RM in the user's subscription record. After the user boots the STB, SM will instruct it through the EPG to download the authorization object RO from RM.
When a live channel's key changes, or the user requests a change of rights, the authorization object RO must be updated. SM sends an authorization change request or an authorization revocation request to RM. The change and revocation flows are similar to the offline subscription flow. For example, on receiving an authorization change message RM re-creates the authorization object, SM updates the subscription record, and the response message to the EPG notifies the set-top box to obtain the authorization object again. Likewise, on receiving an authorization revocation message RM removes the corresponding authorization object, and SM notifies the set-top box to remove it by updating that user's electronic program guide.
After boot registration and program subscription, the user can watch the encrypted program. Following Fig. 2 and Fig. 3, programs are divided into channel programs and file programs, and the flows further differ in whether the STB already holds the RO. Four embodiments of the encrypted program viewing method are described below.
First, with reference to Fig. 8, viewing a channel program when the STB holds the RO is taken as an example; it comprises the following steps:
Steps 801 to 802: The STB boots and sends an access request to the EPG. The EPG authenticates the set-top box and, according to the user's service subscription relationships stored by SM, generates and issues the electronic program guide. (For the detailed flow see Fig. 5.)
Step 803: The user switches to or selects a channel. The set-top box searches its local authorization object store by the channel ContentID, obtains the corresponding authorization object RO, and checks it against the latest electronic program guide version to confirm that the channel's RO is still valid.
Step 804: Using the set-top box private key obtained during registration, the STB decrypts the channel content key Key from the channel RO.
Steps 805 to 806: The STB extracts the channel multicast address and port number from the electronic program guide and asks the content service unit CS to join the multicast group of that channel. The set-top box receives the encrypted RTP stream from CS.
Step 807: The set-top box extracts the channel encryption algorithm from the SDP information in the electronic program guide, decrypts the received live encrypted RTP stream in real time with the channel content key obtained above, and passes the decrypted RTP stream to the media player provided by the set-top box. The media player plays the decrypted RTP stream under the control of the rights description in the channel RO.
Steps 808 to 809: When the RO expires, the STB requests to leave the multicast group and stops playing the program. The set-top box deletes the expired channel RO.
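The RO creation of Fig. 4 and the STB side of Fig. 8, as an added example that is not part of the patent: KM keeps the ContentID/key registry (returning two of the error statuses the interface table lists for the key transfer response), CE allocates ContentID and key and encrypts RTP payloads while leaving the 12-byte RTP header in clear, RM builds an RO whose Key is wrapped for the device, and the STB looks the RO up by ContentID, unwraps Key, decrypts the stream, rejects a tampered packet, and deletes the RO once it has expired. All formats and algorithms here are assumptions: the patent leaves the encryption algorithm to the SDP and wraps Key to an STB private key, whereas this example substitutes a per-device symmetric key and an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, a demonstration construction rather than a recommendation for production use. The RTP packet and payload are constructed.

```python
import hashlib, hmac, secrets, struct
from dataclasses import dataclass

# Stand-in cipher (assumption: the patent names no algorithm): HMAC-SHA256 in
# counter mode as keystream, encrypt-then-MAC with separate subkeys. Demo only.
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream_xor(enc_key, nonce, data):
    stream = b"".join(hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, header, payload):
    """header stays in clear, payload is encrypted, both are authenticated."""
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, payload)
    tag = hmac.new(_subkey(key, b"mac"), header + nonce + ct, hashlib.sha256).digest()[:16]
    return header + nonce + ct + tag

def unseal(key, blob, header_len):
    header, nonce = blob[:header_len], blob[header_len:header_len + 12]
    ct, tag = blob[header_len + 12:-16], blob[-16:]
    expect = hmac.new(_subkey(key, b"mac"), header + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)

class KM:                                   # key store: ContentID -> (content key, algorithm)
    def __init__(self):
        self._keys = {}
    def transfer(self, content_id, key, algorithm):   # key transfer request (CE -> KM)
        if not content_id:
            return "content identifier empty"
        if len(key) != 32:
            return "key length error"
        self._keys[content_id] = (key, algorithm)
        return "success"
    def query(self, content_id):                      # key query request (RM -> KM)
        return self._keys.get(content_id)

class CE:
    def __init__(self, km):
        self.km, self._keys = km, {}
    def encrypt_channel(self, algorithm="hmac-ctr-demo"):   # steps 202-203
        content_id, key = "CID-" + secrets.token_hex(4), secrets.token_bytes(32)
        if self.km.transfer(content_id, key, algorithm) != "success":
            raise RuntimeError("KM rejected key transfer")
        self._keys[content_id] = key
        return content_id
    def encrypt_rtp(self, content_id, rtp_packet):   # steps 208-210: 12-byte RTP header in clear
        return seal(self._keys[content_id], rtp_packet[:12], rtp_packet[12:])

@dataclass
class RO:
    roid: str
    content_id: str
    wrapped_key: bytes   # Key sealed to the STB's device key
    expires: float       # rights description reduced to an expiry time (assumption)

class RM:
    def __init__(self, km):
        self.km, self.ros = km, {}
    def create_ro(self, device_key, content_id, expires):   # steps 404-407
        entry = self.km.query(content_id)
        if entry is None:
            raise KeyError(content_id)
        ro = RO("ROID-" + secrets.token_hex(4), content_id, seal(device_key, b"", entry[0]), expires)
        self.ros[ro.roid] = ro
        return ro.roid

class STB:
    def __init__(self, device_key):
        self.device_key, self.ro_store = device_key, {}
    def store_ro(self, ro):                       # step 614
        self.ro_store[ro.content_id] = ro
    def watch(self, content_id, encrypted_rtp, now):
        ro = self.ro_store.get(content_id)        # step 803: local lookup by ContentID
        if ro is None:
            return None                           # no RO held: the Fig. 10 flow applies
        if now >= ro.expires:                     # steps 808-809: drop the expired RO
            del self.ro_store[content_id]
            return None
        key = unseal(self.device_key, ro.wrapped_key, 0)   # step 804
        return unseal(key, encrypted_rtp, 12)               # step 807

def demo():
    km = KM(); ce = CE(km); rm = RM(km)
    device_key = secrets.token_bytes(32)          # per-STB key (smart card or CA path in the patent)
    stb = STB(device_key)
    cid = ce.encrypt_channel()
    stb.store_ro(rm.ros[rm.create_ro(device_key, cid, expires=1000.0)])
    rtp = struct.pack(">BBHII", 0x80, 96, 1, 3000, 0xDEADBEEF) + b"constructed payload"
    enc = ce.encrypt_rtp(cid, rtp)
    clear = stb.watch(cid, enc, now=10.0)
    tampered = enc[:20] + bytes([enc[20] ^ 1]) + enc[21:]    # flip a nonce byte
    try:
        stb.watch(cid, tampered, now=10.0); tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    expired = stb.watch(cid, enc, now=2000.0)
    return clear == rtp[12:], tamper_rejected, expired is None and cid not in stb.ro_store
```

Keeping the RTP header in clear but under the MAC mirrors what a stream decryptor needs: sequence numbers and timestamps stay readable for jitter handling while a modified packet fails authentication before it reaches the player. The expiry check runs on every packet because the page ties the end of playback to RO expiry, not to the end of the stream.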
With reference to Fig. 9, the steps for viewing a VOD program when the STB holds the RO are as follows:
Steps 901 to 902: The set-top box boots and sends an access request to the EPG. The EPG authenticates the set-top box and, according to the user's service subscription relationships stored by SM, generates and issues the electronic program guide. (For the detailed flow see Fig. 5.)
Step 903: The user selects a VOD program. The set-top box searches its local authorization object store by the program ContentID, obtains the corresponding authorization object RO, and checks it against the latest electronic program guide version to confirm that the RO is still valid.
Step 904: Using the set-top box private key obtained during registration, the STB decrypts the VOD program content key Key from the program RO.
Steps 905 to 906: The STB extracts the access address of the encrypted VOD program from the electronic program guide, initiates an RTSP session with the content service unit CS, and requests the SDP information. The set-top box receives the RTSP response from CS, which contains the SDP information of the encrypted VOD program file.
Steps 907 to 909: The set-top box sets up the environment for receiving the VOD program's RTP packets according to the SDP information and sends an RTSP play request to CS (fast forward and rewind can be requested during playback). CS returns the RTSP response (play, fast forward, rewind, etc.) and sends the corresponding RTP data stream to the STB.
Step 910: The set-top box extracts the encryption algorithm from the program's SDP information, decrypts the received encrypted RTP stream in real time with the VOD file content key obtained above, and passes the decrypted RTP stream to the media player. The media player plays the decrypted RTP stream under the control of the rights description in the program RO.
Steps 911 to 913: When the RO expires, the STB sends an RTSP STOP request to CS and ends playback. CS returns the RTSP STOP response. The set-top box deletes the expired RO.
With reference to Fig. 10, viewing a channel program when the STB does not hold the RO is taken as an example; it comprises the following steps:
Steps 1001 to 1002: The set-top box boots and sends an access request to the EPG. The EPG authenticates the set-top box and, according to the user's service subscription relationships stored by SM, generates and issues the electronic program guide.
Step 1003: The user switches channels. The set-top box searches its local authorization object store by the channel ContentID and finds no valid authorization object RO for the channel. From the electronic program guide the STB determines that the channel is an encrypted channel, and it sends a channel switch report to the EPG containing the ContentID of the channel the user switched to.
Step 1004: The EPG sends an authorization query request to SM, containing the user ID, channel ContentID and similar information.
Step 1005: SM queries the user's service subscription records, obtains the ROID of the subscribed authorization object, and sends an authorization query request containing that ROID to RM. (Note: if the user has not subscribed to this channel, SM returns a query failure and the user is prompted to start the online subscription flow before watching the program.)
Steps 1006 to 1008: RM returns an authorization query response containing the relevant trigger information. SM returns the authorization query response to the EPG, carrying the trigger information provided by RM. The EPG returns the channel switch response to the STB, carrying the trigger information.
Step 1009: According to the trigger type, the STB starts the rights acquisition flow with RM and obtains the authorization object RO of the program the user subscribed to and requested. See steps 607 to 616 of Fig. 6; not repeated here.
Step 1010: The STB finishes downloading and storing the authorization object RO and, using the set-top box private key, decrypts the channel content key Key from the channel RO.
Step 1011: The STB extracts the channel multicast address and port number from the electronic program guide and asks CS to join the multicast group of that channel.
Step 1012: The set-top box receives the encrypted RTP stream from CS.
Step 1013: The set-top box extracts the channel encryption algorithm from the SDP information in the electronic program guide, decrypts the received live encrypted RTP stream in real time with the channel content key Key obtained above, and passes the decrypted RTP stream to the media player. The media player plays the decrypted RTP stream under the control of the rights description in the channel RO.
Steps 1014 to 1015: When the RO expires, the STB requests to leave the multicast group and stops playing the program. The set-top box deletes the expired channel RO.
With reference to Fig. 11, the steps for viewing a VOD program when the STB does not hold a valid RO are as follows:
Steps 1101 to 1102: The STB boots and sends an access request to the EPG. The EPG authenticates the set-top box and, according to the user's service subscription relationships stored by SM, generates and issues the electronic program guide.
Step 1103: The user selects a VOD program. The set-top box searches its local authorization object store by the program ContentID and finds no valid authorization object RO for the program. From the electronic program guide the STB determines that the program is encrypted, and it sends a VOD report request to the EPG containing the ContentID of the requested program.
Step 1104: The EPG starts the authorization query flow and obtains the trigger information provided by RM. See steps 1004 to 1007 of Fig. 10; not repeated here.
Step 1105: The EPG returns the VOD report response to the STB, carrying the trigger information.
Step 1106: According to the trigger type, the STB starts the rights acquisition flow with RM and obtains the RO provided by RM. See steps 607 to 616 of Fig. 6; not repeated here.
Steps 1107 to 1115: The STB requests the VOD program from CS, decrypts it and plays it. See steps 905 to 913 of Fig. 9; not repeated here.
In the invention, the interfaces used to implement the above flows are as follows:
No. | Interface | Description | Parameters | Direction
1 | Boot registration request | The set-top box registers with the EPG at boot | user and terminal identifiers, terminal attributes, EPG version, etc. | STB → EPG
2 | Boot registration response | The EPG returns the registration response | status code, electronic program guide, authorization trigger list, RM public key, user private key, etc. | STB ← EPG
3 | Online subscription request | STB requests an online subscription from the EPG, or the EPG from SM | program or content identifier, user ID, subscribed rights, etc. | STB → EPG → SM
4 | Online subscription response | The EPG returns the online subscription result to STB, or SM to the EPG | authorization object identifier, trigger, RM public key, status code, etc. | STB ← EPG ← SM
5 | Channel switch report request | STB reports a channel switch to the EPG and requests download of the authorization object | program or content identifier, user ID, etc. | STB → EPG
6 | Channel switch report response | The EPG returns the channel switch response to STB and issues the channel authorization trigger | authorization object identifier, trigger, RM public key, status code, etc. | STB ← EPG
7 | VOD report request | STB reports the start of on-demand playback to the EPG and requests download of the authorization object | program or content identifier, user ID, etc. | STB → EPG
8 | VOD report response | The EPG returns the on-demand start response to STB and issues the VOD authorization trigger | authorization object identifier, trigger, RM public key, status code, etc. | STB ← EPG
9 | IPTV access authentication request | The EPG requests IPTV user access authentication from SM | user and terminal identifiers and attributes, EPG version, etc. | EPG → SM
10 | IPTV access authentication response | SM returns the IPTV user access authentication result to the EPG | status code, electronic program guide template, authorization trigger list, RM public key, user private key, etc. | EPG ← SM
11 | IPTV user private key request | SM requests the IPTV user private key from CA | user ID, etc. | SM → CA
12 | IPTV user private key response | CA returns the IPTV user private key to SM | user ID, user private key, etc. | SM ← CA
13 | Authorization request | The service management unit requests the rights management unit to create an authorization | user ID, device identifier, content identifier, rights description, online status | SM → RM
14 | Authorization response | The rights management unit returns the authorization creation result to the service management unit | authorization object identifier, trigger, RM public key, status code, etc. | SM ← RM
15 | Authorization change request | The service management unit requests the rights management unit to change an authorization | user ID, device identifier, content identifier, rights description, online status, authorization object identifier | SM → RM
16 | Authorization change response | The rights management unit returns the authorization change result to the service management unit | authorization object identifier, trigger, RM public key, status code, etc. | SM ← RM
17 | Authorization revocation request | The service management unit requests the rights management unit to revoke an authorization | authorization object identifier, online status | SM → RM
18 | Authorization revocation response | The rights management unit returns the revocation result to the service management unit | status code | SM ← RM
19 | Authorization query request | The service management unit requests the rights management unit to query an authorization | authorization object identifier, online status | SM → RM
20 | Authorization query response | The rights management unit returns the query result to the service management unit | trigger, RM public key, status code, etc. | SM ← RM
21 | Channel publication notice | The service management unit notifies the EPG to publish a live channel | multicast address, port number, time-shift TV recording file address, etc. | SM → EPG
22 | Channel publication response | The EPG confirms the live channel publication status | status code | SM ← EPG
23 | VOD program publication notice | The service management unit notifies the EPG to publish a VOD program | encrypted VOD program file address, etc. | SM → EPG
24 | VOD program publication response | The EPG confirms the VOD program publication status | status code | SM ← EPG
25 | Key query request | The rights management unit requests the content key from the key management unit | content identifier | RM → KM
26 | Key query response | The key management unit returns the query result to the rights management unit | content key, status code | RM ← KM
27 | Certificate status query request | The rights management unit or the DRM agent queries the certificate status from the certificate management unit | certificate identifier | RM/DA → CA
28 | Certificate status query response | The certificate management unit returns the certificate status query result to the rights management unit or the DRM agent | certificate, status code | RM/DA ← CA
29 | Authorization issued report request | The rights management unit reports to the service management unit that the authorization object was issued successfully | user ID, authorization object identifier | RM → SM
30 | Authorization issued report response | The service management unit returns an acknowledgement to the rights management unit | status code | RM ← SM
31 | Key transfer request | The encryption unit sends the content identifier and content key to the key management unit | transfer type (new or update), content identifier, program name, content key, encryption algorithm, etc. | CE → KM
32 | Key transfer response | The key management unit returns the content identifier and content key transfer status to the encryption unit | status code (success; content identifier empty; content identifier format error; key empty; key length error; duplicate content identifier; content identifier not found; algorithm empty; etc.) | CE ← KM
33 | Channel information transfer request | The encryption unit sends encrypted channel information to the content management unit, or the content management unit to the service management unit | channel descriptor, content identifier, rights management unit address, channel access address, etc. | CE → CM → SM
34 | Channel information transfer response | The content management unit returns the encrypted channel information transfer status to the encryption unit, or the service management unit to the content management unit | status code | CE ← CM ← SM
35 | VOD program information transfer request | The encryption unit sends VOD program information to the content management unit, or the content management unit to the service management unit | VOD program descriptor, content identifier, rights management unit address, encrypted VOD program file access address, etc. | CE → CM → SM
36 | VOD program information transfer response | The content management unit returns the VOD program information transfer status to the encryption unit, or the service management unit to the content management unit | status code | CE ← CM ← SM
Based on the present invention, problems such as the service operation of the protection of IPTV digital program content-encrypt, private key for user safeguard protection, the management of user capture content rights, DRM full-service flow process, digital content, the planning of DRM unit networks are all solved.IPTV DRM business unit network can be planned by pattern shown in Figure 12.
On preventing that digital content is by the basis of bootlegging, the urgent hope of content supplier (CP) can obtain corresponding income according to the traffic carrying capacity that digital content is used by the user.Therefore there is the hope of self-built DRM unit in main flow CP, and non-mainstream CP then wishes to utilize its high value digital content that provides of DRM cell protection of Virtual network operator construction.
CP wishes that also its digital content can be used by the user in a wider context under the protection of DRM system.There is the hope of the local IPTV business of operation in the parton company of Virtual network operator, and other subsidiaries are limited in initial stage number of users and traffic carrying capacity that the IPTV business is carried out, wishes that then the IPTV platform of using parent company commences business.Therefore the networking of IPTV DRM unit must take into account the needs of various CP and the operation IPTV of province company business.
Referring to Fig. 1, the functional modules of the IPTV DRM unit are divided into two groups: the content provide group (CPG, Content Provide Group) and the content operation group (COG, Content Operation Group). The CPG comprises the content source CO, content encryption unit CE, key management unit KM and authorization management unit RM; the COG comprises the content service unit CS, content management unit CM, service management unit SM, certificate management unit CA, EPG, STB and DRM agent DA.
A mainstream CP that wants its own DRM unit can build a CPG, connect it to one or more COGs of network operators and offer DRM-protected content to the subscribers of those COG operators. The CP can collect content fees from users itself, under the control of its own RM, or entrust collection to the cooperating COG owner and share revenue by mutual agreement. Content protection is handled by the CP with its own CE, KM and RM. Key material for the CP's content travels only between the CP's CPG and the DA and is never spread into the COG network, so the scope in which content keys exist is restricted and the CP's digital content is protected more reliably.
A non-mainstream CP can instead supply content to a mainstream CP or network operator that owns a COG, leave DRM protection of its content to the COG owner and negotiate revenue sharing. A network operator may build only a COG, or a CPG as well. The CPG/COG division and the flexible networking patterns it allows fit both a two-tier architecture (national centre plus provincial centres) and a peer architecture of multiple CPs and provincial centres. Once mutual trust is established, network relations form between CPGs and COGs, giving all kinds of CPs and network operators a unified technical basis and great flexibility for broad cooperation in the IPTV DRM business.
Whether a DRM system should be built by the content provider or by the operator has never been settled, so this system is designed so that either the operator or the content provider can build the DRM; on that basis it also supports, within one local operating system, access to several operators or content providers. The network construction diagram is shown in Figure 12, and Figure 13 shows the flow in which a local user accesses content from several parties by visiting several DRM systems. The local SM is configured with several RM addresses so that it can connect to several RMs, and each RM keeps the rights-authorization request records of its users so that periodic reconciliation is possible. Different content accessed by a user may require authorization from different DRMs. As shown in Figure 13, steps 1301-1306 are essentially the same as steps 601-606 in Fig. 6 (that flow covers the case where the local STB has no RO, or its RO is invalid); the difference is that, for the content clicked, SM connects to different RMs via the content's different URL addresses to obtain the corresponding rights. This is not repeated here.
The above are only preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims (16)

1. An IPTV system comprising a content source CO, a content service unit CS, a service management unit SM, an electronic program guide unit EPG and a set-top box STB, characterised in that it further comprises a content encryption unit CE and an authorization management unit RM, wherein:
CE encrypts the digital program supplied by CO and sends the encrypted digital program to CS;
RM queries the content identifier ContentID of the digital program encrypted by CE and the content key Key used for that encryption, creates an authorization object RO containing the ContentID and the Key, and passes the authorization object identifier ROID to SM;
when STB receives an encrypted digital program from CS, it obtains the ROID corresponding to that program by accessing SM through EPG, then obtains the corresponding RO from RM using the ROID, extracts the content key Key from the RO and decrypts the encrypted digital program supplied by CS.
2. The system of claim 1, further comprising a key management unit KM that receives and stores the ContentID created when CE encrypts a digital program together with the corresponding content key Key, for RM to query when it creates the authorization object RO.
3. The system of claim 1, further comprising a content management unit CM that receives the digital program descriptor created when CE encrypts a digital program and supplies it to SM, so that STB is notified that the digital program carrying that descriptor has been published.
4. The system of claim 1, further comprising a certificate management unit CA that stores the STB certificate and the RM certificate and provides STB and RM with status queries on each other's certificates.
5. A digital program publishing method, characterised by the steps of:
A5. the content encryption unit CE allocates a content identifier ContentID and the content key Key needed to encrypt the digital program that is to be encrypted, and encrypts that digital program;
B5. CE generates a descriptor of the encrypted digital program and sends it to the content management unit CM;
C5. CM sends the descriptor to the service management unit SM, and SM notifies the electronic program guide unit EPG to publish the digital program information containing that descriptor.
6. The method of claim 5, wherein step A5 further comprises: CE sends the encrypted digital program to the content service unit CS for storage.
7. The method of claim 5, further comprising: CE sends the ContentID and content key Key it used to the key management unit KM for storage; when a user orders the digital program, the authorization management unit RM reads the ContentID and Key from KM and generates an authorization object RO for that user.
8. The method of claim 5, wherein the descriptor of the encrypted digital program comprises at least: the ContentID of the digital program, the access address of the encrypted digital program, and the address of the authorization management unit RM.
9. A digital program viewing method, in which the service management unit SM keeps the subscription relations of the user's IPTV service and, after the set-top box STB has been authenticated at start-up, the electronic program guide unit EPG publishes the electronic program list, characterised by the steps of:
A9. after a digital program is selected from the electronic program list, STB checks, using the ContentID of that program, whether it already stores the authorization object RO corresponding to that ContentID; if so, go to step D9; otherwise continue with the next step;
B9. STB accesses SM through EPG and obtains the ROID that SM has recorded for that ContentID;
C9. STB accesses RM and obtains the corresponding RO using the ROID;
D9. STB extracts the content key Key contained in the RO;
STB accesses EPG with the ContentID to obtain the address of the encrypted program, and fetches the digital program from the content service unit CS at that address;
E9. STB decrypts the digital program it fetched with the content key Key.
10. The method of claim 9, wherein the ContentIDs of different digital programs correspond to different RMs;
in step B9 STB also obtains from SM the different RM addresses recorded for the different ContentIDs;
in step C9 STB accesses the different RMs according to the different ROIDs.
11. The method of claim 9, further comprising a service ordering step:
A11. when SM receives a user's order for a program, SM requests the authorization management unit RM to create, for that user, the RO corresponding to the ContentID of that program;
B11. on receiving the request, RM requests the content key Key corresponding to that ContentID from the key management unit KM;
RM then creates for the user an RO containing the ContentID and the Key, and returns the ROID of that RO to SM;
C11. SM stores the ROID in the user's service subscription relation.
12. The method of claim 11, further comprising, after step C11:
A12. SM passes the ROID to STB;
B12. STB accesses RM with the ROID, obtains the corresponding RO and stores it.
13. The method of claim 12, wherein the process of STB accessing RM in step B12 further comprises:
RM requests the certificate management unit CA to confirm the legitimacy and validity of STB.
14. The method of claim 12, wherein step B12 further comprises:
RM encrypts the RO with a public key;
STB obtains the private key by accessing the certificate management unit CA and uses that private key to decrypt the RO it obtained.
15. The method of claim 9, wherein the start-up authentication comprises:
on start-up STB sends an access request to EPG, EPG requests IPTV service access authentication from SM, and SM requests authentication from the operation support platform;
STB requests from CA the user private key of the legitimate IPTV user, used to decrypt authorization objects RO; CA returns the IPTV user private key and STB stores it.
16. The method of claim 9, further comprising, after step E9: deleting the RO stored in STB once that RO has expired.
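The publishing and viewing flow of claims 5 to 16, with the key hierarchy of claims 1, 2, 7 and 11 (CE encrypts under a content Key, KM stores ContentID to Key, RM wraps both in an RO sealed to the STB, SM records only the ROID, STB opens the RO and decrypts), as an added worked example in Go. This is not code from the patent or from Huawei. The cipher choices (AES-256-GCM for the program with the ContentID bound as associated data, RSA-OAEP to the STB's public key for the RO, a JSON encoding of the RO, the ROID derived as a hash of the sealed RO), the function names and the sample program bytes are all assumptions made here. Claim 14 does not say whose public key RM uses; the example assumes it is the STB's, whose private half the STB obtains from CA in claim 15.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// RO carries the ContentID and the content Key (claim 1); RM seals it to the STB before release.
type RO struct {
	ContentID string
	Key       []byte
}

// gcm builds AES-256-GCM; callers guarantee a 32-byte key, so failure is a programming error.
func gcm(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for an AES block cipher
	return g
}

// Step A5 / claim 7: CE allocates ContentID and Key, encrypts the program (12-byte nonce prefixed,
// ContentID bound as associated data) and deposits the Key in KM under the ContentID.
func CEEncrypt(km map[string][]byte, plain []byte) (string, []byte) {
	buf := make([]byte, 52) // 32-byte content key, 12-byte GCM nonce, 8 random bytes for the ContentID
	if _, err := rand.Read(buf); err != nil {
		panic(err) // a failing system CSPRNG is not recoverable
	}
	key, nonce, id := buf[:32], buf[32:44:44], hex.EncodeToString(buf[44:]) // nonce capacity capped so append copies
	km[id] = key
	return id, append(nonce, gcm(key).Seal(nil, nonce, plain, []byte(id))...)
}

// gcmOpen is the STB-side inverse of CEEncrypt; it rejects a key of the wrong size or a truncated ciphertext.
func gcmOpen(key, aad, ct []byte) ([]byte, error) {
	if len(key) != 32 || len(ct) < 12 {
		return nil, errors.New("bad key length or truncated ciphertext")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], aad)
}

// Step B11 / claim 14: RM reads the Key from KM, builds the RO and seals it with RSA-OAEP to the STB's
// public key (assumption: the "public key" of claim 14 is the STB's, whose private half CA issues in claim 15).
func RMCreateRO(km map[string][]byte, contentID string, stbPub *rsa.PublicKey) (roID string, sealedRO []byte, err error) {
	key, ok := km[contentID]
	if !ok {
		return "", nil, errors.New("KM has no key for " + contentID)
	}
	plain, _ := json.Marshal(RO{ContentID: contentID, Key: key})
	if sealedRO, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, stbPub, plain, []byte("RO")); err != nil {
		return "", nil, err
	}
	sum := sha256.Sum256(sealedRO) // ROID is an opaque handle: SM records it without ever seeing the Key
	return hex.EncodeToString(sum[:8]), sealedRO, nil
}

// Step B12 / claim 15: STB opens the RO with the private key CA issued to it.
func STBOpenRO(priv *rsa.PrivateKey, sealedRO []byte) (ro RO, err error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealedRO, []byte("RO"))
	if err == nil {
		err = json.Unmarshal(pt, &ro)
	}
	return ro, err
}

// NewSTBKey stands in for the key pair CA provisions to an STB (claim 15).
func NewSTBKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// RunFlow runs steps A5-E9 end to end: CE encrypts, RM issues the RO, SM records only the ROID, STB fetches
// the RO by ROID, checks it is bound to the requested ContentID and decrypts the program with the Key inside.
func RunFlow(stbPriv *rsa.PrivateKey, program []byte) ([]byte, error) {
	km := map[string][]byte{}
	contentID, ct := CEEncrypt(km, program)
	roID, sealedRO, err := RMCreateRO(km, contentID, &stbPriv.PublicKey)
	if err != nil {
		return nil, err
	}
	sm := map[string]string{contentID: roID}     // step C11: the order relation holds the ROID, not the Key
	rmStore := map[string][]byte{roID: sealedRO} // RM keeps sealed ROs by ROID for step B12
	ro, err := STBOpenRO(stbPriv, rmStore[sm[contentID]])
	if err != nil {
		return nil, err
	}
	if ro.ContentID != contentID {
		return nil, errors.New("RO is bound to a different ContentID")
	}
	return gcmOpen(ro.Key, []byte(contentID), ct)
}

func main() {
	out, err := RunFlow(NewSTBKey(), []byte("constructed sample: TS packets of program 42"))
	fmt.Printf("decrypted=%q err=%v\n", out, err)
}
```

What the split buys is visible in the data each unit touches: SM, EPG and CM handle only ContentIDs, ROIDs and addresses, so compromising them does not expose a content key; the Key appears in clear only in CE, KM, RM and the STB. Two caveats the claims leave open are worth checking in any implementation: OAEP gives confidentiality but not origin authentication, so an STB that accepts any RO sealed to its key needs the certificate checks of claims 4 and 13 (or a signature on the RO) before it trusts the Key inside; and the STB's private key protects every RO it has ever received, which is why deleting expired ROs (claim 16) and keeping the CA status queries (claim 4) matter.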
CNB200510063164XA 2005-04-05 2005-04-05 IPTV system, enciphered digital programme issuing and watching method Active CN100459697C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB200510063164XA CN100459697C (en) 2005-04-05 2005-04-05 IPTV system, enciphered digital programme issuing and watching method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB200510063164XA CN100459697C (en) 2005-04-05 2005-04-05 IPTV system, enciphered digital programme issuing and watching method

Publications (2)

Publication Number Publication Date
CN1848944A true CN1848944A (en) 2006-10-18
CN100459697C CN100459697C (en) 2009-02-04

Family

ID=37078274

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB200510063164XA Active CN100459697C (en) 2005-04-05 2005-04-05 IPTV system, enciphered digital programme issuing and watching method

Country Status (1)

Country Link
CN (1) CN100459697C (en)

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008125023A1 (en) * 2007-04-17 2008-10-23 Huawei Technologies Co., Ltd. A system, protecting method and server of realizing virtual channel service
WO2008128475A1 (en) * 2007-04-20 2008-10-30 Huawei Technologies Co., Ltd. Ims based iptv system and content protect serving function entity and method
WO2009024097A1 (en) * 2007-08-22 2009-02-26 Huawei Technologies Co., Ltd. Realization system, method and device for multimedia service
WO2009024071A1 (en) * 2007-08-17 2009-02-26 Huawei Technologies Co., Ltd. System, method and device for realizing iptv media content security
WO2009106007A1 (en) * 2008-02-27 2009-09-03 华为技术有限公司 Method, system and equipment for realizing media security of iptv multicast service
CN101102476B (en) * 2007-08-08 2010-12-08 Ut斯达康通讯有限公司 A method for identifying media asset objects
CN101719975B (en) * 2009-11-25 2011-05-11 中国电信股份有限公司 Remote management method and system of IPTV application
CN101159846B (en) * 2007-11-14 2011-06-08 华为技术有限公司 Method, device and system of limiting terminal access address
CN102123306A (en) * 2010-12-30 2011-07-13 广州杰赛科技股份有限公司 User interaction method based on digital TV network
CN101902611B (en) * 2009-06-01 2012-03-28 航天信息股份有限公司 Method for realizing IPTV digital rights management
CN101227305B (en) * 2007-01-16 2012-11-14 Lg电子株式会社 Method of transmitting/receiving digital contents and digital content reception system
CN102833593A (en) * 2012-07-17 2012-12-19 晨星软件研发(深圳)有限公司 Authorization method and system applied to smart TV (television) as well as smart TV
CN103139642A (en) * 2013-02-20 2013-06-05 深圳创维数字技术有限公司 Method, related device and system of signal encryption achieved in set top box
CN103379365A (en) * 2012-04-27 2013-10-30 日立(中国)研究开发有限公司 Content acquiring device and method and content and multimedia issuing systems
CN103473513A (en) * 2013-08-29 2013-12-25 南京斯谱蓝自动化科技有限公司 Method for encrypting files of digital audio and video library
CN103731628A (en) * 2012-10-10 2014-04-16 株式会社理光 Transmission terminal, transmission system and recording medium
WO2014172976A1 (en) * 2013-04-27 2014-10-30 深圳创维数字技术股份有限公司 Video sharing method and digital television terminal
CN104303514A (en) * 2012-05-17 2015-01-21 日立麦克赛尔株式会社 Content distribution control program, content distribution control device, content distribution device and content distribution system
CN105578284A (en) * 2015-12-24 2016-05-11 四川迪佳通电子有限公司 Method and system for managing interfaces of set top box
CN106331895A (en) * 2016-08-30 2017-01-11 上海寰创网络科技有限公司 Television proxy live broadcast method
CN106341390A (en) * 2016-08-16 2017-01-18 深圳神盾电子科技有限公司 Information spreading control method and system
CN106416282A (en) * 2014-06-04 2017-02-15 萨罗尼科斯贸易与服务人有限公司 Displaying radio-television program query results according to privacy criterion
CN107341404A (en) * 2016-04-29 2017-11-10 晨星半导体股份有限公司 Computing device and data processing method
CN107979767A (en) * 2016-10-25 2018-05-01 中国电信股份有限公司 Content safety transmission method and system, Content Management System and content providing terminal
CN110875820A (en) * 2018-09-03 2020-03-10 国家广播电视总局广播电视科学研究院 Management method and system for multimedia content protection key and key agent device
CN112019934A (en) * 2020-08-19 2020-12-01 深圳感臻科技有限公司 Data processing method and system
CN113536327A (en) * 2020-04-20 2021-10-22 北京沃东天骏信息技术有限公司 Data processing method, device and system
CN114518977A (en) * 2020-11-19 2022-05-20 青岛海信宽带多媒体技术有限公司 Method, device and terminal for detecting and recovering data damage of high-security partition
CN117896179B (en) * 2024-03-14 2024-05-17 深圳市小溪流科技有限公司 Combined URL signature authentication method, device and storage medium thereof

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6865555B2 (en) * 2001-11-21 2005-03-08 Digeo, Inc. System and method for providing conditional access to digital content
CN1438783A (en) * 2002-02-10 2003-08-27 王小芹 Digital enciphering system
US20040054920A1 (en) * 2002-08-30 2004-03-18 Wilson Mei L. Live digital rights management
CN100423575C (en) * 2002-12-25 2008-10-01 潍坊北大青鸟华光电子有限公司 Method for controlling digital TV receive

Cited By (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101227305B (en) * 2007-01-16 2012-11-14 Lg电子株式会社 Method of transmitting/receiving digital contents and digital content reception system
WO2008125023A1 (en) * 2007-04-17 2008-10-23 Huawei Technologies Co., Ltd. A system, protecting method and server of realizing virtual channel service
WO2008128475A1 (en) * 2007-04-20 2008-10-30 Huawei Technologies Co., Ltd. Ims based iptv system and content protect serving function entity and method
CN101102476B (en) * 2007-08-08 2010-12-08 Ut斯达康通讯有限公司 A method for identifying media asset objects
WO2009024071A1 (en) * 2007-08-17 2009-02-26 Huawei Technologies Co., Ltd. System, method and device for realizing iptv media content security
RU2446582C2 (en) * 2007-08-22 2012-03-27 Хуавэй Текнолоджиз Ко., Лтд. System, method and device for implementing multimedia service
US7904925B2 (en) 2007-08-22 2011-03-08 Huawei Technologies Co., Ltd. System, method and device for realizing multimedia service
WO2009024097A1 (en) * 2007-08-22 2009-02-26 Huawei Technologies Co., Ltd. Realization system, method and device for multimedia service
CN101159846B (en) * 2007-11-14 2011-06-08 华为技术有限公司 Method, device and system of limiting terminal access address
WO2009106007A1 (en) * 2008-02-27 2009-09-03 华为技术有限公司 Method, system and equipment for realizing media security of iptv multicast service
CN101902611B (en) * 2009-06-01 2012-03-28 航天信息股份有限公司 Method for realizing IPTV digital rights management
CN101719975B (en) * 2009-11-25 2011-05-11 中国电信股份有限公司 Remote management method and system of IPTV application
CN102123306A (en) * 2010-12-30 2011-07-13 广州杰赛科技股份有限公司 User interaction method based on digital TV network
CN103379365A (en) * 2012-04-27 2013-10-30 日立(中国)研究开发有限公司 Content acquiring device and method and content and multimedia issuing systems
CN103379365B (en) * 2012-04-27 2017-08-08 日立(中国)研究开发有限公司 Content acquisition unit and method, content and multimedia distribution system
CN104303514A (en) * 2012-05-17 2015-01-21 日立麦克赛尔株式会社 Content distribution control program, content distribution control device, content distribution device and content distribution system
CN102833593A (en) * 2012-07-17 2012-12-19 晨星软件研发(深圳)有限公司 Authorization method and system applied to smart TV (television) as well as smart TV
CN102833593B (en) * 2012-07-17 2015-12-16 晨星软件研发(深圳)有限公司 Authorization method, system and intelligent television that a kind of intelligent television is applied
CN103731628A (en) * 2012-10-10 2014-04-16 株式会社理光 Transmission terminal, transmission system and recording medium
CN103139642A (en) * 2013-02-20 2013-06-05 深圳创维数字技术有限公司 Method, related device and system of signal encryption achieved in set top box
WO2014172976A1 (en) * 2013-04-27 2014-10-30 深圳创维数字技术股份有限公司 Video sharing method and digital television terminal
CN103473513A (en) * 2013-08-29 2013-12-25 南京斯谱蓝自动化科技有限公司 Method for encrypting files of digital audio and video library
CN106416282B (en) * 2014-06-04 2020-10-23 萨罗尼科斯贸易与服务一人有限公司 Method, radio-television apparatus and system for protecting user privacy
CN106416282A (en) * 2014-06-04 2017-02-15 萨罗尼科斯贸易与服务人有限公司 Displaying radio-television program query results according to privacy criterion
CN105578284B (en) * 2015-12-24 2019-01-08 四川迪佳通电子有限公司 A kind of set top box interface management method and system
CN105578284A (en) * 2015-12-24 2016-05-11 四川迪佳通电子有限公司 Method and system for managing interfaces of set top box
CN107341404A (en) * 2016-04-29 2017-11-10 晨星半导体股份有限公司 Computing device and data processing method
CN106341390B (en) * 2016-08-16 2019-06-07 深圳神盾电子科技有限公司 A kind of control method and system that information is propagated
CN106341390A (en) * 2016-08-16 2017-01-18 深圳神盾电子科技有限公司 Information spreading control method and system
CN106331895A (en) * 2016-08-30 2017-01-11 上海寰创网络科技有限公司 Television proxy live broadcast method
CN107979767A (en) * 2016-10-25 2018-05-01 中国电信股份有限公司 Content safety transmission method and system, Content Management System and content providing terminal
CN110875820A (en) * 2018-09-03 2020-03-10 国家广播电视总局广播电视科学研究院 Management method and system for multimedia content protection key and key agent device
CN113536327A (en) * 2020-04-20 2021-10-22 北京沃东天骏信息技术有限公司 Data processing method, device and system
CN112019934A (en) * 2020-08-19 2020-12-01 深圳感臻科技有限公司 Data processing method and system
CN112019934B (en) * 2020-08-19 2022-12-23 深圳感臻智能股份有限公司 Data processing method and system
CN114518977A (en) * 2020-11-19 2022-05-20 青岛海信宽带多媒体技术有限公司 Method, device and terminal for detecting and recovering data damage of high-security partition
CN117896179B (en) * 2024-03-14 2024-05-17 深圳市小溪流科技有限公司 Combined URL signature authentication method, device and storage medium thereof

Also Published As

Publication number Publication date
CN100459697C (en) 2009-02-04

Similar Documents

Publication Publication Date Title
CN1848944A (en) IPTV system, enciphered digital programme issuing and watching method
US10848806B2 (en) Technique for securely communicating programming content
US9900306B2 (en) Device authentication for secure key retrieval for streaming media players
CA2622505C (en) Method for verifying a target device connected to a master device
US8474054B2 (en) Systems and methods for conditional access and digital rights management
US8767961B2 (en) Secure live television streaming
US7299362B2 (en) Apparatus of a baseline DVB-CPCM
US8413256B2 (en) Content protection and digital rights management (DRM)
US8458459B2 (en) Client device and local station with digital rights management and methods for use therewith
US20090199287A1 (en) Systems and methods for conditional access and digital rights management
US20070124252A1 (en) Reception device, transmission device, security module, and digital right management system
WO2004051453A1 (en) Multiple content provider user interface
JP2008514123A (en) System and method for providing authorized access to digital content
JP2008523719A (en) Sub-conditional access server method and apparatus
US9330250B2 (en) Authorization of media content transfer between home media server and client device
WO2006109913A1 (en) Broadcasting content protection/management system
US20100008502A1 (en) Content distribution system, content reception terminal, content distribution method and processing method performed when viewing streaming contents
KR20110004332A (en) Processing recordable content in a stream
CN101160965B (en) Method of implementing preview of network TV program, encryption device, copyright center system and subscriber terminal equipment
US8406426B2 (en) Method and apparatus for storing and retrieving encrypted programming content such that it is accessible to authorized users from multiple set top boxes
CN1863303A (en) Content management
WO2003081499A1 (en) License management method and license management apparatus
CN101202883B (en) System for numeral copyright management of IPTV system
CN101895393A (en) IPTV (Internet Protocol Television) user security terminal
US8433926B2 (en) Method and apparatus for storing and retrieving encrypted programming content using an asymmetric key arrangement

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant