WO2002045428A1 - An enciphering system for cable tv network - Google Patents

An enciphering system for cable tv network Download PDF

Info

Publication number
WO2002045428A1
WO2002045428A1 PCT/CN2001/001585 CN0101585W WO0245428A1 WO 2002045428 A1 WO2002045428 A1 WO 2002045428A1 CN 0101585 W CN0101585 W CN 0101585W WO 0245428 A1 WO0245428 A1 WO 0245428A1
Authority
WO
WIPO (PCT)
Prior art keywords
conditional access
encryption
memory
user terminal
algorithm
Prior art date
Application number
PCT/CN2001/001585
Other languages
French (fr)
Chinese (zh)
Inventor
Qin Zhang
Original Assignee
Cathay Roxus Information Technology Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cathay Roxus Information Technology Co., Ltd. filed Critical Cathay Roxus Information Technology Co., Ltd.
Priority to AU2002221506A priority Critical patent/AU2002221506A1/en
Publication of WO2002045428A1 publication Critical patent/WO2002045428A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00Television systems
    • H04N7/16Analogue secrecy systems; Analogue subscription systems
    • H04N7/162Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing
    • H04N7/163Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing by receiver means only
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/238Interfacing the downstream path of the transmission network, e.g. adapting the transmission rate of a video stream to network bandwidth; Processing of multiplex streams
    • H04N21/2389Multiplex stream processing, e.g. multiplex stream encrypting
    • H04N21/23895Multiplex stream processing, e.g. multiplex stream encrypting involving multiplex stream encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/41Structure of client; Structure of client peripherals
    • H04N21/426Internal components of the client ; Characteristics thereof
    • H04N21/42607Internal components of the client ; Characteristics thereof for processing the incoming bitstream
    • H04N21/42615Internal components of the client ; Characteristics thereof for processing the incoming bitstream involving specific demultiplexing arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/41Structure of client; Structure of client peripherals
    • H04N21/426Internal components of the client ; Characteristics thereof
    • H04N21/42607Internal components of the client ; Characteristics thereof for processing the incoming bitstream
    • H04N21/42623Internal components of the client ; Characteristics thereof for processing the incoming bitstream involving specific decryption arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N21/438Interfacing the downstream path of the transmission network originating from a server, e.g. retrieving encoded video stream packets from an IP network
    • H04N21/4385Multiplex stream processing, e.g. multiplex stream decrypting
    • H04N21/43853Multiplex stream processing, e.g. multiplex stream decrypting involving multiplex stream decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/45Management operations performed by the client for facilitating the reception of or the interaction with the content or administrating data related to the end-user or to the client device itself, e.g. learning user preferences for recommending movies, resolving scheduling conflicts
    • H04N21/462Content or additional data management, e.g. creating a master electronic program guide from data received from the Internet and a Head-end, controlling the complexity of a video stream by scaling the resolution or bit-rate based on the client capabilities
    • H04N21/4623Processing of entitlement messages, e.g. ECM [Entitlement Control Message] or EMM [Entitlement Management Message]

Definitions

  • the invention relates to an encryption system, in particular to an encryption system implemented in a software platform on a cable television network.
  • the encryption systems currently used in digital space transmission systems generally include: front-ends, network systems, and user terminals.
  • the front end includes CA-Condition Access server, multiplexer, scrambler, etc.
  • the network system generally uses HFC network; the user terminal consists of code stream receiver, descrambler, demultiplexer, smart card and output unit. And other composition. As shown in Figure 1.
  • This type of cable TV encryption system no longer scrambles the transmitted analog signals, but performs digital encryption processing before sending digital TV programs or broadcast data to the cable network, which avoids the loss of analog TV signals and is more secure. .
  • the encryption system used in digital transmission systems has gone through a long period of development. Initially, due to system security considerations, various encryption system manufacturers often developed and developed encryption systems on their own, and because most encryption products encrypt an application, they are vulnerable to hardware types, application software, and network aspects. Because of this, the compatibility of encryption systems is very poor. Because service providers directly provide end users with receiving devices made according to their own needs, different encryption systems that implement the same function often cannot be replaced with each other, and multiple encryption systems that implement different functions cannot work because they follow their own standards. Together, in this way, the selection of the encryption system for cable TV operators is bound to be limited by matching with existing front-end equipment.
  • the DVB same-density standard uses a common scrambling algorithm and a shared key.
  • This type of encryption system uses CW-Control Word as a key, and uses a certain general scrambling algorithm to scramble a composite transport stream (TS-Transport Stream) containing multiple programs and data.
  • the client's descrambler uses Control words (CW) obtained by smart card decryption to descramble programs and data. The specific process is shown in Figure 3.
  • conditional access server generates a control word according to the authorization requirements for program playback.
  • the conditional access (CA) server obtains the user's address information, authorization information, etc. from the customer management system and combines it with the service key (SK) to form authorization management information (EMM — Entitlement Management Message).
  • Entitlement management information (EMM) is encrypted using a master key (PK—Private Key) and a strong encryption algorithm such as the 3DES algorithm or the RSA algorithm.
  • PK Master Key
  • the front end of the encryption system generates the user terminal master when the smart card is initialized. Key (PK), and the front end stores this master key (PK) in its own database.
  • ECM entitlement control information
  • EMM entitlement management information
  • EMM entitlement management information
  • the smart card in the receiving device (usually a digital set-top box) of the user terminal first obtains the authorization control information (ECM) and authorization management information (EMM) from the transport stream, and then uses the master key (PK) to complete the EMM decryption to obtain the authorization information and The service key (SK), then use SK to decrypt the authorization control information (ECM) to obtain the control word (CW), and pass the decrypted control word (CW) to the descrambler of the set-top box.
  • the descrambler uses the CW and the The descrambling algorithm corresponding to the front end completes the descrambling of programs and data.
  • conditional access servers of different conditional access (CA) vendors can carry multiple ECM and EMM information generated by different conditional access servers in a set of programs to end users with different needs, and the set-top box of the user terminal always serves a single CA system.
  • CA conditional access
  • different service providers must agree to transmit through it, reuse the information of other conditional access systems, and access to their respective set-top boxes. This is always an obstacle for newly added cable operators.
  • Another disadvantage of the same secret is that it increases the occupied bandwidth, because each conditional access system must copy the conditional access information.
  • the DVB multi-density standard and the POD (Point of Deployment) standard integrate the functions of the decryption and descrambling algorithms into a plug-in conditional access module with a universal interface, reflecting the idea of machine-card separation. Therefore, a user terminal of such a system can configure multiple different conditional access modules outside the receiving device, so that the same set-top box can serve multiple conditional access systems.
  • the general interface definition of this type of conditional access module is static, so it can only support the existing conditional access system.
  • the constant resource is its essential defect, plus The cost of the conditional access module is too high, and it has not been widely used.
  • the object of the present invention is to provide a new encryption system, which can easily perform the operation of replacing the scrambling algorithm without having to replace the scrambling chip and descrambling chip, so as to meet the requirements of low cost; meanwhile, the present invention can eliminate the need to replace the encryption.
  • the hardware part of the system realizes the function expansion and upgrade to meet the requirements of openness and flexibility;
  • the encryption system of the present invention includes: a front-end system, a network system, and a user terminal system.
  • the front-end system includes a conditional access server and a multiplexer.
  • the user terminal system includes a code.
  • the front-end system further includes a scrambler, which is composed of a digital signal processor and a memory, and completes the scrambling function by calling a corresponding program in the memory according to an instruction of a conditional access server;
  • a scrambler which is composed of a digital signal processor and a memory, and completes the scrambling function by calling a corresponding program in the memory according to an instruction of a conditional access server;
  • the user terminal system includes a demultiplexer, a descrambler, and a decoder composed of a digital signal processor and a memory, and the functions of demultiplexing, descrambling, and decoding are performed by a digital signal.
  • the number processor calls the corresponding program in the memory to complete.
  • the conditional access server in the front-end system includes functions such as basic client authorization, key management, authorization control information, and authorization management information generation, as well as conditional access management functions.
  • the conditional access server also encapsulates a set of authentication APIs and authorization APIs for call by the billing management system and network management system.
  • the software platformization implementation scheme of the encryption system proposed by the present invention abandons the dedicated scrambling chip and descrambling chip necessary for the hardware implementation form of the encryption system, builds the encryption system on a general-purpose computing platform, and relies on the advantage that the software can be continuously updated.
  • the cable television network performs high-speed and real-time replacement of encryption algorithms and keys, which facilitates the addition and expansion of functions, so that the encryption system can adapt to current and future standards.
  • the invention also uses a high-speed digital processor to provide a physical basis for program encryption, identity authentication, encryption algorithms, real-time updating of keys, and creation of multiple hybrid encryption mechanisms. Therefore, the encryption system involved in the present invention has higher reliability, security, and delay, and provides conditions for the expansion of the business of cable television operators.
  • FIG. 1 is a schematic diagram of a structure of an encryption system of a conventional cable television network.
  • Figure 2 is a schematic diagram of the separation of the scrambling system and the authorization management system in the encryption system of the existing cable television network.
  • FIG 3 shows the specific process of descrambling in the DVB same-secret standard by using the control word (CW) obtained by decryption of the smart card to descramble programs and data.
  • CW control word
  • Fig. 4 is a structural diagram of a front-end system of an encryption system of a cable television network of the present invention.
  • Fig. 5 is a block diagram of a terminal system of an encryption system of a cable television network according to the present invention.
  • Fig. 6 shows the architecture of the user terminal system of the present invention.
  • Fig. 7 shows the architecture of the conditional access system of the present invention.
  • FIG. 8 shows a schematic diagram of a shared front-end platform between a multiplexer and a scrambler in the front-end system of the present invention.
  • the encryption system of the present invention includes: a front-end system, a network system, and a user terminal system.
  • the front-end system of the present invention includes a conditional access (CA) server, a multiplexer, a scrambler, an algorithm management server, and an application program interface API.
  • CA conditional access
  • the scrambler in the front-end system is a system platform with software upgrade function. Its hardware and functions are separated.
  • the scrambler is composed of a hardware DSP processor and a memory. Function modules such as scramble control and scramble algorithm library are stored in the memory. After the scrambler obtains the conditional access control information provided by the conditional access (CA) server, it starts the scramble control module in the scrambler to call the scramble algorithm in the scramble algorithm library,
  • the mixed data stream is scrambled by a single method, multiple methods, or a mixed method.
  • the scrambler can also support the DVB same-density standard and can be compatible with a wide range of other conditional access (CA) systems.
  • the algorithm management server in the front-end system can implement the loading, configuration and maintenance of various scrambling / descrambling algorithms, and provides a set of algorithm upgrade application programming interface (API-Application Programming Interface). System operators can base on this API The interface is designed by itself or a third party is commissioned to design an algorithm that complies with the interface specification and update the existing algorithm.
  • API-Application Programming Interface application programming interface
  • the multiplexer in the front-end system of the present invention can share the front-end platform with the scrambler, as shown in FIG. 8, that is, the front-end memory also stores a multiplexing function module and a configuration management module.
  • the platform is equipped with an Ethernet adapter card, and the external management program can realize the configuration management of different functional modules through the Ethernet interface, and realize the multiplexing function.
  • the encryption system can implement the corresponding function of each conditional access module by calling the conditional access application program interface (referred to as CA API), or can design and add new functional modules based on this API.
  • CA API conditional access application program interface
  • conditional access system's conditional access management module is responsible for managing conditional access modules from different manufacturers that comply with different encryption standards, as well as downloading and replacing algorithms.
  • the conditional access status monitoring module of the conditional access system is responsible for monitoring user authentication. Methods such as method upgrades, conditional access services, etc. When an abnormal situation is found, an alarm is recorded and recorded for future inquiry.
  • the conditional access test module of the conditional access system can use authentication methods such as parity check and hash operation to realize the authentication of all conditional access characteristics and conditional access processing software (including the processing program in the smart card, user information, etc.) If once the characteristics of the smart card of the user terminal or any part of the conditional access system is found to be tampered, that is, the authentication fails, the current conditional access service is immediately closed, and the use of the illegal user is prohibited.
  • this module can also realize the testing of various algorithms, and the testing of ECM and EMM processing by different CA manufacturers.
  • the EMM processing module is responsible for the processing of EMM information from different CA manufacturers.
  • the ECM processing module is responsible for the processing of ECM information from different CA manufacturers.
  • the scrambling / descrambling module is responsible for using a certain algorithm to scramble / descramble the data.
  • the front-end system corresponds to the corresponding conditional access function in the user terminal system.
  • the network system of the present invention may be a fiber optic coaxial cable hybrid network (HFC) network, a digital satellite broadcasting network, a microwave network (MMDS), or an Ethernet network.
  • HFC fiber optic coaxial cable hybrid network
  • MMDS microwave network
  • Ethernet Ethernet network
  • the user terminal system of the present invention is shown in FIG. 5.
  • the rest is a high-speed DSP and a memory (DSP-Digital Signal Processor). , Equivalent to the CPU in the computer).
  • the code stream receiver of the user terminal system of the present invention uses a FPGA-Field Programmable Gate Array to transmit the received digital signals to the DSP at high speed to complete the code stream receiving function.
  • the hardware and functions of the user terminal system are also separated. For example, functions such as demultiplexing, smart card driving, and MPEG decoding are implemented by software in the memory.
  • a conditional access test module, a conditional access status monitoring module, a conditional access management module, an EMM processing module, an ECM processing module, and a descrambling module are stored in its memory. All these conditional access modules are encapsulated into APIs, which are called by the application layer.
  • the user terminal is The conditional access management module, conditional access status monitoring module, and conditional access test module perform conditional access management and monitoring by calling the conditional access API.
  • the EMM processing module and ECM processing module complete the processing of each EMM and ECM information respectively.
  • the software descrambling module realizes descrambling of the data stream. After the descrambled data is decoded by the MPEG decoding module, it is processed and output accordingly.
  • the user terminal system may also call a software download API for conditional access management to implement online upgrade and replacement of the scrambling algorithm.
  • the conditional access server of the present invention mainly includes seven parts: a conditional access (CA) management system, a customer authorization system (SAS-Subscriber Authorization System), a key management system (KM-Key Management), and a synchronizer (SCS) -SimulCrypt Syncronizer), EMMG-Entitlement Management Message Generator, ECMG-Entitlement Control Message Generator, and conditional access algorithm management system.
  • CA conditional access
  • SAS-Subscriber Authorization System customer authorization system
  • KM-Key Management key management system
  • SCS synchronizer
  • EMMG-Entitlement Management Message Generator EMMG-Entitlement Management Message Generator
  • ECMG-Entitlement Control Message Generator ECMG-Entitlement Control Message Generator
  • conditional access algorithm management system mainly includes seven parts: a conditional access (CA) management system, a customer authorization system (SAS-Subscriber Authorization System), a key management system (KM-Key Management), and a synchronizer (SCS)
  • conditional access management system is responsible for detecting and authenticating client set-top boxes and smart cards, testing various algorithms, managing and scheduling conditional access systems that comply with different encryption standards provided by multiple different manufacturers, and downloading and replacing algorithms. Wait.
  • the key management system (KM) is responsible for generating control words (CW) and business keys (SK).
  • the same password synchronizer is responsible for transmitting the control word (CW) generated by KM through the DVB same password standard interface and transmitting it to the authorization control information generator (ECMG) of the access manufacturer with different conditions.
  • the information is encrypted and then sent to the same-level synchronizer (SCS).
  • SCS is responsible for synchronously receiving ECM information from different conditional access vendors and passing it to the multiplexer for insertion into the composite transport stream.
  • the SCS also passes the control word (CW) to the digital scrambler, which controls the scrambler to change the CW and algorithm used for scrambling simultaneously.
  • the authorization management information generator receives the EMM information generated by the customer authorization system (SAS), and then uses this information to communicate with the business secrets.
  • the key (SK) completes the production of the EMM and encrypts it with the customer's master key PK, and then passes it to the multiplexer for insertion into the composite transport stream.
  • the multiplexer implements the same-dense interface of the DVB standard to receive data such as EMM and ECM, and composes all data information into a TS-Transport Stream and sends it downward.
  • the scrambler in the present invention is composed of a DSP chip, a memory, and an I / O interface.
  • the corresponding scrambling control module and scrambling algorithm library are stored in the memory.
  • the scrambling control module in the memory can implement the processing of the scrambling strategy. For example, you can choose to scramble only audio, only scramble video, and intermittently scramble audio / video.
  • the scrambling algorithm library in the memory contains both the DVB general scrambling algorithm and other standard algorithms such as DES and 3DES.
  • the algorithm management system in the conditional access server may select a new algorithm from the algorithm management server of the front-end system and load the scramble algorithm library of the scrambler, thereby facilitating the quick and easy algorithm replacement.
  • the scrambler in the present invention supports the DVB same-density standard, it can be compatible with a wide range of other conditional access (CA) systems, and it can flexibly select different scrambling algorithms. Therefore, the scrambler can serve according to data Different levels of algorithms are set for different data services. For example, for confidential data services such as e-mail, high-level algorithms will be used to ensure encryption.
  • the method is that, by inserting user authorization control information (ECM information) in the composite transport stream, an algorithm and a key are specified for a subsequent code stream of the insertion point.
  • ECM information user authorization control information
  • Fig. 6 shows the architecture of the user terminal system of the present invention.
  • Fig. 7 shows the architecture of the conditional access system of the present invention.
  • the difference between the present invention and the existing user terminal equipment based on the hardware structure is that the present invention uses a DSP processor and a memory to replace the descrambler and the like of the chip structure.
  • Most of the functions on the user side will be implemented on a general-purpose high-speed digital processor (DSP or CPU).
  • DSP digital processor
  • functions such as demultiplexing, smart card driver, and MPEG decoding are implemented by software in the memory.
  • a conditional access test module, a conditional access status monitoring module, a conditional access management module, an EMM processing module, an ECM processing module, and a descrambling module are stored in its memory. All of these conditional access modules are encapsulated into APIs, which are called by the supply layer.
  • the user terminal system calls the conditional access API.
  • the conditional access test module implements authentication of all conditional access features and conditional access processing software (including processing software in the smart card). If the authentication fails, the current conditional access service is closed.
  • the user terminal system calls the conditional access API by the conditional access status monitoring module, which monitors user authentication, algorithm upgrade, and conditional access services, etc. When an abnormal situation is found, it alerts and records in time for future query.
  • the user terminal system calls the conditional access API.
  • the conditional access management module manages the conditional access modules that comply with different encryption standards provided by multiple manufacturers, and implements functions such as downloading and replacing algorithms.
  • the code stream receiving device of the user terminal of the present invention After receiving the transmission information from the HFC network, the code stream receiving device of the user terminal of the present invention calls the EMM and ECM processing modules to obtain the EMM and ECM information, and then calls the smart card driver API to transmit the EMM and ECM information to the smart card (including the virtual card) .
  • the smart card uses the loaded master key (PK) to decrypt the EMM information to obtain the business key
  • the encryption system of the present invention can also realize comprehensive management and monitoring of the conditional access system, which greatly improves the security of the system. Moreover, since the encryption system of the present invention provides a large number of application program interface APIs, corresponding functions can be completed by calling the application program interface APIs of each functional module. When it is necessary to replace and upgrade the scrambling / descrambling algorithms or other functions, only The corresponding application program can be modified, and the functions can be easily expanded and upgraded, which greatly improves the flexibility and versatility.
  • the encryption system of the present invention is built on a general-purpose computing platform, so it can complete various flexible conditional access functions according to the needs of users. Taking the application of flexible customization services as an example, some user-customized programs have been pre-encrypted by the front-end server using private keys and algorithms. At this time, the encryption system of the present invention can complete the authentication of the front-end and the user terminal and establish a secure channel, and obtain the key and algorithm for encrypting the customized program from the private key library and algorithm library of the front-end server. After obtaining the key and algorithm, a specific user terminal completes the descrambling of the program and watches its own customized program content. Other users cannot obtain the service. However, due to the limitation of the existing architecture, the existing encryption system cannot flexibly load new algorithms and keys for specific services, and realize the non-real-time descrambling function of the program.
  • the API of the functions described in the present invention is encapsulated as follows:
  • the smart card API implements the interaction between the application and the smart card.
  • the API mainly includes:
  • ICC-CheckStatus (Card Num): Check the status of the smart card, such as presence or absence, version information, etc.
  • ICC-ReadBin (offset, Data, datalea): Read binary data from smart card ICC-WriteBin (offset, Data, Datalen): write binary data to the smart card ICC-ResetICCard (Card Num): reset the smart card
  • CA descrambling API CA Descrambler
  • CADescrambler (TS_ID, ServiceID, MPEG_Packet, Scrambler Parameter):
  • the ECM / EMM data processing API is responsible for obtaining ECM and EMM information from the TS stream according to related parameters.
  • the API mainly includes:
  • CAGetECM (CA— System— ID, TS—ID, ServicelD, ECMData, Datalen):
  • CAGetEMM (CA— System— ID, TS—ID, EMMData, Datalen):
  • Conditional access test API implements the testing of various functions of the conditional access system.
  • the API mainly includes:
  • CAModuleTester (CA_ System— ID, CAModuleTestResult):
  • CAAlgorithmTester (CAAlgorithmTestResult):
  • Conditional access monitoring API implements the status of conditional access functions running on the platform and records them in a logo file
  • CAMonitorlnitial (CAMonitorlnitialParameter): Initialize the CA monitoring module
  • CAAlgorithmLogFile Get the test file of the algorithm module
  • the conditional access management API is responsible for the management of all modules in the conditional access system.
  • the API mainly includes:
  • CAModuleInitial (CA_ System— ID, CAModuleParameter):
  • CAModuleClose (CA_ System— ID, CAModuleParameter):
  • CAAlgorit ir ⁇ ownload (CAAlgorithmPID, CAAlgorithmFlag, CAAl gorithmparameter): Download an algorithm from the TS stream
  • CAAlgorithmUpgrade (CAAlgorithmFlag, CAAlgorithmParameter, C AAlgorithmAdd): upgrade an algorithm on this platform
  • CASmartCardAppDownload (CASmartCardAppPID, CA_System_ID, CASmartCardAppParameter): Download a new application to the smart card
  • CASmartCardAppUpgrade (CASmartCardAppPID, CA_System_ID 5 C ASmartCardAppParameter): Upgrade the processing software in the smart card.
  • the front-end system When the security algorithm of the system leaks or the user requests to replace the algorithm, the front-end system will update the algorithm in the scrambler through the algorithm management system in the conditional access server.
  • the conditional access server transmits the private data (PD-Private Data) containing the algorithm to the scrambler for scrambling, and multiplexes it into the composite transport stream through a multiplexer, and delivers it to all user terminals along the specified channel.
  • PD-Private Data private data
  • the user terminal After receiving the new algorithm information, the user terminal demultiplexes and descrambles to obtain the contained private data (PD) information, and judges whether the transmitted data is the new algorithm according to the defined algorithm upgrade protocol. If it is determined that the transmitted algorithm is a new version, the software download API of conditional access management is called, the new algorithm is downloaded into the memory, and the original algorithm is overwritten.
  • PD private data
  • the encryption system of the present invention can conveniently and quickly replace and upgrade the scrambling algorithm without having to replace the scrambling and descrambling chips.
  • the range of scrambling algorithms is also greatly expanded. Not only can existing algorithms be used, but also third-party self-design and development, which greatly improves the adaptability and confidentiality of the system.
  • the invention provides a specific implementation scheme for realizing the replacement according to a certain rule or the user and the algorithm at any time, and improves the security of the system.
  • This kind of security is different from that provided by hardware-specific chips.
  • the security of hardware-only chips can only depend on the complexity of an algorithm. If the encryption strength of the algorithm cannot meet the requirements of new services, the security of the network will be affected .
  • the invention can not only change the scrambling algorithm and key through the front-end conditional access server, but also can update the scrambling algorithm at a high speed through the download software of the user terminal, and the download speed can also be changed with the upgrade of the computing capacity of the processor The fault is improved, thereby further ensuring the security of the system.
  • the encryption system implemented in the form of hardware cannot monitor the use status of the user terminal in real time.
  • the encryption system of the present invention can monitor abnormal conditions of user terminals through modules such as conditional access test, conditional access status monitoring, and conditional access management. Once the illegal user information is detected, the current service is shut down to minimize losses.
  • the invention specifically realizes that different encryption methods can be adopted according to the different required encrypted content and the required complexity of encryption, and the problem of incompatibility of the system is solved.
  • the software platform solution enables the encryption system to be compatible with other encryption systems that comply with the corresponding standards, as well as other conditional access (conditional access) systems that comply with the corresponding interface specifications, thereby making the cable television network an open system. .
  • the encryption system implemented in hardware requires a special scrambling / descrambling chip, which requires a certain cost, and the software platform encryption scheme separates the functions from the hardware chip, so the scrambling algorithm can run with other functional software, such as MPEG Decoding, network management software, etc. share the same processor, thereby achieving resource sharing, saving the cost of the descramble / descrambling chip, and reducing the cost of the system.
  • the encryption method For an encryption system implemented in hardware, the encryption method must be attached to the scrambling chip, but the technology systems of various manufacturers are not completely compatible, resulting in a monopoly state of the encryption system.
  • the software platform encryption solution can adapt to future business expansion and standards. Cable TV operators can choose different encryption solutions for different services, and different encryption solutions are compatible. They do not need to rely on a certain vendor at all. The business provided the conditions.
  • the invention can also realize the comprehensive management and monitoring of the encryption system, thereby satisfying the security requirements and being easy to manage.

Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
  • Storage Device Security (AREA)

Abstract

An enciphering system includes head-end, network and user terminal. The head-end inlcudes CA-condition access server and nultiplexer. The user terminal includes stream receiver and I/O device. The head-end also includes scrambler which comprising digital signal processor and memory for performing the scrambling function by using corresponding program according to the command of the server. The user terminal includes demultiplexer comprising digital signal process and memory, descrambler and decoder for perfoming the function of demultiplexing, descrambling and decoding the signal by performing the corresponding program stored in the memory.

Description

有线电视网的加密系统  Encryption system of cable television network
技术领域 Technical field
本发明涉及一种加密系统, 特别涉及一种在有线电视网络上以 软件平台化方式实现的加密系统。  The invention relates to an encryption system, in particular to an encryption system implemented in a software platform on a cable television network.
背景技术  Background technique
早期的有线电视加密系统 (一般用于模拟传输系统) 在前端将 信道中的传输信号加扰, 很易被破解和复制, 而且会产生电视信号 的损耗, 已经逐步被数字系统所取代。  Early cable television encryption systems (usually used in analog transmission systems) scrambled the transmission signals in the channel at the front end, which was easy to crack and copy, and would cause the loss of television signals, which have gradually been replaced by digital systems.
目前用于数宇传输系统中的加密系统一般包括: 前端、 网络系 统、 用户终端。 前端包括条件接入 (CA-Condition Access)服务器、 复 用器、 加扰器等; 网络系统一般采用 HFC网络; 用户终端由码流接 收器、 解扰器、 解复用器、 智能卡和输出单元等构成。 如图 1所示。  The encryption systems currently used in digital space transmission systems generally include: front-ends, network systems, and user terminals. The front end includes CA-Condition Access server, multiplexer, scrambler, etc. The network system generally uses HFC network; the user terminal consists of code stream receiver, descrambler, demultiplexer, smart card and output unit. And other composition. As shown in Figure 1.
此类有线电视加密系统不再对传输的模拟信号加扰, 而是在将 数字电视节目或广播数据送入有线网络之前, 先进行数字加密处理, 避免了模拟电视信号的损耗, 而且更为安全。  This type of cable TV encryption system no longer scrambles the transmitted analog signals, but performs digital encryption processing before sending digital TV programs or broadcast data to the cable network, which avoids the loss of analog TV signals and is more secure. .
应用于数字传输系统中的加密系统经历了很长的发展阶段。 最 初, 各个加密系统生产商出于对系统安全性的考虑, 往往自行研制 与开发加密系统, 又由于多数加密产品是对某一种应用程序进行加 密, 易受到硬件类型、 应用软件及网络等方面的限制, 因此, 加密 系统的兼容性很差。 由于服务提供商直接向最终用户提供根据自身 需求制作的接收装置, 因而导致实现同一功能的不同加密系统之间 常常不能相互替换, 实现不同功能的多个加密系统也由于遵循各自 的标准而不能工作在一起, 如此一来, 有线电视运营商在加密系统 的选择上必然受到与已有前端设备匹配的限制。 同时, 随着有线电 视网业务的快速发展, 若想依靠单一的加密系统来实现诸如视频点 播 (VOD-Video On Demand), Internet TV, 数据通信, 数据广播, 私有虚拟网 (PVN-Private Virtual Net), 互联网服务以及其它未来的 功能, 显然是不现实的。 The encryption system used in digital transmission systems has gone through a long period of development. Initially, due to system security considerations, various encryption system manufacturers often developed and developed encryption systems on their own, and because most encryption products encrypt an application, they are vulnerable to hardware types, application software, and network aspects. Because of this, the compatibility of encryption systems is very poor. Because service providers directly provide end users with receiving devices made according to their own needs, different encryption systems that implement the same function often cannot be replaced with each other, and multiple encryption systems that implement different functions cannot work because they follow their own standards. Together, in this way, the selection of the encryption system for cable TV operators is bound to be limited by matching with existing front-end equipment. At the same time, with the rapid development of cable television network services, if you want to rely on a single encryption system to achieve Broadcast (VOD-Video On Demand), Internet TV, data communication, data broadcasting, private virtual network (PVN-Private Virtual Net), Internet services and other future functions are obviously unrealistic.
为此, 现有加密系统的设计都将加扰系统与授权管理系统分开, 如图 2所示。  For this reason, the design of existing encryption systems separates the scrambling system from the authorization management system, as shown in Figure 2.
目前较常见的如 DVB加密系统以及 OpenCAS等加密系统的设 计都反映了这一思想。 此类加密系统实现了基于内容和多用户管理 的加密方式, 同一内容的加扰可由不同的条件接入厂商完成, 同一 条件接入厂商也可实现对不同内容的加扰, 唯一的前提就是加扰系 统与条件接入系统之间采用符合统一标准规范的接口定义。  The design of more common encryption systems such as DVB encryption system and OpenCAS all reflect this idea. This type of encryption system implements content-based and multi-user management encryption methods. The same content can be scrambled by different conditional access vendors, and the same conditional access vendor can also scramble different content. The only prerequisite is to add The interface definition between the interference system and the conditional access system conforms to the unified standard specification.
DVB 同密标准采用通用的加扰算法与共享密钥。 此类加密系统 使用控制字 (CW-Control Word) 作密钥, 采用一定的通用加扰算法 将包含多个节目和数据的复合传送流 (TS-Transport Stream) 加扰, 客户端的解扰器利用由智能卡解密获得的控制字 (CW) 来解扰节目 和数据。 具体过程如图 3所示。  The DVB same-density standard uses a common scrambling algorithm and a shared key. This type of encryption system uses CW-Control Word as a key, and uses a certain general scrambling algorithm to scramble a composite transport stream (TS-Transport Stream) containing multiple programs and data. The client's descrambler uses Control words (CW) obtained by smart card decryption to descramble programs and data. The specific process is shown in Figure 3.
首先, 条件接入服务器根据节目播放的授权要求, 产生控制字 First, the conditional access server generates a control word according to the authorization requirements for program playback.
(CW-Control Word),并制作授权控制信息(ECM-Entitlement Control Message Generator )0授权控制信息(ECM)使用业务密钥(SK-Service Key) 及密码算法加密。 加扰器使用控制字 (CW) 与加扰算法对节 目与数据传输流进行加扰, 为防止非法侵入和黑客攻击, 控制字(CW-Control Word), and create ECM-Entitlement Control Message Generator. 0 ECM is encrypted using SK-Service Key and password algorithm. The scrambler uses control words (CW) and scrambling algorithms to scramble programs and data transmission streams. To prevent illegal intrusion and hacking, control words
(CW) 每隔 5— 20 秒变化一次, 授权控制信息 (ECM) 消息也随 之发生变化。 (CW) changes every 5-20 seconds, and the entitlement control information (ECM) messages change accordingly.
同时, 条件接入 (CA) 服务器从客户管理系统获取用户的地址 信息、授权信息等,与业务密钥(SK)—起组合成授权管理信息(EMM —Entitlement Management Message )。 授权管理信息 (EMM) 使用 主密钥 (PK— Private Key) 和高强度的加密算法 (如 3DES算法或 RSA算法) 加密。 加密系统前端在初始化智能卡时产生用户终端主 密钥 (PK), 同时, 前端将此主密钥 (ΡΚ) 存入自身的数据库中。 授权控制信息 (ECM) 和授权管理信息 (EMM) 均按照一定的 发送周期插入到经过加扰的复合传输流中, 一起经 HFC网向客户端 传送。 At the same time, the conditional access (CA) server obtains the user's address information, authorization information, etc. from the customer management system and combines it with the service key (SK) to form authorization management information (EMM — Entitlement Management Message). Entitlement management information (EMM) is encrypted using a master key (PK—Private Key) and a strong encryption algorithm such as the 3DES algorithm or the RSA algorithm. The front end of the encryption system generates the user terminal master when the smart card is initialized. Key (PK), and the front end stores this master key (PK) in its own database. Both the entitlement control information (ECM) and the entitlement management information (EMM) are inserted into the scrambled composite transport stream according to a certain transmission period, and are transmitted to the client via the HFC network together.
用户终端的接收装置 (一般为数字机顶盒) 中的智能卡, 先从 传输流中获取授权控制信息 (ECM) 和授权管理信息 (EMM), 然 后利用主密钥(PK)完成 EMM解密得到授权信息和业务密钥(SK), 然后利用 SK解密授权控制信息 (ECM) 获得控制字 (CW), 并将 解密后的控制字 (CW) 传给机顶盒的解扰器, 由解扰器利用 CW 和与前端对应的解扰算法完成节目和数据的解扰。  The smart card in the receiving device (usually a digital set-top box) of the user terminal first obtains the authorization control information (ECM) and authorization management information (EMM) from the transport stream, and then uses the master key (PK) to complete the EMM decryption to obtain the authorization information and The service key (SK), then use SK to decrypt the authorization control information (ECM) to obtain the control word (CW), and pass the decrypted control word (CW) to the descrambler of the set-top box. The descrambler uses the CW and the The descrambling algorithm corresponding to the front end completes the descrambling of programs and data.
由于此类加密系统采用通用的加扰算法与密钥, 系统前端可以 采用不同条件接入 (CA) 厂商的条件接入服务器, 前提是只要这些 条件接入服务器符合 DVB同密标准。 因此, 此类系统可以在一套节 目中携带不同条件接入服务器生成的多个 ECM、 EMM信息给具有 不同需求的终端用户, 而用户终端的机顶盒始终服务于一个单一的 CA系统就可以。这使得同密系统的兼容性很好, 成本也很低。但是, 为了让同密工作, 不同的服务提供商必须同意通过其传输, 复用其 它 条件接入系统的信息, 并且接入到各自的机顶盒中。 这对于新加 入的有线电视运营商而言, 始终是一个障碍。 同密的另一个缺点是 增加了带宽的占用, 因为每一个条件接入系统都要复制条件接入信  Because this type of encryption system uses a common scrambling algorithm and key, the front end of the system can use conditional access servers of different conditional access (CA) vendors, provided that these conditional access servers comply with the DVB same-density standard. Therefore, such a system can carry multiple ECM and EMM information generated by different conditional access servers in a set of programs to end users with different needs, and the set-top box of the user terminal always serves a single CA system. This makes the compatibility with the dense system very good and the cost is very low. However, in order for the same secret to work, different service providers must agree to transmit through it, reuse the information of other conditional access systems, and access to their respective set-top boxes. This is always an obstacle for newly added cable operators. Another disadvantage of the same secret is that it increases the occupied bandwidth, because each conditional access system must copy the conditional access information.
DVB多密标准与 POD (Point of Deployment) 标准等, 将解密 与解扰算法功能都集成到一个具有通用接口的插入式 条件接入模块 中, 体现了机卡分离的思想。 因此, 此类系统的用户终端可在接收 装置外配置多个不同的 条件接入模块, 使得同一机顶盒可以服务于 多个条件接入系统。 此类条件接入模块的通用接口定义是静态的, 因此只能支持现有的 条件接入系统, 资源不变是其本质缺陷, 加上 条件接入模块成本过高, 目前并没有得到广泛应用。 The DVB multi-density standard and the POD (Point of Deployment) standard integrate the functions of the decryption and descrambling algorithms into a plug-in conditional access module with a universal interface, reflecting the idea of machine-card separation. Therefore, a user terminal of such a system can configure multiple different conditional access modules outside the receiving device, so that the same set-top box can serve multiple conditional access systems. The general interface definition of this type of conditional access module is static, so it can only support the existing conditional access system. The constant resource is its essential defect, plus The cost of the conditional access module is too high, and it has not been widely used.
我们可以看出, 上述硬件形式的加密系统, 无论其采用何种标 准, 都具有一定缺陷。 如果非法用户采用光学蚀刻, 反向跟踪, 修 改时钟等手段读取、 篡改或复制智能卡内的信息, 非法享用服务时, 有线电视运营商无法监控到这一情况并及时更换算法与密钥, 安全 性难以得到保障。 而且一旦加解扰算法需要更新时, 则用户端必须 更换新的解扰芯片, 成本也较高。 此外, 硬件形式的加密系统由于 受到其体系结构的限制, 很难根据实际应用的需要增加新的功能。  We can see that the above-mentioned hardware-based encryption system, regardless of the standard, has certain defects. If an illegal user uses optical etching, back tracking, clock modification, etc. to read, tamper with, or copy the information in the smart card, when enjoying the service illegally, the cable TV operator cannot monitor this situation and replace the algorithm and key in time. Security Sex is difficult to secure. Moreover, once the descrambling algorithm needs to be updated, the user terminal must replace the descrambling chip with a new one, and the cost is also high. In addition, the encryption system in the form of hardware is limited by its architecture, and it is difficult to add new functions according to the needs of practical applications.
例如, 现有加密标准中都未定义前端系统与用户终端的互操作 功能, 无法实现算法的实时更新与升级。 现有系统也无法支持例如 非实时文件解密等其他灵活的 条件接入服务。 可见, 目前已有的硬 件形式实现的加密系统在安全性、 开放性、 灵活性、 易管理性等方 面, 仍然无法真正满足人们对加密系统通用易用的需求。  For example, none of the existing encryption standards defines the interoperation function between the front-end system and the user terminal, and it is impossible to achieve real-time update and upgrade of the algorithm. Existing systems also cannot support other flexible conditional access services such as non-real-time file decryption. It can be seen that the existing encryption systems implemented in the form of hardware still fail to truly meet people's general and easy-to-use requirements for encryption systems in terms of security, openness, flexibility, and manageability.
发明的公开  Disclosure of invention
因此, 本发明的目的是提供一种新的加密系统, 能够方便地进 行更换加扰算法操作, 而不必更换加扰芯片与解扰芯片, 满足低成 本的需求; 同时本发明可而不必更换加密系统的硬件部分而实现功 能的扩展与升级, 满足开放性、 灵活性的需求;  Therefore, the object of the present invention is to provide a new encryption system, which can easily perform the operation of replacing the scrambling algorithm without having to replace the scrambling chip and descrambling chip, so as to meet the requirements of low cost; meanwhile, the present invention can eliminate the need to replace the encryption. The hardware part of the system realizes the function expansion and upgrade to meet the requirements of openness and flexibility;
本发明是通过以下技术方案来实现的: 本发明的加密系统, 包 括: 前端系统、 网络系统、 用户终端系统, 所述前端系统包括条件 接入服务器、 复用器, 所述用户终端系统包括码流接收器、 输出装 置, 其特征在于,  The present invention is achieved through the following technical solutions: The encryption system of the present invention includes: a front-end system, a network system, and a user terminal system. The front-end system includes a conditional access server and a multiplexer. The user terminal system includes a code. A stream receiver and an output device,
所述前端系统还包括加扰器, 所述加扰器由数字信号处理器和 存储器构成, 根据条件接入服务器的指令, 通过调用存储器中的相 应程序, 完成加扰功能;  The front-end system further includes a scrambler, which is composed of a digital signal processor and a memory, and completes the scrambling function by calling a corresponding program in the memory according to an instruction of a conditional access server;
所述用户终端系统包括由数字信号处理器和存储器构成的解复 用器、 解扰器和解码器, 其解复用、 解扰、 解码的功能通过数字信 号处理器调用存储器中的相应程序来完成。 The user terminal system includes a demultiplexer, a descrambler, and a decoder composed of a digital signal processor and a memory, and the functions of demultiplexing, descrambling, and decoding are performed by a digital signal. The number processor calls the corresponding program in the memory to complete.
前端系统中的条件接入服务器除包含基本的客户授权、 密钥管 理、 授权控制信息与授权管理信息的发生等功能外, 还包括条件接 入管理功能。 条件接入服务器还封装了一套认证 API与授权 API, 供计费管理系统, 网管系统等调用。  The conditional access server in the front-end system includes functions such as basic client authorization, key management, authorization control information, and authorization management information generation, as well as conditional access management functions. The conditional access server also encapsulates a set of authentication APIs and authorization APIs for call by the billing management system and network management system.
本发明提出的加密系统软件平台化实现方案, 抛弃了硬件实现 形式加密系统所必须的专用加扰芯片与解扰芯片, 把加密体系建立 在通用运算平台上, 依靠软件可以不断更新的优势, 通过有线电视 网络对加密算法和密钥进行高速地实时更换, 便于功能的增加与扩 展, 使得加密体系可以适应现在和未来的标准。 本发明还利用高速 的数字处理器, 为实现节目加密、 身份认证、 加密算法、 密钥的实 时更新及创造多种混合加密机制提供了物理基础。 因此, 本发明所 涉及的加密系统具有更高的可靠性、 安全性与时延性, 为有线电视 运营商业务的拓展提供了条件。  The software platformization implementation scheme of the encryption system proposed by the present invention abandons the dedicated scrambling chip and descrambling chip necessary for the hardware implementation form of the encryption system, builds the encryption system on a general-purpose computing platform, and relies on the advantage that the software can be continuously updated. The cable television network performs high-speed and real-time replacement of encryption algorithms and keys, which facilitates the addition and expansion of functions, so that the encryption system can adapt to current and future standards. The invention also uses a high-speed digital processor to provide a physical basis for program encryption, identity authentication, encryption algorithms, real-time updating of keys, and creation of multiple hybrid encryption mechanisms. Therefore, the encryption system involved in the present invention has higher reliability, security, and delay, and provides conditions for the expansion of the business of cable television operators.
附图的简要说明  Brief description of the drawings
图 1是现有的有线电视网络的加密系统的结构的示意图。  FIG. 1 is a schematic diagram of a structure of an encryption system of a conventional cable television network.
图 2 是现有的有线电视网络的加密系统中加扰系统和授权管理 系统分离的示意图。  Figure 2 is a schematic diagram of the separation of the scrambling system and the authorization management system in the encryption system of the existing cable television network.
图 3 是 DVB 同密标准中解扰器利用由智能卡解密获得的控制 字 (CW) 来解扰节目和数据的具体过程。  Figure 3 shows the specific process of descrambling in the DVB same-secret standard by using the control word (CW) obtained by decryption of the smart card to descramble programs and data.
图 4是本发明的有线电视网络的加密系统的前端系统的结构图。 图 5是本发明的有线电视网络的加密系统的终端系统的结构图。 图 6表示本发明的用户终端系统的体系结构。  Fig. 4 is a structural diagram of a front-end system of an encryption system of a cable television network of the present invention. Fig. 5 is a block diagram of a terminal system of an encryption system of a cable television network according to the present invention. Fig. 6 shows the architecture of the user terminal system of the present invention.
图 7表示本发明的条件接入系统的体系结构。  Fig. 7 shows the architecture of the conditional access system of the present invention.
图 8 表示本发明的前端系统中的复用器与加扰器共用前端平台 的示意图。  FIG. 8 shows a schematic diagram of a shared front-end platform between a multiplexer and a scrambler in the front-end system of the present invention.
实施发明的最佳实施例 本发明的加密系统, 包括: 前端系统、 网络系统、 用户终端系 统。 本发明的前端系统如图 4所示, 包括条件接入 (CA) 服务器、 复用器、 加扰器、 算法管理服务器及应用程序接口 API。 Best Mode for Implementing the Invention The encryption system of the present invention includes: a front-end system, a network system, and a user terminal system. As shown in FIG. 4, the front-end system of the present invention includes a conditional access (CA) server, a multiplexer, a scrambler, an algorithm management server, and an application program interface API.
前端系统中的加扰器是一个具备软件升级功能的系统平台, 其 硬件与功能分开。 加扰器由硬件 DSP处理器与存储器等构成。 存储 器中存有加扰控制与加扰算法库等功能模块。 加扰器获得由条件接 入 (CA) 服务器提供的条件接入控制信息后, 启动所述加扰器中的 加扰控制模块来调用加扰算法库中的加扰算法, 对经过复用器混合 的数据流进行单一方法、 多种方法或混合方法的加扰。 所述加扰器 还可以支持 DVB 同密标准, 能够与广泛的其它条件接入 (CA) 系 统兼容。  The scrambler in the front-end system is a system platform with software upgrade function. Its hardware and functions are separated. The scrambler is composed of a hardware DSP processor and a memory. Function modules such as scramble control and scramble algorithm library are stored in the memory. After the scrambler obtains the conditional access control information provided by the conditional access (CA) server, it starts the scramble control module in the scrambler to call the scramble algorithm in the scramble algorithm library, The mixed data stream is scrambled by a single method, multiple methods, or a mixed method. The scrambler can also support the DVB same-density standard and can be compatible with a wide range of other conditional access (CA) systems.
前端系统中的算法管理服务器可以实现各种加 /解扰算法的载 入、 配置与维护, 并且提供了一套算法升级的应用程序接口 (API- Application Programming Interface), 系统运营商可以基于该 API接 口自行设计或委托第三方设计符合接口规范的算法并更新已有算 法。  The algorithm management server in the front-end system can implement the loading, configuration and maintenance of various scrambling / descrambling algorithms, and provides a set of algorithm upgrade application programming interface (API-Application Programming Interface). System operators can base on this API The interface is designed by itself or a third party is commissioned to design an algorithm that complies with the interface specification and update the existing algorithm.
本发明前端系统中的复用器可与加扰器共用前端平台, 如图 8 所示, 即前端的存储器中还存有多路复用功能模块及配置管理模块。 该平台配置以太网适配卡, 外部管理程序可通过以太网接口实现对 不同功能模块的配置管理, 实现多路复用功能。  The multiplexer in the front-end system of the present invention can share the front-end platform with the scrambler, as shown in FIG. 8, that is, the front-end memory also stores a multiplexing function module and a configuration management module. The platform is equipped with an Ethernet adapter card, and the external management program can realize the configuration management of different functional modules through the Ethernet interface, and realize the multiplexing function.
加密系统可通过调用条件接入应用程序接口 (简称 CA API) 实 现各条件接入模块的相应功能, 或者可基于此 API设计及增加新的 功能模块。  The encryption system can implement the corresponding function of each conditional access module by calling the conditional access application program interface (referred to as CA API), or can design and add new functional modules based on this API.
条件接入系统的 条件接入管理模块负责管理多个不同厂家提供 的符合不同加密标准的 条件接入模块, 以及实现算法的下载与更换 等功能。  The conditional access system's conditional access management module is responsible for managing conditional access modules from different manufacturers that comply with different encryption standards, as well as downloading and replacing algorithms.
条件接入系统的 条件接入状态监控模块负责监控用户认证, 算 法升级, 条件接入服务等状态, 发现异常情况时及时告警并记录, 供日后查询。 The conditional access status monitoring module of the conditional access system is responsible for monitoring user authentication. Methods such as method upgrades, conditional access services, etc. When an abnormal situation is found, an alarm is recorded and recorded for future inquiry.
条件接入系统的 条件接入测试模块, 可采用奇偶校验、 哈希运 算等认证方法实现对所有条件接入特性及条件接入处理软件 (包括 智能卡内的处理程序, 用户信息等) 的认证, 若一旦发现用户终端 智能卡的特性或 条件接入系统的任何部分被篡改, 即认证失败, 则 立刻关闭当前 条件接入服务, 禁止非法用户的使用。 此外, 此模块 还可实现对各种算法的测试, 不同 CA厂家 ECM、 EMM处理的测 试等。  The conditional access test module of the conditional access system can use authentication methods such as parity check and hash operation to realize the authentication of all conditional access characteristics and conditional access processing software (including the processing program in the smart card, user information, etc.) If once the characteristics of the smart card of the user terminal or any part of the conditional access system is found to be tampered, that is, the authentication fails, the current conditional access service is immediately closed, and the use of the illegal user is prohibited. In addition, this module can also realize the testing of various algorithms, and the testing of ECM and EMM processing by different CA manufacturers.
EMM处理模块负责不同 CA厂家的 EMM信息的处理。 ECM 处理模块负责不同 CA厂家的 ECM信息的处理。 加 /解扰模块负责 采用一定的算法对数据进行加 /解扰。 前端系统与用户终端系统内的 相应条件接入功能一一对应。  The EMM processing module is responsible for the processing of EMM information from different CA manufacturers. The ECM processing module is responsible for the processing of ECM information from different CA manufacturers. The scrambling / descrambling module is responsible for using a certain algorithm to scramble / descramble the data. The front-end system corresponds to the corresponding conditional access function in the user terminal system.
本发明的网络系统可以是光纤同轴电缆混合网 (HFC) 网络、 数字卫星广播网络、 微波网络 (MMDS)、 以太网。  The network system of the present invention may be a fiber optic coaxial cable hybrid network (HFC) network, a digital satellite broadcasting network, a microwave network (MMDS), or an Ethernet network.
本发明的用户终端系统如图 5 所示, 用户终端系统的硬件部分 除包括码流接收器与输入 /输出装置等之外, 其余部分是高速 DSP与 存储器 (DSP-Digital Signal Processor数字信号处理器, 相当于计算 机中的 CPU)。  The user terminal system of the present invention is shown in FIG. 5. In addition to the hardware part of the user terminal system, which includes a code stream receiver and an input / output device, the rest is a high-speed DSP and a memory (DSP-Digital Signal Processor). , Equivalent to the CPU in the computer).
本发明用户终端系统的码流接收器采用现场可编程门阵列 (FPGA-Field Programmable Gate Array) 将接收的数字信号高速传 送给 DSP, 完成码流接收功能。  The code stream receiver of the user terminal system of the present invention uses a FPGA-Field Programmable Gate Array to transmit the received digital signals to the DSP at high speed to complete the code stream receiving function.
用户终端系统的硬件与功能也是分开的。 例如, 解复用、 智能 卡驱动、 MPEG解码等功能即由存储器中的软件实现。 此外, 其存 储器中还存有 条件接入测试模块、 条件接入状态监控模块、 条件接 入管理模块、 EMM处理模块、 ECM 处理模块、 解扰模块等。 所有 这些 条件接入模块都封装成 API, 供应用层调用。 所述用户终端系 统通过调用 条件接入 API 由 条件接入管理模块、 条件接入状态监 控模块、 条件接入测试模块进行 条件接入的管理与监控。 EMM 处 理模块、 ECM处理模块分别完成各 EMM、 ECM信息的处理。 软件 解扰模块, 实现对数据流的解扰, 解扰后的数据经 MPEG解码模块 解码后, 做相应的处理并输出。 所述用户终端系统还可调用 条件接 入管理的软件下载 API, 实现对加扰算法的在线升级与替换。 The hardware and functions of the user terminal system are also separated. For example, functions such as demultiplexing, smart card driving, and MPEG decoding are implemented by software in the memory. In addition, a conditional access test module, a conditional access status monitoring module, a conditional access management module, an EMM processing module, an ECM processing module, and a descrambling module are stored in its memory. All these conditional access modules are encapsulated into APIs, which are called by the application layer. The user terminal is The conditional access management module, conditional access status monitoring module, and conditional access test module perform conditional access management and monitoring by calling the conditional access API. The EMM processing module and ECM processing module complete the processing of each EMM and ECM information respectively. The software descrambling module realizes descrambling of the data stream. After the descrambled data is decoded by the MPEG decoding module, it is processed and output accordingly. The user terminal system may also call a software download API for conditional access management to implement online upgrade and replacement of the scrambling algorithm.
以下说明本发明的加密系统的具体工作过程。  The specific working process of the encryption system of the present invention will be described below.
一、 数据的加扰  I. Scrambling of data
1、 条件接入服务器  1. Conditional access server
本发明的条件接入服务器主要包括七个部分: 条件接入 (CA) 管理系统, 客户授权系统 (SAS-Subscriber Authorization System), 密钥管理系统(KM-Key Management), 同密同步器(SCS-SimulCrypt Syncronizer), 授权管理信息发生器 (EMMG-Entitlement Management Message Generator),授权控制信息发生器(ECMG-Entitlement Control Message Generator) 以及条件接入算法管理系统。  The conditional access server of the present invention mainly includes seven parts: a conditional access (CA) management system, a customer authorization system (SAS-Subscriber Authorization System), a key management system (KM-Key Management), and a synchronizer (SCS) -SimulCrypt Syncronizer), EMMG-Entitlement Management Message Generator, ECMG-Entitlement Control Message Generator, and conditional access algorithm management system.
所述 条件接入管理系统负责对客户端机顶盒和智能卡的检测与 认证, 对各种算法的测试, 管理调度多个不同厂家提供的符合不同 加密标准的条件接入系统, 以及算法的下载与更换等。  The conditional access management system is responsible for detecting and authenticating client set-top boxes and smart cards, testing various algorithms, managing and scheduling conditional access systems that comply with different encryption standards provided by multiple different manufacturers, and downloading and replacing algorithms. Wait.
密钥管理系统(KM) 负责产生控制字 (CW)与业务密钥 (SK) 等。 同密同步器负责将 KM产生的控制字 (CW) 通过 DVB同密标 准接口,传送给不同条件接入厂商的授权控制信息发生器(ECMG), ECMG根据节目信息与控制字 (CW) 制作 ECM信息并对其加密, 然后再发送给同密同步器 (SCS ), 由 SCS 负责同步接收不同 条件 接入厂商的 ECM信息, 并传递给复用器以插入到复合传输流中。 同 时, SCS也将控制字 (CW) 传给数字加扰器, 控制加扰器同步更换 加扰用的 CW与算法。 而授权管理信息发生器 (EMMG) 接收由客 户授权系统 (SAS) 产生的 EMM信息, 然后根据此信息与业务密 钥 (SK) 完成 EMM的制作并用该客户的主密钥 PK对其加密, 然 后传递给复用器以插入到复合传输流中。 The key management system (KM) is responsible for generating control words (CW) and business keys (SK). The same password synchronizer is responsible for transmitting the control word (CW) generated by KM through the DVB same password standard interface and transmitting it to the authorization control information generator (ECMG) of the access manufacturer with different conditions. The information is encrypted and then sent to the same-level synchronizer (SCS). The SCS is responsible for synchronously receiving ECM information from different conditional access vendors and passing it to the multiplexer for insertion into the composite transport stream. At the same time, the SCS also passes the control word (CW) to the digital scrambler, which controls the scrambler to change the CW and algorithm used for scrambling simultaneously. The authorization management information generator (EMMG) receives the EMM information generated by the customer authorization system (SAS), and then uses this information to communicate with the business secrets. The key (SK) completes the production of the EMM and encrypts it with the customer's master key PK, and then passes it to the multiplexer for insertion into the composite transport stream.
2、 复用器  2. Multiplexer
复用器实现 DVB标准规范的同密接口接收 EMM、 ECM等数据, 并将所有数据信息复合到一个传输流 (TS-Transport Stream) 中, 向 下发送。  The multiplexer implements the same-dense interface of the DVB standard to receive data such as EMM and ECM, and composes all data information into a TS-Transport Stream and sends it downward.
3、 加扰器  3. Scrambler
本发明中的加扰器由 DSP芯片、 存储器及 I/O接口构成。 存储 器中存有相应的加扰控制模块与加扰算法库。 存储器中的加扰控制 模块可实现加扰策略的处理, 如可选择只加扰音频, 只加扰视频, 断续加扰音频 /视频等。 存储器中的加扰算法库内既含有 DVB 通用 加扰算法, 也支持标准 DES、 3DES 等其它算法。 由于所述加扰器 的功能都由软件模块来实现, 与硬件无关, 所以当需要更换加扰算 法时, 只需对相应的程序进行升级即可, 不必再更换加扰与解扰芯 片, 可以很容易的与新需求相适应。 而且, 当需要时, 条件接入服 务器中的算法管理系统可以从所述前端系统的算法管理服务器中选 择新的算法, 载入加扰器的加扰算法库, 从而方便快速的实现算法 更换。  The scrambler in the present invention is composed of a DSP chip, a memory, and an I / O interface. The corresponding scrambling control module and scrambling algorithm library are stored in the memory. The scrambling control module in the memory can implement the processing of the scrambling strategy. For example, you can choose to scramble only audio, only scramble video, and intermittently scramble audio / video. The scrambling algorithm library in the memory contains both the DVB general scrambling algorithm and other standard algorithms such as DES and 3DES. Because the functions of the scrambler are all implemented by software modules and have nothing to do with hardware, when the scrambling algorithm needs to be replaced, only the corresponding program needs to be upgraded, and it is not necessary to replace the scrambling and descrambling chip. It is easy to adapt to new requirements. Moreover, when needed, the algorithm management system in the conditional access server may select a new algorithm from the algorithm management server of the front-end system and load the scramble algorithm library of the scrambler, thereby facilitating the quick and easy algorithm replacement.
此外, 由于本发明中的加扰器支持 DVB同密标准, 能够与广泛 的其它条件接入 (CA) 系统兼容, 并且可以灵活的选用不同的加扰 算法, 因此, 加扰器可以根据数据服务的等级不同, 对各种数据服 务设置不同的算法等级。 例如对于电子邮件等保密性强的数据服务, 将选用高等级的算法来保证加密性。 方法是, 通过在复合传输流中 插入用户授权控制信息 (ECM信息), 为插入点的后续码流指定算 法和密钥。 但在现有的加密系统中, 由于加扰器的结构以芯片方式 存在, 能够提供的算法数量有限, 尤其已有的算法可靠性较差, 需 要新的算法来保证加密性时, 则已有的加密系统将无法满足这一要 求。 In addition, since the scrambler in the present invention supports the DVB same-density standard, it can be compatible with a wide range of other conditional access (CA) systems, and it can flexibly select different scrambling algorithms. Therefore, the scrambler can serve according to data Different levels of algorithms are set for different data services. For example, for confidential data services such as e-mail, high-level algorithms will be used to ensure encryption. The method is that, by inserting user authorization control information (ECM information) in the composite transport stream, an algorithm and a key are specified for a subsequent code stream of the insertion point. However, in the existing encryption system, because the structure of the scrambler exists in a chip manner, the number of algorithms that can be provided is limited, especially the reliability of the existing algorithms is poor, and when new algorithms are needed to ensure the encryption, there are already Encryption system will not meet this requirement begging.
二、 数据的解扰  Data descrambling
图 6表示本发明的用户终端系统的体系结构。 图 7表示本发明 的 条件接入系统的体系结构。  Fig. 6 shows the architecture of the user terminal system of the present invention. Fig. 7 shows the architecture of the conditional access system of the present invention.
本发明与现有的基于硬件结构的用户终端设备所不同的是, 本 发明用 DSP处理器和存储器来代替芯片结构的解扰器等。 用户端大 部分功能的实现将在通用的高速数字处理器(DSP或 CPU)上完成。 例如, 解复用、 智能卡驱动、 MPEG解码等功能即由存储器中的软 件实现。 此外, 其存储器中还存有 条件接入测试模块、 条件接入状 态监控模块、 条件接入管理模块、 EMM处理模块、 ECM处理模块、 解扰模块等。 所有这些 条件接入模块都封装成为 API, 供应用层调 用。  The difference between the present invention and the existing user terminal equipment based on the hardware structure is that the present invention uses a DSP processor and a memory to replace the descrambler and the like of the chip structure. Most of the functions on the user side will be implemented on a general-purpose high-speed digital processor (DSP or CPU). For example, functions such as demultiplexing, smart card driver, and MPEG decoding are implemented by software in the memory. In addition, a conditional access test module, a conditional access status monitoring module, a conditional access management module, an EMM processing module, an ECM processing module, and a descrambling module are stored in its memory. All of these conditional access modules are encapsulated into APIs, which are called by the supply layer.
用户终端系统调用 条件接入 API 由 条件接入测试模块实现对 所有条件接入 特性及 条件接入处理软件 (包括智能卡内的处理软 件) 的认证, 若认证失败则关闭当前条件接入服务。  The user terminal system calls the conditional access API. The conditional access test module implements authentication of all conditional access features and conditional access processing software (including processing software in the smart card). If the authentication fails, the current conditional access service is closed.
用户终端系统调用 条件接入 API 由 条件接入状态监控模块, 监控用户认证, 算法升级, 条件接入服务等状态, 发现异常情况时 及时告警并记录, 供日后查询。  The user terminal system calls the conditional access API by the conditional access status monitoring module, which monitors user authentication, algorithm upgrade, and conditional access services, etc. When an abnormal situation is found, it alerts and records in time for future query.
用户终端系统调用 条件接入 API 由 条件接入管理模块, 管理 多个不同厂家提供的符合不同加密标准的 条件接入模块, 以及实现 算法的下载与更换等功能。  The user terminal system calls the conditional access API. The conditional access management module manages the conditional access modules that comply with different encryption standards provided by multiple manufacturers, and implements functions such as downloading and replacing algorithms.
本发明用户终端的码流接收装置从 HFC 网中获得传输信息后, 调用 EMM、 ECM处理模块, 获得 EMM与 ECM信息, 然后调用智 能卡驱动 API, 将 EMM与 ECM信息传送给智能卡 (包括虚拟卡)。 智能卡利用已经载入的主密钥 (PK) 解密 EMM信息得到业务密钥 After receiving the transmission information from the HFC network, the code stream receiving device of the user terminal of the present invention calls the EMM and ECM processing modules to obtain the EMM and ECM information, and then calls the smart card driver API to transmit the EMM and ECM information to the smart card (including the virtual card) . The smart card uses the loaded master key (PK) to decrypt the EMM information to obtain the business key
(SK), 然后利用 SK解密获得的 ECM信息, 得到控制字 (CW), 并传送给解扰器。 然后, 调用解扰 API解扰码流。 最后由 MPEG解 码模块解码获得数字电视服务。 (SK), and then use the SK to decrypt the obtained ECM information to obtain a control word (CW) and send it to the descrambler. Then, the descrambling API is called to descramble the code stream. Finally solved by MPEG The code module decodes to obtain digital television services.
可见, 本发明的加密系统也可实现条件接入系统的全面管理与 监控, 大大提高了系统的安全性。 而且, 由于本发明的加密系统提 供了大量的应用程序接口 API, 通过调用各个功能模块的应用程序 接口 API即可完成相应功能, 当需要更换与升级加 /解扰算法或其它 功能时, 只需对相应的应用程序进行修改即可, 能很方便地进行功 能扩展与升级, 大大提高了灵活性与通用性。  It can be seen that the encryption system of the present invention can also realize comprehensive management and monitoring of the conditional access system, which greatly improves the security of the system. Moreover, since the encryption system of the present invention provides a large number of application program interface APIs, corresponding functions can be completed by calling the application program interface APIs of each functional module. When it is necessary to replace and upgrade the scrambling / descrambling algorithms or other functions, only The corresponding application program can be modified, and the functions can be easily expanded and upgraded, which greatly improves the flexibility and versatility.
三、 灵活支持多种条件接入服务  3. Flexible support for multiple conditional access services
本发明的加密体系建立在通用的运算平台上, 因此可以根据用 户的需要完成各种灵活的 条件接入功能。 以应用灵活的定制服务为 例, 某些用户定制的节目已由前端服务器利用私有的密钥与算法进 行了预加密。 此时, 本发明的加密系统即可完成前端与用户终端的 认证并建立安全通道, 从前端服务器私有的密钥库与算法库中获得 加密该定制节目的密钥与算法。 特定的用户终端在获得该密钥与算 法后, 完成所述节目的解扰, 收看自己定制的节目内容, 其它的用 户则不可能得到该服务。 而目前已有的加密系统由于受到体系结构 的限制, 无法针对特定的服务灵活载入新的算法与密钥, 实现节目 的非实时解扰功能。  The encryption system of the present invention is built on a general-purpose computing platform, so it can complete various flexible conditional access functions according to the needs of users. Taking the application of flexible customization services as an example, some user-customized programs have been pre-encrypted by the front-end server using private keys and algorithms. At this time, the encryption system of the present invention can complete the authentication of the front-end and the user terminal and establish a secure channel, and obtain the key and algorithm for encrypting the customized program from the private key library and algorithm library of the front-end server. After obtaining the key and algorithm, a specific user terminal completes the descrambling of the program and watches its own customized program content. Other users cannot obtain the service. However, due to the limitation of the existing architecture, the existing encryption system cannot flexibly load new algorithms and keys for specific services, and realize the non-real-time descrambling function of the program.
四、 API封装  Fourth, API packaging
作为本发明的一个应用实例, 将本发明所述功能的 API封装如 下:  As an application example of the present invention, the API of the functions described in the present invention is encapsulated as follows:
1)智能卡驱动 API (CA Smart card Driver)  1) Smart Card Driver API (CA Smart card Driver)
智能卡 API实现应用程序与智能卡的交互操作, 该 API主要包 括:  The smart card API implements the interaction between the application and the smart card. The API mainly includes:
ICC-CheckStatus(Card Num): 检查智能卡的状态, 如存在与否、 版本信息等。  ICC-CheckStatus (Card Num): Check the status of the smart card, such as presence or absence, version information, etc.
ICC-ReadBin(offset,Data,datalea): 从智能卡读取二进制数据 ICC-WriteBin(offset, Data,Datalen): 向智能卡写入二进制数据 ICC-ResetICCard(Card Num): 将智能卡复位 ICC-ReadBin (offset, Data, datalea): Read binary data from smart card ICC-WriteBin (offset, Data, Datalen): write binary data to the smart card ICC-ResetICCard (Card Num): reset the smart card
ICC-ExtemalAuthenticate(KeyIndwx, Key, Keylen) : 实现与智能 卡的安全认证  ICC-ExtemalAuthenticate (KeyIndwx, Key, Keylen): Realize security authentication with smart card
ICC-PINChange(oldPIN, NewPin, remain-Times): 修改智能卡的 PIN码  ICC-PINChange (oldPIN, NewPin, remain-Times): Modify the PIN code of the smart card
ICC-unlocldPIN(Key): 取消智能卡的 PIN码校验功能  ICC-unlocldPIN (Key): Cancel PIN code verification function of smart card
2) CA解扰 API (CA Descrambler)  2) CA descrambling API (CA Descrambler)
CA解扰 API实现对 TS流的解扰  CA descrambling API to descramble TS streams
CADescrambler(TS_ID, ServiceID,MPEG_Packet,Scrambler Parameter):  CADescrambler (TS_ID, ServiceID, MPEG_Packet, Scrambler Parameter):
根据相关参数对指定的 TS数据进行解扰  Descramble specified TS data according to related parameters
3) ECM/EMM数据处理 API (CA ECM/EMM)  3) ECM / EMM data processing API (CA ECM / EMM)
ECM/EMM数据处理 API负责根据相关参数从 TS流中获得 ECM 及 EMM信息。 该 API主要包括:  The ECM / EMM data processing API is responsible for obtaining ECM and EMM information from the TS stream according to related parameters. The API mainly includes:
CAGetECM(CA— System— ID, TS—ID, ServicelD, ECMData, Datalen):  CAGetECM (CA— System— ID, TS—ID, ServicelD, ECMData, Datalen):
根据 CA系统 ID号以及服务的描述类获得 ECM信息  Obtain ECM information based on CA system ID number and service description class
CAGetEMM(CA— System— ID, TS—ID, EMMData, Datalen):  CAGetEMM (CA— System— ID, TS—ID, EMMData, Datalen):
根据条件接入系统 ID号以及服务的描述类获得 EMM信息 Get EMM information based on conditional access system ID number and service description class
4)条件接入测试 API (CA Tester) 4) Conditional Access Test API (CA Tester)
条件接入测试 API实现对条件接入系统各个功能的测试。该 API 主要包括:  Conditional access test API implements the testing of various functions of the conditional access system. The API mainly includes:
CAModuleTester(CA_ System— ID, CAModuleTestResult):  CAModuleTester (CA_ System— ID, CAModuleTestResult):
对运行于该平台上的不同 CA厂商的 CA模块进行认证及测试 Certification and testing of CA modules of different CA vendors running on the platform
CAAlgorithmTester(CAAlgorithmTestResult): CAAlgorithmTester (CAAlgorithmTestResult):
对运行于该平台上的不同 CA解扰算法进行认证及测试 CASmartCardTester(CardNum, CASmartCardTestResult): Certification and testing of different CA descrambling algorithms running on the platform CASmartCardTester (CardNum, CASmartCardTestResult):
对该系统使用的智能卡进行认证及测试  Authenticate and test the smart cards used in the system
5)条件接入监控 API (CA Monitor)  5) CA Monitor
条件接入监控 API实现对运行于该平台上的条件接入各功能的 状态并记录入 logo文件  Conditional access monitoring API implements the status of conditional access functions running on the platform and records them in a logo file
CAMonitorlnitial(CAMonitorlnitialParameter): 初始化 CA监控模 块  CAMonitorlnitial (CAMonitorlnitialParameter): Initialize the CA monitoring module
C A Monitorclose(): 关闭 CA监控模块  C A Monitorclose (): Close the CA monitoring module
GetCAModuleLog(CamodulelogFile): 获得对各 CA模块测试的 记录文件  GetCAModuleLog (CamodulelogFile): Obtain the log file of each CA module test
GetCAAlgorithmLog(CAAlgorithmLogFile): 获得对算法模块的 测试文件  GetCAAlgorithmLog (CAAlgorithmLogFile): Get the test file of the algorithm module
GetSmartCardLog(CASmartCardLogFile): 获得对智能卡的测试 文件  GetSmartCardLog (CASmartCardLogFile): Get the test file of the smart card
6)条件接入管理 API (CA Management)  6) CA Management
条件接入管理 API负责实现对 条件接入系统中所有模块的管 理, 该 API主要包括:  The conditional access management API is responsible for the management of all modules in the conditional access system. The API mainly includes:
CAModuleInitial(CA_ System— ID, CAModuleParameter):  CAModuleInitial (CA_ System— ID, CAModuleParameter):
在该平台上初始化并运行某 CA厂商的条件接入模块  Initialize and run a CA vendor's conditional access module on the platform
CAModuleClose(CA_ System— ID, CAModuleParameter):  CAModuleClose (CA_ System— ID, CAModuleParameter):
停止运行某 CA厂商的条件接入模块  Stop the conditional access module of a CA vendor
CAAlgorit ir^ownload(CAAlgorithmPID,CAAlgorithmFlag,CAAl gorithmparameter): 从 TS流中下载某个算法  CAAlgorit ir ^ ownload (CAAlgorithmPID, CAAlgorithmFlag, CAAl gorithmparameter): Download an algorithm from the TS stream
CAAlgorithmUpgrade(CAAlgorithmFlag,CAAlgorithmParameter,C AAlgorithmAdd): 在该平台上升级某算法  CAAlgorithmUpgrade (CAAlgorithmFlag, CAAlgorithmParameter, C AAlgorithmAdd): upgrade an algorithm on this platform
CASmartCardAppDownload(CASmartCardAppPID,CA_System_ID, CASmartCardAppParameter): 向智能卡中下载新的应用程序 CASmartCardAppUpgrade(CASmartCardAppPID,CA_System_ID5 C ASmartCardAppParameter): 升级智能卡内的处理软件。 CASmartCardAppDownload (CASmartCardAppPID, CA_System_ID, CASmartCardAppParameter): Download a new application to the smart card CASmartCardAppUpgrade (CASmartCardAppPID, CA_System_ID 5 C ASmartCardAppParameter): Upgrade the processing software in the smart card.
五、 加 /解扰算法的更换与升级  V. Replacement and upgrade of scrambling / descrambling algorithms
当系统安全算法出现泄密情况或者用户要求更换算法时, 前端 系统将通过 条件接入服务器中的算法管理系统对加扰器内的算法进 行更新。 同时, 条件接入服务器将含有算法的私有数据 (PD-Private Data) 传送给加扰器加扰, 并通过复用器复用到复合传输流中, 沿 指定频道下发给所有的用户终端。  When the security algorithm of the system leaks or the user requests to replace the algorithm, the front-end system will update the algorithm in the scrambler through the algorithm management system in the conditional access server. At the same time, the conditional access server transmits the private data (PD-Private Data) containing the algorithm to the scrambler for scrambling, and multiplexes it into the composite transport stream through a multiplexer, and delivers it to all user terminals along the specified channel.
用户终端接收到新的算法信息后, 经解复用、 解扰, 获得所含 的私有数据 (PD) 信息, 并根据所定义的算法升级协议判断所传送 的数据是否为新的算法。 若判断出所传送的算法是新版本, 则调用 条件接入管理的软件下载 API, 将新的算法下载入存储器中, 并覆 盖掉原来的算法。  After receiving the new algorithm information, the user terminal demultiplexes and descrambles to obtain the contained private data (PD) information, and judges whether the transmitted data is the new algorithm according to the defined algorithm upgrade protocol. If it is determined that the transmitted algorithm is a new version, the software download API of conditional access management is called, the new algorithm is downloaded into the memory, and the original algorithm is overwritten.
通过上述方法, 本发明的加密系统可以方便快捷的实现加扰算 法的更换与升级, 而不必更换加扰与解扰芯片。 同时, 加扰算法的 选择范围也大大拓宽, 不仅可以采用已有的算法, 还可由第三方自 行设计与开发, 大大提高了系统的适应性与保密性。  Through the above method, the encryption system of the present invention can conveniently and quickly replace and upgrade the scrambling algorithm without having to replace the scrambling and descrambling chips. At the same time, the range of scrambling algorithms is also greatly expanded. Not only can existing algorithms be used, but also third-party self-design and development, which greatly improves the adaptability and confidentiality of the system.
工业应用性  Industrial applicability
本发明实施后将改善现有加密系统的性能, 具体体现在以下几 个方面:  After the implementation of the present invention, the performance of the existing encryption system will be improved, which is specifically embodied in the following aspects:
本发明为实现按照一定规律更换或者按用户要求随时更换算法 和密钥提供了具体实施方案, 提高了系统的安全性。 这种安全性与 硬件专用芯片所提供的不同, 硬件专用芯片的安全性只能依赖于某 一算法的复杂性, 如果该算法的加密强度无法符合新服务的要求, 网络的安全性将受到影响。 本发明不仅能通过前端的 条件接入服务 器更换加扰算法与密钥, 还可通过用户端的下载软件高速地实现加 扰算法的更新, 并且下载速度还可随着处理器运算能力的升级而不 断提高, 从而进一步保证了系统的安全性。 此外, 硬件形式实现的 加密系统无法实时监测用户终端的使用状态, 当出现智能卡被攻破, 有非法用户享用网络服务等情况时, 也无法及时采取措施, 避免损 失。 而本发明的加密系统通过 条件接入测试、 条件接入状态监控、 条件接入管理等模块, 可以监测用户终端的异常状况, 一旦检测到 非法用户信息则关闭当前服务, 将损失降到了最低。 The invention provides a specific implementation scheme for realizing the replacement according to a certain rule or the user and the algorithm at any time, and improves the security of the system. This kind of security is different from that provided by hardware-specific chips. The security of hardware-only chips can only depend on the complexity of an algorithm. If the encryption strength of the algorithm cannot meet the requirements of new services, the security of the network will be affected . The invention can not only change the scrambling algorithm and key through the front-end conditional access server, but also can update the scrambling algorithm at a high speed through the download software of the user terminal, and the download speed can also be changed with the upgrade of the computing capacity of the processor The fault is improved, thereby further ensuring the security of the system. In addition, the encryption system implemented in the form of hardware cannot monitor the use status of the user terminal in real time. When a smart card is breached and illegal users enjoy network services, it is impossible to take measures in time to avoid losses. The encryption system of the present invention can monitor abnormal conditions of user terminals through modules such as conditional access test, conditional access status monitoring, and conditional access management. Once the illegal user information is detected, the current service is shut down to minimize losses.
本发明具体实现了根据所需加密内容的不同及所需加密的复杂 程度不同, 可以采用不同的加密方法, 解决了系统不兼容的问题。 软件平台化方案使得加密系统可以与其它符合相应标准的加密系统 兼容, 也可与其它符合相应接口规范的条件接入 (条件接入) 系统 相兼容, 从而使有线电视网络成为了一个开放的体系。  The invention specifically realizes that different encryption methods can be adopted according to the different required encrypted content and the required complexity of encryption, and the problem of incompatibility of the system is solved. The software platform solution enables the encryption system to be compatible with other encryption systems that comply with the corresponding standards, as well as other conditional access (conditional access) systems that comply with the corresponding interface specifications, thereby making the cable television network an open system. .
硬件形式实现的加密系统需要专门的加扰 /解扰芯片, 需要花费 一定的成本, 而软件平台化加密方案使功能与硬件芯片相分离, 因 此加扰算法的运行可以与其它功能软件, 如 MPEG解码、 网络管理 软件等共用同一处理器, 从而实现资源共享, 节省加 /解扰芯片的费 用, 降低系统的造价。  The encryption system implemented in hardware requires a special scrambling / descrambling chip, which requires a certain cost, and the software platform encryption scheme separates the functions from the hardware chip, so the scrambling algorithm can run with other functional software, such as MPEG Decoding, network management software, etc. share the same processor, thereby achieving resource sharing, saving the cost of the descramble / descrambling chip, and reducing the cost of the system.
硬件形式实现的加密系统, 其加密方法必须依附于加扰芯片, 但各厂商的技术体系并不完全兼容, 造成了加密体系的垄断状况。 而软件平台化加密方案能够适应未来的业务扩展和标准的提出, 有 线电视运营商可以对不同的业务选择不同的加密方案, 不同的加密 方案可以兼容, 完全不必依赖于某个厂商, 为灵活开展业务提供了 条件。  For an encryption system implemented in hardware, the encryption method must be attached to the scrambling chip, but the technology systems of various manufacturers are not completely compatible, resulting in a monopoly state of the encryption system. The software platform encryption solution can adapt to future business expansion and standards. Cable TV operators can choose different encryption solutions for different services, and different encryption solutions are compatible. They do not need to rely on a certain vendor at all. The business provided the conditions.
本发明也可实现加密系统的全面管理与监控, 从而满足安全性 的需求并且易于管理。  The invention can also realize the comprehensive management and monitoring of the encryption system, thereby satisfying the security requirements and being easy to manage.

Claims

权 利 要 求 Rights request
1 . 一种加密系统, 包括: 前端系统、 网络系统、 用户终端系 所述前端系统包括条件接入服务器、 复用器, 所述用户终端系 统包括码流接收器、 输出装置, 其特征在于, What is claimed is: 1. An encryption system comprising: a front-end system, a network system, and a user terminal. The front-end system includes a conditional access server and a multiplexer, and the user terminal system includes a code stream receiver and an output device.
所述前端系统还包括加扰器, 所述加扰器由数字信号处理器和 存储器构成, 根据条件接入服务器的指令, 通过调用存储器中的相 应程序, 来完成加扰功能;  The front-end system further includes a scrambler, which is composed of a digital signal processor and a memory, and completes the scrambling function by calling a corresponding program in the memory according to an instruction of a conditional access server;
所述用户终端系统包括由数字信号处理器和存储器构成的解复 用器、 解扰器和解码器, 其解复用、 解扰、 解码的功能通过数字信 号处理器调用存储器中的相应程序来完成。  The user terminal system includes a demultiplexer, a descrambler, and a decoder composed of a digital signal processor and a memory. The functions of demultiplexing, descrambling, and decoding are performed by the digital signal processor calling a corresponding program in the memory carry out.
2. 根据权利要求 1所述的加密系统, 其特征在于, 所述用户终 端系统还包括智能卡, 该智能卡的功能通过所述数字信号处理器调 用存储器中的相应程序来完成。  2. The encryption system according to claim 1, wherein the user terminal system further comprises a smart card, and the function of the smart card is completed by the digital signal processor calling a corresponding program in a memory.
3. 根据权利要求 1所述的加密系统, 其特征在于, 所述前端系 统还包括前端用应用程序接口, 通过条件接入服务器调用该应用程 序接口, 实现条件接入服务器的基本功能和新增加的功能。  3. The encryption system according to claim 1, wherein the front-end system further comprises an application program interface for the front-end, and the application program interface is called by a conditional access server to implement basic functions and new additions of the conditional access server Functions.
4. 根据权利要求 1所述的加密系统, 其特征在于,  4. The encryption system according to claim 1, wherein:
所述前端系统包括算法管理服务器, 所述加扰器通过调用算法 管理服务器中的程序, 实现算法的更新和升级。  The front-end system includes an algorithm management server, and the scrambler implements updating and upgrading of the algorithm by calling a program in the algorithm management server.
5. 根据权利要求 1至 4的任一项所述的加密系统, 其特征在 于, 所述前端系统中的条件接入服务器还包含条件接入管理模块。  5. The encryption system according to any one of claims 1 to 4, characterized in that the conditional access server in the front-end system further comprises a conditional access management module.
6. 根据权利要求 1或 2所述的加密系统, 其特征在于, 所述用户终端系统的存储器中存储有认证和授权应用程序接 6. The encryption system according to claim 1 or 2, wherein the memory of the user terminal system stores an authentication and authorization application program interface.
□。 □.
7. 根据权利要求或 2所述的加密系统, 其特征在于, 所述用户 终端系统的存储器中存储有用户端应用程序接口, 通过调用该应用 程序接口, 实现系统的升级。 7. The encryption system according to claim 2, wherein the user A user-side application program interface is stored in the memory of the terminal system, and the system is upgraded by calling the application program interface.
8. 根据权利要求 7所述的加密系统, 其特征在于, 所述用户 端应用程序接口具有条件接入测试模块、 条件接入状态监控模 块、 条件接入管理模块。  8. The encryption system according to claim 7, wherein the client application program interface has a conditional access test module, a conditional access status monitoring module, and a conditional access management module.
9. 根据权利要求 7所述的加密系统, 其特征在于, 所述用户 端应用程序接口具有授权管理信息处理模块、 授权控制信息处 理模块。  9. The encryption system according to claim 7, wherein the user-side application program interface has an authorization management information processing module and an authorization control information processing module.
10. 根据权利要求 1 所述的加密系统, 其特征在于, 所述前端 系统的加扰器通过调用所述前端系统存储器中存储的不同的加密算 法, 以在复合传送流中插入用户授权控制信息的方式, 为插入点的 后续码流指定算法和密钥, 对经过复用器混合的数据流进行加密等 级不同的加扰。  10. The encryption system according to claim 1, wherein the scrambler of the front-end system inserts user authorization control information in the composite transport stream by calling different encryption algorithms stored in the storage of the front-end system. In this manner, an algorithm and a key are specified for the subsequent code stream of the insertion point, and the data stream mixed by the multiplexer is scrambled with different encryption levels.
11. 根据权利要求 1或 2所述的加密系统, 其特征在于, 所述用户终端系统的存储器中还包括 MPEG 解码模块, 所述 MPEG解码模块完成对解扰后的数据进行解码。  The encryption system according to claim 1 or 2, wherein the memory of the user terminal system further comprises an MPEG decoding module, and the MPEG decoding module completes decoding the descrambled data.
12. 根据权利要求 1或 2所述的加密系统, 其特征在于, 所述用户终端系统的存储器中还包括软件下载模块, 通过调用 软件下载 API, 将由前端系统条件接入服务器产生的新算法, 下载 到用户终端系统的存储器中。  12. The encryption system according to claim 1 or 2, wherein the memory of the user terminal system further comprises a software download module, and a new algorithm generated by a front-end system conditional access server is called by calling a software download API, Download to the memory of the user terminal system.
13. 根据权利要求 1 至 4 的任一项所述的加密系统, 其特征在 于, 所述网络系统是光纤同轴电缆混合网网络、数字卫星广播网络、 微波网络、 以太网。  13. The encryption system according to any one of claims 1 to 4, wherein the network system is a fiber-optic coaxial cable hybrid network network, a digital satellite broadcasting network, a microwave network, or an Ethernet network.
PCT/CN2001/001585 2000-11-28 2001-11-28 An enciphering system for cable tv network WO2002045428A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2002221506A AU2002221506A1 (en) 2000-11-28 2001-11-28 An enciphering system for cable tv network

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN00132565.5 2000-11-28
CN 00132565 CN1355654A (en) 2000-11-28 2000-11-28 Encryption system for cable TV network

Publications (1)

Publication Number Publication Date
WO2002045428A1 true WO2002045428A1 (en) 2002-06-06

Family

ID=4595239

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2001/001585 WO2002045428A1 (en) 2000-11-28 2001-11-28 An enciphering system for cable tv network

Country Status (3)

Country Link
CN (2) CN1355654A (en)
AU (1) AU2002221506A1 (en)
WO (1) WO2002045428A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100562098C (en) * 2008-01-03 2009-11-18 济南市泰信电子有限责任公司 Digital television conditional access system and handling process thereof
CN100584008C (en) * 2006-05-09 2010-01-20 中国科学院研究生院 Scrambling non-scrambling transmission flow real-time authenticating device and television device with same

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7215770B2 (en) * 2002-01-02 2007-05-08 Sony Corporation System and method for partially encrypted multimedia stream
CN101009549B (en) * 2006-01-26 2010-07-14 中国科学院计算技术研究所 Decoding device for the digital copyright management
US7962638B2 (en) * 2007-03-26 2011-06-14 International Business Machines Corporation Data stream filters and plug-ins for storage managers
CN101056393B (en) * 2007-04-20 2010-06-16 中兴通讯股份有限公司 Data de-scrambling method and system
CN105744354B (en) * 2014-12-08 2018-11-16 深圳Tcl数字技术有限公司 Scramble the de-scrambling method and system of transmitting stream
CN105512573B (en) * 2015-11-24 2019-02-05 深圳国微技术有限公司 A kind of moderator of attack resistance

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1134645A (en) * 1995-04-25 1996-10-30 冯钧 Encryption method for cable television
WO2000011871A1 (en) * 1998-08-23 2000-03-02 Open Entertainment, Inc. Transaction system for transporting media files from content provider sources to home entertainment devices

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1134645A (en) * 1995-04-25 1996-10-30 冯钧 Encryption method for cable television
WO2000011871A1 (en) * 1998-08-23 2000-03-02 Open Entertainment, Inc. Transaction system for transporting media files from content provider sources to home entertainment devices

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100584008C (en) * 2006-05-09 2010-01-20 中国科学院研究生院 Scrambling non-scrambling transmission flow real-time authenticating device and television device with same
CN100562098C (en) * 2008-01-03 2009-11-18 济南市泰信电子有限责任公司 Digital television conditional access system and handling process thereof

Also Published As

Publication number Publication date
CN1355654A (en) 2002-06-26
AU2002221506A1 (en) 2002-06-11
CN1476724A (en) 2004-02-18

Similar Documents

Publication Publication Date Title
EP1825678B1 (en) System and method for secure conditional access download and reconfiguration
US9479825B2 (en) Terminal based on conditional access technology
JP4358226B2 (en) Mechanism for remote control of client devices
KR101172093B1 (en) Digital audio/video data processing unit and method for controlling access to said data
US7336785B1 (en) System and method for copy protecting transmitted information
US20120324583A1 (en) System and Method for Processing and Protecting Content
US8160248B2 (en) Authenticated mode control
US20080267411A1 (en) Method and Apparatus for Enhancing Security of a Device
KR20040070281A (en) Process for updating a revocation list of noncompliant keys, appliances or modules in a secure system for broadcasting content
KR20070027509A (en) System and method for security processing media streams
US8176331B2 (en) Method to secure data exchange between a multimedia processing unit and a security module
KR101518086B1 (en) Method for processing data and iptv receiving device
US7804959B2 (en) Digital cable television broadcasting receiver
US20110113443A1 (en) IP TV With DRM
KR101837188B1 (en) Video protection system
JPWO2006082812A1 (en) Digital cable tv broadcast receiver
US20120051541A1 (en) Method and system for providing conditional access in broadcasting network
KR20060006897A (en) Revocation information transmission method, reception method, and device thereof
US9268735B2 (en) Loadable and modular conditional access application
WO2002045428A1 (en) An enciphering system for cable tv network
KR100950597B1 (en) Broadcasting receiving apparatus based on downloadable conditional access system and security method thereof
KR100950599B1 (en) Method for applying downloadable conditional access system and apparatus thereof
KR100947326B1 (en) Downloadable conditional access system host apparatus and method for reinforcing secure of the same
CN109117606B (en) DRM standard adaptation method and device for equipment client and hardware protection middleware
CN108200453B (en) Fusion condition receiving terminal system and method

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 018195415

Country of ref document: CN

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 69(1) EPC, F1205A DATED 17.09.03

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP