WO2009024071A1 - System, method and device for realizing iptv media content security - Google Patents


Info

Publication number
WO2009024071A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
function entity
media
service
user equipment
Application number
PCT/CN2008/072015
Other languages
French (fr)
Chinese (zh)
Inventor
Zhaojun Peng
Zhanjun Zhang
Jincheng Li
Jun Yan
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00 Television systems
    • H04N7/16 Analogue secrecy systems; Analogue subscription systems
    • H04N7/167 Systems rendering the television signal unintelligible and subsequently intelligible
    • H04N7/1675 Providing digital key or authorisation information for generation or regeneration of the scrambling sequence
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25 Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/266 Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
    • H04N21/26613 Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel, for generating or managing keys in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/60 Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client
    • H04N21/61 Network physical structure; Signal processing
    • H04N21/6106 Network physical structure; Signal processing specially adapted to the downstream path of the transmission network
    • H04N21/6125 Network physical structure; Signal processing specially adapted to the downstream path of the transmission network involving transmission via Internet
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/60 Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client
    • H04N21/63 Control signaling related to video distribution between client, server and network components; Network processes for video distribution between server and clients or between remote clients, e.g. transmitting basic layer and enhancement layers over different transmission paths, setting up a peer-to-peer communication via Internet between remote STB's; Communication protocols; Addressing
    • H04N21/633 Control signals issued by server directed to the network components or client
    • H04N21/6332 Control signals issued by server directed to the network components or client, directed to client
    • H04N21/6334 Control signals issued by server directed to the network components or client, directed to client for authorisation, e.g. by transmitting a key
    • H04N21/63345 Control signals issued by server directed to the network components or client, directed to client for authorisation, e.g. by transmitting a key, by transmitting keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00 Television systems
    • H04N7/16 Analogue secrecy systems; Analogue subscription systems
    • H04N7/173 Analogue secrecy systems; Analogue subscription systems with two-way working, e.g. subscriber sending a programme selection signal
    • H04N7/17309 Transmission or handling of upstream communications
    • H04N7/17318 Direct or substantially direct transmission and handling of requests

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a system, method, and device for implementing IPTV media content security.
  • IMS Core also known as Core IMS
  • Core IMS which is superimposed on the packet domain network, and is composed of functional entities such as Call Control Function (CSCF) and User Profile Serving Function (UPSF).
  • CSCF Call Control Function
  • UPSF User Profile Serving Function
  • S_CSCF service CSCF
  • P-CSCF proxy CSCF
  • I-CSCF query CSCF
  • the IPTV service based on the IMS network is a new service that has developed rapidly in recent years.
  • the service transmits multimedia on the Internet Protocol (IP) network, including media content such as video, audio and data.
  • IP Internet Protocol
  • the service essentially provides the IPTV service under the IMS network architecture, and fully utilizes the existing session control and charging mechanisms in the IMS network to provide TV services for the user equipment (UE, User Equipment).
  • Typical examples of IPTV media streaming services are the Linear Television (LTV) service (also called Broadcast Service, BC) and Content on Demand (CoD).
  • LTV service is a service for transmitting media content to the UE in a multicast manner
  • the CoD service is a unicast service.
  • FIG. 1 is a schematic diagram of a service function architecture of an IPTV service based on an IMS network, as proposed by the TISPAN standards organization, where:
  • the IPTV Media Function Entity (MF, IPTV Media Function) is responsible for delivering the media content to the UE.
  • the IPTV Media Function can be decomposed, from a functional perspective, into a Media Control Function (MCF) and a Media Delivery Function (MDF).
  • MCF Media Control Function
  • MDF Media Delivery Function
  • the MDF is usually a media distribution server that sends media streams to the UE under the control of the MCF.
  • IPTV Service Control Functions (SCF) process the IPTV service request sent by the UE and provide IPTV service control.
  • UPSF User Profile Serving Function
  • SSF Service Selection Function
  • Transport Functions are used to transmit the media content delivered by the MF in the IPTV system to the UE.
  • FIG. 2 is a schematic diagram of a second service function architecture of an IPTV service based on an IMS network, as proposed by the International Telecommunication Union (ITU-T) standards organization, including a UE, an IPTV application service function entity (applications), a service user profile function, the IMS Core, a content delivery function, and a Transport Stratum, where:
  • a content delivery function configured to provide a media content distribution service for the UE, the function of the entity being similar to the function of the MF in FIG. 1;
  • the IPTV application service function entity (applications) is configured to process an IPTV service request sent from the UE, and provide service control of the IPTV, and the function of the entity is similar to the SCF in FIG. 1;
  • the service user profile function is used to store the service subscription information of the UE, and the function of the entity is similar to the UPSF in FIG. 1;
  • the Transport Stratum is used to transmit the media content distributed to the UE; its function is similar to that of the Transport Functions in FIG. 1.
  • the systems shown in FIG. 1 and FIG. 2 can transmit media content in an IPTV service: when the IPTV service is an LTV service, the media stream can be transmitted in a multicast manner, and when it is a CoD service, the media stream can be transmitted in a unicast manner.
  • whether the media stream is transmitted in multicast or unicast mode, the transmitted media stream is not protected, so the security of the LTV service or the CoD service cannot be guaranteed.
  • conditional access (CA) is a method for protecting media content security used in traditional broadcast television.
  • the media content is scrambled at the content source, and the UE descrambles it when playing the media content, thereby implementing secure transmission of the media content.
  • the media content, security information, and other information in the system are encapsulated into a Transport Stream (TS) and sent to the UE.
  • TS Transport Stream
  • the keys in the security information are hierarchically protected: the media content is scrambled using the Control Word (CW), and the CW is encrypted with the Service Key (SK).
  • the encrypted CW is sent to the UE in an Entitlement Control Message (ECM); the SK is sent to the UE in an Entitlement Management Message (EMM), and the SK must be encrypted with the user's personal key before being transmitted.
  • ECM Entitlement Control Message
  • EMM Entitlement Management Message
  • the process of transmitting the media content is as shown in FIG. 3.
  • after receiving them, the UE decrypts the SK using the user's personal distribution key stored in the UE, decrypts the CW with the SK, and then descrambles the media content with the CW.
  • the media encryption technology applied to traditional broadcast television systems uses scrambling and descrambling.
  • its keys are carried in the TS packet format and cannot be directly applied to the current IPTV system. Therefore, how to implement media content security protection for LTV services in an IMS network is still an urgent problem to be solved.
  • an embodiment of the present invention provides a system for implementing media security protection, which can implement protection of IPTV media content.
  • a system for implementing IPTV media security comprising: a user equipment UE, a service control function entity SCF, an IMS core network IMSCore, a media function entity MF, and a key management function entity KMF, wherein
  • the key management function entity is configured to provide a key to the user equipment
  • the service control function entity is configured to provide service control for an IPTV service
  • the media function entity configured to send the encrypted media to the user equipment
  • the user equipment is configured to receive the encrypted media sent by the media function entity, and use the received key to obtain the unencrypted media.
  • an embodiment of the present invention provides a method for implementing media security protection, which can implement protection of IPTV media content.
  • a method for implementing IPTV media security includes the following steps:
  • the user equipment UE obtains a key corresponding to the media service security from the key management function KMF; the user equipment UE receives the encrypted media sent by the media function entity MF;
  • the user equipment UE obtains the decrypted media using the key.
  • the embodiment of the present invention further provides a key management function entity, including: a key distribution unit and a key information service function unit;
  • a key information service function unit configured to provide a key for media service security to the key distribution unit
  • a key distribution unit configured to send the key related to the media service security to the user equipment.
  • the system, method, and device provided by the embodiments of the present invention can implement protection of IPTV media content.
  • an embodiment of the present invention further provides a content encryption entity, including:
  • a key generation unit configured to generate a media protection key
  • a key transceiver unit configured to send the media protection key to the key management function entity.
  • the embodiment of the invention further provides a content encryption entity, including:
  • a key generation unit configured to generate a media protection key
  • a message sending unit configured to send a key request message to the key management function entity, requesting a key encryption key
  • a key transceiving unit configured to receive a key encryption key sent by the key management function entity; and an encryption operation unit configured to encrypt the media protection key by using the key encryption key.
  • the content encryption entity encrypts the media content by using the media protection key, so that the security of the media content is ensured.
  • FIG. 1 is a schematic diagram of a service function architecture of an IPTV service based on an IMS network in the prior art
  • FIG. 2 is a schematic diagram of a second service function architecture of an IPTV service based on an IMS network in the prior art
  • FIG. 3 is a schematic diagram of transmitting media content in a prior art CA system.
  • FIG. 4 is a schematic diagram of a system for implementing IPTV media content security in an IMS system according to an embodiment of the present invention
  • FIG. 5 is a schematic diagram of an example of a system 1 for implementing IPTV media content security in an IMS system according to an embodiment of the present disclosure
  • FIG. 6 is a flowchart of Embodiment 1 for implementing media content security according to an embodiment of the present invention
  • FIG. 7 is a flowchart of Embodiment 2 of implementing media content security according to an embodiment of the present invention.
  • FIG. 8 is a flowchart of Embodiment 3 of implementing media content security according to an embodiment of the present invention.
  • FIG. 9 is a flowchart of Embodiment 4 of implementing media content security according to an embodiment of the present invention
  • FIG. 11 is a flowchart of Embodiment 6 for implementing media content security according to an embodiment of the present invention
  • FIG. 13 is a flowchart for implementing media content security according to an embodiment of the present invention
  • FIG. 16 is a flowchart of Embodiment 11 of implementing media content security according to an embodiment of the present invention
  • FIG. 17 is a schematic diagram of a second system for implementing IPTV media content security in an IMS system according to an embodiment of the present invention
  • FIG. 18 is a flowchart of Embodiment 12 of implementing media content security according to an embodiment of the present invention
  • FIG. 19 is a schematic diagram of a third system for implementing IPTV media content security in an IMS system according to an embodiment of the present invention;
  • FIG. 21 is a schematic structural diagram of a KMF according to an embodiment of the present invention.
  • FIG. 22 is a schematic diagram of a system for transmitting a key between MF and KMF according to an embodiment of the present invention
  • FIG. 23 is a diagram of an information system transmitted between a KMF and a CEF through a direct interface according to an embodiment of the present invention
  • FIG. 25 is a flowchart of the fifteenth embodiment of media content security of the present invention.
  • FIG. 26 is a flowchart of the sixteenth embodiment of media content security of the present invention.
  • FIG. 27 is a flowchart of the seventh embodiment of media content security of the present invention.
  • FIG. 29 to FIG. 32 are schematic diagrams showing Embodiments 1 through 4 of a content encryption entity according to an embodiment of the present invention.
  • the embodiment of the present invention secures the media content and transmits the key used for security protection of the media content to the UE, and the UE uses the received key to verify or decrypt the securely protected media content. Therefore, the embodiment of the present invention re-architects the network for implementing an IPTV service based on an IMS network, and a key management function entity (KMF, Key Management Function) is introduced in the network.
  • KMF Key Management Function entity
  • KMF is used to send media security related keys.
  • KMF is a logic function module. When it is implemented, it can exist as an independent functional entity. It can also be an internal logic function unit of SCF. It can also be an internal logic function unit of MF or other functional entities.
  • CEF Content Encryption Function
  • CEF is a logical function module. When implemented, it can exist as an independent functional entity, or as an internal logical function unit of the MF or of another functional entity.
  • a media protection key (TEK, Traffic Encryption Key), or a content encryption key, is used to directly protect the confidentiality or integrity of media streams or content.
  • a service protection key (SEK, Service Encryption Key) is used to protect one or more multicast services, or one or more multicast service channel keys. It can be used to protect the secure transmission of the TEK at the media level (confidentiality and/or integrity protection), to protect service-related security information such as encryption algorithms or key validity periods, and to protect a program protection key (PEK) for a media stream content.
  • PEK Program Encryption Key
  • the service group key (SGK, Service Group Key) is used to protect the secure transmission of the TEK at the media level.
  • the UEs of the same LTV service are grouped, and each group is assigned a group key SGK, and the TEK media stream encrypted by the SGK is sent to the UEs in the group.
  • all UEs receiving the same media content can receive the same protected media stream, and each group can perform SGK update asynchronously.
  • the SGKs of each group are updated separately.
  • UEs that join a group cannot receive the previously sent media streams, and UEs that leave a group cannot receive the media streams sent later; since each group's SGK is updated on its own, this limits the scope of each TEK update.
  • different levels of UEs may have different receiving media stream rights.
  • the UEs may be grouped according to the rights of different levels of UEs, and each group corresponds to an SGK to protect the secure delivery of the TEK.
  • the general SEK, PEK or SGK is used for the protection of the TEK.
  • the service key SEK, PEK or SGK used to protect the TEK is hereinafter referred to as a Key Encryption Key (KEK), and the TEK is referred to as the media protection key.
  • the Service User Key (SUK) is a user-related key. It can be used to protect the SEK, PEK or SGK.
  • the SUK can be a key pre-set by the network side and the UE, a key generated by the GBA (Generic Bootstrapping Architecture) method, or a user key derived from the shared key generated by the GBA method.
  • the Service Registration Key (SRK) is used to authenticate the user of the IPTV service.
  • the HTTP digest authentication method can be used to authenticate the user.
  • the SRK may be a key set by the network side and the UE in advance, a key generated using the GBA method, or a user key derived from a shared key generated by the GBA method; the derivation method may be pre-set by the network side of the LTV service and the UE.
  • the SUK or SRK is referred to as the user key SUK; this key is generally used to protect the delivery of user-specific confidential information, for example to protect the service key.
  • the protection of the IPTV service may be classified into LTV (representing multicast service) protection and COD (representing unicast service) protection according to specific services.
  • LTV protection can use SEK and TEK
  • media stream is protected by TEK
  • TEK is protected by SEK
  • encrypted TEK and encrypted media are delivered through media multicast
  • SEK is sent through the signaling plane.
  • LTV protection can also be used to protect media only by using TEK.
  • the media stream is protected by TEK and delivered by the media multicast.
  • the TEK is sent through the signaling plane.
  • the COD protection can protect the media only by using the TEK.
  • the media stream is protected by the TEK and sent through the media plane, and the TEK is sent through the signaling plane.
  • the key in the process may refer to a key shared by all services in the entire service package; or may refer to a different key corresponding to each service in the service package.
  • the set of keys may be different for each service in the service package, but the key to be delivered is only the key corresponding to a certain service in the service package requested by the current user.
  • the protected media content needs to be different from the used key, and may be a single or multiple different media streams.
  • when a KEK is sent to the UE as the key, the UE receives the TEK stream encrypted by the KEK and the media stream protected by the TEK; the UE decrypts the TEK with the obtained KEK and then decrypts the media stream with the TEK.
  • the TEK is sent as a key to the UE, the UE receives the media stream protected by the TEK, and decrypts the media stream by using the obtained TEK.
  • KEK or TEK is commonly referred to as a key
  • the media stream and/or key stream delivered by the media plane are simply referred to as protected media streams.
  • the following describes how to implement security protection for IPTV service media content after introducing KMF and CEF into the network.
  • FIG. 4 is a schematic diagram of a system for implementing IPTV media content security in an IMS system according to an embodiment of the present invention.
  • KMF is introduced in a system for implementing an IPTV service based on an IMS network, and is used to provide a key and/or key-related parameters to the functional entities that require them.
  • KMF can generate or obtain keys and/or related parameters from other functional entities.
  • KMF can also update keys and/or related parameters.
  • the required functional entity may be a functional entity such as a UE, an MF, or an SCF
  • the related parameters include a combination of one or more of a key identifier corresponding to the key, a security algorithm, and a key validity period.
  • the embodiment of the present invention adds some interfaces to the architecture, including: a K1 interface between the KMF and the SCF; a K2 interface between the KMF and the UE; a K3 interface between the SCF and the UE; a K4 interface between the KMF and the IMS Core; and a K5 interface between the KMF and the MF.
  • these interfaces are mainly used to transfer keys and/or key-related parameters between the two functional entities connected through the interface.
  • these interfaces are not all mandatory in the architecture of the specific implementation.
  • if the key is transmitted directly between the KMF and the UE, the K2 interface is required and the other interfaces are optional; if the key is transmitted from the KMF to the UE via the SCF, the K1 and K3 interfaces are required and the other interfaces are optional; if the key is transmitted between the KMF and the SCF, the K1 interface is required and the other interfaces are optional.
  • if the key is transmitted between the KMF and the MF, the K5 interface is required and the other interfaces are optional.
  • if the KMF transmits the key directly through the IMS Core, the K4 interface is required and the other interfaces are optional.
  • the HTTP protocol in the various embodiments is only taken as an example. In a specific implementation, other protocols may also be used, for example the XML format or MIKEY to carry and send a key. The following is a detailed description of how the system provided in FIG. 4 implements media content security.
  • Embodiment 1
  • This embodiment can be applied to the LTV service protection or the CoD service protection.
  • the UE and the KMF directly interact with each other.
  • the K2 interface is a necessary interface.
  • the connections between the devices in the system shown in Fig. 4 are as shown in Fig. 5.
  • the UE may generate a shared user key in advance with the KMF, for example by the GBA (Generic Bootstrapping Architecture) method, and then use the shared key to protect the key information transmitted from the KMF to the UE.
  • the process of generating a shared key may be performed before or after receiving a key request from the UE.
  • FIG. 6 is a flowchart of Embodiment 1 of implementing media content security according to an embodiment of the present invention, where specific steps are as follows:
  • Step 601 The UE performs a session process of service establishment or service switching (channel switching of the LTV). In this step, the session process and the key request process have no fixed order.
  • Step 602 The KMF sends a key acquisition indication information to the UE, instructing the UE to initiate a key acquisition request, and the step is optional.
  • Step 603 The UE sends a key request message, such as an HTTP request message, to the KMF through the K2 interface, and carries the user identifier, the service/content identification information, or the key identification information.
  • Step 604 The KMF obtains the service authorization information of the user from the SCF or the UPF, and authorizes the user's request. This step is optional if the KMF itself has authorization capabilities.
  • Step 605 The KMF sends a response message to the UE through the K2 interface, which carries the key and may further include related parameters of the key.
  • the key is a key corresponding to the service/content or key identification information carried in the request message, or includes related parameters of the key.
  • Step 606 The UE uses the obtained key to unlock the encrypted media content and perform viewing.
  • the service/content or service/content package identifier can be carried in the form of a URI or a PSI in the IMS.
  • the service/content or service/content package identifiers used in the following embodiments are similar and will not be repeatedly described.
  • if the three-layer key model is used, the key issued in step 605 is the KEK, which is encrypted with the SUK; the TEK encrypted by the KEK is sent to the UE through multicast.
  • the UE first uses the SUK to decrypt the KEK, then uses the KEK to decrypt the TEK, and finally uses the TEK to decrypt the encrypted media stream.
  • when the media is delivered in unicast, the key of this embodiment may be used in the same way as for the multicast three-layer key model; the difference is that the key delivered by the media plane is sent in unicast rather than multicast mode. Alternatively, the two-layer key model may be used.
  • in the two-layer key model, the key sent in step 605 is the TEK, which is encrypted with the SUK; no key needs to be sent to the UE at the media level.
  • the UE first uses the SUK to decrypt the TEK, then uses the TEK to decrypt the media stream.
  • the response message of step 605 may be a response message directly corresponding to the request, for example a 200 response to an HTTP request; or it may be a separately sent message, for example a separate UDP message carrying a MIKEY-format key.
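The three-layer key model of step 605 (SUK protecting the KEK, KEK protecting the TEK, TEK protecting the media) has the same shape as the CW/SK/personal-key hierarchy of the CA system described earlier and as the per-group SGK scheme, where the SGK simply takes the KEK position. The following is an added Go example, not code from the patent or from Huawei, showing the network side wrapping each layer under the one above it and the UE unwrapping the chain. Assumptions not in the text: AES-256-GCM as the wrapping algorithm (the text leaves the algorithm to the key's related parameters), constructed key identifiers bound as associated data, and a SUK already shared between UE and KMF (for example via GBA). The two-layer model is the same chain with the KEK step removed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed key identifiers; the text carries these as the key's "related parameters".
const (
	kekID   = "constructed:kek:ltv-channel-7:v1"
	tekID   = "constructed:tek:ltv-channel-7:v42"
	mediaID = "constructed:media:ltv-channel-7"
)

// ProtectedStream is what the UE receives: the SUK-wrapped KEK over the signalling
// plane (step 605) and the KEK-wrapped TEK plus TEK-encrypted media over the media plane.
type ProtectedStream struct {
	WrappedKEK     []byte
	WrappedTEK     []byte
	EncryptedMedia []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal protects plaintext under key with AES-256-GCM (an assumption; the text leaves
// the algorithm to the key's parameters) and binds the key identifier as associated
// data, so a blob wrapped for one identifier is rejected when presented under another.
func seal(key []byte, id string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(id)), nil // nonce || ciphertext || tag
}

// unseal reverses seal; a wrong key, wrong identifier or any modified byte fails
// authentication, and GCM releases no plaintext in that case.
func unseal(key []byte, id string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("blob of %d bytes is shorter than a nonce", len(blob))
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], []byte(id))
}

// randomKey draws a fresh 256-bit key; a failing system RNG is fatal by design.
func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// NetworkSideProtect plays the KMF/CEF roles for one service: draw a TEK and a KEK
// (the SEK or SGK of the text), wrap each under the layer above it, encrypt the media.
func NetworkSideProtect(suk, media []byte) (s ProtectedStream, err error) {
	kek, tek := randomKey(), randomKey()
	if s.WrappedKEK, err = seal(suk, kekID, kek); err != nil {
		return s, err
	}
	if s.WrappedTEK, err = seal(kek, tekID, tek); err != nil {
		return s, err
	}
	s.EncryptedMedia, err = seal(tek, mediaID, media)
	return s, err
}

// UEDecrypt walks the three-layer chain: SUK unwraps the KEK, the KEK unwraps the TEK,
// the TEK decrypts the media. A wrong SUK or a tampered key stream stops the chain at
// the first failing layer, and the error names that layer.
func UEDecrypt(suk []byte, s ProtectedStream) ([]byte, error) {
	kek, err := unseal(suk, kekID, s.WrappedKEK)
	if err != nil {
		return nil, fmt.Errorf("KEK layer: %w", err)
	}
	tek, err := unseal(kek, tekID, s.WrappedTEK)
	if err != nil {
		return nil, fmt.Errorf("TEK layer: %w", err)
	}
	return unseal(tek, mediaID, s.EncryptedMedia)
}

func main() {
	suk := randomKey() // shared between UE and KMF in advance, e.g. via GBA
	stream, err := NetworkSideProtect(suk, []byte("constructed media sample"))
	if err != nil {
		panic(err)
	}
	media, err := UEDecrypt(suk, stream)
	fmt.Printf("authorised UE: %q, err=%v\n", media, err)
	_, err = UEDecrypt(randomKey(), stream) // a UE that never obtained the SUK
	fmt.Println("other UE:", err)
}
```

Binding the key identifier as associated data is what makes the "related parameters" of the text do security work: a KEK blob replayed as a TEK blob, or a stale key identifier, fails authentication instead of yielding a wrong-but-plausible key.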
  • Embodiment 2
  • This embodiment can be applied to the LTV service protection or the CoD service protection.
  • the UE and the KMF interact with each other through the IMS Core.
  • the K1 interface is a mandatory interface in this architecture.
  • FIG. 7 is a flowchart of Embodiment 2 of implementing media content security according to an embodiment of the present invention, and the specific steps are as follows:
  • Step 701 The UE sends a service request to the SCF through the IMS Core, and carries the user identifier and the identification information of the service or the content.
  • Step 702 The SCF sends a service request to the MF through the IMS Core, and carries the user identifier and the identification information of the service or the content, and the MF returns a service response message to the SCF through the IMS Core.
  • This step is not required for LTV service requests.
  • Step 703 The SCF generates a service authorization token (Token) and returns a service response message to the UE through the IMS Core, carrying the service authorization Token and possibly also the address from which the key can be obtained, such as an IP address, a URL, or a PSI in the IMS.
  • Token service authorization token
  • Step 704 The UE sends a key request message to the KMF, carrying the user identifier, the service or content identifier, and the service authorization Token.
  • Step 705 After receiving the message, the KMF verifies the authorization Token and, if it passes, returns a key to the UE.
  • Step 706 The UE uses the obtained key to unlock the encrypted media stream for viewing.
  • the KMF may also first send a trigger message to the UE, requesting the UE to obtain the key information from the KMF.
  • the granting of the Token in Figure 7 can be performed in multiple ways.
  • the UE can obtain the Token not only in the session establishment process but also in other ways, such as during service ordering, or carried and sent through an electronic program guide (EPG).
  • EPG electronic program guide
  • the key issued in this embodiment is similar to the key in the first embodiment, and may be the KEK or the TEK depending on whether the two-layer or the three-layer key model is selected.
  • the service authorization Token is a credential issued by an authorizing entity (for example, the SCF or the MF) for checking the UE's right to obtain the key corresponding to the service and the key's related parameters; its form may vary.
  • the service authorization Token may be a string or a number; it may also be a list containing the corresponding service or content identifier, user name and other information; in addition, the authorizing entity can also sign the Token.
  • Embodiment 3
  • This embodiment can be applied to LTV service protection or CoD service protection, and is mainly for distributing keys to the UE through the SCF and the KMF.
  • the K3 and K1 interfaces in the architecture are applied and are mandatory.
  • the UE may generate a shared user key in advance with the SCF, such as may be generated by the GBA method, and then use the shared key to protect the key information that the SCF delivers to the UE.
  • the process of generating a shared key may be performed before or after receiving a key request from the UE.
  • FIG. 8 is a flowchart of Embodiment 3 of implementing media content security according to an embodiment of the present invention, where specific steps are as follows:
  • Step 801 The UE performs a session process of service establishment or service switching (channel switching of the LTV). In this step, the session process and the key request process are not in an orderly sequence.
  • Step 802 The SCF may send a key acquisition indication information to the UE, instructing the UE to initiate a key acquisition request, where the step is optional.
  • The SCF uses this indication to notify the UE that the key needs to be acquired. If the UE learns by other means that the key needs to be obtained, for example through a Notify from the IMS network side, or by checking the key identification carried in the media stream, the indication message need not be sent.
  • Step 803 The UE sends a key request message to the SCF through the K3 interface, and carries the user identifier, the service/content identification information, or the key identification information.
  • Step 804 The SCF obtains a key and a related parameter of the key from the KMF.
  • Step 805 The SCF sends a response message to the UE, and carries the corresponding key.
  • Step 806 The UE obtains the encrypted media stream, and uses the obtained key to unlock the media stream for viewing.
  • FIG. 8 may also include a key update process, in which the updated key is either actively obtained by the UE from the SCF or actively sent by the SCF to the UE.
  • The SCF may send a key acquisition request message to the KMF carrying the service/content identification information or the key identification information that it obtained, and the KMF returns to the SCF the key corresponding to that service/content identifier or key identifier, possibly together with information such as the algorithm and the expiration date.
  • The SCF can also store this information, so that the key can be found directly when a UE subsequently makes a service request.
  • The specific protocol used may be the Diameter protocol, the MIKEY protocol, the HTTP protocol, the SIP protocol, SOAP, XML, or the like.
  • the methods of obtaining a key by the SCF or the MF in the following various embodiments are similar, and the description is not repeated.
  • This embodiment can be applied to the CoD service protection.
  • The SCF obtains the service protection key from the KMF, sends it to the MF, and returns it to the UE through the IMS Core.
  • The K1 interface in the architecture is mandatory.
  • FIG. 9 is a flowchart of Embodiment 4 of implementing media content security according to an embodiment of the present invention, where specific steps are as follows:
  • Step 901 The UE sends a service request message, such as an INVITE, to the SCF through the IMS Core, where the message carries the user identifier and the service or content identifier information.
  • Step 902 The SCF acquires, from the KMF, the key corresponding to the service or content identifier.
  • Step 903 The SCF sends a service request message to the MF through the IMS Core, where the message carries the service or content identifier, the corresponding key and other information.
  • the MF can use this key to encrypt the content in real time.
  • The parameter carried in the request sent by the SCF may be not the key itself but address information from which the key can be obtained, such as an IP address, a URL or a PSI in the IMS. In that case step 902 is not required.
  • Step 904 The MF sends a service response message, for example 200 OK, to the SCF through the IMS Core.
  • Step 905 The SCF adds the key information to the service response message and forwards it to the UE through the IMS Core, where the message carries the key corresponding to the service or content identifier, or the address information for obtaining that key.
  • Step 906 The UE uses the obtained key to unlock the media stream and perform viewing.
  • The key issued here is similar to the key in the first embodiment, and may be a KEK or a TEK depending on whether the two-layer or the three-layer key model is selected.
  • This embodiment can be applied to CoD service protection; the MF obtains the key from the KMF and returns it to the UE through the IMS Core.
  • The K5 interface is mandatory; alternatively, the MF obtains the corresponding key from the KMF through the Y2 and K4 interfaces.
  • FIG. 10 is a flowchart of Embodiment 5 of implementing media content security according to an embodiment of the present invention, where specific steps are as follows:
  • Step 1001 The UE sends a service request message, such as an INVITE message, to the SCF through the IMS Core, where the message carries the user identifier and the service or content identifier information.
  • Step 1002 The SCF sends a service request message to the MF through the IMS Core, where the user identifier, service or content identification information is carried.
  • Step 1003 The MF obtains a key corresponding to the service or the content identifier from the KMF.
  • the MF can use this key to encrypt the content in real time.
  • Step 1004 The MF sends a service response message (for example, a 200 OK message) to the SCF through the IMS Core, carrying the key corresponding to the service or content identifier.
  • Step 1005 The SCF sends a service response message to the UE through the IMS Core.
  • Step 1006 The UE uses the obtained key to unlock the encrypted media stream and view it.
  • The key issued here is similar to the key in the first embodiment, and may be a KEK or a TEK depending on whether the two-layer or the three-layer key model is selected.
  • Embodiment 6 This embodiment can be applied to CoD service protection; the SCF obtains the service key from the KMF and returns it to the UE through the IMS Core.
  • The K1 interface is a mandatory interface.
  • FIG. 11 is a flowchart of Embodiment 6 of implementing media content security according to an embodiment of the present invention, where specific steps are as follows:
  • Step 1101 The UE sends a service request message (for example, INVITE) to the SCF through the IMS Core, where the message carries the user identifier and the service or content identifier information.
  • Step 1102 The SCF sends a service request message to the MF through the IMS Core.
  • Step 1103 The MF sends a service response message, such as a 200 OK message, to the SCF through the IMS Core.
  • Step 1104 The SCF obtains a key corresponding to the service or the content identifier from the KMF.
  • Step 1105 The SCF sends a service response message to the UE through the IMS Core, and carries a key corresponding to the service or the content identifier.
  • The parameter carried in the service response sent by the SCF may be not the key itself but address information from which the key can be obtained, such as an IP address, a URL or a PSI in the IMS. In that case step 1104 is not required.
  • Step 1106 The UE uses the obtained key to unlock the media stream and view it.
  • The key issued here is similar to the key in the first embodiment, and may be a KEK or a TEK depending on whether the two-layer or the three-layer key model is selected.
  • This embodiment can be applied to the LTV or CoD service; the SCF obtains the key from the KMF and returns it to the UE within the IMS session process.
  • The K1 interface is a mandatory interface. The specific steps are:
  • Step 1201 The UE sends a key request message, such as an INVITE message, to the SCF through the IMS Core, where the message carries the user identifier and the service or content identifier.
  • Step 1202 The SCF acquires a key corresponding to the service or the content identifier from the KMF.
  • Step 1203 The SCF sends a service response message to the UE through the IMS Core, and carries a key corresponding to the service or the content identifier.
  • The parameter carried in the service response sent by the SCF may be not the key itself but address information from which the key can be obtained, such as an IP address, a URL or a PSI identifier in the IMS. In that case step 1202 may not be required.
  • Step 1204 The UE receives the encrypted media stream, obtains the media stream by using the key, and performs viewing.
  • The key request message and the key response message in this embodiment may be SIP messages, for example an INVITE message and a 200 response message.
  • In this embodiment the key is delivered directly in the service response message.
  • The key may also be carried not by the service response message but by another message; for example, the KMF or the SCF sends the key to the UE in a separate UDP message.
  • If the three-layer key model is used, the key requested in step 1202 is the KEK, and the KEK is encrypted with the SUK. At the media level, the KEK-encrypted TEK can be delivered to the UE by multicast through the KMF or the MF. The UE first decrypts the KEK using the SUK, then decrypts the TEK using the KEK, and finally uses the TEK to decrypt the encrypted media stream.
  • The key of this embodiment may also be delivered in the same manner as the multicast layer-3 key, the difference being that the key delivered on the media plane is sent in unicast mode rather than multicast mode.
  • Alternatively, the two-layer key model is used: the key requested in step 1202 is the TEK, and the TEK is encrypted with the SUK. At the media level no key needs to be sent to the UE. The UE first decrypts the TEK using the SUK, then decrypts the media stream using the TEK.
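As an added example (not code from the patent), the two key models described above in Go, with AES-GCM standing in for the algorithms the patent leaves unspecified: in the three-layer model the KEK is protected by the SUK and the TEK by the KEK; in the two-layer model the TEK is protected directly by the SUK and nothing is sent on the media plane. The SUK is generated at random here as a stand-in for the GBA-derived shared user key, and all type and function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// newKey returns a fresh 128-bit AES key; used here for the SUK, KEK and TEK.
func newKey() ([]byte, error) {
	k := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// seal protects plaintext under key with AES-GCM (confidentiality and
// integrity); the random nonce is prepended to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the data was altered.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Bundle is what the UE receives. In the three-layer model WrappedKEK carries
// the KEK protected by the SUK (unicast key response) and WrappedTEK carries
// the TEK protected by the KEK (multicast media plane). In the two-layer model
// WrappedKEK is nil and WrappedTEK carries the TEK protected directly by the SUK.
type Bundle struct {
	WrappedKEK []byte
	WrappedTEK []byte
	Media      []byte // media stream encrypted under the TEK
}

// NetworkSide models the KMF/MF: generate the keys, wrap them, encrypt the media.
func NetworkSide(suk, media []byte, threeLayer bool) (Bundle, error) {
	var b Bundle
	tek, err := newKey()
	if err != nil {
		return b, err
	}
	wrapKey := suk // two-layer: the TEK is protected directly by the SUK
	if threeLayer {
		kek, err := newKey()
		if err != nil {
			return b, err
		}
		if b.WrappedKEK, err = seal(suk, kek); err != nil {
			return b, err
		}
		wrapKey = kek // three-layer: the TEK is protected by the KEK
	}
	if b.WrappedTEK, err = seal(wrapKey, tek); err != nil {
		return b, err
	}
	if b.Media, err = seal(tek, media); err != nil {
		return b, err
	}
	return b, nil
}

// UESide models the UE: unwrap the KEK with the SUK if one was delivered,
// unwrap the TEK, then decrypt the media stream.
func UESide(suk []byte, b Bundle) ([]byte, error) {
	wrapKey := suk
	if b.WrappedKEK != nil {
		kek, err := open(suk, b.WrappedKEK)
		if err != nil {
			return nil, fmt.Errorf("KEK unwrap: %w", err)
		}
		wrapKey = kek
	}
	tek, err := open(wrapKey, b.WrappedTEK)
	if err != nil {
		return nil, fmt.Errorf("TEK unwrap: %w", err)
	}
	return open(tek, b.Media)
}
```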
  • The request message here may also carry the GBA temporary user identification information B-TID; the SCF sends the B-TID to the KMF, so that the KMF obtains the corresponding SUK according to the B-TID and uses the SUK to protect the key to be delivered.
  • The B-TID can be carried in the corresponding XML element of the SIP request message.
  • The key update process is basically similar to the basic service establishment process, and is divided into a key update process initiated by the UE and a key update process initiated by the network side.
  • The key update may carry the key update request information and the key in a SIP INVITE message, an Update or Publish message, or a Notify message, and the corresponding reply message.
  • The service request may also be initiated by an entity on the network side; the process is similar to this embodiment, except that the network side carries the key to the UE in the message that initiates the request.
  • Process for channel switching: if all services in the entire service package (multicast service group) share one set of keys, or if a set of different keys corresponding to all services in the entire service package is delivered initially, then no key request message needs to be initiated when switching between channels in the same service package. If only the key corresponding to one service in a service package is delivered initially, the UE needs to obtain a key from the network side when performing channel switching; likewise, when the UE switches to a service or channel in another service package, it needs to obtain a key from the network side.
  • This embodiment can be applied to the LTV service and the CoD service; the UE subscribes to the key of the current service from the SCF by using the Subscribe method of the SIP (RFC 3261) protocol.
  • the K1 interface is a mandatory interface.
  • FIG. 13 is a flowchart of Embodiment 8 of implementing media content security according to an embodiment of the present invention, and the specific steps are:
  • Step 1301 The UE sends a Subscribe message to the SCF through the IMS Core, where the subscribed event is the key of the current IPTV service and the message carries the user identifier and the service or content identifier.
  • Step 1302 The SCF returns a 200 OK message to the UE through the IMS Core, indicating that the subscription is successful.
  • Step 1303 The UE performs an IPTV service establishment or handover process.
  • The subscription and delivery of the key may take place before, during or after the service establishment or handover process.
  • Step 1304 The SCF acquires current service information of the UE.
  • The SCF can obtain the UE's current service in multiple ways: for example, the SCF subscribes to the UE's current LTV channel information or CoD content information using the Subscribe/Notify mode; or the SCF learns the UE's current service through the session establishment or switching process; or the SCF subscribes to the UE's current service information from the Presence Server.
  • Step 1305 The SCF obtains, from the KMF, a key corresponding to the current service or the content identifier of the UE.
  • Step 1306 The SCF sends a Notify message to the UE through the IMS Core, carrying the key corresponding to the current service or content of the UE.
  • Step 1307 The UE returns a 200 OK message to the SCF through the IMS Core.
  • Step 1308 The UE unpacks the media stream according to the received key and performs viewing.
  • When the key is updated, the SCF transmits the updated key information to the UE through Notify, and the UE replies with a 200 OK message.
  • The key issued here is similar to the key in the first embodiment, and may be a KEK or a TEK depending on whether the two-layer or the three-layer key model is selected.
  • The Subscribe request message here may also carry the GBA temporary user identification information B-TID; the SCF sends the B-TID to the KMF, so that the KMF obtains the corresponding SUK according to the B-TID and uses the SUK to protect the key. The B-TID can be carried in the corresponding XML element of the request message.
  • This embodiment can be applied to the LTV service and the CoD service.
  • The UE subscribes to the key from the SCF in the Subscribe mode, subscribing to the key corresponding to a particular service or content.
  • The K1 interface is a mandatory interface. The specific steps are:
  • Step 1401 The UE performs an IPTV service session establishment process or a channel switching process.
  • There is no required order between the session establishment or channel switching process and the key subscription process; the key subscription may be performed first, before the session establishment process.
  • Step 1402 The UE sends a Subscribe message to the SCF through the IMS Core, subscribing to the key event for one or more service or content identifiers, where the message carries the user identifier and the service or content identifier.
  • Step 1403 The SCF returns a 200 OK message to the UE through the IMS Core, indicating that the subscription has succeeded.
  • Step 1404 The SCF obtains, from the KMF, the key corresponding to the service identifier or content identifier subscribed to by the UE.
  • Step 1405 The SCF sends a Notify message to the UE through the IMS Core, carrying the key corresponding to the UE's subscription.
  • Step 1406 The UE returns a 200 OK message to the SCF through the IMS Core.
  • Step 1407 The UE uses the key obtained in step 1405 to unlock the protected media stream and view it.
  • When the key is updated, the SCF transmits the updated key information to the UE through Notify, and the UE replies with a 200 OK message.
  • When the UE moves to a new IPTV service package, a channel subscription process and a basic LTV service session change process may be re-initiated (similar to the initial LTV service session process), in which channel switching is required; at that point the UE must resubscribe using the method described in FIG. 14.
  • The key issued here is similar to the key in the first embodiment, and may be a KEK or a TEK depending on whether the two-layer or the three-layer key model is selected.
  • The Subscribe request message here may also carry the GBA temporary user identification information B-TID; the SCF sends the B-TID to the KMF, so that the KMF obtains the corresponding SUK according to the B-TID and uses the SUK to protect the key. The B-TID can be carried in the corresponding XML element of the request message.
  • Embodiment 10 This embodiment can be applied to the LTV service and the CoD service.
  • The UE subscribes to the key from the KMF in the Subscribe mode, subscribing to the key of the current service.
  • The K4 interface is a mandatory interface. The specific steps are:
  • Step 1501 The UE sends a Subscribe message to the KMF through the IMS Core, subscribing to the key of the current IPTV service, where the message carries the user identifier and the service or content identifier.
  • Step 1502 The KMF returns a 200 OK message to the UE through the IMS Core, indicating that the subscription is successful.
  • Step 1503 The UE performs an IPTV service establishment or handover process.
  • the service establishment or handover process does not have an inevitable sequence relationship with the subscription and delivery of the key.
  • the subscription and delivery of the key may be sent before, during or after the service establishment or handover process.
  • Step 1504 The KMF obtains current service information of the UE.
  • The KMF can obtain the UE's current service in multiple ways: the KMF subscribes to the UE's current LTV channel information or CoD content information in the Subscribe/Notify mode; or the KMF learns the UE's current service through the session establishment or switching process; or the KMF subscribes to the UE's current service information from the Presence Server.
  • Step 1505 The KMF sends a Notify message to the UE through the IMS Core, carrying the key corresponding to the UE's current service identifier or content identifier.
  • Step 1506 The UE returns a 200 OK message to the KMF through the IMS Core.
  • Step 1507 The UE unlocks the media stream according to the received key and performs viewing.
  • When the key is updated, the KMF transmits the updated key information to the UE through Notify, and the UE replies with a 200 OK message.
  • The UE can also subscribe to the key of the current service from the MF by using the Subscribe mode.
  • In that case the K5 interface is a mandatory interface, that is, the UE subscribes to the MF, and the MF obtains the key from the KMF over the K5 interface.
  • The key issued in this embodiment is similar to the key in the first embodiment, and may be a KEK or a TEK depending on whether the two-layer or the three-layer key model is selected.
  • The Subscribe request message can also carry the GBA temporary user identification information B-TID, so that the KMF obtains the corresponding SUK according to the B-TID and uses the SUK to protect the key to be delivered. The B-TID can be carried in the corresponding XML element of the request message.
  • This embodiment can be applied to the LTV service and the CoD service.
  • The UE subscribes to the key from the KMF in the Subscribe mode, subscribing to the key corresponding to a particular service or content.
  • The K4 interface is mandatory in the architecture when this embodiment is applied.
  • FIG. 16 is a flowchart of Embodiment 11 of implementing media content security according to an embodiment of the present invention, where specific steps are as follows:
  • Step 1601 The UE performs an IPTV service session establishment process or a channel switching process.
  • There is no required order between the session establishment or channel switching process and the key subscription process; the key subscription may be performed first, before the session establishment process.
  • Step 1602 The UE sends a Subscribe message to the KMF through the IMS Core, subscribing to the key corresponding to one or more service identifiers or content identifiers, where the message carries the user identifier and the service identifier or content identifier.
  • Step 1603 The KMF returns a 200 OK message to the UE through the IMS Core, indicating that the subscription has succeeded.
  • Step 1604 The SCF sends a Notify message to the UE through the IMS Core, carrying the key corresponding to the UE's request.
  • Step 1605 The UE returns a 200 OK message to the SCF through the IMS Core.
  • Step 1606 The UE uses the key obtained in step 1604 to decrypt the protected media stream and view it.
  • When the key is updated, the KMF transmits the updated key information to the UE through Notify, and the UE replies with a 200 OK message.
  • When the UE moves to a new IPTV service package, a channel subscription process and a basic LTV service session change process may be re-initiated (similar to the initial LTV service session process, in which a channel switching process is required); at that point the UE must resubscribe using the method described in FIG. 16.
  • The UE can also subscribe to the key of a particular service from the MF by using the Subscribe mode.
  • In that case the K5 interface is a mandatory interface, that is, the UE subscribes to the MF, and the MF obtains the key from the KMF over the K5 interface.
  • The key issued here is similar to the key in the first embodiment, and may be a KEK or a TEK depending on whether the two-layer or the three-layer key model is selected.
  • The Subscribe request message may also carry the GBA temporary user identification information B-TID, so that the KMF obtains the corresponding SUK according to the B-TID and uses the SUK to protect the key to be delivered. The B-TID can be carried in the corresponding XML element of the request message.
  • FIG. 17 is a schematic diagram of a system 2 for implementing IPTV media content security in an IMS system according to an embodiment of the present invention.
  • A KMF function module is introduced into the system for implementing an IPTV service based on an IMS network, and the KMF is integrated into the SCF for service protection, that is, the SCF has the KMF function of managing keys.
  • the SCF having the KMF key management function can provide the key and/or related parameters to the required functional entity.
  • the SCF can also generate or obtain keys and/or related parameters from other functional entities, and the SCF can also update the keys and/or related parameters.
  • The functional entity that requires the key may be, for example, a UE or an MF.
  • the related parameters include a combination of one or more of a key identifier corresponding to the key, a security algorithm, a key validity period, and the like.
  • the K1 interface between the SCF and the KMF described in FIG. 4 does not exist or becomes an internal interface, and the S1 interface between the SCF and the UE also has a function of transmitting a key to the UE;
  • the S2 interface between the SCF and the MF also has a function of transmitting a key to the MF;
  • Not all of these interfaces are mandatory in an actual application system; depending on the path by which the key or the related parameters of the key are distributed, the interfaces selected in the actual architecture differ. If the key is transmitted directly between the SCF and the UE, the S1 interface must exist and other interfaces may or may not exist; if it is transmitted between the SCF and the MF, the S2 interface must exist and other interfaces may or may not exist.
  • The specific service protection process is similar to the service protection process in which the KMF of FIG. 4 is an independent functional entity (Embodiment 1 to Embodiment 11), except that the KMF is an internal function module of the SCF: the step in which the SCF acquires the key from the KMF is not needed, and the interaction of the other functional entities with the KMF becomes interaction with the SCF. The following example explains this.
  • FIG. 18 is a flowchart of Embodiment 12 of implementing media content security according to an embodiment of the present invention. Compared with the flowchart of Embodiment 3, the SCF does not need to acquire the key from the KMF; the SCF itself has the KMF function of managing the key and sends the key directly to the UE, which saves a step.
  • the S1 interface in the architecture is a mandatory interface.
  • the UE may generate a shared user key in advance with the SCF, such as may be generated by the GBA method, and then use the shared key to protect the key information that the SCF delivers to the UE.
  • the process of generating a shared key may be performed before or after receiving a key request from the UE.
  • Step 1801 The UE performs a session process of service establishment or service switching (channel switching of the LTV).
  • the session process and the key request process are not in an orderly sequence.
  • Step 1802 The SCF may send a key acquisition indication information to the UE, instructing the UE to initiate a key acquisition request, and the step is optional.
  • Step 1803 The UE sends a key request message to the SCF through the S1 interface, and carries the user identifier, service/content identification information, or key identification information.
  • Step 1804 The SCF sends a response message to the UE, and carries the key.
  • Step 1805 The UE obtains the protected media stream, and uses the obtained key to unlock the media stream for viewing.
  • When the KMF is integrated into the SCF, each of the above embodiments in which the KMF is an independent functional entity can be handled similarly to the present embodiment.
  • FIG. 19 is a schematic diagram of a system for implementing IPTV media content security in an IMS system according to an embodiment of the present invention.
  • a KMF function module is introduced in a system for implementing an IPTV service based on an IMS network, and is integrated into the MF.
  • the MF having the KMF key management function can provide the key and/or related parameters to the required functional entity.
  • the MF can also generate or obtain keys and/or related parameters from other functional entities, and the MF can also update the keys and/or related parameters.
  • The functional entity that requires the key may be, for example, a UE or an SCF.
  • the related parameters include a combination of one or more of a key identifier corresponding to the key, a security algorithm, and a key validity period.
  • the K5 interface between the MF and the KMF described in FIG. 4 does not exist or becomes an internal interface
  • The L1 interface between the MF and the SCF, the L2 interface between the IMS Core and the MF, and the L3 interface to the UE, in addition to their existing functions, also have the function of transmitting the key and the related parameters of the key from the MF to the SCF, the IMS Core and the UE respectively.
  • Not all of these interfaces are mandatory; the interfaces selected differ depending on the path by which the key or the related parameters of the key are transmitted. If the key is transmitted over the L1 interface between the MF and the SCF, the L1 interface must exist and other interfaces may or may not exist; if it is transmitted over the L2 interface between the IMS Core and the MF, the L2 interface must exist and other interfaces may or may not exist.
  • The specific service protection process is similar to the service protection process in which the KMF of FIG. 4 is an independent functional entity (Embodiment 1 to Embodiment 11), except that the KMF is an internal function module of the MF: the step in which the MF acquires the key from the KMF is not needed, and the interaction of the other functional entities with the KMF becomes interaction with the MF.
  • FIG. 20 is a flowchart of Embodiment 13 of implementing media content security according to an embodiment of the present invention. The MF does not need to obtain the key from the KMF; the MF itself has the KMF function of managing the key and sends the key directly to the UE through the IMS Core and the SCF.
  • This embodiment can be applied to CoD service protection, and the MF returns the key to the UE through the IMS Core.
  • The L2 interface is mandatory when this embodiment is applied. The specific steps are:
  • Step 2001 The UE sends a service request message, such as an INVITE message, to the SCF through the IMS Core, where the message carries the user identifier and the service or content identification information.
  • Step 2002 The SCF sends a service request message to the MF through the IMS Core, where the user identifier, service or content identification information is carried.
  • Step 2003 The MF sends a service response message (such as a 200 OK message) to the SCF through the IMS Core, carrying the key corresponding to the service or content identifier.
  • Step 2004 The SCF sends a service response message to the UE through the IMS Core.
  • Step 2005 The UE uses the obtained key to unlock the media stream and view it.
  • The key issued here is similar to the key in the first embodiment, and may be a KEK or a TEK depending on whether the two-layer or the three-layer key model is selected.
  • each of the above embodiments in which the KMF is an independent functional entity can be handled similarly to this embodiment.
  • In each of the above embodiments the network side may also actively send the key corresponding to the UE's service or content to the UE, that is, the UE does not need to send a key request message. The specific process and parameters are similar to the embodiments in which the UE actively requests the key.
  • An embodiment of the present invention further provides a structure diagram of a KMF, as shown in FIG. 21, including a key distribution unit 2101 and a key information service function unit 2102, where:
  • the key distribution unit 2101 is configured to send a key and/or the related parameters of the key to a UE or another functional entity;
  • the key information service function unit 2102 is configured to provide the key and/or the related parameters of the key to the key distribution unit 2101; the key and/or its related parameters may be generated by this unit itself or obtained from elsewhere.
  • the embodiment of the present invention further provides a system diagram for transmitting a key between the MF and the KMF.
  • The KMF sends the key to the MF directly through the M1 interface, or through the M2 interface via the SCF and the Core IMS.
  • the MF in this figure performs the encryption processing of the service protection.
  • the MF also needs to deliver the TEK multicast to the UE.
  • Interface M1 is used to pass the key directly; interface M2 passes the key through the SCF.
  • The M1 and M2 interfaces do not need to exist at the same time; different interfaces are selected for different schemes.
  • Architecture 1: the M1 interface is mandatory and the M2 interface is optional.
  • Architecture 2: the M2 interface is mandatory and the M1 interface is optional.
  • Solution 1: The TEK is used directly to protect the media content between the UE and the MF. Suitable for LTV and CoD services. The TEK is generated by the KMF and delivered to the MF, either pushed by the KMF or requested from the KMF by the MF. The MF uses the TEK to encrypt the media content.
  • Solution 2: The TEK is again used directly to protect the media content between the UE and the MF. Suitable for LTV and CoD services. The MF generates the TEK and uses it to encrypt the media content; the TEK is delivered to the KMF, either pushed by the MF or requested from the MF by the KMF.
  • Solution 3: The MF sends the TEK, the key that directly protects the media, to the UE in multicast mode, so the TEK itself must be protected by a further key, called the KEK. Suitable for LTV and CoD services. The KMF generates the KEK and the MF generates the TEK; the KMF pushes the KEK to the MF, or the MF requests the KEK from the KMF. The MF encrypts the TEK with the KEK and multicasts the encrypted TEK to the UE.
  • Solution 4: As in Solution 3, the TEK sent to the UE in multicast mode is protected by a KEK. Suitable for LTV and CoD services. The KMF generates both the KEK and the TEK; the KMF pushes the KEK and the TEK to the MF, or the MF requests them from the KMF.
  • Architecture 2 uses the M2 interface to pass the key. The procedure is the same as in Architecture 1, except that the key transfer path between the KMF and the MF is KMF - M2 - SCF - Core IMS - MF.
  • The IPTV media security system described in the above embodiments may further include a content encryption entity (CEF) for encrypting the media content. The CEF and the KMF may divide the key work in any of the following ways.
  • The CEF is configured to generate the media protection key TEK and send it to the key management function entity KMF; the KMF is configured to encrypt the TEK with a key encryption key KEK and send the encrypted TEK back to the CEF.
  • The CEF is configured to generate the TEK and send a key request message to the KMF requesting a KEK, and then to encrypt the TEK with that KEK; the KMF is configured to provide the KEK to the CEF.
  • The CEF is configured to send a key request message to the KMF; the KMF is configured to generate a KEK and a TEK, encrypt the TEK with the KEK according to the key request message, and send both the encrypted TEK and the unencrypted TEK to the CEF.
  • The CEF is configured to send a key request message to the KMF and to encrypt the TEK with a KEK; the KMF is configured to generate the KEK and the TEK and send both to the CEF.
  • A direct interface N1 between the KMF and the CEF (FIG. 23) carries one or more of: the SEK, the TEK, and the SEK-encrypted TEK.
  • In the embodiment in which the CEF generates the TEK, shown in FIG. 24, the method includes the following steps:
  • Step 2401: The CEF generates the media protection key TEK.
  • Step 2402: The CEF sends a key request message to the KMF carrying the content identifier and/or service identification information together with the TEK.
  • Step 2403: On receiving the key request message, the KMF encrypts the TEK with the SEK corresponding to the content identifier and/or service identification information. This step is optional: it is omitted when the CEF only reports the generated TEK to the KMF and does not need an SEK-encrypted TEK.
  • Step 2404: The KMF sends a response message to the CEF carrying the SEK-encrypted TEK. If step 2403 was omitted, the response does not carry the SEK-encrypted TEK parameter.
  • Subsequent processing may be: the CEF sends the encrypted TEK to the user equipment, or hands it to the media function entity, which sends it to the user equipment; alternatively, the KMF is subsequently responsible for sending the TEK to the user terminal.
  • In the embodiment in which the CEF generates the TEK and obtains the SEK from the KMF, shown in FIG. 25, the method includes the following steps:
  • Step 2501: The CEF sends a key request message to the KMF requesting the SEK, carrying the content identifier and/or service identification information.
  • Step 2502: The KMF receives the key request message and sends the corresponding SEK to the CEF.
  • Step 2503: The CEF encrypts the TEK with the returned SEK.
  • Subsequent processing may be: the CEF sends the encrypted TEK to the user equipment, or hands it to the media function entity, which sends it to the user equipment.
  • In the embodiment in which the KMF generates both the TEK and the SEK, shown in FIG. 26, the method includes the following steps:
  • Step 2601: The CEF sends a key request message to the KMF carrying the content identifier and/or service identification information.
  • Step 2602: On receiving the key request message, the KMF encrypts the corresponding TEK with the SEK corresponding to the content identifier and/or service identification information.
  • Step 2603: The KMF sends the SEK-encrypted TEK and the unencrypted TEK to the CEF.
  • Subsequent processing may be: the CEF uses the TEK to encrypt the media, and the encrypted TEK is sent to the user equipment, or handed to the media function entity, which sends it to the user equipment.
  • In the embodiment in which the CEF obtains both the SEK and the TEK from the KMF, shown in FIG. 27, the method includes the following steps:
  • Step 2701: The CEF sends a key request message to the KMF carrying the content identifier and/or service identification information.
  • Step 2702: On receiving the key request message, the KMF sends the corresponding SEK and TEK to the CEF.
  • Step 2703: The CEF encrypts the TEK with the returned SEK.
  • Subsequent processing may be: the CEF uses the TEK to encrypt the media, and the encrypted TEK is sent to the user equipment, or handed to the media function entity, which sends it to the user equipment.
  • The CEF may be a separate functional entity, or may be combined with the KMF or with the MF into a single functional entity. When the CEF is a function module of another entity, its interaction with that entity becomes internal processing.
  • The NEK interface between the CEF and the MF entity (FIG. 28) carries information such as the TEK encrypted with the SEK.
  • The content encryption entity of the embodiments of the present invention may have any of the structures shown in FIGS. 29 to 32.
  • In FIG. 29, the content encryption entity includes a key generation unit 2901, configured to generate a media protection key, and a key transceiver unit 2902, configured to send the media protection key to the key management function entity. The key transceiver unit 2902 is further configured to receive the encrypted media protection key sent by the key management function entity.
  • In FIG. 30, the content encryption entity includes a key generation unit 3001, configured to generate a media protection key; a message sending unit 3002, configured to send a key request message to the key management function entity requesting a key encryption key; a key transceiver unit 3003, configured to receive the key encryption key sent by the key management function entity; and an encryption operation unit 3004, configured to encrypt the media protection key with the key encryption key.
  • In FIG. 31, the content encryption entity includes a message sending unit 3101, configured to send a key request message to the key management function entity, and a key transceiver unit 3102, configured to receive the encrypted media protection key and the unencrypted media protection key sent by the key management function entity.
  • In FIG. 32, the content encryption entity includes a message sending unit 3201, configured to send a key request message to the key management function entity; a key transceiver unit 3202, configured to receive the key encryption key and the media protection key sent by the key management function entity; and an encryption operation unit 3203, configured to encrypt the media protection key with the key encryption key.
  • When a CEF is deployed, the CEF interacts with the KMF so that the KMF obtains the TEK, and the CEF encrypts the media and sends the encrypted media to the MF.
  • In the two-layer scheme, the UE obtains the SUK-encrypted TEK from the KMF as in the key acquisition embodiments described above, decrypts it with its SUK, and then uses the TEK to decrypt the encrypted media sent by the MF.
  • In the three-layer scheme, the user key SUK, the media encryption key TEK and the key encryption key KEK are all used. The CEF encrypts the media with the TEK and sends the encrypted media to the MF. The KEK-encrypted TEK may be produced by the CEF and sent to the MF, which forwards it to the UE over the multicast media channel; or, after the CEF reports the TEK to the KMF, the KMF encrypts the TEK with the KEK and the KEK-encrypted TEK is sent to the UE over the multicast media channel.
  • The UE obtains the SUK-encrypted KEK from the KMF as in the key acquisition embodiments described above, receives the KEK-encrypted TEK and the TEK-encrypted media over the multicast channel, decrypts the KEK with the SUK, decrypts the TEK with the KEK, and finally decrypts the media with the TEK.
  • When the CEF is an internal module of the KMF or of the MF, the above interaction becomes internal processing.
  • The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), or a Random Access Memory (RAM).

Abstract

An embodiment of the invention provides a system, method and device for realizing IPTV media content security protection, relating to the communications field and aiming at realizing IPTV media content protection. The system comprises a user equipment (UE), a service control function entity (SCF), an IMS core network (IMS Core), a media function entity (MF) and a key managing function entity (KMF), wherein the key managing function entity provides a key to the user equipment; the service control function entity provides service control of the IPTV service; the media function entity sends encrypted media content to the user equipment; and the user equipment receives the media content from the media function entity and uses the received key to obtain the decrypted media content. The embodiment of the invention is applied to IPTV.

Description

System, method and device for realizing IPTV media content security
Technical field
The present invention relates to the field of communications technologies, and in particular to a system, method and device for implementing IPTV media content security.
Background
The IMS Core (IMS core network), also called Core IMS, is a network system overlaid on the packet-domain network and composed of functional entities such as the Call Session Control Function (CSCF) and the User Profile Serving Function (UPSF). The CSCF is further divided into three logical entities: the Serving CSCF (S-CSCF), the Proxy CSCF (P-CSCF) and the Interrogating CSCF (I-CSCF).
The IPTV service based on the IMS network is a new service that has developed rapidly in recent years. It transmits multimedia, including video, audio and data, over an Internet Protocol (IP) network. In essence the service provides IPTV under the IMS network architecture, making full use of the session control, charging and other mechanisms already present in the IMS network to provide TV services to user equipment (UE). Typical IPTV media streaming services are the Linear Television (LTV) service (also called the Broadcast Service, BC) and the Content on Demand (CoD) service. The LTV service delivers media content to the UE by multicast; the CoD service is a unicast service.
FIG. 1 is a schematic diagram of a first service function architecture of the IPTV service based on the IMS network in the prior art, proposed by the TISPAN standards organization, where:
The IPTV Media Function (MF) is responsible for delivering media content to the UE. Functionally, the IPTV Media Function can be decomposed into a Media Control Function (MCF) and a Media Delivery Function (MDF). The MDF is usually a set of media distribution servers that send media streams to the UE under the control of the MCF.
The IPTV Service Control Functions (SCF) process IPTV service requests sent by the UE and provide IPTV service control.
The User Profile Serving Function (UPSF) stores the subscription information of the UE.
The Service Selection Function (SSF) provides the UE with service menu information that can be browsed and selected.
The Transport Functions transport the media content that the MF delivers to the UE in IPTV. FIG. 2 is a schematic diagram of a second service function architecture of the IPTV service based on the IMS network in the prior art, proposed by the International Telecommunication Union (ITU-T) standards organization; it includes the UE, the IPTV application service function entity (applications), the service user profile function, the IMS Core, the content delivery function and the transport stratum, where:
The content delivery function provides the media content distribution service for the UE; its function is similar to that of the MF in FIG. 1.
The IPTV application service function entity (applications) processes IPTV service requests sent by the UE and provides IPTV service control; its function is similar to that of the SCF in FIG. 1.
The service user profile function stores the service subscription information of the UE; its function is similar to that of the UPSF in FIG. 1.
The transport stratum transports the media content distributed by the content delivery function to the UE; its function is similar to that of the Transport Functions.
For brevity, the embodiments of the present invention are described only in terms of the entities defined in FIG. 1; unless otherwise specified, the description applies equally to the corresponding functional entities in FIG. 2.
The systems shown in FIG. 1 and FIG. 2 can transmit the media content of an IPTV service: when the IPTV service is an LTV service the media stream can be transmitted by multicast, and when it is a CoD service the media stream can be transmitted by unicast. At present, however, the media stream is not protected when it is transmitted by multicast or unicast, so the security of the LTV service or the CoD service cannot be guaranteed. In the prior art, the Conditional Access (CA) system is the method used to protect media content in traditional broadcast television. In that system the media content is scrambled at the content source and descrambled by the UE when it plays the content, thereby achieving secure transmission of the media content. The media content, the security information and the other information in the system are encapsulated into a Transport Stream (TS) and sent to the UE. In CA, the keys in the security information are protected hierarchically: the media content is scrambled with a Control Word (CW); the CW is encrypted with a Service Key (SK) and sent to the UE in an Entitlement Control Message (ECM); the SK is sent to the UE in an Entitlement Management Message (EMM) and is itself encrypted with the user's personal key before transmission. This media delivery process is shown in FIG. 3. On receipt, the UE first decrypts the SK with its own stored personal distribution key, then decrypts the CW with the SK, and then descrambles the media content with the CW.
The existing CA system is a media encryption technique for traditional broadcast television systems: it uses scrambling and descrambling, and its keys are carried in the TS encapsulation format, so it cannot be applied directly to current IPTV systems. How to implement media content security protection for the LTV service in an IMS network therefore remains a problem to be solved.
Summary of the invention
In a first aspect, an embodiment of the present invention provides a system for implementing media security protection, which is able to protect IPTV media content.
A system for implementing IPTV media security includes a user equipment UE, a service control function entity SCF, an IMS core network IMS Core and a media function entity MF, and further includes a key management function entity KMF, where
the key management function entity is configured to provide a key to the user equipment;
the service control function entity is configured to provide service control for the IPTV service;
the media function entity is configured to send encrypted media to the user equipment; and
the user equipment is configured to receive the encrypted media sent by the media function entity and to obtain the unencrypted media using the received key. In a second aspect, an embodiment of the present invention provides a method for implementing media security protection, which is able to protect IPTV media content.
A method for implementing IPTV media security includes the following steps:
the user equipment UE obtains the key corresponding to media service security from the key management function KMF; the user equipment UE receives the encrypted media sent by the media function entity MF;
the user equipment UE uses the key to obtain the decrypted media.
In a third aspect, an embodiment of the present invention further provides a key management function entity, including a key distribution unit and a key information service function unit;
the key information service function unit is configured to provide the key related to media service security to the key distribution unit;
the key distribution unit is configured to send the key related to media service security to the user equipment. It can be seen from the above solutions that the system, method and device provided by the embodiments of the present invention introduce a key management function entity, which performs key management, into the existing system that implements the IPTV service on the IMS network, so that a UE holding the key can decrypt and view the encrypted IPTV media content transmitted by the system, while other UEs without the key cannot decrypt the IPTV media content transmitted by the system.
Therefore, the system, method and device provided by the embodiments of the present invention can protect IPTV media content.
In addition, an embodiment of the present invention further provides a content encryption entity, including:
a key generation unit, configured to generate a media protection key; and
a key transceiver unit, configured to send the media protection key to the key management function entity. An embodiment of the present invention further provides a content encryption entity, including:
a key generation unit, configured to generate a media protection key;
a message sending unit, configured to send a key request message to the key management function entity requesting a key encryption key;
a key transceiver unit, configured to receive the key encryption key sent by the key management function entity; and an encryption operation unit, configured to encrypt the media protection key with the key encryption key.
In the above technical solutions, the content encryption entity encrypts the media content with the media protection key, so that the security of the media content is ensured.
Brief description of the drawings
FIG. 1 is a schematic diagram of a first service function architecture of the IPTV service based on the IMS network in the prior art; FIG. 2 is a schematic diagram of a second service function architecture of the IPTV service based on the IMS network in the prior art; FIG. 3 is a schematic diagram of sending media content in a CA system in the prior art;
FIG. 4 is a schematic diagram of a first system for ensuring IPTV media content security in an IMS system according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of an example of the first system for ensuring IPTV media content security in an IMS system according to an embodiment of the present invention;
FIG. 6 is a flowchart of a first embodiment of implementing media content security according to an embodiment of the present invention;
FIG. 7 is a flowchart of a second embodiment of implementing media content security according to an embodiment of the present invention;
FIG. 8 is a flowchart of a third embodiment of implementing media content security according to an embodiment of the present invention;
FIG. 9 is a flowchart of a fourth embodiment of implementing media content security according to an embodiment of the present invention; FIG. 11 is a flowchart of a sixth embodiment of implementing media content security according to an embodiment of the present invention; FIG. 13 is a flowchart of an eighth embodiment of implementing media content security according to an embodiment of the present invention;
FIG. 16 is a flowchart of an eleventh embodiment of implementing media content security according to an embodiment of the present invention; FIG. 17 is a schematic diagram of a second system for ensuring IPTV media content security in an IMS system according to an embodiment of the present invention;
FIG. 18 is a flowchart of a twelfth embodiment of implementing media content security according to an embodiment of the present invention; FIG. 19 is a schematic diagram of a third system for ensuring IPTV media content security in an IMS system according to an embodiment of the present invention;
FIG. 20 is a flowchart of a thirteenth embodiment of implementing media content security according to the present invention;
FIG. 21 is a schematic structural diagram of a KMF according to an embodiment of the present invention;
FIG. 22 is a schematic diagram of a system for transmitting a key between the MF and the KMF according to an embodiment of the present invention; FIG. 23 is a system diagram of the KMF and the CEF passing information over a direct interface according to an embodiment of the present invention; FIG. 24 is a flowchart of a fourteenth embodiment of implementing media content security according to the present invention;
FIG. 25 is a flowchart of a fifteenth embodiment of media content security according to the present invention;
FIG. 26 is a flowchart of a sixteenth embodiment of media content security according to the present invention;
FIG. 27 is a flowchart of a seventeenth embodiment of media content security according to the present invention;
FIG. 28 is a system diagram of the CEF and the MF passing information for media content security according to the present invention;
FIGS. 29 to 32 are schematic diagrams of the first to fourth embodiments of the content encryption entity according to embodiments of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
In order to ensure the security of IPTV media content, the embodiments of the present invention protect the media content, transmit the key used in protecting the media content to the UE, and have the UE use the received key to verify or decrypt the protected media content it receives. The embodiments therefore re-architect the network that implements the IPTV service on the IMS network by introducing a Key Management Function (KMF) into it. The KMF is used to send keys related to media security. The KMF is a logical function module: in a specific implementation it may exist as an independent functional entity, or it may be an internal logical function unit of the SCF, of the MF or of another functional entity.
In addition, a Content Encryption Function (CEF) may also be introduced into the network architecture to encrypt the content and perform related processing. The CEF is a logical function module: in a specific implementation it may exist as an independent functional entity, or it may be an internal logical function unit of the MF or of another functional entity.
In the IPTV service, various keys are needed to protect the media content. The functions of the keys that may be used are described in detail below. "/" means "or".
The Traffic Encryption Key (TEK), also called the media protection key or content encryption key, is used to provide confidentiality or integrity protection directly to the media stream or content.
The Service Encryption Key (SEK) is a key corresponding to one or more multicast services or one or more multicast service channels. It may be used to protect the secure transmission of the TEK at the media level (confidentiality and/or integrity protection), to protect service-related security information such as the encryption algorithm or the key validity period, or to protect the Program Encryption Key (PEK) of the content of a media stream.
The Program Encryption Key (PEK) is a key that protects the media content in one or more channels. It may be used to protect the secure transmission of the TEK at the media level, or to protect service-related security information such as the encryption algorithm or the key validity period.
The Service Group Key (SGK) is used to protect the secure transmission of the TEK at the media level. The UEs of the same LTV service are divided into groups, each group is assigned a group key SGK, and the TEK encrypted with that group's SGK is sent in the media stream to the UEs of the group. All UEs receiving the same media content receive the same protected media stream, while each group can update its SGK asynchronously. Because the SGK of each group is updated independently, a UE that has just joined a group cannot receive media streams sent earlier, and a UE that has left a group cannot receive media streams sent later; this limits the scope affected by a TEK update. In addition, UEs of different levels may have different rights to receive the media stream; in that case the UEs can be grouped by level of rights, with one SGK per group protecting the secure delivery of the TEK.
In the embodiments of the present invention the SEK, PEK or SGK are generally used to protect the TEK; for brevity they are referred to collectively below as the service key SEK or the Key Encryption Key (KEK), and the TEK is referred to below as the media protection key. The Service User Key (SUK) is a user-specific key that may be used to protect the SEK, PEK or SGK. The SUK may be a key pre-configured on the network side and in the UE, a key generated with the Generic Bootstrapping Architecture (GBA), or a user key derived from the shared key generated by GBA.
业务注册密钥 (SRK, Service Registration Key), 用来实现 IPTV业务 的用户认证, 例如可以使用 HTTP 摘要 (HTTP digest )认证方法对用户进行 认证。 SRK可以是网络侧和 UE预先设置的密钥, 也可以是使用 GBA方式产生 的密钥, 还可以是 GBA 方式产生的共享密钥衍生出来的用户密钥, 衍生方式 可以由 LTV业务的网络侧和 UE预先设置好。  The Service Registration Key (SRK) is used to authenticate the user of the IPTV service. For example, the HTTP digest authentication method can be used to authenticate the user. The SRK may be a key set by the network side and the UE in advance, or may be a key generated by using the GBA method, or may be a user key derived from a shared key generated by the GBA method, and the derivative manner may be performed by the network side of the LTV service. Pre-set with the UE.
在本发明实施例中, 将 SUK或 SRK称为用户密钥 SUK, 这个密钥一般用于 保护用户特定的机密信息的下发, 例如, 对业务密钥进行保护。  In the embodiment of the present invention, the SUK or SRK is referred to as a user key SUK, and the key is generally used to protect the delivery of user-specific confidential information, for example, to protect the service key.
在本发明实施例中, IPTV 业务的保护根据具体业务不同, 可以分为 LTV (代表组播业务)保护和 COD (代表单播业务)保护, 以下以 LTV说明组播业 务, 以 CoD说明单播业务。 这两种业务的保护具体釆用哪些密钥进行保护是 根据业务实际部署需要而有所取舍的。 例如, LTV保护可以使用 SEK和 TEK, 媒体流使用 TEK进行保护, TEK使用 SEK进行保护, 加密后的 TEK和加密的媒 体都通过媒体组播下发, SEK通过信令面下发。 LTV保护也可以只使用 TEK对 媒体进行保护,媒体流使用 TEK进行保护通过媒体组播下发, TEK通过信令面 下发。 COD保护可以只使用 TEK对媒体进行保护,媒体流使用 TEK进行保护通 过媒体面下发, TEK通过信令面下发。  In the embodiment of the present invention, the protection of the IPTV service may be classified into LTV (representing multicast service) protection and COD (representing unicast service) protection according to specific services. The following describes the multicast service by LTV, and unicast by CoD. business. The protection of these two services is specifically based on which keys are used for protection. For example, LTV protection can use SEK and TEK, media stream is protected by TEK, TEK is protected by SEK, encrypted TEK and encrypted media are delivered through media multicast, and SEK is sent through the signaling plane. LTV protection can also be used to protect media only by using TEK. The media stream is protected by TEK and delivered by the media multicast. The TEK is sent through the signaling plane. The COD protection can protect the media only by using the TEK. The media stream is sent by the TEK for protection through the media plane, and the TEK is sent through the signaling plane.
对于业务包(一组业务) 来说, 流程中的密钥可以指的是整个业务包内 的所有业务共享的密钥; 也可以指的是业务包内的每个业务对应的不同的密 钥的集合; 也可以是虽然业务包内的每个业务对应的密钥不同, 但是下发密 钥只是当前用户请求的业务包内的某个业务对应的密钥。  For a service package (a group of services), the key in the process may refer to a key shared by all services in the entire service package; or may refer to a different key corresponding to each service in the service package. The set of keys may be different for each service in the service package, but the key to be delivered is only the key corresponding to a certain service in the service package requested by the current user.
在本发明以下的具体实施例中, 保护的媒体内容需根据釆用的密钥不同, 可能为单个或多个不同的媒体流。 例如, 如果向 UE下发 KEK作为密钥时, UE 接收使用 KEK加密的 TEK流以及用 TEK保护的媒体流, 这时, UE就可以釆用 得到的 KEK解密得到 TEK , 再用 TEK解密媒体流收看。 如果向 UE下发 TEK作 为密钥时, UE接收用 TEK保护的媒体流, 釆用得到的 TEK解密媒体流。 以下 在具体叙述时, KEK或 TEK都通称为密钥, 媒体面下发的媒体流和 /或密钥流 都简称为保护的媒体流。 In the following specific embodiments of the present invention, the protected media content needs to be different from the used key, and may be a single or multiple different media streams. For example, if the UE is sent a KEK as a key, the UE The TEK stream encrypted by KEK and the media stream protected by TEK are received. At this time, the UE can decrypt the obtained KEK to obtain the TEK, and then decrypt the media stream with TEK. If the TEK is sent as a key to the UE, the UE receives the media stream protected by the TEK, and decrypts the media stream by using the obtained TEK. In the following description, KEK or TEK is commonly referred to as a key, and the media stream and/or key stream delivered by the media plane are simply referred to as protected media streams.
The following describes in detail how, after the KMF and CEF have been introduced into the network, security protection of IPTV service media content is achieved.
FIG. 4 is a schematic diagram of a system for ensuring the security of IPTV media content in an IMS system according to an embodiment of the present invention. A KMF is introduced into the existing system that provides the IPTV service over an IMS network; it provides keys and/or key-related parameters to the functional entities that need them. The KMF may also generate keys and/or related parameters, or obtain them from other functional entities, and it may update keys and/or related parameters.
Here, the functional entities that need them may be the UE, MF, SCF and the like, and the related parameters include a combination of one or more of the key identifier corresponding to the key, the security algorithm, the key validity period, and so on.
To introduce the KMF into the architecture providing the IPTV service over an IMS network, the embodiment of the present invention adds several interfaces to that architecture, including: the K1 interface between the KMF and the SCF; the K2 interface between the KMF and the UE; the K4 interface between the KMF and the IMS Core; the K3 interface between the SCF and the UE; and the K5 interface between the KMF and the MF. These interfaces are mainly used to transfer the key and/or the key's related parameters between the two functional entities they connect.
In FIG. 4, not all of these interfaces are mandatory in a concrete implementation of the architecture; which are required depends on the scheme chosen for sending the key and/or its related parameters. If they are transferred only between the KMF and the UE, the K2 interface is mandatory and the others are optional; if they are transferred from the KMF via the SCF to the UE, the K1 and K3 interfaces are mandatory and the others are optional; if they are transferred between the KMF and the SCF, the K1 interface is mandatory and the others are optional; if the key is transferred between the KMF and the MF, the K5 interface is mandatory and the others are optional; if the KMF transfers the key directly via the IMS Core, the K4 interface is mandatory and the others are optional. As an example, if a concrete implementation transfers the key and/or its related parameters directly between the KMF and the SCF, the system architecture shown in FIG. 5 may be used; as the figure shows, the K1 interface must exist, while the other interfaces may or may not be present.
The examples using the HTTP protocol in the embodiments below take HTTP only as an example; concrete implementations may use other protocols, for example an XML format, or MIKEY to carry and send the key. The following describes in detail how the system of FIG. 4 achieves media content security.
Embodiment 1
This embodiment can be applied to LTV service protection or CoD service protection; the UE interacts directly with the KMF, so when this embodiment is applied the K2 interface is mandatory. In Embodiment 1, the connections between the devices of the system shown in FIG. 4 are as shown in FIG. 5.
In this embodiment, the UE may generate a shared user key with the KMF in advance, for example using the Generic Bootstrapping Architecture (GBA), and the shared key is then used to protect the key information that the KMF delivers to the UE. The shared key may be generated before or after the UE's key request is received.
FIG. 6 is a flowchart of Embodiment 1 for achieving media content security according to an embodiment of the present invention; its specific steps are as follows:
Step 601: The UE performs the session procedure for service establishment or service switching (channel switching for LTV). In this step, there is no fixed order between the session procedure and the key request procedure.
Step 602: The KMF sends a key acquisition indication to the UE, instructing the UE to initiate a key acquisition request. This step is optional.
In this step, the indication is mandatory only where the KMF uses this method to notify the UE that a key needs to be acquired. If the UE learns by other means that a key needs to be acquired, for example because the IMS network side sends a Notify message indicating that a key is needed, or because the UE finds in the media stream an identifier (key identifier) indicating that a key needs to be acquired, or because the UE already knows before initiating the service that a key must be acquired, the indication message need not be sent.
Step 603: The UE sends a key request message, such as an HTTP request message, directly to the KMF over the K2 interface, carrying the user identifier and the service/content identification information or the key identification information.
Step 604: The KMF obtains the user's service authorization information from the SCF or the UPF and authorizes the user's request. This step is optional if the KMF itself has authorization capability.
Step 605: The KMF sends a response message to the UE over the K2 interface, carrying the key and possibly also the key's related parameters.
In this step, the key is the key corresponding to the service/content or key identification information carried in the request message, possibly accompanied by the key's related parameters.
Step 606: The UE decrypts the encrypted media content with the obtained key and views it.
The service/content or service/content package identifier may be carried in the form of a URI or of a PSI in IMS. The service/content or service/content package identifiers used in the embodiments below are similar and are not described again.
For a multicast service (for example an LTV service), the key of this embodiment may be used as follows. The key model is a three-layer key model: the key delivered in step 605 is the KEK, which is encrypted with the SUK; on the media plane, the TEK encrypted with the KEK is delivered to the UE by multicast. The UE first decrypts the KEK with the SUK, then decrypts the TEK with the KEK, and finally decrypts the encrypted media stream with the TEK.
For a unicast service (for example a CoD service), the key of this embodiment may be used in a manner similar to the three-layer multicast key delivery above, the difference being that the key on the media plane is delivered by unicast rather than by multicast. Alternatively, a two-layer key model may be used: the key delivered in step 605 is the TEK, which is encrypted with the SUK, and no further key needs to be delivered to the UE on the media plane; the UE first decrypts the TEK with the SUK and then decrypts the media stream with the TEK.
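The two key models just described, carried through end to end as an added example that is not code from the patent: the SUK-protected key response of step 605, the KEK-wrapped TEK and TEK-protected media on the media plane, and the UE's unwrapping chain. The patent specifies no algorithm, so the cipher here is a constructed HMAC-SHA256 counter-mode keystream with an HMAC tag, chosen only so that the example runs on the Python standard library.

```python
"""Layered key model: the SUK protects the key delivered on the signalling plane
(KEK or TEK), the KEK protects the TEK on the media plane, and the TEK protects
the media stream. Added example, not code from the patent; the cipher is a
constructed HMAC-SHA256 counter-mode keystream with an HMAC tag so that the
example runs on the Python standard library alone."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and integrity keys derived from the one key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality and integrity protection: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(key: bytes, blob: bytes) -> bytes:
    """Inverse of protect(); raises ValueError on a wrong key or altered data."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or altered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


# ---- network side ----

def kmf_key_response(suk: bytes, key: bytes) -> bytes:
    """Step 605: the KMF returns the KEK (three-layer model) or the TEK
    (two-layer model) protected with the requesting user's SUK."""
    return protect(suk, key)


def media_plane_multicast(kek: bytes, tek: bytes, media: bytes) -> tuple:
    """Three-layer model: TEK wrapped with the KEK, media protected with the TEK;
    both are multicast identically to every UE of the service."""
    return protect(kek, tek), protect(tek, media)


# ---- UE side ----

def ue_decrypt_three_layer(suk: bytes, key_response: bytes,
                           wrapped_tek: bytes, protected_media: bytes) -> bytes:
    kek = unprotect(suk, key_response)      # SUK -> KEK
    tek = unprotect(kek, wrapped_tek)       # KEK -> TEK
    return unprotect(tek, protected_media)  # TEK -> media


def ue_decrypt_two_layer(suk: bytes, key_response: bytes, protected_media: bytes) -> bytes:
    tek = unprotect(suk, key_response)      # SUK -> TEK
    return unprotect(tek, protected_media)  # TEK -> media


def run_scenario(media: bytes = b"constructed sample media frame") -> dict:
    """Both models end to end. Keys are generated here for the example; in the
    architecture the SUK comes from GBA or pre-provisioning and KEK/TEK from the KMF."""
    suk_a, suk_b = os.urandom(32), os.urandom(32)   # UE A is entitled, UE B is not
    kek, tek = os.urandom(32), os.urandom(32)

    # LTV (multicast), three-layer model
    response_a = kmf_key_response(suk_a, kek)
    wrapped_tek, protected_media = media_plane_multicast(kek, tek, media)
    three_layer = ue_decrypt_three_layer(suk_a, response_a, wrapped_tek, protected_media)

    # UE B sees the same multicast but holds no key response under its own SUK
    try:
        ue_decrypt_three_layer(suk_b, response_a, wrapped_tek, protected_media)
        unentitled_blocked = False
    except ValueError:
        unentitled_blocked = True

    # CoD (unicast), two-layer model: TEK delivered directly under the SUK
    two_layer = ue_decrypt_two_layer(suk_a, kmf_key_response(suk_a, tek), protect(tek, media))

    return {"three_layer": three_layer, "two_layer": two_layer,
            "unentitled_blocked": unentitled_blocked}


if __name__ == "__main__":
    print(run_scenario())
```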
The response message of step 605 may be a response directly corresponding to the request, for example the request is an HTTP request and the response is the corresponding 200 message; it may also be a separately sent message, for example a separate UDP message carrying the key in MIKEY format.
Embodiment 2
This embodiment can be applied to LTV service protection or CoD service protection; the UE and the KMF interact directly through the IMS Core. When this embodiment is applied, the architecture used is the one in which the K1 interface is mandatory.
FIG. 7 is a flowchart of Embodiment 2 for achieving media content security according to an embodiment of the present invention; its specific steps are as follows:
Step 701: The UE sends a service request to the SCF through the IMS Core, carrying the user identifier and the identification information of the service or content.
Step 702: The SCF sends a service request to the MF through the IMS Core, carrying the user identifier and the identification information of the service or content, and the MF returns a service response message to the SCF through the IMS Core.
This step is not required for an LTV service request.
Step 703: The SCF generates a service authorization token (Token) and returns a service response message to the UE through the IMS Core, carrying the service authorization Token and possibly also the address information for obtaining the key, such as an IP address, a URL, or a PSI in IMS.
Step 704: The UE sends a key request message to the KMF, carrying the user identifier, the service or content identifier, and the service authorization Token.
Step 705: After receiving the message, the KMF verifies the authorization Token and, once it passes, returns the key to the UE.
Step 706: The UE decrypts the encrypted media stream with the obtained key and views it.
Before step 704 of FIG. 7, the KMF may also first send a trigger message to the UE, requesting the UE to obtain the key information from the KMF.
The authorization Token of FIG. 7 may be delivered in several ways. Besides obtaining it during session establishment, the UE may also obtain the Token by other means, such as service ordering or delivery in the electronic program guide (EPG); these are not listed one by one in this embodiment.
The key delivered here is similar to the key of Embodiment 1: depending on whether a two-layer or a three-layer key model is chosen, it may be the KEK or the TEK.
In the embodiments of the present invention, the service authorization Token is a credential issued by an authorization entity (for example the SCF or the MF) after checking that the UE is entitled to obtain the key corresponding to the service and the key's related parameters. Its form may vary: for example, the service authorization Token may be a string or a number, or a list containing information such as the identifier of the corresponding service or content and the user name; the authorization entity may also sign the token before delivering it.
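An added example, not the patent's code, of the Token check of steps 703 to 705. The token format is left open above, so this assumes a token listing the user, the service and an expiry, signed with an HMAC key shared by the SCF and the KMF; the KMF releases the service key only when the signature verifies and the token's user and service match the key request, so a token issued to one user for one service cannot be reused by another user or for another service.

```python
"""Service authorization Token flow of Embodiment 2 (steps 703 to 705). Added
example, not code from the patent. Assumptions: the token is a signed list of
user, service and expiry, and the SCF and KMF share an HMAC signing key."""
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def scf_issue_token(signing_key: bytes, user_id: str, service_id: str,
                    now: int, ttl_seconds: int) -> str:
    """Step 703: the SCF, having checked the user's entitlement, issues the Token."""
    body = json.dumps({"user": user_id, "service": service_id, "exp": now + ttl_seconds},
                      sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(signing_key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def kmf_verify_token(signing_key: bytes, token: str, user_id: str,
                     service_id: str, now: int) -> str:
    """Return "ok" or the reason the Token is rejected. The user and service
    named in the key request (step 704) must match the Token's contents."""
    try:
        body_b64, sig_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return "malformed token"
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):        # check signature before trusting claims
        return "bad signature"
    claims = json.loads(body)
    if claims.get("user") != user_id:
        return "token issued to a different user"
    if claims.get("service") != service_id:
        return "token issued for a different service"
    if claims.get("exp", 0) <= now:
        return "token expired"
    return "ok"


def kmf_handle_key_request(signing_key: bytes, key_store: dict, user_id: str,
                           service_id: str, token: str, now: int) -> tuple:
    """Step 705: release the service's key (KEK or TEK) only for a valid Token.
    Returns (key or None, reason)."""
    reason = kmf_verify_token(signing_key, token, user_id, service_id, now)
    if reason != "ok":
        return None, reason
    key = key_store.get(service_id)
    return (key, "ok") if key is not None else (None, "no key for service")


if __name__ == "__main__":
    # Constructed sample values: shared signing key, one service key, one user.
    shared = b"constructed-scf-kmf-signing-key"
    store = {"ltv:channel-7": bytes(16)}
    tok = scf_issue_token(shared, "alice", "ltv:channel-7", now=1000, ttl_seconds=60)
    print(kmf_handle_key_request(shared, store, "alice", "ltv:channel-7", tok, now=1030))
    print(kmf_handle_key_request(shared, store, "bob", "ltv:channel-7", tok, now=1030))
```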
Embodiment 3
This embodiment can be applied to LTV service protection or CoD service protection; the key is distributed to the UE through the SCF and the KMF. With the system shown in FIG. 4, when this embodiment is applied, the K3 and K1 interfaces of the architecture are mandatory.
In this embodiment, the UE may generate a shared user key with the SCF in advance, for example using GBA, and the shared key is then used to protect the key information that the SCF delivers to the UE. The shared key may be generated before or after the UE's key request is received.
FIG. 8 is a flowchart of Embodiment 3 for achieving media content security according to an embodiment of the present invention; its specific steps are as follows:
Step 801: The UE performs the session procedure for service establishment or service switching (channel switching for LTV). In this step, there is no fixed order between the session procedure and the key request procedure.
Step 802: The SCF may send a key acquisition indication to the UE, instructing the UE to initiate a key acquisition request. This step is optional.
In this step, the indication is mandatory only where the SCF uses this method to notify the UE that a key needs to be acquired. If the UE learns by other means that a key needs to be acquired, for example because the IMS network side sends a Notify message indicating that a key is needed, or because the UE finds in the media stream an identifier (key identifier) indicating that a key needs to be acquired, the indication message need not be sent.
Step 803: The UE sends a key request message to the SCF over the K3 interface, carrying the user identifier and the service/content identification information or the key identification information.
Step 804: The SCF obtains the key and the key's related parameters from the KMF.
Step 805: The SCF sends a response message to the UE, carrying the corresponding key.
Step 806: The UE obtains the encrypted media stream, decrypts it with the obtained key and views it.
In the embodiment of the present invention, a key update procedure may also be performed in FIG. 8: the updated key may be fetched from the SCF on the UE's own initiative, or the SCF may send the key to the UE on its own initiative.
As for the method by which the SCF obtains the key from the KMF, the SCF may send a key acquisition request message to the KMF carrying the service/content identification information or key identification information it has obtained, and the KMF returns to the SCF the key corresponding to that service/content identifier or key identifier, possibly together with information such as the algorithm and validity period. The SCF may also store this information so that it can be looked up locally when other UEs subsequently make service requests. The protocol used may be the Diameter protocol, the MIKEY protocol, HTTP, SIP, SOAP, XML, or other protocols or methods. The methods by which the SCF or the MF obtains the key in the embodiments below are similar and are not described again.
Embodiment 4
This embodiment can be applied to CoD service protection: the SCF obtains the service protection key from the KMF, sends it to the MF, and returns it to the UE through the IMS Core. With the system shown in FIG. 4, when this embodiment is applied, K1 is a mandatory interface of the architecture.
FIG. 9 is a flowchart of Embodiment 4 for achieving media content security according to an embodiment of the present invention; its specific steps are as follows:
Step 901: The UE sends a service request message, such as an INVITE, to the SCF through the IMS Core, carrying the user identifier and the service or content identification information.
Step 902: The SCF obtains from the KMF the key corresponding to the service or content identifier.
Step 903: The SCF sends a service request message to the MF through the IMS Core, carrying the service or content identifier and information such as the corresponding key.
Note: The MF may use this key to encrypt the content in real time. The parameter carried in the request message sent by the SCF here may also be, instead of the key, address information for obtaining the key, such as an IP address, a URL, or identification information such as a PSI in IMS. In that case step 902 is not needed.
Step 904: The MF sends a service response message, such as a 200 OK message, to the SCF through the IMS Core.
Step 905: The SCF adds information such as the key to the service response message and forwards the service response message to the UE through the IMS Core, carrying the key information corresponding to the service or content identifier, or the key acquisition address information.
Step 906: The UE decrypts the media stream with the obtained key and views it.
The key delivered here is similar to the key of Embodiment 1: depending on whether a two-layer or a three-layer key model is chosen, it may be the KEK or the TEK.
Embodiment 5
This embodiment can be applied to CoD service protection: the MF obtains the key from the KMF and returns it to the UE through the IMS Core. With the system shown in FIG. 4, when this embodiment is applied, K5 is a mandatory interface; alternatively, the MF obtains the corresponding key from the KMF over the Y2 and K4 interfaces.
FIG. 10 is a flowchart of Embodiment 5 for achieving media content security according to an embodiment of the present invention; its specific steps are as follows:
Step 1001: The UE sends a service request message, such as an INVITE message, to the SCF through the IMS Core, carrying the user identifier and the service or content identification information.
Step 1002: The SCF sends a service request message to the MF through the IMS Core, carrying the user identifier and the service or content identification information.
Step 1003: The MF obtains from the KMF the key corresponding to the service or content identifier.
Note: The MF may use this key to encrypt the content in real time.
Step 1004: The MF sends a service response message (for example a 200 OK message) to the SCF through the IMS Core, carrying the key corresponding to the service or content identifier.
Step 1005: The SCF sends the service response message to the UE through the IMS Core.
Step 1006: The UE decrypts the encrypted media stream with the obtained key and views it.
The key delivered here is similar to the key of Embodiment 1: depending on whether a two-layer or a three-layer key model is chosen, it may be the KEK or the TEK.
Embodiment 6
This embodiment can be applied to CoD service protection: the SCF obtains the service key from the KMF and returns it to the UE through the IMS Core. With the system shown in FIG. 4, when this embodiment is applied, the K1 interface is mandatory.
FIG. 11 is a flowchart of Embodiment 6 for achieving media content security according to an embodiment of the present invention; its specific steps are as follows:
Step 1101: The UE sends a service request message (for example an INVITE) to the SCF through the IMS Core, carrying the user identifier and the service or content identification information.
Step 1102: The SCF sends a service request message to the MF through the IMS Core.
Step 1103: The MF sends a service response message, such as a 200 OK message, to the SCF through the IMS Core.
Step 1104: The SCF obtains from the KMF the key corresponding to the service or content identifier.
Step 1105: The SCF sends a service response message to the UE through the IMS Core, carrying the key corresponding to the service or content identifier.
Note: The parameter carried in the service response message sent by the SCF here may also be, instead of the key, address information for obtaining the key, such as an IP address, a URL, or identification information such as a PSI in IMS. In that case step 1104 is not needed.
Step 1106: The UE decrypts the media stream with the obtained key and views it.
The key delivered here is similar to the key of Embodiment 1: depending on whether a two-layer or a three-layer key model is chosen, it may be the KEK or the TEK.
Embodiment 7
This embodiment can be applied to the LTV or CoD service: the SCF obtains the key from the KMF and returns it to the UE through the IMS session procedure. With the system shown in FIG. 4, when this embodiment is applied the K1 interface is mandatory. The specific steps are:
Step 1201: The UE sends a key request message, such as an INVITE message, to the SCF through the IMS Core; the message carries the user identifier and the service or content identifier.
Step 1202: The SCF obtains the key corresponding to that service or content identifier from the KMF.
Step 1203: The SCF sends a service response message to the UE through the IMS Core, carrying the key corresponding to the service or content identifier.
Note: The parameter carried in the service response message sent by the SCF here may also be not the key itself but address information for obtaining the key, for example an IP address, a URL, or identification information such as a PSI in the IMS. In that case step 1202 may be omitted.
Step 1204: The UE receives the encrypted media stream, recovers the media stream with the key, and plays it. The key request message and key response message in this embodiment may use SIP request messages, for example an Invite message and a 200 response message.
In this embodiment the key is delivered directly in the service response message. Alternatively, the key need not be carried in the service response message but may be carried in a separate message; for example, the KMF or the SCF sends it to the UE in a separate UDP message.
For a multicast service (for example the LTV service), the key of this embodiment can be used as follows. The key model is the three-layer key model: the key requested in step 1202 is the KEK, and the KEK is encrypted with the SUK. At the media layer, the TEK encrypted with the KEK can be delivered to the UE by multicast through the KMF or the MF. The UE first decrypts the KEK with the SUK, then decrypts the TEK with the KEK, and finally decrypts the encrypted media stream with the TEK.
For a unicast service (for example the CoD service), the key of this embodiment can be used in a way similar to the multicast three-layer key delivery above, the difference being that the key delivered at the media plane is sent by unicast rather than by multicast. Alternatively, the two-layer key model may be used: the key requested in step 1202 is the TEK, the TEK is encrypted with the SUK, and no further key needs to be delivered to the UE at the media layer; the UE first decrypts the TEK with the SUK and then decrypts the media stream with the TEK.
Where GBA is used to establish the SUK, the request message here may also carry the GBA temporary user identifier B-TID. The SCF forwards the B-TID to the KMF so that the KMF can obtain the corresponding SUK from the B-TID and use the SUK to protect the key to be delivered. Specifically, the B-TID may be carried in the corresponding XML element of the SIP request message.
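The two key models and the B-TID lookup described above, as an added example that is not part of the patent: the KMF wraps the KEK (three-layer, multicast LTV) or the TEK (two-layer, unicast CoD) under the SUK it finds via the forwarded B-TID, the MF wraps the TEK under the KEK, and the UE unwraps layer by layer. The patent names no cipher, so the wrapping here is a constructed HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag (standard library only), and all keys, identifiers and the B-TID are sample values.

```python
"""Added example, not from the patent: SUK -> KEK -> TEK (LTV) and SUK -> TEK
(CoD) key delivery with the SUK selected by the GBA B-TID.  Wrapping uses a
constructed HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag
as a stand-in for the unspecified cipher; a deployment would use a standard
AEAD.  Every key, identifier and B-TID below is sample data."""
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 12
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256(key, nonce || counter) in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unprotect(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; any modification raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KMF:
    """Key management function: SUKs indexed by B-TID plus per-service keys."""

    def __init__(self) -> None:
        self.suk_by_btid = {}     # B-TID -> SUK established through GBA
        self.kek_by_service = {}  # LTV service id -> KEK (three-layer model)
        self.tek_by_content = {}  # CoD content id -> TEK (two-layer model)

    def register_gba(self, btid: str, suk: bytes) -> None:
        """Record the SUK that an (assumed) GBA run established for this B-TID."""
        self.suk_by_btid[btid] = suk

    def key_for_request(self, btid: str, ident: str) -> bytes:
        """Step 1202: KEK (LTV) or TEK (CoD) wrapped under the SUK found by B-TID."""
        suk = self.suk_by_btid[btid]  # KeyError for an unknown B-TID
        if ident in self.kek_by_service:
            return protect(suk, self.kek_by_service[ident])
        return protect(suk, self.tek_by_content[ident])


def mf_multicast_tek(kek: bytes, tek: bytes) -> bytes:
    """Media layer of the three-layer model: TEK encrypted under the KEK."""
    return protect(kek, tek)


def ue_decrypt_three_layer(suk: bytes, wrapped_kek: bytes,
                           wrapped_tek: bytes, media: bytes) -> bytes:
    """UE side for LTV: SUK unwraps KEK, KEK unwraps TEK, TEK decrypts media."""
    kek = unprotect(suk, wrapped_kek)
    tek = unprotect(kek, wrapped_tek)
    return unprotect(tek, media)


def ue_decrypt_two_layer(suk: bytes, wrapped_tek: bytes, media: bytes) -> bytes:
    """UE side for CoD: SUK unwraps TEK, TEK decrypts the unicast media."""
    tek = unprotect(suk, wrapped_tek)
    return unprotect(tek, media)


def demo() -> dict:
    """Run both models end to end on constructed keys and media frames."""
    kmf = KMF()
    btid = "sample-btid@bsf.example"  # constructed B-TID
    suk = os.urandom(32)
    kmf.register_gba(btid, suk)
    kek, tek_ltv, tek_cod = (os.urandom(32) for _ in range(3))
    kmf.kek_by_service["ltv:channel-7"] = kek
    kmf.tek_by_content["cod:movie-42"] = tek_cod
    ltv = ue_decrypt_three_layer(
        suk, kmf.key_for_request(btid, "ltv:channel-7"),
        mf_multicast_tek(kek, tek_ltv), protect(tek_ltv, b"LTV frame"))
    cod = ue_decrypt_two_layer(
        suk, kmf.key_for_request(btid, "cod:movie-42"),
        protect(tek_cod, b"CoD frame"))
    return {"ltv": ltv, "cod": cod}
```

A modified multicast TEK blob or a wrong SUK fails the tag check before any key is used, so the UE never decrypts media under an unverified key.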
In FIG. 12, the key update procedure is basically similar to the basic service setup procedure and is divided into a key update initiated by the UE and a key update initiated by the network side. The key update may use the SIP INVITE message, the Update message, the Publish message, or the Notify message, together with the corresponding response messages, to carry the key update request information and the key.
In FIG. 12, the service request may also be initiated by an entity on the network side; the procedure is similar to that of this embodiment, except that the network side carries the key to the UE in the message that initiates the request.
For the channel switching procedure: if all services in an entire service package (multicast service group) share one set of keys, or if the set of distinct keys corresponding to all services in the service package was delivered initially, then the UE does not need to send a new key request message when switching between channels within the same service package. If only the key corresponding to a single service, or to a single service within the package, was delivered initially, the UE needs to obtain the key from the network side when switching channels. Likewise, when the UE switches to a service or channel in another service package, it also needs to obtain the key from the network side.
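The channel-switch rule above, as an added example that is not part of the patent: a UE-side key cache that issues a key request only when the target channel's key is not already held, either through a package-wide shared key or through an initial delivery of all the package's keys. Package and channel names and the stand-in network request are constructed.

```python
"""Added example, not from the patent: UE key cache applying the channel-switch
rule.  No request is needed inside a package that shares one key set or whose
per-service keys were all delivered initially; any other switch, including one
into another package, triggers a key request (steps 1201-1203).  Package and
channel names are constructed sample data."""
from typing import Dict, List, Tuple


class UEKeyCache:
    """Keys the UE holds, grouped by service package (multicast service group)."""

    def __init__(self) -> None:
        self.shared: Dict[str, bytes] = {}                  # package -> shared key
        self.per_channel: Dict[Tuple[str, str], bytes] = {}  # (package, ch) -> key
        self.requests: List[Tuple[str, str]] = []           # key requests issued

    def deliver_shared(self, package: str, key: bytes) -> None:
        """Initial delivery: one key set covering every service in the package."""
        self.shared[package] = key

    def deliver_channels(self, package: str, keys: Dict[str, bytes]) -> None:
        """Initial delivery: a distinct key for each listed service/channel."""
        for channel, key in keys.items():
            self.per_channel[(package, channel)] = key

    def key_for_switch(self, package: str, channel: str) -> bytes:
        """Return the key to use after switching to `channel` in `package`,
        requesting it from the network side only when it is not held."""
        if package in self.shared:
            return self.shared[package]
        key = self.per_channel.get((package, channel))
        if key is None:
            key = self._request_from_network(package, channel)
            self.per_channel[(package, channel)] = key
        return key

    def _request_from_network(self, package: str, channel: str) -> bytes:
        """Stand-in for the key request to the SCF/KMF: records the request and
        returns a constructed key (a real UE would receive a wrapped KEK/TEK)."""
        self.requests.append((package, channel))
        return f"key:{package}:{channel}".encode()


def requests_for_sequence(initial_shared: Dict[str, bytes],
                          initial_channels: Dict[str, Dict[str, bytes]],
                          switches: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Replay initial deliveries and a channel-switch sequence; return the
    key requests the UE had to issue."""
    cache = UEKeyCache()
    for package, key in initial_shared.items():
        cache.deliver_shared(package, key)
    for package, keys in initial_channels.items():
        cache.deliver_channels(package, keys)
    for package, channel in switches:
        cache.key_for_switch(package, channel)
    return cache.requests
```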
Embodiment 8
This embodiment can be applied to the LTV and CoD services: the UE subscribes to the key from the SCF using the Subscribe method of the SIP (RFC 3261) protocol, and the subscription is for the key of the current service. With the system shown in FIG. 4, when this embodiment is applied the K1 interface is mandatory.
FIG. 13 is a flowchart of Embodiment 8 for implementing media content security according to an embodiment of the present invention. The specific steps are:
Step 1301: The UE sends a Subscribe message to the SCF through the IMS Core; the subscribed event is the key of the current IPTV service, and the message carries the user identifier and the service or content identifier.
Step 1302: The SCF returns a 200 OK message to the UE through the IMS Core, indicating that the subscription succeeded.
Step 1303: The UE performs the IPTV service setup or switching procedure.
In this step, there is no required ordering between the service setup or switching procedure and the key subscription and delivery; the key subscription and delivery may take place before, during, or after the service setup or switching procedure.
Step 1304: The SCF obtains the UE's current service information.
In this step, the SCF may obtain the UE's current service in several ways: for example, the SCF subscribes to the UE's current LTV channel information or CoD content information from the UE using the Subscribe/Notify method; or the SCF learns the UE's current service information during the session setup or switching procedure; or the SCF subscribes to the UE's current service information from the Presence Server.
Step 1305: The SCF obtains from the KMF the key corresponding to the UE's current service or content identifier.
Step 1306: The SCF sends a Notify message to the UE through the IMS Core, carrying the key corresponding to the UE's current service or content.
Step 1307: The UE returns a 200 OK message to the SCF through the IMS Core.
Step 1308: The UE decrypts the media stream with the received key and plays it.
When the key is updated, the SCF delivers the updated key information to the UE through Notify, and the UE simply replies with a 200 OK message.
The key delivered here is similar to the key in Embodiment 1: depending on whether the two-layer or the three-layer key model is selected, it may be the KEK or the TEK.
Where GBA is used to establish the SUK, the Subscribe request message here may also carry the GBA temporary user identifier B-TID; the SCF forwards the B-TID to the KMF so that the KMF can obtain the corresponding SUK from the B-TID and use the SUK to protect the key to be delivered. Specifically, the B-TID may be carried in the corresponding XML element of the request message.
Embodiment 9
This embodiment can be applied to the LTV and CoD services; in this embodiment the UE subscribes to the key from the SCF using the Subscribe method, and the subscription is for the key corresponding to a specific service or content. With the system shown in FIG. 4, when this embodiment is applied the K1 interface is mandatory. The specific steps are:
Step 1401: The UE performs the IPTV service session setup procedure or the channel switching procedure. In this step there is no required ordering between the session setup or channel switching procedure and the key subscription procedure; the key subscription may also be performed first, before the session setup procedure.
Step 1402: The UE sends a Subscribe message to the SCF through the IMS Core, subscribing to the key event package corresponding to one or more service or content identifiers; the message carries the user identifier and the service or content identifiers.
Step 1403: The SCF returns a 200 OK message to the UE through the IMS Core, indicating that the subscription succeeded.
Step 1404: The SCF obtains from the KMF the key corresponding to the service identifier or content identifier requested by the UE.
Step 1405: The SCF sends a Notify message to the UE through the IMS Core, carrying the key corresponding to the UE's subscription.
Step 1406: The UE returns a 200 OK message to the SCF through the IMS Core.
Step 1407: The UE uses the key obtained in step 1405 to decrypt the protected media stream and plays it.
When the key is updated, the SCF delivers the updated key information to the UE through Notify, and the UE simply replies with a 200 OK message. In this embodiment, the key subscription procedure for a channel in a new IPTV service package and the basic LTV service session change procedure (similar to the initial basic LTV service session procedure) may also be re-initiated; that procedure requires a channel switch, and at that point the subscription procedure must be performed again using the method described in FIG. 14.
The key delivered here is similar to the key in Embodiment 1: depending on whether the two-layer or the three-layer key model is selected, it may be the KEK or the TEK.
Where GBA is used to establish the SUK, the Subscribe request message here may also carry the GBA temporary user identifier B-TID; the SCF forwards the B-TID to the KMF so that the KMF can obtain the corresponding SUK from the B-TID and use the SUK to protect the key to be delivered. Specifically, the B-TID may be carried in the corresponding XML element of the request message.
Embodiment 10
This embodiment can be applied to the LTV and CoD services; in this method the UE subscribes to the key from the KMF using the Subscribe method, and the subscription is for the key of the current service. With the system shown in FIG. 4, when this embodiment is applied the K4 interface is mandatory. The specific steps are:
Step 1501: The UE sends a Subscribe message to the KMF through the IMS Core, subscribing to the key of the current IPTV service; the message carries the user identifier and the service or content identifier.
Step 1502: The KMF returns a 200 OK message to the UE through the IMS Core, indicating that the subscription succeeded.
Step 1503: The UE performs the IPTV service setup or switching procedure.
In this step, there is no required ordering between the service setup or switching procedure and the key subscription and delivery; the key subscription and delivery may take place before, during, or after the service setup or switching procedure.
Step 1504: The KMF obtains the UE's current service information.
In this step, the KMF may obtain the UE's current service in several ways: for example, the KMF subscribes to the UE's current LTV channel information or CoD content information from the UE using the Subscribe/Notify method; or the KMF learns the UE's current service information during the session setup or switching procedure; or the KMF subscribes to the UE's current service information from the Presence Server.
Step 1505: The KMF sends a Notify message to the UE through the IMS Core, carrying the key corresponding to the UE's current service identifier or content identifier.
Step 1506: The UE returns a 200 OK message to the KMF through the IMS Core.
Step 1507: The UE decrypts the media stream with the received key and plays it.
When the key is updated, the KMF delivers the updated key information to the UE through Notify, and the UE simply replies with a 200 OK message.
The UE may also subscribe to the key from the MF using the Subscribe method, the subscription being for the key of the current service; with the system shown in FIG. 4, the K5 interface is then mandatory, that is, the UE subscribes to the MF and the MF obtains the key from the KMF through the K5 interface.
The key delivered here is similar to the key in Embodiment 1: depending on whether the two-layer or the three-layer key model is selected, it may be the KEK or the TEK.
Where GBA is used to establish the SUK, the Subscribe request message here may also carry the GBA temporary user identifier B-TID so that the KMF can obtain the corresponding SUK from the B-TID and use the SUK to protect the key to be delivered. Specifically, the B-TID may be carried in the corresponding XML element of the request message.
Embodiment 11
This embodiment can be applied to the LTV and CoD services; in this method the UE subscribes to the key from the KMF using the Subscribe method, and the subscription is for the key corresponding to a specific service or content. With the system shown in FIG. 4, when this embodiment is applied the architecture has the K4 interface as a mandatory interface.
FIG. 16 is a flowchart of Embodiment 11 for implementing media content security according to an embodiment of the present invention. The specific steps are:
Step 1601: The UE performs the IPTV service session setup procedure or the channel switching procedure.
In this step there is no required ordering between the session setup or channel switching procedure and the key subscription procedure; the key subscription may also be performed first, before the session setup procedure.
Step 1602: The UE sends a Subscribe message to the KMF through the IMS Core, subscribing to the key corresponding to one or more service identifiers or content identifiers; the message carries the user identifier and the service identifiers or content identifiers.
Step 1603: The KMF returns a 200 OK message to the UE through the IMS Core, indicating that the subscription succeeded.
Step 1604: The SCF sends a Notify message to the UE through the IMS Core, carrying the key requested by the UE.
Step 1605: The UE returns a 200 OK message to the SCF through the IMS Core.
Step 1606: The UE uses the key obtained in step 4 to decrypt the protected media stream and plays it.
When the key is updated, the KMF delivers the updated key information to the UE through Notify, and the UE simply replies with a 200 OK message.
In this embodiment, the key subscription procedure for a channel in a new IPTV service package and the basic LTV service session change procedure (similar to the initial basic LTV service session procedure) may also be re-initiated; that procedure requires a channel switch, and at that point the subscription procedure must be performed again using the method described in FIG. 16.
The UE may also subscribe to the key from the MF using the Subscribe method, the subscription being for the key of a specific service; with the system shown in FIG. 4, the K5 interface is then mandatory, that is, the UE subscribes to the MF and the MF obtains the key from the KMF through the K5 interface.
The key delivered here is similar to the key in Embodiment 1: depending on whether the two-layer or the three-layer key model is selected, it may be the KEK or the TEK.
Where GBA is used to establish the SUK, the Subscribe request message here may also carry the GBA temporary user identifier B-TID so that the KMF can obtain the corresponding SUK from the B-TID and use the SUK to protect the key to be delivered. Specifically, the B-TID may be carried in the corresponding XML element of the request message.
FIG. 17 is a schematic diagram of a second system for ensuring the security of IPTV media content in an IMS system according to an embodiment of the present invention. A KMF function module is introduced into the existing system that implements IPTV services over an IMS network, and the KMF is integrated into the SCF for service protection; that is, the SCF has the KMF's key management function.
In this case, the SCF with the KMF key management function can provide the key and/or related parameters to the functional entities that need them. The SCF can also generate keys and/or related parameters or obtain them from other functional entities, and it can update the keys and/or related parameters.
Here, the functional entities that need them may be the UE, the MF, and so on; the related parameters include one or more of the key identifier corresponding to the key, the security algorithm, the key validity period, and similar parameters.
Since the KMF is integrated into the SCF, the K1 interface between the SCF and the KMF described in FIG. 4 no longer exists or becomes an internal interface; the S1 interface between the SCF and the UE additionally has the function of transmitting the key to the UE, and the S2 interface between the SCF and the MF additionally has the function of transmitting the key to the MF.
In FIG. 17, not all of these interfaces are mandatory in an actual system architecture; depending on the scheme adopted for distributing the key and/or the related parameters corresponding to the key, the interfaces selected by the actual architecture differ. If the key is transmitted directly between the SCF and the UE, the S1 interface exists and the other interfaces may or may not exist; if it is transmitted between the SCF and the MF, the S2 interface must exist and the other interfaces may or may not exist.
In the second system shown in FIG. 17, the specific service protection procedure is similar to the service protection procedure of FIG. 4 above in which the KMF is an independent functional entity (Embodiments 1 to 11), except that the KMF is an internal function module of the SCF: the step in which the SCF obtains the key from the KMF is not needed, and the interactions of the other functional entities with the KMF become interactions with the SCF. An example follows.
Embodiment 12
FIG. 18 is a flowchart of Embodiment 12 for implementing media content security according to an embodiment of the present invention. Compared with the flowchart of Embodiment 3, it can be seen that the SCF no longer needs to obtain the key from the KMF; since the SCF has the KMF's key management function, it sends the key directly to the UE, which saves steps. When this embodiment is applied, the S1 interface in the architecture is mandatory.
In this embodiment, the UE may generate a shared user key with the SCF in advance, for example using the GBA method, and the shared key is then used to protect the key information that the SCF delivers to the UE. The shared-key generation procedure may be performed before or after the UE's key request is received.
Step 1801: The UE performs the session procedure for service setup or service switching (channel switching in LTV).
In this step, there is no required ordering between the session procedure and the key request procedure.
Step 1802: The SCF may send a key acquisition indication to the UE, instructing the UE to initiate a key acquisition request; this step is optional.
Step 1803: The UE sends a key request message to the SCF through the S1 interface, carrying the user identifier and the service/content identifier or the key identifier.
Step 1804: The SCF sends a response message to the UE, carrying the key.
Step 1805: The UE obtains the protected media stream, decrypts it with the obtained key, and plays it. Where the KMF is integrated into the SCF, each of the embodiments above in which the KMF is an independent functional entity can be handled in the same way as this embodiment.
FIG. 19 is a schematic diagram of a third system for implementing IPTV media content security in an IMS system according to an embodiment of the present invention. As shown in the figure, a KMF function module is introduced into the existing system that implements IPTV services over an IMS network and is integrated into the MF for service protection; that is, the MF has the KMF's key management function.
In this case, the MF with the KMF key management function can provide the key and/or related parameters to the functional entities that need them. The MF can also generate keys and/or related parameters or obtain them from other functional entities, and it can update the keys and/or related parameters.
Here, the functional entities that need them may be the UE, the SCF, and so on; the related parameters include one or more of the key identifier corresponding to the key, the security algorithm, the key validity period, and similar parameters.
Since the KMF is integrated into the MF, the K5 interface between the MF and the KMF described in FIG. 4 no longer exists or becomes an internal interface; in addition to its existing functions, the L1 interface between the MF and the SCF has the function of transmitting the key and the related parameters corresponding to the key to the UE; in addition to its existing functions, the L2 interface between the IMS Core and the MF has the function of transmitting the key and its related parameters to the MF; and the L3 interface between the SCF and the UE transmits the key and its related parameters.
In FIG. 19, not all of these interfaces are mandatory; depending on the path over which the key and/or the related parameters corresponding to the key are transmitted, the selected interfaces differ. If transmission is over the L1 interface between the MF and the SCF, the L1 interface between the MF and the SCF exists and the other interfaces may or may not exist; if transmission is over the L2 interface between the IMS Core and the MF, the L2 interface between the IMS Core and the MF must exist and the other interfaces may or may not exist.
In the third system shown in FIG. 19, the specific service protection procedure is similar to the service protection procedure of FIG. 4 above in which the KMF is an independent functional entity (Embodiments 1 to 11), except that the KMF is an internal function module of the MF: the step in which the MF obtains the key from the KMF is not needed, and the interactions of the other functional entities with the KMF become interactions with the MF. An example follows.
Embodiment 13
FIG. 20 is a flowchart of Embodiment 13 for implementing media content security according to an embodiment of the present invention. As shown in the figure, compared with the flowchart of Embodiment 5, the MF does not need to obtain the key from the KMF; since the MF has the KMF key management function, it simply sends the key to the UE through the IMS Core and the SCF. This embodiment can be applied in CoD service protection, with the MF returning the key to the UE through the IMS Core. With the system shown in FIG. 19, when this embodiment is applied, L2 is a mandatory interface. The specific steps are:
Step 2001: The UE sends a service request message, such as an INVITE message, to the SCF through the IMS Core, carrying the user identifier and the service or content identifier.
Step 2002: The SCF sends a service request message to the MF through the IMS Core, carrying the user identifier and the service or content identifier.
Step 2003: The MF sends a service response message (such as a 200 OK message) to the SCF through the IMS Core, carrying the key corresponding to the service or content identifier.
Step 2004: The SCF forwards the service response message to the UE through the IMS Core.
Step 2005: The UE decrypts the media stream with the obtained key and plays it.
The key delivered here is similar to the key in Embodiment 1: depending on whether the two-layer or the three-layer key model is selected, it may be the KEK or the TEK.
Where the KMF is integrated into the MF, each of the embodiments above in which the KMF is an independent functional entity can be handled in the same way as this embodiment.
对于以上所有的 UE获取密钥的实施例来说, 如果网络侧提前获取了用户 需要的对应的密钥信息, 例如网络侧得知用户切换到一个新的加密的频道, 则网络侧可以在 UE没有主动发起请求的时候向 UE主动发送该业务或者内容 对应的密钥, 也就是说, UE发送密钥请求消息不是一定需要的。 具体的过程 和使用的参数和 UE主动请求的实施例类似。  For the embodiment in which all the UEs obtain the key, if the network side obtains the corresponding key information required by the user in advance, for example, the network side knows that the user switches to a new encrypted channel, the network side may be in the UE. When the request is not initiated, the UE or the key corresponding to the content is actively sent to the UE. That is, the UE does not need to send the key request message. The specific process and parameters used are similar to the embodiments that the UE actively requests.
An embodiment of the invention also provides a KMF whose structure is shown in FIG. 21. It comprises a key distribution unit 2101 and a key information service unit 2102, where:
the key distribution unit 2101 sends keys and/or key-related parameters to the UE or to other functional entities; and
the key information service unit 2102 supplies keys and/or key-related parameters to the key distribution unit 2101; these may be generated by the unit itself or obtained from elsewhere.
An embodiment of the invention also provides a system for transferring keys between the MF and the KMF, shown in FIG. 22. In the figure the KMF sends the key to the MF either directly over M1, or over M2 through the SCF and the Core IMS. The MF in this figure performs the encryption for service protection; for LTV, where the TEK is delivered by multicast, the MF also multicasts the TEK to the UE.
Interface M1 carries keys directly; interface M2 carries keys via the SCF. M1 and M2 need not both exist; which one is used depends on the scheme.
Architecture 1: M1 is mandatory and M2 optional. Architecture 2: M2 is mandatory and M1 optional.
Schemes based on Architecture 1:
Scheme 1: The TEK is used directly between the UE and the MF to protect the media content. Applicable to LTV and CoD services. The KMF generates the TEK and it reaches the MF either by the KMF pushing it or by the MF requesting it from the KMF. The MF encrypts the media content with the TEK.
Scheme 2: As in Scheme 1, the TEK is used directly between the UE and the MF to protect the media content, for LTV and CoD services. Here the MF generates the TEK and encrypts the media content with it; the TEK reaches the KMF either by the MF pushing it or by the KMF requesting it from the MF.
Scheme 3: When the MF multicasts to the UE the key TEK that directly protects the media, the TEK itself must be protected by a key, here called the KEK. Applicable to LTV and CoD services. The KMF generates the KEK and the MF generates the TEK; the KEK reaches the MF either by the KMF pushing it or by the MF requesting it from the KMF. The MF encrypts the TEK with the KEK and multicasts the result to the UE.
Scheme 4: As in Scheme 3, the multicast TEK must be protected by a KEK, for LTV and CoD services. Here the KMF generates both the KEK and the TEK, and either pushes both to the MF or the MF requests both from the KMF.
Architecture 2 transfers keys over the M2 interface. The procedure is the same as for Architecture 1, except that the key travels between the KMF and the MF along the path KMF - M2 - SCF - Core IMS - MF.
In addition, the IPTV media security system of the embodiments above may further include a content encryption entity, used to encrypt the media content.
In one arrangement, the content encryption entity CEF generates the media protection key TEK and sends the TEK to the key management function entity KMF; the key management function entity KMF encrypts the media protection key with a key encryption key KEK and sends the encrypted media protection key back to the content encryption entity.
Alternatively, the content encryption entity generates the media protection key, sends a key request message to the key management function entity requesting a key encryption key KEK, and encrypts the media protection key with that key encryption key; the key management function entity provides the key encryption key to the content encryption entity.
Alternatively, the content encryption entity sends a key request message to the key management function entity; the key management function entity generates the key encryption key and the media protection key, encrypts the media protection key with the key encryption key in response to the key request message, and sends both the encrypted and the unencrypted media protection key to the content encryption entity.
Alternatively, the content encryption entity sends a key request message to the key management function entity and encrypts the media protection key with the key encryption key; the key management function entity generates the key encryption key and the media protection key and sends both to the content encryption entity.
The operation of each of these systems is described below with reference to FIG. 23 to FIG. 27.
As shown in FIG. 23, the KMF and the CEF use a direct interface N1 to exchange one or more of: the SEK, the TEK, and the TEK encrypted with the SEK. (In Embodiments 14 to 17 the key that encrypts the TEK is called the SEK; it plays the role of the key encryption key KEK of the system description above.)
Embodiment 14
The CEF generates the TEK. As shown in FIG. 24, the procedure includes the following steps:
Step 2401: The CEF generates the media protection key TEK.
Step 2402: The CEF sends a key request message to the KMF carrying the content identifier and/or service identifier together with the media protection key TEK.
Step 2403: After receiving the key request message, the KMF encrypts the TEK with the corresponding key encryption key SEK.
This step is optional if the CEF only reports the generated TEK to the KMF and does not need the SEK-encrypted TEK.
Step 2404: The KMF sends a response message to the CEF carrying the SEK-encrypted TEK.
If step 2403 was skipped, the KMF does not include the SEK-encrypted TEK in this step. Subsequently, the content encryption entity CEF either sends the encrypted TEK to the user equipment itself or hands it to the media function entity, which sends it to the user equipment.
If the CEF only reports the generated TEK to the KMF, the KMF is then responsible for sending that TEK to the user terminal.
Embodiment 15
The CEF generates the TEK and obtains the SEK from the KMF. As shown in FIG. 25, the procedure includes the following steps:
Step 2501: The CEF sends a key request message to the KMF requesting the SEK, carrying the content identifier and/or service identifier;
Step 2502: After receiving the key request message, the KMF sends the corresponding SEK to the CEF;
Step 2503: The CEF encrypts the TEK with the returned SEK.
Subsequently, the content encryption entity CEF either sends the encrypted TEK to the user equipment itself or hands it to the media function entity, which sends it to the user equipment.
Embodiment 16
The KMF generates both the TEK and the SEK. As shown in FIG. 26, the procedure includes the following steps:
Step 2601: The CEF sends a key request message to the KMF carrying the content identifier and/or service identifier.
Step 2602: After receiving the key request message, the KMF encrypts the TEK that corresponds to the content identifier and/or service identifier with the corresponding SEK.
Step 2603: The KMF sends the SEK-encrypted TEK and the unencrypted TEK to the CEF.
Subsequently, the content encryption entity CEF encrypts the media with the TEK and either sends the encrypted TEK to the user equipment itself or hands it to the media function entity, which sends it to the user equipment.
Embodiment 17
The CEF obtains both the SEK and the TEK from the KMF. As shown in FIG. 27, the procedure includes the following steps:
Step 2701: The CEF sends a key request message to the KMF carrying the content identifier and/or service identifier;
Step 2702: After receiving the key request message, the KMF sends the corresponding SEK and TEK to the CEF;
Step 2703: The CEF encrypts the TEK with the returned SEK.
Subsequently, the content encryption entity CEF encrypts the media with the TEK and either sends the encrypted TEK to the user equipment itself or hands it to the media function entity, which sends it to the user equipment.
Specifically, the CEF may be a separate functional entity, or it may be combined with the KMF or with the MF into a single functional entity. When combined, the CEF is a functional module and its interaction with the host entity becomes internal processing. In FIG. 28, the CEF and MF entities use the N2 interface to transfer the SEK-encrypted TEK and similar information.
The content encryption entity of the embodiments of the invention may have any of the structures shown in FIG. 29 to FIG. 32.
As shown in FIG. 29, the content encryption entity comprises: a key generation unit 2901 for generating the media protection key; and a key transceiver unit 2902 for sending the media protection key to the key management function entity. The key transceiver unit 2902 is further configured to receive the encrypted media protection key sent by the key management function entity.
As shown in FIG. 30, the content encryption entity comprises: a key generation unit 3001 for generating the media protection key; a message sending unit 3002 for sending a key request message to the key management function entity requesting a key encryption key; a key transceiver unit 3003 for receiving the key encryption key sent by the key management function entity; and an encryption operation unit 3004 for encrypting the media protection key with the key encryption key.
As shown in FIG. 31, the content encryption entity comprises: a message sending unit 3101 for sending a key request message to the key management function entity; and a key transceiver unit 3102 for receiving the encrypted media protection key and the unencrypted media protection key sent by the key management function entity.
As shown in FIG. 32, the content encryption entity comprises: a message sending unit 3201 for sending a key request message to the key management function entity; a key transceiver unit 3202 for receiving the key encryption key and the media protection key sent by the key management function entity; and an encryption operation unit 3203 for encrypting the media protection key with the key encryption key.
In all of the embodiments above, if the system uses the two-layer key model, that is, a user key SUK and a media encryption key TEK, the KMF obtains the TEK through the CEF-KMF interaction described above, and the encrypted media is deployed on the MF; specifically, the CEF encrypts the media and sends the encrypted media to the MF. The UE obtains the TEK through the embodiments above in which it receives the SUK-encrypted TEK from the KMF, and then uses the TEK to decrypt the encrypted media sent by the MF.
If the system uses the three-layer key model, that is, a user key SUK, a media encryption key TEK and a key encryption key KEK, the steps may be as follows. The CEF encrypts the media with the TEK and sends the encrypted media to the MF. The KEK-encrypted TEK may reach the UE in either of two ways: the CEF encrypts the TEK with the KEK and sends it to the MF, which sends it to the UE over the multicast media channel; or the CEF reports the TEK to the KMF, the KMF encrypts the TEK with the KEK, and the KMF sends the KEK-encrypted TEK to the UE over the multicast media channel. The UE obtains the SUK-encrypted KEK through the embodiments above in which it obtains a key from the KMF, receives the KEK-encrypted TEK and the TEK-encrypted media over the multicast channel, decrypts the TEK with the KEK, and then decrypts the encrypted media with the TEK. Where the CEF is an internal module of the KMF or the MF, these interactions become internal processing.
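The three-layer key model just described (SUK wraps the KEK, KEK wraps the TEK on the multicast channel, TEK encrypts the media) together with the CEF side of Embodiment 15 (CEF generates the TEK, fetches the SEK from the KMF and wraps the TEK under it), as an added worked example in Go. This is not code from the patent or from Huawei. It assumes AES-256-GCM at every layer and derives the SUK and the KEK from a KMF master secret with HMAC-SHA256; the patent specifies neither the cipher nor how keys are generated, and in a deployment the UE's SUK would come from GBA rather than from a shared master secret. The master secret, user and service identifiers, entitlement table and media payload are all constructed. Two details are added that a practitioner would expect: the service identifier is bound to every wrapped key as associated data, so a wrapped key cannot be replayed under another channel, and the KMF checks entitlement before releasing a KEK, the check claim 4 requires.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// aead builds AES-256-GCM; every key in this example is 32 bytes, so failure is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal prefixes a random nonce and binds the service identifier as associated data.
func seal(key, plaintext, serviceID []byte) ([]byte, error) {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, serviceID), nil
}

// open reverses seal; GCM authentication fails on a wrong key or identifier.
func open(key, blob, serviceID []byte) ([]byte, error) {
	gcm := aead(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], serviceID)
}

// KMF derives the per-subscriber SUK and per-service KEK (the SEK of the CEF interface)
// from a master secret; that derivation is an assumption of this example, not the patent's.
type KMF struct{ master []byte }
func (k *KMF) derive(label, id string) []byte {
	m := hmac.New(sha256.New, k.master)
	m.Write([]byte(label + ":" + id))
	return m.Sum(nil) // 32 bytes, used as an AES-256 key
}
func (k *KMF) SUK(userID string) []byte    { return k.derive("SUK", userID) }
func (k *KMF) KEK(serviceID string) []byte { return k.derive("KEK", serviceID) }

// DeliverKEK (KMF to UE): entitlement is checked first (claim 4), then the KEK is
// returned wrapped under the subscriber's SUK.
func (k *KMF) DeliverKEK(userID, serviceID string, entitled map[string]bool) ([]byte, error) {
	if !entitled[userID+"|"+serviceID] {
		return nil, errors.New("subscriber not authorized for this service")
	}
	return seal(k.SUK(userID), k.KEK(serviceID), []byte(serviceID))
}

// CEFProtect (Embodiment 15): fresh TEK; SEK fetched from the KMF (steps 2501-2502);
// TEK wrapped under the SEK (step 2503); media under the TEK. The MF multicasts both.
func CEFProtect(kmf *KMF, serviceID string, media []byte) (wrappedTEK, encMedia []byte, err error) {
	tek := make([]byte, 32)
	if _, err = rand.Read(tek); err == nil {
		wrappedTEK, err = seal(kmf.KEK(serviceID), tek, []byte(serviceID))
	}
	if err == nil {
		encMedia, err = seal(tek, media, []byte(serviceID))
	}
	return wrappedTEK, encMedia, err
}

// UEDecrypt is the three-layer UE side; a failure at any layer releases nothing.
func UEDecrypt(suk, wrappedKEK, wrappedTEK, encMedia []byte, serviceID string) ([]byte, error) {
	sid := []byte(serviceID)
	kek, err := open(suk, wrappedKEK, sid) // layer 1: SUK unwraps the KEK
	if err != nil {
		return nil, err
	}
	tek, err := open(kek, wrappedTEK, sid) // layer 2: KEK unwraps the TEK
	if err != nil {
		return nil, err
	}
	return open(tek, encMedia, sid) // layer 3: TEK decrypts the media
}

// Scenario runs one channel end to end. refused reports that the KMF rejected an
// unentitled subscriber; wrongSUKFails that another subscriber's SUK could not unwrap
// the KEK even though the multicast frame is visible to everyone.
func Scenario() (plain string, refused, wrongSUKFails bool, err error) {
	kmf := &KMF{master: []byte("constructed demo master secret")}
	const svc = "channel-42"
	entitled := map[string]bool{"alice|" + svc: true} // constructed entitlement table
	wTEK, media, err1 := CEFProtect(kmf, svc, []byte("constructed media payload"))
	wKEK, err2 := kmf.DeliverKEK("alice", svc, entitled)
	out, err3 := UEDecrypt(kmf.SUK("alice"), wKEK, wTEK, media, svc)
	if err = errors.Join(err1, err2, err3); err != nil {
		return
	}
	_, e1 := kmf.DeliverKEK("bob", svc, entitled)              // not entitled
	_, e2 := UEDecrypt(kmf.SUK("bob"), wKEK, wTEK, media, svc) // wrong SUK
	return string(out), e1 != nil, e2 != nil, nil
}
```

Scenario returns the recovered media together with two flags showing the KMF refusing an unentitled subscriber and a second subscriber's SUK failing to unwrap the KEK. The two-layer model of the preceding paragraph is the same code with the KEK layer removed: the KMF wraps the TEK under the SUK directly and the UE performs one unwrap before decrypting the media.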
Those of ordinary skill in the art will understand that all or part of the procedures of the method embodiments above can be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may carry out the procedures of the method embodiments above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM) or a random access memory (RAM).
The above describes specific embodiments of the invention; in practice the method of the invention may be adapted as appropriate to the needs of a particular situation. It will therefore be understood that the specific embodiments are illustrative only and do not limit the scope of protection of the invention.

Claims

1. A system for implementing IPTV media security, comprising an IMS core network IMS Core, characterized in that the system further comprises a user equipment UE, a service control function entity SCF, a media function entity MF and a key management function entity KMF, where:
the key management function entity is configured to provide a key to the user equipment;
the service control function entity is configured to provide service control for the IPTV service;
the media function entity is configured to send encrypted media to the user equipment; and
the user equipment is configured to receive the encrypted media sent by the media function entity and to obtain the unencrypted media using the received key.
2. The system for implementing IPTV media security according to claim 1, characterized in that the key management function entity provides the key to the user equipment over the K2 interface between the key management function entity and the user equipment.
3. The system for implementing IPTV media security according to claim 1, characterized in that the user equipment sends a key request message to the key management function entity, the key request message including a service identifier, a content identifier or a key identifier;
and the key management function entity, after receiving the key request message, sends the key corresponding to the service identifier, content identifier or key identifier to the user equipment over the K2 interface between the key management function entity and the user equipment.
4. The system for implementing IPTV media security according to claim 2 or 3, characterized in that, before sending the key to the user equipment, the key management function entity obtains the service authorization information of the user equipment from the service control function entity or the user data function and determines that the user equipment is entitled to obtain the key.
5. The system for implementing IPTV media security according to claim 1, characterized in that the service control function entity obtains the key over the K1 interface between the service control function entity and the key management function entity;
and the service control function entity sends the key over the K3 interface between the service control function entity and the user equipment.
6. The system for implementing IPTV media security according to claim 1, characterized in that the user equipment sends a key request message to the service control function entity, the key request message including a service identifier or a content identifier;
the service control function entity obtains the key corresponding to the service identifier or content identifier from the key management function entity over the K1 interface between the service control function entity and the key management function entity;
and, after receiving the key, the service control function entity sends the key to the user equipment over the K3 interface between the service control function entity and the user equipment.
7. The system for implementing IPTV media security according to claim 1, characterized in that the service control function entity obtains the key from the key management function entity over the K1 interface between the service control function entity and the key management function entity;
and the service control function entity sends the key to the user equipment through the IMS Core.
8. The system for implementing IPTV media security according to claim 1, characterized in that the user equipment sends a request message to the service control function entity through the IMS Core, the request message including a service identifier or a content identifier;
the service control function entity obtains the key corresponding to the service identifier or content identifier from the key management function entity over the K1 interface between the service control function entity and the key management function entity;
and the service control function entity sends the key to the user equipment through the IMS Core.
9. The system for implementing IPTV media security according to claim 8, characterized in that the request message includes GBA temporary user identifier information, and the service control function entity sends the GBA temporary user identifier information to the key management function entity;
and the key management function entity derives the user key from the GBA temporary user identifier information, encrypts the key requested by the request message with the user key, and then sends the encrypted requested key to the service control function entity.
10. The system for implementing IPTV media security according to claim 1, characterized in that the media function entity obtains the key from the key management function entity over the K5 interface between the media function entity and the key management function entity; or the media function entity obtains the key from the key management function entity over the Y2 interface between the media function entity and the IMS Core, the IMS Core, and the K4 interface between the IMS Core and the key management function entity;
and the media function entity sends the key to the user equipment through the IMS Core.
11. The system for implementing IPTV media security according to claim 1, characterized in that the user equipment sends a request message to the service control function entity through the IMS Core, the request message carrying a service or content identifier;
the service control function entity sends a request message to the media function entity through the IMS Core; the media function entity obtains the key corresponding to the service or content identifier from the key management function entity and sends a response message carrying the key to the service control function entity;
and the service control function entity sends a response message carrying the key to the user equipment through the IMS Core.
12. The system for implementing IPTV media security according to claim 11, characterized in that the media function entity obtains the key from the key management function entity over the K5 interface between the media function entity and the key management function entity; or
the media function entity obtains the key from the key management function entity over the Y2 interface between the media function entity and the IMS Core and the K4 interface between the IMS Core and the key management function entity.
13. The system for implementing IPTV media security according to claim 1, characterized in that the user equipment subscribes, with the service control function entity SCF, to the key corresponding to the current service/content or to any service/content;
and the service control function entity SCF obtains the corresponding key from the key management function entity over the K1 interface between the service control function entity and the key management function entity, and then sends the key to the user equipment through the IMS Core.
14. The system for implementing IPTV media security according to claim 1, characterized in that the user equipment subscribes, with the key management function entity KMF, to the key corresponding to the current service/content or to any service/content; and the key management function entity KMF, after obtaining the key for the current service/content or any service/content, sends the key to the user equipment over the K4 interface between the key management function entity and the IMS Core.
15. The system for implementing IPTV media security according to any one of claims 1, 2, 3 and 5 to 14, characterized in that the key is a key encryption key KEK, the key encryption key KEK is used to encrypt a media protection key TEK, and the media protection key TEK is used to encrypt the media directly.
16. The system for implementing IPTV media security according to claim 15, characterized in that the media protection key TEK is sent to the user equipment by the key management function entity or by the media function entity.
17. The system for implementing IPTV media security according to any one of claims 11 to 14, characterized in that the key is a media protection key TEK, and the media protection key TEK is used to encrypt the media directly.
18. The system for implementing IPTV media security according to any one of claims 1, 2, 3 and 5 to 14, characterized in that the system further comprises:
a content encryption entity configured to encrypt the media content.
19. The system for implementing IPTV media security according to claim 18, characterized in that the content encryption entity is further configured to generate a media protection key TEK and to send the media protection key TEK to the key management function entity, and the key management function entity sends the media protection key TEK to the user equipment.
20. The system for implementing IPTV media security according to claim 18, characterized in that the content encryption entity is configured to receive the media protection key TEK sent by the key management function entity and to encrypt the media with the media protection key TEK;
and the key management function entity is configured to generate the media protection key TEK and to send the media protection key TEK to the content encryption entity.
21. The system for implementing IPTV media security according to claim 18, characterized in that the content encryption entity is configured to generate a media protection key TEK and to send the media protection key TEK to the key management function entity;
and the key management function entity is configured to encrypt the media protection key TEK with a key encryption key KEK and to send the encrypted media protection key TEK to the content encryption entity, so that the content encryption entity sends the encrypted TEK to the user equipment, or hands the encrypted TEK to the media function entity, which sends it to the user equipment.
22. The system for implementing IPTV media security according to claim 18, characterized in that the content encryption entity is configured to generate a media protection key TEK, to send a key request message to the key management function entity requesting a key encryption key KEK, and to encrypt the media protection key TEK with the key encryption key KEK, and the content encryption entity sends the encrypted TEK to the user equipment, or hands the encrypted TEK to the media function entity, which sends it to the user equipment;
and the key management function entity is configured to provide the key encryption key KEK to the content encryption entity.
23. The system for implementing IPTV media security according to claim 1, characterized in that the key management function entity is a logical function module within the service control function entity or within the media function entity.
24. A method for implementing IPTV media security, wherein the method comprises the following steps:
the user equipment UE obtains, from the key management function KMF, the key corresponding to the media service security;
the user equipment UE receives the encrypted media sent by the media function entity MF;
the user equipment UE uses the key to obtain the decrypted media.
25. The method for implementing IPTV media security according to claim 24, wherein the step of the user equipment UE obtaining, from the key management function KMF, the key corresponding to the media service security specifically comprises:
the key management function entity receives a key request message sent by the user equipment, the key request message carrying a service identifier, a content identifier or key identifier information;
the key management function entity sends the key corresponding to the service identifier, content identifier or key identifier information to the user equipment.
26. The method for implementing IPTV media security according to claim 24, wherein the step of the user equipment UE obtaining, from the key management function KMF, the key corresponding to the media service security specifically comprises:
the user equipment sends a request message to the service control function entity, the request message including a service identifier or content identifier information;
the service control function entity obtains the key through the K1 interface between it and the key management function entity, the corresponding key being retrieved by the key management function entity;
after receiving the key, the service control function entity sends the key to the user equipment through the K3 interface between it and the user equipment.
27. The method for implementing IPTV media security according to claim 24, wherein the step of the user equipment UE obtaining, from the key management function KMF, the key corresponding to the media service security specifically comprises:
the user equipment sends a request message to the service control function entity through the IMS Core;
the service control function entity retrieves the corresponding key from the key management function entity;
the service control function entity sends the key to the user equipment through the IMS Core.
28. The method for implementing IPTV media security according to claim 24, wherein the step of the user equipment UE obtaining, from the key management function KMF, the key corresponding to the media service security specifically comprises:
the user equipment sends a request message to the service control function entity through the IMS Core, the request message carrying a service identifier or content identifier information;
the service control function entity sends a request message to the media function entity through the IMS Core; the media function entity retrieves from the key management function entity the key corresponding to the service or content identifier information, and sends a response message carrying the key to the service control function entity;
the service control function entity sends a response message carrying the key to the user equipment through the IMS Core.
29. The method for implementing IPTV media security according to claim 24, wherein the step of the user equipment UE obtaining, from the key management function KMF, the key corresponding to the media service security specifically comprises:
the user equipment subscribes, with the service control function entity SCF, to the key corresponding to the current service/content or to any service/content;
the service control function entity SCF retrieves the corresponding key from the key management function entity through the K1 interface between them, and then sends the key to the user equipment through the IMS Core.
30. The method for implementing IPTV media security according to claim 24, wherein the step of the user equipment UE obtaining, from the key management function KMF, the key corresponding to the media service security specifically comprises:
the user equipment subscribes, with the key management function entity KMF, to the key corresponding to the current service/content or to any service/content;
after obtaining the key for the current service/content or any service/content, the key management function entity KMF sends the key to the user equipment through the K4 interface between it and the IMS Core.
31. A key management function entity, comprising a key distribution unit and a key information service function unit;
the key information service function unit is configured to provide keys related to media service security to the key distribution unit;
the key distribution unit is configured to send the keys related to media service security to the user equipment.
32. A content encryption entity, comprising:
a key generation unit, configured to generate a media protection key;
a key transceiving unit, configured to send the media protection key to a key management function entity.
33. The content encryption entity according to claim 32, wherein
the key transceiving unit further receives the encrypted media protection key sent by the key management function entity.
34. A content encryption entity, comprising:
a key generation unit, configured to generate a media protection key;
a message sending unit, configured to send a key request message to the key management function entity requesting a key encryption key KEK;
a key transceiving unit, configured to receive the key encryption key KEK sent by the key management function entity;
an encryption operation unit, configured to encrypt the media protection key with the key encryption key KEK.
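The following is an added example, not code from the patent or from Huawei: a Go simulation of the key flow in claims 21, 22, 24 and 25, in which the KMF (modelled as a constructed map from service identifier to KEK) wraps the TEK generated by the content encryption entity, and the UE unwraps it with the KEK it obtained by service identifier and then decrypts the media. AES-GCM, 16-byte keys and binding the service identifier as associated data are assumptions; the claims fix no cipher or message format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aead builds AES-GCM over a 16-byte key (an assumption: the claims fix no cipher).
func aead(key []byte) cipher.AEAD {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this example is exactly 16 bytes
	}
	g, _ := cipher.NewGCM(b) // NewGCM only fails for a non-16-byte block size
	return g
}

// seal prefixes a fresh nonce to its output; open reverses it and fails on a wrong key, other aad or tampering.
func seal(g cipher.AEAD, pt, aad []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read always fills the slice
	return g.Seal(nonce, nonce, pt, aad)
}
func open(g cipher.AEAD, ct, aad []byte) ([]byte, error) {
	if len(ct) < g.NonceSize() {
		return nil, fmt.Errorf("open: truncated input")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], aad)
}

// Deliver runs the claim 21 flow: the CEE generates TEK and encrypts the media,
// the KMF (a constructed service-identifier-to-KEK map) wraps TEK under the
// service's KEK, and the UE unwraps it with ueKEK (obtained per claims 24/25).
func Deliver(kmf map[string][]byte, serviceID string, ueKEK, media []byte) ([]byte, error) {
	kek, ok := kmf[serviceID]
	if !ok {
		return nil, fmt.Errorf("KMF: no KEK for service %q", serviceID)
	}
	tek := make([]byte, 16)
	rand.Read(tek) // media protection key TEK, generated by the content encryption entity
	encMedia := seal(aead(tek), media, nil)               // encrypted media, sent by the MF
	wrappedTEK := seal(aead(kek), tek, []byte(serviceID)) // service identifier bound as AAD
	tekAtUE, err := open(aead(ueKEK), wrappedTEK, []byte(serviceID))
	if err != nil {
		return nil, fmt.Errorf("UE cannot unwrap TEK: %w", err)
	}
	return open(aead(tekAtUE), encMedia, nil)
}
```

A UE holding the KEK of a different service, or requesting an unknown service identifier, gets an error rather than the media.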
PCT/CN2008/072015 2007-08-17 2008-08-15 System, method and device for realizing iptv media content security WO2009024071A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710146735.5 2007-08-17
CN200710146735 2007-08-17

Publications (1)

Publication Number Publication Date
WO2009024071A1 true WO2009024071A1 (en) 2009-02-26

Family

ID=40377855

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/072015 WO2009024071A1 (en) 2007-08-17 2008-08-15 System, method and device for realizing iptv media content security

Country Status (2)

Country Link
CN (1) CN101369886A (en)
WO (1) WO2009024071A1 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101521570B (en) * 2008-02-27 2012-09-19 华为技术有限公司 Method, system and device for realizing IPTV multicast service media safety
CN101510825B (en) * 2009-02-25 2014-04-30 中兴通讯股份有限公司 Protection method and system for management message
CN102273172B (en) * 2009-05-18 2016-06-01 爱立信电话股份有限公司 For realizing the functional method of IMS in Set Top Box
CN101729535B (en) * 2009-06-30 2013-03-20 中兴通讯股份有限公司 Implementation method of media on-demand business
CN101998384B (en) * 2009-08-18 2014-03-26 中国移动通信集团公司 Method for encrypting transmission medium stream, encryption server and mobile terminal
CN102546574B (en) * 2010-12-24 2014-10-08 中国移动通信集团公司 Streaming media on-demand method and device based on internet protocol (IP) multimedia subsystem
CN105656621A (en) * 2014-11-12 2016-06-08 江苏威盾网络科技有限公司 Safety management method for cryptographic device
US10779345B2 (en) 2017-03-20 2020-09-15 Qualcomm Incorporated User plane relocation techniques in wireless communication systems
CN112118206B (en) * 2019-06-19 2022-04-12 贵州白山云科技股份有限公司 Decryption method, device, system, medium and equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1848944A (en) * 2005-04-05 2006-10-18 华为技术有限公司 IPTV system, enciphered digital programme issuing and watching method
CN1946162A (en) * 2006-10-27 2007-04-11 华为技术有限公司 Method for obtaining EPG and IPTV service system
WO2007070652A1 (en) * 2005-12-15 2007-06-21 Lucent Technologies Inc. Method and network for providing service blending to a subscriber

Also Published As

Publication number Publication date
CN101369886A (en) 2009-02-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08784006; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08784006; Country of ref document: EP; Kind code of ref document: A1)