Summary of the invention
The problem to be solved by the present invention is to verify the legitimacy of the STB terminal, prevent malicious attacks, and improve the security of the system.
To address the above problem, one embodiment of the present invention provides an STB terminal verification method, comprising:
the terminal identity identification card sends a ciphering key sequence number and a random number sequence to the STB terminal in which it is located;
said STB terminal looks up, according to said ciphering key sequence number, a session key pre-stored in this STB terminal, encrypts said random number sequence with it, and generates terminal encrypted data;
said STB terminal sends this terminal encrypted data together with the terminal information of this STB terminal to said terminal identity identification card;
said terminal identity identification card looks up, according to said terminal information, a session key pre-stored in this terminal identity identification card, encrypts said random number sequence with it, and generates card encrypted data;
said card encrypted data and said terminal encrypted data are compared; when the comparison result is equal, the verification is passed.
To address the above problem, another embodiment of the present invention provides an STB terminal, comprising: a terminal identity identification card and an authentication unit;
said terminal identity identification card comprises:
a first card module, for sending a ciphering key sequence number and a random number sequence to said authentication unit;
a second card module, for looking up a pre-stored session key according to the terminal information coming from a third unit module;
a third card module, for encrypting, with the session key found by the second card module, said random number sequence sent by the first card module, and generating card encrypted data;
a fourth card module, for comparing the card encrypted data generated by the third card module with said terminal encrypted data coming from the third unit module; when the comparison result is equal, the verification is passed and the state of a preset authentication field is set to allow network authentication.
Said authentication unit comprises:
a first unit module, for looking up a pre-stored session key according to the ciphering key sequence number coming from the first card module;
a second unit module, for encrypting, with the session key found by the first unit module, the random number sequence coming from the first card module, and generating terminal encrypted data;
a third unit module, for sending the terminal encrypted data generated by the second unit module and the terminal information of this STB terminal to said terminal identity identification card.
With the present invention, the legitimacy of the STB terminal is verified before network authentication begins, and the main information transmitted between the two parties during the verification process is ciphertext rather than plaintext; malicious attacks can therefore be effectively prevented, the security of the system is improved, and the effective operation of services such as DRM is also facilitated.
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Embodiments
Embodiment 1
The present embodiment provides an STB terminal verification method which, as shown in Figure 1, comprises:
Step 101: the IPTV SIM card sends a ciphering key sequence number and a random number sequence (abbreviated RND) to the STB terminal.
Here, the ciphering key sequence number corresponds to the session keys stored in the STB terminal and is used to select one session key from a plurality of session keys. The number of digits of the ciphering key sequence number can be determined according to the number of session keys.
Step 102: the STB terminal looks up, according to the received ciphering key sequence number, a session key pre-stored in this STB terminal, encrypts the received random number sequence with it to generate terminal encrypted data, and sends this terminal encrypted data and the terminal information of this STB terminal to the IPTV SIM card.
Here, the terminal information of the STB terminal may include a manufacturer code, a key version number, and so on.
Step 103: the IPTV SIM card looks up, according to the received terminal information of the STB terminal, a session key pre-stored in this IPTV SIM card, and encrypts with this session key the random number sequence sent to the STB terminal in step 101, generating card encrypted data.
Step 104: the IPTV SIM card compares the card encrypted data obtained by the encryption operation with the terminal encrypted data received from the STB terminal; when the comparison shows that the card encrypted data equals the terminal encrypted data, step 105 is executed; otherwise the procedure ends at this step.
Step 105: the IPTV SIM card sends an instruction message to the STB terminal, indicating that the STB terminal may begin to initiate the network authentication flow.
Specifically, in order to control the network authentication of the STB terminal, an authentication field can be preset in the STB terminal. When the IPTV SIM card begins to perform a card reset (Card Reset) operation, the state of the authentication field is set to "false" (abbreviated FALSE), i.e. network authentication is not allowed. When step 104 is executed and the comparison result is identical, the verification is passed and the state of the authentication field is set to "true" (abbreviated TRUE), i.e. network authentication is allowed. The setting of the above authentication field state is performed by the card operating system.
When the IPTV SIM card receives an authentication run instruction (RUN IP/TV ALGORITHM) coming from the STB terminal, it queries the state of the authentication field; if the state of the authentication field is "FALSE", network authentication does not start; if the state is "TRUE", network authentication starts.
By the method described in this embodiment, the legitimacy of the STB terminal is verified before network authentication begins, and the main information transmitted between the two parties during the verification process is ciphertext rather than plaintext; malicious attacks can therefore be effectively prevented, the security of the system is improved, and the effective operation of services such as DRM is also facilitated.
Embodiment 2
The present embodiment provides another STB terminal verification method which, as shown in Figure 2, comprises:
Steps 201 and 202 are identical to steps 101 and 102 in Embodiment 1 and are not repeated here.
Step 203: the IPTV SIM card looks up, according to the received terminal information of the STB terminal, a session key pre-stored in this IPTV SIM card, encrypts with this session key the random number sequence sent to the STB terminal in step 201 to generate card encrypted data, and sends the card encrypted data to the STB terminal.
Step 204: the STB terminal compares the card encrypted data received from the IPTV SIM card with the terminal encrypted data obtained by the encryption operation in step 202; when the comparison shows that the card encrypted data equals the terminal encrypted data, the verification is passed and network authentication may start.
In addition, the present embodiment can also adopt the preset authentication field method described in Embodiment 1 to control the network authentication of the STB terminal: when the comparison result in step 204 is identical, the verification is passed and the state of the authentication field is set to "true" (abbreviated TRUE), i.e. network authentication is allowed.
By the method described in this embodiment, verification of the STB terminal is achieved. Besides the advantages described in Embodiment 1, since the comparison of the terminal encrypted data with the card encrypted data is performed by the STB terminal, the workload of the IPTV SIM card is reduced and the design requirements on the IPTV SIM card are lowered, thereby reducing the operator's card issuance cost; and since the STB terminal obtains the comparison result directly, without needing an instruction message from the IPTV SIM card, the response speed is faster and the reliability is higher.
It should also be noted here that, as the specific case requires, the technical solutions of step 104 in Embodiment 1 and step 204 in Embodiment 2 can be combined, that is: the card encrypted data and the terminal encrypted data are compared by both the IPTV SIM card and the STB terminal, and network authentication is allowed to start only when both comparison results are identical. Mutual recognition between the STB device and the IPTV SIM card can further improve the security of the system.
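The challenge-response exchange of steps 101 to 104, its STB-side counterpart in step 204 and the authentication-field gating, modelled in Python as an added example (not the patent's own code). The page does not name the cipher that encrypts RND, so HMAC-SHA256 stands in for that keyed operation; the manufacturer code "ACME", the key tables and the 16-byte RND are constructed for the example.

```python
import os
import hmac
import hashlib

# Assumption: HMAC-SHA256 stands in for the unnamed keyed encryption of RND.
def keyed_encrypt(session_key, rnd):
    return hmac.new(session_key, rnd, hashlib.sha256).digest()

class STBTerminal:
    def __init__(self, session_keys, manufacturer, key_version):
        self.session_keys = session_keys          # indexed by ciphering key sequence number
        self.info = (manufacturer, key_version)   # terminal information sent in step 102
    def respond(self, ksn, rnd):
        # Step 102: select the key by KSN, encrypt RND, return it with the terminal info
        return keyed_encrypt(self.session_keys[ksn], rnd), self.info

class IPTVSimCard:
    def __init__(self, key_table):
        self.key_table = key_table   # terminal info -> session keys indexed by KSN
        self.card_reset()
    def card_reset(self):
        self.auth_field = False      # Card Reset sets the authentication field to FALSE
        self.pending = None
    def challenge(self, ksn):
        # Step 101: send KSN and a fresh random number sequence
        rnd = os.urandom(16)
        self.pending = (ksn, rnd)
        return ksn, rnd
    def verify(self, terminal_data, info):
        # Steps 103-104: look up the key by terminal info, re-encrypt RND, compare
        ksn, rnd = self.pending
        self.pending = None          # a challenge is usable once
        keys = self.key_table.get(info)
        if keys is None or ksn >= len(keys):
            return False, None
        card_data = keyed_encrypt(keys[ksn], rnd)
        self.auth_field = hmac.compare_digest(card_data, terminal_data)
        return self.auth_field, card_data   # card_data lets the STB compare too (step 204)
    def run_algorithm(self):
        # RUN IP/TV ALGORITHM is honoured only while the authentication field is TRUE
        return "started" if self.auth_field else "refused: authentication field FALSE"

def demo(key_version):
    # Combined flow (steps 104 and 204) for a constructed STB carrying key_version
    keys = [hashlib.sha256(b"constructed-key-%d" % i).digest() for i in range(4)]
    card = IPTVSimCard({("ACME", 1): keys})   # the card's table knows only key version 1
    stb = STBTerminal(keys, "ACME", key_version)
    ksn, rnd = card.challenge(2)
    terminal_data, info = stb.respond(ksn, rnd)
    card_ok, card_data = card.verify(terminal_data, info)
    stb_ok = card_data is not None and hmac.compare_digest(terminal_data, card_data)
    return card_ok and stb_ok, card.run_algorithm()
```

A terminal whose key version is unknown to the card fails both comparisons and the field stays FALSE, so the card refuses the run instruction.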
Embodiment 3
The present embodiment provides an STB terminal, as shown in Figure 3. STB terminal 1 comprises: terminal identity identification card 10 and authentication unit 20, wherein terminal identity identification card 10 comprises: first card module 11, second card module 12, third card module 13 and fourth card module 14; authentication unit 20 comprises: first unit module 21, second unit module 22 and third unit module 23. Its operating principle is as follows:
First card module 11 of terminal identity identification card 10 sends a ciphering key sequence number and a random number sequence to authentication unit 20; first unit module 21 of authentication unit 20 looks up a pre-stored session key according to the ciphering key sequence number coming from first card module 11; second unit module 22 encrypts the random number sequence coming from first card module 11 with the session key found by first unit module 21, generating terminal encrypted data; third unit module 23 sends the terminal encrypted data generated by second unit module 22 and the terminal information of this STB terminal 1 to terminal identity identification card 10.
Second card module 12 of terminal identity identification card 10 looks up a pre-stored session key according to the terminal information coming from third unit module 23 of authentication unit 20; third card module 13 encrypts said random number sequence sent by first card module 11 with the session key found by second card module 12, generating card encrypted data; fourth card module 14 compares the card encrypted data generated by third card module 13 with the terminal encrypted data coming from third unit module 23 of authentication unit 20; when the comparison result is equal, the verification is passed and the state of the preset authentication field is set to allow network authentication.
In addition, network authentication can start after the verification is passed. Specifically, terminal identity identification card 10 can further comprise: a fifth card module 15, for querying the state of the preset authentication field after detecting that fourth card module 14 has passed the verification; when this state allows network authentication, network authentication starts; otherwise network authentication does not start.
By the device described in this embodiment, the legitimacy of the STB terminal is verified before network authentication begins, and the main information transmitted between the two parties during the verification process is ciphertext rather than plaintext; malicious attacks can therefore be effectively prevented, the security of the system is improved, and the effective operation of services such as DRM is also facilitated.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that modifications can still be made to the technical solutions recorded in the foregoing embodiments, or some of the technical features therein can be replaced by equivalents; such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.