CN101119200A - Method, network unit, terminal and system for providing broadcast/multicast service - Google Patents


Info

Publication number
CN101119200A
Authority
CN
China
Legal status
Pending
Application number
CNA2007100445734A
Other languages
Chinese (zh)
Inventor
朱庆
朱红儒
周玉龙
Current Assignee
Nokia Shanghai Bell Co Ltd
Original Assignee
Alcatel Lucent Shanghai Bell Co Ltd
Application filed by Alcatel Lucent Shanghai Bell Co Ltd
Priority to CNA2007100445734A
Publication of CN101119200A

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Abstract

The present invention relates to a method, a network element, a terminal and a communication system for providing a broadcast/multicast service to a terminal. The invention is characterized by: setting, according to the terminal's subscription, a start time (VF) and an end time (VT) of the validity period for a broadcast access key (BAK); sending the broadcast access key together with the start time and end time of its validity period to the terminal; and using the broadcast access key, in accordance with the start time and end time of the validity period, to decrypt the received encrypted broadcast/multicast service data.

Description

Method, network element, terminal and system for providing a broadcast/multicast service
Technical field
The present invention relates to the field of communications, and in particular to technology for providing a broadcast/multicast service (BCMCS, Broadcast Multicast Service) to a terminal.
Background art
As times change, users demand more and more services, and operators are rolling out a wide variety of services to meet this market demand. With the rollout of mobile TV services, the broadcast/multicast service is attracting particular attention. The purpose of BCMCS is to provide broadcast/multicast services to authorized (subscribed) users. A content provider delivers content to BCMCS users through a cellular system. The content may be IP multimedia information such as audio-visual data, or broadcast multimedia messages. The content provider may be part of the service network or an independent entity.
If access to BCMCS is subscription-based, the content is encrypted so that only authorized users can view or process it. To access BCMCS content, the user must hold the current decryption key. However, the UIM does not have enough capability to decrypt the content, so the ME must perform the decryption. This means the decryption key must be stored in the ME, and the ME certainly cannot be regarded as a secure storage device. It must be assumed that an attacker may eventually find a way to extract the current decryption key from the ME. If the attacker is a subscriber, he may distribute the decryption key to non-subscribers.
In short, when the decryption key is stored in insecure memory, no scheme can be designed that prevents unregistered users from accessing the data. That is, the possibility that unregistered users find some way to access the data cannot be ruled out.
For this reason, the following solution is known in the prior art: a broadcast access key (BAK) is distributed to each user individually, and many decryption keys are derived from this BAK together with public information sent with the BCMCS. Storing the BAK in the UIM avoids many practical security threats. See, for example, 3GPP2 S.R0083-0 Version 1.0 (published October 16, 2003).
In this prior-art solution, a parameter "BAK_Expire" is sent to the terminal together with the broadcast access key (BAK) to indicate the validity period of that key. However, this scheme has the following problems:
- The security of the key is insufficient. For the user to decrypt the subscribed content correctly, the network must push the BAK to the user in advance, or the user must obtain it in advance. But because no start-of-validity time is specified for the BAK on the terminal side, if the network side begins using this BAK earlier than the moment the user's subscribed service takes effect, the user can decrypt service content as soon as the BAK is received, which leaves a hole in service security.
- Because the BAK has only the end time of the validity period, "BAK_Expire", and the terminal does not know when to start using the BAK, it is difficult to implement pay per view or content based pay.
Summary of the invention
To solve at least part of the above technical problems of the prior art, according to one aspect of the present invention, a method for providing a broadcast/multicast service to a terminal is proposed, characterized by comprising: setting, according to the subscription of the terminal, a start time (VF) and an end time (VT) of the validity period for a broadcast access key (BAK); sending the broadcast access key and the start time and end time of its validity period to the terminal; and decrypting the received encrypted broadcast/multicast service data using the broadcast access key, in accordance with the start time and the end time of the validity period.
According to another aspect of the present invention, a network element for controlling a broadcast/multicast service (BCMCS) is proposed, characterized by comprising: a BAK generation unit (BAK generator) for generating a broadcast access key; a validity time setting unit, which sets, according to the subscription of a terminal, a start time (VF) and an end time (VT) of the validity period for the broadcast access key (BAK); and a BAK distribution unit (BAK distributor) for sending the broadcast access key and the start time and end time of its validity period to the terminal.
According to yet another aspect of the present invention, a terminal for receiving a broadcast/multicast service (BCMCS) is proposed, characterized by comprising: a BAK request unit for requesting a broadcast access key; a BAK receiving unit for receiving the broadcast access key and the start time and end time of its validity period; a validity time judging unit for judging, according to the start time and end time of the validity period of the broadcast access key, whether the broadcast access key is valid; and a broadcast/multicast service data decryption unit for decrypting the received encrypted broadcast/multicast service data when the broadcast access key is valid.
According to yet another aspect of the present invention, a communication system is proposed, comprising: the network element described above; and the terminal described above.
Brief description of the drawings
The above and other features and advantages of the present invention will become more apparent from the following description of specific embodiments, read together with the accompanying drawings, in which:
Fig. 1 is a block diagram schematically showing a BCMCS communication system to which embodiments of the invention can be applied;
Fig. 2 is a flow chart of a method for providing a broadcast/multicast service to a terminal according to an embodiment of the invention;
Fig. 3 is a block diagram schematically showing another BCMCS communication system to which embodiments of the invention can be applied;
Fig. 4 is a block diagram of a network element according to an embodiment of the invention;
Fig. 5 is a block diagram of a network element according to another embodiment of the invention;
Fig. 6 is a block diagram of a network element according to yet another embodiment of the invention;
Fig. 7 is a block diagram of a mobile terminal according to an embodiment of the invention.
Detailed description
To aid understanding of the invention, the prior-art BCMCS security architecture is described first. The prior-art BCMCS security architecture comprises the following key hierarchy.
- Registration key RK: identifies the user and corresponds uniquely to the user.
- Broadcast access key BAK: a 128-bit broadcast access key. It provides access, for a certain period (e.g. one day, one week or one month), to one or more broadcast/multicast data flows of a specific group of BCMCS programs. Each group of encrypted BCMCS programs has a different BAK value.
- Session key SK: the key the end user uses to encrypt and decrypt service content.
- Temporary key TK: used to protect the transmission of the BAK.
As shown in Fig. 1, the prior-art BCMCS security architecture is based first of all on a registration key RK and a 128-bit broadcast access key BAK. Before use, the user identity module (UIM, User Identity Module) 108 of the mobile equipment (ME, Mobile Equipment) 107 and the subscription manager (SM, Subscription Manager) 106 must both be provisioned with a 128-bit registration key RK.
Each SM should hold a unique 128-bit RK for each UIM. A 128-bit broadcast access key (BAK, Broadcast Access Key) provides access, for a certain period (e.g. one day, one week or one month), to one or more broadcast/multicast data flows of a BCMCS program. Each group of encrypted BCMCS programs has a different BAK value. Each BAK has an associated validity period BAK_Expire and identifier value BAK_ID. Then, based on the BAK, the RUIM and the SK manager 103 of the BCMCS controller 300 compute the session key (SK, Session Key). The SK is the 128-bit session key that the content provider uses to encrypt BCMCS content and that the ME 107 uses to decrypt it.
When a BAK is provisioned to the UIM 108 of the ME 107, the BAK distributor (BAKD, BAK Distributor) 105 needs a temporary key TK to encrypt the BAK. The TK is obtained from the subscription manager SM 106 and is based on the RK. The UIM 108 likewise computes the TK from the RK. In practice, the BAK generation unit 104, the BAK distributor 104 and the SK manager 103 are usually implemented as one network element, called the BCMCS controller, which controls the broadcast/multicast service.
The processing that implements the prior-art BCMCS security architecture mainly comprises the following steps:
- The UIM 108 and the subscription manager 106 are each provisioned with the registration key RK, and the BCMCS controller 300 then generates the BAK.
- The BCMCS controller 300 generates the session key SK from the current BAK and the random value SK_RAND and passes it to the content provider.
- The content encryption unit 102 encrypts the broadcast/multicast service data flow from the content source 101 with the SK and sends the encrypted flow to the ME 107 through the service system 109. The content encryption unit 102 also includes information such as SK_RAND and BAK_ID in the encrypted broadcast/multicast service data flow.
- After receiving the encrypted broadcast/multicast service data flow, the terminal does the following: if BAK_ID and SK_RAND are unchanged compared with the last received broadcast/multicast service data flow, the ME 107 decrypts the flow with the SK value currently assigned to it and passes the result to the user application. If BAK_ID and SK_RAND have changed, the ME 107 requests a new SK from the UIM 108; the request includes BCMCS_FLOW_ID, BAK_ID and SK_RAND.
The UIM 108 generates the SK from the BAK and SK_RAND and returns the SK to the ME 107. The ME decrypts the multicast IP flow and passes the result to the user application.
If the UIM 108 does not hold the BAK corresponding to this BAK_ID, the following processing is carried out:
- The ME sends a BAK request to the BAK distributor; the request contains authentication information based on the UIM's RK.
- To send the BAK to the UIM, it must be encrypted so that other devices cannot receive it. The BAK distributor requests a temporary key (TK) from the subscription manager.
- The subscription manager generates the TK from a random value TK_RAND and the RK. TK_RAND may be generated by the BAK distributor or by the subscription manager. The subscription manager sends the TK and TK_RAND to the BAK distributor.
- The BAK distributor encrypts the BAK value with the TK and sends the encrypted BAK, together with TK_RAND and BAK_Expire (start time and end time), to the UIM via the ME.
In the above process, the SK value is generated from the BAK and SK_RAND, and SK_RAND is transmitted with the encrypted content. The content is encrypted with a unique, frequently changing session key (SK). The ME 107 decrypts the content with the current SK. The SK should change often, to reduce the impact of a possible "Rogue Shell" attack in which the SK is shared with unauthorized users. The SK is never transmitted over the air; the UIM 108 derives it from a broadcast access key (BAK) and a random number SK_RAND sent with the encrypted content.
As described in the prior-art section above, the existing BCMCS security architecture has the following problems. A parameter "BAK_Expire" is sent to the terminal together with the broadcast access key (BAK) to indicate the key's validity period. Because the BAK has only the end time of the validity period, "BAK_Expire", the terminal does not know when to start using the BAK. If the network side begins using the BAK before the start of the service the user ordered, the terminal can decrypt program content immediately after receiving the BAK, so service security clearly cannot be guaranteed. Moreover, with the present scheme it is very difficult to implement pay per view or content based pay.
To solve the above technical problems, the invention provides a method for providing a broadcast/multicast service to a terminal. Fig. 2 is a flow chart of a method for providing a broadcast/multicast service to a terminal according to an embodiment of the invention.
As shown in Fig. 1, first, in step 201, a broadcast access key BAK is generated. The invention places no particular restriction on how the BAK is generated; any existing or future method may be used.
Then, in step 205, a start time (VF, Valid From) and an end time (VT, Valid To) are set, according to the terminal's subscription, for the broadcast access key (BAK) to be sent to this terminal. Unlike the earlier approach, which had only an end time for the validity period, this embodiment sets both a start time and an end time for the BAK sent to the terminal. BAK_Expire comprises VF and VT. In this embodiment, the start time and end time of the BAK are each expressed as absolute times, for example starting at "7/20/2007 6:30:00" and ending at "7/20/2007 12:30:00".
Then, in step 210, the BAK and its related information are sent to the terminal. In this embodiment, as in the existing approach, the BAK and its related information are encrypted with the TK before being sent to the terminal.
In a concrete implementation, steps 201-210 of this embodiment may, for example, be carried out as follows.
- The terminal sends a BAK request to the BAK distributor of the BCMCS controller. The BAK request contains RK-based authentication information, which the subscription manager can use to determine that the request comes from a legitimate subscriber.
- The BAK distributor checks the user's subscription. The subscription may be held by the BAK distributor or by the subscription manager. If the subscription manager stores the subscription, the BAK distributor sends a request to the subscription manager to check the user's subscription and obtain a temporary key (TK). If the BAK distributor stores the subscription, it sends a request to obtain the temporary key (TK).
- The subscription manager checks the subscription (if it holds the subscription) and generates the TK from a random value TK_RAND and the RK. The subscription manager sends the TK and TK_RAND to the BAK distributor. When the subscription manager stores the subscription information, it also sends the subscription-related information to the BAK distributor.
- If the user has subscribed to the broadcast, the BAK distributor encrypts the BAK value with the TK and sends the encrypted BAK, together with TK_RAND and BAK_Expire (start time and end time), to the UIM via the ME. BAK_Expire is set as follows:
a) If the user has subscribed to a long-term broadcast, VF and VT should be set to the start time and end time of this BAK.
b) If the user has subscribed to particular content or to a service for a fixed period (such as monthly, weekly or several hours), VF should be set to the start time of that content or service, and VT to the end time of that content or service. If the time interval of the content or service spans more than one BAK, multiple BAK messages are sent to the user, and VF and VT in each BAK should be set so that they join seamlessly and cover the whole duration of the content or service.
The UIM first forms the TK from TK_RAND and PK, then uses the TK to decrypt the encrypted BAK and recover the BAK. The BAK value and its associated BAK_Expire are stored in the UIM. The UIM should be able to store at least two BAK values, so that a new BAK can be obtained and stored before the old BAK expires.
Returning to Fig. 2, in step 215 the broadcast/multicast service data is then transmitted to the terminal. Here, the broadcast/multicast service data comprises the content data encrypted with the SK and some related information, for example BAK_ID and SK_RAND. This related information can be carried in the headers of the packets that transport the encrypted content data.
Then, in step 220, the terminal side judges whether the BAK is valid. In this embodiment, the validity period of the BAK is set with a start time (VF) and an end time (VT) expressed as absolute times, so whether the BAK is within its validity period can be decided by checking whether the current time lies between the start time (VF) and the end time (VT) of the BAK.
Then, in step 225, if the BAK is valid, the content data is decrypted and reproduced. Specifically, when the BAK is judged to be within its validity period, the SK is generated from this BAK and the SK_RAND transmitted with the content data, the generated SK is used for decryption, and the decrypted data is passed to the user application.
In a concrete implementation, steps 215-225 of this embodiment may, for example, be carried out as follows.
- The SK manager generates the SK from the current BAK and the random value SK_RAND. The SK manager sends SK, SK_RAND, BAK_ID and the BAK validity time to the content encryption unit.
- The content source sends the broadcast/multicast data flow to the content encryption unit.
- The content encryption unit encrypts the broadcast/multicast data flow with the SK and sends the encrypted flow to the terminal through the service system. The content encryption unit also includes information such as SK_RAND and BAK_ID in the encrypted broadcast/multicast data flow.
- The ME receives the encrypted broadcast/multicast data flow and does the following:
a) If BAK_ID and SK_RAND are unchanged from the last received broadcast/multicast data flow, the ME decrypts the broadcast/multicast IP flow with the SK value currently assigned to this flow and passes the result to the user application;
b) If BAK_ID and SK_RAND have changed, the ME requests a new SK from the UIM; the request includes BCMCS_FLOW_ID, BAK_ID and SK_RAND.
- The UIM verifies the BAK information (in particular, whether the current time lies between VF and VT of the BAK validity period). If the BAK is valid, it generates the SK from the BAK and SK_RAND and passes the SK to the ME; the ME decrypts the encrypted broadcast/multicast data flow and passes the result to the user application.
As the above description shows, in the method of this embodiment for providing a broadcast/multicast service to a terminal, setting a start time and an end time for the BAK validity period lets the terminal know when to start using the BAK. A new BAK can therefore be pushed to the terminal before the validity period of the old BAK ends. And because the start time and end time of the BAK validity period are set according to the user's subscription, pay per view or content based pay can be implemented easily.
In the embodiment described above, the start time and end time of the BAK validity period are set as absolute times. The invention is not limited to this, however; the start time and end time of the BAK validity period can also be set as relative times.
Under the same inventive concept, according to another embodiment of the invention, the start time and end time of the BAK validity period are set as relative times. On the network side, the BAK life cycle is divided into time periods whose length is the shortest interval at which the SK changes (for example, if the SK changes at most once every 30 seconds, the BAK life cycle is divided into 30-second periods), and each time period is numbered. Multiple session keys (SK) are generated in chronological order, each is assigned a session key identifier (SK-ID) in chronological order, and the identified time periods serve as the time reference for the start time and end time of the BAK validity period. This embodiment is described in detail below; parts identical to the previous embodiment are omitted where appropriate to avoid repetition.
The main difference between this embodiment and the previous one is that the start time (VF) and end time (VT) of the BAK validity period are set as relative times, using SK-ID as the time reference.
Specifically, when the SK manager generates an SK from the current BAK and the random value SK_RAND, it assigns the generated SK a unique session key identifier (SK_ID) in chronological order. This SK_ID corresponds to the identifier of a time period within the life cycle of the associated BAK. That is, the BAK life cycle is divided into time periods of the minimum SK change interval (e.g. 30 seconds), and these periods are numbered: from the initial moment the BAK takes effect to the end of the 29th second is the 1st time period, the following 30 seconds are the 2nd time period, and so on. The SK_ID is the number of the time period into which the moment this SK takes effect falls.
The SK manager sends SK, SK_RAND, SK_ID, BAK_ID and the BAK validity time to the content encryption unit.
After the content source sends the broadcast/multicast data flow to the content encryption unit, the content encryption unit encrypts the flow with the SK and sends the encrypted flow to the terminal through the service system. The content encryption unit also includes information such as SK_RAND, BAK_ID and SK_ID in the encrypted broadcast/multicast data flow.
When the ME receives the encrypted broadcast/multicast data flow, it does the following:
a) If BAK_ID and SK_ID are unchanged from the last received broadcast/multicast data flow, the ME decrypts the flow with the SK value currently assigned to it and passes the result to the user application;
b) If BAK_ID and SK_ID have changed, the ME requests a new SK from the UIM; the request includes BCMCS_FLOW_ID, BAK_ID, SK_ID and SK_RAND.
The UIM verifies the BAK information (in particular, whether the current SK_ID lies between VF and VT of the BAK). The verification rule varies by operator; a typical rule is to check whether SK_ID is greater than VF and less than or equal to VT, and to judge the BAK valid if both conditions hold. If the BAK is valid, the UIM generates the SK from the BAK and SK_RAND and passes it to the ME; the ME decrypts the encrypted broadcast/multicast data flow and passes the result to the user application.
In addition, BAK generation and distribution in this embodiment also differ somewhat from the previous embodiment. Specifically, after the ME sends a BAK request to the BAK distributor and the BCMCS controller confirms its legitimate identity, and after the TK has been generated and the user's subscription information obtained, the BAK distributor encrypts the BAK value with the TK and sends the encrypted BAK, together with TK_RAND and BAK_Expire (start time VF and end time VT), to the UIM via the ME. BAK_Expire is set as follows:
a) If the user has subscribed to a long-term broadcast, VF and VT should be set to the identifiers of the time periods containing the start moment and end moment of this BAK.
b) If the user has subscribed to particular content or to a service for a fixed interval (such as monthly, weekly or several hours), VF and VT should be set according to the identifiers of the time periods containing the start moment and end moment of that content or service, respectively. For example, VF should be set to the identifier of the time period containing the start moment of the content or service minus 1, and VT to the identifier of the time period containing its end moment plus 1. If the time interval of the content or service spans more than one BAK, multiple BAK messages are sent to the user, and VF and VT in each BAK should be set so that they join seamlessly and cover the whole duration of the content or service.
The UIM first forms the TK from TK_RAND and PK, then uses the TK to decrypt the encrypted BAK and recover the BAK. The BAK value and its associated BAK_Expire are stored in the UIM. The UIM should be able to store at least two BAK values, so that a new BAK can be obtained and stored before the old BAK expires.
As the above description shows, in the method of this embodiment for providing a broadcast/multicast service to a terminal, setting a start time and an end time for the BAK validity period lets the terminal know when to start using the BAK. A new BAK can therefore be pushed to the terminal before the validity period of the old BAK ends. And because the start time and end time of the BAK validity period are set according to the user's subscription, pay per view or content based pay can be implemented easily. Furthermore, because the start time and end time of the BAK validity period are set as relative times, with the identifier of the containing time period as the time reference for VF and VT, and SK_ID is tied to the time period identifier, problems caused by deviations in absolute time settings or by an inaccurate terminal clock can be avoided, and the BAK validity period can be specified more precisely.
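The UIM-side check described in the two embodiments above, as an added Python example that is not code from the patent: it contrasts the prior-art end-time-only behaviour with the VF/VT gate in absolute mode, and applies the relative-mode rule (SK_ID greater than VF and less than or equal to VT) with the text's 30-second period numbering. The class and function names, the HMAC-SHA256 stand-in for the unspecified SK derivation, the inclusive lower bound in absolute mode and all sample values are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

SK_PERIOD = 30  # seconds: the text's example of the shortest SK change interval


def derive_sk(bak: bytes, sk_rand: bytes) -> bytes:
    """Stand-in KDF (assumption): the page only says SK comes from BAK and SK_RAND."""
    return hmac.new(bak, sk_rand, hashlib.sha256).digest()[:16]


def period_id(bak_start: int, t: int) -> int:
    """Seconds 0..29 after the BAK takes effect are period 1, the next 30 period 2, ..."""
    return (t - bak_start) // SK_PERIOD + 1


def relative_window(bak_start: int, svc_start: int, svc_end: int) -> tuple:
    """VF = start period - 1 and VT = end period + 1, as in the text's example."""
    return period_id(bak_start, svc_start) - 1, period_id(bak_start, svc_end) + 1


@dataclass(frozen=True)
class BakEntry:
    bak_id: int
    bak: bytes  # 128-bit broadcast access key, already decrypted with the TK
    vf: int     # epoch seconds (absolute mode) or period number (relative mode)
    vt: int


class Uim:
    """Toy UIM (hypothetical): holds BAKs and releases an SK only while the BAK is valid."""

    def __init__(self, relative: bool, enforce_vf: bool = True):
        self.relative = relative
        self.enforce_vf = enforce_vf  # False models the prior art (end time only)
        self._baks = {}               # BAK_ID -> BakEntry; several BAKs can be held

    def store_bak(self, entry: BakEntry) -> None:
        self._baks[entry.bak_id] = entry

    def is_valid(self, entry: BakEntry, ref: int) -> bool:
        if not self.enforce_vf:
            started = True
        elif self.relative:
            started = ref > entry.vf   # rule quoted in the text: SK_ID > VF
        else:
            started = ref >= entry.vf  # assumption: VF itself is inside the window
        return started and ref <= entry.vt

    def request_sk(self, bak_id: int, sk_rand: bytes, ref: int):
        """ref is the current time (absolute mode) or the flow's SK_ID (relative mode)."""
        entry = self._baks.get(bak_id)
        if entry is None:
            raise LookupError("no BAK for this BAK_ID: the ME must send a BAK request")
        if not self.is_valid(entry, ref):
            return None  # outside the validity period: no SK leaves the UIM
        return derive_sk(entry.bak, sk_rand)


# Constructed sample data: a BAK pushed early for a program running 2000..3000.
BAK = bytes(range(16))
SK_RAND = b"constructed-rand"


def early_delivery_demo() -> dict:
    """Same early-pushed BAK, asked for an SK at t=1500, before the subscription starts."""
    prior_art = Uim(relative=False, enforce_vf=False)
    with_vf = Uim(relative=False)
    for uim in (prior_art, with_vf):
        uim.store_bak(BakEntry(bak_id=1, bak=BAK, vf=2000, vt=3000))
    return {
        "prior_art_early": prior_art.request_sk(1, SK_RAND, 1500),
        "vf_vt_early": with_vf.request_sk(1, SK_RAND, 1500),
        "vf_vt_inside": with_vf.request_sk(1, SK_RAND, 2500),
        "vf_vt_late": with_vf.request_sk(1, SK_RAND, 3001),
    }


def relative_demo() -> dict:
    """BAK takes effect at t=1000; the subscribed service runs from 1090 to 1200."""
    vf, vt = relative_window(1000, 1090, 1200)
    uim = Uim(relative=True)
    uim.store_bak(BakEntry(bak_id=2, bak=BAK, vf=vf, vt=vt))
    released = [sk_id for sk_id in range(1, 12)
                if uim.request_sk(2, SK_RAND, sk_id) is not None]
    return {"vf": vf, "vt": vt, "released_sk_ids": released}


if __name__ == "__main__":
    print(early_delivery_demo())
    print(relative_demo())
```

In the relative run the service occupies periods 4 to 7, yet with VT set to the end period plus 1 and the rule SK_ID <= VT, period 8 is also released. An operator choosing the verification rule should pick VF/VT offsets and comparison operators together so the window matches the subscription exactly.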
In the application of reality, also there is following such situation: provide service in the mobile domains by mobile operator, provide service in the broadcast domain by broadcast operator, needing the cooperation of mobile domains and broadcast domain to finish jointly to terminal when realizing BCMCS provides BCMCS the work of service.Fig. 3 schematically shows the example of a such system 2000.
As shown in Figure 3, upside is a mobile domains, and downside is a broadcast domain.In mobile domains one side, BCMCS controller 300 is used to generate BAK, determines BAK_ID and BAK_Expire, and sends BAK and relevant information thereof to terminal by mobile network 310.In addition, BCMCS controller 300 also is used to generate SK.Except these functions that limited by 3GPP2, BCMCS controller 300 also possesses transmission security key (traffic Key) ciphering unit 301 and is used for cooperating with broadcast domain.The program stream transmission security key that transmission security key ciphering unit 301 is used for sending from broadcast domain is encrypted, and feeds back to the transmission security key of encryption in the mode of SRTP bag.Mobile network's 310 usefulness provide interaction capabilities, for example ask and distribute BAK.
In broadcast domain one side, transmission security key generation unit 303 is used to generate transmission security key (traffc key) and it is sent to synchronous crypto-operation synchronizer (Simulcrypt synchronizer) 302 and scrambling/Multiplexing Unit (Scrambler and Multiplexer) 304 in order.Synchronous crypto-operation synchronizer 302 obtains transmission security key, interacts to generate transmission security key message with the BCMCS controller, and transmission security key and transmission security key message are sent to scrambling/Multiplexing Unit 304.Transmission security key is used for stream of encrypted content.Transmission security key message is broadcasted with encrypted content.Scrambling/Multiplexing Unit 304 is used for stream of encrypted content, inserts transmission security key message, and a plurality of content streams are multiplexed in the Business Stream.Radio network 320 uses broadcasting channel to send encrypted content and transmission security key message to terminal.
Under the same inventive concept, another embodiment of the present invention provides a method for providing a broadcast/multicast service to a terminal in an environment where the broadcast domain and the mobile domain cooperate as described above. The main difference from the embodiment described earlier is that the start time and end time of the BAK validity period are set as relative times. Because traffic keys are generated one after another in time order, each traffic key is assigned a unique traffic key identifier (Traffic Key ID) in time order, and this identifier serves as the time reference for the start time and end time of the BAK validity period. The Traffic_Key_ID corresponds to the identifier of a time period within the life cycle of the related BAK. Specifically, the life cycle of the BAK is divided into time periods of the minimum period at which the traffic key changes (such as 30 seconds), and these time periods are numbered: the span from the moment the BAK takes effect to the start of the 30th second is called the 0th time period, the following 10 seconds represent the 2nd time period, and so on. The Traffic_Key_ID corresponds to the number of the time period into which the moment that traffic key takes effect falls. This embodiment is described in detail below; parts identical to the earlier embodiments are omitted where appropriate to avoid repetition.
First, the traffic key generation unit 303 generates a traffic key and sends it, together with the related control information, to the Simulcrypt synchronizer 302.
Then the BCMCS controller 300 encrypts the traffic key and places the encrypted traffic key, together with the related parameters, in the traffic key message. This process comprises the following steps:
a) Generate the SK from the BAK and BAK_RAND.
b) Encrypt the traffic key with the SK.
c) Convert the effective time of the traffic key into a Traffic_Key_ID (each traffic key is assigned a unique traffic key identifier in time order), and place BAK_ID, SK_RAND, BCMCS_FLOW_ID, Traffic_Key_ID and the encrypted traffic key in the packet. If, for example, packets are used, BAK_ID, SK_RAND, BCMCS_FLOW_ID and Traffic_Key_ID can be carried in the MKI field and the encrypted traffic key in the encrypted portion. The BCMCS controller 300 returns the encrypted traffic key message to the Simulcrypt synchronizer 302.
Then the Simulcrypt synchronizer 302 sends the traffic key and the traffic key message to the scrambler/multiplexer 304. According to the program control information, the scrambler/multiplexer 304 encrypts the content data streams, inserts the traffic key messages, and multiplexes the encrypted content data streams into a transport stream.
Then the content stream data is broadcast. After the terminal 311 has received the service guide from the mobile network or the broadcast and has subscribed to a service or to specific content by online interaction or offline subscription, the terminal 311 decides to play a content stream, obtains the traffic key message, and finds that it has no valid BAK for decrypting the traffic key message. The terminal 311 therefore sends a request to the BCMCS controller 300 to obtain the BAK.
According to the subscription, the BCMCS returns the encrypted BAK and sets BAK_Expire (start time VF and end time VT) as follows:
a) If the user has subscribed to long-term broadcast, VF and VT should be set to the identifiers of the time periods containing the start moment and the end moment of this BAK.
b) If the user has subscribed to specific content or to a service for a fixed interval (for example monthly, weekly or for several hours), VF and VT should be set according to the identifiers of the time periods containing the start moment and the end moment of that content or service. For example, VF should be set to the identifier of the time period containing the start moment of the content or service minus 1, and VT should be set to the identifier of the time period containing its end moment plus 1. If the time interval of the content or service spans more than one BAK, multiple BAK messages are sent to the user, and VF and VT in each BAK should be set so that they join seamlessly and cover the whole duration of the content or service.
The terminal 311 receives the encrypted content, obtains the traffic key message, and checks the BAK information (in particular, whether the Traffic_Key_ID in the traffic key message lies within the span from VF to VT of the BAK validity period). The checking rule differs between operators; a typical rule is to judge whether Traffic_Key_ID is greater than VF and less than or equal to VT, and if both conditions hold, the BAK is judged valid. When the BAK is valid, the terminal uses the correct BAK and the current SK_RAND to generate the SK, and uses the SK to decrypt the encrypted traffic key in the traffic key message. After obtaining the traffic key, the terminal 311 decrypts the content stream and plays the program.
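The relative-time procedure described above, from setting BAK_Expire at the controller to the terminal's check before it derives the SK, can be sketched as follows. This is an added example, not code from the patent: the HMAC-SHA256 derivation and the XOR wrapping are stand-ins for the key derivation and encryption that the page does not specify, and all function names, class names, key values and timestamps are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PERIOD_SECONDS = 30  # minimum traffic-key change period (the page's example value)


@dataclass(frozen=True)
class BakRecord:
    """What the terminal holds after a BAK request: the key plus BAK_Expire."""
    bak_id: int
    bak: bytes
    vf: int  # start of validity, as a time-period number
    vt: int  # end of validity, as a time-period number


@dataclass(frozen=True)
class TrafficKeyMessage:
    """Fields the page lists for the traffic key message."""
    bak_id: int
    sk_rand: bytes
    bcmcs_flow_id: int
    traffic_key_id: int
    encrypted_traffic_key: bytes


def period_id(bak_start: int, moment: int) -> int:
    """Number of the time period, counted from BAK activation, containing `moment`."""
    if moment < bak_start:
        raise ValueError("moment precedes BAK activation")
    return (moment - bak_start) // PERIOD_SECONDS


def set_bak_expire(bak_start: int, service_start: int, service_end: int) -> Tuple[int, int]:
    """Controller side, case b): VF = start period - 1, VT = end period + 1."""
    if service_end < service_start:
        raise ValueError("service ends before it starts")
    return (period_id(bak_start, service_start) - 1,
            period_id(bak_start, service_end) + 1)


def bak_is_valid(traffic_key_id: int, vf: int, vt: int) -> bool:
    """The page's typical rule: Traffic_Key_ID > VF and Traffic_Key_ID <= VT."""
    return vf < traffic_key_id <= vt


def derive_sk(bak: bytes, sk_rand: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the unspecified SK derivation.
    return hmac.new(bak, b"SK" + sk_rand, hashlib.sha256).digest()


def _wrap(sk: bytes, traffic_key_id: int, data: bytes) -> bytes:
    # Assumption: XOR with an HMAC-derived pad stands in for the unspecified cipher.
    pad = hmac.new(sk, b"TK" + traffic_key_id.to_bytes(4, "big"), hashlib.sha256).digest()
    if len(data) > len(pad):
        raise ValueError("traffic key longer than pad")
    return bytes(a ^ b for a, b in zip(data, pad))


def build_traffic_key_message(bak_id: int, bak: bytes, bak_start: int, flow_id: int,
                              sk_rand: bytes, traffic_key: bytes,
                              effective_at: int) -> TrafficKeyMessage:
    """Controller side, steps a) to c): derive SK, encrypt, attach Traffic_Key_ID."""
    tk_id = period_id(bak_start, effective_at)
    sk = derive_sk(bak, sk_rand)
    return TrafficKeyMessage(bak_id, sk_rand, flow_id, tk_id, _wrap(sk, tk_id, traffic_key))


def recover_traffic_key(record: BakRecord, msg: TrafficKeyMessage) -> Optional[bytes]:
    """Terminal side: check BAK_ID and the validity window before deriving the SK."""
    if msg.bak_id != record.bak_id:
        return None
    if not bak_is_valid(msg.traffic_key_id, record.vf, record.vt):
        return None  # outside (VF, VT]: the SK is never derived
    sk = derive_sk(record.bak, msg.sk_rand)
    return _wrap(sk, msg.traffic_key_id, msg.encrypted_traffic_key)


def demo() -> Dict[int, bool]:
    """Constructed scenario: service runs from 600 s to 1200 s after BAK activation."""
    bak_start = 1_000_000
    bak, traffic_key, sk_rand = bytes(range(16)), b"T" * 16, b"\x01\x02\x03\x04"
    vf, vt = set_bak_expire(bak_start, bak_start + 600, bak_start + 1200)
    record = BakRecord(bak_id=7, bak=bak, vf=vf, vt=vt)
    outcome = {}
    for period in (19, 20, 41, 42):  # boundary periods around the window
        msg = build_traffic_key_message(7, bak, bak_start, 1, sk_rand, traffic_key,
                                        bak_start + period * PERIOD_SECONDS + 5)
        outcome[period] = recover_traffic_key(record, msg) == traffic_key
    return outcome


if __name__ == "__main__":
    print(demo())
```

With the minus-1 and plus-1 settings and the "greater than VF, less than or equal to VT" rule, the window for this constructed service admits periods 20 through 41, so the boundary behaviour depends on which checking rule the operator chooses.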
As the above description shows, in the method of this embodiment for providing a broadcast/multicast service to a terminal, setting the start time and end time of the BAK validity period lets the terminal know when to begin using the BAK, so a new BAK can be pushed to the terminal before the validity period of the old BAK ends. Because the start time and end time of the BAK validity period are set according to the user's subscription, pay per view and content based pay can be implemented easily. Furthermore, because the start time and end time of the BAK validity period are set as relative times, with the corresponding time-period identifiers as the time reference for VF and VT and with the traffic key identifier associated with the time-period identifier, problems caused by deviations in absolute time settings or by an inaccurately set terminal clock are avoided, and the validity period of the BAK can be specified more precisely. In addition, this embodiment can be applied in a system environment in which the mobile domain and the broadcast domain cooperate.
Under the same inventive concept, another embodiment of the present invention provides a network element (Network Element) that can serve as the BCMCS controller in a BCMCS system. Fig. 4 is a block diagram of a network element according to one embodiment of the present invention. The network element of this embodiment is described below with reference to this figure. To avoid repetition, the following description uses the same reference numerals for parts identical to the earlier embodiments and omits their explanation where appropriate.
As shown in Fig. 4, the network element 300 comprises: a broadcast access key generation unit (BAK generator) 104 for generating the broadcast access key; a validity time setting unit 401, which sets the start time (VF) and end time (VT) of the validity period of the broadcast access key (BAK) according to the terminal's subscription; and a broadcast access key distribution unit (BAK distributor) 105 for sending the broadcast access key and the start time and end time of its validity period to the terminal. In addition, like an existing BCMCS controller, the network element 300 may also comprise an SK manager for generating the SK from the BAK and SK_RAND.
In this embodiment, the validity time setting unit 401 sets the start time (VF) and end time (VT) of the broadcast access key (BAK) as absolute times. Specifically, BAK_Expire is set as follows:
a) If the user has subscribed to long-term broadcast, VF and VT should be set to the start time and end time of this BAK.
b) If the user has subscribed to specific content or to a service for a fixed period (for example monthly, weekly or for several hours), VF should be set to the start time of that content or service and VT should be set to the end time of that content or service. If the time interval of the content or service spans more than one BAK, multiple BAK messages are sent to the user, and VF and VT in each BAK should be set so that they join seamlessly and cover the whole duration of the content or service.
In operation, the network element of this embodiment can be used to implement the method for providing a broadcast/multicast service to a terminal described in the earlier embodiments, and obtains the technical advantages of those embodiments.
Under the same inventive concept, yet another embodiment of the present invention provides a network element (Network Element) that can serve as the BCMCS controller in a BCMCS system. Fig. 5 is a block diagram of a network element according to one embodiment of the present invention. The network element of this embodiment is described below with reference to this figure. To avoid repetition, the following description uses the same reference numerals for parts identical to the earlier embodiments and omits their explanation where appropriate.
As shown in Fig. 5, the network element 300 comprises: a broadcast access key generation unit (BAK generator) 104 for generating the broadcast access key; a validity time setting unit 401, which sets the start time (VF) and end time (VT) of the validity period of the broadcast access key (BAK) according to the terminal's subscription; and a broadcast access key distribution unit (BAK distributor) 105 for sending the broadcast access key and the start time and end time of its validity period to the terminal. In addition, like an existing BCMCS controller, the network element 300 may also comprise an SK manager for generating the SK from the BAK and SK_RAND.
Unlike the embodiment shown in Fig. 4, the network element 300 of this embodiment also comprises an SK-ID assignment unit, which assigns session key identifiers (SK-ID) to the plurality of session keys generated one after another in time order; the SK_ID corresponds to the identifier of the time period in which the SK falls.
In this embodiment, the validity time setting unit 401 sets the start time (VF) and end time (VT) of the validity period of the broadcast access key (BAK) as relative times, using the time-period identifier as the time reference. Specifically, BAK_Expire is set as follows:
a) If the user has subscribed to long-term broadcast, VF and VT should be set to the identifiers of the time periods containing the start moment and the end moment of this BAK.
b) If the user has subscribed to specific content or to a service for a fixed interval (for example monthly, weekly or for several hours), VF and VT should be set according to the identifiers of the time periods containing the start moment and the end moment of that content or service. For example, VF should be set to the identifier of the time period containing the start moment of the content or service minus 1, and VT should be set to the identifier of the time period containing its end moment plus 1. If the time interval of the content or service spans more than one BAK, multiple BAK messages are sent to the user, and VF and VT in each BAK should be set so that they join seamlessly and cover the whole duration of the content or service.
In operation, the network element of this embodiment can be used to implement the method for providing a broadcast/multicast service to a terminal described in the earlier embodiments, and obtains the technical advantages of those embodiments.
Under the same inventive concept, yet another embodiment of the present invention provides a network element (Network Element) that can serve as the BCMCS controller in a BCMCS system. Fig. 6 is a block diagram of a network element according to one embodiment of the present invention. The network element of this embodiment is described below with reference to this figure. To avoid repetition, the following description uses the same reference numerals for parts identical to the earlier embodiments and omits their explanation where appropriate.
As shown in Fig. 6, the network element 300 comprises: a broadcast access key generation unit (BAK generator) 104 for generating the broadcast access key; a validity time setting unit 401, which sets the start time (VF) and end time (VT) of the validity period of the broadcast access key (BAK) according to the terminal's subscription; and a broadcast access key distribution unit (BAK distributor) 105 for sending the broadcast access key and the start time and end time of its validity period to the terminal. In addition, like an existing BCMCS controller, the network element 300 may also comprise an SK manager for generating the SK from the BAK and SK_RAND.
Unlike the embodiments shown in Fig. 4 and Fig. 5, the network element 300 of this embodiment also comprises a traffic key encryption unit 301, which uses the plurality of session keys, in time order, to encrypt at least one traffic key respectively. Each of the at least one traffic key is assigned a unique traffic key identifier (Traffic Key ID) in time order, and this traffic key identifier is referenced to the identifier of the time period in which it falls.
In this embodiment, the validity time setting unit 401 sets the start time (VF) and end time (VT) of the broadcast access key (BAK) as relative times, using the traffic key identifier (Traffic Key ID) as the time reference. Specifically, BAK_Expire is set as follows:
a) If the user has subscribed to long-term broadcast, VF and VT should be set to the identifiers of the time periods containing the start moment and the end moment of this BAK.
b) If the user has subscribed to specific content or to a service for a fixed interval (for example monthly, weekly or for several hours), VF and VT should be set according to the identifiers of the time periods containing the start moment and the end moment of that content or service. For example, VF should be set to the identifier of the time period containing the start moment of the content or service minus 1, and VT should be set to the identifier of the time period containing its end moment plus 1. If the time interval of the content or service spans more than one BAK, multiple BAK messages are sent to the user, and VF and VT in each BAK should be set so that they join seamlessly and cover the whole duration of the content or service.
In operation, the network element of this embodiment can be used to implement the method for providing a broadcast/multicast service to a terminal described in the earlier embodiments, and obtains the technical advantages of those embodiments.
In implementation, the network element 300 of each of the above embodiments and the components it comprises, such as the broadcast access key generation unit 104, the validity time setting unit 401, the broadcast access key distribution unit 105, the SK manager, the traffic key encryption unit 307 and the SK-ID assignment unit, can be realized in software, in hardware, or in a combination of software and hardware. For example, those skilled in the art are familiar with a variety of devices that can be used to realize these components, such as microprocessors, microcontrollers, application-specific integrated circuits (ASIC), programmable logic devices (PLD) and/or field programmable gate arrays (FPGA). The parts of the network element 300 of each of the above embodiments can be integrated together, realized separately and independently, or physically separated and operationally interconnected.
Under the same inventive concept, one embodiment of the present invention provides a terminal that can serve as the terminal receiving the BCMCS service in a BCMCS system. Fig. 7 schematically shows a block diagram of the structure of a terminal according to one embodiment of the present invention. The terminal of this embodiment is described below with reference to this figure.
As shown in Fig. 7, the terminal 700 of this embodiment comprises: a BAK request unit 701 for requesting the broadcast access key (BAK); a BAK receiving unit 702 for receiving the BAK and the start time and end time of its validity period; a validity time judging unit 704 for judging, according to the start time and end time of the validity period of the received BAK, whether this BAK is valid; and a broadcast/multicast service data decryption unit 703 for decrypting the received encrypted broadcast/multicast service data when the BAK is valid. In this embodiment, the terminal 700 may also comprise a session key generation unit for generating a session key from this BAK and the currently received session key random number when the BAK is valid. The broadcast/multicast service data decryption unit 703 uses this session key to decrypt the received broadcast/multicast service data.
In this embodiment, the start time and end time of the BAK validity period are expressed as absolute times, and the validity time judging unit 704 judges whether the BAK is valid according to the start time and end time of the received BAK validity period and the current time.
Under the same inventive concept, according to another embodiment of the present invention, the start time and end time of the BAK validity period are expressed as relative times and are referenced to the identifiers of the time periods, within the network-side BAK life cycle, that contain the start moment and the end moment respectively. The broadcast/multicast service data is sent to the terminal after being encrypted with a plurality of session keys in time order. The plurality of session keys are generated, in time order, from the broadcast access key and a plurality of session key random numbers. Session key identifiers (SK-ID) are assigned to the plurality of session keys in time order; each SK_ID is associated with the identifier of the time period, within the network-side BAK life cycle, in which that SK takes effect, and serves as the reference for judging the BAK validity period.
In this way, the validity time judging unit 704 can judge whether the BAK is valid according to the start time and end time of the BAK validity period and the current session key identifier. In this embodiment, the terminal 700 may also comprise a session key generation unit for generating a session key from this BAK and the currently received session key random number when the BAK is valid. The broadcast/multicast service data decryption unit 703 uses this session key to decrypt the received broadcast/multicast service data.
Under the same inventive concept, according to yet another embodiment of the present invention, the start time and end time of the BAK validity period are expressed as relative times and are referenced to the identifiers of the time periods, within the network-side BAK life cycle, that contain the start moment and the end moment respectively. The broadcast/multicast service data is sent to the terminal after being encrypted with a plurality of traffic keys (Traffic Key) in time order. Each traffic key is assigned a unique traffic key identifier (Traffic_Key_ID) in time order; this Traffic_Key_ID is associated with the identifier of the time period, within the network-side BAK life cycle, in which that traffic key takes effect, and serves as the reference for judging the BAK validity period.
In this embodiment, the validity time judging unit 704 can judge whether the BAK is valid according to the start time and end time of the BAK validity period and the current traffic key identifier.
In addition, in this embodiment the terminal 700 may also comprise a session key generation unit for generating a session key from this BAK and the currently received session key random number when the BAK is valid. The broadcast/multicast service data decryption unit 703 first uses the generated session key to decrypt the received encrypted traffic key, and then uses that traffic key to decrypt the broadcast/multicast service data.
In operation, the terminal of each of the above embodiments can be used to implement the method for providing a broadcast/multicast service to a terminal described in the earlier embodiments, and obtains the technical advantages of those embodiments.
In implementation, the terminal 700 of each of the above embodiments and the parts it comprises, such as the BAK request unit 701, the BAK receiving unit 702, the validity time judging unit 704, the broadcast/multicast service data decryption unit 703 and the session key generation unit, can be realized in software, in hardware, or in a combination of software and hardware. For example, those skilled in the art are familiar with a variety of devices that can be used to realize these parts, such as microprocessors, microcontrollers, application-specific integrated circuits (ASIC), programmable logic devices (PLD) and/or field programmable gate arrays (FPGA). The parts of the terminal 700 of each of the above embodiments can be integrated together, realized separately and independently, or physically separated and operationally interconnected. For example, the validity time judging unit 704 and the session key generation unit can be realized in the UIM of the terminal and the other parts in the ME, but the present invention is not limited to this.
Under the same inventive concept, according to another aspect of the present invention, a communication system is also proposed. This communication system comprises the network element described in the earlier embodiments and the terminal described in the earlier embodiments.
In operation, the communication system of this embodiment can be used to implement the method for providing a broadcast/multicast service to a terminal described in the earlier embodiments, and obtains the technical advantages of those embodiments.
Although the method, network element, terminal and communication system of the present invention for providing a broadcast/multicast service to a terminal have been described in detail above through some exemplary embodiments, these embodiments are not exhaustive, and those skilled in the art can make various changes and modifications within the spirit and scope of the present invention. The present invention is therefore not limited to these embodiments, and its scope is defined only by the claims.

Claims (24)

1. A method for providing a broadcast/multicast service to a terminal, characterized by comprising:
setting, according to the subscription of the terminal, the start time (VF) and end time (VT) of the validity period of the broadcast access key (BAK) to be sent to the terminal;
sending the broadcast access key and the start time and end time of its validity period to the terminal; and
decrypting the received encrypted broadcast/multicast service data using the broadcast access key, according to the start time and the end time of the validity period.
2. The method for providing a broadcast/multicast service to a terminal according to claim 1, wherein the start time and end time of the validity period of the broadcast access key are expressed as absolute times.
3. The method for providing a broadcast/multicast service to a terminal according to claim 2, wherein the step of decrypting the received encrypted broadcast/multicast service data comprises:
judging whether the broadcast access key is valid according to the start time and end time of the validity period of the broadcast access key and the current time; and
when the broadcast access key is judged valid, decrypting the received encrypted broadcast/multicast service data using the broadcast access key.
4. The method for providing a broadcast/multicast service to a terminal according to claim 1, wherein the start time and end time of the validity period of the broadcast access key are expressed as relative times, the method further comprising:
dividing the life cycle of the broadcast access key on the network side into a number of time periods, numbering each time period, and using the time-period numbers as the reference for the start time and end time of the validity period of the broadcast access key; and
generating, in time order, a plurality of session keys (SK) from the broadcast access key and a plurality of session key random numbers (SK_RAND); and
assigning, in time order, session key identifiers (SK-ID) to the plurality of session keys, and sending the session key identifier to the terminal together with the broadcast/multicast data, as the reference for judging the validity of the broadcast access key;
wherein the broadcast/multicast service data is sent to the terminal after being encrypted, in time order, with the plurality of session keys respectively.
5. The method for providing a broadcast/multicast service to a terminal according to claim 4, wherein the step of decrypting the received encrypted broadcast/multicast service data comprises:
judging whether the broadcast access key is valid according to the start time and end time of the validity period of the broadcast access key and the current session key identifier; and
when the broadcast access key is judged valid, decrypting the received encrypted broadcast/multicast service data using the broadcast access key.
6. The method for providing a broadcast/multicast service to a terminal according to claim 5, wherein the step of decrypting the received encrypted broadcast/multicast service data using the broadcast access key when the broadcast access key is judged valid comprises:
on the terminal side, generating the current session key from the broadcast access key and the current session key random number; and
decrypting the received broadcast/multicast service data using the current session key.
7. The method for providing a broadcast/multicast service to a terminal according to claim 1, wherein the start time and end time of the validity period of the broadcast access key are expressed as relative times;
the broadcast/multicast service data is sent to the terminal after being encrypted with a plurality of traffic keys (Traffic Key) in time order, wherein each traffic key is assigned a unique traffic key identifier (Traffic Key ID) in time order, as the reference for judging the validity of the broadcast access key.
8. The method for providing a broadcast/multicast service to a terminal according to claim 7, wherein the step of decrypting the received encrypted broadcast/multicast service data comprises:
judging whether the broadcast access key is valid according to the start time and end time of the validity period of the broadcast access key and the current traffic key identifier; and
when the broadcast access key is judged valid, decrypting the received broadcast/multicast service data using the broadcast access key.
9. The method for providing a broadcast/multicast service to a terminal according to claim 8, further comprising:
generating, in time order, a plurality of session keys (SK) from the broadcast access key and a plurality of session key random numbers (SK_RAND); and
encrypting the traffic keys, in time order, with the plurality of session keys respectively; and
sending the encrypted traffic key and the traffic key identifier to the terminal together with the encrypted broadcast/multicast service data.
10. The method for providing a broadcast/multicast service to a terminal according to claim 9, wherein the step of decrypting the received broadcast/multicast service data using the broadcast access key comprises:
on the terminal side, generating the current session key from the broadcast access key and the current session key random number;
decrypting the received encrypted traffic key using the current session key, to obtain the traffic key; and
decrypting the broadcast/multicast service data using the traffic key.
11. The method for providing a broadcast/multicast service to a terminal according to any one of claims 1-9, wherein the current broadcast access key identifier, the current session key random number and the broadcast/multicast service flow identifier (BCMCS_FLOW_ID) are also sent to the terminal together with the broadcast/multicast service data.
12. A network element for controlling a broadcast/multicast service (BCMCS), characterized by comprising:
A broadcast access key generation unit (BAK generator), for generating a broadcast access key;
A validity time setting unit, which sets a start time (VF) and an end time (VT) of a validity period for the broadcast access key (BAK) according to the subscription of a terminal; and
A broadcast access key distribution unit (BAK distributor), for sending the broadcast access key and the start time and end time of its validity period to the terminal.
13. The network element according to claim 12, wherein the start time and end time of the validity period of the broadcast access key are expressed in the form of absolute time.
14. The network element according to claim 13, wherein the start time and end time of the validity period of the broadcast access key are expressed in the form of relative time, the network element further comprising:
A session key generation unit, which generates, in chronological order, a plurality of session keys respectively from the broadcast access key and a plurality of session key random numbers.
15. The network element according to claim 12, wherein the start time and end time of the validity period of the broadcast access key are expressed in the form of relative time, the network element further comprising:
A session key generation unit, which generates, in chronological order, a plurality of session keys respectively from the broadcast access key and a plurality of session key random numbers; and
A session key identifier assignment unit, which assigns, in chronological order, a unique session key identifier to each of the plurality of session keys, as the reference for the terminal's judgment of the validity of the broadcast access key.
16. The network element according to claim 12, wherein the start time and end time of the validity period of the broadcast access key are expressed in the form of relative time, the network element further comprising:
A session key generation unit, which generates, in chronological order, a plurality of session keys respectively from the broadcast access key and a plurality of session key random numbers; and
A transmission security key encryption unit, which encrypts, in chronological order, at least one transmission security key with the plurality of session keys respectively, wherein the at least one transmission security key is assigned a unique transmission security key identifier in chronological order, as the time reference for the terminal's judgment of the validity of the broadcast access key.
17. The network element according to claim 17, further comprising:
A session key sending unit, for sending the session key, the encrypted transmission security key and the transmission security key identifier to the radio network side.
18. A terminal for receiving a broadcast/multicast service (BCMCS), characterized by comprising:
A broadcast access key request unit, for requesting a broadcast access key;
A broadcast access key receiving unit, for receiving the broadcast access key and the start time and end time of its validity period;
A validity time judging unit, for judging whether the broadcast access key is valid according to the start time and end time of the validity period of the broadcast access key; and
A broadcast/multicast service data decryption unit, for decrypting the received encrypted broadcast/multicast service data in the case where the broadcast access key is valid.
19. The terminal according to claim 18, wherein the start time and end time of the validity period of the broadcast access key are expressed in the form of absolute time;
The validity time judging unit judges whether the broadcast access key is valid according to the start time and end time of the validity period of the broadcast access key and the current time.
20. The terminal according to claim 18, wherein the start time and end time of the validity period of the broadcast access key are expressed in the form of relative time,
The validity time judging unit judges whether the broadcast access key is valid according to the start time and end time of the validity period of the broadcast access key and the current session key identifier;
Wherein the broadcast/multicast service data is sent to the terminal after being encrypted, in chronological order, with a plurality of session keys respectively, the plurality of session keys being generated, in chronological order, respectively from the broadcast access key and a plurality of session key random numbers; and a unique session key identifier is assigned, in chronological order, to each of the plurality of session keys, as the time reference for judging the validity of the broadcast access key.
21. The terminal according to any one of claims 18-20, further comprising: a session key generation unit, for generating a session key from the broadcast access key and the current session key random number;
Wherein the broadcast/multicast service data decryption unit decrypts the received broadcast/multicast service data using the session key.
22. The terminal according to claim 18, wherein the start time and end time of the validity period of the broadcast access key are expressed in the form of relative time;
The validity time judging unit judges whether the broadcast access key is valid according to the start time and end time of the validity period of the broadcast access key and the current transmission security key identifier;
Wherein the broadcast/multicast service data is sent to the terminal after being encrypted, in chronological order, with a plurality of transmission security keys respectively, wherein each transmission security key is assigned a unique transmission security key identifier in chronological order, as the time reference for judging the validity of the broadcast access key.
23. The terminal according to claim 22, further comprising: a session key generation unit, for generating a session key from the broadcast access key and the current session key random number;
Wherein the broadcast/multicast service data decryption unit first decrypts the received encrypted transmission security key using the session key, and then decrypts the broadcast/multicast service data using the transmission security key.
24. A communication system, comprising: the network element according to any one of claims 12-17; and
The terminal according to any one of claims 18-23.
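The key chain of claims 8-10 and 22-23 can be sketched as follows. This is an added example, not code from the patent. It assumes HMAC-SHA256 as the derivation function, an HMAC-based keystream as a stand-in cipher, integer transmission security key identifiers, and inclusive VF/VT bounds; the claims specify none of these, and all function and class names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Bak:
    key: bytes
    vf: int  # validity start, expressed as a transmission security key identifier
    vt: int  # validity end, same relative form


def derive_sk(bak_key: bytes, sk_rand: bytes) -> bytes:
    # Assumed derivation: the claims only say SK is generated from BAK and SK_RAND.
    return hmac.new(bak_key, sk_rand, hashlib.sha256).digest()


def stream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 keystream, unauthenticated). It is symmetric,
    # so the same call encrypts and decrypts. Not a production cipher.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, label + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def network_send(bak_key, sk_rand, tk_id, tk, data):
    # Network side (claim 9): SK wraps the transmission key, which encrypts the data.
    sk = derive_sk(bak_key, sk_rand)
    tid = tk_id.to_bytes(4, "big")
    return stream_xor(sk, b"tk" + tid, tk), stream_xor(tk, b"data" + tid, data)


def bak_is_valid(bak: Bak, current_tk_id: int) -> bool:
    # Claim 8: compare the current identifier with VF and VT (inclusive bounds assumed).
    return bak.vf <= current_tk_id <= bak.vt


def terminal_decrypt(bak, sk_rand, tk_id, wrapped_tk, payload):
    # Claims 8 and 10: refuse before deriving any key if the BAK is outside its window.
    if not bak_is_valid(bak, tk_id):
        return None
    sk = derive_sk(bak.key, sk_rand)
    tid = tk_id.to_bytes(4, "big")
    tk = stream_xor(sk, b"tk" + tid, wrapped_tk)
    return stream_xor(tk, b"data" + tid, payload)
```

Because the stand-in cipher is unauthenticated, a terminal holding the wrong BAK gets garbage rather than an error; a real deployment would use an authenticated cipher so that case fails explicitly.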
Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2007100445734A CN101119200A (en) 2007-08-03 2007-08-03 Method, network unit, terminal and system for providing broadcast/multicast service

Publications (1)

Publication Number Publication Date
CN101119200A true CN101119200A (en) 2008-02-06

Family

ID=39055156

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2007100445734A Pending CN101119200A (en) 2007-08-03 2007-08-03 Method, network unit, terminal and system for providing broadcast/multicast service

Country Status (1)

Country Link
CN (1) CN101119200A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010012148A1 (en) * 2008-08-01 2010-02-04 阿尔卡特朗讯 Method and apparatus for safely communicating based on broadcast or multicast
CN103874024A (en) * 2012-12-13 2014-06-18 中国移动通信集团公司 Task scheduling method, apparatus and system of broadcasting download business
CN106131801A (en) * 2016-06-30 2016-11-16 成都西可科技有限公司 A kind of based on android system without JA(junction ambient) enciphered data transmission method
CN106131801B (en) * 2016-06-30 2019-10-01 成都西可科技有限公司 One kind being based on the connectionless environment enciphered data transmission method of android system
CN107872319A (en) * 2016-09-22 2018-04-03 国民技术股份有限公司 Information transferring method, device and message receiving method, device
CN106790242A (en) * 2017-01-22 2017-05-31 济南浪潮高新科技投资发展有限公司 A kind of communication means, communication equipment, computer-readable recording medium and storage control
CN107295012A (en) * 2017-08-01 2017-10-24 贝氏科技有限公司 Encrypting and deciphering system and method
CN107302546B (en) * 2017-08-16 2021-05-21 北京奇虎科技有限公司 Big data platform security access system and method and electronic equipment
CN114785571A (en) * 2022-04-06 2022-07-22 浙江数秦科技有限公司 Block chain-based subscription information distribution system
CN114785571B (en) * 2022-04-06 2024-02-27 浙江数秦科技有限公司 Subscription information distribution system based on block chain

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20080206