CN101399662B - Method, system, conditional access module and user terminal for obtaining a service key - Google Patents

Info

Publication number: CN101399662B
Authority: CN (China)
Prior art keywords: key, user terminal, terminal, authority, business
Legal status: Expired - Fee Related
Application number: CN2008102236066A
Other languages: Chinese (zh)
Other versions: CN101399662A
Inventors: 张辉, 王西强, 李向阳
Current assignee: BEIJING BOXIN SHITONG TECHNOLOGY CO., LTD.
Original assignee: Innofidei Technology Co Ltd

Timeline: application filed by Innofidei Technology Co Ltd with priority to CN2008102236066A; published as CN101399662A; application granted and published as CN101399662B; current legal status Expired - Fee Related.

Classification: Storage Device Security

Abstract

The invention provides a method and a system for obtaining a service key. The method comprises the following steps: the network end randomly generates the initial service key required by a user, and sends to the user terminal initial entitlement management information in ciphertext form together with entitlement information for the service the user has subscribed to; the user terminal receives the initial entitlement management information and decrypts it to obtain the initial service key; when an update is triggered, the user terminal uses the current service key and the same computation as the network end to generate and update, by itself, the service keys required within its subscription entitlement. The invention also provides a conditional access module and a user terminal. With this simple service authorization method the invention improves the authorization efficiency of the user terminal and saves resources at the network end, thereby saving transmission bandwidth.

Description

Method, system, conditional access module and user terminal for obtaining a service key
Technical field
The present invention relates to the field of data communication in conditional access systems, and in particular to a service key obtaining method and system, a user terminal and a conditional access module.
Background art
Conditional access means applying different protection to the various services by effective means, and controlling which users, namely those who have bought the corresponding entitlement, may receive them. For example, for existing charged services such as pay TV, pay-per-view TV and video on demand (VOD), it authorizes what the user watches and when.
At the network end, video, audio or data streams are first scrambled under the control of control words; these control words are also called keys. In a conditional access system with broadcast-mode authorization, the service key is encrypted under the user key to form an Entitlement Management Message (EMM). Service data is usually encrypted with the key at the network end, sent to the terminal over the transmission network, and then decrypted by the user terminal according to the entitlement management message to obtain the authorized service data, for example a pay TV signal.
Generally, EMM information is pushed to user terminals by data carousel. A data carousel is a service that allows a server or an application to send the same set of data modules periodically, once or repeatedly. If a user terminal misses the EMM in the current carousel round, it has to wait for the next broadcast when it wants to access one of the modules again. Worse, when the number of users is very large, the amount of data in the carousel is enormous. According to preliminary estimates, with tens of millions of users the EMM carousel period can reach 3 to 4 hours, so a user that misses this round's EMM may need a long time to be authorized again. The network end therefore cannot deliver key information to a user terminal in time when the terminal needs a specific key.
For example, for a user subscribed to a monthly-payment service, the service key must be updated every month and the user must extract the corresponding key information from the EMM carousel each month; the existing authorization method therefore undoubtedly degrades the user experience.
In summary, an urgent technical problem for those skilled in the art is to devise a simple service authorization method that improves the authorization efficiency of the user terminal, saves network-end resources and saves transmission bandwidth.
Summary of the invention
The technical problem solved by the present invention is to provide a service key obtaining method and system, a user terminal and a conditional access module that improve the authorization efficiency of the user terminal, save network-end resources and save transmission bandwidth.
To solve the above problem, embodiments of the invention provide a service key obtaining method comprising the following steps: the network end randomly generates the initial service key required by the user, and sends to the user terminal initial entitlement management information in ciphertext form together with entitlement information for the user's subscribed service; the user terminal receives the initial entitlement management information and decrypts it to obtain the initial service key; when an update is triggered, the user terminal uses the current service key and the same computation as the network end to automatically generate and update the service keys required within its subscription entitlement.
Preferably, the initial service key is encrypted under the user key to form the initial entitlement management information.
Further, the network end randomly generates a protection key and symmetrically encrypts the initial service key with it; the initial service key encrypted under the protection key and the corresponding protection key are then encrypted again under the user key to form the initial entitlement management information. The user key is bound to the user terminal.
Preferably, after the user terminal receives the initial entitlement management information, it sends a reception-success feedback message to the network end, and the network end removes this terminal from the list of recipients of subsequent entitlement management messages.
Preferably, the condition that triggers an update is a preset point in time.
Further, time consistency between the network end and the terminal is ensured in one of the following ways: when the network end sends the initial entitlement management information and the user's subscription entitlement information, it sends a time reference signal; or a time reference signal is included in the authorized service data sent by the network end.
Preferably, each time the service key of the user terminal is updated, the entitlement count of the service subscribed by this terminal is automatically incremented or decremented by a set step; when the entitlement count of the subscribed service reaches a predetermined termination value, automatic updating stops.
Preferably, the automatic increment or decrement of the entitlement count is performed by a security agent software entity, or by a hardware circuit.
Preferably, when the user requests renewal of the same service, the network end sends a new entitlement count to the user terminal to replace the currently remaining entitlement count.
According to embodiments of the invention, a service key obtaining system is also disclosed, comprising a network end and a user terminal. The network end may comprise:
a key generation unit, for randomly generating the initial service key required by the user, encrypting it to obtain the initial entitlement management information, generating the entitlement information for the user's subscribed service, and sending the entitlement management information and the entitlement information to the user terminal.
The user terminal comprises:
a receiving unit, for receiving the initial entitlement management information and the entitlement information;
a decryption unit, for decrypting the initial entitlement management information to obtain the initial service key and storing it as the current service key;
a self-update unit, for using the current service key, when an update is triggered, with the same computation as the network end, to automatically generate and update the service keys required within the subscription entitlement.
Further, the key generation unit comprises:
a module for randomly generating the initial service key;
a module for randomly generating the protection key;
a first encryption module, for symmetrically encrypting the initial service key with the protection key;
a second encryption module, for encrypting the protection key together with the initial service key encrypted under the protection key using the user key, to obtain the initial entitlement management information; the user key is bound to the user terminal.
Preferably, the service key obtaining system also comprises:
a feedback unit, located in the user terminal, for sending a reception-success feedback message to the network end after the initial entitlement management information is received; the feedback message tells the network end to remove this terminal from the list of recipients of subsequent entitlement management messages.
Preferably, the condition that triggers an update is a preset point in time.
Preferably, the service key obtaining system also comprises:
a time adjustment unit, located in the user terminal, for receiving the time reference signal sent by the network end and correcting the local time so that the two stay consistent; the time reference signal is transmitted together with the initial entitlement management information and the entitlement information, or together with the authorized service data;
a security counter unit, located in the user terminal, for automatically incrementing or decrementing the entitlement count of the subscribed service each time the service key of the user terminal is updated; when the entitlement count reaches the preset termination value, automatic updating stops.
Preferably, the automatic increment or decrement of the entitlement count is performed by a security agent software entity, or by a hardware circuit.
According to embodiments of the invention, a conditional access module is also disclosed, comprising:
a receiving unit, for receiving from the network end the initial entitlement management information and the entitlement information generated by the network end;
a decryption unit, for decrypting the initial entitlement management information to obtain the initial service key and storing it as the current service key;
a self-update unit, for using the current service key, when an update is triggered, with the same computation as the network end, to automatically generate and update the service keys required within the subscription entitlement.
Further, the conditional access module is embedded in the user terminal equipment so as to form a single unit with the user terminal; or the conditional access module is connected to the user terminal as a separately pluggable module.
Further, the conditional access module also comprises:
a feedback unit, for sending a reception-success feedback message to the network end after the initial entitlement management information is received; the feedback message tells the network end to remove this terminal from the list of recipients of subsequent entitlement management messages;
a time adjustment unit, for receiving the time reference signal sent by the network end and correcting the local time of the user terminal so that the two stay consistent; the time reference signal is transmitted together with the initial entitlement management information and the entitlement information, or together with the authorized service data;
a security counter unit, for automatically incrementing or decrementing the entitlement count of the subscribed service each time the service key of the user terminal is updated; when the entitlement count reaches the preset termination value, automatic updating stops.
Preferably, the automatic increment or decrement of the entitlement count is performed by a security agent software entity, or by a hardware circuit.
According to embodiments of the invention, a user terminal is also disclosed, comprising a conditional access module, the conditional access module comprising:
a receiving unit, for receiving the initial entitlement management information and the entitlement information generated by the network end;
a decryption unit, for decrypting the initial entitlement management information to obtain the initial service key and storing it as the current service key;
a self-update unit, for using the current service key, when an update is triggered, with the same computation as the network end, to automatically generate and update the service keys required within the subscription entitlement.
Further, the conditional access module also comprises a security counter unit, for automatically incrementing or decrementing the entitlement count of the subscribed service each time the service key of the user terminal is updated; when the entitlement count reaches the preset termination value, automatic updating stops.
Further, the user terminal also comprises:
a feedback unit, for sending a reception-success feedback message to the network end after the initial entitlement management information is received; the feedback message tells the network end to remove this terminal from the list of recipients of subsequent entitlement management messages;
a time adjustment unit, for receiving the time reference signal sent by the network end and correcting the local time of the user terminal so that the two stay consistent; the time reference signal is transmitted together with the initial entitlement management information and the entitlement information, or together with the authorized service data.
Preferably, the automatic increment or decrement of the entitlement count is performed by a security agent software entity, or by a hardware circuit.
Compared with the prior art, the present invention has the following advantages:
First, in the present invention the user terminal automatically generates and updates the subsequent service keys within the subscription entitlement, so the network end no longer needs to add update entitlement management messages for this terminal to the data carousel queue; this improves the efficiency of user authorization and the user experience.
Second, after receiving the initial service key information, the user terminal also sends a success feedback message to the network end, so that the network end excludes this user terminal from subsequent service key transmissions (for example, of updated service keys); the network end can therefore release bandwidth once the data transfer is complete, which saves network transmission bandwidth.
Description of drawings
Fig. 1 is a flow chart of the steps of a service key obtaining method embodiment of the present invention;
Fig. 2 is a structural block diagram of a service key obtaining system embodiment of the present invention;
Fig. 3 is a structural block diagram of a conditional access module embodiment of the present invention;
Fig. 4 is a structural block diagram of another conditional access module embodiment of the present invention;
Fig. 5 is a structural block diagram of a user terminal embodiment of the present invention.
Detailed description
To make the above objects, features and advantages of the present invention clearer and easier to understand, the invention is described in further detail below with reference to the drawings and specific embodiments.
The core idea of the present invention is: the user terminal receives the initial service key information and sends a success feedback message to the network end, so that the network end excludes this user terminal from subsequent service key transmissions; and the user terminal automatically generates and updates the subsequent service keys within the subscription entitlement, so that the network end no longer needs to add update entitlement management messages for this terminal to the data carousel queue.
With reference to Fig. 1, a service key obtaining method embodiment of the present invention, aimed mainly at users subscribed to a monthly-payment service, may comprise the following steps:
Step 101: the network end randomly generates the initial service key required by the user, and sends to the user terminal the initial entitlement management information in ciphertext form together with the entitlement information for the user's subscribed service.
In a preferred embodiment, the network end may send the encrypted initial entitlement management information to the user terminal by data carousel; a further improvement is that the network end sends the initial entitlement management information for this user terminal after receiving an uplink request from the terminal. The entitlement information includes the entitlement count the user has bought for this service. Preferably, the network end generates service keys with a KDF (Key Derivation Function). The KDF is a key generation method built on a hash algorithm; the hash algorithm used here is SHA-1 (Secure Hash Algorithm 1). SHA-1 is mainly used in the Digital Signature Algorithm defined in the DSS and produces a 160-bit message digest; on receipt of a message, the digest can be used to verify the integrity of the data.
The input parameters of the KDF are:
Z is the shared secret, a byte string of arbitrary length;
KInfo is additional key information, a byte string of arbitrary length, which may also be empty (NULL);
kLen is the byte length of the output key K; it must be an integer not exceeding 2^32 - 1;
hLen is the output length of the hash algorithm; for SHA-1, used here, it is 160 bits, i.e. 20 bytes;
the KDF output K is a byte string of length kLen.
The KDF is implemented as follows:
Set T to the empty string and, for counter = 1 up to kLen/hLen (rounded up), compute:
T = T ‖ hash(Z ‖ counter ‖ KInfo)
Here a hash algorithm maps an input of arbitrary length to an output of fixed length, the hash value; counter is encoded as a 4-byte unsigned integer, most significant bit first (uimsbf). The first kLen bytes of T are output as the key material, that is:
K = KDF(Z, KInfo, kLen) = T[kLen], the first kLen bytes of T.
In a preferred embodiment, for a class of subscribed service S, the system end uses the above KDF to randomly generate the initial service key K_M (the T[kLen] of the KDF above) and the maximum update sequence number N of the service key (N is the total entitlement count of the service; for a monthly-payment service, N = 24 means the service lasts 24 months). Suppose the service key is updated monthly: when the system end opens the service the service key is K_1 with update sequence number 1; thereafter the sequence number increases by one each month, the service key of month i is K_i with update sequence number i, until the maximum sequence number N is reached. K_i is generated as follows:
K_0 = K_M
K_1 = KDF(K_0, NULL, klen),
K_i = KDF(K_{i-1}, NULL, klen),
where NULL is the empty string and klen is the byte length of the generated key.
For the present invention the algorithm that generates the service key is not limited to the KDF; other service key generation algorithms well known to those skilled in the art are also feasible.
When a receiving terminal of the system has subscribed to this service and bought M subscription entitlements (M is the entitlement count bought by the user, 0 < M <= N - j, where j is the time at which this service is currently opened), the network end sends the value M to the user terminal when the user subscribes, and generates the initial service key K_j required when the user opens the service. To strengthen the security of the user's subscription, the initial service key K_j is encrypted to form the initial entitlement management information EMM_j.
Generally the initial service key K_j is encrypted under the user key to form the initial entitlement management information EMM_j; the user key authenticates the user's identity, prevents illegal entry into the network, and protects the user data transmitted over the wireless channel from being stolen. Many related techniques already exist in the prior art for generating the user key, so they are not repeated here.
Although the initial service key is encrypted under the user key, to further strengthen its resistance to cracking the network end may randomly generate a protection key and symmetrically encrypt the initial service key with it; the initial service key encrypted under the protection key and the corresponding protection key are then encrypted again under the user key to form the initial entitlement management information, which is sent to the user terminal. The user key is bound to the user terminal. With this multi-layer mechanism the end user obtains the initial service key only by decrypting the initial entitlement management information and at the same time obtaining the protection key, which greatly increases the security of the initial service key transfer.
The user key may take the form of a symmetric key, so that the encryption at the network end and the decryption at the user terminal use the same key; symmetric algorithms such as DES, 3-DES, IDEA and AES can usually be used.
A further improvement is that the user key may also take the form of an asymmetric key, i.e. a matched pair of keys is used for encryption and decryption: one of the two is the public key and the other the private key, and when one is used to encrypt, the other is used to decrypt. Data encrypted with the public key can only be decrypted with the private key, and data encrypted with the private key can only be decrypted with the public key. A simple public key scheme can be expressed with primes: the terminal chooses two large primes p and q (the values of p and q are kept secret); the multiplication of the two primes serves as the public key, expressed as n = pq (the value n is public) and f(n) = (p-1)(q-1) (the value f(n) is kept secret). The plaintext message may contain the initial service key and the protection key, and after encryption it forms the EMM. Encryption therefore consists of combining the initial service key information to be transmitted with the primes during encoding, and sending the encoded result to the user terminal. Asymmetric algorithms such as RSA and ECC can usually be used.
Step 102: the user terminal receives the initial entitlement management information and decrypts it to obtain the initial service key.
In a preferred embodiment, for terminals with an uplink, such as mobile phones or some cellular industrial control devices, a further improvement is that the user terminal sends a reception-success feedback message to the network end, and the network end removes this terminal from the list of recipients of subsequent entitlement management messages; that is, after receiving the feedback, the network end no longer adds updated EMM information for this terminal to the data carousel queue. For one-way terminals without an uplink, the number of carousel rounds can be limited by estimating the number of rounds needed, which likewise saves network transmission bandwidth. For example, if for a given one-way terminal the probability of successfully receiving the entitlement information reaches 99% after n carousel rounds, the network end can remove the entitlement information from the carousel queue directly after n rounds without any feedback from the terminal; the value n can be determined by the network end through testing according to the service requirements.
The preferred embodiment uses a Decrypt function to decrypt EMM_j and obtain the initial service key K_j required when the user opens the service; the decryption is:
K_j = CA.Decrypt(UID, EMM_j)
For an initial service key K_j encrypted under an asymmetric user key, the specific decryption reverses the addition of the primes performed during encryption:
The user terminal randomly selects a positive integer e with 1 < e < f(n) and e coprime to f(n), and publishes e as the terminal's public key; the user terminal then computes d such that d*e = 1 (mod f(n)), and d is the terminal's private key. When the network end encrypts the initial service key, the ciphertext of plaintext m is c = m^e mod n; the user terminal decrypts the initial EMM by computing, for ciphertext c, the plaintext m = c^d mod n.
The above process of decrypting public-key-encrypted data with the private key is well known to those skilled in the art and is therefore only briefly introduced here.
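Worked example of the asymmetric exchange described in Step 102: the terminal chooses p, q, e and d, the network end computes c = m^e mod n for the initial service key, and the terminal recovers m = c^d mod n. This Python code is added by the editor and is not part of the patent. The fixed primes p = 2^31 - 1 and q = 2^61 - 1 are constructed so the example runs offline and deterministically; they are far too small for real use, and a real terminal would generate large random primes. The function names, the 10-byte key length and the sample key are assumptions for the example; the protection-key layer of the multi-layer scheme is not shown. Note that this is unpadded textbook RSA exactly as the page describes it: encryption is deterministic (the same K_j always yields the same EMM_j) and the ciphertext is malleable, so a deployment would wrap the key in a padded mode such as RSA-OAEP rather than use the raw operation.

```python
import secrets
from math import gcd

# Constructed, fixed primes so the example runs offline and repeatably.
# p = 2^31 - 1 and q = 2^61 - 1 are Mersenne primes; n is about 2^92,
# which holds a 10-byte (80-bit) service key but is useless for real security.
P = 2147483647
Q = 2305843009213693951


def terminal_keygen(p=P, q=Q):
    """Terminal side: n = p*q, f(n) = (p-1)(q-1), random e coprime to f(n),
    d = e^-1 mod f(n).  Returns ((e, n), d): (e, n) is published as the
    terminal's public key, d stays inside the terminal."""
    n = p * q
    phi = (p - 1) * (q - 1)
    while True:
        e = 2 + secrets.randbelow(phi - 2)        # 1 < e < f(n)
        if gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)                           # modular inverse (Python 3.8+)
    assert (d * e) % phi == 1
    return (e, n), d


def network_encrypt_emm(pub, service_key: bytes) -> int:
    """Network end: EMM_j = m^e mod n, with m the service key K_j as an integer."""
    e, n = pub
    m = int.from_bytes(service_key, "big")
    if m >= n:
        raise ValueError("service key does not fit below the modulus")
    return pow(m, e, n)


def terminal_decrypt_emm(priv_d: int, n: int, emm: int, klen: int) -> bytes:
    """Terminal side (the page's CA.Decrypt): K_j = EMM_j^d mod n,
    restored to its klen-byte form (leading zero bytes included)."""
    m = pow(emm, priv_d, n)
    return m.to_bytes(klen, "big")


def emm_roundtrip(service_key: bytes):
    """Run the whole exchange once; returns (recovered key, EMM_j, n)."""
    pub, d = terminal_keygen()
    emm = network_encrypt_emm(pub, service_key)
    return terminal_decrypt_emm(d, pub[1], emm, len(service_key)), emm, pub[1]


if __name__ == "__main__":
    k_j = secrets.token_bytes(10)                 # constructed 80-bit initial service key
    recovered, emm, n = emm_roundtrip(k_j)
    print("EMM_j =", hex(emm))
    print("terminal recovered K_j:", recovered == k_j)
```

The size check in network_encrypt_emm is the one the page glosses over: the key (plus, in the multi-layer variant, the protection key) must encode to an integer below n, which is why the plaintext block is bounded by the modulus size.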
Step 103: when an update is triggered, the user terminal uses the current service key and the same computation as the network end to automatically generate and update the service keys required within the subscription entitlement.
In a preferred embodiment, because the user terminal supports the same KDF as the network end, after receiving an EMM_j that contains K_j it can use K_j to update the service key automatically, as follows:
K_{j+1} = KDF(K_j, NULL, klen),
K_M = KDF(K_{M-1}, NULL, klen).
The above process is performed on a trusted software entity of the user terminal. The present invention does not limit the specific software entity; other software entities well known to those skilled in the art, such as a DRM Agent, are also feasible.
It should be noted that each time the service key of the user terminal is self-updated, the entitlement count of the subscribed service is automatically decremented or incremented by a set step; when the entitlement count of the subscribed service reaches the predetermined termination value, automatic updating stops. In the embodiment of the invention, each self-update of the service key decrements the entitlement count of the subscribed service by 1, and when the count reaches 0 automatic updating stops. In a specific implementation this process can be performed by a security agent software entity or realized by the internal logic of a hardware circuit.
In addition, the service key is only valid for a certain period (for example, one month) and needs to be updated at a preset point in time within that period. In a preferred embodiment, because the service key is updated automatically at the user terminal rather than relying on key information received after the network end updates it, the user terminal and the network end must update at the same time and produce the same service key so that the end user can obtain the next month's service key; the condition that triggers the service key update is therefore a preset point in time. The network end and the terminal can keep their time consistent as follows: when the network end sends the initial entitlement management information and the user's subscription entitlement information, it sends a time reference signal; in another embodiment, a time reference signal is included in the authorized service data sent by the network end.
When the user requests renewal of the same service, the network end only needs to send a new entitlement count to the user terminal to replace the currently remaining count, and the user terminal can then continue to update the service key automatically after the current subscription ends.
Referring to Fig. 2, a service key acquisition system embodiment of the present invention is shown, which may specifically comprise a network side 200 and a user terminal 201. The network side 200 comprises:
a key generation unit 202, configured to randomly generate the initial service key required by the user, encrypt it to obtain the initial entitlement management message, generate the authorization information for the user's subscribed service, and send the entitlement management message and the authorization information to the user terminal.
The user terminal 201 comprises:
a receiving unit 203, configured to receive the initial entitlement management message and the authorization information;
a decryption unit 204, configured to decrypt the initial entitlement management message, obtain the initial service key and store it as the current service key;
a self-update unit 206, configured to use the current service key when an update is triggered and, with the same calculation process as the network side, automatically generate and update the service key required within the authorization of the subscribed service.
Further, the key generation unit 202 also comprises:
a module for randomly generating the initial service key;
a module for randomly generating a protection key;
a first encryption module, configured to symmetrically encrypt the initial service key with the protection key;
a second encryption module, configured to encrypt the protection key together with the initial service key encrypted by the protection key using the user key, obtaining the initial entitlement management message; wherein the user key is associated with user terminal 201.
Preferably, the system embodiment of the present invention further comprises a feedback unit, located in user terminal 201, configured to send reception-success feedback information to the network side 200 after the initial entitlement management message has been received; this feedback information informs the network side 200 to remove this terminal from its subsequent entitlement management message send list.
Further, the system embodiment of the present invention also comprises a secure counter unit 205. The secure counter unit 205 is a hardware circuit or a software module capable of recording the number of times a program is executed; the initial value of this counter can be set by the security agent only when authorized. The secure counter unit 205 is configured to automatically increment or decrement the authorization count of the subscribed service each time the service key of the user terminal is updated, and to stop automatic updating when the authorization count reaches the preset termination count. In the embodiment of the invention, each time the service key of user terminal 201 is updated, the authorization count of the subscribed service is decremented by 1; when the authorization count is reduced to 0, automatic updating stops.
Preferably, the condition triggering the update is a preset time point. In order to keep the time of the network side 200 and the user terminal 201 consistent, the system embodiment of the present invention further comprises a time adjustment unit, located in user terminal 201, configured to receive the reference time signal sent by the network side 200 and correct the local time so as to ensure the time consistency of the two. The reference time signal is transmitted together with the initial entitlement management message and the authorization information; alternatively, the reference time signal is transmitted together with the authorized service data.
Since the system embodiment substantially corresponds to the method embodiment, its description is relatively brief; for the relevant details, refer to the description of the method embodiment.
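The two-layer initial EMM, the lockstep self-update, the secure counter, the time adjustment unit and the renewal-by-count described in the method and system embodiments above, as an added walk-through that is not part of the patent. The HMAC-based cipher, the KDF step used for "the same calculation process", the message layouts and every identifier are assumptions, since the patent does not specify them.

```python
import hashlib
import hmac
import os
import struct

KEY_LEN, NONCE_LEN, TAG_LEN = 16, 12, 16   # byte sizes (assumed)

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for the unspecified cipher; assumed)
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    # Encrypt-then-MAC; layout: nonce || ciphertext || tag
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]

def decrypt(key, blob):
    # The tag is checked first, so a forged or mis-keyed EMM is rejected outright.
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]):
        raise ValueError("EMM integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def next_service_key(current_sk, epoch):
    # The "same calculation process" both sides run: a one-way KDF step (assumed construction).
    return hmac.new(current_sk, b"SK-update" + struct.pack(">I", epoch), hashlib.sha256).digest()[:KEY_LEN]

class NetworkSide:
    def __init__(self, user_keys):
        self.user_keys = user_keys   # terminal id -> user key, provisioned out of band
        self.pending_emm = set()     # EMM send list (claim 4)
        self.sk0 = {}                # terminal id -> initial service key
    def issue(self, tid, count, period, now):
        sk0, pk = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
        inner = encrypt(pk, sk0)                          # first encryption module
        emm = encrypt(self.user_keys[tid], pk + inner)    # second encryption module
        self.pending_emm.add(tid)
        self.sk0[tid] = sk0
        entitlement = {"count": count, "period": period, "next_update": now + period}
        return emm, entitlement, now                      # `now` doubles as the reference time signal
    def ack(self, tid):
        self.pending_emm.discard(tid)                     # reception-success feedback received
    def key_at_epoch(self, tid, epoch):
        sk = self.sk0[tid]                                # the head end replays the same ladder
        for e in range(1, epoch + 1):
            sk = next_service_key(sk, e)
        return sk

class ConditionalAccessModule:
    def __init__(self, tid, user_key):
        self.tid, self.user_key, self.sk = tid, user_key, None
        self.epoch = self.remaining = self.period = self.next_update = self.clock_offset = 0
    def receive(self, emm, entitlement, ref_time, local_now):
        plain = decrypt(self.user_key, emm)               # decryption unit: outer layer
        pk, inner = plain[:KEY_LEN], plain[KEY_LEN:]
        self.sk, self.epoch = decrypt(pk, inner), 0       # inner layer -> current service key
        self.remaining = entitlement["count"]             # secure counter initial value
        self.period, self.next_update = entitlement["period"], entitlement["next_update"]
        self.clock_offset = ref_time - local_now          # time adjustment unit
        return self.tid                                   # feedback sent back to the network side
    def tick(self, local_now):
        # Self-update unit: derive the next key at each preset time point the counter allows.
        now = local_now + self.clock_offset               # corrected local time
        while self.next_update <= now and self.remaining > 0:
            self.epoch += 1
            self.sk = next_service_key(self.sk, self.epoch)
            self.remaining -= 1                           # decrement by 1; updates stop at 0
            self.next_update += self.period
        return self.epoch
    def renew(self, new_count):
        self.remaining = new_count                        # renewal carries only a new count (claim 9)

def run_scenario():
    # Constructed walk-through: one terminal, two authorized updates, then a renewal.
    uk = os.urandom(KEY_LEN)
    net, cam = NetworkSide({"cam-1": uk}), ConditionalAccessModule("cam-1", uk)
    emm, ent, ref = net.issue("cam-1", count=2, period=30, now=1000)
    net.ack(cam.receive(emm, ent, ref, local_now=995))    # terminal clock runs 5 s slow
    r = {"pending": "cam-1" in net.pending_emm, "wrong_key_rejected": False,
         "k0": cam.sk == net.key_at_epoch("cam-1", 0)}
    cam.tick(1025)   # corrected time 1030: first update
    r["after1"] = (cam.epoch, cam.remaining, cam.sk == net.key_at_epoch("cam-1", 1))
    cam.tick(1100)   # corrected time 1105: second update; a third is blocked by the counter
    r["after2"] = (cam.epoch, cam.remaining, cam.sk == net.key_at_epoch("cam-1", 2))
    cam.renew(1)
    cam.tick(1100)   # the renewed count lets the pending update go ahead
    r["after_renew"] = (cam.epoch, cam.remaining, cam.sk == net.key_at_epoch("cam-1", 3))
    try:   # the same EMM under another terminal's user key is rejected, not misdecrypted
        ConditionalAccessModule("cam-2", os.urandom(KEY_LEN)).receive(emm, ent, ref, 995)
    except ValueError:
        r["wrong_key_rejected"] = True
    return r
```

Note that after the single EMM the network side sends nothing per update: both sides walk the same key ladder, and the counter, not the head end, decides when the terminal stops.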
The embodiment of the invention also relates to a conditional access module (CAM). As shown in Fig. 3, the conditional access module 300 comprises:
a receiving unit 303, configured to receive from the network side the initial entitlement management message and the authorization information generated by the network side;
a decryption unit 304, configured to decrypt the initial entitlement management message, obtain the initial service key and store it as the current service key;
a self-update unit 306, configured to use the current service key when an update is triggered and, with the same calculation process as the network side, automatically generate and update the service key required within the authorization of the subscribed service.
Preferably, the conditional access module 300 of the present invention further comprises:
a secure counter unit 305, configured to automatically increment or decrement the authorization count of the subscribed service each time the service key of the user terminal is updated, and to stop automatic updating when the authorization count reaches the preset termination count. This unit function can be realized by security agent software or by a hardware circuit.
Further, referring to the structural block diagram shown in Fig. 4, the conditional access module 400 of the present invention also comprises:
a feedback unit 407, configured to send reception-success feedback information to the network side after the initial entitlement management message has been received; this feedback information informs the network side to remove this terminal from its subsequent entitlement management message send list;
a time adjustment unit 408, configured to receive the reference time signal sent by the network side and correct the local time of the user terminal so as to ensure the time consistency of the two. The reference time signal is transmitted together with the initial entitlement management message and the authorization information; alternatively, the reference time signal is transmitted together with the authorized service data.
This embodiment shows a preferred case in which the feedback unit and the time correction unit are embedded within the internal structure of the conditional access module. In practical applications, the feedback unit and the time correction unit may also be arranged independently, outside the structure of the conditional access module.
Preferably, in practical applications the conditional access module may be embedded in the structure of the user terminal equipment, forming one structure with the user terminal; alternatively, the module may be connected to the user terminal in a detachable plug-in manner. The present invention does not specifically limit this.
Referring to Fig. 5, a user terminal embodiment of the present invention is shown, comprising a conditional access module 500, where the conditional access module 500 comprises:
a receiving unit 503, configured to receive the initial entitlement management message and the authorization information generated by the network side;
a decryption unit 504, configured to decrypt the initial entitlement management message, obtain the initial service key and store it as the current service key;
a self-update unit 506, configured to use the current service key when an update is triggered and, with the same calculation process as the network side, automatically generate and update the service key required within the authorization of the subscribed service.
Further, in the user terminal embodiment of the present invention the conditional access module 500 also comprises a secure counter unit 505, which decrements the authorization count of the subscribed service by 1 each time the service key of user terminal 501 is updated; when the authorization count is reduced to 0, automatic updating stops.
Preferably, the user terminal embodiment of the present invention further comprises a feedback unit 507, configured to send reception-success feedback information to the network side after the initial entitlement management message has been received; this feedback information informs the network side to remove this terminal from its subsequent entitlement management message send list.
Preferably, the condition triggering the update is a preset time point. In order to keep the time of the user terminal and the network side consistent, the user terminal 501 of the present invention further comprises a time adjustment unit 508, configured to receive the reference time signal sent by the network side and correct the local time of user terminal 501 so as to ensure the time consistency of the two. The reference time signal is transmitted together with the initial entitlement management message and the authorization information; alternatively, the reference time signal is transmitted together with the authorized service data.
The service key acquisition method, system, conditional access module and user terminal provided by the present invention have been described above in detail. Specific examples have been used herein to set forth the principle and implementation of the present invention; the description of the above embodiments is only intended to help in understanding the method of the present invention and its core idea. At the same time, a person of ordinary skill in the art may, following the idea of the present invention, make changes both in the specific implementation and in the scope of application. In summary, the content of this description should not be construed as limiting the present invention.

Claims (27)

1. A service key acquisition method, characterized in that it comprises:
the network side randomly generates the initial service key required by the user, generates an initial entitlement management message in ciphertext form together with authorization information for the user's subscribed service, and sends them to the user terminal;
the user terminal receives the initial entitlement management message and decrypts it to obtain the initial service key;
when an update is triggered, the user terminal uses the current service key and, with the same calculation process as the network side, automatically generates and updates the service key required within the authorization of the subscribed service.
2. The service key acquisition method according to claim 1, characterized in that the initial entitlement management message in ciphertext form is generated in the following manner:
the initial service key is encrypted with the user key to form the initial entitlement management message.
3. The service key acquisition method according to claim 1, characterized in that the initial entitlement management message in ciphertext form may also be generated in the following manner:
the network side randomly generates a protection key and symmetrically encrypts the initial service key with it; the initial service key encrypted with the protection key, together with the corresponding protection key, is then encrypted with the user key to form the initial entitlement management message; the user key is associated with the user terminal.
4. The service key acquisition method according to claim 1, characterized in that, after the user terminal receives the initial entitlement management message, the method further comprises:
the user terminal sends reception-success feedback information to the network side;
the network side removes this terminal from its subsequent entitlement management message send list.
5. The service key acquisition method according to claim 1, characterized in that the condition triggering the update is a preset time point.
6. The service key acquisition method according to claim 4, characterized in that time consistency between the network side and the terminal is ensured in the following manner:
when the network side sends the initial entitlement management message and the authorization information for the user's subscribed service, it sends a reference time signal to ensure the time consistency of the two;
or, a reference time signal is included in the authorized service data sent by the network side, to ensure the time consistency of the two.
7. The service key acquisition method according to claim 1, characterized in that it further comprises:
each time the service key of the user terminal is updated, the authorization count of the service subscribed by this terminal is automatically incremented or decremented by a set step;
when the authorization count of the subscribed service reaches a predetermined termination count, automatic updating stops.
8. The service key acquisition method according to claim 7, characterized in that
the automatic increment or decrement of the authorization count is carried out by a security agent software entity;
or, the automatic increment or decrement of the authorization count is carried out by a hardware circuit.
9. The service key acquisition method according to claim 7, characterized in that
when the user requests renewal of the same service, the network side sends a new authorization count to the user terminal to replace the currently remaining authorization count.
10. A service key acquisition system, characterized in that it comprises a network side and a user terminal; the network side comprises:
a key generation unit, configured to randomly generate the initial service key required by the user, encrypt it to obtain the initial entitlement management message, generate the authorization information for the user's subscribed service, and send the entitlement management message and the authorization information to the user terminal;
the user terminal comprises:
a receiving unit, configured to receive the initial entitlement management message and the authorization information;
a decryption unit, configured to decrypt the initial entitlement management message, obtain the initial service key and store it as the current service key;
a self-update unit, configured to use the current service key when an update is triggered and, with the same calculation process as the network side, automatically generate and update the service key required within the authorization of the subscribed service.
11. The service key acquisition system according to claim 10, characterized in that the key generation unit further comprises:
a module for randomly generating the initial service key;
a module for randomly generating a protection key;
a first encryption module, configured to symmetrically encrypt the initial service key with the protection key;
a second encryption module, configured to encrypt the protection key together with the initial service key encrypted by the protection key using the user key, obtaining the initial entitlement management message; wherein the user key is associated with the user terminal.
12. The service key acquisition system according to claim 10, characterized in that it further comprises:
a feedback unit, located in the user terminal, configured to send reception-success feedback information to the network side after the initial entitlement management message has been received; this feedback information informs the network side to remove this terminal from its subsequent entitlement management message send list.
13. The service key acquisition system according to claim 10, characterized in that the condition triggering the update is a preset time point.
14. The service key acquisition system according to claim 10, characterized in that it further comprises:
a time adjustment unit, located in the user terminal, configured to receive the reference time signal sent by the network side and correct the local time so as to ensure the time consistency of the two; the reference time signal is transmitted together with the initial entitlement management message and the authorization information, or together with the authorized service data.
15. The service key acquisition system according to claim 10, characterized in that it further comprises:
a secure counter unit, located in the user terminal, configured to automatically increment or decrement the authorization count of the subscribed service each time the service key of the user terminal is updated, and to stop automatic updating when the authorization count reaches the preset termination count.
16. The service key acquisition system according to claim 15, characterized in that
the automatic increment or decrement of the authorization count is carried out by a security agent software entity;
or, the automatic increment or decrement of the authorization count is carried out by a hardware circuit.
17. A conditional access module, characterized in that it comprises:
a receiving unit, configured to receive from the network side the initial entitlement management message and the authorization information generated by the network side;
a decryption unit, configured to decrypt the initial entitlement management message, obtain the initial service key and store it as the current service key;
a self-update unit, configured to use the current service key when an update is triggered and, with the same calculation process as the network side, automatically generate and update the service key required within the authorization of the subscribed service.
18. The conditional access module according to claim 17, characterized in that
the conditional access module is embedded in the structure of the user terminal equipment, forming one structure with the user terminal;
or, the conditional access module is connected to the user terminal in a detachable plug-in manner.
19. The conditional access module according to claim 17, characterized in that it further comprises:
a time adjustment unit, configured to receive the reference time signal sent by the network side and correct the local time of the user terminal so as to ensure the time consistency of the two; the reference time signal is transmitted together with the initial entitlement management message and the authorization information, or together with the authorized service data.
20. The conditional access module according to claim 18, characterized in that it further comprises:
a secure counter unit, configured to automatically increment or decrement the authorization count of the subscribed service each time the service key of the user terminal is updated, and to stop automatic updating when the authorization count reaches the preset termination count.
21. The conditional access module according to claim 20, characterized in that it further comprises:
the automatic increment or decrement of the authorization count being carried out by a security agent software entity;
or, the automatic increment or decrement of the authorization count being carried out by a hardware circuit.
22. The conditional access module according to claim 18, characterized in that it further comprises:
a feedback unit, configured to send reception-success feedback information to the network side after the initial entitlement management message has been received; this feedback information informs the network side to remove this terminal from its subsequent entitlement management message send list.
23. A user terminal, characterized in that it comprises a conditional access module, the conditional access module comprising:
a receiving unit, configured to receive the initial entitlement management message and the authorization information generated by the network side;
a decryption unit, configured to decrypt the initial entitlement management message, obtain the initial service key and store it as the current service key;
a self-update unit, configured to use the current service key when an update is triggered and, with the same calculation process as the network side, automatically generate and update the service key required within the authorization of the subscribed service.
24. The user terminal according to claim 23, characterized in that the conditional access module further comprises:
a secure counter unit, configured to automatically increment or decrement the authorization count of the subscribed service each time the service key of the user terminal is updated, and to stop automatic updating when the authorization count reaches the preset termination count.
25. The user terminal according to claim 23, characterized in that the user terminal further comprises:
a feedback unit, configured to send reception-success feedback information to the network side after the initial entitlement management message has been received; this feedback information informs the network side to remove this terminal from its subsequent entitlement management message send list.
26. The user terminal according to claim 23, characterized in that the user terminal further comprises:
a time adjustment unit, configured to receive the reference time signal sent by the network side and correct the local time of the user terminal so as to ensure the time consistency of the two; the reference time signal is transmitted together with the initial entitlement management message and the authorization information, or together with the authorized service data.
27. The user terminal according to claim 24, characterized in that
the automatic increment or decrement of the authorization count is carried out by a security agent software entity;
or, the automatic increment or decrement of the authorization count is carried out by a hardware circuit.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008102236066A CN101399662B (en) 2008-09-27 2008-09-27 Method, system, conditional receiving module and customer terminal for obtaining service key

Publications (2)

Publication Number Publication Date
CN101399662A CN101399662A (en) 2009-04-01
CN101399662B true CN101399662B (en) 2011-02-16

Family

ID=40517944


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20151022

Address after: 100080, Beijing, Zhongguancun Haidian District Street 11, 100 million world wealth center, block A, 12

Patentee after: BEIJING BOXIN SHITONG TECHNOLOGY CO., LTD.

Address before: 100084 Beijing, Zhongguancun East Road, No. 1, building No. 8, Tsinghua Science Park, science and technology building, block A, 803

Patentee before: Beijing Chuangyi Vision Technology Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110216

Termination date: 20170927
