Summary of the invention
The technical solution of the present invention provides a network video collecting device, together with a network video monitoring system and method that use it. By placing a hardware user authentication unit in the network video collecting device, the system can not only authenticate the terminal user and protect the transmitted video content, but can also authenticate the video capture devices that join the network video monitoring system, thereby protecting the interests of the network service operator.
To achieve this, one aspect of the present invention provides a network video collecting device arranged in a terminal of a network video monitoring system. The device comprises: an audio/video acquisition unit for acquiring image and audio data in real time; an audio/video compression unit for compressing the image and audio data and converting it into transmittable video data; a network transmission unit for transferring the transmittable video data to the server; a user authentication unit for storing the terminal operating parameters and performing device authentication of the device using an asymmetric encryption algorithm; and a CPU that cooperates with the user authentication unit to complete the device authentication process and, when device authentication passes, obtains the terminal operating parameters and communicates with the server through the network transmission unit according to those parameters.
Preferably, in the above network video collecting device, the user authentication unit stores a terminal public key and a terminal private key. During device authentication the user authentication unit generates a random number, encrypts it with the terminal private key and sends the result to the CPU.
Preferably, in the above network video collecting device, the CPU obtains the terminal public key from the user authentication unit, decrypts the random number with the terminal public key to obtain the device authentication plaintext, and sends that plaintext to the user authentication unit.
Preferably, in the above network video collecting device, the user authentication unit also judges whether the device authentication plaintext is correct: if it is, authentication passes; if it is not, authentication fails.
Preferably, in the above network video collecting device, the user authentication unit also stores the server public key and, using the asymmetric encryption algorithm, encrypts the network-connection authentication information among the terminal operating parameters with the server public key into a ciphertext that is sent to the server, so that the server can authenticate the terminal from that ciphertext.
Preferably, in the above network video collecting device, the user authentication unit also generates a session key, encrypts the audio/video data stream of the transmittable video data that the client wishes to read with the session key, and encrypts the session key with the client public key.
Preferably, in the above network video collecting device, the terminal operating parameters comprise the media access control (MAC) address, the passport unique identifier (PUID), the terminal password and encoder control information.
Another aspect of the present invention provides a network video monitoring system comprising: an audio/video acquisition terminal, which comprises an audio/video acquisition device that acquires the image and audio data of the terminal, compresses it and converts it into transmittable video data; a user authentication unit arranged in the audio/video acquisition device, which stores the terminal operating parameters, performs device authentication of the audio/video acquisition device using an asymmetric encryption algorithm and, when device authentication passes, delivers the terminal operating parameters to the audio/video acquisition device; a server, which performs terminal authentication of the audio/video acquisition terminal and, when terminal authentication passes, communicates with the terminal's audio/video acquisition device and receives the transmittable video data; and a client, which communicates with the server and browses, through the server, the audio/video images corresponding to the transmittable video data.
Preferably, in the above system, the audio/video acquisition device comprises a CPU that cooperates with the user authentication unit to complete device authentication and, when device authentication passes, obtains the terminal operating parameters and controls the network communication between the audio/video acquisition terminal and the server according to those parameters.
Preferably, in the above system, the user authentication unit stores a terminal public key and a terminal private key. During device authentication the user authentication unit generates a random number, encrypts it with the terminal private key and sends the result to the CPU.
Preferably, in the above system, the CPU obtains the terminal public key from the user authentication unit, decrypts the random number with the terminal public key to obtain the device authentication plaintext, and sends that plaintext to the user authentication unit.
Preferably, in the above system, the user authentication unit also judges whether the device authentication plaintext is correct: if it is, authentication passes; if it is not, authentication fails.
Preferably, in the above system, the user authentication unit also stores the server public key and, using the asymmetric encryption algorithm, encrypts the network-connection authentication information among the terminal operating parameters with the server public key into a ciphertext that is sent to the server, so that the server can authenticate the audio/video acquisition terminal from that ciphertext.
Preferably, in the above system, the server decrypts the ciphertext with the server private key to obtain the terminal authentication plaintext and matches it against the terminal information stored at the server; if the match succeeds, terminal authentication passes.
Preferably, in the above system, the user authentication unit also generates a session key, encrypts the data stream of the audio/video images that the client wishes to read with the session key, and encrypts the session key with the client public key.
Preferably, in the above system, before browsing the audio/video images the client decrypts the session key with the client private key and decrypts the audio/video data stream with the recovered session key.
A further aspect of the present invention provides a network video monitoring method comprising: arranging an audio/video acquisition device in an audio/video acquisition terminal of the network video monitoring system; performing device authentication of the audio/video acquisition device using an asymmetric encryption algorithm and, when device authentication passes, delivering the terminal operating parameters to the audio/video acquisition device so that it can join the system network; and having the server of the network video monitoring system perform terminal authentication of the audio/video acquisition terminal and, when terminal authentication passes, communicate with the terminal's audio/video acquisition device and receive the audio/video data stream it sends.
Preferably, in the above method, before the server receives the audio/video data stream sent by the audio/video acquisition device, the method further comprises encrypting the audio/video data stream with a session key and encrypting the session key with the client public key.
Preferably, in the above method, the device authentication process comprises: generating a random number, encrypting it with the terminal private key and sending it to the audio/video acquisition device; the audio/video acquisition device decrypting the random number with the terminal public key to obtain the device authentication plaintext; and judging whether the device authentication plaintext is correct, authentication passing if it is and failing if it is not.
Preferably, in the above method, the terminal authentication process comprises: the audio/video acquisition device encrypting the network-connection authentication information among the terminal operating parameters with the server public key into a ciphertext and sending it to the server; and the server decrypting the ciphertext with the server private key to obtain the terminal authentication plaintext and matching it against all terminal information stored at the server, terminal authentication passing if a match is found and failing otherwise.
At least one of the above technical solutions has the following beneficial effects. In the network video collecting device of the specific embodiments of the invention, and in the network video monitoring system and method that use it, the terminal operating parameters are kept in the user authentication unit, the network video collecting device joining the terminal is authenticated with an asymmetric encryption algorithm, and only a video acquisition device that passes authentication obtains the terminal operating parameters; this gives stronger assurance for device management in the network video monitoring system and thus protects the interests of the network service operator. In addition, the user authentication unit uses the asymmetric encryption algorithm to encrypt the audio/video stream data and cooperates with the server to perform terminal authentication, so it also effectively protects customer information and keeps the monitoring information private.
Embodiment
To make the purpose, technical solutions and advantages of the present invention clearer, the invention is described below with reference to the accompanying drawings and specific embodiments.
In the network video collecting device of the specific embodiments of the invention, and in the network video monitoring system and method that use it, a user authentication unit is placed in the network video collecting device at the terminal of the network video monitoring system. This ensures that only monitoring devices authorized by the network video monitoring system can connect to it, which effectively protects the interests of the network service operator.
Fig. 1 is a schematic diagram of the connection structure of the network video monitoring system. The network video collecting device is arranged in the terminal of the network video monitoring system, obtains image and audio data at the monitored site and transmits it over the network to a remote server; a client can browse the audio/video images obtained by the terminal through the server.
Fig. 2 is a schematic diagram of the structure of the network video collecting device of the specific embodiment of the invention. With reference to Fig. 1, the device comprises an audio/video acquisition unit, an audio/video compression unit, a network transmission unit, a user authentication unit and a CPU, wherein:
the audio/video acquisition unit acquires the terminal's image and audio data in real time;
the audio/video compression unit compresses the acquired image and audio data and converts it into transmittable video data;
the network transmission unit transfers the transmittable video data to the server;
the user authentication unit stores the terminal operating parameters, the terminal public key and the terminal private key, and uses the terminal public and private keys with an asymmetric encryption algorithm to perform device authentication of the network video collecting device;
the CPU controls the coordinated operation of the whole device, including cooperating with the user authentication unit to complete the device authentication process and, when device authentication passes, obtaining the terminal operating parameters and communicating with the server through the network transmission unit according to those parameters, so that the transmittable video data is transferred to the server.
The terminal operating parameters comprise the MAC (Media Access Control) address, the PUID (Passport Unique ID) and the terminal password. The MAC address is required for the network video collecting device to operate on the monitoring network, and without it the device cannot function normally on the network; the PUID and terminal password are the authentication information for the device's connection to the network server. The network video collecting device can therefore connect to the network video monitoring system and operate normally within it only if it holds these terminal operating parameters. In the network video collecting device of the specific embodiment of the invention, the terminal operating parameters the device needs in order to run in the monitoring system are stored in the user authentication unit, and the device can obtain them, and thus operate in the system, only after the user authentication unit has passed its device authentication.
In addition, using the user authentication unit for device authentication also protects, to a certain extent, the software on which the system runs: because the key operating parameters of the system terminal are stored in the user authentication unit, merely copying the system software in full does not yield those key parameters, and the system cannot be run from the copy.
The process by which the user authentication unit performs device authentication of the network video collecting device with the asymmetric encryption algorithm is shown in Fig. 3. With reference to Fig. 3, device authentication starts at step S301, in which the network video collecting device joins the terminal of the network video monitoring system.
Step S302: the CPU obtains the terminal public key from the user authentication unit;
Step S303: the user authentication unit generates a random number, encrypts it with the terminal private key and sends the result to the CPU;
Step S304: the CPU decrypts the random number with the terminal public key to obtain the device authentication plaintext;
Step S305: the CPU sends the device authentication plaintext to the user authentication unit;
Step S306: the user authentication unit judges whether the device authentication plaintext is correct. If it is, device authentication passes, the device is allowed to join the network video monitoring system and the flow proceeds to step S307; if it is not, device authentication fails, which indicates that the device is not equipment designated by the video monitoring service provider, the device is barred from joining the network video monitoring system and step S308 is executed;
Step S307: the terminal operating parameters are sent to the CPU so that the device can continue operating;
Step S308: the device authentication process ends.
In addition, in the specific embodiment of the invention, the user authentication unit not only authenticates the video acquisition device installed in the user terminal but also encrypts the audio/video information and cooperates with the server so that the server can authenticate the terminal.
The user authentication unit stores the server public key and, using the asymmetric encryption algorithm, encrypts the terminal operating parameters with the server public key into a ciphertext that is sent to the server, so that the server can authenticate the terminal from that ciphertext. The terminal authentication process is shown in Fig. 4.
As shown in Fig. 4, terminal authentication starts at step S401 and further comprises:
Step S402: the terminal's CPU encrypts the PUID and terminal password into a ciphertext with the server public key stored in the user authentication unit and sends it to the server;
Step S403: the server decrypts the ciphertext with the server private key to obtain the terminal authentication plaintext;
Step S404: the server compares the terminal authentication plaintext with the terminal client information it stores in advance;
Step S405: the server judges whether a matching record exists. If so, the terminal is a legitimate user and step S406 is executed; if not, the terminal is an illegitimate user, the terminal user is barred from joining the monitoring system and step S407 is executed;
Step S406: the terminal passes authentication and is allowed to transmit audio/video data;
Step S407: the process ends.
Through the terminal authentication procedure of steps S401 to S407, illegitimate terminal users can be kept out of the network video monitoring system, which effectively protects customer information from eavesdropping or copying.
In addition, the user authentication unit cooperates with the CPU to encrypt the transmitted audio/video stream data. In the network video monitoring system, each time the client browses the audio/video images of the network video collecting device through the server, the CPU of the device communicates with the user authentication unit to generate a session key and encrypts the audio/video bit stream the client wishes to browse with that session key.
The process by which the network video collecting device encrypts the audio/video stream data is shown in Fig. 5. With reference to Fig. 5, the process starts at step S501 and comprises:
Step S502: the user authentication unit generates a session key, which may be a 128-bit random number;
Step S503: the CPU encrypts the audio/video stream the client wishes to browse with the session key, and further encrypts the session key with the client public key to obtain the encrypted key;
Step S504: the encrypted key is transmitted to the client through the network transmission unit;
Step S505: the encryption process ends.
The process by which the client decrypts the audio/video stream data is shown in Fig. 6. With reference to Fig. 6, the process starts at step S601 and comprises:
Step S602: the client obtains the encrypted key;
Step S603: the client decrypts the encrypted key with the client private key to obtain the session key;
Step S604: the client decrypts the received audio/video stream data with the session key and browses the corresponding audio/video images;
Step S605: the decryption process ends.
In the encryption process of steps S501 to S505 the session key is different each time the client browses the terminal's audio/video images, and the session key is itself encrypted with the asymmetric algorithm, so interception of the session key is effectively prevented and the privacy of the monitoring information is preserved.
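The three exchanges described above (device authentication of Fig. 3, terminal authentication of Fig. 4, and the session-key protection of Figs. 5 and 6) modelled end to end in Python, as an added example that is not part of the patent. It uses textbook RSA over fixed Mersenne primes, a `PUID:password` string encoding of the credentials, and a SHA-256 counter keystream in place of the unspecified symmetric cipher; all three are assumptions made for the demo and none is a production-grade construction. As in step S302, the CPU fetches the terminal public key from the authentication unit itself, and the code keeps that order; the `honest=False` branch shows a CPU that returns the wrong value and therefore receives no operating parameters (step S308), and a wrong terminal password shows the server rejecting a terminal (step S405).

```python
import hashlib
import hmac
import secrets

E = 65537  # RSA public exponent


def make_keypair(k1, k2):
    """Textbook RSA key pair from the Mersenne primes 2^k1-1 and 2^k2-1 (demo only)."""
    p, q = (1 << k1) - 1, (1 << k2) - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)              # (public key, private key)


def rsa_apply(key, m):
    """Raw RSA: the same operation 'encrypts' with one half of the pair and 'decrypts' with the other."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("message out of range for this modulus")
    return pow(m, exp, n)


def int_of(b):
    return int.from_bytes(b, "big")


def bytes_of(i, length=None):
    return i.to_bytes(length or (i.bit_length() + 7) // 8, "big")


class AuthUnit:
    """Models the user authentication unit (SIM/UIM/USB key): holds the terminal key pair,
    the server public key and the terminal operating parameters, and releases the
    parameters only after device authentication (Fig. 3)."""

    def __init__(self, terminal_keys, server_pub, params):
        self.terminal_pub, self._terminal_priv = terminal_keys
        self.server_pub = server_pub
        self._params = params
        self._nonce = None

    def challenge(self):
        # S303: random number transformed with the terminal private key
        self._nonce = secrets.randbelow(self.terminal_pub[0])
        return rsa_apply(self._terminal_priv, self._nonce)

    def release_params(self, recovered):
        # S306/S307: parameters leave the unit only if the CPU recovered the random number
        ok = self._nonce is not None and recovered == self._nonce
        self._nonce = None
        return dict(self._params) if ok else None

    def new_session_key(self):
        return secrets.token_bytes(16)  # S502: 128-bit random session key


def cpu_device_auth(unit, honest=True):
    """S302-S305 on the CPU side; honest=False models a CPU that cannot complete the exchange."""
    pub = unit.terminal_pub                 # S302: public key fetched from the unit
    c = unit.challenge()                    # S303
    r = rsa_apply(pub, c) if honest else c  # S304 (a dishonest CPU just echoes the ciphertext)
    return unit.release_params(r)           # S305-S307: parameters, or None on failure


def encrypt_credentials(server_pub, puid, password):
    """S402: PUID and terminal password encrypted with the server public key (encoding assumed)."""
    return rsa_apply(server_pub, int_of(f"{puid}:{password}".encode()))


class Server:
    def __init__(self, server_keys, registered):
        self.pub, self._priv = server_keys
        self._registered = registered  # PUID -> terminal password held by the server

    def terminal_auth(self, ciphertext):
        # S403-S405: decrypt, then match against the stored terminal records
        plain = bytes_of(rsa_apply(self._priv, ciphertext)).decode(errors="replace")
        puid, _, password = plain.partition(":")
        expected = self._registered.get(puid)
        return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def keystream_xor(key, data):
    """Assumed stream cipher for the demo: SHA-256(key || block offset) XORed into the data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def run_demo():
    """Runs Fig. 3, Fig. 4 and Figs. 5/6 end to end and returns the outcomes."""
    terminal_keys = make_keypair(61, 89)
    server_keys = make_keypair(107, 31)
    client_pub, client_priv = make_keypair(127, 19)
    params = {"MAC": "00:11:22:33:44:55", "PUID": "PUID0001", "password": "s3cret"}  # constructed
    unit = AuthUnit(terminal_keys, server_keys[0], params)
    server = Server(server_keys, {"PUID0001": "s3cret"})  # constructed server records
    got = cpu_device_auth(unit)                     # Fig. 3: parameters released to the CPU
    rejected = cpu_device_auth(unit, honest=False)  # Fig. 3: S308, nothing released
    ok = server.terminal_auth(encrypt_credentials(unit.server_pub, got["PUID"], got["password"]))
    bad = server.terminal_auth(encrypt_credentials(unit.server_pub, got["PUID"], "wrong"))
    stream = b"constructed audio/video payload " * 3
    key = unit.new_session_key()                                    # S502
    wrapped = rsa_apply(client_pub, int_of(key))                    # S503: key under client public key
    key_at_client = bytes_of(rsa_apply(client_priv, wrapped), 16)   # S603
    plain = keystream_xor(key_at_client, keystream_xor(key, stream))  # S503 / S604
    return {"params": got, "rejected": rejected, "terminal_auth": ok,
            "wrong_password": bad, "stream_roundtrip": plain == stream}
```

Calling `run_demo()` returns the released parameters, `None` for the dishonest CPU, `True`/`False` for the two terminal authentication attempts, and `True` for the stream round trip. Note that `terminal_auth` compares the password with `hmac.compare_digest` rather than `==`, which a real server should also do; the page does not specify how the comparison in step S404 is performed.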
In particular, the user authentication unit in the network video collecting device of the specific embodiment of the invention can be implemented with a SIM card, a UIM card or a USB key.
Another aspect of the specific embodiment of the invention provides a network video monitoring system that uses the above network video collecting device. With reference to Fig. 7, the system comprises:
an audio/video acquisition terminal, which comprises an audio/video acquisition device that acquires the image and audio data at the terminal, compresses it and converts it into transmittable video data;
a user authentication unit arranged in the audio/video acquisition device, which stores the terminal public key and terminal private key, performs device authentication of the audio/video acquisition device using an asymmetric encryption algorithm and, when device authentication passes, delivers the terminal operating parameters to the audio/video acquisition device;
a server, which performs terminal authentication of the audio/video acquisition terminal and, when terminal authentication passes, communicates with the terminal's audio/video acquisition device and receives the transmittable video data;
a client, which communicates with the server and browses, through the server, the audio/video images corresponding to the transmittable video data.
The process by which the user authentication unit performs device authentication of the audio/video acquisition device with the asymmetric encryption algorithm is shown in Fig. 3. An audio/video acquisition device usually has a CPU; this CPU cooperates with the user authentication unit to complete device authentication and, when device authentication passes, obtains the terminal operating parameters and controls the network communication between the audio/video acquisition terminal and the server according to them.
The user authentication unit performs device authentication as follows: it generates a random number, encrypts it with the terminal private key and sends the result to the CPU; the CPU decrypts the random number with the terminal public key to obtain the device authentication plaintext; when the user authentication unit judges the plaintext to be correct, device authentication passes. The detailed process is shown in Fig. 3 and is not repeated here.
The audio/video acquisition device may be a web camera, a video server or a DVR. With the system of the specific embodiment of the invention, such a device, when joining a terminal of the network video monitoring system, obtains the terminal operating parameters it needs in order to run (including the MAC address, PUID, terminal password and so on), and can thus join and operate in the system, only after the user authentication unit's authentication has passed. The devices connected to the network video monitoring system can therefore be restricted to equipment permitted by the network service operator, which protects the operator's interests. In addition, using the user authentication unit for device authentication also protects, to a certain extent, the software on which the system runs: because the key operating parameters of the system terminal are stored in the user authentication unit, merely copying the system software in full does not yield those key parameters, and the system cannot be run from the copy.
In addition, in the system of the specific embodiment of the invention, the user authentication unit not only authenticates the video acquisition device installed in the user terminal but also encrypts the audio/video information and cooperates with the server so that the server can authenticate the terminal.
The user authentication unit stores the server public key and, using the asymmetric encryption algorithm, encrypts the terminal operating parameters with the server public key into a ciphertext that is sent to the server, so that the server can authenticate the terminal from that ciphertext. The terminal authentication process is shown in Fig. 4. The CPU of the audio/video acquisition device encrypts the PUID and terminal password into a ciphertext with the server public key stored in the user authentication unit and sends it to the server; the server decrypts the ciphertext with the server private key to obtain the terminal authentication plaintext and compares it with the terminal client information it stores in advance; if a matching record exists, the terminal passes authentication and is judged to be a legitimate user. Through this terminal authentication procedure, illegitimate terminal users can be kept out of the network video monitoring system, which effectively protects customer information from eavesdropping or copying.
In addition, the user authentication unit cooperates with the CPU to encrypt the transmitted audio/video stream data; the encryption process is shown in Fig. 5. Each time the client browses the audio/video images of the network video collecting device through the server, the CPU communicates with the user authentication unit to generate a session key, encrypts the audio/video bit stream the client wishes to browse with that session key, and encrypts the session key with the client public key.
The process by which the client decrypts the audio/video stream data is shown in Fig. 6: the client obtains the encrypted session key, decrypts it with the client private key to recover the session key, and then decrypts the received audio/video stream data with that session key and browses the corresponding audio/video images.
The user authentication unit of the specific embodiment of the invention can be implemented with a SIM card, a UIM card or a USB key inserted into the audio/video acquisition device as a peripheral, or it can be built directly into the main processor of the audio/video acquisition device, in which case the main processor supports the asymmetric encryption algorithm and provides the user authentication function.
Another aspect of the specific embodiment of the invention provides a network video monitoring method. Besides audio/video stream encryption and terminal authentication, this monitoring method can also authenticate the audio/video acquisition device added to a terminal. The principle of the method is shown in Fig. 8; the method starts at step S801 and further comprises:
Step S802: an audio/video acquisition device is arranged in a terminal of the network video monitoring system;
Step S803: device authentication of the audio/video acquisition device is performed using an asymmetric encryption algorithm;
Step S804: it is judged whether device authentication has passed. If so, the terminal operating parameters are sent to the audio/video acquisition device so that it can join the system network, and step S805 follows; if not, step S808 is executed and the audio/video acquisition device is refused access to the system network;
Step S805: the server performs terminal authentication of the audio/video acquisition terminal using the asymmetric encryption algorithm;
Step S806: it is judged whether terminal authentication has passed. If so, step S807 follows; if not, step S808 is executed and the audio/video data sent from this terminal is rejected;
Step S807: the audio/video acquisition device that has joined the terminal begins operating in the system and communicates with the server;
Step S808: the process ends.
In the above method, each time the client browses the audio/video images of the network video collecting device through the server, the method further comprises generating a session key, encrypting the audio/video bit stream of the images the client wishes to browse with that session key, and encrypting the session key with the client public key. When the client wishes to browse the corresponding audio/video images it obtains the encrypted session key, decrypts it with the client private key to recover the session key, and then decrypts the received audio/video stream data with that session key.
The device authentication process of the method of the specific embodiment of the invention comprises:
generating a random number, encrypting it with the terminal private key and sending it to the audio/video acquisition device;
the audio/video acquisition device decrypting the random number with the terminal public key to obtain the device authentication plaintext;
judging whether the device authentication plaintext is correct, authentication passing if it is and failing if it is not.
The terminal authentication process comprises:
the audio/video acquisition device encrypting the network-connection authentication information among the terminal operating parameters with the server public key into a ciphertext and sending it to the server;
the server decrypting the ciphertext with the server private key to obtain the terminal authentication plaintext and matching it against all terminal information stored at the server, terminal authentication passing if a match is found and failing otherwise.
The terminal operating parameters comprise the media access control (MAC) address, the passport unique identifier (PUID), the terminal password and encoder control information; the network video collecting device can connect to the network video monitoring system and operate normally within it only if it holds these parameters.
Therefore, in the network video collecting device of the specific embodiment of the invention, and in the network video monitoring system and method that use it, the terminal operating parameters are kept in the user authentication unit and only a video acquisition device that passes authentication obtains them, which provides stronger assurance for device management in the network video monitoring system and for the secure transmission of video content.
The above is only a preferred implementation of the present invention. It should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principles of the invention, and such improvements and modifications should also be regarded as within the scope of protection of the invention.