CN101425112A - Digital exequatur sending system and digital work decipher operation method - Google Patents

Digital exequatur sending system and digital work decipher operation method Download PDF

Info

Publication number
CN101425112A
CN101425112A CNA2008102266396A CN200810226639A CN101425112A CN 101425112 A CN101425112 A CN 101425112A CN A2008102266396 A CNA2008102266396 A CN A2008102266396A CN 200810226639 A CN200810226639 A CN 200810226639A CN 101425112 A CN101425112 A CN 101425112A
Authority
CN
China
Prior art keywords
computing equipment
device identification
authorisation
authorisation device
collection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CNA2008102266396A
Other languages
Chinese (zh)
Other versions
CN101425112B (en
Inventor
俞银燕
汤帜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New Founder Holdings Development Co ltd
Peking University
Founder Apabi Technology Ltd
Original Assignee
Peking University
Peking University Founder Group Co Ltd
Beijing Founder Apabi Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Peking University, Peking University Founder Group Co Ltd, Beijing Founder Apabi Technology Co Ltd filed Critical Peking University
Priority to CN2008102266396A priority Critical patent/CN101425112B/en
Publication of CN101425112A publication Critical patent/CN101425112A/en
Application granted granted Critical
Publication of CN101425112B publication Critical patent/CN101425112B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the field of digital work copyright protection, in particular to a technique in which a multi-computing apparatus uses a digital work upon authorization, and more particular to a digital permit transmitting system, a computing apparatus and a digital work decryption operating method. The method comprises the following steps: the computing apparatus obtains a digital permit of the digital work; the digital permit is generated according to characteristic information of an authorization apparatus set and a decryption key of the digital work; and the computing apparatus obtains an apparatus identifier of the present computing apparatus, restores the decryption key according to the digital permit and the apparatus identifier of the present computing apparatus, and operates the digital work after decrypting the digital work by using the decryption key. Due to the convenient reduplication of the digital permit, the authorized computing apparatus can conveniently obtain the digital permit and conveniently utilizing the apparatus identifier of the present computing apparatus and the digital permit to obtain the decryption key so as to decrypt and operate the digital work.

Description

Digital permission certificate transmitting system and copyright decipher operation method
Technical field
The present invention relates to digital copyright protection field, relate in particular to multiple computing device uses copyright under authorization conditions technology.
Background technology
Along with the fast development of computer information technology and internet, increasing Digitized Works and other digitized information have appearred, and network has become the important channel that people obtain abundant information.Yet because digital information is easy to be replicated, revises and propagates, a large amount of digitized contents is shared and illegal the use by illegal, has caused enormous economic loss for the related right people, the copyright of the protection copyright highly needs that become.
Digital copyright protection technology (Digital Rights Management; be called for short DRM) be exactly by the possessory interests of technological means protection copyright work; selling, propagating and using in the process of copyright, protecting its copyright under mandate, controlled way, to use.In order to prevent bootlegging; existing DRM technology generally adopts the mode of identify label binding to protect the copyright of copyright; modal way be exactly by device identification with copyright work and a certain apparatus bound, make copyright work energy and can only on an equipment, using.This mode is not when effectively the protection copyright work is illegally shared; the reasonable demand of having ignored the user; be unfavorable for that a plurality of users share copyright work, also can't satisfy the user uses shielded copyright and rationally changes terminal device on a plurality of terminal devices demand.
In recent years, the user also begins to cause people's attention to the acceptance of DRM system and user's demand, and many scholars and people in the industry begin to consider and address copyright work sharing and the protection problem at a plurality of equipment rooms.At first, people adopt a kind of simple security strategy, allow the user downloading the copyright of buying on several equipment and using right to realize the use of copyright on a plurality of equipment, perhaps adopt the mode of central server control, all copyrights and use right thereof that the user is bought are kept on the central server, by the use of On-line Control realization copyright on distinct device of central server.Like this, when the user need use copyright, need just can use, cause repeated downloads by central server.Therefore, the sharing mode very flexible of On-line Control, particularly along with the popularizing of portable terminal, the strategy that this server monitoring is shared can not satisfy user's demand.At present, some mobile device such as E-book reader can not directly be surfed the Net, and also just can not directly use copyright by central server.
Though and mobile devices such as smart mobile phone, part PDA can direct interconnection network, but mobile phone-downloaded copyright and digital license need be paid the GPRS traffic fee, general user be unwilling same copyright of repeated downloads and digital license, particularly under the situation that at present the mobile phone wireless network transmission speed is low, expense is high, not only time-consuming, the expensive but also effort of mobile phone-downloaded digital media content.In addition, central server is easy to become system bottleneck, has the single point failure problem.
For fear of the same content of copyright of multiple devices repeated downloads, Microsoft allows the user to share shielded copyright on the equipment of some by the mode with digital license and user binding, user and many computing equipment bindings.But, this class is shared the increase problem of only considering equipment in the certain limit, do not consider the deletion problem of equipment, promptly can only in certain scope, increase and participate in sharing equipment, can not reject away participating in sharing equipment, dynamic and the very flexible shared can't satisfy the needs that the user changes authorisation device.
IBM, Marlin, OMA, TIRAMISU etc. have proposed to share and the protection solution based on the copyright of territory (Domain); with shielded copyright and entire domain binding; make copyright to use on any equipment in the territory; and renewal and management by domain key, realize the additions and deletions of equipment in the territory and the renewal in territory.In addition, also have some based on the shared scheme in territory by safeguarding the mode at territory information about firms, delocalization information about firms of preserving on the member device, the change of support region.
These solutions based on the territory need to have good network between all authorisation device and the domain server and are connected, so that when equipment adding or leaving domain, upgrade the key message of preserving on all devices, as the key of domain key, territory information about firms (being included in territory member tabulation, delocalization member's tabulation), domain key etc., share between the member and do not possess independence.This sharing mode is not supported off-line device, and the equipment that does not possess network savvy is got rid of outside sharing.
In sum, the shared method of the copyright of prior art makes the user can easily not go up the copyright that uses (operation) to authorize a plurality of computing equipments (especially not possessing the computing equipment that connects internet function).
Summary of the invention
The embodiment of the invention provides a kind of copyright decipher operation method, computing equipment and digital permission certificate transmitting system, makes that the user can deciphering copyright and operation on authorized computing easily.
A kind of copyright decipher operation method comprises:
Computing equipment obtains the digital permission certificate of described copyright; Described digital permission certificate is to generate according to the decruption key of the characteristic information of authorisation device collection and described copyright; Described authorisation device collection comprises the device identification of the computing equipment that is authorized to move described copyright, and the characteristic information of described authorisation device collection is to concentrate all device identifications to generate according to authorisation device, and is associated with each device identification of authorisation device collection;
Described computing equipment obtains the device identification of this computing equipment, and recovers described decruption key according to the device identification of described digital permission certificate and this computing equipment; The device identification of described computing equipment is one of device identification of the described computing equipment that is authorized to move described copyright;
Described computing equipment moves this copyright after using described decruption key to decipher described copyright.
A kind of computing equipment comprises:
Device identification obtains module, is used to obtain the device identification of this computing equipment;
The decruption key generation module is used to use the device identification of the digital permission certificate of copyright of acquisition and this computing equipment to recover the decruption key of described copyright; Described digital permission certificate is to generate according to the decruption key of the characteristic information of authorisation device collection and described copyright; Described authorisation device is concentrated the device identification comprise the computing equipment that is authorized to move described copyright, the characteristic information of described authorisation device collection is to concentrate all device identifications to generate according to authorisation device, and concentrates each device identification to be associated with authorisation device; The device identification of described computing equipment is one of device identification of the described computing equipment that is authorized to move described copyright;
Deciphering module is used to use described decruption key that described copyright is decrypted.
A kind of digital permission certificate transmitting system comprises:
The copyright generation module is used to generate the decruption key of copyright and this copyright;
Digital permission certificate solicited message receiver module is used to receive the digital permission certificate solicited message that computing equipment sends; Comprise the device identification of described computing equipment and the sign CID of copyright in the described digital permission certificate solicited message;
Authorisation device collection memory module is used to store the authorisation device collection;
The device identification authentication module is used for verifying whether the affiliated authorisation device collection of device identification of described digital permission certificate solicited message has licensed the copyright that is designated CID;
The digital license inteilectual becomes module, is used for the checking result according to described device identification authentication module, the characteristic information of described authorisation device collection and the decruption key of described copyright is generated the digital permission certificate, and send to described computing equipment.
The embodiment of the invention is because the digital permission certificate that generates is a decruption key according to characteristic information and copyright generates, and characteristic information is associated with the device identification of the computing equipment of licensing copyright, therefore, authorized computing can use device identification of this equipment and digital permission certificate to recover decruption key, thereby copyright is deciphered.And because the convenient reproduction of digital permission certificate, make authorized computing can obtain the digital permission certificate easily, and utilize the device identification of this equipment and digital permission certificate to obtain decruption key easily easily copyright is decrypted, moves.
Description of drawings
Fig. 1 a is the digital copyright protection system synoptic diagram of the embodiment of the invention;
Fig. 1 b is the synoptic diagram that concerns between the characteristic information, digital permission certificate, decruption key of the embodiment of the invention;
Fig. 2 is the copyright decipher operation method process flow diagram of the embodiment of the invention;
Fig. 3 is the method flow diagram that the computing equipment of the embodiment of the invention adds the authorisation device collection;
Fig. 4 withdraws from the method flow diagram of authorisation device collection for the computing equipment of the embodiment of the invention;
Fig. 5 is the structured flowchart of the computing equipment that is used for the decipher operation copyright of the embodiment of the invention;
Fig. 6 is the structural representation of the digital certificate transmitting system of the embodiment of the invention.
Embodiment
The embodiment of the invention is in order to make the authorized computing can the decipher operation copyright, sends to the digital permission certificate that computing equipment is used to generate the decruption key of copyright and generates for decruption key according to the device identification of at least one authorized computing and copyright.Like this, this digital permission certificate promptly is associated with each authorized computing, thereby authorized computing can be calculated the acquisition decruption key according to device identification and this digital permission certificate of this equipment, and copyright is decrypted and moves.Like this, authorized computing is as long as obtain the digital license postscript of copyright, utilizes the device identification of this digital permission certificate and this equipment just can realize the deciphering and the operation of copyright.That is to say, computing equipment not necessarily will possess the function that connects the internet, it can pass through bluetooth, USB connecting line, transmission mode such as infrared, obtain the digital permission certificate from another equipment that can network, can realize the deciphering and the operation of copyright, thereby make things convenient for the user to go up the operation copyright in a plurality of authorized computing computing equipment of network savvy (comprise do not have).
Further, when need changing authorized computing, the user (for example needs to increase certain new computing equipment as authorizing computing equipment can move copyright, perhaps rejecting certain authorizes computing equipment to make it no longer to possess the mandate of operation copyright) can send relevant application to system, system can change authorized computing according to user's application, and regenerates the digital permission certificate at mandate computing equipment after changing.
Describe technical scheme of the present invention in detail below in conjunction with accompanying drawing.
The embodiment of the invention provides in a kind of digital copyright protection system, comprises as shown in Figure 1a: copyright generates server 101, authorization service system 103, and computing equipment A104 and computing equipment B105.
Copyright generates to encrypt in the server 101 at copyright and generates.Be specially, after the original contents of 101 pairs of copyrights of copyright generation server is encrypted, utilize the unique identification of original contents ciphertext and copyright to generate copyright; Accordingly, copyright generates the decruption key that server 101 promptly has this copyright.Copyright generation server 101 sends to authorization service system 103 with the decruption key of copyright.
Preserved the authorisation device collection DS of this copyright in authorization service system 103, the device identification that comprises all computing equipments of licensing this copyright among the authorisation device collection DS is designated as id respectively 1~id n, wherein n is the device identification sum among the DS.Device identification among the authorisation device collection DS can belong to a user's, also can belong to a plurality of users.Authorization service system 103 generates the characteristic information of this authorisation device collection according to all devices sign of authorisation device collection.
Computing equipment A104 and computing equipment B105 are the computing equipment that mandate can be used this copyright, and its device identification is respectively id jAnd id kWherein, natural number j, k are no more than n.Also carry the feature of the device identification of computing equipment A104 and computing equipment B105 in the characteristic information that authorization service system 103 generates.
Computing equipment A104 possesses the equipment (for example PC, notebook computer etc.) that connects internet function.Computing equipment A104 can generate server 101 from copyright by the internet and download to copyright.But because this copyright is encrypted, computing equipment A104 need obtain the digital license postscript could use this copyright.
Then for not possessing the equipment that connects internet function, it can obtain the digital permission certificate from computing equipment A104 by USB connecting line or alternate manner (for example bluetooth, infrared) to computing equipment B105.
The method of computing equipment A104 and computing equipment B105 deciphering, use copyright, process flow diagram comprises following concrete steps as shown in Figure 2:
S201, computing equipment A104 generate server 101 from copyright and obtain copyright.
Computing equipment A104 can generate server 101 to copyright and send the copyright solicited messages, carries the sign CID of the copyright that computing equipment A104 need obtain in this copyright solicited message; Copyright generates server 101 and after receiving the copyright solicited message copyright of correspondence is sent to computing equipment A104.
Perhaps, copyright generates server 101 provides copyright on webpage download link, after computing equipment A104 visits this webpage, clicks respective links and downloads needed copyright.
Because the encrypted mistake of copyright, therefore obtaining copyright needn't verify, that is to say, no matter whether authorisation device can obtain copyright.
S202, computing equipment A104 send digital permission certificate solicited message to authorization service system 103.
In the digital permission certificate solicited message that computing equipment A104 sends, carry the sign CID of copyright and the device identification id of computing equipment A104 j
Whether S203,103 pairs of computing equipment A104 checkings of authorization service system license the copyright that is designated CID.
Whether 103 pairs of computing equipment A104 checkings of authorization service system license the copyright that is designated CID can several different methods:
For example, authorisation device collection DS is (the i.e. authorisation device collection of creating at the copyright that is designated CID of creating for certain or some copyrights, the equipment member that this authorisation device is concentrated authorizes and can use this (a bit) copyright), like this, safeguard that in authorization service system 103 sign of authorisation device collection DS and the corresponding relation of CID are arranged.Certainly, for the copyright that is designated CID also may be more corresponding other authorisation device collection, and in authorization service system 103, safeguarding copyright sign and the corresponding relation of licensing the authorisation device set identifier of this copyright.The authorisation device collection corresponding to CID is searched by authorization service system 103, and is confirming corresponding to the concentrated device identification id that includes of the authorisation device of CID jThe time, think that then computing equipment A104 has been authorized to use the copyright that is designated CID, checking is passed through; Otherwise checking is not passed through.
Perhaps, authorisation device collection DS creates (promptly the concentrated all devices sign of the authorisation device of Chuan Jianing all belongs to this user) at the user, like this, in authorization service system 103, safeguard the sign of authorisation device collection DS and the one-to-one relationship of user ID are arranged, that is to say that authorisation device collection different in authorization service system 103 are under the jurisdiction of different users.And also preserve the sign that copyright identifies the user who licenses with this copyright in the authorization service system 103.In the digital permission certificate solicited message that computing equipment A104 sends, further comprise user ID UID.Authorization service system 103 is according to the corresponding relation of user ID UID and copyright sign and user ID, determine that sign UID is to there being copyright sign CID, confirm that the subscriber authorisation that is designated UID has used the copyright that is designated CID, then: the authorisation device of further searching the user who is designated UID concentrates whether comprise device identification id jIf comprise device identification id jThen checking is passed through, if do not comprise device identification id jThen with device identification id jThe authorisation device that is increased to the user who is designated UID is concentrated (the authorisation device collection that promptly upgrades the user who is designated UID), is increasing device identification id jBack affirmation checking is passed through; If authorization service system 103 is according to the corresponding relation of user ID UID and copyright sign and user ID, determine that sign UID does not have corresponding copyright sign CID, confirm that then the user who is designated UID does not license the copyright that is designated CID, checking is not passed through.
Those skilled in the art can also create the authorisation device collection at other object, no matter but the authorisation device collection is at user or copyright or other Object Creation, whether checking computing equipment A104 licenses the copyright that is designated CID, whether the authorisation device collection is authorized to use the copyright that is designated CID under its essence is checking computing equipment A104, and detailed process those skilled in the art of checking can specifically formulate according to actual conditions, enumerate no longer one by one herein.
S204, the 103 checking computing equipment A104 of authorization service system have licensed this copyright, then send digital permission certificate L to computing equipment A104.
The digital permission certificate L that authorization service system 103 sends is that the decruption key KC according to characteristic information SID and this copyright generates.Characteristic information SID generates according to each device identification among the authorisation device collection DS, thereby characteristic information SID is associated with arbitrary device identification among the DS; Digital permission certificate L also is associated with arbitrary device identification among the DS.The concrete grammar of 103 generating feature information SID of authorization service system and digital permission certificate L will be introduced follow-up.
If the 103 checking computing equipment A104 of authorization service system do not license this copyright, then refuse the request of computing equipment A104.
S205, computing equipment A104 obtain the device identification id of this equipment j
Usually the employed device identification of computing equipment is relevant with this device hardware.Specifically can be that identification information by at least one hardware of this equipment obtains through conversion, and device identification buffer memory in this equipment of obtaining of conversion, after utilizing device identification to calculate the decruption key KC of copyright, promptly be released.Such as, described computing equipment is a PC, the hardware identifier information of this computing equipment comprises: CPU sequence number, hard disk sequence number, MAC Address etc., the device identification of described computing equipment are the results that one or more the combination in these hardware identifiers calculates through transform methods such as at least privacy transformation and monotonic transformations by the device identification generation module on this equipment.And the device identification id among the authorisation device collection DS of authorization service system 103 jAfter joining authorisation device collection DS, computing equipment A104 application increases.The idiographic flow that the authorisation device collection increases the device identification that requires adding will be introduced follow-up.
S206, computing equipment A104 are according to digital permission certificate L that obtains and the device identification id of computing equipment A104 jCalculate the decruption key KC of copyright, and use this decruption key KC that copyright is deciphered the back, used this copyright.
S207, computing equipment A104 send to computing equipment B105 with digital permission certificate L and the copyright that obtains.
S208, computing equipment B105 obtain the device identification id of this equipment k
S209, computing equipment B105 are according to digital permission certificate L that obtains and the device identification id of computing equipment B105 kDetermine the decruption key of copyright, and use this decruption key that copyright is deciphered the back, used this copyright.Relation between characteristic information, the digital permission certificate can be shown in Fig. 1 b.
This shows, obtain decruption key KC as long as obtain the device identification of digital permission certificate L and authorisation device.And digital permission certificate L be owing to can preserve, and duplicates between distinct device, therefore, no matter the equipment of whether authorizing can obtain digital permission certificate L.The device identification of authorisation device then can only obtain by this equipment, reason is: because the hardware identifier that device identification is generally in the computing equipment obtains through conversion, the acquisition of the hardware identifier in the computing equipment need could obtain the hardware identifier of this equipment by specific interface, particular module on the computing equipment is after obtaining the hardware identifier of this equipment by specific interface, calculate the device identification of this equipment by certain transform method, and after obtaining device identification, this device identification just is temporary in the buffer memory, participating in follow-up calculating, obtain promptly obtaining discharging or deletion behind the decruption key KC, can not be saved in the equipment, obtain thereby make this device identification to be calculated by specific modules by this equipment, miscellaneous equipment then can't obtain this device identification.That is to say that the device identification energy of any computing equipment and the particular module that can only pass through on this equipment obtain.Like this, just guaranteed to have only the equipment of mandate could use copyright.
By step S208, S209 as can be seen digital permission certificate L can duplicate at the various computing equipment room, to obtain the approach of digital permission certificate L just be not only by authorization service system 103 to computing equipment so.
In addition, also it is to be noted, in the process of secure processing device encrypts key K C and use decruption key KC deciphering copyright, use copyright, decruption key KC carries out buffer memory as intermediate variable, after to the copyright deciphering, decruption key KC will obtain discharging or deletion, can't be retained in the equipment, thereby prevent that decruption key KC from duplicating, transmitting between distinct device, also the equipment of not authorizing to obtain decruption key KC with regard to having prevented.Same, the works content data that obtain behind the deciphering copyright also only are to be temporary in the buffer memory, can not be saved on the equipment, after finishing or ending to use copyright, the content-data of buffer memory also will be released or delete, and prevents unauthorized device use copyright.
Though it will be understood by those skilled in the art that in the above-mentioned explanation, for ease of understanding, the step of method has been adopted the succession description, should be pointed out that for the order of above-mentioned steps and do not do strict the restriction.
Authorization service system 103 can adopt following concrete grammar according to each device identification generating feature information SID and the digital permission certificate L among the authorisation device collection DS:
Method one,
Utilize device identification id all among the authorisation device collection DS 1~id n, the characteristic information SID={id of generation DS 1, id 2..., id n.Wherein, n is the sum of described authorisation device concentrating equipment sign, { id 1, id 2..., id nBe id 1, id 2..., id nThe set of forming.
Corresponding, the method that generates digital permission certificate L is:
Authorization service system 103 obtains the decruption key KC of the copyright that is designated CID, and the symmetric key encryption KC that produces with each element among the SID obtains { Ek respectively 1, Ek 2..., Ek n, with For the two-dimensional interpolation node (
Figure A200810226639D00222
Be the variable in the two-dimentional element, EK jBe the functional value in the two-dimentional element, 1≤j≤n), create n-1 interpolation polynomial and extract these polynomial all coefficients calculates the value (promptly calculating the remainder of each coefficient divided by the p gained) of each coefficient module p respectively, obtains b 0, b 1..., b N-1, produce the decryption key information EKC={b that bundlees mutually with described characteristic information SID 0, b 1..., b N-1, and then create the digital permission certificate L that comprises EKC.Further, can also comprise copyright sign CID among the digital permission certificate L of establishment.Here, g is the generator of mould p, and p is a big prime number, makes ciphertext that the device identification of any computing equipment and the described decruption key of symmetric key encryption that produces with this device identification obtain all less than p.G is that the generator of mould p is meant that g is an integer, and to any integer 0<κ<p, all has integer a 0≤i<p, makes κ equal the value of gi mould p.
Corresponding, the method that computing equipment utilizes the device identification of digital permission certificate L and this equipment to recover decruption key KC is:
Computing equipment extracts decryption key information EKC={b from L 0, b 1..., b N-1, structure polynomial expression I (x)=b 0+ b 1* x+b 2* x 2+ ... + b N-1* x N-1, obtain the device identification id of this equipment j, will
Figure A200810226639D00231
Substitution polynomial function I (x) obtains v j, calculate v jThe value of mould p obtains Ek j, utilize id jProduce symmetric key k j, deciphering Ek j, obtain decruption key KC.
Method two,
Utilize device identification id all among the DS 1~id nAnd corresponding prime number p 1~p n, calculate a natural number β less than M, make β mould p 1Value equal
Figure A200810226639D00232
Mould p 1Value, β mould p 2Value equal
Figure A200810226639D00233
Mould p 2Value ..., β mould p nValue equal
Figure A200810226639D00234
Mould p nValue, the characteristic information that generates DS comprises β and M, i.e. characteristic information SID={ β, M}.
Wherein, n is the sum of described authorisation device concentrating equipment sign, M=p 1* p 2* ... * p n, g is mould p 1~mould p nCommon generator (such as, can get g and be one greater than 1 natural square negative less than p-1), p 1, p 2..., p nBe respectively device identification id 1, id 2..., id nCorresponding different prime numbers, and any one belongs to p 1~p nPrime number to deduct 1 all be a prime number divided by 2 value, p 1~p nAll greater than p, p is the big prime number greater than described decruption key, makes the device identification of all computing equipments all less than p-1, and p=2 * q+1, q also are big prime numbers.
Corresponding, the method that generates digital permission certificate L is:
Authorization service system 103 obtains the decruption key KC of the copyright that is designated CID, generates a natural number r less than p at random, calculates g rThe value z of mould M 1And described decruption key and β rThe value z of product mould M 2, obtain the decryption key information EKC=(z that bundlees mutually with described SID 1, z 2), and then create the digital permission certificate L that comprises EKC.Further, can also comprise copyright sign CID among the digital permission certificate L of establishment.
Corresponding, the method that computing equipment utilizes the device identification of digital permission certificate L and this equipment to recover decruption key KC is:
Computing equipment extracts decryption key information EKC=(z from L 1, z 2), obtain the device identification id of this equipment jAnd corresponding prime number p j, calculate one less than p jNatural number c j, make c jWith
Figure A200810226639D00241
Product mould p jValue equal 1, calculate z 2And c jProduct mould p jValue, obtain decruption key KC.
Method three,
On the basis of the generating feature information SID of method two, be further to increase security, for G=a wherein 4, a is greater than 1 natural number less than p-1, p=2 * q+1, and p, q all are big prime numbers, make the device identification of any computing equipment all less than q.
Corresponding, the method that generates digital permission certificate L is:
Authorization service system 103 obtains the decruption key KC of the copyright that is designated CID, generates a natural number x less than p at random, calculates x 2The value s of mould p generates symmetric key k with s s, encrypting and decrypting key K C obtains c, generates a natural number r less than p-1 at random, calculates g rThe value z of mould M 1And s and β rThe value z of product mould M 2, generate the decryption key information EKC={c that bundlees mutually with described characteristic information SID, z 1, z 2, create the digital permission certificate L that comprises EKC.Further, can also comprise copyright sign CID among the digital permission certificate L of establishment.
Corresponding, the method that computing equipment utilizes the device identification of digital permission certificate L and this equipment to recover decruption key KC is:
Computing equipment extracts decryption key information EKC={c, z from L 1, z 2, from EKC, extract c and z 1, z 2, obtain the device identification id of this computing equipment jAnd corresponding prime number p j, calculate one less than p jNatural number c j, make c jWith
Figure A200810226639D00251
Product mould p jValue equal 1, calculate z 2And c jProduct mould p jValue, obtain secret data s, produce symmetric key k by s sDeciphering c obtains content decryption key KC.
Method four,
When the device identification among the authorisation device collection DS is changed, such as increasing or when deleting certain device identification, then will causing characteristic information also to change because the member among the DS changes.And new characteristic information both can be method by above-mentioned introduction generate according to after changing all devices sign among the DS, also can be according to increasing or the device identification and old characteristic information generation of deletion.For example, authorisation device collection DS has increased a device identification id N+1, then the new feature information SID ' of authorisation device collection DS can be according to old characteristic information SID and id N+1Generate.Concrete grammar is:
Characteristic information SID={id for said method one generation 1, id 2..., id n, if DS has increased a device identification id N+1, the characteristic information SID ' of Geng Xining=SID ∪ { id then N+1; If DS has deleted a device identification id t(1≤t≤n), then the characteristic information SID '=SID-{id of Geng Xining t.
And identical in the method that generates the method for digital permission certificate L and obtain decruption key KC according to the characteristic information that upgrades and the method one, repeat no more herein.
Method five,
Characteristic information SID for said method two generates has increased a device identification id as if DS N+1, then: extract the corresponding prime number { p of all devices sign among the DS before increasing 1, p 2..., p n, be the device identification id of DS to be added N+1Generate one at random and differ from prime number p 1~p nAnd big prime number p greater than p N+1, making this prime number deduct 1 also is a big prime number divided by 2 value, calculates
Figure A200810226639D00252
Mould p N+1Value β N+1, calculate respectively one less than the natural number u of M and one less than p N+1Natural number v, make u and p N+1The value of product mould M and the product mould p of v and M N+1Value be 1, calculate p N+1Product M with M +, and calculate β, p N+1, u product and β N+1, M, v product with mould M +Value β +, upgrade DS, comprise increase the member device of DS sum, with device identification id N+1And corresponding prime number p N+1The characteristic information that be increased in the member device information list of DS, upgrades DS is SID '={ β +, M +.
In actual implementation process, the authorization service system is with device identification id N+1Add after the DS, also with p N+1Being saved in the file and this document is returned to device identification by network is id N+1Computing equipment preserve.If described computing equipment does not possess network savvy, the request that described computing equipment is added DS is submitted to by other networked devices, then described file is returned to other networked devices of the request of sending, the mode by duplicating is saved in described file on the described computing equipment then.
If DS has deleted a device identification id t(1≤t≤n), then: extract id tCorresponding prime number p t, calculate M divided by p tValue M -With β mould M -Value β -, upgrade DS, comprise from the member device information list and delete id tAnd p t, reduce the member device sum, upgrade characteristic information SID '={ β of DS -, M -.
And identical in the method that generates the method for digital permission certificate L and obtain decruption key KC according to the characteristic information that upgrades and the method two, repeat no more herein.
In actual implementation process, p and q are selected two big prime number: p=2q+1, decruption key KC ∈ Z of system p, any computing equipment device identification less than p-1 and discrete logarithm problem set of integers 0,1 ..., be difficult to resolve g=-a on the p-1} 2, a be one greater than 1 natural number less than p-1.P and g are generated in advance by system, and system can also generate big table of primes P={p in advance 1, p 2..., p N, p j=2q j+ 1, p jP, q jAlso be big prime number and p i≠ p j, here, i is two different natural numbers that are no more than N with j.In the process that increases authorisation device, for newcomer's equipment to be added is chosen non-existent prime number in the member device information list from table of primes P, N is greatest member's equipment sum of the permission of empowerment management criterion regulation.Further, in order to improve security, specifically can use g=a 4Substitute g=-a 2, the device identification that the choosing of q also satisfied any computing equipment is all less than this condition of q.
Pass through said method, the characteristic information SID that authorization service system 103 generates can be associated with the arbitrary device identification among the authorisation device collection DS, digital permission certificate L is associated with arbitrary device identification and decruption key KC among the authorisation device collection DS, thereby authorized computing can recover decruption key KC by the device identification of digital permission certificate L and this equipment, thereby realizes deciphering and use to copyright.Certainly, those skilled in the art also can adopt other method or algorithm to realize that digital permission certificate L is associated with arbitrary device identification and decruption key KC among the authorisation device collection DS according to technology contents disclosed by the invention, thereby make authorized computing can recover decruption key KC by the device identification of digital permission certificate L and this equipment.
When authorisation device need change, for example, certain user had increased a notebook computer newly, and it wishes that this notebook computer also can license this copyright.Then the user can add authorisation device collection DS by this notebook computer application, perhaps withdraws from from authorisation device collection DS.
Suppose that device identification is id cComputing equipment C106 application add authorisation device collection DS, then idiographic flow comprises following concrete steps as shown in Figure 3:
S301, computing equipment C106 send the request that adds authorisation device collection DS to authorization service system 103.
The device identification id that comprises computing equipment C106 in the request of the adding authorisation device collection DS that computing equipment C106 sends cAnd the sign of authorisation device collection DS.
In actual implementation process,, then can send the request that adds authorisation device collection DS to authorization service system 103 by the computing equipment or the device authorization keeper of other networkings if computing equipment C106 does not possess network savvy.Such as: computing equipment C106 at first is connected to the computing equipment D of certain networking by USB line, bluetooth etc., computing equipment C106 obtains the device identification of this equipment then, by the communication protocol between computing equipment C106 and the computing equipment D or by the mode of interactive interface with manual typing, computing equipment D is submitted in the device identification of this equipment, and last computing equipment D submits the request that computing equipment C106 is added authorisation device collection DS to authorization service system 103; Perhaps, computing equipment C106 obtains the device identification of this equipment, with this device identification annunciator authorized administrator, device authorization keeper lands authorization service system 103 by the computing equipment of networking, by the device identification of interactive interface typing computing equipment C106, submit the request that computing equipment C106 is added authorisation device collection DS to authorization service system 103.Detailed process those skilled in the art can specifically formulate according to actual conditions, enumerate no longer one by one herein.
S302, authorization service system 103 carry out member's title examination according to the empowerment management criterion to computing equipment C106.
The empowerment management criterion is that the founder of authorisation device collection adds the criterion that the authorisation device collection is provided with to computing equipment, and concrete formulation can be decided according to actual conditions by the founder.Such as, the IP that can be the computing equipment of request adding then authorizes in allowed band, otherwise does not authorize;
Perhaps, whether the user of the computing equipment that request adds has paid certain rate, and (method of the rate of user's payment of detection computations equipment is well known to those skilled in the art: the relation table that can set up the rate of user and this user payment, after the request of the equipment collection DS that obtains the authorization, require the user that user ID and password are provided, and determining that these user's rate allow this user's computing equipment to add when reaching standard), reach standard as the rate of paying and then authorize, otherwise do not authorize;
Perhaps, when the current sum of authorisation device collection reaches the maximum sum of permission, do not authorize; Otherwise authorize;
Perhaps, when the device frequency that the additions and deletions authorisation device in the setting-up time section is concentrated reaches setting value, do not authorize; Otherwise authorize.
S303, if pass, authorization service system 103 accepts to join request, and upgrades the equipment member among the authorisation device collection DS.
Be that authorization service system 103 is with device identification id cJoin among the authorisation device collection DS.After authorization service system 103 upgraded authorisation device collection DS, then corresponding characteristic information also can change, and the method for upgrading characteristic information can repeat no more as above-mentioned method one any one in the method five herein.
Suppose that device identification is id jComputing equipment C106 application withdraw from authorisation device collection DS, then idiographic flow comprises following concrete steps as shown in Figure 4:
S401, computing equipment C106 send the request of withdrawing from authorisation device collection DS to authorization service system 103.
The device identification id that comprises computing equipment C106 in the request of the adding authorisation device collection DS that computing equipment C106 sends cAnd the sign of authorisation device collection DS.
In actual implementation process,, then can send the request of withdrawing from authorisation device collection DS to authorization service system 103 by the computing equipment or the device authorization keeper of other networkings if computing equipment C106 does not possess network savvy.Detailed process is similar with the detailed process that the computing equipment that does not possess network savvy adds the authorisation device collection, repeats no more herein.
S402, authorization service system 103 upgrade authorisation device collection DS after accepting to withdraw from the request of authorisation device collection DS.
Authorization service system 103 is with device identification id cDelete from authorisation device collection DS.After authorization service system 103 upgraded authorisation device collection DS, then corresponding characteristic information also can change, and the method for upgrading characteristic information can repeat no more as above-mentioned method one any one in the method five herein.
In the system of foregoing description, authorization service system 103 generates server 101 with copyright and can be arranged in the discrete server.Obviously, those skilled in the art can be integrated in authorization service system 103 in the server with the function that copyright generates server 101.
As shown in Figure 5, can comprise in the aforementioned calculation equipment B 105: device identification obtains module 501, decruption key generation module 502, deciphering module 503.
Device identification obtains the device identification that module 501 is used to obtain this computing equipment B105.
Decruption key generation module 502 is used to use the device identification of the digital permission certificate of copyright of acquisition and this computing equipment B105 to recover the decruption key of described copyright; Described digital permission certificate is to generate according to the decruption key of the characteristic information of authorisation device collection and described copyright; Described authorisation device is concentrated the device identification comprise the computing equipment that is authorized to move described copyright, the characteristic information of described authorisation device collection is to concentrate all device identifications to generate according to authorisation device, and concentrates each device identification to be associated with authorisation device; The device identification of described computing equipment is one of device identification of the described computing equipment that is authorized to move described copyright.The method of generating solution decryption key is aforementioned to be introduced in detail, repeated no more herein.
Deciphering module 503 is used to use described decruption key that described copyright is decrypted.Deciphering module 503 after the deciphering of finishing copyright, i.e. the decruption key that deletion generates on the slave unit, thus preventing that decruption key is retained in is able in the equipment carry out bootlegging and transmission follow-up.
Device identification wherein obtains module 501 and specifically comprises: hardware identifier obtains unit and device identification generation unit.
Hardware identifier obtains the unit, is used to obtain the hardware identifier of at least one hardware on this computing equipment;
The device identification generation unit, being used for according to the hardware identifier that obtains is described device identification by computational transformation.
Also comprise the module that computing equipment B105 is included among the computing equipment A104.In addition, computing equipment A104 can also comprise: digital permission certificate request module 504, and in order to obtain the digital permission certificate from authorization service system 103.
Concrete, digital permission certificate request module 504 is used to send digital permission certificate solicited message, carries the device identification of described computing equipment and the sign CID of described copyright in the described digital permission certificate solicited message; And receive the digital permission certificate return.
Above-mentioned authorization service system 103 and copyright generate the server 101 common a kind of digital permission certificate transmitting systems that constitute, concrete structure comprises as shown in Figure 6: digital permission certificate solicited message receiver module 602, device identification authentication module 603, digital license inteilectual become module 604, authorisation device collection memory module 605.
Digital permission certificate solicited message receiver module 602 is used to receive the digital permission certificate solicited message that computing equipment sends; Comprise the device identification of described computing equipment and the sign CID of copyright in the described digital permission certificate solicited message.
Stored authorisation device collection (can be a plurality of authorisation device collection) in the authorisation device collection memory module 605.
Device identification authentication module 603 is used for verifying whether the affiliated authorisation device collection of device identification of described digital permission certificate solicited message has licensed the copyright that is designated CID.Device identification authentication module 603 concrete verification methods can be identical with the method among the step S203, repeats no more herein.
The digital license inteilectual becomes module 604 to be used for checking result according to described device identification authentication module, the characteristic information of described authorisation device collection and the decruption key of described copyright is generated the digital permission certificate, and send to described computing equipment.
Can comprise in the device identification authentication module 603:
Authorisation device collection determining unit 611 is used for determining the affiliated authorisation device collection of device identification of described digital permission certificate solicited message;
Authorisation device collection authentication unit 612 is used to verify whether the authorisation device collection that described authorisation device collection determining unit is determined has licensed the copyright that is designated CID.
The digital license inteilectual becomes in the module 604 and can comprise: decruption key acquisition unit 621, characteristic information generation unit 622, digital license inteilectual become unit 623, digital permission certificate transmitting element 624.
Decruption key obtains the decruption key that unit 621 is used to obtain described copyright;
Characteristic information generation unit 622 is used for generating according to the device identification that described authorisation device is concentrated the characteristic information of described authorisation device collection; The method of characteristic information generation unit 622 generating feature information can adopt the arbitrary method of aforesaid method one in the method five, and perhaps other method realizes, repeats no more herein.
The digital license inteilectual becomes the checking result of unit 623 according to described device identification authentication module, and the characteristic information of described authorisation device collection and the decruption key of described copyright are generated the digital permission certificate; The generation method of digital permission certificate has aforementionedly been believed introduction, repeats no more herein.
Digital permission certificate transmitting element 624 is used to send the digital permission certificate that described digital license inteilectual becomes the unit to generate.
Further, digital permission certificate transmitting system can also comprise: copyright generation module 601.
Copyright generation module 601 is used to generate the decruption key of copyright and this copyright.The copyright generation module 601 corresponding decruption keys of preserving copyright and this copyright.And
Decruption key obtains unit 621 specifically obtains described copyright from copyright generation module 601 decruption key.
Further, digital permission certificate transmitting system can also comprise: device identification increases module 606.
Device identification increases module 606 and is used to receive the solicited message that adds the authorisation device collection, comprises the sign of device identification and authorisation device collection in the solicited message of described adding authorisation device collection; And, determine described device identification is joined described authorisation device collection according to the empowerment management criterion that sets in advance.The empowerment management criterion repeats no more at aforementioned by the agency of herein.
Device identification increases in the module 606 and can comprise:
The solicited message receiving element that adds the authorisation device collection is used to receive the solicited message that adds the authorisation device collection;
Determine to add the unit, be used for, determine described device identification is joined described authorisation device collection according to the empowerment management criterion that sets in advance.
Further, digital permission certificate transmitting system can also comprise: device identification removing module 607.
Device identification removing module 607 is used to receive the solicited message that withdraws from the authorisation device collection, comprises the sign of device identification and authorisation device collection in the described solicited message that withdraws from the authorisation device collection; And, described device identification is concentrated deletion from described authorisation device according to the described solicited message that withdraws from the authorisation device collection.
Further, digital permission certificate transmitting system can also comprise: authorisation device collection creation module 608.
Authorisation device collection creation module 608 is used to create the authorisation device collection.Concrete creation method receives the request of creating the authorisation device collection such as being, and the requestor is carried out (for example user name, cipher authentication) after the authentication generates the empowerment management criterion of authorisation device collection and the device identification of included member device; Further can also comprise list of relevant information, characteristic information of device identification sum, the member device of authorisation device collection etc.
Each module among Fig. 6 and unit can be arranged in a server, also can be arranged in different server.For example, copyright generation module 601 can be arranged on copyright and generate in the server, authorisation device collection memory module 605, characteristic information generation unit 622, device identification increase module 606, device identification removing module 607, authorisation device collection creation module 608 can be arranged in the registrar; And become unit 623, digital permission certificate transmitting element 624 to be arranged in the permit server digital permission certificate solicited message receiver module 602, decruption key acquisition unit 621, digital license inteilectual, transmit information needed mutually by information interaction (for example Xiang Guan solicited message and return message) between the server.Obviously, those skilled in the art can many kinds of combined methods, enumerate no longer one by one herein.
The embodiment of the invention is because the digital permission certificate that generates is a decruption key according to characteristic information and copyright generates, and characteristic information is associated with the device identification of the computing equipment of licensing copyright, therefore, authorized computing can use device identification of this equipment and digital permission certificate to recover decruption key, thereby copyright is deciphered.And because the convenient reproduction of digital permission certificate, make authorized computing can obtain the digital permission certificate easily, and utilize the device identification of this equipment and digital permission certificate to obtain decruption key easily easily copyright is decrypted, moves.
Though it will be understood by those skilled in the art that in the above-mentioned explanation, for ease of understanding, the step of method has been adopted the succession description, should be pointed out that for the order of above-mentioned steps and do not do strict the restriction.
One of ordinary skill in the art will appreciate that all or part of step that realizes in the foregoing description method is to instruct relevant hardware to finish by program, this program can be stored in the computer read/write memory medium, as: ROM/RAM, magnetic disc, CD etc.
Will also be appreciated that the apparatus structure shown in accompanying drawing or the embodiment only is schematically, the presentation logic structure.Wherein the module that shows as separating component may or may not be physically to separate, and the parts that show as module may be or may not be physical modules.
The above only is a preferred implementation of the present invention; should be pointed out that for those skilled in the art, under the prerequisite that does not break away from the principle of the invention; can also make some improvements and modifications, these improvements and modifications also should be considered as protection scope of the present invention.

Claims (42)

1, a kind of copyright decipher operation method is characterized in that, comprising:
Computing equipment obtains the digital permission certificate of described copyright; Described digital permission certificate is to generate according to the decruption key of the characteristic information of authorisation device collection and described copyright; Described authorisation device collection comprises the device identification of the computing equipment that is authorized to move described copyright, and the characteristic information of described authorisation device collection is to concentrate all device identifications to generate according to authorisation device, and is associated with each device identification of authorisation device collection;
Described computing equipment obtains the device identification of this computing equipment, and recovers described decruption key according to the device identification of described digital permission certificate and this computing equipment; The device identification of described computing equipment is one of device identification of the described computing equipment that is authorized to move described copyright;
Described computing equipment moves this copyright after using described decruption key to decipher described copyright.
2, the method for claim 1 is characterized in that, the characteristic information of described authorisation device collection is to concentrate all device identifications to generate according to authorisation device, and concentrates each device identification to be associated with authorisation device, specifically comprises:
It is id that described authorisation device is concentrated all device identifications 1~id n, then the described characteristic information SID of Sheng Chenging is the S set ID={id that all device identifications are formed 1, id 2..., id n; Wherein, n is the sum of described authorisation device concentrating equipment sign.
3, method as claimed in claim 2 is characterized in that, described digital permission certificate is to generate according to the decruption key of the characteristic information of authorisation device collection and described copyright, specifically comprises:
Utilize each element id among the described characteristic information SID 1, id 2..., id nThe described decruption key of the symmetric key encryption of Chan Shenging obtains Ek respectively 1, Ek 2..., Ek n, with ( g id 1 , Ek 1 ) , ( g id 2 , Ek 2 ) , . . . , ( g id n , Ek n ) Be interpolation knot, create n-1 interpolation polynomial and extract these polynomial all coefficients, calculate the value of each coefficient module p respectively, obtain b 0, b 1..., b N-1, produce the decryption key information EKC={b that bundlees mutually with described characteristic information SID 0, b 1..., b N-1, and generate the digital permission certificate that comprises EKC; The value of each coefficient module p of described calculating is exactly to calculate the remainder of each coefficient divided by the p gained;
Wherein, g is the generator of mould p, and p is a big prime number, makes ciphertext that the device identification of any computing equipment and the described decruption key of symmetric key encryption that produces with this device identification obtain all less than p; Described g is that the generator of mould p is meant that g is an integer, and to any integer 0<κ<p, all has integer a 0≤i<p, makes κ equal g iThe value of mould p.
4, method as claimed in claim 3 is characterized in that, described device identification according to described digital permission certificate and this computing equipment recovers described decruption key, specifically comprises:
From described digital permission certificate, extract described EKC, structure polynomial expression I (x)=b 0+ b 1* x+b 2* x 2+ ... + b N-1* x N-1, utilize the device identification id of described computing equipment j, will
Figure A200810226639C0003173647QIETU
Substitution polynomial function I (x) obtains v j, calculate v jThe value of mould p obtains Ek j, utilize id jProduce symmetric key k j, deciphering Ek j, obtain described decruption key.
5, the method for claim 1 is characterized in that, the characteristic information of described authorisation device collection is to concentrate all device identifications to generate according to authorisation device, and concentrates each device identification to be associated with authorisation device, is specially:
Concentrate all device identification id for described authorisation device 1~id n, calculate natural number β less than M, make β mould p jValue equal
Figure A200810226639C0003173647QIETU
Mould p jValue, generate described characteristic information SID={ β, M};
Wherein, n is the sum of described authorisation device concentrating equipment sign, and j is the natural number smaller or equal to n; M=p 1* p 2* ... * p n, g is mould p 1~mould p nCommon generator, p 1, p 2..., p nBe respectively device identification id 1, id 2..., id nCorresponding different prime numbers, and any one belongs to p 1~p nPrime number to deduct 1 all be a prime number divided by 2 value, p 1~p nAll greater than p, p is the big prime number greater than described decruption key, makes the device identification of all computing equipments all less than p-1, and p=2 * q+1, q also are big prime numbers.
6, method as claimed in claim 5 is characterized in that, described digital permission certificate is to generate according to the decruption key of the characteristic information of authorisation device collection and described copyright, specifically comprises:
Generate natural number r at random, calculate g less than p rThe value z of mould M 1And described decruption key and β rThe value z of product mould M 2, obtain the decryption key information EKC=(z that bundlees mutually with described SID 1, z 2), and generate the digital permission certificate that comprises described EKC.
7, method as claimed in claim 6 is characterized in that, described device identification according to described digital permission certificate and this computing equipment recovers described decruption key, specifically comprises:
From described digital permission certificate, extract described EKC=(z 1, z 2), obtain the device identification id of described computing equipment jCorresponding prime number p j, calculate less than p jNatural number c j, make c jWith
Figure A200810226639C0004173825QIETU
Product mould p jValue equal 1, calculate z 2And c jProduct mould p jValue, obtain described decruption key.
8, method as claimed in claim 5 is characterized in that,
For described
Figure A200810226639C00041
, g=a wherein 4, a is greater than 1 natural number less than p-1, p=2 * q+1, and p, q all are big prime numbers, make the device identification of any computing equipment all less than q.
9, method as claimed in claim 8 is characterized in that, described digital permission certificate is to generate according to the decruption key of the characteristic information of authorisation device collection and described copyright, specifically comprises:
Generate natural number x at random, calculate x less than p 2The value s of mould p generates symmetric key k with s s, encrypt described decruption key and obtain c, generate natural number r at random less than p-1, calculate g rThe value z of mould M 1And s and β rThe value z of product mould M 2, generate the decryption key information EKC={c that bundlees mutually with described characteristic information SID, z 1, z 2, and generate the digital permission certificate that comprises EKC.
10, method as claimed in claim 9 is characterized in that, described device identification according to described digital permission certificate and this computing equipment recovers described decruption key, specifically comprises:
From described digital permission certificate, extract described EKC, from described EKC, extract described c and z 1, z 2, obtain the device identification id of described computing equipment jCorresponding prime number p j, calculate less than p jNatural number c j, make c jWith
Figure A200810226639C0004173825QIETU
Product mould p jValue equal 1, calculate z 2And c jProduct mould p jValue, obtain secret data s, produce symmetric key k by s sDeciphering c obtains described decruption key.
11, the method for claim 1 is characterized in that, to be described computing equipment from the copyright that generates described copyright generate described copyright that downloaded obtains, and perhaps duplicates acquisition from other computing equipment.
12, the method for claim 1 is characterized in that, to be described computing equipment obtain from the authorization service system described digital permission certificate, perhaps duplicates acquisition from other computing equipment.
13, method as claimed in claim 12 is characterized in that, obtains described digital permission certificate from described authorization service system, specifically comprises:
Described computing equipment sends digital permission certificate solicited message to described authorization service system; Carry the device identification of described computing equipment and the sign CID of described copyright in the described digital permission certificate solicited message;
Described authorization service system receives described digital permission certificate solicited message; Verify whether the affiliated authorisation device collection of device identification of described computing equipment has licensed the copyright that is designated CID;
After checking had been authorized, described authorization service system generated the digital permission certificate and sends to described computing equipment according to the characteristic information of described authorisation device collection and the decruption key of described copyright.
14, method as claimed in claim 13 is characterized in that, described authorization service system generates the digital permission certificate and sends to described computing equipment according to the characteristic information of described authorisation device collection, specifically comprises:
The device identification that described authorization service system concentrates according to the authorisation device under the device identification of described computing equipment generates the characteristic information of described authorisation device collection;
Generate described digital permission certificate according to the decruption key of the characteristic information of described authorisation device collection and described copyright and send to described computing equipment.
15, method as claimed in claim 14 is characterized in that, the device identification that described authorisation device is concentrated belongs to same user; The sign that also comprises described user in the described digital permission certificate solicited message; And
Whether the authorisation device collection under the device identification of the described computing equipment of described checking has licensed the copyright that is designated CID, specifically comprises:
Described authorization service system is according to the copyright sign of storage and license corresponding relation between user's the sign of this copyright, determine that the user ID in the described digital permission certificate solicited message identifies corresponding to described copyright, then confirm to authorize; Otherwise, do not authorize.
16, method as claimed in claim 15 is characterized in that, before described affirmation has been authorized, also comprises:
The described user's of described authorization service system searching authorisation device collection if described user's authorisation device is concentrated the device identification that does not comprise described computing equipment, then increases this device identification and concentrates to described user's authorisation device.
17, method as claimed in claim 14 is characterized in that, described authorisation device collection is to be provided with at described copyright; And
Whether the authorisation device collection under the device identification of the described computing equipment of described checking has licensed the copyright that is designated CID, specifically comprises:
Described authorization service system is according to the copyright sign of storage and license corresponding relation between the sign of authorisation device collection of this copyright, determine that copyright sign in the described digital permission certificate solicited message corresponding to the sign of the authorisation device collection under the device identification in the described digital permission certificate solicited message, then confirms to authorize; Otherwise, do not authorize.
18, method as claimed in claim 13 is characterized in that, before described computing equipment obtains described digital permission certificate from described authorization service system, also comprises:
Described authorization service system joins described authorisation device collection with the device identification of described computing equipment.
19, method as claimed in claim 18 is characterized in that, described authorization service system joins described authorisation device collection with the device identification of described computing equipment, specifically comprises:
Described authorization service system receives the solicited message of the adding authorisation device collection that described computing equipment sends; Comprise the device identification of described computing equipment and the sign of described authorisation device collection in the solicited message of described adding authorisation device collection;
Described authorization service system determines the device identification of described computing equipment is joined described authorisation device collection according to the empowerment management criterion that sets in advance.
20, method as claimed in claim 19 is characterized in that, according to the empowerment management criterion that sets in advance, determines that the device identification with described computing equipment joins after the described authorisation device collection in described authorization service system, also comprises:
Described authorization service system generates new characteristic information according to the authorisation device collection that upgrades.
21, method as claimed in claim 20 is characterized in that, described authorization service system generates new characteristic information according to the authorisation device collection that upgrades, and specifically comprises:
The new characteristic information that generates is SID '=SID ∪ { id N+1;
Wherein, id N+1Device identification for described computing equipment;
N is that the device identification of described computing equipment joins before the described authorisation device collection, the device identification sum that authorisation device is concentrated;
SID is that the device identification of described computing equipment joins before the described authorisation device collection characteristic information of authorisation device collection: SID={id 1, id 2..., id n; Id 1~id nFor the device identification of described computing equipment joins before the described authorisation device collection, authorisation device is concentrated all device identifications.
22, method as claimed in claim 20 is characterized in that, described authorization service system generates new characteristic information according to the authorisation device collection that upgrades, and specifically comprises:
Before the device identification of described computing equipment was increased to described authorisation device collection, it was id that described authorisation device is concentrated all device identifications 1~id n, the characteristic information of authorisation device collection is SID={ β, M}; Wherein, β is the natural number less than M, and satisfies β mould p jValue equal Mould p jValue, M=p 1* p 2* ... * p n
Wherein, n is that the device identification of described computing equipment joins before the described authorisation device collection, the sum of described authorisation device concentrating equipment sign; J is the natural number smaller or equal to n; G is mould p 1~mould p nCommon generator, perhaps g=a 4, a is greater than 1 natural number less than p-1, p 1, p 2..., p nBe respectively device identification id 1, id 2..., id nCorresponding different prime numbers, and any one belongs to p 1~p nPrime number to deduct 1 all be a prime number divided by 2 value, p 1~p nAll greater than p, p is the big prime number greater than described decruption key, and p=2 * q+1, q also are big prime numbers, and the device identification of all computing equipments is all less than q;
After the device identification of described computing equipment is increased to described authorisation device collection, extract id 1~id nCorresponding prime number p 1~p n, differ from prime number p for described computing equipment generates at random 1~p nAnd big prime number p greater than p N+1, making this prime number deduct 1 also is a big prime number divided by 2 value, calculates
Figure A200810226639C0007174144QIETU
Mould p N+1Value β N+1, calculate respectively one less than the natural number u of M and one less than p N+1Natural number v, make u and p N+1The value of product mould M and the product mould p of v and M N+1Value be 1, calculate p N+1Product with M M+, and calculate β, p N+1, u product and β N+1, M, v product with mould M +Value β +, generate new characteristic information SID '={ β +, M +.
23, method as claimed in claim 18 is characterized in that, after described authorization service system joins described authorisation device collection with the device identification of described computing equipment, also comprises:
Described authorization service system concentrates deletion with the device identification of described computing equipment from described authorisation device.
24, method as claimed in claim 23 is characterized in that, described authorization service system concentrates deletion with the device identification of described computing equipment from described authorisation device, specifically comprises:
Described authorization service system receives the solicited message that withdraws from the authorisation device collection that described computing equipment sends; Comprise the device identification of described computing equipment and the sign of described authorisation device collection in the described solicited message that withdraws from the authorisation device collection;
Described authorization service system concentrates deletion with the device identification of described computing equipment from described authorisation device according to the described solicited message that withdraws from the authorisation device collection.
25, method as claimed in claim 23 is characterized in that, described authorization service system with the device identification of described computing equipment after described authorisation device is concentrated deletion, also comprise:
Described authorization service system generates new characteristic information according to the authorisation device collection that upgrades.
26, method as claimed in claim 25 is characterized in that, described authorization service system generates new characteristic information according to the authorisation device collection that upgrades, and specifically comprises:
The new characteristic information that generates is SID '=SID-{id t;
Wherein, id tDevice identification for described computing equipment;
SID is before the device identification of described computing equipment is concentrated deletion from described authorisation device, the characteristic information of authorisation device collection: SID={id 1, id 2..., id n; Id 1~id nFor before the device identification of described computing equipment concentrates deletion from described authorisation device, authorisation device is concentrated all device identifications; N is before the device identification of described computing equipment is concentrated deletion from described authorisation device, the device identification sum that authorisation device is concentrated.
27, method as claimed in claim 25 is characterized in that, described authorization service system generates new characteristic information according to the authorisation device collection that upgrades, and specifically comprises:
Before the device identification of described computing equipment was concentrated deletion from described authorisation device, it was id that described authorisation device is concentrated all device identifications 1~id n, the characteristic information of authorisation device collection is SID={ β, M}; Wherein, β is the natural number less than M, and satisfies β mould p jValue equal
Figure A200810226639C00091
Mould p jValue, M=p 1* p 2* ... * p n
Wherein, n is before the device identification of described computing equipment is concentrated deletion from described authorisation device, the sum of described authorisation device concentrating equipment sign, and j is the natural number smaller or equal to n, g is mould p 1~mould p nCommon generator, perhaps g=a 4, a is greater than 1 natural number less than p-1, p 1, p 2..., p nBe respectively device identification id 1, id 2..., id nCorresponding different prime numbers, and any one belongs to p 1~p nPrime number to deduct 1 all be a prime number divided by 2 value, p 1~p nAll greater than p, p is the big prime number greater than described decruption key, and p=2 * q+1, q also are big prime numbers, and the device identification of all computing equipments is all less than q;
At the device identification id that deletes described computing equipment from described authorisation device collection tAfterwards, extract id tCorresponding prime number p t, calculate M divided by p tValue M -With β mould M -Value β -, generate new characteristic information SID '={ β -, M -.
28, method as claimed in claim 19 is characterized in that, described empowerment management criterion specifically comprises:
If the IP of the computing equipment that request adds then authorizes in allowed band, otherwise does not authorize; Perhaps,
Then authorize if the expense of the user of the computing equipment that request adds payment reaches setting value, otherwise do not authorize; Perhaps,
If when the current sum of authorisation device collection reaches the maximum sum of permission, do not authorize; Otherwise authorize; Perhaps,
If when the additions and deletions frequency of authorisation device collection in the setting-up time section reaches setting value, do not authorize; Otherwise authorize.
29, method as claimed in claim 13 is characterized in that, the decruption key of the described copyright in the described authorization service system generates server from copyright and obtains; Described copyright generates server and generates described copyright and the decruption key of described copyright is sent to the authorization service system.
As the arbitrary described method of claim 1-29, it is characterized in that 30, described device identification obtains through conversion according to the identification information of at least one hardware on the described computing equipment.
31, a kind of computing equipment is characterized in that, comprising:
Device identification obtains module, is used to obtain the device identification of this computing equipment;
The decruption key generation module is used to use the device identification of the digital permission certificate of copyright of acquisition and this computing equipment to recover the decruption key of described copyright; Described digital permission certificate is to generate according to the decruption key of the characteristic information of authorisation device collection and described copyright; Described authorisation device is concentrated the device identification comprise the computing equipment that is authorized to move described copyright, the characteristic information of described authorisation device collection is to concentrate all device identifications to generate according to authorisation device, and concentrates each device identification to be associated with authorisation device; The device identification of described computing equipment is one of device identification of the described computing equipment that is authorized to move described copyright;
Deciphering module is used to use described decruption key that described copyright is decrypted.
32, computing equipment as claimed in claim 31 is characterized in that, also comprises:
Digital permission certificate request module is used to send digital permission certificate solicited message, carries the device identification of described computing equipment and the sign CID of described copyright in the described digital permission certificate solicited message; And receive the digital permission certificate return.
33, computing equipment as claimed in claim 31 is characterized in that, described device identification obtains module, comprising:
Hardware identifier obtains the unit, is used to obtain the hardware identifier of at least one hardware on this computing equipment;
The device identification generation unit, being used for according to the hardware identifier that obtains is described device identification by computational transformation.
34, a kind of digital permission certificate transmitting system is characterized in that, comprising:
The copyright generation module is used to generate the decruption key of copyright and this copyright;
Digital permission certificate solicited message receiver module is used to receive the digital permission certificate solicited message that computing equipment sends; Comprise the device identification of described computing equipment and the sign CID of copyright in the described digital permission certificate solicited message;
Authorisation device collection memory module is used to store the authorisation device collection;
The device identification authentication module is used for verifying whether the affiliated authorisation device collection of device identification of described digital permission certificate solicited message has licensed the copyright that is designated CID;
The digital license inteilectual becomes module, is used for the checking result according to described device identification authentication module, the characteristic information of described authorisation device collection and the decruption key of described copyright is generated the digital permission certificate, and send to described computing equipment.
35, system as claimed in claim 34 is characterized in that, described device identification authentication module comprises:
Authorisation device collection determining unit is used for determining authorisation device collection under the device identification of described digital permission certificate solicited message;
Authorisation device collection authentication unit is used to verify whether the authorisation device collection that described authorisation device collection determining unit is determined has licensed the copyright that is designated CID.
36, system as claimed in claim 34 is characterized in that, described digital license inteilectual becomes module, comprising:
Decruption key obtains the unit, is used for obtaining from described copyright generation module the decruption key of described copyright;
The characteristic information generation unit is used for generating according to the device identification that described authorisation device is concentrated the characteristic information of described authorisation device collection;
The digital license inteilectual becomes the unit, according to the checking result of described device identification authentication module, the characteristic information of described authorisation device collection and the decruption key of described copyright is generated the digital permission certificate;
Digital permission certificate transmitting element is used to send the digital permission certificate that described digital license inteilectual becomes the unit to generate.
37, system as claimed in claim 36 is characterized in that, also comprises:
Device identification increases module, is used to receive the solicited message that adds the authorisation device collection, comprises the sign of device identification and authorisation device collection in the solicited message of described adding authorisation device collection; And, determine described device identification is joined described authorisation device collection according to the empowerment management criterion that sets in advance.
38, system as claimed in claim 37 is characterized in that,
Described characteristic information generation unit regenerates characteristic information according to the authorisation device collection after upgrading after described device identification increase module joins described authorisation device collection with described device identification.
39, system as claimed in claim 37 is characterized in that, described device identification increases module and comprises:
The solicited message receiving element that adds the authorisation device collection is used to receive the solicited message that adds the authorisation device collection;
Determine to add the unit, be used for, determine described device identification is joined described authorisation device collection according to the empowerment management criterion that sets in advance.
40, system as claimed in claim 36 is characterized in that, also comprises:
The device identification removing module is used to receive the solicited message that withdraws from the authorisation device collection, comprises the sign of device identification and authorisation device collection in the described solicited message that withdraws from the authorisation device collection; And, described device identification is concentrated deletion from described authorisation device according to the described solicited message that withdraws from the authorisation device collection.
41, system as claimed in claim 34 is characterized in that, also comprises:
Authorisation device collection creation module is used to create the authorisation device collection.
As the arbitrary described system of claim 34-41, it is characterized in that 42, each module in the described system and unit can be arranged in a server, perhaps are arranged in different server.
CN2008102266396A 2008-11-18 2008-11-18 Digital exequatur sending system and digital work decipher operation method Expired - Fee Related CN101425112B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008102266396A CN101425112B (en) 2008-11-18 2008-11-18 Digital exequatur sending system and digital work decipher operation method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008102266396A CN101425112B (en) 2008-11-18 2008-11-18 Digital exequatur sending system and digital work decipher operation method

Publications (2)

Publication Number Publication Date
CN101425112A true CN101425112A (en) 2009-05-06
CN101425112B CN101425112B (en) 2010-09-08

Family

ID=40615723

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008102266396A Expired - Fee Related CN101425112B (en) 2008-11-18 2008-11-18 Digital exequatur sending system and digital work decipher operation method

Country Status (1)

Country Link
CN (1) CN101425112B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104348800A (en) * 2013-07-31 2015-02-11 北大方正集团有限公司 Method and device for generating and using digital content certificate
CN104751067A (en) * 2013-12-27 2015-07-01 北京慧眼智行科技有限公司 Picture file security storage method and device
CN105677586A (en) * 2016-01-07 2016-06-15 珠海格力电器股份有限公司 Access right control method and device of MCU flash memory
CN106230832A (en) * 2016-08-04 2016-12-14 北京大学 A kind of method of device identification calibration
CN108268756A (en) * 2016-12-31 2018-07-10 北京版银科技有限责任公司 Copyright and transaction processing system
CN112565397A (en) * 2020-12-02 2021-03-26 华帝股份有限公司 Intelligent equipment maintenance method and system, computer equipment and storage medium
CN113343183A (en) * 2021-04-21 2021-09-03 湖北微源卓越科技有限公司 Authorization method and system based on UKEY
CN113765902A (en) * 2021-08-25 2021-12-07 厦门亿联网络技术股份有限公司 Offline authorization method, device and system
CN115001801A (en) * 2022-05-30 2022-09-02 北京沸铜科技有限公司 Block chain-based digital content heterogeneous chain cross-chain authorization method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2881596A1 (en) * 2005-01-28 2006-08-04 Thomson Licensing Sa METHOD FOR PROTECTING AUDIO AND / OR VIDEO DIGITAL CONTENTS AND ELECTRONIC DEVICES USING THE SAME
CN100419773C (en) * 2006-03-02 2008-09-17 王清华 Permission verification and verifying system for electronic file
CN101046835A (en) * 2006-03-28 2007-10-03 中国科学院微电子研究所 Digital content protection method based on bonded with hardware equipment

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104348800A (en) * 2013-07-31 2015-02-11 北大方正集团有限公司 Method and device for generating and using digital content certificate
CN104348800B (en) * 2013-07-31 2017-09-12 北大方正集团有限公司 A kind of generation of digital content certificate and the method and apparatus used
CN104751067A (en) * 2013-12-27 2015-07-01 北京慧眼智行科技有限公司 Picture file security storage method and device
CN104751067B (en) * 2013-12-27 2019-03-12 北京慧眼智行科技有限公司 A kind of method and apparatus of picture file secure storage
CN105677586B (en) * 2016-01-07 2018-11-30 珠海格力电器股份有限公司 The access right control method and device of the flash memory of MCU
CN105677586A (en) * 2016-01-07 2016-06-15 珠海格力电器股份有限公司 Access right control method and device of MCU flash memory
CN106230832A (en) * 2016-08-04 2016-12-14 北京大学 A kind of method of device identification calibration
CN106230832B (en) * 2016-08-04 2019-01-29 北京大学 A kind of method of device identification calibration
CN108268756A (en) * 2016-12-31 2018-07-10 北京版银科技有限责任公司 Copyright and transaction processing system
CN112565397A (en) * 2020-12-02 2021-03-26 华帝股份有限公司 Intelligent equipment maintenance method and system, computer equipment and storage medium
CN113343183A (en) * 2021-04-21 2021-09-03 湖北微源卓越科技有限公司 Authorization method and system based on UKEY
CN113765902A (en) * 2021-08-25 2021-12-07 厦门亿联网络技术股份有限公司 Offline authorization method, device and system
CN115001801A (en) * 2022-05-30 2022-09-02 北京沸铜科技有限公司 Block chain-based digital content heterogeneous chain cross-chain authorization method
CN115001801B (en) * 2022-05-30 2023-05-30 北京沸铜科技有限公司 Digital content heterogeneous chain cross-chain authorization method based on blockchain

Also Published As

Publication number Publication date
CN101425112B (en) 2010-09-08

Similar Documents

Publication Publication Date Title
CN101425112B (en) Digital exequatur sending system and digital work decipher operation method
CN109697365B (en) Information processing method, block chain node and electronic equipment
US7975312B2 (en) Token passing technique for media playback devices
CN100583083C (en) Apparatus and method for processing digital rights object
KR101776635B1 (en) Apparatus for performing on behalf an electronic signature for client terminal and operating method thereof
CN101911087B (en) Cloud-based movable-component binding
CN101268651B (en) Rights management system for streamed multimedia content
CN101496327B (en) Rights management system for streamed multimedia content
CN101286994B (en) Digital literary property management method, server and system for content sharing within multiple devices
US20050256910A1 (en) Method and apparatus for limiting number of times contents can be accessed using hash chain
CN101103591A (en) Method for moving a rights object between devices and a method and device for using a content object based on the moving method and device
CN101192261A (en) Method and apparatus for generating proxy-signature on right object and issuing proxy signature certificate
CN102461114A (en) Method for performing double domain encryption a memory device
CN103491098A (en) Software authorization method based on public key cryptosystem
CN101107611A (en) Private and controlled ownership sharing
CN1439207A (en) A platform and method for establishing provable identities while maintaining privacy
CN103457733A (en) Data sharing method and system under cloud computing environment
CN101262332A (en) Method and system for mutual authentication between mobile and host devices
CN101189633A (en) Method and apparatus for authorizing rights issuers in a content distribution system
CN105743903A (en) Audio digital rights management method and system, intelligent terminal and authentication server
CN101281630A (en) System and method for counting digital content
CN104657629A (en) Document copyright protection method and device
CN101501724A (en) Rights management system for streamed multimedia content
CN101582876A (en) Method, device and system for registering user generated content (UGC)
CN104462877A (en) Digital resource acquisition method and system under copyright protection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220615

Address after: 100871 No. 5, the Summer Palace Road, Beijing, Haidian District

Patentee after: Peking University

Patentee after: New founder holdings development Co.,Ltd.

Patentee after: FOUNDER APABI TECHNOLOGY Ltd.

Address before: 100871 No. 5, the Summer Palace Road, Beijing, Haidian District

Patentee before: Peking University

Patentee before: PEKING UNIVERSITY FOUNDER GROUP Co.,Ltd.

Patentee before: FOUNDER APABI TECHNOLOGY Ltd.

TR01 Transfer of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100908

CF01 Termination of patent right due to non-payment of annual fee