CN101433011A - Method and system for protecting broadcast service/content in a mobile broadcast system, and method for generating short term key message therefor - Google Patents
- Publication number: CN101433011A (application CN200780015255A / CNA2007800152553A)
- Authority: CN (China)
- Prior art keywords: stkm, tek, broadcast service, bsd, bsm
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords (under H04L9/08, key distribution or management; H04L9/00, cryptographic mechanisms and network security protocols; H04L, transmission of digital information; H04, electric communication technique; H, electricity)
- H04L9/3236: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication (H04L9/32) using cryptographic hash functions
- H04L9/3242: Cryptographic mechanisms including means for message authentication (H04L9/32) using keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
- H04L9/3247: Cryptographic mechanisms including means for message authentication (H04L9/32) involving digital signatures
- H04L2209/601: Broadcast encryption (under H04L2209/60, digital content management, e.g. content distribution; H04L2209/00, additional information or applications relating to cryptographic mechanisms H04L9/00)
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Computer Networks & Wireless Communication; Signal Processing; Power Engineering; Mobile Radio Communication Systems; Two-Way Televisions, Distribution of Moving Picture or the Like.
Abstract
Disclosed is a method for generating a Short Term Key Message (STKM) for protection of a broadcast service being broadcasted to a terminal in a mobile broadcast system. The method includes transmitting, by a Broadcast Service Subscription Management (BSM) for managing subscription information, at least one key information for authentication of the broadcast service to a Broadcast Service Distribution/Adaptation (BSD/A) for transmitting the broadcast service, generating, by the BSD/A, a Traffic Encryption Key (TEK) for deciphering of the broadcast service in the terminal and inserting the TEK into a partially created STKM, and performing, by the BSD/A, Message Authentication Code (MAC) processing on the TEK-inserted STKM using the at least one key information, thereby generating a completed STKM.
Description
Technical field
The present invention relates generally to broadcast service methods and systems in a mobile broadcast system, and in particular to a method and system for protecting broadcast services/content between the network entities that make up the broadcast system, and to a method for generating the encryption keys and messages used for that protection.
Background technology
The mobile communication market is constantly creating demand for new services by combining or integrating existing technologies. Conventional mobile communication systems have now evolved to provide broadcast services through portable terminals such as mobile phones and personal digital assistants (PDAs). Driven by market demand, by user demand for multimedia services, by service providers' strategy of offering new services such as broadcast alongside existing voice services, and by information technology (IT) companies strengthening their mobile communication business to meet user needs, the convergence of mobile communication services and Internet Protocol (IP) technology has become the mainstream of next-generation mobile communication technology.
As a group that studies standards for interworking between mobility solutions, the Open Mobile Alliance (OMA) has established various application standards for features such as mobile games and Internet services. In particular, the Mobile Broadcast (BCAST) sub-working group of the OMA Browser and Content (BAC) working group is studying technology for providing broadcast services to portable terminals. The mobile broadcast system discussed in the OMA BCAST working group is described briefly below.
Fig. 1 is a block diagram illustrating the network architecture of a conventional mobile broadcast system.
Referring to Fig. 1, Content Creation (CC) 10 is the broadcast service (hereinafter BCAST service) provider; a BCAST service can include conventional audio/video broadcast services and file (music or data file) download services. The BCAST Service Application (BSA) 20 generates BCAST service data by processing the BCAST service data provided by CC 10 into a form suitable for the BCAST network of Fig. 1, and generates the standardized metadata needed for the mobile broadcast guide.
The BCAST Service Distribution/Adaptation (BSD/A) 30 establishes the bearer over which the BCAST service data provided by BSA 20 will be delivered, determines the transmission schedule of the BCAST service, and generates the mobile broadcast guide. BCAST Subscription Management (BSM) 40 manages the subscription information and BCAST service provisioning information used to receive the BCAST service, and the device information of the portable terminals that receive the BCAST service.
Terminal 50 can receive the BCAST service and, depending on its capabilities, can connect to a cellular network. Here it is assumed that terminal 50 can connect to a cellular network. The broadcast network 60 delivers the BCAST service and can be, for example, Digital Video Broadcasting - Handheld (DVB-H), 3GPP Multimedia Broadcast and Multicast Service (MBMS) or 3GPP2 Broadcast and Multicast Service (BCMCS). The interactive network 70 delivers the BCAST service on a point-to-point basis or interactively exchanges control information and additional information related to reception of the BCAST service, and can be, for example, an existing cellular network.
In the BCAST service, a plurality of portable terminals receive encrypted service data transmitted by a server that manages the broadcast service. A portable terminal decrypts the encrypted service data provided by the server using an encryption key stored in the terminal in advance, and can then use the corresponding service. In this context, the methods for encrypting broadcast content/services fall roughly into service protection and content protection. Service protection refers to protection of the delivery channel between BSD/A 30 and terminal 50; content protection refers to end-to-end protection between BSA 20 and terminal 50.
However, the current mobile broadcast system has no detailed scheme for protecting the delivery of broadcast services and/or content, such as the entities and procedures for generating and transmitting, between the entities that make up the broadcast system, the encryption keys and messages used to encrypt broadcast services and/or content. There is therefore a need to introduce such a scheme.
Summary of the invention
An aspect of the present invention is to address at least the problems and/or disadvantages described above and to provide at least the following advantages. Accordingly, an aspect of the present invention is to provide a method and system for protecting broadcast services and/or content in a mobile broadcast system.
Another aspect of the present invention is to provide a method and system for generating, in a mobile broadcast system, encryption keys and messages for protecting broadcast services and/or content.
Another aspect of the present invention is to provide a method and system for generating, in a mobile broadcast system, a Traffic Encryption Key (TEK) and a Short Term Key Message (STKM) for protecting broadcast services and/or content.
Another aspect of the present invention is to provide a method and system for generating and transmitting, between the entities that make up a broadcast system, encryption keys and messages for protecting broadcast services and/or content in a mobile broadcast system.
Another aspect of the present invention is to provide a method and system for configuring a broadcast system in a mobile broadcast system and for generating and transmitting, between its components, messages for protecting broadcast services and/or content.
According to the present invention, there is provided a method for generating, in a mobile broadcast system, an STKM for protecting a broadcast service broadcast to a terminal. The method includes: a BSD/A that transmits the broadcast service to the terminal transmits, to a BSM that manages subscription information, a partially created STKM prior to Message Authentication Code (MAC) processing; the BSM inserts into the partially created STKM a TEK used to decrypt the broadcast service; and the BSM performs MAC processing on the TEK-inserted STKM, thereby generating a complete STKM.
According to the present invention, there is also provided a method for generating, in a mobile broadcast system, an STKM for protecting a broadcast service broadcast to a terminal. The method includes: the BSM that manages subscription information transmits at least one key information for authenticating the broadcast service to the BSD/A that transmits the broadcast service; the BSD/A generates a TEK for decrypting the broadcast service at the terminal and inserts the TEK into a partially created STKM; and the BSD/A performs MAC processing on the TEK-inserted STKM using the at least one key information, thereby generating a complete STKM.
According to the present invention, there is provided a mobile broadcast system for transmitting to a terminal an STKM used to receive a broadcast service. The system includes: a BSD/A for generating a partially created STKM prior to MAC processing, encrypting the broadcast service with a TEK, and broadcasting the encrypted broadcast service; and a BSM for managing the subscription information of the terminal, inserting the TEK into the partially created STKM received from the BSD/A, generating a complete STKM by performing MAC processing on the TEK-inserted STKM, and transmitting the complete STKM to the BSD/A.
According to the present invention, there is also provided a mobile broadcast system for transmitting to a terminal an STKM used to receive a broadcast service. The system includes: a BSD/A for inserting the TEK of the broadcast service into a partially created STKM prior to MAC processing, and generating a complete STKM using at least one key information that includes an authentication key; and a BSM for managing the subscription information of the terminal and transmitting the at least one key information to the BSD/A.
Description of drawings
The above and other objects, features and advantages of the present invention will become more apparent from the following detailed description taken in conjunction with the accompanying drawings, in which:
Fig. 1 illustrates the network architecture of a conventional mobile broadcast system;
Fig. 2 illustrates a BSM-based method for generating an encryption key and a short term key message according to a first embodiment of the present invention;
Fig. 3 illustrates a BSM-based method for generating a plurality of encryption keys and short term key messages according to a second embodiment of the present invention;
Fig. 4 illustrates a BSD/A-based method for generating an encryption key and a short term key message according to a third embodiment of the present invention;
Fig. 5 illustrates a BCAST service protection method using the first or second embodiment of the present invention;
Fig. 6 illustrates a BCAST service protection method using the third embodiment of the present invention;
Fig. 7 illustrates the processing performed during operation of the BCAST DRM profile in the broadcast service protection architecture presented in Figs. 2 and 3;
Fig. 8 illustrates the processing performed during operation of the BCAST smartcard profile in the broadcast service protection architecture presented in Figs. 2 and 3;
Fig. 9 illustrates the processing performed during operation of the BCAST DRM profile in the broadcast content protection architecture presented in Figs. 2 and 3;
Fig. 10 illustrates the processing performed during operation of the BCAST smartcard profile in the broadcast content protection architecture presented in Figs. 2 and 3;
Fig. 11 illustrates how the methods described in Figs. 2 and 3 interwork with the STKM generation method of the broadcast service and content protection architecture; and
Fig. 12 illustrates how the method described in Fig. 4 interworks with the broadcast service and content protection architecture.
Detailed description
Preferred embodiments of the present invention will now be described with reference to the drawings. In the drawings, the same or similar elements are denoted by the same reference numerals even when they appear in different figures. In the following description, detailed descriptions of known functions and configurations incorporated herein are omitted for clarity and conciseness.
For convenience, the description of the invention uses the names of entities defined in the Third Generation Partnership Project (3GPP), the asynchronous mobile communication standard, or in the OMA BCAST mentioned above. The cited standards and their entity names are not intended to limit the scope of the present invention, which can be applied to any system with a similar technical background.
First, the basic method of performing service protection and content protection in a mobile broadcast system according to the present invention is described briefly. Fig. 1 shows the basic architecture of a mobile broadcast system to which the present invention can be applied, and the present invention discloses the service and content protection schemes for it.
For content protection, content provided by CC 10 is encrypted at BSA 20 or BSD/A 30 and then broadcast to terminal 50. Unlike content protection, service protection encrypts the delivery channel over which BSD/A 30 provides the BCAST service. BSM 40 performs subscription management of terminal 50 for service protection and/or content protection.
The information related to the encryption keys used for service protection and/or content protection, and the way they are used, are as follows. To receive protected broadcast services/content from the broadcast system of Fig. 1, terminal 50 subscribes to BSM 40 as a service subscriber and then receives a Registration Key Message (RKM). Thereafter, when it subscribes to a service, terminal 50 can obtain a Long Term Key Message (LKM), and then obtains the Short Term Key Message (STKM) used to decrypt the encrypted service/content.
Terminal 50 can decrypt the LKM using the RKM and, as the result of that decryption, obtains a Service Encryption Key (SEK) and a Service Authentication Key (SAK). SEK and SAK are carried in the LKM in a combined form called the Service Encryption Authentication Key (SEAK), and are thus delivered to terminal 50.
The STKM carries the TEK. To protect the TEK, the STKM is encrypted with the SEAK (the TEK under the SEK) and a MAC function is then applied to it (under the SAK). Using the TEK recovered by decryption with the SEAK, terminal 50 can decrypt the encrypted service/content.
As shown in Fig. 1, a service protected by the encryption key is delivered from BSD/A 30 to terminal 50, and content protected by the encryption key is delivered from BSA 20 to terminal 50.
Table 1 defines the BCAST interfaces (BCAST-1 to BCAST-8) 100 to 160 shown in Fig. 1.
Table 1

| Interface | Function |
|---|---|
| BCAST-1 | Delivers content from CC to BSA. |
| BCAST-2 | Delivers content/service from BSA to BSD/A. |
| BCAST-3 | Delivers from BSM to BSA the TEK used to encrypt content. |
| BCAST-4 | Delivers TEK, RKM, LKM, STKM etc. from BSM to BSD/A. Exchanges SG data request messages and their response messages between BSD/A and BSM. |
| BCAST-5 | Delivers the encrypted service and the encrypted RKM, LKM etc. to the terminal. |
| BCAST-7 | Delivers RKM, LKM from BSM to the terminal over the interactive channel. |
| BCAST-8 | Out-of-band channel between terminal and BSM. |
In Tables 2 to 7, "Name" is the name of the element or attribute that makes up the corresponding message. "Type" indicates whether the corresponding name is an element or an attribute. Elements have the values E1, E2, E3 and E4, where E1 is the top-level element of the whole message, E2 a sub-element of E1, E3 a sub-element of E2, and E4 a sub-element of E3. Attributes are denoted A, an attribute of the corresponding element; for example, an A under E1 is an attribute of E1. "Category" states whether the element or attribute is mandatory or optional, with value M for a mandatory element or attribute and O for an optional one. "Cardinality" indicates the relationship between elements and takes the values 0, 0..1, 1, 0..n and 1..n, where 0 denotes an optional relationship, 1 a mandatory relationship, and n that multiple values may be used; for example, 0..n means the message may carry no such element or n of them. "Description" gives the meaning of the element or attribute, and "Data type" the data type used for it.
Tables 2 to 7 show the field formats of the messages defined in the present invention, and each table describes every field of its message. Table 8 shows the cases in which these messages can be used. The encryption key and the message used to encrypt the service/content are referred to herein as the TEK and the STKM respectively.
Table 2 defines the request message format Req-1.
Table 2

| Name | Type | Category | Cardinality | Description | Data type |
|---|---|---|---|---|---|
| Label | E | M | 1 | Message type | Integer |
| Version | E | O | 1 | Version of the standard this message supports | Integer |
| Message ID | E | M | 1 | ID of this message | String |
| Destination | E | M | 1 | Message destination ID | String |
| Source | E | M | 1 | Message source ID | String |
| Service/content information | E | M | 1 | Related information such as the corresponding service/content ID | String |
| Option | E | O | 1 | Specifies a single STKM or multiple STKMs | Integer |
| Time | E | O | 1 | Time the message was sent | String |
Table 3 defines the response message format Res-1.
Table 3

| Name | Type | Category | Cardinality | Description | Data type |
|---|---|---|---|---|---|
| Label | E | M | 1 | Message type | Integer |
| Version | E | O | 1 | Version of the standard this message supports | Integer |
| Message ID | E | M | 1 | ID of the request message | String |
| Destination | E | M | 1 | Message destination ID | String |
| Source | E | M | 1 | Message source ID | String |
| Service/content information | E | O | 1 | Related information such as the corresponding service/content ID | String |
| Status | E | M | 1 | Response result of the message | Integer |
| Data | E | O | 1 | The information to be delivered to the destination | Binary |
| Time | E | O | 1 | Time the message was sent | String |
Table 4 defines the shortened response message format Res-2.
Table 4

| Name | Type | Category | Cardinality | Description | Data type |
|---|---|---|---|---|---|
| Label | E | M | 1 | Message type | Integer |
| Message ID | E | M | 1 | ID of the request message | String |
| Status | E | M | 1 | Response result of the message | Integer |
| Data | E | O | 1 | The information to be delivered to the destination | Binary |
Table 5 defines the transfer message format Tra-1.
Table 5

| Name | Type | Category | Cardinality | Description | Data type |
|---|---|---|---|---|---|
| Label | E | M | 1 | Message type | Integer |
| Version | E | O | 1 | Version of the standard this message supports | Integer |
| Message ID | E | M | 1 | ID of this message | String |
| Destination | E | M | 1 | Message destination ID | String |
| Source | E | M | 1 | Message source ID | String |
| Service/content information | E | M | 1 | Related information such as the corresponding service/content ID | String |
| Data | E | M | 1 | The information to be delivered to the destination | Binary |
| Option | E | O | 1 | Specifies a single STKM or multiple STKMs | Integer |
| Time | E | O | 1 | Time the message was sent | String |
Table 6 defines the confirmation message format Con-1.
Table 6

| Name | Type | Category | Cardinality | Description | Data type |
|---|---|---|---|---|---|
| Label | E | M | 1 | Message type | Integer |
| Version | E | O | 1 | Version of the standard this message supports | Integer |
| Message ID | E | M | 1 | ID of the transfer message | String |
| Destination | E | M | 1 | Message destination ID | String |
| Source | E | M | 1 | Message source ID | String |
| Service/content information | E | O | 1 | Related information such as the corresponding service/content ID | String |
| Status | E | M | 1 | Confirmation result of the message | Integer |
| Time | E | O | 1 | Time the message was sent | String |
Table 7 defines the shortened confirmation message format Con-2.
Table 7

| Name | Type | Category | Cardinality | Description | Data type |
|---|---|---|---|---|---|
| Label | E | M | 1 | Message type | Integer |
| Message ID | E | M | 1 | ID of the transfer message | String |
| Status | E | M | 1 | Confirmation result of the message | Integer |
Table 8 shows the message types identified by the "Label" of the message formats defined in Tables 2 to 7. The "Label" values defined below are not fixed; they simply identify the message type and may change with the environment. In general, in response and confirmation messages, Status = "0" indicates that the corresponding entity successfully received the request or transfer message and performed the associated event, and Status = "1" indicates that the entity failed to receive the request or transfer message and therefore did not perform the associated event.
In Tables 2 to 7, the "Option" field indicates whether a single STKM or multiple STKMs are requested. Option = "0" requests a single STKM, Option = "1" requests multiple STKMs (that is, all STKMs of the corresponding content (program)), and Option = "2" requests all STKMs of a service.
Table 8 also shows, for each "Label" value, the message type and the applied message type; performance can be improved by using the shortened messages Res-2 or Con-2, which carry only the message ID (shown under "applied message type").
Table 8
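The formats of Tables 2 to 7 and the Option/Status semantics above, as an added example that is not part of the patent: a validator for the six message formats plus builders for the Res-1/Res-2 reply to a Req-1 and the Con-1/Con-2 reply to a Tra-1. The Label integers are constructed placeholders (the patent says they vary by environment and Table 8 is not reproduced on this page), and the rule that a Res-1/Con-1 swaps the request's Source and Destination is an assumption, since the tables only say the reply carries the request's or transfer's Message ID.

```python
# Added example, not the patent's code: the message formats of Tables 2 to 7.
# Field names follow the tables; Label values used by callers are placeholders.

MANDATORY = {
    "Req-1": ["Label", "Message ID", "Destination", "Source", "Service/content information"],
    "Res-1": ["Label", "Message ID", "Destination", "Source", "Status"],
    "Res-2": ["Label", "Message ID", "Status"],
    "Tra-1": ["Label", "Message ID", "Destination", "Source", "Service/content information", "Data"],
    "Con-1": ["Label", "Message ID", "Destination", "Source", "Status"],
    "Con-2": ["Label", "Message ID", "Status"],
}
OPTIONAL = {
    "Req-1": ["Version", "Option", "Time"],
    "Res-1": ["Version", "Service/content information", "Data", "Time"],
    "Res-2": ["Data"],
    "Tra-1": ["Version", "Option", "Time"],
    "Con-1": ["Version", "Service/content information", "Time"],
    "Con-2": [],
}
# Option values have the same meaning in every format that carries the field.
OPTION_MEANING = {0: "single STKM", 1: "all STKMs of one content (program)", 2: "all STKMs of one service"}
STATUS_OK, STATUS_FAIL = 0, 1   # Status: 0 = received and processed, 1 = not received / not processed


def validate(fmt, msg):
    """Return the list of problems with msg under format fmt; [] means it conforms."""
    if fmt not in MANDATORY:
        return [f"unknown format {fmt!r}"]
    errors = []
    allowed = set(MANDATORY[fmt]) | set(OPTIONAL[fmt])
    for name in MANDATORY[fmt]:
        if name not in msg:
            errors.append(f"missing mandatory field {name!r}")
    for name in msg:
        if name not in allowed:
            errors.append(f"field {name!r} not defined for {fmt}")
    if "Option" in msg and msg["Option"] not in OPTION_MEANING:
        errors.append(f"Option must be one of {sorted(OPTION_MEANING)}")
    if "Status" in msg and msg["Status"] not in (STATUS_OK, STATUS_FAIL):
        errors.append("Status must be 0 (processed) or 1 (not received/processed)")
    if "Data" in msg and not isinstance(msg["Data"], (bytes, bytearray)):
        errors.append("Data must be binary")
    for name in ("Label", "Version", "Option", "Status"):
        if name in msg and not isinstance(msg[name], int):
            errors.append(f"{name} must be an integer")
    return errors


def respond(req, label, data=None, ok=True, short=False):
    """Build the Res-1 (or shortened Res-2 when short=True) answering a Req-1.
    The reply carries the request's Message ID (Tables 3 and 4); Res-1 also
    returns the addresses swapped (assumption) and echoes the service/content info."""
    res = {"Label": label, "Message ID": req["Message ID"],
           "Status": STATUS_OK if ok else STATUS_FAIL}
    if data is not None:
        res["Data"] = data
    if not short:
        res["Destination"], res["Source"] = req["Source"], req["Destination"]
        if "Service/content information" in req:
            res["Service/content information"] = req["Service/content information"]
    return res


def confirm(tra, label, ok=True, short=False):
    """Build the Con-1 (or shortened Con-2) acknowledging a Tra-1; no Data field."""
    con = {"Label": label, "Message ID": tra["Message ID"],
           "Status": STATUS_OK if ok else STATUS_FAIL}
    if not short:
        con["Destination"], con["Source"] = tra["Source"], tra["Destination"]
        if "Service/content information" in tra:
            con["Service/content information"] = tra["Service/content information"]
    return con
```

A receiving entity should run validate() on every inbound message before acting on it and answer a malformed request with Status = 1 rather than silently dropping it, so that the sender can distinguish a lost message from a rejected one.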
Fig. 2 is a signaling diagram of the BSM-based method for generating an encryption key and a short term key message according to the first embodiment, in which a TEK is generated as the encryption key and an STKM as the short term key message. The STKM is generated in BSM 40 so that a subscriber who subscribes to a service can obtain the LKM and then the TEK with which the broadcast service and/or content is decrypted.
In the TEK and STKM generation method of the first embodiment, BSM 40 generates the TEK and STKM directly, but BSD/A 30 also takes part in the STKM generation. When generating the STKM, BSD/A 30 creates neither the TEK part nor the MAC part of the STKM.
Referring to Fig. 2, in step 201 BSD/A 30 transmits to BSM 40 a partially created STKM, that is, an STKM without the TEK and without the MAC. For this purpose, although not shown in Fig. 2, BSM 40 can send Req-1 of Table 2 to BSD/A 30 as an STKM request message. On receiving the STKM request message, BSD/A 30 can transmit to BSM 40 Res-1 of Table 3 or Res-2 of Table 4, carrying the partially created STKM, as the STKM request response.
As another example, BSD/A 30 can send the partially created STKM directly, without any request from BSM 40, using Tra-1 defined in Table 5 as an STKM transfer message. In that case, on receiving the STKM transfer message, BSM 40 replies to BSD/A 30 with Con-1 defined in Table 6 or Con-2 defined in Table 7 as an STKM transfer confirmation message indicating receipt of the STKM.
In step 203, after receiving the partially created STKM, BSM 40 generates the TEK. BSM 40 then encrypts the generated TEK with the SEK and inserts it into the STKM, performs MAC processing on the STKM with the SAK, and inserts the resulting value into the STKM to produce the complete STKM. The complete STKM is sent from BSM 40 to BSD/A 30.
Fig. 3 illustrates the BSM-based method for generating a plurality of encryption keys and short term key messages according to the second embodiment, in which a plurality of TEKs and STKMs are generated for one content (program)/service.
Referring to Fig. 3, in step 301 BSD/A 30 sends to BSM 40 a plurality of partially created STKMs for one content (program) or one service. In step 303, BSM 40 transmits to BSD/A 30 a plurality of complete STKMs for that content (program) or service. Thus, although the method of Fig. 3 is similar to that of Fig. 2, BSM 40 sends the plurality of STKMs generated for one content (program) or service rather than a single complete STKM. In this case, in Req-1 of Table 2 used as the STKM request message, the Option field should be set to "1" or "2" to indicate delivery of multiple STKMs. Likewise, as in the other example of Fig. 2, even when BSD/A 30 uses Tra-1 of Table 5 to send the partially created STKMs directly to BSM 40 as an STKM transfer message, its Option field should be set to "1" or "2" to indicate delivery of multiple STKMs.
Although BSM 40 generates the TEK in the embodiments of Figs. 2 and 3, BSD/A 30 rather than BSM 40 may also generate the TEK, insert it together with the partial information into the partially created STKM, and deliver it to BSM 40. In that case BSM 40 encrypts the TEK with the SEK, puts it back into the MAC-less STKM received from BSD/A 30, performs MAC processing on it with the SAK, and returns the complete STKM to BSD/A 30.
BSD/A 30 can thus send to BSM 40 a partially created STKM that already carries the TEK. Alternatively, if BSD/A 30 uses several fields of the message to send the information needed to generate the STKM (such as the TEK), BSM 40 can generate the STKM by extracting the associated information, including the TEK, from that message.
Fig. 4 illustrates the BSD/A-based method for generating an encryption key and a short term key message according to the third embodiment, in which a TEK is generated as the encryption key and an STKM as the short term key message.
In Fig. 4, BSD/A 30 alone generates the TEK and the STKM. For this purpose, in step 401 BSM 40 transmits to BSD/A 30 the SEK and SAK used for service encryption and authentication, so that BSD/A 30 can perform MAC processing on the STKM. On receiving the SEK and SAK, in step 403 BSD/A 30 encrypts the TEK with the SEK, inserts it into the partially created STKM, and performs MAC processing with the SAK on the TEK-inserted STKM, thereby generating the complete STKM. BSD/A 30 then transmits the generated STKM to terminal 50.
Although not shown in Fig. 4, BSD/A 30 can send Req-1 of Table 2 to BSM 40 as a SEAK request message asking for delivery of the SEK and SAK. On receiving the SEAK request message, BSM 40 can reply to BSD/A 30 with Res-1 of Table 3 or Res-2 of Table 4 as the SEAK response message.
As another example, even without a delivery request for the SEK and SAK from BSD/A 30, BSM 40 can deliver the SEK and SAK directly by sending Tra-1 of Table 5 to BSD/A 30 as a SEAK transfer message. On receiving the SEAK transfer message, BSD/A 30 can send Con-1 of Table 6 or Con-2 of Table 7 to BSM 40 as the transfer confirmation message. Although in the method of Fig. 4 the SEAK combining the SEK and SAK can be exchanged between BSM 40 and BSD/A 30, the SEK and SAK can also be delivered separately.
In the present invention disclosed table 2 can also be defined as table 9 to the message format shown in the table 12 to the message format of table 6.
Table 9 defines the request message format Req-1', an alternative message format to Table 2.
Table 9

Name | Type | Classification | Cardinality | Description | Data type
---|---|---|---|---|---
SKeyReq | E | | | Specifies the secret key request message. Contains the following attributes: key request ID, physical address, tag, version, time. Contains the following element: global service ID |
SKeyReqID | A | M | 1 | Identifier of the secret key request message | Unsigned integer (32 bits)
Physical address | A | M | 1 | Address of the network entity that is to receive the response to this message | anyURI
Tag | A | O | 0..1 | Identifier of the message type, defined in section x.x | Unsigned byte
Version | A | O | 0..1 | BCAST enabler version supported by this message | String
Time | A | O | 0..1 | Time at which this message is sent. The NTP time format is used for this field. | Integer
GlobalServiceID | E1 | M | 1..N | Identifier of the service to be encrypted | anyURI
Table 10 defines the response message format Res-1', an alternative message format to Table 3.
Table 10

Name | Type | Classification | Cardinality | Description | Data type
---|---|---|---|---|---
SKRRes | E | | | Specifies the response message to the secret key request message. Contains the following attributes: tag, version, time. Contains the following element: key request ID |
Tag | A | O | 0..1 | Identifier of the message type, defined in section x.x | Unsigned byte
Version | A | O | 0..1 | BCAST enabler version supported by this message | String
Time | A | O | 0..1 | Time at which this message is sent. The NTP time format is used for this field. | Integer
 | E1 | M | 1..N | Identifier of the secret key request message. Contains the following attribute: status code | Unsigned integer (32 bits)
Status | A | M | 1 | Global status code for the overall result of the request, as defined in Appendix D | Unsigned byte
GlobalServiceID | E2 | O | 0..N | Identifier of the service to be encrypted. Contains the following attribute: data | anyURI
Data | A | | 1 | TEK associated with the global service ID | String
Table 11 defines the delivery message format Tra-1', an alternative message format to Table 5.
Table 11

Name | Type | Classification | Cardinality | Description | Data type
---|---|---|---|---|---
SKeyDelivery | E | | | Specifies the key delivery message. Contains the following attributes: key delivery ID, physical address, tag, version, time. Contains the following element: global service ID |
SKeyDeliv | A | M | 1 | Identifier of the secret key request message | Unsigned integer (32 bits)
Physical address | A | M | 1 | Address of the network entity that is to receive the response to this message | anyURI
Tag | A | O | 0..1 | Identifier of the message type, defined in section x.x | Unsigned byte
Version | A | O | 0..1 | BCAST enabler version supported by this message | String
Time | A | O | 0..1 | Time at which this message is sent. The NTP time format is used for this field. | Integer
GlobalServiceID | E2 | M | 1..N | Identifier of the service to be encrypted. Contains the following attribute: data | anyURI
Data | A | | 1 | TEK associated with the global service ID | String
Table 12 defines the confirmation message format Con-1', an alternative message format to Table 6.
Table 12

Name | Type | Classification | Cardinality | Description | Data type
---|---|---|---|---|---
SKDRes | E | | | Specifies the confirmation message for the key delivery message. Contains the following attributes: tag, version, time. Contains the following element: key delivery ID |
Tag | A | O | 0..1 | Identifier of the message type, defined in section x.x | Unsigned byte
Version | A | O | 0..1 | BCAST enabler version supported by this message | String
Time | A | O | 0..1 | Time at which this message is sent. The NTP time format is used for this field. | Integer
SKeyDeli | E1 | M | 1..N | Identifier of the key delivery message. Contains the following attribute: status code | Unsigned integer (32 bits)
Status | A | M | 1 | Global status code for the overall result of the request, as defined in Appendix D | Unsigned byte
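The tables above give only the field layout of the alternative request and delivery messages. The following is an added example, not code from the patent, that serializes an SKeyReq (Table 9) and an SKeyDelivery (Table 11) message and checks the mandatory/optional classification and cardinality rules on receipt. The XML encoding, the attribute spellings (including the assumed identifier name SKeyDeliveryID) and all sample values are assumptions made for this example.

```python
"""Added example: build and validate the Table 9 / Table 11 message formats.
XML encoding, attribute spellings and sample values are assumptions."""
import xml.etree.ElementTree as ET
import time

# Classification per attribute: "M" mandatory (cardinality 1), "O" optional (0..1).
COMMON_ATTRS = {"Physical": "M", "Tag": "O", "Version": "O", "Time": "O"}
SPECS = {
    "SKeyReq": {"SKeyReqID": "M", **COMMON_ATTRS},            # Table 9
    "SKeyDelivery": {"SKeyDeliveryID": "M", **COMMON_ATTRS},  # Table 11 (ID name assumed)
}
ID_ATTR = {"SKeyReq": "SKeyReqID", "SKeyDelivery": "SKeyDeliveryID"}


def build_message(kind, msg_id, destination, services, version=None, teks=None):
    """Serialize one message. For SKeyDelivery, `teks` maps each global
    service ID to the TEK carried in its Data attribute."""
    root = ET.Element(kind, {ID_ATTR[kind]: str(msg_id), "Physical": destination,
                             "Time": str(int(time.time()))})  # Time: NTP-style integer
    if version is not None:
        root.set("Version", version)
    for sid in services:
        elem = ET.SubElement(root, "GlobalServiceID")
        elem.text = sid
        if kind == "SKeyDelivery":
            elem.set("Data", teks[sid])   # Table 11: TEK associated with the service ID
    return ET.tostring(root, encoding="unicode")


def validate(xml_text):
    """Return the list of rule violations for a received message (empty = valid)."""
    root = ET.fromstring(xml_text)
    spec = SPECS.get(root.tag)
    if spec is None:
        return [f"unknown message type {root.tag}"]
    errors = []
    # Attribute classification: every "M" attribute must be present, nothing extra.
    for name, cls in spec.items():
        if cls == "M" and name not in root.attrib:
            errors.append(f"missing mandatory attribute {name}")
    for name in root.attrib:
        if name not in spec:
            errors.append(f"unexpected attribute {name}")
    # Message identifier: unsigned 32-bit integer.
    mid = root.get(ID_ATTR[root.tag], "")
    if not (mid.isdigit() and int(mid) < 2 ** 32):
        errors.append("message ID must be an unsigned 32-bit integer")
    # GlobalServiceID: cardinality 1..N; Data only appears in SKeyDelivery.
    services = root.findall("GlobalServiceID")
    if not services:
        errors.append("at least one GlobalServiceID element is required")
    for svc in services:
        if root.tag == "SKeyDelivery" and "Data" not in svc.attrib:
            errors.append(f"GlobalServiceID {svc.text} lacks its Data (TEK) attribute")
        if root.tag == "SKeyReq" and "Data" in svc.attrib:
            errors.append("SKeyReq GlobalServiceID must not carry a Data attribute")
    return errors
```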
Referring to Figs. 5 and 6, examples in which the STKM generation methods disclosed in Figs. 2 to 4 are applied to a BCAST service protection method will now be described.
Fig. 5 is a signaling diagram illustrating a BCAST service protection method using the first or second embodiment of the present invention. It shows the process of delivering an encrypted service using the embodiment of Fig. 2 or Fig. 3; the content encryption processing used for content protection is optional, so its description is omitted here.
Referring to Fig. 5, in step 501 terminal 50 accesses, via the Internet 70, BSM 40, which manages the subscription information of subscribers receiving BCAST services and BCAST service provisioning information, and performs a registration process for BCAST service subscription and reception. After the registration process, in step 503 terminal 50 obtains from BSM 40 an LTKM containing the SEK (or program encryption key, PEK) and the SAK (or program authentication key, PAK). The LTKM is used in the process by which terminal 50 decrypts the encrypted broadcast service. Here, the SEK/SAK are the keys used for encryption/digital signature of a service, and the PEK/PAK are the keys used for encryption/digital signature of a program. A service may be regarded as a set of content items, and a program as a single content item.
In step 505, BSD/A 30 generates the TEK that is used when terminal 50 decrypts the encrypted service, and sends the generated TEK to BSM 40. When BSM 40 generates the TEK directly, this TEK generation step may be omitted.
In step 507, when BSD/A 30 has generated the TEK directly, it delivers to BSM 40 a partially created STKM that contains the TEK but not the MAC. The partially created STKM contains the other information needed to generate the STKM. Upon receiving the partially created STKM, BSM 40 encrypts the TEK with its SEK/PEK and generates the complete STKM by performing digital signature processing, using the SAK/PAK, over the partially created STKM containing the TEK. Here, a public/private key scheme such as RSA or a MAC function may be used as the digital signature processing. In step 507, BSD/A 30 and BSM 40 may exchange STKM delivery messages or STKM request messages in order to exchange the partially created STKM. The complete STKM is delivered to BSD/A 30.
BSD/A 30 may thus deliver a partially created STKM containing the TEK to BSM 40. Alternatively, if BSD/A 30 sends the information needed to generate the STKM (such as the TEK) in several fields of this message, BSM 40 may generate the STKM using the associated information, including the TEK.
In step 509, BSD/A 30 delivers the complete STKM to terminal 50. In step 511, CC 10 delivers the content to be broadcast to subscribers to BSD/A 30; upon receiving the content, BSD/A 30 encrypts the service to be provided to terminal 50 with the TEK in step 513, and transmits the encrypted service to terminal 50 via broadcast network 60 in step 515.
Thereafter, terminal 50 can decrypt the STKM obtained in step 509 using the SEK/PEK and SAK/PAK obtained through the registration and LTKM reception processes of steps 501 and 503, obtain the TEK for decrypting the broadcast service, and decrypt the encrypted service with the TEK, thereby reproducing the service. As described in the embodiment of Fig. 3, the above process may also be applied to the process of delivering a plurality of STKMs for one program/service.
Fig. 6 illustrates a BCAST service protection method using the third embodiment of the present invention. It shows the process of delivering an encrypted service using the embodiment of Fig. 4. In this embodiment, BSD/A 30 generates the TEK on its own, and the SEK/PEK and SAK/PAK used for service encryption and authentication are delivered to BSD/A 30 so that BSD/A 30 can perform MAC processing on the STKM.
The operations of steps 601 and 603, in which terminal 50 accesses BSM 40, performs the registration process for service subscription and reception, and receives the LTKM containing the SEK/PEK and SAK/PAK, are identical to the operations of steps 501 and 503 of Fig. 5, so their detailed description is omitted.
In step 605, BSM 40 delivers its SEK/PEK and SAK/PAK to BSD/A 30. In step 607, BSD/A 30 generates a partially created STKM using the TEK it generated and the other information, and finally performs digital signature processing on it using the SAK/PAK, thereby generating the complete STKM. Here, a public/private key scheme such as RSA or a MAC function may be used as the digital signature processing. Thereafter, the operations of steps 607 to 613, in which BSD/A 30 sends the complete STKM to terminal 50 and broadcasts the service encrypted with the TEK, are identical to the operations of steps 509 to 515 of Fig. 5.
Thus, also in the embodiment of Fig. 6, terminal 50 can obtain the TEK from the STKM and use it to decrypt the encrypted service, thereby reproducing the service. As described in the embodiment of Fig. 3, the above process may also be applied to the process of delivering a plurality of STKMs for one program/service.
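The following is an added example, not code from the patent, that walks through both STKM generation variants described above (Figs. 2/3, where BSM inserts the TEK and performs the MAC; Fig. 4/6, where BSD/A does both after receiving SEK/SAK) and the terminal-side handling of Figs. 5 and 6: verify the MAC with the SAK before unwrapping the TEK with the SEK, then decrypt the service. The STKM field layout, HMAC-SHA256 as the MAC function, and an HMAC-derived keystream standing in for the unspecified encryption algorithm are assumptions made for this example.

```python
"""Added example: STKM generation (BSM-based and BSD/A-based) and terminal-side
verification. Field layout, HMAC-SHA256 MAC and the keystream cipher are
assumptions; the patent does not fix these algorithms."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAC_LEN = 32   # HMAC-SHA256 output appended by the MAC processing
NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 counter keystream.
    Encryption and decryption are the same operation."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class PartialSTKM:
    """STKM before MAC processing: service ID, TEK nonce, SEK-encrypted TEK."""
    service_id: bytes
    tek_nonce: bytes
    encrypted_tek: bytes   # empty until the TEK has been inserted

    def encode(self) -> bytes:
        return (len(self.service_id).to_bytes(1, "big") + self.service_id
                + self.tek_nonce + self.encrypted_tek)


def insert_tek(partial: PartialSTKM, tek: bytes, sek: bytes) -> PartialSTKM:
    """Encrypt the TEK under the SEK and place it into the partial STKM."""
    return PartialSTKM(partial.service_id, partial.tek_nonce,
                       keystream_xor(sek, partial.tek_nonce, tek))


def complete_stkm(partial: PartialSTKM, sak: bytes) -> bytes:
    """MAC processing: append HMAC-SHA256 under the SAK, giving the complete STKM."""
    body = partial.encode()
    return body + hmac.new(sak, body, hashlib.sha256).digest()


def bsm_based_flow(tek: bytes, sek: bytes, sak: bytes, service_id: bytes) -> bytes:
    """Figs. 2/3: BSD/A creates the partial STKM; BSM inserts the TEK and MACs it."""
    partial = PartialSTKM(service_id, os.urandom(NONCE_LEN), b"")   # BSD/A side
    partial = insert_tek(partial, tek, sek)                           # BSM side (SEK)
    return complete_stkm(partial, sak)                                # BSM side (SAK)


def bsda_based_flow(tek: bytes, sek: bytes, sak: bytes, service_id: bytes) -> bytes:
    """Fig. 4: BSM has delivered SEK/SAK; BSD/A inserts its own TEK and MACs."""
    partial = PartialSTKM(service_id, os.urandom(NONCE_LEN), b"")
    return complete_stkm(insert_tek(partial, tek, sek), sak)


def terminal_extract_tek(stkm: bytes, sek: bytes, sak: bytes) -> bytes:
    """Terminal side: verify the MAC with the SAK first, then unwrap the TEK
    with the SEK. Raises ValueError for a forged or altered STKM."""
    body, mac = stkm[:-MAC_LEN], stkm[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(sak, body, hashlib.sha256).digest()):
        raise ValueError("STKM MAC verification failed")
    n = body[0]
    nonce = body[1 + n:1 + n + NONCE_LEN]
    return keystream_xor(sek, nonce, body[1 + n + NONCE_LEN:])


def protect_service(tek: bytes, plaintext: bytes):
    """BSD/A encrypts the service with the TEK (steps 513/515); returns (nonce, ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    return nonce, keystream_xor(tek, nonce, plaintext)


def demo() -> dict:
    """Run both flows end to end plus a tampered-STKM check; constructed sample data."""
    sek, sak, tek = os.urandom(16), os.urandom(16), os.urandom(16)
    sid = b"urn:example:service-1"
    results = {}
    for name, flow in (("bsm", bsm_based_flow), ("bsda", bsda_based_flow)):
        stkm = flow(tek, sek, sak, sid)
        nonce, ct = protect_service(tek, b"constructed service payload")
        results[name] = keystream_xor(terminal_extract_tek(stkm, sek, sak), nonce, ct)
    tampered = bytearray(bsm_based_flow(tek, sek, sak, sid))
    tampered[-MAC_LEN - 1] ^= 0x01          # flip one bit of the encrypted TEK
    try:
        terminal_extract_tek(bytes(tampered), sek, sak)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results
```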
Referring to Figs. 7 to 10, message handling methods between the components of the entities constituting the broadcast architecture of Figs. 5 and 6 will now be described. Figs. 7 to 10 are described with reference to examples that apply the methods presented in Figs. 2 and 3. However, it will be apparent to those skilled in the art that the following description of Figs. 7 to 10 is not limited to Figs. 2 and 3 and may also be applied to the method presented in Fig. 4. Although the registration and LTKM reception processes of Figs. 7 to 10 are performed in a network supporting an interactive channel, they may also be applied to a network supporting a broadcast channel.
As mentioned above, the broadcast architecture can be divided into a broadcast service protection architecture and a broadcast content protection architecture, which differ as follows. The broadcast content protection architecture can support rights management for the delivered content, whereas the broadcast service protection architecture has no rights management function.
Fig. 7 illustrates the processing performed during operation of the BCAST DRM profile (DRM: Digital Radio Mondiale) in the broadcast service protection architecture presented in Figs. 2 and 3. The DRM profile is a broadcast DRM standard developed for broadcast environments that use the DRM v2.0 standard defined by the OMA working group.
Referring to Fig. 7, in step 701 terminal 50 accesses, via the Internet 70, the service protection management (SP-M) component 41 in BSM 40, which manages the subscription information of subscribers receiving BCAST services, and performs the registration process for subscribing to and receiving BCAST services. This registration process has been described above.
After the registration process, in step 703 terminal 50 obtains from the content protection management (CP-M) component 42 in BSM 40 an LTKM containing the SEK/SAK or PEK/PAK. Here, the SEK/SAK are the keys used for encryption/digital signature of a service, and the PEK/PAK are the keys used for encryption/digital signature of a program. A service may be regarded as a set of content items, and a program as a single content item.
In step 705, the service protection key distribution (SP-KD) component 33 in BSD/A 30 generates the TEK that is used when terminal 50 decrypts the encrypted service. In step 707, SP-KD component 33 in BSD/A 30 sends the generated TEK to SP-M component 41 in BSM 40, together with the other parameters needed to generate the STKM (for example, the encryption method, information related to the encryption method, the protocol version and time information).
Upon receiving the TEK and the several parameters needed to generate the STKM, SP-M component 41 in BSM 40 encrypts the TEK with its SEK and PEK, and performs digital signature processing, using the SAK and PAK, over the STKM created from the encrypted TEK and the other parameters, thereby generating the complete STKM. Here, a public/private key scheme such as RSA or a MAC function may be used as the digital signature processing. BSD/A 30 and BSM 40 may exchange STKM delivery messages or STKM request messages in order to exchange the TEK and the several parameters needed to generate the STKM; this processing has been described above. In step 709, SP-M component 41 in BSM 40 delivers the STKM completed by the above processing to the file distribution/stream distribution (FD/SD) component 32 in BSD/A 30.
In step 711, SP-KD component 33 in BSD/A 30 sends the generated TEK to the service protection encryption (SP-E) component 31 in BSD/A 30. SP-E component 31 controls encryption of the received service, which corresponds to step 717 of Fig. 7.
CC 10 delivers the content to the file application/stream application (FA/SA) component 21 in BSA 20. Upon receiving the content, FA/SA component 21 in BSA 20 converts the received content into a service and delivers it to SP-E component 31 in BSD/A 30 in step 715. In step 717, SP-E component 31 in BSD/A 30 performs the encryption described above, and then in step 719 delivers the encrypted service to FD/SD component 32 in BSD/A 30.
In step 721, FD/SD component 32 sends the complete STKM to terminal 50, and then in step 723 transmits the encrypted service to terminal 50. In this way, the encrypted service can be provided to the terminal.
Fig. 8 illustrates the processing performed during operation of the BCAST smart card profile in the broadcast service protection architecture presented in Figs. 2 and 3.
The processing of Fig. 8 is almost the same as that of Fig. 7. Therefore, reference is made to the processing described above for the common parts, and only the differing processing is described below.
The registration process in step 801 is identical to that of Fig. 7. In step 803, the entity receiving the LTKM is the smart card 51 contained in terminal 50, which differs from Fig. 7. The other steps 805 to 819 are identical to steps 705 to 719 described for Fig. 7. Because, as mentioned above, the entity receiving the LTKM is the smart card 51 in terminal 50, in step 821 the STKM is delivered to smart card 51 in terminal 50, and the TEK is then delivered to terminal 50 for decryption, so that the encrypted service can be decrypted. Thereafter, the processing for transmitting the encrypted service in step 823 is identical to that of step 723. Thus, the smart card 51 contained in terminal 50 can receive and process the encrypted service in the manner described in Fig. 8.
Fig. 9 illustrates the processing performed during operation of the BCAST DRM profile in the broadcast content protection architecture presented in Figs. 2 and 3.
The processing of Fig. 9 is also similar to that of Fig. 7; the difference is that Fig. 9 operates on the basis of the broadcast content protection architecture. The components in the content protection architecture are functionally identical to those in the service protection architecture, but CP-M component 42 in BSM 40 can generate rights objects usable for rights management. That is, unlike Fig. 7, in Fig. 9 SP-M component 41 in BSM 40 is replaced by CP-M component 42, which can generate rights objects usable for rights management.
Figure 10 illustrates the processing performed during operation of the BCAST smart card profile in the broadcast content protection architecture presented in Figs. 2 and 3.
Except that Figure 10 operates on the basis of the content protection architecture (as does Fig. 9), the processing of Figure 10 is similar to that of Fig. 8. Thus, the difference between Figure 10 and Fig. 8 is the same as the difference between Fig. 7 and Fig. 9: the components in the content protection architecture are functionally identical to those in the service protection architecture, but CP-M component 42 in BSM 40 can generate rights objects usable for rights management. That is, unlike Fig. 8, in Figure 10 SP-M component 41 in BSM 40 is replaced by CP-M component 42, which can generate rights objects usable for rights management.
Figure 11 illustrates processing in which the methods described in Figs. 2 and 3 interwork with the broadcast service and content protection methods. Whereas FD/SD component 32 in BSD/A 30 is used for delivering the STKM in the embodiment of Fig. 7, FD/SD component 32 is not used in the embodiment of Figure 11.
Referring to Figure 11, the operations in steps 1101 to 1107 are identical to those performed in steps 701 to 707 of Fig. 7. In steps 1101 to 1107, terminal 50 performs with SP-M component 41 in BSM 40 the registration process for subscribing to and receiving BCAST services, and receives from SP-M component 41 an LTKM containing the SEK/SAK or PEK/PAK; SP-KD component 33 in BSD/A 30 then generates the TEK and delivers the generated TEK, together with the other parameters needed to generate the STKM (for example, the encryption method, information related to the encryption method, the protocol version and time information), to SP-M component 41 in BSM 40.
However, in the embodiment of Figure 11, since FD/SD component 32 is not used, in step 1109 SP-M component 41 in BSM 40 generates the complete STKM by performing digital signature processing on the STKM using the service/program authentication key SAK/PAK, and delivers the generated STKM to SP-KD component 33 in BSD/A 30. Here, a public/private key scheme such as RSA or a MAC function may be used as the digital signature processing. Thereafter, in step 1111, SP-KD component 33 in BSD/A 30 delivers the TEK generated in step 1105 to SP-E component 31 in BSD/A 30. SP-E component 31 controls encryption of the received service.
The operations in steps 1113 to 1117 are identical to those in steps 713 to 717 of Fig. 7. In steps 1113 to 1117, CC 10 delivers content to FA/SA component 21 in BSA 20, FA/SA component 21 converts the received content into a service and delivers the service to SP-E component 31 in BSD/A 30, and SP-E component 31 encrypts the service. Once service encryption is completed in this way, in step 1119 SP-KD component 33 in BSD/A 30 sends to terminal 50 the STKM received from SP-M component 41 in step 1109, which contains the TEK for decrypting the encrypted service/content.
Thereafter, in step 1121, SP-E component 31 in BSD/A 30 transmits the encrypted service to terminal 50, and terminal 50 decrypts the encrypted service using the STKM received in step 1119. Although terminal 50 receives an encrypted service in the embodiment of Figure 11, it may also receive encrypted content.
Figure 12 illustrates processing in which the method described in Fig. 4 interworks with the broadcast service and content protection methods. Except for the processing that generates the STKM, the embodiment of Figure 12 is identical to that of Figure 11.
That is, in the STKM generation processing, in step 1207 SP-M component 41 in BSM 40 sends to SP-KD component 33 in BSD/A 30 an SEAK containing the SEK and SAK, the keys used for service encryption/digital signature, and/or a PEAK containing the PEK and PAK, the keys used for program encryption/digital signature. In step 1209, SP-KD component 33 generates the complete STKM by performing digital signature processing on it using the service/program authentication key SAK/PAK, and delivers the generated STKM to terminal 50 in step 1219. The operations in steps 1201 to 1205 and 1211 to 1221 are identical to those in steps 1101 to 1105 and 1111 to 1121 of Figure 11, so their detailed description is omitted.
Although the embodiments of Figures 11 and 12 describe the operation of the components in the service protection architecture, the components in the content protection architecture may operate in the same manner. The difference between the embodiments of Figures 11 and 12 and those of Figs. 9 and 10 is that the embodiments of Figures 11 and 12 do not use FD/SD component 32 in BSD/A 30. Furthermore, when a smart card is used in the embodiments of Figures 11 and 12, the processing for performing service registration on terminal 50 and receiving the LTKM may be carried out between smart card 51 and SP-M component 41 or CP-M component 42, and the STKM may be passed to smart card 51, where the TEK can be obtained from the received STKM. In addition, the STKM delivery methods presented in Figs. 2 and 3 may also be applied to the embodiments of Figures 11 and 12.
As can be understood from the foregoing description, the present invention provides a detailed TEK/STKM generation method and a detailed BCAST service protection method for transmitting/receiving an encrypted service between the network entities of a mobile broadcast system, thereby enabling secure delivery of broadcast services/content.
While the present invention has been shown and described with reference to certain preferred embodiments thereof, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention as defined by the following claims.
Claims (30)
1. one kind is used for generating in order to protection to the method for the ephemeral keys message (STKM) of the broadcast service of terminal broadcasting at mobile broadcast system, and described method comprises:
Be used for being transmitted in to the broadcast service subscription manager (BSM) that is used to manage subscription information the STKM of the part establishment of Message Authentication Code (MAC) before handling to broadcast service distributions/adapter (BSD/A) that terminal transmits broadcast service;
The traffic encryption keys (tek) (TEK) that BSM will be used for that broadcast service is decrypted is inserted into the STKM that part is created; And
BSM carries out MAC and handles inserting STKM behind the TEK, thereby generates complete STKM.
2. the method for claim 1, at least one content that is providing to terminal is provided wherein said broadcast service.
3. the method for claim 1, the step that wherein said execution MAC handles also comprises:
STKM combine digital signature after BSM uses authentication secret to insertion TEK is handled.
4. the method for claim 1 also comprises:
BSD/A sends the request of the STKM that is used for the translator unit establishment to BSM.
5. the method for claim 1 also comprises:
BSM generates TEK, and transmits the TEK that is generated to BSD/A.
6. the method for claim 1 also comprises:
BSD/A generates TEK, and transmits the TEK that is generated to BSM.
7. the method for claim 1 also comprises:
BSD/A transmits the information that is used to generate TEK to BSM; And
The information that BSM is used to generate TEK generates TEK.
8. the method for claim 1, wherein be that a broadcast service generates a plurality of STKM.
9. method as claimed in claim 2 wherein, is that a content generates a plurality of STKM.
10. one kind is used for generating in order to protection to the method for the ephemeral keys message (STKM) of the broadcast service of terminal broadcasting at mobile broadcast system, and described method comprises:
The broadcast service subscription manager (BSM) that is used to manage subscription information transmits at least one key information that is used to verify broadcast service to the broadcast service distribution/adapter (BSD/A) that is used to transmit broadcast service;
BSD/A generates and to be used for the traffic encryption keys (tek) (TEK) that the broadcast service to terminal is decrypted, and TEK is inserted into the STKM that part is created; And
STKM after BSD/A uses described at least one key information to insertion TEK carries out Message Authentication Code (MAC) and handles, thereby generates complete STKM.
11. at least one content that is providing to terminal is provided for method as claimed in claim 10, wherein said broadcast service.
12. method as claimed in claim 10, the step that wherein said execution MAC handles also comprises:
STKM combine digital signature after BSD/A uses described at least one key information to insertion TEK is handled.
13. method as claimed in claim 10 also comprises:
BSD/A sends the request that is used to transmit described at least one key information to BSM.
14. one kind is used for to the mobile broadcast system of terminal transmission in order to the ephemeral keys message (STKM) of reception broadcast service, described system comprises:
Broadcast service distribution/adapter (BSD/A) is used for the STKM that generating portion is created before Message Authentication Code (MAC) is handled, and use traffic encryption key (TEK) is encrypted broadcast service, and the broadcast service of broadcast enciphering; And
Broadcast service subscription manager (BSM), the subscription information that is used for the office terminal, TEK is inserted into the STKM that creates from the part of BSD/A reception, generates complete STKM by the STKM behind the insertion TEK is carried out the MAC processing, and to the complete STKM of BSD/A transmission.
15. at least one content that is providing to terminal is provided for mobile broadcast system as claimed in claim 14, wherein said broadcast service.
16. mobile broadcast system as claimed in claim 14, the STKM combine digital signature after wherein BSM uses authentication secret to insertion TEK is handled.
17. mobile broadcast system as claimed in claim 14, wherein BSD/A sends the request of the STKM that is used for the translator unit establishment to BSM.
18. mobile broadcast system as claimed in claim 14, wherein BSM generates TEK, and transmits the TEK that is generated to BSD/A.
19. mobile broadcast system as claimed in claim 14, wherein BSD/A generates TEK, and transmits the TEK that is generated to BSM.
20. mobile broadcast system as claimed in claim 14, wherein BSD/A transmits the information that is used to generate TEK to BSM; And
Wherein the BSM information that is used to generate TEK generates TEK.
21. mobile broadcast system as claimed in claim 14 wherein, is that a broadcast service generates a plurality of STKM.
22. mobile broadcast system as claimed in claim 15 wherein, is that a content generates a plurality of STKM.
23. one kind is used for to the mobile broadcast system of terminal transmission in order to the ephemeral keys message (STKM) of reception broadcast service, described system comprises:
Broadcast service distribution/adapter (BSD/A), be used for before Message Authentication Code (MAC) is handled, the traffic encryption keys (tek) (TEK) of broadcast service being inserted into the STKM of part establishment, and use at least one key information that comprises authentication secret to generate complete STKM; And
Broadcast service subscription manager (BSM) is used for the subscription information of office terminal, and transmits described at least one key information to BSD/A.
24. at least one content that is providing to terminal is provided for mobile broadcast system as claimed in claim 23, wherein said broadcast service.
25. mobile broadcast system as claimed in claim 23, the STKM combine digital signature after wherein BSD/A uses described at least one key information to insertion TEK is handled.
26. mobile broadcast system as claimed in claim 23, wherein BSD/A sends the request that is used to transmit described at least one key information to BSM.
27. a method that is used in mobile broadcast system protection broadcast service, described method comprises:
Be used for being transmitted in to the broadcast service subscription manager (BSM) that is used to manage subscription information the ephemeral keys message (STKM) of the part establishment of Message Authentication Code (MAC) before handling to broadcast service distributions/adapter (BSD/A) that terminal transmits broadcast service;
The traffic encryption keys (tek) (TEK) that BSM will be used for that broadcast service is decrypted is inserted into the STKM that part is created;
BSM generates complete STKM by the STKM behind the insertion TEK is carried out the MAC processing, and transmits complete STKM to BSD/A; And
BSD/A transmits complete STKM to terminal, and uses TEK broadcast service to be encrypted and broadcasted described broadcast service then.
28. A method for protecting a broadcast service in a mobile broadcast system, the method comprising:
a broadcast service subscription manager (BSM), which manages subscription information, transmitting at least one key information for verifying the broadcast service to a broadcast service distribution/adapter (BSD/A), which transmits the broadcast service;
the BSD/A generating a traffic encryption key (TEK) to be used for decrypting the broadcast service at the terminal, and inserting the TEK into a partially created STKM;
the BSD/A generating a complete STKM by performing message authentication code (MAC) processing, using the at least one key information, on the STKM into which the TEK has been inserted; and
the BSD/A transmitting the complete STKM to the terminal, then encrypting the broadcast service using the TEK and broadcasting the encrypted broadcast service.
29. A mobile broadcast system comprising:
a broadcast service distribution/adapter (BSD/A) for generating a partially created STKM before message authentication code (MAC) processing, transmitting a complete STKM to a terminal, encrypting a broadcast service using a traffic encryption key (TEK), and broadcasting the encrypted broadcast service; and
a broadcast service subscription manager (BSM) for managing subscription information of the terminal, inserting the TEK into the partially created STKM received from the BSD/A, generating the complete STKM by performing MAC processing on the STKM into which the TEK has been inserted, and then transmitting the complete STKM to the BSD/A.
30. A mobile broadcast system comprising:
a broadcast service distribution/adapter (BSD/A) for inserting a traffic encryption key (TEK) of a broadcast service into a partially created STKM before message authentication code (MAC) processing, generating a complete STKM using at least one key information that includes an authentication key, transmitting the complete STKM to a terminal, and then encrypting the broadcast service and broadcasting the encrypted broadcast service; and
a broadcast service subscription manager (BSM) for managing subscription information of the terminal and for transmitting the at least one key information to the BSD/A.
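As an added illustration of the STKM flow in claims 27 to 30 (example code, not from the patent): BSD/A creates the partial STKM, the TEK is inserted and the message is completed with a MAC (by BSM in claim 27, by BSD/A using BSM-supplied key information in claim 28), and the terminal verifies the MAC before using the TEK to decrypt the broadcast. The wire layout, HMAC-SHA256 as the MAC, the keystream stand-in for the traffic cipher, and all key values are assumptions made for this example.

```python
import hmac
import hashlib
import struct

# Layout assumed here (not from the patent): BSD/A header, TEK, HMAC-SHA256 tag.
TEK_LEN = 16
MAC_LEN = 32


def create_partial_stkm(service_id: int, key_seq: int) -> bytes:
    """BSD/A: the part of the STKM that exists before MAC processing."""
    return struct.pack(">HI", service_id, key_seq)


def complete_stkm(partial: bytes, tek: bytes, auth_key: bytes) -> bytes:
    """Insert the TEK and MAC the whole message. BSM does this in claim 27;
    BSD/A does it in claim 28 with the authentication key received from BSM."""
    body = partial + tek
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()


def terminal_extract_tek(stkm: bytes, auth_key: bytes):
    """Terminal: verify the MAC first; return the TEK, or None if it fails."""
    if len(stkm) < TEK_LEN + MAC_LEN:
        return None
    body, tag = stkm[:-MAC_LEN], stkm[-MAC_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()
    return body[-TEK_LEN:] if hmac.compare_digest(tag, expected) else None


def traffic_xor(tek: bytes, key_seq: int, data: bytes) -> bytes:
    """Stand-in traffic cipher: HMAC-SHA256 keystream under the TEK, XORed
    with the data (symmetric, so it both encrypts and decrypts)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(tek, struct.pack(">IQ", key_seq, off // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def run_flow(auth_key: bytes, tek: bytes, content: bytes) -> bytes:
    """Claim 27 end to end: partial STKM, completion with MAC, delivery to the
    terminal, broadcast encrypted under the TEK, and decryption at the terminal."""
    stkm = complete_stkm(create_partial_stkm(7, 42), tek, auth_key)
    ciphertext = traffic_xor(tek, 42, content)
    tek_at_terminal = terminal_extract_tek(stkm, auth_key)
    if tek_at_terminal is None:
        raise ValueError("STKM failed MAC verification; TEK not trusted")
    return traffic_xor(tek_at_terminal, 42, ciphertext)
```

A terminal that skipped the MAC check would accept a substituted TEK, which is why terminal_extract_tek returns no key at all when verification fails.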
Applications Claiming Priority (13)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020060018849 | 2006-02-27 | ||
KR10-2006-0018849 | 2006-02-27 | ||
KR20060018849 | 2006-02-27 | ||
KR20060027184 | 2006-03-24 | ||
KR1020060027184 | 2006-03-24 | ||
KR10-2006-0027184 | 2006-03-24 | ||
KR10-2006-0048168 | 2006-05-29 | ||
KR20060048168 | 2006-05-29 | ||
KR1020060048168 | 2006-05-29 | ||
KR1020060063652A KR100975386B1 (en) | 2006-02-27 | 2006-07-06 | Method and system for protecting broadcasting service/content in a mobile broadcast system, and method for generating a short term key message thereof |
KR10-2006-0063652 | 2006-07-06 | ||
KR1020060063652 | 2006-07-06 | ||
PCT/KR2007/000998 WO2007097604A1 (en) | 2006-02-27 | 2007-02-27 | Method and system for protecting broadcast service/content in a mobile broadcast system, and method for generating short term key message therefor |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101433011A true CN101433011A (en) | 2009-05-13 |
CN101433011B CN101433011B (en) | 2012-04-25 |
Family
ID=38614245
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2007800152553A Active CN101433011B (en) | 2006-02-27 | 2007-02-27 | Method and system for protecting broadcast service/content in a mobile broadcast system, and method for generating short term key message therefor |
Country Status (3)
Country | Link |
---|---|
JP (2) | JP5090377B2 (en) |
KR (1) | KR100975386B1 (en) |
CN (1) | CN101433011B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102111764A (en) * | 2009-12-24 | 2011-06-29 | 中国移动通信集团公司 | Method, system and device for protecting safety of broadcast information |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101420874B1 (en) | 2007-09-21 | 2014-07-30 | 삼성전자주식회사 | Method for storing broadcasting content in open mobile alliance mobile broadcast |
KR101473488B1 (en) | 2007-11-29 | 2014-12-17 | 삼성전자주식회사 | Smart card and method for generating response message transmitted to mobile terminal supporting mobile broadcasting and the mobile terminal thereof |
KR101514840B1 (en) | 2008-06-11 | 2015-04-23 | 삼성전자주식회사 | Method for Security Key Distribution in Broadcast Service System and System Therefor |
KR101465263B1 (en) * | 2008-06-11 | 2014-11-26 | 삼성전자주식회사 | Method for security key distrubution in broadcast system and the system therefor |
KR101498288B1 (en) | 2008-06-24 | 2015-03-03 | 삼성전자주식회사 | Apparatus and method for transmitting a plurality of key data |
KR100950458B1 (en) * | 2008-07-24 | 2010-04-02 | 주식회사 드리머아이 | Mobile broadcasting conditional access system based on memory card |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8615218B2 (en) | 2003-12-09 | 2013-12-24 | Electronics And Telecommunications Research Institute | Method for requesting, generating and distributing service-specific traffic encryption key in wireless portable internet system, apparatus for the same, and protocol configuration method for the same |
US7328343B2 (en) | 2004-03-10 | 2008-02-05 | Sun Microsystems, Inc. | Method and apparatus for hybrid group key management |
KR20050100124A (en) * | 2004-04-13 | 2005-10-18 | 에스케이 텔레콤주식회사 | Portable internet broadcasting system |
BRPI0514010A8 (en) * | 2004-08-04 | 2018-07-31 | Lg Electronics Inc | BROADCAST/MULTI-BROADCASTING SERVICE SYSTEM AND METHOD PROVIDING MIGRATION OF CONNECTIONS BETWEEN NETWORKS |
JP4712040B2 (en) * | 2004-08-04 | 2011-06-29 | エルジー エレクトロニクス インコーポレイティド | Broadcast / multicast service system and method for providing roaming between networks |
KR100811046B1 (en) * | 2005-01-14 | 2008-03-06 | 엘지전자 주식회사 | Method for managing digital rights of broadcast/multicast service |
KR100663443B1 (en) * | 2005-09-15 | 2007-01-02 | 삼성전자주식회사 | Apparatus and method of interlock between entities for protecting service, and the system thereof |
KR100724935B1 (en) * | 2005-09-15 | 2007-06-04 | 삼성전자주식회사 | Apparatus and method of interlock between entities for protecting contents, and the system thereof |
KR100856256B1 (en) * | 2005-10-14 | 2008-09-03 | 삼성전자주식회사 | Apparatus and method for supporting roaming service in mobile broadcasting system |
US7360581B2 (en) * | 2005-11-07 | 2008-04-22 | 3M Innovative Properties Company | Structured thermal transfer article |
US9055040B2 (en) * | 2006-02-03 | 2015-06-09 | Qualcomm Incorporated | Method and apparatus for content protection in wireless communications |
KR100890037B1 (en) * | 2006-02-03 | 2009-03-25 | 삼성전자주식회사 | Method and system for sharing generated service guide and its fragments in mobile broadcast system |
- 2006-07-06 KR KR1020060063652A patent/KR100975386B1/en not_active IP Right Cessation
- 2007-02-27 JP JP2008557204A patent/JP5090377B2/en not_active Expired - Fee Related
- 2007-02-27 CN CN2007800152553A patent/CN101433011B/en active Active
- 2012-07-13 JP JP2012157573A patent/JP5367133B2/en not_active Expired - Fee Related
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102111764A (en) * | 2009-12-24 | 2011-06-29 | 中国移动通信集团公司 | Method, system and device for protecting safety of broadcast information |
CN102111764B (en) * | 2009-12-24 | 2014-09-10 | 中国移动通信集团公司 | Method, system and device for protecting safety of broadcast information |
Also Published As
Publication number | Publication date |
---|---|
JP5367133B2 (en) | 2013-12-11 |
JP2009528760A (en) | 2009-08-06 |
KR100975386B1 (en) | 2010-08-11 |
KR20070089027A (en) | 2007-08-30 |
JP2012249308A (en) | 2012-12-13 |
CN101433011B (en) | 2012-04-25 |
JP5090377B2 (en) | 2012-12-05 |
Similar Documents
Publication | Title |
---|---|
JP4705958B2 (en) | Digital Rights Management Method for Broadcast / Multicast Service |
CN101981864B (en) | Method and apparatus for providing broadcast service using encryption key in a communication system |
US9356718B2 (en) | Method and system for protecting broadcast service/content in a mobile broadcast system, and method for generating short term key message therefor |
RU2333608C2 (en) | Method and device for provision of protection in data processing system |
CN101513011B (en) | Method and system for the continuous transmission of encrypted data of a broadcast service to a mobile terminal |
CN101433011B (en) | Method and system for protecting broadcast service/content in a mobile broadcast system, and method for generating short term key message therefor |
US20070189535A1 (en) | Method and apparatus for protecting contents supporting broadcast service between service provider and a plurality of mobile stations |
US9191204B2 (en) | Encryption key distribution method in mobile broadcasting system and system for the same |
KR100663443B1 (en) | Apparatus and method of interlock between entities for protecting service, and the system thereof |
KR101123598B1 (en) | Method and apparatus for security in a data processing system |
EP1786125B1 (en) | Method for transmitting/receiving encryption information in a mobile broadcast system, and system therefor |
KR101300427B1 (en) | Method and system for transmitting encryption key message through interaction channel in broadcasting system |
US8774414B2 (en) | Method and apparatus for transmitting/receiving encryption information in a mobile broadcast system |
KR20070096530A (en) | Method and system for transmitting information between entities in mobile broadcast system |
KR20070078659A (en) | Method for transmitting and receiving encryption key in mobile broadcasting system and system thereof |
KR20070096531A (en) | Encoding method in mobile broadcasting system and system thereof |
CN101861711B (en) | System and method for acquiring terminal binding key |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |