CN101505400A - Bi-directional set-top box authentication method, system and related equipment - Google Patents


Info

Publication number: CN101505400A
Authority: CN (China)
Prior art keywords: authentication information; top box; information; authentication; encryption
Legal status: Granted; Expired - Fee Related
Application number: CNA2009100377172A
Other languages: Chinese (zh)
Other versions: CN101505400B (en)
Inventor: 马剑飞
Current Assignee: Global Innovation Polymerization LLC; Tanous Co
Original Assignee: Shenzhen Huawei Communication Technologies Co Ltd
Application filed by Shenzhen Huawei Communication Technologies Co Ltd; priority to CN2009100377172A; published as CN101505400A; granted and published as CN101505400B.

Landscapes

  • Storage Device Security (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Abstract

The embodiment of the invention discloses a two-way set-top box authentication method and a two-way set-top box. The two-way set-top box comprises a conditional access module, and the method comprises the following steps: acquiring authentication information encrypted with a personal allocation key; decrypting the encrypted authentication information with the conditional access module, in which the personal allocation key is stored, to obtain the decrypted authentication information; and authenticating to the network side with the decrypted authentication information. With the proposal of the embodiment, the security of the two-way set-top box's IP network access is ensured while usability and compatibility are also preserved.

Description

Bi-directional set-top box authentication method, system and related equipment
Technical field
The present invention relates to the field of communications, and in particular to a bi-directional set-top box authentication method, system and related equipment.
Background technology
A bi-directional set-top box has two links to the network, Cable and Internet Protocol (IP), so that it can not only receive video content broadcast over the Cable link but also interact with services over the IP link.
In the course of realizing the present invention, the inventor found that the security of content transmitted over the Cable link is guaranteed by the Conditional Access (CA) system. When the IP network is used, however, the bi-directional set-top box typically authenticates to the server on the IP network side with the number of the CA module in the set-top box or with the set-top box identifier (ID), in order to secure the IP network access authentication and the services carried over the IP network, such as Video On Demand (VOD). Because the set-top box ID can easily be obtained, copied or even misappropriated by installers or by the set-top box user, this scheme carries a considerable security risk.
Other schemes for securing IP network access authentication either require the user to enter an encrypted password by hand or require the CA module in the set-top box to be replaced; each has its own problems of operability, compatibility or security.
It can be seen that in the prior art the information security of operations such as IP network access authentication by a bi-directional set-top box is problematic, and that ease of use and compatibility cannot be reconciled with securing the set-top box's IP network access.
Summary of the invention
The technical problem solved by the invention is to provide a bi-directional set-top box authentication method, a bi-directional set-top box and a bi-directional set-top box authentication system that secure the set-top box's IP network access while taking ease of use and compatibility into account.
To this end, in one aspect, embodiments of the invention provide a bi-directional set-top box authentication method, where the set-top box comprises a Conditional Access Module, and the method comprises: obtaining authentication information encrypted with a personal distribution key; decrypting the encrypted authentication information with the Conditional Access Module, in which the personal distribution key is stored, to obtain the decrypted authentication information; and authenticating to the network side with the decrypted authentication information.
Embodiments of the invention also provide a method of bi-directional set-top box security authentication, comprising: obtaining the authentication information sent by the network side; encrypting the authentication information with the personal distribution key of the set-top box to obtain encrypted authentication information; and broadcasting the encrypted authentication information so that the set-top box can authenticate according to it.
In another aspect, embodiments of the invention provide a bi-directional set-top box comprising: an acquiring unit for obtaining authentication information encrypted with a personal distribution key; a Conditional Access Module for receiving the encrypted authentication information sent by the acquiring unit and decrypting it with the locally stored personal distribution key to obtain the decrypted authentication information; and an authentication unit for authenticating to the network side with the decrypted authentication information obtained by the Conditional Access Module.
In a further aspect, embodiments of the invention provide a conditional access system comprising: a receiving module for obtaining the authentication information sent by the network side; an encrypting module for encrypting the authentication information with the personal distribution key of the set-top box to obtain encrypted authentication information; and a sending module for broadcasting the encrypted authentication information so that the set-top box can authenticate according to it.
Embodiments of the invention also provide a bi-directional set-top box authentication system comprising: a network authentication server, for obtaining the authentication information corresponding to a set-top box and sending it; a conditional access system, for receiving the authentication information sent by the network authentication server, encrypting it with the personal distribution key of the set-top box and, having obtained the encrypted authentication information, broadcasting it; and a bi-directional set-top box, for receiving the encrypted authentication information sent by the conditional access system, decrypting it with the personal distribution key stored in its local Conditional Access Module, and authenticating to the network authentication server with the decrypted authentication information.
With the technical scheme of the embodiments, the interaction between the set-top box user and the network-side head-end system requires no change to the set-top box's CA module, so compatibility between set-top boxes is preserved; at the same time, network authentication decrypts the authentication information with the personal distribution key kept in the CA module and so obtains the high security guarantee of the CA system. Compatibility and ease of use of the set-top box are thus ensured together with the security of set-top box access.
Description of drawings
To explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are introduced briefly below. Clearly the drawings below illustrate only some embodiments of the invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the composition of the bi-directional set-top box authentication system in an embodiment of the invention;
Fig. 2 is a schematic flow diagram of the bi-directional set-top box authentication method in an embodiment of the invention;
Fig. 3 is a schematic flow diagram of the method of bi-directional set-top box security authentication in an embodiment of the invention;
Fig. 4 is a schematic diagram of the composition of the bi-directional set-top box in Fig. 1;
Fig. 5 is a schematic diagram of the composition of the acquiring unit in Fig. 4;
Fig. 6 is a schematic diagram of the composition of the decrypting unit in Fig. 4;
Fig. 7 is another schematic diagram of the composition of the bi-directional set-top box in an embodiment of the invention;
Fig. 8 is a schematic diagram of the composition of the CAS system in an embodiment of the invention;
Fig. 9 is a schematic diagram of the composition of the sending module in Fig. 8;
Fig. 10 is another schematic diagram of the composition of the sending module in Fig. 8;
Fig. 11 is a schematic diagram of the principle of the encryption process of the CAS system in an embodiment of the invention.
Embodiment
The technical solutions of the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments that those of ordinary skill in the art obtain from these embodiments without creative effort fall within the scope of protection of the invention.
When a bi-directional set-top box authenticates to the IP network, taking both compatibility and security into account requires that the CA module of the set-top box is not modified while the high security of the Conditional Access System (CAS, referred to below as the CAS system according to custom) is used to secure IP network authentication. The scheme of this embodiment therefore encrypts the authentication information in the CAS system with the Personal Distribute Key (PDK) that is stored both in the CAS system and in the CA module of the specific set-top box, and decrypts it with the PDK in the CA module of that set-top box.
Embodiments of the invention are described below with reference to the drawings. Fig. 1 is a schematic diagram of the composition of the bi-directional set-top box authentication system in an embodiment. In this system, the network authentication server 1 obtains or generates the authentication information that the set-top box needs in order to authenticate, and transfers it to the CAS system 2. The authentication information may be generated automatically by the network authentication server, generated according to the operator's settings, or obtained from other management equipment in the network. It may comprise authentication identity information such as a user name and a user password; to improve the security of authentication it may also comprise authentication time information such as a timestamp, so that the authentication is valid only if the set-top box authenticates within the time specified by the timestamp, or so that the set-top box can decode the authentication identity information only within that time.
The authentication information is specific to a user, that is, only the specific set-top box of that user can authenticate with it. For example, a mapping table of authentication information to users can be stored on the network authentication server. After the server sends authentication information A, which corresponds to user A, to the CAS system, the CAS system encrypts authentication information A with the PDK corresponding to user A, so that only the set-top box that knows user A's PDK can decrypt the received authentication information A and then authenticate to the network authentication server with the decrypted authentication information A. When the server receives authentication information A it queries the mapping table and learns that it is user A who is authenticating; it can then perform authentication in combination with other information (or, of course, directly), so that user A is authorized and obtains subsequent services according to the mapping table.
When the network authentication server 1 transfers the generated authentication information to the CAS system 2, the authentication information can be transmitted within the operator's private closed network, because the server 1 and the CAS system are both operator-managed equipment, and its security is thereby protected.
After the CAS system 2 receives the authentication information sent by the network authentication server 1, it encrypts it with the personal distribution key of the set-top box 3 and, having obtained the encrypted authentication information, broadcasts it.
That is, after receiving the authentication information the CAS system 2 encrypts it with the PDK of the specific set-top box. When the authentication information contains only authentication identity information, the identity information is encrypted with the PDK; when it also contains authentication time information, either only the identity information or both the identity information and the time information may be encrypted; when it contains further information, the situation is similar. At a minimum the authentication identity information is encrypted; other information may or may not be.
The CAS system 2 then broadcasts the encrypted authentication information over the Cable network. Every bi-directional set-top box in the broadcast area receives the encrypted authentication information, but only the PDK in the CA module of the specific set-top box can decrypt it. In Fig. 1 this is the set-top box 3.
The set-top box 3 receives the encrypted authentication information sent by the CAS system 2, decrypts it with the personal distribution key stored in its local Conditional Access Module, and authenticates to the network authentication server 1 with the decrypted authentication information. That is, after receiving the encrypted authentication information the set-top box 3 decrypts it with its CA module, which stores the PDK required for decryption. Once the set-top box 3 has the decrypted authentication information it can authenticate to the network authentication server with the plaintext, and only a set-top box that passes authentication obtains the corresponding services over the IP network.
With this system the authentication information is encrypted with the PDK before being sent to the set-top box, so the CA module of an existing set-top box need not be modified while the high security of the CAS system secures network authentication. Adding authentication time information to the authentication information further improves the security of network authentication.
Fig. 2 is a schematic flow diagram of bi-directional set-top box authentication in an embodiment of the invention. The authentication flow comprises:
201. Obtain authentication information encrypted with a personal distribution key. As described above, this may comprise: the network side generates authentication information, which is the information the set-top box needs in order to authenticate, and sends it to the conditional access system; the conditional access system encrypts it with the personal distribution key of the set-top box and broadcasts the encrypted authentication information; and the set-top box obtains the encrypted authentication information.
The generation and sending of authentication information by the network side may be an active process or may be triggered by the set-top box side: the set-top box sends authentication request information to the network side, which generates authentication information according to the request and sends it to the CAS system.
The network side may also change the authentication information periodically and send the changed authentication information to the set-top box.
In practice, because each head-end system (network authentication server) often has an enormous number of users (set-top boxes) under it, frequently hundreds of thousands, authentication information cannot be issued continuously for every user. The network authentication server can therefore issue authentication information according to the following principles:
A. For a period after a user opens a new account (for example 3 or 5 days), issue the user's information at high frequency, for example once per minute; the exact frequency can be budgeted and set according to the network's user volume;
B. If a small number of users install and power on their set-top boxes some time after opening an account, it can be arranged that the user telephones the call center attendant, who triggers the issuing of the authentication information; or the user configures the set-top box to send authentication request information actively, requesting that authentication information be issued.
Because the user information of each set-top box and its user does not change frequently and there is no real-time requirement, the above measures satisfy the demand.
202. Decrypt the encrypted authentication information with the Conditional Access Module, in which the personal distribution key is stored, to obtain the decrypted authentication information.
In this step, after the set-top box obtains the corresponding authentication information it may first store it in a local storage module, for example FLASH; when the set-top box needs to authenticate it reads the stored encrypted authentication information and decrypts it with the CA module. If power is lost during decryption, the corresponding authentication information is lost.
Because the authentication information is encrypted with the PDK, its security is protected: even if it is read out and copied, it cannot be cracked or used without the matching CA module.
If the authentication information comprises authentication time information and encrypted authentication identity information, decryption may proceed as follows: obtain the authentication time information from the authentication information; after judging from the time information that the encrypted identity information is valid, decrypt it with the Conditional Access Module; or first decrypt the encrypted identity information with the Conditional Access Module and proceed to the next authentication step only after judging from the time information that it is valid; or first decrypt the encrypted identity information with the Conditional Access Module and, in the next step, authenticate with both the decrypted identity information and the time information.
203. Authenticate to the network side with the decrypted authentication information. For example, when the set-top box needs to connect to the IP network it sends the decrypted authentication information to the network side for authentication; after the network side passes the authentication, the set-top box can use the corresponding services.
The authentication information may also be temporary authentication information: after the network side obtains it, it sends other authentication information to the set-top box, which authenticates to the network side again with that other information to complete the whole authentication process.
The authentication information may also be the decrypted authentication identity information together with the authentication time information; the network side judges from the time information whether the identity information is valid, and only identity information received within the valid time can pass authentication.
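The Fig. 1 system and steps 201 to 203 above, as an added Python simulation that is not code from the patent: the network authentication server issues identity plus timestamp for user A, the CAS system encrypts the identity part with A's PDK and broadcasts it to every box, and only the box whose CA module holds that PDK can decrypt, judge the timestamp and authenticate. The PDK cipher is a stand-in built from HMAC-SHA256, and the class names, the 300 s validity window and the sample users are assumptions.

```python
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

NONCE_LEN, TAG_LEN = 12, 16

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for the CAS cipher, not its real algorithm."""
    out = b""
    for counter in range(n // 32 + 1):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def pdk_encrypt(pdk: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the PDK: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(pdk, nonce, len(plaintext))))
    tag = hmac.new(pdk, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag

def pdk_decrypt(pdk: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None when the PDK does not match or the blob was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(pdk, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(pdk, nonce, len(ct))))

class NetworkAuthServer:
    """Network authentication server 1: mapping table of authentication information to users."""

    def __init__(self, validity_s: int = 300):      # assumed timestamp window
        self.validity_s = validity_s
        self.table = {}                              # (user name, password) -> user id

    def issue(self, user_id: str, now: int) -> dict:
        identity = {"user": "stb-" + user_id, "password": os.urandom(8).hex()}  # constructed
        self.table[(identity["user"], identity["password"])] = user_id
        return {"identity": identity, "timestamp": now}

    def authenticate(self, identity: dict, timestamp: int, now: int) -> Optional[str]:
        """Look the identity up in the mapping table; reject it outside the time window."""
        if not 0 <= now - timestamp <= self.validity_s:
            return None
        return self.table.get((identity.get("user"), identity.get("password")))

class CASSystem:
    """CAS system 2: holds every user's PDK and encrypts the identity part with it."""

    def __init__(self, pdks: dict):
        self.pdks = pdks                             # user id -> PDK (also in that user's CA module)

    def encrypt_for_broadcast(self, user_id: str, auth_info: dict) -> dict:
        # Minimum rule from the text: the identity information is always encrypted;
        # the timestamp stays in the clear so a box can judge validity before decrypting.
        pt = json.dumps(auth_info["identity"]).encode()
        return {"timestamp": auth_info["timestamp"], "identity_enc": pdk_encrypt(self.pdks[user_id], pt)}

class SetTopBox:
    """Bi-directional set-top box 3: the CA module keeps the PDK, FLASH keeps the blob."""

    def __init__(self, pdk: bytes, validity_s: int = 300):
        self._ca_module_pdk = pdk
        self.validity_s = validity_s
        self.flash = None

    def receive_broadcast(self, msg: dict) -> None:
        self.flash = msg        # step 201: stored still encrypted, decrypted only when used

    def decrypt_auth_info(self, now: int) -> Optional[Tuple[dict, int]]:
        """Step 202: judge the timestamp first, then let the CA module decrypt."""
        if self.flash is None or not 0 <= now - self.flash["timestamp"] <= self.validity_s:
            return None
        pt = pdk_decrypt(self._ca_module_pdk, self.flash["identity_enc"])
        if pt is None:
            return None         # not our PDK: this broadcast was meant for another box
        return json.loads(pt), self.flash["timestamp"]

    def authenticate(self, server: NetworkAuthServer, now: int) -> Optional[str]:
        """Step 203: send the decrypted identity and the timestamp to the server over IP."""
        res = self.decrypt_auth_info(now)
        return None if res is None else server.authenticate(res[0], res[1], now)

def run_scenario() -> dict:
    """Two boxes in the same cable area receive user A's broadcast; only A's box can use it."""
    pdks = {"A": os.urandom(32), "B": os.urandom(32)}           # constructed PDKs
    server, cas = NetworkAuthServer(), CASSystem(pdks)
    box_a, box_b = SetTopBox(pdks["A"]), SetTopBox(pdks["B"])
    t0 = 1_700_000_000
    broadcast = cas.encrypt_for_broadcast("A", server.issue("A", t0))
    for box in (box_a, box_b):
        box.receive_broadcast(broadcast)
    return {"box_a": box_a.authenticate(server, t0 + 10),
            "box_b": box_b.authenticate(server, t0 + 10),
            "box_a_expired": box_a.authenticate(server, t0 + 3600)}
```

`run_scenario()` returns `{'box_a': 'A', 'box_b': None, 'box_a_expired': None}`: the other box cannot open the blob, and a copy of the blob presented after the window is refused by both the box and the server.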
Corresponding to the above flow, as shown in Fig. 3, embodiments of the invention also provide a method of bi-directional set-top box security authentication, comprising:
301. Obtain the authentication information sent by the network side, which is the information the set-top box needs in order to authenticate. The network side may specifically be a network authentication server, such as an IP network authentication server.
The generation and sending of authentication information by the network side may be an active process or may be triggered by the set-top box side: the set-top box sends authentication request information to the network side, which generates authentication information according to the request and then sends it to the CAS system.
The network side may also change the authentication information periodically and send the changed authentication information to the set-top box.
302. Encrypt the authentication information with the personal distribution key of the set-top box to obtain encrypted authentication information. The CAS system keeps the unique PDK corresponding to each user under it; after the CAS receives the authentication information it encrypts it with the PDK of the user to whom that information corresponds, which guarantees that only the user who stores that PDK can decrypt the authentication information and then authenticate to the network side.
303. Broadcast the encrypted authentication information so that the set-top box obtains it and authenticates according to it. When the encrypted authentication information is multiplexed with the television signal before being sent, this may specifically be: obtain the television signal stream scrambled with the control word, the Entitlement Control Message and the Entitlement Management Message; multiplex the authentication information, the scrambled television signal stream, the Entitlement Management Message and the Entitlement Control Message and send them to the digital video broadcast network, where the Entitlement Control Message is the control word encrypted with the service key and the Entitlement Management Message is the service key encrypted with the personal distribution key.
Because the CA system is the foundation of the security of the whole Digital Video Broadcasting (DVB) system, building the security of the IP network on the basis of CA security makes the subscriber identity information (user name, password, etc.) required by the various service authentications invisible to both users and installers on the IP network, reducing the risk of subscriber identity information leaking and improving the security of the whole system. Also, the information that a person had to enter into the set-top box in the prior art is now completed automatically by the system between its components (for example, decryption with the PDK by the CA module is completed automatically by the set-top box), with no manual intervention, which reduces the trouble of manual operation and the likelihood of mistakes.
On the other hand, corresponding, the embodiment of the invention also provides the bi-directional set-top box 3 in the bi-directional set-top box Verification System, and as shown in Figure 4, it comprises CA module 30, and also comprises: acquiring unit 32 is used to obtain the authentication information of encrypting by individual distributing key; Conditional Access Module 34 also is used to receive the authentication information of the encryption that described acquiring unit 32 sends, and is decrypted according to the authentication information of described individual distributing key to described encryption, obtains the authentication information after the deciphering; Authentication ' unit 36 is used to use the authentication information after the deciphering that described Conditional Access Module 34 deciphering obtain to authenticate to network side.
As shown in Figure 5, if when comprising authenticated time information and authenticating identity information in the authentication information, this acquiring unit 32 comprises: acquisition module 320, be used to obtain authentication information, and described authentication information comprises authenticated time information and the authenticating identity information of encrypting by individual distributing key; Judge module 321 is used for judging according to described authenticated time information whether the authenticating identity information of described encryption is effective information; Sending module 323 is used for when authenticating identity information that described judge module 321 judged results are described encryption is effective information, the authenticating identity information of described encryption is sent to described Conditional Access Module 34 is decrypted.
Wherein, when bi-directional set-top box has the function of initiatively obtaining authentication information, acquiring unit 32 can comprise: obtain request module 323, be used for sending authentication request information to described network side, so that described network side generates authentication information according to described authentication request information, and described authentication information is sent to condition receiving system, be sent to described bi-directional set-top box after encrypting by condition receiving system.As shown in Figure 6, be the situation that comprises above-mentioned four kinds of modules.
Bi-directional set-top box described in the foregoing description can also be by other the structure of forming, as shown in Figure 7, be another composition schematic diagram of bi-directional set-top box in the embodiment of the invention, this bi-directional set-top box 4 comprises: receiver module 40 is used to receive the authentication information that sends by the Cable Web broadcast; Control module 42, being used for that the authentication information that receiver module 40 receives is sent to memory module 44 preserves, and when needing, read the authentication information of memory module 44 storage, the authentication information that reads is delivered to CA module 46 be decrypted, the authentication information after will deciphering again is sent to network side and authenticates.Wherein preserve PDK in the CA module 46, memory module 44 can be the FLASH memory.
Correspondingly, an embodiment of the invention also provides the conditional access system (CAS) 2 of the bi-directional set-top box authentication system. As shown in Figure 8, the system comprises:
a receiving module 20, for obtaining the authentication information sent by the network side;
an encrypting module 22, for encrypting the authentication information obtained by the receiving module 20 with the PDK of the bi-directional set-top box, yielding encrypted authentication information;
a sending module 24, for broadcasting the encrypted authentication information produced by the encrypting module 22, so that the bi-directional set-top box obtains it and authenticates with it. When the authentication information is encrypted together with the TV signal, as shown in Figure 9, the sending module 24 may comprise: an obtaining submodule 241, for obtaining the control-word-scrambled TV signal stream, the Entitlement Control Message (ECM) and the Entitlement Management Message (EMM); and a multiplexing submodule 243, for multiplexing the authentication information, the scrambled TV signal stream, the EMM and the ECM and sending the result to the digital video broadcasting network. Here the ECM is the control word encrypted with the service key, and the EMM is the service key encrypted with the PDK.
Figure 10 is a schematic of another embodiment of the sending module. The encryption process is described in detail with reference to the CA system of Figure 11. First a control word (CW) is generated; the control word generator supplies the CW to the scrambler and to encryptor A. A control word is typically 64 bits long and is changed every 2 to 30 s. The scrambler scrambles the image, audio and data signals (the TS clear stream) with the control word supplied by the generator. The output of the scrambler is the scrambled transport bit stream (the TS scrambled stream); the control word is the key with which the scrambler scrambles.
Encryptor A, having received the control word from the generator, encrypts it with the service key (SK) supplied by the authorization control system; its output is the encrypted control word, called the Entitlement Control Message (ECM). The service key is supplied to encryptor B at the same time as to encryptor A. Encryptor B differs slightly from encryptor A: it encrypts the service key sent by the authorization control system with the PDK. Its output is the encrypted service key, called the Entitlement Management Message (EMM). The ECM and EMM produced in this way are both sent to the multiplexer, where they are multiplexed with the encrypted authentication information and the scrambled transport stream (TS) delivered to the same multiplexer, packaged into a transmittable TS stream, modulated by the modulator and output to the sending module 24.
Correspondingly, the process by which the set-top box (STB) decrypts the received TS stream is the reverse of the CAS encryption process. The STB must first receive the EMM over the cable network and use the PDK stored in its CA module to decrypt the EMM, recovering the service key, and to decrypt the encrypted authentication information, recovering the plaintext authentication information. It then receives the ECM from the cable network, decrypts the ECM with the service key to obtain the CW that scrambled the TS stream, and finally descrambles the TS stream with the CW to obtain decodable image and audio signals.
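The key hierarchy described above (CW scrambles the TS, the service key wraps the CW into the ECM, the PDK wraps the service key into the EMM and also wraps the authentication information), together with the validity check the judging module performs on the authentication time information before anything reaches the CA module, as an added example in Python. This is not code from the patent or from any CAS product. The patent does not name the cipher the CA module runs, so an encrypt-then-MAC stream cipher built from HMAC-SHA256 stands in for it; the function names (seal, unseal, scramble, headend_multiplex, stb_receive, network_side_verify), the layout of the time information as an issue time plus a validity window, and all keys, identities and timestamps are assumptions constructed for the demo.

```python
"""Toy model of the CAS key hierarchy and the STB-side reverse path.

Added example, not code from the patent.  An encrypt-then-MAC stream cipher
built from HMAC-SHA256 (stdlib only) stands in for the unnamed CA cipher.
Keys, the STB identity and the timestamps are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 12, 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a keyed PRF (stand-in for the real cipher)."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key (another STB's PDK) fails here."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expect, tag):
        raise ValueError("tag mismatch: wrong key or tampered message")
    return _xor(ct, _keystream(key, nonce, len(ct)))


def scramble(control_word: bytes, ts: bytes) -> bytes:
    """Scrambler/descrambler keyed by the 64-bit CW (XOR with a CW-derived stream, self-inverse)."""
    return _xor(ts, _keystream(control_word, b"TS-scrambler", len(ts)))


def headend_multiplex(pdk, service_key, control_word, auth_identity, issued_at, ttl, ts_clear):
    """CAS side (Figure 11 plus encrypting module 22): the four multiplexed components."""
    assert len(control_word) == 8, "CW is typically 64 bits"
    ecm = seal(service_key, control_word)      # encryptor A: CW under the service key
    emm = seal(pdk, service_key)               # encryptor B: service key under this STB's PDK
    # Authentication time information in the clear, identity information under the PDK.
    # The issue-time + window layout is an assumption; the patent only says the STB
    # judges validity from the time information.
    auth = struct.pack(">II", issued_at, ttl) + seal(pdk, auth_identity)
    return {"EMM": emm, "ECM": ecm, "AUTH": auth, "TS": scramble(control_word, ts_clear)}


def stb_receive(pdk, mux, now):
    """STB side: EMM -> SK, ECM -> CW, descramble; time check before the CA module decrypts."""
    service_key = unseal(pdk, mux["EMM"])                   # CA module, PDK
    control_word = unseal(service_key, mux["ECM"])          # service key
    ts_clear = scramble(control_word, mux["TS"])            # descrambler
    issued_at, ttl = struct.unpack(">II", mux["AUTH"][:8])  # judging module 321
    if not issued_at <= now < issued_at + ttl:
        raise ValueError("authentication information expired; not passed to CA module")
    identity = unseal(pdk, mux["AUTH"][8:])                 # CA module decrypts identity
    return ts_clear, identity


def network_side_verify(issued: dict, stb_id: str, presented: bytes) -> bool:
    """Network authentication server: compare against what it issued for this STB."""
    return hmac.compare_digest(issued.get(stb_id, b""), presented)


def demo():
    pdk_a, pdk_b = os.urandom(16), os.urandom(16)           # one PDK per subscriber's CA module
    sk, cw = os.urandom(16), os.urandom(8)
    issued = {"stb-A": b"auth-token-for-A"}                 # constructed authentication information
    ts_clear = b"\x47\x00\x11\x10" + bytes(184)             # constructed 188-byte TS packet
    mux = headend_multiplex(pdk_a, sk, cw, issued["stb-A"], 1_000, 600, ts_clear)
    ts, ident = stb_receive(pdk_a, mux, now=1_100)
    ok = ts == ts_clear and network_side_verify(issued, "stb-A", ident)
    try:
        stb_receive(pdk_b, mux, now=1_100)                  # another subscriber's STB
        other_fails = False
    except ValueError:
        other_fails = True
    try:
        stb_receive(pdk_a, mux, now=2_000)                  # stale authentication information
        stale_fails = False
    except ValueError:
        stale_fails = True
    return ok, other_fails, stale_fails


if __name__ == "__main__":
    print(demo())
```

The two failure paths are the ones the description relies on: a box holding a different PDK cannot open the EMM or the authentication information, and authentication information whose time information is outside its window is rejected before the CA module is asked to decrypt it. Because the whole chain hangs on the PDK, the example keeps the PDK inside the STB-side function only, mirroring the patent's placement of the PDK in the CA module.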
In the embodiments of the invention, because the authentication information is encrypted by the CAS and decrypted by the CA module of the bi-directional set-top box before use, its security is protected; at the same time, the original CA module needs no modification, so the compatibility of the bi-directional set-top box is preserved.
From the description of the embodiments above, those skilled in the art will understand that each embodiment can be implemented by software together with the necessary general-purpose hardware platform, or of course by hardware alone. On this understanding, the essence of the technical solution, or the part of it that contributes over the prior art, can be embodied as a software product stored on a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, comprising instructions that cause a computer device (which may be a personal computer, a server or a network device) to carry out the method of each embodiment or of some part of an embodiment.
The embodiments described above do not limit the scope of protection of this technical solution. Any modification, equivalent replacement or improvement made within the spirit and principles of the above embodiments shall fall within its scope of protection.

Claims (15)

1. A bi-directional set-top box authentication method, the bi-directional set-top box comprising a conditional access module, the method comprising:
obtaining authentication information encrypted with a personal distribution key;
decrypting the encrypted authentication information with the conditional access module using the personal distribution key, which is stored in the conditional access module, to obtain decrypted authentication information; and
authenticating to the network side with the decrypted authentication information.
2. The method of claim 1, wherein the authentication information comprises authentication time information and encrypted authentication identity information, and decrypting the encrypted authentication information with the conditional access module comprises:
obtaining the authentication time information from the authentication information; and
after judging, according to the authentication time information, that the encrypted authentication identity information is valid, decrypting the encrypted authentication identity information with the conditional access module.
3. The method of claim 1 or 2, wherein obtaining the authentication information encrypted with the personal distribution key comprises:
sending an authentication request to the network side, so that the network side generates authentication information according to the request and sends it to a conditional access system for encryption and transmission; and
receiving, from the conditional access system, the authentication information encrypted with the personal distribution key.
4. A bi-directional set-top box security authentication method, comprising:
obtaining authentication information sent by the network side;
encrypting the authentication information with the personal distribution key of the bi-directional set-top box to obtain encrypted authentication information; and
broadcasting the encrypted authentication information, so that the bi-directional set-top box can authenticate to the network side according to it.
5. The method of claim 4, wherein the authentication information sent by the network side is information that the network side has set up for the bi-directional set-top box, to be used by the bi-directional set-top box when applying to the network side for authentication.
6. The method of claim 5, wherein broadcasting the encrypted authentication information comprises:
obtaining a control-word-scrambled TV signal stream, an Entitlement Control Message and an Entitlement Management Message; and
multiplexing the encrypted authentication information, the scrambled TV signal stream, the Entitlement Management Message and the Entitlement Control Message and sending the result to the digital video broadcasting network;
wherein the Entitlement Control Message is the control word encrypted with the service key, and the Entitlement Management Message is the service key encrypted with the personal distribution key.
7. The method of any of claims 4 to 6, wherein the network side is an IP network side.
8. A bi-directional set-top box comprising a conditional access module that stores a personal distribution key, the bi-directional set-top box further comprising:
an acquiring unit, for obtaining authentication information encrypted with the personal distribution key;
the conditional access module, further for receiving the encrypted authentication information sent by the acquiring unit and decrypting it with the personal distribution key to obtain decrypted authentication information; and
an authentication unit, for authenticating to the network side with the authentication information decrypted by the conditional access module.
9. The bi-directional set-top box of claim 8, wherein the acquiring unit comprises:
a request module, for sending an authentication request to the network side, so that the network side generates authentication information according to the request and sends it to a conditional access system, which encrypts it and sends it on to the bi-directional set-top box.
10. The bi-directional set-top box of claim 8, wherein the acquiring unit comprises:
an acquisition module, for obtaining authentication information comprising authentication time information and authentication identity information encrypted with the personal distribution key;
a judging module, for judging, according to the authentication time information, whether the encrypted authentication identity information is valid; and
a sending module, for sending the encrypted authentication identity information to the conditional access module for decryption when the judging module determines that it is valid.
11. A conditional access system comprising:
a receiving module, for obtaining authentication information sent by the network side;
an encrypting module, for encrypting the authentication information with the personal distribution key of the bi-directional set-top box to obtain encrypted authentication information; and
a sending module, for broadcasting the encrypted authentication information, so that the bi-directional set-top box can authenticate according to it.
12. The system of claim 11, wherein the sending module comprises:
an obtaining submodule, for obtaining a control-word-scrambled TV signal stream, an Entitlement Control Message and an Entitlement Management Message; and
a multiplexing submodule, for multiplexing the encrypted authentication information, the scrambled TV signal stream, the Entitlement Management Message and the Entitlement Control Message and sending the result to the digital video broadcasting network;
wherein the Entitlement Control Message is the control word encrypted with the service key, and the Entitlement Management Message is the service key encrypted with the personal distribution key.
13. A bi-directional set-top box authentication system comprising:
a network authentication server, for obtaining authentication information corresponding to a bi-directional set-top box and sending it;
a conditional access system, for receiving the authentication information sent by the network authentication server, encrypting it with the personal distribution key of the bi-directional set-top box, and broadcasting the encrypted authentication information; and
a bi-directional set-top box, for receiving the encrypted authentication information sent by the conditional access system, decrypting it with the personal distribution key stored in its local conditional access module, and authenticating to the network authentication server with the decrypted authentication information.
14. The system of claim 13, wherein
the bi-directional set-top box is further for sending an authentication request to the network authentication server; and
the network authentication server is further for generating authentication information according to the authentication request and sending it to the conditional access system.
15. The system of claim 14, wherein the network authentication server is further for changing the authentication information periodically or according to a predetermined policy, and sending the changed authentication information to the conditional access system.
CN2009100377172A 2009-03-10 2009-03-10 Bi-directional set-top box authentication method, system and related equipment Expired - Fee Related CN101505400B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100377172A CN101505400B (en) 2009-03-10 2009-03-10 Bi-directional set-top box authentication method, system and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009100377172A CN101505400B (en) 2009-03-10 2009-03-10 Bi-directional set-top box authentication method, system and related equipment

Publications (2)

Publication Number Publication Date
CN101505400A true CN101505400A (en) 2009-08-12
CN101505400B CN101505400B (en) 2012-03-21

Family

ID=40977429

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009100377172A Expired - Fee Related CN101505400B (en) 2009-03-10 2009-03-10 Bi-directional set-top box authentication method, system and related equipment

Country Status (1)

Country Link
CN (1) CN101505400B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101958904A (en) * 2010-10-12 2011-01-26 高斯贝尔数码科技股份有限公司 User identity (Id) security authentication system and method for interactive digital television system
CN101958904B (en) * 2010-10-12 2012-07-11 高斯贝尔数码科技股份有限公司 User identity (Id) security authentication system and method for interactive digital television system
CN103546767A (en) * 2012-07-16 2014-01-29 航天信息股份有限公司 Content protection method and system of multimedia service
CN103546767B (en) * 2012-07-16 2017-01-25 航天信息股份有限公司 Content protection method and system of multimedia service
CN104079994A (en) * 2014-07-07 2014-10-01 四川金网通电子科技有限公司 Authorization system and method based on set top box card-free CA
CN104079994B (en) * 2014-07-07 2017-05-24 四川金网通电子科技有限公司 Authorization system and method based on set top box card-free CA
CN104819097A (en) * 2015-04-03 2015-08-05 北京天诚同创电气有限公司 Protection method and device for programmable controller program of wind generating set
CN106790307A (en) * 2017-03-28 2017-05-31 联想(北京)有限公司 Network safety managing method and server

Also Published As

Publication number Publication date
CN101505400B (en) 2012-03-21

Similar Documents

Publication Publication Date Title
JP5106845B2 (en) How to descramble a scrambled content data object
EP2461539B1 (en) Control word protection
US9385997B2 (en) Protection of control words employed by conditional access systems
US20060069645A1 (en) Method and apparatus for providing secured content distribution
US7937587B2 (en) Communication terminal apparatus and information communication method
KR100969668B1 (en) Method for Downloading CAS in IPTV
CN102724568A (en) Authentication certificates
CN101300841B (en) Method for securing data exchanged between a multimedia processing device and a security module
JPH10164053A (en) Verification method/system for data by scrambling
GB2489671A (en) Cryptographic key distribution for IPTV
CN101207794B (en) Method for enciphering and deciphering number copyright management of IPTV system
US8804965B2 (en) Methods for decrypting, transmitting and receiving control words, recording medium and control word server to implement these methods
CN101505400B (en) Bi-directional set-top box authentication method, system and related equipment
CN102340702A (en) IPTV (Internet protocol television) network playing system and rights management and descrambling method based on USB (Universal serial bus) Key
CN101562520A (en) Method and system for distributing service secret keys
CN102917252B (en) IPTV (internet protocol television) program stream content protection system and method
CN101202883B (en) System for numeral copyright management of IPTV system
CN103546767A (en) Content protection method and system of multimedia service
JP4692070B2 (en) Information processing system, information processing apparatus, information processing method, and program
CN103747300A (en) Conditional access system capable of supporting mobile terminal
US20080101614A1 (en) Method and Apparatus for Providing Secured Content Distribution
KR102286784B1 (en) A security system for broadcasting system
CN102238422B (en) Digital television broadcasting conditional access system
JP5143186B2 (en) Information communication method and server
JP2007036625A (en) Content distribution method, content receiver, content transmitter and restricted receiving module

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
20180213 TR01 Transfer of patent right. Patentee before: HUAWEI DEVICE Co.,Ltd., 518129 Longgang District, Guangdong, Bantian HUAWEI base B District, building 2, building No. Patentee after: Tanous Co., California, USA
20180213 TR01 Transfer of patent right. Patentee before: Tanous Co., California, USA. Patentee after: Global innovation polymerization LLC, California, USA
CF01 Termination of patent right due to non-payment of annual fee. Granted publication date: 20120321