Embodiment
To combine the accompanying drawing in the embodiment of the invention below, the technical scheme in the embodiment of the invention is carried out clear, intactly description, obviously, described embodiment only is the present invention's part embodiment, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills are not making the every other embodiment that is obtained under the creative work prerequisite, all belong to the scope of the present invention's protection.
When bi-directional set-top box carries out the IP network authentication; In order to take into account compatibility and fail safe, need under the situation of neither the CA module of bi-directional set-top box being made amendment, utilize condition receiving system (ConditionalAccess System again; CAS; Hereinafter all be called cas system for meeting custom) high security guarantee the IP network authenticating safety, so in the scheme of present embodiment, adopt store in the cas system with specific bi-directional set-top box in the CA module in individual distributing key (the Personal Distribute Key that stores; PDK) authentication information is encrypted, the PDK in the CA module of bi-directional set-top box deciphers.
With reference to accompanying drawing embodiments of the invention are described below.Referring to Fig. 1, be a concrete sketch map of forming of bi-directional set-top box Verification System in the embodiment of the invention.In this system, network authentication server 1 obtains or generates and is used for the needed authentication information that bi-directional set-top box carries out authentication, and this authentication information is transferred to cas system 2.Wherein, this authentication information can be that network authentication server automatically generates or according to the generation that is provided with of operator, or other management equipments from network etc. obtain.This authentication information can comprise authenticating identity information, like user name, user cipher etc.; Simultaneously; In order to improve authenticating safety; This authentication information also can comprise authenticated time information, like timestamp, has only bi-directional set-top box in the timestamp official hour, to carry out authentication; This authentication is just effective, or bi-directional set-top box only could be decoded to authenticating identity information in the timestamp official hour.
This authentication information is to particular user, promptly has only its specific bi-directional set-top box that is directed against could use this authentication information to carry out authentication.As, can on network authentication server, store an authentication information and user's mapping table, after the authentication information A that network authentication server will be corresponding with user A is sent to cas system; Cas system uses the PDK corresponding with user A that authentication information A is encrypted; Like this, can the authentication information A that receive be deciphered, and then use the authentication information A after the deciphering to carry out authentication to network authentication server with regard to the STB of only knowing the PDK that user A is corresponding; After network authentication server is received authentication information A; Authentication query information and user's mapping table can know that the user A corresponding with authentication information A carries out authentication, at this moment; Can combine other information to carry out authentication (can certainly only directly carry out authentication) again, so that the follow-up service that user A obtains the authorization and uses according to above-mentioned mapping table.
When network authentication server 1 is transferred to cas system 2 with the authentication information that generates; Because network authentication server 1 all belongs to the equipment that operator manages with cas system; Thereby this authentication information can transmit in the proprietary close network of operator, and its fail safe can be protected.
After cas system 2 received the authentication information that network authentication servers 1 send, the individual distributing key through bi-directional set-top box 3, behind the authentication information that obtains to encrypt was sent the authentication information broadcasting of said encryption said encrypted authentication information.
Be cas system 2 after receiving authentication information, use the PDK of specific bi-directional set-top box that authentication information is encrypted, as when authentication information only comprises authenticating identity information; Use PDK that authenticating identity information is encrypted; When also comprising authenticated time information in the authentication information, can be only to the authenticating identity information encryption, also encrypting and authenticating temporal information simultaneously; When authentication information also comprises the information of other needs; Situation is also similar, the promptly minimum encryption that will guarantee to authenticating identity information, and other information can be encrypted also and can not added.
Then, the authentication information after cas system 2 will be encrypted sends through the Cable Web broadcast.Bi-directional set-top box in broadcasting area all can be received the authentication information after this encryption, but has only the PDK in the CA module in the above-mentioned specific bi-directional set-top box to decipher this authentication information.As shown in fig. 1, be the bi-directional set-top box 3 that can decipher.
Bi-directional set-top box 3; Be used to receive the authentication information of the encryption that cas system 2 sends; Utilize the individual distributing key of local Conditional Access Module storage that the authentication information of said encryption is deciphered, and use the authentication information after the deciphering, carry out authentication to network authentication server 1.That is, bi-directional set-top box 3 utilizes its CA module to decipher after receiving the authentication information of encryption, stores the required PDK of deciphering in this CA module.Bi-directional set-top box 3 obtains can expressly carry out authentication through IP network to network authentication server behind the authentication information after the deciphering, and the bi-directional set-top box after having only authentication to pass through can obtain corresponding business.
Adopt said system, after authentication information is encrypted through PDK, be sent to STB, can realize neither need making amendment, utilized the fail safe of the high security assurance network authentication of cas system again the CA module of existing bi-directional set-top box.Simultaneously, in authentication information, add authenticated time information, the fail safe that can further improve network authentication.
Schematic flow sheet as shown in Figure 2, carry out authentication for bi-directional set-top box in the embodiment of the invention.This identifying procedure comprises:
201, acquisition is through the authentication information of individual distributing key encryption.As previously mentioned, this process can comprise: network side generates authentication information, and said authentication information is sent to condition receiving system, and said authentication information is said bi-directional set-top box needed information when carrying out authentication; Said condition receiving system uses the individual distributing key of said bi-directional set-top box to said encrypted authentication information, obtains and broadcast the authentication information that sends after encrypting; Said bi-directional set-top box obtains the authentication information of said encryption.
Wherein, It can be active process that network side generates and sends authentication information, also can be to be triggered by the bi-directional set-top box side, and promptly bi-directional set-top box sends authentication request information to said network side; Network side sends it to cas system after generating authentication information according to said authentication request information.
Simultaneously, this network side can periodically change authentication information, and the authentication information after periodically will changing is sent to bi-directional set-top box.
In use, because user's (being bi-directional set-top box) enormous amount that each head-end system (being network authentication server) is with down often reaches the hundreds of thousands user class, so can not constantly issue authentication information to each user.Can set following principle for this reason and carry out issuing of authentication information at network authentication server:
Behind A, the user's new account in a period of time (as, 3 days, 5 days etc.), the underground hair of high-frequency family information, like per minute once, concrete frequency can be carried out budget according to the customer volume of network and set;
Back a period of time installs start and collects authentication information if the B small number of users is opened an account, and then can arrange, and the user sends a telegraph the attendant of call center, operates issuing of the authentication information that sets out by the attendant; Or by the user bi-directional set-top box is set and initiatively sends authentication request information, request issues authentication information.
Because to every bi-directional set-top box and corresponding each user, its user profile can not change frequent, to the real-time no requirement (NR), so above measure can be satisfied the demand.
202, utilize Conditional Access Module that the authentication information of said encryption is deciphered, the authentication information after obtaining to decipher stores said individual distributing key in the said Conditional Access Module.
In the operation of this step; Can be earlier after bi-directional set-top box obtains corresponding authentication information with this information stores in the memory module of this locality; As adopt FLASH to store; When bi-directional set-top box need use authentication information to carry out authentication, read the authentication information of the encryption of storage earlier, and utilize the CA module that authentication information is deciphered.In deciphering, in case power down, then corresponding authentication information is lost.
Because this authentication information is encrypted through PDK, so the fail safe of authentication information can be protected,, but there is not supporting CA module even this authentication information is read and duplicates, can't crack and use this authentication information equally.
If card information comprises the authenticating identity information of authenticated time information and encryption, the process of then deciphering can be: obtain the authenticated time information in the said authentication information; After judging that according to said authenticated time information the authenticating identity information of said encryption is effective information; Utilize Conditional Access Module that the authenticating identity information of said encryption is deciphered; Or after utilizing Conditional Access Module that the authenticating identity information of said encryption is deciphered earlier; Judge that according to said authenticated time information the authenticating identity information of said encryption is just to carry out next step verification process behind the effective information; Or after utilizing Conditional Access Module that the authenticating identity information of said encryption is deciphered earlier, in next step, use authenticating identity information and authenticated time information after deciphering to carry out authentication.
203, the authentication information after the said deciphering of use carries out authentication to network side.As, when bi-directional set-top box need connect IP network, the authentication information after the deciphering is sent to network side carry out authentication, after the network side authentication was passed through, bi-directional set-top box can use corresponding business.
This authentication information also can be a temporary authentication information; After network side obtains temporary authentication information; Send other authentication information once more to bi-directional set-top box, bi-directional set-top box carries out authentication according to these other authentication information to network side again, to accomplish whole authentication process.
This authentication information also can be authenticating identity information and the authenticated time information after the deciphering, and network side can judge whether authenticating identity information is effective according to authenticated time information, and the authenticating identity information of only in effective time, receiving just maybe be through authentication.
Corresponding with above-mentioned flow process, as shown in Figure 3, the embodiment of the invention also provides a kind of method of bi-directional set-top box safety certification, comprising:
301, obtain the authentication information that network side sends, said authentication information is said bi-directional set-top box needed information when carrying out authentication.This network side specifically can be a network authentication server, like IP network certificate server etc.
Wherein, It can be active process that network side generates and sends authentication information, also can be to be triggered by the bi-directional set-top box side, and promptly bi-directional set-top box sends authentication request information to said network side; Network side sends it to cas system after generating authentication information according to said authentication request information again.
Simultaneously, this network side can periodically change authentication information, and the authentication information after periodically will changing is sent to bi-directional set-top box.
302, the individual distributing key through said bi-directional set-top box obtains the authentication information of encrypting to said encrypted authentication information.In cas system, preserve the PDK of the unique correspondence of each user of band down; Then after the CAS access authentication information; PDK according to the corresponding user of this authentication information encrypts it; So just guaranteed that the user who only stores this PDK could decipher this authentication information, and then carries out authentication to network side.
303, the broadcasting of the authentication information of said encryption is sent, so that said bi-directional set-top box obtains the authentication information of said encryption and carries out authentication according to the authentication information of said encryption.As the authentication information that will encrypt and TV signal multiplexing back transmission, specifically can be: obtain television signal flow, Entitlement Control Message and Entitlement Management Message through the control word scrambling; The television signal flow of said authentication information, said scrambling, said Entitlement Management Message and said Entitlement Control Message are carried out multiplexing back to be sent to digital video broadcast network; Wherein, Said Entitlement Control Message is the individual distributing key encrypted service key of process for process business cipher key encrypted control word, said Entitlement Management Message.
Because the CA system is whole DVB (Digital Video Broadcasting; DVB) foundation stone of security of system; Therefore; The fail safe of IP network is based upon on the CA basis of safety and can have reduced the risk that subscriber identity information leaks so that the required subscriber identity information (user name, password etc.) of miscellaneous service authentication is all invisible for user and workmen on the IP network, the fail safe of whole system is provided.Simultaneously; In the prior art, bi-directional set-top box needs the information of artificial input, now all can be by accomplishing (when utilizing PDK to decipher like the CA module automatically between each parts of system; Promptly be that bi-directional set-top box is accomplished automatically); Do not need manual intervention, the manually-operated trouble of minimizing has also reduced the possibility of makeing mistakes.
On the other hand, corresponding, the embodiment of the invention also provides the bi-directional set-top box 3 in the bi-directional set-top box Verification System, and is as shown in Figure 4, and it comprises CA module 30, and also comprises: acquiring unit 32 is used to obtain the authentication information through individual distributing key encryption; Conditional Access Module 34 also is used to receive the authentication information of the encryption that said acquiring unit 32 sends, and according to said individual distributing key the authentication information of said encryption is deciphered, and obtains the authentication information after the deciphering; Authentication ' unit 36 is used to use the authentication information after the deciphering that said Conditional Access Module 34 deciphering obtain to carry out authentication to network side.
As shown in Figure 5; If when comprising authenticated time information and authenticating identity information in the authentication information; This acquiring unit 32 comprises: acquisition module 320, be used to obtain authentication information, and said authentication information comprises authenticated time information and the authenticating identity information of encrypting through individual distributing key; Judge module 321 is used for judging according to said authenticated time information whether the authenticating identity information of said encryption is effective information; Sending module 323 is used for when authenticating identity information that said judge module 321 judged results are said encryption is effective information, the authenticating identity information of said encryption is sent to said Conditional Access Module 34 deciphers.
Wherein, When bi-directional set-top box has the function of initiatively obtaining authentication information; Acquiring unit 32 can comprise: obtain request module 323, be used for sending authentication request information to said network side, so that said network side generates authentication information according to said authentication request information; And said authentication information is sent to condition receiving system, be sent to said bi-directional set-top box after encrypting by condition receiving system.As shown in Figure 6, be the situation that comprises above-mentioned four kinds of modules.
Bi-directional set-top box described in the foregoing description can also be by other the structure of forming; As shown in Figure 7; Be another composition sketch map of bi-directional set-top box in the embodiment of the invention, this bi-directional set-top box 4 comprises: receiver module 40 is used to receive the authentication information that sends through the Cable Web broadcast; Control module 42; Being used for that the authentication information that receiver module 40 receives is sent to memory module 44 preserves; And when needing, read the authentication information of memory module 44 storage; The authentication information that reads is delivered to CA module 46 decipher, the authentication information after will deciphering again is sent to network side and carries out authentication.Wherein preserve PDK in the CA module 46, memory module 44 can be the FLASH memory.
Accordingly, the embodiment of the invention also provides the cas system 2 in the bi-directional set-top box Verification System, and is as shown in Figure 8, and this system comprises:
Receiver module 20 is used to obtain the authentication information that network side sends;
Encrypting module 22 is used for the encrypted authentication information that receiver module 20 obtained through the individual distributing key of said bi-directional set-top box, obtains the authentication information of encrypting;
Sending module 24, the authentication information broadcasting of the encryption that is used for encrypting module 22 is obtained is sent, so that said bi-directional set-top box obtains the authentication information of said encryption and carries out authentication according to the authentication information of said encryption.Wherein, as shown in Figure 9 when authentication information is encrypted with TV signal, this sending module 24 can comprise: obtain submodule 241, be used to obtain television signal flow, Entitlement Control Message and the Entitlement Management Message through the control word scrambling; Multiplex sub module 243 is used for that the television signal flow of said authentication information, said scrambling, said Entitlement Management Message and said Entitlement Control Message are carried out multiplexing back and sends to digital video broadcast network; Wherein, said Entitlement Control Message is the individual distributing key encrypted service key of process for process business cipher key encrypted control word, said Entitlement Management Message.
Shown in figure 10, be the composition sketch map of another embodiment of above-mentioned sending module.Ciphering process in conjunction with like the CA system of Figure 11 is described in detail as follows, at first produces control word (CW, Control Word) by control word generator, and CW is offered scrambler and encryption equipment A.The typical word length of control word is 64bit, whenever changes once at a distance from 2~30s.The control word that scrambler provides according to control word generator is carried out the scrambling computing to image, voice and data signal (being the TS clear stream).At this moment, the output result of scrambler is through having upset later transmission bit stream (being that TS adds flow-disturbing), and control word is exactly the used key of scrambler scrambling.
On the other hand; After encryption equipment A receives the control word from control word generator; The business cipher key that then provides according to the authorization control system (Service Key) carries out cryptographic calculation to control word; The output result of encryption equipment A is through encrypting later control word, and it is called as Entitlement Control Message (ECM, Entitlement ControlMessage).Business cipher key also has been provided for encryption equipment B when giving encryption equipment A, encryption equipment B and encryption equipment A are slightly different, and it can be encrypted the business cipher key that the authorization control system sends here according to the PDK key.The output result of encryption equipment B is an encrypted service key, and this is called as Entitlement Management Message (EMM, Entitlement Management Message).The ECM and the EMM information that produce through such process all are sent to multiplexer; Carry out multiplexingly with the authentication information of the encryption that is sent to same multiplexer, TS (Transport Stream) scrambling stream, be packaged into the TS stream that can send by outputing to sending module 24 after the modulators modulate.
Corresponding to above-mentioned cipher mode; STB (Set Top Box; STB) ciphering process of the process of the TS stream received of deciphering and CAS is opposite; STB must at first receive EMM through the Cable network, utilizes the PDK deciphering EMM business cipher key Service Key of CA module stores, and the authentication information after the authentication information of the enabling decryption of encrypted acquisition deciphering; Receive ECM from Cable then, utilize Service key deciphering ECM to obtain the CW of scrambling TS stream, finally utilize CW to remove descrambling TS stream, obtain and to carry out decoded image and voice signal.
In embodiments of the present invention, because authentication information is encrypted through cas system, and utilize the CA module of bi-directional set-top box to decipher the back use; Guaranteed the fail safe of authentication information; Simultaneously, need not revise original CA module, thereby guarantee the compatibility of bi-directional set-top box.
Through the description of above execution mode, those skilled in the art can be well understood to each execution mode and can realize by the mode that software adds essential general hardware platform, can certainly pass through hardware.Based on such understanding; The part that technique scheme contributes to prior art in essence in other words can be come out with the embodied of software product; This computer software product can be stored in the computer-readable recording medium, like ROM/RAM, magnetic disc, CD etc., comprises that some instructions are with so that a computer equipment (can be a personal computer; Server, perhaps network equipment etc.) carry out the described method of some part of each embodiment or embodiment.
Above-described execution mode does not constitute the qualification to this technical scheme protection range.The modification of being done within any spirit and principle at above-mentioned execution mode, be equal to replacement and improvement etc., all should be included within the protection range of this technical scheme.