CN101505400B - Bi-directional set-top box authentication method, system and related equipment - Google Patents

Info

Publication number: CN101505400B (application number CN2009100377172A; earlier publication CN101505400A)
Authority: CN (China)
Prior art keywords: authentication information, authentication, information, top box, encryption
Legal status: Expired - Fee Related (the status listed is an assumption by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN101505400A (en)
Inventor: 马剑飞
Current assignee: Global Innovation Polymerization LLC; Tanous Co (the listed assignees may be inaccurate)
Original assignee: Huawei Device Co Ltd
Events: application filed by Huawei Device Co Ltd with priority to CN2009100377172A; published as CN101505400A; application granted and published as CN101505400B; current legal status Expired - Fee Related; anticipated expiration.

Abstract

Embodiments of the invention disclose a two-way set-top box authentication method and a two-way set-top box. The two-way set-top box comprises a conditional access module, and the method comprises the following steps: acquiring authentication information encrypted with a personal allocation key; decrypting the encrypted authentication information with the conditional access module, in which the personal allocation key is stored, to obtain the decrypted authentication information; and authenticating to the network side with the decrypted authentication information. With the scheme of the embodiments, usability and compatibility are preserved while the security of the two-way set-top box's IP network access is guaranteed.

Description

Bi-directional set-top box and authentication method thereof, conditional access system and authentication system
Technical field
The present invention relates to the communication field, and in particular to a bi-directional set-top box authentication method, system and related equipment.
Background technology
A bi-directional set-top box has two links to the network, Cable and Internet Protocol (IP), so that it can not only receive video content broadcast over Cable but also interact with services over the IP link.
In the course of realizing the present invention, the inventor found that the security of content transmitted over the Cable link is guaranteed by the Conditional Access (CA) system. When the IP network is used, however, the bi-directional set-top box typically authenticates to the server on the IP network side with its set-top box number or the identifier (ID) of the CA module in the set-top box, in order to secure IP network access authentication and the Video On Demand (VOD) services carried over the IP network. In this scheme the set-top box ID can easily be obtained, copied or even misappropriated by installation staff or by the user of the set-top box, so there is a considerable security risk.
Other schemes for securing IP network access authentication either require the user to enter an encrypted password by hand or require the CA module in the set-top box to be changed; each has corresponding problems of operability, compatibility or security.
Thus in the prior art, when a bi-directional set-top box performs operations such as IP network access authentication, its information security is problematic, and ease of use and compatibility cannot be reconciled with the security of the set-top box's IP network access.
Summary of the invention
The technical problem solved by the invention is to provide a bi-directional set-top box and authentication method, a conditional access system and an authentication system that take ease of use and compatibility into account while guaranteeing the security of the set-top box's IP network access.
To this end, in one aspect, embodiments of the invention provide a bi-directional set-top box authentication method, where the set-top box comprises a conditional access module and the method comprises: obtaining authentication information encrypted with a personal distribution key; decrypting the encrypted authentication information with the conditional access module, in which the personal distribution key is stored, to obtain the decrypted authentication information; and authenticating to the network side with the decrypted authentication information.
Embodiments of the invention also provide a method of bi-directional set-top box security authentication, comprising: obtaining the authentication information sent by the network side; encrypting it with the personal distribution key of the set-top box to obtain encrypted authentication information; and broadcasting the encrypted authentication information, so that the set-top box can authenticate according to it.
In another aspect, embodiments of the invention provide a bi-directional set-top box comprising: an acquiring unit for obtaining authentication information encrypted with a personal distribution key; a conditional access module for receiving the encrypted authentication information sent by the acquiring unit and decrypting it with the locally stored personal distribution key to obtain the decrypted authentication information; and an authentication unit for authenticating to the network side with the authentication information decrypted by the conditional access module.
In a further aspect, embodiments of the invention also provide a conditional access system comprising: a receiving module for obtaining the authentication information sent by the network side; an encryption module for encrypting the authentication information with the set-top box's personal distribution key to obtain encrypted authentication information; and a sending module for broadcasting the encrypted authentication information so that the set-top box can authenticate according to it.
At the same time, embodiments of the invention provide a bi-directional set-top box authentication system comprising: a network authentication server for obtaining the authentication information corresponding to a set-top box and sending it; a conditional access system for receiving the authentication information sent by the network authentication server, encrypting it with the set-top box's personal distribution key and broadcasting the encrypted result; and a bi-directional set-top box for receiving the encrypted authentication information sent by the conditional access system, decrypting it with the personal distribution key stored in its local conditional access module, and authenticating to the network authentication server with the decrypted information.
With the technical scheme of the embodiments, interaction between the set-top box user and the network-side head-end system is realized without changing the CA module of the set-top box, which preserves compatibility between set-top boxes; at the same time, during network authentication the personal distribution key kept in the CA module decrypts the authentication information, so the high security of the CA system is obtained. The security of set-top box access is thus guaranteed while the compatibility and ease of use of the set-top box are preserved.
Description of drawings
To illustrate the embodiments of the invention or the technical schemes of the prior art more clearly, the drawings needed for the embodiments or the prior art are briefly introduced below; obviously, they show only some embodiments of the invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the composition of a bi-directional set-top box authentication system in an embodiment of the invention;
Fig. 2 is a schematic flow chart of a bi-directional set-top box authentication method in an embodiment of the invention;
Fig. 3 is a schematic flow chart of a method of bi-directional set-top box security authentication in an embodiment of the invention;
Fig. 4 is a schematic diagram of the composition of the bi-directional set-top box in Fig. 1;
Fig. 5 is a schematic diagram of the composition of the acquiring unit in Fig. 4;
Fig. 6 is a schematic diagram of the composition of the decryption unit in Fig. 4;
Fig. 7 is a schematic diagram of another composition of the bi-directional set-top box in an embodiment of the invention;
Fig. 8 is a schematic diagram of the composition of the CAS system in an embodiment of the invention;
Fig. 9 is a schematic diagram of the composition of the sending module in Fig. 8;
Fig. 10 is a schematic diagram of another composition of the sending module in Fig. 8;
Fig. 11 is a schematic diagram of the principle of the encryption process of the CAS system in an embodiment of the invention.
Embodiment
The technical scheme of the embodiments of the invention is described below clearly and completely with reference to the drawings; obviously, the embodiments described are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
When a bi-directional set-top box performs IP network authentication, reconciling compatibility with security requires using the high security of the conditional access system (Conditional Access System, CAS; hereinafter called the CAS system by convention) to guarantee the security of IP network authentication, without modifying the CA module of the set-top box. In the scheme of this embodiment, therefore, the authentication information is encrypted with the personal distribution key (Personal Distribute Key, PDK) that is stored both in the CAS system and in the CA module of the specific set-top box, and the PDK in the CA module of the set-top box decrypts it.
Embodiments of the invention are described below with reference to the drawings. Fig. 1 is a schematic diagram of the composition of a bi-directional set-top box authentication system in an embodiment of the invention. In this system, network authentication server 1 obtains or generates the authentication information the set-top box needs in order to authenticate and transfers it to CAS system 2. The authentication information may be generated automatically by the network authentication server, generated according to the operator's settings, or obtained from other management equipment in the network. It may comprise authentication identity information such as a user name and user password; to improve the security of authentication it may also comprise authentication time information such as a timestamp, so that the authentication is effective only if the set-top box authenticates within the time the timestamp specifies, or so that the set-top box can decode the identity information only within that time.
The authentication information is specific to a particular user, meaning only the specific set-top box it is intended for can use it to authenticate. For example, a mapping table of authentication information to users can be stored on the network authentication server. After the server sends authentication information A, corresponding to user A, to the CAS system, the CAS system encrypts information A with the PDK corresponding to user A; only the set-top box that knows user A's PDK can decrypt the received information A and then use the decrypted information A to authenticate to the server. When the server receives information A, it looks up the mapping table and knows that user A, corresponding to information A, is authenticating; it may then authenticate in combination with other information (or, of course, authenticate directly from the mapping table alone), so that user A is authorized and obtains the subsequent services.
When network authentication server 1 transfers the generated authentication information to CAS system 2, because both the server and the CAS system are equipment managed by the operator, the information can be transmitted in the operator's own closed network and its security is protected.
After CAS system 2 receives the authentication information sent by network authentication server 1, it encrypts it with the personal distribution key of bi-directional set-top box 3 to obtain encrypted authentication information and broadcasts the encrypted authentication information.
That is, after receiving the authentication information, CAS system 2 encrypts it with the PDK of the specific set-top box. When the authentication information comprises only identity information, the identity information is encrypted with the PDK; when it also comprises time information, either only the identity information is encrypted or the time information is encrypted as well; when the authentication information comprises other needed information, the situation is similar. At a minimum the identity information is encrypted; other information may or may not be.
CAS system 2 then broadcasts the encrypted authentication information over the Cable network. Every set-top box in the broadcast area receives the encrypted information, but only the PDK in the CA module of the specific set-top box mentioned above can decrypt it; in Fig. 1 this is bi-directional set-top box 3.
Bi-directional set-top box 3 receives the encrypted authentication information sent by CAS system 2, decrypts it with the personal distribution key stored in its local conditional access module and authenticates to network authentication server 1 with the decrypted information. That is, after receiving the encrypted authentication information, set-top box 3 decrypts it with its CA module, which stores the PDK required for decryption. Having obtained the plaintext authentication information, set-top box 3 authenticates to the network authentication server over the IP network, and only a set-top box that passes authentication obtains the corresponding service.
With this system, the authentication information is encrypted with the PDK before being sent to the set-top box, so the CA module of an existing set-top box need not be modified while the high security of the CAS system guarantees the security of network authentication. Adding authentication time information to the authentication information further improves the security of network authentication.
Fig. 2 is a schematic flow chart of bi-directional set-top box authentication in an embodiment of the invention. The authentication flow comprises:
201. Obtain authentication information encrypted with the personal distribution key. As described above, this can comprise: the network side generates the authentication information, which is the information the set-top box needs in order to authenticate, and sends it to the conditional access system; the conditional access system encrypts the authentication information with the set-top box's personal distribution key and broadcasts the encrypted result; and the set-top box obtains the encrypted authentication information.
Generation and sending of the authentication information by the network side may be an active process, or may be triggered by the set-top box side: the set-top box sends authentication request information to the network side, which generates the authentication information according to the request and then sends it to the CAS system.
The network side may also change the authentication information periodically and send the changed authentication information to the set-top box.
In use, because the number of users (set-top boxes) under each head-end system (network authentication server) is huge, often reaching hundreds of thousands, authentication information cannot be issued continuously to every user. The network authentication server can therefore issue authentication information on the following principles:
A. For a period after a user opens a new account (for example 3 days or 5 days), issue the user's information at high frequency, for example once a minute; the exact frequency can be budgeted according to the network's user volume;
B. If a small number of users install and power on their set-top box, and so collect the authentication information, only some time after opening their account, it can be arranged that the user telephones the call centre attendant, who triggers issuing of the authentication information; or the user sets the set-top box to actively send authentication request information requesting that the authentication information be issued.
Because the user information of each set-top box and its corresponding user does not change frequently and there is no real-time requirement, the above measures meet the demand.
202. Decrypt the encrypted authentication information with the conditional access module, in which the personal distribution key is stored, to obtain the decrypted authentication information.
In this step, the set-top box can first store the obtained authentication information in a local storage module, for example FLASH; when it needs to use the authentication information to authenticate, it reads the stored encrypted authentication information and decrypts it with the CA module. Once decrypted, the authentication information is lost if power is cut.
Because the authentication information is encrypted with the PDK, its security is protected: even if the authentication information is read out and copied, without the matching CA module it cannot be cracked or used.
If the authentication information comprises authentication time information and encrypted authentication identity information, decryption can proceed as follows: obtain the time information from the authentication information, and after judging by the time information that the encrypted identity information is valid, decrypt the encrypted identity information with the conditional access module; or first decrypt the encrypted identity information with the conditional access module and only proceed to the next authentication step after judging by the time information that the identity information is valid; or first decrypt the encrypted identity information with the conditional access module and, in the next step, authenticate with both the decrypted identity information and the time information.
203. Authenticate to the network side with the decrypted authentication information. For example, when the set-top box needs to connect to the IP network, it sends the decrypted authentication information to the network side for authentication; after the network side passes the authentication, the set-top box can use the corresponding service.
The authentication information may also be temporary authentication information: after the network side obtains the temporary authentication information, it sends other authentication information to the set-top box, and the set-top box authenticates to the network side again with that other information to complete the whole authentication process.
The authentication information may also be the decrypted identity information together with the time information; the network side can judge whether the identity information is valid according to the time information, and only identity information received within the valid time may pass authentication.
Corresponding to the above flow, as shown in Fig. 3, embodiments of the invention also provide a method of bi-directional set-top box security authentication, comprising:
301. Obtain the authentication information sent by the network side; the authentication information is the information the set-top box needs in order to authenticate. The network side may specifically be a network authentication server, such as an IP network authentication server.
Generation and sending of the authentication information by the network side may be an active process, or may be triggered by the set-top box side: the set-top box sends authentication request information to the network side, which generates the authentication information according to the request and then sends it to the CAS system.
The network side may also change the authentication information periodically and send the changed authentication information to the set-top box.
302. Encrypt the authentication information with the set-top box's personal distribution key to obtain encrypted authentication information. The CAS system keeps the unique PDK corresponding to each user under it; after the CAS obtains the authentication information it encrypts it with the PDK of the user corresponding to that authentication information, which guarantees that only the user holding that PDK can decrypt the authentication information and then authenticate to the network side.
303. Broadcast the encrypted authentication information, so that the set-top box obtains it and authenticates according to it. For example, the encrypted authentication information can be multiplexed with the television signal and sent. Specifically: obtain the television signal stream scrambled with the control word, the Entitlement Control Message and the Entitlement Management Message; multiplex the authentication information, the scrambled television signal stream, the Entitlement Management Message and the Entitlement Control Message and send them to the digital video broadcast network. The Entitlement Control Message is the control word encrypted with the service key, and the Entitlement Management Message is the service key encrypted with the personal distribution key.
Because the CA system is the cornerstone of the security of the whole Digital Video Broadcasting (DVB) system, building the security of the IP network on the CA security foundation makes the user identity information needed for each service authentication (user name, password, etc.) invisible to both the user and the installation staff on the IP network, which reduces the risk that the user identity information leaks and improves the security of the whole system. Moreover, where the prior art required information to be entered into the set-top box by hand, everything can now be completed automatically between the components of the system (for example the CA module decrypts with the PDK, which the set-top box performs automatically), so no manual intervention is needed, manual operation is reduced and the chance of mistakes is also reduced.
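The flows of steps 201 to 203 and 301 to 303 above, as an added example in Go that is not part of the patent: the server records a credential for a user and hands it to the CAS, the CAS encrypts it under that user's PDK and broadcasts it, only the box holding the matching PDK decrypts it, the box checks the time information before decrypting, and the server checks its mapping table and the validity window on authentication. It assumes AES-GCM as the cipher (the page names none), 16-byte constructed keys, a single NotAfter instant standing in for the timestamp, and models only the authentication information path, not the ECM/EMM chain; the names Headend, SetTopBox, Issue, Receive and Authenticate are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// gcmFor builds AES-128-GCM; the page names no cipher, so this is the example's choice.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this example is 16 bytes, so this would be a bug
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal encrypts pt and prepends the fresh random nonce to the ciphertext.
func seal(key, pt []byte) []byte {
	g := gcmFor(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; a wrong PDK fails the GCM tag check rather than yielding garbage.
func open(key, msg []byte) ([]byte, error) {
	g := gcmFor(key)
	if len(msg) < g.NonceSize() {
		return nil, errors.New("truncated message")
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
}

// Broadcast is the authentication information: identity part encrypted under the PDK, time part in the clear.
type Broadcast struct {
	Identity []byte // Enc_PDK(credential); only the matching CA module opens it
	NotAfter int64  // authentication time information, unix seconds
}

// Headend bundles the CAS (PDK table) and the network authentication server (mapping table) of Fig. 1.
type Headend struct {
	PDK    map[string][]byte // subscriber -> PDK, known only to the CAS
	issued map[string]string // credential -> subscriber, held by the server
	expiry map[string]int64  // credential -> NotAfter, held by the server
}

// Issue is steps 301-303: the server records the credential, the CAS encrypts it under the user's PDK.
func (h *Headend) Issue(subscriber, credential string, notAfter int64) (*Broadcast, error) {
	pdk, ok := h.PDK[subscriber]
	if !ok {
		return nil, errors.New("CAS holds no PDK for this subscriber")
	}
	h.issued[credential], h.expiry[credential] = subscriber, notAfter
	return &Broadcast{seal(pdk, []byte(credential)), notAfter}, nil
}

// Authenticate is the server side of step 203: the credential must be one the server
// issued and still inside its window; the window is enforced here, not only on the box.
func (h *Headend) Authenticate(credential string, now int64) (string, bool) {
	sub, ok := h.issued[credential]
	if !ok || now > h.expiry[credential] {
		return "", false
	}
	return sub, true
}

// SetTopBox is one box; PDK stands for the key held inside its CA module.
type SetTopBox struct{ PDK []byte }

// Receive is steps 201-202: every box in the broadcast area gets the same message, but only
// the one holding the matching PDK recovers the credential. The time check runs before decryption.
func (s *SetTopBox) Receive(b *Broadcast, now int64) (string, error) {
	if now > b.NotAfter {
		return "", errors.New("authentication information expired")
	}
	cred, err := open(s.PDK, b.Identity)
	if err != nil {
		return "", errors.New("authentication information not addressed to this box")
	}
	return string(cred), nil
}

func main() {
	pdkA, pdkB := []byte("pdk-of-box-A-16b"), []byte("pdk-of-box-B-16b") // constructed, not real PDKs
	head := &Headend{map[string][]byte{"userA": pdkA}, map[string]string{}, map[string]int64{}}
	bc, _ := head.Issue("userA", "userA:demo-password", 1300)
	for _, box := range []*SetTopBox{{pdkA}, {pdkB}} { // only box A is the addressed subscriber
		cred, err := box.Receive(bc, 1000)
		sub, ok := head.Authenticate(cred, 1000)
		fmt.Printf("box got %q (%v); server maps it to %q, accepts=%v\n", cred, err, sub, ok)
	}
}
```

The check in Receive runs on the box, which the page itself treats as exposed to copying and misuse, so the window check in Authenticate at the headend is the one to rely on.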
Correspondingly, embodiments of the invention also provide bi-directional set-top box 3 of the authentication system. As shown in Fig. 4, it comprises CA module 30 and further comprises: acquiring unit 32 for obtaining the authentication information encrypted with the personal distribution key; conditional access module 34, also used to receive the encrypted authentication information sent by acquiring unit 32 and decrypt it with the personal distribution key to obtain the decrypted authentication information; and authentication unit 36 for authenticating to the network side with the authentication information decrypted by conditional access module 34.
As shown in Fig. 5, if the authentication information comprises authentication time information and authentication identity information, acquiring unit 32 comprises: acquisition module 320 for obtaining the authentication information, which comprises the time information and the identity information encrypted with the personal distribution key; judging module 321 for judging according to the time information whether the encrypted identity information is valid; and sending module 323 for sending the encrypted identity information to conditional access module 34 for decryption when judging module 321 judges that it is valid.
When the set-top box has the function of actively obtaining authentication information, acquiring unit 32 can comprise request module 323, which sends authentication request information to the network side so that the network side generates authentication information according to the request and sends it to the conditional access system, which encrypts it and sends it to the set-top box. Fig. 6 shows the case that comprises the above four modules.
The bi-directional set-top box of the above embodiments may also have another structure. Fig. 7 is another composition diagram of a bi-directional set-top box in an embodiment of the invention; set-top box 4 comprises: receiving module 40 for receiving the authentication information broadcast over the Cable network; control module 42 for sending the authentication information received by receiving module 40 to storage module 44 for saving, reading the stored authentication information from storage module 44 when needed, delivering it to CA module 46 for decryption, and sending the decrypted authentication information to the network side for authentication. CA module 46 stores the PDK, and storage module 44 can be a FLASH memory.
Correspondingly, embodiments of the invention also provide CAS system 2 of the authentication system. As shown in Fig. 8, the system comprises:
Receiving module 20 for obtaining the authentication information sent by the network side;
Encryption module 22 for encrypting the authentication information obtained by receiving module 20 with the set-top box's personal distribution key to obtain encrypted authentication information;
Sending module 24 for broadcasting the encrypted authentication information obtained by encryption module 22, so that the set-top box obtains the encrypted authentication information and authenticates according to it. As shown in Fig. 9, when the authentication information is multiplexed with the television signal, sending module 24 can comprise: obtaining submodule 241 for obtaining the television signal stream scrambled with the control word, the Entitlement Control Message and the Entitlement Management Message; and multiplexing submodule 243 for multiplexing the authentication information, the scrambled television signal stream, the Entitlement Management Message and the Entitlement Control Message and sending them to the digital video broadcast network, where the Entitlement Control Message is the control word encrypted with the service key and the Entitlement Management Message is the service key encrypted with the personal distribution key.
Figure 10 is a composition schematic of another embodiment of the sending module described above. The encryption process, described with reference to the CA system of Figure 11, is as follows. First the control word generator produces a control word (CW, Control Word) and provides the CW to the scrambler and to encryptor A. The typical length of a control word is 64 bits, and it changes once every 2 to 30 s. The scrambler scrambles the image, voice and data signals (the TS clear stream) with the control word supplied by the control word generator. The output of the scrambler is the scrambled transport bit stream (the TS scrambled stream); the control word is the key the scrambler uses for scrambling.
On the other hand, after encryptor A receives the control word from the control word generator, it encrypts the control word with the service key (Service Key) provided by the authorization control system. The output of encryptor A is the encrypted control word, which is called the Entitlement Control Message (ECM, Entitlement Control Message). The service key is also provided to encryptor B at the same time as it is given to encryptor A. Encryptor B differs slightly from encryptor A: it encrypts the service key sent by the authorization control system with the PDK key. The output of encryptor B is the encrypted service key, which is called the Entitlement Management Message (EMM, Entitlement Management Message). The ECM and EMM produced in this way are both sent to the multiplexer, where they are multiplexed with the encrypted authentication information and the TS (Transport Stream) scrambled stream sent to the same multiplexer, packaged into a transmittable TS stream, modulated by the modulator, and output to the sending module 24.
Correspondingly, the set-top box (STB, Set Top Box) decrypts the received TS stream in the reverse order of the CAS encryption process. The STB must first receive the EMM over the cable network, decrypt the EMM with the PDK stored in the CA module to obtain the service key (Service Key), and decrypt the encrypted authentication information to obtain the decrypted authentication information; it then receives the ECM from the cable, decrypts the ECM with the service key to obtain the CW that scrambled the TS stream, and finally descrambles the TS stream with the CW to obtain image and voice signals that can be decoded.
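To make the key hierarchy of Figures 10 and 11 concrete, here is an added Python illustration; it is not code from the patent or from the applicant. The CAS side wraps the CW under the service key (ECM), the service key under the PDK (EMM) and the authentication information under the PDK, and the STB unwraps them in the reverse order described above. The cipher is an assumption: the patent names no algorithm, so an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the real cipher, the scrambler is modelled as an XOR keystream keyed by the CW, and the key values and stream contents are constructed samples.

```python
"""Added illustration (not the patent's code) of the layered CA key hierarchy:
CW -> ECM under the service key, SK -> EMM under the PDK, authentication
information under the PDK; the STB unwraps in reverse."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 12
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in PRF for the real cipher (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. The tag lets the receiver
    tell a wrong key or a modified message from a genuine one."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    return _xor(ct, _keystream(key, nonce, len(ct)))


def scramble(cw: bytes, ts: bytes) -> bytes:
    """Scrambler and descrambler in one: XOR with a keystream derived from the
    64-bit CW (symmetric, so calling it twice restores the clear stream)."""
    return _xor(ts, _keystream(cw, b"ts-scramble", len(ts)))


def cas_multiplex(pdk: bytes, service_key: bytes, cw: bytes,
                  auth_info: bytes, ts_clear: bytes) -> dict:
    """Head-end (CAS) side: scrambler, encryptor A (ECM), encryptor B (EMM) and
    the encryption of the authentication information, as fed to the multiplexer."""
    return {
        "ts_scrambled": scramble(cw, ts_clear),
        "ecm": encrypt(service_key, cw),      # control word under the service key
        "emm": encrypt(pdk, service_key),     # service key under the box's PDK
        "auth": encrypt(pdk, auth_info),      # authentication info under the PDK
    }


def stb_unwrap(pdk: bytes, mux: dict):
    """STB side, reverse order: EMM -> service key and auth info with the PDK,
    then ECM -> CW with the service key, then CW descrambles the TS."""
    service_key = decrypt(pdk, mux["emm"])
    auth_info = decrypt(pdk, mux["auth"])
    cw = decrypt(service_key, mux["ecm"])
    return auth_info, scramble(cw, mux["ts_scrambled"])


# Constructed sample values; the CW is 64 bits as the description states.
SAMPLE_PDK = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_SK = bytes.fromhex("fedcba98765432100123456789abcdef")
SAMPLE_CW = bytes.fromhex("0123456789abcdef")
SAMPLE_AUTH = b"stb-0001:auth-token (constructed)"
SAMPLE_TS = b"clear TS packets (constructed)"

if __name__ == "__main__":
    mux = cas_multiplex(SAMPLE_PDK, SAMPLE_SK, SAMPLE_CW, SAMPLE_AUTH, SAMPLE_TS)
    print(stb_unwrap(SAMPLE_PDK, mux))
```

Because every wrapped item carries a tag, a box holding a different PDK, or one that receives a modified ECM, fails closed with an error instead of descrambling garbage or accepting a substituted authentication token; the patent text does not specify integrity protection for the encrypted items, so treat that as this example's own choice rather than a feature of the described system.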
In the embodiments of the invention, because the authentication information is encrypted by the CA system and decrypted by the CA module of the bi-directional set-top box before use, the security of the authentication information is guaranteed; at the same time, the original CA module need not be modified, which guarantees the compatibility of the bi-directional set-top box.
From the description of the above embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software together with the necessary general-purpose hardware platform, or of course by hardware. Based on this understanding, the part of the above technical solution that in essence contributes to the prior art can be embodied as a software product. This computer software product can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and comprises instructions that cause a computer device (which can be a personal computer, a server, a network device, etc.) to perform the method described in each embodiment or in some part of an embodiment.
The above embodiments do not limit the scope of protection of this technical solution. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the above embodiments shall be included in the scope of protection of this technical solution.

Claims (15)

1. A bi-directional set-top box authentication method, the bi-directional set-top box comprising a Conditional Access Module, characterized in that the method comprises:
obtaining authentication information encrypted with a personal distribution key;
decrypting the encrypted authentication information with the Conditional Access Module using the personal distribution key to obtain decrypted authentication information, the personal distribution key being stored in the Conditional Access Module;
performing authentication with the network side using the decrypted authentication information.
2. The method of claim 1, characterized in that the authentication information comprises authentication time information and encrypted authentication identity information, and decrypting the encrypted authentication information with the Conditional Access Module comprises:
obtaining the authentication time information in the authentication information;
after determining from the authentication time information that the encrypted authentication identity information is valid, decrypting the encrypted authentication identity information with the Conditional Access Module.
3. The method of claim 1 or claim 2, characterized in that obtaining the authentication information encrypted with the personal distribution key comprises:
sending authentication request information to the network side, so that the network side generates authentication information according to the authentication request information and sends it to a conditional access system for encryption and transmission;
receiving the authentication information encrypted with the personal distribution key sent by the conditional access system.
4. A bi-directional set-top box security authentication method, characterized in that the method comprises:
obtaining the authentication information sent by the network side;
encrypting the authentication information with the personal distribution key of the bi-directional set-top box to obtain encrypted authentication information;
broadcasting the encrypted authentication information, so that the bi-directional set-top box can perform authentication with the network side according to the encrypted authentication information.
5. The method of claim 4, characterized in that the authentication information sent by the network side is information corresponding to the bi-directional set-top box that is configured by the network side and is used by the bi-directional set-top box to request authentication from the network side.
6. The method of claim 5, characterized in that broadcasting the encrypted authentication information comprises:
obtaining a television signal stream scrambled with a control word, an Entitlement Control Message and an Entitlement Management Message;
multiplexing the encrypted authentication information, the scrambled television signal stream, the Entitlement Management Message and the Entitlement Control Message and sending the result to a digital video broadcast network;
wherein the Entitlement Control Message is the control word encrypted with a service key, and the Entitlement Management Message is the service key encrypted with the personal distribution key.
7. The method of any one of claims 4 to 6, characterized in that the network side is the IP network side.
8. A bi-directional set-top box comprising a Conditional Access Module that stores a personal distribution key, characterized in that the bi-directional set-top box comprises:
an acquiring unit, used to obtain authentication information encrypted with the personal distribution key;
the Conditional Access Module, used to receive the encrypted authentication information sent by the acquiring unit, decrypt the encrypted authentication information according to the personal distribution key, and obtain decrypted authentication information;
an authentication unit, used to perform authentication with the network side using the authentication information obtained by the decryption in the Conditional Access Module.
9. The bi-directional set-top box of claim 8, characterized in that the acquiring unit comprises:
a request module, used to send authentication request information to the network side, so that the network side generates authentication information according to the authentication request information and sends the authentication information to a conditional access system, which encrypts it and sends it to the bi-directional set-top box.
10. The bi-directional set-top box of claim 8, characterized in that the acquiring unit comprises:
an acquisition module, used to obtain authentication information, the authentication information comprising authentication time information and authentication identity information encrypted with the personal distribution key;
a judgement module, used to determine from the authentication time information whether the encrypted authentication identity information is valid;
a sending module, used to send the encrypted authentication identity information to the Conditional Access Module for decryption when the judgement module determines that the encrypted authentication identity information is valid.
11. A conditional access system, characterized in that the system comprises:
a receiver module, used to obtain the authentication information sent by the network side;
an encryption module, used to encrypt the authentication information with the personal distribution key of the bi-directional set-top box to obtain encrypted authentication information;
a sending module, used to broadcast the encrypted authentication information, so that the bi-directional set-top box connected to the conditional access system can perform authentication according to the encrypted authentication information.
12. The system of claim 11, characterized in that the sending module comprises:
an obtaining submodule, used to obtain a television signal stream scrambled with a control word, an Entitlement Control Message and an Entitlement Management Message;
a multiplexing submodule, used to multiplex the encrypted authentication information, the scrambled television signal stream, the Entitlement Management Message and the Entitlement Control Message and send the result to a digital video broadcast network;
wherein the Entitlement Control Message is the control word encrypted with a service key, and the Entitlement Management Message is the service key encrypted with the personal distribution key.
13. A bi-directional set-top box authentication system, characterized in that the system comprises:
a network authentication server, used to obtain authentication information corresponding to a bi-directional set-top box and send the authentication information;
a conditional access system, used to receive the authentication information sent by the network authentication server, encrypt the authentication information with the personal distribution key of the bi-directional set-top box to obtain encrypted authentication information, and broadcast the encrypted authentication information;
the bi-directional set-top box, used to receive the encrypted authentication information sent by the conditional access system, decrypt the encrypted authentication information with the personal distribution key stored in its local Conditional Access Module, and perform authentication with the network authentication server using the decrypted authentication information.
14. The system of claim 13, characterized in that:
the bi-directional set-top box is further used to send authentication request information to the network authentication server;
the network authentication server is further used to generate authentication information according to the authentication request information and send the authentication information to the conditional access system.
15. The system of claim 14, characterized in that the network authentication server is further used to periodically change the authentication information and send the changed authentication information to the conditional access system.
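Claims 2 and 10 gate the decryption on the authentication time information, and claim 15 has the network authentication server change the authentication information periodically. The following Python example is added here and is not the patent's own code; it shows one way those pieces fit together on both sides. The record layout, the clock-skew tolerance, the grace period for the previous secret and the challenge-response use of the decrypted identity secret are all assumptions, since the claims fix none of them, and the PDK decryption performed by the CA module is outside this block (the identity information is carried as an opaque constructed blob).

```python
"""Added illustration (not the patent's code): time-gated acceptance of broadcast
authentication records on the STB (claims 2 and 10), periodic rotation by the
network authentication server (claim 15), and an assumed challenge-response use
of the decrypted identity secret towards the IP network side."""
import hashlib
import hmac
import struct

RECORD_VERSION = 1
HEADER = struct.Struct(">BQQ")  # version, not_before, not_after (unix seconds)


def build_record(not_before: int, not_after: int, enc_identity: bytes) -> bytes:
    """Authentication time information in clear, identity information as an
    opaque blob already encrypted under the box's PDK by the CAS (assumed layout)."""
    return HEADER.pack(RECORD_VERSION, not_before, not_after) + enc_identity


def parse_record(record: bytes):
    if len(record) < HEADER.size:
        raise ValueError("truncated record")
    version, nb, na = HEADER.unpack(record[:HEADER.size])
    if version != RECORD_VERSION:
        raise ValueError("unsupported record version")
    return nb, na, record[HEADER.size:]


class JudgeModule:
    """STB judge module: decides from the time information whether the encrypted
    identity information is valid before it is handed to the CA module."""

    def __init__(self, clock_skew: int = 60):
        self.clock_skew = clock_skew          # tolerance for an unsynchronised STB clock
        self.newest_accepted = -1             # not_before of the last accepted record

    def judge(self, record: bytes, now: int):
        nb, na, enc_identity = parse_record(record)
        if nb > na:
            return False, "malformed validity window", None
        if now + self.clock_skew < nb:
            return False, "not yet valid", None
        if now - self.clock_skew > na:
            return False, "expired", None
        if nb < self.newest_accepted:         # a replayed older broadcast
            return False, "older than the current record", None
        self.newest_accepted = nb
        return True, "valid", enc_identity


class NetworkAuthServer:
    """Network authentication server: issues a fresh per-box identity secret every
    `period` seconds; the previous secret stays usable for `grace` seconds so a
    box that picked up the new broadcast late can still authenticate."""

    def __init__(self, period: int = 3600, grace: int = 300):
        self.period, self.grace = period, grace
        self.secrets = {}  # stb_id -> list of (not_before, secret), newest last

    def rotate(self, stb_id: str, now: int):
        # Derived deterministically from a fixed seed so the example is
        # reproducible; a real server would draw the secret from a CSPRNG.
        secret = hashlib.sha256(b"server-seed:" + stb_id.encode()
                                + now.to_bytes(8, "big")).digest()
        self.secrets.setdefault(stb_id, []).append((now, secret))
        return secret, now, now + self.period   # the CAS then encrypts `secret` under the PDK

    def verify(self, stb_id: str, nonce: bytes, response: bytes, now: int) -> bool:
        for not_before, secret in reversed(self.secrets.get(stb_id, [])):
            if now - not_before > self.period + self.grace:
                break                         # this and all older secrets have lapsed
            if hmac.compare_digest(response, stb_response(secret, stb_id, nonce)):
                return True
        return False


def stb_response(identity_secret: bytes, stb_id: str, nonce: bytes) -> bytes:
    """STB answers the server's nonce with an HMAC keyed by the decrypted identity
    secret, so the secret itself never crosses the IP network (assumed scheme)."""
    return hmac.new(identity_secret, stb_id.encode() + nonce, hashlib.sha256).digest()
```

The judge module rejects a record that is expired, not yet valid, or older than one already accepted, which is what stops a recorded earlier broadcast from being pushed back into the box; the server-side grace window is the usual trade-off between letting boxes that missed a rotation keep working and keeping a retired secret alive for as short a time as possible.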

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100377172A CN101505400B (en) 2009-03-10 2009-03-10 Bi-directional set-top box authentication method, system and related equipment


Publications (2)

Publication Number Publication Date
CN101505400A CN101505400A (en) 2009-08-12
CN101505400B true CN101505400B (en) 2012-03-21

Family

ID=40977429

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009100377172A Expired - Fee Related CN101505400B (en) 2009-03-10 2009-03-10 Bi-directional set-top box authentication method, system and related equipment

Country Status (1)

Country Link
CN (1) CN101505400B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101958904B (en) * 2010-10-12 2012-07-11 高斯贝尔数码科技股份有限公司 User identity (Id) security authentication system and method for interactive digital television system
CN103546767B (en) * 2012-07-16 2017-01-25 航天信息股份有限公司 Content protection method and system of multimedia service
CN104079994B (en) * 2014-07-07 2017-05-24 四川金网通电子科技有限公司 Authorization system and method based on set top box card-free CA
CN104819097A (en) * 2015-04-03 2015-08-05 北京天诚同创电气有限公司 Protection method and device for programmable controller program of wind generating set
CN106790307A (en) * 2017-03-28 2017-05-31 联想(北京)有限公司 Network safety managing method and server

Also Published As

Publication number Publication date
CN101505400A (en) 2009-08-12


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20180213

Address after: California, USA

Patentee after: Tanous Co.

Address before: 518129 Longgang District, Guangdong, Bantian HUAWEI base B District, building 2, building No.

Patentee before: HUAWEI DEVICE Co.,Ltd.

Effective date of registration: 20180213

Address after: California, USA

Patentee after: Global innovation polymerization LLC

Address before: California, USA

Patentee before: Tanous Co.

TR01 Transfer of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120321

CF01 Termination of patent right due to non-payment of annual fee