Summary of the invention
In view of this, main purpose of the present invention is to provide a kind of business cipher key distribution method and system, with broadcasting amount, saving channel resource that reduces business cipher key and the time delay that reduces user's latency services key.
Another object of the present invention is to provide a kind of cryptographic key distribution method, makes under the condition of unidirectional broadcast network, can realize user's the authentication and the distribution of key.
For achieving the above object, technical scheme of the present invention specifically is achieved in that
A kind of business cipher key distribution method is applicable to multi-media broadcasting service, comprising:
Be stored in the place of safety of condition receiving card in advance at the corresponding with it key seed group of each business setting, and with the corresponding relation of described business and key seed group; Comprise at least one key seed and corresponding key seed identifier thereof in the described key seed group;
This method also comprises:
A, when the needs broadcast service information, network side is from corresponding to selecting a key seed the key seed group of described business, generate business cipher key according to the key seed of described selection, and the key seed identifier of described key seed is included among the Entitlement Management Message EMM is handed down to terminal by broadcast channel;
B, terminal send to condition receiving card with the EMM that receives, condition receiving card obtains the key seed identifier from EMM, and determine the pairing key seed of described key seed identifier according to business and the corresponding relation of key seed group of storage in advance, generate business cipher key according to described definite key seed employing mode identical with network side.
Preferably, when the needs broadcast service information, described network side further generates random number, and further described random number is included among the EMM and is handed down to terminal by broadcast channel;
Steps A is described according to the key seed generation business cipher key of selecting to be: the key seed according to described random number and described selection adopts hash algorithm to generate business cipher key;
Described condition receiving card further obtains described random number from described EMM when obtaining the key seed identifier;
The key seed that the described basis of step B is determined generates business cipher key: adopt hash algorithm to generate business cipher key according to described random number and described definite key seed.
Preferably, described key seed identifier and random number are included among the EMM of steps A is: described random number and described key seed identifier are formed business cipher key generate message, and described business cipher key is generated message be included among the EMM, described EMM is signed;
Among the step B after described terminal sends to condition receiving card with the EMM that receives and described condition receiving card obtains key seed identifier and random number from EMM before, further comprise: condition receiving card verifies whether the signature of described EMM is effective, when effective, continue to carry out described operation of from EMM, obtaining key seed identifier and random number.
Preferably, described key seed identifier and random number are included among the EMM of steps A is: described random number and key seed identifier are signed, described random number, key seed identifier and signature are formed business cipher key generate message, and described business cipher key generation message is included among the EMM;
Among the step B after described terminal sends to condition receiving card with the EMM that receives and described condition receiving card obtains key seed identifier and random number from EMM before, further comprise: condition receiving card verifies whether the signature in the described business cipher key generation message is effective, when effective, continue to carry out described operation of from EMM, obtaining key seed identifier and random number.
Further, this method can comprise: in advance that the user is customized program authority is stored in the condition receiving card;
When receiving user's scrambled program playing request, this method further comprises: terminal sends to condition receiving card with the identifier of described scrambled program;
After described condition receiving card certifying signature is effective, further comprise: condition receiving card carries out control of authority according to the program authority of the identifier of described scrambled program and storage in advance to the user, if have the broadcast authority of described scrambled program, then continue to carry out described operation of from EMM, obtaining key seed identifier and random number.
A kind of business cipher key dissemination system is applicable to multi-media broadcasting service, comprises network side and end side, and wherein, end side further comprises: terminal and condition receiving card;
Described network side is used to store the business that sets in advance and the corresponding relation of key seed group, comprises at least one key seed and corresponding key seed identifier thereof in the described key seed group; When the needs broadcast service information, be used for selecting a key seed from key seed group corresponding to described business, and be used for generating business cipher key, and be used for key seed identifier with described key seed and be carried on Entitlement Management Message EMM and be handed down to terminal by broadcast channel according to the key seed of described selection;
Described terminal, the EMM that is used for being received from network side sends to described condition receiving card;
Described condition receiving card, be used to store the corresponding relation of described business that sets in advance and key seed group, and be used for obtaining the key seed identifier from the EMM that is received from terminal, determine the pairing key seed of described key seed identifier according to the business of storage in advance and the corresponding relation of key seed group, and be used for adopting the mode identical to generate business cipher key with network side according to described definite key seed.
Preferably, described network side when the needs broadcast service information, can be further used for generating random number, described random number is carried among the EMM is handed down to terminal, and be used for adopting hash algorithm to generate business cipher key according to the key seed of described random number and described selection by broadcast channel;
Described condition receiving card is further used for obtaining described random number from described EMM, and is used for adopting hash algorithm to generate business cipher key according to described random number and described definite key seed.
Preferably, described network side is used for that also described random number and described key seed identifier are formed business cipher key and generates message, described business cipher key is generated message be carried among the EMM, and send to described terminal after being used for described EMM signed;
Described condition receiving card is used to also verify whether the signature of described EMM is effective, when effective, is used for continuing to carry out described operation of obtaining key seed identifier and random number from EMM.
Preferably, described network side also is used for described random number and key seed identifier are signed, and is used for described random number, key seed identifier and signature composition business cipher key generation message are carried on EMM;
Described condition receiving card is used for also verifying whether the signature of described business cipher key generation message is effective, when effective, is used for continuing to carry out described operation of obtaining key seed identifier and random number from EMM.
Preferably, described terminal is further used for when receiving user's scrambled program playing request, and the identifier of described scrambled program is sent to condition receiving card;
Described condition receiving card, be further used for storing in advance the customized program authority of user, and be used for the user being carried out control of authority according to described identifier and the described program authority of storage in advance that is received from the scrambled program of terminal, the right of broadcasting that has described scrambled program in judgement is prescribed a time limit, and is used for continuing to carry out described operation of obtaining key seed identifier and random number from EMM.
A kind of cryptographic key distribution method is applicable to multi-media broadcasting service, comprising:
Be stored in the place of safety of condition receiving card in advance at the corresponding with it key seed group of each business setting, and with the corresponding relation of described business and key seed group; Comprise at least one key seed and corresponding key seed identifier thereof in the described key seed group;
A, when the needs broadcast service information, network side is from corresponding to selecting a key seed the key seed group of described business, generate business cipher key according to the key seed of described selection, and the key seed identifier of key seed is included among the Entitlement Management Message EMM is handed down to terminal by broadcast channel; Terminal sends to condition receiving card with the EMM that receives, condition receiving card obtains the key seed identifier from EMM, and determine the pairing key seed of described key seed identifier according to business and the corresponding relation of key seed group of storage in advance, generate business cipher key according to described definite key seed employing mode identical with network side;
B, network side are encapsulated among the Entitlement Control Message ECM after program current cipher key is encrypted with business cipher key, and described ECM is handed down to terminal by broadcast channel; The business cipher key that end side uses described condition receiving card to generate is decrypted the ECM that receives, and obtains program current cipher key;
C, network side carry out scrambling with program current cipher key to program stream, and the program stream after scrambling is handed down to terminal by broadcast channel; Program stream after end side uses program current cipher key that the deciphering of described end side obtains to scrambling carries out descrambling, obtains program stream.
As seen from the above technical solution, in the business cipher key distribution method and system that the present invention proposes,, and professional corresponding relation with the key seed group is stored in the place of safety of condition receiving card at the corresponding with it key seed group of each business setting by in advance; When needs are broadcasted the business cipher key of a certain business, from corresponding to selecting a key seed to generate business cipher key this professional key seed group, and the identifier of this key seed is included in is handed down to terminal among the EMM by network side; Terminal sends to condition receiving card after receiving EMM, determines corresponding key seed by condition receiving card according to key seed identifier wherein, and adopts the mode identical with network side to generate business cipher key in view of the above, thereby has realized the distribution of business cipher key.In the said method and system proposed by the invention, need the secure service size of key of broadcasting to depend on professional scale number, that is: exist the professional just needs of how many kinds of to broadcast what key seed identifiers, irrelevant with number of users, thereby significantly reduced the broadcasting amount of business cipher key, save valuable channel resource, and reduced the time delay of user's latency services key.
And, business cipher key distribution approach disclosed by the invention and cipher key distribution scheme have proposed a kind of new hierarchical encryption architecture, this hierarchical encryption architecture only comprises three layers, and, this scheme need not to depend on bidirectional communication network, therefore based on the authentication of unidirectional broadcast network realization to the user, this scheme has reduced the performance requirement to terminal equipment, and the scope of application is more extensive.
In addition, the key seed identifier does not need to utilize user key to encrypt among the present invention, can issue expressly to be with the form of signature, can guarantee the integrality of this transmission of messages, can reduce the requirement to the end side disposal ability again.And, do not comprise business cipher key among the EMM, just comprise the key seed identifier that is used to generate business cipher key, must could generate business cipher key in conjunction with the key seed that is stored in advance in the condition receiving card, and, business cipher key generates in card, thereby makes that the distribution of business cipher key is safer.
Embodiment
For making purpose of the present invention, technical scheme and advantage clearer, below with reference to the accompanying drawing embodiment that develops simultaneously, the present invention is described in further detail.
Main thought of the present invention is: be stored in the place of safety of condition receiving card in advance at the corresponding with it key seed group of each business setting, and with professional corresponding relation with the key seed group; Network side is selected a key seed at random from the key seed group of correspondence when generating business cipher key, and the identifier of selected key seed is included in sends to terminal among the EMM, terminal sends to condition receiving card with EMM, condition receiving card is according to the business of storage in advance and the corresponding relation of key seed group, and network side when generating business cipher key the identifier of selected key seed determine to adopt which key seed to generate business cipher key, thereby, network side has had identical business cipher key with end side, has realized the distribution of business cipher key.
Fig. 2 is the schematic flow sheet of business cipher key distribution method of the present invention.Referring to Fig. 2, this method comprises:
Step 201: in advance at the corresponding with it key seed group of each business setting, and should business and the corresponding relation of key seed group be stored in the place of safety of condition receiving card.
This step is the step that sets in advance, and wherein, comprises at least one key seed and corresponding key seed identifier thereof in the key seed group.
In this step, also can in advance that the user is customized program authority be stored in the condition receiving card, follow-uply the user is carried out control of authority by condition receiving card.
Step 202: when the needs broadcast service information, network side is from corresponding to selecting a key seed this professional key seed group, generate business cipher key according to the key seed of this selection, and the identifier of this key seed is included among the EMM is handed down to terminal by broadcast channel.
In this step, network side can also can take alternate manner to select from corresponding to selecting a key seed at random this professional key seed group, for example: and begin circulation in turn from first key seed and select, or select at interval etc.
Selected after the key seed, the various mapping algorithms that can take to exist in the prior art generate business cipher key.Preferably, can produce a random number simultaneously, and adopt Hash (Hash) algorithm to generate business cipher key according to this random number and this key seed.
The key seed identifier that transmits in order to guarantee and the integrality of random number, and reduce requirement to the end side disposal ability, can the key seed identifier and the random number signature after issue.Particularly, can take following dual mode:
First kind of mode: key seed identifier and random number are formed business cipher key generation message, and the form of this business cipher key generation message is as shown in table 1:
The key seed identifier |
Random number |
Table 1
And business cipher key shown in the table 1 is generated message be included among the EMM, this EMM to be signed, the form of this EMM is as shown in table 2:
The EMM message identifier |
...... |
Business cipher key generates message |
...... |
Signature |
Table 2
In the table 2, EMM message comprises: EMM message identifier, business cipher key generate message and other service authorization information, and have signature.
The second way: with the computing of signing together of key seed identifier and random number, and key seed identifier, random number and signature are formed business cipher key generate message, this business cipher key is generated message be carried among the EMM.The form of this business cipher key generation message is as shown in table 3:
The key seed identifier |
Random number |
Signature |
Table 3
Step 203: terminal sends to condition receiving card with the EMM that receives, condition receiving card obtains the key seed identifier from EMM, and determine the pairing key seed of this key seed identifier according to business and the corresponding relation of key seed group of storage in advance, generate business cipher key according to the determined key seed employing mode identical with network side.
In this step, condition receiving card is determined after the key seed, can take the algorithm identical with network side to generate business cipher key by key seed.This algorithm should be that network side and condition receiving card are made an appointment.
If network side has adopted random number when generating business cipher key, this random number will be included among the EMM and issue, and at this moment, condition receiving card can obtain this random number from EMM, and generates business cipher key according to this random number with determined key seed.For example: adopt hash algorithm to generate business cipher key according to this random number and this key seed.
In actual applications, when terminal receives user's scrambled program playing request, the identifier of this scrambled program can be sent to condition receiving card, carry out control of authority by condition receiving card, and determine whether to respond the playing request of user to this program, that is: whether decision generates this scrambled program corresponding service key.Particularly: after the condition receiving card certifying signature is effective, can further carry out control of authority to the user according to the program authority of the identifier of this scrambled program and storage in advance, if have the broadcast authority of this scrambled program, then from EMM, obtain key seed identifier and random number, and generate business cipher key in view of the above.
So far, finish business cipher key distribution method of the present invention.
Through after the above-mentioned steps 201~203, condition receiving card has generated business cipher key, utilizes this business cipher key decrypt authorized control information (ECM) to obtain program current cipher key, and utilizes program current cipher key that program stream is carried out descrambling.The invention provides following two kinds of end side scramble process schemes:
First kind of scheme: terminal sends to condition receiving card with the ECM that receives, and condition receiving card uses the business cipher key deciphering ECM that generates to obtain program current cipher key, and the program current cipher key that obtains is returned to terminal.
Second kind of scheme: terminal sends to condition receiving card with ECM and the program stream that receives, the inner integrated descrambling module of condition receiving card, the business cipher key that condition receiving card can't generate condition receiving card, condition receiving card obtains program current cipher key with business cipher key deciphering ECM, directly in card, finish descrambling, and the program stream that obtains is returned to terminal program stream.
Based on the above-mentioned business cipher key distribution method that the present invention proposes, corresponding change need take place in the ECM product process and the EMM product process of network side, below carries out brief description respectively.
Fig. 3 is for adopting the ECM product process schematic diagram of the inventive method.Referring to Fig. 3, this flow process comprises:
Step 301: from the key seed group of correspondence, select a key seed according to business information.
Step 302: generate random number.
Above-mentioned steps 301 and 302 order of operation also can be carried out in no particular order simultaneously.
Step 303: generate business cipher key according to key seed and random number,, and generate the ECM message that comprises this program current cipher key with this business cipher key ciphered program stream secrete key.
So far, finish the ECM product process.
Fig. 4 is for adopting the EMM product process schematic diagram of the inventive method.Referring to Fig. 4, this flow process comprises:
Step 401: from the key seed group of correspondence, select a key seed according to business information.
Step 402: generate random number.
Above-mentioned steps 401 and 402 order of operation also can be carried out in no particular order simultaneously.
Step 403: the key seed identifier and the random number of described key seed are encapsulated in the EMM message.
So far, finish the EMM product process.
Adopt the end side handling process of the inventive method below by a specific embodiment explanation.Fig. 5 is for adopting the end side handling process schematic diagram of the inventive method.Referring to Fig. 5, this flow process comprises:
Step 501: the user opens the mobile TV client.
Step 502: terminal receives business guide, and obtains the CA initialization information to the condition receiving card request.
Step 503: the user browses programme information, and the program of selecting hope to watch perhaps carries out other operations.If select to play, continue execution in step 504.
Be used under the situation of selecting to play, terminal can require the user to import PIN code.This operation can be carried out according to the needs of practical application.
Step 504: if the user selects to play certain program, then terminal is to condition receiving card request CA_System_ID, and terminal is obtained the index information of ECM/EMM according to this sign subsequently, intercepts and captures corresponding ECM then and is transmitted to condition receiving card.
Step 505: the ECM that condition receiving card sends according to terminal, the memory space in card is searched the corresponding service key, if business cipher key exists, shows to have effective business cipher key, then enters step 511; Otherwise condition receiving card returns " business cipher key disappearance message ", enters step 506.
Step 506: terminal is obtained the index information of ECM/EMM according to CA_System_ID.Subsequently EMM is sent to condition receiving card.
Step 507: the integrality of condition receiving card checking EMM if complete, then enters step 508; Otherwise condition receiving card returns " the non-full message of business cipher key information " to terminal, enters step 514.
Step 508: the service identification that condition receiving card sends according to terminal, check the user right file, judge whether the user has authority to use this business.If authentication is passed through, then enter step 509; Otherwise according to the failed authentication result, condition receiving card returns accordingly " service denial message " to terminal, enters step 514.
Step 509: condition receiving card generates new business cipher key according to key seed identifier that comprises among the EMM and random number.
Step 510: condition receiving card is replaced the business cipher key of original storage in the card stored space with newly-generated business cipher key, enters step 512.
Step 511: the service identification that condition receiving card sends according to terminal, check the user right file, judge whether the user has authority to use this business.If authentication is passed through, then enter step 512; Otherwise according to the failed authentication result, condition receiving card returns accordingly " service denial message " to terminal, enters step 514.
Step 512: condition receiving card uses business cipher key that the CW after encrypting among the ECM is decrypted, and obtains expressly CW.
Step 513: end side is with CW descrambling program stream and play TV programme.The user can select to change content and continue to watch still winding-up in watching the program process, if select the transposing program, then enter step 502; Otherwise enter step 514.
Step 514: finish playing programs, the software of closing a terminal.
So far, finish end side handling process of the present invention.
On the basis of technique scheme, the present invention proposes a kind of hierarchical encryption system, and it is three layers that this hierarchical encryption system is divided into, as shown in Figure 6.Realize that based on the present invention's hierarchical encryption system shown in Figure 6 the method for key distribution comprises following three levels:
Ground floor: business cipher key distribution.When the needs broadcast service information, network side is from corresponding to selecting a key seed this professional key seed group, generate business cipher key according to selected key seed, and the key seed identifier of key seed is included among the EMM is handed down to terminal by broadcast channel; Terminal sends to condition receiving card with the EMM that receives, condition receiving card obtains the key seed identifier from EMM, and determine the pairing key seed of this key seed identifier according to business and the corresponding relation of key seed group of storage in advance, generate business cipher key according to the determined key seed employing mode identical with network side.
In this layer, condition receiving card can be finished authentication and authentication to the user according to the information of carrying among key seed group, the user's of storage authority and the EMM, and the business cipher key that is generated is stored.
Certainly, identical with the present invention's business cipher key distribution method shown in Figure 2, if produced random number when generating business cipher key, network side also needs random number is also sent to terminal, does not repeat them here.
The second layer: program current cipher key distribution.Network side is encapsulated among the Entitlement Control Message ECM after program current cipher key is encrypted with business cipher key, and described ECM is handed down to terminal by broadcast channel; The business cipher key that end side uses described condition receiving card to generate is decrypted the ECM that receives, and obtains program current cipher key.
The 3rd layer: the program stream distribution.Network side carries out scrambling with program current cipher key to program stream, and the program stream after scrambling is handed down to terminal by broadcast channel; Program stream after end side uses program current cipher key that the deciphering of described end side obtains to scrambling carries out descrambling, obtains program stream.
More than three layers all finish by the One-to-All Broadcast channel, need not to rely on bidirectional communication network, therefore, this scheme has reduced the performance requirement to terminal equipment, and the scope of application is more extensive.
Corresponding to said method, the present invention also provides a kind of business cipher key dissemination system.Fig. 7 is the composition structural representation of business cipher key dissemination system of the present invention.Referring to Fig. 7, this system comprises: network side 710 and end side 720, wherein, end side 720 further comprises: terminal 721 and condition receiving card 722.Wherein:
Network side 710 is used to store the business that sets in advance and the corresponding relation of key seed group, comprises at least one key seed and corresponding key seed identifier thereof in the high key seed group; When the needs broadcast service information, be used for from selecting a key seed corresponding to this professional key seed group, and be used for generating business cipher key, and be used for key seed identifier with this key seed and be carried on EMM and be handed down to terminal 721 by broadcast channel according to selected key seed;
Terminal 721, the EMM that is used for being received from network side 710 sends to condition receiving card 722;
Condition receiving card 722, be used to store the business that sets in advance and the corresponding relation of key seed group, and be used for obtaining the key seed identifier from the EMM that is received from terminal 721, determine the pairing key seed of this key seed identifier according to the business of storage in advance and the corresponding relation of key seed group, and be used for adopting the mode identical to generate business cipher key with network side according to determined key seed.
Network side 710 in the system shown in Figure 7, when the needs broadcast service information, be further used for generating random number, this random number be carried among the EMM be handed down to terminal 721, and be used for adopting hash algorithm to generate business cipher key according to this random number and selected key seed by broadcast channel;
Correspondingly, condition receiving card 722 is further used for obtaining this random number from this EMM, and is used for adopting hash algorithm to generate business cipher key according to this random number and determined key seed.
Network side 710 in the system shown in Figure 7 is used for that also this random number and this key seed identifier are formed business cipher key and generates message, this business cipher key is generated message be carried among the EMM, and send to terminal 721 after being used for this EMM signed;
Correspondingly, condition receiving card 722 is used to also verify whether the signature of this EMM is effective, when effective, be used for continuing to carry out the business cipher key that comprises from EMM and generate the operation of obtaining key seed identifier and random number the message.
Network side 710 in the system shown in Figure 7 also is used for this random number and key seed identifier are signed, and is used for this random number, key seed identifier and signature composition business cipher key generation message are carried on EMM;
Correspondingly, condition receiving card 722 is used for also verifying whether the signature of this business cipher key generation message is effective, when effective, be used for continuing to carry out the business cipher key that comprises from EMM and generate the operation of obtaining key seed identifier and random number the message.
Network side 710 in the system shown in Figure 7 is further used for ECM is sent to described terminal;
Terminal 721, the ECM that is further used for receiving sends to condition receiving card 722;
Condition receiving card 722 is further used for using the business cipher key deciphering ECM of generation to obtain program current cipher key, and the program current cipher key that obtains is returned to terminal.
Network side 710 in the system shown in Figure 7 is further used for the program stream after ECM and the scrambling is sent to terminal 721;
Terminal 721, the ECM and the program stream after the scrambling that are further used for receiving send to condition receiving card 722;
Condition receiving card 722 is further used for using the business cipher key deciphering ECM of generation to obtain program current cipher key, and the program stream after being used to adopt program current cipher key to this scrambling carries out descrambling, and the program stream behind the descrambling is returned to terminal 721.
Terminal 721 in the system shown in Figure 7 is further used for when receiving user's scrambled program playing request, and the identifier of this scrambled program is sent to condition receiving card 722;
Correspondingly, condition receiving card 722, be further used for storing in advance the customized program authority of user, and be used for the user being carried out control of authority according to the program authority of the identifier of the scrambled program that is received from terminal 721 and storage in advance, the right of broadcasting that has this scrambled program in judgement is prescribed a time limit, and is used for continuing to carry out the business cipher key that comprises from EMM and generates the operation of obtaining key seed identifier and random number the message.
As seen from the above-described embodiment, in the business cipher key distribution method and system that the present invention proposes, at the corresponding with it key seed group of each business setting, and professional corresponding relation with the key seed group is stored in the place of safety of condition receiving card by in advance; When needs are broadcasted the business cipher key of a certain business, from corresponding to selecting a key seed to generate business cipher key this professional key seed group, and the identifier of this key seed is included in is handed down to terminal among the EMM by network side; Terminal sends to condition receiving card after receiving EMM, determines corresponding key seed by condition receiving card according to key seed identifier wherein, and generates business cipher key in view of the above, thereby realized the distribution of business cipher key.In the said method and system proposed by the invention, need the secure service size of key of broadcasting to depend on professional scale number, that is: exist the professional just needs of how many kinds of to broadcast what key seed identifiers, irrelevant with number of users, thereby significantly reduced the broadcasting amount of business cipher key, save valuable channel resource, and reduced the time delay of user's latency services key.
And, business cipher key distribution approach disclosed by the invention and cipher key distribution scheme have proposed a kind of new hierarchical encryption architecture, this hierarchical encryption architecture only comprises three layers, and, this scheme need not to depend on bidirectional communication network, therefore based on the authentication of unidirectional broadcast network realization to the user, this scheme has reduced the performance requirement to terminal equipment, and the scope of application is more extensive.
In addition, the key seed identifier does not need to utilize user key to encrypt among the present invention, can issue expressly to be with the form of signature, can guarantee the integrality of this transmission of messages, can reduce the requirement to the end side disposal ability again.And, do not comprise business cipher key among the EMM, just comprise the key seed identifier that is used to generate business cipher key, must could generate business cipher key in conjunction with the key seed that is stored in advance in the condition receiving card, and, business cipher key generates in card, thereby makes that the distribution of business cipher key is safer.
The above is preferred embodiment of the present invention only, is not to be used to limit protection scope of the present invention.All any modifications of being done within the spirit and principles in the present invention, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.