CN101562520B - Method and system for distributing service secret keys - Google Patents

Method and system for distributing service secret keys Download PDF

Info

Publication number
CN101562520B
CN101562520B CN2009100853323A CN200910085332A CN101562520B CN 101562520 B CN101562520 B CN 101562520B CN 2009100853323 A CN2009100853323 A CN 2009100853323A CN 200910085332 A CN200910085332 A CN 200910085332A CN 101562520 B CN101562520 B CN 101562520B
Authority
CN
China
Prior art keywords
key seed
key
emm
identifier
receiving card
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2009100853323A
Other languages
Chinese (zh)
Other versions
CN101562520A (en
Inventor
廖剑
刘道斌
姜涌
曹会扬
王晨阳
杨光敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Potevio Information Technology Co Ltd
Original Assignee
Potevio Institute of Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Potevio Institute of Technology Co Ltd filed Critical Potevio Institute of Technology Co Ltd
Priority to CN2009100853323A priority Critical patent/CN101562520B/en
Publication of CN101562520A publication Critical patent/CN101562520A/en
Application granted granted Critical
Publication of CN101562520B publication Critical patent/CN101562520B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Abstract

The invention discloses a method for distributing service secret keys; the method sets a corresponding secret key seed set aiming at each service and stores a corresponding relation between the service and the secret key seed set in a safety region of a condition receiving card; when service information needs to be broadcast, the network side selects a secret key seed from the corresponding secretkey seed set to generate a service secret key; a corresponding identifier of the secret key seed contained in EMM is issued to the terminal through a broadcasting channel; the terminal sends the rece ived EMM to the condition receiving card; the condition receiving card obtains the identifier of the secret key seed from the EMM and determines the corresponding secret key seed; and according to thesecret key seed, a mode which is the same as the network side is adopted to generate the service secret key. The invention also discloses a system and the method for distributing the service secret k eys. The invention is applied, can realize the user authentication and the secret key distribution in a unidirectional broadcasting network, and can reduce the broadcasting amount of the service secret key, save the channel resource and reduce the time delay for a user to wait the service secret key.

Description

Business cipher key distribution method and system, cryptographic key distribution method
Technical field
The present invention relates to the multimedia broadcasting technology, particularly a kind of business cipher key distribution method and system, cryptographic key distribution method.
Background technology
Extensively adopt the condition receiving method condition of carrying out to receive in the current multi-media broadcasting system based on the hierarchical encryption system, that is: adopt user key (UK) secure service key (SK), adopt business cipher key (SK) ciphered program stream secrete key (CW), and adopt program current cipher key CW ciphered program stream.Fig. 1 is the structural representation of the hierarchical encryption system of existing multi-media broadcasting system.Referring to Fig. 1, it is four layers that this existing hierarchical encryption system is divided into, and realizes that based on this hierarchical encryption system the scheme of key distribution comprises the mutual of following four levels:
Ground floor: authentication.Make mobile TV system/multi-media broadcasting system checking user's identity and legitimacy by verification process.Authenticate mutually between user and the business management system, authentication obtains to share key by the back.Business management system and terminal are according to each self-generating user key of this shared key.
The second layer: business cipher key distribution.Business cipher key is the key relevant with business, is used for the ciphered program stream secrete key.Management and the control of distribution realization by business cipher key to user's access service.Business management system sends business cipher key to user by cipher mode according to user's order relations.To use user key when business management system is encrypted business cipher key, terminal will be used the local user key that generates to the business cipher key decrypt messages.
The 3rd layer: the program current cipher key distribution.Program current cipher key is used for the program stream of broadcast encryption network, the program current cipher key regular update.The program key stream message of using business cipher key to encrypt is carried out broadcast transmission on radio network, will use the business cipher key of local storage when terminal is deciphered program key stream message.
The 4th layer: the program stream distribution.Use program current cipher key that program stream is carried out encryption, the program stream after the encryption is distributed by broadcast channel, and terminal is used and is decrypted by the program current cipher key of deciphering.
There is the defective of following several respects at least in above-mentioned existing cipher key distribution scheme:
1) when user's scale number acquires a certain degree, it will be very huge needing the business cipher key amount of the encryption of broadcasting, and this has increased the weight of load of server, has wasted valuable channel resource, and the time delay of user's latency services key that extended.
2) this hierarchical encryption system needs the user to upload the legitimacy that its user key is verified the user based on bidirectional communication network, therefore, is not suitable for unidirectional broadcast network.For realizing on the terminal equipment that only possesses broadcast channel in the solution of mobile TV, a lot of schemes still take to use user key secure service key, business cipher key is included in the entitlement management message (EMM), by the broadcast head end system to the user with independent addressing or divide the mode of group addressing to send to specific terminal.
Summary of the invention
In view of this, main purpose of the present invention is to provide a kind of business cipher key distribution method and system, with broadcasting amount, saving channel resource that reduces business cipher key and the time delay that reduces user's latency services key.
Another object of the present invention is to provide a kind of cryptographic key distribution method, makes under the condition of unidirectional broadcast network, can realize user's the authentication and the distribution of key.
For achieving the above object, technical scheme of the present invention specifically is achieved in that
A kind of business cipher key distribution method is applicable to multi-media broadcasting service, comprising:
Be stored in the place of safety of condition receiving card in advance at the corresponding with it key seed group of each business setting, and with the corresponding relation of described business and key seed group; Comprise at least one key seed and corresponding key seed identifier thereof in the described key seed group;
This method also comprises:
A, when the needs broadcast service information, network side is from corresponding to selecting a key seed the key seed group of described business, generate business cipher key according to the key seed of described selection, and the key seed identifier of described key seed is included among the Entitlement Management Message EMM is handed down to terminal by broadcast channel;
B, terminal send to condition receiving card with the EMM that receives, condition receiving card obtains the key seed identifier from EMM, and determine the pairing key seed of described key seed identifier according to business and the corresponding relation of key seed group of storage in advance, generate business cipher key according to described definite key seed employing mode identical with network side.
Preferably, when the needs broadcast service information, described network side further generates random number, and further described random number is included among the EMM and is handed down to terminal by broadcast channel;
Steps A is described according to the key seed generation business cipher key of selecting to be: the key seed according to described random number and described selection adopts hash algorithm to generate business cipher key;
Described condition receiving card further obtains described random number from described EMM when obtaining the key seed identifier;
The key seed that the described basis of step B is determined generates business cipher key: adopt hash algorithm to generate business cipher key according to described random number and described definite key seed.
Preferably, described key seed identifier and random number are included among the EMM of steps A is: described random number and described key seed identifier are formed business cipher key generate message, and described business cipher key is generated message be included among the EMM, described EMM is signed;
Among the step B after described terminal sends to condition receiving card with the EMM that receives and described condition receiving card obtains key seed identifier and random number from EMM before, further comprise: condition receiving card verifies whether the signature of described EMM is effective, when effective, continue to carry out described operation of from EMM, obtaining key seed identifier and random number.
Preferably, described key seed identifier and random number are included among the EMM of steps A is: described random number and key seed identifier are signed, described random number, key seed identifier and signature are formed business cipher key generate message, and described business cipher key generation message is included among the EMM;
Among the step B after described terminal sends to condition receiving card with the EMM that receives and described condition receiving card obtains key seed identifier and random number from EMM before, further comprise: condition receiving card verifies whether the signature in the described business cipher key generation message is effective, when effective, continue to carry out described operation of from EMM, obtaining key seed identifier and random number.
Further, this method can comprise: in advance that the user is customized program authority is stored in the condition receiving card;
When receiving user's scrambled program playing request, this method further comprises: terminal sends to condition receiving card with the identifier of described scrambled program;
After described condition receiving card certifying signature is effective, further comprise: condition receiving card carries out control of authority according to the program authority of the identifier of described scrambled program and storage in advance to the user, if have the broadcast authority of described scrambled program, then continue to carry out described operation of from EMM, obtaining key seed identifier and random number.
A kind of business cipher key dissemination system is applicable to multi-media broadcasting service, comprises network side and end side, and wherein, end side further comprises: terminal and condition receiving card;
Described network side is used to store the business that sets in advance and the corresponding relation of key seed group, comprises at least one key seed and corresponding key seed identifier thereof in the described key seed group; When the needs broadcast service information, be used for selecting a key seed from key seed group corresponding to described business, and be used for generating business cipher key, and be used for key seed identifier with described key seed and be carried on Entitlement Management Message EMM and be handed down to terminal by broadcast channel according to the key seed of described selection;
Described terminal, the EMM that is used for being received from network side sends to described condition receiving card;
Described condition receiving card, be used to store the corresponding relation of described business that sets in advance and key seed group, and be used for obtaining the key seed identifier from the EMM that is received from terminal, determine the pairing key seed of described key seed identifier according to the business of storage in advance and the corresponding relation of key seed group, and be used for adopting the mode identical to generate business cipher key with network side according to described definite key seed.
Preferably, described network side when the needs broadcast service information, can be further used for generating random number, described random number is carried among the EMM is handed down to terminal, and be used for adopting hash algorithm to generate business cipher key according to the key seed of described random number and described selection by broadcast channel;
Described condition receiving card is further used for obtaining described random number from described EMM, and is used for adopting hash algorithm to generate business cipher key according to described random number and described definite key seed.
Preferably, described network side is used for that also described random number and described key seed identifier are formed business cipher key and generates message, described business cipher key is generated message be carried among the EMM, and send to described terminal after being used for described EMM signed;
Described condition receiving card is used to also verify whether the signature of described EMM is effective, when effective, is used for continuing to carry out described operation of obtaining key seed identifier and random number from EMM.
Preferably, described network side also is used for described random number and key seed identifier are signed, and is used for described random number, key seed identifier and signature composition business cipher key generation message are carried on EMM;
Described condition receiving card is used for also verifying whether the signature of described business cipher key generation message is effective, when effective, is used for continuing to carry out described operation of obtaining key seed identifier and random number from EMM.
Preferably, described terminal is further used for when receiving user's scrambled program playing request, and the identifier of described scrambled program is sent to condition receiving card;
Described condition receiving card, be further used for storing in advance the customized program authority of user, and be used for the user being carried out control of authority according to described identifier and the described program authority of storage in advance that is received from the scrambled program of terminal, the right of broadcasting that has described scrambled program in judgement is prescribed a time limit, and is used for continuing to carry out described operation of obtaining key seed identifier and random number from EMM.
A kind of cryptographic key distribution method is applicable to multi-media broadcasting service, comprising:
Be stored in the place of safety of condition receiving card in advance at the corresponding with it key seed group of each business setting, and with the corresponding relation of described business and key seed group; Comprise at least one key seed and corresponding key seed identifier thereof in the described key seed group;
A, when the needs broadcast service information, network side is from corresponding to selecting a key seed the key seed group of described business, generate business cipher key according to the key seed of described selection, and the key seed identifier of key seed is included among the Entitlement Management Message EMM is handed down to terminal by broadcast channel; Terminal sends to condition receiving card with the EMM that receives, condition receiving card obtains the key seed identifier from EMM, and determine the pairing key seed of described key seed identifier according to business and the corresponding relation of key seed group of storage in advance, generate business cipher key according to described definite key seed employing mode identical with network side;
B, network side are encapsulated among the Entitlement Control Message ECM after program current cipher key is encrypted with business cipher key, and described ECM is handed down to terminal by broadcast channel; The business cipher key that end side uses described condition receiving card to generate is decrypted the ECM that receives, and obtains program current cipher key;
C, network side carry out scrambling with program current cipher key to program stream, and the program stream after scrambling is handed down to terminal by broadcast channel; Program stream after end side uses program current cipher key that the deciphering of described end side obtains to scrambling carries out descrambling, obtains program stream.
As seen from the above technical solution, in the business cipher key distribution method and system that the present invention proposes,, and professional corresponding relation with the key seed group is stored in the place of safety of condition receiving card at the corresponding with it key seed group of each business setting by in advance; When needs are broadcasted the business cipher key of a certain business, from corresponding to selecting a key seed to generate business cipher key this professional key seed group, and the identifier of this key seed is included in is handed down to terminal among the EMM by network side; Terminal sends to condition receiving card after receiving EMM, determines corresponding key seed by condition receiving card according to key seed identifier wherein, and adopts the mode identical with network side to generate business cipher key in view of the above, thereby has realized the distribution of business cipher key.In the said method and system proposed by the invention, need the secure service size of key of broadcasting to depend on professional scale number, that is: exist the professional just needs of how many kinds of to broadcast what key seed identifiers, irrelevant with number of users, thereby significantly reduced the broadcasting amount of business cipher key, save valuable channel resource, and reduced the time delay of user's latency services key.
And, business cipher key distribution approach disclosed by the invention and cipher key distribution scheme have proposed a kind of new hierarchical encryption architecture, this hierarchical encryption architecture only comprises three layers, and, this scheme need not to depend on bidirectional communication network, therefore based on the authentication of unidirectional broadcast network realization to the user, this scheme has reduced the performance requirement to terminal equipment, and the scope of application is more extensive.
In addition, the key seed identifier does not need to utilize user key to encrypt among the present invention, can issue expressly to be with the form of signature, can guarantee the integrality of this transmission of messages, can reduce the requirement to the end side disposal ability again.And, do not comprise business cipher key among the EMM, just comprise the key seed identifier that is used to generate business cipher key, must could generate business cipher key in conjunction with the key seed that is stored in advance in the condition receiving card, and, business cipher key generates in card, thereby makes that the distribution of business cipher key is safer.
Description of drawings
Fig. 1 is the structural representation of the hierarchical encryption system of existing multi-media broadcasting system;
Fig. 2 is the schematic flow sheet of business cipher key distribution method of the present invention;
Fig. 3 is for adopting the ECM product process schematic diagram of the inventive method;
Fig. 4 is for adopting the EMM product process schematic diagram of the inventive method;
Fig. 5 is for adopting the end side handling process schematic diagram of the inventive method;
Fig. 6 is the structural representation of hierarchical encryption system of the present invention;
Fig. 7 is the composition structural representation of business cipher key dissemination system of the present invention.
Embodiment
For making purpose of the present invention, technical scheme and advantage clearer, below with reference to the accompanying drawing embodiment that develops simultaneously, the present invention is described in further detail.
Main thought of the present invention is: be stored in the place of safety of condition receiving card in advance at the corresponding with it key seed group of each business setting, and with professional corresponding relation with the key seed group; Network side is selected a key seed at random from the key seed group of correspondence when generating business cipher key, and the identifier of selected key seed is included in sends to terminal among the EMM, terminal sends to condition receiving card with EMM, condition receiving card is according to the business of storage in advance and the corresponding relation of key seed group, and network side when generating business cipher key the identifier of selected key seed determine to adopt which key seed to generate business cipher key, thereby, network side has had identical business cipher key with end side, has realized the distribution of business cipher key.
Fig. 2 is the schematic flow sheet of business cipher key distribution method of the present invention.Referring to Fig. 2, this method comprises:
Step 201: in advance at the corresponding with it key seed group of each business setting, and should business and the corresponding relation of key seed group be stored in the place of safety of condition receiving card.
This step is the step that sets in advance, and wherein, comprises at least one key seed and corresponding key seed identifier thereof in the key seed group.
In this step, also can in advance that the user is customized program authority be stored in the condition receiving card, follow-uply the user is carried out control of authority by condition receiving card.
Step 202: when the needs broadcast service information, network side is from corresponding to selecting a key seed this professional key seed group, generate business cipher key according to the key seed of this selection, and the identifier of this key seed is included among the EMM is handed down to terminal by broadcast channel.
In this step, network side can also can take alternate manner to select from corresponding to selecting a key seed at random this professional key seed group, for example: and begin circulation in turn from first key seed and select, or select at interval etc.
Selected after the key seed, the various mapping algorithms that can take to exist in the prior art generate business cipher key.Preferably, can produce a random number simultaneously, and adopt Hash (Hash) algorithm to generate business cipher key according to this random number and this key seed.
The key seed identifier that transmits in order to guarantee and the integrality of random number, and reduce requirement to the end side disposal ability, can the key seed identifier and the random number signature after issue.Particularly, can take following dual mode:
First kind of mode: key seed identifier and random number are formed business cipher key generation message, and the form of this business cipher key generation message is as shown in table 1:
The key seed identifier Random number
Table 1
And business cipher key shown in the table 1 is generated message be included among the EMM, this EMM to be signed, the form of this EMM is as shown in table 2:
The EMM message identifier ...... Business cipher key generates message ...... Signature
Table 2
In the table 2, EMM message comprises: EMM message identifier, business cipher key generate message and other service authorization information, and have signature.
The second way: with the computing of signing together of key seed identifier and random number, and key seed identifier, random number and signature are formed business cipher key generate message, this business cipher key is generated message be carried among the EMM.The form of this business cipher key generation message is as shown in table 3:
The key seed identifier Random number Signature
Table 3
Step 203: terminal sends to condition receiving card with the EMM that receives, condition receiving card obtains the key seed identifier from EMM, and determine the pairing key seed of this key seed identifier according to business and the corresponding relation of key seed group of storage in advance, generate business cipher key according to the determined key seed employing mode identical with network side.
In this step, condition receiving card is determined after the key seed, can take the algorithm identical with network side to generate business cipher key by key seed.This algorithm should be that network side and condition receiving card are made an appointment.
If network side has adopted random number when generating business cipher key, this random number will be included among the EMM and issue, and at this moment, condition receiving card can obtain this random number from EMM, and generates business cipher key according to this random number with determined key seed.For example: adopt hash algorithm to generate business cipher key according to this random number and this key seed.
In actual applications, when terminal receives user's scrambled program playing request, the identifier of this scrambled program can be sent to condition receiving card, carry out control of authority by condition receiving card, and determine whether to respond the playing request of user to this program, that is: whether decision generates this scrambled program corresponding service key.Particularly: after the condition receiving card certifying signature is effective, can further carry out control of authority to the user according to the program authority of the identifier of this scrambled program and storage in advance, if have the broadcast authority of this scrambled program, then from EMM, obtain key seed identifier and random number, and generate business cipher key in view of the above.
So far, finish business cipher key distribution method of the present invention.
Through after the above-mentioned steps 201~203, condition receiving card has generated business cipher key, utilizes this business cipher key decrypt authorized control information (ECM) to obtain program current cipher key, and utilizes program current cipher key that program stream is carried out descrambling.The invention provides following two kinds of end side scramble process schemes:
First kind of scheme: terminal sends to condition receiving card with the ECM that receives, and condition receiving card uses the business cipher key deciphering ECM that generates to obtain program current cipher key, and the program current cipher key that obtains is returned to terminal.
Second kind of scheme: terminal sends to condition receiving card with ECM and the program stream that receives, the inner integrated descrambling module of condition receiving card, the business cipher key that condition receiving card can't generate condition receiving card, condition receiving card obtains program current cipher key with business cipher key deciphering ECM, directly in card, finish descrambling, and the program stream that obtains is returned to terminal program stream.
Based on the above-mentioned business cipher key distribution method that the present invention proposes, corresponding change need take place in the ECM product process and the EMM product process of network side, below carries out brief description respectively.
Fig. 3 is for adopting the ECM product process schematic diagram of the inventive method.Referring to Fig. 3, this flow process comprises:
Step 301: from the key seed group of correspondence, select a key seed according to business information.
Step 302: generate random number.
Above-mentioned steps 301 and 302 order of operation also can be carried out in no particular order simultaneously.
Step 303: generate business cipher key according to key seed and random number,, and generate the ECM message that comprises this program current cipher key with this business cipher key ciphered program stream secrete key.
So far, finish the ECM product process.
Fig. 4 is for adopting the EMM product process schematic diagram of the inventive method.Referring to Fig. 4, this flow process comprises:
Step 401: from the key seed group of correspondence, select a key seed according to business information.
Step 402: generate random number.
Above-mentioned steps 401 and 402 order of operation also can be carried out in no particular order simultaneously.
Step 403: the key seed identifier and the random number of described key seed are encapsulated in the EMM message.
So far, finish the EMM product process.
Adopt the end side handling process of the inventive method below by a specific embodiment explanation.Fig. 5 is for adopting the end side handling process schematic diagram of the inventive method.Referring to Fig. 5, this flow process comprises:
Step 501: the user opens the mobile TV client.
Step 502: terminal receives business guide, and obtains the CA initialization information to the condition receiving card request.
Step 503: the user browses programme information, and the program of selecting hope to watch perhaps carries out other operations.If select to play, continue execution in step 504.
Be used under the situation of selecting to play, terminal can require the user to import PIN code.This operation can be carried out according to the needs of practical application.
Step 504: if the user selects to play certain program, then terminal is to condition receiving card request CA_System_ID, and terminal is obtained the index information of ECM/EMM according to this sign subsequently, intercepts and captures corresponding ECM then and is transmitted to condition receiving card.
Step 505: the ECM that condition receiving card sends according to terminal, the memory space in card is searched the corresponding service key, if business cipher key exists, shows to have effective business cipher key, then enters step 511; Otherwise condition receiving card returns " business cipher key disappearance message ", enters step 506.
Step 506: terminal is obtained the index information of ECM/EMM according to CA_System_ID.Subsequently EMM is sent to condition receiving card.
Step 507: the integrality of condition receiving card checking EMM if complete, then enters step 508; Otherwise condition receiving card returns " the non-full message of business cipher key information " to terminal, enters step 514.
Step 508: the service identification that condition receiving card sends according to terminal, check the user right file, judge whether the user has authority to use this business.If authentication is passed through, then enter step 509; Otherwise according to the failed authentication result, condition receiving card returns accordingly " service denial message " to terminal, enters step 514.
Step 509: condition receiving card generates new business cipher key according to key seed identifier that comprises among the EMM and random number.
Step 510: condition receiving card is replaced the business cipher key of original storage in the card stored space with newly-generated business cipher key, enters step 512.
Step 511: the service identification that condition receiving card sends according to terminal, check the user right file, judge whether the user has authority to use this business.If authentication is passed through, then enter step 512; Otherwise according to the failed authentication result, condition receiving card returns accordingly " service denial message " to terminal, enters step 514.
Step 512: condition receiving card uses business cipher key that the CW after encrypting among the ECM is decrypted, and obtains expressly CW.
Step 513: end side is with CW descrambling program stream and play TV programme.The user can select to change content and continue to watch still winding-up in watching the program process, if select the transposing program, then enter step 502; Otherwise enter step 514.
Step 514: finish playing programs, the software of closing a terminal.
So far, finish end side handling process of the present invention.
On the basis of technique scheme, the present invention proposes a kind of hierarchical encryption system, and it is three layers that this hierarchical encryption system is divided into, as shown in Figure 6.Realize that based on the present invention's hierarchical encryption system shown in Figure 6 the method for key distribution comprises following three levels:
Ground floor: business cipher key distribution.When the needs broadcast service information, network side is from corresponding to selecting a key seed this professional key seed group, generate business cipher key according to selected key seed, and the key seed identifier of key seed is included among the EMM is handed down to terminal by broadcast channel; Terminal sends to condition receiving card with the EMM that receives, condition receiving card obtains the key seed identifier from EMM, and determine the pairing key seed of this key seed identifier according to business and the corresponding relation of key seed group of storage in advance, generate business cipher key according to the determined key seed employing mode identical with network side.
In this layer, condition receiving card can be finished authentication and authentication to the user according to the information of carrying among key seed group, the user's of storage authority and the EMM, and the business cipher key that is generated is stored.
Certainly, identical with the present invention's business cipher key distribution method shown in Figure 2, if produced random number when generating business cipher key, network side also needs random number is also sent to terminal, does not repeat them here.
The second layer: program current cipher key distribution.Network side is encapsulated among the Entitlement Control Message ECM after program current cipher key is encrypted with business cipher key, and described ECM is handed down to terminal by broadcast channel; The business cipher key that end side uses described condition receiving card to generate is decrypted the ECM that receives, and obtains program current cipher key.
The 3rd layer: the program stream distribution.Network side carries out scrambling with program current cipher key to program stream, and the program stream after scrambling is handed down to terminal by broadcast channel; Program stream after end side uses program current cipher key that the deciphering of described end side obtains to scrambling carries out descrambling, obtains program stream.
More than three layers all finish by the One-to-All Broadcast channel, need not to rely on bidirectional communication network, therefore, this scheme has reduced the performance requirement to terminal equipment, and the scope of application is more extensive.
Corresponding to said method, the present invention also provides a kind of business cipher key dissemination system.Fig. 7 is the composition structural representation of business cipher key dissemination system of the present invention.Referring to Fig. 7, this system comprises: network side 710 and end side 720, wherein, end side 720 further comprises: terminal 721 and condition receiving card 722.Wherein:
Network side 710 is used to store the business that sets in advance and the corresponding relation of key seed group, comprises at least one key seed and corresponding key seed identifier thereof in the high key seed group; When the needs broadcast service information, be used for from selecting a key seed corresponding to this professional key seed group, and be used for generating business cipher key, and be used for key seed identifier with this key seed and be carried on EMM and be handed down to terminal 721 by broadcast channel according to selected key seed;
Terminal 721, the EMM that is used for being received from network side 710 sends to condition receiving card 722;
Condition receiving card 722, be used to store the business that sets in advance and the corresponding relation of key seed group, and be used for obtaining the key seed identifier from the EMM that is received from terminal 721, determine the pairing key seed of this key seed identifier according to the business of storage in advance and the corresponding relation of key seed group, and be used for adopting the mode identical to generate business cipher key with network side according to determined key seed.
Network side 710 in the system shown in Figure 7, when the needs broadcast service information, be further used for generating random number, this random number be carried among the EMM be handed down to terminal 721, and be used for adopting hash algorithm to generate business cipher key according to this random number and selected key seed by broadcast channel;
Correspondingly, condition receiving card 722 is further used for obtaining this random number from this EMM, and is used for adopting hash algorithm to generate business cipher key according to this random number and determined key seed.
Network side 710 in the system shown in Figure 7 is used for that also this random number and this key seed identifier are formed business cipher key and generates message, this business cipher key is generated message be carried among the EMM, and send to terminal 721 after being used for this EMM signed;
Correspondingly, condition receiving card 722 is used to also verify whether the signature of this EMM is effective, when effective, be used for continuing to carry out the business cipher key that comprises from EMM and generate the operation of obtaining key seed identifier and random number the message.
Network side 710 in the system shown in Figure 7 also is used for this random number and key seed identifier are signed, and is used for this random number, key seed identifier and signature composition business cipher key generation message are carried on EMM;
Correspondingly, condition receiving card 722 is used for also verifying whether the signature of this business cipher key generation message is effective, when effective, be used for continuing to carry out the business cipher key that comprises from EMM and generate the operation of obtaining key seed identifier and random number the message.
Network side 710 in the system shown in Figure 7 is further used for ECM is sent to described terminal;
Terminal 721, the ECM that is further used for receiving sends to condition receiving card 722;
Condition receiving card 722 is further used for using the business cipher key deciphering ECM of generation to obtain program current cipher key, and the program current cipher key that obtains is returned to terminal.
Network side 710 in the system shown in Figure 7 is further used for the program stream after ECM and the scrambling is sent to terminal 721;
Terminal 721, the ECM and the program stream after the scrambling that are further used for receiving send to condition receiving card 722;
Condition receiving card 722 is further used for using the business cipher key deciphering ECM of generation to obtain program current cipher key, and the program stream after being used to adopt program current cipher key to this scrambling carries out descrambling, and the program stream behind the descrambling is returned to terminal 721.
Terminal 721 in the system shown in Figure 7 is further used for when receiving user's scrambled program playing request, and the identifier of this scrambled program is sent to condition receiving card 722;
Correspondingly, condition receiving card 722, be further used for storing in advance the customized program authority of user, and be used for the user being carried out control of authority according to the program authority of the identifier of the scrambled program that is received from terminal 721 and storage in advance, the right of broadcasting that has this scrambled program in judgement is prescribed a time limit, and is used for continuing to carry out the business cipher key that comprises from EMM and generates the operation of obtaining key seed identifier and random number the message.
As seen from the above-described embodiment, in the business cipher key distribution method and system that the present invention proposes, at the corresponding with it key seed group of each business setting, and professional corresponding relation with the key seed group is stored in the place of safety of condition receiving card by in advance; When needs are broadcasted the business cipher key of a certain business, from corresponding to selecting a key seed to generate business cipher key this professional key seed group, and the identifier of this key seed is included in is handed down to terminal among the EMM by network side; Terminal sends to condition receiving card after receiving EMM, determines corresponding key seed by condition receiving card according to key seed identifier wherein, and generates business cipher key in view of the above, thereby realized the distribution of business cipher key.In the said method and system proposed by the invention, need the secure service size of key of broadcasting to depend on professional scale number, that is: exist the professional just needs of how many kinds of to broadcast what key seed identifiers, irrelevant with number of users, thereby significantly reduced the broadcasting amount of business cipher key, save valuable channel resource, and reduced the time delay of user's latency services key.
And, business cipher key distribution approach disclosed by the invention and cipher key distribution scheme have proposed a kind of new hierarchical encryption architecture, this hierarchical encryption architecture only comprises three layers, and, this scheme need not to depend on bidirectional communication network, therefore based on the authentication of unidirectional broadcast network realization to the user, this scheme has reduced the performance requirement to terminal equipment, and the scope of application is more extensive.
In addition, the key seed identifier does not need to utilize user key to encrypt among the present invention, can issue expressly to be with the form of signature, can guarantee the integrality of this transmission of messages, can reduce the requirement to the end side disposal ability again.And, do not comprise business cipher key among the EMM, just comprise the key seed identifier that is used to generate business cipher key, must could generate business cipher key in conjunction with the key seed that is stored in advance in the condition receiving card, and, business cipher key generates in card, thereby makes that the distribution of business cipher key is safer.
The above is preferred embodiment of the present invention only, is not to be used to limit protection scope of the present invention.All any modifications of being done within the spirit and principles in the present invention, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.

Claims (11)

1. a business cipher key distribution method is applicable to multi-media broadcasting service, it is characterized in that:
Be stored in the place of safety of condition receiving card in advance at the corresponding with it key seed group of each business setting, and with the corresponding relation of described business and key seed group; Comprise at least one key seed and corresponding key seed identifier thereof in the described key seed group;
This method also comprises:
A, when the needs broadcast service information, network side is from corresponding to selecting a key seed the key seed group of described business, generate business cipher key according to the key seed of described selection, and the key seed identifier of described key seed is included among the Entitlement Management Message EMM is handed down to terminal by broadcast channel;
B, terminal send to condition receiving card with the EMM that receives, condition receiving card obtains the key seed identifier from EMM, and determine the pairing key seed of described key seed identifier according to business and the corresponding relation of key seed group of storage in advance, generate business cipher key according to described definite key seed employing mode identical with network side.
2. method according to claim 1 is characterized in that:
When the needs broadcast service information, described network side further generates random number, and further described random number is included among the EMM and is handed down to terminal by broadcast channel;
Steps A is described according to the key seed generation business cipher key of selecting to be: the key seed according to described random number and described selection adopts hash algorithm to generate business cipher key;
Described condition receiving card further obtains described random number from described EMM when obtaining the key seed identifier;
The key seed that the described basis of step B is determined generates business cipher key: adopt hash algorithm to generate business cipher key according to described random number and described definite key seed.
3. method according to claim 2 is characterized in that:
Described key seed identifier and random number are included among the EMM of steps A is: described random number and described key seed identifier are formed business cipher key generate message, and described business cipher key is generated message be included among the EMM, described EMM is signed;
Among the step B after described terminal sends to condition receiving card with the EMM that receives and described condition receiving card obtains key seed identifier and random number from EMM before, further comprise: condition receiving card verifies whether the signature of described EMM is effective, when effective, continue to carry out described operation of from EMM, obtaining key seed identifier and random number.
4. method according to claim 2 is characterized in that:
Described key seed identifier and random number are included among the EMM of steps A is: described random number and key seed identifier are signed, described random number, key seed identifier and signature are formed business cipher key generate message, and described business cipher key generation message is included among the EMM;
Among the step B after described terminal sends to condition receiving card with the EMM that receives and described condition receiving card obtains key seed identifier and random number from EMM before, further comprise: condition receiving card verifies whether the signature in the described business cipher key generation message is effective, when effective, continue to carry out described operation of from EMM, obtaining key seed identifier and random number.
5. according to claim 3 or 4 each described methods, it is characterized in that:
This method further comprises: in advance that the user is customized program authority is stored in the condition receiving card;
When receiving user's scrambled program playing request, this method further comprises: terminal sends to condition receiving card with the identifier of described scrambled program;
After described condition receiving card certifying signature is effective, further comprise: condition receiving card carries out control of authority according to the program authority of the identifier of described scrambled program and storage in advance to the user, if have the broadcast authority of described scrambled program, then continue to carry out described operation of from EMM, obtaining key seed identifier and random number.
6. a business cipher key dissemination system is applicable to multi-media broadcasting service, it is characterized in that, comprises network side and end side, and wherein, end side further comprises: terminal and condition receiving card;
Described network side is used to store the business that sets in advance and the corresponding relation of key seed group, comprises at least one key seed and corresponding key seed identifier thereof in the described key seed group; When the needs broadcast service information, be used for selecting a key seed from key seed group corresponding to described business, and be used for generating business cipher key, and be used for key seed identifier with described key seed and be carried on Entitlement Management Message EMM and be handed down to terminal by broadcast channel according to the key seed of described selection;
Described terminal, the EMM that is used for being received from network side sends to described condition receiving card;
Described condition receiving card, be used to store the corresponding relation of described business that sets in advance and key seed group, and be used for obtaining the key seed identifier from the EMM that is received from terminal, determine the pairing key seed of described key seed identifier according to the business of storage in advance and the corresponding relation of key seed group, and be used for adopting the mode identical to generate business cipher key with network side according to described definite key seed.
7. system according to claim 6 is characterized in that:
Described network side, when the needs broadcast service information, be further used for generating random number, described random number be carried among the EMM be handed down to terminal, and be used for adopting hash algorithm to generate business cipher key according to the key seed of described random number and described selection by broadcast channel;
Described condition receiving card is further used for obtaining described random number from described EMM, and is used for adopting hash algorithm to generate business cipher key according to described random number and described definite key seed.
8. system according to claim 7 is characterized in that:
Described network side is used for that also described random number and described key seed identifier are formed business cipher key and generates message, described business cipher key is generated message be carried among the EMM, and send to described terminal after being used for described EMM signed;
Described condition receiving card is used to also verify whether the signature of described EMM is effective, when effective, is used for continuing to carry out described operation of obtaining key seed identifier and random number from EMM.
9. system according to claim 7 is characterized in that:
Described network side also is used for described random number and key seed identifier are signed, and is used for described random number, key seed identifier and signature composition business cipher key generation message are carried on EMM;
Described condition receiving card is used for also verifying whether the signature of described business cipher key generation message is effective, when effective, is used for continuing to carry out described operation of obtaining key seed identifier and random number from EMM.
10. it is characterized in that according to Claim 8 or 9 each described systems:
Described terminal is further used for when receiving user's scrambled program playing request, and the identifier of described scrambled program is sent to condition receiving card;
Described condition receiving card, be further used for storing in advance the customized program authority of user, and be used for the user being carried out control of authority according to described identifier and the described program authority of storage in advance that is received from the scrambled program of terminal, the right of broadcasting that has described scrambled program in judgement is prescribed a time limit, and is used for continuing to carry out described operation of obtaining key seed identifier and random number from EMM.
11. a cryptographic key distribution method is applicable to multi-media broadcasting service, it is characterized in that:
Be stored in the place of safety of condition receiving card in advance at the corresponding with it key seed group of each business setting, and with the corresponding relation of described business and key seed group; Comprise at least one key seed and corresponding key seed identifier thereof in the described key seed group;
A, when the needs broadcast service information, network side is from corresponding to selecting a key seed the key seed group of described business, generate business cipher key according to the key seed of described selection, and the key seed identifier of key seed is included among the Entitlement Management Message EMM is handed down to terminal by broadcast channel; Terminal sends to condition receiving card with the EMM that receives, condition receiving card obtains the key seed identifier from EMM, and determine the pairing key seed of described key seed identifier according to business and the corresponding relation of key seed group of storage in advance, generate business cipher key according to described definite key seed employing mode identical with network side;
B, network side are encapsulated among the Entitlement Control Message ECM after program current cipher key is encrypted with business cipher key, and described ECM is handed down to terminal by broadcast channel; The business cipher key that end side uses described condition receiving card to generate is decrypted the ECM that receives, and obtains program current cipher key;
C, network side carry out scrambling with program current cipher key to program stream, and the program stream after scrambling is handed down to terminal by broadcast channel; Program stream after end side uses program current cipher key that the deciphering of described end side obtains to scrambling carries out descrambling, obtains program stream.
CN2009100853323A 2009-05-21 2009-05-21 Method and system for distributing service secret keys Expired - Fee Related CN101562520B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100853323A CN101562520B (en) 2009-05-21 2009-05-21 Method and system for distributing service secret keys

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009100853323A CN101562520B (en) 2009-05-21 2009-05-21 Method and system for distributing service secret keys

Publications (2)

Publication Number Publication Date
CN101562520A CN101562520A (en) 2009-10-21
CN101562520B true CN101562520B (en) 2011-07-06

Family

ID=41221152

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009100853323A Expired - Fee Related CN101562520B (en) 2009-05-21 2009-05-21 Method and system for distributing service secret keys

Country Status (1)

Country Link
CN (1) CN101562520B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102123390B (en) * 2010-01-07 2014-01-29 中国移动通信集团公司 Method, device and terminal for processing service keys
CN103581751B (en) * 2013-02-08 2016-12-28 山东泰信电子股份有限公司 A kind of digital television signal receives system and method for reseptance
CN104393989A (en) * 2014-10-30 2015-03-04 北京神州泰岳软件股份有限公司 A secret key negotiating method and device
CN111737660B (en) * 2020-06-28 2023-11-17 浙江大华技术股份有限公司 Method, system and storage medium for realizing software authorization
CN113473212B (en) * 2021-09-03 2021-10-29 深圳佳力拓科技有限公司 Digital television display method with both unidirectional broadcast network and bidirectional communication network
CN113541948B (en) * 2021-09-17 2021-12-21 深圳佳力拓科技有限公司 Digital television program playing method and device based on missing key

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697375A (en) * 2004-05-10 2005-11-16 华为技术有限公司 Generating digital content to be authenticated, method for authenticating and processing the digital content
CN101141246A (en) * 2006-09-05 2008-03-12 华为技术有限公司 Service key obtaining method and subscription management server
CN101166259A (en) * 2006-10-16 2008-04-23 华为技术有限公司 Mobile phone TV service protection method, system, mobile phone TV server and terminal
CN101212641A (en) * 2007-12-25 2008-07-02 深圳清华大学研究院 Encryption and authorization method for DTV conditional receiving system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697375A (en) * 2004-05-10 2005-11-16 华为技术有限公司 Generating digital content to be authenticated, method for authenticating and processing the digital content
CN101141246A (en) * 2006-09-05 2008-03-12 华为技术有限公司 Service key obtaining method and subscription management server
CN101166259A (en) * 2006-10-16 2008-04-23 华为技术有限公司 Mobile phone TV service protection method, system, mobile phone TV server and terminal
CN101212641A (en) * 2007-12-25 2008-07-02 深圳清华大学研究院 Encryption and authorization method for DTV conditional receiving system

Also Published As

Publication number Publication date
CN101562520A (en) 2009-10-21

Similar Documents

Publication Publication Date Title
CN102802036B (en) System and method for identifying digital television
CN101166259B (en) Mobile phone TV service protection method, system, mobile phone TV server and terminal
CN101448130B (en) Method, system and device for protecting data encryption in monitoring system
CN108683501B (en) Multiple identity authentication system and method with timestamp as random number based on quantum communication network
US8218772B2 (en) Secure multicast content delivery
CN101562520B (en) Method and system for distributing service secret keys
CN103354998A (en) Control word protection
CN102724568A (en) Authentication certificates
CN102111681B (en) Key system for digital television broadcast condition receiving system
CN101350718A (en) Method for protecting play content authority range base on user identification module
CN107483429B (en) A kind of data ciphering method and device
CN100403814C (en) Packet broadcasting service key controlling method
CN101640785B (en) Encrypting/decrypting system and encrypting/decrypting method for interactive network television
CN105874805B (en) The method of multimedia license is distributed in the distribution system of secure multimedia service
CN100589377C (en) Multimedia business protection and key management method based on portable terminal
CN102917252B (en) IPTV (internet protocol television) program stream content protection system and method
CN105191332A (en) Method and device to embed watermark in uncompressed video data
CN101656583B (en) Key management system and key management method
CN101505400B (en) Bi-directional set-top box authentication method, system and related equipment
CN101505462B (en) Authentication method and system for mobile multimedia broadcast conditional reception
CN103546767A (en) Content protection method and system of multimedia service
CN100544429C (en) A kind of mobile phone TV services content protecting method
CN101521668A (en) Method for authorizing multimedia broadcasting content
CN102427559A (en) Identity authentication method based on digital television set card separation technology
CN105847890A (en) OTT digital copyright-based management system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: CHINA POTEVIO CO., LTD.

Free format text: FORMER OWNER: PUTIAN IT TECH INST CO., LTD.

Effective date: 20130304

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20130304

Address after: 100080, No. two, 2 street, Zhongguancun science and Technology Park, Beijing, Haidian District

Patentee after: CHINA POTEVIO CO.,LTD.

Address before: 100080 Beijing, Haidian, North Street, No. two, No. 6, No.

Patentee before: PETEVIO INSTITUTE OF TECHNOLOGY Co.,Ltd.

ASS Succession or assignment of patent right

Owner name: PUTIAN IT TECH INST CO., LTD.

Free format text: FORMER OWNER: CHINA POTEVIO CO., LTD.

Effective date: 20130313

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20130313

Address after: 100080 Beijing, Haidian, North Street, No. two, No. 6, No.

Patentee after: PETEVIO INSTITUTE OF TECHNOLOGY Co.,Ltd.

Address before: 100080, No. two, 2 street, Zhongguancun science and Technology Park, Beijing, Haidian District

Patentee before: CHINA POTEVIO CO.,LTD.

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Method and system for distributing service secret keys

Effective date of registration: 20131210

Granted publication date: 20110706

Pledgee: Bank of Beijing Limited by Share Ltd. Century City Branch

Pledgor: PETEVIO INSTITUTE OF TECHNOLOGY Co.,Ltd.

Registration number: 2013990000954

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
C56 Change in the name or address of the patentee

Owner name: POTEVIO INFORMATION TECHNOLOGY CO., LTD.

Free format text: FORMER NAME: PUTIAN IT TECH INST CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 100080 Beijing, Haidian, North Street, No. two, No. 6, No.

Patentee after: POTEVIO INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 100080 Beijing, Haidian, North Street, No. two, No. 6, No.

Patentee before: PETEVIO INSTITUTE OF TECHNOLOGY Co.,Ltd.

PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20151102

Granted publication date: 20110706

Pledgee: Bank of Beijing Limited by Share Ltd. Century City Branch

Pledgor: POTEVIO INFORMATION TECHNOLOGY Co.,Ltd.

Registration number: 2013990000954

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PM01 Change of the registration of the contract for pledge of patent right

Change date: 20151102

Registration number: 2013990000954

Pledgor after: POTEVIO INFORMATION TECHNOLOGY Co.,Ltd.

Pledgor before: PETEVIO INSTITUTE OF TECHNOLOGY Co.,Ltd.

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Method and system for distributing service secret keys

Effective date of registration: 20151105

Granted publication date: 20110706

Pledgee: Bank of Beijing Limited by Share Ltd. Century City Branch

Pledgor: POTEVIO INFORMATION TECHNOLOGY Co.,Ltd.

Registration number: 2015990000948

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20161008

Granted publication date: 20110706

Pledgee: Bank of Beijing Limited by Share Ltd. Century City Branch

Pledgor: POTEVIO INFORMATION TECHNOLOGY Co.,Ltd.

Registration number: 2015990000948

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Method and system for distributing service secret keys

Effective date of registration: 20161011

Granted publication date: 20110706

Pledgee: Bank of Beijing Limited by Share Ltd. Century City Branch

Pledgor: POTEVIO INFORMATION TECHNOLOGY Co.,Ltd.

Registration number: 2016990000859

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20170802

Granted publication date: 20110706

Pledgee: Bank of Beijing Limited by Share Ltd. Century City Branch

Pledgor: POTEVIO INFORMATION TECHNOLOGY Co.,Ltd.

Registration number: 2016990000859

PC01 Cancellation of the registration of the contract for pledge of patent right
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110706

Termination date: 20210521