CN101729535B - Implementation method of media on-demand business - Google Patents
Implementation method of media on-demand business Download PDFInfo
- Publication number
- CN101729535B CN101729535B CN200910150767.1A CN200910150767A CN101729535B CN 101729535 B CN101729535 B CN 101729535B CN 200910150767 A CN200910150767 A CN 200910150767A CN 101729535 B CN101729535 B CN 101729535B
- Authority
- CN
- China
- Prior art keywords
- media
- key
- user
- application server
- request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/045—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/1066—Session management
- H04L65/1101—Session protocols
- H04L65/1104—Session initiation protocol [SIP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/60—Network streaming of media packets
- H04L65/61—Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio
- H04L65/612—Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio for unicast
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to an implementation method of media on-demand business. A user sends a media on-demand request to a media on-demand application server, wherein the request contains a user identification of the user and a media identification of media contents on-demanded by the user; after receiving the media on-demand request, the media on-demand application server enables the user identification and a media secret key which corresponds to the media contents encrypted by adopting a shared secret key Kp to be included into a media secret key encryption request and sends to a knowledgebase management system (KMS); after receiving the media secret key encryption request, the KMS acquires a media secret key by adopting Kp decryption, then encrypts the media secret key by adopting a shared secret key and sends the media secret key encrypted by the Ka to the user; and the user decrypts the received media contents transmitted in an encryption way by using the media secret key after acquiring the media secret key by adopting the Ka encryption, wherein the Kp is a shared secret key between the media on-demand application server and the KMS, and the Ka is a shared secret key between the user and the KMS.
Description
Technical field
The present invention relates to the communications field, relate in particular to the implementation method of a kind of IP (Internet Protocol, Internet Protocol) IP multimedia subsystem, IMS media on-demand business.
Background technology
In the technical specification of the media safety of IP (Internet Protocol, Internet Protocol) IP multimedia subsystem, IMS (IMS), the demand for security to media-on-demand has been proposed.
At present, also not about in the media-on-demand system, how sending safely the concrete solution of Media Stream, but Otway-Rees agreement (a kind of authentication and password exchange agreement) is used for solving IMS media flow security problem as a candidate scheme in the technical documentation relevant with the IMS media safety.
Below will simply introduce the Otway-Rees agreement, specifically may further comprise the steps:
(1) Alice generates a message, comprises in this message: the sign A of call number I, Alice, the sign B of Bob and random number RA; The key of sharing with Alice and Trent obtains EKAT (I, A, B, RA) to this message encryption, and the sign B of the sign A of call number I, Alice and Bob is sent to Bob with the message of encryption;
(2) Bob generates a message, comprises in this message: the sign A of call number I, Alice, the sign B of Bob and random number R B; The key of sharing with Bob and Trent obtains EKBT (I to this message encryption, A, B, RB), with the encryption message EKAT (I of sign B, the Alice of sign A, the Bob of call number I, Alice, A, B, RA), the message EKBT (I, the A that encrypt with Bob, B, RB) send to together Trent;
(3) Trent generates a random session key K, then generate two messages, a key of sharing with Trent and Alice obtains EKAT (K to random number RA and session key K encryption, RA), another obtains EKBT (K, RB) with the key that Trent and Bob share to random number R B and session key K encryption; Trent sends to Bob with these two messages with call number I;
(4) the message EKAT (K, RA) of the secret key encryption that will share with Trent and Alice of Bob sends to Alice;
So far, Bob and Alice have obtained session key K.
Fig. 1 is based on and carries out key agreement in the IMS media flow security solution of Otway-Rees agreement to realize the method flow diagram of safety call.Wherein, Key Management server (KMS) is as trusted third party (being equivalent to the Trent in the Otway-Rees agreement); Both call sides user A and user B adopt common authentication mechanism (Generic Bootstrapping Architecture, referred to as GBA) etc. after mode and KMS set up safe trusting relationship (being shared key), set up each other safe trusting relationship (being shared key) by the trusting relationship of both sides and KMS again.In order more clearly the method to be described, the parameters such as the required call number of Otway Rees agreement and random number in following flow process, have been omitted.As shown in Figure 1, the method comprises the steps:
101: user A and Key Management server (KMS) adopt common authentication mechanism (GBA) or alternate manner to consult to obtain shared key Ka.
102: user B and Key Management server (KMS) adopt common authentication mechanism (GBA) or alternate manner to consult to obtain shared key Kb.
103: user A sends call request (for example, INVITE) by the IMS network to user B, comprises following parameter: ID-A (identifier of user A) in the call request, ID-B (identifier of user B) and Ea (ID-A, ID-B);
Wherein, Ea (ID-A, ID-B) is for adopting shared key Ka ID-A, ID-B to be encrypted the ciphertext that obtains.
The 104:IMS network is transmitted to user B with the call request of user A.
105: after user B receives the call request of user A, send media key to KMS and obtain request, comprise following parameter: ID-A in this request, ID-B, Ea (ID-A, ID-B) and Eb (ID-A, ID-B);
Wherein, Eb (ID-A, ID-B) is for adopting shared key Kb that ID-A and ID-B are encrypted the ciphertext that obtains.
106:KMS obtains shared key Ka and Kb according to ID-A and ID-B, then deciphers respectively Ea (ID-A, ID-B) and Eb (ID-A, ID-B) with Ka and Kb, and whether the ID-A that the checking deciphering obtains is consistent with ID-A and ID-B expressly with ID-B; If the verification passes (i.e. the ID-A that deciphering obtains is consistent with ID-A and ID-B expressly with ID-B), then KMS generates media key K.
107:KMS uses respectively Ka and Kb encrypted media key K, obtains Ea (K) and Eb (K), and Ea (K) and Eb (K) are included in media key obtain and send to user B in the response.
108: user B is decrypted Eb (K), obtains media key K.
109: user B sends the call answering (for example, 200OK message) that comprises Ea (K) by the IMS network to user A.
The 110:IMS network will comprise the 200OK message of Ea (K) and issue user A.
111: user A obtains media key K by deciphering Ea (K).
Can find out according to above flow process, based on the IMS media flow security solution logic of Otway-Rees agreement fairly simple, also fewer with the Signalling exchange of KMS, solved the conversation safety problem between two users.But, because in the application scenarios of media-on-demand, one side of communication is media-on-demand application server (AS), and is that the media that media key of each some broadcasting user generation is encrypted its program request can affect greatly the performance of media-on-demand application server.
Summary of the invention
Technical problem to be solved by this invention is, overcomes the deficiencies in the prior art, and a kind of implementation method of IMS media on-demand business is provided, and realizing generating media key according to media content, and media key sent to the user's of this media content of program request purpose.
In order to address the above problem, the invention provides a kind of implementation method of media on-demand business, the method comprises:
The user sends the media-on-demand request to the media-on-demand application server, comprises the media identification of the media content of described user's user ID and described user's program request in this request;
After receiving described media-on-demand request, the media-on-demand application server is included in media key with described user ID and the corresponding media key of described media content that adopts shared key Kp to encrypt and encrypts in the request and send to Key Management server KMS;
After receiving described media key encryption request, KMS adopt shared key Ka that described media key is encrypted, and the media key that will adopt described Ka to encrypt sends to described user after adopting described Kp deciphering to obtain described media key;
Described user uses described media key that the described media content of its encrypted transmission that receives is decrypted after adopting described Ka deciphering to obtain described media key;
Wherein, described Kp is the shared key of media-on-demand application server and KMS, and described Ka is the shared key of described user and KMS.
In addition, comprise in the described media-on-demand request: the plaintext of described user ID and media identification and the described user ID and the media identification that adopt described Ka to encrypt;
Described media key is encrypted in the request and is comprised: described media identification and described media key that the plaintext of described user ID, the described user ID that adopts described Ka encryption and media identification, the described Kp of employing encrypt;
After receiving described media key encryption request, whether the user ID that KMS checking adopts described Ka deciphering to obtain consistent with the plaintext of described user ID, and checking whether adopt media identification that described Ka deciphering obtains and the described Kp of employing to decipher the media identification that obtains consistent, above-mentioned checking just adopts described Ka that described media key is encrypted by rear, and the media key of encrypting is sent to described user.
Also comprise in the described media-on-demand request: the sign that adopts the media-on-demand application server of described Ka encryption;
Described media key is encrypted in the request and is also comprised: adopt the media-on-demand application server that described Ka encrypts sign, adopt the sign of the media-on-demand application server that described Kp encrypts;
After receiving described media key and encrypting request, adopt described Ka that described media key is encrypted before, KMS also verifies the sign that adopts the media-on-demand application server that described Ka deciphering obtains and whether adopt described Kp to decipher the sign of the media-on-demand application server that obtains consistent.
In addition, KMS will adopt the media key of described Ka encryption to send to described user in the following way:
The media key that KMS will adopt described Ka to encrypt sends to the media-on-demand application server;
The media key that the media-on-demand application server will adopt described Ka to encrypt is included in media-on-demand and sends to described user in replying.
In addition, receive described media-on-demand request before, the media-on-demand application server obtains described media key in the following way:
The media-on-demand application server sends media key to KMS and obtains request, and this request comprises: the described media identification that adopts described Kp to encrypt;
After the KMS deciphering obtains described media identification, generate described media key according to described media identification or according to the sign of described media identification and media-on-demand application server, after adopting described Kp to encrypt described media key, the media key of encrypting is sent to the media-on-demand application server.
The present invention also provides a kind of implementation method of media on-demand business, and the method comprises,
The user sends the media-on-demand request to the media-on-demand application server, comprises the media identification of the media content of described user's user ID and described user's program request in this request;
After receiving described media-on-demand request, the media-on-demand application server is included in media key with described user ID and media identification and obtains and send to KMS in the request;
After receiving described media key and obtaining request, after KMS generates media key according to cipher generating parameter, adopt respectively shared key Ka and shared key Kp that described media key is encrypted, and will adopt the media key of described Ka encryption to send to described user, the media key that will adopt described Kp to encrypt sends to the media-on-demand application server; At least comprise described media identification in the described cipher generating parameter;
Described user uses described media key that the described media content of its encrypted transmission that receives is decrypted after using described Ka deciphering to obtain described media key;
Wherein, described Kp is the shared key of media-on-demand application server and KMS, and described Ka is the shared key of described user and KMS.
In addition, comprise in the described media-on-demand request: the plaintext of described user ID and media identification and the described user ID and the media identification that adopt described Ka to encrypt;
Described media key is obtained in the request and is comprised: the described media identification that the plaintext of described user ID, the described user ID that adopts described Ka encryption and media identification, the described Kp of employing encrypt;
After receiving described media key and obtaining request, whether the user ID that KMS checking adopts described Ka deciphering to obtain consistent with the plaintext of described user ID, and checking whether adopt media identification that described Ka deciphering obtains and the described Kp of employing to decipher the media identification that obtains consistent, above-mentioned checking just generates described media key by rear, and the media key of encrypting is sent to described user and media-on-demand application server.
In addition, also comprise in the described media-on-demand request: the sign that adopts the media-on-demand application server of described Ka encryption;
Described media key is obtained in the request and is also comprised: adopt the media-on-demand application server that described Ka encrypts sign, adopt the sign of the media-on-demand application server that described Kp encrypts;
After receiving the request of obtaining of described media key, generate described media key before, KMS also verifies the sign that adopts the media-on-demand application server that described Ka deciphering obtains and whether adopt described Kp to decipher the sign of the media-on-demand application server that obtains consistent.
In addition, KMS will adopt the media key of described Ka encryption to send to described user in the following way:
The media key that KMS will adopt described Ka to encrypt sends to the media-on-demand application server;
The media key that the media-on-demand application server will adopt described Ka to encrypt is included in media-on-demand and sends to described user in replying.
In addition, the sign that also comprises the media-on-demand application server in the described cipher generating parameter.
In sum, adopt method of the present invention, realized generating media key according to media content, and media key is sent to the user's of this media content of program request purpose; In addition, the present invention can also generate media key in advance before receiving the media-on-demand request, and uses in advance encrypted media content of media key, so that after receiving the media-on-demand request, provides immediately the media content of encryption to the user.
Description of drawings
Fig. 1 is based on and carries out key agreement in the IMS media flow security solution of Otway-Rees agreement to realize the method flow diagram of safety call;
Fig. 2 is the method flow diagram that first embodiment of the invention media-on-demand application server and Key Management server (KMS) carry out key agreement;
When Fig. 3 was second embodiment of the invention user on-demand media content, the media-on-demand application server sent to media key by KMS user's method flow diagram;
Fig. 4 is the implementation method flow chart of second embodiment of the invention IP Multimedia System media on-demand business.
Embodiment
Core concept of the present invention is, come the media key of generating media content according to the media identification of media content, and by the media key that KMS encrypts the media content of this user's program request with itself and user's shared key, the media key of encrypting is sent to the user.
Describe the present invention below in conjunction with drawings and Examples.
The first embodiment
Fig. 2 and Fig. 3 are the implementation method flow charts of first embodiment of the invention IP Multimedia System media on-demand business.In the present embodiment, the media-on-demand application server is the media key of generating media content in advance, and by KMS this media key is encrypted when this media content of user's program request, and the media key of encrypting is sent to the user.
Fig. 2 is the method flow diagram that first embodiment of the invention media-on-demand application server and Key Management server (KMS) carry out key agreement; After this flow process finished, the media-on-demand application server obtained the media key for encrypted media content.As shown in Figure 2, the method comprises:
201: media-on-demand application server and Key Management server (KMS) adopt common authentication mechanism (GBA) to consult to obtain shared key Kp;
If can't adopt the GBA mode, the media-on-demand application server can adopt other authentication modes and KMS to consult to obtain shared key Kp.
202: the media-on-demand application server generates media identification: ID-c for the media content (being denoted as media content C) that needs to encrypt.
Step 201 and 202 is order in no particular order.
203: the media-on-demand application server sends media key to KMS and obtains request, comprises following parameter: ID-P and Ep (ID-P, ID-c) in this request;
Wherein, ID-P is the sign of media-on-demand application server, and Ep (ID-P, ID-c) adopts shared key Kp that ID-P and ID-c are encrypted the ciphertext that obtains.
204:KMS deciphers Ep (ID-P, ID-c) with Kp, and whether the ID-P that the checking deciphering obtains is consistent with ID-P expressly; If above-mentioned checking is by (i.e. the ID-P that deciphering obtains is consistent with ID-P expressly), KMS generates media key Kc according to ID-P and ID-c (being about to ID-P and ID-c as cipher generating parameter), employing media key generating function (KDF).
205:KMS encrypts ID-c and media key Kc with Kp, obtains Ep (ID-c, Kc), and obtains response to media-on-demand application server transmission media key, wherein comprises Ep (ID-c, Kc).
206: the Ep (ID-c, Kc) that the media-on-demand application server is received with the Kp deciphering, obtain media key Kc, then use media key Kc encrypted media content C.
After above flow process is finished, generated the media content C that encrypts on the media-on-demand application server.
When Fig. 3 was second embodiment of the invention user A on-demand media content C, the media-on-demand application server sent to media key by KMS the method flow diagram of user A; After this flow process finished, user A obtained media key Kc, can use media key Kc that the media content C that encrypts is decrypted.As shown in Figure 3, the method comprises:
301: user A and Key Management server (KMS) adopt common authentication mechanism (GBA) to consult to obtain shared key Ka;
If can't adopt the GBA mode, user A can adopt other authentication modes and KMS to consult to obtain shared key Ka.
302: media-on-demand application server and Key Management server (KMS) adopt common authentication mechanism (GBA) to consult to obtain shared key Kp;
If can't adopt the GBA mode, the media-on-demand application server can adopt other authentication modes and KMS to consult to obtain shared key Kp.
If the media-on-demand application server has been preserved the shared key Kp that negotiation obtains in the step 201, this step can be omitted.
Step 301 and 302 is order in no particular order.
303: user A sends media-on-demand request (also can be called call request, for example, INVITE) by the IMS network to the media-on-demand application server, with on-demand media content C; Comprise following parameter: ID-A (identifier of user A) in the media-on-demand request, ID-P (identifier of media-on-demand application server), ID-c (identifier of media content C) and Ea (ID-A, ID-P, ID-c);
Wherein, Ea (ID-A, ID-P, ID-c) is for adopting shared key Ka that ID-A, ID-P and ID-c are encrypted the ciphertext that obtains.
The 304:IMS network is forwarded to the media-on-demand application server with the media-on-demand request of user A.
305: the media-on-demand application server takes out corresponding media key Kc according to the ID-c that comprises in the media-on-demand request.
306: the media-on-demand application server sends media key to KMS and encrypts request, and KMS authenticates user A with request, and media key Kc is encrypted; Comprise following parameter: ID-A, Ea (ID-A, ID-P, ID-c) and Ep (ID-P, ID-c, Kc) in this request.
307:KMS deciphers Ea (ID-A with Ka, ID-P, ID-c), obtain ID-A, ID-P and ID-c, whether the ID-A that the checking deciphering obtains is consistent with ID-A expressly, if the verification passes (i.e. the ID-A that deciphering obtains is consistent with ID-A expressly), then decipher Ep (ID-P, ID-c, Kc) with Kp, whether checking is consistent with the ID-P and the ID-c that obtain with the Ka deciphering with ID-c with the ID-P that the Kp deciphering obtains, if the verification passes (it is consistent with the ID-P and the ID-c that obtain with the Ka deciphering with ID-c namely to decipher the ID-P that obtains with Kp), KMS generates Ep (ID-A, ID-c, Ea (ID-c, Kc));
Wherein, above-mentioned Ea (ID-c, Kc) adopts shared key Ka that ID-c and Kc are encrypted the ciphertext that obtains; Ep (ID-A, ID-c, Ea (ID-c, Kc)) adopts shared key Kp that ID-A, ID-c and Ea (ID-c, Kc) are encrypted the ciphertext that obtains.
308:KMS returns the media key encrypted response to the media-on-demand application server, comprises Ep (ID-A, ID-c, Ea (ID-c, Kc)) in this response.
309: the media-on-demand application server is deciphered Ep (ID-A with Kp, ID-c, Ea (ID-c, Kc)), obtain Ea (ID-c, Kc), comprise Ea (ID-c by the IMS network to user A transmission, Kc) (also can be called call answering, for example, 200OK message) replied in clean culture.
The 310:IMS network will comprise the 200OK message of Ea (ID-c, Kc) and issue user A.
311: user A obtains media key Kc with shared key Ka deciphering Ea (ID-c, Kc).
After above process was finished, user A obtained media key Kc, can use media key Kc to decipher the encrypted media streams of the media content C of its program request, had realized the safe transmission that on-demand media flows.
In addition, after receiving the response message of step 308, the media-on-demand application server the is be sure of corresponding media content that has been user A program request can begin the charging to user A, perhaps begins the charging to user A when the transmission that begins to be encrypted Media Stream.
The second embodiment
Fig. 4 is the implementation method flow chart of second embodiment of the invention IP Multimedia System media on-demand business.In the present embodiment, after the media-on-demand application server received user's media-on-demand request, by the media key of KMS generating media content, KMS encrypted the media key that generates, and the media key of encrypting is sent to the user.As shown in Figure 4, the method comprises:
401~404: identical with step 301~304.
405: after receiving the media-on-demand request, if do not find by the corresponding media key of the media content of program request, the media-on-demand application server sends media key to KMS and obtains request, comprise following parameter: ID-A, Ea (ID-A in this request, ID-P, ID-c) and Ep (ID-P, ID-c).
407: after receiving media key and obtaining request, KMS deciphers Ea (ID-A with Ka, ID-P, ID-c), obtain ID-A, ID-P and ID-c, whether the ID-A that the checking deciphering obtains is consistent with ID-A expressly, if the verification passes (i.e. the ID-A that deciphering obtains is consistent with ID-A expressly), then decipher Ep (ID-P with Kp, ID-c), whether checking is consistent with the ID-P and the ID-c that obtain with the Ka deciphering with ID-c with the ID-P that the Kp deciphering obtains, if the verification passes (it is consistent with the ID-P and the ID-c that obtain with the Ka deciphering with ID-c namely to decipher the ID-P that obtains with Kp), KMS is according to ID-P and ID-c (being about to ID-P and ID-c as cipher generating parameter), adopt media key generating function (KDF) to generate media key Kc, and with Ep (ID-c, Kc) and Ea (ID-c, Kc) be included in media key and obtain and send to the media-on-demand application server in the response.
408: after receiving media key and obtaining response, the media-on-demand application server uses Kp deciphering Ep (ID-c, Kc) obtain media key Kc, Kc is saved as the corresponding media key of described media content C, and in subsequent step, use Kc encrypted media content C.
409~411: identical with step 309~311.
According to basic principle of the present invention, above-described embodiment can also have multiple mapping mode, for example:
(1) in the above embodiment of the present invention, consider the demand of Lawful Interception, generate media key Kc (be convenient to legal entity obtain media key Kc from KMS after, specific media content is decrypted and monitors) by KMS; In other embodiments of the invention, also can be by the media key of the direct generating media content of media-on-demand server.
(2) in the above embodiment of the present invention, KMS uses ID-P and ID-c to generate media key Kc; In other embodiments of the invention, KMS also can generate media key Kc according to ID-c, that is to say, can not comprise ID-P in the cipher generating parameter.
(3) in the above embodiment of the present invention, the media-on-demand application server sends to KMS with the plaintext of ID-A, and KMS finds corresponding Ka according to ID-A; In other embodiments of the invention, the media-on-demand application server sends to KMS after can adopting Kp that ID-A is encrypted, and the ID-A that KMS uses deciphering to obtain searches corresponding Ka.
(4) in the first embodiment of the present invention, before receiving user's media-on-demand request, the media-on-demand application server will generate the required cipher generating parameter of media key (ID-c or ID-P and ID-c) and send to KMS, the cipher generating parameter that KMS sends according to the media-on-demand application server, employing media key generating function are that media content generates media key Kc, then media key Kc are sent to the media-on-demand application server; After receiving user's media-on-demand request, the media-on-demand application server sends to KMS with above-mentioned Kc, and request KMS uses shared key Ka that it is encrypted, and then the Kc that encrypts is sent to user A; In other embodiments of the invention, in step 306, the media-on-demand application server can not send to KMS with media key Kc, and only cipher generating parameter (ID-c or ID-P and ID-c) is sent to KMS, KMS is according to the cipher generating parameter (ID-c or ID-P and ID-c) that receives and adopt identical media key generating function to regenerate media key Kc, and sends to user A after adopting Ka that Kc is encrypted.
(5) in the above embodiment of the present invention, the media key Kc that KMS will adopt shared key Ka to encrypt sends to user A by the media-on-demand application server; In other embodiments of the invention, KMS can adopt alternate manner will adopt the media key Kc of shared key Ka encryption to send to user A (for example, KMS directly sends to user A with the media key Kc that encrypts by the IMS network).
(6) in step 307, KMS also can adopt shared key Kp to ID-A, and ID-c encrypts, and generates Ep (ID-A, IC-c); In step 308, KMS is included in Ep (ID-A, IC-c) and Ea (ID-c, Kc) and sends to the media-on-demand application server in the media key encrypted response.
Claims (10)
1. the implementation method of a media on-demand business is characterized in that, the method comprises,
The user sends the media-on-demand request to the media-on-demand application server, comprises the media identification of the media content of described user's user ID and described user's program request in this request;
After receiving described media-on-demand request, the media-on-demand application server is included in media key with described user ID and the corresponding media key of described media content that adopts shared key Kp to encrypt and encrypts in the request and send to Key Management server KMS;
After receiving described media key encryption request, KMS adopt shared key Ka that described media key is encrypted, and the media key that will adopt described Ka to encrypt sends to described user after adopting described Kp deciphering to obtain described media key;
Described user uses described media key that the described media content of its encrypted transmission that receives is decrypted after adopting described Ka deciphering to obtain described media key;
Wherein, described Kp is the shared key of media-on-demand application server and KMS, and described Ka is the shared key of described user and KMS.
2. the method for claim 1 is characterized in that,
Comprise in the described media-on-demand request: the plaintext of described user ID and media identification and the described user ID and the media identification that adopt described Ka to encrypt;
Described media key is encrypted in the request and is comprised: described media identification and described media key that the plaintext of described user ID, the described user ID that adopts described Ka encryption and media identification, the described Kp of employing encrypt;
After receiving described media key encryption request, whether the user ID that KMS checking adopts described Ka deciphering to obtain consistent with the plaintext of described user ID, and checking whether adopt media identification that described Ka deciphering obtains and the described Kp of employing to decipher the media identification that obtains consistent, above-mentioned checking just adopts described Ka that described media key is encrypted by rear, and the media key of encrypting is sent to described user.
3. method as claimed in claim 2 is characterized in that,
Also comprise in the described media-on-demand request: the sign that adopts the media-on-demand application server of described Ka encryption;
Described media key is encrypted in the request and is also comprised: adopt the media-on-demand application server that described Ka encrypts sign, adopt the sign of the media-on-demand application server that described Kp encrypts;
After receiving described media key and encrypting request, adopt described Ka that described media key is encrypted before, KMS also verifies the sign that adopts the media-on-demand application server that described Ka deciphering obtains and whether adopt described Kp to decipher the sign of the media-on-demand application server that obtains consistent.
4. the method for claim 1 is characterized in that,
The media key that KMS will adopt described Ka to encrypt in the following way sends to described user:
The media key that KMS will adopt described Ka to encrypt sends to the media-on-demand application server;
The media key that the media-on-demand application server will adopt described Ka to encrypt is included in media-on-demand and sends to described user in replying.
5. the method for claim 1 is characterized in that,
Before receiving described media-on-demand request, the media-on-demand application server obtains described media key in the following way:
The media-on-demand application server sends media key to KMS and obtains request, and this request comprises: the described media identification that adopts described Kp to encrypt;
After the KMS deciphering obtains described media identification, generate described media key according to described media identification or according to the sign of described media identification and media-on-demand application server, after adopting described Kp to encrypt described media key, the media key of encrypting is sent to the media-on-demand application server.
6. the implementation method of a media on-demand business is characterized in that, the method comprises,
The user sends the media-on-demand request to the media-on-demand application server, comprises the media identification of the media content of described user's user ID and described user's program request in this request;
After receiving described media-on-demand request, the media-on-demand application server is included in media key with described user ID and media identification and obtains and send to KMS in the request;
After receiving described media key and obtaining request, after KMS generates media key according to cipher generating parameter, adopt respectively shared key Ka and shared key Kp that described media key is encrypted, and will adopt the media key of described Ka encryption to send to described user, the media key that will adopt described Kp to encrypt sends to the media-on-demand application server; At least comprise described media identification in the described cipher generating parameter;
Described user uses described media key that the described media content of its encrypted transmission that receives is decrypted after using described Ka deciphering to obtain described media key;
Wherein, described Kp is the shared key of media-on-demand application server and KMS, and described Ka is the shared key of described user and KMS.
7. method as claimed in claim 6 is characterized in that,
Comprise in the described media-on-demand request: the plaintext of described user ID and media identification and the described user ID and the media identification that adopt described Ka to encrypt;
Described media key is obtained in the request and is comprised: the described media identification that the plaintext of described user ID, the described user ID that adopts described Ka encryption and media identification, the described Kp of employing encrypt;
After receiving described media key and obtaining request, whether the user ID that KMS checking adopts described Ka deciphering to obtain consistent with the plaintext of described user ID, and checking whether adopt media identification that described Ka deciphering obtains and the described Kp of employing to decipher the media identification that obtains consistent, above-mentioned checking just generates described media key by rear, and the media key of encrypting is sent to described user and media-on-demand application server.
8. method as claimed in claim 7 is characterized in that,
Also comprise in the described media-on-demand request: the sign that adopts the media-on-demand application server of described Ka encryption;
Described media key is obtained in the request and is also comprised: adopt the media-on-demand application server that described Ka encrypts sign, adopt the sign of the media-on-demand application server that described Kp encrypts;
After receiving the request of obtaining of described media key, generate described media key before, KMS also verifies the sign that adopts the media-on-demand application server that described Ka deciphering obtains and whether adopt described Kp to decipher the sign of the media-on-demand application server that obtains consistent.
9. method as claimed in claim 6 is characterized in that,
The media key that KMS will adopt described Ka to encrypt in the following way sends to described user:
The media key that KMS will adopt described Ka to encrypt sends to the media-on-demand application server;
The media key that the media-on-demand application server will adopt described Ka to encrypt is included in media-on-demand and sends to described user in replying.
10. method as claimed in claim 6 is characterized in that,
The sign that also comprises the media-on-demand application server in the described cipher generating parameter.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200910150767.1A CN101729535B (en) | 2009-06-30 | 2009-06-30 | Implementation method of media on-demand business |
| PCT/CN2009/075901 WO2010145160A1 (en) | 2009-06-30 | 2009-12-23 | Media on-demand service realization method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200910150767.1A CN101729535B (en) | 2009-06-30 | 2009-06-30 | Implementation method of media on-demand business |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101729535A CN101729535A (en) | 2010-06-09 |
| CN101729535B true CN101729535B (en) | 2013-03-20 |
Family
ID=42449743
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200910150767.1A Expired - Fee Related CN101729535B (en) | 2009-06-30 | 2009-06-30 | Implementation method of media on-demand business |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN101729535B (en) |
| WO (1) | WO2010145160A1 (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8677470B1 (en) * | 2008-01-22 | 2014-03-18 | Salesforce.Com, Inc. | System, method, and computer program product for security verification of communications to tenants of an on-demand database service |
| CN102546574B (en) * | 2010-12-24 | 2014-10-08 | 中国移动通信集团公司 | Streaming media on-demand method and device based on internet protocol (IP) multimedia subsystem |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101009551A (en) * | 2006-01-24 | 2007-08-01 | 华为技术有限公司 | Secret key management system and method of media stream based on IP multi-media sub-system |
| CN101369886A (en) * | 2007-08-17 | 2009-02-18 | 华为技术有限公司 | System, method and apparatus for implementing IPTV media contents security |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100574185C (en) * | 2005-01-07 | 2009-12-23 | 华为技术有限公司 | The method that in the IP multimedia service subsystem network, ensures media stream safety |
| CN101102185B (en) * | 2006-07-06 | 2012-03-21 | 朗迅科技公司 | Media security for IMS session |
-
2009
- 2009-06-30 CN CN200910150767.1A patent/CN101729535B/en not_active Expired - Fee Related
- 2009-12-23 WO PCT/CN2009/075901 patent/WO2010145160A1/en active Application Filing
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101009551A (en) * | 2006-01-24 | 2007-08-01 | 华为技术有限公司 | Secret key management system and method of media stream based on IP multi-media sub-system |
| CN101369886A (en) * | 2007-08-17 | 2009-02-18 | 华为技术有限公司 | System, method and apparatus for implementing IPTV media contents security |
Non-Patent Citations (3)
| Title |
|---|
| .《3GPP TR 33.828》.2009,第1.3.0卷第7.4节,图15. |
| 3GPP.3rd Generation Partnership Project |
| 3GPP.3rd Generation Partnership Project.《3GPP TR 33.828》.2009,第1.3.0卷第7.4节,图15. * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101729535A (en) | 2010-06-09 |
| WO2010145160A1 (en) | 2010-12-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8582766B2 (en) | Method for ensuring media stream security in IP multimedia sub-system | |
| EP2426852B1 (en) | Method and system for implementing secure forking calling session in ip multi-media subsystem | |
| CN104618110B (en) | A kind of VoIP security conferences session key transmission method | |
| KR100852146B1 (en) | System and method for lawful interception using trusted third parties in voip secure communications | |
| CN101094394A (en) | Method for guaranteeing safe transmission of video data, and video monitoring system | |
| CN104486077A (en) | End-to-end secret key negotiation method for VoIP (Voice Over Internet Protocol) real-time data safety transmission | |
| CN101420413A (en) | Session cipher negotiating method, network system, authentication server and network appliance | |
| CN101790160A (en) | Method and device for safely consulting session key | |
| US8705745B2 (en) | Method and system for transmitting deferred media information in an IP multimedia subsystem | |
| CN101729536B (en) | Method and system for transmitting delayed media information of IP multimedia subsystem | |
| RU2006140776A (en) | POSSIBILITY OF QUICK AND PROTECTED CONNECTIONS FOR MOBILE UNIT | |
| KR20090067041A (en) | Method and apparatus for sip registering and establishing sip session with enhanced security | |
| CN101572694B (en) | Method for acquiring media stream key, session equipment and key management function entity | |
| WO2017197968A1 (en) | Data transmission method and device | |
| CN101729535B (en) | Implementation method of media on-demand business | |
| CN101222324B (en) | Method and apparatus for implementing end-to-end media stream safety | |
| CN112019553B (en) | Data sharing method based on IBE/IBBE | |
| CN102025485A (en) | Key negotiation method, key management server and terminal | |
| CN101729533B (en) | Method and system for transmitting delay media information of IP multimedia subsystem | |
| KR20120087550A (en) | Encrypted Communication Method and Encrypted Communication System Using the Same | |
| Fries et al. | On the applicability of various multimedia internet keying (mikey) modes and extensions | |
| GB2390270A (en) | Escrowing with an authority only part of the information required to reconstruct a decryption key | |
| CN101719894B (en) | Implementing system and implementing method for securely sending delay media | |
| CN117857027A (en) | Group key management method and system based on quantum key distribution and token authorization technology | |
| CN113242121A (en) | Safety communication method based on combined encryption |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20130320 Termination date: 20200630 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |