CN101872399B - Dynamic digital copyright protection method based on dual identity authentication - Google Patents

Dynamic digital copyright protection method based on dual identity authentication Download PDF

Info

Publication number
CN101872399B
CN101872399B CN 201010214589 CN201010214589A CN101872399B CN 101872399 B CN101872399 B CN 101872399B CN 201010214589 CN201010214589 CN 201010214589 CN 201010214589 A CN201010214589 A CN 201010214589A CN 101872399 B CN101872399 B CN 101872399B
Authority
CN
China
Prior art keywords
user
digital
digital certificate
key
signature
Prior art date
Application number
CN 201010214589
Other languages
Chinese (zh)
Other versions
CN101872399A (en
Inventor
刘泉
李雷
江雪梅
Original Assignee
武汉理工大学
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 武汉理工大学 filed Critical 武汉理工大学
Priority to CN 201010214589 priority Critical patent/CN101872399B/en
Publication of CN101872399A publication Critical patent/CN101872399A/en
Application granted granted Critical
Publication of CN101872399B publication Critical patent/CN101872399B/en

Links

Abstract

The invention discloses a dynamic digital copyright protection method based on dual identity authentication, comprising the following steps of: downloading a digital certificate of a user into a USBKEY internally provided with a random number generator; when a user logins, after placing the USBKEY into a client end, activating the USBKEY according to the input PIN code command, acquiring the digital certificate in the USBKEY, when the digital certificate is valid, generating a random number sequence by the random number generator, when the signature information of a signature of the user to the random number sequence is right, playing or downloading media works files on line according to the user right specified by an expansion item of the digital item; and when the user does not login, after placing the USBKEY into the client end, activating the USBKEY according to the input PIN code command, acquiring the digital certificate in the USBKEY, and when the digital certificate is valid, playing media works files off line according to the user right specified by the expansion item of the digital item. The method can restrict the user use right and divide the user right range and is used for authenticating the off-line state user identity to prevent off-line diffusion.

Description

基于双重身份认证的动态数字版权保护方法 Based on two-factor authentication method of dynamic digital copyright protection

技术领域 FIELD

[0001] 本发明涉及信息安全领域,涉及数字版权保护和身份认证,特别涉及ー种基于双重身份认证的动态数字版权保护方法。 [0001] The present invention relates to information security field, relates to a digital copyright protection and authentication, particularly to seed ー dynamic digital copyright protection method based on a double authentication.

背景技术 Background technique

[0002] 随着网络传输和通信技术的飞速发展,网络多媒体文件的分发、复制与编辑变得越来越普遍,与此同时,服务提供商越来越強烈地要求保护其数字内容,版权问题得到了越来越多的关注。 [0002] With the rapid development of network transmission and communication technology, distribution network multimedia files, copying and editing becoming more common, at the same time, service providers increasingly strong demand for its digital content protection, copyright issues gaining more and more attention. 由此而产生的数字版权管理技术(Digital Rights Management,以下简称DRM)可以实现版权的保护,其结合硬件和软件的存取机制,对数字多媒体内容在其生命周期内的存取进行有效地控制。 Digital rights management technology (Digital Rights Management, hereinafter referred to as DRM) arising therefrom can be achieved is protected by copyright, which is a combination of hardware and software access mechanism for accessing digital multimedia content over its lifecycle effectively control . 目前,众多学者已经对DRM技术进行了深入广泛的研究。 At present, many scholars have been extensively studied in-depth for the DRM technology.

[0003] Steve K等人提出了一种隐私可保护的版权管理模式,该模式可以在线进行用户隐私受保护的身份认证许可,但是离线状态下无法定位版权用户的身份。 [0003] Steve K et al proposed a privacy can be protected by copyright management mode, which can be licensed user authentication privacy protected online, but offline users can not locate the identity of the copyright. Andreaux JP等人提出了一种用于数字家庭网络的版权保护系统,该系统将属性证书和许可证进行分离操作,从而实现了数字媒体的安全发放。 Andreaux JP et al proposed a copyright protection system for digital home network, the system will attribute certificates and licenses separation operation, enabling secure payment of digital media. 但是受所在网络的限制,还没有推广到广域网的范畴。 But where the network is limited, and has not yet reached the scope of the WAN. ShiHao等人则设计了一种用于协同的点对点对等网络的数字版权管理方案,该方案采用动态许可证技术,但是不支持版权受控内容的物理空间的迁移。 ShiHao and others designed a digital rights management scheme for collaborative peer-to-peer network, the program uses dynamic technology license, but does not support the migration of physical space copyright controlled content.

[0004] 虽然近年来的科研成果和实践经验已经取得了瞩目的成绩,但是版权管理平台上仍然存在着亟待解决的问题,具体表现在: [0004] Although in recent years, scientific research and practical experience has made remarkable achievements, but the copyright management platform there are still problems to be solved, in particular in:

[0005] (I)虽然在线状态下的身份认证技术很好地解决了用户的合法身份问题,但是,不能正确地约束用户的使用权限和清晰地划分用户的权限范围。 [0005] (I) Although the identity authentication technology in the online state solves the problem of legal status of users, however, can not be properly constrained user's permissions and to clearly divide the user's purview.

[0006] (2)由于目前还没有离线状态下的用户身份认证机制,用户在版权管理平台上通过身份认证后,下载到本地计算机上的数字多媒体文件可以通过常用的媒体播放器进行直接播放,这样就会导致数字多媒体作品被恶意地篡改或者窃取,不能有效地防止离线扩散。 [0006] (2) Since there is no user authentication mechanism under offline, users on copyright management platform through authentication, download the digital media files on your local computer can be played directly by popular media player, this will result in a digital multimedia work has been maliciously tampered with or stolen, it can not effectively prevent diffusion offline.

[0007] 因此,有必要提供一种改进的数字版权保护方法来克服现有技术的缺陷。 [0007] Accordingly, there is a need for an improved digital copyright protection method to overcome the drawbacks of the prior art.

发明内容 SUMMARY

[0008] 本发明的目的是提供一种基于双重身份认证的动态数字版权保护方法,USBKEY内的PIN码和数字证书能解决Steve K等人提出的版权管理模式中离线状态下无法定位版权用户的身份的问题、Andreaux JP等人提出的数字家庭网络的版权保护系未推广到广域网的范畴的问题、以及Shi Hao等人设计的用于协同的点对点对等网络的数字版权管理方案中不支持版权受控内容的物理空间的迁移的问题,并且数字证书的扩展项能在在线状态下正确约束用户的使用权限和清晰划分用户的权限范围,PIN码和数字证书能在离线状态下对用户身份进行认证,避免媒体作品被恶意地篡改或者窃取,有效防止离线扩散。 [0008] The object of the present invention to provide a dynamic digital copyright protection method based on the two-factor authentication, PIN code and digital certificates in USBKEY solve the user can not locate the copyright mode, copyright management Steve K et al in offline digital Rights management scheme in question, the copyright protection system Andreaux JP et al digital home network is not extended to the category of WAN problems, as well as point-peer for collaboration Shi Hao, who designed the network does not support copyright problem of migration of physical space controlled content, and digital certificate extensions correctly constrained user's permissions and clear division of online users in the purview of the state, PIN code and digital certificates can be user identity offline certification, to avoid media works have been maliciously tampered with or stolen, effectively preventing the proliferation offline.

[0009] 为了实现上述目的,本发明提供了一种基于双重身份认证的动态数字版权保护方法,包括如下步骤:(1)将用户的数字证书下载到内置有随机数发生器的USBKEY中;(2)当用户登录吋,在USBKEY置入客户端后,根据输入的PIN码ロ令激活USBKEY,进而获取USBKEY内的数字证书,当数字证书有效时,随机数发生器产生随机数序列,当用户对随机数序列签名的签名信息正确时,根据数字证书的扩展项所规定的使用权限在线播放或在线下载媒体作品文件;(3)当用户未登录时,在USBKEY置入客户端后,根据输入的PIN码ロ令激活USBKEY,进而获取USBKEY内的数字证书,当数字证书有效时,根据数字证书的扩展项所规定的使用权限离线播放媒体作品文件。 [0009] To achieve the above object, the present invention provides a dynamic digital copyright protection method based on two-factor authentication, comprising the steps of: (1) the user to download digital certificates have a built-in random number generator USBKEY; ( 2) when a user logs inch, after placement USBKEY client, according to the PIN code to activate USBKEY ro input order, and thus obtain a digital certificate within USBKEY, when the digital certificate is valid, the random number generator generates a random number sequence, when the user when the random number sequence for the signature of the signature information is correct, according to the specified digital certificate extensions usage rights to play online or download online media work file; (3) when the user is not logged into the client after USBKEY, according to the input ro make PIN code to activate USBKEY, and then obtain a digital certificate within USBKEY, when the digital certificate is valid, in accordance with the provisions of the digital certificate extensions to play offline media usage rights work file.

[0010] 在本发明的一个实施例中,所述方法还包括:(11)当用户将用户设定的PIN码和用户注册时系统自动生成的用户唯一标识符作为密钥要素,并利用密钥要素产生非对称密钥对后,CA代理中心对非对称密钥对的公钥中用户的身份信息进行审核,待用户的身份信息通过审核后,将非对称密钥对中的公钥和用户的身份信息发送至CA权威认证中心,(12)CA权威认证中心在用户的身份信息与公钥中的用户的身份信息信息一致时产生数字证书,将数字证书发送至CA代理中心;(13) CA代理中心将数字证书颁发给所有者或消费者,并将数字证书存储至数据库。 [0010] In one embodiment of the present invention, the method further comprises: (11) When the user sets the user's PIN code and the user registration system automatically generates a unique user identifier as a key element, and the use of dense after the key elements to generate asymmetric key pairs, CA Acting center of public asymmetric key pair, the user identity information be reviewed by the user identity information to be reviewed after the asymmetric key pair and a public key user identity information to the certification authority CA center, generating a digital certificate identification information coincides with the user (12 is) CA certification authority center of the user's identity and public key information, and transmits the digital certificate to the CA center agent; (13 ) CA agent center digital certificate issued to the owner or consumer, and digital certificates stored in the database.

[0011] 在本发明的另ー实施例中,所述数字证书包括用户的身份信息、公钥信息、CA权威认证中心的身份信息、CA权威认证中心对数字证书的签名、扩展项、以及有效期,其中用户的身份信息包含数字证书序列号、用户注册时提交的用户名称、以及系统平台为用户生成的唯一标识符,并由CA权威认证中心100来确定,扩展项包含在线播放、在线下载、离线播放媒体作品文件的权限信息。 [0011] In another embodiment of the present invention ー embodiment, the digital certificate information comprises a user's identity, public key information, identity information center certification authority CA, CA certification authority digital signature certificate center, extensions, and the expiration date , where the user's identity information contains a digital certificate serial number, user name submitted by the user registration system and platform for user-generated unique identifier by the CA certification authority to determine the center 100, extension contains online play, online download, offline playback media rights information work files.

[0012] 在本发明的又一实施例中,所述步骤(2)具体为:(21)在用户登录并将USBKEY置入客户端后,当输入的PIN码ロ令次数未超过规定次数时,输入PIN码ロ令,当输入的PIN码ロ令与USBKEY的PIN码相同时,激活USBKEY ; (22)获取USBKEY内的数字证书,当数字证书有效时,随机数发生器产生随机数序列;(23)在用户对由随机数发生器根据非对称密钥对中的私钥作为初始化种子产生的随机数、证书有效时间、以及目标接收者组成的报文签名以及签名信息通过私钥加密后,利用数字证书的公钥对加密的签名信息进行解密,将报文进行数字签名,根据签名的报文与解密的签名信息判断用户的签名是否正确;(24)当签名正确时,判断服务器是否为信息的接收者,数字证书的时间戳是否为当前时间;(25)当服务器是信息的接收者,数字证书的时间戳是当前时间时,根据数字证 (21) after the user logs into the client and USBKEY, when the PIN code entered ro order number does not exceed the predetermined number of times: [0012] In a further embodiment of the present invention, the step (2) specifically , enter the PIN ro order, when the PIN code with a PIN code entered by the order ro USBKEY while activating USBKEY; (22 is) in USBKEY obtain a digital certificate, when the digital certificate is valid, the random number generator generates a random number sequence; after (23) in the message signed by the user to initialize the random number generator seed produced according to an asymmetric key pair of the private key as a random number, certificate valid period, and the composition of the target recipient's private key and the signature information using a digital certificate encrypted public key to decrypt the signature information, the digitally signed message, the user is determined according to the packet signature and the signature information is decrypted signature is correct; (24) when the signature is correct, it is determined whether or not the server receiver time stamp, digital certificate information is the current time; (25) when the server is the recipient of information, digital certificate time stamp is the current time, the digital certificate 书的扩展项所规定的使用权限在线播放或下载媒体作品文件。 Provided for extensions of the book rights to use the online play or download media files works.

[0013] 在本发明的再一实施例中,所述步骤(3)具体为:(31)在用户未登录并将USBKEY置入客户端后,当输入的PIN码ロ令次数未超过规定次数时,输入PIN码ロ令,当输入的PIN码ロ令与USBKEY的PIN码相同时,激活USBKEY ; (32)获取USBKEY内的数字证书,当数字证书有效时,根据数字证书的扩展项所规定的使用权限离线播放媒体作品文件。 [0013] In a further embodiment of the present invention, the step (3) specifically comprises: (31) after the user is not logged into the client and USBKEY, so that when the number of PIN ro does not exceed a predetermined number of input when the input PIN code ro order, when the PIN code ro command input and USBKEY PIN code is the same, activating USBKEY; (32) obtains a digital certificate within USBKEY, when the digital certificate is valid, as specified by the extensions of digital certificates play offline media usage rights work file.

[0014] 在本发明的又一实施例中,所述方法还包括:当用户支付媒体作品文件的新使用权的费用后,更新用户的数字证书的扩展项和有效期;将更新的数字证书下载到USBKEY中以替代原有数字证书。 [0014] In a further embodiment of the present invention, the method further comprising: after the user pays the cost of the new right to use the media work file, update the user's digital certificate and the validity of the extensions; downloads the updated digital certificate to USBKEY to replace the original digital certificate.

[0015] 与现有技术相比,本发明基于双重身份认证的动态数字版权保护方法具有如下优点: [0016] (I)在在线状态和离线状态,均采用PIN码ロ令和数字证书来验证用户身份,这种双重身份验证避免了所有用户操作媒体文件,这样在离线状态下可以定位版权用户的身份,本发明家庭网络服务器组成ー个域,通过向管理家庭网络和提供数字内容的服务器端申请相应的证书,服务器端将域作为ー个整体管理,域中设备所申请的数字内容均被当作是域所申请,服务器端只与此用户域通信,而不与域中各设备直接通信,可将数字家庭网络的版权保护推广到广域网的范畴;通过秘密共享思想将数字证书的公钥分发给点对点对等网络中的可信任节点,为网络的数字版权管理中数字内容的分发提供了必要的安全保障,版权受控内容的物理空间可以迁移。 [0015] Compared with the prior art, the present invention has the advantage of two-factor authentication based on dynamic digital copyright protection method: [0016] (I) in online and offline PIN codes are used in order ro and digital certificates to verify user identity, such a two-factor authentication avoids all of the media files the user operation, so that identity can be positioned copyright offline user, a home network server according to the present invention is composed ー domain, and by providing digital content to the home network management server corresponding certificate, the server application domain as ー full management of digital content, the device application domain are deemed to be the application domain, the domain server communicate only with the user, and not directly communicate with the devices in the domain may be copyrighted digital home network is extended to the scope of the WAN; secret sharing ideas through public key digital certificates distributed to the trusted peer-to-node network and other digital distribution network provides the digital rights management the necessary security, physical space copyright content can be controlled migration.

[0017] (2)数字证书的扩展项规定了数字多媒体作品的使用权限,能实现在线下载、在线播放、离线播放的使用权限约束和权限范围划分。 [0017] (2) extensions digital certificate specifies the usage rights of digital multimedia works, can achieve online download, usage rights online, offline constraints and competence division.

[0018] (3)在在线状态吋,采用随机数发生器产生随机数序列要求用户签名,用户每次签名的随机数序列均不相同,实现了身份认证的动态性。 [0018] (3) online state inches, using a random number generator generates a random number sequence requires the user signature, each time the user signature sequence of random numbers are not the same, to achieve a dynamic identity authentication.

[0019] 通过以下的描述并结合附图,本发明将变得更加清晰,这些附图用于解释本发明的实施例。 [0019] the following description in conjunction with the accompanying drawings, the present invention will become apparent from these drawings to explain an embodiment of the present invention.

附图说明 BRIEF DESCRIPTION

[0020] 图I为本发明基于双重身份认证的动态数字版权保护方法的流程图。 [0020] Figure I is a flow chart of the dynamic digital copyright protection method of the present invention based on two-factor authentication.

[0021] 图2是图I所示基于双重身份认证的动态数字版权保护方法涉及的系统的架构图。 [0021] FIG. 2 is a diagram of a system architecture of FIG I in the dynamic digital copyright protection method based on two-factor authentication according to.

[0022] 图3为图I所示基于双重身份认证的动态数字版权保护方法中USBKEY的组成框图。 [0022] FIG. 3 is a block diagram shown in FIG. I USBKEY factor authentication based on dynamic digital copyright protection method.

[0023] 图4为图I所示基于双重身份认证的动态数字版权保护方法中实现在线播放或下载的流程图。 [0023] FIG 4 is a flowchart shown in FIG. I online play or download-based implementation of dynamic factor authentication digital copyright protection method.

[0024] 图5为图I所示基于双重身份认证的动态数字版权保护方法中实现离线播放的流程图。 [0024] FIG. 5 is a flow chart shown in FIG. I played offline factor authentication Based Dynamic digital copyright protection method.

[0025] 图6为图I所示基于双重身份认证的动态数字版权保护方法中为用户颁发数字证书的流程图。 [0025] FIG 6 is a flowchart shown in FIG. I dual digital certificate based authentication dynamic digital copyright protection method for a user issued.

具体实施方式 Detailed ways

[0026] 现在參考附图描述本发明的实施例,附图中类似的元件标号代表类似的元件。 [0026] Referring now to the accompanying drawings of embodiments of the present invention, the accompanying drawings in which like numerals represent like element elements throughout.

[0027] 參考图I和图2,本实施例基于双重身份认证的动态数字版权保护方法包括如下步骤: [0027] with reference to FIGS. I and 2, the present embodiment is based on the digital copyright protection method of dynamic factor authentication comprises the steps of:

[0028] 步骤SI,服务提供商将用户的数字证书下载到内置有随机数发生器的USBKEY(智能密码钥匙)500中,转步骤S2或步骤S3 ; [0028] Step the SI, the service provider will download the user's digital certificate to the internal random number generator of a USBKEY (smart key) 500, proceed to step S2 or step S3;

[0029] 步骤S2,当用户登录时,在USBKEY 500置入客户端(用户PC机)410后,动态身份认证模块根据输入的PIN码ロ令激活USBKEY 500,进而获取USBKEY 500内的数字证书,当数字证书有效时,随机数发生器产生随机数序列,当用户对随机数序列签名的签名信息正确时,根据数字证书的扩展项所规定的使用权限在线播放或在线下载媒体作品文件; [0029] Step S2, when the user logs on, after USBKEY 500 into the client (the user's PC) 410, dynamic authentication module activation USBKEY 500 according to the input order ro PIN code, and then obtain the digital certificate in USBKEY 500, when the digital certificate is valid, the random number generator generates a random number sequence, when the user of the random number sequence signature signature information is correct, according to the specified digital certificate extensions usage rights online play or download online media work files;

[0030] 步骤S3,当用户未登录时,在USBKEY 500置入客户端(用户PC机)410后,离线播放模块根据输入的PIN码ロ令激活USBKEY 500,进而获取USBKEY 500内的数字证书,当数字证书有效时,根据数字证书的扩展项所规定的使用权限离线播放媒体作品文件。 [0030] Step S3, the when the user is not logged into the client after USBKEY 500 (user's PC) 410, offline playback module activates USBKEY 500 according to the input order ro PIN code, and then obtain the digital certificate in USBKEY 500, when the digital certificate is valid, in accordance with the provisions of the digital certificate extensions to play offline media usage rights work file.

[0031] 由上可以看出,本实施例基于双重身份认证的动态数字版权保护方法具有如下优点: [0031] As can be seen from the above, the present embodiment has the advantage that a double authentication dynamic digital copyright protection method based on:

[0032] (I)在在线状态和离线状态,均采用PIN码ロ令和数字证书来验证用户身份,这种双重身份验证避免了所有用户操作媒体文件。 [0032] (I) in the online and offline, are used to make the PIN ro and digital certificates to authenticate users, this two-factor authentication for all user actions to avoid the media file.

[0033] (2)数字证书的扩展项规定了数字多媒体作品的使用权限,能实现在线下载、在线播放、离线播放的使用权限约束和权限范围划分。 [0033] (2) extensions digital certificate specifies the usage rights of digital multimedia works, can achieve online download, usage rights online, offline constraints and competence division.

[0034] (3)在在线状态吋,采用随机数发生器产生随机数序列要求用户签名,用户每次签名的随机数序列均不相同,实现了身份认证的动态性,即使黑客截获数字签名,也无法仿冒合法用户的身份。 [0034] (3) online state inches, using a random number generator generates a random number sequence requires the user signature, each time the user signature sequence of random numbers are not the same, to achieve a dynamic identity authentication, even if a hacker intercepts a digital signature, can not fake the identity of legitimate users.

[0035] 见图3,所述USBKEY 500包括硬件设备管理子模块510、非対称密钥管理子模块520、算法管理子模块530、数据加密管理子模块540、以及服务提供商下载的用户的数字证书550。 [0035] Figure 3, the USBKEY digital certificate management apparatus 500 includes a hardware sub-module 510, a non Dui said key management submodule 520, the algorithm management sub-module 530, a data encryption management sub-module 540, and the service provider's user downloads 550. 下面对USBKEY 500内的各组成部分进行详细说明。 Next, each of the components within USBKEY 500 described in detail.

[0036] 所述硬件设备管理子模块510包括USB识别控制単元511、PIN码鉴别CPU単元512、以及加密保护的EPROM 513。 [0036] The hardware device management submodule 510 includes a USB control radiolabeling identification element 511, PIN code discrimination CPU radiolabeling element 512, and the encrypted protected EPROM 513. 所述USB识别控制单元511用于识别USBKEY 500插入或拔出客户端(用户PC机)410的操作,在识别出USBKEY 500插入操作时控制客户端410的CPU (CentralProcessing Unit,中央处理器)读取用户输入的PIN码ロ令。 The USB control unit 511 for recognizing identification USBKEY 500 inserting or removing a client (the user's PC) operation 410, the identified CPU (CentralProcessing Unit, central processing unit) to control the client USBKEY 500 is inserted into the read operation 410 PIN code input by the user takes ro order. 所述PIN码鉴别CPU单元512用于判断CPU读取的PIN码ロ令的正误以及判断输入PIN码的次数。 The CPU PIN code discrimination unit 512 for determining correctness of a PIN code read by the CPU, and the judgment orders ro enter your PIN number. 所述EPROM单元513用于存储数字证书550、密钥等秘密数据,对该EPROM单元513的读写操作通过程序实现,用户无法直接读取,其中用户私钥是不可导出的,杜绝了复制用户数字证书或身份信息的可能性。 The EPROM cell 513 for storing secret data 550 digital certificates, keys, etc., the read and write operations implemented by a program EPROM cell 513, the user can not directly read, wherein the private key can not be derived from the user, the user eliminate replication the possibility of a digital certificate or identity information.

[0037] 所述非对称密钥管理子模块520用于将用户设定的PIN码和用户注册时系统自动生成的用户唯一标识符(ID)作为密钥要素,利用密钥要素采用RSA算法生成非対称密钥对,将非对称密钥对和数字证书550存储在加密保护的EPROM单元;密钥分为对称密钥和非对称密钥,并且均有有效期(密钥不能无限期使用,因为密钥使用时间越长,它泄露的机会就越大,引起的损失将越大)。 [0037] The asymmetric key management sub-module 520 for the user's unique identifier (ID) set by the user and the PIN code automatically generated user registration as a key element, the RSA algorithm using the key generation element Dui said non-key pair, the encryption protection EPROM cell in asymmetric key pair and digital certificate 550 stored; key is divided into a symmetric key and asymmetric key, and are valid (key can not be used indefinitely, as secret the longer the key time, the greater the chance it leaked, losses due to the greater). 在密钥有效期内,用户利用非対称密钥中的私钥加密报文,接收方利用数字证书中的公钥解密报文,当密钥有效期满时,利用密钥要素采用RSA算法重新生成非対称密钥对,根据重新生成的非対称密钥对更新密钥。 In Keylife, using a non-user Dui said private key of the encrypted message, the receiver using the digital certificate public key to decrypt the message, when the expiration date of the key, with the key elements of the RSA algorithm to regenerate said non-adhesion Dui key pair, said key non Dui regenerated to update key. 具体地,所述非对称密钥管理子模块520包括密钥安装生成単元521、密钥使用更新単元522、以及密钥存储撤销单元523。 In particular, the asymmetric key management submodule 520 includes a key generation radiolabeling mounting element 521, the key update using the radiolabeling element 522, and a revocation key storage unit 523. 密钥安装生成単元521用于将用户设定的PIN码和用户注册时系统自动生成的用户唯一标识符(ID)作为密钥要素,利用密钥要素采用RSA算法生成非対称密钥对;密钥使用更新单元522用于读取EPROM单元511中的非对称密钥对以及更新失效的非対称密钥对;密钥存储撤销单元523用于将生成的非対称密钥对保存到EPROM单元511中或删除EPROM单元511中中的非对称密钥对。 Element 521 generates a key installation for radiolabeling a unique user identifier (ID) and the user registered PIN code system set by the user as a key element automatically generated by using the RSA algorithm and a key element, said key pair generating non Dui; key using the update unit 522 for reading EPROM cell 511 asymmetric key pair and updating the failure of non-symmetric key Dui; Dui non-revoked key storage unit 523 for the generated key pair, said storage unit 511 to the EPROM or deleted EPROM cell 511 in the asymmetric key pair.

[0038] 所述算法管理子模块530用于对每个算法标注ー个ID进而存储和识别各个算法,在各个算法中选择进行加密的算法。 [0038] The algorithm management sub-module 530 for each algorithm ID number denoted ー Further storing and identifying individual algorithm, encryption algorithm selected in each algorithm. 其中,算法有RSA、DSA等非対称密钥算法,DES、RC6、RC5等对称密钥算法,SHA-U MD5等数据散列算法,标注ID进行算法存储的方式能实现算法的合理存储,更好地解决USBKEY空间存储问题。 Wherein the algorithm RSA, DSA and other non Dui said key algorithm, DES, RC6, RC5 other symmetric key algorithm, SHA-U MD5 hash algorithm data and the like are denoted by the algorithm ID is stored in sensible manner stored algorithm, better USBKEY storage space to solve the problem. 具体地,所述算法管理子模块530包括算法库管理単元531、加密算法选择单元532、以及随机数发生器533。 Specifically, the algorithm management sub-module 530 includes an algorithm database management radiolabeling element 531, an encryption algorithm selection unit 532, and a random number generator 533. 算法库管理単元531负责管理非対称密钥算法、对称密钥算法、数据散列算法;加密算法选择单元532负责根据任务要求调度每个算法;随机数发生器533有ー个输入參数,即初始化种子,初始化种子不同,据此可产生每次不一样的随机数序列。 Library management algorithm 531 is responsible for managing the non-radiolabeling membered Dui symmetric key algorithm, a symmetric key algorithm, hash algorithm data; encryption algorithm selection unit 532 is responsible for scheduling to the tasks that each algorithm; ー random number generator 533 has input parameters, i.e., initialization different seed, seed initialization, whereby each can generate a different sequence of random numbers.

[0039] 所述数据加密管理子模块540用于根据算法管理子模块530选择的加密算法进行数据的加密,井根据根据算法管理子模块530选择的加密算法进行数据的解密。 [0039] The encrypted data management sub-module 540 for data encryption algorithm according to the encryption algorithm management sub-module 530 is selected, in accordance with well data management algorithm according to the encryption algorithm selected by the sub-module 530 to decrypt. 具体地,所述数据加密管理子模块540包括数据加密实现单元541、数据解密实现单元542、以及数据文件签名单元543。 Specifically, the encrypted data management sub-module 540 comprises a data encryption unit 541 implemented, achieve data decrypting unit 542, signing unit 543 and a data file. 数据加密实现单元541负责加密算法的操作;数据解密単元542负责解密算法的操作;数据文件签名单元543负责数字签名的操作。 The operation unit 541 is responsible for the encryption algorithm to encrypt data to achieve; 542 yuan is responsible for radiolabeling data is decrypted decryption algorithm; data file 543 signatures unit responsible for digital signature operations.

[0040] 由上可以看出,所述USBKEY 500可以看作是智能卡和读卡器的联合体。 [0040] As can be seen from the above, the consortium can be regarded as USBKEY 500 and smart card reader.

[0041] 如图4并结合图2和图3,所述步骤S2具体为: [0041] FIG. 4 in conjunction with FIGS. 2 and 3, the step S2 is specifically:

[0042] 步骤S21,在用户登录后,USBKEY 500的硬件设备管理子模块510的USB识别控制单元511识别出USBKEY 500插入客户端(用户PC机)410操作时,PIN码鉴别CPU单元512判断输入的PIN码ロ令次数是否超过规定次数,若是,结束(封锁用户ロ令,防止了非本人使用),若否,继续下一歩; [0042] In step S21, the user is logged, USBKEY hardware management sub-module 500 USB recognition control unit 511 510 recognizes when a USBKEY 500 is inserted into the client (the user's PC) 410 operation, PIN code authentication CPU unit 512 judges that the input whether the PIN code ro make the number exceeds a predetermined number of times, and if so, the end (block user ro order to prevent the use of non-I), if not, continue to the next ho;

[0043] 步骤S22,待用户输入PIN码ロ令后,USB识别控制单元511控制客户端410的CPU读取用户输入的PIN码ロ令,PIN码鉴别CPU单元512判断输入的PIN码ロ令是否正确,若是,继续下一歩,若否,转步骤S21 ; After the [0043] step S22, the user enters the PIN code to be order ro, USB recognition control unit 511 controls the client terminal CPU 410 reads the PIN entered by the user so ro, PIN code authentication unit 512 CPU determines whether the input PIN code if the order ro correct, and if so, proceed to the next ho, if not, go to step S21;

[0044] 步骤S23,服务器端(版权管理平台服务器)230通过网络获取USBKEY 500的数字证书550,判断USBKEY 500的EPROM单元513存储的数字证书550是否有效,若是,继续下 [0044] Step S23, the server (Rights Management Platform server) via a network 230 acquires USBKEY 500 digital certificate 550, digital certificate 513 stored in the EPROM unit 550 determines whether a valid USBKEY 500, if yes, proceed to the next

一步,右否,结束; Step right not, end;

[0045] 步骤S24,USBKEY 500的非対称密钥管理子模块520中的密钥安装生成单元521将用户设定的PIN码和用户注册时系统自动生成的用户唯一标识符(ID)作为密钥要素,采用RSA算法生成非対称密钥对(公钥+私钥);算法管理子模块530中的随机数发生器533根据非对称密钥对中的私钥作为初始化种子产生随机数r。 [0045] Step S24, USBKEY 500 non Dui said user's unique identifier (ID) and a user PIN code registration system key generation unit 521 is mounted a key management sub-module 520 will be set by the user as a key element automatically generated using RSA key generation algorithm to said non Dui (public + private); 533 a random number generator algorithm management sub-module 530 in accordance with an asymmetric private key pair as an initialization seed generates a random number r. ,并将随机数r。 And the random number r. 、证书有效时间tc、以及目标接收者S。 Certificate valid time tc, as well as the intended recipient S. 作为报文;数据加密管理子模块540的数据文件签名単元543通过用户对报文进行签名,得到签名信息S(r。,t。,s。);数据加密管理子模块540的数据加密实现単元541利用非対称密钥对中的私钥对签名信息SOvtc^sc)进行加密,将加密的签名信息和报文一起发送至服务器端230,其中,数字签名是对整个报文进行的单向函数,是ー组代表报文特征的定长代码,若仅改变报文中的ー处,数字签名就完全不同。 As packets; data encryption management sub-module 540 of the data file signature radiolabeling element 543 to sign the packets by the user to obtain the signature information S (r, t, s...); Management, data encryption sub-module data encryption 540 implemented radiolabeling element Dui 541 using a non-private key pair, said signature information SOvtc ^ sc) is encrypted, the encrypted signature information transmitted to the server 230 together with the message, wherein the digital signature is a one-way function of the entire packet, is a fixed length code indicates the packet group ー wherein, if the only change ー message, the digital signature is completely different.

[0046] 步骤S25,服务器端230从数字证书550中提取用户的公钥,利用用户的公钥对数据加密管理子模块540发送的加密的签名信息进行解密,得到ー个数字签名的明文,另外,服务器端230将数据加密管理子模块540发送的报文进行相同的数字签名,并与数字签名的明文比对一致性来验证数据文件签名单元543签名是否正确; [0046] Step S25, the server 230 extracts the user's public key from the digital certificate 550, using the user's public encryption signature information of the encrypted data transmission management sub-module 540 decrypts the digital signature to obtain a plaintext ー, further , the message server 230 to encrypt data transmitted management sub-module 540 performs the same digital signature and the digital signature to verify the consistency of the ratio of plaintext data file signature unit 543 whether the signature is correct;

[0047] 步骤S26,当签名正确时,服务器端230验证服务器是否为信息的接收者,数字证书550的时间戳是否为当前时间(这样任何拥有用户公钥的人都可根据验证结果接收或拒绝接收报文,同时实现禁止伪造数字签名及对报文的修改); [0047] step S26, the signature is correct when the server side authentication server 230 whether the recipient information, digital certificate timestamp 550 is the current time (so that anyone can have the public key of the user according to the verification result of acceptance or rejection receive messages, while achieving a ban on fake digital signatures and messages modification);

[0048] 步骤S27,当服务器230是信息的接收者且数字证书的时间戳是当前时间时,服务器端230根据数字证书550的扩展项内容判断用户是否具有在线播放或在线下载媒体文件的权限,若是,继续下一歩,若否,结束; [0048] step S27, the server 230 when the information is the recipient of the digital certificate and the time stamp is the current time, the server 230 determines whether the user has permission to online play or download media files online digital content certificate extensions 550, If so, continue to the next ho, if not, end;

[0049] 步骤S28,服务器端230允许在线播放或在线下载媒体文件。 [0049] step S28, the server 230 allows online play or download media files online.

[0050] 由上可以看出,当用户在线播放或在线下载媒体文件时,采用PIN码ロ令和数字证书双重认证用户的身份,实现了身份认证的高度可信性,采用随机数发生器产生随机数序列,每次用户的身份认证的随机数序列均不相同,实现了身份认证的动态性。 [0050] As can be seen from the above, when the user is online play online or download media files, using the PIN ro make two-factor authentication and digital certificate the user's identity, to achieve a high degree of credibility authentication, random number generator sequence of random numbers, each random number sequence identity of the user are not the same, to achieve a dynamic identity authentication. 此外,数字证书的扩展项明确规定了被授权多媒体文件与用户之间的权限关系,解决了在线观看和下载权限分配问题。 In addition, the digital certificate extensions clearly defines the relationship between the authority is authorized to multimedia files with users, online viewing and download to solve the problem of distribution of competences. [0051] 如图5以及图2、图3,所述步骤S3具体为: [0051] As shown in FIG. 5 and FIG. 2, FIG. 3, step S3 is specifically:

[0052] 步骤S31,在用户登录后,USBKEY 500的硬件设备管理子模块510的USB识别控制单元511识别出USBKEY 500插入客户端(用户PC机)410操作时,PIN码鉴别CPU单元512判断输入的PIN码口令次数是否超过规定次数,若是,结束(封锁用户口令,防止了非本人使用),若否,继续下一步; [0052] step S31, the user is logged, USBKEY hardware management sub-module 500 USB recognition control unit 511 510 recognizes when a USBKEY 500 is inserted into the client (the user's PC) 410 operation, PIN code authentication CPU unit 512 judges that the input PIN code password number exceeds a predetermined number, and if so, the end (user password blockade to prevent the use of non-I), if not, continue to the next step;

[0053] 步骤S32,待用户输入PIN码口令后,USB识别控制单元511控制客户端410的CPU读取用户输入的PIN码口令,PIN码鉴别CPU单元512判断输入的PIN码口令是否正确,若是,继续下一步,若否,转步骤S31 ; [0053] step S32, until the user enters a PIN password, USB recognition control unit 511 controls the client terminal CPU 410 reads the PIN code input by the user password, the PIN code PIN code authentication password CPU unit 512 determines whether the input is correct, if , continuing, if not, go to step S31;

[0054] 步骤S33,客户端410获取USBKEY 500的数字证书550,判断USBKEY 500的EPROM单元513存储的数字证书550是否有效,若是,继续下一步,若否,结束; [0054] step S33, the client 410 obtains a digital certificate 550 of USBKEY 500 determines EPROM cell USBKEY 500 digital certificate 513 stored in the 550 is valid, and if so, continuing, if not, ending;

[0055] 步骤S34,客户端410根据数字证书550的扩展项内容判断用户是否具有离线播放媒体文件的权限,若是,继续下一步,若否,结束; [0055] step S34, the client 410 according to the contents of the digital certificate extensions 550 determines whether the user has permission to play the media file offline, and if so, continuing, if not, ending;

[0056] 步骤S35,客户端410允许离线播放媒体文件。 [0056] step S35, the client 410 allows offline playback of media files.

[0057] 由上可以看出,当用户离线播放媒体文件时,采用PIN码口令和数字证书550双重认证用户的身份,实现了身份认证的高度可信性;数字证书的扩展项明确规定了被授权多媒体文件与用户之间的权限关系,解决了离线播放权限分配问题。 [0057] As can be seen from the above, when the user is offline play a media file using the PIN code authentication password and user identity dual digital certificate 550, to achieve a high degree of credibility of the authentication; digital certificate extensions are clearly defined authorization multimedia file permissions relationship between the user and solve the problem of distribution rights for offline playback.

[0058] 在本实施例中,所述数字证书550是由CA权威认证中心100和数字证书管理模块200签发的。 [0058] embodiment, the digital certificate 550 is issued by the central certification authority CA 100 and digital certificate management module 200 in the present embodiment. 如图2,所述数字证书管理模块200包括CA代理中心210、数据库220以及服务器端(版权管理平台服务器)230,则如图6,所述基于双重身份认证的动态数字版权保护方法还包括步骤: 2, the digital certificate 210 includes a management module 200, database 220 and server (Rights Management Platform server) the CA center agents 230, is shown in FIG 6, the two-factor authentication based on the dynamic digital copyright protection method further comprises the step of :

[0059] 步骤S61,当用户将用户设定的PIN码和用户注册时系统自动生成的用户唯一标识符(ID)作为密钥要素,利用密钥要素采用RSA算法通过USBKEY500的非对称密钥管理子模块520产生非对称密钥对(公钥+私钥)并通过版权管理平台服务器230发送所述非对称密钥对中的公钥至CA代理中心210,CA代理中心210对公钥中用户的身份信息进行审核,待用户的身份信息通过审核后,将非对称密钥对中的公钥和用户的身份信息发送至CA权威认证中心100 ; [0059] step S61, the user's unique identifier (ID) set by the user when the user's PIN code and the user registration system automatically generated as a key element, key element using the RSA asymmetric key algorithm management USBKEY500 sub-module 520 generates a pair (public + private key) and transmits the DRM platform server 230 via asymmetric key of an asymmetric key pair the public key to the CA center agents 210, CA agent public key of the user 210 review identity information, the user's identity information to be approved, an asymmetric key pair of public key and the user identification information to the center 100 CA certification authority;

[0060] 步骤S62,CA权威认证中心100在用户的身份信息与公钥中的用户的身份信息信息一致时产生数字证书550,所述数字证书550的格式是以X. 509数字证书格式作为标准,其包括用户的身份信息、公钥信息、CA权威认证中心100的身份信息、CA权威认证中心100对数字证书550的签名、以及数字证书的扩展项、时间戳和有效期,其中所述用户的身份信息包含证书序列号、用户注册时提交的用户名称、系统平台为用户生成的唯一标识符(ID),并由CA权威认证中心100来确定,所述数字证书的扩展项包含在线播放、在线下载、离线播放媒体作品文件的权限信息(只有数字证书在有效期范围内,同时数字证书的扩展项表明了在线播放、在线下载、离线播放权限,用户才能进行对应的操作),数字证书中的用户的身份信息表明用户的身份是否合法,公钥用于解密密文,扩展 [0060] step S62, user identity information 100 CA certification authority center and the public user identity information is generated in the same digital certificate 550, the format of the digital certificate 550 is the X. 509 digital certificate format as the standard , which includes the user's identity information, public key information, identity information center 100 CA certification authority, the certification authority CA digital certificate center 100 550 signatures, and digital certificates extensions, timestamps and expiration date, in which the user identity certificate contains the serial number, user name submitted by the user registration, a unique identifier (ID) system platform for user-generated by the CA certification authority center 100 to determine the digital certificate of extension contains online play, online rights information download, offline play media work files (only digital certificate within the validity range, while the digital certificate extensions indicate that the online play, online download, offline playback permission, users can perform the corresponding operation), digital certificate users the identity information indicates that the user's identity is legitimate, public key is used to decrypt the ciphertext, extension 用于限定用户权限,时间戳保证实时传输,有效期监控数字证书的有效性; For defining user permissions, timestamps ensure the effectiveness of real-time transmission, monitoring validity of digital certificates;

[0061] 步骤S63,CA权威认证中心100将数字证书550发送至CA代理中心210,CA代理中心210将数字证书550颁发给用户,并将数字证书存储在数据库220中。 [0061] Step S63, 100 digital certificate authority CA 550 transmits to the authentication center CA agent center 210, the center 210 CA agent 550 digital certificate issued to a user, and a digital certificate stored in the database 220.

[0062] 由上可以看出,CA代理中心210负责审核用户的身份,CA权威认证中心100负责签发数字证书。 [0062] As can be seen from the above, CA 210 center agents responsible for auditing the user's identity, CA certification authority is responsible for issuing digital certificates 100 center.

[0063] 另外,所述基于双重身份认证的动态数字版权保护方法还包括步骤: [0063] Further, the dynamic digital copyright protection method based on two-factor authentication further comprising the step of:

[0064] 步骤S101,当用户通过版权管理平台服务器230向CA代理中心210发送更新证书请求或作废证书请求后,CA代理中心210对更新证书请求或作废证书请求中包含的用户身份信息进行审核,当用户身份信息审核通过后,CA代理中心210将用户的私钥作为初始化种子产生定长代码的随机数序列,待用户对随机数序列签名后,向CA权威认证中心100申请更新证书或撤销证书; [0064] step S101, and when the user 230 sends 210 to the CA agent center through DRM platform server updates the certificate request or invalid certificate request, the user identity information CA agent center 210 updates the certificate request or revoked certificates contained in the request for review, when the user identity information for approval, CA agent center 210 user's private key to generate a random number sequence fixed-length code as an initialization seed until after the user signature sequence of random numbers, the certification authority CA certificate 100 Center update application or revocation of a certificate ;

[0065] 步骤S102,CA权威认证中心100更新数字证书550并将更新后的数字证书通过CA代理中心210发送至用户,或撤销数字证书并将撤销的数字证书加入证书撤销列表CRL中。 [0065] step S102, the digital certificate of the certification authority CA center 100 updates the updated digital certificate 550 sent by the CA agent 210 to the center of the user, or revoke digital certificates and certificate revocation list CRL is added revoked digital certificates.

[0066] 由上可以看出,CA代理中心210负责处理对于数字证书的更新请求或作废请求,CA权威认证中心100负责更新数字证书或撤销数字证书。 [0066] As can be seen from the above, the CA agent 210 is responsible for central processing digital certificate update request or invalid request, the certification authority CA Center 100 is responsible for updating digital certificate or digital certificate revocation.

[0067] 此外,所述基于双重身份认证的动态数字版权保护方法还包括步骤: [0067] In addition, the dynamic digital copyright protection method based on two-factor authentication further comprising the step of:

[0068] 步骤S201,在用户通过版权管理平台服务器230向CA代理中心210提出证书状态查询请求后,CA代理中心210对证书状态查询请求中包含的用户身份信息进行审核; [0068] step S201, the user through the DRM platform server 230,210 raised after the certificate status inquiry request, the user identity information in the certificate status inquiry request 210 to the CA agent center included in the review CA agent center;

[0069] 步骤S202,当用户身份信息审核通过后,CA权威认证中心100查询数字证书550中的时间戳或查询证书撤销列表CRL,当时间戳是当前时间时,确定证书550的状态是在有效期内,当数字证书550位于证书撤销列表CRL时,确定证书的状态是已被撤销。 [0069] step S202, when the user identity information for approval, CA certification authority center (100) of the query time stamp 550 digital certificate or certificate revocation list query the CRL, when the current time stamp, it is determined 550 that the certificate status is valid the, when the digital certificate 550 is located in the CRL certificate revocation list, determine the status of a certificate that has been revoked.

[0070] 由上可以看出,CA代理中心210负责处理对于数字证书的状态查询请求,CA权威认证中心100负责查询数字证书的状态。 [0070] As can be seen from the above, the agent CA responsible for the center 210 of the digital certificate status query request, the status query 100 is responsible for digital certificate authority CA Certification Authority.

[0071] 在本实施例中,所述基于双重身份认证的动态数字版权保护方法还包括步骤: [0071] In the present embodiment, the dynamic digital copyright protection method based on two-factor authentication further comprising the step of:

[0072] 步骤S301,当用户支付媒体文件的新使用权的费用后,CA代理中心210向CA权威认证中心100申请更新用户的数字证书550的扩展项和有效期; [0072] step S301, when the cost of the new right to use the user to pay a media file, CA agent center 210 to 100 CA certification authority center application to update the user's digital certificate 550 extensions and expiration date;

[0073] 步骤S302,在CA权威认证中心100更新数字证书550后,服务提供商将更新的数字证书下载到USBKEY 500中以替代原有数字证书550。 [0073] step S302, the CA certification authority in the center of the 100 updated digital certificate 550, service providers will be updated digital certificate is downloaded to USBKEY 500 to replace the original digital certificate 550.

[0074] 由上可以看出,当数字证书到期、无效后,CA代理中心210可以根据用户的要求在支付了新使用权费用的前提下,更新数字证书,用户可以继续使用更新了数字证书的USBKEY 500进行在线播放、在线下载、离线播放操作。 [0074] As can be seen from the above, when the digital certificate expires after invalid, CA agent center 210 according to the requirements of users in paying the cost of a new right to use the premise updated digital certificate, users can continue to use the updated digital certificate the USBKEY 500 online play, online download, offline playback operation.

[0075] 以上结合最佳实施例对本发明进行了描述,但本发明并不局限于以上揭示的实施例,而应当涵盖各种根据本发明的本质进行的修改、等效组合。 [0075] or more with the preferred embodiments of the present invention has been described, but the present invention is not limited to the embodiments disclosed above, but should cover various modifications included within the spirit of the present invention, equivalent combinations.

Claims (5)

1. 一种基于双重身份认证的动态数字版权保护方法,包括如下步骤: (1)将用户的数字证书下载到内置有随机数发生器的智能密码钥匙中; (2)当用户登录时,在智能密码钥匙置入客户端后,根据输入的PIN码ロ令激活智能密码钥匙,进而获取智能密码钥匙内的数字证书,当数字证书有效时,随机数发生器产生随机数序列,在用户对由随机数发生器根据非对称密钥对中的私钥作为初始化种子产生的随机数、证书有效时间、以及目标接收者组成的报文签名以及签名信息通过私钥加密后,将加密的签名信息和报文一起发送至服务器端,服务器端从数字证书中提取用户的公钥,利用用户的公钥对加密的签名信息进行解密,得到ー个数字签名的明文,另外,服务器端将报文进行相同的数字签名,根据签名的报文与解密的签名信息判断用户的签名是否正确,当用 A method of dynamic digital copyright protection based on two-factor authentication, comprising the steps of: (1) the user to download digital certificates smart key built-in random number generator; (2) when the user logs in after the client smart key inserted, according to the activation order of the PIN code input ro smart key, and thus obtain a digital certificate within the smart key, when the digital certificate is valid, the random number generator generates a random number sequence, by a user of a random number generator in accordance with an asymmetric key pair of the private key as a random number initialization seed produced, time message signing certificate is valid, and the composition of the target recipient information and the signature private key encryption, and the encrypted signature information to send packets with the server, the server extracts the user's public key from the digital certificate, the encrypted signature information is decrypted using the user's public key, a digital signature to obtain plaintext ー addition, the server sends the packet to the same digital signature, according to the signature information to determine the user's message signature and decryption of the signature is correct, when used 签名信息正确时,根据数字证书的扩展项所规定的使用权限在线播放或在线下载媒体作品文件; (3)当用户未登录时,在智能密码钥匙置入客户端后,根据输入的PIN码ロ令激活智能密码钥匙,进而获取智能密码钥匙内的数字证书,当数字证书有效时,根据数字证书的扩展项所规定的使用权限离线播放媒体作品文件, 其特征在于,还包括: (11)当用户将用户设定的PIN码和用户注册时系统自动生成的用户唯一标识符作为密钥要素,并利用密钥要素产生非対称密钥对后,CA代理中心对非对称密钥对的公钥中用户的身份信息进行审核,待用户的身份信息通过审核后,将非对称密钥对中的公钥和用户的身份信息发送至CA权威认证中心; (12) CA权威认证中心在用户的身份信息与公钥中的用户的身份信息信息一致时产生数字证书,将数字证书发送至CA代理中心; (13) When the correct signature information, in accordance with the provisions of the digital certificate extensions usage rights to play online or download online media work file; (3) when the user is not logged in the smart key into the client, according to the PIN code input ro so activate smart key, and then obtain a digital certificate in the smart key, effective when the digital certificate, in accordance with the provisions of the digital certificate extensions permissions offline media work file, characterized by further comprising: (11) when when the user sets the user's PIN code and the user registration system automatically generates a unique user identifier as a key element, and generates the key pair, said non Dui, CA public key of the agent of the center key of the asymmetric key elements user identity information for review by the user identity information to be reviewed after the asymmetric key pair of public key and the user identification information to the central certification authority CA; (12 is) CA certification authority identity of the user information center generating a digital certificate identification information coincides with the user public key, the digital certificate will be sent to the CA center agent; (13) CA代理中心将数字证书颁发给所有者或消费者,并将数字证书存储至数据库。 CA agent center digital certificate issued to the owner or consumer, and digital certificates stored in the database.
2.如权利要求I所述的基于双重身份认证的动态数字版权保护方法,其特征在于,所述数字证书包括用户的身份信息、公钥信息、时间戳、CA权威认证中心的身份信息、CA权威认证中心对数字证书的签名、扩展项、以及有效期,其中用户的身份信息包含数字证书序列号、用户注册时提交的用户名称、以及系统平台为用户生成的唯一标识符,并由CA权威认证中心来确定,扩展项包含在线播放、在线下载、离线播放媒体作品文件的权限信息。 2. I claim the digital copyright protection method based on a dynamic two-factor authentication, and wherein said digital certificate includes user identity information, public key information, a time stamp, identity information center certification authority CA, CA certification authority center for digital signature certificates, extensions, and the expiration date, in which the user's identity information contains a unique identifier for digital certificate serial number, user name submitted by the user registration system and platform for user-generated by the CA certification authority Center to determine whether, extension contains online play, download permission information online, offline play media files works.
3.如权利要求I所述的基于双重身份认证的动态数字版权保护方法,其特征在于,所述步骤(2)进ー步包括: 在用户登录并将智能密码钥匙置入客户端后,当输入的PIN码ロ令次数未超过规定次数吋,输入PIN码ロ令,当输入的PIN码ロ令与智能密码钥匙的PIN码相同时,激活智能密码钥匙; 当用户的签名正确时,判断服务器是否为信息的接收者,数字证书的时间戳是否为当前时间; 当服务器是信息的接收者,数字证书的时间戳是当前时间时,根据数字证书的扩展项所规定的使用权限在线播放或下载媒体作品文件。 3. I claim the digital copyright protection method based on a dynamic two-factor authentication, and wherein said step (2) into ー claim further comprising: after the user logs into smart key and the client, when PIN code ro make the number of inputs does not exceed a predetermined number of inches, enter the PIN ro order, when the PIN code ro make the smart key PIN code is the same, activated smart key; when the user's signature is correct, it is determined server whether the time stamp recipients, digital certificate information is the current time; when the server is the recipient of the information, the time stamp of digital certificates is the current time, in accordance with the provisions of the digital certificate extensions usage rights to play online or download media works file.
4.如权利要求I所述的基于双重身份认证的动态数字版权保护方法,其特征在于,所述步骤(3)具体为: (31)在用户未登录并将智能密码钥匙置入客户端后,当输入的PIN码ロ令次数未超过规定次数时,输入PIN码ロ令,当输入的PIN码ロ令与智能密码钥匙的PIN码相同时,激活智能密码钥匙; (32)获取智能密码钥匙内的数字证书,当数字证书有效时,根据数字证书的扩展项所规定的使用权限离线播放媒体作品文件。 4. The dynamic digital copyright protection method based on the two-factor authentication according to claim I, wherein said step (3) specifically comprises: (31) and the smart key user is not logged into the client after when the PIN code ro order number entered was not a predetermined number of times over, enter the PIN ro order, when the PIN code entered ro make the smart key PIN code is the same, activated smart key; (32) acquires smart key digital certificates within, when the digital certificate is valid, in accordance with the provisions of the digital certificate extensions to play offline media usage rights work file.
5.如权利要求I所述的基于双重身份认证的动态数字版权保护方法,其特征在于,还包括: 当用户支付媒体作品文件的新使用权的费用后,更新用户的数字证书的扩展项和有效期; 将更新的数字证书下载到智能密码钥匙中。 When the user pays the cost of the new right to use the media work file, update extensions and the user's digital certificate: 5. I the dynamic factor authentication based on digital copyright protection method, characterized as claimed in claim further comprising valid; the updated digital certificate is downloaded to the smart key.
CN 201010214589 2010-07-01 2010-07-01 Dynamic digital copyright protection method based on dual identity authentication CN101872399B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010214589 CN101872399B (en) 2010-07-01 2010-07-01 Dynamic digital copyright protection method based on dual identity authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010214589 CN101872399B (en) 2010-07-01 2010-07-01 Dynamic digital copyright protection method based on dual identity authentication

Publications (2)

Publication Number Publication Date
CN101872399A CN101872399A (en) 2010-10-27
CN101872399B true CN101872399B (en) 2012-08-22

Family

ID=42997256

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010214589 CN101872399B (en) 2010-07-01 2010-07-01 Dynamic digital copyright protection method based on dual identity authentication

Country Status (1)

Country Link
CN (1) CN101872399B (en)

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102082669A (en) * 2010-12-23 2011-06-01 深圳市文鼎创数据科技有限公司 Security certification method and device
CN102780572A (en) * 2011-05-11 2012-11-14 中兴通讯股份有限公司 License management method and device
CN102427459B (en) * 2011-12-23 2014-03-05 杭州数盾信息技术有限公司 Offline authorization method based on Usbkeys
CN102413146B (en) * 2011-12-23 2014-02-19 杭州数盾信息技术有限公司 Client authorized logon method based on dynamic codes
CN103049705B (en) * 2012-06-08 2016-08-03 深圳市朗科科技股份有限公司 A kind of based on virtualized method for secure storing, terminal and system
CN103051453B (en) * 2012-12-17 2016-03-23 连连银通电子支付有限公司 A mobile terminal network secure transaction system and method based on digital certificates
CN104253801B (en) * 2013-06-28 2017-09-22 中国电信股份有限公司 Realize the methods, devices and systems of login authentication
CN104579663B (en) * 2013-10-24 2018-03-27 上海中移通信技术工程有限公司 For the method for the validity for limiting digital certificate
CN104780141B (en) 2014-01-10 2018-07-03 电信科学技术研究院 Message Authentication acquisition methods and equipment in a kind of car networking system
CN103929310A (en) * 2014-04-25 2014-07-16 长沙市梦马软件有限公司 Mobile phone client side password unified authentication method and system
CN105323204B (en) * 2014-05-29 2019-05-31 中兴通讯股份有限公司 Interaction classroom network system realization and server end
CN104901803A (en) * 2014-08-20 2015-09-09 易兴旺 Data interaction safety protection method based on CPK identity authentication technology
CN105553662B (en) * 2014-10-29 2019-01-08 航天信息股份有限公司 Dynamic digital copyright protection method and system based on id password
CN104504323B (en) * 2014-12-16 2017-06-06 浪潮集团有限公司 A kind of IPMI management systems with encryption certification
CN104866736B (en) * 2015-05-26 2017-10-03 武汉大学 The system for numeral copyright management and method of a kind of non-proliferation
CN105516136B (en) * 2015-12-08 2019-05-24 深圳市口袋网络科技有限公司 Right management method, device and system
CN106921623A (en) * 2015-12-25 2017-07-04 航天信息股份有限公司 Tagged keys update method and system
CN106209849A (en) * 2016-07-13 2016-12-07 浪潮电子信息产业股份有限公司 A kind of implementation of the double factor login mode that can freely open and close
CN106778323B (en) * 2016-10-24 2018-06-26 北京亚控科技发展有限公司 A kind of safety key of configurable control integration platform
CN106452795A (en) * 2016-11-25 2017-02-22 成都三零凯天通信实业有限公司 USB decryption Key
CN106713279A (en) * 2016-11-29 2017-05-24 北京航天爱威电子技术有限公司 Video terminal identity authentication system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1367475A2 (en) 2002-05-15 2003-12-03 Microsoft Corporation Software application protection by way of a digital rights management (DRM) system
CN1971576A (en) 2006-12-08 2007-05-30 华中科技大学 On-line digital copyright management method and its management server
CN101714195A (en) 2009-07-22 2010-05-26 北京创原天地科技有限公司 Digital certificate-based novel digital copyright protection method and device

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1367475A2 (en) 2002-05-15 2003-12-03 Microsoft Corporation Software application protection by way of a digital rights management (DRM) system
CN1971576A (en) 2006-12-08 2007-05-30 华中科技大学 On-line digital copyright management method and its management server
CN101714195A (en) 2009-07-22 2010-05-26 北京创原天地科技有限公司 Digital certificate-based novel digital copyright protection method and device

Also Published As

Publication number Publication date
CN101872399A (en) 2010-10-27

Similar Documents

Publication Publication Date Title
JP4226665B2 (en) Logon certificate
EP1530885B1 (en) Robust and flexible digital rights management involving a tamper-resistant identity module
EP1579621B1 (en) Domain-based digital-rights management system with easy and secure device enrollment
KR100362219B1 (en) Method and system for distributing programs using tamper resistant processor
AU2004200468B2 (en) A method, system and computer-readable storage for a licensor to issue a digital license to a requestor
AU2004200471B2 (en) Publishing digital content within a defined universe such as an organization in accordance with a digital rights management (DRM) system
CN101504707B (en) Conditional access to digital rights management conversion
KR101254209B1 (en) Apparatus and method for moving and copying right objects between device and portable storage device
CN1665184B (en) Using a flexible rights template to obtain a signed rights label (SRL) for digital content
US7310732B2 (en) Content distribution system authenticating a user based on an identification certificate identified in a secure container
US7542568B2 (en) Encryption device a decrypting device a secret key generation device a copyright protection system and a cipher communication device
JP4619665B2 (en) Issuing publisher use licenses offline in digital rights management (DRM) systems
US7200230B2 (en) System and method for controlling and enforcing access rights to encrypted media
US6550011B1 (en) Media content protection utilizing public key cryptography
US7515710B2 (en) Federated digital rights management scheme including trusted systems
KR100493900B1 (en) Method for Sharing Rights Object Between Users
JP4524124B2 (en) Enroll / sub-enroll digital rights management (DRM) server to DRM architecture
US7224805B2 (en) Consumption of content
US9118462B2 (en) Content sharing systems and methods
AU2006304655B2 (en) Methods for digital rights management
JP4795727B2 (en) Method, storage device, and system for restricting content use terminal
US20050207578A1 (en) Content distribution system, content distribution method, information processing apparatus, and program providing medium
US7975312B2 (en) Token passing technique for media playback devices
US7845011B2 (en) Data transfer system and data transfer method
US20060173787A1 (en) Data protection management apparatus and data protection management method

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted