CN101924907A - Method for realizing condition receiving, terminal equipment and front end thereof - Google Patents
- Publication number: CN101924907A (CN200910086610.7A)
- Authority: CN (China)
- Prior art keywords: information, authorization, product, key, encrypted
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention provides a method for implementing conditional access, a terminal device and a front end. The method comprises the following steps: receiving authorization control information sent by the front end, wherein the authorization control information comprises a product identifier, a control word encrypted by a product key, and identification information of the currently used product key; if product authorization information corresponding to the product identifier exists, decrypting the encrypted control word by using the pre-stored device key of the terminal device and the encrypted product key corresponding to the product identifier, wherein the product authorization information comprises the product identifier and at least two encrypted product keys corresponding to the product identifier; and descrambling a received program by using the control word. With the embodiments of the invention, a conditional access system can ensure its security on terminal devices that have no smart card, which saves cost and is convenient to use.
Description
Technical Field
The present invention relates to digital television technology, and in particular, to a method, a terminal device, and a front end for implementing conditional access.
Background
The conditional access system CAS refers to a system for controlling reception of a broadcast service by a user, and generally implements a paid service of the broadcast system through authorization management.
The front end of the conditional access system packages a plurality of channels into a product. If a user orders the packaged product, the conditional access system must authorize it, and the authorization information is generally sent to the set-top box through an Entitlement Management Message (EMM).
A Conditional Access System (CAS) is a system for controlling paid reception of digital TV broadcasting services by users. Its basic implementation is as follows: at the head end, the broadcast data is scrambled, and the scrambling control word is encrypted (CW') and transmitted to the terminal together with the broadcast data; at the terminal, the encrypted control word (CW') is decrypted by a security device, such as a smart card, to obtain the Control Word (CW), which is then passed to a terminal device, such as a set-top box, which descrambles and recovers the broadcast data.
Wherein the secure transmission of the control word CW depends on a product key, whereas the secure transmission of the product key depends on a user key, which is pre-embedded in the smart card. The encrypted product key is sent to the terminal device through an Entitlement Management Message (EMM) data packet and is transmitted to the smart card, and the smart card decrypts the product key by using the pre-embedded user key and then stores the product key in a secure area for use.
In the prior art, the smart card is a key component for ensuring the security of the CAS system. In the process of implementing the invention, the inventor found the following defects in the prior art: the cost of the smart card is relatively high, and the smart card must be inserted into a set-top box whenever a user watches digital programs, which is inconvenient; in addition, if the smart card is in poor contact with the set-top box, the reception of programs is affected.
Disclosure of Invention
The invention aims to provide a method for realizing conditional access, terminal equipment and a conditional access system.
The embodiment of the invention provides a method for realizing conditional access, which comprises the following steps:
receiving authorization control information sent by a front end, wherein the authorization control information comprises a product identifier and a control word encrypted by a product key;
if product authorization information corresponding to the product identifier exists, the product authorization information comprising the product identifier and an encrypted product key corresponding to the product identifier, decrypting the encrypted control word by using a pre-stored device key of the terminal device and the encrypted product key to obtain the control word;
and descrambling the received program by using the control word.
An embodiment of the present invention provides a terminal device, where the terminal device includes:
an authorization control information receiving unit, used for receiving authorization control information sent by a front end, wherein the authorization control information comprises a product identifier and a control word encrypted by a product key;
an authorization determining unit, connected with the authorization control information receiving unit and used for determining, after the authorization control information is received, that product authorization information corresponding to the product identifier exists, wherein the product authorization information comprises the product identifier and an encrypted product key corresponding to the product identifier;
a security operation unit, connected with the authorization determining unit, which decrypts the encrypted control word by using a pre-stored device key of the terminal device and the encrypted product key to obtain the control word when it is determined that the product authorization information corresponding to the product identifier exists;
and a descrambling unit, connected with the security operation unit and used for descrambling the received program by using the control word.
The embodiment of the invention provides a method for realizing conditional access, which comprises the following steps:
generating authorization control information according to the program configuration information, wherein the authorization control information comprises a product identifier and a control word encrypted by a product key;
and sending the generated authorization control information to terminal equipment.
An embodiment of the present invention provides a conditional access system front end, where the front end includes:
the authorization control information generating unit is used for generating authorization control information according to the program configuration information, wherein the authorization control information comprises a product identifier and a control word encrypted by a product key;
and the authorization control information sending unit is connected with the authorization control information generating unit and is used for sending the authorization control information to the terminal equipment.
The advantage of the invention is that the conditional access terminal is card-free: the security of the conditional access system is ensured by the terminal device alone, which saves cost and is convenient to use.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principles of the invention. In the drawings:
Fig. 1 is a flowchart of a method of implementing conditional access according to embodiment 1 of the present invention;
Fig. 2 is a front-end workflow diagram for implementing conditional access according to embodiment 2 of the present invention;
Fig. 3 is a flowchart of a process of processing a received EMM packet by a terminal device implementing conditional access according to embodiment 2 of the present invention;
Fig. 4 is a flowchart of a process of processing a received ECM packet by a terminal device implementing conditional access according to embodiment 2 of the present invention;
Fig. 5 is a schematic diagram of a terminal device configuration according to embodiment 3 of the present invention;
Fig. 6 is a schematic diagram of a terminal device according to embodiment 4 of the present invention;
Fig. 7 is a schematic diagram of the configuration of a conditional access system according to embodiment 5 of the present invention;
Fig. 8 is a schematic diagram of the front end configuration in embodiment 5 of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the following embodiments and accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
Example 1
An embodiment of the present invention provides a method for implementing conditional access, as shown in fig. 1, where the method includes:
Step 102, if product authorization information corresponding to the product identifier exists, wherein the product authorization information comprises an encrypted product key corresponding to the product identifier, decrypting the encrypted control word by using a pre-stored device key of the terminal device and the encrypted product key to obtain the control word;
Step 103, descrambling the received program by using the control word.
In this embodiment, the front end may encrypt the control word using different product keys. Therefore, when a potential security risk arises with the product key the front end is using, the front end can switch to another product key, which improves the security of the conditional access system.
In this embodiment, when the control word is encrypted using more than one different product key, the ECM packet further includes identification information of the currently used product key, which may be an index bit, required to decrypt the control word.
In step 102, the product identifier can be used to search the terminal device for product authorization information corresponding to the product identifier. In this way, the terminal device may decrypt the encrypted control word using the pre-stored device key DSK of the terminal device and the encrypted product key corresponding to the identification information to obtain the control word, and may adopt the following method: firstly, the encrypted product key is decrypted by using a device key DSK prestored in the terminal device to obtain a product key, wherein the product key is the product key corresponding to the identification information. The encrypted control words in the ECM packets are then decrypted using the obtained product key to obtain the control words.
In this embodiment, the device key DSK may be written in when the terminal device is initialized, the device keys DSK corresponding to different terminal devices are different, and if different terminal devices are represented by respective device identifiers (STBID), the device keys DSK and the device identifiers STBID correspond one to one. The product key can be encrypted at the head end using the device key DSK, and thus the encrypted product key is decrypted at the terminal device using the pre-stored device key DSK to obtain the product key.
According to the embodiment, when the card-free terminal equipment receives the ECM data packet sent by the front end, the ECM data packet can be processed by directly utilizing the equipment identification and the product authorization information of the terminal equipment, so that the cost can be saved, and the use is convenient; in addition, by using a plurality of product keys, the security of the system for transmitting information can be improved.
Example 2
The following describes a conditional access system including a front end and a terminal device in detail.
As shown in fig. 2, at the front end:
In this embodiment, the client at the front end may be used to edit the correspondence between the device identification (STBID) and the device key DSK, and store the correspondence between the device identification (STBID) and the device key DSK in a file manner, but the present invention is not limited to this manner, and may also be stored in any existing manner.
In this embodiment, the entitlement management message may be an EMM packet. There may be one product key or more than one; in this embodiment, for example, at least two product keys are used, so that when a potential security risk arises with the product key the front end is using, the front end can switch to another product key, thereby improving the security of the conditional access system.
The product authorization information may include, in addition to the product identifier (ProductID) and the product key encrypted corresponding to the product identifier, a start time (StartDate) and an expiration time (EndDate) of authorizing the product, an operator number (OperatorID), version information, and the like, but is not limited to the above information, and may include other information as needed.
Further, generating the EMM packet may be as follows: at least two product keys are encrypted by using a device key DSK stored in a front-end storage unit, and then the at least two encrypted product keys, a product identifier, start time and expiration time, a device identifier of a terminal device, an operator number and version information are packaged to generate an EMM data packet corresponding to the terminal device.
For example, the number of encrypted product keys is 2, and they may be referred to as the Odd product key (ProductKey_Odd') and the Even product key (ProductKey_Even'), both of which are encrypted by the device key DSK. Table 1 shows the format of the generated EMM packet. The EMM packet may be referred to as an authorization packet, and one or more products may be packaged into one packet.
TABLE 1
| Syntax | Note |
| --- | --- |
| EMMData(){ | |
| STB_ID | Terminal equipment identification |
| OperatorID | Operator number |
| For(i=0;i<N;i++){ | |
| ProductID | Product ID |
| StartDate | Starting time |
| EndDate | Expiration time |
| ProductKey_Odd' | Odd product key |
| ProductKey_Even' | Even product key |
| } | |
| ... | |
| } | |
In this embodiment, the front end may send the EMM packet through the communication module.
In addition, the front-end procedure may further include the following step: the front end generates authorization control information by reading the program configuration information and sends the authorization control information to the terminal device. This step may be performed before or after each of the above steps, without limitation.
In this embodiment, the ECM packet is the entitlement control message. The ECM packet includes a product identification (ProductID), a control word encrypted by a product key, and identification information of the currently used product key.
In addition, the ECM packet may further include information such as an operator number (OperatorID), which may be determined according to actual circumstances.
In this embodiment, if the front end encrypts the control word using the Odd product key (ProductKey_Odd') or the Even product key (ProductKey_Even'), the ECM packet may be generated as follows: the front end encrypts the generated control word of the scrambled program by using the Odd product key (ProductKey_Odd') or the Even product key (ProductKey_Even'), and then packages the encrypted control word, the product identifier corresponding to the program, the identification information of the currently used product key, and the operator number to generate the ECM packet.
For example, the encrypted control word is encrypted by the Odd product key (ProductKey_Odd'). The control word encrypted by the Odd product key (ProductKey_Odd') is referred to as the encrypted Odd control word (CW_Odd'), and the control word encrypted by the Even product key (ProductKey_Even') is referred to as the encrypted Even control word (CW_Even'). Table 2 shows the format of the ECM packet.
TABLE 2
| Syntax | Note |
| --- | --- |
| ECM_Data(){ | |
| OddFlag | Flag bit indicating odd or even key |
| ProductID | Program product ID |
| OperatorID | Operator number |
| ... | |
| CW_Odd' | Encrypted odd CW |
| ... | |
| } | |
As shown in table 2, the identification information of the currently used product key is an indication bit; that is, in this embodiment, it indicates whether the product key in use is the odd product key or the even product key. For example, a Flag of 0 indicates that the currently used product key is the odd product key, and a Flag of 1 indicates that it is the even product key, or vice versa. Thus, if the currently used even product key poses a potential security risk, the front end may encrypt the CW with the other, odd product key in the next CP period, thereby generating a new ECM packet, as described above. In this embodiment, for an even product key with a potential security risk, the front end generates a new key to replace the old even product key and, with the new key, generates a new EMM data packet and issues it to the terminal. In this way, when a product key poses a security risk, the front end replaces the key seamlessly and improves the security of information transmission, while the terminal device continues to watch programs unaffected.
At a terminal device:
As shown in fig. 3, when the terminal device receives the EMM packet sent by the front end, the following steps may be adopted for processing:
Step 301, the terminal device receives an EMM packet sent by the front end.
In the present embodiment, for example, the product authorization information may include information as shown in table 1, such as a device identification (STBID) of the terminal device, an operator number (OperatorID), a product identification (ProductID), a start time (StartDate), an expiration time (EndDate), an Odd product key (ProductKey_Odd'), an Even product key (ProductKey_Even'), and version information (not shown in table 1).
Step 302, filtering out the EMM data packets addressed to this terminal device according to the device identification STBID pre-stored in the terminal device; the EMM data packets of the terminal device may also be filtered by using other existing methods.
Step 303, judging whether the EMM data packet has been received, if so, executing step 307; otherwise, step 304 is performed.
In this embodiment, it may be determined whether the EMM packet has been received according to the version information of the EMM packet, and if the version information of the EMM packet stored by the terminal is consistent with the received EMM packet, it indicates that the EMM packet has been received, otherwise, the EMM packet is not received.
Step 304, if it is determined in step 303 that the EMM packet has not been received before, further determining whether the EMM packet is valid.
In this embodiment, whether the EMM packet is valid may be determined according to the start time and the expiration time in the EMM packet. The specific mode is as follows:
Judging whether the expiration time in the received EMM data packet is greater than the start time; if so, determining that the EMM data packet is valid, and executing step 305.
If the determination result is that the expiration time is less than the start time, it is determined that the EMM packet is invalid, and step 308 may be executed.
Step 305, if the EMM packet is determined to be valid in step 304, obtaining the product authorization information in the EMM packet.
Step 306, store the product authorization information.
Step 307, if it is determined in step 303 that the EMM packet has already been received, the EMM packet is discarded.
Step 308, if it is determined in step 304 that the EMM packet is invalid, that is, the expiration time is before the start time, the EMM packet may be used as a de-authorization packet.
According to the embodiment, the terminal equipment processes the EMM data packet to obtain the product authorization information and stores the product authorization information. Thus, when the terminal device receives the corresponding ECM packet, the ECM packet can be processed using the product authorization information and the device key of the terminal device, and finally the control word is obtained.
As shown in fig. 4, when the terminal device receives an ECM packet sent by the front end in which, as shown in table 2, the control word is encrypted by the odd product key, the following steps may be adopted for processing:
In this embodiment, the ECM packet includes a product identifier (ProductID), an Odd control word (CW_Odd') encrypted by the Odd product key (ProductKey_Odd'), and a Flag of the currently used product key, where the Flag is 0, indicating that the currently used product key is the Odd product key.
Step 402, determining that the ECM packet is of the type that does not use a smart card.
In this embodiment, if the ECM packet sent by the front end to the terminal device includes both the ECM packet that does not use the smart card and other data packets that use the smart card, the terminal device needs to determine the type of the ECM packet after receiving the ECM packet, so as to perform different processing procedures according to different types.
In this embodiment, a descriptor may be used to identify the type of the ECM packet. If the descriptor identifies the type that does not use a smart card, the terminal device processes the ECM packet without using a smart card; otherwise, the ECM packet is processed by using the smart card, and the processing method may be any conventional method, which is not described herein again.
In this embodiment, whether product authorization information corresponding to the product identifier, such as an encrypted odd product key, an encrypted even product key, start time, expiration time, and other information, exists in the terminal device may be searched according to the product identifier, and if found, it is indicated that the product authorization information corresponding to the product identifier exists, otherwise, it is indicated that the product authorization information does not exist.
In the present embodiment, the following manner may be adopted: the currently used encrypted Odd product key (ProductKey_Odd') is decrypted with the device key DSK to obtain the Odd product key; the encrypted Odd control word (CW_Odd') is then decrypted using the Odd product key (ProductKey_Odd') to obtain the Control Word (CW).
Step 405, the scrambled program stream is descrambled using the control word, and the descrambled program may be played back to enable the user to view the program.
In addition, the front end may also encrypt the control words using both the Odd product key (ProductKey_Odd') and the Even product key (ProductKey_Even'), and the ECM packet may be generated as follows: the front end encrypts the generated control words of the scrambled program by using the Odd product key (ProductKey_Odd') and the Even product key (ProductKey_Even'), and then packages the two encrypted control words, the product identification corresponding to the program, the identification information of the currently used product key, and the operator number to generate the ECM packet. Therefore, after receiving the ECM packet, the terminal finds the corresponding product key according to the identification information and decrypts the corresponding encrypted control word to obtain the control word.
Further, at the front end:
The front end can also use the device identification STBID of the terminal device as an addressing element to send application data packets, such as on-screen display information (OSD) or mail (Email), to the terminal device. The application packet may also be an EMM packet, which may include the device identification and the on-screen display information or mail information, and may also include a type descriptor indicating whether the packet belongs to OSD or Email.
At a terminal device:
The terminal device receives the EMM data packet sent by the front end, judges from the type descriptor of the EMM data packet whether it carries on-screen display information (OSD) or mail (Email), and filters out the on-screen display information or mail addressed to this terminal device according to the terminal device identifier. If the terminal device has not already received the on-screen display information (OSD), the information is parsed and displayed. If the terminal device has not already received the mail (Email), the mail is parsed and displayed according to a certain sorting mode. If the terminal device has already received the on-screen display information (OSD) or the mail (Email), the information is discarded and is not received again.
As can be seen from the above, the terminal device can receive the ECM packet sent by the front end, and process the ECM packet by using the device identifier and the encrypted product authorization information obtained in advance to obtain the control word, so as to descramble the program stream by using the control word, so that the user can view the descrambled program. Therefore, the terminal equipment can process the EMM data packet and the ECM data packet sent by the front end without using a smart card, so that the equipment cost is saved, and the use by a user is facilitated.
In addition, when the number of encrypted product keys is more than 1, if the currently used encrypted product key poses a potential security risk, the front end can switch promptly to another product key to encrypt the CW, changing the identification information of the product key in the ECM packet at the same time. Therefore, after receiving the ECM packet with the changed product key, the terminal device finds the product key used to encrypt the CW according to the changed product key identification information. In addition, for the product key with the potential security risk, the front end can perform a key replacement operation, generating a new product key to replace the old key. Meanwhile, the front end resends the new authorization information, containing the changed product key, to the terminal device, so that the terminal device can keep watching programs seamlessly while the product key is changed and the security of information transmission is ensured.
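The front-end packaging and the terminal-side EMM handling (steps 301 to 308) and ECM handling of this embodiment, including the odd/even key switch, sketched as an added example that is not part of the patent text. The patent names no cipher, so `toy_cipher` is a labelled placeholder; the class and function names, the integer date encoding and the choice to delete the stored authorization on a de-authorization packet are assumptions.

```python
import hashlib
from dataclasses import dataclass


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Placeholder for the cipher the patent leaves unspecified: XOR with a
    SHA-256-derived keystream (its own inverse). Illustration only."""
    if len(data) > 32:
        raise ValueError("toy cipher handles at most 32 bytes")
    stream = hashlib.sha256(key).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


@dataclass
class ProductAuth:        # one loop entry of Table 1
    product_id: int
    start_date: int       # assumed encoding: YYYYMMDD as an integer
    end_date: int
    key_odd_enc: bytes    # ProductKey_Odd', encrypted under the DSK
    key_even_enc: bytes   # ProductKey_Even', encrypted under the DSK


@dataclass
class Emm:                # Table 1 plus the version information
    stb_id: int
    operator_id: int
    version: int
    products: list


@dataclass
class Ecm:                # Table 2
    odd_flag: int         # 0 = odd key in use, 1 = even (the page's example)
    product_id: int
    operator_id: int
    cw_enc: bytes


# ---- front end ----
def build_emm(stb_id, dsk, operator_id, version, entries):
    """entries: (product_id, start, end, product_key_odd, product_key_even)."""
    products = [ProductAuth(pid, start, end,
                            toy_cipher(dsk, odd), toy_cipher(dsk, even))
                for pid, start, end, odd, even in entries]
    return Emm(stb_id, operator_id, version, products)


def build_ecm(product_id, operator_id, cw, product_key, odd_flag):
    return Ecm(odd_flag, product_id, operator_id, toy_cipher(product_key, cw))


# ---- terminal device (no smart card) ----
class Terminal:
    def __init__(self, stb_id, dsk):
        self.stb_id = stb_id
        self.dsk = dsk            # written at initialisation, one per STBID
        self.auth = {}            # ProductID -> stored product authorization
        self.emm_version = None   # version of the last EMM accepted

    def on_emm(self, emm):
        if emm.stb_id != self.stb_id:          # step 302: not addressed to us
            return "filtered"
        if emm.version == self.emm_version:    # steps 303 and 307
            return "duplicate"
        self.emm_version = emm.version
        for p in emm.products:
            if p.end_date > p.start_date:      # steps 304 to 306: valid, store
                self.auth[p.product_id] = p
            else:                              # step 308: de-authorization
                self.auth.pop(p.product_id, None)   # (assumed: drop the entry)
        return "processed"

    def on_ecm(self, ecm):
        """Return the control word, or None when no authorization is stored."""
        auth = self.auth.get(ecm.product_id)
        if auth is None:
            return None
        wrapped = auth.key_odd_enc if ecm.odd_flag == 0 else auth.key_even_enc
        product_key = toy_cipher(self.dsk, wrapped)   # DSK unwraps product key
        return toy_cipher(product_key, ecm.cw_enc)    # product key unwraps CW


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    dsk, pk_odd, pk_even = bytes(range(16)), b"O" * 16, b"E" * 16
    cw = bytes.fromhex("0011223344556677")
    stb = Terminal(0x1001, dsk)
    window = (20240101, 20241231)
    print(stb.on_emm(build_emm(0x1001, dsk, 7, 1, [(100, *window, pk_odd, pk_even)])))
    print(stb.on_ecm(build_ecm(100, 7, cw, pk_odd, 0)).hex())
    # Even key replaced at the front end: a new EMM version carries the new
    # key while ECMs stay on the odd key, then the flag switches to even.
    new_even = b"N" * 16
    print(stb.on_emm(build_emm(0x1001, dsk, 7, 2, [(100, *window, pk_odd, new_even)])))
    print(stb.on_ecm(build_ecm(100, 7, cw, new_even, 1)).hex())
```

An ECM whose flag does not match the key actually used yields a wrong control word rather than an error, because nothing in the described packet format lets the terminal verify the result.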
Example 3
The embodiment of the present invention provides a terminal device, as shown in fig. 5, the terminal device includes an authorization control information receiving unit 501, an authorization determining unit 502, a security operation unit 503, and a descrambling unit 504; wherein,
the authorization control information receiving unit 501 is configured to receive authorization control information sent by a front end, where the authorization control information includes a product identifier and a control word encrypted by a product key;
the authorization determining unit 502 is connected to the authorization control information receiving unit 501, and is configured to determine that product authorization information corresponding to the product identifier exists after receiving the authorization control information, where the product authorization information includes an encrypted product key corresponding to the product identifier;
the security operation unit 503 is connected to the authorization determination unit 502, and when it is determined that the product authorization information corresponding to the product identifier exists, decrypts the encrypted control word by using the pre-stored device key of the terminal device and the encrypted product key to obtain the control word;
the descrambling unit 504 is connected to the security arithmetic unit 503 for descrambling the received program using the control word.
In this embodiment, the front end may encrypt the control word using different product keys. When different product keys are adopted to encrypt the control words, the authorization control information also comprises the identification information of the currently used product key, and the product authorization information comprises more than one encrypted product key corresponding to the product identification.
In this way, the secure operation unit 503 decrypts the encrypted control word using the pre-stored device key of the terminal device and the encrypted product key corresponding to the identification information to obtain the control word.
In this embodiment, the authorization determining unit 502 may search the terminal device for the product authorization information corresponding to the product identifier by using the product identifier, so that the security operation unit 503 may decrypt the encrypted control word by using the pre-stored device key DSK of the terminal device and the encrypted product key corresponding to the identification information to obtain the control word, in the following manner: firstly, the encrypted product key is decrypted by using a device key DSK prestored in the terminal device to obtain a product key, wherein the product key is the product key corresponding to the identification information. The encrypted control words in the ECM packets are then decrypted using the obtained product key to obtain the control words.
In this embodiment, the device key DSK may be written in when the terminal device is initialized, the device keys DSK corresponding to different terminal devices are different, and if different terminal devices are represented by respective device identifiers (STBID), the device keys DSK and the device identifiers STBID correspond one to one. The product key can be encrypted at the head end using the device key DSK, and thus the encrypted product key is decrypted at the terminal device using the pre-stored device key DSK to obtain the product key.
According to the embodiment, when the card-free terminal equipment receives the ECM data packet sent by the front end, the ECM data packet can be processed by directly utilizing the equipment identification and the product authorization information of the terminal equipment without using an intelligent card, so that the cost can be saved, and the use is convenient; in addition, by using a plurality of product keys, the security of the system for transmitting information can be improved.
Example 4
As shown in fig. 6, the terminal device includes an authorization control information receiving unit 501, an authorization determining unit 502, a secure operation unit 503, and a descrambling unit 504, whose functions are similar to those in embodiment 3 and are not described herein again.
In this embodiment, the terminal device may further include a display unit (not shown in the figure) for displaying the descrambled program.
As shown in fig. 6, the terminal device further includes an authorization management information receiving unit 601, an information filtering unit 602, and an information parsing unit 603; wherein,
the authorization management information receiving unit 601 is configured to receive authorization management information sent by a front end, where the authorization management information includes a device identifier of a terminal device and product authorization information;
In this embodiment, the authorization management information may be an EMM packet. For example, when the number of product keys is 2, the product authorization information may include the information shown in table 1, such as the device identification (STBID) of the terminal device, an operator number (operator id), a product identification (product id), a start time (start date), an expiration time (EndDate), an odd product key (product key_Odd'), an even product key (product key_Even'), and version information (not shown in table 1).
The information filtering unit 602 is connected to the authorization management information receiving unit 601, and is configured to filter out, according to the device identifier, the authorization management information that belongs to this terminal device;
the information parsing unit 603 is connected to the information filtering unit 602, and is configured to parse the authorization management information to obtain the product authorization information.
As shown in fig. 6, the terminal device further includes an authorization information storage unit 604 and a device key storage unit 605; the authorization information storage unit 604 is connected to the authorization determining unit 502 and the secure operation unit 503, and is configured to store the obtained product authorization information; the device key storage unit 605 is connected to the secure operation unit 503, and is configured to store the device key DSK corresponding to the terminal device. In this way, the secure operation unit 503 can process the ECM packet according to the pre-stored device key DSK and the product authorization information to obtain the control word.
In this embodiment, once the information filtering unit 602 has filtered out the EMM packet belonging to the terminal device, the terminal device may further determine the validity of the EMM packet. Therefore, as shown in fig. 6, the terminal device may further include a validity determining unit 606, connected to the information filtering unit 602, for determining whether the authorization management information is valid after the information filtering unit 602 filters out the authorization management information of the terminal device; the method for determining validity is as described in embodiment 2, and is not described herein again.
If the validity determining unit 606 determines that the authorization management information is valid, the information parsing unit 603 parses the authorization management information to obtain the product authorization information.
If the validity determining unit 606 determines that the authorization management information is invalid, the authorization management information may be regarded as a de-authorization packet, so that the product authorization information stored in the authorization information storage unit 604 may be cleared. Thus, as shown in fig. 6, the terminal device further includes an information clearing unit 607 connected to the validity determining unit 606 for clearing the existing product authorization information when the authorization management information is determined to be invalid.
In this embodiment, the authorization management information may further include version information, and thus, the terminal device further includes a determining unit and an information obtaining unit (not shown in the figure); wherein,
the determining unit may be connected to the information filtering unit 602 and is used for determining whether the EMM packet has already been received.
The information acquisition unit is connected with the determining unit and is used for acquiring the product authorization information in the EMM data packet when it is determined that the EMM packet has not previously been received.
In addition, the terminal device may further include an application information receiving unit, an application information filtering unit, and an application information processing unit (not shown in the figure); the application information receiving unit is used for receiving screen display information or mails sent by a front end, wherein the screen display information or the mails comprise terminal equipment identifiers; the application information filtering unit is connected with the application information receiving unit and is used for filtering out the screen display information or mails of the terminal equipment according to the terminal equipment identifier; the application information processing unit is connected with the application information filtering unit and is used for parsing and displaying the screen display information or the mail when the terminal equipment has not previously received the screen display information or the mail.
As can be seen from the above, the terminal device can receive the ECM packet sent by the front end, and process the ECM packet by using the device identifier and the encrypted product authorization information obtained in advance to obtain the control word, so as to descramble the program stream by using the control word, so that the user can view the descrambled program. Therefore, the terminal equipment can process the EMM data packet and the ECM data packet sent by the front end without using a smart card, so that the equipment cost is saved, and the use by a user is facilitated. The processing procedure of the terminal device is similar to that of embodiment 2, and is not described here again.
In addition, because there is more than one encrypted product key, if the currently used encrypted product key is faulty, another encrypted product key can promptly be used as the current product key. The faulty product key can also be replaced, and new authorization information is sent to the terminal equipment after the replacement, so that the authorization of the terminal equipment is not affected and the security of information transmission can be ensured.
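The terminal-side flow of embodiments 3 and 4 (EMM filtering by STBID, the validity and already-received checks, then the two-step ECM decryption with a key selected by its identification information), as an added example that is not part of the patent. All names, the YYYYMMDD integer dates, the order of the checks and the SHA-256 XOR keystream are assumptions; the patent names no cipher, so the keystream is only a stand-in that runs on the standard library.

```python
import hashlib
from dataclasses import dataclass


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): SHA-256 counter keystream XORed with data.
    The same call encrypts and decrypts. It has no nonce and no integrity
    check; a real terminal would use a vetted cipher in secure hardware."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


@dataclass
class Emm:                      # authorization management information
    stbid: str
    product_id: int
    start_date: int             # YYYYMMDD integer (assumed encoding)
    end_date: int
    enc_product_keys: dict      # key id -> product key encrypted under DSK
    version: int


@dataclass
class Ecm:                      # authorization control information
    product_id: int
    key_id: str                 # identifies the product key currently in use
    enc_cw: bytes


class Terminal:
    def __init__(self, stbid: str, dsk: bytes):
        self.stbid = stbid
        self._dsk = dsk                 # device key storage unit
        self.entitlements = {}          # authorization information storage unit
        self._seen = set()              # (product_id, version) already received

    def handle_emm(self, emm: Emm) -> str:
        if emm.stbid != self.stbid:                    # information filtering
            return "ignored"
        if (emm.product_id, emm.version) in self._seen:
            return "duplicate"                         # already received
        self._seen.add((emm.product_id, emm.version))
        # Valid when expiration > start; equal dates are treated as invalid
        # here (fail-closed assumption, the page leaves that case open).
        if emm.end_date <= emm.start_date:
            self.entitlements.pop(emm.product_id, None)  # de-authorization
            return "deauthorized"
        self.entitlements[emm.product_id] = emm
        return "stored"

    def handle_ecm(self, ecm: Ecm):
        ent = self.entitlements.get(ecm.product_id)    # authorization check
        if ent is None or ecm.key_id not in ent.enc_product_keys:
            return None
        # Step 1: DSK unwraps the product key named by the ECM's key id.
        product_key = xor_cipher(self._dsk, ent.enc_product_keys[ecm.key_id])
        # Step 2: the product key decrypts the control word.
        return xor_cipher(product_key, ecm.enc_cw)


def make_emm(dsk, stbid, product_id, start, end, product_keys, version):
    """Front-end side: wrap each product key under the target device's DSK."""
    wrapped = {kid: xor_cipher(dsk, pk) for kid, pk in product_keys.items()}
    return Emm(stbid, product_id, start, end, wrapped, version)


def make_ecm(product_id, key_id, product_key, cw):
    return Ecm(product_id, key_id, xor_cipher(product_key, cw))


# Constructed sample values, not taken from the patent.
DSK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
KEYS = {"odd": b"constructed-odd!", "even": b"constructed-even"}
CW = bytes.fromhex("1122334455667788")


def demo() -> dict:
    box, out = Terminal("STB-0001", DSK), {}
    grant = make_emm(DSK, "STB-0001", 7, 20090612, 20100612, KEYS, 1)
    other = make_emm(DSK, "STB-0002", 7, 20090612, 20100612, KEYS, 1)
    out["before_emm"] = box.handle_ecm(make_ecm(7, "odd", KEYS["odd"], CW))
    out["foreign_emm"] = box.handle_emm(other)
    out["grant"] = box.handle_emm(grant)
    out["cw_odd"] = box.handle_ecm(make_ecm(7, "odd", KEYS["odd"], CW))
    out["cw_even"] = box.handle_ecm(make_ecm(7, "even", KEYS["even"], CW))
    # A box that copies the STBID but lacks the DSK unwraps a wrong key.
    clone = Terminal("STB-0001", bytes(16))
    clone.handle_emm(grant)
    out["clone_cw"] = clone.handle_ecm(make_ecm(7, "odd", KEYS["odd"], CW))
    revoke = make_emm(DSK, "STB-0001", 7, 20100612, 20090612, KEYS, 2)
    out["revoke"] = box.handle_emm(revoke)
    out["replay"] = box.handle_emm(grant)   # old grant sent again
    out["after_revoke"] = box.handle_ecm(make_ecm(7, "odd", KEYS["odd"], CW))
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

Because the terminal remembers which EMM versions it has received, re-sending the earlier grant after the de-authorization packet does not restore the entitlement.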
Example 5
An embodiment of the present invention provides a conditional access system, as shown in fig. 7, where the conditional access system includes a front end 701 and a terminal device 702.
As shown in fig. 8, the front end 701 includes an authorization control information generating unit 801 and an authorization control information transmitting unit 802. The authorization control information generating unit 801 is configured to generate authorization control information according to program configuration information. The authorization control information transmitting unit 802 is connected to the authorization control information generating unit 801 and is configured to transmit the authorization control information to a terminal device. The authorization control information includes a product identifier and a control word encrypted by a product key.
In this embodiment, as shown in fig. 8, the front end 701 may further include:
an authorization management information generation unit 803, the authorization management information generation unit 803 being configured to generate authorization management information including a device identifier of the terminal device and product authorization information according to a user request;
an authorization management information sending unit 804, connected to the authorization management information generating unit 803, is configured to send the authorization management information to the terminal device.
The front-end further comprises a storage unit (not shown in the figure) for storing the device identification of the terminal device and the corresponding device key DSK.
In the above embodiment, the manner of generating the authorization management information and the authorization control information is as described in embodiment 2, and is not described herein again.
As shown in fig. 8, the front end may further include:
an application information generating unit 805 for generating screen display information or a mail;
the application information transmitting unit 806 is connected to the application information generating unit 805, and transmits the generated screen display information or mail to the terminal device.
The structure and function of the terminal device 702 are as described in embodiment 4, and are not described here again.
In this embodiment, the authorization control information sending unit 802, the authorization management information sending unit 804, and the application information sending unit 806 in the front end may be implemented by using the same sending unit.
As can be seen from the above embodiments, the front end of the conditional access system generates an EMM data packet and an ECM data packet, and issues the EMM data packet and the ECM data packet to the terminal device.
In this embodiment, the structure of the card-less terminal device is as described in embodiments 3 and 4, and is not described herein again.
The terminal equipment can process the ECM data packet by using the equipment identification and the encrypted product authorization information obtained in advance without a smart card to obtain a control word, so that the program stream is descrambled by using the control word, and a user can watch the descrambled program. Therefore, the terminal equipment can process the EMM data packet and the ECM data packet sent by the front end without using a smart card, so that the equipment cost is saved, and the use by a user is facilitated. The processing procedure of the terminal device is similar to that of embodiment 2, and is not described here again.
In addition, because there is more than one encrypted product key, if the currently used encrypted product key poses a potential security risk, another encrypted product key can promptly be used as the current product key. The product key posing the risk can also be replaced, and new authorization information is sent to the terminal device after the replacement, so that the authorization of the terminal device is not affected and the security of information transmission can be guaranteed.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (25)
1. A method for implementing conditional access, the method comprising:
the method comprises the steps that the cardless terminal equipment receives authorization control information sent by a front end, wherein the authorization control information comprises a product identifier and a control word encrypted by a product key;
if the product authorization information corresponding to the product identification exists, the product authorization information comprises the product identification and an encrypted product key corresponding to the product identification, decrypting the encrypted control word by using a pre-stored equipment key of the terminal equipment and the encrypted product key to obtain the control word;
and descrambling the received program by using the control word.
2. The method according to claim 1, wherein when the front end encrypts the control word using a different product key, the authorization control information further includes identification information of the currently used product key;
the number of the encrypted product keys corresponding to the product identification of the product authorization information is more than one;
and decrypting the encrypted control word using a pre-stored device key of the terminal device and an encrypted product key, including:
and decrypting the encrypted control word by using a pre-stored equipment key of the terminal equipment and an encrypted product key corresponding to the identification information to obtain the control word.
3. The method according to claim 1, wherein decrypting the encrypted control word using a pre-stored device key of the terminal device and an encrypted product key to obtain the control word comprises:
decrypting the encrypted product key using the device key to obtain the product key;
decrypting the encrypted control word using the product key to obtain the control word.
4. The method of claim 1, further comprising:
receiving authorization management information sent by a front end, wherein the authorization management information comprises equipment identification of terminal equipment and product authorization information;
and filtering the authorization management information of the terminal equipment according to the equipment identification, and analyzing the authorization management information to obtain the product authorization information.
5. The method according to claim 4, wherein after filtering out the authorization management information of the terminal device according to the device identifier, the method further comprises:
determining whether the authorization management information is valid;
and if the authorization management information is valid, triggering to analyze the authorization management information so as to obtain the product authorization information.
6. The method of claim 5, wherein the product authorization information further includes a start time and an expiration time of a product corresponding to the product identifier, and wherein determining that the authorization management information is valid comprises:
if the expiration time in the obtained product authorization information is greater than the starting time, determining that the product authorization information is valid;
if the expiration time in the obtained product authorization information is less than the starting time, determining that the product authorization information is invalid;
and if the authorization information is determined to be invalid and the product authorization information corresponding to the product identification already exists, removing the existing product authorization information in the terminal equipment.
7. The method according to claim 4, wherein after filtering out the authorization management information of the terminal device according to the device identifier, the method further comprises:
and if the card-free terminal equipment has not previously received the authorization management information, storing the product authorization information contained in the authorization management information.
8. The method of claim 1, further comprising:
receiving screen display information or a mail sent by a front end, wherein the screen display information or the mail comprises a terminal equipment identifier;
filtering screen display information or mails of the terminal equipment according to the terminal equipment identifier;
and if the terminal equipment has not previously received the screen display information or the mail, analyzing and displaying the screen display information or the mail.
9. A terminal device, characterized in that the terminal device comprises:
the authorization control information receiving unit is used for receiving authorization control information sent by a front end, wherein the authorization control information comprises a product identifier and a control word encrypted by a product key;
the authorization determining unit is connected with the authorization control information receiving unit and is used for determining that the product authorization information corresponding to the product identifier exists after the authorization control information is received, wherein the product authorization information comprises the product identifier and an encrypted product key;
the safety operation unit is connected with the authorization determination unit and decrypts the encrypted control word by utilizing a pre-stored equipment key of the terminal equipment and an encrypted product key to obtain the control word when determining that the product authorization information corresponding to the product identifier exists;
and the descrambling unit is connected with the safety operation unit and is used for descrambling the received program by using the control word.
10. The terminal device according to claim 9, wherein when the front end encrypts the control word using a different product key, the authorization control information further includes identification information of the currently used product key;
the number of the encrypted product keys corresponding to the product identification of the product authorization information is more than one;
and the safety operation unit decrypts the encrypted control word by using a pre-stored equipment key of the terminal equipment and an encrypted product key corresponding to the identification information to obtain the control word.
11. The terminal device according to claim 9, wherein the terminal device further comprises:
the authorization management information receiving unit is used for receiving authorization management information sent by a front end, wherein the authorization management information comprises a device identifier of a terminal device and product authorization information;
and the information analysis unit is used for analyzing the authorization management information to obtain the product authorization information.
12. The terminal device according to claim 11, wherein the terminal device further comprises:
the authorization information storage unit is connected with the authorization determining unit and is used for storing the product authorization information;
and the equipment key storage unit is connected with the safety operation unit and is used for storing the equipment key corresponding to the terminal equipment.
13. The terminal device according to claim 11, wherein the terminal device further comprises:
the validity determining unit is connected with the authorization management information receiving unit and is used for determining whether the authorization management information is valid or not after the authorization management information receiving unit receives the authorization management information;
the information analysis unit analyzes the authorization management information when the authorization management information is valid, so as to obtain the product authorization information.
14. The terminal device according to claim 13, wherein the terminal device further comprises:
and the information clearing unit is connected with the validity determining unit and used for clearing the product authorization information existing in the terminal equipment when the authorization management information is determined to be invalid.
15. The terminal device according to claim 11, wherein the terminal device further comprises:
a determination unit connected to the authorization management information receiving unit, for determining whether the authorization management information has been received;
and the information acquisition unit is connected with the determination unit and is used for acquiring the product authorization information in the authorization management information when the authorization management information is determined not to be received.
16. The terminal device according to claim 9, wherein the terminal device further comprises:
the application information receiving unit is used for receiving screen display information or mails sent by a front end, wherein the screen display information or the mails comprise terminal equipment identifiers;
and the application information processing unit is used for analyzing and displaying the screen display information or the mail when the terminal equipment has not previously received the screen display information or the mail.
17. A method for implementing conditional access, the method comprising:
generating authorization control information according to the program configuration information, wherein the authorization control information comprises a product identifier and a control word encrypted by a product key;
and sending the generated authorization control information to terminal equipment.
18. The method of claim 17, wherein the authorization control information further comprises identification information of a currently used product key.
19. The method of claim 17, further comprising:
generating authorization management information according to a user request, wherein the authorization management information comprises equipment identification of terminal equipment and product authorization information;
and sending the authorization management information to the terminal equipment.
20. The method of claim 17, further comprising:
generating screen display information or mails;
and sending the generated screen display information or the mail to the terminal equipment.
21. A conditional access system front-end, the front-end comprising:
the authorization control information generating unit is used for generating authorization control information according to the program configuration information, wherein the authorization control information comprises a product identifier and a control word encrypted by a product key;
and the authorization control information sending unit is connected with the authorization control information generating unit and is used for sending the authorization control information to the terminal equipment.
22. The front-end of claim 21, wherein the entitlement control messages further comprise identification information for a currently used product key.
23. The front end of claim 21, further comprising:
the authorization management information generating unit is used for generating authorization management information according to a user request, wherein the authorization management information comprises a device identifier of a terminal device and product authorization information; the product authorization information comprises a product identification and a product key encrypted by a device key;
and the authorization management information sending unit is connected with the authorization management information generating unit and is used for sending the authorization management information to the terminal equipment.
24. The front end of claim 21, further comprising:
an application information generating unit for generating screen display information or a mail;
and the application information sending unit is connected with the information generating unit and used for sending the generated screen display information or the mail to the terminal equipment.
25. The front-end of claim 23, further comprising a storage unit, connected to the authorization management information generation unit, for storing a device identifier of a terminal device and a corresponding product key.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910086610.7A CN101924907B (en) | 2009-06-12 | 2009-06-12 | Method for realizing condition receiving, terminal equipment and front end thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101924907A (en) | 2010-12-22 |
CN101924907B (en) | 2013-08-28 |
Family
ID=43339508
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200910086610.7A Active CN101924907B (en) | 2009-06-12 | 2009-06-12 | Method for realizing condition receiving, terminal equipment and front end thereof |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101924907B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN101924907B (en) | 2013-08-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |