CN102065092A - Method and system for authorizing digital signature of application program of set top box - Google Patents
Method and system for authorizing digital signature of application program of set top box Download PDFInfo
- Publication number
- CN102065092A CN102065092A CN2010106178014A CN201010617801A CN102065092A CN 102065092 A CN102065092 A CN 102065092A CN 2010106178014 A CN2010106178014 A CN 2010106178014A CN 201010617801 A CN201010617801 A CN 201010617801A CN 102065092 A CN102065092 A CN 102065092A
- Authority
- CN
- China
- Prior art keywords
- top box
- sequence
- signature
- information
- service end
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The invention relates to the relevant technical field of set top boxes, in particular to a method and system for authorizing a digital signature of an application program of a set top box. The method comprises the steps of: carrying out safe symmetrical encryption on a signature information sequence by a service end by using safe symmetrically encrypted secret keys; encrypting a signature sequence by using asymmetrically encrypted secrete keys to obtain an encrypted signature sequence, wherein a public key and the encrypted signature sequence are used as certificates; obtaining a signed application program of the set top box by the set top box, decrypting the encrypted signature sequence of the certificates by using the public key, sending verification information to the service end through safe communication; and verifying the verification information by the service end, sending the symmetrically encrypted secret keys to the set top box, decrypting the encrypted signature information sequence by the set top box by using the symmetrically encrypted secret keys to obtain the signature information sequence and installing after verifying. The technical scheme provided by the invention is more flexible compared with a PKI (Public Key Infrastructure) digital certificate technology, and the processing mechanism is simpler.
Description
Technical field
The present invention relates to the set-top box correlative technology field, particularly a kind of set-top box application progressive number signature authentication method and system thereof.
Background technology
Existing set-top box application progressive number signature authentication method as shown in Figure 1, (Public Key Infrastructure, PKI) digital certificate technique adopt the asymmetrical encryption system of RSA to the PKIX of employing, relatively safety.But the existing signature authentication method real free time is long, between set-top box developer and software developer, increased simultaneously third-party certification authority (CA, Certificate Authority) mechanism, system are complicated, and have increased cost.
Summary of the invention
First goal of the invention of the present invention is to provide a kind of set-top box application progressive number signature authentication method, with the set-top box application progressive number signature authentication method that solves prior art complicated technology problem comparatively.
In order to realize first goal of the invention of the present invention, the technical scheme of employing is as follows:
A kind of set-top box application progressive number signature authentication method, described method comprises:
Signature step:
Service end symmetric cryptographic key safe in utilization carries out safe symmetric cryptography to the signing messages sequence that comprises set-top box identifying information tract, and described set-top box identifying information tract is used to identify the set-top box scope that the set-top box application program is suitable for;
Service end is preserved software information software developer information sequence section and the corresponding symmetric cryptographic key thereof that is used to identify software information and software developer;
With software information software developer information sequence section, through the signing messages sequence of symmetric cryptography as signature sequence;
Asymmetry cryptographic algorithm safe in utilization generates one group of effective asymmetric cryptographic key and PKI, use asymmetric cryptographic key that signature sequence is encrypted and obtain the ciphering signature sequence, with PKI and ciphering signature sequence as certificate;
Set-top box application program and certificate are carried out the set-top box application program that amalgamation obtains the process signature, finish the digital signature step;
The certifying signature step:
Set-top box obtains the set-top box application program through signature, and the ciphering signature sequence that uses public-key to certificate is decrypted, and obtains comprising software information software developer information sequence section and through the signature sequence of the signing messages sequence of symmetric cryptography;
Send authorization information by secure communication to service end;
Service end is verified authorization information, if satisfy the service end proof rule, then sends the symmetric cryptographic key corresponding with authorization information to set-top box, otherwise, to the set-top box feedback error;
If set-top box receives service end end feedback error, then withdraw from, otherwise use the symmetric cryptographic key that receives that the signing messages sequence through symmetric cryptography is decrypted, obtain comprising the signing messages sequence of set-top box identifying information tract;
If the signing messages sequence satisfies the set-top box proof rule, set-top box fitting machine top box application program then, otherwise withdraw from.
As a kind of preferred version, described authorization information is the software information software developer information sequence section after deciphering, and described service end proof rule is:
Service end is searched according to software information software developer information sequence section, if preserve software information software developer information sequence section, then is judged as and satisfies the service end proof rule, does not satisfy the service end proof rule otherwise be judged as.
As a kind of preferred version, described set-top box proof rule is: if set-top box is in the set-top box scope that the set-top box application program that set-top box identifying information tract is identified is suitable for, then be judged as and satisfy proof rule, do not satisfy proof rule otherwise be judged as.
As a kind of preferred version, described signing messages sequence also comprises uses digest algorithm to extract the first unique program digest tract from the set-top box application program.
As further preferred version, described set-top box proof rule is:
If in the set-top box scope that the set-top box application program that set-top box is identified at set-top box identifying information tract is suitable for, and;
The first program digest tract is consistent from the second program digest tract that the extraction of set-top box application program obtains by digest algorithm with set-top box, then is judged as and satisfies proof rule;
Do not satisfy proof rule otherwise be judged as.
As further preferred version, in the described signature step, service end is also preserved the first program digest tract;
Described authorization information comprises the software information software developer information sequence section after the deciphering and passes through the signature sequence of the signing messages sequence of symmetric cryptography;
Described service end proof rule is:
Service end is searched according to software information software developer information sequence section, if preserve software information software developer information sequence section, then adopt corresponding symmetric cryptographic key that the signing messages sequence through symmetric cryptography is decoded, obtain set-top box identifying information tract and the 3rd program digest tract, if the first program digest tract is consistent with the 3rd program digest tract, then be judged as and satisfy the service end proof rule, do not satisfy the service end proof rule otherwise be judged as.
Second goal of the invention of the present invention is to provide a kind of set-top box application progressive number signature authentication system, to use the digital signature authentication method that first goal of the invention of the present invention is provided.
In order to realize second goal of the invention of the present invention, the technical scheme of employing is as follows:
A kind of set-top box application progressive number signature authentication system, described system comprises:
Be arranged on the signature blocks of signature service end, comprise:
Symmetric cryptographic key safe in utilization carries out the service end symmetric cryptography module of safe symmetric cryptography to the signing messages sequence that comprises set-top box identifying information tract;
Preservation is used to identify software information and software developer's the software information software developer information sequence section and the service end memory module of corresponding symmetric cryptographic key thereof;
Asymmetry cryptographic algorithm safe in utilization generates one group of effective asymmetric cryptographic key and PKI, uses asymmetric cryptographic key to comprising software information software developer information sequence section and encrypting the asymmetric encryption module that obtains the ciphering signature sequence through the signature sequence of the signing messages sequence of symmetric cryptography;
With PKI and ciphering signature sequence certificate generation module as certificate;
Set-top box application program and certificate are carried out the die section that amalgamation obtains the set-top box application program of process signature;
Be arranged on the set-top box authentication module of set-top box, comprise:
The ciphering signature sequence that uses public-key to certificate is decrypted, and obtains comprising software information software developer information sequence section and through the asymmetric deciphering module of set-top box of the signature sequence of the signing messages sequence of symmetric cryptography;
Send the set-top box transport module of authorization information to service end by secure communication;
If receive service end end feedback error, then withdraw from, otherwise use the symmetric cryptographic key receive that the signing messages sequence through symmetric cryptography is decrypted, obtain comprising the set-top box symmetry deciphering module of the signing messages sequence of set-top box identifying information tract;
The set-top box authentication module of the signing messages sequence being verified according to the set-top box proof rule;
When the signing messages sequence satisfies the set-top box proof rule, the set-top box set up applications module of fitting machine top box application program;
Be arranged on the service end authentication module of service end, described service end authentication module is used for the authorization information that receives is verified, if satisfy the service end proof rule, then sends the symmetric cryptographic key corresponding with authorization information to set-top box, otherwise, to the set-top box feedback error;
Service end is connected by closing optical fibre-coaxial cable net or Ethernet with set-top box.
As a kind of preferred version, described signature blocks also comprises uses the extraction module of digest algorithm from the unique program digest tract of set-top box application program extraction, and described signing messages sequence also comprises the program digest tract that obtains by extraction module.
Technical scheme of the present invention, owing to rely on front end and service end to carry out signature verification, so flexibility can be more flexible with respect to the PKI digital certificate technique, treatment mechanism is also simpler.
Description of drawings
Fig. 1 is the signature schematic diagram of the embodiment of the invention;
Fig. 2 is the authentication schematic diagram of the embodiment of the invention.
Embodiment
The present invention will be further described in detail below in conjunction with the drawings and specific embodiments.
Set-top box application progressive number certificate is mainly realized three functions:
1, determines that this application program can operate on the machine of what model, i.e. the top-set hardware characteristic.
2, determine whether this application program is legal, whether this application program is in the registration of set-top box manufacturer, the i.e. fail safe of application program.
3, determine that the pairing application program of digital certificate in this application program is exactly this application program, be equivalent to the identity card of application program.
The segmentation of digital certificate and description:
1, software information software developer information sequence section.The main descriptor of describing software, developer's information.
2, program digest tract.Utilize traditional digest algorithm to extract the summary of software, and extract the software identity card.
3, set-top box identifying information tract.The main suitable top-set hardware version of software of describing, area etc. are with the relevant information of set-top box.
Be illustrated in figure 1 as certificate manufacturing process:
1, the software developer submits to set-top box manufacturer with set-top box identifying information tract, software information software developer information sequence section and set-top box application program and carries out testing authentication.
If 2 software tests checking is passed through, the signature system of set-top box manufacturer uses digest algorithm to extract unique program digest tract of this software, and generate the key of the symmetric cryptography of a safety according to certain rules, and with set-top box identifying information tract and program digest tract behind the symmetric cryptography via safety, data are fed back to the software developer, and software and software developer's information sequence section and program digest tract left in the online verification system, and generate counterpart keys.
Above-mentioned digest algorithm can be existing various program digest algorithms, only need extract one section unique tract from application program and get final product.
3, afterwards, software developer's signature system asymmetry cryptographic algorithm safe in utilization generates one group of effective key and PKI, and with key amalgamation software information software developer information sequence section, program digest tract (symmetric cryptography), set-top box identifying information tract (symmetric cryptography) data is afterwards carried out asymmetric encryption.Encrypt the back data with PKI amalgamation be in the same place, as certificate, be attached to set-top box application program head, be distributed to the user and use.
Among the embodiment, the signature system of software developer's signature system, online verification system and set-top box manufacturer constitutes service end jointly, and described online verification system and signature system can be arranged for unified setting also can divide.
During install software (being the set-top box application program), as shown in Figure 2 to the processing of certificate:
1, utilize PKI to other part deciphering of certificate beyond the PKI.
2, the software information software developer information sequence section after will deciphering is sent out by secure communication and is sent to server end.
3, server end is searched this information of software, if find, just sends key to set-top box, if can not find, also to the set-top box feedback error.
If 4 receive server-side error, installation procedure not then.If receive the key that server sends, then set-top box identifying information tract and program digest tract be decrypted with key.
If 5 set-top box identifying information tracts can not adapt to this type, or some authorization informations of service routine summary tract unmatch the needs installed software, then withdraw from installation.The person does not continue.
6, extract the summary that needs installed software with digest algorithm,, then withdraw from installation if summary and deciphering back program digest tract relevant information are not wanted to meet.It deny person's install software.
Claims (8)
1. set-top box application progressive number signature authentication method is characterized in that described method comprises:
Signature step:
Service end symmetric cryptographic key safe in utilization carries out safe symmetric cryptography to the signing messages sequence that comprises set-top box identifying information tract, and described set-top box identifying information tract is used to identify the set-top box scope that the set-top box application program is suitable for;
Service end is preserved software information software developer information sequence section and the corresponding symmetric cryptographic key thereof that is used to identify software information and software developer;
With software information software developer information sequence section, through the signing messages sequence of symmetric cryptography as signature sequence;
Asymmetry cryptographic algorithm safe in utilization generates one group of effective asymmetric cryptographic key and PKI, use asymmetric cryptographic key that signature sequence is encrypted and obtain the ciphering signature sequence, with PKI and ciphering signature sequence as certificate;
Set-top box application program and certificate are carried out the set-top box application program that amalgamation obtains the process signature, finish the digital signature step;
The certifying signature step:
Set-top box obtains the set-top box application program through signature, and the ciphering signature sequence that uses public-key to certificate is decrypted, and obtains comprising software information software developer information sequence section and through the signature sequence of the signing messages sequence of symmetric cryptography;
Send authorization information by secure communication to service end;
Service end is verified authorization information, if satisfy the service end proof rule, then sends the symmetric cryptographic key corresponding with authorization information to set-top box, otherwise, to the set-top box feedback error;
If set-top box receives service end end feedback error, then withdraw from, otherwise use the symmetric cryptographic key that receives that the signing messages sequence through symmetric cryptography is decrypted, obtain comprising the signing messages sequence of set-top box identifying information tract;
If the signing messages sequence satisfies the set-top box proof rule, set-top box fitting machine top box application program then, otherwise withdraw from.
2. signature authentication method according to claim 1 is characterized in that, described authorization information is the software information software developer information sequence section after deciphering, and described service end proof rule is:
Service end is searched according to software information software developer information sequence section, if preserve software information software developer information sequence section, then is judged as and satisfies the service end proof rule, does not satisfy the service end proof rule otherwise be judged as.
3. signature authentication method according to claim 1, it is characterized in that, described set-top box proof rule is: if set-top box is in the set-top box scope that the set-top box application program that set-top box identifying information tract is identified is suitable for, then be judged as and satisfy proof rule, do not satisfy proof rule otherwise be judged as.
4. signature authentication method according to claim 1 is characterized in that, described signing messages sequence also comprises uses digest algorithm to extract the first unique program digest tract from the set-top box application program.
5. signature authentication method according to claim 4 is characterized in that, described set-top box proof rule is:
If in the set-top box scope that the set-top box application program that set-top box is identified at set-top box identifying information tract is suitable for, and;
The first program digest tract is consistent from the second program digest tract that the extraction of set-top box application program obtains by digest algorithm with set-top box, then is judged as and satisfies proof rule;
Do not satisfy proof rule otherwise be judged as.
6. signature authentication method according to claim 4 is characterized in that, in the described signature step, service end is also preserved the first program digest tract;
Described authorization information comprises the software information software developer information sequence section after the deciphering and passes through the signature sequence of the signing messages sequence of symmetric cryptography;
Described service end proof rule is:
Service end is searched according to software information software developer information sequence section, if preserve software information software developer information sequence section, then adopt corresponding symmetric cryptographic key that the signing messages sequence through symmetric cryptography is decoded, obtain set-top box identifying information tract and the 3rd program digest tract, if the first program digest tract is consistent with the 3rd program digest tract, then be judged as and satisfy the service end proof rule, do not satisfy the service end proof rule otherwise be judged as.
7. set-top box application progressive number signature authentication system, application rights requires 1~6 each described digital signature authentication method, it is characterized in that described system comprises:
Be arranged on the signature blocks of signature service end, comprise:
Symmetric cryptographic key safe in utilization carries out the service end symmetric cryptography module of safe symmetric cryptography to the signing messages sequence that comprises set-top box identifying information tract;
Preservation is used to identify software information and software developer's the software information software developer information sequence section and the service end memory module of corresponding symmetric cryptographic key thereof;
Asymmetry cryptographic algorithm safe in utilization generates one group of effective asymmetric cryptographic key and PKI, uses asymmetric cryptographic key to comprising software information software developer information sequence section and encrypting the asymmetric encryption module that obtains the ciphering signature sequence through the signature sequence of the signing messages sequence of symmetric cryptography;
With PKI and ciphering signature sequence certificate generation module as certificate;
Set-top box application program and certificate are carried out the die section that amalgamation obtains the set-top box application program of process signature;
Be arranged on the set-top box authentication module of set-top box, comprise:
The ciphering signature sequence that uses public-key to certificate is decrypted, and obtains comprising software information software developer information sequence section and through the asymmetric deciphering module of set-top box of the signature sequence of the signing messages sequence of symmetric cryptography;
Send the set-top box transport module of authorization information to service end by secure communication;
If receive service end end feedback error, then withdraw from, otherwise use the symmetric cryptographic key receive that the signing messages sequence through symmetric cryptography is decrypted, obtain comprising the set-top box symmetry deciphering module of the signing messages sequence of set-top box identifying information tract;
The set-top box authentication module of the signing messages sequence being verified according to the set-top box proof rule;
When the signing messages sequence satisfies the set-top box proof rule, the set-top box set up applications module of fitting machine top box application program;
Be arranged on the service end authentication module of service end, described service end authentication module is used for the authorization information that receives is verified, if satisfy the service end proof rule, then sends the symmetric cryptographic key corresponding with authorization information to set-top box, otherwise, to the set-top box feedback error;
Service end is connected by closing optical fibre-coaxial cable net or Ethernet with set-top box.
8. application program digital signature identification according to claim 7 system, it is characterized in that, described signature blocks also comprises uses the extraction module of digest algorithm from the unique program digest tract of set-top box application program extraction, and described signing messages sequence also comprises the program digest tract that obtains by extraction module.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201010617801 CN102065092B (en) | 2010-12-31 | 2010-12-31 | Method and system for authorizing digital signature of application program of set top box |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201010617801 CN102065092B (en) | 2010-12-31 | 2010-12-31 | Method and system for authorizing digital signature of application program of set top box |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102065092A true CN102065092A (en) | 2011-05-18 |
| CN102065092B CN102065092B (en) | 2013-03-06 |
Family
ID=44000193
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 201010617801 Active CN102065092B (en) | 2010-12-31 | 2010-12-31 | Method and system for authorizing digital signature of application program of set top box |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102065092B (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103402141A (en) * | 2013-08-06 | 2013-11-20 | 江苏省广电有线信息网络股份有限公司南京分公司 | Ukey-based secure television payment method |
| CN104796745A (en) * | 2015-03-26 | 2015-07-22 | 成都市斯达鑫辉视讯科技有限公司 | Safety protection method for set top box |
| CN106452786A (en) * | 2013-09-30 | 2017-02-22 | 华为技术有限公司 | Encryption and decryption processing method, apparatus and device |
| CN108280917A (en) * | 2018-03-21 | 2018-07-13 | 首创置业股份有限公司 | A kind of access control system and equipment based on Internet of Things public service platform |
| CN110176985A (en) * | 2019-05-08 | 2019-08-27 | 重庆八戒电子商务有限公司 | A kind of information ciphering method, device and storage medium |
| CN112106376A (en) * | 2018-06-03 | 2020-12-18 | 苹果公司 | Universal streaming media device configured as a set-top box |
| CN114785514A (en) * | 2022-03-23 | 2022-07-22 | 国网上海能源互联网研究院有限公司 | Method and system for authorizing application permission of industrial Internet of things terminal |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2006031203A1 (en) * | 2005-01-06 | 2006-03-23 | Measat Broadcast Network Systems Sdn. Bhd. | An interactive television system |
| CN101247507A (en) * | 2008-03-17 | 2008-08-20 | 浪潮电子信息产业股份有限公司 | Digital copyright managing method of distributed television broadcast station and broadcast and television network operator |
-
2010
- 2010-12-31 CN CN 201010617801 patent/CN102065092B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2006031203A1 (en) * | 2005-01-06 | 2006-03-23 | Measat Broadcast Network Systems Sdn. Bhd. | An interactive television system |
| CN101247507A (en) * | 2008-03-17 | 2008-08-20 | 浪潮电子信息产业股份有限公司 | Digital copyright managing method of distributed television broadcast station and broadcast and television network operator |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103402141A (en) * | 2013-08-06 | 2013-11-20 | 江苏省广电有线信息网络股份有限公司南京分公司 | Ukey-based secure television payment method |
| CN106452786A (en) * | 2013-09-30 | 2017-02-22 | 华为技术有限公司 | Encryption and decryption processing method, apparatus and device |
| CN104796745A (en) * | 2015-03-26 | 2015-07-22 | 成都市斯达鑫辉视讯科技有限公司 | Safety protection method for set top box |
| CN108280917A (en) * | 2018-03-21 | 2018-07-13 | 首创置业股份有限公司 | A kind of access control system and equipment based on Internet of Things public service platform |
| CN112106376A (en) * | 2018-06-03 | 2020-12-18 | 苹果公司 | Universal streaming media device configured as a set-top box |
| CN110176985A (en) * | 2019-05-08 | 2019-08-27 | 重庆八戒电子商务有限公司 | A kind of information ciphering method, device and storage medium |
| CN114785514A (en) * | 2022-03-23 | 2022-07-22 | 国网上海能源互联网研究院有限公司 | Method and system for authorizing application permission of industrial Internet of things terminal |
| CN114785514B (en) * | 2022-03-23 | 2023-11-14 | 国网上海能源互联网研究院有限公司 | Method and system for application license authorization of industrial Internet of things terminal |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102065092B (en) | 2013-03-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20240007308A1 (en) | Confidential authentication and provisioning | |
| US9912485B2 (en) | Method and apparatus for embedding secret information in digital certificates | |
| US10015159B2 (en) | Terminal authentication system, server device, and terminal authentication method | |
| CN101828357B (en) | Credential provisioning method and device | |
| US6839841B1 (en) | Self-generation of certificates using secure microprocessor in a device for transferring digital information | |
| US8130961B2 (en) | Method and system for client-server mutual authentication using event-based OTP | |
| CN102065092B (en) | Method and system for authorizing digital signature of application program of set top box | |
| CN101212293B (en) | Identity authentication method and system | |
| CN102802036B (en) | System and method for identifying digital television | |
| CN111372247A (en) | Terminal secure access method and terminal secure access system based on narrowband Internet of things | |
| CN110891061B (en) | Data encryption and decryption method and device, storage medium and encrypted file | |
| CN111614621B (en) | Internet of things communication method and system | |
| CN104424446A (en) | Safety verification and transmission method and system | |
| CN103684798A (en) | Authentication system used in distributed user service | |
| CN111435390A (en) | Safety protection method for operation and maintenance tool of power distribution terminal | |
| CN114697040A (en) | Electronic signature method and system based on symmetric key | |
| CN112448810B (en) | Authentication method and device | |
| CN108933659A (en) | A kind of authentication system and verification method of smart grid | |
| CN104883260B (en) | Certificate information processing and verification method, processing terminal and authentication server | |
| CN110855442A (en) | PKI (public key infrastructure) technology-based inter-device certificate verification method | |
| CN113676330B (en) | Digital certificate application system and method based on secondary secret key | |
| KR20200043855A (en) | Method and apparatus for authenticating drone using dim | |
| WO2014187209A1 (en) | Method and system for backing up information in electronic signature token | |
| WO2017109058A1 (en) | Security management system for securing a communication between a remote server and an electronic device | |
| CN215010302U (en) | Safety certification equipment of power distribution internet of things based on block chain |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |