CN102065092B - Method and system for authorizing digital signature of application program of set top box - Google Patents

Method and system for authorizing digital signature of application program of set top box Download PDF

Info

Publication number
CN102065092B
CN102065092B CN 201010617801 CN201010617801A CN102065092B CN 102065092 B CN102065092 B CN 102065092B CN 201010617801 CN201010617801 CN 201010617801 CN 201010617801 A CN201010617801 A CN 201010617801A CN 102065092 B CN102065092 B CN 102065092B
Authority
CN
China
Prior art keywords
box
sequence
signature
information
service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN 201010617801
Other languages
Chinese (zh)
Other versions
CN102065092A (en
Inventor
王亚骞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Unionman Technology Co Ltd
Original Assignee
Guangdong Unionman Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong Unionman Technology Co Ltd filed Critical Guangdong Unionman Technology Co Ltd
Priority to CN 201010617801 priority Critical patent/CN102065092B/en
Publication of CN102065092A publication Critical patent/CN102065092A/en
Application granted granted Critical
Publication of CN102065092B publication Critical patent/CN102065092B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Abstract

The invention relates to the relevant technical field of set top boxes, in particular to a method and system for authorizing a digital signature of an application program of a set top box. The method comprises the steps of: carrying out safe symmetrical encryption on a signature information sequence by a service end by using safe symmetrically encrypted secret keys; encrypting a signature sequence by using asymmetrically encrypted secrete keys to obtain an encrypted signature sequence, wherein a public key and the encrypted signature sequence are used as certificates; obtaining a signed application program of the set top box by the set top box, decrypting the encrypted signature sequence of the certificates by using the public key, sending verification information to the service end through safe communication; and verifying the verification information by the service end, sending the symmetrically encrypted secret keys to the set top box, decrypting the encrypted signature information sequence by the set top box by using the symmetrically encrypted secret keys to obtain the signature information sequence and installing after verifying. The technical scheme provided by the invention is more flexible compared with a PKI (Public Key Infrastructure) digital certificate technology, and the processing mechanism is simpler.

Description

A kind of set-top box application progressive number signature authentication method and system thereof
Technical field
The present invention relates to the set-top box correlative technology field, particularly a kind of set-top box application progressive number signature authentication method and system thereof.
Background technology
Existing set-top box application progressive number signature authentication method as shown in Figure 1, the PKIX of employing (Public Key Infrastructure, PKI) digital certificate technique adopts the asymmetrical encryption system of RSA, and is safer.But the existing signature authentication method real free time is long, between set-top box developer and software developer, increased simultaneously third-party certification authority (CA, Certificate Authority) mechanism, system are complicated, and have increased cost.
Summary of the invention
First goal of the invention of the present invention is to provide a kind of set-top box application progressive number signature authentication method, with the comparatively complicated technical problem of set-top box application progressive number signature authentication method that solves prior art.
In order to realize first goal of the invention of the present invention, the technical scheme of employing is as follows:
A kind of set-top box application progressive number signature authentication method, described method comprises:
Signature step:
Service end uses the symmetric cryptographic key of safety that the signing messages sequence that comprises set-top box identifying information tract is carried out safe symmetric cryptography, and described set-top box identifying information tract is used for the set-top box scope that marking machine top box application program is suitable for;
Service end is preserved software information software developer information sequence section and the corresponding symmetric cryptographic key thereof that is used for sign software information and software developer;
With software information software developer information sequence section, through the signing messages sequence of symmetric cryptography as signature sequence;
Use the asymmetry cryptographic algorithm of safety to generate one group of effective asymmetric cryptographic key and PKI, use asymmetric cryptographic key that signature sequence is encrypted and obtain the ciphering signature sequence, with PKI and ciphering signature sequence as certificate;
Set-top box application program and certificate are carried out amalgamation obtain set-top box application program through signature, finish the digital signature step;
The certifying signature step:
Set-top box obtains the set-top box application program through signature, and the ciphering signature sequence that uses public-key to certificate is decrypted, and obtains comprising software information software developer information sequence section and through the signature sequence of the signing messages sequence of symmetric cryptography;
Send authorization information by secure communication to service end;
Service end is verified authorization information, if satisfy the service end proof rule, then sends the symmetric cryptographic key corresponding with authorization information to set-top box, otherwise, to the set-top box feedback error;
If set-top box receives service end end feedback error, then withdraw from, otherwise use the symmetric cryptographic key that receives that the signing messages sequence through symmetric cryptography is decrypted, obtain comprising the signing messages sequence of set-top box identifying information tract;
If the signing messages sequence satisfies the set-top box proof rule, set-top box fitting machine top box application program then, otherwise withdraw from.
As a kind of preferred version, described authorization information is the software information software developer information sequence section after deciphering, and described service end proof rule is:
Service end is searched according to software information software developer information sequence section, if preserve software information software developer information sequence section, then is judged as and satisfies the service end proof rule, does not satisfy the service end proof rule otherwise be judged as.
As a kind of preferred version, described set-top box proof rule is: if set-top box is in the set-top box scope that the set-top box application program that set-top box identifying information tract identifies is suitable for, then be judged as and satisfy proof rule, do not satisfy proof rule otherwise be judged as.
As a kind of preferred version, described signing messages sequence also comprises uses digest algorithm to extract the first unique program digest tract from the set-top box application program.
As further preferred version, described set-top box proof rule is:
If in the set-top box scope that the set-top box application program that set-top box identifies at set-top box identifying information tract is suitable for, and;
The first program digest tract is consistent from the second program digest tract that the extraction of set-top box application program obtains by digest algorithm with set-top box, then is judged as and satisfies proof rule;
Do not satisfy proof rule otherwise be judged as.
As further preferred version, in the described signature step, service end is also preserved the first program digest tract;
Described authorization information comprises the software information software developer information sequence section after the deciphering and passes through the signature sequence of the signing messages sequence of symmetric cryptography;
Described service end proof rule is:
Service end is searched according to software information software developer information sequence section, if preserve software information software developer information sequence section, then adopt corresponding symmetric cryptographic key that the signing messages sequence through symmetric cryptography is decoded, obtain set-top box identifying information tract and the 3rd program digest tract, if the first program digest tract is consistent with the 3rd program digest tract, then be judged as and satisfy the service end proof rule, do not satisfy the service end proof rule otherwise be judged as.
Second goal of the invention of the present invention is to provide a kind of set-top box application progressive number Signature Authentication System, the digital signature authentication method that is provided to use first goal of the invention of the present invention.
In order to realize second goal of the invention of the present invention, the technical scheme of employing is as follows:
A kind of set-top box application progressive number Signature Authentication System, described system comprises:
Be arranged on the signature blocks of Digital signature service end, comprise:
Use safe symmetric cryptographic key the signing messages sequence that comprises set-top box identifying information tract to be carried out the service end symmetric cryptography module of safe symmetric cryptography;
Preserve the service end memory module for the symmetric cryptographic key of the software information software developer information sequence section that identifies software information and software developer and correspondence thereof;
Use the asymmetry cryptographic algorithm of safety to generate one group of effective asymmetric cryptographic key and PKI, use asymmetric cryptographic key to comprising software information software developer information sequence section and being encrypted the asymmetric encryption module that obtains the ciphering signature sequence through the signature sequence of the signing messages sequence of symmetric cryptography;
With PKI and the ciphering signature sequence certificates constructing module as certificate;
Set-top box application program and certificate are carried out amalgamation obtain die section through the set-top box application program of signature;
Be arranged on the set-top box authentication module of set-top box, comprise:
The ciphering signature sequence that uses public-key to certificate is decrypted, and obtains comprising software information software developer information sequence section and through the asymmetric deciphering module of set-top box of the signature sequence of the signing messages sequence of symmetric cryptography;
Send the set-top box transport module of authorization information to service end by secure communication;
If receive service end end feedback error, then withdraw from, otherwise use the symmetric cryptographic key receive that the signing messages sequence through symmetric cryptography is decrypted, obtain comprising the symmetrical deciphering module of set-top box of the signing messages sequence of set-top box identifying information tract;
The set-top box authentication module of the signing messages sequence being verified according to the set-top box proof rule;
When the signing messages sequence satisfies the set-top box proof rule, the set-top box set up applications module of fitting machine top box application program;
Be arranged on the service end authentication module of service end, described service end authentication module is used for the authorization information that receives is verified, if satisfy the service end proof rule, then sends the symmetric cryptographic key corresponding with authorization information to set-top box, otherwise, to the set-top box feedback error;
Service end is connected by closing optical fibre-coaxial cable net or Ethernet with set-top box.
As a kind of preferred version, described signature blocks also comprises the extraction module that uses digest algorithm to extract unique program digest tract from the set-top box application program, and described signing messages sequence also comprises the program digest tract that obtains by extraction module.
Technical scheme of the present invention, owing to relying on front end and service end to carry out signature verification, so flexibility can be more flexible with respect to the PKI digital certificate technique, treatment mechanism is also simpler.
Description of drawings
Fig. 1 is the signature schematic diagram of the embodiment of the invention;
Fig. 2 is the authentication schematic diagram of the embodiment of the invention.
Embodiment
The present invention will be further described in detail below in conjunction with the drawings and specific embodiments.
Set-top box application progressive number certificate is mainly realized three functions:
1, determines that this application program can operate on the machine of what model, i.e. the top-set hardware characteristic.
2, determine whether this application program is legal, whether this application program is in the registration of set-top box manufacturer, the i.e. fail safe of application program.
3, determine that the corresponding application program of digital certificate in this application program is exactly this application program, be equivalent to the identity card of application program.
The segmentation of digital certificate and description:
1, software information software developer information sequence section.The main descriptor of describing software, developer's information.
2, program digest tract.Utilize traditional digest algorithm to extract the summary of software, and extract the software identity card.
3, set-top box identifying information tract.The main applicable top-set hardware version of software of describing, area etc. are with the relevant information of set-top box.
Be illustrated in figure 1 as certificate manufacturing process:
1, the software developer submits to set-top box manufacturer with set-top box identifying information tract, software information software developer information sequence section and set-top box application program and carries out testing authentication.
If 2 software tests checking is passed through, the signature system of set-top box manufacturer uses digest algorithm to extract unique program digest tract of this software, and according to the key of the symmetric cryptography of a safety of certain law generation, and with set-top box identifying information tract and program digest tract behind the symmetric cryptography via safety, with data feedback to the software developer, and software and software developer's information sequence section and program digest tract left in the online verification system, and generate counterpart keys.
Above-mentioned digest algorithm can be existing various program digest algorithms, only need to extract one section unique tract from application program and get final product.
3, afterwards, software developer's signature system uses the asymmetry cryptographic algorithm of safety to generate one group of effective key and PKI, and with key amalgamation software information software developer information sequence section, program digest tract (symmetric cryptography), set-top box identifying information tract (symmetric cryptography) data is afterwards carried out asymmetric encryption.Data after encrypting with PKI amalgamation be in the same place, as certificate, be attached to set-top box application program head, be distributed to the user and use.
Among the embodiment, the signature system of software developer's signature system, online verification system and set-top box manufacturer consists of service end jointly, and described online verification system and signature system can be arranged for unified setting also can divide.
During mounting software (being the set-top box application program), to the processing of certificate as shown in Figure 2:
1, utilize PKI to other part deciphering of certificate beyond the PKI.
2, the software information software developer information sequence section after will deciphering is sent out by secure communication and is sent to server end.
3, server end is searched the information of this software, if find, just sends key to set-top box, if can not find, also to the set-top box feedback error.
If 4 receive server-side error, installation procedure not then.If receive the key that server sends, then with key set-top box identifying information tract and program digest tract be decrypted.
If 5 set-top box identifying information tracts can not adapt to this type, or the Software match that some authorization informations of service routine summary tract are installed needs do not go up, and then withdraws from installation.No person continues.
6, extract the summary of the software that needs installation with digest algorithm, if program digest tract relevant information is not wanted to meet after summary and the deciphering, then withdraw from installation.No person's mounting software.

Claims (8)

1. a set-top box application progressive number signature authentication method is characterized in that, described method comprises:
Signature step:
Service end uses the symmetric cryptographic key of safety that the signing messages sequence that comprises set-top box identifying information tract is carried out safe symmetric cryptography, and described set-top box identifying information tract is used for the set-top box scope that marking machine top box application program is suitable for;
Service end is preserved software information software developer information sequence section and the corresponding symmetric cryptographic key thereof that is used for sign software information and software developer;
With software information software developer information sequence section, through the signing messages sequence of symmetric cryptography as signature sequence;
Use the asymmetry cryptographic algorithm of safety to generate one group of effective asymmetric cryptographic key and PKI, use asymmetric cryptographic key that signature sequence is encrypted and obtain the ciphering signature sequence, with PKI and ciphering signature sequence as certificate;
Set-top box application program and certificate are carried out amalgamation obtain set-top box application program through signature, finish the digital signature step;
The certifying signature step:
Set-top box obtains the set-top box application program through signature, and the ciphering signature sequence that uses public-key to certificate is decrypted, and obtains comprising software information software developer information sequence section and through the signature sequence of the signing messages sequence of symmetric cryptography;
Send authorization information by secure communication to service end;
Service end is verified authorization information, if satisfy the service end proof rule, then sends the symmetric cryptographic key corresponding with authorization information to set-top box, otherwise, to the set-top box feedback error;
If set-top box receives the service end feedback error, then withdraw from, otherwise use the symmetric cryptographic key that receives that the signing messages sequence through symmetric cryptography is decrypted, obtain comprising the signing messages sequence of set-top box identifying information tract;
If the signing messages sequence satisfies the set-top box proof rule, set-top box fitting machine top box application program then, otherwise withdraw from.
2. signature authentication method according to claim 1 is characterized in that, described authorization information is the software information software developer information sequence section after deciphering, and described service end proof rule is:
Service end is searched according to software information software developer information sequence section, if preserve software information software developer information sequence section, then is judged as and satisfies the service end proof rule, does not satisfy the service end proof rule otherwise be judged as.
3. signature authentication method according to claim 1, it is characterized in that, described set-top box proof rule is: if set-top box is in the set-top box scope that the set-top box application program that set-top box identifying information tract identifies is suitable for, then be judged as and satisfy proof rule, do not satisfy proof rule otherwise be judged as.
4. signature authentication method according to claim 1 is characterized in that, described signing messages sequence also comprises uses digest algorithm to extract the first unique program digest tract from the set-top box application program.
5. signature authentication method according to claim 4 is characterized in that, described set-top box proof rule is:
If in the set-top box scope that the set-top box application program that set-top box identifies at set-top box identifying information tract is suitable for, and;
The first program digest tract is consistent from the second program digest tract that the extraction of set-top box application program obtains by digest algorithm with set-top box, then is judged as and satisfies proof rule;
Do not satisfy proof rule otherwise be judged as.
6. signature authentication method according to claim 4 is characterized in that, in the described signature step, service end is also preserved the first program digest tract;
Described authorization information comprises the software information software developer information sequence section after the deciphering and passes through the signature sequence of the signing messages sequence of symmetric cryptography;
Described service end proof rule is:
Service end is searched according to software information software developer information sequence section, if preserve software information software developer information sequence section, then adopt corresponding symmetric cryptographic key that the signing messages sequence through symmetric cryptography is decoded, obtain set-top box identifying information tract and the 3rd program digest tract, if the first program digest tract is consistent with the 3rd program digest tract, then be judged as and satisfy the service end proof rule, do not satisfy the service end proof rule otherwise be judged as.
7. set-top box application progressive number Signature Authentication System, application rights requires 1~6 each described digital signature authentication method, it is characterized in that, and described system comprises:
Be arranged on the signature unit of Digital signature service end, comprise:
Use safe symmetric cryptographic key the signing messages sequence that comprises set-top box identifying information tract to be carried out the service end symmetric cryptography module of safe symmetric cryptography;
Preserve the service end memory module for the symmetric cryptographic key of the software information software developer information sequence section that identifies software information and software developer and correspondence thereof;
Use the asymmetry cryptographic algorithm of safety to generate one group of effective asymmetric cryptographic key and PKI, use asymmetric cryptographic key to comprising software information software developer information sequence section and being encrypted the asymmetric encryption module that obtains the ciphering signature sequence through the signature sequence of the signing messages sequence of symmetric cryptography;
With PKI and the ciphering signature sequence certificates constructing module as certificate;
Set-top box application program and certificate are carried out amalgamation obtain die section through the set-top box application program of signature;
Be arranged on the set-top box authentication unit of set-top box, comprise:
The ciphering signature sequence that uses public-key to certificate is decrypted, and obtains comprising software information software developer information sequence section and through the asymmetric deciphering module of set-top box of the signature sequence of the signing messages sequence of symmetric cryptography;
Send the set-top box transport module of authorization information to service end by secure communication;
If receive the service end feedback error, then withdraw from, otherwise use the symmetric cryptographic key receive that the signing messages sequence through symmetric cryptography is decrypted, obtain comprising the symmetrical deciphering module of set-top box of the signing messages sequence of set-top box identifying information tract;
The set-top box authentication module of the signing messages sequence being verified according to the set-top box proof rule;
When the signing messages sequence satisfies the set-top box proof rule, the set-top box set up applications module of fitting machine top box application program;
Be arranged on the service end authentication unit of service end, described service end authentication unit is used for the authorization information that receives is verified, if satisfy the service end proof rule, then sends the symmetric cryptographic key corresponding with authorization information to set-top box, otherwise, to the set-top box feedback error;
Service end is connected by Ethernet with set-top box.
8. application program digital signature identification according to claim 7 system, it is characterized in that, described signature unit also comprises the extraction module that uses digest algorithm to extract unique program digest tract from the set-top box application program, and described signing messages sequence also comprises the program digest tract that obtains by extraction module.
CN 201010617801 2010-12-31 2010-12-31 Method and system for authorizing digital signature of application program of set top box Active CN102065092B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010617801 CN102065092B (en) 2010-12-31 2010-12-31 Method and system for authorizing digital signature of application program of set top box

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010617801 CN102065092B (en) 2010-12-31 2010-12-31 Method and system for authorizing digital signature of application program of set top box

Publications (2)

Publication Number Publication Date
CN102065092A CN102065092A (en) 2011-05-18
CN102065092B true CN102065092B (en) 2013-03-06

Family

ID=44000193

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010617801 Active CN102065092B (en) 2010-12-31 2010-12-31 Method and system for authorizing digital signature of application program of set top box

Country Status (1)

Country Link
CN (1) CN102065092B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103402141A (en) * 2013-08-06 2013-11-20 江苏省广电有线信息网络股份有限公司南京分公司 Ukey-based secure television payment method
CA2925733A1 (en) * 2013-09-30 2015-04-02 Huawei Technologies Co., Ltd. Encryption and decryption processing method, apparatus, and device
CN104796745A (en) * 2015-03-26 2015-07-22 成都市斯达鑫辉视讯科技有限公司 Safety protection method for set top box
US10924793B2 (en) * 2018-06-03 2021-02-16 Apple Inc. Generic streaming media device configured as set top box
CN110176985A (en) * 2019-05-08 2019-08-27 重庆八戒电子商务有限公司 A kind of information ciphering method, device and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101247507A (en) * 2008-03-17 2008-08-20 浪潮电子信息产业股份有限公司 Digital copyright managing method of distributed television broadcast station and broadcast and television network operator

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101138242A (en) * 2005-01-06 2008-03-05 Measat广播网络系统私人有限公司 An interactive television system

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101247507A (en) * 2008-03-17 2008-08-20 浪潮电子信息产业股份有限公司 Digital copyright managing method of distributed television broadcast station and broadcast and television network operator

Also Published As

Publication number Publication date
CN102065092A (en) 2011-05-18

Similar Documents

Publication Publication Date Title
EP3318043B1 (en) Mutual authentication of confidential communication
CA2904615C (en) Method and apparatus for embedding secret information in digital certificates
CN101828357B (en) Credential provisioning method and device
US6839841B1 (en) Self-generation of certificates using secure microprocessor in a device for transferring digital information
CA2359673C (en) Self-generation of certificates using a secure microprocessor in a device for transferring digital information
CN104735068B (en) Method based on the close SIP safety certification of state
CN101212293B (en) Identity authentication method and system
CN102111265A (en) Method for encrypting embedded secure access module (ESAM) of power system acquisition terminal
CN103597520A (en) Method and apparatus for identity-based ticketing
CN102065092B (en) Method and system for authorizing digital signature of application program of set top box
CN102802036B (en) System and method for identifying digital television
CN106790064B (en) The method that both sides are communicated in credible root server-cloud computing server model
CN109802825A (en) A kind of data encryption, the method for decryption, system and terminal device
CN103051869A (en) System and method for encrypting camera video in real time
CN110881048B (en) Safety communication method and device based on identity authentication
WO2021103802A1 (en) Methods and apparatuses for encrypting and decrypting data, storage medium and encrypted file
CN111372247A (en) Terminal secure access method and terminal secure access system based on narrowband Internet of things
CN103684798A (en) Authentication system used in distributed user service
CN103634265A (en) Method, device and system for security authentication
CN103873257A (en) Secrete key updating, digital signature and signature verification method and device
CN103281188B (en) A kind of back up the method and system of private key in electronic signature token
WO2014187209A1 (en) Method and system for backing up information in electronic signature token
CN111614621A (en) Internet of things communication method and system
CN110855442A (en) PKI (public key infrastructure) technology-based inter-device certificate verification method
CN107645500B (en) Broadcast data interaction method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant