Summary of the invention
The object of the present invention is to overcome the shortcomings and defects of the prior art by providing a digital copyright management method that counters illegal copying.
The object of the present invention is achieved as follows:
A digital copyright management method for countering illegal copying (hereinafter "the method").
The method comprises the following steps:
1. The content server encrypts the raw data as required, packages it into a protected file, and publishes that file on the Internet for users to download; at the same time, the content server sends the product information, right information and key of the protected file to the authorization server, which stores them in its database;
2. The user installs the client software and obtains the protected file issued by the content server on the user terminal, either by downloading it from the Internet or by copying it from another device;
3. When the user opens the protected file with the client software on the user terminal, the DRM controller in the client software first performs local verification of the protected file; if local verification passes, the user can use the protected file without a network connection;
4. When local verification fails, the user must perform networked verification, otherwise the protected file cannot be used; a user whose local verification succeeded but who wants to obtain more usage rights for the protected file must also perform networked verification;
5. After local verification or networked verification passes, the DRM controller extracts the raw data from the protected file according to the current state of the initial right and the licence, and constrains the built-in application program's use of the raw data according to the right information contained in the initial right and the licence.
The present invention has the following advantages and positive effects:
1. The licence is encrypted and decrypted with a symmetric key generated from the hardware information of the user terminal, which makes local verification possible: once authorized, the user can open the file without a network connection;
2. Even if the user copies a protected file carrying a legal licence to another device, it cannot be opened normally there without networked re-authorization (copying within the same terminal remains unrestricted), which effectively counters illegal copying.
Embodiments
The invention is described in detail below with reference to the drawings and embodiments:
I. System
1. Overview
As shown in Fig. 1, the system comprises a user terminal 10, a content server 20 and an authorization server 30, which are interconnected;
Working mechanism of the system:
Content server 20 is responsible for generating the protected file and setting its initial right; user terminal 10 obtains the protected file from content server 20; content server 20 sends the product information, right information and key to authorization server 30, which stores them; content server 20 sends an authorization request over the network to authorization server 30, and after verification authorization server 30 issues a licence to user terminal 10.
2. Functional blocks
1) User terminal 10
User terminal 10 is the hardware device on which the user uses the protected file. It mainly comprises all kinds of portable electronic products, such as computers, mobile phones, the iPod (a music player product of Apple) and the iPad (a tablet computer product of Apple).
User terminal 10 comprises protected file packet 11 and client software 12; client software 12 comprises DRM controller 121, built-in application program 122 and licence data packet 123;
Protected file packet 11 is formed by packaging the metadata together with the encrypted raw data; built-in application program 122 is used to open and use the raw data in the protected file;
As shown in Fig. 2, metadata 201 consists of four parts: authorization address 202, initial right 203, licence 204 and product information 205; the licence in turn consists of hash verification code 206, right 207 and key 208.
2) Content server 20
Content server 20 is where digital content is encrypted and packaged to generate the protected file.
Content server 20 comprises content repository 21, product information repository 22 and DRM packager 23;
Content repository 21 and product information repository 22 are each connected to DRM packager 23.
3) Authorization server 30
Authorization server 30, also called the licence server, is mainly responsible for verifying user identity and for generating and distributing licences to use digital content.
Authorization server 30 comprises rights database 31, key and product database 32, DRM licence generator 33 and user database 34;
Rights database 31, key and product database 32, and user database 34 are each connected to DRM licence generator 33.
II. Specific implementation steps of the method
1. Step 1 described above is subdivided into the following steps:
A. The content provider uploads the metadata and the original content file, denoted File1, to the content server. The licence field in the metadata is filled entirely with null characters, and the initial right field is filled in according to the actual situation: if the protected file grants the user some rights for free, the initial right field records the rights that may be used for free; otherwise the initial right field is also filled with null characters;
B. The content server encrypts File1 according to the initial right in the metadata: the part that the user may use or browse for free is not encrypted and the remainder is fully encrypted; if the initial right field is empty, the whole original content file is encrypted. The encryption key and decryption key used are generated temporarily by the content server;
C. The DRM packager in the content server packages the metadata and File1; at the same time, the rights declaration, decryption key and product information are sent to the authorization server and stored in its database;
D. The content server publishes the packaged protected file, denoted File2, on the Internet for users to download freely;
E. The content server sends the product information, right information and key of protected file File2 to the authorization server, which stores them in its database for use when the user performs networked verification.
2. As shown in Fig. 3, step 3 described above is subdivided into the following steps:
Local verification starts 301;
a. The DRM controller reads the metadata fields 302 at the head of protected file File2;
b. Judge whether the licence field in the metadata exists 303; if yes, go to step c, otherwise jump to step g;
If the licence field does not exist, File2 has not yet gone through networked authorization; otherwise File2 currently contains a licence;
c. The DRM controller extracts the hardware information of the user terminal and computes the symmetric key of the licence from that hardware information with the function KeyGeneration; at the same time, the DRM controller computes the hash value H 304 from the hardware information with the function ConputeHash;
d. The DRM controller reads the licence field. The licence information read at this point is encrypted and its contents cannot be obtained directly, so the DRM controller first decrypts the licence field it has read to obtain the plaintext of the licence, and then judges whether the licence is legal 305 by checking whether the hash value H equals the hash verification code in the decrypted licence field;
e. Judge whether the licence is legal 306; if yes, go to step f, otherwise jump to step g;
If the hash value H equals the hash verification code in the decrypted licence field, the licence in File2 is indeed a legal licence issued by the authorization server to this user terminal through networked verification; otherwise protected file File2 was copied from another device and the licence it contains is illegal;
f. The DRM controller extracts the initial right field 307 from the metadata of protected file File2; in step 5 the raw data in the protected file can then be extracted according to whether the initial right exists. At this point local verification has succeeded and no further networked verification is needed 308; local verification ends 313;
g. The DRM controller extracts the initial right field 309 from the metadata of protected file File2;
h. Judge whether the initial right exists 310; if yes, local verification succeeds, but networked verification is required if the user wants to obtain more rights 311, and local verification ends 313;
otherwise local verification fails and further networked verification is required 312, which indicates that the initial right does not exist; local verification likewise ends 313.
3. As shown in Fig. 4, step 4 described above is subdivided into the following steps:
Networked verification starts 401;
I. The DRM controller reads the product information in the metadata of protected file File2, the authorization server address in the authorization address field, and the user information of the user currently logged in to the client; it also extracts the hardware information of the user terminal, and then sends an authorization request 402 to the authorization server;
II. The authorization server checks whether the user has purchased the right to use protected file File2 on this user terminal 403;
III. Judge whether the user has purchased the right 404; if yes, go to step IV, otherwise jump to step VIII;
IV. The authorization server generates a licence 405 from the user's usage rights for protected file File2 on this terminal and the decryption key of original content file File1;
V. The authorization server computes the symmetric key of the licence from the hardware information of the user terminal with the function KeyGeneration, and encrypts the licence with that key 406;
VI. The authorization server sends the encrypted licence to the client 407;
VII. Networked verification succeeds 408; at this point networked verification ends 412;
VIII. The authorization server prompts the user, through the client, to purchase the right 409;
IX. Judge whether the user purchases the right 410; if yes, jump to step IV, otherwise go to step X;
X. The authorization server refuses authorization and networked verification fails; at this point networked verification ends 412.
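The hardware binding used in local verification steps b to h and in networked verification steps IV and V can be sketched as follows. This is an added example, not code from the patent: the SHA-256 derivations standing in for KeyGeneration and the hash function, the keystream cipher, the JSON licence layout and the hardware strings are all assumptions chosen so the sketch runs with the Python standard library only.

```python
import hashlib, hmac, json

def key_generation(hw_info: str) -> bytes:
    """Assumed stand-in for KeyGeneration: licence key derived from hardware info."""
    return hashlib.sha256(b"licence-key|" + hw_info.encode()).digest()

def compute_hash(hw_info: str) -> str:
    """Assumed stand-in for the hash function that yields H."""
    return hashlib.sha256(b"licence-hash|" + hw_info.encode()).hexdigest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream); one call encrypts or decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def issue_licence(hw_info: str, rights: list, content_key: str) -> bytes:
    """Authorization server, steps IV-V: build the licence, encrypt it to the terminal."""
    licence = {"hash_code": compute_hash(hw_info), "rights": rights, "key": content_key}
    return xor_stream(key_generation(hw_info), json.dumps(licence).encode())

def local_verify(licence_field: bytes, initial_right: bytes, hw_info: str):
    """DRM controller, steps b-h. Returns (outcome, licence or None)."""
    if licence_field.strip(b"\x00"):                 # step b: field is not null-filled
        plain = xor_stream(key_generation(hw_info), licence_field)  # steps c-d
        try:
            lic = json.loads(plain)
        except ValueError:                           # key of another terminal: garbage
            lic = None
        if isinstance(lic, dict) and hmac.compare_digest(
                str(lic.get("hash_code")).encode(), compute_hash(hw_info).encode()):
            return "licence_ok", lic                 # steps e-f
    if initial_right.strip(b"\x00"):                 # steps g-h
        return "initial_right_only", None
    return "network_required", None

# Constructed sample values: two terminals and a licence issued to terminal A.
HW_A, HW_B = "cpu=A1B2;disk=0001", "cpu=C3D4;disk=0002"
BLOB = issue_licence(HW_A, ["read", "print"], "00" * 16)
```

A licence blob copied to terminal B decrypts to garbage under B's key, so `local_verify` falls through to the initial-right check exactly as steps e and g prescribe.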
4. Step 5 described above is subdivided into the following steps:
1) After either local verification or networked verification has passed, the DRM controller extracts the plaintext raw data and the right information according to the request of the built-in application program and the current state of the initial right and the licence. The initial right and the licence can be in one of the following 3 states:
State 1: the initial right information does not exist, and the licence exists and is legal;
State 2: the initial right information exists, while the licence does not exist or exists but is illegal;
State 3: the initial right information exists, and the licence also exists and is legal;
When the initial right and the licence are in state 1: the DRM controller first decrypts the licence with the symmetric key to obtain the right information in the licence and the decryption key of the raw data, and then, according to the request of the built-in application program, decrypts the corresponding ciphertext part of the raw data with that key to obtain the plaintext of the raw data;
When the initial right and the licence are in state 2: the DRM controller extracts the initial right information and records the unencrypted regions of the raw data according to it, and then extracts the unencrypted plaintext raw data directly according to the request of the built-in application program; if the original content requested by the built-in application program exceeds the recorded regions, the DRM controller refuses to provide the data and prompts the user to purchase the corresponding right;
When the initial right and the licence are in state 3: first, the DRM controller extracts the initial right information and records the unencrypted regions of the raw data according to it; second, the DRM controller decrypts the licence with the symmetric key to obtain the right information in the licence and the decryption key of the raw data; finally, the DRM controller judges whether the raw data currently required by the built-in application program is encrypted: if it lies within a recorded unencrypted region it is extracted directly, otherwise the required part of the raw data is first decrypted with the key and the decrypted plaintext is then extracted;
2) The DRM controller passes the extracted plaintext raw data to the built-in application program for it to use and operate on; at the same time, the DRM controller constrains the built-in application program's operations on the raw data according to the right information contained in the initial right and the licence.
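The three states of step 5 reduce to one per-position decision: serve bytes from a recorded unencrypted region directly, decrypt the rest when a legal licence supplies the content key, and refuse otherwise. The following is an added example, not code from the patent; the byte-range representation of the initial right, the position-addressable keystream cipher and all names and sample values are assumptions.

```python
import hashlib

def ks_byte(key: bytes, pos: int) -> int:
    """Keystream byte for an absolute file position (stand-in cipher, assumption)."""
    return hashlib.sha256(key + (pos // 32).to_bytes(8, "big")).digest()[pos % 32]

def pack(raw: bytes, free_regions, key: bytes) -> bytes:
    """Content server step B: encrypt everything except the free regions."""
    out = bytearray(b ^ ks_byte(key, i) for i, b in enumerate(raw))
    for start, end in free_regions:
        out[start:end] = raw[start:end]
    return bytes(out)

def read_range(stored: bytes, start: int, end: int, free_regions, content_key):
    """DRM controller step 5.

    free_regions: unencrypted regions recorded from the initial right ([] if absent).
    content_key:  key taken from a legal licence (None if absent or illegal).
    """
    out = bytearray()
    for pos in range(start, end):
        if any(s <= pos < e for s, e in free_regions):
            out.append(stored[pos])                  # recorded region: extract directly
        elif content_key is not None:
            out.append(stored[pos] ^ ks_byte(content_key, pos))  # decrypt, then extract
        else:
            # State 2 and the request exceeds the recorded region: refuse.
            raise PermissionError("outside free region; purchase of rights required")
    return bytes(out)

# Constructed sample: 200 bytes of content, the first 64 usable for free.
RAW = bytes(range(200))
KEY = b"\x11" * 16
FREE = [(0, 64)]
STORED = pack(RAW, FREE, KEY)   # file with an initial right (states 2 and 3)
FULL = pack(RAW, [], KEY)       # file without an initial right (state 1)
```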