Summary of the invention
The purpose of the present invention is to overcome the shortcomings and defects of the prior art by providing a digital rights management (DRM) method that counters illegal copying.
The object of the invention is achieved as follows:
A digital rights management method that counters illegal copying (hereinafter, the method).
The method comprises the following steps:
1. The content server encrypts the original data as required, packages it into a protected file and publishes the file on the Internet for users to download; at the same time, the content server sends the protected file's product information, rights information and key to the authorization server, which stores them in its database;
2. The user installs the client software and places the protected file published by the content server on the user terminal, either by downloading it from the Internet or by copying it from another device;
3. When the user opens the protected file with the client software on the user terminal, the DRM controller in the client software first performs local verification of the protected file; if local verification passes, the user can use the protected file without a network connection;
4. When local verification fails, the user must perform networked verification, otherwise the protected file cannot be used; when a user whose local verification succeeded wants to obtain further time-limited usage rights for the protected file, networked verification is also required;
5. After local verification or networked verification passes, the DRM controller extracts the original data from the protected file according to the current state of the initial rights and the license, and constrains the built-in application's use of the original data according to the rights information contained in the initial rights and the license.
The invention has the following advantages and beneficial effects:
1. A symmetric key generated from the user terminal's hardware information is used to encrypt and decrypt the license, which realizes local verification: once authorized, the user can open the file without a network connection;
2. Even if the user copies a protected file carrying a legal license to another device, the file cannot be opened normally there without networked re-authorization (copying freely within the same terminal is permitted), which effectively counters illegal copying.
Detailed description of the invention
The invention is described in detail below with reference to the accompanying drawings and embodiments:
Part One: System
1. Overview
As shown in Fig. 1, the system comprises a user terminal 10, a content server 20 and an authorization server 30, which are interconnected;
Working mechanism of the system:
The content server 20 is responsible for generating the protected file and setting its initial rights; the user terminal 10 obtains the protected file from the content server 20; the content server 20 sends the product information, rights information and key to the authorization server 30, which stores them; the content server 20 sends an authorization request to the authorization server 30, and after verification the authorization server 30 issues a license to the user terminal 10 over the network.
2. Functional blocks
1) User terminal 10
The user terminal 10 is the hardware device on which the user uses the protected file. It mainly covers all kinds of portable electronic products, such as computers, mobile phones, the iPod (Apple's music player) and the iPad (Apple's tablet computer).
The user terminal 10 contains a protected-file data package 11 and client software 12; the client software 12 comprises a DRM controller 121, a built-in application 122 and a license data package 123;
The protected-file data package 11 is formed by packaging the metadata together with the encrypted original data; the built-in application 122 is used to open and use the original data in the protected file;
As shown in Fig. 2, the metadata 201 consists of four parts: authorization address 202, initial rights 203, license 204 and product information 205; the license in turn consists of a hash verification code 206, rights 207 and a key 208.
2) Content server 20
The content server 20 is where digital content is encrypted and packaged to generate the protected file.
The content server 20 comprises a content repository 21, a product information repository 22 and a DRM packager 23;
The content repository 21 and the product information repository 22 are each connected to the DRM packager 23.
3) Authorization server 30
The authorization server 30, also called the license server, is mainly responsible for verifying user identity and for generating and distributing licenses for the use of digital content.
The authorization server 30 comprises a rights database 31, a key and product database 32, a DRM license generator 33 and a user database 34;
The rights database 31, the key and product database 32 and the user database 34 are each connected to the DRM license generator 33.
Part Two: Specific implementation steps of the method
1. Step 1 is subdivided into the following steps:
A. The content provider designates the original content file as File1 and uploads it to the content server together with the metadata. The license field in the metadata is filled entirely with NUL. The initial rights field is filled according to the actual situation: if the protected file allows users to hold some rights for free, the initial rights field records the freely usable rights; otherwise, the initial rights field is also filled with NUL;
B. The content server encrypts File1 according to the initial rights in the metadata: the parts that users may freely use or browse are not encrypted, and the remainder is fully encrypted; if the initial rights field is empty, the entire original content file is encrypted. The encryption key Ke and the decryption key Kd are generated ad hoc by the content server;
C. The DRM packager in the content server packages the metadata and File1; at the same time, the rights information, the decryption key Kd and the product information are sent to the authorization server and stored in the authorization server's database;
D. The content server designates the packaged protected file as File2 and publishes it on the Internet for users to download freely;
E. The content server sends the product information, rights information and key of the protected file File2 to the authorization server, which stores them in its database for use during the user's networked verification.
2. As shown in Fig. 3, step 3 is subdivided into the following steps:
Local verification starts 301;
a. The DRM controller reads the metadata field at the head of the protected file File2 302;
b. Determine whether the license field in the metadata exists 303; if yes, go to step c; otherwise jump to step g;
If the license field does not exist, File2 has not yet undergone networked authorization; otherwise, File2 currently contains a license;
c. The DRM controller extracts the hardware information of the user terminal and, from the hardware information, computes the license's symmetric key Ks with the function KeyGeneration; at the same time, the DRM controller computes the hash value H from the hardware information with the function ComputeHash 304;
d. The DRM controller reads the license field. The license information read at this point is encrypted, so the license's internal information cannot be obtained directly; the controller therefore first decrypts the license field with Ks to obtain the license plaintext, and then determines whether the license is legal by checking whether the hash value H equals the hash verification code in the decrypted license field 305;
e. Determine whether the license is legal 306; if yes, go to step f; otherwise jump to step g;
If the hash value H equals the hash verification code in the decrypted license field, the license in File2 is indeed a legal license that the authorization server issued to this user terminal through networked verification; otherwise, the protected file File2 was copied from another device and the license it contains is illegal;
f. The DRM controller extracts the initial rights field from the metadata of the protected file File2 307; in step 5, the original data in the protected file can be extracted according to whether the initial rights exist. At this point local verification has succeeded and no further networked verification is needed 308; local verification ends 313;
g. The DRM controller extracts the initial rights field from the metadata of the protected file File2 309;
h. Determine whether the initial rights exist 310; if yes, local verification succeeds, but if the user wants to obtain more rights, networked verification is still required 311; local verification ends 313;
Otherwise, the initial rights do not exist and local verification fails, so networked verification is required 312; local verification likewise ends 313.
3. As shown in Fig. 4, step 4 is subdivided into the following steps:
Networked verification starts 401;
I. The DRM controller reads the product information in the metadata of the protected file File2, the authorization server address in the authorization address field, and the user information of the user currently logged in to the client, extracts the hardware information of the user terminal, and then sends an authorization request to the authorization server 402;
II. The authorization server checks whether the user has purchased the right to use the protected file File2 on this user terminal 403;
III. Determine whether the user has purchased the rights 404; if yes, go to step IV; otherwise jump to step VIII;
IV. The authorization server generates a license from the user's usage rights for the protected file File2 on the terminal and the decryption key Kd of the original content file File1 405;
V. The authorization server computes the license's symmetric key Ks from the hardware information of the user terminal with the function KeyGeneration, and encrypts the license with Ks 406;
VI. The authorization server sends the encrypted license to the client 407;
VII. Networked verification succeeds 408; networked verification ends 412;
VIII. The authorization server prompts the user, through the client, to purchase the rights 409;
IX. Determine whether the user purchases the rights 410; if yes, jump to step IV; otherwise go to step X;
X. The authorization server refuses authorization and networked verification fails; networked verification ends 412.
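An added example, not part of the patent text: the hardware-bound license flow of local-verification steps a to h and license-issuing steps IV to VI, in Python. The SHA-256 derivations used for KeyGeneration and the hash check, the SHAKE-256 keystream standing in for the unspecified symmetric cipher, the JSON license layout and the sample hardware strings are all assumptions.

```python
import hashlib, hmac, json, os

# Assumptions (not from the patent): SHA-256 for KeyGeneration and the hash
# check, and a SHAKE-256 XOR keystream standing in for the unspecified
# symmetric cipher. A real system would use an authenticated cipher.

def key_generation(hw_info: str) -> bytes:
    """Ks: symmetric license key derived from terminal hardware information."""
    return hashlib.sha256(b"Ks|" + hw_info.encode()).digest()

def compute_hash(hw_info: str) -> str:
    """H: value stored in the license as the hash verification code."""
    return hashlib.sha256(b"H|" + hw_info.encode()).hexdigest()

def _crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def issue_license(hw_info: str, rights: list, k_d: bytes) -> bytes:
    """Authorization server, steps IV-VI: build the license, encrypt under Ks."""
    plain = json.dumps({"hash": compute_hash(hw_info), "rights": rights,
                        "key": k_d.hex()}).encode()
    nonce = os.urandom(16)
    return nonce + _crypt(key_generation(hw_info), nonce, plain)

def local_verify(metadata: dict, hw_info: str):
    """DRM controller, steps a-h. Returns (outcome, decrypted license or None)."""
    blob = metadata.get("license")
    if blob:                                     # step b: license field present
        plain = _crypt(key_generation(hw_info), blob[:16], blob[16:])  # c, d
        try:
            lic = json.loads(plain)
            legal = hmac.compare_digest(lic["hash"], compute_hash(hw_info))
        except (ValueError, KeyError, TypeError):
            legal = False                        # wrong Ks yields garbage
        if legal:                                # step e -> f
            return "local-ok", lic
    if metadata.get("initial_rights"):           # steps g, h
        return "local-ok-initial-rights-only", None
    return "networked-verification-required", None

# Constructed sample data: two terminals and a file with no initial rights.
HW_A = "cpu=0001;disk=AAAA;mac=02:00:00:00:00:01"
HW_B = "cpu=0002;disk=BBBB;mac=02:00:00:00:00:02"
FILE2 = {"initial_rights": None,
         "license": issue_license(HW_A, ["read"], bytes(16))}

if __name__ == "__main__":
    print(local_verify(FILE2, HW_A)[0])   # licensed terminal
    print(local_verify(FILE2, HW_B)[0])   # same file copied to another terminal
```

The same File2 verifies locally on the terminal it was licensed for and falls back to networked verification once copied to a terminal with different hardware information.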
4. Step 5 is subdivided into the following steps:
1) After either local verification or networked verification passes, the DRM controller extracts the original-data plaintext and the rights information according to the request of the built-in application and the current state of the initial rights and the license. The initial rights and the license can be in the following 3 states:
State 1: the initial rights information does not exist, and the license exists and is legal;
State 2: the initial rights information exists, while the license does not exist, or exists but is illegal;
State 3: the initial rights information exists, and the license also exists and is legal;
When the initial rights and the license are in state 1: the DRM controller first decrypts the license with the symmetric key Ks to obtain the rights information in the license and the decryption key Kd of the original data, and then, according to the request of the built-in application, decrypts the corresponding ciphertext part of the original data with Kd to obtain the plaintext of the original data;
When the initial rights and the license are in state 2: the DRM controller extracts the initial rights information, records the unencrypted regions of the original data according to it, and then directly extracts the unencrypted original-data plaintext requested by the built-in application. If the original content requested by the built-in application lies outside the recorded regions, the controller refuses to provide the data and prompts the user to purchase the corresponding rights;
When the initial rights and the license are in state 3: first, the DRM controller extracts the initial rights information and records the unencrypted regions of the original data according to it; second, the DRM controller decrypts the license with the symmetric key Ks to obtain the rights information in the license and the decryption key Kd of the original data; finally, the DRM controller determines whether the original data currently required by the built-in application is encrypted. If it belongs to a recorded unencrypted region, it is extracted directly; otherwise the required part of the original data is first decrypted with Kd and the decrypted original-data plaintext is then extracted;
2) The DRM controller passes the extracted original-data plaintext to the built-in application for it to operate on; at the same time, the DRM controller constrains the built-in application's operations on the original data according to the rights information contained in the initial rights and the license.