CN106454435B - Conditional access method and related equipment and system - Google Patents

Conditional access method and related equipment and system Download PDF

Info

Publication number
CN106454435B
CN106454435B CN201510483860.XA CN201510483860A CN106454435B CN 106454435 B CN106454435 B CN 106454435B CN 201510483860 A CN201510483860 A CN 201510483860A CN 106454435 B CN106454435 B CN 106454435B
Authority
CN
China
Prior art keywords
key
root key
new
key generation
terminal device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510483860.XA
Other languages
Chinese (zh)
Other versions
CN106454435A (en
Inventor
党茂昌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Youku Culture Technology Beijing Co ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to CN201510483860.XA priority Critical patent/CN106454435B/en
Publication of CN106454435A publication Critical patent/CN106454435A/en
Application granted granted Critical
Publication of CN106454435B publication Critical patent/CN106454435B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/266Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
    • H04N21/26613Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel for generating or managing keys in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/45Management operations performed by the client for facilitating the reception of or the interaction with the content or administrating data related to the end-user or to the client device itself, e.g. learning user preferences for recommending movies, resolving scheduling conflicts
    • H04N21/462Content or additional data management, e.g. creating a master electronic program guide from data received from the Internet and a Head-end, controlling the complexity of a video stream by scaling the resolution or bit-rate based on the client capabilities
    • H04N21/4623Processing of entitlement messages, e.g. ECM [Entitlement Control Message] or EMM [Entitlement Management Message]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/60Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client 
    • H04N21/63Control signaling related to video distribution between client, server and network components; Network processes for video distribution between server and clients or between remote clients, e.g. transmitting basic layer and enhancement layers over different transmission paths, setting up a peer-to-peer communication via Internet between remote STB's; Communication protocols; Addressing
    • H04N21/633Control signals issued by server directed to the network components or client
    • H04N21/6332Control signals issued by server directed to the network components or client directed to client
    • H04N21/6334Control signals issued by server directed to the network components or client directed to client for authorisation, e.g. by transmitting a key

Landscapes

  • Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Multimedia (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Abstract

The application discloses a conditional access method, related equipment and a system, wherein terminal equipment can generate a new root key according to a root key generation parameter in key update information issued by a television transmission center and a set key generation algorithm locally stored by the terminal equipment, acquire a descrambling key according to the new root key, descramble a program stream issued by the television transmission center according to the acquired descrambling key, and obtain a program clear stream.

Description

Conditional access method and related equipment and system
Technical Field
The present application relates to the field of digital television broadcasting technologies, and in particular, to a CA (conditional Access) method, and a related device and system.
Background
The CA system refers to a system for controlling a user (Subscriber) to receive a broadcast service or program, that is, the user can only watch an authorized broadcast service or program. The CA system is a key to realizing personalized services, and its basic purpose is to perform authorization control and authorization management on users in a television station television system, thereby realizing paid services of a data broadcasting system.
Specifically, as shown in fig. 1, it is a schematic diagram of a basic principle architecture of an existing CA system. As can be seen from fig. 1, the CA system employs a three-layer encryption method: scrambling the program by Ks (descrambling key) at the television program sender, wherein Ks is transmitted by Kw (work key) encryption, and Kw is transmitted by Kd (root key) encryption; at the television program receiving party, the user decrypts Kw by Kd, then decrypts Ks by Kw, and finally descrambles the television program into clear stream by Ks.
Wherein Ks and Kw may be transmitted to the user through an ECM (Entitlement Control Message), an EMM (Entitlement Management Message), and the tv program stream (specifically, Ks may be transmitted to the user through the ECM, Kw may be transmitted to the user through the EMM), and Kd is not transmitted over the air. Specifically, Kd can only be distributed by means of a secret authorized, updated by means of a secret. For example, at the terminal device, Kd is generally written into the corresponding IC card by the terminal device manufacturer through a dedicated device set, and cannot be dynamically replaced.
That is to say, the current CA system adopts a fixed device key manner, the device key (e.g., Kd) is stored in the IC card and cannot be dynamically changed, when the device key (e.g., Kd) is stolen or cracked, the device key (e.g., Kd) can only be updated by changing the IC card or changing the terminal device, so that it takes a long time for the user to update the device key to descramble the program when the user uses the corresponding CA system to receive the program, thereby reducing the receiving efficiency of the CA system and making the user experience worse.
Disclosure of Invention
The embodiment of the application provides a conditional access method, and related equipment and system, which are used for solving the problems of low receiving efficiency of the existing CA system.
Specifically, an embodiment of the present application provides a conditional access method, including:
the terminal equipment receives key updating information which is issued by a television transmitting center and contains set root key generation parameters;
generating a new root key according to the root key generation parameter and a set key generation algorithm locally stored by the terminal equipment;
and acquiring a descrambling key according to the new root key, and descrambling the program stream issued by the television transmission center according to the acquired descrambling key to obtain a program clear stream.
Correspondingly, the embodiment of the present application further provides a terminal device, including:
the receiving module is used for receiving key updating information which is issued by a television transmitting center and contains set root key generation parameters;
the updating module is used for generating a new root key according to the root key generation parameter and a set key generation algorithm locally stored by the terminal equipment;
and the descrambling module is used for acquiring a descrambling key according to the new root key and descrambling the program stream issued by the television transmission center according to the acquired descrambling key to obtain the program clear stream.
Further, an embodiment of the present application further provides a conditional access system, including a television transmission center and a terminal device, where:
the terminal equipment is used for receiving key updating information which is issued by the television transmitting center and contains set root key generation parameters; generating a new root key according to the root key generation parameter and a set key generation algorithm locally stored by the terminal equipment; and acquiring a descrambling key according to the new root key, and descrambling the program stream issued by the television transmission center according to the acquired descrambling key to obtain a program clear stream.
The beneficial effect of this application is as follows:
the embodiment of the application provides a conditional access method, related equipment and a system, wherein terminal equipment can generate a new root key according to a root key generation parameter in key update information issued by a television transmission center and a set key generation algorithm locally stored by the terminal equipment, acquire a descrambling key according to the new root key, descramble a program stream issued by the television transmission center according to the acquired descrambling key, and acquire a program clear stream, so that the problem that a user needs to spend a long time for updating an equipment key to descramble a program when the user receives the program by using the existing CA system is solved, the receiving efficiency of the CA system is improved, and the application experience of the user is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram of a basic architecture of a conventional CA system;
fig. 2 is a schematic flowchart of a conditional access method according to a first embodiment of the present application;
fig. 3 is a schematic diagram illustrating a possible structure of a terminal device according to a second embodiment of the present application;
fig. 4 is a schematic diagram illustrating a possible structure of a conditional access system according to a third embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application will be described in further detail with reference to the accompanying drawings, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The first embodiment is as follows:
a first embodiment of the present application provides a conditional access method, as shown in fig. 2, which is a schematic flow chart of the conditional access method in the first embodiment of the present application, where the conditional access method may include the following steps:
step 201: and the terminal equipment receives key updating information which is issued by the television transmission center and contains the set root key generation parameters.
Optionally, the terminal device may receive, through the following manner, key update information that includes the set root key generation parameter and is issued by the television transmission center:
receiving EMM information transmitted by the television transmitting center;
and searching the information related to the terminal equipment from the EMM information by using the original equipment identifier of the terminal equipment, and decrypting the searched information related to the terminal equipment on the basis of the original root key of the terminal equipment to obtain the key updating information containing the set root key generation parameter.
That is to say, the key update information is usually issued to the terminal device by the television transmission center through an EMM, which is not described in detail in this embodiment of the present application.
Further, the root key generation parameter (i.e. Kd generation parameter, which may be identified as Kr) is generally issued to the television transmission center via the key management center and then issued to the terminal device by the television transmission center when the security server determines that the device key needs to be updated (e.g. when it determines that the device key such as Kd authorized to be issued to the terminal device is stolen or broken).
Optionally, the process of transferring the root key generation parameter between the security server, the key management center, the television transmission center, and the terminal device may be as follows:
when determining that the device key needs to be updated, the security server generates a new root key based on a set key generation algorithm and a set root key generation parameter, and sends first key update information containing the root key generation parameter and the new root key to a key management center through a set security transmission tool;
after receiving the first key updating information, the key management center updates a key database according to the first key updating information, and sends second key updating information which contains the root key generation parameters but does not contain the new root key to a television emission center;
and after receiving the second key updating information, the television transmitting center issues third key updating information which contains the root key generation parameter but does not contain the new root key to corresponding terminal equipment so as to issue the root key generation parameter to the corresponding terminal equipment.
That is to say, in the transmission process of the root key generation parameter, the security server can adopt a set security transmission tool to transmit a corresponding new root key and the root key generation parameter to the key management center point to point, that is, the key transmission is limited between the security server and the key management center, so as to prevent the key and the key generation parameter from being leaked, and improve the security of the device key; the set secure delivery tool may be provided by a key management center, which is not described in detail in this embodiment of the present application.
Further, when the secure server generates a new root key, the set key generation algorithm according to which the secure server generates a new root key may be a private secret algorithm that is preset in the secure server by a corresponding device manufacturer (that is, the key generation algorithm is run on a secure computer with security), and a new Kd may be generated by the key generation algorithm based on a specific root key generation parameter (that is, a Kd generation parameter, which may be identified as Kr). Therefore, the Kd generation parameter can be transmitted in the air, and even if the Kd generation parameter is intercepted by a third party, the corresponding Kd cannot be generated due to the fact that a corresponding key generation algorithm does not exist, and the safety of the device key is guaranteed.
Note that, when the secure server generates a new root key, the set root key generation parameter (i.e., Kd generation parameter) on which the secure server is based is usually a random number of one M bit (bit) (M is an arbitrary positive integer), and the Kd generation parameter usually satisfies the following condition: generating a corresponding Kd that can be uniquely determined from the Kd generation parameter includes uniquely generating a Kd for a corresponding generation based on Kd generation parameters of historical generations.
Optionally, in the embodiment described in this application, taking a random number with a Kd generation parameter of 32 bits as an example, the security server may specifically generate a new root key based on the set key generation algorithm and the set root key generation parameter by:
shifting the 32-bit random number according to a set shifting algorithm to obtain Y new 32-bit random numbers; for example, the 32-bit random number may be circularly left-shifted by 8 bits to obtain 3 new 32-bit random numbers;
combining the obtained Y new 32-bit random numbers with the initial 32-bit random number to obtain (Y +1) × 32-bit random numbers; for example, combining the 4 random numbers with 32 bits obtained in the above steps to obtain a random number with 128 bits (16 bytes);
based on a set matrix algorithm, carrying out transformation processing on the (Y +1) × 32-bit random number to obtain a new (Y +1) × 32-bit random number, and taking the obtained new (Y +1) × 32-bit random number as a generated new root key;
the Y is a positive integer, and is similar to a set key generation algorithm, and the set matrix algorithm may be a private security algorithm preset in the security server by a corresponding device manufacturer, which is not described in detail in this embodiment of the present application.
Step 202: and the terminal equipment generates a new root key according to the root key generation parameter and a set key generation algorithm locally stored by the terminal equipment.
When the terminal device generates a new root key according to the acquired root key generation parameter, the set key generation algorithm according to which the terminal device generates the new root key is the same as a key generation algorithm used when the security server generates the new root key, and the set key generation algorithm may be a private secret algorithm that is preset in a secure storage area (Trust zone) of the terminal device by a device manufacturer related to the terminal device, that is, the key generation algorithm is not transferred over the air but embedded in the terminal device, so as to ensure the security of the device key.
Optionally, in the embodiment described in this application, similar to the process of generating the new root key by the security server, taking a random number with a Kd generation parameter of one 32 bits as an example, the terminal device may specifically generate the new root key by:
shifting the 32-bit random number according to a set shifting algorithm to obtain Y new 32-bit random numbers; for example, the 32-bit random number may be circularly left-shifted by 8 bits to obtain 3 new 32-bit random numbers;
combining the obtained Y new 32-bit random numbers with the initial 32-bit random number to obtain (Y +1) × 32-bit random numbers; for example, combining the 4 random numbers with 32 bits obtained in the above steps to obtain a random number with 128 bits (16 bytes);
based on a set matrix algorithm, carrying out transformation processing on the (Y +1) × 32-bit random number to obtain a new (Y +1) × 32-bit random number, and taking the obtained new (Y +1) × 32-bit random number as a generated new root key;
wherein Y is a positive integer; moreover, similar to the set key generation algorithm, the set matrix algorithm may be a private encryption algorithm preset in the terminal device by the corresponding device manufacturer, which is not described in detail in the embodiments of the present application.
Step 203: and the terminal equipment acquires a descrambling key according to the new root key and descrambles the program stream issued by the television transmission center according to the acquired descrambling key to obtain the program clear stream.
It should be noted that, after the Kd is updated, the Kw (work key) corresponding to the Kd also needs to be updated, that is, after the key management center receives the updated Kd sent by the security server, the key management center needs to generate a corresponding new Kw (i.e., updated Kw) by using the updated Kd, and send the new Kw to the terminal device via the television transmission center (specifically, the television transmission center may carry the encrypted new Kw obtained by encrypting with the updated Kd in the key update information and send the key update information to the terminal device), and accordingly, obtaining the descrambling key according to the new root key may include:
decrypting the encrypted updated working key according to the new root key to obtain an updated working key;
and decrypting the encrypted descrambling key carried in the ECM issued by the television transmission center according to the updated working key to obtain the descrambling key.
That is to say, in the embodiment of the present application, the terminal device may generate a new root key according to a root key generation parameter in the key update information issued by the television transmission center and a set key generation algorithm locally stored by the terminal device, acquire the descrambling key according to the new root key, and descramble the program stream issued by the television transmission center according to the acquired descrambling key to obtain the program clear stream, so as to solve the problem that a user needs to spend a long time to update the device key to descramble the program when receiving the program by using the existing CA system, improve the receiving efficiency of the CA system, and improve the application experience of the user.
Further, it should be noted that, after generating a new root key based on a set key generation algorithm and a set root key generation parameter, the security server may further generate a new root key generation number (i.e., an updated generation number) according to a history sequence of the new root key, and replace a lower N bit of an original device identifier (original device ID) of the corresponding terminal device with the new root key generation number to form a new device identifier (i.e., an updated device identifier, where N is a positive integer and a value thereof is usually not less than a number of bits occupied by the root key generation number), and issue the new root key generation number to the television transmission center via the key management center, and the television transmission center issues the new root key generation number to the corresponding terminal device by carrying the new root key generation number in the key update information; therefore, in the embodiment of the present application, after the terminal device receives the key update information issued by the television transmission center, the method may further include the following steps:
replacing the low N bit of the original equipment identifier of the terminal equipment with the new root key generation number according to the new root key generation number carried in the key updating information to form a new equipment identifier; and N is a positive integer, and the value of N is not less than the number of bits occupied by the generation number of the root key.
It should be noted that, because the value range of the root key generation number may be generally 0 to 255, that is, the root key generation number may generally occupy 8 digits (bit), the low N bit of the original device identifier of the terminal device is replaced with the new root key generation number to form a new device identifier, which may be specifically implemented as: and replacing the lower 8 bits of the original equipment identifier of the terminal equipment with the new root key generation number to form a new equipment identifier. In addition, it should be noted that the device identifier of the terminal device (including the original device identifier and the updated device identifier) may generally occupy 64 digits (bit), which is not described in this embodiment of the present application.
Accordingly, as can be seen from the above, the process of transferring the root key generation parameter among the security server, the key management center, the television transmission center, and the terminal device may be specifically as follows:
when the device key is determined to be updated, the security server generates a new root key based on a set key generation algorithm and a set root key generation parameter, generates a new root key generation number according to the historical sequence of the new root key, replaces the lower N bit of the original device identifier of the corresponding terminal device with the new root key generation number to form a new device identifier, and sends first key update information containing the root key generation parameter, the new root key and the new root key generation number to a key management center through a set security transmission tool;
after receiving the first key updating information, the key management center updates a key database according to the first key updating information, and sends second key updating information which contains the root key generation parameter and the new root key generation number but does not contain the new root key to a television emission center;
and after receiving the second key updating information, the television transmitting center issues third key updating information which contains the root key generation parameter and the new root key generation number but does not contain the new root key to corresponding terminal equipment.
For example, taking a specific example as an example, the process of transferring the root key generation parameter between the security server, the key management center, the television transmission center, and the terminal device may specifically be as follows:
since Kd once issued to a user upon authorization, the user needs to be guaranteed that it is not compromised, if Kd is inadvertently compromised or stolen by a hacker (which is often unavoidable), the corresponding device manufacturer can generate new Kd update information via the corresponding secure server, including: { updated generation number, Kr (root key generation parameter), updated root key Kd, updated device ID }, and transmits the Kd update information to the key management center (i.e., RMP center) via the secure transmission tool; the RMP center inputs the Kd updating information into a database of unified management, and sends all information without Kd, including { updated generation number, Kr and updated equipment ID } to each television transmitting center, the television transmitting center inputs the received corresponding information into the database of unified management, and after a set time (such as two days), the { updated generation number, Kr } is sent to the terminal equipment of the user through EMM information; after receiving the corresponding information, the terminal equipment can analyze and decrypt the EMM information through the original equipment ID and the original Kd to obtain corresponding Kd update information { updated generation number, Kr }, and starts a Kd update flow at the terminal side according to the obtained Kd update information { updated generation number, Kr }, so as to realize the update of the equipment key.
It should be noted that, after the Kd is updated, the Kw corresponding to the Kd also needs to be updated, so that the key management center needs to generate a new Kw (i.e., updated Kw) using the Kd after receiving the updated Kd transmitted by the security server, transmit the new Kw to the television transmission center together with the updated generation number, Kr, updated device ID, and the like, and transmit the new Kw and Kr to the terminal device by the television transmission center, so that the terminal device generates an updated Kd from the corresponding Kr, then acquires the new Kw using the updated Kd, further acquires the descrambling key Ks from the new Kw, and descrambles the program according to the acquired Ks.
Further, in the embodiment of the present application, after the terminal device generates a corresponding new root key and a new device identifier, the method may further include:
and storing the generated new root key and the new device identification in a secure storage area of the terminal device. Namely, the device key can be stored in the secure storage area in an encrypted manner, so that the security of the device key is ensured.
Optionally, storing the generated new root key and the new device identifier in a secure storage area of the terminal device may include:
generating a new file for storing the new root key and the new device identification in a secure storage area of the terminal device by taking the new root key generation number as an index; and storing the new root key and the new device identifier in the new file, and after the new root key and the new device identifier are stored in the new file, setting the attribute of the new file to be read only (i.e. all updates are additional updates and cannot be replaced).
That is, in the embodiment described in the present application, additional update of Kd can be done by creating an SFS (secure file system) file indexed by generation number, i.e., all device key updates can be managed with the updated generation number. Correspondingly, the retrieval of Kd can be completed by searching for SFS files indexed by the generation number, which is not described in detail in the embodiments of the present application.
Further, it should be noted that, because the root key generation number and the root key have a corresponding one-to-one correspondence relationship, after the terminal device receives the key update information issued by the television transmission center, it may first determine whether the root key generation number in the key update information is stored at the terminal device side, and if the determination result is yes, the root key corresponding to the root key generation number may be directly obtained from the terminal device side according to the root key generation number, without performing the operation of generating a new root key again according to the root key generation parameter in the key update information and the locally stored set key generation algorithm, so as to reduce the processing delay and the processing pressure of the system, which is also not described in detail in this embodiment of the present application.
The first embodiment of the present application provides a conditional access method, where a terminal device may generate a new root key according to a root key generation parameter in key update information issued by a television transmission center and a set key generation algorithm locally stored by the terminal device, acquire a descrambling key according to the new root key, and descramble a program stream issued by the television transmission center according to the acquired descrambling key to obtain a program clear stream, so as to solve the problem that a user needs to spend a long time to update a device key to descramble a program when the user receives the program by using an existing CA system, improve the reception efficiency of the CA system, and improve the application experience of the user.
Example two:
based on the same inventive concept, a second embodiment of the present application provides a terminal device, and specific implementation of the terminal device may refer to related description in the first embodiment of the method, and repeated parts are not described again, as shown in fig. 3, the terminal device may mainly include:
the receiving module 31 is configured to receive key update information including a set root key generation parameter and sent by a television transmission center;
an updating module 32, configured to generate a new root key according to the root key generation parameter and a set key generation algorithm locally stored in the terminal device; wherein the set key generation algorithm is a private secret algorithm preset in a secure storage area of the terminal device by a device manufacturer associated with the terminal device; the root key generation parameter is an M-bit random number, M is any positive integer, and a corresponding root key can be uniquely determined according to the root key generation parameter;
and the descrambling module 33 is configured to obtain a descrambling key according to the new root key, and descramble the program stream delivered by the television transmission center according to the obtained descrambling key to obtain a program clear stream.
Furthermore, the key updating information can also carry an encrypted updated working key;
the descrambling module 33 is specifically configured to decrypt the encrypted updated working key according to the new root key to obtain an updated working key, and decrypt the encrypted descrambling key carried in the ECM issued by the television transmission center according to the updated working key to obtain a descrambling key.
Further, the key update information may also carry a new root key generation number;
the updating module 32 is further configured to replace the lower N bits of the original device identifier of the terminal device with the new root key generation number according to the new root key generation number, so as to form a new device identifier; and N is a positive integer, and the value of N is not less than the number of bits occupied by the generation number of the root key.
Further, the terminal device may further include a storage module 34:
the storage module 34 is configured to store the generated new root key and the new device identifier in a secure storage area of the terminal device.
Optionally, the storage module 34 is specifically configured to generate a new file for storing the new root key and the new device identifier in the secure storage area of the terminal device, with the new root key generation number as an index; and storing the new root key and the new device identifier in the file, and setting the attribute of the file to be read only after the new root key and the new device identifier are stored in the file.
In addition, it should be noted that the storage module 34 may also be configured to store parameters such as an original device identifier and an original root key of the terminal device; specifically, the original generation number of the terminal device may be used as an index, and the parameters of the original device identifier of the terminal device, the original root key, and the like are stored.
Further, it should be noted that, since the key update information containing the set root key generation parameter is usually sent to the terminal device by the television transmission center through the EMM information, the receiving module 31 may be specifically configured to receive the EMM information carrying the key update information sent by the television transmission center, search the information related to the terminal device from the EMM information by using the original device identifier of the terminal device, and decrypt the searched information related to the terminal device based on the original root key of the terminal device, so as to obtain the key update information containing the set root key generation parameter.
In addition, it should be noted that the receiving module 31 may also be configured to receive an ECM issued by a television transmitting center, and receive a program stream issued by the television transmitting center, and the like, which is not described in detail in this embodiment of the application.
Based on the same inventive concept, a conditional access system is further provided in the second embodiment of the present application, and for specific implementation of the conditional access system, reference may be made to related descriptions in the first embodiment of the method, and repeated descriptions are omitted, as shown in fig. 4, the conditional access system mainly includes a television transmission center 41 and a terminal device 42, where:
the television transmission center 41 is configured to send key update information including a set root key generation parameter to the terminal device 42;
the terminal device 42 is configured to receive key update information that includes a set root key generation parameter and is issued by the television transmission center 41; generating a new root key according to the root key generation parameter and a set key generation algorithm locally stored by the terminal device 42; and acquiring a descrambling key according to the new root key, and descrambling the program stream issued by the television transmission center 41 according to the acquired descrambling key to obtain a program clear stream.
Further, it should be noted that, in addition to the television transmission center 41 and the terminal device 42, the conditional access system may further include a security server 43, a key management center 44, and the like, where: the secure server 43 may be configured to generate a new root key based on a set key generation algorithm and a set root key generation parameter when it is determined that the device key needs to be updated, and send the root key generation parameter to the key management center 44; the key management center 44 may be configured to issue the root key generation parameter issued by the security server 43 to the television transmission center 41, which is not described in detail in this embodiment of the application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, apparatus (device), or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (11)

1. A conditional access method, comprising:
the terminal equipment receives key updating information which is issued by a television transmitting center and contains set root key generation parameters;
generating a new root key according to the root key generation parameter and a set key generation algorithm locally stored by the terminal equipment;
acquiring a descrambling key according to the new root key, and descrambling the program stream issued by the television transmission center according to the acquired descrambling key to obtain a program clear stream;
the key updating information is issued to the terminal equipment by the television transmitting center through authorization management information EMM;
searching information related to the terminal equipment from the authorization management information EMM by using the original equipment identifier of the terminal equipment;
decrypting the searched information related to the terminal equipment by using the original root key of the terminal equipment to obtain key updating information containing the set root key generation parameter;
the root key generation parameter is an M-bit random number, and M is any positive integer; generating a corresponding root key which can be uniquely determined according to the root key generation parameter;
the key updating information also carries a new root key generation number; replacing the low N bit of the original equipment identifier of the terminal equipment with the new root key generation number according to the new root key generation number to form a new equipment identifier; and N is a positive integer, and the value of N is not less than the number of bits occupied by the generation number of the root key.
2. The method of claim 1, wherein the key update information further carries an encrypted updated working key; obtaining a descrambling key according to the new root key, including:
decrypting the encrypted updated working key according to the new root key to obtain an updated working key;
and decrypting the encrypted descrambling key carried in the authorization control information ECM issued by the television transmission center according to the updated working key to obtain the descrambling key.
3. The method of claim 1, wherein the method further comprises:
and storing the generated new root key and the new device identification in a secure storage area of the terminal device.
4. The method of claim 3, wherein storing the generated new root key and new device identification in a secure storage area of the terminal device, comprises:
generating a new file for storing the new root key and the new device identification in a secure storage area of the terminal device by taking the new root key generation number as an index; and storing the new root key and the new device identifier in the file, and setting the attribute of the file to be read only after the new root key and the new device identifier are stored in the file.
5. The method of claim 1, wherein the set key generation algorithm is a private security algorithm that is preset within a secure storage area of the terminal device by a device manufacturer associated with the terminal device.
6. A terminal device, comprising:
the receiving module is used for receiving key updating information which is issued by a television transmitting center and contains set root key generation parameters; searching information related to the terminal equipment from authorization management information EMM issued by a television emission center by utilizing the original equipment identification of the terminal equipment; decrypting the searched information related to the terminal equipment according to the original root key of the terminal equipment to obtain key updating information containing the set root key generation parameter; the root key generation parameter is an M-bit random number, and M is any positive integer; generating a corresponding root key which can be uniquely determined according to the root key generation parameter;
the updating module is used for generating a new root key according to the root key generation parameter and a set key generation algorithm locally stored by the terminal equipment; the key updating information also carries a new root key generation number; the updating module is further configured to replace the low-N bit of the original device identifier of the terminal device with the new root key generation number according to the new root key generation number to form a new device identifier; wherein, N is a positive integer and the value of N is not less than the number of bits occupied by the generation number of the root key;
and the descrambling module is used for acquiring a descrambling key according to the new root key and descrambling the program stream issued by the television transmission center according to the acquired descrambling key to obtain the program clear stream.
7. The terminal device according to claim 6, wherein the key update information further carries an encrypted updated working key;
and the descrambling module is specifically configured to decrypt the encrypted updated working key according to the new root key to obtain an updated working key, and decrypt an encrypted descrambling key carried in the entitlement control message ECM issued by the television transmission center according to the updated working key to obtain a descrambling key.
8. The terminal device of claim 6, wherein the terminal device further comprises a storage module:
and the storage module is used for storing the generated new root key and the new device identifier in a secure storage area of the terminal device.
9. The terminal device of claim 8,
the storage module is specifically configured to generate a new file for storing the new root key and the new device identifier in a secure storage area of the terminal device by using the new root key generation number as an index; and storing the new root key and the new device identifier in the file, and setting the attribute of the file to be read only after the new root key and the new device identifier are stored in the file.
10. The terminal device according to claim 6, wherein the set key generation algorithm is a private secret algorithm that is set in advance in a secure storage area of the terminal device by a device manufacturer associated with the terminal device.
11. A conditional access system comprising a television transmission center and a terminal device, wherein:
the terminal equipment is used for receiving key updating information which is issued by the television transmitting center and contains set root key generation parameters; searching information related to the terminal equipment from authorization management information EMM issued by a television emission center by utilizing the original equipment identification of the terminal equipment; decrypting the searched information related to the terminal equipment according to the original root key of the terminal equipment to obtain key updating information containing the set root key generation parameter; generating a new root key according to the root key generation parameter and a set key generation algorithm locally stored by the terminal equipment; acquiring a descrambling key according to the new root key, and descrambling the program stream issued by the television transmission center according to the acquired descrambling key to obtain a program clear stream; the root key generation parameter is an M-bit random number, and M is any positive integer; generating a corresponding root key which can be uniquely determined according to the root key generation parameter; the key updating information also carries a new root key generation number; replacing the low N bit of the original equipment identifier of the terminal equipment with the new root key generation number according to the new root key generation number to form a new equipment identifier; and N is a positive integer, and the value of N is not less than the number of bits occupied by the generation number of the root key.
CN201510483860.XA 2015-08-07 2015-08-07 Conditional access method and related equipment and system Active CN106454435B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510483860.XA CN106454435B (en) 2015-08-07 2015-08-07 Conditional access method and related equipment and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510483860.XA CN106454435B (en) 2015-08-07 2015-08-07 Conditional access method and related equipment and system

Publications (2)

Publication Number Publication Date
CN106454435A CN106454435A (en) 2017-02-22
CN106454435B true CN106454435B (en) 2020-01-24

Family

ID=58092421

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510483860.XA Active CN106454435B (en) 2015-08-07 2015-08-07 Conditional access method and related equipment and system

Country Status (1)

Country Link
CN (1) CN106454435B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108156494B (en) * 2017-12-27 2020-12-22 海信视像科技股份有限公司 Method and device for descrambling digital television program and digital television terminal
CN114531237B (en) * 2022-04-21 2022-07-19 八维通科技有限公司 Root key upgrading method of integrated gateway based on embedded platform

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN201127083Y (en) * 2007-09-19 2008-10-01 中兴通讯股份有限公司 Equipment for implementing multimedia broadcast safety
CN102752635A (en) * 2012-02-23 2012-10-24 中央电视台 Downloadable and replaceable condition receiving system
CN102752662A (en) * 2012-02-23 2012-10-24 中央电视台 Root key generation method, module and chip of conditional access system receiving terminal and receiving terminal

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7725740B2 (en) * 2003-05-23 2010-05-25 Nagravision S.A. Generating a root key for decryption of a transmission key allowing secure communications

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN201127083Y (en) * 2007-09-19 2008-10-01 中兴通讯股份有限公司 Equipment for implementing multimedia broadcast safety
CN102752635A (en) * 2012-02-23 2012-10-24 中央电视台 Downloadable and replaceable condition receiving system
CN102752662A (en) * 2012-02-23 2012-10-24 中央电视台 Root key generation method, module and chip of conditional access system receiving terminal and receiving terminal

Also Published As

Publication number Publication date
CN106454435A (en) 2017-02-22

Similar Documents

Publication Publication Date Title
US8712041B2 (en) Content protection apparatus and content encryption and decryption apparatus using white-box encryption table
CN110650010B (en) Method, device and equipment for generating and using private key in asymmetric key
CN105260668A (en) File encryption method and electronic device
CN112948784B (en) Internet of things terminal identity authentication method, computer storage medium and electronic equipment
CN110401527B (en) Data encryption and decryption method and device and storage medium
CN110768787A (en) Data encryption and decryption method and device
US11128452B2 (en) Encrypted data sharing with a hierarchical key structure
CN102063598A (en) Data encryption and decryption methods and devices
CN107135408A (en) A kind of method for authenticating and device of video flowing address
CN103841469A (en) Digital film copyright protection method and device
CN109787754B (en) Data encryption and decryption method, computer readable storage medium and server
CN111385085B (en) Quantum three-level key system implementation method and system
CN104735484A (en) Method and device for playing video
US11308242B2 (en) Method for protecting encrypted control word, hardware security module, main chip and terminal
CN110012312A (en) The access control method based on key management suitable for pay television system
CN103117850B (en) A kind of method for building up of the cryptographic system based on random sequence database
US20090238368A1 (en) Key distribution system
CN106454435B (en) Conditional access method and related equipment and system
CN113259722B (en) Secure video Internet of things key management method, device and system
CN113326518A (en) Data processing method and device
KR20140078917A (en) Apparatas and method for security message transmission and reception of vehicle network
CN117171202A (en) Data query method and device
CN109428712A (en) Data Encrypt and Decrypt method and data Encrypt and Decrypt system
CN103313097A (en) Method and system for encrypting and decrypting encoded file
CN107872312B (en) Method, device, equipment and system for dynamically generating symmetric key

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 1233405

Country of ref document: HK

GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240623

Address after: Room 201, No. 9 Fengxiang East Street, Yangsong Town, Huairou District, Beijing

Patentee after: Youku Culture Technology (Beijing) Co.,Ltd.

Country or region after: China

Address before: Cayman Islands Grand Cayman capital building, a four storey No. 847 mailbox

Patentee before: ALIBABA GROUP HOLDING Ltd.

Country or region before: Cayman Islands