CN106656499B - Terminal equipment credibility authentication method in digital copyright protection system - Google Patents


Info

Publication number
CN106656499B
Authority
CN
China
Legal status
Active
Application number
CN201510412791.3A
Other languages
Chinese (zh)
Other versions
CN106656499A
Inventor
石晶
陆驿
孙照焱
陆达
Current Assignee
Chinese Academy Of Press And Publication
Tongfang Co Ltd
Original Assignee
Chinese Academy Of Press And Publication
Tongfang Co Ltd


Abstract

A terminal equipment credibility authentication method in a digital copyright protection system relates to the field of information security. The method comprises three main implementation steps: 1) registering and authorizing the equipment information; 2) registering and authorizing the identity of the equipment; 3) trusted authentication processing of the terminal equipment. The invention combines asymmetric cryptography with trusted authentication technology to realize unified management of the legal authorization and the trusted identity verification of the terminal equipment, and constructs a safe and trusted terminal equipment environment for protecting the copyright of digital content.

Description

Terminal equipment credibility authentication method in digital copyright protection system
Technical Field
The invention relates to the field of information security, in particular to a terminal equipment credibility authentication method in a digital copyright protection system.
Background
The terminal equipment in the digital copyright protection system is the presentation equipment for digital content. It is responsible for controlling the legal use of the digital content on the user side, preventing illegal copying of the digital content and ensuring that a user can only use the digital content according to the granted use rights. The terminal equipment is therefore a key part of the successful implementation of digital rights protection technology, and the device legitimacy and identity credibility of the terminal equipment are important foundations of the digital rights protection system.
In the digital rights protection system, the device legitimacy of the terminal device is established by legal authorization through the digital rights protection system, and the identity credibility of the terminal device is established by the device being a legitimate device of an authenticated legitimate user. The trusted authentication of the terminal equipment in the digital copyright protection system is therefore a multi-level authentication.
In existing digital copyright protection systems, the terminal equipment is mainly authenticated with an authentication mode based on PKI (Public Key Infrastructure) technology to ensure the validity of the terminal equipment. Because of the rapid development of digital technology, a single equipment credibility authentication method can no longer meet the digital copyright protection requirements of today's various digital contents and applications, so trusted authentication technology needs to be applied comprehensively in order to realize unified trusted authentication and management of both the device legitimacy and the identity credibility of the terminal equipment.
Disclosure of Invention
Aiming at the problems in the prior art, the invention aims to provide a terminal equipment credible authentication method in a digital copyright protection system. The method combines asymmetric cryptography with trusted authentication technology to realize unified management of the legal authorization and the trusted identity verification of the terminal equipment, and constructs a safe and trusted terminal equipment environment for the copyright protection of digital content.
In order to achieve the above object, the technical solution of the present invention is implemented as follows:
a terminal equipment credible authentication method in a digital copyright protection system uses a terminal equipment credible authentication system composed of an equipment authentication authorization management system used by a third-party equipment authentication organization, an equipment registration management system used by the terminal equipment manufacturer, an equipment identity management and credible authentication system used by the operation service end system of the digital copyright protection system, and an equipment identity authentication management system used by the terminal equipment end system of the digital copyright protection system. The device authentication and authorization management system consists of a device authorization manager and a device authentication manager. The device registration management system consists of a device registration manager. The equipment identity management and trusted authentication system consists of an equipment identity authorization manager and an equipment trusted authentication manager. The equipment identity authentication management system consists of an identity registration manager and an identity authentication manager. The implementation steps are as follows:
Registration and authorization of the equipment information (steps 1 to 5):
(1) The device registration manager in the device registration management system acquires the device characteristic information from the terminal device and generates a device information registration application data block, which contains the device characteristic information, the device public key and a digital signature of the device information registration application data block made with the device private key.
(2) The device information registration application data block is transmitted to the device authentication and authorization management system through the network security transmission channel between the device registration management system and the device authentication and authorization management system.
(3) The device authorization manager in the device authentication authorization management system verifies the digital signature of the device information registration application data block with the device public key contained in it, and confirms the validity and integrity of the data block. If the digital signature verification passes, it generates a device unique identifier DevID and an encryption key Kd in one-to-one correspondence with the DevID, and encrypts the device characteristic information in the device information registration application data block with the encryption key Kd and a symmetric encryption algorithm to obtain the device characteristic information ciphertext. The device unique identifier DevID and the encryption key Kd are stored in the device authentication authorization management system.
(4) The device authorization manager in the device authentication authorization management system generates the device certificate of the terminal device, which comprises the device unique identifier DevID, the device public key, the device characteristic information ciphertext, the authorization system public key and a digital signature of the device certificate made with the authorization system private key.
(5) The device certificate of the terminal device is transmitted to the terminal device through the network security transmission channel between the device registration management system and the device authentication authorization management system, and is stored on the terminal device.
Registration and authorization of the equipment identity (steps 1 to 9):
(1) The identity registration manager of the equipment identity authentication management system acquires the user identity information, the equipment characteristic information and the equipment certificate of the equipment from the terminal equipment end system of the digital copyright protection system, verifies the digital signature of the equipment certificate with the authorization system public key contained in the certificate, and confirms the legitimacy and integrity of the equipment certificate. If the digital signature verification passes, an equipment identity registration application data block is generated, which contains the user identity information, the equipment characteristic information, the equipment certificate and a digital signature of the equipment identity registration application data block made with the equipment private key.
(2) The equipment identity registration application data block is transmitted to the equipment identity management and trusted authentication system through the network security transmission channel between the equipment identity authentication management system and the equipment identity management and trusted authentication system.
(3) The equipment identity authorization manager in the equipment identity management and trusted authentication system verifies the digital signature of the equipment identity registration application data block with the equipment public key in the equipment certificate contained in the data block, and confirms the validity and integrity of the data block. If the digital signature verification passes, the equipment identity authorization manager obtains the user identity information of the equipment from the operation end system of the digital copyright protection system and compares it with the user identity information in the equipment identity registration application data block. If the data are consistent, it generates an equipment information authentication application data block, which comprises the equipment characteristic information and the equipment certificate taken from the equipment identity registration application data block, the operation system public key and a digital signature of the equipment information authentication application data block made with the operation system private key.
(4) The equipment information authentication application data block is transmitted to the equipment authentication authorization management system through the network security transmission channel between the equipment identity management and trusted authentication system and the equipment authentication authorization management system.
(5) The device authentication manager of the device authentication authorization management system verifies the digital signature of the device information authentication application data block with the operation system public key contained in it, and confirms the validity and integrity of the device information authentication application data block. If the digital signature verification passes, the encryption key Kd stored in the device authentication authorization management system that corresponds to the device unique identifier DevID in the device certificate is used to decrypt the device characteristic information ciphertext in the device certificate, giving the device characteristic information plaintext, which is compared with the device characteristic information in the device information authentication application data block. If the data are consistent, a device identity registration response data block is generated, which contains the device characteristic information, the device certificate and a digital signature of the device identity registration response data block made with the authorization system private key.
(6) The equipment identity registration response data block is transmitted to the equipment identity management and trusted authentication system through the network security transmission channel between the equipment identity management and trusted authentication system and the equipment authentication authorization management system.
(7) The equipment identity authorization manager in the equipment identity management and trusted authentication system verifies the digital signature of the equipment identity registration response data block with the authorization system public key in the equipment certificate contained in the response, and confirms the validity and integrity of the equipment identity registration response data block. If the digital signature verification passes, it generates a unique equipment identity identifier DevUID and an encryption key Ku in one-to-one correspondence with the DevUID, and encrypts the equipment characteristic information and the user identity information from the equipment identity registration application data block separately with the encryption key Ku and a symmetric encryption algorithm to obtain an equipment characteristic information ciphertext and a user identity information ciphertext. The equipment identity identifier DevUID and the encryption key Ku are stored in the equipment identity management and trusted authentication system.
(8) The equipment identity authorization manager in the equipment identity management and trusted authentication system generates the equipment identity credential, which comprises the identity identifier DevUID, the equipment certificate, the equipment characteristic information ciphertext, the user identity information ciphertext, the operation system public key and a digital signature of the equipment identity credential made with the operation system private key.
(9) The equipment identity credential is transferred to the terminal equipment through the network security transmission channel between the equipment identity management and trusted authentication system and the equipment identity authentication management system, and is stored on the terminal equipment.
Trusted authentication processing of the terminal equipment (steps 1 to 3):
(1) The identity authentication manager of the equipment identity authentication management system acquires the user identity information, the equipment characteristic information and the equipment identity credential of the equipment from the terminal equipment end system of the digital copyright protection system, verifies the digital signature of the equipment identity credential with the operation system public key contained in the credential, and confirms the legality and integrity of the credential. If the digital signature verification passes, a device identity authentication credential data block is generated, which contains the user identity information, the device characteristic information, the device identity credential and a digital signature of the device identity authentication credential data block made with the device private key.
(2) The equipment identity authentication credential data block is transferred to the equipment identity management and trusted authentication system through the network security transmission channel between the equipment identity authentication management system and the equipment identity management and trusted authentication system.
(3) The device trusted authentication manager in the device identity management and trusted authentication system verifies the digital signature of the device identity authentication credential data block with the device public key in the device certificate contained in the device identity credential, and confirms the validity and integrity of the data block. If the digital signature verification passes, the encryption key Ku stored in the equipment identity management and trusted authentication system that corresponds to the equipment identity identifier DevUID in the equipment identity credential is used to decrypt the equipment characteristic information ciphertext and the user identity information ciphertext in the equipment identity credential, giving the equipment characteristic information plaintext and the user identity information plaintext. These are compared with the equipment characteristic information and the user identity information in the device identity authentication credential data block, and if the data are consistent the equipment identity management and trusted authentication system has completed the trusted authentication of the identity of the terminal equipment.
In the terminal equipment credibility authentication method in the digital copyright protection system, the digital copyright protection system operation server system is a component part of the digital content business operation server system, and management and control of digital content copyright protection at the operation server are realized. The terminal equipment end system of the digital content copyright protection system is a component part of the terminal equipment end system of the digital content service, and management and control of digital content copyright protection on terminal equipment are realized.
In the terminal equipment credible authentication method in the digital copyright protection system, the authorization system public key and the authorization system private key are managed by the equipment authentication authorization management system. The device public key and the device private key are built into a tamper-proof storage area of the terminal equipment by the manufacturer before the terminal equipment leaves the factory, and correspond to the terminal equipment one to one. The operation system public key and the operation system private key are managed by the equipment identity management and trusted authentication system.
In the above-mentioned method, the equipment characteristic information is a set of fixed-length data generated from readable hardware identification information that uniquely identifies one or more components of the terminal equipment. The components of the terminal equipment include the CPU, the main board, the hard disk, the network card, USB devices, the optical drive, the SD card and other key components. The hardware identification information of a component includes the serial number of the CPU, the serial number of the motherboard, the serial number of the hard disk, the MAC address of the network card, the serial number of the USB device, the serial number of the optical drive, the serial number of the SD card, and the like.
In the above-mentioned method, the user identity information is either secret information provided by the user or secret information obtained by the system. Secret information provided by the user is information known only to the user; secret information obtained by the system is secret information held on a device specific to that user.
In the above method for authenticating the trust of the terminal device in the digital rights protection system, the network security transmission channel refers to a network data channel with the characteristics of guaranteeing data confidentiality, data integrity, data source identity verification and anti-replay attack.
By adopting the method, device authorization and authentication management of the terminal device in the digital copyright protection system is realized through a third-party device authentication mechanism, and trusted device authentication of the terminal device is realized through the identity authorization and authentication management applied by the operation server system of the digital copyright protection system to the terminal device; together these realize the trusted identity authentication of the terminal device. The invention provides a terminal equipment credibility authentication and management technology for a digital copyright protection system, solves the problem of unified credible authentication of the terminal equipment at the two levels of legal authentication of the terminal equipment and authentication of the legal relation between the equipment and its user, and provides reliable technical assurance for the authorization management and play control of digital content in the digital copyright protection system.
The invention is further described below with reference to the drawings and the detailed description.
Drawings
FIG. 1 is a schematic block diagram of a system for implementing the method of the present invention;
FIG. 2 is a schematic diagram of a device information registration and authorization process in the method of the present invention;
FIGS. 3-5 are schematic diagrams of the process flow of registration and authorization of equipment identity in the method of the present invention;
FIG. 6 is a schematic diagram of the trusted authentication process of a terminal device in the method of the present invention.
Description of the embodiments
Referring to fig. 1, a system for implementing a terminal equipment trusted authentication method in a digital rights protection system is composed of an equipment authentication authorization management system a, an equipment registration management system B, an equipment identity management and trusted authentication system C and an equipment identity authentication management system D.
The equipment authentication and authorization management system A is the system used by the third-party equipment authentication organization. It consists of a device authorization manager 1 and a device authentication manager 2, and performs the authorization management and authentication management functions for the terminal equipment. The system A generates a device certificate 8 from the device registration information to realize device authorization and management of the terminal device, and verifies the device certificate 8 to realize device validity authentication of the terminal device.
The equipment registration management system B is a system used by terminal equipment manufacturers, and is composed of an equipment registration manager 3 for completing the functions of equipment registration information generation and registration authorization management before equipment leaves a factory.
The equipment identity management and trusted authentication system C is the system used by the operation server system of the digital copyright protection system, and consists of an equipment identity authorization manager 4 and an equipment trusted authentication manager 5. On the one hand, it generates the device identity credential 9 after the device legitimacy has been authenticated and the user identity of the device has been confirmed, realizing the identity authorization management of the terminal equipment by the operation server of the digital copyright protection system; on the other hand, it verifies the device identity credential 9, realizing the identity authentication of the terminal equipment and the management of trusted device authentication.
The equipment identity authentication management system D is a system used by a terminal equipment end system of the digital copyright protection system, and consists of an identity registration manager 6 and an identity authentication manager 7, and completes the identity registration management and identity authentication management functions of the terminal equipment.
Referring to fig. 2 to 6, the method of the present invention comprises the steps of:
(1) The device registration manager 3 in the device registration management system B acquires the device characteristic information from the terminal device and generates a device information registration application data block, which contains the device characteristic information, the device public key and a digital signature of the device information registration application data block made with the device private key.
(2) The device information registration application data block is transmitted to the device authentication and authorization management system A through a network security transmission channel between the device registration management system B and the device authentication and authorization management system A.
(3) The device authorization manager 1 in the device authentication authorization management system a verifies the digital signature of the device information registration application data block using the device public key in the device information registration application data block, and confirms the validity and integrity of the device information registration application data block. If the digital signature verification is passed, generating a device unique identifier DevID and an encryption key Kd corresponding to the DevID one by one, and carrying out encryption processing on the device characteristic information in the device information registration application data block by using the encryption key Kd and a symmetric encryption algorithm to obtain a device characteristic information ciphertext. The device unique identification DevID and the encryption key Kd are stored in the device authentication authorization management system a.
(4) The device authorization manager 1 in the device authentication authorization management system a generates a device certificate 8 of the terminal device, the device certificate 8 containing a device unique identification DevID, a device public key, a device characteristic information ciphertext, an authorization system public key, and a digital signature of the device certificate signed using the authorization system private key.
(5) The device certificate 8 of the terminal device is transferred to the terminal device through the network security transmission channel between the device registration management system B and the device authentication authorization management system A, and is stored on the terminal device.
(1) The identity registration manager 6 of the equipment identity authentication management system D acquires the user identity information, the equipment characteristic information and the equipment certificate 8 of the equipment from the terminal equipment end system of the digital copyright protection system, verifies the digital signature of the equipment certificate by using the public key of the authorization system in the equipment certificate 8, and confirms the legitimacy and the integrity of the equipment certificate. If the digital signature verification is passed, an equipment identity registration application data block is generated, and the equipment identity registration application data block contains user identity information, equipment characteristic information, equipment certificate 8 and a digital signature of the equipment identity registration application data block signed by using an equipment private key.
(2) The equipment identity registration application data block is transmitted to the equipment identity management and trusted authentication system C through the network security transmission channel between the equipment identity authentication management system D and the equipment identity management and trusted authentication system C.
(3) The device identity authorization manager 4 in the device identity management and trusted authentication system C verifies the digital signature of the device identity registration application data block using the device public key in the device certificate 8 in the device identity registration application data block, confirming the validity and integrity of the device identity registration application data block. If the digital signature verification is passed, the equipment identity authorization manager acquires the user identity information of the equipment from the digital copyright protection system operation end system, compares the user identity information with the user identity information in the equipment identity registration application data block, and generates an equipment information authentication application data block if the data are consistent, wherein the equipment information authentication application data block comprises equipment characteristic information in the equipment identity registration application data block, an equipment certificate 8, an operation system public key and a digital signature of the equipment information authentication application data block signed by using an operation system private key.
(4) The device information authentication application data block is transmitted to the device authentication authorization management system A through a network security transmission channel between the device identity management and the trusted authentication system C and the device authentication authorization management system A.
(5) The device authentication manager 2 of the device authentication authorization management system A verifies the digital signature of the device information authentication application data block with the operation system public key contained in it, and confirms the validity and integrity of the device information authentication application data block. If the digital signature verification passes, the encryption key Kd stored in the device authentication authorization management system A that corresponds to the device unique identifier DevID in the device certificate 8 is used to decrypt the device characteristic information ciphertext in the device certificate 8, giving the device characteristic information plaintext, which is compared with the device characteristic information in the device information authentication application data block. If the data are consistent, a device identity registration response data block is generated, which contains the device characteristic information, the device certificate 8 and a digital signature of the device identity registration response data block made with the authorization system private key.
(6) The equipment identity registration response data block is transmitted to the equipment identity management and trusted authentication system C through a network security transmission channel between the equipment identity management and trusted authentication system C and the equipment authentication authorization management system A.
(7) The device identity authorization manager 4 in the device identity management and trusted authentication system C verifies the digital signature of the device identity registration reply data block using the authorization system public key in the device identity registration reply data block content device certificate 8, confirming the validity and integrity of the device information registration reply data block. If the digital signature verification is passed, a unique equipment identity identifier DevUID and an encryption key Ku corresponding to the DevUID one by one are generated, and the equipment characteristic information and the user identity information in the equipment identity registration application data block are respectively encrypted by using the encryption key Ku and a symmetric encryption algorithm to obtain an equipment characteristic information ciphertext and a user identity information ciphertext. The device identity identifier DevUID and the encryption key Ku are stored in the device identity management and trusted authentication system C.
(8) The device identity authorization manager 4 in the device identity management and trusted authentication system C generates a device identity credential 9, the device identity credential 9 comprising a digital signature of the identity identifier DevUID, the device certificate 8, the device characteristic information ciphertext, the user identity information ciphertext, the operating system public key, and the device identity credential signed using the operating system private key.
(9) The device identity credential 9 is transferred to the terminal device through a network secure transmission channel between the device identity management and trusted authentication system C and the device identity authentication management system D and stored on the terminal device.
3) Trusted authentication processing of the terminal device:
(1) The identity authentication manager 7 of the device identity authentication management system D obtains the user identity information, the device characteristic information and the device identity credential 9 of the device from the terminal device end system of the digital copyright protection system, verifies the digital signature of the device identity credential 9 using the operation system public key in the device identity credential 9, and confirms the validity and integrity of the device identity credential 9. If the digital signature verification passes, a device identity authentication credential data block is generated, which contains the user identity information, the device characteristic information, the device identity credential 9, and a digital signature of the device identity authentication credential data block made with the device private key.
(2) The device identity authentication credential data block is transmitted to the device identity management and trusted authentication system C through the network secure transmission channel between the device identity authentication management system D and the device identity management and trusted authentication system C.
(3) The device trusted authentication manager 5 in the device identity management and trusted authentication system C verifies the digital signature of the device identity authentication credential data block using the device public key in the device certificate 8 contained in that data block, confirming the validity and integrity of the device identity authentication credential data block. If the digital signature verification passes, the encryption key Ku stored in the device identity management and trusted authentication system C that corresponds to the device identity identifier DevUID in the device identity credential 9 is used to decrypt the device characteristic information ciphertext and the user identity information ciphertext in the device identity credential 9, yielding the device characteristic information plaintext and the user identity information plaintext; these are compared with the device characteristic information and the user identity information in the device identity authentication credential data block, and if the data are consistent, the device identity management and trusted authentication system C has completed the trusted authentication of the terminal device's identity.

Claims (6)

1. The terminal equipment credibility authentication method in the digital copyright protection system uses a terminal device trusted authentication and management system composed of a device authentication authorization management system (A) used by a third-party device authentication organization, a device registration management system (B) used by the terminal device manufacturer, a device identity management and trusted authentication system (C) used by the operation service end system of the digital copyright protection system, and a device identity authentication management system (D) used by the terminal device end system of the digital copyright protection system; the device authentication authorization management system (A) consists of a device authorization manager (1) and a device authentication manager (2); the device registration management system (B) consists of a device registration manager (3); the device identity management and trusted authentication system (C) consists of a device identity authorization manager (4) and a device trusted authentication manager (5); the device identity authentication management system (D) consists of an identity registration manager (6) and an identity authentication manager (7); the implementation steps are as follows:
1) Device information registration and authorization processing:
(1) the device registration manager (3) in the device registration management system (B) acquires the device characteristic information from the terminal device and generates a device information registration application data block, which comprises the device characteristic information, the device public key and a digital signature of the device information registration application data block signed with the device private key;
(2) the device information registration application data block is transmitted to the device authentication authorization management system (A) through a network secure transmission channel between the device registration management system (B) and the device authentication authorization management system (A);
(3) the device authorization manager (1) in the device authentication authorization management system (A) verifies the digital signature of the device information registration application data block using the device public key in that data block, and confirms the validity and integrity of the device information registration application data block; if the digital signature verification is passed, a device unique identifier DevID and an encryption key Kd in one-to-one correspondence with the DevID are generated, and the device characteristic information in the device information registration application data block is encrypted using the encryption key Kd and a symmetric encryption algorithm to obtain a device characteristic information ciphertext; the device unique identifier DevID and the encryption key Kd are stored in the device authentication authorization management system (A);
(4) the device authorization manager (1) in the device authentication authorization management system (A) generates a device certificate (8) of the terminal device, wherein the device certificate (8) comprises the device unique identifier DevID, the device public key, the device characteristic information ciphertext, the authorization system public key and a digital signature of the device certificate (8) signed with the authorization system private key;
(5) the device certificate (8) of the terminal device is transmitted to the terminal device through the network secure transmission channel between the device registration management system (B) and the device authentication authorization management system (A), and is stored on the terminal device;
2) Device identity registration and authorization processing:
(1) the identity registration manager (6) of the device identity authentication management system (D) acquires the user identity information, the device characteristic information and the device certificate (8) of the device from the terminal device end system of the digital copyright protection system, verifies the digital signature of the device certificate (8) using the authorization system public key in the device certificate (8), and confirms the validity and integrity of the device certificate (8); if the digital signature verification is passed, a device identity registration application data block is generated, which contains the user identity information, the device characteristic information, the device certificate (8) and a digital signature of the device identity registration application data block signed with the device private key;
(2) the device identity registration application data block is transmitted to the device identity management and trusted authentication system (C) through a network secure transmission channel between the device identity authentication management system (D) and the device identity management and trusted authentication system (C);
(3) the device identity authorization manager (4) in the device identity management and trusted authentication system (C) verifies the digital signature of the device identity registration application data block using the device public key in the device certificate (8) contained in that data block, and confirms the validity and integrity of the device identity registration application data block; if the digital signature verification is passed, the device identity authorization manager (4) acquires the user identity information of the device from the operation end system of the digital copyright protection system, compares it with the user identity information in the device identity registration application data block, and, if the data are consistent, generates a device information authentication application data block, which comprises the device characteristic information from the device identity registration application data block, the device certificate (8), the operation system public key and a digital signature of the device information authentication application data block signed with the operation system private key;
(4) the device information authentication application data block is transmitted to the device authentication authorization management system (A) through the network secure transmission channel between the device identity management and trusted authentication system (C) and the device authentication authorization management system (A);
(5) the device authentication manager (2) of the device authentication authorization management system (A) verifies the digital signature of the device information authentication application data block using the operation system public key in that data block, and confirms the validity and integrity of the device information authentication application data block; if the digital signature verification is passed, the encryption key Kd stored in the device authentication authorization management system (A) and corresponding to the device unique identifier DevID in the device certificate (8) is used to decrypt the device characteristic information ciphertext in the device certificate (8) to obtain the device characteristic information plaintext, the device characteristic information plaintext is compared with the device characteristic information in the device information authentication application data block, and if the data are consistent a device identity registration response data block is generated, which contains the device characteristic information, the device certificate (8) and a digital signature of the device identity registration response data block signed with the authorization system private key;
(6) the device identity registration response data block is transmitted to the device identity management and trusted authentication system (C) through the network secure transmission channel between the device identity management and trusted authentication system (C) and the device authentication authorization management system (A);
(7) the device identity authorization manager (4) in the device identity management and trusted authentication system (C) verifies the digital signature of the device identity registration response data block using the authorization system public key in the device certificate (8) contained in that data block, and confirms the validity and integrity of the device identity registration response data block; if the digital signature verification is passed, a unique device identity identifier DevUID and an encryption key Ku in one-to-one correspondence with the DevUID are generated, and the device characteristic information and the user identity information in the device identity registration application data block are each encrypted using the encryption key Ku and a symmetric encryption algorithm to obtain a device characteristic information ciphertext and a user identity information ciphertext; the device identity identifier DevUID and the encryption key Ku are stored in the device identity management and trusted authentication system (C);
(8) the device identity authorization manager (4) in the device identity management and trusted authentication system (C) generates a device identity credential (9), wherein the device identity credential (9) comprises the identity identifier DevUID, the device certificate (8), the device characteristic information ciphertext, the user identity information ciphertext, the operation system public key and a digital signature of the device identity credential (9) signed with the operation system private key;
(9) the device identity credential (9) is transmitted to the terminal device through the network secure transmission channel between the device identity management and trusted authentication system (C) and the device identity authentication management system (D), and is stored on the terminal device;
3) Trusted authentication processing of the terminal device:
(1) the identity authentication manager (7) of the device identity authentication management system (D) acquires the user identity information, the device characteristic information and the device identity credential (9) of the device from the terminal device end system of the digital copyright protection system, verifies the digital signature of the device identity credential (9) using the operation system public key in the device identity credential (9), and confirms the validity and integrity of the device identity credential (9); if the digital signature verification is passed, a device identity authentication credential data block is generated, which comprises the user identity information, the device characteristic information, the device identity credential (9) and a digital signature of the device identity authentication credential data block signed with the device private key;
(2) the device identity authentication credential data block is transmitted to the device identity management and trusted authentication system (C) through the network secure transmission channel between the device identity authentication management system (D) and the device identity management and trusted authentication system (C);
(3) the device trusted authentication manager (5) in the device identity management and trusted authentication system (C) verifies the digital signature of the device identity authentication credential data block using the device public key in the device certificate (8) contained in that data block, and confirms the validity and integrity of the device identity authentication credential data block; if the digital signature verification is passed, the encryption key Ku stored in the device identity management and trusted authentication system (C) and corresponding to the device identity identifier DevUID in the device identity credential (9) is used to decrypt the device characteristic information ciphertext and the user identity information ciphertext in the device identity credential (9) to obtain the device characteristic information plaintext and the user identity information plaintext, these are compared respectively with the device characteristic information and the user identity information in the device identity authentication credential data block, and if the data are consistent the device identity management and trusted authentication system (C) has completed the trusted authentication of the identity of the terminal device.
2. The terminal equipment credibility authentication method in the digital copyright protection system according to claim 1, wherein the operation server end system of the digital copyright protection system is a component of the digital content business operation server end system and implements the management and control of digital content copyright protection at the operation server end; the terminal device end system of the digital copyright protection system is a component of the terminal device end system of the digital content service and implements the management and control of digital content copyright protection on the terminal device.
3. The terminal equipment credibility authentication method in the digital copyright protection system according to claim 1 or 2, wherein the authorization system public key and the authorization system private key are managed by the device authentication authorization management system (A); the device public key and the device private key are built into a tamper-resistant storage area of the terminal device by the manufacturer before the terminal device leaves the factory and are in one-to-one correspondence with the terminal device; the operation system public key and the operation system private key are managed by the device identity management and trusted authentication system (C).
4. The terminal equipment credibility authentication method in the digital copyright protection system according to claim 3, wherein the device characteristic information is a set of fixed-length data generated from readable hardware identification information capable of uniquely identifying one or more components of the terminal device, the components of the terminal device including the CPU, motherboard, hard disk, network card, USB device, optical drive and SD card, and the hardware identification information of the components including the serial number of the CPU, the serial number of the motherboard, the serial number of the hard disk, the MAC address of the network card, the serial number of the USB device, the serial number of the optical drive and the serial number of the SD card.
5. The terminal equipment credibility authentication method in the digital copyright protection system according to claim 4, wherein the user identity information is either secret information provided by the user or user secret information obtained secretly by the system; the secret information provided by the user is information known only to the user, and the user secret information obtained secretly by the system is secret information held on a device specific to the user.
6. The terminal equipment credibility authentication method in the digital copyright protection system according to claim 5, wherein the network secure transmission channel is a network data channel having the properties of guaranteeing data confidentiality, data integrity, data source authentication and resistance to replay attacks.
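The three phases described above (device information registration, device identity registration and trusted authentication, as restated in claim 1) carried through in code, as an added example that is not the patent's own implementation. The patent leaves the signature scheme and the symmetric algorithm unspecified, so the block assumes textbook RSA over hard-coded Mersenne primes for signatures and a SHA-256 keystream with an HMAC tag for the cipher; the function names, the `expected_user` record held by the operation end, and every key, DevID/DevUID value, user string and hardware serial are constructed for the example, and it also exercises the negative cases the comparison steps reject (a credential presented from other hardware or with different user information).

```python
"""Three-phase device trust flow of the patent (device information registration,
device identity registration, trusted authentication) modelled end to end.
Labelled stand-ins: textbook RSA over hard-coded Mersenne primes as the signature
scheme and a SHA-256 keystream XOR plus HMAC tag as the symmetric cipher."""
import hashlib, hmac, json, os

E = 65537  # RSA public exponent of the toy keys

def keypair(p: int, q: int) -> tuple:       # -> (public, private)
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)
def digest(fields: dict) -> int:
    raw = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")
def signed(priv: tuple, **fields) -> dict:  # data block = fields + signature over them
    d, n = priv
    return {**fields, "sig": pow(digest(fields) % n, d, n)}
def verify(pub: tuple, block: dict) -> bool:
    e, n = pub
    body = {k: v for k, v in block.items() if k != "sig"}
    return pow(block["sig"], e, n) == digest(body) % n
def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]
def encrypt(key: bytes, text: str) -> str:  # hex(nonce || ciphertext || tag)
    nonce, data = os.urandom(16), text.encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()
def decrypt(key: bytes, blob: str) -> str:
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))).decode()

# Constructed key pairs: device key built in by the manufacturer (claim 3), system A, system C.
DEV_PUB, DEV_PRIV = keypair(2**61 - 1, 2**31 - 1)
AUTH_PUB, AUTH_PRIV = keypair(2**89 - 1, 2**107 - 1)
OPS_PUB, OPS_PRIV = keypair(2**127 - 1, 2**19 - 1)
A_STORE, C_STORE = {}, {}  # DevID -> Kd (held by A); DevUID -> Ku (held by C)

def phase1_register(features: str) -> dict:
    """Steps 1)(1)-(5): B submits the device's features, A issues certificate (8)."""
    app = signed(DEV_PRIV, features=features, dev_pub=DEV_PUB)
    if not verify(app["dev_pub"], app):     # key carried in the block: proves key possession only
        raise ValueError("registration application signature invalid")
    dev_id, kd = "DEVID-" + os.urandom(4).hex(), os.urandom(32)
    A_STORE[dev_id] = kd                     # DevID <-> Kd, one to one
    return signed(AUTH_PRIV, dev_id=dev_id, dev_pub=app["dev_pub"],
                  features_ct=encrypt(kd, features), auth_pub=AUTH_PUB)

def phase2_identity(cert: dict, features: str, user: str, expected_user: str) -> dict:
    """Steps 2)(1)-(9): D -> C -> A -> C, ending in identity credential (9)."""
    if not verify(cert["auth_pub"], cert):                                # D, step (1)
        raise ValueError("device certificate signature invalid")
    app = signed(DEV_PRIV, user=user, features=features, cert=cert)
    if not verify(app["cert"]["dev_pub"], app):                           # C, step (3)
        raise ValueError("identity registration application signature invalid")
    if app["user"] != expected_user:         # compared with the operation end's own record
        raise ValueError("user identity mismatch")
    auth_app = signed(OPS_PRIV, features=app["features"], cert=app["cert"], ops_pub=OPS_PUB)
    if not verify(auth_app["ops_pub"], auth_app):                         # A, step (5)
        raise ValueError("information authentication application signature invalid")
    kd = A_STORE[auth_app["cert"]["dev_id"]]  # Kd looked up by the DevID in certificate (8)
    if decrypt(kd, auth_app["cert"]["features_ct"]) != auth_app["features"]:
        raise ValueError("device characteristic information mismatch")
    resp = signed(AUTH_PRIV, features=auth_app["features"], cert=auth_app["cert"])
    if not verify(resp["cert"]["auth_pub"], resp):                        # C, step (7)
        raise ValueError("registration response signature invalid")
    dev_uid, ku = "DEVUID-" + os.urandom(4).hex(), os.urandom(32)
    C_STORE[dev_uid] = ku                    # DevUID <-> Ku, one to one
    return signed(OPS_PRIV, dev_uid=dev_uid, cert=resp["cert"], ops_pub=OPS_PUB,  # step (8)
                  features_ct=encrypt(ku, features), user_ct=encrypt(ku, user))

def phase3_authenticate(cred: dict, features: str, user: str) -> bool:
    """Steps 3)(1)-(3): D presents credential (9); C decrypts with Ku and compares."""
    if not verify(cred["ops_pub"], cred):                                 # D, step (1)
        return False
    blk = signed(DEV_PRIV, user=user, features=features, cred=cred)
    if not verify(blk["cred"]["cert"]["dev_pub"], blk):                   # C, step (3)
        return False
    ku = C_STORE.get(blk["cred"]["dev_uid"])
    return ku is not None and (decrypt(ku, blk["cred"]["features_ct"]) == blk["features"]
                               and decrypt(ku, blk["cred"]["user_ct"]) == blk["user"])

if __name__ == "__main__":
    feats = "cpu:SN-CONSTRUCTED-1|mb:MB-CONSTRUCTED-1|mac:00:11:22:33:44:55"  # constructed
    cred = phase2_identity(phase1_register(feats), feats, "alice:pin-0000", "alice:pin-0000")
    print(phase3_authenticate(cred, feats, "alice:pin-0000"),                  # True
          phase3_authenticate(cred, feats + "|sd:OTHER", "alice:pin-0000"))   # False: other hardware
```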
Application CN201510412791.3A, priority date 2015-07-15, filing date 2015-07-15: Terminal equipment credibility authentication method in digital copyright protection system; status Active; granted publication CN106656499B (en)

Publications (2)

Publication Number Publication Date
CN106656499A CN106656499A (en) 2017-05-10
CN106656499B true CN106656499B (en) 2023-05-05

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant