CN107809436B - Authority authentication method, encryption method, device and system for network video access - Google Patents


Info

Publication number
CN107809436B
Application number
CN201711107690.0A
Authority
CN (China)
Prior art keywords
key, information, decryption, encryption, video
Legal status
Active
Other languages
Chinese (zh)
Other versions
CN107809436A
Inventors
李伟华
李毅
要文涛
Current assignee
POWERINFO CO Ltd
Original assignee
POWERINFO CO Ltd
Events
Application filed by POWERINFO CO Ltd
Priority to CN201711107690.0A
Publication of CN107809436A
Application granted
Publication of CN107809436B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords, using one-time passwords


Abstract

The invention provides a method, a device and a system for authenticating the access rights of a network video client, in the technical field of internet video information. During rights authentication the user does not need to have registered an account with the video client in advance, which improves the user experience. The rights information can be decrypted only by using the correct decryption algorithm together with the correct decryption key, which protects it against packet capture and analysis in transit. Moreover, the decryption algorithm and the decryption key are independent of each other, so that even if one of them is compromised, the security of the system is still ensured by the other protection strategy.

Description

Authority authentication method, encryption method, device and system for network video access
Technical Field
The invention relates to the technical field of internet video information, and in particular to a method, a device and a system for authenticating the access rights of a network video client.
Background
According to published figures, online video accounted for 73% of all internet traffic in 2016 and is expected to reach 82% by 2021. Network video has become a primary carrier for work, entertainment, news and education, and an indispensable part of most people's lives. A video content provider supplies the videos and delivers advertisements and other promotional material to the video client through the video server, in order to realize commercial value. However, in existing video services the transmitted information is easily captured and cracked by packet sniffing, and security is poor.
Disclosure of Invention
In view of the above, the present invention provides a method, an apparatus and a system for authenticating the access rights of a network video client, so as to address the security risks of the prior art.
The technical solution provided by the invention is as follows.
In a first aspect, a method for authenticating the access rights of network video, applied to a video server, comprises the following steps:
receiving encrypted rights information sent by a video client;
determining, according to a preset rule, at least one decryption algorithm and at least one decryption key corresponding to the encrypted rights information;
decrypting the encrypted rights information at least once using the at least one decryption algorithm and the at least one decryption key, to obtain decrypted rights information; and
judging whether the decrypted rights information satisfies a preset condition and, if so, treating the video client as having passed rights verification at the video server, so that the video server provides video service to the video client according to the video client's operations.
In a second aspect, the present invention further provides a rights encryption method, applied to a video client, comprising:
determining, according to a preset rule, at least one encryption algorithm and at least one encryption key corresponding to the rights information;
encrypting the rights information at least once using the at least one encryption algorithm and the at least one encryption key, to obtain encrypted rights information; and
sending the encrypted rights information to a video server.
In a third aspect, the present invention further provides a rights authentication apparatus, applied to a video server, comprising:
an information acquisition module, configured to receive encrypted rights information sent by a video client;
a decryption algorithm and key determination module, configured to determine, according to a preset rule, at least one decryption algorithm and at least one decryption key corresponding to the encrypted rights information;
a decryption module, configured to decrypt the encrypted rights information at least once using the at least one decryption algorithm and the at least one decryption key, to obtain decrypted rights information; and
an authentication module, configured to judge whether the decrypted rights information satisfies a preset condition and, if so, to treat the video client as having passed rights verification at the video server, so that the video server provides video service to the video client according to the video client's operations.
In a fourth aspect, the present invention further provides a rights encryption apparatus, applied to a video client, comprising:
an encryption algorithm and key determination module, configured to determine, according to a preset rule, at least one encryption algorithm and at least one encryption key corresponding to the rights information;
an encryption module, configured to encrypt the rights information at least once using the at least one encryption algorithm and the at least one encryption key, to obtain encrypted rights information; and
a transmission module, configured to send the encrypted rights information to a video server.
In a fifth aspect, the present invention further provides a rights authentication system comprising a video server and a video client, where the video client comprises:
an encryption algorithm and key determination module, configured to determine, according to a preset rule, at least one encryption algorithm and at least one encryption key corresponding to the rights information;
an encryption module, configured to encrypt the rights information at least once using the at least one encryption algorithm and the at least one encryption key, to obtain encrypted rights information; and
a transmission module, configured to send the encrypted rights information to the video server;
and the video server comprises:
an information acquisition module, configured to receive the encrypted rights information sent by the video client;
a decryption algorithm and key determination module, configured to determine, according to a preset rule, at least one decryption algorithm and at least one decryption key corresponding to the encrypted rights information;
a decryption module, configured to decrypt the encrypted rights information at least once using the at least one decryption algorithm and the at least one decryption key, to obtain decrypted rights information; and
an authentication module, configured to judge whether the decrypted rights information satisfies a preset condition and, if so, to treat the video client as having passed rights verification at the video server, so that the video server provides video service to the video client according to the video client's operations.
The rights authentication method provided by the embodiment of the invention authenticates the rights information sent by the video client: the server determines the corresponding decryption algorithm and decryption key according to the preset rule, decrypts the rights information, and treats authentication as successful when the decrypted rights information satisfies the preset condition. During rights authentication the user does not need to have registered an account with the video client in advance, which improves the user experience. The rights information can be decrypted only by using the correct decryption algorithm together with the correct decryption key, which protects it against packet capture and analysis in transit. Moreover, the decryption algorithm and the decryption key are independent of each other, so that even if one of them is compromised, the security of the system is still ensured by the other protection strategy.
Drawings
To illustrate the embodiments of the invention and the prior art more clearly, the drawings used in their description are briefly introduced below. They show some of the embodiments of the invention; a person skilled in the art could derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the interaction between a video server and a video client according to an embodiment of the invention.
Fig. 2 is a flowchart of a method for authenticating the access rights of network video according to an embodiment of the invention.
Fig. 3 is a flowchart of the sub-steps of step S102 in the method of Fig. 2.
Fig. 4 is a flowchart of a rights encryption method according to an embodiment of the invention.
Fig. 5 is a flowchart of the sub-steps of step S201 in the rights encryption method of Fig. 4.
Fig. 6 is a flowchart of a rights authentication apparatus according to an embodiment of the invention.
Fig. 7 is a flowchart of a rights encryption apparatus according to an embodiment of the invention.
Reference numerals: 100 video server; 200 video client; 10 rights authentication apparatus; 20 rights encryption apparatus; 101 information acquisition module; 102 decryption algorithm and key determination module; 103 decryption module; 104 authentication module; 201 encryption algorithm and key determination module; 202 encryption module; 203 transmission module.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions are described completely below with reference to the accompanying drawings. The described embodiments are some, not all, of the embodiments of the invention; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the invention.
The inventors found that when a user obtains video service through a communication device, because the service providers offer a large amount of content, some of it can be played only after the user pays a fee or registers as a member. Before the user can present the correct credentials when requesting a video, the user must first complete a series of steps with the provider, such as registering an account, purchasing membership and paying fees. The user's account name, password and similar information must then be sent to the video server, which determines from them whether the user holds the right permissions. That information can easily be intercepted in transit, leading to leakage of the user's personal information. The process also requires registration, which is cumbersome and gives a poor user experience.
At the same time, clients not authorized by the video content provider can learn the details of the communication between the video server and a client by packet capture and analysis, impersonate an authorized client to obtain video content from the video server, and bypass or replace the advertisements and other promotional material the video server provides, so that the content provider suffers a direct or indirect loss.
To address these problems, session-based verification or token-based authentication can be adopted.
Session verification works as follows: the client logs in to the server with a user name and password; the server creates a session object to track the user's state and returns a session ID to the client; on subsequent requests the client sends the session ID to the server in a cookie header, and the server uses it to look up the session object and so track the client's state.
Token-based authentication works as follows: the client logs in to the server with a user name and password; once the login is verified, the server issues the user a token; the client stores the token and attaches it to every access to the server, and the server verifies the token value and returns the data.
Session verification and token-based authentication are similar: both require the user to enter a user name and password, which implies that the user has registered them. For most video client users this significantly degrades the user experience. More importantly, both the session ID and the token can be obtained by network packet capture and analysis, so their security has certain shortcomings.
First embodiment
The embodiment of the invention provides a method for authenticating the access rights of network video, applied to a video server 100. The video server 100 provides video service to a video client 200, which may be any communication device a user can operate and connect to the video server 100, such as a personal computer, a mobile phone or a tablet computer. When a user of the video client 200 requires video service from the video server 100, different users may be entitled to personalized services, so the video server 100 performs rights authentication on the video client 200 to determine whether it has the correct access rights. Fig. 1 is a diagram of the interaction between the video client 200 and the video server 100.
As shown in Fig. 2, the method for authenticating the access rights of network video includes the following steps.
Step S101: receiving the encrypted rights information sent by the video client 200.
The video client 200 encrypts the rights information to obtain encrypted rights information and sends it to the video server 100 over a communication connection established with the video server 100 in advance. In the embodiment of the invention, the rights information may include one or more of the following parameters: a preset client code, client version information, a digest of the key file used for encryption, and the current time of the video server 100 as previously obtained by the video client 200. The video server 100 receives the encrypted rights information.
The video server 100 may run on an operating system such as RHEL 7.0 (Red Hat Enterprise Linux 7.0). When responding to a connection or playback request from the video client 200, the video server 100 calls the server-side decryption module 103 to decrypt the encrypted rights information.
Step S102: determining, according to a preset rule, at least one decryption algorithm and at least one decryption key corresponding to the encrypted rights information.
The video server 100 determines a decryption algorithm and a decryption key according to a predetermined rule and uses them to decrypt the received encrypted rights information. The video server 100 is configured in advance with a plurality of decryption algorithms and a plurality of decryption keys. The decryption algorithms may be stored as dynamic link library files and may include at least one of AES-128, AES-192 and AES-256; other decryption algorithms may of course be used, and the embodiment of the invention does not limit the specific form of the decryption algorithm.
In detail, as shown in Fig. 3, the decryption algorithm and the decryption key may be determined by the following sub-steps.
Sub-step S121: determining the decryption algorithm according to at least one of time information and communication interaction information, where the time information is a time value determined by the video server 100 from the current time.
For example, when the decryption algorithm is determined from time information, the seconds value of the current time of the video server 100 may be taken modulo 3: AES-128 is selected if the result is 0, AES-192 if the result is 1, and AES-256 if the result is 2. Other operations on the time information may of course be used to decide which algorithm is selected.
When the decryption algorithm is determined from communication interaction information, that information is any information related to the communication between the video server 100 and the video client 200. It may include initial rights information sent by the video server 100 to the video client 200 before rights authentication, the connection handshake with the video server 100 after the video client 200 starts, probe or data messages exchanged between the video client 200 and the video server 100, and so on, and may also include an executable program written in a programming language. The video server 100 may establish in advance a correspondence between communication interaction information and decryption algorithms, and then select the decryption algorithm from the interaction information actually observed. For example, the decryption algorithm may be chosen from a preset fixed data value carried in the interaction information: a value of 0 selects AES-128, 1 selects AES-192, and 2 selects AES-256.
The communication interaction information may further include an executable program that implements the decryption algorithm. In this case, when the decryption algorithm is determined, an interpreter for that program is invoked to execute at least part of it, and the executed program serves as part or all of the decryption algorithm. The executable program may consist of statements in a scripting language such as Python, Lua or Perl; the video server 100 calls the corresponding interpreter to execute them, obtains the resulting statement information, and uses it as at least part of the decryption algorithm. Because the server executes whatever program this information contains, in practice the program must be authenticated as the server's own before an interpreter is invoked on it; otherwise any party able to inject interaction information could run code on the video server.
For example, the statement information obtained by executing the program may concatenate the rights information with the preset initial rights information and then XOR the result cyclically with the decryption key; the behaviour of this statement then serves as the decryption algorithm. Alternatively, the data of the statement itself may be used as the decryption algorithm, in which case the statement as a whole is taken as the decryption method.
The decryption algorithm may thus be determined by the methods described above. It will be understood that when the video server 100 configures the decryption algorithms and decryption keys in advance, a replacement period D may be configured for the decryption keys, and preset decryption coefficients C1 and C2 may be configured as parameters of the related decryption operations.
Sub-step S122: determining a key index number for the decryption key according to at least one of the time information and the communication interaction information, and selecting from the plurality of decryption keys the decryption key corresponding to that key index number.
Decrypting the rights information requires a decryption key as well as a decryption algorithm; the key is a parameter of the decryption. Different decryption algorithms use keys of different lengths, so a key file of fixed size holds a different number of keys depending on the algorithm. For example, with a key file fixed at 65536 bytes there are 4096 keys for AES-128 (16-byte keys), 2730 keys for AES-192 (24-byte keys) and 2048 keys for AES-256 (32-byte keys). The key index number of the decryption key may be generated by combining at least one of the time information and the communication interaction information with decryption key feature data, where the feature data includes at least one of the number of decryption keys, the decryption coefficients, and the version information of the decryption key module.
When the time information is used to determine the decryption key, it is combined with the decryption key feature data to compute the key index number. For example, the index may be computed from the number of seconds since 1 January 1970 by a preset formula such as (((T / D) ^ C1) + C2) % S, where T is the number of seconds since 1970-01-01, D is the version information of the current decryption key module (which may be the preset replacement period of the decryption key), C1 and C2 are the preset decryption coefficients, and S is the number of decryption keys. Other operations on the time information may of course be used to determine the key index number. The corresponding decryption key is then looked up by its key index number.
When the communication interaction information is used to determine the decryption key, its data field may directly carry the key index number, and the corresponding decryption key is selected by that number.
Alternatively, the key index number may be computed from data in the communication interaction information together with the decryption key feature data. For example, if the data value is X, the key index may be computed as (((X / D) ^ C1) + C2) % S.
In another specific embodiment, different decryption keys use different primitive polynomials and initial values to generate a pseudo-random sequence, and an element of that sequence is selected as the key index number according to the time information, or according to a data field of the communication interaction information. For example, a pseudo-random sequence can be generated from the primitive polynomials and initial value of a Gold sequence generator, and an element is then selected from it as the key index according to the time information.
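As an added example (not the patent's own code), the following Python builds the Gold-sequence variant just described: two Fibonacci LFSRs driven by a preferred pair of degree-5 primitive polynomials are XORed into a Gold sequence, and a window of that sequence, positioned by the server time, is reduced modulo the number of keys to give the key index. The polynomials (octal 45 and 75), the initial values, and the 8-bit window are assumptions for illustration; the patent names none of them.

```python
def lfsr_bits(poly: int, seed: int, length: int):
    """Fibonacci LFSR. `poly` is the characteristic polynomial as a bit mask with
    the x^n term included (x^5 + x^2 + 1 -> 0b100101). The state holds the n most
    recent bits; each step outputs the oldest bit and shifts in the feedback."""
    n = poly.bit_length() - 1
    mask = (1 << n) - 1
    taps = poly & mask                       # drop the x^n term
    state = seed & mask
    if state == 0:
        raise ValueError("an all-zero state never leaves zero")
    out = []
    for _ in range(length):
        out.append(state & 1)
        feedback = bin(state & taps).count("1") & 1
        state = (state >> 1) | (feedback << (n - 1))
    return out


def lfsr_period(poly: int, seed: int) -> int:
    """Steps until the state repeats: 2^n - 1 exactly when `poly` is primitive,
    which is the property the patent's 'primitive polynomial' wording relies on."""
    n = poly.bit_length() - 1
    mask = (1 << n) - 1
    taps = poly & mask
    start = seed & mask
    if start == 0:
        raise ValueError("an all-zero state never leaves zero")
    state, steps = start, 0
    while True:
        feedback = bin(state & taps).count("1") & 1
        state = (state >> 1) | (feedback << (n - 1))
        steps += 1
        if state == start:
            return steps


def gold_sequence(poly_a: int, seed_a: int, poly_b: int, seed_b: int):
    """Gold sequence: bitwise XOR of two m-sequences from a preferred pair of
    primitive polynomials of the same degree, over one full period."""
    if poly_a.bit_length() != poly_b.bit_length():
        raise ValueError("both polynomials must have the same degree")
    length = (1 << (poly_a.bit_length() - 1)) - 1
    a = lfsr_bits(poly_a, seed_a, length)
    b = lfsr_bits(poly_b, seed_b, length)
    return [x ^ y for x, y in zip(a, b)]


def key_index_from_sequence(seq, selector: int, key_count: int, width: int = 8) -> int:
    """Pick `width` consecutive bits of `seq` (cyclically) starting at a position
    derived from `selector` (server time in seconds, or a data field from the
    interaction), and reduce the value modulo the number of keys S."""
    start = selector % len(seq)
    value = 0
    for i in range(width):
        value = (value << 1) | seq[(start + i) % len(seq)]
    return value % key_count


# Assumed preferred pair of degree-5 primitive polynomials (octal 45 and 75).
POLY_A = 0b100101      # x^5 + x^2 + 1
POLY_B = 0b111101      # x^5 + x^4 + x^3 + x^2 + 1

if __name__ == "__main__":
    seq = gold_sequence(POLY_A, 0b00001, POLY_B, 0b10110)   # assumed seeds
    print("".join(map(str, seq)))
    print("key index:", key_index_from_sequence(seq, 1_700_000_000, 4096))
```

Both sides must hold the same polynomials and seeds and read the same server time for the indices to agree; the sequence itself is public knowledge once the polynomials are known, so, as with the formula variant, the secrecy lies in the preset parameters and the key file, not in the sequence.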
In another embodiment, the decryption method and decryption key may be determined from a flag carried in a predetermined key file, for example a decryption method flag set in the header of the key file.
The decryption algorithm and the corresponding decryption key can be determined by the above methods. Since the video server 100 can be pre-configured with a plurality of decryption algorithms and a plurality of decryption keys, many decryption combinations are possible, which improves the security of the rights information during decryption. One or more decryption algorithms and decryption keys may be determined.
For example, when the decryption algorithm is determined from the time information by taking the seconds value of the current time modulo 3, AES-128 is selected when the result is 0, AES-192 when it is 1, and AES-256 when it is 2. If only a single algorithm is determined, a systematic error (such as the client and server clocks differing by a second) may cause the determined algorithm to be the wrong one. To tolerate such errors, one step forward and one step backward may also be taken: in this embodiment, when the result is 0, not only AES-128 but also AES-256 (corresponding to the preceding result 2) and AES-192 (corresponding to the following result 1) are used as decryption algorithms.
In another embodiment, the key index number may be determined according to a related rule to obtain a corresponding decryption key. The decryption key may also be at least one data file, a disguised digital carrier file, or a digital media file, and at this time, a conventional key interface, a disguised reading interface, a digital watermark extraction interface, or a digital steganographic content extraction interface needs to be called to read the at least one data file, the disguised digital carrier file, or the digital media file to obtain the content of the decryption key.
The data file may directly store the decryption key content. The disguised digital carrier file refers to one or more files, the content of which is a key, but the appearance form of the file is a dynamic link library, an image, audio and video. The digital media file bearing the key means that the appearance of the file is the digital media file, the digital media can also normally show the content of the media, the decryption key is stored in the digital media file by using a digital watermark or a digital steganography method, and the difference between the media file and the conventional media file is difficult to detect by visual detection or program detection. The digital media files may include a combination of one or more of the following: image, video, audio.
In detail, the digital watermarking or digital steganography algorithms mentioned in this embodiment mainly include an LSB (Least Significant Bit) algorithm in the spatial domain and a DCT (Discrete Cosine Transform) algorithm in the frequency domain. Of the three types of digital media described above, both the LSB and the DCT algorithm apply to images, while only the DCT algorithm applies to video and audio. The following description takes image processing as an example:
1) The LSB method uses the RGB space of a color image and writes the watermark or steganographic information into the lowest bit of the RGB bytes; the human eye cannot distinguish the difference, because whether the lowest bit is 0 or 1 has very little influence on how the image is displayed. Since the human eye is least sensitive to blue (B) in the RGB space, this embodiment may select the B bytes for steganography. The specific method is to write the embedded information, bit by bit, into the B bytes of successive image pixels.
2) The principle of the DCT method, when the watermark or steganographic information is added in the frequency domain, is that after the DCT of the image data the energy of the high-frequency part is very small and most of the energy of the original image lies in the low-to-intermediate frequency part; the watermark is therefore usually embedded into the low-frequency coefficients of the image, which meets the balance point between the invisibility and the robustness of the watermark. In this embodiment, a color image is transformed from the RGB space to the YIQ space, the luminance (Y) component is extracted, the extracted Y component is subjected to a one-level wavelet decomposition, and its low-frequency portion is extracted and divided into blocks; a DCT (discrete cosine transform) is performed on each block to obtain the transformed DC component, the watermark or steganographic information is written into the DC component, an inverse DCT and an inverse wavelet transform are performed to obtain a new Y component, and the new Y component is combined with the original I and Q components to restore the image to the RGB (red, green, blue) space.
For audio and video, the information is written into the low-frequency components of the video or audio according to the same DCT principle, so that the aim of hiding the information is achieved.
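As an added illustration, not code from the patent, the following Go program implements the LSB embedding and extraction described in 1): a key is written bit by bit into the least significant bit of the B byte of successive pixels of an in-memory RGB carrier, and the matching extraction interface reads it back. The 16-bit length prefix, the constructed carrier and the placeholder key are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Pixel is an 8-bit RGB pixel; the carrier image is a flat slice of them
// (constructed in memory for the example; no image file is decoded).
type Pixel struct{ R, G, B uint8 }

// embedLSB writes payload bit by bit (most significant bit first) into the
// least significant bit of the blue (B) byte of successive pixels. A 16-bit
// big-endian length prefix is added so the extractor knows where the key
// ends; that framing is an assumption, not part of the page.
func embedLSB(img []Pixel, payload []byte) ([]Pixel, error) {
	if len(payload) > 0xFFFF {
		return nil, errors.New("payload too long for 16-bit length prefix")
	}
	framed := append([]byte{byte(len(payload) >> 8), byte(len(payload))}, payload...)
	if len(framed)*8 > len(img) {
		return nil, errors.New("carrier image has too few pixels")
	}
	out := make([]Pixel, len(img))
	copy(out, img)
	pos := 0
	for _, b := range framed {
		for bit := 7; bit >= 0; bit-- {
			out[pos].B = (out[pos].B &^ 1) | ((b >> uint(bit)) & 1)
			pos++
		}
	}
	return out, nil
}

// extractLSB is the matching digital steganography extraction interface:
// it reads the length prefix, then rebuilds each payload byte from the B
// least significant bits of eight consecutive pixels.
func extractLSB(img []Pixel) ([]byte, error) {
	readByte := func(pos int) byte {
		var v byte
		for k := 0; k < 8; k++ {
			v = v<<1 | (img[pos+k].B & 1)
		}
		return v
	}
	if len(img) < 16 {
		return nil, errors.New("carrier too small for length prefix")
	}
	n := int(readByte(0))<<8 | int(readByte(8))
	if (2+n)*8 > len(img) {
		return nil, errors.New("length prefix exceeds carrier size")
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = readByte((2 + i) * 8)
	}
	return out, nil
}

// maxChannelDelta reports the largest per-channel change between two
// images; LSB embedding in B changes a channel value by at most 1.
func maxChannelDelta(a, b []Pixel) int {
	d := 0
	for i := range a {
		for _, p := range [][2]uint8{{a[i].R, b[i].R}, {a[i].G, b[i].G}, {a[i].B, b[i].B}} {
			if x := int(p[0]) - int(p[1]); x > d {
				d = x
			} else if -x > d {
				d = -x
			}
		}
	}
	return d
}

func main() {
	img := make([]Pixel, 32*32) // constructed 32x32 carrier
	for i := range img {
		img[i] = Pixel{uint8(i), uint8(i * 3), uint8(i * 7)}
	}
	key := []byte("CONSTRUCTED-DEMO-KEY-24B") // placeholder, not a real key
	stego, err := embedLSB(img, key)
	if err != nil {
		panic(err)
	}
	got, _ := extractLSB(stego)
	fmt.Printf("recovered %q, max channel delta %d\n", got, maxChannelDelta(img, stego))
}
```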
The file form of the decryption key is determined, and the content of the decryption key is then obtained through the corresponding extraction port.
In the above decryption key determination process, the decryption key may be stored in a separate file and obtained from that file by the above determination method. In another embodiment, the decryption key may also be stored in multiple files, in which case the complete content of the decryption key can only be obtained if all related files are read together.
In addition, the determined decryption key may itself be encrypted. The video server 100 may read, from the configuration file of the decryption key, a flag indicating whether the key is stored in the clear; if the key is in ciphertext form, the decryption key file that was read must be decrypted again using the key in the configuration file, so as to obtain the unencrypted decryption key.
Step S103, the encrypted authority information is decrypted at least once by using the at least one decryption algorithm and the at least one decryption key, and the decrypted authority information is obtained.
After the decryption algorithm and the decryption key have been obtained through the above steps, they can be used for the decryption operation: the encrypted authority information is decrypted to obtain the decrypted authority information.
It should be noted that the video client 200 may send the requested video data together with the encrypted right information to the video server 100. When the permission information is decrypted, it may further be determined whether the video data requested by the video client 200 is a preset key video; if so, a standby decryption key is called to perform standby decryption on the encrypted permission information, so as to obtain standby-decrypted permission information, and the standby-decrypted permission information is then decrypted a second time.
The standby decryption of the permission information corresponding to a preset key video requested by the video client 200 may be performed before the normal decryption step: standby decryption of the permission information corresponding to the key video yields normally encrypted permission information, which is then decrypted normally using the determined decryption algorithm and decryption key to obtain the decrypted permission information.
A key video is video content considered to have high commercial or social value. The video server 100 may set the type of video content according to a preset rule, classify some content as key video, and perform the above standby decryption process when the video content requested by the video client 200 is a key video, so as to obtain the normally decrypted right information.
Step S104, determining whether the decrypted permission information meets a preset condition; if it does, the video server 100 passes the permission verification of the video client 200 and provides the video service to the video client 200 according to the operation of the video client 200.
The authority information may include the version information of the key file, added in plain text. The decrypted authority information may thus include the version information of the key file; if the decrypted version information of the key file does not have the format and content specified by the system, the decryption is judged to have failed and the authentication of the authority information fails. If the version information of the key file belongs to an old version, the video server 100 can notify the client to update its encryption key; if the update succeeds, the video client 200 encrypts the permission information again with the new encryption key to form new permission information, and the video server 100 decrypts the new permission information and then performs permission authentication. If the encryption key update fails, the authentication of the rights information of the video client 200 is considered to have failed.
In addition, the decrypted permission information may further include at least one of a client code of the video client 200, client version information, digest information of the encryption key, and time information of the video server 100 sent back by the video client 200. Whether the decrypted permission information meets the preset condition may then be determined in the following ways:
determining that the client code conforms to the preset system specification;
determining that the client version information of the video client 200 is consistent with the terminal version corresponding to the encryption key file in use;
determining that the digest information of the encryption key is consistent with the digest information of the decryption key file of the video server 100; and
determining that the difference between the time information of the video server 100 sent back by the video client 200 and the current time of the video server 100 is within a preset time length. For example, it may be preset that the authority information is considered successfully authenticated if this difference is within 3 seconds.
As described above, in order to prevent rounding errors, a plurality of decryption algorithms and a corresponding plurality of decryption keys may be obtained, and a plurality of decrypted right information items may be obtained using them. If any one of these decrypted right information items passes the judgment, the right information is considered to be correct.
If the authority information sent by the video client 200 passes the authority authentication of the video server 100, the video server 100 can provide the normal video service to the video client 200. If the authority authentication fails, the video server 100 may refuse to provide the video service, or may provide the video service at a reduced bitrate or for a limited duration.
In another specific embodiment, the video server 100 may further update the decryption algorithm and the decryption key according to a preset update rule. It is understood that the video server 100 may preset an update time point at which the decryption algorithm and the decryption key are updated. For example, at 0:00 on the 1st day of each month, several decryption keys may be randomly selected from the decryption key file library and updated into the currently used key file. The key version information and key file digest information can be updated at the same time. Meanwhile, several new decryption keys can be randomly selected using the current time as the random number seed and added to the decryption key file library. Updating the decryption algorithm and the decryption key further improves the security of the system and the difficulty of cracking it.
The authority authentication method for network video access provided by this embodiment of the invention can authenticate the authority information sent by the video client 200: it determines the corresponding decryption algorithm and decryption key through the preset rule, decrypts the authority information, and determines that the authority authentication is successful when the decrypted authority information meets the preset condition. During authority authentication the user does not need to register an account in advance with the video client 200, which improves the user experience. Meanwhile, the right information can only be decrypted by using the correct decryption algorithm and decryption key together, so the risk of it being captured, analyzed and decrypted in the communication process is avoided. Moreover, the decryption algorithm and the decryption key are independent of each other, so even if one of them is cracked, the security of the system is still ensured by the other protection strategy.
Second embodiment
The above authentication method for network video access is applied to the video server 100; correspondingly, the video client 200 also needs to encrypt the authority information. This embodiment of the invention therefore further provides a permission encryption method, applied to the video client 200, as shown in fig. 4; the method includes the following steps.
Step S201, determining at least one encryption algorithm and at least one encryption key corresponding to the authority information according to a preset rule.
As described above, when the video client 200 sends a video service request to the video server 100, the right information corresponding to the video client 200 may be sent to the video server 100, and the transmitted rights information is encrypted.
In detail, the video client 200 is configured with a plurality of encryption algorithms and a plurality of encryption keys, the preset rule includes at least one of time information and communication interaction information, and the encryption step shown in fig. 5 specifically includes the following sub-steps.
Substep S211: determining an encryption algorithm according to at least one of the time information and the communication interaction information, where the time information is a time value determined by the video server 100 according to the current time information.
Just as the video server 100 determines the decryption algorithm according to the time information and the communication interaction information, the video client 200 correspondingly determines the encryption algorithm according to the time information and the communication interaction information.
When determining the encryption method according to the time information, the video client 200 may take the seconds value of the current time modulo 3 and select AES-128 as the encryption algorithm if the result is 0, AES-192 if the result is 1, and AES-256 if the result is 2. Of course, other operations on the time information may be used to determine which algorithm to select as the encryption algorithm.
When the encryption algorithm is determined using the communication interaction information, the communication interaction information may be any information related to the communication between the video server 100 and the video client 200. It may include the initial permission information sent by the video server 100 to the video client 200 before permission authentication, the connection handshake information exchanged with the video server 100 after the video client 200 is started, detection or data information sent between the video client 200 and the video server 100, and the like, and may also include program code such as an executable program.
When the encryption algorithm is determined from the information contained in the initial rights information, the video server 100 may send the initial rights information (A_auth) to the video client 200 in advance, where A_auth may contain the following:
i. time information acquired by the video server 100;
ii. a logical circular-shift flag for the authority information, i.e. the authority information is circularly shifted left or right before being encrypted;
iii. a mathematical addition/subtraction flag for the authority information, i.e. a certain number is added to or subtracted from the authority information before it is encrypted;
iv. version and other data information.
The video client 200 may determine the encryption algorithm according to the instructions indicated in the initial permission information.
In addition, the video client 200 may also establish in advance a correspondence between the communication interaction information and the encryption algorithm, so that the encryption algorithm can be determined from the communication interaction information once it is known. For example, the encryption algorithm may be determined according to preset fixed data contained in the communication interaction information: if the value of that fixed data is 0, AES-128 is the encryption algorithm; if it is 1, AES-192 is the encryption algorithm; if it is 2, AES-256 is the encryption algorithm.
In addition, the communication interaction information may further include an executable program containing the encryption algorithm. In this case, when the encryption algorithm is determined, an interpreter corresponding to the executable program may be called to execute at least a part of it, and the executed program serves as part or all of the encryption algorithm. The executable program may be statements in a scripting language such as Python, Lua or Perl; the video server 100 may call the interpreter corresponding to the scripting language to execute the statements in the executable program, obtain the statement information corresponding to the executable program, and use that statement information as at least a part of the encryption algorithm.
For example, the statement information obtained after execution may be: splice the authority information with the preset initial authority information and then perform a circular exclusive-or operation with the encryption key; the action of this statement information is then taken as the action of the encryption algorithm. Alternatively, the data of the statement itself, obtained after execution, may serve as the encryption algorithm, in which case the statement as a whole is used as the encryption method.
The corresponding encryption algorithm can be determined by the above methods. It can be understood that, when the video server 100 configures the encryption algorithm and the encryption key in advance, a replacement period D may be configured for the encryption key, and encryption coefficients C1 and C2 may be preset; the encryption coefficients are preset parameters used in the related encryption operations.
Substep S212: determining a key index number corresponding to the encryption key according to at least one of the time information and the communication interaction information, and selecting the encryption key corresponding to that key index number from the plurality of encryption keys.
Encryption of the rights information requires not only an encryption algorithm but also an encryption key. Because the number of encryption keys is large, each encryption key can be configured with a corresponding key index number in advance, and the corresponding encryption key can then be found from its key index number. The key length differs between encryption algorithms, so when the key file is fixed at 65536 bytes the number of keys contained in the file differs with the algorithm: for example, with AES-128 as the encryption algorithm the number of keys is 4096, with AES-192 it is 2730, and with AES-256 it may be 2048. The encryption key may be configured with encryption key characteristic data including at least one of the number of encryption keys, the encryption algorithm coefficients, and the encryption key module version information.
When the time information is used to determine the key index number of the encryption key, the time information can be combined with the key characteristic data to calculate the key index number. For example, the key index number may be calculated by a preset formula from the number of seconds of the current time relative to 1970-01-01. The preset formula may be: (((T/D) ^ C1) + C2) % S, where T is the number of seconds since 1970-01-01, D is the key module version information of the current version, which may be the preset replacement period of the key, C1 and C2 are the preset coefficients, and S is the number of keys. Once the time information is determined, the encryption algorithm and the encryption key are uniquely determined.
When the encryption key is determined using the communication interaction information, the data field of the communication interaction information can directly contain the key index number of the encryption key, and the corresponding encryption key is determined from the key index number in that data field.
In addition, the key index number can be obtained by an operation on the data in the communication interaction information and the encryption key characteristic data. For example, if the data in the communication interaction information is X, the key index number of the encryption key can be calculated with the formula (((X/D) ^ C1) + C2) % S.
Different encryption keys use different primitive polynomials and initial values to generate pseudo-random sequences, and a key index number can be obtained by combining the data in the communication interaction information with the pseudo-random sequence generated from the primitive polynomial and initial value of the key module; for example, a Gold sequence algorithm is used to combine the pseudo-random sequences generated from the primitive polynomials and initial values, and the data in the communication interaction information designates an element of the pseudo-random sequence as the key index number.
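The following Go example, added here and not part of the patent, shows the pseudo-random-sequence variant just described: two m-sequences generated from a preferred pair of primitive polynomials (x^5+x^2+1 and x^5+x^4+x^3+x^2+1, a standard pair for length-31 Gold codes) are combined into a Gold sequence, and a value X from the communication interaction information designates a window of that sequence whose value, reduced modulo the key count S, becomes the key index number. The seeds, the window width and the reduction modulo S are assumptions.

```go
package main

import "fmt"

// mSequence returns one period (2^n-1 bits) of the sequence defined by the
// recurrence s[t+n] = XOR of s[t+j] for every exponent j in taps, i.e. by the
// polynomial x^n + sum(x^j). With a primitive polynomial and a non-zero seed
// (bit i of seed is s[i]) the period is exactly 2^n-1 (an m-sequence).
func mSequence(n uint, taps []uint, seed uint32) []uint8 {
	period := (1 << n) - 1
	state := make([]uint8, n)
	for i := uint(0); i < n; i++ {
		state[i] = uint8(seed>>i) & 1
	}
	seq := make([]uint8, period)
	for t := 0; t < period; t++ {
		seq[t] = state[0]
		var fb uint8
		for _, j := range taps {
			fb ^= state[j]
		}
		state = append(state[1:], fb) // shift out the oldest bit, feed back the new one
	}
	return seq
}

// isMaximal verifies the m-sequence property a key module's polynomial must
// satisfy: every n-bit cyclic window occurs exactly once and none is zero.
func isMaximal(seq []uint8, n uint) bool {
	period := (1 << n) - 1
	if len(seq) != period {
		return false
	}
	seen := make(map[uint32]bool, period)
	for t := 0; t < period; t++ {
		var w uint32
		for k := 0; k < int(n); k++ {
			w = w<<1 | uint32(seq[(t+k)%period])
		}
		if w == 0 || seen[w] {
			return false
		}
		seen[w] = true
	}
	return true
}

// goldSequence XORs two m-sequences of equal length (from a preferred pair of
// primitive polynomials), one of them cyclically shifted.
func goldSequence(a, b []uint8, shift int) []uint8 {
	g := make([]uint8, len(a))
	for t := range a {
		g[t] = a[t] ^ b[(t+shift)%len(b)]
	}
	return g
}

// keyIndexFromGold lets the value x from the communication interaction
// information designate an element of the sequence: starting at position
// x mod period, width consecutive bits are read as an integer and reduced
// modulo the key count S. The window width is an assumption.
func keyIndexFromGold(g []uint8, x uint32, width uint, S uint32) uint32 {
	start := int(x % uint32(len(g)))
	var v uint32
	for k := 0; k < int(width); k++ {
		v = v<<1 | uint32(g[(start+k)%len(g)])
	}
	return v % S
}

func main() {
	// Preferred pair for length-31 Gold codes: x^5+x^2+1 and x^5+x^4+x^3+x^2+1.
	a := mSequence(5, []uint{0, 2}, 1)
	b := mSequence(5, []uint{0, 2, 3, 4}, 1)
	g := goldSequence(a, b, 0)
	fmt.Println("maximal-length:", isMaximal(a, 5), isMaximal(b, 5))
	fmt.Println("key index for X=12345, S=4096:", keyIndexFromGold(g, 12345, 12, 4096))
}
```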
In another alternative embodiment, the encryption method and the encryption key may also be determined according to a flag carried by the key file corresponding to the encryption key; for example, an encryption algorithm operation flag is set in the key file header of the encryption key, and the corresponding encryption algorithm and encryption key are determined according to that flag.
In another specific embodiment, the encryption key may also be at least one data file, a disguised digital carrier file, or a digital media file; in that case a conventional key interface, a disguised reading interface, a digital watermark extraction interface, or a digital steganographic content extraction interface needs to be called to read the at least one data file, the disguised digital carrier file, or the digital media file and obtain the content of the encryption key.
The encryption key used for encryption may be a file stored in the video client 200, or may be obtained from update information or a data message sent by the video server 100; alternatively, the video server 100 adds the encryption key, using a digital watermarking or digital steganography algorithm, to an advertisement picture, advertisement video or audio played before the key video, and the video client 200 extracts the encryption key from the advertisement with the same digital watermarking or steganography algorithm while playing the advertisement content. For details, reference may be made to the above process of determining the decryption key through the conventional key interface, the disguised reading interface, the digital watermark extraction interface, or the digital steganography content extraction interface, which is not repeated here.
In the above encryption key determination process, the encryption key may be stored in a separate file and obtained from that file by the above determination method. In another embodiment, the encryption key may also be stored in multiple files, in which case the complete content of the encryption key can only be obtained if all related files are read together.
The determined encryption key may itself also be encrypted. The video client 200 may read, from the configuration file of the encryption key, the flag indicating whether the encryption key is stored in the clear; if the encryption key is in ciphertext form, the encryption key file that was read must be decrypted using the key in the configuration file to obtain the decrypted encryption key.
Step S202, the authority information is encrypted at least once by using the at least one encryption algorithm and the at least one encryption key, and the encrypted authority information is obtained.
Step S203, sending the encrypted authority information to the video server 100.
After the corresponding encryption algorithm and encryption key have been determined by the above method, the authority information can be encrypted with the encryption key according to the operation mode of the encryption algorithm. The encrypted authority information is transmitted to the video server 100, and the video server 100 decrypts it and continues with the authority authentication.
The video client 200 may generate a digest of the key file; compose the client code, the client terminal version information, the key file digest information and the acquired current time information of the video server 100 into the authority information; perform the operation specified by the encryption method in the previously obtained initial authority information A_auth; splice the authority information with A_auth; encrypt the spliced information using the determined encryption method to generate the ciphertext information B_auth; add the plaintext encryption key file version information to B_auth to generate the encrypted authority information C_auth; and then add C_auth to the HTTP request for video playing and send the encrypted authority information C_auth to the video server 100. The digest of the encryption key file may be 16 bytes consisting of bits 1024-1027, 1666-1669, 10000-10003 and 28128-28131 of the key file; of course, other byte information is also possible.
In another specific embodiment, the method for encrypting the authority may further include updating the encryption algorithm and the encryption key according to a preset update rule.
In this embodiment, the encryption algorithm and the encryption key of the video client 200 may be updated by directly updating the application program of the video client 200, or the video server 100 sends the update information or data message of the encryption/decryption module 103 to the video client 200 to update the encryption algorithm and the encryption key.
The key file is updated by the key module update information or data message sent by the server side, and the version information in the configuration file is updated. In an alternative embodiment, the updated key file may be placed, using digital steganography, in the image, audio or video of the client startup screen: when the client is started, it adds its current client key version information to the connection handshake information sent to the server; if a new key version exists, the server adds the new key file into the client startup screen using digital steganography and sends it to the client, and the client updates its key while displaying the startup screen.
According to the permission encryption method provided by this embodiment of the invention, the video client 200 encrypts the permission information with the encryption algorithm and the encryption key, so that the permission information sent to the video server 100 is encrypted; even if it is intercepted in transit, it is difficult to decrypt, and the safety of the video service is improved. The encryption algorithm and the encryption key are independent of each other, so even if one of the two is cracked, the security of the system is still ensured by the encryption strategy of the other. During encryption the user does not need to enter an account name, a password or other identity information, so information leakage is avoided and the safety of the video service is further improved. At the same time, the user does not need to go through an account registration step, which improves the user experience.
Third embodiment
The embodiment of the present invention further provides a right authentication device 10, applied to a video server 100; as shown in fig. 6, the right authentication device 10 includes an information obtaining module 101, a decryption algorithm and key determining module 102, a decryption module 103, and an authentication module 104.
The information obtaining module 101 is configured to receive the encrypted permission information sent by a video client 200;
the decryption algorithm and key determining module 102 is configured to determine, according to a preset rule, at least one decryption algorithm and at least one decryption key corresponding to the encrypted permission information;
the decryption module 103 is configured to decrypt the encrypted permission information at least once using the at least one decryption algorithm and the at least one decryption key to obtain the decrypted permission information; and
the authentication module 104 determines whether the decrypted permission information meets a preset condition, and if so, the video server 100 passes the permission verification of the video client 200 and provides the video service to the video client 200 according to the operation of the video client 200.
In detail, the video server 100 includes a plurality of decryption algorithms and a plurality of decryption keys, and the preset rule includes at least one of time information and communication interaction information; the method by which the decryption algorithm and key determination module 102 determines at least one decryption algorithm and at least one decryption key corresponding to the encrypted right information according to the preset rule includes:
determining a decryption algorithm according to at least one of the time information and the communication interaction information, where the time information is a time value determined by the video server 100 according to the current time information; and
determining a key index number corresponding to the decryption key according to at least one of the time information and the communication interaction information, and selecting the decryption key corresponding to that key index number from the plurality of decryption keys. In detail, reference may be made to the description of step S121 and step S122.
Further, the method by which the decryption algorithm and key determination module 102 determines the key index number corresponding to the decryption key according to at least one of the time information and the communication interaction information includes:
generating the key index number by an operation on at least one of the time information and the communication interaction information combined with the decryption key characteristic data, where the decryption key characteristic data includes at least one of the number of decryption keys, the decryption coefficients and the decryption key module version information.
Further, different decryption keys use different primitive polynomials and initial values to generate pseudo-random sequences, and the method by which the decryption algorithm and key determination module 102 determines the key index number corresponding to the decryption key according to at least one of the time information and the communication interaction information includes:
selecting data in the pseudo-random sequence as the key index number of the decryption key according to the time information; or
selecting data in the pseudo-random sequence as the key index number of the decryption key according to the data field in the communication interaction information. In detail, reference may be made to the description of the above method embodiments.
Further, the communication interaction information includes an executable program containing the decryption algorithm, and the method by which the decryption algorithm and key determination module 102 determines the corresponding decryption algorithm according to the communication interaction information includes:
calling an interpreter corresponding to the executable program to execute at least a part of the executable program, obtaining the statement information corresponding to the executable program, and using that statement information as at least a part of the decryption algorithm. In detail, reference may be made to the description of the above method embodiments.
Further, the decrypted permission information includes at least one of a client code of the video client 200, client version information, digest information of the encryption key, and time information of the video server 100 sent back by the video client 200, and the preset condition includes:
the client code conforms to the preset system specification;
the client version information of the video client 200 is consistent with the terminal version corresponding to the encryption key file in use;
the digest information of the encryption key is consistent with the digest information of the decryption key file of the video server 100; and
the difference between the time information of the video server 100 sent back by the video client 200 and the current time of the video server 100 is within a preset time length. In detail, reference may be made to the description of step S104 in the above method embodiment.
Further, the right authentication apparatus further includes a decryption key updating module, configured to update the decryption algorithm and the decryption key according to a preset update rule.
Further, the video client 200 sends the requested video data and the encrypted permission information to the video server 100, and the authentication module 104 is further configured to:
judge whether the video data requested by the video client 200 is a preset key video and, if so, call a standby decryption key to perform standby decryption on the encrypted permission information to obtain standby-decrypted permission information; and
perform a secondary decryption on the standby-decrypted permission information.
Further, the decryption key is at least one data file, a disguised digital carrier file, or a digital media file, and after the decryption module 103 determines at least one decryption algorithm and at least one decryption key corresponding to the encrypted right information according to the preset rule, it is further configured to:
call a conventional key interface, a disguised reading interface, a digital watermark extraction interface or a digital steganographic content extraction interface to read the at least one data file, the disguised digital carrier file or the digital media file and obtain the content of the decryption key.
Fourth embodiment
An embodiment of the present invention further provides an authority encryption apparatus 20, which is applied to a video client 200, as shown in fig. 7, where the authority encryption apparatus 20 includes: an encryption algorithm and key determination module 201, an encryption module 202 and a transmission module 203.
The encryption algorithm and key determination module 201 is configured to determine at least one encryption algorithm and at least one encryption key corresponding to the authority information according to a preset rule. In detail, refer to the description of step S201 above.
The encryption module 202 is configured to encrypt the permission information at least once by using the at least one encryption algorithm and the at least one encryption key to obtain encrypted permission information. In detail, refer to the description of step S202 above.
The transmission module 203 is configured to send the encrypted permission information to the video server 100. In detail, refer to the description of step S203 above.
Further, the video client 200 is configured with a plurality of encryption algorithms and a plurality of encryption keys, the preset rule includes at least one of time information and communication interaction information, wherein the method for the encryption algorithm and key determination module 201 to determine at least one encryption algorithm and at least one encryption key corresponding to the authority information according to the preset rule includes:
determining an encryption algorithm according to at least one of the time information and the communication interaction information, wherein the time information is a time value determined by the video server 100 according to the current time information;
determining a key index number corresponding to the encryption key according to at least one of the time information and the communication interaction information, and determining the encryption key corresponding to the key index number from the plurality of encryption keys according to the key index number.
Further, the method for determining the key index number corresponding to the encryption key by the encryption algorithm and key determination module 201 according to at least one of the time information and the communication interaction information includes:
generating the key index number by an operation that combines at least one of the time information and the communication interaction information with encryption key characteristic data, where the encryption key characteristic data includes at least one of the following parameters: the number of encryption keys, the encryption algorithm coefficient, and the version information of the encryption key module.
Further, different encryption keys generate pseudo-random sequences using different primitive polynomials and initial values, and the step of determining the key index number corresponding to the encryption key according to at least one of the time information or the communication interaction information includes:
selecting data in the pseudo-random sequence as the key index number of the encryption key according to the time information; or
selecting data in the pseudo-random sequence as the key index number of the encryption key according to a data field in the communication interaction information.
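The key index derivation described above (and restated for the server side in claims 1 and 2 and for the client side in claims 8 and 9) as an added worked example; this is not code from the patent. The pseudo-random sequence is generated in GF(2)[x] modulo a primitive polynomial from a non-zero initial value, the selector comes either from the server-determined time value combined with the key characteristic data or from a data field of the communication interaction information, and the selected element is mapped onto the key file's index range. The polynomial, initial value, coefficient, version, replacement period and the exact combining formula are assumptions; the patent only states which quantities are combined.

```python
# Added illustration of the key index number derivation; not code from the
# patent. Parameter values below are assumptions for the demonstration.
from typing import List

POLY = 0x11D      # x^8 + x^4 + x^3 + x^2 + 1, a primitive polynomial over GF(2)
SEED = 0x01       # initial value of the pseudo-random sequence
N_KEYS = 10       # number of encryption keys in the key file
COEFF = 3         # encryption algorithm coefficient (C1 in the embodiment)
VERSION = 2       # version number of the encryption key module
PERIOD_D = 3600   # key replacement period D in seconds; the server quantises time by it


def gf2_sequence(poly: int, seed: int, width: int = 8) -> List[int]:
    """Return the cycle seed, seed*x, seed*x^2, ... computed in GF(2)[x]/(poly).

    Multiplication by x is a shift-left followed by reduction with `poly`
    whenever the degree-`width` bit is set. Because `poly` has a non-zero
    constant term the map is a permutation of the non-zero states, so the
    walk always returns to `seed`, which closes the cycle.
    """
    if seed == 0 or seed >> width:
        raise ValueError("seed must be a non-zero value of at most `width` bits")
    if (poly >> width) != 1 or not poly & 1:
        raise ValueError("poly must have degree `width` and constant term 1")
    states = []
    state = seed
    while True:
        states.append(state)
        state <<= 1
        if state >> width:
            state ^= poly
        if state == seed:
            return states


def is_primitive(poly: int, width: int = 8) -> bool:
    """A degree-`width` polynomial is primitive exactly when x generates every
    one of the 2^width - 1 non-zero elements, i.e. the cycle from 1 is maximal.
    Check this before putting a polynomial into a key file: a non-primitive
    choice silently shortens the sequence (0x11B, the AES polynomial, gives 51)."""
    return len(gf2_sequence(poly, 1, width)) == (1 << width) - 1


def time_selector(server_time: int, coeff: int = COEFF, version: int = VERSION,
                  period: int = PERIOD_D) -> int:
    """Selector from the server-determined time value combined with the key
    characteristic data. The combining formula is an assumption; the patent
    only states that time information and these parameters are combined."""
    return (server_time // period) * coeff + version


def field_selector(field: bytes) -> int:
    """Selector taken from a data field of the communication interaction
    information instead of from time information."""
    return int.from_bytes(field, "big")


def key_index(selector: int, poly: int = POLY, seed: int = SEED,
              n_keys: int = N_KEYS) -> int:
    """Select one element of the pseudo-random sequence with `selector` and map
    it onto the index range of the key file. A client and a server that share
    (poly, seed, n_keys) and the same selector obtain the same index."""
    seq = gf2_sequence(poly, seed)
    return seq[selector % len(seq)] % n_keys


if __name__ == "__main__":
    t = 2 * PERIOD_D + 17                      # constructed server time value
    print("primitive:", is_primitive(POLY),
          "client index:", key_index(time_selector(t)),
          "server index:", key_index(time_selector(t)))
```

Quantising the time value to the replacement period D keeps both sides on the same index for the whole period, which is why the time value is determined by the server rather than read from the client's clock; the time-window condition of the preset rule then catches a client whose echoed time value has drifted into a different period.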
Further, the communication interaction information includes an executable program including the encryption algorithm, and the method for determining the corresponding encryption algorithm by the encryption algorithm and key determination module 201 according to the communication interaction information includes:
calling an interpreter corresponding to the executable program to execute at least one part of the executable program, obtaining statement information corresponding to the executable program, and using the statement information as at least one part of the encryption algorithm.
Further, the authority encryption apparatus 20 further includes an encryption key updating module, configured to update the encryption algorithm and the encryption key according to a preset updating rule.
Further, the encryption key is at least one data file, a disguised digital carrier file, or a digital media file, and after the encryption algorithm and key determining module 201 determines at least one encryption algorithm and at least one encryption key corresponding to the authority information according to a preset rule, the encryption algorithm and key determining module is further configured to:
calling a conventional key interface, a disguised reading interface, a digital watermark extraction interface or a digital steganography content extraction interface to read the at least one data file, the disguised digital carrier file or the digital media file to obtain the content of the encryption key.
Fifth embodiment
The embodiment of the present invention further provides an authority authentication system, as shown in fig. 1, including a video server 100 and a video client 200, where the video client 200 includes:
an encryption algorithm and key determining module 201, configured to determine at least one encryption algorithm and at least one encryption key corresponding to the authority information according to a preset rule;
the encryption module 202 is configured to encrypt the permission information at least once by using the at least one encryption algorithm and the at least one encryption key to obtain encrypted permission information; and
the transmission module 203 is configured to send the encrypted permission information to the video server 100;
the video server 100 includes:
an information obtaining module 101, configured to receive encrypted permission information sent by a video client 200;
a decryption algorithm and key determining module 102, configured to determine, according to a preset rule, at least one decryption algorithm and at least one decryption key corresponding to the encrypted permission information;
the decryption module 103 is configured to decrypt the encrypted permission information at least once by using the at least one decryption algorithm and the at least one decryption key to obtain decrypted permission information; and
the authentication module 104 is configured to determine whether the decrypted permission information meets a preset condition, and if so, the video server 100 passes the permission verification of the video client 200 so as to provide the video service for the video client 200 according to the operation of the video client 200.
The decryption module 103 of the video server 100 may include a dynamic link library file, a configuration file, and a script file in this embodiment.
The dynamic link library file may contain the decryption algorithm, and may also implement the digital watermark adding and extraction algorithms, the digital steganography algorithm and the key generation method; under RHEL 7.0 it takes the form of a .so file;
the configuration file may contain, for different versions of different platforms, the client encryption and decryption parameters, i.e., the encryption and decryption coefficients C1 and C2 and the rekeying period D of the current version. It also contains version information and digest information for each key file, to facilitate fast indexing of the key files, and records whether each key file is stored in plaintext or ciphertext form; if a key file is stored in ciphertext form, it also contains the 128-bit key for the corresponding decryption algorithm. In this embodiment the configuration file is an XML file.
The script file may be stored in the form of a Python script file in this embodiment, and provides the following functions:
determining the type and version of the client and the encryption and decryption methods it adopts;
preprocessing the authority information sent by the client: identifying the ciphertext part of the authority information, and verifying the client's authority information after the dynamic link library file has decrypted it;
a key updating function, which reads keys from the spare key file according to a preset rule to update the latest-version key of each terminal in the current key file;
notifying the client to update its key according to the information sent by the client, converting the key from plaintext into ciphertext or digital steganography form by calling the dynamic link library, and sending the new key file to the client;
and an auxiliary key generation function, which calls the dynamic link library to generate a group of new keys after each key update is completed and adds the new keys to the spare key file.
The decryption algorithm and key determination module 102 of the video server 100 is stored in the form of data files or configuration files under RHEL 7.0. Since a plurality of client terminals are supported and each version or terminal uses a different key file, there are a plurality of different key files. In this embodiment the key files are stored as XML files, one XML file per terminal; each XML file contains the encryption key of the current version of that client terminal together with the primitive polynomial and initial value used by the current encryption key, and different encryption keys use different primitive polynomials and initial values.
In addition, the decryption algorithm and key determination module 102 further includes a spare key file, which contains backup keys for updating the current keys and keys for key video playing. The number of backup keys may be ten or more times the number of current terminal types. For a key video playing request, besides the conventional encryption of the authority information, secondary encryption is also required, and the key for the secondary encryption is transmitted to the client before playing; when a key video is created, the system randomly distributes a secondary encryption key for it.
The video client 200 may be an application program running on an Android, iOS, Windows or Linux operating system, or a program or component running in a browser. The different platforms all call the encryption module 202 and use the encryption key file by the same mechanism; they differ only in the encryption and decryption methods, parameters and key modules adopted for each operating platform.
The encryption module 202 may include encryption functional components as well as configuration files.
The encryption function component is combined with the network video client 200 during system compilation in this embodiment, and includes implementation of an encryption algorithm, implementation of a digital watermark adding and extracting algorithm, implementation of a digital steganography algorithm, and a disguised reading interface of a key file.
The configuration file may record the stored form of the encryption key file, i.e., a data file or a digital carrier file disguised as a digital media file that carries the key; the encryption and decryption coefficients C1 and C2 corresponding to the terminal version and the key replacement period D of the current version; and, optionally, the version information of the key file. It also records whether the encryption key file is stored in plaintext or ciphertext form and, if the encryption key is stored in AES-encrypted form, the 128-bit key corresponding to the AES algorithm. In this embodiment the configuration file is an XML file.
The embodiment of the invention provides an authority authentication system in which the video client 200 encrypts the authority information and the video server 100 decrypts the encrypted authority information, so that the risk of the authority information being analyzed and cracked through packet capturing is avoided. The encryption algorithm, the encryption key, the decryption algorithm and the decryption key are mutually independent, so that if any one of them is cracked, the security of the system can still be ensured by the other protection strategies. No steps such as user account registration are needed in the authority authentication process, which improves the user experience.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (25)

1. A method for authenticating authority of network video access is applied to a video server, and is characterized in that the video server comprises a plurality of decryption algorithms and a plurality of decryption keys, a preset rule comprises at least one of time information and communication interaction information, and the method comprises the following steps:
receiving encrypted permission information sent by a video client;
determining a decryption algorithm according to at least one of the time information and the communication interaction information, wherein the time information is a time value determined by the video server according to the current time information;
determining a key index number corresponding to the decryption key according to at least one of the time information or the communication interaction information, and determining a decryption key corresponding to the key index number from the plurality of decryption keys according to the key index number;
decrypting the encrypted permission information at least once by using the at least one decryption algorithm and the at least one decryption key to obtain decrypted permission information;
judging whether the decrypted permission information meets a preset condition, and if so, verifying the permission of the video client at the video server side to provide video service for the video client side according to the operation of the video client side;
wherein, the step of determining the key index number corresponding to the decryption key according to at least one of the time information or the communication interaction information comprises:
generating the key index number corresponding to the decryption key by combining decryption key characteristic data operation according to at least one of the time information and the communication interaction information, wherein the decryption key characteristic data comprises at least one parameter of the number of the decryption keys, a decryption coefficient and version information of a decryption key module.
2. The method of claim 1, wherein different decryption keys generate pseudo-random sequences using different primitive polynomials and initial values, and the step of determining the key index corresponding to the decryption key according to at least one of the time information and the communication interaction information further comprises:
selecting data in the pseudo-random sequence as a key index number of the decryption key according to the time information; or
selecting the data in the pseudo-random sequence as the key index number of the decryption key according to the data field in the communication interaction information.
3. The method of claim 1, wherein the communication interaction information includes an executable program containing the decryption algorithm, and the step of determining the corresponding decryption algorithm according to the communication interaction information includes:
calling an interpreter corresponding to the executable program to execute at least one part of the executable program, obtaining statement information corresponding to the executable program, and taking the statement information as at least one part of the decryption algorithm.
4. The method for authenticating right of network video access according to claim 1, wherein the decrypted right information includes at least one of a client code of the video client, client version information, digest information of an encryption key, and time information of a video server sent by the video client, and the preset condition includes:
the client code conforms to the preset system regulation;
the client version information of the video client is consistent with the terminal version corresponding to the used encryption key file;
the digest information of the encryption key is consistent with the digest information of the decryption key file of the video server; and
the time information of the video server sent by the video client and the current time of the video server are within a preset time length.
5. The method for authenticating right of network video access according to claim 1, further comprising:
the video server updates the decryption algorithm and the decryption key according to a preset updating rule.
6. The method for authenticating authority of accessing network video according to claim 1, wherein the video client sends the requested video data and the encrypted authority information to the video server; the method further comprises the following steps:
judging whether the video data requested by the video client is a preset key video, if so, calling a standby decryption key to perform standby decryption on the encrypted permission information to obtain standby decrypted permission information;
carrying out secondary decryption on the standby-decrypted authority information.
7. The method for authenticating authority of accessing network video according to claim 1, wherein the decryption key is at least one data file, a disguised digital carrier file or a digital media file, and after the step of determining at least one decryption algorithm and at least one decryption key corresponding to the encrypted authority information according to a preset rule, the method further comprises:
calling a conventional key interface, a disguised reading interface, a digital watermark extraction interface or a digital steganography content extraction interface to read the at least one data file, the disguised digital carrier file or the digital media file to obtain the content of the decryption key.
8. An authority encryption method is applied to a video client, and is characterized in that the video client is configured with a plurality of encryption algorithms and a plurality of encryption keys, a preset rule comprises at least one of time information and communication interaction information, and the method comprises the following steps:
determining an encryption algorithm according to at least one of the time information and the communication interaction information, wherein the time information is a time value determined by the video server according to the current time information;
determining a key index number corresponding to the encryption key according to at least one of the time information and the communication interaction information, and determining an encryption key corresponding to the key index number from the plurality of encryption keys according to the key index number;
encrypting the authority information at least once by using at least one encryption algorithm and at least one encryption key to obtain encrypted authority information;
sending the encrypted authority information to a video server;
wherein, the step of determining the key index number corresponding to the encryption key according to at least one of the time information and the communication interaction information comprises:
generating the key index number corresponding to the encryption key by combining encryption key characteristic data operation according to at least one of the time information and the communication interaction information, wherein the encryption key characteristic data comprises at least one parameter of the number of encryption keys, an encryption algorithm coefficient and encryption key module version information.
9. The privilege encryption method according to claim 8, wherein different encryption keys generate pseudo-random sequences using different primitive polynomials and initial values, and the step of determining the key index numbers corresponding to the encryption keys according to at least one of the time information or the communication interaction information comprises:
selecting data in the pseudo-random sequence as a key index number of the encryption key according to the time information; or
selecting the data in the pseudo-random sequence as the key index number of the encryption key according to the data field in the communication interaction information.
10. The rights encryption method of claim 8, wherein the communication interaction information includes an executable program containing the encryption algorithm, and the step of determining the corresponding encryption algorithm based on the communication interaction information includes:
calling an interpreter corresponding to the executable program to execute at least one part of the executable program, obtaining statement information corresponding to the executable program, and using the statement information as at least one part of the encryption algorithm.
11. The rights encryption method as recited in claim 8, further comprising:
updating the encryption algorithm and the encryption key according to a preset updating rule.
12. The rights encryption method of claim 8, wherein the encryption key is at least one data file, a disguised digital carrier file or a digital media file, and after the step of determining at least one encryption algorithm and at least one encryption key corresponding to the rights information according to a preset rule, the method further comprises:
calling a conventional key interface, a disguised reading interface, a digital watermark extraction interface or a digital steganography content extraction interface to read the at least one data file, the disguised digital carrier file or the digital media file to obtain the content of the encryption key.
13. An authority authentication apparatus for network video access, applied to a video server, characterized in that the video server includes a plurality of decryption algorithms and a plurality of decryption keys, a preset rule includes at least one of time information and communication interaction information, and the authority authentication apparatus includes:
the information acquisition module is used for receiving encrypted permission information sent by the video client;
the decryption algorithm and key determining module is used for determining a decryption algorithm according to at least one of the time information and the communication interaction information, wherein the time information is a time value determined by the video server according to the current time information;
the decryption algorithm and key determining module is further configured to determine a key index number corresponding to the decryption key according to at least one of the time information or the communication interaction information, and determine a decryption key corresponding to the key index number from the plurality of decryption keys according to the key index number; wherein, the determining the key index number corresponding to the decryption key according to at least one of the time information or the communication interaction information by the decryption algorithm and key determining module comprises: generating the key index number by combining decryption key characteristic data operation according to at least one of the time information and the communication interaction information, wherein the decryption key characteristic data comprises at least one parameter of decryption key number, decryption coefficient and decryption key module version information;
the decryption module is used for decrypting the encrypted authority information at least once by using at least one decryption algorithm and at least one decryption key to obtain decrypted authority information;
and the authentication module is used for judging whether the decrypted authority information meets the preset condition or not, and if so, the video server passes the authority verification of the video client so as to provide video service for the video client according to the operation of the video client.
14. The apparatus for right authentication of claim 13, wherein different decryption keys generate pseudo-random sequences using different primitive polynomials and initial values, and the method for determining the key index number corresponding to the decryption key according to at least one of the time information and the communication interaction information by the decryption algorithm and key determination module comprises:
selecting data in the pseudo-random sequence as a key index number of the decryption key according to the time information; or
selecting the data in the pseudo-random sequence as the key index number of the decryption key according to the data field in the communication interaction information.
15. The apparatus for right authentication of claim 13, wherein the communication interaction information comprises an executable program containing the decryption algorithm, and the method for determining the corresponding decryption algorithm by the decryption algorithm and key determination module according to the communication interaction information comprises:
calling an interpreter corresponding to the executable program to execute at least one part of the executable program, obtaining statement information corresponding to the executable program, and taking the statement information as at least one part of the decryption algorithm.
16. The apparatus for right authentication of claim 13, wherein the decrypted right information comprises at least one of a client code of the video client, client version information, digest information of an encryption key, and time information of a video server sent by the video client, and the preset condition comprises:
the client code conforms to the preset system regulation;
the client version information of the video client is consistent with the terminal version corresponding to the used encryption key file;
the digest information of the encryption key is consistent with the digest information of the decryption key file of the video server; and
the time information of the video server sent by the video client and the current time of the video server are within a preset time length.
17. The rights authentication apparatus as claimed in claim 13, further comprising:
a decryption key updating module, configured to update the decryption algorithm and the decryption key according to a preset updating rule.
18. The apparatus for authenticating right according to claim 13, wherein the video client transmits the requested video data together with the encrypted right information to the video server; the authentication module is further configured to:
judging whether the video data requested by the video client is a preset key video, if so, calling a standby decryption key to perform standby decryption on the encrypted permission information to obtain standby decrypted permission information;
carrying out secondary decryption on the standby-decrypted authority information.
19. The apparatus for right authentication of claim 13, wherein the decryption key is at least one data file, a disguised digital carrier file or a digital media file, and the decryption module, after determining the at least one decryption algorithm and the at least one decryption key corresponding to the encrypted right information according to a preset rule, is further configured to:
calling a conventional key interface, a disguised reading interface, a digital watermark extraction interface or a digital steganography content extraction interface to read the at least one data file, the disguised digital carrier file or the digital media file to obtain the content of the decryption key.
20. An authority encryption device applied to a video client, wherein the video client is configured with a plurality of encryption algorithms and a plurality of encryption keys, a preset rule includes at least one of time information and communication interaction information, and the authority encryption device includes:
the encryption algorithm and key determining module is used for determining an encryption algorithm according to at least one of the time information and the communication interaction information, wherein the time information is a time value determined by the video server according to the current time information;
the encryption algorithm and key determining module is further configured to determine a key index number corresponding to the encryption key according to at least one of the time information and the communication interaction information, and determine an encryption key corresponding to the key index number from the plurality of encryption keys according to the key index number; the method for determining the key index number corresponding to the encryption key by the encryption algorithm and key determination module according to at least one of the time information and the communication interaction information comprises the following steps:
generating the key index number by combining encryption key characteristic data operation according to at least one of the time information and the communication interaction information, wherein the encryption key characteristic data comprises at least one parameter of the number of encryption keys, an encryption algorithm coefficient and encryption key module version information;
the encryption module is used for encrypting the authority information at least once by using at least one encryption algorithm and at least one encryption key to obtain the encrypted authority information;
and the transmission module is used for transmitting the encrypted authority information to a video server.
21. The apparatus for right encryption according to claim 20, wherein different encryption keys generate pseudo-random sequences using different primitive polynomials and initial values, and the step of determining the key index numbers corresponding to the encryption keys according to at least one of the time information or the communication interaction information comprises:
selecting data in the pseudo-random sequence as a key index number of the encryption key according to the time information; or
selecting the data in the pseudo-random sequence as the key index number of the encryption key according to a data field in the communication interaction information.
22. The rights encryption device of claim 20, wherein the communication interaction information comprises an executable program containing the encryption algorithm, and the method for determining the corresponding encryption algorithm by the encryption algorithm and key determination module according to the communication interaction information comprises:
calling an interpreter corresponding to the executable program to execute at least one part of the executable program, obtaining statement information corresponding to the executable program, and using the statement information as at least one part of the encryption algorithm.
23. The rights encryption device as claimed in claim 20, further comprising:
an encryption key updating module, configured to update the encryption algorithm and the encryption key according to a preset updating rule.
24. The rights encryption device of claim 20, wherein the encryption key is at least one data file, a disguised digital carrier file or a digital media file, and after the encryption algorithm and key determination module determines the at least one encryption algorithm and the at least one encryption key corresponding to the rights information according to a preset rule, the encryption algorithm and key determination module is further configured to:
calling a conventional key interface, a disguised reading interface, a digital watermark extraction interface or a digital steganography content extraction interface to read the at least one data file, the disguised digital carrier file or the digital media file, so as to obtain the content of the encryption key.
25. An authority authentication system, comprising a video server and a video client, wherein the video client comprises:
the encryption algorithm and key determining module is used for determining an encryption algorithm according to at least one of time information and communication interaction information, wherein the time information is a time value determined by the video server according to current time information;
the encryption algorithm and key determining module is further used for determining a key index number corresponding to the encryption key according to at least one of the time information and the communication interaction information, and determining the encryption key corresponding to the key index number from the plurality of encryption keys according to the key index number; the method for determining the key index number corresponding to the encryption key by the encryption algorithm and key determination module according to at least one of the time information and the communication interaction information comprises the following steps:
generating the key index number by an operation that combines at least one of the time information and the communication interaction information with encryption key characteristic data, wherein the encryption key characteristic data comprises at least one parameter of the number of encryption keys, an encryption algorithm coefficient and encryption key module version information;
the encryption module is used for encrypting the authority information at least once by using at least one encryption algorithm and at least one encryption key to obtain the encrypted authority information; and
the transmission module is used for sending the encrypted authority information to a video server;
the video server includes:
the information acquisition module is used for receiving encrypted permission information sent by the video client;
the decryption algorithm and key determining module is used for determining a decryption algorithm according to at least one of the time information and the communication interaction information, wherein the time information is a time value determined by the video server according to the current time information;
the decryption algorithm and key determining module is further configured to determine a key index number corresponding to the decryption key according to at least one of the time information or the communication interaction information, and to determine the decryption key corresponding to the key index number from the plurality of decryption keys according to the key index number; wherein the determining of the key index number corresponding to the decryption key by the decryption algorithm and key determining module according to at least one of the time information or the communication interaction information comprises: generating the key index number by an operation that combines at least one of the time information and the communication interaction information with decryption key characteristic data, wherein the decryption key characteristic data comprises at least one parameter of the number of decryption keys, a decryption coefficient and decryption key module version information;
the decryption module is used for decrypting the encrypted authority information at least once by using at least one decryption algorithm and at least one decryption key to obtain decrypted authority information; and
the authentication module is used for judging whether the decrypted authority information meets the preset condition or not, and if so, the video server passes the authority verification of the video client so as to provide video service for the video client according to the operation of the video client.
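As an added example (not code from the patent or its assignee), the following Python sketch walks the claim 25 round trip with the claim 21 index derivation: a pseudo-random sequence from a primitive polynomial, a word of it chosen by the server-issued time value and folded with the key characteristic data (number of keys, coefficient, version) to index a shared key pool, then encrypt-then-MAC of the rights information on the client and the mirrored derivation, MAC check and preset-condition check on the server. The key pool, the HMAC-SHA256 counter-mode keystream standing in for the unspecified cipher, and the preset condition (channel match plus expiry) are all assumptions made for the example.

```python
import hashlib, hmac, json, os

# Constructed, hypothetical key pool shared by client and server (provisioning is out of scope).
KEY_POOL = [hashlib.sha256(b"constructed-demo-key-%d" % i).digest() for i in range(8)]
KEY_CHARS = {"num_keys": len(KEY_POOL), "coefficient": 7, "version": 3}
TAPS, SEED = (16, 14, 13, 11), 0xACE1  # primitive polynomial x^16+x^14+x^13+x^11+1, nonzero seed

def lfsr_words(taps, state, count, width=16):
    """Fibonacci LFSR over GF(2): emit `count` words of `width` output bits each."""
    mask, out = (1 << width) - 1, []
    for _ in range(count):
        word = 0
        for _ in range(width):
            bit = 0
            for t in taps:
                bit ^= (state >> (t - 1)) & 1
            state = ((state << 1) | bit) & mask
            word = (word << 1) | bit
        out.append(word)
    return out

def key_index(time_value):
    """Pick a sequence word by the server-issued time value, then fold in the key characteristic data."""
    word = lfsr_words(TAPS, SEED, (time_value % 256) + 1)[-1]
    return (word * KEY_CHARS["coefficient"] + KEY_CHARS["version"]) % KEY_CHARS["num_keys"]

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a PRF keystream; a stdlib stand-in for the unspecified cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt_rights(rights, time_value, nonce=None):
    """Client side: select the indexed key, then encrypt-then-MAC the rights information."""
    key = KEY_POOL[key_index(time_value)]
    nonce = nonce or os.urandom(12)
    pt = json.dumps(rights, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def verify_rights(blob, time_value, required_channel):
    """Server side: derive the same index, check the MAC, then apply the preset condition."""
    key = KEY_POOL[key_index(time_value)]
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return False  # wrong key (index mismatch) or tampered blob
    rights = json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))
    return rights.get("channel") == required_channel and rights.get("expires", 0) > time_value
```

Because both sides derive the index from the same time value and characteristic data, a client that uses a stale time value selects a different key and fails the MAC check before any rights field is inspected.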
CN201711107690.0A 2017-11-10 2017-11-10 Authority authentication method, encryption method, device and system for network video access Active CN107809436B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711107690.0A CN107809436B (en) 2017-11-10 2017-11-10 Authority authentication method, encryption method, device and system for network video access

Publications (2)

Publication Number Publication Date
CN107809436A CN107809436A (en) 2018-03-16
CN107809436B true CN107809436B (en) 2020-04-21

Family

ID=61583514

Country Status (1)

Country Link
CN (1) CN107809436B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022194545A1 (en) * 2021-03-18 2022-09-22 International Business Machines Corporation Managing search queries using encrypted cache data

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109067799A (en) * 2018-09-28 2018-12-21 歌尔科技有限公司 Data transmission method, system and equipment
CN111050213B (en) * 2020-01-17 2022-08-26 北京达佳互联信息技术有限公司 Video playing method and device, electronic equipment and storage medium
CN111510745B (en) * 2020-03-27 2021-01-19 曹新 Internet video data encryption transmission method
CN111683081B (en) * 2020-06-04 2022-10-18 北京百度网讯科技有限公司 Method and device for secure transmission of data
CN111988639B (en) * 2020-06-16 2022-10-21 北卡科技有限公司 Video encryption and decryption method based on cryptographic algorithm and reversible steganography
CN112804214A (en) * 2020-12-31 2021-05-14 四川瑞霆电力科技有限公司 Perception layer data secure access method and system based on intelligent Internet of things
CN112733173B (en) * 2021-01-18 2024-09-27 北京灵汐科技有限公司 Image processing, key generation, training method and device, and computer readable medium
CN113132365A (en) * 2021-04-07 2021-07-16 武汉光庭信息技术股份有限公司 Communication security protection method and system of vehicle-mounted T-Box
CN114915495B (en) * 2022-07-05 2022-11-01 浙江华东工程数字技术有限公司 Message encryption and decryption method supporting multi-algorithm switching

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0424302A2 (en) * 1989-10-20 1991-04-24 International Business Machines Corporation Method for controlling the multi-frame transmission on token ring networks
CN101325483A (en) * 2008-07-28 2008-12-17 中国电信股份有限公司 Method and apparatus for updating symmetrical cryptographic key, symmetrical ciphering method and symmetrical deciphering method
CN106097214A (en) * 2016-06-06 2016-11-09 立德高科(昆山)数码科技有限责任公司 First-aid dressing approaches to IM based on Quick Response Code
CN106993201A (en) * 2017-03-17 2017-07-28 武汉斗鱼网络科技有限公司 The authorization check method and device of video playback
CN107104969A (en) * 2017-04-27 2017-08-29 山西大学 The method that the individual privacy information in express delivery is protected with dynamic encryption mechanism

Also Published As

Publication number Publication date
CN107809436A (en) 2018-03-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant