CN110300289A - Video security management system and method - Google Patents


Info

Publication number: CN110300289A
Authority: CN (China)
Prior art keywords: key, management, equipment, video, user equipment
Legal status: Granted (active)
Application number: CN201910700311.1A
Other languages: Chinese (zh)
Other versions: CN110300289B (en)
Inventors: 王伟, 卢林隆, 王萍, 马骥骅
Current assignee: BEIJING ZHONGAN GUOTONG TECHNOLOGY Co Ltd
Original assignee: BEIJING ZHONGAN GUOTONG TECHNOLOGY Co Ltd
Application filed by BEIJING ZHONGAN GUOTONG TECHNOLOGY Co Ltd; priority to CN201910700311.1A; published as CN110300289A; application granted and published as CN110300289B


Classifications

All entries fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04N PICTORIAL COMMUNICATION, e.g. TELEVISION; the first three additionally under H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD] > H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; operations thereof > H04N21/25 Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies.

    • H04N21/2541 Rights management (under H04N21/254 Management at additional data server, e.g. shopping server, rights management server)
    • H04N21/25816 Management of client data involving client authentication (under H04N21/258 Client or end-user data management, e.g. managing client capabilities, user preferences or demographics, processing of multiple end-users' preferences to derive collaborative data; H04N21/25808 Management of client data)
    • H04N21/26613 Channel or content management for generating or managing keys in general (under H04N21/266 Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel)
    • H04N5/913 Television signal processing for scrambling; for copy protection (under H04N5/00 Details of television systems > H04N5/76 Television signal recording > H04N5/91 Television signal processing therefor)
    • H04N7/18 Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast (under H04N7/00 Television systems)

Abstract

Embodiments of the present invention provide a video security management system and method. The system comprises a key management platform, a video security controller and terminal authentication equipment. The key management platform performs management authentication of the currently connected management equipment and user equipment based on a management key and, after authentication succeeds, imports into the currently connected user equipment the initialization key corresponding to the video security controller, according to a matching-relationship table of user equipment and video security controllers. The video security controller performs a first mutual authentication with the user equipment based on the initialization key and, after that first mutual authentication succeeds, receives the application authorization key stored in the user equipment, which is then used for subsequent mutual authentication between the user equipment and the video security controller. This improves the security of video data control, realizes planned and systematic comprehensive security control of video data, and thereby facilitates social management and credible evidence collection.

Description

Video security management system and method
Technical field
Embodiments of the present invention relate to the technical field of video security, and in particular to a video security management system and method.
Background art
Video monitoring is an important component of security and protection systems. In recent years, with the spread of video surveillance technology, more and more areas have installed video monitoring systems in order to record the situation in the area as video data for relevant personnel (public security officers or owners) to inspect; leakage or damage of this video data would cause huge losses.
In the prior art, control of video data is handled by the video acquisition end itself, or managed only through the setting of a simple username and password.
However, the above schemes provide low security, cannot achieve planned and systematic comprehensive security supervision of video data, and are not convenient for social management and credible evidence collection; therefore the need for video security protection is very urgent.
Summary of the invention
Embodiments of the present invention provide a video security management system and method to improve the effectiveness of video security protection, achieve planned and systematic comprehensive security supervision of video data, and facilitate social management and credible evidence collection.
In a first aspect, an embodiment of the present invention provides a video security management system comprising:
a key management platform, a video security controller and terminal authentication equipment; wherein the terminal authentication equipment includes management equipment and user equipment;
the key management platform, configured to perform management authentication of the currently connected management equipment and user equipment based on a management key and, after management authentication succeeds, to import the initialization key corresponding to the video security controller into the currently connected user equipment according to a matching-relationship table of user equipment and video security controllers;
the video security controller, configured to perform a first mutual authentication with the user equipment based on the initialization key and, after the first mutual authentication succeeds, to receive the application authorization key stored in the user equipment, the application authorization key being used for subsequent mutual authentication between the user equipment and the video security controller.
In one possible design, the key management platform is further configured to generate an application authorization root key in the production phase and to distribute the application authorization root key to the management equipment;
the key management platform is further configured, after management authentication of the currently connected management equipment and user equipment succeeds, to write into the user equipment the application authorization key obtained by diversifying (dispersing) the application authorization root key stored in the management equipment;
the management equipment is configured, in the application phase, to perform mutual authentication with the video security controller based on the locally stored application authorization root key, so that the video security controller executes the control operation after mutual authentication passes.
In one possible design, the key management platform is further configured to generate a write-authentication root key and a write-authentication sub-key in the production phase, to distribute the write-authentication root key to the management equipment, and to distribute the write-authentication sub-key to the user equipment corresponding to that management equipment;
the key management platform is further configured, after management authentication of the currently connected management equipment and user equipment succeeds, to perform write authentication between the user equipment and the management equipment based on the write-authentication sub-key stored in the user equipment and the write-authentication root key stored in the management equipment; and, after write authentication succeeds, to write address information and/or video authorization information into the user equipment, so that the user equipment, after completing mutual authentication with the video security controller, performs control operations of the corresponding authority according to the video authorization information.
In one possible design, the video security controller stores multiple initialization keys; the key management platform is specifically configured, in the deployment phase, to perform management authentication of the currently connected management equipment and user equipment based on the management key and, after management authentication succeeds, to select one initialization key from the multiple initialization keys corresponding to the video security controller and to import that initialization key together with its corresponding serial number into the user equipment currently connected to the key management platform.
In one possible design, the management key includes a management root key stored in the management equipment and a management sub-key stored in the user equipment;
the key management platform is further configured to generate the management root key based on a hierarchical policy and to write the management root key into the management equipment of the corresponding level;
the key management platform is further configured to diversify the management root key corresponding to each management equipment to obtain a management sub-key, and to write the management sub-key into the user equipment corresponding to that management equipment;
the key management platform is specifically configured to perform management authentication of the user equipment and the management equipment based on the management sub-key and the management root key.
In one possible design, the key management platform is further configured to generate a communication authentication root key;
the key management platform is further configured, in the production phase, to diversify the communication authentication root key with the equipment serial number of the management equipment to obtain a communication authentication sub-key and to distribute the communication authentication sub-key to the management equipment, so that in the deployment phase a session key is negotiated with the management equipment based on the communication authentication root key and the communication authentication sub-key; the session key is used to encrypt the interaction data between the management equipment and the key management platform; the equipment serial number of the management equipment is a unique identifier assigned to the management equipment in the production phase.
In one possible design, the system further includes a video capture device;
the video capture device is configured to acquire video data and to send the video data to the video security controller;
the video security controller is further configured to receive the video data sent by the video capture device and to encrypt and store it based on the locally stored application authorization key;
the video security controller is further configured, after mutual authentication with the user equipment passes, to decrypt the video data that needs to be played or exported based on the locally stored application authorization key.
In one possible design, the key management platform includes an encryption machine; the encryption machine is configured to generate the initialization key and the application authorization root key.
In a second aspect, an embodiment of the present invention provides a video security management method, applicable to the video security management system of any design of the first aspect, the method comprising:
the key management platform performing management authentication of the currently connected management equipment and user equipment based on the management key and, after management authentication succeeds, importing the initialization key corresponding to the video security controller into the currently connected user equipment according to the matching-relationship table of user equipment and video security controllers;
the video security controller performing a first mutual authentication with the user equipment based on the initialization key and, after the first mutual authentication succeeds, receiving the application authorization key stored in the user equipment, the application authorization key being used for subsequent mutual authentication between the user equipment and the video security controller.
In one possible design, the key management platform generates an application authorization root key in the production phase and distributes the application authorization root key to the management equipment;
after management authentication of the currently connected management equipment and user equipment succeeds, the key management platform writes into the user equipment the application authorization key obtained by diversifying the application authorization root key stored in the management equipment;
in the application phase, the management equipment performs mutual authentication with the video security controller based on the locally stored application authorization root key, so that the video security controller executes the control operation after mutual authentication passes.
In one possible design, the key management platform generates a write-authentication root key and a write-authentication sub-key in the production phase, distributes the write-authentication root key to the management equipment, and distributes the write-authentication sub-key to the user equipment corresponding to that management equipment;
after management authentication of the currently connected management equipment and user equipment succeeds, the key management platform performs write authentication between the user equipment and the management equipment based on the write-authentication sub-key stored in the user equipment and the write-authentication root key stored in the management equipment; and, after write authentication succeeds, writes address information and/or video authorization information into the user equipment, so that the user equipment, after completing mutual authentication with the video security controller, performs control operations of the corresponding authority according to the video authorization information.
In one possible design, the video security controller stores multiple initialization keys; in the deployment phase, the key management platform performs management authentication of the currently connected management equipment and user equipment based on the management key and, after management authentication succeeds, selects one initialization key from the multiple initialization keys corresponding to the video security controller and imports that initialization key together with its corresponding serial number into the user equipment currently connected to the key management platform.
In one possible design, the management key includes a management root key stored in the management equipment and a management sub-key stored in the user equipment;
the key management platform generates the management root key based on a hierarchical policy and writes the management root key into the management equipment of the corresponding level;
the key management platform diversifies the management root key corresponding to each management equipment to obtain a management sub-key, and writes the management sub-key into the user equipment corresponding to that management equipment;
the key management platform performs management authentication of the user equipment and the management equipment based on the management sub-key and the management root key.
In one possible design, the key management platform generates a communication authentication root key;
in the production phase, the key management platform diversifies the communication authentication root key with the equipment serial number of the management equipment to obtain a communication authentication sub-key and distributes the communication authentication sub-key to the management equipment, so that in the deployment phase a session key is negotiated with the management equipment based on the communication authentication root key and the communication authentication sub-key; the session key is used to encrypt the interaction data between the management equipment and the key management platform; the equipment serial number of the management equipment is a unique identifier assigned to the management equipment in the production phase.
In one possible design, the system further includes a video capture device;
the video capture device acquires video data and sends the video data to the video security controller;
the video security controller receives the video data sent by the video capture device and encrypts and stores it based on the locally stored application authorization key;
after mutual authentication with the user equipment passes, the video security controller decrypts the video data that needs to be played or exported based on the locally stored application authorization key.
In one possible design, the key management platform includes an encryption machine; the encryption machine generates the initialization key and the application authorization root key.
In the video security management system and method provided in this embodiment, the key management platform performs management authentication of the currently connected management equipment and user equipment based on the management key, which establishes the managing/managed authority relationship between management equipment and user equipment and realizes security control of video by restricting the authority to manipulate it. In addition, the key management platform imports the initialization key corresponding to the video security controller into the currently connected user equipment according to the matching-relationship table of user equipment and video security controllers; the video security controller performs a first mutual authentication with the user equipment based on that initialization key and, after it succeeds, receives the application authorization key stored in the user equipment, which is used for subsequent mutual authentication between the user equipment and the video security controller. Using two kinds of key authentication, the initialization key and the application authorization key, makes it convenient to deploy the control relationship between user equipment and management equipment, and through the application authorization key the management equipment can control the equipment controlled by the user equipment, thereby improving the effectiveness of video security protection, achieving planned and systematic comprehensive security supervision of video data, and facilitating social management and credible evidence collection.
Description of the drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative labor.
Fig. 1 is a schematic structural diagram of a video security management system provided by an embodiment of the invention;
Fig. 2 is an application schematic diagram of the video security controller of a video security management system provided by another embodiment of the invention;
Fig. 3 is a schematic flow diagram of a video security management method provided by another embodiment of the invention;
Fig. 4 is an interaction flow diagram of the first mutual authentication of a video security management method provided by another embodiment of the invention;
Fig. 5 is an interaction flow diagram of the subsequent mutual authentication of a video security management method provided by another embodiment of the invention;
Fig. 6 is an interaction flow diagram of session key negotiation in a video security management method provided by another embodiment of the invention;
Fig. 7 is an interaction flow diagram of the video security controller production phase of a video security management method provided by another embodiment of the invention;
Fig. 8 is an interaction flow diagram of the deployment phase of a video security management method provided by another embodiment of the invention;
Fig. 9 is an interaction flow diagram of the deployment phase of a video security management method provided by another embodiment of the invention;
Fig. 10 is an interaction flow diagram of the user equipment obtaining authorization in the application phase of a video security management method provided by another embodiment of the invention;
Fig. 11 is an interaction flow diagram of the management equipment obtaining authorization in the application phase of a video security management method provided by another embodiment of the invention.
Detailed description of the embodiments
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on these embodiments without creative effort fall within the protection scope of the present invention.
Hard disk video recorders currently on the market are high-tech products that combine computer technology, network technology and digital video technology with conventional video and security technology; they have a certain technical content, are the successor products of DVD and cassette recorders, and are applied in various monitoring environments such as remote power monitoring, bank security monitoring, intelligent buildings and home security monitoring. The basic function of a hard disk video recorder is to convert analog audio and video signals into MPEG digital signals stored on a hard disk (HDD), and to provide the corresponding recording, playback and management programs. In recent years, with the spread of video surveillance technology, more cases of monitoring video being leaked without permission have occurred, so the need for video security protection is very urgent. For this technical problem, specific embodiments of the video security management system and method provided by embodiments of the present invention are described in detail below.
Fig. 1 is a schematic structural diagram of a video security management system provided by an embodiment of the invention. As shown in Fig. 1, the system includes:
a key management platform 10, a video security controller 20 and terminal authentication equipment 30; wherein the terminal authentication equipment 30 includes management equipment and user equipment.
The key management platform 10 is configured to perform management authentication of the currently connected management equipment and user equipment based on a management key and, after management authentication succeeds, to import the initialization key corresponding to the video security controller 20 into the currently connected user equipment according to a matching-relationship table of user equipment and video security controllers 20.
The video security controller 20 is configured to perform a first mutual authentication with the user equipment based on the initialization key and, after the first mutual authentication succeeds, to receive the application authorization key stored in the user equipment, the application authorization key being used for subsequent mutual authentication between the user equipment and the video security controller 20.
Optionally, the terminal authentication equipment 30 may be any terminal with storage capability and data transmission capability, such as a flash disk. Correspondingly, the video security controller 20 and the key management platform 10 may be provided with an interface for connecting user equipment and management equipment, for example a USB interface. Optionally, to further improve security, in practical applications the user equipment is usually used by a merchant and can be matched with only one video security controller 20, while the management equipment is used by a public security or security control department to complete authentication with, and obtain authorization information for, the video security controllers 20 corresponding to the user equipment it manages.
Optionally, the key management platform 10 includes an encryption machine; the encryption machine is configured to generate the initialization key and the application authorization root key.
Working process of the video security management system: a video security controller 20 can be arranged in each ordinary user's (merchant's) premises and connected to the video acquisition device of those premises; the video security controller 20 stores the video data acquired by the video acquisition device, and an initialization key is built into it in the production phase. The managing/managed relationship between user equipment and management equipment is preset in the production phase (optionally, a management sub-key is obtained by diversifying the management root key, the management root key is distributed to the management equipment and the management sub-key to the user equipment, so that the user equipment and the management equipment are bound in the managing/managed relationship through the management root key and the management sub-key); that is, the management equipment can manage the video data in the video security controllers 20 controlled by all the user equipment it manages.
In the deployment phase, the user equipment and the management equipment are connected to the key management platform 10 simultaneously and management authentication is performed. After management authentication succeeds, the key management platform 10 imports the initialization key built into the video security controller 20 into the user equipment, and also imports into the user equipment the application authorization key obtained by diversifying the application authorization root key stored in the corresponding management equipment, so that the user equipment can subsequently complete initial authentication with the video security controller 20 based on that initialization key (optionally, after initial authentication is complete, the video security controller 20 may also perform control operations of the corresponding authority according to the authorization information assigned to the user equipment in the deployment phase; the authorization information states which operations the user equipment may perform on the video data).
After initial authentication succeeds, the user equipment imports the application authorization key into the connected video security controller 20. In the application phase, the user equipment may be held by an ordinary user and the management equipment by the managing user (who may be law enforcement officials at various levels, such as officials of a provincial or municipal public security department). When a user needs to perform an operation such as playback, copying or destruction on the video data stored in the video security controller 20, the user equipment held by the user is connected to that video security controller 20 and mutual authentication is performed (optionally based on the application authorization key deployed in the user equipment and the application authorization key imported from the user equipment after the user equipment and the video security controller 20 completed initial authentication in the deployment phase); if mutual authentication passes, the video security controller 20 performs the playback, copy or destruction operation on the video data stored in it. In addition, the management equipment to which the user equipment is subordinate can also manage, through the application authorization root key, the video data in the video security controllers 20 controlled by that user equipment. The stages described above are divisions made for better understanding of this scheme and do not limit the technical solution of the application.
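The two-phase authentication that the system aspect, the method aspect and the working process above all describe (a first mutual authentication with the initialization key selected by serial number, after which the controller takes over the application authorization key and uses it for every later mutual authentication, gating operations on the stored video by the authorization information) is shown below as an added example. It is not the patent's own code or the applicant's chip firmware: it assumes each mutual authentication is a pair of HMAC-SHA256 challenge-responses (the patent does not specify the authentication messages), models the authorization information as a set of permitted operation names, and constructs all keys and serial numbers for the demo; the SM1 modules of the chip design are not modelled.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, *parts: bytes) -> bytes:
    """Assumed challenge-response primitive: HMAC-SHA256 over the joined parts."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class UserDevice:
    """Flash-disk style token holding what the key management platform imported into it
    in the deployment phase (constructed values, not real key material)."""

    def __init__(self, init_key: bytes, init_serial: int, app_auth_key: bytes, authorization: set):
        self._keys = {"init": init_key, "app": app_auth_key}
        self.init_serial = init_serial            # serial number of the chosen initialization key
        self.authorization = authorization        # video authorization info, e.g. {"playback", "copy"}
        self._pending = None                      # counter-challenge awaiting the controller's answer

    def respond(self, phase: str, challenge: bytes):
        """Answer the controller's challenge with the key of this phase and issue a counter-challenge."""
        self._pending = secrets.token_bytes(16)
        return mac(self._keys[phase], b"device", challenge), self._pending

    def verify(self, phase: str, response: bytes) -> bool:
        """Check the controller's answer to the counter-challenge (the 'mutual' half)."""
        ok = hmac.compare_digest(response, mac(self._keys[phase], b"controller", self._pending))
        self._pending = None
        return ok

    def export_app_auth_key(self) -> bytes:
        return self._keys["app"]


class VideoSecurityController:
    def __init__(self, n_init_keys: int = 4):
        # Production phase: several built-in initialization keys, identified by serial number.
        self._init_keys = [secrets.token_bytes(32) for _ in range(n_init_keys)]
        self._app_auth_key = None                 # received from the user equipment after first auth
        self.log = []

    def initialization_keys(self):
        """What the key management platform sees in the deployment phase (serial, key) pairs."""
        return list(enumerate(self._init_keys))

    def _mutual_auth(self, key: bytes, phase: str, device: UserDevice) -> bool:
        challenge = secrets.token_bytes(16)
        answer, counter = device.respond(phase, challenge)
        if not hmac.compare_digest(answer, mac(key, b"device", challenge)):
            self.log.append(f"{phase}: device failed the controller's challenge")
            return False
        if not device.verify(phase, mac(key, b"controller", counter)):
            self.log.append(f"{phase}: controller failed the device's challenge")
            return False
        return True

    def first_authenticate(self, device: UserDevice) -> bool:
        """First mutual authentication with the initialization key the platform imported."""
        if not 0 <= device.init_serial < len(self._init_keys):
            self.log.append("unknown initialization key serial number")
            return False
        if not self._mutual_auth(self._init_keys[device.init_serial], "init", device):
            return False
        self._app_auth_key = device.export_app_auth_key()   # store the application authorization key
        self.log.append("first mutual authentication succeeded; application authorization key stored")
        return True

    def request(self, device: UserDevice, operation: str) -> bool:
        """Subsequent access: mutual authentication with the application authorization key, after
        which the operation is allowed only if the device's video authorization covers it."""
        if self._app_auth_key is None:
            self.log.append("no application authorization key yet: first authentication required")
            return False
        if not self._mutual_auth(self._app_auth_key, "app", device):
            return False
        allowed = operation in device.authorization
        self.log.append(f"{operation}: {'allowed' if allowed else 'denied by video authorization'}")
        return allowed
```

Two failure modes are worth exercising: a request made before the first authentication has taken place must be refused because the controller holds no application authorization key yet, and a token carrying the right initialization-key serial number but the wrong key material must fail the first mutual authentication without the controller storing anything from it. Both are checked in the assertions that accompany this example.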
Optionally, the video security controller 20 may be implemented by software code, or by a medium storing the relevant executable code, for example a cloud disk; alternatively, the video security controller 20 may be a physical device that integrates or is equipped with the relevant executable code, for example a chip.
As an embodiment, the video security controller 20 may be designed as a chip entity that implements the key pairing, identity authentication, encryption and decryption functions. In practical application, as long as the chip is added to an existing digital video recorder (DVR) or network video recorder (NVR) device, video security control can be performed in that device. Optionally, referring to Fig. 2, which is an application diagram of the video security controller of the video security management system provided by another embodiment of the invention, the chip (video security controller 20) may include a microcontroller unit (MCU) 21, an encryption module 22 and a decryption module 23, where the encryption module 22 and the decryption module 23 are each connected to the microprocessor.
Optionally, the encryption module 22 and the decryption module 23 are each connected to the microprocessor by a bus; many kinds of bus may be used, for example a serial peripheral interface bus, i.e. an SPI bus.
In practical application, the encryption module 22 may be an SM1 encryption chip and the decryption module 23 an SM1 decryption chip (SM1 being a Chinese national commercial cryptographic algorithm).
Optionally, to ensure that the USB resources of the NVR/DVR mainboard are sufficient (an NVR/DVR mainboard generally provides two USB 2.0 interfaces), a USB host and a USB hub 24 are provided on the chip, so as to guarantee the number of USB interfaces available to the video security controller 20 under extreme usage modes; for example, when copying video, a mobile hard disk, a user equipment or management equipment, and a mouse each need to be connected through a separate USB interface.
Optionally, the MCU may be an embedded microprocessor such as an ARM Cortex-M3 or Cortex-M4; the MCU is responsible for key authentication and for the storage of critical data. Through the USB hub, the NVR communicates separately with the encryption chip, the decryption chip and the MCU, which handle the encryption, decryption and key authentication functions respectively.
Specifically, for video encryption, the NVR sends an encryption request command over USB and uses the SM1 encryption chip to encrypt the video data; the returned encrypted video data is combined with the originally cached video data and output to the file stream.
For obtaining authorization, when reviewing or copying video, the NVR sends an authorization request command to the MCU in the chip; the MCU judges, according to the plugged-in terminal authentication equipment 30 (referred to in this embodiment as a KEY; terminal authentication equipment that is user equipment is referred to as a user KEY), whether to grant authorization, and returns the result to the NVR.
For video decryption, after authorization has been granted, the NVR sends a decryption request command to the decryption chip in the chip and uses the SM1 decryption chip to decrypt the video data; the returned decrypted video data is combined with the original video data and output to the video cache.
For saving the application key, the NVR sends a key import command to the MCU in the chip; the MCU imports the application key from the inserted user KEY, saves it into the internal FLASH, writes the device identifier (UID) of the user KEY, and returns import success.
For obtaining the application key, the NVR sends a key request command to the MCU in the chip; the chip judges by the UID of the NVR whether it is the bound NVR and returns the result. For system initialization, when the NVR is initialized it sends an initialization command to the MCU in the chip and transmits the UID of the NVR to the chip; the chip writes the UID into its internal FLASH, which serves as the basis for judging in future whether an NVR is the bound one.
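The NVR command sequence described above (initialization, key import, key request and authorization request) modelled in Python as an added example; this is not the patent's firmware. The error codes, the refusal to re-bind an initialized chip, and the check of the plugged-in KEY against the UID and key saved at import time are assumptions, and all UIDs and keys are constructed.

```python
"""Command handling of the security chip (MCU 21 with internal FLASH) inside an NVR, as an added
model; not the patent's firmware. Assumptions: the NVR's USB commands are method calls, FLASH is
a dict, the MCU binds to the first NVR UID it is initialized with and refuses later re-binding,
and authorization requires the plugged-in KEY to match the UID and key saved at import time.
All UIDs and keys below are constructed sample values."""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UserKey:
    """Terminal authentication equipment 30 (a user KEY): its device UID and the application key it carries."""
    uid: bytes
    app_key: bytes


class SecurityChip:
    """State kept by the MCU across the init, key-import, key-request and authorization commands."""

    def __init__(self) -> None:
        self.flash: dict = {}   # persistent storage: "nvr_uid", "app_key", "user_uid"

    def _is_bound_nvr(self, nvr_uid: bytes) -> bool:
        """Every later command is judged against the NVR UID written at initialization."""
        bound = self.flash.get("nvr_uid")
        return bound is not None and hmac.compare_digest(bound, nvr_uid)

    def cmd_initialize(self, nvr_uid: bytes) -> str:
        """Initialization command: record the NVR UID as the future binding reference."""
        if "nvr_uid" in self.flash:
            return "ERR_ALREADY_BOUND"   # assumption: a bound chip cannot be re-bound in the field
        self.flash["nvr_uid"] = nvr_uid
        return "OK"

    def cmd_import_key(self, nvr_uid: bytes, plugged: Optional[UserKey]) -> str:
        """Key import command: copy the application key from the inserted user KEY into FLASH."""
        if not self._is_bound_nvr(nvr_uid):
            return "ERR_NOT_BOUND_NVR"
        if plugged is None:
            return "ERR_NO_KEY_PLUGGED"
        self.flash["app_key"] = plugged.app_key
        self.flash["user_uid"] = plugged.uid   # remembered so later authorizations can check the KEY
        return "OK"

    def cmd_request_key(self, nvr_uid: bytes) -> Optional[bytes]:
        """Key request command: only the bound NVR may read the stored application key."""
        if not self._is_bound_nvr(nvr_uid):
            return None
        return self.flash.get("app_key")

    def cmd_request_authorization(self, nvr_uid: bytes, plugged: Optional[UserKey]) -> bool:
        """Authorization command (playback/copy): judge the plugged-in KEY against the imported one."""
        if not self._is_bound_nvr(nvr_uid) or plugged is None or "app_key" not in self.flash:
            return False
        return (hmac.compare_digest(plugged.uid, self.flash["user_uid"])
                and hmac.compare_digest(plugged.app_key, self.flash["app_key"]))


def nvr_walkthrough() -> dict:
    """Constructed sequence of NVR commands against a fresh chip."""
    chip = SecurityChip()
    nvr, other_nvr = b"NVR-UID-0001", b"NVR-UID-0002"
    key = UserKey(b"KEY-UID-A", b"\x11" * 16)
    stranger = UserKey(b"KEY-UID-B", b"\x22" * 16)
    return {
        "import_before_init": chip.cmd_import_key(nvr, key),             # "ERR_NOT_BOUND_NVR"
        "init": chip.cmd_initialize(nvr),                                 # "OK"
        "reinit": chip.cmd_initialize(other_nvr),                         # "ERR_ALREADY_BOUND"
        "import": chip.cmd_import_key(nvr, key),                          # "OK"
        "key_from_other_nvr": chip.cmd_request_key(other_nvr),            # None
        "key_from_bound_nvr": chip.cmd_request_key(nvr),                  # b"\x11" * 16
        "auth_right_key": chip.cmd_request_authorization(nvr, key),       # True
        "auth_wrong_key": chip.cmd_request_authorization(nvr, stranger),  # False
    }
```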
In the video security management system provided in this embodiment, the relationship of managing and being managed is controlled by the management authentication between the user equipment and the management equipment; after the first two-way authentication between the video security controller 20 and the user equipment succeeds, the application authorization key held by the user equipment is imported, subsequent two-way authentication is carried out based on the application authorization key, and the response operation is executed after the two-way authentication succeeds. Under this multiple authentication the security of video data control is improved, planned and systematic comprehensive security control of video data is realized, and social management and credible evidence collection are facilitated.
On the basis of the above embodiments, the video security management system provided by another embodiment of the invention describes the source of the application authorization key in detail. In this embodiment, the key management platform 10 is also used to generate an application authorization root key in the production phase and to distribute the application authorization root key to the management equipment.
The key management platform 10 is also used, after the management authentication of the currently connected management equipment and user equipment succeeds, to write into the user equipment the application authorization key obtained by dispersing the application authorization root key stored in the management equipment.
The management equipment is used, in the application stage, to perform two-way authentication with the video security controller 20 based on the locally stored application authorization root key, so that the video security controller 20 executes the control operation after the two-way authentication passes.
In the video security management system provided in this embodiment, the key management platform 10 disperses the application authorization root key stored locally in the management equipment to obtain the application authorization key and sends the application authorization key to the user equipment. The user equipment can thus, after completing the first two-way authentication with the video security controller 20, perform the subsequent two-way authentication with the video security controller 20 based on the application authorization key. Owing to the management relationship between the application authorization root key and the application authorization key, the relationship of managing and being managed is realized between the management equipment holding the application authorization root key and the user equipment holding the corresponding application authorization key, so that the management equipment can carry out security control over the video data in the video security controllers 20 corresponding to its subordinate user equipment. Reasonable permission distribution is thereby realized, the security of video data control is improved, planned and systematic comprehensive security supervision of video data is realized, and social management and credible evidence collection are facilitated.
In practical application, the operation permissions that the management equipment may execute also need to be set. There are many ways to set operation permissions; for example, write authentication may be performed based on a write authentication key, and permission write operations on the user equipment or management equipment may be performed according to the write authentication result. On the basis of the above embodiments, the video security management system provided by another embodiment of the invention describes the write authentication based on the write authentication key in detail. In this embodiment, the key management platform 10 is also used to generate a write authentication root key and a write authentication sub-key in the production phase, to distribute the write authentication root key to the management equipment, and to distribute the write authentication sub-key to the user equipment corresponding to the management equipment.
The key management platform 10 is also used, after the management authentication of the currently connected management equipment and user equipment succeeds, to perform write authentication between the user equipment and the management equipment based on the write authentication sub-key stored in the user equipment and the write authentication root key stored in the management equipment; and, after write authentication succeeds, to write address information and/or video authorization information into the user equipment, so that after the user equipment completes two-way authentication with the video security controller 20 it executes the control operation of the corresponding permission according to the video authorization information.
In practical application, in the deployment phase the user equipment and the management equipment can be connected to the key management platform 10. Optionally, the key management platform 10 may be a deployment computer, the user equipment may be a user flash disk, and the management equipment may be a management flash disk. After the user flash disk and the management flash disk are connected to the deployment computer at the same time, write authentication is performed based on the write authentication sub-key in the user flash disk and the write authentication root key in the management flash disk. After write authentication succeeds, the interface program of the background software can provide a permission selection user interface on the deployment computer, and according to the user's selection and operation, authorization information (permission information on downloading, playing or deleting video data) or address information (information on the area in which the governed video security controller 20 is located) is written into the user flash disk.
In the video security management system provided in this embodiment, authorization information or address information is written into the user equipment after write authentication has succeeded, which can further restrict the user's permissions, improve the security of video control and prevent malicious tampering or deletion.
In practical application, it is considered that the user equipment may be lost, in which case the initialization key in the user equipment must be revoked, so that the video security controller 20 would also be scrapped with it. On the basis of the above embodiments, the video security management system provided by another embodiment of the invention extends the number of initialization keys. In this embodiment, the video security controller 20 stores multiple initialization keys; the key management platform is specifically used, in the deployment phase, to perform management authentication of the currently connected management equipment and user equipment based on the management key, and after the management authentication succeeds, to select one initialization key from the multiple initialization keys corresponding to the video security controller and to import that initialization key and its corresponding serial number into the user equipment currently connected to the key management platform.
In the video security management system provided by an embodiment of the invention, multiple initialization keys are arranged in the video security controller 20, which avoids the situation in which the loss of a user USB device forces the initialization key in that device to be revoked and the video security controller 20 to be scrapped with it. In addition, since the video security controller 20 has one of the multiple initialization keys and its corresponding key serial number sent to the user equipment in the deployment phase, during the subsequent first two-way authentication the video security controller 20 can verify by the key serial number whether the user equipment matches, which further improves the security of video control.
In practical application, to further protect the security of the video data, operation permissions can be graded and distributed; for example, the permissions distributed to the management equipment held by a provincial department are higher than those distributed to the management equipment held by a city-level department, so as to realize control of the provincial department over the city-level department. There are many ways to implement graded permission distribution; for example, it can be based on graded management keys. On the basis of the above embodiments, the video security management system provided by another embodiment of the invention describes the distribution of management keys in detail. In this embodiment, the key management platform 10 is also used, based on a grading policy, to generate management root keys and to write each management root key into the management equipment of the corresponding level.
The key management platform 10 is also used to disperse the management root key corresponding to each management equipment to obtain a management sub-key, and to write the management sub-key into the user equipment corresponding to that management equipment;
The key management platform 10 is specifically used to perform the management authentication of the user equipment and the management equipment based on the management sub-key and the management root key.
In the video security management system provided by an embodiment of the invention, the management root keys are graded and the management root key of each level is distributed to the management equipment of the corresponding level, which realizes graded control between management equipment. For example, a higher-level management root key is distributed to the provincial management equipment and lower-level management root keys are distributed to the cities under that province, so that the provincial management equipment can control the video data in the video security controllers 20 actually managed by the city management equipment under it, while no cross control is possible between cities. A direct line of administration is thereby realized, permission management is strengthened, and the security of video control is further improved.
To guarantee the security of the interaction data between the key management platform 10 and the management equipment, the video security management system provided by another embodiment of the invention describes the communication authentication based on a communication authentication key in detail. In this embodiment, the key management platform 10 is also used to generate a communication authentication root key; the key management platform 10 is also used, in the production phase, to disperse the communication authentication root key under the device serial number of the management equipment to obtain a communication authentication sub-key and to distribute the communication authentication sub-key to the management equipment, so that in the deployment phase a session key is negotiated with the management equipment based on the communication authentication root key and the communication authentication sub-key, the session key being used to encrypt the interaction data between the management equipment and the key management platform 10.
In the video security management system provided in this embodiment, after the communication authentication between the key management platform 10 and the management equipment is completed using the communication authentication sub-key and the communication authentication root key, a session key between the key management platform 10 and the management equipment is negotiated, which guarantees the security of the interaction data, prevents the various keys being exchanged from being stolen or tampered with, ensures the validity of the subsequent authentication between devices, and improves the security of video control.
To further protect the security of the video data, the video security management system provided by another embodiment of the invention encrypts and decrypts the video data received by the video security controller 20. Specifically, in this embodiment, the system further includes a video capture device;
The video capture device is used to collect video data and to send the video data to the video security controller 20.
The video security controller 20 is also used to receive the video data sent by the video capture device, and to encrypt and store the video data based on the locally stored application authorization key.
The video security controller 20 is also used, after two-way authentication with the user equipment passes, to decrypt the video data that needs to be played or exported based on the locally stored application authorization key.
It can be understood that the application authorization key may also be applied in other scenarios; for example, apart from the video playback scenario exemplified in this embodiment, it may be applied to authentication in scenarios such as editing or deleting video data, to improve the security of the video data.
In the video security management system provided in this embodiment, the video data stored in the video security controller 20 is encrypted and decrypted in real time, which can further improve the security of the video data and prevent it from being maliciously downloaded or deleted.
Fig. 3 is a flow diagram of the video security management method provided by another embodiment of the invention. The video security management method may be implemented based on the video security management system provided by any of the preceding embodiments. As shown in Fig. 3, the method includes:
The key management platform 10 performs management authentication of the currently connected management equipment and user equipment based on the management key, and after the management authentication succeeds, imports the initialization key corresponding to the video security controller 20 into the currently connected user equipment according to the matching relationship table between user equipment and video security controllers 20.
The video security controller 20 performs the first two-way authentication with the user equipment based on the initialization key, and after the first two-way authentication succeeds, receives the application authorization key stored in the user equipment; the application authorization key is used for the subsequent two-way authentication between the user equipment and the video security controller 20.
Optionally, the terminal authentication equipment 30 may be any terminal with storage and data transmission capability, such as a flash disk. Correspondingly, the video security controller and the key management platform may be provided with an interface through which the user equipment and the management equipment connect, for example a USB interface. Optionally, to further improve security, in practical application the user equipment is usually used by a merchant and can only be paired with one video security controller; the management equipment is used by the public security or security control department at deployment time, and is used to complete authentication with the video security controllers corresponding to the user equipment it manages and to obtain authorization information.
In practical application, the video security controller 20 may be arranged at the premises of each ordinary user's business and connected to the video acquisition device located there; the video security controller 20 can be used to store the video data acquired by the video acquisition device, and has the initialization key built in during the production phase. The user equipment and the management equipment are pre-configured in the production phase with the relationship of managing and being managed (optionally, a management sub-key may be obtained by dispersing a management root key, the management root key distributed to the management equipment and the management sub-key distributed to the user equipment, so that the user equipment and the management equipment are bound in the relationship of managing and being managed based on the management root key and the management sub-key), i.e. the management equipment can control the video data in the video security controllers 20 of all the user equipment it manages.
In the deployment phase, the user equipment and the management equipment are connected to the key management platform 10 at the same time and management authentication is performed. After management authentication succeeds, the key management platform 10 can import the initialization key built into the video security controller 20 into the user equipment, and can also import into the user equipment the application authorization key obtained by dispersing the application authorization root key stored in the corresponding management equipment, so that the user equipment can subsequently complete the initial authentication with the video security controller 20 based on the initialization key (optionally, after the initial authentication is completed, the video security controller 20 may also perform the control operation for the corresponding permission according to the authorization information assigned to the user equipment in the deployment phase; the authorization information includes the permission information about which operations the user equipment may perform on the video data).
After the initial authentication succeeds, the user equipment imports the application authorization key into the connected video security controller 20. In the application stage, the user equipment may be held by an ordinary user, and the management equipment by a managing user (who may be a law enforcement officer at any level, for example an officer of a provincial public security department or of a city-level public security department). When the user needs to perform an operation such as playback, copy or destruction on the video data stored in the video security controller 20, the user equipment the user holds is connected to that video security controller 20 and two-way authentication is performed (optionally, two-way authentication is performed based on the application authorization key deployed in the user equipment and the application authorization key imported from the user equipment after the initial authentication between the user equipment and the video security controller 20 succeeded in the deployment phase). If the two-way authentication passes, the video security controller 20 can operate on the video data according to the pre-assigned permissions stored in the equipment (the equipment including user equipment and management equipment); for example, if the pre-assigned permissions include playback, copy and destruction, then correspondingly the video data stored in the video security controller 20 can be played back, copied and destroyed. In addition, each management equipment superior to the user equipment can also manage the video data in the video security controller 20 controlled by the user equipment by means of the application authorization root key. The stages above are divided only for a better understanding of this scheme and do not limit the technical solution of this application.
In the video security management method provided in this embodiment, the relationship of managing and being managed is controlled by the management authentication between the user equipment and the management equipment; after the first two-way authentication between the video security controller 20 and the user equipment succeeds, the application authorization key held by the user equipment is imported, subsequent two-way authentication is carried out based on the application authorization key, and the response operation is executed after the two-way authentication succeeds. Under this multiple authentication the security of video data control is improved, planned and systematic comprehensive security control of video data is realized, and social management and credible evidence collection are facilitated.
On the basis of the above embodiments, the video security management method provided by another embodiment of the invention describes the source of the application authorization key in detail. In this embodiment, the key management platform 10 generates an application authorization root key in the production phase and distributes the application authorization root key to the management equipment.
The key management platform 10, after the management authentication of the currently connected management equipment and user equipment succeeds, writes into the user equipment the application authorization key obtained by dispersing the application authorization root key stored in the management equipment.
The management equipment, in the application stage, performs two-way authentication with the video security controller 20 based on the locally stored application authorization root key, so that the video security controller 20 executes the control operation after the two-way authentication passes.
In the video security management method provided in this embodiment, the key management platform 10 disperses the application authorization root key stored locally in the management equipment to obtain the application authorization key and sends the application authorization key to the user equipment. The user equipment can thus, after completing the first two-way authentication with the video security controller 20, perform the subsequent two-way authentication with the video security controller 20 based on the application authorization key. Owing to the management relationship between the application authorization root key and the application authorization key, the relationship of managing and being managed is realized between the management equipment holding the application authorization root key and the user equipment holding the corresponding application authorization key, so that the management equipment can carry out security control over the video data in the video security controllers 20 corresponding to its subordinate user equipment. Reasonable permission distribution is thereby realized, the security of video data control is improved, planned and systematic comprehensive security supervision of video data is realized, and social management and credible evidence collection are facilitated.
In practical application, the operation permissions that the management equipment may execute also need to be set. There are many ways to set operation permissions; for example, write authentication may be performed based on a write authentication key, and permission write operations on the user equipment or management equipment may be performed according to the write authentication result. On the basis of the above embodiments, the video security management method provided by another embodiment of the invention describes the write authentication based on the write authentication key in detail. In this embodiment, the key management platform 10 generates a write authentication root key and a write authentication sub-key in the production phase, distributes the write authentication root key to the management equipment, and distributes the write authentication sub-key to the user equipment corresponding to the management equipment.
The key management platform 10, after the management authentication of the currently connected management equipment and user equipment succeeds, performs write authentication between the user equipment and the management equipment based on the write authentication sub-key stored in the user equipment and the write authentication root key stored in the management equipment; and, after write authentication succeeds, writes address information and/or video authorization information into the user equipment, so that after the user equipment completes two-way authentication with the video security controller 20 it executes the control operation of the corresponding permission according to the video authorization information.
In practical application, in the deployment phase the user equipment and the management equipment can be connected to the key management platform 10. Optionally, the key management platform 10 may be a deployment computer, the user equipment may be a user flash disk, and the management equipment may be a management flash disk. After the user flash disk and the management flash disk are connected to the deployment computer at the same time, write authentication is performed based on the write authentication sub-key in the user flash disk and the write authentication root key in the management flash disk. After write authentication succeeds, the interface program of the background software can provide a permission selection user interface on the deployment computer, and according to the user's selection and operation, authorization information (permission information on downloading, playing or deleting video data) or address information (information on the area in which the governed video security controller 20 is located) is written into the user flash disk.
In the video security management method provided in this embodiment, authorization information or address information is written into the user equipment after write authentication has succeeded, which can further restrict the user's permissions, improve the security of video control and prevent malicious tampering or deletion.
In practical application, it is contemplated that user equipment may be lost, and the initialization key in user equipment must nullify, so that Video security controller is also scrapped therewith.On the basis of the above embodiments, the Video security that further embodiment of this invention provides Management method extends the quantity of initialization key, in the present embodiment, what the Video security controller 20 stored Initialization key has multiple;The key management platform is specifically used for being currently accessed in deployment phase based on management key pair Management equipment and user equipment are managed certification, and after administrative authentication success, from right with the Video security controller 20 An initialization code key is selected in the multiple initialization keys answered, and the initialization code key and its corresponding serial number are imported currently Access the user equipment of the code key management platform.
Video security management method provided in an embodiment of the present invention, it is a plurality of first by being arranged in Video security controller 20 Beginningization key can be avoided the loss because of user USB, cause the initialization key in user USB that must nullify, so that video The case where safety governor 20 is also scrapped therewith appearance.In addition, by Video security controller 20 deployment phase will it is a plurality of at the beginning of One in beginningization key and its corresponding Key Sequence Number are sent to user equipment, when making subsequent first two-way authentication, Ke Yigen Video security controller 20 is verified according to the Key Sequence Number and whether user equipment matches, and further improves the safety of video control Property.
In practical application, to further protect video data, operating rights can be classified and distributed: for example, the management equipment held by a provincial department is assigned higher rights than the management equipment held by a city-level department, so that the province controls the city. There are many ways to implement such hierarchical distribution of rights; one of them is to base it on hierarchical management keys. Building on the above embodiments, a further embodiment of the invention describes the distribution of the management key in detail. In this embodiment, the key management platform 10 generates management root keys based on a hierarchical policy and writes each management root key into the management equipment of the corresponding level.
The key management platform 10 disperses the management root key corresponding to each management equipment to obtain a management sub-key, and writes the management sub-key into the user equipment corresponding to that management equipment;
The key management platform 10 performs the administrative authentication between user equipment and management equipment based on the management sub-key and the management root key.
With the video security management method provided in this embodiment, management root keys are organized by level and the management root key of each level is distributed to the management equipment of that level, which realizes hierarchical control among management equipment. For example, a higher-level management root key is distributed to the provincial management equipment and lower-level management root keys are distributed to the cities under that province, so that the provincial management equipment can control the video data in the video security controllers 20 that are managed by the management equipment under it, while the cities cannot control each other. This realizes a strict line of administration, strengthens rights management and further improves the security of video control.
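The hierarchy described above, as an added illustration that is not part of the patent: a province root key is dispersed into a city root key, which is dispersed into a per-device management sub-key, so provincial equipment can re-derive the sub-key of any user equipment in its province while city equipment can only re-derive those of its own city. HMAC-SHA256 is assumed as the dispersion algorithm (the page names none), the "city:" and "user:" labels and all class names are invented for the example, and administrative authentication is modelled as a proof of possession of the dispersed sub-key.

```python
import hashlib
import hmac
import os


def disperse(parent_key: bytes, identifier: str) -> bytes:
    """Dispersion: derive a lower-level key from a higher-level key and an identifier.
    The page does not name the algorithm; HMAC-SHA256 is assumed here."""
    return hmac.new(parent_key, identifier.encode("utf-8"), hashlib.sha256).digest()


class UserEquipment:
    """User equipment stores only the management sub-key written to it in production."""

    def __init__(self, province: str, city: str, device_id: str, sub_key: bytes):
        self.province, self.city, self.device_id = province, city, device_id
        self._sub_key = sub_key

    def respond(self, nonce: bytes) -> bytes:
        # Proves possession of the sub-key without revealing it.
        return hmac.new(self._sub_key, nonce, hashlib.sha256).digest()


class ManagementEquipment:
    """Management equipment stores the management root key of its own level.
    level is ("province", name) or ("city", province, name)."""

    def __init__(self, level: tuple, root_key: bytes):
        self.level = level
        self._root_key = root_key

    def expected_sub_key(self, ue: UserEquipment):
        if self.level[0] == "province":
            if ue.province != self.level[1]:
                return None
            city_root = disperse(self._root_key, "city:" + ue.city)
        else:  # city-level equipment only controls user equipment of its own city
            if (ue.province, ue.city) != self.level[1:]:
                return None
            city_root = self._root_key
        return disperse(city_root, "user:" + ue.device_id)

    def administrative_auth(self, ue: UserEquipment) -> bool:
        expected = self.expected_sub_key(ue)
        if expected is None:
            return False  # outside this equipment's line of administration
        nonce = os.urandom(16)
        want = hmac.new(expected, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(want, ue.respond(nonce))


class KeyManagementPlatform:
    """Generates root keys per the hierarchical policy and disperses them downwards."""

    def __init__(self):
        self._province_roots = {}

    def _root(self, province: str) -> bytes:
        return self._province_roots.setdefault(province, os.urandom(32))

    def provincial_equipment(self, province: str) -> ManagementEquipment:
        return ManagementEquipment(("province", province), self._root(province))

    def city_equipment(self, province: str, city: str) -> ManagementEquipment:
        city_root = disperse(self._root(province), "city:" + city)
        return ManagementEquipment(("city", province, city), city_root)

    def user_equipment(self, province: str, city: str, device_id: str) -> UserEquipment:
        city_root = disperse(self._root(province), "city:" + city)
        return UserEquipment(province, city, device_id, disperse(city_root, "user:" + device_id))


def demo() -> dict:
    kmp = KeyManagementPlatform()
    province = kmp.provincial_equipment("P1")
    city_a = kmp.city_equipment("P1", "A")
    city_b = kmp.city_equipment("P1", "B")
    ue_a = kmp.user_equipment("P1", "A", "UE-0001")
    ue_b = kmp.user_equipment("P1", "B", "UE-0002")
    forged = UserEquipment("P1", "A", "UE-0001", os.urandom(32))  # right identity, wrong key
    return {
        "province_controls_a": province.administrative_auth(ue_a),
        "province_controls_b": province.administrative_auth(ue_b),
        "a_controls_a": city_a.administrative_auth(ue_a),
        "a_controls_b": city_a.administrative_auth(ue_b),
        "b_controls_a": city_b.administrative_auth(ue_a),
        "forged_rejected": not city_a.administrative_auth(forged),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

The point to check in a real deployment is the one the example makes explicit: the management equipment never receives the user equipment's sub-key, it re-derives it from the root key it holds, so a city-level root key can only ever produce sub-keys for its own city, and a compromised city root does not expose any other city.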
To secure the data exchanged between the key management platform 10 and the management equipment, a further embodiment of the invention describes communication authentication based on a communication authentication key in detail. In this embodiment, the key management platform 10 generates a communication authentication root key. In the production phase, the key management platform 10 disperses the communication authentication root key over the equipment serial number of the management equipment to obtain a communication authentication sub-key and distributes the communication authentication sub-key to the management equipment, so that in the deployment phase a session key can be negotiated with the management equipment based on the communication authentication root key and the communication authentication sub-key. The session key is used to encrypt the data exchanged between the management equipment and the key management platform 10.
Specifically, Fig. 6 is an interaction flow chart of the session key negotiation in the video security management method provided by a further embodiment of the invention. As shown in Fig. 6, the key management platform may include a headend equipment and a background server, and the session key may be generated by the following steps:
601, the headend equipment sends a device identification read instruction to the management equipment;
602, the management equipment sends its own first device identification to the headend equipment;
603, the headend equipment sends a random number read instruction to the management equipment;
604, the management equipment sends an 11th random number to the headend equipment;
605, the headend equipment sends a compute-token instruction to the management equipment;
606, the management equipment computes an 11th token from the locally stored first communication authentication sub-key and the 11th random number;
607, the management equipment returns the 11th token to the headend equipment;
608, the headend equipment sends the first device identification and the 11th token to the background server;
609, the background server disperses the locally stored communication authentication root key over the first device identification to obtain a second communication authentication sub-key, decrypts the 11th token with the second communication authentication sub-key to obtain a 12th random number, generates a 13th random number, and generates a 12th token from the 12th random number, the negated 13th random number and the second communication authentication sub-key;
610, the background server sends the 12th token to the headend equipment;
611, the headend equipment sends the 12th token to the management equipment;
612, the management equipment decrypts the 12th token with the first communication authentication sub-key to obtain a 14th random number and a 15th random number;
613, the management equipment sends the 14th random number and the 15th random number to the headend equipment;
614, the headend equipment compares the 14th random number with the 11th random number;
615, if they are consistent, the headend equipment sends a session key instruction to the management equipment;
616, the management equipment computes a first session key from the 11th random number, the 15th random number and the first communication authentication sub-key;
617, the management equipment returns the first session key to the headend equipment;
618, the background server computes a second session key from the 12th random number, the 13th random number and the second communication authentication sub-key.
In the video security management method provided in this embodiment, the communication authentication between the key management platform 10 and the management equipment is completed with the communication authentication sub-key and the communication authentication root key, and a session key between the key management platform 10 and the management equipment is then negotiated. This protects the exchanged data, prevents the various keys that are exchanged from being stolen or tampered with, ensures the validity of the subsequent authentication between the devices, and improves the security of video control.
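The exchange of Fig. 6 carried out end to end with both sides' messages, as an added example that is not part of the patent. The headend equipment only relays and performs the comparison of step 614. HMAC-SHA256 is assumed for the dispersion of step 609 and for the session-key derivation of steps 616 and 618, and, because the page does not name a block cipher, the tokens are protected with an HMAC-keystream encrypt-then-MAC construction that stands in for one. Reproducing the "negated" 13th random number of step 609, the management equipment inverts it back so both sides derive from the same value (an assumption). All class and function names are illustrative.

```python
import hashlib
import hmac
import os

TAG_LEN = 16


def disperse(root: bytes, identifier: bytes) -> bytes:
    """Communication authentication sub-key = root key dispersed over the device serial number.
    Dispersion algorithm assumed (HMAC-SHA256); the page does not name one."""
    return hmac.new(root, identifier, hashlib.sha256).digest()


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the device's block cipher: fresh IV, HMAC-derived one-block keystream
    (plaintext of at most 32 bytes) and an encrypt-then-MAC tag over IV and ciphertext."""
    assert len(plaintext) <= 32
    iv = os.urandom(16)
    stream = hmac.new(key, b"enc" + iv, hashlib.sha256).digest()
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + iv + body, hashlib.sha256).digest()[:TAG_LEN]
    return iv + body + tag


def decrypt(key: bytes, token: bytes) -> bytes:
    iv, body, tag = token[:16], token[16:-TAG_LEN], token[-TAG_LEN:]
    want = hmac.new(key, b"mac" + iv + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(want, tag):
        raise ValueError("token authentication failed")
    stream = hmac.new(key, b"enc" + iv, hashlib.sha256).digest()
    return bytes(p ^ s for p, s in zip(body, stream))


def kdf_session(key: bytes, r_a: bytes, r_b: bytes) -> bytes:
    return hmac.new(key, b"session" + r_a + r_b, hashlib.sha256).digest()


def invert(b: bytes) -> bytes:
    return bytes(x ^ 0xFF for x in b)


class ManagementEquipment:
    def __init__(self, serial: bytes, sub_key: bytes):
        self.serial, self._k1 = serial, sub_key   # first communication authentication sub-key
        self.r11 = None

    def read_identification(self) -> bytes:       # step 602
        return self.serial

    def read_random(self) -> bytes:               # step 604
        self.r11 = os.urandom(16)
        return self.r11

    def compute_token(self) -> bytes:             # step 606: 11th token
        return encrypt(self._k1, self.r11)

    def open_token(self, token12: bytes):         # step 612: 14th and 15th random numbers
        plain = decrypt(self._k1, token12)
        return plain[:16], invert(plain[16:])     # undo the negation applied in step 609

    def session_key(self, r15: bytes) -> bytes:   # step 616: first session key
        return kdf_session(self._k1, self.r11, r15)


class BackgroundServer:
    def __init__(self, root_key: bytes):
        self._root = root_key                     # communication authentication root key

    def answer(self, serial: bytes, token11: bytes):   # step 609 and step 618
        k2 = disperse(self._root, serial)         # second communication authentication sub-key
        r12 = decrypt(k2, token11)                # 12th random number
        r13 = os.urandom(16)                      # 13th random number
        token12 = encrypt(k2, r12 + invert(r13))
        return token12, kdf_session(k2, r12, r13)  # 12th token, second session key


def negotiate(device: ManagementEquipment, server: BackgroundServer):
    """Headend side of Fig. 6: relays the messages and performs the comparison of step 614."""
    serial = device.read_identification()
    r11 = device.read_random()
    token11 = device.compute_token()
    token12, server_session_key = server.answer(serial, token11)   # steps 608-611
    r14, r15 = device.open_token(token12)                          # steps 612-613
    if not hmac.compare_digest(r14, r11):                          # step 614
        raise ValueError("server could not recover the 11th random number: key mismatch")
    return device.session_key(r15), server_session_key             # steps 615-618


def demo():
    root = os.urandom(32)
    serial = b"ME-0001"                          # constructed management equipment serial
    good = ManagementEquipment(serial, disperse(root, serial))
    k_device, k_server = negotiate(good, BackgroundServer(root))
    clone = ManagementEquipment(serial, os.urandom(32))   # same serial, wrong sub-key
    try:
        negotiate(clone, BackgroundServer(root))
        rejected = False
    except ValueError:
        rejected = True
    return k_device == k_server, rejected


if __name__ == "__main__":
    print(demo())
```

Because the stand-in cipher authenticates each token, a management equipment holding the wrong sub-key is already rejected at step 609, when the server cannot open the 11th token; with plain decryption the mismatch would instead surface as garbage random numbers and be caught only by the comparison of step 614, which is why that comparison must not be skipped.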
To further protect video data, the video security management method provided by a further embodiment of the invention encrypts and decrypts the video data received by the video security controller 20. Specifically, in this embodiment the video security management system further includes a video capture device;
The video capture device captures video data and sends the video data to the video security controller 20.
The video security controller 20 receives the video data sent by the video capture device, and encrypts and stores the video data based on the locally stored application authentication key.
After the two-way authentication with the user equipment passes, the video security controller 20 decrypts the video data that is to be played or exported based on the locally stored application authentication key.
It will be appreciated that the application authorization key can also be used in other scenarios: in addition to the video playback scenario of this embodiment, it can be applied to the authentication of operations such as editing or deleting video data, to improve the security of the video data.
By encrypting and decrypting the video data stored in the video security controller 20 in real time, the video security management method provided in this embodiment further improves the security of the video data and prevents it from being maliciously downloaded or deleted.
For a better understanding of the scheme, some of the interaction flows involved are described below:
Fig. 4 is an interaction flow chart of the first two-way authentication in the video security management method provided by a further embodiment of the invention. As shown in Fig. 4, the first two-way authentication based on the initialization key may include:
401, the user equipment generates a first random number.
402, the user equipment sends the first random number to the video security controller.
403, the video security controller computes a first token from the locally stored initialization key and the first random number.
404, the video security controller sends the first token to the user equipment.
405, the user equipment decrypts the first token with the locally stored initialization key to obtain a second random number, and obtains a first authentication result by comparing the first random number with the second random number.
406, the user equipment returns the first authentication result to the video security controller.
407, if the first authentication result is success, the video security controller generates a third random number.
408, the video security controller sends the third random number to the user equipment.
409, the user equipment computes a second token from the locally stored initialization key and the third random number.
410, the user equipment sends the second token to the video security controller.
411, the video security controller decrypts the second token with the locally stored initialization key to obtain a fourth random number, and obtains a second authentication result by comparing the third random number with the fourth random number.
412, if the second authentication result is success, the video security controller determines that this two-way authentication has passed.
Fig. 5 is an interaction flow chart of the subsequent two-way authentication in the video security management method provided by a further embodiment of the invention. As shown in Fig. 5, the subsequent two-way authentication based on the application authorization key may include:
501, the user equipment generates a fifth random number.
502, the user equipment sends the fifth random number to the video security controller.
503, the video security controller computes a third token from the locally stored application authorization key and the fifth random number.
504, the video security controller sends the third token to the user equipment.
505, the user equipment decrypts the third token with the locally stored application authorization key to obtain a sixth random number, and obtains a third authentication result by comparing the fifth random number with the sixth random number.
506, the user equipment returns the third authentication result to the video security controller.
507, if the third authentication result is success, the video security controller generates a seventh random number.
508, the video security controller sends the seventh random number to the user equipment.
509, the user equipment computes a fourth token from the locally stored application authorization key and the seventh random number.
510, the user equipment sends the fourth token to the video security controller.
511, the video security controller decrypts the fourth token with the locally stored application authorization key to obtain an eighth random number, and obtains a fourth authentication result by comparing the seventh random number with the eighth random number.
512, if the fourth authentication result is success, the video security controller determines that this two-way authentication has passed.
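The two flows of Fig. 4 and Fig. 5, together with the multiple-initialization-key embodiment above (the user equipment presents its key serial number, the controller selects that key from its list, and a lost user USB retires only that serial number), as an added example that is not part of the patent. It replaces the page's decrypt-the-token-and-compare check with the equivalent recompute-the-MAC-and-compare check using HMAC-SHA256 (an assumption, since the page names no algorithm); the class names, the revoke operation and the sample keys are constructed for the illustration.

```python
import hashlib
import hmac
import os


def make_token(key: bytes, challenge: bytes) -> bytes:
    """Challenge-response token; HMAC-SHA256 is assumed in place of the page's token cipher."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Party:
    """Token logic shared by user equipment and video security controller."""

    def __init__(self):
        self._keys = {}  # key name ("init" or "app") -> key bytes

    def token(self, name: str, challenge: bytes) -> bytes:
        return make_token(self._keys[name], challenge)

    def verify(self, name: str, challenge: bytes, tok: bytes) -> bool:
        return hmac.compare_digest(make_token(self._keys[name], challenge), tok)


def mutual_authenticate(initiator: Party, responder: Party, name: str) -> bool:
    """Steps 401-412 with name == "init", steps 501-512 with name == "app"."""
    r1 = os.urandom(16)                        # 401/501: initiator's random number
    t1 = responder.token(name, r1)             # 403/503: responder's token
    if not initiator.verify(name, r1, t1):     # 405/505: first authentication result
        return False
    r3 = os.urandom(16)                        # 407/507: responder's random number
    t2 = initiator.token(name, r3)             # 409/509: initiator's token
    return responder.verify(name, r3, t2)      # 411/511: second authentication result


class UserEquipment(Party):
    def __init__(self, key_serial: int, init_key: bytes, app_key: bytes):
        super().__init__()
        self.key_serial = key_serial           # serial number imported with the init key
        self._keys = {"init": init_key, "app": app_key}

    def export_app_key(self) -> bytes:
        return self._keys["app"]


class VideoSecurityController(Party):
    def __init__(self, init_keys: list):
        super().__init__()
        self._init_keys = list(init_keys)      # the plurality (e.g. 15) of initialization keys
        self._revoked = set()
        self.bound_serial = None

    def revoke(self, serial: int) -> None:
        """User USB reported lost: only this serial number is retired, the controller stays in use."""
        self._revoked.add(serial)
        if self.bound_serial == serial:
            self._keys.pop("app", None)
            self.bound_serial = None

    def first_authentication(self, ue: UserEquipment) -> bool:
        serial = ue.key_serial
        if serial in self._revoked or not 0 <= serial < len(self._init_keys):
            return False                       # serial number does not match this controller
        self._keys["init"] = self._init_keys[serial]
        if not mutual_authenticate(ue, self, "init"):
            return False
        self._keys["app"] = ue.export_app_key()   # application authorization key imported
        self.bound_serial = serial
        return True

    def subsequent_authentication(self, ue: UserEquipment) -> bool:
        return "app" in self._keys and mutual_authenticate(ue, self, "app")


def demo() -> dict:
    init_keys = [os.urandom(32) for _ in range(15)]          # production phase: 15 keys
    vsc = VideoSecurityController(init_keys)
    ue = UserEquipment(7, init_keys[7], os.urandom(32))       # deployment: serial 7 selected
    results = {"first_auth": vsc.first_authentication(ue)}
    results["subsequent_auth"] = vsc.subsequent_authentication(ue)
    results["wrong_key"] = vsc.first_authentication(UserEquipment(7, os.urandom(32), os.urandom(32)))
    results["wrong_serial"] = vsc.first_authentication(UserEquipment(3, init_keys[7], os.urandom(32)))
    foreign = UserEquipment(7, init_keys[7], os.urandom(32))  # app key never imported
    results["foreign_app_key"] = vsc.subsequent_authentication(foreign)
    vsc.revoke(7)                                             # user USB with serial 7 is lost
    results["lost_ue_after_revoke"] = vsc.first_authentication(ue)
    results["replacement_paired"] = vsc.first_authentication(UserEquipment(8, init_keys[8], os.urandom(32)))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

Two details worth keeping when implementing the real flows: the controller selects the initialization key by the serial number the user equipment presents, so a device that holds the right key but announces the wrong serial still fails, and the application authorization key is only accepted over a channel that has already passed the initialization-key authentication, so a device that merely holds a copy of the initialization key cannot substitute its own application key.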
To make the key situation of each terminal easier to understand, and with reference to the embodiments above, the table below gives an illustrative summary of how the keys of the video security controller, user equipment, management equipment and key management platform are generated and distributed.
Table 1
As shown above, the video security management system composed of the video security controller, user equipment, management equipment and key management platform has multiple application interfaces that realize the generation and distribution of each key and the authentication operations listed in the table. By scenario, the application interfaces of each terminal of the video security management system are divided into three phases: the production phase, the deployment phase and the application phase. The production, dispersion, import and authentication of the different keys take place in different phases, which ensures that the user equipment and the management equipment, whose modes of interaction with the video security controller differ, and the video security controller itself each use their own keys to encrypt and decrypt video data. Keys also control the operating rights of equipment: a higher-level key can view what has been encrypted by equipment holding a lower-level key.
The equipment interface is oriented to the video security controller terminal; when the interface is called, a legitimate video security controller terminal that has completed issuance must be inserted.
To explain the implementation of the video security management system in detail, the operations corresponding to the scenarios of the three phases of the application interfaces are described below:
1) Production phase:
The production phase of user equipment and management equipment is generally completed in the production system of the key management platform, which generates the device identification and the management keys and writes them into the device. Taking user equipment as an example, no dedicated interface needs to be designed: the encryption machine connected inside the key management platform performs the key dispersion and the basic device communication interface performs the writing. The device identification of the user equipment is generated; the device identification of the user equipment is dispersed by the encryption machine to obtain the management, read-write and communication-protection sub-keys; and the video security controller device identification, the administrative authentication sub-key, the write-authentication sub-key and so on are written into the user equipment.
The production phase of the video security controller can be completed at the video security controller manufacturer, which writes the initialization keys into the video security controller. The request data of the key management platform service interface includes the device identification of the designated security controller, and the output may be a plurality of initialization key ciphertexts. The initialization key ciphertexts are protected with a key-encryption key negotiated offline in advance and held jointly by the encryption machine of the key management platform and the video security controller production program. After the video security controller production program decrypts the initialization key ciphertexts, it writes the plurality of initialization keys into the video security controller. The plurality of initialization keys may be 15.
Specifically, Fig. 7 is an interaction flow chart of the video security controller production phase in the video security management method provided by a further embodiment of the invention. As shown in Fig. 7, the interaction flow of the video security controller production phase may include the following steps:
701, the controller production program sends an initialization key request instruction to the key management platform;
702, the key management platform returns the initialization keys, in ciphertext, to the controller production program;
703, the controller production program writes the initialization keys into the video security controller.
2) Deployment phase:
The deployment phase can be completed by deployment personnel at the user's site. The deployment personnel need to bring the user equipment, the management equipment, the video security controller and a deployment computer (a Microsoft system that can connect to the public network) which connects remotely to the key management platform and is equipped with the authoring program (the key production tool), and call the various interface programs to perform the following operations: obtain the quantity and basic information of the currently inserted user equipment and management equipment (called with the user equipment and management equipment inserted into the networked computer of the deployment personnel); generate and write the initialization key and application authorization key into the user equipment (called with the user equipment and management equipment inserted into the networked computer of the deployment personnel); write the address information data (called with the user equipment and management equipment inserted into the networked computer of the deployment personnel); write the video authorization information (called with the user equipment and management equipment inserted into the networked computer of the deployment personnel); export the application authorization key (called with the user equipment inserted into the video security controller), and write the exported application authorization key into the video security controller.
Specifically, Fig. 8 is an interaction flow chart of the deployment phase in the video security management method provided by a further embodiment of the invention. As shown in Fig. 8, the interaction flow of the deployment phase may include the following steps:
801, the management equipment sends its locally stored management root key and write-authentication root key to the deployment program of the key management platform;
802, the user equipment sends its locally stored management sub-key and write-authentication sub-key to the deployment program;
803, the deployment program performs administrative authentication according to the management root key and the management sub-key, and performs write authentication according to the write-authentication root key and the write-authentication sub-key;
804, if administrative authentication succeeds, the deployment program imports the initialization key and the application authorization key into the user equipment;
805, if write authentication succeeds, the deployment program writes the address information and the authorization information into the user equipment.
Fig. 9 is an interaction flow chart of the deployment phase in the video security management method provided by another embodiment of the invention. As shown in Fig. 9, the interaction flow of the deployment phase may include the following steps:
901, the user equipment sends its locally stored device identification to the video security controller;
902, the first two-way authentication between the video security controller and the user equipment is performed based on the device identification of the user equipment and the initialization key;
903, if the first two-way authentication succeeds, the user equipment imports the application authorization key into the video security controller.
3) Application phase:
User equipment obtains authorization: after the deployment phase is completed, the user connects the video security controller through the user equipment to obtain authorization information, calling the relevant interfaces to complete the following: obtain the quantity and basic information of the currently inserted management equipment and user equipment (called with the management equipment inserted into the video security controller); input the device identification and the initialization key serial number of the user equipment previously matched with the video security controller, and obtain the video authorization information from the user equipment (called with the user equipment inserted into the video security controller).
Specifically, Fig. 10 is an interaction flow chart of the user equipment obtaining authorization in the application phase of the video security management method provided by a further embodiment of the invention. As shown in Fig. 10, the flow of the user equipment obtaining authorization in the application phase may include the following steps:
1001, the user equipment sends its locally stored device identification to the video security controller;
1002, the two-way authentication between the video security controller and the user equipment is performed based on the application authorization key;
1003, if the two-way authentication succeeds, the user equipment imports the video authorization information into the video security controller.
Management equipment obtains authorization: after the video security controller has completed deployment, authorization information can be obtained by connecting the management equipment to the video security controller, calling the following interfaces: obtain the quantity and basic information of the currently inserted user equipment and management equipment (called with the user equipment inserted into the video security controller); input the device identification and the initialization key serial number of the user equipment previously matched with the video security controller, whereupon the management equipment disperses to obtain the corresponding application authorization key, completes the two-way authentication and obtains the video authorization information (called with the management equipment inserted into the video security controller).
Specifically, Fig. 11 is an interaction flow chart of the management equipment obtaining authorization in the application phase of the video security management method provided by a further embodiment of the invention. As shown in Fig. 11, the flow of the management equipment obtaining authorization in the application phase may include the following steps:
1101, the management equipment sends its locally stored device identification to the video security controller;
1102, the two-way authentication between the video security controller and the management equipment is performed based on the application authorization root key stored locally by the management equipment and the application authentication key stored locally by the video security controller;
1103, if the two-way authentication succeeds, the video security controller obtains the video authorization information from the management equipment.
In summary, the video security authentication method provided by the embodiments of the invention has at least the following advantages. Multi-level key management is supported: a lower-level key is obtained by dispersing a higher-level key, the hierarchical relationship is enforced by the algorithm, and the logic is strict and hard to break. One key per device and one key per level: each independent device has its own preset number of initial keys and the key of each level differs, so a non-technical leak (for example a lost or stolen key) affects only that one independent device; if a key is reported lost in advance, the device is given a replacement key and the original key becomes invalid. Video encrypted by a device can be played with the user key bound to it and with the key of its upper-level management: a higher-level key can derive the lower-level key by the algorithm, so video encrypted with an independent key can be decrypted and viewed by a key that has the right to do so. The whole evidence chain is encrypted and tamper-proof: every video operation is tied to a key and a right, every operation is encrypted and recorded in full, and every action is traceable.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the invention.

Claims (16)

1. a kind of Video security management system characterized by comprising key management platform, Video security controller and terminal Authenticating device;Wherein, the terminal authentication equipment includes management equipment and user equipment;
The key management platform, management equipment and user equipment for being currently accessed based on management key pair are managed and are recognized Card, and after administrative authentication success, according to the matching relationship table of user equipment and Video security controller, will pacify with the video The corresponding initialization key of controller imports the user equipment being currently accessed entirely;
The Video security controller, for carrying out two-way authentication for the first time based on the initialization key and the user equipment, and After the success of two-way authentication for the first time, the application authorization key of the user equipment storage is received, the application authorization key is used for Subsequent two-way authentication between user equipment and the Video security controller.
2. system according to claim 1, which is characterized in that
The key management platform is also used to generate application authorization root key in the production phase, and the application authorization root is close Key distributes to management equipment;
The key management platform is also used to after the administrative authentication success to the management equipment being currently accessed and user equipment, The user equipment is written in the application authorization key that the application authorization root key dispersion that the management equipment is stored obtains;
The management equipment, for being controlled in the application stage based on the application authorization root key and the Video security being locally stored Device carries out two-way authentication, so that the Video security controller executes control operation after two-way authentication passes through.
3. system according to claim 2, which is characterized in that
The key management platform is also used to write certification root code key in production phase generation and writes the sub- code key of certification, and will be described It writes certification root code key and distributes to management equipment, the sub- code key of certification will be write and distribute to the corresponding user equipment of the management equipment;
The key management platform is also used to after the administrative authentication success to the management equipment being currently accessed and user equipment, Writing based on user equipment storage writes certification root key described in certification sub-key and management equipment storage, realizes that user sets It is standby to write certification with management equipment;And after writing and authenticating successfully, address information and/or video authorization message write-in user are set It is standby, so as to execute corresponding authority according to the video authorization message after user equipment and the completion two-way authentication of Video security controller Control operation.
4. system according to claim 1, which is characterized in that the initialization key of the Video security controller storage has It is multiple;The key management platform is specifically used in deployment phase, the management equipment and use that are currently accessed based on management key pair Family equipment is managed certification, and after administrative authentication success, from multiple initialization corresponding with the Video security controller An initialization code key is selected in key, and the initialization code key and its importing of corresponding serial number are currently accessed the code key pipe The user equipment of platform.
5. system according to claim 1, which is characterized in that the management code key includes the management root of management equipment storage The sub- code key of management of code key and user equipment storage;
The key management platform is also used to be generated management root key based on hierarchical policy and the management root key is written The management equipment of appropriate level;
The key management platform is also used to the corresponding management root key dispersion of each management equipment obtaining management sub-key, and The corresponding user equipment of the management equipment is written into the management sub-key;
The key management platform is specifically used for being based on the management sub-key and the management root key, carries out user equipment With the administrative authentication of management equipment.
6. system according to claim 1, which is characterized in that the key management platform is also used to generate communication authentication Root key;
The key management platform is also used in the production phase, according to the communication authentication root key to the equipment of management equipment Serial number dispersion obtains communication authentication sub-key, and the communication authentication sub-key is distributed to management equipment, in deployment phase Based on the communication authentication root key and the communication authentication sub-key, with management equipment consult session key, the session is close Key is for encrypting the management equipment and the interaction data of key management platform;The equipment serial number of the management equipment is Production phase is the unique identification of management equipment distribution.
7. system according to claim 1-6, which is characterized in that the system also includes video capture devices;
The video capture device, for acquiring video data and video data being sent to the Video security controller;
The Video security controller is also used to receive the video data of video capture device transmission, is answered based on what is be locally stored Video data is encrypted and stored with authentication key;
The Video security controller, is also used to after passing through with user equipment two-way authentication, is recognized based on the application being locally stored Card key pair needs to play or derived video data is decrypted.
8. system according to claim 1-6, which is characterized in that the key management platform includes encryption equipment; The encryption equipment is for generating the initialization key and application authorization root key.
9. a kind of Video security management method is suitable for the described in any item Video security management systems of claim 1-8, described Method includes:
The key management platform is managed certification based on the management equipment that is currently accessed of management key pair and user equipment, and It, will be with the Video security control according to the matching relationship table of user equipment and Video security controller after administrative authentication success The corresponding initialization key of device processed imports the user equipment being currently accessed;
Video security controller is based on the initialization key and the user equipment carries out two-way authentication for the first time, and two-way for the first time After authenticating successfully, receive the application authorization key of user equipment storage, the application authorization key for user equipment and Subsequent two-way authentication between the Video security controller.
10. according to the method described in claim 9, it is characterized in that,
The key management platform generates application authorization root key in the production phase, and the application authorization root key is distributed to Management equipment;
The key management platform is after the administrative authentication success to the management equipment being currently accessed and user equipment, by the pipe Manage the application authorization key write-in user equipment that the application authorization root key dispersion of equipment storage obtains;
The management equipment the application stage based on the application authorization root key that is locally stored and the Video security controller into Row two-way authentication, so that the Video security controller executes control operation after two-way authentication passes through.
11. The method according to claim 10, characterized in that:
the key management platform generates a write-authentication root key and a write-authentication sub-key in the production phase, distributes the write-authentication root key to the management device, and distributes the write-authentication sub-key to the user device corresponding to that management device;
after the management authentication of the currently connected management device and user device succeeds, the key management platform performs write authentication between the user device and the management device based on the write-authentication sub-key stored by the user device and the write-authentication root key stored by the management device; and after the write authentication succeeds, it writes address information and/or video authorization information into the user device, so that the user device and the video security controller, once they have completed mutual authentication, execute only the control operations whose authority is granted by that video authorization information.
12. The method according to claim 9, characterized in that the video security controller stores a plurality of initialization keys; in the deployment phase the key management platform performs management authentication of the currently connected management device and user device using the management key, and, after the management authentication succeeds, selects one initialization key from the plurality of initialization keys corresponding to the video security controller and imports that initialization key together with its serial number into the user device currently connected to the key management platform (the serial number lets the controller identify which of its stored initialization keys the user device holds).
13. The method according to claim 9, characterized in that the management key comprises a management root key stored by the management device and a management sub-key stored by the user device;
the key management platform generates management root keys according to a hierarchical policy and writes each management root key into the management device of the corresponding level;
the key management platform disperses the management root key corresponding to each management device to obtain a management sub-key, and writes that management sub-key into the user device corresponding to the management device;
the key management platform performs management authentication between the user device and the management device based on the management sub-key and the management root key.
14. The method according to claim 9, characterized in that the key management platform generates a communication authentication root key;
in the production phase the key management platform disperses the communication authentication root key according to the device serial number of the management device to obtain a communication authentication sub-key, and distributes that communication authentication sub-key to the management device; in the deployment phase it negotiates a session key with the management device based on the communication authentication root key and the communication authentication sub-key, the session key being used to encrypt the data exchanged between the management device and the key management platform; the device serial number of the management device is a unique identifier assigned to the management device in the production phase.
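Claims 13 and 14 describe the same symmetric pattern twice: a root key held by the higher-tier device, a sub-key "dispersed" from it per device serial number and written into the lower-tier device, then a mutual authentication between the two that yields a session key. The claims do not name the dispersion algorithm or the authentication messages. The following Go program is an added example, not code from the patent or its assignee; it assumes HMAC-SHA256 for dispersion and a two-nonce challenge-response for the mutual authentication, and the session-key derivation from the transcript is likewise an assumption. The names `disperse`, `Provision`, `MutualAuth`, `UserDevice` and `ManagementDevice` are illustrative.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// disperse derives a device-specific sub-key from a root key and a device
// serial number. The claims call this step "dispersion" without naming an
// algorithm; HMAC-SHA256 over a purpose label and the serial is an assumption
// made for this example.
func disperse(rootKey []byte, purpose, serial string) []byte {
	m := hmac.New(sha256.New, rootKey)
	m.Write([]byte(purpose))
	m.Write([]byte{0}) // separator so "a"+"bc" and "ab"+"c" do not collide
	m.Write([]byte(serial))
	return m.Sum(nil)
}

// tag is an HMAC-SHA256 over a sequence of transcript fields.
func tag(key []byte, fields ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, f := range fields {
		m.Write(f)
	}
	return m.Sum(nil)
}

// UserDevice holds only its serial and the sub-key the platform wrote into it.
type UserDevice struct {
	Serial string
	sub    []byte
}

// ManagementDevice holds the root key and can re-derive any user sub-key.
type ManagementDevice struct{ root []byte }

// Provision emulates the key-management platform dispersing the management
// root key for one user device and writing the result into that device.
func Provision(root []byte, serial string) UserDevice {
	return UserDevice{Serial: serial, sub: disperse(root, "mgmt", serial)}
}

// MutualAuth runs a two-nonce challenge-response between the user device and
// the management device. Each side proves possession of the same sub-key over
// both nonces and the serial; on success both return an identical session key
// derived from the transcript. The session-key derivation is an assumption:
// the claims only say the parties "negotiate" a session key.
func MutualAuth(u UserDevice, m ManagementDevice) ([]byte, error) {
	expected := disperse(m.root, "mgmt", u.Serial) // management side re-derives

	nu := make([]byte, 16) // user nonce
	nm := make([]byte, 16) // management nonce
	if _, err := rand.Read(nu); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nm); err != nil {
		return nil, err
	}

	// 1. User -> Management: proof over its serial and both nonces.
	userProof := tag(u.sub, []byte("user"), []byte(u.Serial), nu, nm)
	if !hmac.Equal(userProof, tag(expected, []byte("user"), []byte(u.Serial), nu, nm)) {
		return nil, errors.New("user device authentication failed")
	}
	// 2. Management -> User: proof with the nonces in the other order and a
	//    different label, so neither proof can be replayed as the other.
	mgmtProof := tag(expected, []byte("mgmt"), []byte(u.Serial), nm, nu)
	if !hmac.Equal(mgmtProof, tag(u.sub, []byte("mgmt"), []byte(u.Serial), nm, nu)) {
		return nil, errors.New("management device authentication failed")
	}
	// 3. Both sides derive the session key from the authenticated transcript.
	return tag(u.sub, []byte("session"), nu, nm), nil
}

func main() {
	root := []byte("constructed 32-byte root key....") // constructed sample key
	u := Provision(root, "SN-2019-0001")
	if _, err := MutualAuth(u, ManagementDevice{root: root}); err != nil {
		fmt.Println("auth failed:", err)
		return
	}
	fmt.Println("mutual authentication succeeded for", u.Serial)
	_, err := MutualAuth(u, ManagementDevice{root: []byte("wrong root")})
	fmt.Println("wrong root key rejected:", err != nil)
}
```

Two properties of this hierarchy are worth keeping in mind when reading the claims. A device that presents another device's serial number is rejected because the management side re-derives the sub-key from the serial it was given, so the proof no longer matches. Conversely, whoever holds a management root key can derive every sub-key beneath it, which is why claim 16 places key generation in a cryptographic machine and why the root key belongs in tamper-resistant storage on the management device rather than in its application memory.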
15. The method according to any one of claims 9 to 14, characterized in that the system further comprises a video capture device;
the video capture device captures video data and sends the video data to the video security controller;
the video security controller receives the video data sent by the video capture device and encrypts and stores the video data based on the locally stored application authorization key;
after mutual authentication with the user device passes, the video security controller decrypts, based on the locally stored application authorization key, the video data that is to be played back or exported.
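Claim 15 says only that the controller encrypts stored video under the application authorization key and decrypts it after mutual authentication; it does not name a cipher or say how stored segments are protected against being swapped, reordered or moved to another controller. The Go program below is an added example, not code from the patent or its assignee. It assumes AES-256-GCM, a 32-byte application authorization key, and binds each segment to the controller serial and segment index through the AEAD's additional data; the `Controller`, `Segment`, `Store` and `Export` names and the `authed` flag standing in for the outcome of the mutual authentication are all illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Segment is one stored unit of encrypted video: a fresh nonce plus the
// AES-GCM ciphertext and tag. The controller serial and segment index are
// bound in as additional authenticated data, so a segment cannot be moved
// to another controller or reordered without the tag check failing.
type Segment struct {
	Index uint64
	Nonce []byte
	Data  []byte
}

// Controller models the storage side of the video security controller.
type Controller struct {
	Serial string
	appKey []byte // application authorization key written at deployment (assumed 32 bytes)
	authed bool   // set once mutual authentication with a user device has passed
}

func NewController(serial string, appKey []byte) *Controller {
	return &Controller{Serial: serial, appKey: appKey}
}

// SetAuthenticated records the outcome of the user-device mutual authentication.
func (c *Controller) SetAuthenticated(ok bool) { c.authed = ok }

// aad is the additional authenticated data: controller serial || 8-byte index.
func aad(serial string, index uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, index)
	return append([]byte(serial), b...)
}

func (c *Controller) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(c.appKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts a received video segment under the application authorization key.
func (c *Controller) Store(index uint64, plain []byte) (Segment, error) {
	g, err := c.aead()
	if err != nil {
		return Segment{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Segment{}, err
	}
	return Segment{Index: index, Nonce: nonce, Data: g.Seal(nil, nonce, plain, aad(c.Serial, index))}, nil
}

// Export decrypts a segment for playback or export. It refuses until the
// mutual authentication with the requesting user device has passed, and it
// fails on any segment whose serial, index, nonce or bytes were altered.
func (c *Controller) Export(s Segment) ([]byte, error) {
	if !c.authed {
		return nil, errors.New("user device not authenticated")
	}
	g, err := c.aead()
	if err != nil {
		return nil, err
	}
	return g.Open(nil, s.Nonce, s.Data, aad(c.Serial, s.Index))
}

func main() {
	key := []byte("constructed application key 32b!") // constructed sample key
	c := NewController("VSC-0001", key)
	seg, _ := c.Store(7, []byte("constructed H.264 NAL units"))
	if _, err := c.Export(seg); err != nil {
		fmt.Println("before authentication:", err)
	}
	c.SetAuthenticated(true)
	plain, err := c.Export(seg)
	fmt.Printf("after authentication: %q %v\n", plain, err)
}
```

Random 96-bit GCM nonces are safe for on the order of 2^32 segments under one key; a recorder that keeps one application authorization key for years should either use counter-based nonces or derive a per-period key from it, otherwise nonce reuse breaks both confidentiality and the integrity tag.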
16. The method according to any one of claims 9 to 14, characterized in that the key management platform comprises a cipher machine (a hardware cryptographic module); the cipher machine generates the initialization key and the application authorization root key.
CN201910700311.1A 2019-07-31 2019-07-31 Video safety management system and method Active CN110300289B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910700311.1A CN110300289B (en) 2019-07-31 2019-07-31 Video safety management system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910700311.1A CN110300289B (en) 2019-07-31 2019-07-31 Video safety management system and method

Publications (2)

Publication Number Publication Date
CN110300289A true CN110300289A (en) 2019-10-01
CN110300289B CN110300289B (en) 2020-08-21

Family

ID=68032271

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910700311.1A Active CN110300289B (en) 2019-07-31 2019-07-31 Video safety management system and method

Country Status (1)

Country Link
CN (1) CN110300289B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113873341A (en) * 2020-06-30 2021-12-31 西安理工大学 Method for improving real-time video transmission security
CN115811625A (en) * 2021-09-14 2023-03-17 果核数位股份有限公司 Streaming media service method and system for customizing information security level

Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040196370A1 (en) * 2003-04-04 2004-10-07 Akira Yaegashi Image transmission system, image pickup apparatus, image pickup apparatus unit, key generating apparatus, and program
US7272858B2 (en) * 2002-04-16 2007-09-18 Microsoft Corporation Digital rights management (DRM) encryption and data-protection for content on a relatively simple device
CN101461178A (en) * 2006-06-30 2009-06-17 Posdata株式会社 Dvr server and method for controlling accessing monitering device in network based digital video record system
EP2270710A1 (en) * 2009-06-30 2011-01-05 Axis AB Method for restricting access to media data generated by a camera
CN102063767A (en) * 2009-11-12 2011-05-18 中国移动通信集团公司 Method, system and PSAM (Purchase Secure Access Module) card for updating encryption key of smart card
CN102917252A (en) * 2011-08-02 2013-02-06 航天信息股份有限公司 IPTV (internet protocol television) program stream content protection system and method
CN103888257A (en) * 2013-11-03 2014-06-25 北京工业大学 Network camera identity authentication method based on TPCM
CN105162797A (en) * 2015-09-24 2015-12-16 广东工业大学 Bidirectional authentication method based on video surveillance system
CN205283718U (en) * 2015-12-13 2016-06-01 北京中安国通科技有限公司 High definition digital video safety protection system
US20160360282A1 (en) * 2015-01-27 2016-12-08 Charter Communications Operating, Llc System and method of content streaming and downloading
EP3104598A1 (en) * 2015-06-08 2016-12-14 Teleste Oyj Method and system for providing access to a video content
WO2017049387A1 (en) * 2015-09-25 2017-03-30 Genetec Inc. Secure enrolment of security device for communication with security server
CN106559212A (en) * 2016-11-08 2017-04-05 北京海泰方圆科技股份有限公司 Data processing method and device
WO2017165948A1 (en) * 2016-03-28 2017-10-05 Cicer One Technologies Inc. Data storage and access platform with jurisdictional control
CN107959573A (en) * 2017-12-12 2018-04-24 华东交通大学 A kind of guard method of the IP Camera based on digital signature
EP3352456A1 (en) * 2017-01-24 2018-07-25 Wipro Limited A method and a computing device for providing privacy control in a surveillance video
CN108763891A (en) * 2018-06-11 2018-11-06 山东超越数控电子股份有限公司 A kind of Special safety management platform and method for encryption mobile hard disk
CN108881960A (en) * 2018-08-08 2018-11-23 江苏信源久安信息科技有限公司 The method of intelligent video camera head security control and data confidentiality based on id password
CN109448197A (en) * 2018-12-18 2019-03-08 杭州高锦科技有限公司 A kind of cloud intelligent lock system and key management method based on multi-enciphering mode

Also Published As

Publication number Publication date
CN110300289B (en) 2020-08-21

Similar Documents

Publication Publication Date Title
CN101361076B (en) Mobile memory system for secure storage and delivery of media content
US7845011B2 (en) Data transfer system and data transfer method
JP5450392B2 (en) Binding content licenses to portable storage devices
US8694799B2 (en) System and method for protection of content stored in a storage device
US20060021065A1 (en) Method and device for authorizing content operations
CN109040026A (en) A kind of authorization method of digital asset, device, equipment and medium
CN102906755A (en) Content control method using certificate revocation lists
CN110324358A (en) Video data manages authentication method, module, equipment and platform
US7783895B2 (en) Method and apparatus for encrypting data to be secured and inputting/outputting the same
CN101351804A (en) Method and apparatus for managing entitlement
JP5139028B2 (en) Content data management system and method
CN101578608B (en) Methods and apparatuses for accessing content based on a session ticket
CN100386811C (en) Information processing apparatus, information recording medium, information processing method and computer program
US8862878B2 (en) Authentication and authorization of a device by a service using broadcast encryption
US20100313034A1 (en) Information processing apparatus, data recording system, information processing method, and program
CN110300289A (en) Video security management system and method
CN100364002C (en) Apparatus and method for reading or writing user data
US20110023083A1 (en) Method and apparatus for digital rights management for use in mobile communication terminal
CN105279453B (en) It is a kind of to support the partitions of file for separating storage management to hide system and method
US20030161064A1 (en) Hard disk unit ensuring stability of classified data
CN106533668A (en) Network-based PVR protection method and system
US20090282245A1 (en) Security method and system for media playback devices
KR20050096036A (en) Portable storage and management method of files in the portable storage
CN105354462B (en) A kind of guard method of mobile memory and mobile memory
CN101778094B (en) Mobile storage system used for monitoring

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant