CN114286141B - Method for realizing card-free condition receiving and set top box - Google Patents

Publication number
CN114286141B
Authority
CN
China
Prior art keywords
top box
set top
initialization data
authorized
unique decryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210189394.4A
Other languages
Chinese (zh)
Other versions
CN114286141A (en)
Inventor
林建勋
潘雨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Justek Technology Co ltd
Original Assignee
Shenzhen Justek Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Abstract

The invention provides a method for realizing cardless conditional access, a set top box and a computer readable storage medium. The method comprises the following steps: encrypting a unique decryption credential for authorized viewing content and writing it into a fixed area of an OTP chip of the set top box; encrypting the other initialization data (everything except the unique decryption credential) used for access authentication and authorized content processing of the set top box, as authorization initialization data, and writing it into a Flash NVRAM partition of the set top box; and simulating the function of a physical smart card by adding, at the set top box, a thread that obtains authorized viewing content from an operator server and decrypts it based on the authorization initialization data and the unique decryption credential. Using the operator-distributed unique decryption credential in the OTP chip of the set top box and the authorization initialization data in the Flash NVRAM partition, together with the corresponding thread, the invention realizes the function of the original smart card in software, thereby removing the dependence on smart card hardware and reducing cost.

Description

Method for realizing card-free condition receiving and set top box
Technical Field
The technical solution provided by the invention relates to the field of content authorization control, and in particular to a method for realizing cardless conditional access, a set top box and a computer readable storage medium.
Background
A Conditional Access (CA) system is a digital payment system that encrypts digital TV programs in order to establish an efficient charging system. Programs are encrypted by various digital technologies so that an operator can exercise authorization control over the information a user receives, and only authorized users can watch the encrypted programs, which protects the interests of the operator and of authorized users.
At present, the conditional access modes adopted by domestic cable digital television fall mainly into two types: the first is a smart card mode, in which the decryption task is completed jointly by the smart card and the set-top box host chip; the second is a machine-card separation mode, in which decryption is completed by the smart card alone.
Abandoning separate smart card hardware by integrating the smart card into the set-top box chip is known in the industry as cardless CA. Existing cardless CA solutions do not actually depart from the card-based CA framework; they merely move the smart card from outside the chip to inside the chip at the physical level. At present, a cardless CA implementation needs a unique and invariable ID as the decryption credential, and the chip ID of the set-top box main chip is usually used for this purpose. In practice, however, some chips do not have a unique chip ID, which introduces security weaknesses into the authorization and authentication of cardless CA set-top boxes and may cause losses to operators.
Disclosure of Invention
In order to overcome the shortcomings of the authorization and authentication scheme of current cardless CA set top boxes, and to remove the dependence of the decryption credential on chip ID/hardware characteristic information, the invention provides a scheme for realizing cardless conditional access.
Specifically, the scheme provides a cardless CA implementation method, a set-top box and a computer readable storage medium that are low in cost and high in security, and whose decryption credential does not depend on chip ID/hardware characteristics.
A first aspect of the invention provides a method for realizing cardless conditional access. The method comprises the following steps: encrypting a unique decryption credential for authorized viewing content and writing it into a fixed area of an OTP chip of the set top box; encrypting the other initialization data (everything except the unique decryption credential) used for access authentication and authorized content processing of the set top box, as authorization initialization data, and writing it into a Flash NVRAM partition of the set top box; and simulating the function of a physical smart card by adding, at the set top box, a thread that reads and decrypts the initialization data and the decryption credential so as to obtain authorized viewing content from an operator server and decrypt it. The thread decrypts the ciphertext of the decryption credential in the fixed area of the OTP chip to obtain the unique decryption credential, and decrypts the authorized content using the unique decryption credential.
Further, an agent program (OTP Client) on the set top box accesses the CA database of the operator server through a communication network to obtain an unauthorized encrypted KEY, decrypts the encrypted KEY according to an agreed secret key and algorithm, and splits the decrypted data to obtain the unique decryption credential and the authorization initialization data. After the unique decryption credential has been encrypted and successfully written into the fixed area of the OTP chip of the set top box, and the authorization initialization data has been encrypted and successfully written into the Flash NVRAM partition, the write result for the acquired KEY and the unique ID of the set top box are returned to the operator server, which stores them in association.
Further, obtaining the unauthorized encrypted KEY from the CA database of the operator server may also be implemented as follows: a corresponding program is added to the set-top box startup program so that the startup program can communicate with a PC through a serial port; PC software acquires an unauthorized encrypted KEY from the CA database and interacts with the set top box startup program to send the acquired encrypted KEY to the set top box; the set top box decrypts the encrypted KEY and splits the decrypted data into the unique decryption credential and the authorization initialization data; the unique decryption credential is encrypted and then written into the fixed area of the OTP chip of the set top box, and the authorization initialization data is encrypted and then written into the Flash NVRAM partition of the set top box.
A second aspect of the invention provides a set-top box for realizing cardless conditional access, the set-top box comprising a proxy module and an authorized content processing module. The proxy module is used for encrypting a unique decryption credential for authorized viewing content and writing it into a fixed area of the OTP chip of the set top box, and for encrypting the other initialization data (everything except the unique decryption credential) used for access authentication and authorized content processing of the set top box, as authorization initialization data, and writing it into a Flash NVRAM partition of the set top box. The authorized content processing module exists in the form of a thread in the set-top box; based on the authorization initialization data and the unique decryption credential, it obtains authorized viewing content from the operator server and decrypts it.
Furthermore, the authorized content processing module is further configured to decrypt the ciphertext of the decryption credential stored in the fixed area of the OTP chip to obtain the unique decryption credential, and to decrypt the authorized content using the unique decryption credential.
The third aspect of the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the aforementioned method of enabling cardless conditional access.
The technical solution provided by the invention realizes the function of the smart card in software form (a soft smart card), removes the dependence on smart card hardware and reduces the cost of the set-top box system. Moreover, the unique decryption credential distributed by the operator is encrypted and then stored in the fixed area of the OTP chip, and the other initialization data used for access authentication and authorized content processing of the set top box is encrypted and then stored in a Flash NVRAM partition, which enhances the security of the authorization data and effectively protects the interests of the operator.
Drawings
Fig. 1 is a schematic diagram of a set top box for implementing cardless conditional access according to the present invention.
Detailed Description
In order to make the technical problems, technical solutions and beneficial effects solved by the present invention more clear, the present invention is further described in detail below with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention provides a method for realizing cardless conditional access. The method comprises the following steps:
Step 1: Based on the set-top box software system, an independent area (hereinafter referred to as the Flash NVRAM partition) is partitioned from the Flash of the set-top box and used to store the authorization initialization data related to the conditional access system. The authorization initialization data is the other initialization data, apart from the unique decryption credential, used for access authentication and authorized content processing of the set top box. The set-top box software system includes, but is not limited to, an arm-linux system.
Step 2: An unauthorized encrypted KEY is acquired from the CA database of the operator server and decrypted, and the decrypted data is split to obtain the unique decryption credential and the authorization initialization data. The KEY stored in the operator's CA database consists of credential data for decrypting authorized content and initialization data related to executing the original smart card authentication protocol.
Step 3: The encrypted unique decryption credential is written into the fixed OTP (one-time programmable) area of the set top box chip, and at the same time the encrypted authorization initialization data is written into the Flash NVRAM partition.
Step 4: A thread that realizes the functions of the original smart card is added to the set-top box program. The thread simulates the function of a physical smart card; its main job is to read and decrypt the authorization initialization data and the unique decryption credential in order to obtain authorized viewing content from an operator server and decrypt it. When playing authorized content, the thread decrypts the ciphertext of the decryption credential stored in the fixed area of the OTP chip to obtain the unique decryption credential, and decrypts the authorized content using the unique decryption credential.
Step 2, obtaining the unauthorized encrypted KEY from the operator server, can mainly be done in the following two ways:
Mode 1: Provided that the set-top box software system supports network communication, an OTP Client program can be added to the set-top box to access the operator server and obtain an unauthorized encrypted KEY. The operator server retrieves unauthorized KEYs from the CA database and distributes them to different set-top boxes. The program then decrypts the encrypted KEY according to an agreed key and algorithm, and splits the decrypted data to obtain the unique decryption credential and the authorization initialization data. After the unique decryption credential has been encrypted and successfully written into the fixed area of the OTP chip of the set top box, and the authorization initialization data has been encrypted and successfully written into the Flash NVRAM partition, the write result for the acquired KEY and the unique ID of the set top box are returned to the operator server for associated storage.
Mode 2: Provided that the set-top box supports serial port communication, a corresponding program is added to the set-top box startup program. PC software acquires an unauthorized encrypted KEY from the CA database and interacts with the set-top box startup program to send the acquired encrypted KEY to the set-top box. The set-top box decrypts the encrypted KEY and splits it into the unique decryption credential and the authorization initialization data, which are each encrypted and written into their corresponding areas.
In one embodiment, the Mode 1 workflow is as follows:
OTP Client workflow:
Step 2-1-1: Read the designated OTP area to check whether data has already been written. If it has, exit the program; if not, go to step 2-1-2;
Step 2-1-2: Request an unauthorized encrypted KEY from the OTP Server. If the request fails, exit the program; if it succeeds, go to step 2-1-3;
Step 2-1-3: Decrypt and verify the encrypted KEY using the agreed secret key. If verification fails, return an exception to the OTP Server and then exit the program; if verification succeeds, go to step 2-1-4;
Step 2-1-4: Split the data decrypted from the KEY, according to the agreed combination mode, into the unique decryption credential to be written into the OTP and the authorization initialization data to be written into the flash NVRAM partition;
Step 2-1-5: Encrypt the authorization initialization data and write it into the flash NVRAM partition. If the write fails, return an exception to the OTP Server; if it succeeds, go to step 2-1-6;
Step 2-1-6: Encrypt the unique decryption credential and write it into the OTP of the set top box chip. If the write fails, return an exception to the OTP Server; if it succeeds, return success to the OTP Server.
The corresponding OTP Server workflow: after the OTP Server is started, it executes steps 2-1-7 and 2-1-8 in a loop.
Step 2-1-7: Wait for a connection from the OTP Client. If the connection is a KEY request, read an unallocated KEY from the CA database (currently an SQL database), recombine it according to the agreed combination mode and encrypt it with the secret key, transmit it to the OTP Client over the network, and set the state of that KEY in the CA database to allocated. If the connection carries feedback data, go to step 2-1-8;
Step 2-1-8: Process the feedback from the OTP Client. If the feedback reports a write failure, use the KEY-related information and the error code in the feedback data to store the corresponding failure information in the CA database table row for that KEY. If the feedback reports a successful write, use the KEY-related information in the feedback data to store the success record, associated with the unique ID of the corresponding set top box, in the CA database table row for that KEY.
In one embodiment, the Mode 2 workflow is as follows. The workflow that needs to be added to the set top box startup program comprises the following steps:
Step 2-2-1: Read the fixed area of the OTP chip to check whether data has been written. If it has, end this process and enter the normal startup process; otherwise, go to step 2-2-2;
Step 2-2-2: Request an unauthorized encrypted KEY from the PC-side software through the serial port according to the agreed communication rule, and go to step 2-2-3;
Step 2-2-3: Wait for a response. On timeout, enter the normal startup process; if an unauthorized encrypted KEY is received, go to step 2-2-4;
Step 2-2-4: Decrypt and verify the received encrypted KEY using the agreed key. If verification fails, send a verification-failed message to the PC-side software through the serial port, add 1 to the failure count, and go to step 2-2-5; if verification succeeds, send a verification-succeeded message to the PC-side software through the serial port, and go to step 2-2-6;
Step 2-2-5: If the failure count is smaller than the limit value, go to step 2-2-3; otherwise, end this process and enter the normal startup process of the set top box;
Step 2-2-6: Split the data obtained by decryption in step 2-2-4 into the unique decryption credential to be written into the OTP fixed area and the authorization initialization data to be written into the flash NVRAM partition;
Step 2-2-7: Encrypt the authorization initialization data and write it into the flash NVRAM partition. If the write fails, send a flash NVRAM write exception to the PC-side software through the serial port, exit, and enter the normal startup process of the set top box; if it succeeds, go to step 2-2-8;
Step 2-2-8: Write the encrypted unique decryption credential into the fixed area of the set top box OTP chip. If the write fails, send an OTP write exception message to the PC-side software through the serial port; if it succeeds, send a KEY-write-success message to the PC-side software through the serial port and go to step 2-2-9;
Step 2-2-9: Send KEY write success to the serial port and enter the normal startup process of the set top box.
PC program workflow:
After "start writing data" is clicked in the PC program's operation interface, the following steps are executed in a loop:
Step 2-2-10: Read an unallocated encrypted KEY from the CA database, set the state of that unauthorized encrypted KEY in the CA database to allocated, add the encrypted KEY that was read to the serial port send queue according to the agreed communication rule, and go to step 2-2-11;
Step 2-2-11: Wait to receive serial port data. If a request for an encrypted KEY or a KEY verification failure is received, go to step 2-2-12; if a flash NVRAM write exception is received, go to step 2-2-13; if an OTP write failure is received, go to step 2-2-14; if KEY write success is received, go to step 2-2-15;
Step 2-2-12: Send the encrypted KEY queued in step 2-2-10 to the set top box through the serial port, and then go to step 2-2-11;
Step 2-2-13: Display the flash write failure and the ID of the encrypted KEY in a prompt window, and prompt the operator to replace the set top box;
Step 2-2-14: Display the OTP write failure and the ID of the encrypted KEY in a prompt window, and prompt the operator to replace the set top box;
Step 2-2-15: Set the state of the encrypted KEY that was read to successfully written in the CA database, and return to step 2-2-10.
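Added example, not part of the patent text: the KEY bookkeeping that both the OTP Server (steps 2-1-7 and 2-1-8) and the PC program (steps 2-2-10 to 2-2-15) perform against the CA database, written with Python's `sqlite3` so that allocation is atomic and feedback is accepted only for a KEY that is currently allocated. The table layout, the state names and the rule that one set-top box ID binds to at most one KEY are assumptions; the patent only says the database is SQL and that each KEY has a state.

```python
import sqlite3

# Constructed schema; column and state names are hypothetical.
SCHEMA = """
CREATE TABLE ca_keys (
    key_id     INTEGER PRIMARY KEY,
    key_blob   BLOB NOT NULL,
    state      TEXT NOT NULL DEFAULT 'unallocated'
               CHECK (state IN ('unallocated', 'allocated', 'written', 'failed')),
    stb_id     TEXT UNIQUE,   -- assumption: a box ID may be bound to one KEY only
    error_code INTEGER
);
"""


def open_ca_db(key_blobs):
    """Create an in-memory CA database preloaded with unallocated KEYs."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO ca_keys (key_blob) VALUES (?)",
                   [(blob,) for blob in key_blobs])
    return db


def allocate_key(db):
    """Steps 2-1-7 / 2-2-10: read one unallocated KEY and mark it allocated.

    Both statements run in one write transaction, so two concurrent requests
    can never be handed the same KEY. Returns (key_id, key_blob) or None.
    """
    db.execute("BEGIN IMMEDIATE")
    try:
        row = db.execute(
            "SELECT key_id, key_blob FROM ca_keys "
            "WHERE state = 'unallocated' ORDER BY key_id LIMIT 1").fetchone()
        if row is not None:
            db.execute("UPDATE ca_keys SET state = 'allocated' WHERE key_id = ?",
                       (row[0],))
        db.execute("COMMIT")
        return row
    except Exception:
        db.execute("ROLLBACK")
        raise


def record_feedback(db, key_id, ok, stb_id=None, error_code=None):
    """Steps 2-1-8 / 2-2-13 to 2-2-15: store the write result for a KEY.

    Success binds the KEY to the box's unique ID; failure stores the error code.
    Returns False for feedback that does not match an allocated KEY, that lacks
    a box ID on success, or that reuses a box ID already bound to another KEY.
    """
    if ok and not stb_id:
        return False
    db.execute("BEGIN IMMEDIATE")
    try:
        if ok:
            cur = db.execute(
                "UPDATE ca_keys SET state = 'written', stb_id = ? "
                "WHERE key_id = ? AND state = 'allocated'", (stb_id, key_id))
        else:
            cur = db.execute(
                "UPDATE ca_keys SET state = 'failed', error_code = ? "
                "WHERE key_id = ? AND state = 'allocated'", (error_code, key_id))
        db.execute("COMMIT")
        return cur.rowcount == 1
    except sqlite3.IntegrityError:
        db.execute("ROLLBACK")
        return False


def key_state(db, key_id):
    """Return (state, stb_id, error_code) for one KEY, or None if it is unknown."""
    return db.execute(
        "SELECT state, stb_id, error_code FROM ca_keys WHERE key_id = ?",
        (key_id,)).fetchone()
```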
Fig. 1 shows a set top box for realizing cardless conditional access according to the present invention. In hardware, the set top box mainly comprises a Flash chip, an OTP chip and the main chip of the set top box. Functionally, the set-top box comprises a proxy module and an authorized content processing module. The proxy module is used for encrypting a unique decryption credential for authorized viewing content and writing it into a fixed area of the OTP chip of the set top box, and for encrypting the other initialization data (everything except the unique decryption credential) used for access authentication and authorized content processing of the set top box, as authorization initialization data, and writing it into a Flash NVRAM partition of the set top box. The authorized content processing module exists in the form of a thread in the set-top box; based on the authorization initialization data and the unique decryption credential, it obtains authorized viewing content from the operator server and decrypts it.
The present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the aforementioned method of enabling cardless conditional access.
The above-mentioned embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present disclosure.

Claims (7)

1. A method for enabling cardless conditional access, the method comprising:
obtaining an unauthorized encrypted KEY from a CA database of an operator server, decrypting the KEY according to an agreed key and algorithm, and splitting the decrypted data to obtain a unique decryption credential for authorized viewing content and authorization initialization data; the authorization initialization data being the other initialization data, apart from the unique decryption credential, used for access authentication and authorized content processing of the set top box; writing the encrypted unique decryption credential into a fixed area of an OTP chip of the set top box, and writing the authorization initialization data into a Flash NVRAM partition of the set top box;
and, based on the original smart card program source code, adding at the set top box a thread that reads the authorization initialization data and the unique decryption credential so as to obtain authorized viewing content from an operator server and decrypt it.
2. The method of claim 1, wherein obtaining the unauthorized encrypted KEY from the CA database of the operator server is implemented as: an agent program on the set top box accessing an unauthorized encrypted KEY in the CA database of the operator server through a communication network, and decrypting and splitting it to obtain the unique decryption credential and the authorization initialization data; and, after the unique decryption credential has been encrypted and successfully written into the fixed area of the OTP chip of the set top box and the authorization initialization data has been successfully written into the Flash NVRAM partition, returning the write result for the acquired KEY and the unique ID of the set top box to the operator server, which stores them in association.
3. The method of claim 2, wherein obtaining the unauthorized encrypted KEY from the CA database of the operator server is further implemented as: acquiring an unauthorized encrypted KEY from the CA database of the operator server through a PC client and forwarding it to the startup program of the set top box; after receiving the unauthorized encrypted KEY, the startup program decrypting it according to an agreed key and algorithm, and splitting the decrypted data to obtain the unique decryption credential and the authorization initialization data; and, after the unique decryption credential has been encrypted and successfully written into the fixed area of the OTP chip of the set top box and the authorization initialization data has been encrypted and successfully written into the Flash NVRAM partition, feeding back the write result for the acquired KEY to the operator server through the PC client.
4. The method according to any one of claims 1 to 3, wherein the thread is further configured to decrypt the ciphertext of the unique decryption credential in the fixed area of the OTP chip to obtain the unique decryption credential, and to decrypt authorized content using the unique decryption credential.
5. A set top box for enabling cardless conditional access, the set top box comprising a proxy module and an authorized content processing module, wherein:
the proxy module is used for acquiring an unauthorized encrypted KEY from a CA database of an operator server, decrypting the KEY according to an agreed key and algorithm, and splitting the decrypted data to obtain a unique decryption credential for authorized viewing content and authorization initialization data; the authorization initialization data being the other initialization data, apart from the unique decryption credential, used for access authentication and authorized content processing of the set top box; and for writing the encrypted unique decryption credential into a fixed area of an OTP chip of the set top box, and writing the authorization initialization data into a Flash NVRAM partition of the set top box;
the authorized content processing module exists in the form of a thread in the set-top box and, based on the initialization data and the unique decryption credential, obtains authorized viewing content from the operator server and decrypts it.
6. The set top box according to claim 5, wherein the authorized content processing module is further configured to decrypt the ciphertext of the unique decryption credential in the fixed area of the OTP chip to obtain the unique decryption credential, and to decrypt the authorized content using the unique decryption credential.
7. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method of any one of claims 1-4.
CN202210189394.4A 2022-03-01 2022-03-01 Method for realizing card-free condition receiving and set top box Active CN114286141B (en)

Publications (2)

Publication Number Publication Date
CN114286141A CN114286141A (en) 2022-04-05
CN114286141B true CN114286141B (en) 2022-06-28

Family

ID=80882166
