CN115913571A - File encryption and decryption method and device, and digital copyright protection system - Google Patents
File encryption and decryption method and device, and digital copyright protection system Download PDFInfo
- Publication number
- CN115913571A CN115913571A CN202211433927.5A CN202211433927A CN115913571A CN 115913571 A CN115913571 A CN 115913571A CN 202211433927 A CN202211433927 A CN 202211433927A CN 115913571 A CN115913571 A CN 115913571A
- Authority
- CN
- China
- Prior art keywords
- key
- certificate chain
- content
- license
- file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The application discloses a file encryption and decryption method and device, and a digital copyright protection system, wherein the digital copyright protection system comprises a production server, a key management service, a client and a content license service, the production server and the key management service utilize a first certificate chain, a second certificate chain and a key license to realize a file encryption method, and can be suitable for all types of container files, the client and the content license service utilize a third certificate chain, a fourth certificate chain and a content license to realize a file decryption method, and can also be suitable for all types of container files, and the security protection capability of a digital copyright can be obviously improved based on the high security of the certificate chains (namely the first certificate chain, the second certificate chain, the third certificate chain and the fourth certificate chain), the key license and an internal license.
Description
Technical Field
The present application relates to the field of digital copyright protection, and in particular, to a file encryption and decryption method and apparatus, and a digital copyright protection system.
Background
The general encryption specification used in the existing digital rights protection technology is limited to be applicable only to container files of a specified industry standard, such as CENC general encryption specification defined by ISO/IEC 23001-7, and only to ISOBMFF file encapsulation format (MP 4, M4S, etc. format). For some non-industry standard container files (e.g., FLAG, OGG of audio), the existing digital rights protection technology cannot be used, and for this reason, the non-industry standard container file needs to be encrypted to protect the digital rights of the digital products of the non-industry standard container file.
The existing encryption mode for the container file of the non-industrial standard generally uses a fixed single encryption key to encrypt all files of a digital product, and the encryption key is easy to be cracked by a third party, so that the safety protection capability is low.
Therefore, how to improve the security protection capability of digital copyright becomes a problem which needs to be solved urgently in the field.
Disclosure of Invention
The application provides a file encryption and decryption method and device and a digital copyright protection system, and aims to improve the safety protection capability of digital copyright.
In order to achieve the above object, the present application provides the following technical solutions:
a file encryption method is applied to a production server and comprises the following steps:
after a file to be encrypted is obtained, a key generation request carrying a first certificate chain is sent to a preset key management service, so that the key management service responds to the key generation request and sends a key license carrying a second certificate chain to the production service end; the first certificate chain comprises a public key of the production server; the second certificate chain includes a public key of the key management service; the key license comprises a key information ciphertext; the key information ciphertext is obtained by encrypting a content key generated by the key management service and a key identifier corresponding to the content key by using a public key in the first certificate chain by the key management service;
under the condition that the second certificate chain passes authentication, a private key of the production server is used for decrypting the key information ciphertext obtained by analyzing the key license to obtain the content key and the key identifier;
generating a digital copyright protection information header based on the key identification;
encrypting the file to be encrypted by using the content key to obtain an encrypted file;
and packaging the digital copyright protection information header into the encrypted file to obtain a digital product ciphertext by taking the digital copyright protection information header as a file header.
Optionally, the method further includes:
re-sending the key generation request to the key management service if the second certificate chain is not authenticated.
Optionally, the generating a digital rights protection header based on the key identifier includes:
and generating a digital copyright protection information header based on the key identification, and the preset information header byte number, the encryption type identification and the information header version.
A file decryption method is applied to a client and comprises the following steps:
after a digital product ciphertext is obtained from a production server, file header extraction is carried out on the digital product ciphertext to obtain a digital copyright protection information header;
analyzing the digital copyright protection information header to obtain a key identifier;
sending a license acquisition request carrying the key identifier and a third certificate chain to a preset content license service, so that the content license service responds to the license acquisition request and sends a content license carrying a fourth certificate chain to the client; wherein the third certificate chain comprises a public key of the client; the fourth certificate chain includes a public key of the content license service; the content license includes an encryption key; the encryption key is obtained by encrypting the content key corresponding to the key identifier, which is acquired from a key management service, by the content license service by using the public key in the third certificate chain;
under the condition that the fourth certificate passes authentication, decrypting the encrypted key obtained by analyzing the content license by using a private key of the client to obtain the content key;
and decrypting the digital product ciphertext by using the content key to obtain a digital product plaintext.
Optionally, the analyzing the digital copyright protection information header to obtain a key identifier includes:
extracting an encryption type identifier from the digital copyright protection information header;
and under the condition that the encryption type identifier is a universal digital copyright, analyzing the digital copyright protection information header to obtain a key identifier.
Optionally, the method further includes:
re-sending the license acquisition request to the content license service if the fourth certificate chain is not authenticated.
A file encryption apparatus comprising:
the device comprises a request unit, a first certificate chain generation unit and a second certificate chain generation unit, wherein the request unit is used for sending a key generation request carrying a first certificate chain to a preset key management service after a file to be encrypted is obtained, so that the key management service responds to the key generation request and sends a key license carrying a second certificate chain to the file encryption device; wherein the first certificate chain comprises a public key of the file encryption device; the second certificate chain includes a public key of the key management service; the key license comprises a key information ciphertext; the key information ciphertext is obtained by encrypting a content key generated by the key management service and a key identifier corresponding to the content key by using a public key in the first certificate chain by the key management service;
a decryption unit, configured to decrypt, using a private key of the file encryption apparatus, the key information ciphertext obtained by analyzing the key license when the second certificate chain passes authentication, so as to obtain the content key and the key identifier;
a generating unit, configured to generate a digital rights protection header based on the key identifier;
the encryption unit is used for encrypting the file to be encrypted by using the content key to obtain an encrypted file;
and the packaging unit is used for packaging the digital copyright protection information header into the encrypted file to obtain a digital product ciphertext by taking the digital copyright protection information header as a file header.
Optionally, the generating unit is specifically configured to:
and generating a digital copyright protection information header based on the key identification, and the preset information header byte number, the encryption type identification and the information header version.
A file decryption apparatus comprising:
the extraction unit is used for extracting a file header of the digital product ciphertext to obtain a digital copyright protection information header after the digital product ciphertext is obtained from the production server;
the analysis unit is used for analyzing the digital copyright protection information head to obtain a key identifier;
a requesting unit, configured to send a license acquisition request carrying the key identifier and the third certificate chain to a preset content license service, so that the content license service sends a content license carrying a fourth certificate chain to the file decryption device in response to the license acquisition request; wherein the third certificate chain includes a public key of the file decryption device; the fourth certificate chain includes a public key of the content license service; the content license includes an encryption key; the encryption key is obtained by encrypting the content key corresponding to the key identifier, which is acquired from a key management service, by the content license service by using the public key in the third certificate chain;
a first decryption unit, configured to decrypt, using a private key of the file decryption device, the encrypted key obtained by parsing the content license to obtain the content key, if the fourth certificate passes authentication;
and the second decryption unit is used for decrypting the digital product ciphertext by using the content key to obtain a digital product plaintext.
A digital rights protection system comprising:
the system comprises a production server, a key management service, a client and a content license service;
the production server is used for: after a file to be encrypted is obtained, a key generation request carrying a first certificate chain is sent to the key management service, and a key license carrying a second certificate chain sent by the key management service is received; under the condition that the second certificate chain passes authentication, a private key of the production server is used for decrypting a key information ciphertext obtained by analyzing the key license to obtain a content key and a key identifier; generating a digital copyright protection information header based on the key identification; encrypting the file to be encrypted by using the content key to obtain an encrypted file; packaging the digital copyright protection information header into the encrypted file to obtain a digital product ciphertext, wherein the digital copyright protection information header is used as a file header;
the key management service to: responding to the key generation request, and generating the content key and the key identification corresponding to the content key; encrypting the content key and the key identification by using a public key in the first certificate chain to obtain the key information ciphertext; generating the key license based on the second certificate chain and the key information ciphertext;
the client is used for: after the digital product ciphertext is obtained from the production server, file header extraction is carried out on the digital product ciphertext to obtain a digital copyright protection information header; analyzing the digital copyright protection information header to obtain the key identification; sending a license acquisition request carrying the key identifier and the third certificate chain to the content license service, and receiving a content license carrying a fourth certificate chain sent by the content license service; under the condition that the fourth certificate passes authentication, decrypting the encrypted key obtained by analyzing the content license by using a private key of the client to obtain the content key; decrypting the digital product ciphertext by using the content key to obtain a digital product plaintext;
the content license service to: acquiring the content key corresponding to the key identifier from the key management service in response to the license acquisition request; encrypting the content key by using the public key in the third certificate chain to obtain the encryption key; generating the content license based on the encryption key and the fourth certificate chain;
wherein the first certificate chain comprises a public key of the production server; the second certificate chain includes a public key of the key management service; the third certificate chain comprises a public key of the client; the fourth certificate chain includes a public key of the content license service.
According to the technical scheme, the file encryption and file decryption modes are realized by utilizing the first certificate chain, the second certificate chain, the third certificate chain, the fourth certificate chain, the key license and the content license, the method and the device can be suitable for all types of container files, and the security protection capability of the digital copyright can be remarkably improved based on the high security of the certificate chains (namely the first certificate chain, the second certificate chain, the third certificate chain and the fourth certificate chain), the key license and the content license.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a file encryption method according to an embodiment of the present application;
fig. 2 is a schematic flowchart of another file encryption method according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a file decryption method according to an embodiment of the present application;
fig. 4 is a schematic flowchart of another file decryption method according to an embodiment of the present application;
FIG. 5 is a schematic diagram illustrating an architecture of a file encryption apparatus according to an embodiment of the present application;
fig. 6 is a schematic diagram illustrating an architecture of a file decryption apparatus according to an embodiment of the present application;
fig. 7 is a schematic diagram of an architecture of a digital copyright protection system according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
As shown in fig. 1, a schematic flow chart of a file encryption method provided in the embodiment of the present application is applied to a production server, and includes the following steps.
S101: and sending a key generation request carrying the first certificate chain to a preset key management service after the file to be encrypted is obtained, so that the key management service responds to the key generation request and sends a key license carrying the second certificate chain to the production service terminal.
The file to be encrypted includes a digital product which needs to be encrypted and protected, and the file types of the digital product include but are not limited to: an industry standard container file, and a non-industry standard container file.
It is emphasized that the first certificate chain includes the public key of the production server, and the obtaining process of the first certificate chain may be: the production server sends the public key and the identity information of the production server to a preset certificate issuing organization in advance, and after the certificate issuing organization confirms that the identity information of the production server is correct, the public key of the production server is digitally signed to generate a first certificate chain.
In addition, the second certificate chain includes a public key of the key management service, and the obtaining process of the second certificate chain may be: the key management service sends the public key and the identity information of the key management service to a certificate issuing organization in advance, and after the certificate issuing organization confirms that the identity information of the key management service is correct, the public key of the key management service is digitally signed to generate a second certificate chain.
It should be noted that the key license includes a key information ciphertext, where the key information ciphertext is obtained by encrypting, by the key management service, the content key generated by the key management service and the key identifier corresponding to the content key by using the public key in the first certificate chain.
In this embodiment of the present application, a specific implementation manner of sending a key license carrying a second certificate chain to a production server by a key management service in response to a key generation request is as follows:
1. and after receiving the key generation request, the key management service authenticates the first certificate chain to obtain an authentication result of the first certificate chain.
2. And under the condition that the authentication result of the first certificate chain is qualified, the key management service generates a content key and a key identifier corresponding to the content key, and stores the content key and the key identifier to the local.
3. The key management service encrypts the content key and the key identifier by using the public key in the first certificate chain to obtain a key information ciphertext.
4. The key management service generates a key license based on the key information ciphertext and the second certificate chain.
5. The key management service sends a key license to the production service.
Optionally, when the authentication result of the first certificate chain is unqualified, the key management service sends a key request failure prompt to the production service end.
S102: and authenticating the second certificate chain to obtain an authentication result of the second certificate chain.
The specific implementation manner of authenticating the second certificate chain is common general knowledge familiar to those skilled in the art, and is not described herein again.
S103: and under the condition that the authentication result of the second certificate chain is qualified, analyzing the key license to obtain a key information ciphertext.
Optionally, when the authentication result of the second certificate chain is not qualified, it is determined that the key request fails, and the key generation request carrying the first certificate chain is sent to the key management service again.
S104: and decrypting the key information ciphertext by using a private key of the production server to obtain the content key and the key identification.
S105: and generating a digital copyright protection information header based on the key identification, the preset information header byte number, the encryption type identification and the information header version.
Wherein the encryption type identifier is usually a universal digital right.
S106: and encrypting the file to be encrypted by using the content key to obtain the encrypted file.
Optionally, the file to be encrypted may be encrypted by using the content key based on a preset encryption rule to obtain the encrypted file.
The preset encryption rule may be: extracting a first array sequence and a second array sequence from the content key, wherein the total number of arrays contained in the first array sequence is the same as the total number of arrays contained in the second array sequence, each array in the first array sequence is extracted in sequence, and each array in the second array sequence is extracted in reverse sequence; the file to be encrypted is regarded as a third array sequence, the encrypted file is regarded as a fourth array sequence, and the total number of arrays contained in the third array sequence is the same as the total number of arrays contained in the fourth array sequence; if the first array sequence is A0-A7, the second array sequence is B0-B7, the third array sequence is C0-C N, the fourth array sequence is E0-E N, and N is a positive integer, then E [ N ] = C [ N ] xor A [ N%8], [ xorB [7-N%8], xor represents exclusive OR, and% represents complementation.
S107: and packaging the digital copyright protection information header serving as a file header into an encrypted file to obtain a digital product ciphertext.
S108: and storing the digital product ciphertext into a preset database.
In summary, the file encryption method for obtaining the digital product ciphertext by using the first certificate chain, the second certificate chain and the key license in this embodiment can be applied to all types of container files, and the security protection capability of the digital rights can be significantly improved based on the high security of the certificate chains (i.e., the first certificate chain and the second certificate chain) and the key license.
It should be noted that, S102 shown in fig. 1 is an optional implementation manner of the file encryption method in the embodiment of the present application. In addition, S108 shown in fig. 1 is also an optional implementation manner of the file encryption method in the embodiment of the present application. For this reason, the flow shown in fig. 1 can be summarized as the method shown in fig. 2.
As shown in fig. 2, a schematic flow chart of another file encryption method provided in the embodiment of the present application includes the following steps.
S201: and sending a key generation request carrying the first certificate chain to a preset key management service after the file to be encrypted is obtained, so that the key management service responds to the key generation request and sends a key license carrying the second certificate chain to the production service terminal.
The first certificate chain comprises a public key of the production server; the second certificate chain comprises a public key of the key management service; the key license includes a key information ciphertext; the key information ciphertext is obtained by encrypting the content key generated by the key management service and the key identifier corresponding to the content key by using the public key in the first certificate chain by the key management service.
S202: and under the condition that the second certificate chain passes the authentication, decrypting the key information ciphertext obtained by analyzing the key license by using the private key of the production server to obtain the content key and the key identification.
S203: and generating a digital copyright protection information header based on the key identification.
S204: and encrypting the file to be encrypted by using the content key to obtain the encrypted file.
S205: and packaging the digital copyright protection information header serving as a file header into an encrypted file to obtain a digital product ciphertext.
In summary, the file encryption method for obtaining the digital product ciphertext by using the first certificate chain, the second certificate chain and the key license in this embodiment can be applied to all types of container files, and the security protection capability of the digital rights can be significantly improved based on the high security of the certificate chains (i.e., the first certificate chain and the second certificate chain) and the key license.
It should be noted that, corresponding to the file encryption method, the embodiment of the present application further provides a file decryption method.
As shown in fig. 3, a schematic flow chart of a file decryption method provided in the embodiment of the present application is applied to a client, and includes the following steps.
S301: and after the digital product ciphertext is obtained from the production server, performing file header extraction on the digital product ciphertext to obtain a digital copyright protection information header.
S302: and extracting the encryption type identification from the digital copyright protection information header.
S303: and under the condition that the encryption type identifier is the universal digital copyright, analyzing the digital copyright protection information head to obtain the key identifier.
S304: and sending a license acquisition request carrying the key identifier and the third certificate chain to a preset content license service, so that the content license service responds to the license acquisition request and sends the content license carrying the fourth certificate chain to the client.
The third certificate chain includes a public key of the client, and the obtaining process of the third certificate chain may be: the client sends the self public key and the identity information to the certificate issuing organization in advance, and after the certificate issuing organization confirms that the identity information of the client is correct, the public key of the client is digitally signed to generate a third certificate chain.
Further, the fourth certificate chain includes a public key of the content license service, and the obtaining process of the fourth certificate chain may be: the content license service sends the public key and the identity information of the content license service to the certificate issuing organization in advance, and after the certificate issuing organization confirms that the identity information of the content license service is correct, the public key of the internal allowable certifiable service is digitally signed, and a fourth certificate chain is generated.
Generally, in the case that the encryption type is identified as a non-universal digital right, it is determined that the digital product ciphertext is not encrypted by the encryption method shown in fig. 1.
It should be noted that the content license includes an encryption key, and the encryption key is obtained by encrypting the content key corresponding to the key identifier, acquired from the key management service, by using the public key in the third certificate chain by the content license service.
In this embodiment of the present application, a specific implementation manner of sending, by the content license service, the content license carrying the second certificate chain to the client in response to the license acquisition request includes:
1. and the content license service authenticates the third certificate chain to obtain an authentication result of the third certificate chain.
2. And under the condition that the authentication result of the third certificate chain is qualified, the content license service accesses the key management service and acquires a content key corresponding to the key identification from the key management service.
3. The content license service encrypts the content key using the public key in the third certificate chain to obtain an encrypted key.
4. The content license service generates a content license based on the encryption key and the fourth certificate chain.
5. The content license service sends a content license to the client.
Optionally, when the authentication result of the third certificate chain is not qualified, the content license service sends a license request failure prompt to the client.
S305: and authenticating the fourth certificate chain to obtain an authentication result of the fourth certificate chain.
S306: and under the condition that the authentication result of the fourth certificate chain is qualified, analyzing the internal allowable certificate to obtain an encryption key.
Optionally, when the authentication result of the fourth certificate chain is not qualified, it is determined that the license request fails, and the license acquisition request carrying the third certificate chain is sent to the content license service again.
S307: and decrypting the encrypted key by using a private key of the client to obtain the content key.
S308: and decrypting the ciphertext of the digital product by using the content key to obtain the plaintext of the digital product.
Optionally, under the condition that the digital product ciphertext is obtained by encrypting according to the preset encryption rule, the digital product ciphertext is decrypted by using the content key based on the decryption rule corresponding to the preset encryption rule, so as to obtain the digital product plaintext.
In summary, the file decryption method for obtaining the clear text of the digital product by using the third certificate chain, the fourth certificate chain and the content license in this embodiment can be applied to all types of container files, and the security protection capability of the digital copyright can be significantly improved based on the high security of the certificate chains (i.e., the third certificate chain and the fourth certificate chain) and the content license.
It should be noted that S302 shown in fig. 3 is an optional implementation manner of the file decryption method shown in the embodiment of the present application. In addition, S305 shown in fig. 3 is also an optional implementation manner of the file decryption method according to the embodiment of the present application. For this purpose, the flow shown in fig. 3 can be summarized as the method shown in fig. 4.
As shown in fig. 4, a schematic flowchart of another file decryption method provided in the embodiment of the present application includes the following steps.
S401: and after the digital product ciphertext is obtained from the production server, performing file header extraction on the digital product ciphertext to obtain a digital copyright protection information header.
S402: and analyzing the digital copyright protection information header to obtain a key identifier.
S403: and sending a license acquisition request carrying the key identifier and the third certificate chain to a preset content license service, so that the content license service responds to the license acquisition request and sends the content license carrying the fourth certificate chain to the client.
Wherein the third certificate chain comprises a public key of the client; the fourth certificate chain includes a public key of the content license service; the content license includes an encryption key; the encryption key is obtained by encrypting the content key corresponding to the key identifier, which is obtained from the key management service, by the content license service using the public key in the third certificate chain.
S404: and under the condition that the fourth certificate passes the authentication, decrypting the encrypted key obtained by analyzing the content license by using the private key of the client to obtain the content key.
S405: and decrypting the ciphertext of the digital product by using the content key to obtain the plaintext of the digital product.
In summary, the file decryption method for obtaining the plaintext of the digital product by using the third certificate chain, the fourth certificate chain and the content license in this embodiment can be applied to all types of container files, and the security protection capability of the digital rights can be significantly improved based on the high security of the certificate chain (i.e. the third certificate chain and the fourth certificate chain) and the content license.
Based on the file encryption method and the file decryption method mentioned in the embodiments, the embodiments of the present application also provide a file encryption apparatus and a file decryption apparatus correspondingly.
As shown in fig. 5, a schematic diagram of an architecture of a file encryption apparatus provided in the embodiment of the present application includes the following units.
A requesting unit 501, configured to send a key generation request carrying a first certificate chain to a preset key management service every time a file to be encrypted is obtained, so that the key management service responds to the key generation request and sends a key license carrying a second certificate chain to the file encryption apparatus; wherein the first certificate chain comprises a public key of the file encryption device; the second certificate chain comprises a public key of the key management service; the key license includes a key information ciphertext; the key information ciphertext is obtained by encrypting the content key generated by the key management service and the key identifier corresponding to the content key by using the public key in the first certificate chain by the key management service.
Optionally, the requesting unit 501 is further configured to: in the event that the second certificate chain is not authenticated, the key generation request is resent to the key management service.
A decryption unit 502, configured to decrypt, using the private key of the file encryption apparatus, the key information ciphertext obtained by analyzing the key license to obtain the content key and the key identifier, when the second certificate chain passes the authentication.
A generating unit 503, configured to generate a digital rights protection header based on the key identifier.
Optionally, the generating unit 503 is specifically configured to: and generating a digital copyright protection information header based on the key identification, the preset information header byte number, the encryption type identification and the information header version.
An encrypting unit 504, configured to encrypt the file to be encrypted by using the content key to obtain an encrypted file.
And the encapsulating unit 505 is configured to encapsulate the digital copyright protection information header as a file header into an encrypted file to obtain a digital product ciphertext.
In summary, the file encryption method for obtaining the digital product ciphertext by using the first certificate chain, the second certificate chain and the key license in this embodiment can be applied to all types of container files, and based on the high security of the certificate chains (i.e., the first certificate chain and the second certificate chain) and the key license, the security protection capability of the digital copyright can be significantly improved.
As shown in fig. 6, a schematic diagram of an architecture of a file decryption apparatus provided in an embodiment of the present application includes the following units.
The extracting unit 601 is configured to extract a file header of the digital product ciphertext to obtain a digital copyright protection information header after the digital product ciphertext is obtained from the production server.
The parsing unit 602 is configured to parse the digital rights protection header to obtain the key identifier.
Optionally, the parsing unit 602 is specifically configured to: extracting an encryption type identifier from a digital copyright protection information header; and under the condition that the encryption type identifier is the universal digital copyright, analyzing the digital copyright protection information head to obtain the key identifier.
A requesting unit 603, configured to send a license acquisition request carrying a key identifier and a third certificate chain to a preset content license service, so that the content license service sends a content license carrying a fourth certificate chain to the file decryption apparatus in response to the license acquisition request; wherein the third certificate chain comprises a public key of the file decryption device; the fourth certificate chain includes a public key of the content license service; the content license includes an encryption key; the encryption key is obtained by encrypting the content key corresponding to the key identifier, which is obtained from the key management service, by the content license service using the public key in the third certificate chain.
Optionally, the requesting unit 603 is further configured to: in the event that the fourth certificate chain fails authentication, the license acquisition request is resent to the content license service.
A first decryption unit 604, configured to decrypt, using the private key of the file decryption apparatus, the encrypted key obtained by analyzing the content license, and obtain the content key, when the fourth certificate passes the authentication.
The second decryption unit 605 is configured to decrypt the ciphertext of the digital product by using the content key to obtain the plaintext of the digital product.
In summary, the file decryption method for obtaining the plaintext of the digital product by using the third certificate chain, the fourth certificate chain and the content license in this embodiment can be applied to all types of container files, and the security protection capability of the digital rights can be significantly improved based on the high security of the certificate chain (i.e. the third certificate chain and the fourth certificate chain) and the content license.
Based on the file encryption method and the file decryption method mentioned in the above embodiments, the embodiments of the present application further provide a digital copyright protection system.
As shown in fig. 7, a schematic diagram of an architecture of a digital copyright protection system provided in the embodiment of the present application includes the following components.
Production server 701, key management service 702, client 703, and content license service 704.
The production server 701 is configured to: after a file to be encrypted is obtained, a key generation request carrying a first certificate chain is sent to a key management service, and a key license carrying a second certificate chain sent by the key management service is received; under the condition that the second certificate chain passes authentication, a private key of the production server is used for decrypting a key information ciphertext obtained by analyzing the key license to obtain a content key and a key identifier; generating a digital copyright protection information header based on the key identification; encrypting the file to be encrypted by using the content key to obtain an encrypted file; and packaging the digital copyright protection information header serving as a file header into an encrypted file to obtain a digital product ciphertext.
A key management service 702 for: responding to the key generation request, and generating a content key and a key identifier corresponding to the content key; encrypting the content key and the key identification by using the public key in the first certificate chain to obtain a key information ciphertext; and generating a key license based on the second certificate chain and the key information ciphertext.
A client 703 configured to: after acquiring a digital product ciphertext from a production server, performing file header extraction on the digital product ciphertext to obtain a digital copyright protection information header; analyzing the digital copyright protection information header to obtain a key identifier; sending a license acquisition request carrying a key identifier and a third certificate chain to a content license service, and receiving a content license carrying a fourth certificate chain sent by the content license service; under the condition that the fourth certificate passes the authentication, the private key of the client is used for decrypting the encrypted key obtained by analyzing the content license to obtain a content key; and decrypting the ciphertext of the digital product by using the content key to obtain the plaintext of the digital product.
A content license service 704 to: responding to the license acquisition request, and acquiring a content key corresponding to the key identifier from the key management service; encrypting the content key by using the public key in the third certificate chain to obtain an encryption key; a content license is generated based on the encryption key and the fourth certificate chain.
The first certificate chain comprises a public key of the production server; the second certificate chain comprises a public key of the key management service; the third certificate chain comprises a public key of the client; the fourth certificate chain includes a public key of the content license service.
In summary, in the embodiment, a manner of encrypting and decrypting a file is implemented by using the first certificate chain, the second certificate chain, the third certificate chain, the fourth certificate chain, the key license, and the content license, so that the method is applicable to all types of container files, and based on the high security of the certificate chains (i.e., the first certificate chain, the second certificate chain, the third certificate chain, and the fourth certificate chain), the key license, and the content license, the security protection capability of the digital rights can be significantly improved.
The functions described in the method of the embodiment of the present application, if implemented in the form of software functional units and sold or used as independent products, may be stored in a storage medium readable by a computing device. Based on such understanding, part of the contribution to the prior art of the embodiments of the present application or part of the technical solution may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computing device (which may be a personal computer, a server, a mobile computing device or a network device) to execute all or part of the steps of the method described in the embodiments of the present application. And the aforementioned storage medium includes: u disk, removable hard disk, read only memory, random access memory, magnetic or optical disk, etc. for storing program codes.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A file encryption method is applied to a production server and comprises the following steps:
after a file to be encrypted is obtained, a key generation request carrying a first certificate chain is sent to a preset key management service, so that the key management service responds to the key generation request and sends a key license carrying a second certificate chain to the production service end; wherein the first certificate chain comprises a public key of the production server; the second certificate chain includes a public key of the key management service; the key license comprises a key information ciphertext; the key information ciphertext is obtained by encrypting a content key generated by the key management service and a key identifier corresponding to the content key by using a public key in the first certificate chain by the key management service;
under the condition that the second certificate chain passes authentication, a private key of the production server is used for decrypting the key information ciphertext obtained by analyzing the key license to obtain the content key and the key identifier;
generating a digital copyright protection information header based on the key identification;
encrypting the file to be encrypted by using the content key to obtain an encrypted file;
and packaging the digital copyright protection information header serving as a file header into the encrypted file to obtain a digital product ciphertext.
2. The method of claim 1, further comprising:
re-sending the key generation request to the key management service if the second certificate chain is not authenticated.
3. The method of claim 1, wherein generating a digital rights protection header based on the key identification comprises:
and generating a digital copyright protection information header based on the key identification, and the preset information header byte number, the encryption type identification and the information header version.
4. A file decryption method is applied to a client, and comprises the following steps:
after a digital product ciphertext is obtained from a production server, file header extraction is carried out on the digital product ciphertext to obtain a digital copyright protection information header;
analyzing the digital copyright protection information header to obtain a key identifier;
sending a license acquisition request carrying the key identifier and a third certificate chain to a preset content license service, so that the content license service responds to the license acquisition request and sends a content license carrying a fourth certificate chain to the client; wherein the third certificate chain comprises a public key of the client; the fourth certificate chain includes a public key of the content license service; the content license includes an encryption key; the encryption key is obtained by encrypting the content key corresponding to the key identifier, which is acquired from a key management service, by the content license service by using the public key in the third certificate chain;
under the condition that the fourth certificate passes authentication, decrypting the encrypted key obtained by analyzing the content license by using a private key of the client to obtain the content key;
and decrypting the ciphertext of the digital product by using the content key to obtain the plaintext of the digital product.
5. The method of claim 4, wherein parsing the DRM information header to obtain the key identifier comprises:
extracting an encryption type identifier from the digital copyright protection information header;
and under the condition that the encryption type identifier is a universal digital copyright, analyzing the digital copyright protection information header to obtain a key identifier.
6. The method of claim 4, further comprising:
re-sending the license acquisition request to the content license service if the fourth certificate chain is not authenticated.
7. A file encryption apparatus, comprising:
the device comprises a request unit and a file encryption device, wherein the request unit is used for sending a key generation request carrying a first certificate chain to a preset key management service after a file to be encrypted is obtained, so that the key management service responds to the key generation request and sends a key license carrying a second certificate chain to the file encryption device; wherein the first certificate chain comprises a public key of the file encryption device; the second certificate chain includes a public key of the key management service; the key license comprises a key information ciphertext; the key information ciphertext is obtained by encrypting a content key generated by the key management service and a key identifier corresponding to the content key by using a public key in the first certificate chain by the key management service;
a decryption unit, configured to decrypt, using a private key of the file encryption apparatus, the key information ciphertext obtained by analyzing the key license to obtain the content key and the key identifier, when the second certificate chain passes authentication;
a generating unit, configured to generate a digital rights protection header based on the key identifier;
the encryption unit is used for encrypting the file to be encrypted by using the content key to obtain an encrypted file;
and the packaging unit is used for packaging the digital copyright protection information header into the encrypted file to obtain a digital product ciphertext by taking the digital copyright protection information header as a file header.
8. The file encryption apparatus according to claim 7, wherein the generating unit is specifically configured to:
and generating a digital copyright protection information header based on the key identification, and the preset information header byte number, the encryption type identification and the information header version.
9. A file decryption apparatus, comprising:
the extraction unit is used for extracting a file header of the digital product ciphertext to obtain a digital copyright protection information header after the digital product ciphertext is obtained from the production server;
the analysis unit is used for analyzing the digital copyright protection information header to obtain a key identifier;
a requesting unit, configured to send a license acquisition request carrying the key identifier and the third certificate chain to a preset content license service, so that the content license service sends a content license carrying a fourth certificate chain to the file decryption device in response to the license acquisition request; wherein the third certificate chain includes a public key of the file decryption device; the fourth certificate chain includes a public key of the content license service; the content license includes an encryption key; the encryption key is obtained by encrypting the content key corresponding to the key identifier, which is acquired from a key management service, by the content license service by using the public key in the third certificate chain;
a first decryption unit, configured to, if the fourth certificate passes authentication, decrypt, using a private key of the file decryption apparatus, the encrypted key obtained by analyzing the content license, to obtain the content key;
and the second decryption unit is used for decrypting the digital product ciphertext by using the content key to obtain a digital product plaintext.
10. A digital rights protection system, comprising:
the system comprises a production server, a key management service, a client and a content license service;
the production server is used for: after a file to be encrypted is obtained, a key generation request carrying a first certificate chain is sent to the key management service, and a key license carrying a second certificate chain sent by the key management service is received; under the condition that the second certificate chain passes authentication, a private key of the production server is used for decrypting a key information ciphertext obtained by analyzing the key license to obtain a content key and a key identifier; generating a digital copyright protection information header based on the key identification; encrypting the file to be encrypted by using the content key to obtain an encrypted file; packaging the digital copyright protection information header into the encrypted file to obtain a digital product ciphertext, wherein the digital copyright protection information header is used as a file header;
the key management service to: responding to the key generation request, and generating the content key and the key identification corresponding to the content key; encrypting the content key and the key identification by using a public key in the first certificate chain to obtain the key information ciphertext; generating the key license based on the second certificate chain and the key information ciphertext;
the client is used for: after the digital product ciphertext is obtained from the production server, file header extraction is carried out on the digital product ciphertext to obtain a digital copyright protection information header; analyzing the digital copyright protection information header to obtain the key identification; sending a license acquisition request carrying the key identifier and the third certificate chain to the content license service, and receiving a content license carrying a fourth certificate chain sent by the content license service; under the condition that the fourth certificate passes authentication, decrypting the encrypted key obtained by analyzing the content license by using a private key of the client to obtain the content key; decrypting the digital product ciphertext by using the content key to obtain a digital product plaintext;
the content license service to: acquiring the content key corresponding to the key identifier from the key management service in response to the license acquisition request; encrypting the content key by using the public key in the third certificate chain to obtain the encryption key; generating the content license based on the encryption key and the fourth certificate chain;
the first certificate chain comprises a public key of the production server; the second certificate chain includes a public key of the key management service; the third certificate chain comprises a public key of the client; the fourth certificate chain includes a public key of the content license service.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211433927.5A CN115913571A (en) | 2022-11-16 | 2022-11-16 | File encryption and decryption method and device, and digital copyright protection system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211433927.5A CN115913571A (en) | 2022-11-16 | 2022-11-16 | File encryption and decryption method and device, and digital copyright protection system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115913571A true CN115913571A (en) | 2023-04-04 |
Family
ID=86496688
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211433927.5A Pending CN115913571A (en) | 2022-11-16 | 2022-11-16 | File encryption and decryption method and device, and digital copyright protection system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115913571A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116894273A (en) * | 2023-09-11 | 2023-10-17 | 四川建设网有限责任公司 | File encryption method, decryption method, equipment and medium based on exclusive or sum remainder |
-
2022
- 2022-11-16 CN CN202211433927.5A patent/CN115913571A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116894273A (en) * | 2023-09-11 | 2023-10-17 | 四川建设网有限责任公司 | File encryption method, decryption method, equipment and medium based on exclusive or sum remainder |
| CN116894273B (en) * | 2023-09-11 | 2023-11-21 | 四川建设网有限责任公司 | File encryption method, decryption method, equipment and medium based on exclusive or sum remainder |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110519309B (en) | Data transmission method, device, terminal, server and storage medium | |
| CN112150147A (en) | Data security storage system based on block chain | |
| CN109067814B (en) | Media data encryption method, system, device and storage medium | |
| CN109218295A (en) | Document protection method, device, computer equipment and storage medium | |
| CN108809936B (en) | Intelligent mobile terminal identity verification method based on hybrid encryption algorithm and implementation system thereof | |
| CN108323230B (en) | Method for transmitting key, receiving terminal and distributing terminal | |
| CN105812366A (en) | Server, anti-crawler system and anti-crawler verification method | |
| CN112565265A (en) | Authentication method, authentication system and communication method between terminal devices of Internet of things | |
| CN112685786A (en) | Financial data encryption and decryption method, system, equipment and storage medium | |
| CN103237011B (en) | Digital content encryption transmission method and server end | |
| CN115913571A (en) | File encryption and decryption method and device, and digital copyright protection system | |
| CN105657699A (en) | Safe data transmission method | |
| CN112865965B (en) | Train service data processing method and system based on quantum key | |
| CN116405734B (en) | Data transmission method and system for ensuring data security | |
| CN113591109A (en) | Method and system for communication between trusted execution environment and cloud | |
| CN115955310B (en) | Information source encryption multimedia data export security protection method, device and equipment | |
| CN114679299B (en) | Communication protocol encryption method, device, computer equipment and storage medium | |
| CN114978769B (en) | Unidirectional leading-in device, unidirectional leading-in method, unidirectional leading-in medium and unidirectional leading-in equipment | |
| CN112583772A (en) | Data acquisition and storage platform | |
| CN206907059U (en) | China second-generation identity card reads encryption system | |
| CN115514578A (en) | Block chain based data authorization method and device, electronic equipment and storage medium | |
| CN113672955B (en) | Data processing method, system and device | |
| CN115603907A (en) | Method, device, equipment and storage medium for encrypting storage data | |
| CN111542050B (en) | TEE-based method for guaranteeing remote initialization safety of virtual SIM card | |
| CN112104874A (en) | Data transmission method and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |