CN1331463A - Information encryption method and system with real-time authentication function - Google Patents

Publication number
CN1331463A
Authority
CN
China
Prior art keywords
encryption
information
key
decryption
hash function
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 00109512
Other languages
Chinese (zh)
Inventor
张勤
武连文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING HUANUO INFORMATION TECHN Co Ltd
Original Assignee
BEIJING HUANUO INFORMATION TECHN Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BEIJING HUANUO INFORMATION TECHN Co Ltd
Priority to CN 00109512
Publication of CN1331463A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

An information encryption method and system with a real-time authentication function is disclosed. A key manager assigns a pair of associated keys (Kn and kn) to the information-sending user and the information-receiving user. The information K* is transformed by a hash function h, and the result h(K*) is encrypted together with K* under Kn. The decryptor decrypts with kn and authenticates the message by checking that the decrypted h(K*) is the hash function's value for the decrypted K*. It is suitable for wireless broadband networks and satellite broadband networks.

Description

An information encryption method and system with a real-time authentication function
The present invention relates to an information encryption method and system, and in particular to an information encryption method and system with a real-time authentication function for cable television networks.
In the current multimedia broadband network industry, network security is one of the most important problems that urgently needs to be solved. A broadband network based on the cable television network can deliver not only traditional broadcast television but also many new services, such as LAN interconnection, Internet access, video conferencing and videophone, and in particular the value-added services now emerging, such as video on demand, online securities trading, electronic commerce and network gaming. For network information security, these interactive services require more than simple encryption of the transmitted information: they also require the system to provide security guarantees such as authentication, data integrity and non-repudiation, and they require the encryption system to do its work in real time.
Authentication is one of the two key elements of information system security. It mainly prevents malicious parties from mounting active attacks on the system, such as impersonation and harassment, including tampering with and retransmitting the content, order and timing of messages. For a network, and especially for a multimedia broadband network that offers value-added services such as the existing HFC network, authentication is therefore an important part of the overall system structure. Because one section of the existing HFC network uses a shared transmission medium, unlike the traditional point-to-point transmission model, some users can conceal their identity and send false information to the front end, so the HFC network needs strong encryption and authentication methods all the more to ensure that information is transmitted securely.
In existing cable television broadband networks, programs are mainly encrypted and managed by scrambling or encryption. The system consists of a front end (the service provider) and terminals (the users), as shown in Fig. 1. Information is encrypted by the scrambler in the system, and decryption is performed by the decoder in the terminal. The encryption and decryption process of the whole system is as follows. The key manager produces a master key K, and under the control of K the encryptor produces the related control information, such as the Entitlement Control Message (ECM) and the Entitlement Management Message (EMM), which is stored in the control system of the front end. The front-end control system produces a control word and feeds it to the encryptor, which encrypts the information and manages the users' reception rights; the ECM and EMM are sent to the control system of the terminal together with the encrypted information. For decryption, the master key K can be sent directly to the control system of the terminal over a secure channel; the control system produces the control word and feeds it to the decoder, which contains the decryption module and completes the decryption. Alternatively, the master key K can be stored in a smart card, as shown in Fig. 2, and the user inserts the smart card into the decoder to complete decryption.
As the above description shows, the existing encryption system provides no authentication function and therefore has the following defects: (1) it can only perform encryption alone, which protects the system against passive attacks, and cannot provide authentication at the time of encryption, so the receiver cannot identify the sender or confirm that a message is genuine; (2) in systems that use smart cards storing the same master key K, the smart card is kept by the individual user and is easily misappropriated by others, causing the user economic loss; (3) the key K is transmitted over a second data transmission channel that is separate at the physical layer, which is very costly, or even impractical, for more complex systems or for users at long transmission distances.
The object of the invention is therefore to provide an encryption method and system with an authentication function that overcome the problems of the above systems, particularly in cable television broadband networks: namely, that authentication cannot be performed at the time of encryption, and that the use of a second data transmission channel makes the system costly and hard to implement.
To achieve the above object, the invention provides an encryption and decryption method for information with a real-time authentication function, characterized in that: a key manager assigns a pair of mutually corresponding encryption and decryption keys (Kn, kn) to the sender and the receiver of the information; hash functions h and h' are set at the sender and the receiver of the signal respectively, with h = h'; the information K* is transformed with the hash function h, and the result h(K*) is encrypted together with K* under the key Kn and sent to the decryptor; the decryptor decrypts with the kn corresponding to Kn to recover h(K*) and K*, and then transforms the recovered K* with the hash function h' at the decryptor to obtain h'(K*); by confirming that the recovered h(K*) equals the h'(K*) computed at the decryptor, encryption and decryption of the information are completed and authentication is completed at the same time.
In the above method, a time window is set on the transmission channel during transmission of the message key; if the transmission time exceeds the limit set by the time window, the transmission is invalid.
The sender and receiver of the signal can be any of the following combinations: (1) client terminal and billing system; (2) billing system and encryption server; (3) encryption server and client terminal; (4) encryption server and key manager; (5) encryption server and scrambler.
The hash function h can be selected from a group of preset hash functions.
The selection of the hash function h is made by a control center.
The mutually corresponding encryption and decryption keys (Kn, kn) can be replaced according to the content being encrypted.
When the sender and the receiver of the information are provided with host keys, the mutually corresponding encryption and decryption keys (Kn, kn) can first be encrypted and decrypted with the respective host keys, after which the information encryption and decryption process with real-time authentication is carried out.
The invention also provides an encryption and decryption system for information with a real-time authentication function, comprising a key manager, an encryptor and a decryptor, in which: the key manager assigns a pair of mutually corresponding encryption and decryption keys (Kn, kn) to the sender and the receiver of the information; hash functions h and h' are set at the sender and the receiver of the signal respectively, with h = h'; the information K* is transformed with the hash function h, and the result h(K*) is encrypted together with K* under the key Kn and sent to the decryptor; the decryptor decrypts with the kn corresponding to Kn to recover h(K*) and K*, and then transforms the recovered K* with the hash function h' at the decryptor to obtain h'(K*); by confirming that the recovered h(K*) equals the h'(K*) computed at the decryptor, encryption and decryption of the information are completed and authentication is completed at the same time. The encryption and decryption system also comprises a control module for selecting the hash function h.
The invention is further described below with reference to the drawings and embodiments.
Fig. 1 shows the encryption system of an existing cable television broadband network.
Fig. 2 shows the encryption system of an existing cable television broadband network that uses a smart card for decryption.
Fig. 3 is a schematic block diagram of the encryption system with authentication function of the invention.
Fig. 4 is a system block diagram of the encryption system of the invention applied to a cable TV broadband network.
Fig. 5 is a schematic block diagram of the encryption system of the invention applied to the video-on-demand service of a cable TV broadband network.
The authentication function of the invention is based on a public-key (dual-key) cryptosystem and a hash function. It comprises: (1) verifying that the sender of the information is genuine and not an impersonator; (2) verifying that the information has not been tampered with, replayed or delayed during transmission or storage; (3) ensuring that the sender cannot repudiate the information it sent.
As shown in Fig. 3, the encryption system with authentication function of the invention consists of an information source, a key manager, an encryption system server, an encryptor, a decryptor and a control center. One feature of the invention is that the key manager assigns the two communicating parties in the encryption system a pair of mutually corresponding keys (Kn, kn), and this correspondence is unique; the pair is used to encrypt and decrypt important information such as the message key K*. The communicating parties here are any two units in the encryption system that need to exchange or send important information, for example server and encryptor, server and decryptor, key manager and server, or user and subscriber management system.
Communication between the server and the decryptor is used here as the example. First, the notion of a hash function: a hash function is a function that maps a digit string M of arbitrary length to a short, fixed-length output string H. Denoting the function by h, h(M) is easy to compute, and H = h(M) is called the hash value of M, also the hash code, hash result and so on. If the hash function is a one-way function it is called a one-way hash function: computing H from M is easy, but producing an M' such that h(M') equals a given hash value H is hard, which is exactly the property wanted in cryptography and can be used in encrypting and decrypting information. The invention uses a one-way hash function, with the information K* as the digit string M. If K* is tampered with in transit, the receiver can detect this through the hash function, which guarantees the integrity of the transmitted data.
In the invention the hash function is one of a group of selectable functions, which can be preset in the server and the decryptor and selected by the control center, or loaded into the server and the decryptor by download.
The concrete method by which the invention uses the hash function to perform authentication is as follows. Hash functions h and h' are preset in the server and the decryptor, with h equal to h'; h and h' can be a group of selectable functions, selected by the control center. The server, using the key Kn, transforms the information K* with the replaceable hash function h; here K* can be, for example, a message key. The result h(K*) and K* are encrypted together and sent to the decryptor. The decryptor decrypts with the kn corresponding to Kn and recovers h(K*) and K*. The hash function h' at the decryptor then also transforms the information K*, giving h'(K*). If h'(K*) = h(K*), this means that h(K*) remained unchanged through encryption and decryption under the key pair Kn and kn. This verifies not only the identity of the sender but also the integrity of the transmitted information; that is, authentication is completed at the same time as K* is decrypted.
In Fig. 1, data transfer between the key manager and the decryptor uses a separate transmission channel, the secure channel. By contrast, Fig. 3 uses the existing transmission channel between the encryptor and the decryptor and needs no additional channel, which solves the high cost and difficulty of implementation caused by using a different channel.
The key pair (Kn, kn) can be changed according to a fixed rule, for example once a month, or at any time at the customer's request. In addition, a time window is set when the message key K* encrypted under Kn is sent to the decryptor, to ensure that the transmission completes within the specified time; a transmission that exceeds the limit is invalid, which guarantees that authentication is real-time.
Furthermore, for more confidential information a program is usually encrypted with several different message keys K*. In that case multi-layer encryption can be used: for example, the different K* are first packed together and encrypted with some algorithm, and the key of that algorithm is then encrypted with Kn.
Existing public-key (dual-key) cryptosystems mainly include the RSA cryptosystem, the ElGamal cryptosystem, the knapsack cryptosystem, elliptic curve cryptosystems, the McEliece cryptosystem, the LUC cryptosystem, the Rabin signature system and others; any one of them can be chosen to meet the requirements of different systems.
An encryption system with authentication based on a public-key (dual-key) cryptosystem authenticates the user's identity while the information is being encrypted. This improves the security of the system and protects it against active attacks: the authenticity of the information source and sink, the integrity of the information and non-repudiation can all be verified, and a time window set on the transmission channel ensures that encryption and authentication happen in real time.
Below, application of the encryption method to a cable TV broadband network is described as an example. The overall composition of this network is shown in Fig. 4. The information source can be satellite television or programs compressed with different compression methods, or services such as video on demand/near video on demand (VOD/NVOD) and Internet access. The multiplexer turns the sources into transport streams occupying different frequency bands, which are encrypted by the encryptor and then up-converted by the modulator into a radio-frequency signal. From there, there are two transmission modes. In the first, the signal reaches the client terminal over a two-way HFC network, and decryption, demodulation, decompression and similar functions are all performed in the high-speed digital signal processing chip (DSP) in the client terminal. The client terminal delivers the information to a television set, home PC and so on as needed. In the second, downstream information is sent over a one-way HFC network and upstream information goes over the ordinary telephone network. The upstream information is delivered to the loop receiver and then passed to the controller, which analyzes it and routes it to the different subsystems.
Taking VOD as an example, the encryption process with authentication is now described in detail. The whole encryption system comprises the client terminal, scrambler, encryption server, VOD server, key manager and database, as shown in Fig. 5.
In this embodiment the program is encrypted with the DES algorithm and the program key PK is encrypted with the RSA algorithm. When a user requests the VOD service, the procedure is as follows:
(1) the encryption system checks the user's request; if it is legitimate, it notifies the VOD server to send the plaintext program to the scrambler, and informs the encryption server of the user information and the name of the program the user wants to watch;
(2) after receiving the user information and the program name, the encryption server obtains the relevant program information and the encryption requirement indication from the database;
(3) the encryption server applies to the key manager for a program key PK;
(4) the key manager sends the program key PK to the server in response to the application, or the encryption server uses a program key PK distributed in advance;
(5) the encryption server sends the program key PK to the scrambler so that the program can be encrypted, and at the same time encrypts the program key PK and sends it to the client terminal;
(6) the VOD server sends the plaintext program to the scrambler, which encrypts the program with the program key PK and sends it to the client terminal at the user side;
(7) the client terminal decrypts the encrypted program with the program key PK in the high-speed digital signal processing chip (DSP), and then plays the program the user requested.
In the above process, the two communicating parties need to authenticate each other in the following cases: (1) between the encryption server and the client terminal; (2) between the encryption server and the key manager; (3) between the encryption server and the scrambler. In addition, the system of Fig. 5 usually also includes a billing system, in which case mutual authentication is also needed between the client terminal and the billing system and between the billing system and the encryption server. The authentication procedure is now explained using the example of the encryption server sending the program key PK to the client terminal:
(1) the key manager assigns a host key to each of the encryption server and the client terminal. This host key is a key pair: one key is managed by the key manager, and the other is set directly in the hardware of the encryption server and the client terminal before they leave the factory and is called the host key;
(2) the key manager assigns a pair of mutually corresponding keys (Kn, kn) to the encryption server and the client terminal, encrypts each with the respective party's host key, and sends them to the encryption server and the client terminal. This key pair is unique to each user; that is, no two or more users can be assigned the same kn;
(3) all keys that the key manager distributes in the system are relayed through the encryption server; for example, the key manager encrypts kn with the client terminal's host key and sends it to the encryption server, which forwards it to the client terminal. At this point the encryption server knows only the address of the destination terminal and not the content being transmitted; that is, the encryption server is equivalent to a terminal in the system;
(4) the encryption server requests the program key PK from the key manager and, using the key Kn that corresponds to the user information, transforms PK with the hash function H, encrypts the result H(PK) together with PK, and sends them to the client terminal;
(5) the client terminal uses its host key to recover kn, and then uses kn to recover the program key PK and H(PK). Substituting PK into the hash function h selected at the client terminal yields h(PK). If h(PK) = H(PK), the information was not tampered with in transit, i.e. the integrity of the information is verified. Moreover, because Kn and kn correspond one to one and Kn ≠ kn, only the user who requested this program can recover the program key PK, which completes the authentication.
The other four communication cases are similar and are not described in detail.
During transmission of the program key PK, a time window is set on the transmission channel. If the transmission time exceeds the limit set by the time window, the transmission is invalid; the server applies to the key manager again and the whole encryption process is repeated. The purpose is to guarantee that authentication is real-time.
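The check in steps (4) and (5) and the time window above (the same h(K*) comparison the general method describes for K*), as an added example that is not code from the patent. Assumptions: unpadded toy RSA built from publicly known Mersenne primes stands in for the RSA key pair (Kn, kn), SHA-256 and SHA3-256 stand in for the selectable hash group, the send time travels inside the encrypted payload, and all function names and field sizes are hypothetical.

```python
import hashlib
import hmac

# Toy RSA keys built from publicly known Mersenne primes so the example runs
# offline with the standard library only. Not secure: real deployments use
# randomly generated primes and padded RSA.
M521, M607, M1279 = 2**521 - 1, 2**607 - 1, 2**1279 - 1
E = 65537

KEY_LEN, DIGEST_LEN, TS_LEN = 16, 32, 8   # assumed field sizes in bytes
BODY_LEN = KEY_LEN + DIGEST_LEN + TS_LEN
# The page lets a control center pick h from a preset group; two stand-ins here.
HASHES = {"sha256": hashlib.sha256, "sha3_256": hashlib.sha3_256}


def make_pair(p, q):
    """Key manager: return (Kn, kn). Each half is kept secret by its holder."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def seal(Kn, program_key, sent_at, hash_name="sha256"):
    """Encryption server: encrypt PK || h(PK) || sent_at under Kn."""
    if len(program_key) != KEY_LEN:
        raise ValueError("program key must be KEY_LEN bytes")
    n, e = Kn
    digest = HASHES[hash_name](program_key).digest()
    body = program_key + digest + sent_at.to_bytes(TS_LEN, "big")
    return pow(int.from_bytes(body, "big"), e, n)


def open_sealed(kn, ciphertext, now, window, hash_name="sha256"):
    """Client terminal: return (PK, "ok") or (None, reason)."""
    n, d = kn
    if not 0 <= ciphertext < n:
        return None, "malformed"
    blob = pow(ciphertext, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    padding, body = blob[:-BODY_LEN], blob[-BODY_LEN:]
    if any(padding):                       # wrong key or modified ciphertext
        return None, "malformed"
    program_key = body[:KEY_LEN]
    received = body[KEY_LEN:KEY_LEN + DIGEST_LEN]
    sent_at = int.from_bytes(body[KEY_LEN + DIGEST_LEN:], "big")
    # h'(PK) computed locally must equal the H(PK) that was decrypted.
    expected = HASHES[hash_name](program_key).digest()
    if not hmac.compare_digest(received, expected):
        return None, "hash_mismatch"
    # Time window: a transmission outside the limit is invalid.
    if not 0 <= now - sent_at <= window:
        return None, "expired"
    return program_key, "ok"


def demo():
    """Run the exchange on constructed sample values and collect the outcomes."""
    Kn, kn = make_pair(M521, M607)             # pair for this user
    _, other_kn = make_pair(M607, M1279)       # another user's kn
    pk = bytes(range(KEY_LEN))                 # constructed sample program key
    c = seal(Kn, pk, sent_at=1000)
    return {
        "valid": open_sealed(kn, c, now=1003, window=5)[1],
        "late": open_sealed(kn, c, now=1010, window=5)[1],
        "h_differs": open_sealed(kn, c, 1003, 5, hash_name="sha3_256")[1],
        "tampered": open_sealed(kn, c ^ 1, now=1003, window=5)[1],
        "wrong_user": open_sealed(other_kn, c, now=1003, window=5)[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} -> {outcome}")
```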
The invention is mainly intended for existing cable TV broadband networks, where it can provide a safe and reliable platform for launching a variety of value-added services. In particular, for interactive services such as video on demand/near video on demand (VOD/NVOD) and electronic commerce, the invention can authenticate the sender's identity and the integrity of the information in real time when important information is transmitted, protecting the interests of both the service provider and the user.

Claims (11)

1. An encryption and decryption method for information with a real-time authentication function, characterized in that: a key manager assigns a pair of mutually corresponding encryption and decryption keys (Kn, kn) to the sender and the receiver of the information; hash functions h and h' are set at the sender and the receiver of the signal respectively, with h = h'; the information K* is transformed with the hash function h, and the result h(K*) is encrypted together with K* under the key Kn and sent to the decryptor; the decryptor decrypts with the kn corresponding to Kn to recover h(K*) and K*, and then transforms the recovered K* with the hash function h' at the decryptor to obtain h'(K*); by confirming that the recovered h(K*) equals the h'(K*) computed at the decryptor, encryption and decryption of the information are completed and authentication is completed at the same time.
2. The encryption and decryption method according to claim 1, characterized in that a time window is set on the transmission channel during transmission of the message key, and if the transmission time exceeds the limit set by the time window, the transmission is invalid.
3. The encryption and decryption method according to claim 1 or 2, characterized in that the sender and receiver of the signal can be any of the following combinations: (1) client terminal and billing system; (2) billing system and encryption server; (3) encryption server and client terminal; (4) encryption server and key manager; (5) encryption server and scrambler.
4. The encryption and decryption method according to claim 1 or 2, characterized in that the hash function h can be selected from a group of preset hash functions.
5. The encryption and decryption method according to claim 4, characterized in that the selection of the hash function h is made by a control center.
6. The encryption and decryption method according to any one of claims 1 to 5, characterized in that the mutually corresponding encryption and decryption keys (Kn, kn) can be replaced according to the content being encrypted.
7. The encryption and decryption method according to any one of claims 1 to 5, characterized in that, when the sender and the receiver of the information are provided with host keys, the mutually corresponding encryption and decryption keys (Kn, kn) can first be encrypted and decrypted with the respective host keys, after which the information encryption and decryption process with real-time authentication is carried out.
8. An encryption and decryption system for information with a real-time authentication function, comprising a key manager, an encryptor and a decryptor, characterized in that: the key manager assigns a pair of mutually corresponding encryption and decryption keys (Kn, kn) to the sender and the receiver of the information; hash functions h and h' are set at the sender and the receiver of the signal respectively, with h = h'; the information K* is transformed with the hash function h, and the result h(K*) is encrypted together with K* under the key Kn and sent to the decryptor; the decryptor decrypts with the kn corresponding to Kn to recover h(K*) and K*, and then transforms the recovered K* with the hash function h' at the decryptor to obtain h'(K*); by confirming that the recovered h(K*) equals the h'(K*) computed at the decryptor, encryption and decryption of the information are completed and authentication is completed at the same time;
the encryption and decryption system also comprises a control module for selecting the hash function h.
9. The encryption and decryption system according to claim 8, characterized in that a time window is set on the transmission channel during transmission of the message key, and if the transmission time exceeds the limit set by the time window, the transmission is invalid.
10. The encryption and decryption system according to claim 8 or 9, characterized in that the sender and receiver of the signal can be any of the following combinations: (1) client terminal and billing system; (2) billing system and encryption server; (3) encryption server and client terminal; (4) encryption server and key manager; (5) encryption server and scrambler.
11. The encryption and decryption system according to claim 8 or 9, characterized in that the hash function h can be selected from a group of preset hash functions.
CN 00109512 2000-06-29 2000-06-29 Information encryption method and system with real-time authentication function Pending CN1331463A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 00109512 CN1331463A (en) 2000-06-29 2000-06-29 Information encryption method and system with real-time authentication function

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 00109512 CN1331463A (en) 2000-06-29 2000-06-29 Information encryption method and system with real-time authentication function

Publications (1)

Publication Number Publication Date
CN1331463A true CN1331463A (en) 2002-01-16

Family

ID=4579692

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 00109512 Pending CN1331463A (en) 2000-06-29 2000-06-29 Information encryption method and system with real-time authentication function

Country Status (1)

Country Link
CN (1) CN1331463A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100362534C (en) * 2003-08-15 2008-01-16 深圳市科陆电子科技股份有限公司 Long-distance collecting method for electric power
CN101202898B (en) * 2006-12-15 2011-02-16 黄金富 Method and system for returning satellite television ideology control power to each country to manage
CN101854344B (en) * 2004-03-19 2012-08-29 株式会社日立制作所 Contents transmitter apparatus, contents reciever apparatus and contents transmitting method
CN101478386B (en) * 2007-12-21 2013-05-08 英特尔公司 Providing active management technology (AMT) in computer systems
CN112367570A (en) * 2020-10-29 2021-02-12 福信富通科技股份有限公司 Emergency instruction system based on wireless intercom system and method thereof

Similar Documents

Publication Publication Date Title
Chu et al. A secure multicast protocol with copyright protection
US7848525B2 (en) Hybrid broadcast encryption method
CN1134161C (en) Method for providing a secure communication between two devices and application of this method
CN109218825B (en) Video encryption system
US7933414B2 (en) Secure data distribution
CN109151508B (en) Video encryption method
US20030140257A1 (en) Encryption, authentication, and key management for multimedia content pre-encryption
CN107483505B (en) Method and system for protecting user privacy in video chat
US6512829B1 (en) Key distribution method and system in secure broadcast communication
JP2005510184A (en) Key management protocol and authentication system for secure Internet protocol rights management architecture
KR20070083965A (en) Method and system for authorizing multimedia multicasting
CN101076109A (en) Two-way CA system of digital TV-set and method for ordering and cancelling programm based on it
US20030018917A1 (en) Method and apparatus for delivering digital media using packetized encryption data
CN101719910A (en) Terminal equipment for realizing content protection and transmission method thereof
US20060047976A1 (en) Method and apparatus for generating a decrpytion content key
KR100670017B1 (en) Method for broadcast encryption based on the combination
JP2012044716A (en) Method and apparatus for secure transmission of data
CN113347215B (en) Encryption method for mobile video conference
Jiang et al. Secure communication between set-top box and smart card in DTV broadcasting
JP4193380B2 (en) Electronic signature system for stream transfer
JP2002510164A (en) Method and apparatus for communicating a secret message to selected members
CN101505462B (en) Authentication method and system for mobile multimedia broadcast conditional reception
CN102917252A (en) IPTV (internet protocol television) program stream content protection system and method
KR20050009227A (en) Individual video encryption system and method
CN1331463A (en) Information encryption method and system with real-time authentication function

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication
REG Reference to a national code

Ref country code: HK

Ref legal event code: GR

Ref document number: 1057000

Country of ref document: HK